Check Point - Secure Platform R71 Administration Guide
R71
Administration Guide
13 April, 2010
More Information
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10313
For additional technical information about Check Point visit Check Point Support Center
(http://supportcenter.checkpoint.com).
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your
comments to us (mailto:[email protected]?subject=Feedback on SecurePlatform
R71 Administration Guide).
Chapter 2
Preparing to Install SecurePlatform
Hardware Compatibility Testing Tool
Note - You must specify that you are burning a "CD image" and not a single file.
When the tool has finished analyzing the hardware, a summary page is displayed with the following
information:
statement whether the Platform is suitable for installing SecurePlatform
number of supported and unsupported mass storage devices found
number of supported and unsupported Ethernet Controllers found
Additional information can be obtained by pressing the Devices button. The devices information window
lists all the devices, found on the machine (grouped according to functionality).
Use the arrow keys to navigate through the list.
Pressing Enter on a specific device displays detailed information about that device.
The detailed information can be saved to a diskette, to a TFTP server, or dumped through the serial
console. This may be required in cases where some of the devices are not supported.
In This Chapter
General Procedure
Client Setup
Server Setup
General Procedure
To perform the network installation:
1. The client boots from the network, using the PXE network loader.
2. The client sends a broadcast request, using the BOOTP protocol.
3. The server responds to the client, providing the client's assigned IP address and a filename
(pxelinux.0 by default) from which to download the PXE boot loader.
4. The client downloads the PXE Boot Loader, using TFTP, and executes it.
5. The PXE boot loader downloads a PXE configuration file from the server, containing the names of the
kernel and the ramdisk that the client requires.
6. The PXE boot loader downloads the kernel and the ramdisk.
7. The kernel is run, using ramdisk as its environment.
8. The Installer is executed.
9. At this point the installation can be configured to load files from the FTP server.
The client's requirements are minimal. Only PXE is required.
The server requires the following items to be installed:
DHCP daemon
TFTP daemon
PXE boot loader
Kernel
Ramdisk
Client Setup
On the client machine, enable the network boot, using PXE, from the BIOS setup. (It sometimes appears as
DHCP.) The procedure differs from machine to machine. Consult specific machine documentation, if
necessary.
Server Setup
The following setup details and instructions apply to a server running SecurePlatform, as its operating
system. Setup on a server running a different OS may differ slightly.
Required Packages
The following packages are required for server setup:
DHCP daemon (located on the Check Point CDROM and installed, by default, on SecurePlatform)
Xinetd (/SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm on the Check Point CDROM)
TFTP daemon (/SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm)
FTP server (/SecurePlatform/RPMS/ftpd-0.3.3-118.4cp.i386.rpm)
TCP-Wrappers package (/SecurePlatform/RPMS/tcp_wrappers-7.6-34.4cp.i386.rpm)
Kernel (can be found on the SecurePlatform CD at /SecurePlatform/kernel)
Ramdisk (can be found on the SecurePlatform CD at /SecurePlatform/ramdisk-pxe)
The configuration file should include a subnet declaration, for each subnet that is connected to the
DHCP server.
The configuration should include a host declaration, for each host that will use this server for remote
installation.
A sample configuration file follows:
subnet 192.92.93.0 netmask 255.255.255.0 {
}
host foo {
    filename "/pxelinux.0";
}
You can also use different FTP servers, or HTTP servers, to host SecurePlatform installation files.
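The following added example (not from the guide) generates the two server-side files that tie the steps above together: a dhcpd.conf fragment with the subnet and host declaration that hands out pxelinux.0 (step 3), and a pxelinux.cfg/default naming the kernel and ramdisk (steps 5 and 6), plus a check that the TFTP root holds everything the client will request. The subnet is the guide's 192.92.93.0/24; the host name, MAC address, IP addresses and the kernel/ramdisk file names inside the TFTP root are assumptions.

```shell
# Added example, not from the Check Point guide. Assumed layout: the kernel and
# ramdisk were copied from the CD paths /SecurePlatform/kernel and
# /SecurePlatform/ramdisk-pxe into the TFTP root as "kernel" and "ramdisk-pxe";
# host name, MAC and IP addresses below are constructed sample values.

# Print a dhcpd.conf fragment: the subnet declaration plus one host declaration
# that gives the client its fixed address, the TFTP server (next-server) and
# the boot loader filename, as in step 3 of the procedure.
# Arguments: host name, MAC address, fixed IP, TFTP server IP.
dhcp_config() {
    name=$1; mac=$2; ip=$3; tftp_ip=$4
    cat <<EOF
subnet 192.92.93.0 netmask 255.255.255.0 {
}
host $name {
    hardware ethernet $mac;
    fixed-address $ip;
    next-server $tftp_ip;
    filename "/pxelinux.0";
}
EOF
}

# Write pxelinux.cfg/default under the TFTP root (step 5). KERNEL and initrd=
# are paths relative to the TFTP root; the boot loader fetches them in step 6.
write_pxelinux_config() {
    root=$1
    mkdir -p "$root/pxelinux.cfg" || return 1
    cat >"$root/pxelinux.cfg/default" <<'EOF'
DEFAULT secureplatform
PROMPT 0
LABEL secureplatform
    KERNEL kernel
    APPEND initrd=ramdisk-pxe
EOF
}

# Verify that every file the client will request over TFTP exists and is
# readable: the boot loader, its config, the kernel and the ramdisk.
# Returns 0 when all are present; names the first missing file otherwise.
check_tftp_root() {
    root=$1
    for f in pxelinux.0 pxelinux.cfg/default kernel ramdisk-pxe; do
        if [ ! -r "$root/$f" ]; then
            echo "missing: $root/$f" >&2
            return 1
        fi
    done
    return 0
}
```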
Status
Use the Status page to view device and network information about the SecurePlatform machine.
Device Status
This provides a summary of the device status, and displays information such as the machine Host Name,
Version and Build, and Installation Type.
Network
This section allows you to configure the network interfaces, routing table, DNS and Host Name.
Network Connections
This page enables you to edit the properties of existing network connections (for example, xDSL
connections using PPPoE or PPTP) and to add the following interface types:
VLAN
Secondary IP
PPPoE
PPTP
Bond
Bridge
ISDN
Loopback
The Network Connections table displays all available network connections.
To configure network connections:
To edit the properties of an interface, click the Name of the interface.
To delete a connection, select the connection checkbox and click Delete.
Note - Loopback and Ethernet connections cannot be deleted. When a Bridge or Bond is deleted, the
interfaces allocated to that connection are released.
To disable a connection without deleting it, select the checkbox and click Disable.
To configure a connection to work without an IP address, click Remove IP.
To add a connection, click New and select the connection type from the drop-down list.
If the connections were changed while on this page, click Refresh.
Routing Table
This page enables you to manage the routing table on your device. You can add or delete static and default
routes.
Note - You cannot edit an existing route. To modify a specific route, delete it and create a new route in
its place. Be careful not to delete a route that allows you to connect to the device.
To delete a route:
Select the checkbox of the specific route and click Delete.
To add a new static route:
1. On the Routing Table page, click New and select Route. The Add New Route page appears.
2. Supply the:
Destination IP Address
Destination Netmask
Interface (from the drop-down box)
Gateway
Metric
3. Click Apply.
To add a default route:
1. On the Routing Table page, click New and select Default Route. The Add Default Route page
appears.
2. Supply the following:
Gateway
Metric
3. Click Apply.
DNS Servers
In the DNS Servers page, you can define up to three DNS servers.
Note - Changes in the DNS configuration will take effect only after restarting the device services. To
restart device services, use the Device Control page.
To add a Host:
1. Click New. The Add Host page is displayed.
2. Supply a Hostname.
3. Supply a Host IP Address.
4. Click Apply.
To delete a Host:
Select the checkbox of the entry and click Delete.
Device
Use these pages to configure the SecurePlatform machine.
Device Control
This page provides diagnostics information about all the processes that are running on the machine. For
each Process, the User, PID, Parent PID, %CPU, % Memory and Command are displayed. You can use the
Device Control drop-down list to Start, Restart, or Stop all of the Check Point products. In addition, you can
Shutdown the device, Reboot it, or download a diagnostic file (cpinfo output) useful for support.
To refresh the information displayed in the page click Refresh.
Backup
This page allows you to configure backup settings.
You can choose to configure a scheduled backup, or you can choose to perform an immediate backup
operation. The backup data can be stored on your desktop computer, locally (on the device), on a TFTP
Server, an SCP Server or an FTP Server.
Note - If you use a stock TFTP server with Unix/Linux flavors, you must create a world-writable file
having the same name as the proposed backup file before executing the backup. Otherwise, the backup
will not succeed. It is strongly recommended that you refer to your TFTP server manual, or simply to the
TFTP protocol, and verify that the usage of the utility is compliant with the environment that you are
working in.
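Added example (not from the guide) for the note above: on a stock Unix TFTP server, create the world-writable placeholder that the backup will overwrite, and verify its mode before the backup runs. It assumes the TFTP root and an explicit backup filename are given as arguments, so that the placeholder name matches the <Filename> passed to backup --tftp.

```shell
# Added example, not from the Check Point guide. Pre-creates the target file a
# stock TFTP daemon requires before a client may write to it. Use an explicit
# backup filename rather than the default backup_SystemName_TimeStamp.tgz, so
# the placeholder name is known in advance. Arguments are assumptions.

# Create an empty, world-writable placeholder for the backup file under the
# TFTP root, in an optional subdirectory (matching the -path option of backup).
# Prints the path the TFTP daemon will write to; returns non-zero on failure.
prepare_tftp_backup_target() {
    root=$1; subdir=$2; name=$3
    dir=$root
    [ -n "$subdir" ] && dir="$root/$subdir"
    mkdir -p "$dir" || return 1
    : > "$dir/$name" || return 1
    chmod 666 "$dir/$name" || return 1
    printf '%s\n' "$dir/$name"
}

# Check that a file is world-writable (the "other" write bit is set), so the
# placeholder can be re-verified before a scheduled backup fires.
is_world_writable() {
    mode=$(ls -l "$1" | cut -c1-10)      # e.g. -rw-rw-rw-; ACL/SELinux marker dropped
    case "$mode" in
        -???????w?) return 0 ;;
        *) return 1 ;;
    esac
}
```

Once the placeholder exists, run backup --tftp <ServerIP> -path <Path> <Filename> with the same subdirectory and filename.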
The SecurePlatform backup mechanism enables exporting snapshots of the user-configurable configuration.
Exported configurations can later be imported in order to restore a previous state in case of failure.
Two common use cases for backup are:
When the current configuration stops working, a previous exported configuration may be used in order to
revert to a previous system state.
Upgrading to a new SecurePlatform version. The procedure would include:
Backing up the configuration of the current version
Installing the new version
To make a backup now, click the Backup now link.
To configure a backup schedule, click Scheduled backup.
The Backup page displays the current device date and time. This may be different from the browser
machine time.
To restore the backup, run the restore shell command from the device.
Information Backed Up
The information backed up includes:
All settings performed by the Admin GUI
Network configuration data
Description
To restore the backup, run the restore shell command from the device. When the restore command is
executed by itself, without any additional flags, a menu of options is displayed. The options in the menu
provide the same functionality as the command line flags for the restore command.
Parameters
Parameter                                            Description
-h                                                   obtain usage
-d                                                   debug flag
--tftp <ServerIP> [<Filename>]                       IP address of the TFTP server from which the configuration is restored, and the filename.
--scp <ServerIP> <Username> <Password> [<Filename>]  IP address of the SCP server from which the configuration is restored, the username and password used to access the SCP server, and the filename.
--file <Filename>                                    Specify a filename for a restore operation performed locally.
Example
When the restore command is executed by itself, without any additional flags, the following menu is
displayed:
Output
Choose one of the following:
---------------------------------------------------
[L] Restore local backup package
[T] Restore backup package from TFTP server
[S] Restore backup package from SCP server
[R] Remove local backup package
[Q] Quit
---------------------------------------------------
Scheduling a Backup
To schedule a backup:
1. On the Backup page, click Scheduled backup. The Scheduled backup page appears.
2. Select Enable backup recurrence.
3. Set up the backup schedule.
4. Select a device to hold the backup. The options include the current SecurePlatform, a TFTP Server
(Trivial File Transfer Protocol: A version of the TCP/IP FTP protocol that has no directory or password
capability), or an SCP Server (SCP is a secure FTP protocol).
5. Click Apply.
To execute a backup:
Click Backup now.
Upgrade
To upgrade the device:
1. Download an upgrade package, as directed. If you already downloaded the file, you can skip this step.
Device Administrators
This page lists the device Administrators, allows you to create or delete the device Administrator, and
download a One Time Login Key.
To create a device Administrator:
1. On the device Administrators page, click New. The Add Administrator page appears.
2. For Check Point appliances only: It is recommended to select Secure Password Scheme, so that the
password strength is validated when the Administrator is created.
3. Provide a name and a password for the device Administrator.
4. Click Apply.
To download a One Time Login Key:
1. Click Download.
The Login Key Challenge page is displayed.
2. Supply a challenge-question and answer to protect your Login Key from unauthorized usage.
3. Click OK.
Note - The One Time Login Key will be required in case you forget your password. Save this file in a safe
place.
Product Configuration
Use these pages to configure the installed Check Point products on the SecurePlatform machine.
Certificate Authority
The Certificate Authority page lists key parameters of the Security Management Certificate Authority. The
certificate authority is the entity that issues certificates for the Security Management Server, Security
Gateways, users and other trusted entities such as OPSEC applications used in the system.
To create a new root certificate for the CA, click Reset.
Licenses
Use the Licenses page to apply a license for the products that you have installed.
To apply a license:
1. Click the Check Point User Center link to obtain a license from the User Center
(http://usercenter.checkpoint.com), if you do not yet have the required license.
2. Click New.
3. Enter the IP Address, Expiration Date, SKU/Features, and Signature Key; or copy the license string
into the clipboard, and click Paste License to copy all the information into the fields.
4. Click Apply.
Products
Use this page to see which products and versions are installed on the device.
Performance Optimization
In this page you can download the Performance Optimization Guide
(http://downloads.checkpoint.com/dc/download.htm?ID=8711) which describes how to optimize the
performance of Security Gateway for version R70 and later versions. The document also provides an
overview of some of the firewall technologies in order to provide a basic understanding of how to configure
the gateway parameters to best optimize network performance.
Click Start Download to obtain this document.
Using sysconfig
Once you have performed the first time setup, via the command line setup wizard, you can use sysconfig
to modify your configuration.
To run sysconfig, login to SecurePlatform and enter sysconfig at the prompt.
The sysconfig main menu lists the various configuration items (note that all configuration items must be
defined). We recommend step-by-step configuration, addressing each menu item in sequence, one after
the other.
Select a menu item by typing the relevant number and pressing Enter. Selecting a main menu option
displays an additional menu for setting or viewing various configuration items. To return to the main menu,
select the menu item Done. To quit, select Exit from the main menu.
When selecting a set option, sysconfig prompts you to enter all relevant configuration parameters. As
soon as all the parameters are completed, the change is applied.
Note - Entering e at any point during sysconfig takes you one menu level up.
Check Point Products Configuration
4  Time & Date  Set the time zone, date and local time, or show the date and time settings.
6  Routing      Add network and route, add new host, set default gateway, delete route, or show routing configuration.
For information on how to connect to your Security Management server using the Check Point
SmartConsole, refer to the R71 Internet Security Products Installation and Upgrade Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=10327)
For information on how to set up a Firewall and Address Translation policy, see the R71 Firewall
Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10309).
User Management
SecurePlatform Shell includes two permission levels (Modes): Standard and Expert.
Standard Mode
This is the default mode, when logging in to a SecurePlatform system. In Standard Mode, the
SecurePlatform Shell provides a set of commands, required for easy configuration and routine
administration of a SecurePlatform system. Most system commands are not supported in this Mode.
Standard mode commands are listed in SecurePlatform Shell.
Standard Mode displays the following prompt: [hostname]#, where hostname is the host name of the
machine.
Expert Mode
The Expert Mode provides full system root permissions and a full system shell. Switching from Standard
Mode to Expert Mode requires a password. The first time you switch to Expert Mode you will be asked to
select a password. Until then, the password is the same as the one that you set for Standard Mode, i.e.
you need to enter the first replacement password that you used when logging in as the admin user. Any
subsequent administrator password change will not update the expert password that you must enter at
the first-time expert user password change.
To exit Expert Mode, run the command exit.
Expert Mode displays the following prompt: [Expert@hostname]#, where hostname is the host name of
the machine.
Note - An Expert user must first log in as a Standard user, and only then enter the expert command to
access Expert Mode. Until you change passwords, the Expert password is the same password that you set
for Standard Mode, i.e. you need to enter the first replacement password that you used when logging in
as the admin user. Any subsequent admin password change will not update the expert password that you
must enter at the first-time expert user password change.
SecurePlatform Administrators
SecurePlatform supports multiple administrator access to the regular shell. This can be used to audit
configuration changes performed by administrators. Every such change is logged to the system's syslog
mechanism, with the username of the administrator, as a tag.
To configure another administrator from the cpshell:
Enter the following command:
adduser [-x EXTERNAL_AUTH] <user name>
You will be asked to enter and confirm a password for the administrator. The password must conform to the
following complexity requirements:
at least 6 characters, in length
a mixture of alphabetic and numeric characters
at least four different characters
does not use simple dictionary words, or common strings such as "qwerty"
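As an added example (not part of the guide), this shell function applies the four complexity rules above to a candidate password before it is entered at the adduser prompt; the dictionary and common-string lists are constructed stand-ins for a real word list.

```shell
# Added example, not from the Check Point guide. The word lists are constructed
# samples; a production check would use a full dictionary file.
DICTIONARY="password admin secret welcome letmein"
COMMON_STRINGS="qwerty 123456 abcdef"

# Return 0 if the candidate satisfies every rule listed in the guide; print
# the first failing rule on stderr and return 1 otherwise.
check_admin_password() {
    pw=$1
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')

    # Rule 1: at least 6 characters in length
    if [ "${#pw}" -lt 6 ]; then
        echo "too short (at least 6 characters required)" >&2; return 1
    fi
    # Rule 2: a mixture of alphabetic and numeric characters
    case "$pw" in *[[:alpha:]]*) ;; *) echo "no alphabetic character" >&2; return 1 ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) echo "no numeric character" >&2; return 1 ;; esac
    # Rule 3: at least four different characters (split into one char per line,
    # count the unique lines)
    distinct=$(printf '%s\n' "$pw" | fold -w1 | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -lt 4 ]; then
        echo "fewer than four different characters" >&2; return 1
    fi
    # Rule 4: no simple dictionary words or common strings such as "qwerty"
    # (compared case-insensitively, as a substring)
    for w in $DICTIONARY $COMMON_STRINGS; do
        case "$lower" in *"$w"*) echo "contains '$w'" >&2; return 1 ;; esac
    done
    return 0
}
```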
All Administrators must be authenticated by one of the supported authentication methods. As well as being
authenticated through the internal database, Administrators may also be authenticated via RADIUS.
SecurePlatform administrators can be authenticated using the RADIUS server in two ways:
By configuring the local user authentication via the RADIUS server. In this case it is necessary to define
all users that will be authenticated by the RADIUS server on every SecurePlatform machine, and it is
NOT required to define any RADIUS groups.
By defining the list of RADIUS groups. All users that belong to the RADIUS groups defined on
SecurePlatform will be able to authenticate and perform login.
The option utilizing RADIUS groups allows more flexibility, by eliminating the need to define all RADIUS
users on each SecurePlatform machine.
There is a special RADIUS group called any. When this group is present in the group list, ALL users defined
on the RADIUS server will be able to log into the SecurePlatform machine.
To authenticate an Administrator via RADIUS, you must:
1. Enter expert mode.
2. Type the command
pro enable
3. Verify that a RADIUS server is configured. If a RADIUS server is not configured, add one by using the
following command:
radius servers add <server[:port]> <secret> <timeout> <label>
4. Verify that at least one of the following is correct:
The user that you want to authenticate via the RADIUS server is configured on SecurePlatform, as
using the RADIUS authentication method. You can define local users that authenticate via RADIUS
by using the following command:
radius users add <username>
At least one RADIUS group is configured, and the user defined on the RADIUS server belongs to
that group. You can define RADIUS groups by using the following command line:
radius groups add <groupname>
5. Define the Administrator as a RADIUS user, by using the following command:
radius users add <username>
You can use the following commands to monitor and modify your RADIUS configuration.
To control RADIUS servers:
radius servers show
radius servers add <server[:port]> <secret> <timeout>
radius servers del <server[:port]>
To control RADIUS user groups:
radius groups show
radius groups add <groupname>
Using TFTP
The Trivial File Transfer Protocol (TFTP) provides an easy way for transferring files to and from
SecurePlatform. SecurePlatform mechanisms that can utilize TFTP include:
Backup / Restore Utilities
Patch Utility – used for software updates
Diag Utility – used for obtaining various diagnostics information
Note - Freeware and Shareware TFTP servers are readily available on the Internet.
Follow the vendor instructions on how to setup the TFTP server, and make sure that you configure the
server to allow both reception and transmission of files.
For more information about the backup and restore utilities, see backup and restore under System
Commands.
In This Chapter
Command Shell
Management Commands
Documentation Commands
Date and Time Commands
System Commands
Snapshot Image Management
System Diagnostic Commands
Check Point Commands
Network Diagnostics Commands
Network Configuration Commands
User and Administrator Commands
Command Shell
Command Set
To display a list of available commands, enter ? or help at the command prompt. Many commands provide
short usage instructions by running the command with the parameter '--help', or with no parameters.
Key  Command
^u   Delete line
Command Output
Some command output may be displayed on more than one screen. By default, the Command Shell will
display one screen, and prompt: -More-.
Press any key to continue displaying the rest of the command output.
The More functionality can be turned on or off, using the scroll command.
Management Commands
exit
Exit the current Mode:
In Standard Mode, exit the shell (logout of the SecurePlatform system)
In Expert Mode, exit to Standard Mode
Syntax
exit
Expert Mode
Switch from Standard Mode to Expert Mode.
Syntax
expert
Description
After entering the expert command, supply the expert password. After password verification, you will be
transferred into Expert Mode.
passwd
Changing the password can be performed in both modes. Changing the password in Standard Mode
changes the login password. Changing the password in Expert Mode changes the Expert Mode and Boot
Loader password. During the first transfer to Expert Mode, you will be required to enter your Standard Mode
password, i.e. the first replacement password that you used when logging in as the admin user. Any
subsequent admin password change will not update the expert password that you must enter at the
first-time expert user password change. After the Expert Mode password is changed, the new password
must be used to obtain Expert Mode access.
Syntax
passwd
Documentation Commands
help
List the available commands and their respective descriptions.
Syntax
help
or
?
date
Syntax
date [MM-DD-YYYY]
Parameters
Table 7-3 Date Parameters
time
Show or set the system's time. Changing the date or time affects the hardware clock.
Syntax
time [HH:MM]
Parameters
Table 7-4 Time Parameters
parameter  meaning
HH:MM      The time to be set; the first two digits (HH) are the hour [00..23], the last two digits (MM) are the minute [00..59]
timezone
Set the system's time zone.
Syntax
Parameters
Table 7-5 Time Zone Parameters
ntp
Configure and start the Network Time Protocol polling client.
Syntax
Parameters
Table 7-6 ntp Parameters
ntpstop
Stop polling the NTP server.
Syntax
ntpstop
ntpstart
Start polling the NTP server.
Syntax
ntpstart
System Commands
audit
Display or edit commands, entered in the shell for a specific session. The audit is not kept between
sessions.
Syntax
audit setlines <number_of_lines>
audit show <number_of_lines>
audit clear <number_of_lines>
Parameters
Table 7-7 Audit Parameters
parameter               meaning
show <number_of_lines>  Show the <number_of_lines> most recently entered commands
backup
Backup the system configuration. You can also copy backup files to a number of scp and tftp servers for
improved robustness of backup. The backup command, run by itself, without any additional flags, will use
default backup settings and will perform a local backup.
Syntax
backup -h
backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]
       [--tftp <ServerIP> [-path <Path>] [<Filename>]]
       [--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
       [--ftp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
       [--file [-path <Path>] [<Filename>]]
Parameters
Table 7-8 Backup Parameters
parameter meaning
-h obtain usage
-d debug flag
Examples
backup --file -path /tmp filename
backup --tftp <ip1> -path tmp
       --tftp <ip2> -path var file1
       --scp <ip3> username1 password1 -path /bin file2
       --file file3
       --scp <ip4> username2 password2 file4
       --scp <ip5> username3 password3 -path mybackup
The backup file is saved on:
1. tftp server with ip1; the backup file is saved in the tmp directory (under the tftp server default directory,
usually /tftproot) with the default file name, backup_SystemName_TimeStamp.tgz
2. tftp server with ip2; the backup file is saved in var (under the tftp server default directory, usually
/tftproot) as file1
3. scp server with ip3; the backup file is saved in /bin as file2
4. locally, in the default directory (/var/CPbackup/backups), as file3
5. scp server with ip4, in the username2 home directory, as file4
6. scp server with ip5, in ~username3/mybackup/, with the default backup file name
reboot
Restart the system.
Syntax
reboot
patch
Apply an upgrade or hotfix file.
Note - See the Release Notes for information about when to replace
the patch utility with a more recent version.
Syntax
patch add scp <ip_address> <patch_name> [password (in expert mode)]
patch add tftp <ip_address> <patch_name>
patch add cd <patch_name>
patch add <full_patch_path>
patch log
Parameters
Table 7-9 Patch Parameters
parameter meaning
cd install from CD
restore
Restore the system configuration.
Syntax
restore [-h] [-d][[--tftp <ServerIP> <Filename>] |
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]]
Parameters
parameter meaning
-h obtain usage
-d debug flag
When the restore command is executed by itself, without any additional flags, a menu of options is
displayed. The options in the menu provide the same functionality, as the command line flags, for the
restore command
Choose one of the following:
-----------------------------------------------------------
[L] Restore local backup package
[T] Restore backup package from TFTP server
[S] Restore backup package from SCP server
[V] Restore backup package from FTP server
[R] Remove local backup package
[Q] Quit
-----------------------------------------------------------
Select the operation of your choice.
shutdown
Shut down the system.
Syntax
shutdown
ver
Display the SecurePlatform system's version.
Syntax
ver
revert
Reboot the system from a snapshot file. The revert command, run by itself, without any additional flags, will
use default backup settings, and will reboot the system from a local snapshot.
Parameters
Table 7-10 Revert Parameters
parameter meaning
-h obtain usage
-d debug flag
The revert command functionality can also be accessed from the Snapshot image management boot
option.
snapshot
This command creates a snapshot file. The snapshot command, run by itself, without any additional flags,
will use default backup settings and will create a local snapshot.
Syntax
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] |
                   [--scp <ServerIP> <Username> <Password> <Filename>] |
                   [--ftp <ServerIP> <Username> <Password> <Filename>] |
                   [--file <Filename>]]
Parameters
Table 7-11 Snapshot Parameters
parameter meaning
-h obtain usage
-d debug flag
diag
Syntax
diag <log_file_name> tftp <tftp_host_ip_address>
Parameters
Table 7-12 Diag Parameters
log
Shows the list of available log files, applies log rotation parameters, shows the index of the log file in the list,
and selects the number of lines of the log to display.
Syntax
log --help
log list
log limit <log-index> <max-size> <backlog-copies>
log unlimit <log-index>
log show <log-index> [<lines>]
Parameters
Table 7-13 Log Parameters
top
Display the top 15 processes on the system and periodically updates this information. Raw CPU percentage
is used to rank the processes.
Syntax
top
ping
Syntax
ping [-dfnqrvR] [-c count] [-i wait] [-l preload] [-p pattern] [-s packetsize]
Parameters
Table 7-14 ping Parameters
traceroute
Tracking the route a packet follows (or finding the miscreant gateway that is discarding your packets) can be
difficult. Traceroute utilizes the IP protocol 'time to live' field and attempts to elicit an ICMP TIME_EXCEEDED
response from each gateway along the path to a designated host.
Syntax
traceroute [ -dFInrvx ] [ -f first_ttl ] [ -g gateway ] [ -i iface ]
           [ -m max_ttl ] [ -p port ] [ -q nqueries ] [ -s src_addr ] [ -t tos ]
           [ -w waittime ] host [ packetlen ]
Parameters
Table 7-15 traceroute Parameters
netstat
Show network statistics.
Syntax
netstat [-veenNcCF] [<Af>] -r
netstat {-V|--version|-h|--help}
netstat [-vnNcaeol] [<Socket> ...]
netstat { [-veenNac] -i | [-cnNe] -M | -s }
Parameters
Table 7-16 netstat Parameters
arp
Syntax
arp [-vn] [-H type] [-i if] -a [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]
addarp
addarp adds a persistent ARP entry (one that will survive re-boot).
Syntax
addarp <hostname> <hwaddr>
delarp
delarp removes ARP entries created by addarp.
Syntax
delarp <hostname> <MAC>
Parameters
Table 7-17 arp Parameters
hosts
Show, set or remove hostname to IP-address mappings.
Syntax
hosts add <IP-ADDRESS> <host1> [<host2> ...]
hosts remove <IP_ADDRESS> <host1> [<host2> ...]
hosts
Parameters
Table 7-18 hosts Parameters
ifconfig
Show, configure or store network interfaces settings.
Syntax
ifconfig [-a] [-i] [-v] [-s] <interface> [[<AF>] <address>]
[add <address>[/<prefixlen>]]
[del <address>[/<prefixlen>]]
[[-]broadcast [<address>]] [[-]pointopoint [<address>]]
[netmask <address>] [dstaddr <address>] [tunnel <address>]
[outfill <NN>] [keepalive <NN>]
[hw <HW> <address>] [metric <NN>] [mtu <NN>]
[[-]trailers] [[-]arp] [[-]allmulti]
[multicast] [[-]promisc]
[mem_start <NN>] [io_addr <NN>] [irq <NN>] [media <type>]
[txqueuelen <NN>]
[[-]dynamic]
[up|down]
[--save]
ifconfig Parameters
parameter            meaning
interface            The name of the interface. This is usually a driver name followed by a unit number, for example eth0 for the first Ethernet interface.
[-]arp               Enable or disable the use of the ARP protocol on this interface.
dstaddr addr         Set the remote IP address for a point-to-point link (such as PPP). This keyword is now obsolete; use the pointopoint keyword instead.
netmask addr         Set the IP network mask for this interface. This value defaults to the usual class A, B or C network mask (as derived from the interface IP address), but it can be set to any value.
irq addr             Set the interrupt line used by this device. Not all devices can dynamically change their IRQ setting.
io_addr addr         Set the start address in I/O space for this device.
mem_start addr       Set the start address for shared memory used by this device. Only a few devices need this parameter set.
media type           Set the physical port, or medium type, to be used by the device. Not all devices can change this setting, and those that can vary in what values they support. Typical values for type are 10base2 (thin Ethernet), 10baseT (twisted-pair 10Mbps Ethernet), AUI (external transceiver) and so on. The special medium type auto can be used to tell the driver to auto-sense the media. Not all drivers support this feature.
[-]broadcast [addr]  If the address argument is given, set the protocol broadcast address for this interface. Otherwise, set (or clear) the IFF_BROADCAST flag for the interface.
hw class address     Set the hardware address of this interface, if the device driver supports this operation. The keyword must be followed by the name of the hardware class and the printable ASCII equivalent of the hardware address. Hardware classes currently supported include: ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).
multicast            Set the multicast flag on the interface. This should not normally be needed, as the drivers set the flag correctly themselves.
txqueuelen length    Set the length of the transmit queue of the device. It is useful to set this to small values for slower devices with a high latency (modem links, ISDN), to prevent fast bulk transfers from disturbing interactive traffic, like telnet, too much.
vconfig
Configure virtual LAN interfaces.
Syntax
vconfig add [interface-name] [vlan_id]
vconfig rem [vlan-name]
Parameters
Table 7-19 vconfig Parameters
parameter meaning
route
Show, configure or save the routing entries.
Syntax
route [-nNvee] [-FC] [<AF>] List kernel routing tables
route [-v] [-FC] {add|del|flush} ... Modify routing table for AF.
route {-h|--help} [<AF>] Detailed usage syntax for specified AF.
route {-V|--version} Display version/author and exit.
route --save
Parameters
Table 7-20 route Parameters
parameter meaning extended meaning
hostname
Show or set the system's host name.
Syntax
hostname [--help]
hostname <host>
hostname <host> <external_ip_address>
Parameters
Table 7-21 hostname Parameters
parameter meaning
domainname
Show or set the system's domain name.
Syntax
domainname [<domain>]
Parameters
Table 7-22 domainname Parameters
parameter meaning
Show domainname
dns
Add, remove, or show the Domain Name resolving servers.
Syntax
dns [add|del <ip_of_nameserver>]
Parameters
Table 7-23 dns Parameters
parameter meaning
sysconfig
Interactive script to set networking and security of the system.
Syntax
sysconfig
webui
webui configures the port the SecurePlatform HTTPS web server uses for the management interface.
Syntax
webui enable [https_port]
webui disable
Parameters
Table 7-24 webui parameters
parameter meaning
adduser
Syntax
adduser [-x EXTERNAL_AUTH] <user name>
deluser
deluser deletes a SecurePlatform administrator.
Syntax
deluser <user name>
showusers
showusers displays all SecurePlatform administrators.
Syntax
showusers
lockout
Lock out a SecurePlatform administrator.
Syntax
lockout enable <attempts> <lock_period>
lockout disable
lockout show
Parameters
Table 7-25 lockout Parameters
parameter meaning
unlockuser
Unlock a locked administrator. (See lockout (on page 55) for more information about a locked administrator.)
Syntax
unlockuser <username>
checkuserlock
Display the lockout status of a SecurePlatform administrator (whether or not the administrator is locked out).
Syntax
checkuserlock <username>
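The following Python model is an added example, not SecurePlatform code; it illustrates what the lockout, checkuserlock and unlockuser commands above control. The page gives only the command syntax, so the counting rules used here (failures reset on a successful login, a lock expires after lock_period, a correct password is still refused while the account is locked) and the unit of lock_period (seconds) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    enabled: bool = True    # lockout enable / lockout disable
    attempts: int = 3       # lockout enable <attempts> ...
    lock_period: int = 300  # ... <lock_period>; ASSUMED to be seconds


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None


class LockoutTracker:
    """Tracks failed logins per administrator under a LockoutPolicy (assumed semantics)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        """checkuserlock: report lock status, expiring a lock whose period has passed."""
        st = self.accounts.get(user)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:
            st.locked_until, st.failures = None, 0
            return False
        return True

    def attempt_login(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' (bad password) or 'locked' (refused regardless of password)."""
        if self.is_locked(user, now):
            return "locked"
        st = self.accounts.setdefault(user, AccountState())
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if self.policy.enabled and st.failures >= self.policy.attempts:
            st.locked_until = now + self.policy.lock_period
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """unlockuser: clear the lock and the failure counter by administrative action."""
        self.accounts[user] = AccountState()


def demo() -> List[object]:
    """Replay a constructed login sequence against 'lockout enable 3 300'."""
    t = LockoutTracker(LockoutPolicy(enabled=True, attempts=3, lock_period=300))
    out: List[object] = [t.attempt_login("admin", False, now) for now in (0, 1, 2)]  # third failure locks
    out.append(t.attempt_login("admin", True, 10))   # correct password, but still inside the lock period
    out.append(t.is_locked("admin", 10))             # checkuserlock would report locked
    t.unlock("admin")                                # unlockuser
    out.append(t.attempt_login("admin", True, 11))   # works again after the unlock
    out += [t.attempt_login("admin", False, now) for now in (20, 21, 22)]  # locked a second time
    out.append(t.is_locked("admin", 22 + 300))       # lock has expired after lock_period
    return out
```

The sequence in demo() shows the property that matters for a brute-force defence: while the lock is in effect, even the correct password is refused, so an attacker who guesses right during the lock window learns nothing.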
Parameters
Table 8-26 snmp Parameters
parameter meaning
SNMP Monitoring
Introduction to SNMP Monitor
Hardware health sensors and RAID disks can be monitored using the SecurePlatform SNMP monitoring daemon. SNMP traps can be configured to fire once an OID value breaches a configurable threshold; when the OID value is back within the threshold boundaries, a "clear" trap is sent.
The SNMP monitoring daemon snmpmonitor integrates with the default SecurePlatform net-snmp / AgentX components that are part of the standard SecurePlatform installation.
Once the expression <oid> <operator> <threshold> evaluates to true, traps are sent until the expression evaluates back to false. At that point one or more clear traps are sent to indicate that the OID value has fallen back within acceptable boundaries.
Message   A textual message describing the trap (sent as part of the trap); it must be enclosed in double quotes ("").
Example:
cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 5 "memAvailReal"
cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 != "active" 5 "Cluster State"
To verify that the OID used in a cp_monitor line is correct, make sure the equivalent snmpget command returns a value. For example, when configuring the "memAvailReal" cp_monitor line from the example above, the following snmpget command should return a value:
snmpget -v 2c -c public localhost 1.3.6.1.4.1.2021.4.6.0
cp_cleartrap
The optional cp_cleartrap command tells the daemon how many clear traps to send, and the interval between them, once a rule's OID value falls back within the configured threshold.
cp_cleartrap <interval> <retries>
trap2sink
The trap2sink command designates a host that receives traps.
The snmpmonitor daemon requires a trap2sink command to exist in the /etc/snmp/snmpd.conf file. The trap2sink command is required (as opposed to the trapsink command) because the snmpmonitor daemon sends SNMP version 2c traps. Note that this command is part of the net-snmp configuration syntax.
Table 8-29 trap_2_sink parameters
parameter meaning
Example:
trap2sink 10.10.10.10 public
trap2sink 10.10.10.10:1610 MyCommunity
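The following Python script is an added example, not part of SecurePlatform or its snmpmonitor daemon. It parses a constructed snmpd.conf fragment written in the cp_monitor / cp_cleartrap / trap2sink syntax shown above, rejects a configuration that has rules but no trap2sink line (the requirement stated in this section), and replays the trap and clear-trap behaviour described for the daemon over a constructed series of polled OID values. The meaning of the numeric field after the threshold (treated here as a polling interval), the cp_cleartrap argument order, and the <=, >= and == operators beyond the <, > and != shown on this page are assumptions.

```python
import operator
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed snmpd.conf fragment, modelled on the examples in this chapter.
SAMPLE_SNMPD_CONF = """\
# net-snmp trap destination; required because snmpmonitor sends v2c traps
trap2sink 10.10.10.10:1610 MyCommunity
# ASSUMED argument order from the syntax line: cp_cleartrap <interval> <retries>
cp_cleartrap 30 2
cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 5 "memAvailReal"
cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 != "active" 5 "Cluster State"
"""

# The chapter shows <, > and !=; the other comparisons are an assumed extension.
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

RULE_RE = re.compile(
    r'^cp_monitor\s+(?P<oid>[\d.]+)\s+(?P<op><=|>=|==|!=|<|>)\s+'
    r'(?P<thr>"[^"]*"|\S+)\s+(?P<interval>\d+)\s+"(?P<msg>[^"]*)"\s*$')

@dataclass
class Rule:
    oid: str
    op: str
    threshold: Union[int, str]  # quoted threshold -> string compare, else integer
    interval: int               # ASSUMED meaning of the field after the threshold
    message: str
    breached: bool = False      # carried between polls: currently sending traps?

@dataclass
class MonitorConfig:
    trap_sinks: List[str] = field(default_factory=list)
    clear_interval: int = 0     # assumed defaults when no cp_cleartrap line exists
    clear_retries: int = 1
    rules: List[Rule] = field(default_factory=list)

def parse_config(text: str) -> MonitorConfig:
    """Extract the snmpmonitor-relevant lines from an snmpd.conf fragment."""
    cfg = MonitorConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("trap2sink "):
            cfg.trap_sinks.append(line.split()[1])  # host[:port]
        elif line.startswith("cp_cleartrap "):
            _, interval, retries = line.split()
            cfg.clear_interval, cfg.clear_retries = int(interval), int(retries)
        elif line.startswith("cp_monitor "):
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("malformed cp_monitor line: " + line)
            thr = m["thr"]
            threshold = thr.strip('"') if thr.startswith('"') else int(thr)
            cfg.rules.append(Rule(m["oid"], m["op"], threshold, int(m["interval"]), m["msg"]))
    # The requirement this chapter states: traps have nowhere to go without trap2sink.
    if cfg.rules and not cfg.trap_sinks:
        raise ValueError("cp_monitor rules present but no trap2sink destination configured")
    return cfg

def evaluate(rule: Rule, value: Union[int, str]) -> bool:
    """True while <oid> <operator> <threshold> holds for the polled value."""
    if isinstance(rule.threshold, str) != isinstance(value, str):
        raise TypeError(f"type mismatch for {rule.oid}: {value!r} vs {rule.threshold!r}")
    return OPS[rule.op](value, rule.threshold)

def run_monitor(cfg: MonitorConfig, polls: List[Dict[str, Union[int, str]]]) -> List[Tuple[int, str, str]]:
    """Replay polled values; return (poll number, 'TRAP' or 'CLEAR', message) events.
    A trap goes out on every poll while the expression is true; when it turns
    false again, clear_retries clear traps are queued (clear_interval apart)."""
    events: List[Tuple[int, str, str]] = []
    for n, sample in enumerate(polls):
        for rule in cfg.rules:
            if rule.oid not in sample:
                continue  # like a failed snmpget: nothing to evaluate this poll
            if evaluate(rule, sample[rule.oid]):
                rule.breached = True
                events.append((n, "TRAP", rule.message))
            elif rule.breached:
                rule.breached = False
                events.extend((n, "CLEAR", rule.message) for _ in range(cfg.clear_retries))
    return events

# Constructed poll results: free memory dips below 2000 and the cluster leaves "active".
SAMPLE_POLLS = [
    {"1.3.6.1.4.1.2021.4.6.0": 5000, "1.3.6.1.4.1.2620.1.5.6.0": "active"},
    {"1.3.6.1.4.1.2021.4.6.0": 1500, "1.3.6.1.4.1.2620.1.5.6.0": "active"},
    {"1.3.6.1.4.1.2021.4.6.0": 1800, "1.3.6.1.4.1.2620.1.5.6.0": "standby"},
    {"1.3.6.1.4.1.2021.4.6.0": 4000, "1.3.6.1.4.1.2620.1.5.6.0": "active"},
]

def demo() -> List[Tuple[int, str, str]]:
    """Run the sample config over the sample polls; yields 7 events."""
    return run_monitor(parse_config(SAMPLE_SNMPD_CONF), SAMPLE_POLLS)
```

Running demo() gives one trap on poll 1 (memory), two traps on poll 2 (memory and cluster state), and on poll 3, when both values are back within bounds, two clear traps per rule as requested by cp_cleartrap 30 2. The evaluator refuses to compare a string threshold with a numeric value, which is the class of mistake the snmpget check in this section is meant to catch before the rule goes live.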
1. Hardware sensors monitoring is supported on all UTM-1 models except the xx50 series.
2. Hardware sensors monitoring for open servers is supported on certified servers with an Intelligent
Platform Management Interface (IPMI) card installed. The IPMI specification defines a set of common
interfaces to a computer system, which system administrators can use to monitor system health.
3. RAID Monitoring with SNMP is supported on Power-1 servers with a RAID card installed (Power-1 9070
and Power-1 11070).
4. RAID Monitoring with SNMP on HP servers is supported with a P400 RAID controller.
RAID Monitoring with SNMP
Volumes 1.3.6.1.4.1.2620.1.6.7.7.1.1
Disks 1.3.6.1.4.1.2620.1.6.7.7.2.1
Each volume in the RAID configuration has an entry in the Volumes table. Each volume's entry in the
Volumes table contains the following OID values:
Disk Volume Information OID Comment
Index .1
Volume ID .2
Index .1
Volume ID .2
SCSI ID .3
Vendor .5
Product ID .6
Revision .7
SNMP monitoring rules are defined in the snmpd.conf configuration file. For full details see SNMP
Monitoring (on page 58).
Temperatures 1.3.6.1.4.1.2620.1.6.7.8.1.1
Voltages 1.3.6.1.4.1.2620.1.6.7.8.3.1
Each sensor in the system has an entry in one of the 3 tables. Each sensor's entry contains the following
OID values:
Index .1
Name .2
Value .3
SNMP monitoring rules are defined in the snmpd.conf configuration file. For full details see SNMP
Monitoring (on page 58).
On Power-1 and UTM-1 appliances the hardware status can be monitored using WebUI and SNMP polling,
or by defining the SNMP trap using the cp_monitor mechanism.
SNMP monitoring rules are defined in the snmpd.conf configuration file. For full details see SNMP
Monitoring (on page 58). Examples of cp_monitor for various appliance types are as follows:
UTM-1 130
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0 > 80 20 "M/B Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0 > 90 20 "CPU Temp is too high"
UTM-1 270
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0 > 80 20 "M/B Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0 > 100 20 "CPU Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.1.0 < 16320 20 "Case Fan speed is too low"
Power-1 5070
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0 > 80 20 "M/B Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0 > 100 20 "CPU Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.1.0 < 4220 20 "Case Fan speed is too low"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.2.0 < 16320 20 "CPU 1 Fan speed is too low"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.3.0 < 16320 20 "CPU 2 Fan speed is too low"
Power-1 9070
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0 > 100 20 "CPU 1 Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0 > 100 20 "CPU 2 Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.3.0 > 80 20 "M/B Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.1.0 < 3000 20 "CPU 1 Fan speed is too low"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.2.0 < 3000 20 "CPU 2 Fan speed is too low"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.3.0 < 3000 20 "Case Fan speed is too low"
Power-1 11000
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0 > 100 20 "CPU 1 Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0 > 80 20 "M/B Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.3.0 > 100 20 "CPU 2 Temp is too high"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.1.0 < 0 20 "Case Fan 1 speed is too low"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.2.0 < 500 20 "CPU 1 Fan speed is too low"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.3.0 < 500 20 "CPU 2 Fan speed is too low"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.4.0 < 0 20 "Case Fan 2 speed is too low"
cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.5.0 < 0 20 "Case Fan 3 speed is too low"
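The helper below is an added example, not Check Point code. It decodes the sensor OIDs used in the cp_monitor lines above into (table, column, sensor index), renders cp_monitor lines from a constructed sensor inventory, and checks that a hand-written rule addresses a sensor's Value column rather than its Index or Name column. The Temperatures and Voltages table bases are the ones listed in this chapter; the Fans base 1.3.6.1.4.1.2620.1.6.7.8.2.1 is an assumption read off the fan-speed OIDs in the appliance examples, and the sample inventory mirrors the UTM-1 270 example.

```python
from typing import Dict, List, NamedTuple, Tuple

SENSOR_TABLES: Dict[str, str] = {
    "Temperatures": "1.3.6.1.4.1.2620.1.6.7.8.1.1",  # from this chapter
    "Fans":         "1.3.6.1.4.1.2620.1.6.7.8.2.1",  # ASSUMED from the fan-speed examples
    "Voltages":     "1.3.6.1.4.1.2620.1.6.7.8.3.1",  # from this chapter
}
COLUMNS = {1: "Index", 2: "Name", 3: "Value"}  # per-sensor entry columns from this chapter


class SensorOid(NamedTuple):
    table: str
    column: str
    index: int


def decode_sensor_oid(oid: str) -> SensorOid:
    """Split <table base>.<column>.<sensor index>.0 into its parts."""
    for table, base in SENSOR_TABLES.items():
        if not oid.startswith(base + "."):
            continue
        parts = oid[len(base) + 1:].split(".")
        if len(parts) != 3 or parts[2] != "0":
            raise ValueError("sensor OID must end in <column>.<index>.0: " + oid)
        column, index = int(parts[0]), int(parts[1])
        if column not in COLUMNS:
            raise ValueError(f"unknown column {column} in {oid}")
        return SensorOid(table, COLUMNS[column], index)
    raise ValueError("not a SecurePlatform sensor-table OID: " + oid)


def sensor_value_oid(table: str, index: int) -> str:
    """OID of the Value column (.3) for sensor <index> in <table>."""
    return f"{SENSOR_TABLES[table]}.3.{index}.0"


def make_rule(table: str, index: int, op: str, threshold: int, message: str, interval: int = 20) -> str:
    """Render one cp_monitor line in the form used throughout this chapter."""
    return f'cp_monitor {sensor_value_oid(table, index)} {op} {threshold} {interval} "{message}"'


def rule_targets_value_column(rule_line: str) -> bool:
    """Sanity check for hand-written rules: the OID must be a sensor's Value cell,
    not its Index or Name column (a threshold on those never means anything)."""
    oid = rule_line.split()[1]
    try:
        return decode_sensor_oid(oid).column == "Value"
    except ValueError:
        return False


# Constructed inventory mirroring the UTM-1 270 example above:
# (table, sensor index, operator, threshold, message)
UTM1_270_SENSORS: List[Tuple[str, int, str, int, str]] = [
    ("Temperatures", 1, ">", 80, "M/B Temp is too high"),
    ("Temperatures", 2, ">", 100, "CPU Temp is too high"),
    ("Fans", 1, "<", 16320, "Case Fan speed is too low"),
]


def generate_rules(sensors=UTM1_270_SENSORS, interval: int = 20) -> List[str]:
    """Produce the cp_monitor lines for a sensor inventory."""
    return [make_rule(t, i, op, thr, msg, interval) for t, i, op, thr, msg in sensors]
```

generate_rules() reproduces the three UTM-1 270 lines above character for character, and rule_targets_value_column() returns False both for an OID outside the sensor tables (such as the memAvailReal OID from the earlier example) and for a rule that mistakenly points at a sensor's Name column.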
The Hardware Sensors page provides information about the temperature, voltage and fan speed of the
appliance. A warning is displayed if one of the values exceeds its threshold. The thresholds are
hard-coded in the hardware.
The following shows the Hardware Sensors page of the SecurePlatform Web interface.
Index

A
addarp • 47
adduser • 55
Administration Web Server Definition • 18
Administrator Security Settings • 19
arp • 47
audit • 34

B
backup • 34
Backup • 16
Backup and Restore • 28
Before Using the Tool • 8
BIOS • 9
BIOS Security Configuration Recommendations • 9
Booting in Maintenance Mode • 67

C
Certificate Authority • 20
Check Point Commands • 42
Check Point Products Configuration • 23
checkuserlock • 56
Client Setup • 11
Command Line Editing • 29
Command Output • 30
Command Set • 29
Command Shell • 29
Commands used by SNMP Monitor • 58
Configuration Using the Command Line • 22
Configuration Using the Web Interface • 13
Configuring SNMP Monitoring and Traps • 60
Configuring the SNMP Agent • 57
Connecting to SecurePlatform by Using Secure Shell • 24
Connecting to the Web Interface • 13
cp_cleartrap • 59
cp_monitor • 58
Customizing the Boot Process • 67

D
date • 31
Date and Time Commands • 31
delarp • 47
deluser • 55
Description • 31
Device • 16
Device Administrators • 19
Device Control • 16
Device Date and Time Setup • 16
Device Status • 14
DHCP Daemon Setup • 11
diag • 40
dns • 53
DNS Servers • 15
Documentation Commands • 31
domainname • 53
Download SmartConsole Applications • 20

E
Example RAID Monitoring OIDs • 63
Example Sensors Monitoring OIDs • 64
Examples • 35
exit • 30
Expert Mode • 25, 30

F
FIPS 140-2 Compliant Systems • 27
First Time Setup Using the Command Line • 22
First Time Setup Using the Web Interface • 13

G
General Procedure • 10

H
Hardware Compatibility Testing Tool • 8
Hardware Health Monitoring • 61
help • 31
Host and Domain Name • 15
Hosting Installation Files • 12
hostname • 53
hosts • 48
How to Authenticate Administrators via RADIUS • 26

I
ifconfig • 49
Information Backed Up • 17
installation • 7
    before you begin • 7
    without CD-ROM • 7
Installing Products on SecurePlatform • 9
Installing SecurePlatform on Computers without CDROM Drives • 10
Introduction to Hardware Health Monitoring • 61
Introduction to SecurePlatform • 6
Introduction to SNMP Monitor • 58

L
Licenses • 20
Local Hosts Configuration • 15
lockout • 55
Lockout of Administrator Accounts • 27
log • 41

M
Management Commands • 30
Managing Your SecurePlatform System • 24

N
netstat • 45
Network • 14
Network Configuration Commands • 47
Network Connections • 14
Network Diagnostics Commands • 42
ntp • 33
ntpstart • 33
ntpstop • 33

O
Obtaining the Hardware Compatibility Testing Tool • 8

P
Parameters • 32, 33, 34, 35, 37, 39, 40, 41, 42, 44, 46, 47, 49, 51, 52, 53, 54, 56, 57
passwd • 31
patch • 36
Performance Optimization • 21
ping • 42
Preparing the SecurePlatform Machine • 7
Preparing to Install SecurePlatform • 7
pro enable command • 26
Product Configuration • 20
Products • 21
PXELINUX Configuration Files • 11

R
RAID Monitoring with SNMP • 61
reboot • 36
Required Packages • 11
restore • 37
Restoring the Backup • 17
Revert • 39
route • 52
Routing Table • 15
Running the Hardware Compatibility Testing Tool • 8

S
Scheduling a Backup • 18
SecurePlatform Administrators • 25
SecurePlatform Boot Loader • 67
SecurePlatform Hardware Requirements • 7
SecurePlatform Shell • 29
Security Management Administrator • 20
Security Management GUI Clients • 20
Sensors Monitoring Via the Web Interface on Power-1 and UTM-1 • 65
Sensors Monitoring with SNMP • 63
Sensors Monitoring with SNMP on Power-1 and UTM-1 Appliances • 64
serial console • 7
Server Setup • 11
showusers • 55
shutdown • 38
Snapshot • 39
Snapshot Image Management • 38, 67
SNMP Monitor Configuration Guidelines • 58
SNMP Monitoring • 58
SNMP Support • 57
Standard Mode • 25
Status • 14
Syntax • 30, 31, 32, 33, 34, 36, 37, 38, 40, 41, 42, 43, 45, 47, 48, 49, 51, 52, 53, 54, 55, 56
sysconfig • 54
System Commands • 34
System Diagnostic Commands • 40

T
TFTP and FTP Daemon Setup • 12
time • 32
timezone • 32
top • 42
traceroute • 43
trap2sink • 59

U
unlockuser • 56
Upgrade • 18
User and Administrator Commands • 55
User Management • 24
Using sysconfig • 22
Using TFTP • 27
Using the Hardware Compatibility Testing Tool • 8

V
vconfig • 51
ver • 38
VGA display • 7
Viewing the Backup Log • 18
Viewing the Scheduling Status • 17

W
Web and SSH Clients • 19
webui • 54