作業環境
- 型番: Check Point 750(L-71W)
- バージョン: R77.20.80
コンフィグ関連
■コンフィグの表示
show configuration
CheckPoint-01> show configurationシステム関連
■ファームウェアバージョンの表示
show software-versionver
CheckPoint-01> show software-version
This is Check Point's 750 Appliance R77.20.80 - Build 392※ver でも全く同じ出力内容となります
※当作業環境では使用不可でしたが show version all というコマンドもあるようです
■ライセンス情報の表示
cplic print
CheckPoint-01> cplic print
Host Expiration Features
======================================================================
Check Point product trial period will expire in 31 days.
Until then, you will be able to use the complete Check Point Product Suite.
Please obtain a permanent license from Check Point User Center at:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html
======================================================================■管理者アクセス設定の表示
show admin-access
CheckPoint-01> show admin-access
LAN: true
Wireless: true
VPN: true
WAN: true
allowed-ipv4-addresses: any
web-access-port: 4434
ssh-access-port: 22
support-weak-tls-version: false■DNS 設定の表示
show dns
CheckPoint-01> show dns
mode: global
proxy: on
resolving: on
primary ipv4-address: 8.8.8.8
secondary ipv4-address: 192.168.179.1
tertiary ipv4-address:■時刻の表示
show clock
CheckPoint-01> show clock
Tue May 11 23:33:37 GMT+0900 2021■NTP 設定の表示
show ntp
CheckPoint-01> show ntp
active: on
primary: 10.1.10.1
secondary: ntp.nict.jp
interval: 1
auth: off
secret:
secret-id:
timezone: GMT+09:00(Osaka/Sapporo/Tokyo)
auto-adjust-daylight-saving: onshow ntp servers
CheckPoint-01> show ntp servers
primary: 10.1.10.1
secondary: ntp.nict.jpハードウェア関連
■モデル情報・診断情報の表示
show diag
CheckPoint-01> show diag
Current system info
-----------------------------------
Image name: R77_990172392_20_80
Image version: 392
Bootloader version: 91
HW MAC Address: 00:1C:7F:7F:32:53
LAN MAC Address: 00:1C:7F:7F:32:54
DMZ MAC Address: 00:1C:7F:7F:32:55
Wireless region: 32 - MKK5_MKKA2
Unit version: 1
Unit model: L71
Marketing capabilities: 1
Marketing name: 750
ODM Hardware Revision:
Management opaque: kpcIPeo5MH4=:Dc71eohj77M=:kQ3GX4dnVco=
Hardware capabilities: 3 - SD card + Wireless
RTC status: OK
NAND status: OK
The total number of NAND blocks in the appliancebox is 4096
The max number of NAND bad blocks allowed in the appliance is 80
The number of NAND bad blocks in the appliance is 0
On board temperature: 49.0C (valid: -5C ~ 85C)
CPU temperature: 59.0C (valid: 0C ~ 105C)
Voltage VDD_3P3V: 3.3880V (valid: 3.1255V ~ 3.4755V)
Voltage VDD_12V: 12.252V (valid: 11.343V ~ 12.663V)
Voltage VDD_5V: 5.057V (valid: 4.722V ~ 5.282V)
Voltage VDD_1P8V: 1.8000V (valid: 1.7005V ~ 1.9005V)
Voltage VDD_1P5V: 1.4940V (valid: 1.4155V ~ 1.5855V)
Voltage VDD_1P05V: 1.058V (valid: 0.988V ~ 1.113V)
Voltage VDD_CPU_1V: 1.088V (valid: 0.855V ~ 1.128V)
Voltage VDD_0P9V: 0.9060V (valid: 0.8455V ~ 0.9555V)
Voltage DDR_VTT_0P75V: 0.748V (valid: 0.703V ~ 0.798V)
----------------------------------- インターフェース関連
■インターフェース状態一覧の表示
show interfaces table
CheckPoint-01> show interfaces table
name ipv4-address mask-length assignment status mac-address
LAN1_Sw... 192.168.1.1 24 ASSIGNMENT.SEPAR... 00:1c:7f:7f:32:54
DMZ 0 ASSIGNMENT.UNASS... off 00:1c:7f:7f:32:55
cp7f7f3253 192.168.252.1 24 ASSIGNMENT.SEPAR... off 00:10:f3:78:bd:3f
LAN1 0 LAN1Sw 1/full
LAN2 0 LAN1Sw disconnected
LAN3 10.10.10.1 24 ASSIGNMENT.SEPAR... 100/full 00:1c:7f:7f:32:54
LAN4 0 ASSIGNMENT.UNASS... off 00:1c:7f:7f:32:54
LAN5 0 ASSIGNMENT.UNASS... off 00:1c:7f:7f:32:54
LAN6 0 ASSIGNMENT.UNASS... off 00:1c:7f:7f:32:54
Internet1 10.1.10.9 24 ASSIGNMENT.SEPAR...show interfaces all
CheckPoint-01> show interfaces all
name: LAN1_Switch
ipv4-address: 192.168.1.1
status:
mac-address: 00:1c:7f:7f:32:54
description:
name: DMZ
ipv4-address:
status: off
mac-address: 00:1c:7f:7f:32:55
description:
name: cp7f7f3253
ipv4-address: 192.168.252.1
status: off
mac-address: 00:10:f3:78:bd:3f
description:
name: LAN1
ipv4-address:
status: 1/full
mac-address:
description:
(以下略)■インターフェースの詳細情報の表示
show interface <インターフェース名>
CheckPoint-01> show interface LAN3
dhcp-exclude-end-range:
bridge-stp-priority: 32768
lan-mac-filtering: on
vti-is-numbered:
ipv6-address:
secondary:
cluster-status: non-ha
other-config-flag: off
wireless-radio-mode: off
bridge-stp-hello-time: 2
protected-mgmt-frames: off
description:
rts-threshold: 2346
subnet-mask: 255.255.255.0
is-connection-static: false
lan-access-track: none
ssid: cp_vap1
mac-address: 00:1c:7f:7f:32:54
dns-ipv6 primary:
min-advertisement-interval:
password:
assignment: ASSIGNMENT.SEPARATE_NETWORK
wireless-wep-password1:
interface: LAN3
dns-primary:
wep-default-key: 1
exclude-ip-pool:
xr: off
hop-limit: 64
include-ip-pool: 10.10.10.1-10.10.10.254
dns-secondary:
dhcp-ipv6-range-end:
wpa-authenticate-using: password
dns-tertiary:
wds: off
station-to-station: allow
wireless-wep-password2:
exclude-ipv6-pool:
wmm: on
name:
is-hidden: false
mtu: 1500
dhcp-ipv6-exclude-start-range:
802dot1x-re-authentication-frequency:0
bridge-anti-spoofing: off
bridge-stp-forward-delay: 15
status: 100/full
tkip-group-key-update-interval:600
max-advertisement-interval: 600
advertisement-lifetime:
default-gw:
retransmission-timer: 0
hidden-bridge-interface:
nat: on
type: lan
wireless-wep-password4:
internet-connection: table: 0x66324d58
wireless-wep-password3:
ipv6-prefix-length: 64
relay relay-to:
hide-ssid: off
internet-can-be-bridged: false
network-ports: LAN3
mac-address-override:
bridge-stp-aging-time: 20
ipv4-address: 10.10.10.1
beacon-interval: 100
state: on
wds-peer-mac-address:
dhcp-options: table: 0x66326410
dns-ipv6 secondary:
dhcp-ipv6-exclude-end-range:
lan-access: accept
bridge-range:
interface-type: internet-connection
exclude-from-dns-proxy: off
relay-secondary:
dns-ipv6 tertiary:
display-name: LAN3
send-mtu-flag: off
dhcp-exclude-start-range:
name: LAN3
use-defined-networks: false
use-router-advertisement: on
security-type: WPA/WPA2
dhcp-ipv6: off
stp-cost: 100
link-speed: 10/half
band: table: 0x66326d98
mask-length: 24
guest-wireless:
dhcp-range-start: 10.10.10.1
dtim-period: 1
type: unnumbered
auto-negotiation: on
relay relay-to:
dhcp-ipv6-range-start:
reachable-timer: 0
hotspot: off
wireless-transmission-rate: auto
stp: off
dhcp-range-end: 10.10.10.254
remote:
dhcp: off
dns-ipv6: auto
name: LAN3
wireless-mac-filter: off
wireless-mac-filter-list: table: 0x66327590
802dot1x-authentication: off
stp-priority: 128
peer:
bridge-log-dropped-non-iP: off
managed-config-flag: off
wpa-encryption-type: Auto
vti-number: 0
fragmentation-threshold: 2346
is-bridge-fw-enabled: on
include-ipv6-pool:
master-key-update-interval: 86400
vlan: 3ポリシー関連
■ポリシー一覧の表示
show access-rules type outgoing
CheckPoint-01> show access-rules type outgoing
index name disabled action log src dest service application
1 false accept log NW_10.10.10.0_24
2 false accept log NW_192.168.1.0_24
3 false block log Any_T... Predefine...
4 false block logshow access-rules type incoming-internal-and-vpn
CheckPoint-01> show access-rules type incoming-internal-and-vpn
index name disabled action log src dest service
1 false block logルーティング関連
■ルーティングテーブルの表示
show route all
CheckPoint-01> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
S 0.0.0.0/0 via 10.1.10.6, WAN, cost 0, age 2
C 10.1.10.0/24 is directly connected, WAN
WAN
C 10.10.10.0/24 is directly connected, LAN3
LAN3
C 127.0.0.0/8 is directly connected, lo
lo
C 192.168.1.0/24 is directly connected, LAN1
LAN1■arp テーブルの表示
arp -a
CheckPoint-01> arp -a
? (192.168.1.101) at on LAN1
? (192.168.1.100) at 00:e0:4c:27:f9:0e [ether] on LAN1 インターネット接続関連
■インターネット接続一覧の表示
show internet-connections table
CheckPoint-01> show internet-connections table
name ip-version interface type ipv4-address mask-length default-gw
Internet1 ipv4 WAN dhcp 10.1.10.9 24 10.1.10.6ログ関連
■システムログ・カーネルログの表示
show logs systemshow logs kernel
CheckPoint-01> show logs systemCheckPoint-01> show logs kernelExpert モードでのコマンド
■Linux カーネル情報の表示
cat /proc/version
[Expert@CheckPoint-01]# cat /proc/version
Linux version 3.10.20-al-5.0-pr2 (builder@Lnx50BccCmp8.checkpoint.com) (gcc version 4.7.3 20130328 (prerelease) (crosstool-NG linaro-1.13.1-4.7-2013.04-20130415 - Linaro GCC 2013.04) ) #1 SMP Thu May 10 14:38:41 IDT 2018■インターフェース情報の表示
ifconfig -a
[Expert@CheckPoint-01]# ifconfig -a
DMZ Link encap:Ethernet HWaddr 00:1C:7F:7F:32:55
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
DSL Link encap:Ethernet HWaddr 9E:38:5C:19:8C:B2
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
LAN1 Link encap:Ethernet HWaddr 00:1C:7F:7F:32:54
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:527120 errors:0 dropped:0 overruns:0 frame:0
TX packets:697390 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:70888605 (67.6 MiB) TX bytes:620930861 (592.1 MiB)
(以下略)■ハードウェア情報の表示 (Serial 等)
dmidecode
※バージョン R80 を対象とした情報がありましたが、当作業環境では使用不可でした
■サポート用情報の表示(通常は使わない?)
cpinfo
恐らくサポート用の情報がすべて出力されますが、量がとんでもなく多く(数十MB単位)、出力が終わらないので使わない方が良いかもしれません。
非エキスパートモードで、以下コマンドでサポートファイルを TFTP サーバに保存できました。こちらの方法を使ったほうが良さそうです。
cpinfo to-tftp <TFTPサーバアドレス>
CheckPoint-01> cpinfo to-tftp 192.168.1.100
Creating cpinfo.txt file...
Copying cpinfo file to TFTP server: 192.168.1.100
Cpinfo file has been copied to TFTP server―――――――――――――
