【Check Point 750】Summary of show commands

Firewall (UTM)

Working environment

  • Model: Check Point 750 (L-71W)
  • Version: R77.20.80

Note that some of these commands differ on other models and on R80 / R80.20.

Configuration

■Displaying the configuration

  • show configuration
CheckPoint-01> show configuration

System

■Displaying the firmware version

  • show software-version
  • ver

CheckPoint-01> show software-version
This is Check Point's 750 Appliance R77.20.80 - Build 392

ver produces exactly the same output.
※A show version all command also appears to exist, but it was not available in this environment.

■Displaying license information

  • cplic print
CheckPoint-01> cplic print
Host             Expiration  Features



======================================================================
 Check Point product trial period will expire in 31 days.
 Until then, you will be able to use the complete Check Point Product Suite.
 Please obtain a permanent license from Check Point User Center at:
 https://usercenter.checkpoint.com/pub/usercenter/get_started.html
======================================================================

■Displaying the administrator access settings

  • show admin-access
CheckPoint-01> show admin-access
LAN:                          true
Wireless:                     true
VPN:                          true
WAN:                          true
allowed-ipv4-addresses:       any
web-access-port:              4434
ssh-access-port:              22
support-weak-tls-version:     false
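As an added example (not part of the original post), the key/value output of show admin-access above is parsed and checked for two settings a reviewer would look at: management reachable from the WAN side with allowed-ipv4-addresses left at any, and weak TLS versions enabled. The sample output is the one captured above, embedded inline; the checks themselves are this example's own assumptions, not a Check Point baseline.

```python
import re

# Constructed sample: the `show admin-access` output captured on the appliance,
# embedded inline so the example runs offline.
SAMPLE_ADMIN_ACCESS = """\
LAN:                          true
Wireless:                     true
VPN:                          true
WAN:                          true
allowed-ipv4-addresses:       any
web-access-port:              4434
ssh-access-port:              22
support-weak-tls-version:     false
"""

# Matches the 'key:   value' lines most Gaia Embedded show commands print.
# The key is taken up to the first colon, so values such as 'GMT+09:00' survive.
KV_LINE = re.compile(r"^([\w\- ]+?):\s*(.*)$")


def parse_kv(output: str) -> dict:
    """Parse 'key: value' lines into a dict; empty values (e.g. 'tertiary
    ipv4-address:') are kept as '' so missing and empty can be told apart."""
    result = {}
    for line in output.splitlines():
        m = KV_LINE.match(line.rstrip())
        if m:
            result[m.group(1).strip()] = m.group(2).strip()
    return result


def admin_access_findings(output: str) -> list:
    """Return review findings for a `show admin-access` dump (assumed checks)."""
    cfg = parse_kv(output)
    findings = []
    # Management open from the Internet-facing side without a source restriction.
    if cfg.get("WAN") == "true" and cfg.get("allowed-ipv4-addresses", "any") == "any":
        findings.append("management reachable from WAN with no source IP restriction")
    # Legacy TLS versions accepted by the web UI on web-access-port.
    if cfg.get("support-weak-tls-version") == "true":
        findings.append("weak TLS versions enabled for the web UI")
    return findings


if __name__ == "__main__":
    for finding in admin_access_findings(SAMPLE_ADMIN_ACCESS):
        print("FINDING:", finding)
```

The same parse_kv helper works for the show dns and show ntp output further down, since they use the same layout.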

■Displaying the DNS settings

  • show dns
CheckPoint-01> show dns
mode:                         global
proxy:                        on
resolving:                    on
primary ipv4-address:         8.8.8.8
secondary ipv4-address:       192.168.179.1
tertiary ipv4-address:

■Displaying the clock

  • show clock
CheckPoint-01> show clock
Tue May 11 23:33:37 GMT+0900 2021

■Displaying the NTP settings

  • show ntp
CheckPoint-01> show ntp
active:                       on
primary:                      10.1.10.1
secondary:                    ntp.nict.jp
interval:                     1
auth:                         off
secret:
secret-id:
timezone:                     GMT+09:00(Osaka/Sapporo/Tokyo)
auto-adjust-daylight-saving:  on

  • show ntp servers
CheckPoint-01> show ntp servers
primary:                      10.1.10.1
secondary:                    ntp.nict.jp

Hardware

■Displaying model and diagnostic information

  • show diag
CheckPoint-01> show diag


Current system info
-----------------------------------
Image name: R77_990172392_20_80
Image version: 392
Bootloader version: 91
HW MAC Address: 00:1C:7F:7F:32:53
LAN MAC Address: 00:1C:7F:7F:32:54
DMZ MAC Address: 00:1C:7F:7F:32:55
Wireless region: 32 - MKK5_MKKA2
Unit version: 1
Unit model: L71
Marketing capabilities: 1
Marketing name: 750
ODM Hardware Revision: 
Management opaque: kpcIPeo5MH4=:Dc71eohj77M=:kQ3GX4dnVco=
Hardware capabilities: 3 - SD card + Wireless
RTC status: OK
NAND status: OK
The total number of NAND blocks in the appliancebox is 4096
The max number of NAND bad blocks allowed in the appliance is 80
The number of NAND bad blocks in the appliance is 0
On board temperature: 49.0C (valid: -5C ~ 85C)
CPU temperature:      59.0C (valid: 0C ~ 105C)
Voltage VDD_3P3V:        3.3880V (valid: 3.1255V ~ 3.4755V)
Voltage VDD_12V:        12.252V (valid: 11.343V ~ 12.663V)
Voltage VDD_5V:        5.057V (valid: 4.722V ~ 5.282V)
Voltage VDD_1P8V:        1.8000V (valid: 1.7005V ~ 1.9005V)
Voltage VDD_1P5V:         1.4940V (valid: 1.4155V ~ 1.5855V)
Voltage VDD_1P05V:     1.058V (valid: 0.988V ~ 1.113V)
Voltage VDD_CPU_1V:     1.088V (valid: 0.855V ~ 1.128V)
Voltage VDD_0P9V:     0.9060V (valid: 0.8455V ~ 0.9555V)
Voltage DDR_VTT_0P75V:     0.748V (valid: 0.703V ~ 0.798V)
-----------------------------------

Interfaces

■Displaying the interface status table

  • show interfaces table
CheckPoint-01> show interfaces table
name        ipv4-address      mask-length  assignment           status           mac-address
LAN1_Sw...  192.168.1.1       24           ASSIGNMENT.SEPAR...                   00:1c:7f:7f:32:54
DMZ                           0            ASSIGNMENT.UNASS...  off              00:1c:7f:7f:32:55
cp7f7f3253  192.168.252.1     24           ASSIGNMENT.SEPAR...  off              00:10:f3:78:bd:3f
LAN1                          0            LAN1Sw               1/full
LAN2                          0            LAN1Sw               disconnected
LAN3        10.10.10.1        24           ASSIGNMENT.SEPAR...  100/full         00:1c:7f:7f:32:54
LAN4                          0            ASSIGNMENT.UNASS...  off              00:1c:7f:7f:32:54
LAN5                          0            ASSIGNMENT.UNASS...  off              00:1c:7f:7f:32:54
LAN6                          0            ASSIGNMENT.UNASS...  off              00:1c:7f:7f:32:54
Internet1   10.1.10.9         24           ASSIGNMENT.SEPAR...

  • show interfaces all
CheckPoint-01> show interfaces all
name:                         LAN1_Switch
ipv4-address:                 192.168.1.1
status:
mac-address:                  00:1c:7f:7f:32:54
description:

name:                         DMZ
ipv4-address:
status:                       off
mac-address:                  00:1c:7f:7f:32:55
description:

name:                         cp7f7f3253
ipv4-address:                 192.168.252.1
status:                       off
mac-address:                  00:10:f3:78:bd:3f
description:

name:                         LAN1
ipv4-address:
status:                       1/full
mac-address:
description:
(remainder omitted)

■Displaying detailed interface information

  • show interface <interface name>
CheckPoint-01> show interface LAN3
dhcp-exclude-end-range:
bridge-stp-priority:          32768
lan-mac-filtering:            on
vti-is-numbered:
ipv6-address:
secondary:
cluster-status:               non-ha
other-config-flag:            off
wireless-radio-mode:          off
bridge-stp-hello-time:        2
protected-mgmt-frames:        off
description:
rts-threshold:                2346
subnet-mask:                  255.255.255.0
is-connection-static:         false
lan-access-track:             none
ssid:                         cp_vap1
mac-address:                  00:1c:7f:7f:32:54
dns-ipv6 primary:
min-advertisement-interval:
password:
assignment:                   ASSIGNMENT.SEPARATE_NETWORK
wireless-wep-password1:
interface:                    LAN3
dns-primary:
wep-default-key:              1
exclude-ip-pool:
xr:                           off
hop-limit:                    64
include-ip-pool:              10.10.10.1-10.10.10.254
dns-secondary:
dhcp-ipv6-range-end:
wpa-authenticate-using:       password
dns-tertiary:
wds:                          off
station-to-station:           allow
wireless-wep-password2:
exclude-ipv6-pool:
wmm:                          on
name:
is-hidden:                    false
mtu:                          1500
dhcp-ipv6-exclude-start-range:
802dot1x-re-authentication-frequency:0
bridge-anti-spoofing:         off
bridge-stp-forward-delay:     15
status:                       100/full
tkip-group-key-update-interval:600
max-advertisement-interval:   600
advertisement-lifetime:
default-gw:
retransmission-timer:         0
hidden-bridge-interface:
nat:                          on
type:                         lan
wireless-wep-password4:
internet-connection:          table: 0x66324d58
wireless-wep-password3:
ipv6-prefix-length:           64
relay relay-to:
hide-ssid:                    off
internet-can-be-bridged:      false
network-ports:                LAN3
mac-address-override:
bridge-stp-aging-time:        20
ipv4-address:                 10.10.10.1
beacon-interval:              100
state:                        on
wds-peer-mac-address:
dhcp-options:                 table: 0x66326410
dns-ipv6 secondary:
dhcp-ipv6-exclude-end-range:
lan-access:                   accept
bridge-range:
interface-type:               internet-connection
exclude-from-dns-proxy:       off
relay-secondary:
dns-ipv6 tertiary:
display-name:                 LAN3
send-mtu-flag:                off
dhcp-exclude-start-range:
name:                         LAN3
use-defined-networks:         false
use-router-advertisement:     on
security-type:                WPA/WPA2
dhcp-ipv6:                    off
stp-cost:                     100
link-speed:                   10/half
band:                         table: 0x66326d98
mask-length:                  24
guest-wireless:
dhcp-range-start:             10.10.10.1
dtim-period:                  1
type:                         unnumbered
auto-negotiation:             on
relay relay-to:
dhcp-ipv6-range-start:
reachable-timer:              0
hotspot:                      off
wireless-transmission-rate:   auto
stp:                          off
dhcp-range-end:               10.10.10.254
remote:
dhcp:                         off
dns-ipv6:                     auto
name:                         LAN3
wireless-mac-filter:          off
wireless-mac-filter-list:     table: 0x66327590
802dot1x-authentication:      off
stp-priority:                 128
peer:
bridge-log-dropped-non-iP:    off
managed-config-flag:          off
wpa-encryption-type:          Auto
vti-number:                   0
fragmentation-threshold:      2346
is-bridge-fw-enabled:         on
include-ipv6-pool:
master-key-update-interval:   86400
vlan:                         3

Policy

■Displaying the policy rule list

  • show access-rules type outgoing
CheckPoint-01> show access-rules type  outgoing
index     name      disabled   action    log       src                   dest                  service   application
1                   false      accept    log       NW_10.10.10.0_24
2                   false      accept    log       NW_192.168.1.0_24
3                   false      block     log                                                   Any_T...  Predefine...
4                   false      block     log

  • show access-rules type incoming-internal-and-vpn
CheckPoint-01> show access-rules type incoming-internal-and-vpn
index     name      disabled   action    log       src                   dest                  service
1                   false      block     log

Routing

■Displaying the routing table

  • show route all
CheckPoint-01> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

S         0.0.0.0/0           via 10.1.10.6, WAN, cost 0, age 2
C         10.1.10.0/24        is directly connected, WAN
                                  WAN
C         10.10.10.0/24       is directly connected, LAN3
                                  LAN3
C         127.0.0.0/8         is directly connected, lo
                                  lo
C         192.168.1.0/24      is directly connected, LAN1
                                  LAN1

■Displaying the ARP table

  • arp -a
CheckPoint-01> arp -a
? (192.168.1.101) at  on LAN1
? (192.168.1.100) at 00:e0:4c:27:f9:0e [ether] on LAN1

Internet connections

■Displaying the Internet connection list

  • show internet-connections table
CheckPoint-01> show internet-connections table
name         ip-version interface  type          ipv4-address      mask-length  default-gw
Internet1    ipv4       WAN        dhcp          10.1.10.9         24           10.1.10.6

Logs

■Displaying the system log and kernel log

  • show logs system
  • show logs kernel
CheckPoint-01> show logs system
CheckPoint-01> show logs kernel

Commands in Expert mode

■Displaying Linux kernel information

  • cat /proc/version
[Expert@CheckPoint-01]# cat /proc/version
Linux version 3.10.20-al-5.0-pr2 (builder@Lnx50BccCmp8.checkpoint.com) (gcc version 4.7.3 20130328 (prerelease) (crosstool-NG linaro-1.13.1-4.7-2013.04-20130415 - Linaro GCC 2013.04) ) #1 SMP Thu May 10 14:38:41 IDT 2018

■Displaying interface information

  • ifconfig -a
[Expert@CheckPoint-01]# ifconfig -a
DMZ       Link encap:Ethernet  HWaddr 00:1C:7F:7F:32:55
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

DSL       Link encap:Ethernet  HWaddr 9E:38:5C:19:8C:B2
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

LAN1      Link encap:Ethernet  HWaddr 00:1C:7F:7F:32:54
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:527120 errors:0 dropped:0 overruns:0 frame:0
          TX packets:697390 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:70888605 (67.6 MiB)  TX bytes:620930861 (592.1 MiB)
(remainder omitted)

■Displaying hardware information (serial number, etc.)

  • dmidecode

※This was documented for R80, but the command was not available in this environment.

■Displaying support information (normally not used?)

  • cpinfo

This presumably prints all of the information used for support, but the volume is enormous (tens of MB) and the output never finishes, so it may be better not to use it.

In non-Expert mode, the following command saved the support file to a TFTP server. This method seems preferable.

  • cpinfo to-tftp <TFTP server address>
CheckPoint-01> cpinfo to-tftp 192.168.1.100
Creating cpinfo.txt file...
Copying cpinfo file to TFTP server: 192.168.1.100
Cpinfo file has been copied to TFTP server
