Day: December 8, 2018

Basic commands to verify the status of ASA firewall:

• Cisco firewall mode : show firewall
•  Cisco firewall version : show version
• Verify CPU usage : show cpu usage
• Verify memory status : show memory
• Verify failover status : show failover
• Verify failover history : show failover history
• List interface names : show nameif
• List interface IP address: show ip
• List route table : show route
• List nat table : show xlate
• Verify logs : show logging

• Software Versions:
• At this moment checkpoint supports three main software versions
• R77.30
• R80.10
• R80.20
• R77.30 is planned to go out of support in September 2019.
• R88.20 was released at the end of september 2018.

• FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains.
• Syntax to capture fwmonitor is mentioned below:
• fw monitor -e ‘accept src=10.1.1.1 or dst=10.1.1.1;’  -o test.out
• Fwmonitor  captures traffic at 4 important points in the firewall namely i, I, o & O. You would see them in the capture in the same sequence.

i – Preinbound, just where the packet is received on the interface. If you see only this then the packet is dropped by address spoofing or the access rule.

I – Postinbound, where the packet has gone across the incoming interface. If you don’t see the next line in capture after this at ‘o’, you could infer that it’s a routing issue.

For both i & I the interface is the incoming, where the packet enters the firewall.

o – Preoutbound, the place where the packet is received at the exit interface within the firewall. If this is the point beyond which the capture is not seen, then you may need to check NAT.

O- Postoutbound, If you see this then make you are sure that the packet has left the firewall and the ACL, route and NAT all are working as expected.

Example:

eth0:i[284]: 10.1.1.1 -> 172.1.1.1 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth0:I[284]: 10.1.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth2:o[284]: 10.1.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth2:O[284]: 10.4.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289

10.1.1.1 — Source.

172.1.1.1 –Destination

10.4.1.1 –Source NAT

192.168.1.2 –Destination NAT

1. Show general system health information : show system info
2. Show percent usage of disk partitions : show system disk-space
3. Show the maximum log file size : show system logdb-quota
4. Show running processes : show system software status
5. Show processes running in the management plane : show system resources
6. Show resource utilization in the dataplane : show running resource-monitor
7. Show the licenses installed on the device : request license info
8. Show when commits, downloads, and/or upgrades are completed : show jobs processed
9. Show session information : show session info
10. Show information about a specific session : show session id <session-id>
11. Show the running security policy : show running security-policy
12. Restart the device : request restart system
13. Show the administrators who are currently logged in to the web interface, CLI, or API : show admins
14. Display the routing table : show routing route
15. Look at routes for a specific destination : show routing fib virtual-router <name> | match <x.x.x.x/Y>
16. Show the NAT policy table : show running nat-policy
17. Test the NAT policy : test nat-policy-match
18. Show NAT pool utilization : a.show running ippool b. show running global-ippool
19. Ping from the management (MGT) interface to a destination IP address : ping host <destination-ip-address>
20. Ping from a dataplane interface to a destination IP address : ping source <ip-address-on-dataplane> host <destination-ip-address>
21. Show network statistics : request netstat statistics yes