cphastop
mount -t iso9660 -o loop <iso_image> /mnt/cdrom
cd /mnt/cdrom
patch add cd

Notes:

  • It's best to verify these steps against the Release Notes
  • After install, modify CP object in policy to reflect new version and push policy
  • HFAs will use ./UnixInstallScript instead of 'patch add cd'

[ # ]

route add -net <IP>/<cidr> gw <next hop IP>
route add -host <IP> gw <next hop IP>
route add default gw <gateway>
route del -net <IP>/<cidr> gw <next hop IP>
route --save

[ # ]

ckp_regedit -p 'SOFTWARE/CheckPoint/SIC' | egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'

Notes:

  • Alternatively, you can leave off the grep portion of the command to view the SIC certificate

[ # ]

useradd -u 0 -o -g 0 -m <username> -s /bin/rbash

[ # ]

!! Configuring the captures
!! Method 1 - ACL Capture
  access-list ryan permit ip host <source> host <dst>
  capture ryan-inside access-list ryan int <int>
  show capture ryan-inside

!! Method 2 - Match Capture (This is bidirectional)
  capture ryan-inside interface <int> match ip host <src ip> host <dest ip>
  sh cap ryan-inside

!! Obtaining capture as PCAP file
!! 1.) Method 1 - Copying to another location
  copy /pcap capture:/<capture-name> <destination>

!! Example:
  copy /pcap capture:/mycap ftp://1.1.1.1/incoming/mycap.pcap

!! 2.) Method 2 - Downloading from the firewall
 Visit in Browser: https://<FW-IP>/admin/capture/<capture_name>/pcap

!! Example:
  Visit in Browser: https://1.1.1.1/admin/capture/mycap/pcap

Notes:

  • To download the PCAP, ensure you are connecting on the same port as ASDM is configured ('show run http')

[ # ]

migrate l2l

Notes:

  • This will add ikev2 options with ikev1 fallback

[ # ]

interface redundant <1-8>
  member-interface <active interface>
  member-interface <standby interface>
  no shutdown
  exit
show interface redundant<1-8>        !! View active/standby interface information
redundant-interface redundant<1-8> active-member <desired-active-interface>        !! Change the active interface

Notes:

  • By default, the first interface added to the redundant interface will be the active interface
  • This is Cisco's recommendation for a failover configuration

[ # ]

  1. Reboot device
  2. At prompt, hit escape to break the boot sequence
  3. 'confreg' !! prompt will start with 'rommon #'
  4. Note your current configuration register (0x1 is the default)
  5. Choose 'Y' to change the configuration
  6. Accept all the defaults EXCEPT 'disable system configuration'. Set this to 'Y'
  7. 'boot'
  8. 'enable' after device has booted !! Just hit enter for the password
  9. 'copy startup-config running-config'
  10. Reset the passwords in 'conf t':

    password <password>
    enable password <password>
    username <username> password <password>

  11. 'config-register
  12. 'copy running-config startup-config'

Notes:

  • Must be performed via the console port

[ # ]

show ospf database
show ospf neighbor
debug ospf events

[ # ]

interface Ethernet0/1                !! inside for instance
 ospf cost 10
 ospf message-digest-key 1 md5 <md5 key>
 ospf authentication message-digest
interface Ethernet0/2                !! outside for instance
 ospf cost 10
 exit
router ospf 1
 network <internal ip> <internal network> area <area number>  !! Each network that we will advertise
 log-adj-changes
 redistribute rip subnets        !! Redistribute RIP if needed
 exit

[ # ]