vi $FWDIR/conf/objects_5_0.C
Change the following:
  :support_sofaware_profiles (false)
to
  :support_sofaware_profiles (true)
Restart Check Point services

Notes:

  • With the above set to false, if you create the object via Network Objects Manager, upon verification, the following error may appear: "'s IP address is invalid (inside DAG_range)"


[ # ]

cphaprob stat  !! view failover status
cphaprob -a if  !! view interface VIP configuration

[ # ]

ethtool -s <interface> speed <speed, e.g. 100> duplex <duplex> autoneg off  !! Set interface speed and duplex with autonegotiation off

config conn set local <ip>/<cidr> name <interface>  !! Assign an IP address to an interface
config conn add type vlan local <ip>/<cidr> vlan-tag <vlan-tag> dev <physical-int-name>  !! Create sub-interface with VLAN tag
config conn del name <vlan-int>  !! Delete sub-interface

!! Configure monitoring of interface for failover (add/delete required interfaces, 1 per line)
cpstop
vi $FWDIR/conf/discntd.if
cpstart

[ # ]

fw ctl set int fwha_vmac_global_param_enabled 1        !! Enable until reboot
fw ctl set int fwha_vmac_global_param_enabled 0        !! Disable (default)

vi $FWDIR/boot/modules/fwkern.conf        !! Enable Permanently
fwha_vmac_global_param_enabled=1

Notes:

  • This is useful so that the MAC addresses of the VIPs do not change on failover of a cluster. This may correct issues with switches holding onto the old VIP MAC address.


[ # ]

webui enable <port>  !! Enable the web UI on the given port
webui disable        !! Disable the web UI


[ # ]

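clish -s -c "add arpproxy address <ip> macaddress <vip mac>"  !! Add a proxy ARP entry and save the configuration
clish -s -c "delete arpproxy address <ip>"                    !! Delete the proxy ARP entry and save the configuration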

[ # ]

cp_conf admin get    !! View current administrators
cp_conf admin add <user> <passw> <r|w>    !! Add user with read-only (r) or write (w) permissions
cp_conf admin del <admin1> <admin2> ...   !! Delete user(s)

cp_conf client get   !! View currently defined GUI clients
cp_conf client add <ip/netmask> !! Add a GUI client
cp_conf client del <GUI Client 1> <GUI Client 2> ... !! Delete GUI client(s)
cp_conf client createlist <GUI Client 1> <GUI Client 2>...  !! Add new GUI clients list


[ # ]

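useradd -u 0 -g 0 -o -s /bin/bash <username>  !! Create a user with UID 0 / GID 0 (root-equivalent; -o allows the duplicate UID) and a bash shell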
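
Accounts created this way share UID 0 with root, so they are worth tracking. The following is an added example, not part of the original page: a check that lists every UID 0 account other than root in a passwd-format file. The function names and the sample account names (fwops, auditor, monitor) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts that share UID 0, e.g. ones created with
# `useradd -u 0 -o`. Function and account names here are hypothetical.

# list_uid0_extra FILE
# Prints "name:gid:shell" for every UID 0 account other than "root".
list_uid0_extra() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        NF < 7         { next }    # skip malformed entries
        $3 == 0 && $1 != "root" { print $1 ":" $4 ":" $7 }
    ' "$1"
}

# audit_uid0 FILE
# Prints one finding per extra UID 0 account; returns 1 if any were found.
audit_uid0() {
    found=$(list_uid0_extra "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while IFS=: read -r name gid shell; do
        printf 'UID 0 account: %s (gid=%s, shell=%s)\n' "$name" "$gid" "$shell"
    done
    return 1
}

# Constructed sample data so the check runs offline.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
# local accounts
fwops:x:0:0::/home/fwops:/bin/bash
auditor:x:0:0::/home/auditor:/sbin/nologin
monitor:x:500:100::/home/monitor:/sbin/nologin
EOF
}

# Demo against the sample; on a real host pass /etc/passwd instead.
demo_file=$(mktemp)
sample_passwd > "$demo_file"
audit_uid0 "$demo_file" || echo "Review the accounts listed above."
rm -f "$demo_file"
```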

[ # ]

chsh -s /bin/bash <username>  !! Change the user's login shell to bash

[ # ]

cphaprob -d problem -s problem report  !! Run on the active firewall to force a failover
cphaprob -d problem unregister         !! Unregister the problem

Notes:

  • The best place to perform a failover is within the policy. This is for temporary failover purposes. After removing the problem, if the configuration has not been updated, it is likely the firewalls will fail back.

[ # ]