Command Line Tour

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
3 hours 53 minutes
Difficulty
Beginner
Video Transcription
00:01
Now, I would like to show you some command line utilities
00:05
both on the orchestrator and on the single management object
00:10
that are helpful in
00:13
monitoring or maestro deployment.
00:16
But also troubleshooting your maestro deployment if you're having an issue
00:22
good to know specifically where the cause of that issue is,
00:28
uh,
00:29
using the old adage. When in doubt, rebooted out
00:35
on the, uh,
00:38
orchestrator, you can restart the orchestration service and this will be an outage.
00:48
It's sort of silently
00:50
restarts itself.
00:57
Another useful command is
01:00
this o r ch underscore info.
01:07
This
01:11
this command here is useful for collecting extensive diagnostic information about the orchestrator.
01:21
So it's
01:23
sort of like CP Dump
01:26
pulling information from multiple sources
01:30
and writing it too.
01:32
One archive file. Ah, gee, zipped tar file.
01:38
Some of this output is the result of the orchestrator
01:42
service not restarting correctly because of an issue in this demonstration environment.
01:55
A lot of files in there let's go through it one page at a time.
02:01
So long files
02:06
big files
02:07
and
02:10
counters.
02:17
Next,
02:30
this python script
02:31
will provide ah list of the interfaces and the status of those interfaces. Are they up? Are they down?
02:39
Have something plugged in to the interface port
02:44
or not,
02:46
I'm
02:47
running these commands an expert mode. So I have to provide my own pagination by piping it through the I use the less command.
02:58
So
02:59
this command will show you the status of your orchestrator ports.
03:02
And it needs to be run on the orchestrator. Of course not on Ah single management object.
03:19
Thea
03:22
Security Gateway modules
03:23
use the link Layer Discovery Protocol to inform the orchestrator
03:30
of their presence.
03:30
What? Ah, what
03:32
model they are
03:35
and
03:36
don't
03:37
default Name
03:38
for the appliance
03:40
and you can see what Linklater Discovery Protocol has discovered with this
03:46
l l d p
03:47
c t l one word command
03:51
again paginated.
04:03
I also want to point out config file.
04:12
This configuration file on the orchestrator contains
04:17
the configuration of all security groups that have been defined.
04:24
This same file is found in the single management object and the rest of the security gateways.
04:30
But
04:30
at that level it only contains information about that security group
04:34
and there are only two security group. Unless I only one security group that has been defined. So this information is very short
04:43
in production, there would be many, many more entries.
04:49
Next, Um, you can move between the orchestrator and single management objects.
04:57
And then
04:58
when you're in a single management object, you can move within the security gateway modules that are in
05:05
that security group
05:08
and the command can be abbreviated. Move.
05:11
So I'm gonna move to the first security group,
05:14
the first host, which would be by default, the
05:16
the host answering the single management object i p address.
05:21
And it uses secure shell
05:25
so you can set up
05:28
keys to do the authentication or
05:31
password authentication works.
05:33
Now I am
05:35
in
05:36
the single management object of my first and only security group,
05:44
and
05:45
here
06:13
you can see this same etcetera. SG db dot Jay's on file.
06:17
And
06:20
again, this is a very simple demonstration configuration.
06:25
If I had to find multiple security groups
06:28
at the orchestrator level,
06:30
this file in this security would only contain information about this security group. To see all of the security groups,
06:36
you have to look at
06:38
this file
06:39
on the orchestrator.
06:48
Next the A S G command.
06:51
This is useful to get information about the security group,
06:58
including
07:00
which
07:00
security gateway modules in the group are working. Which ones aren't who's active,
07:05
etcetera.
07:10
So the A s G monitor command
07:16
will
07:17
refresh by default every five seconds you can given interval
07:21
as a decimal number.
07:25
And
07:26
right now, the security group,
07:29
uh, it doesn't have policy installed on it
07:31
anymore. So it's showing that
07:34
policy date never happened.
07:39
Threat policy never happened. And we're in active attention mode
07:44
because
07:46
we're supposed to be a cluster
07:48
active inactive, but we don't have a policy.
07:53
Strand will run until you
07:57
accident. I use control. See,
08:03
with the minus V option, you get a little bit different information
08:07
for this next command a SG bug Verify.
08:11
I find it to be
08:13
they're useful.
08:15
This command runs several diagnostics
08:18
on the
08:20
orchestrator and on the
08:22
security group,
08:24
and it provides
08:26
concise summary of the results of each of those diagnostics.
08:31
See that some are failing that just for various read, such as I've not yet installed Policy
08:39
Security Group.
08:41
Also, my demo environment. It's having a bit too.
08:46
This command is typically followed by the A S G e bug list commit
08:52
or
08:52
for information.
08:56
The dxl
09:00
count command
09:01
is
09:01
useful for visualizing distribution modes
09:07
and
09:09
recall that
09:11
distribution modes determined
09:15
which
09:16
security gateway modules should handle the traffic for a given connection.
09:22
And
09:22
the default is general, where
09:26
both the source and destination I P address and by default
09:31
layer for ports are also
09:33
considered. So source
09:37
I P address and port Destination I P address and port
09:41
are all used in the algorithm to determine
09:43
which security Gateway module should handle the traffic for this connection.
09:50
Another option is user distribution mode, which uses the source port
09:56
and destination I P.
10:01
Or network distribution, which uses the
10:05
destination port and source. I P.
10:09
Well, look a little bit more
10:11
into the distribution modes coming up.
10:16
Another useful A SG command.
10:26
This shows you
10:28
key performance indicators.
10:31
Um, so note Ah, the load averages
10:35
that, um
10:37
are displayed for
10:39
both the cork cell cores and secure excel or, uh,
10:43
secure network
10:45
distributor course.
10:50
And this is ah, very small deployment with no policy, no traffic. So this isn't very interesting, but this command automatically updates
10:58
and is useful in a production system.
11:07
Next, Really quickly. I wanted to show the
11:13
diag list.
11:16
Your man
11:24
provides
11:26
all sorts of tests that can be done, so
11:30
you ah,
11:31
use a SG diag print and the test number and it will conduct that test. This is just a handy cheat sheet,
11:39
so you have to remember the numbers.
11:46
So SG
11:48
Diack, you man, is very useful for
11:50
running system diagnostics.
11:54
Earlier, we talked about distribution modes
11:58
distribution modes.
12:01
Set the algorithm, which determines which security gateway modules should handle. The traffic forgiven connection
12:09
does that by
12:11
Gina
12:11
either the source or destination i P address, depending on the mode chosen
12:16
and
12:18
source or destination. Port, depending on if later four
12:22
is enabled, is part of the
12:24
the decision process.
12:28
And so the default distribution mode is general,
12:31
which uses both the source and destination I P addresses
12:35
and source and destination ports for the decision.
12:41
There's also
12:43
user distribution mode.
12:45
It uses the
12:46
destination I P address and Source Port.
12:50
There's
12:52
the Network Distribution Road, which uses the source I P and the Destination port. And there's also a
12:58
a topology
13:00
auto topology mode, which uses the information from
13:05
the
13:07
Single Management Object
13:11
Security Gateway object that was created in smart dashboard
13:15
are so smart, consul with
13:18
with topology
13:20
indicating which interfaces or internal which interfaces are external, it uses that
13:26
so you can see the current distribution
13:31
and you need to be in global Klay Shell, which I was an expert. Modi exited out of that back into the global Klay show,
13:45
and right now the distribution mode is
13:48
general
13:50
and you can change that.
14:01
You can show
14:03
per interface basis.
14:11
Also see the status of the distribution mode.
14:22
Earlier, we talked a little bit about the correction layer on again. The job of the correction layer
14:28
is to handle nada traffic
14:31
because the distribution mode algorithm uses source and or destination I P source and our destination port.
14:39
Determine
14:41
this packet. Which security Gateway module should be handling the traffic for this connection.
14:46
And with Nat, you're changing either the source and or the destination I P address
14:54
and possibly source and or destination port.
14:58
So
14:58
the distribution mode algorithm will pick the wrong security gateway module.
15:05
The correction layer exists to forward the traffic
15:11
that was
15:11
tanned it off to this second security it way module
15:18
back to the original security gateway module, which was handling the Anat ID traffic.
15:22
So it sees all of the traffic, which is necessary with state full inspection,
15:33
can see some correction layer. Statistics
15:35
begin in this demonstration environment. There is really no traffic
15:39
and I certainly haven't turned on Nat. So the correction layer hasn't had to do anything so far,
15:48
so some best practices
15:52
It depends on the specific network mix of the deployment site.
15:58
Generally distribution mode
16:02
using both source and destination I P. Source and destination port will do the most granular distribution
16:08
of connections to the security gateway modules in the security group.
16:15
However, if you're using Nat, then too
16:19
simplify the job of the correction layer
16:25
any Heiden added. Networks set them to use user mode. So we're looking at the destination I P and Source Port
16:37
and
16:40
the destination networks. If, for instance, static Nat, you would use ah
16:45
network move
16:47
which uses the source. I pee in the destination port
16:51
in the distribution algorithm.
16:56
Teoh
16:56
the global Klay shell is very convenient in a
17:02
security group because configuration changes that you make
17:06
in global Klay shell are automatically propagated to the other security gateway modules
17:12
in the security group.
17:15
But in expert mode,
17:22
there are a number of
17:26
MANNLEIN global commands
17:29
begin with G underscore,
17:32
so one g underscore command that that's useful. G underscore update, com file
17:38
and So this man wants the path to convict file
17:42
and of articles. Value pair, though if you leave off the
17:47
value, it'll just remove that bar from the config file.
17:52
So
17:53
you obviously don't want to do this unless you
17:56
have a very good reason to be editing config file.
18:04
For example, this f w
18:07
Kern config file.
18:10
I'm going to change
18:12
the art forwarding setting
18:23
other than risk type owing it
18:26
copy paste.
18:34
You could see that
18:36
the values been changed in the conflict config file on this security gateway module.
18:44
You can ignore that
18:45
build system diagnostics
18:47
ground issue.
19:06
You can see that the values been changed here is Well, I'm gonna go ahead and put it back
19:23
and see that it's been changed on the second security gateway module
19:27
and the security group
19:30
going back to the first security gateway module.
19:33
You see, it's been changed back.
19:36
So
19:37
useful command. If you need to update some config file parameter
19:41
on all of the security gateway modules in your security group.
19:45
And you probably noticed that I
19:48
got to the second security get way module in the security from the first by typing M space to
19:55
so
19:56
this is sort of shorthand for move. Move from one security gateway module to another and within a security group. If you if you execute this on a security get way module. We moved other security gateway modules in that group,
20:08
and it uses secure shell over,
20:11
um,
20:12
back and network.
20:15
You can also move from the orchestrator too.
20:19
Specific security gateway module. In a security group, you specify the security group number first
20:26
and then the security gateway module number.
20:30
Another useful command is a global TCP dump command.
20:37
So
20:38
same syntax as TCP dump.
20:41
It will aggregate all of the
20:45
packet capture data
20:47
and ah,
20:48
they're useful or getting a large
20:52
out of packet capture data fairly quickly.
20:56
Probably one of his capture filters.
21:00
Generically, the G all command
21:04
will run whatever
21:07
command you give it as
21:11
an argument, it will run that on all of the security gateway modules.
21:15
So
21:21
come up with a command.
21:23
Possibly. Someday be useful.
21:27
Show me the tail end of this same config. File fw current dot com
21:33
and
21:33
only two lines in that file. That wasn't a hard thing for tail to do, but it ran it
21:40
on all of the security gateway modules in the security group and then showed
21:45
the output
21:47
I security Gateway module here.
21:51
If you have
21:52
a security group defined,
21:55
you automatically get
21:57
active backup clustering.
22:00
There will be one security gateway module that has designated act active
22:06
and then one
22:07
that is designated back up in the same security group.
22:11
So what? What happens with packets?
22:15
The orchestrator receives a packet
22:18
from an up link interface.
22:21
It uses the distribution mode algorithm to calculate
22:25
which port
22:26
down Lakeport.
22:29
That connection should be handled by
22:30
and and the algorithm guarantees it will always be a down link port that
22:36
security gateway module is
22:38
looked into,
22:40
so it'll calculate that it needs to go out this port. It will send switch the packet out that port will be received by the security Gateway module
22:48
and
22:49
that security gateway module. If this is a new connection,
22:55
will calculate
22:56
which other security gateway module in the security group should be back up
23:02
and start doing state synchronization to that security gateway module
23:07
and
23:08
and thats done over the synchronization villain.
23:12
So you have, ah, the active that's processing the traffic for the connection and the backup that's being synchronized so it has up to date state tables such as connections, table information.
23:26
And so because there's on Lee
23:32
two security gateway modules that are participating in the clustering,
23:37
you don't have the
23:41
extra overhead that the
23:44
the General Products Cluster Excel experiences
23:48
the, uh,
23:52
the maestro,
23:53
I guess, version of clustering that call it
23:56
hyper sink
23:59
limits
24:00
the overhead. And so
24:03
there's, ah, performance penalty of about 1% of throughput
24:08
her security gateway module
24:11
in the security group.
24:14
So if you have
24:15
for security gateway modules in the security group, then
24:18
you are getting
24:21
roughly 96% of the aggregate throughput
24:26
capability.
24:27
Of those four security gateway modules.
24:32
There's some overhead,
24:33
and this is much, much better than
24:36
Cluster Excel load sharing, where,
24:40
in my experience, when you get to maybe five active, active load sharing gateways in the cluster,
24:48
adding any more makes it worse because of all the overhead of synchronizing everybody to everybody
24:55
by limiting the
24:56
synchronization
24:59
me
25:00
between the active and the backup, that really eliminates a lot of the overhead
25:04
of the synchronization. Then again, it's it's about
25:07
1% penalty,
25:11
so
25:12
that wraps up the command line and ah, a little bit of trouble shooting that I wanted to show you.
25:18
Thank you very much for attending this
25:22
jump. Start training on the Maestro Hyper scale network security solution.
Up Next
Check Point Jump Start: Maestro Hyperscale Network Security

In this course brought to you by industry leader Check Point, they will cover the Maestro Orchestrator initial installation, creation and configuration of security group via the web user interface and SmartConsole features. This course provides a demonstration of the Maestro product. Course will prepare you for their exam, #156-412, at Pearson VUE.

Instructed By