---
title: CHECKPOINT VSX cheat sheet
description: Basics to check routing on VSX instance
---
# VSX
## Cluster
* VSX cluster status
`show cluster state`
## Virtual Instance
* Show all virtual instances
`show virtual-system all`
* Change to VSX instance 1
`set virtual-system 1`
* Change back to VSX instance 0
`set virtual-system 0`
:::warning
"exit" would exit the shell!
:::
:::info
In `expert` mode use `vsenv <ID>`
:::
---
## Cluster
Expert-mode equivalents. `cphaprob stat` shows the ClusterXL state of the members:
```
cphaprob stat
```
`vsx stat -v` lists all virtual systems with their status:
```
vsx stat -v
```
---
# Interfaces
## in VSX
`clish`:
```
show interfaces all
```
outputs a list with the details of all interfaces.
## [on SmartCenter-CLI](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/VSXG/vsx_util-show_interfaces.htm)
```
vsx_util show_interfaces
```
opens a menu to select the cluster, then lets you select the type of interfaces to be shown.
:::warning
Neither is an elegant solution.
The OS only knows about the underlay addresses, which will not help you.
:::
---
# Routing
:::info
Enter `show route`, then hit "tab key" for options!
:::
## Show routing table
* Show active routes
`show route`
* Show inactive routes
`show route inactive`
* Show active and inactive routes
`show route all`
* Show connected routes
`show route direct`
* Show static routes
`show route static`
* Show active routes originating from OSPF
`show route ospf`
* Show active routes originating from BGP
`show route bgp`
* Show active and inactive routes from BGP
`show route bgp all`
* Show active NAT pools
`show route nat-pool`
---
## Show specific route
* Show specific route
`show route destination <NW>`
* Show exact route
`show route exact <NW>/<NM>`
* Show routes which include a given subnet
`show route less-specific <NW>/<NM>`
* Show routes inside a given subnet
`show route more-specific <NW>/<NM>`
---
## Show routing table summary
`show route summary`
---
# Dynamic Routing Protocols
## Router-ID
`show router-id`
:::info
router-id is the same for all protocols
:::
## BGP
### Check local AS
`show as`
### Check Router-ID
`show router-id`
---
### Show BGP configuration
```
show configuration bgp
```
---
:::info
BGP process requires an import-map to accept prefixes.
:::
### Check import map
`show bgp routemap`
:::info
This provides the <RM-name>.
:::
### Show routemap in configuration
`show configuration routemap <RM-name>`
### Modify routemap
#### Add element to RM-ID
`set routemap <RM-name> id <RM-ID> match network <NW>/<NM> exact`
#### Remove element from RM-ID
`set routemap <RM-name> id <RM-ID> match network <NW>/<NM> off`
---
### Show BGP process
`show bgp summary`
### Show peers
`show bgp peers`
### Show specific peer
`show bgp peer <IP> detailed`
### List prefixes received from peer
`show bgp peer <IP> received`
### List prefixes advertised to peer
`show bgp peer <IP> advertise`
:::info
Note that only the `active firewall node` has a BGP session with the peers. The passive firewall node is in state `idle`.
This is OK, because the passive device syncs its routing table with the active device. So, in case of a failover, it **has all the routes**, even though the session to the BGP peer still has to be established.
---
Also note that the `active cluster platform-node` does not necessarily run the `active firewall node`.
Check this by running `show cluster state` in the context of the VSX.
:::
---
### Debugging
`show bgp stats`
`show bgp errors`
`show bgp paths`
---
### Restart session
`restart bgp peer <IP>`
:::warning
Keep in mind that the restart of a dynamic routing protocol will most likely impact your network connectivity!
:::
---
## OSPF
### Check process
`show ospf`
### Check OSPF neighbors
`show ospf neighbors`
### Check OSPF interfaces
`show ospf interfaces`
### OSPF database overview
`show ospf database database-summary`
### Show OSPF database
`show ospf database`
`show ospf database detailed`
`show ospf database router-lsa`
`show ospf database network-lsa`
`show ospf database external-lsa`
`show ospf database summary-lsa`
### OSPF debugging
* Check router-id
`show ospf router-id`
* List OSPF errors
`show ospf errors`
:::info
Enter `show ospf errors` and hit "tab key" for an overview of options!
:::
* List OSPF events
`show ospf events`
* List OSPF packet counters
`show ospf packets`
---
## Route Redistribution
:::info
Route-redistribution can only be checked by its configuration
:::
* Check route-redistribution configuration
`show configuration route-redistribution`
## View network configurations
* Show interfaces configuration
`show configuration interface`
:::warning
This will list the addresses of the overlay network!
For the real addresses view the topology overview in SmartConsole.
:::
* Show static-route configuration
`show configuration static-route`
* Show Autonomous System configuration
`show configuration as`
* Show Router-ID configuration
`show configuration router-id`
* Show BGP configuration
`show configuration bgp`
* Show OSPF configuration
`show configuration ospf`
---
# Snippets
## CLI output pager
* show pager lines on clish
`show clienv rows`
* disable pager on clish
`set clienv rows 0`
## Get a list of overlay addresses in VSX
:::spoiler
```
expert
# for every interface name listed by clish, print the name and its ipv4-address line
for int in $(clish -c "show interfaces"); do echo -n "$int " ; clish -c "show interface $int" | grep ipv4-address; done
```
***Maybe a better alternative:***
```
expert
# join the "Interface", "mac-addr" and "ipv4-address" lines of each interface into one line,
# skip interfaces whose MAC or address is "Not configured", print name,MAC,address as CSV
clish -c "show interfaces all" | grep '^Interface\|mac-addr\|ipv4-address' | sed 'N;N;s/\n/ /g' | awk '$4 != "Not" && $6 != "Not" {OFS=",";print $2,$4,$6}'
```
:::
:::info
No matter which VS context (`vsenv`) you are in, it will show all interfaces of all VSX.
:::
## Get list of all ipv4 underlay interfaces in VSX
```
expert
# print address,interface as CSV for every "scope global" inet address
ip a s | grep inet | awk '$6 == "global" {OFS=",";print $2,$7}'
```
:::info
However, the IP shown is the underlay address. To see the real IP, check `show interface <int>`.
:::
## Get a list of all configured interfaces of VSX
```
expert
# for every interface that has a "scope global" address, join the state, type,
# mac-addr and ipv4-address lines from clish and print name,MAC,state,type,address as CSV
for int in $(ip a s | grep inet | awk '$6 == "global" {OFS=",";print $7}'); \
do (echo -n "$int " ; clish -c "show interface $int" | \
grep "^state\|^type\|^mac-addr\|^ipv4-address") | \
sed 'N;N;N;s/\n/ /g' | awk '{OFS=",";print $1,$7,$3,$5,$9}' ; done
```
## Configure "proxy-arp" in VSX
:::warning
CHECKPOINT is a global market leader and therefore does not need to design reasonable setup mechanisms for their products.
Whenever you configure NAT on an interface with addresses other than the interface IP, you have to configure "proxy-arp".
:::
[Configuring Proxy ARP for Manual NAT](https://support.checkpoint.com/results/sk/sk30197) (*requires CP account*) describes the procedure.
Basically, on the CLI you switch into the context of your VSX and become `expert`.
Then create (or edit) the file `$FWDIR/conf/local.arp`.
This file should contain a table that looks like this:
| VIRTUAL IP | MAC of Interface to respond |
| -------- | -------- |
| IP.AD.DR.ES | MA:CO:FI:NT:ER:FA |
| 1.1.1.1 | AA:BB:CC:DD:EE:FF |
Finally, re-install the policy of your VSX.
---
Check commands:
```
[Expert@HostName:0]# fw ctl arp
[Expert@HostName:0]# fw ctl arp -n
[Expert@HostName:0]# arp -a
[Expert@HostName:0]# arp -e
```
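Before re-installing the policy it is worth checking that `local.arp` is well-formed, since a typo there silently breaks NAT. The following is an added example, not from Check Point or the SK article: a POSIX shell function that validates a `local.arp`-style file (one `<IP> <MAC>` pair per line) and flags malformed addresses and duplicate IP entries, run here against a constructed sample file.

```shell
# Validate a local.arp-style file: one "<IP> <MAC>" pair per line, "#" comments allowed.
# Reports each problem on stderr and returns 1 if any was found, 0 otherwise.
validate_local_arp() {
    file="$1"; rc=0; n=0; seen=""
    ipre='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
    macre='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line="${line%%#*}"          # strip trailing comments
        set -- $line                # split into fields (blank lines give $# = 0)
        [ $# -eq 0 ] && continue
        if [ $# -ne 2 ]; then
            echo "line $n: expected '<IP> <MAC>', got: $line" >&2; rc=1; continue
        fi
        ip=$1; mac=$2
        if printf '%s\n' "$ip" | grep -Eq "$ipre"; then
            for o in $(printf '%s\n' "$ip" | tr . ' '); do   # regex allows 999, so check range
                [ "$o" -le 255 ] || { echo "line $n: octet $o > 255 in '$ip'" >&2; rc=1; }
            done
        else
            echo "line $n: bad IPv4 address '$ip'" >&2; rc=1
        fi
        printf '%s\n' "$mac" | grep -Eq "$macre" || { echo "line $n: bad MAC '$mac'" >&2; rc=1; }
        case " $seen " in                                   # two entries for one IP are ambiguous
            *" $ip "*) echo "line $n: duplicate entry for $ip" >&2; rc=1 ;;
        esac
        seen="$seen $ip"
    done < "$file"
    return $rc
}

# Constructed sample in the local.arp format (not a real configuration).
SAMPLE_LOCAL_ARP=$(mktemp)
cat > "$SAMPLE_LOCAL_ARP" <<'EOF'
# virtual IP    MAC of the interface that should answer ARP
192.0.2.10 00:1C:7F:00:00:01
192.0.2.11 00:1C:7F:00:00:01

EOF
validate_local_arp "$SAMPLE_LOCAL_ARP" && echo "local.arp looks consistent"
```

Run it as `validate_local_arp $FWDIR/conf/local.arp` in expert mode; it only checks syntax, so still confirm with `fw ctl arp` after the policy install that the entries are loaded.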
## View addresses of all VSX in a cluster
[vsx_util show_interfaces](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/VSXG/vsx_util-show_interfaces.htm?TocPath=VSX%20Commands%7Cvsx_util%7C_____10)
will create a table of all interfaces of all VSX on a cluster.
## View connection table
:::info
Not specific to VSX
:::
```
fwaccel conns
```
also in `expert`-mode, so you can use shell:
```
fwaccel conns | grep <pattern>
```
Also, [`fw ctl conntab`](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/CLI/fw-ctl-conntab.htm#:~:text=Use%20the%20%22%20fw%20ctl%20conntab,information%20about%20the%20current%20connections.) shows the current connections and can be filtered:
```
fw [-d] ctl conntab
{-h | -help}
-sip=<Source IP Address in Decimal Format>
-sport=<Port Number in Decimal Format>
-dip=<Destination IP Address>
-dport=<Port Number in Decimal Format>
-proto=<Protocol Name>
-service=<Name of Service>
-rule=<Rule Number in Decimal Format>
```
## Change shell to bash and back
[Change clish to bash – and back.](http://svendsen.me/change-clish-to-bash-and-back/)
In `expert`-mode:
```
chsh -s /bin/bash admin
```
and back:
```
chsh -s /etc/cli.sh admin
```
## Debug CPU spikes
* `/var/log/spike_detective/spike_detective.log`
* `cpview`
* `cpview_services`
* `/var/log/messages`
* `/var/log/spike_detective/xyz`
* `/var/log/spike_detective/` (log by date)