What sports is Lakshya Sen related to

Check Point CLI Reference Card v2.0.

0 ratings0% found this document useful (0 people voted)
30 views 2 pages


Checpoint CLI Refrence Guide


Available formats

Read PDF, TXT or online on Scribd

Share this document

Share or embed the document

Do you think this document is useful?


Checpoint CLI Refrence Guide


Available formats

As PDF, TXT download or read it online on Scribd

1 Basic firewall information gathering Basic troubleshooting

by Jens Roesen fgate stat Status and statistics of Flood-Gate-1. cpview View OS and software blade statistics. Lake sk101878.
Useful Secure Knowledge articles fwaccel View status, statistics or connection table of SecureXL. cpinfo Collect diagnostic data for CP support cases. Lake sk92739.
sk65385 List of "How To" guides for all Check Point products. fw getifs Show list of configured interfaces with IP and netmask. sar system monitoring tool (GAiA) generating monitoring data
cpstat [-f View OS, HW and CP application status. Issue cpstat every 10 minutes, keeping the data for 7 days. E.g .:
sk97638 Check Point Processes and Daemons
flavor] without any options to see all possible application flags sar -n EDEV - Interface errors from today
sk52421 Ports used by Check Point software sar -u -f / var / log / sa / sa04 - CPU stats from the 4th.
and corresponding flavors. Examples:
sk98348 Best Practices - Security Gateway Performance cpstat fw -f policy verbose policy info cpsizeme For 24h, monitor gw resource utilization every minute and
sk105119 Best Practices - VPN Performance cpstat os -f cpu CPU utilization statistics generate a CSV report to use for sizing considerations or
cpinfo -y all List all installed patches and hotfixes. troubleshooting. See sk88160 for additional information.
There are also a lot of valuable ATRGs (Advanced Technical Reference Guides) available.
Search for ATRG and a suitable keyword. For instance artg ipv6. cpd_sched_config print Show task scheduled with CPD scheduler.
ethtool -S View interface statistics and counters.
enabled_blades View enabled software blades
emergendisk Create a bootable system on a USB device for system or
Check Point Environment variables (most common ones) password recovery and secure HDD wiping.
$ FWDIR FW-1 installation directory, with f.i. the conf, log, lib, bin and spool avsu_client [-app ] Get signature version and status of content security
cpinfo -z -o Create a compressed cpinfo file to open with the InfoView
directories. get_version . Without the -app option Anti Virus is used.
utility or to send to Check Point support.
$ CPDIR SVN Foundation / cpshared tree. show configuration Show running system configuration.
cst Configuration Summary Tool and its enhanced version. Packs
$ CPMDIR Management server installation directory. show commands Show all commands you are allowed to run. ecst IPSO config, logs, core dumps etc. into a single file.
$ FGDIR FloodGate-1 installation directory. show asset all Display general hardware information. fw ctl zdebug drop Real time listing of dropped packets.
$ MDSDIR MDS installation directory. Same as $ FWDIR on MDS level. show sysenv all Display system component status (fans, power supply ...) cpwd_admin list Display PID, status and starting time of CP WatchDog
$ FW_BOOT_DIR Directory with files needed at boot time. asset View hw info on IP Series Appliances running GAiA. monitored processes.
show asset hardware View hw info like serial numbers in Nokia clish. cpca_client lscert Display all ICA certificates.
Reference Card Command Shell Indicators
ipsctl -a View hw info. Also see cat /var/etc/.nvram output. fw tab t [s] View kernel table contents. Make output short with -s switch.
Expert Mode GAiA clish SPLAT cpshell IPSO clish IPSO shell List all available tables with fw tab -s. Example:
A lot of the expert mode commands are also available within GAiA clish as extended display and manage licenses fw tab -t connections -s View connection table.
command. View complete list with the clish command show extended commands. cp_conf lic get View licenses. fw ctl multik stat Show connection statistics for each kernel instance.
Basic starting and stopping cplic print Display more detailed license information. fw ctl pstat Display internal statistics including information about memory,
fw lichosts List protected hosts with limited hosts licenses. inspect, connections, synchronization and NAT.
cpstop Stop all Check Point services except cprid. You can also stop
specific services by issuing an option with cpstop. For instance fw ctl chain displays in and out chain of CP modules. Useful for placing fw
dtps lic SecureClient Policy Server license summary.
cpstop FW1 stops FW-1 / VPN-1 or use cpstop WebAccess to monitor into the chain with the -p option.
stop WebAccess. cplic del Detach license with signature sig from object obj.
cp_conf sic state display SIC trust status or (re) initialize SIC. Also see sk30579
cpstart Start all Check Point services except cprid. cpstart works cplid db_rm Remove license from repository after detaching. cp_conf sic init for additional hints on SIC troubleshooting.
with the same options as cpstop. cplic get Retrieve all licenses from a certain gateway or all gateways fwm sic_reset Reset Internal Certificate Authority (ICA) and delete certs.
cprestart Combined cpstop and cpstart. Complete restart. to synchronize SmartCenter license repository with gw (s). Reinitialize ICA with cpconfig or cp_conf ca init.
cplic put <-l file> Install local license from file to an local machine. cpca_client Manage parts of the ICA. View, create and revoke certificates,
cpridstop Stop, start or restart cprid, the Check Point Remote
cpridstart installation daemon. cplic put <-l Attach one or more central or local licenses from file start and stop the ICA Web Tool. Examples:
cpridrestart file> remotely to obj. cpca_client lscert -stat Valid
fw kill [-t sig] proc Kill a firewall process. PID file in $ FWDIR / tmp / must be cpca_client search
cprlic Remote license management tool.
present. By default sends signal 15 (SIGTERM). fwaccel Disable / enable SecureXL.
contract_util mgmt Get contracts from Management Server.
Example: fw kill -t 9 fwm cpmonitor Statistics and analysis of snoop / tcpdump / fw monitor traffic
fw unloadlocal Uninstalls local security policy and disables IP forwarding. View and manage log files capture files. See sk103212 for download link and usage.
fw lslogs View a list of available fw log files and their size. fw monitor Examples
Basic firewall information gathering
fwm logexport Export / display current fw.log to stdout. The fw monitor packet sniffer is part of every FW-1 installation. For more info see the check
fw ver [-k] Show major and minor version as well as build number
fwm [mds] ver and latest installed hotfix of a Check Point module. Show fw repairlog Rebuild pointer files for . Point guide (http://bit.ly/fwmonref) or my fw monitor cheat sheet (http://bit.ly/cpfwmon).
vpn ver [-k] additional kernel version information with -k switch. fw6 monitor is working with GAiA. Disable SecureXL (fwaccel off) prior to sniffing.
fw logswitch [-audit] Copy current (audit) logfile to YY-MM-DD-HHMMSS.log
fgate ver and start a new fw.log. Display traffic with as SRC or DST on interface ID 2
ver Show CP version and build as well as kernel info. fw log -c Show only records with action , e.g. accept, (List interfaces and corresponding IDs with fw ctl iflist)
cpshared_ver Show the version of the SVN Foundation. drop, reject etc. Starts from the top of the log, use -t fw monitor -e 'accept host ( and ifid = 2;'

cpview Tool combining several Check Point and Linux commands to start a tail at the end. Display all packets from to
into a great text based tool providing both OS and fw log -f -t Tail the actual log file from the end of the log. Without fw monitor -e 'accept src = and dst =;'
software blade information. Lake sk101878. the -t switch it starts from the beginning. UDP port 53 (DNS) packets, pre-in position is before 'ippot_strip'
fw stat Show the name of the current policy and a brief interface fw log -b View today's log entries between and fw monitor -pi ipopt_strip -e 'accept udpport (53);'
fw stat <-l | --long> list. Use -l or -s for more info. Consider using cpstat .
fw stat <-s | --short>
UPD traffic from or to unprivileged ports, only show post-out
fw instead of -l or -s switch for better formatted output. fw fetchlogs -f Fetch a logfile from a remote CP module. NOTE: The log fw monitor -m O -e 'accept udp and (sport> 1023 or dport> 1023);'
fw ctl iflist Display interface list. module will be deleted from the remote module. Does not work
with current fw.log. Display Windows traceroute (ICMP, TTL <30) from and to
fw ctl arp [-n] Display proxy arp table. -n disables name resolution. fw monitor -e 'accept host ( and tracert;'
fwm logexport -i -o Export logfile to file out.csv, use, (comma) as
cp_conf finger get Display fingerprint on the management module. out.csv -d ',' -p -n delimiter (CSV) and do not resolve services or Capture web traffic for VSX virtual system ID 23
cp_conf client get Display GUI clients list. hostnames (-n). fw monitor -v 23 -e 'accept tcpport (80);'
cp_conf admin get Display admin accounts and permissions. Also fwm -p log list Show index of available system and error log files. Capture traffic on a SecuRemote / SecureClient client into a file
cp_conf auto get Display autostart state of Check Point modules. log show View log file number from the log list index. srfw.exe in $ SRDIR / bin (C: \ Program Files \ CheckPoint \ SecuRemote \ bin)
srfw monitor -o output_file.cap
Basic administration and configuration tasks Backup and Restore Multi-Domain Security Management (Provider-1)
cpconfig Menu based configuration tool. Options depend on the add backup Create backup in / var / CPbackup / backups / or on a remote mdsconfig MDS replacement for cpconfig.
installed products and modules. server (scp / ftp / tftp). Also see sk91400. E.g .: mdsenv [dms_name] Set the environment variables for MDS or DMS level.
add backup local
sysconfig Start SPLAT OS and Check Point product configuration tool. mdsstart [-m | -s] Starts / stops the MDS and all DMS (10 at a time). begin
add backup scp ip path username
cp_conf admin add Add admin user with password pass and permissions perm interactive mdsstop [-m] only the MDS with -m or DMS subsequently with -s.
where w is read / write access and r is read only. Note: set backup restore Restore backup. Also see sk91400. Examples: mdsstat [dms_name] | [-m] Show status of the MDS and all DMS or a certain
permission w does not allow account administration. customer's DMS. Use -m for only MDS status.
set backup restore local
cp_admin_convert Export admin definitions created in cpconfig to set backup restore scp ip path file cpinfo -c Create a cpinfo for the customer DMS . Remember
SmartDashboard. username interactive to run mdsenv in advance.
fwm lock_admin -v View list of locked administrators. show backups List locally stored backups. mcd

Change directory to $ FWDIR / of the current DMS.
fwm lock_admin -u Unlock admin user. Unlock all with -ua. add snapshot Add and delete system snapshots. Example mdsstop_customer Stop single DMS .
cp_conf admin del delete snapshot add snapshot [descr ]
Delete the admin account user. mdsstart_customer Start single DMS .
fwm expdate set snapshot revert Export / import or revert to a certain system snapshot. E.g .:
Set new expiration date for all users or with -f for all users mds_backup [-l] [-d backup binaries and data to current directory. Change
[-f ] set snapshot export set snapshot revert
matching the expiration date filter: directory] output directory with -d, exclude logs with -l, do a dry
set snapshot import set snapshot export path name
fwm expdate 31-Dec-2020 -f 31-Dec-2014.
run with -v. You can exclude files by specifying them in
cp_conf client add show snapshots Show list of local snapshots.
Add / delete GUI clients. You can delete multiple clients at $ MDSDIR / conf / mds_exclude.dat.
cp_conf client del once. upgrade_export Tool from $ FWDIR / bin / upgrade_tools. Saves only Check ./mds_restore Restore MDS backup from file. Notice: you may need to
migrate export Point configuration (policy, objects ...) and no OS settings.
cpca_client Manage parts of the ICA. View, create and revoke copy mds_backup from $ MDSDIR / scripts / as well as
certificates, start and stop the ICA Web Tool. upgrade_import Import config package generated with migrate tools. gtar and gzip from $ MDS_SYSTEM / shared / to the
patch add cd Install the patch from CD.
migrate import directory with the backup file. Normally, mds_backup does
backup Create backup in / var / CPbackup / backups / or on a remote this during backup.
lvm_manager Manage partition sizes on GAiA. See sk95566 for info and
server (scp / ftp / tftp). Also see sk54100. Examples .: cma_migrate Import and if necessary upgrade an export_database
download link.
backup [-f ] created management server or DMS database package.
show users Show configured users and their homedir, UID / GID and backup --scp [-path mdscmd [-m mds Connect to a (remote) MDS as CPMI client and configure
shell. ]
-u user -p pass] or manage it. See mdscmd help.
add user Add a new user with username . restore Restore backup from local package or via scp / ftp / tftp. Delete vsx_util Perfom VSX maintenance from the main DMS. lake
set user shell Set the login shell of user to . Setting it to local backup packages. Menu based.
vsx_util -h for subcommands.
f.i. / bin / bash will log in directly into expert mode. snapshot Take a snapshot of the entire system. Without options it's menu
sk95329 Advanced Technical Reference Guide: Multi-Domain Security Management
set user password Set new password for . based. Note: cpstop is issued! Examples:
snapshot --file sk33207 - How to debug FWM daemon on Provider-1 DMS / CMA
set selfpasswd Change your own password. snapshot --scp VSX (When two commands are given, the first applies to R68 and the second to R75.40 +)
set expert-password Set or change password for entering expert mode. revert Reboot system from snapshot. Same syntax as snapshot. vsx stat [-v] [-l] [id] Show VSX status. Verbose with -v, interface list with
save config Save configuration changes. -l or status of single VS with VS ID .
ClusterXL configuration and troubleshooting and some VRRP
showusers Display a list of configured SecurePlatform administrators. show virtual-system all List all VS with their VS ID and name.
cphaprob state View HA state of all cluster members.
adduser Add a new user with username . vsx get View current shell context. Second line applies to VSX
cphaprob -a if View interface status and CCP state. vsenv
chsh -s Change the login shell for to on SPLAT. on R75.40VS and up.
cphaprob -ia list View list and state of critical cluster devices.
passwd Change your own password. vsx set Set context to VS with the ID . Second line
fw hastat View HA state of local machine. vsenv applies to VSX on R75.40VS and up.
passwd Change expert password in expert mode on SPLAT systems.
cp_conf ha enable | Enable or disable HA. set virtual-system Set context to VS ID .
start transaction Start transaction mode. All changes made will be applied at disable [norestart]
fw -vs unloadlocal Unload policy from a VS. To unload policies on all VS
once if you exit transaction mode with commit or discarded cphastart Enable / Disable ClusterXL on the cluster member. On vsenv ; fw unloadlocal use fw vsx unloadall. See sk33065 for details.
if you exit with rollback. cphastop HA Legacy Mode cphastop might stop the entire cluster.
show version os edition Show which OS edition (32 or 64-bit) is running. vsx sic reset Reset SIC for VS . For details see sk34098.
cphaprob syncstat View sync transport layer statistics. Reset with -reset. vsenv ; fw vsx sicreset Second line applies to VSX on R75.40VS and up.
set edition default Switch between 32 and 64-bit kernel. 64-bit needs at least See sk34475 for detailed description.
32-bit | 64-bit cpinfo -x Start cpinfo collecting data for VS ID .
6GB of RAM (or 1GB running in a VM). fw ctl pstat View sync status and packet statistics. Lake sk34476.
vpn -vs debug trunc Empty & stamp logs, enable IKE & VPN debug.
VPN fw ctl setsync Stop or start synchronization in a cluster.
fw -vs getifs View driver interface list for a VS. You can also use the
vpn tu Start a menu based VPN TunnelUtil program where you can fw -d fullsync Start a full synchronization with debugging output. vsenv ; fw getifs VS name instead of -vs .
list and delete Security Associations (SAs) for peers.
cphaconf set_ccp Configure Cluster Control Protocol (CCP) to use unicast fw tab -vs -t View state tables for virtual system . Second line
vpn shell Start the VPN shell. or multicast messages. By default set to multicast. vsenv ; fw tab -t
applies to VSX on R75.40VS and up.
vpn debug ikeon | ikeoff Debug IKE into $ FWDIR / log / ike.elg. Analyze ike.elg with cphaconf debug_data View multicast MAC addresses used. vsx vspurge Remove unused VSX systems and fetch VS config.
the IKEView tool. Lake sk30994.
clusterXL_admin [-p] Perform a graceful manual failover by registering a fw monitor -v -e View traffic for virtual system with ID .
vpn debug on | off Debug VPN into $ FWDIR / log / vpnd.elg. Analyze vpnd.elg faildevice. Survives a reboot with -p switch set. 'accept;' Attn: with fw monitor use -v instead of -vs.
with the IKEView tool. Lake sk30994.
show vrrp interfaces Detailed status of VRRP interfaces. For a brief overview cphaprob -vs state View HA state for Virtual System id when Per Virtual
vpn debug trunc Truncate and stamp logs, enable IKE & VPN debug. you can also use show vrrp in the iclid shell. System HA mode is configured.
vpn drv stat Show status of VPN-1 kernel module. cphaprob tablestat View IPs and interface IDs for all cluster members. cphaprob -vs register Register a faildevice and switch VS to the next
vpn overlap_encdom Show, if any, overlapping VPN domains. cphaprob igmp View IGMP status for CCP multicast mode. cluster member (only in Per VS HA / VSLS).
vpn macutil Show MAC for Secure Remote user . sk93306 - Advanced Technical Reference Guide: ClusterXL R6x and R7x $ linux_command -z In R68 set context for ifconfig, ip, arp, ping or
sk56202 - How to troubleshoot failovers in ClusterXL traceroute -Z netstat. Uppercase Z for traceroute.
sk60318 - How to troubleshoot VPN issues in Site to Site
sk89940 - How to debug VPND daemon sk62570 - How to troubleshoot failovers in ClusterXL - Advanced A lot of Check Point's commands up to R68 do understand the -vs switch. With newer
sk33327 - How to generate a valid VPN debug, IKE debug and FW Monitor sk43984 - Interface flapping when cluster interfaces are connected through several switches versions you often have to change context with vsenv before issuing the commands.
Licensed under Creative Commons BY-NC-SA. SecurePlatform, SofaWare, SmartCenter, ClusterXL, SecureXL, Flood-Gate-1, Provider-1, VSX, IPSO, VPN-1 / UTM-1 Edge and GAiA are all registered trademarks of Check Point Software Technologies, Ltd.