Check Point CLI Reference Card v2.0.
by Jens Roesen

Command Shell Indicators
Shells used on this card: Expert Mode, GAiA clish, SPLAT cpshell, IPSO clish, IPSO shell.
A lot of the expert mode commands are also available within GAiA clish as extended commands. View the complete list with the clish command show extended commands.

Check Point Environment variables (most common ones)
  $FWDIR: FW-1 installation directory, with f.i. the conf, log, lib, bin and spool directories.
  $CPDIR: SVN Foundation / cpshared tree.
  $CPMDIR: Management server installation directory.
  $FGDIR: FloodGate-1 installation directory.
  $MDSDIR: MDS installation directory. Same as $FWDIR on MDS level.
  $FW_BOOT_DIR: Directory with files needed at boot time.

Useful Secure Knowledge articles
  sk65385: List of "How To" guides for all Check Point products.
  sk97638: Check Point Processes and Daemons.
  sk52421: Ports used by Check Point software.
  sk98348: Best Practices - Security Gateway Performance.
  sk105119: Best Practices - VPN Performance.
There are also a lot of valuable ATRGs (Advanced Technical Reference Guides) available. Search for ATRG and a suitable keyword, for instance "atrg ipv6".

Basic starting and stopping
  cpstop: Stop all Check Point services except cprid. You can also stop specific services by issuing an option with cpstop. For instance cpstop FW1 stops FW-1 / VPN-1, or use cpstop WebAccess to stop WebAccess.
  cpstart: Start all Check Point services except cprid. cpstart works with the same options as cpstop.
  cprestart: Combined cpstop and cpstart. Complete restart.
  cpridstop / cpridstart / cpridrestart: Stop, start or restart cprid, the Check Point Remote installation daemon.
  fw kill [-t sig] proc: Kill a firewall process. The PID file in $FWDIR/tmp/ must be present. By default sends signal 15 (SIGTERM). Example: fw kill -t 9 fwm
  fw unloadlocal: Uninstalls the local security policy and disables IP forwarding.

Basic firewall information gathering
  fw ver [-k] / fwm [mds] ver / vpn ver [-k] / fgate ver: Show major and minor version as well as build number and latest installed hotfix of a Check Point module. Show additional kernel version information with the -k switch.
  ver: Show CP version and build as well as kernel info.
  cpshared_ver: Show the version of the SVN Foundation.
  cpview: Tool combining several Check Point and Linux commands into a great text based tool providing both OS and software blade information. See sk101878.
  fw stat / fw stat <-l | --long> / fw stat <-s | --short>: Show the name of the current policy and a brief interface list. Use -l or -s for more info. Consider using cpstat fw instead of the -l or -s switch for better formatted output.
  fw ctl iflist: Display interface list.
  fw ctl arp [-n]: Display proxy arp table. -n disables name resolution.
  cp_conf finger get: Display fingerprint on the management module.
  cp_conf client get: Display GUI clients list.
  cp_conf admin get: Display admin accounts and permissions. Also fwm -p.
  cp_conf auto get: Display autostart state of Check Point modules.
  fw getifs: Show list of configured interfaces with IP and netmask.
  cpstat [-f flavor] <app>: View OS and software blade statistics. Run cpstat without any options to see all possible application flags.
  cpstat fw -f policy: Verbose policy info.
  cpstat os -f cpu: CPU utilization statistics.
  cpinfo -y all: List all installed patches and hotfixes.
  cpinfo -z -o <file>: Write a compressed cpinfo file to open with the InfoView utility or to send to Check Point support.
  cpd_sched_config print: Show tasks scheduled with the CPD scheduler.
  ethtool -S: View interface statistics and counters.
  enabled_blades: View enabled software blades.
  show configuration: Show running system configuration.
  show commands: Show all commands you are allowed to run.
  show asset all: Display general hardware information.
  show sysenv all: Display system component status (fans, power supply ...).
  asset: View hw info on IP Series Appliances running GAiA.
  show asset hardware: View hw info like serial numbers in Nokia clish.
  ipsctl -a: View hw info. Also see the cat /var/etc/.nvram output.
  cpca_client lscert: Display all ICA certificates.
  fw tab -t <table>: View a state table. List all available tables with fw tab -s. Example: fw tab -t connections -s views the connection table.
  fw ctl multik stat: Show connection statistics for each kernel instance.
  fw ctl pstat: Display internal statistics including information about memory, inspect, connections, synchronization and NAT.
  fw ctl chain: Displays in and out chain of CP modules. Useful for placing fw monitor into the chain with the -p option.

Basic troubleshooting
  fgate stat: Status and statistics of Flood-Gate-1.
  fwaccel stat: View SecureXL status.
  sar: System monitoring tool (GAiA) generating monitoring data.
  sar -n EDEV: Interface errors from today.
  sar -u -f /var/log/sa/sa04: CPU stats from the 4th.
  cpsizeme: For 24h, monitor gw resource utilization every minute and generate a CSV report to use for sizing considerations or troubleshooting. See sk88160 for additional information.
  emergendisk: Create a bootable system on a USB device for system or password recovery and secure HDD wiping.
  avsu_client [-app <app>]
  cst / ecst: Configuration Summary Tool and its enhanced version. Packs IPSO config, logs, core dumps etc. into a single file.
  fw ctl zdebug drop: Real time listing of dropped packets.
  cpwd_admin list: Display PID, status and starting time of CP WatchDog monitored processes.
  cpmonitor: Statistics and analysis of snoop / tcpdump / fw monitor traffic capture files. See sk103212 for download link and usage.
  cp_conf sic state: Display SIC trust status or (re)initialize SIC. Also see sk30579.
  Reinitialize the ICA with cpconfig or cp_conf ca init.
  cpca_client: Manage parts of the ICA. View, create and revoke certificates, start and stop the ICA Web Tool.
  cpca_client lscert -stat Valid: List only valid ICA certificates.
  cpca_client search <string>: Search ICA certificates.

Display and manage licenses
  cp_conf lic get: View licenses.
  cplic print: Display more detailed license information.
  fw lichosts: List protected hosts with limited hosts licenses.
  dtps lic: SecureClient Policy Server license summary.
  cplic del <sig>: Delete a license.
  cplic db_rm <sig>: Remove a license from the license repository.
  cplic get <gw | -all>: Synchronize the SmartCenter license repository with the gw(s).
  cplic put <-l file>: Install local license from file to a local machine.
  cplic put <obj> -l <file>: Install license from file remotely to obj.
  cprlic: Remote license management tool.
  contract_util mgmt: Get contracts from the Management Server.

View and manage log files
  fw lslogs: View a list of available fw log files and their size.
  fwm logexport: Export / display current fw.log to stdout.
  fw repairlog: Repair a log file.
  fw logswitch [-audit]: Copy current (audit) logfile to YY-MM-DD-HHMMSS.log and start a new fw.log.
  fw log -c <action>: Show only records with the given action, e.g. drop, reject etc. Starts from the top of the log, use -t to start a tail at the end.
  fw log -f -t: Tail the actual log file from the end of the log. Without the -t switch it starts from the beginning.
  fw log -b
  fw fetchlogs -f <module>: Fetch log files from a module. The log will be deleted from the remote module. Does not work with the current fw.log.
  fwm logexport -i <in.log> -o out.csv -d ',' -p -n: Export a log file with ',' as delimiter (CSV) and do not resolve services or hostnames (-n).
  log list: Show index of available system and error log files.
  log show

fw monitor Examples
The fw monitor packet sniffer is part of every FW-1 installation. For more info see the Check Point documentation. fw6 monitor is working with GAiA. Disable SecureXL (fwaccel off) prior to sniffing.
  Display traffic with 192.168.1.12 as SRC or DST on interface ID 2:
    fw monitor -e 'accept host(192.168.1.12) and ifid=2;'
  Display all packets from 192.168.1.12 to 192.168.3.3:
    fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'
  UDP port 53 (DNS) packets, pre-in position is before 'ippot_strip' (command line not preserved on this copy of the card).
  UDP traffic from or to unprivileged ports, only show post-out (command line not preserved on this copy of the card).
  Display Windows traceroute (ICMP, TTL <30) from and to 192.168.1.12:
    fw monitor -e 'accept host(192.168.1.12) and tracert;'
  Capture web traffic for VSX virtual system ID 23:
    fw monitor -v 23 -e 'accept tcpport(80);'
  Capture traffic on a SecuRemote / SecureClient client into a file (command line not preserved on this copy of the card).

Basic administration and configuration tasks
  cpconfig: Menu based configuration tool. Options depend on the installed products and modules.
  sysconfig: Start SPLAT OS and Check Point product configuration tool.
  cp_conf admin add <user> <pass> <permission>: Add an admin account. Permission w does not allow account administration.
  cp_admin_convert: Export admin definitions created in cpconfig to SmartDashboard.
  fwm lock_admin -v: View list of locked administrators.
  fwm lock_admin -u <user>: Unlock an administrator.
  cp_conf admin del <user>: Delete the admin account user.
  fwm expdate <date> [-f <filter>]: Set a new expiration date for all users or, with -f, for all users matching the expiration date filter: fwm expdate 31-Dec-2020 -f 31-Dec-2014.
  cp_conf client add / cp_conf client del: Add / delete GUI clients. You can delete multiple clients at once.
  cpca_client: Manage parts of the ICA. View, create and revoke certificates, start and stop the ICA Web Tool.
  patch add cd: Install a patch from CD.
  lvm_manager: Manage partition sizes on GAiA. See sk95566 for info.
  show users: Show configured users and their homedir, UID / GID and shell.
  set selfpasswd: Change your own password.
  set expert-password: Set or change the password for entering expert mode.
  save config: Save configuration changes.
  showusers: Display a list of configured SecurePlatform administrators.
  passwd: Change your own password.
  passwd: Change expert password in expert mode on SPLAT systems.
  start transaction: Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit, or discarded if you exit with rollback.
  show version os edition: Show which OS edition (32 or 64-bit) is running.
  set edition default 32-bit | 64-bit: Switch between 32 and 64-bit kernel. 64-bit needs at least 6GB of RAM (or 1GB running in a VM).

Backup and Restore
  add backup: Create backup in /var/CPbackup/backups/ or on a remote server (scp / ftp / tftp). Also see sk91400. E.g.:
    add backup local
    add backup scp ip <ip> ...
  set backup restore local ...
  set backup restore scp ip <ip> ...
  show backups: List locally stored backups.
  set snapshot import / set snapshot export
  backup: Create backup in /var/CPbackup/backups/ or on a remote server (scp / ftp / tftp). Also see sk54100. Examples:
    backup --scp <ip> [-u user -p pass]
    snapshot --scp <ip> [-u user -p pass]
  revert: Reboot system from snapshot. Same syntax as snapshot.
  upgrade_import

Multi-Domain Security Management (Provider-1)
  mdsconfig: MDS replacement for cpconfig.
  mdsenv [dms_name]: Set the environment variables for MDS or DMS level.
  mdsstart [-m | -s] / mdsstop: Starts / stops the MDS and all DMS (10 at a time).
  mdsstat: Show status of the MDS and all DMS or of a single customer's DMS. Use -m for only MDS status.
  mcd
  mdsstart_customer
  mds_backup [-l] [-d directory]: Backup binaries and data to the current directory. Change the output directory with -d, exclude logs with -l, do a dry run with -v. You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat. Copy mds_backup from $MDSDIR/scripts/ as well as ... this during backup.
  cma_migrate: Import and if necessary upgrade an export_database ...
  mdscmd: Query or manage the MDS from the command line. See mdscmd help.
  vsx_util: See vsx_util -h for subcommands.
  sk95329: Advanced Technical Reference Guide: Multi-Domain Security Management.

ClusterXL configuration and troubleshooting and some VRRP
  cphaprob state: View HA state of all cluster members.
  cphaprob -a if: View interface status and CCP state.
  cphaprob -ia list: View list and state of critical cluster devices.
  fw hastat: View HA state of the local machine.
  cp_conf ha enable | disable [norestart]: Enable or disable HA.
  cphastart / cphastop: Enable / Disable ClusterXL on the cluster member. In HA Legacy Mode cphastop might stop the entire cluster.
  cphaprob syncstat: View sync transport layer statistics. Reset with -reset. See sk34475 for a detailed description.
  fw ctl pstat: View sync status and packet statistics. See sk34476.
  fw ctl setsync
  fw -d fullsync
  cphaconf set_ccp: Configure Cluster Control Protocol (CCP) to use unicast ...
  cphaconf debug_data: View multicast MAC addresses used.
  clusterXL_admin [-p]: Perform a graceful manual failover by registering a ...
  show vrrp interfaces: Detailed status of VRRP interfaces. For a brief overview you can also use show vrrp in the iclid shell.
  cphaprob tablestat: View IPs and interface IDs for all cluster members.
  cphaprob igmp: View IGMP status for CCP multicast mode.
  sk56202 - How to troubleshoot failovers in ClusterXL
  sk62570 - How to troubleshoot failovers in ClusterXL - Advanced
  sk43984 - Interface flapping when cluster interfaces are connected through several switches

VPN
  vpn tu: Start a menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.
  vpn shell: Start the VPN shell.
  vpn debug ikeon | ikeoff: Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool. See sk30994.
  vpn debug on | off: Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg with the IKEView tool. See sk30994.
  vpn debug trunc: Truncate and stamp logs, enable IKE & VPN debug.
  vpn drv stat: Show status of the VPN-1 kernel module.
  vpn overlap_encdom: Show, if any, overlapping VPN domains.
  sk60318 - How to troubleshoot VPN issues in Site to Site
  sk89940 - How to debug VPND daemon
  sk33327 - How to generate a valid VPN debug, IKE debug and FW Monitor

VSX
  vsx stat [-v] [-l] [id]: Show VSX status. Verbose with -v, interface list with -l, or status of a single VS with VS ID.
  show virtual-system all: List all VS with their VS ID and name.
  vsenv <id> / vsx set <id> / set virtual-system <id>: Change context to virtual system <id> (expert mode / clish).
  vsx sic reset
  cpinfo -x <id>
  fw tab -vs <id>: View state tables for virtual system <id>.
  fw monitor -v <id>: Capture traffic on virtual system <id>.
  cphaprob -vs <id> ...: ... System HA mode is configured.
  cphaprob -vs <id> ...: ... cluster member (only in Per VS HA / VSLS).
  vsx vspurge: Remove unused VSX systems and fetch VS config.
  traceroute -Z
Many Check Point commands understand the -vs <id> option; this applies to VSX on R75.40VS and up. On other versions you often have to change context with vsenv <id>.
Licensed under Creative Commons BY-NC-SA. SecurePlatform, SofaWare, SmartCenter, ClusterXL, SecureXL, Flood-Gate-1, Provider-1, VSX, IPSO, VPN-1 / UTM-1 Edge and GAiA are all registered trademarks of Check Point Software Technologies, Ltd.