Check Point CLI Reference Card – v2.1
by Jens Roesen

Reference card command indicators: the original card marks every command as Expert Mode, GAiA clish, SPLAT cpshell, IPSO clish or IPSO shell. A lot of the expert mode commands are also available within GAiA clish as "extended commands"; view the complete list with the clish command "show extended commands". Placeholders for arguments are written as <...>.

Basic firewall information gathering

fgate stat
    Status and statistics of Flood-Gate-1.
fwaccel <stat|stats|conns>
    View status, statistics or connection table of SecureXL.
fw getifs
    Show list of configured interfaces with IP and netmask.
cpstat [-f <flavour>] <application>
    View OS, HW and CP application status. Issue cpstat without any options to see all possible application flags and corresponding flavours. Examples:
    cpstat fw -f policy – verbose policy
    cpstat os -f cpu – CPU utilization statistics
cpinfo -y all
    List all installed patches and hotfixes.
cpd_sched_config
    Show tasks scheduled with the CPD scheduler.
enabled_blades
    View enabled software blades.
avsu_client [-app <app>] get_version
    Get signature version and status of a content security utility. Without the -app option "Anti Virus" is used.
show configuration
    Show running system configuration.
show commands
    Show all commands you are allowed to run.
show asset all
    Display general hardware information.
show sysenv all
    Display system component status (fans, power supply...).
asset
    View hw info on IP Series Appliances running GAiA.
show asset hardware
    View hw info like serial numbers in Nokia clish.
ipsctl -a
    View hw info. Also see /var/etc/.nvram output.
fw ver [-k], fwm [mds] ver, vpn ver [-k], fgate ver
    Show major and minor version as well as build number and latest installed hotfix of a Check Point module. Show additional kernel version information with the -k switch.
ver
    Show CP version and build as well as kernel info.
cpshared_ver
    Show the version of the SVN Foundation.
fw stat, fw stat <-l|--long>, fw stat <-s|--short>
    Show the name of the current policy and a brief interface list. Use -l or -s for more info. Consider using cpstat fw instead of the fw stat -l or -s switch for better formatted output.
fw ctl iflist
    Display interface list.
fw ctl arp [-n]
    Display proxy arp table. -n disables name resolution.
cp_conf finger get
    Display fingerprint of the management module.
cp_conf client get
    Display GUI clients list.
cp_conf admin get
    Display admin accounts and permissions. Also fwm -p.
cp_conf auto get
    Display autostart state of Check Point modules.

Basic troubleshooting

cpview
    View OS and software blade statistics: a tool combining several Check Point and OS commands into one text based tool providing both OS and software blade information. See sk101878.
cpinfo
    Collect diagnostic data for support cases. See sk92739.
cpinfo -z -o <file>
    Create a compressed cpinfo file to open with the InfoView utility or to send to Check Point support.
sar
    System monitoring tool (GAiA) generating monitoring data every 10 minutes and keeping the data for 7 days. E.g.:
    sar -n EDEV – Interface errors from today
    sar -u -f /var/log/sa/sa04 – CPU stats from the 4th
cpsizeme
    For 24h, monitor gw resource utilization every minute and generate a CSV report to use for sizing considerations or troubleshooting. See sk88160 for additional information.
-S
    View interface statistics and counters.
emergendisk
    Create a bootable system on a USB device for system or password recovery and secure HDD wiping.
cst, ecst
    Configuration Summary Tool and its enhanced version. Packs IPSO config, logs, core dumps etc. into a single file.
fw ctl zdebug drop
    Real time listing of dropped packets.
cpwd_admin list
    Display PID, status and starting time of CP WatchDog monitored processes.
fw tab -t <table> [-s]
    View kernel table contents; short output with the -s switch. List all available tables with fw tab -s. Example:
    fw tab -t connections -s – View connection table.
fw ctl multik stat
    Show connection statistics for each kernel instance.
fw ctl pstat
    Display internal statistics including information about memory, inspect, connections, synchronization and NAT.
fw ctl chain
    Display in and out chain of CP modules. Useful for placing fw monitor into the chain with the -p option.
cp_conf sic state, cp_conf sic init
    Display SIC trust status or (re)initialize SIC. Also see sk30579 for additional hints on SIC troubleshooting.
fwm sic_reset
    Reset Internal Certificate Authority (ICA) and delete certs. Reinitialize ICA with cpconfig or cp_conf ca init.
cpca_client
    Manage parts of the ICA. View, create and revoke certificates, start and stop the ICA Web Tool. Examples:
    cpca_client lscert – Display all ICA certificates.
    cpca_client lscert -stat Valid
    cpca_client search
fw kill [-t <sig>] <proc>
    Kill a Firewall process. The PID file in $FWDIR/tmp/ must be present. Per default sends 15 (SIGTERM). Example: fw kill -t 9 fwm
fwaccel <off|on>
    Disable/enable SecureXL.
cpmonitor
    Statistics and analysis of snoop/tcpdump/fw monitor traffic capture files. See sk103212 for download and usage.
fw unloadlocal
    Uninstall the local security policy and disable IP forwarding.

Useful Secure Knowledge articles

sk65385 – List of "How To" Guides for all Check Point products
sk97638 – Check Point Processes and Daemons
sk52421 – Ports used by Check Point software
sk98348 – Best Practices - Security Gateway Performance
sk105119 – Best Practices - VPN Performance
sk98799 – Kernel debug PDF
How to Troubleshoot NAT-related Issues
tcpdump101 – Generate fw monitor and kernel debug CLI commands online.
There also are a lot of valuable ATRGs (Advanced Technical Reference Guides) available. Search for "ATRG" and a suitable keyword.

Check Point environment variables (common ones)

$FWDIR
    FW-1 installation directory, with f.i. the conf, log, lib, bin and spool directories.
$CPDIR
    SVN Foundation / cpshared directory.
$CPMDIR
    Management server installation directory.
$FGDIR
    FloodGate-1 installation directory.
$MDSDIR
    MDS installation directory. Same as $FWDIR on MDS level.
$FW_BOOT_DIR
    Directory with files needed at boot time.

Display and manage licenses

cp_conf lic get
    View licenses.
cplic print
    Display detailed license information.
fw lichosts
    List protected hosts with limited hosts licenses.
dtps lic
    SecureClient Policy Server license summary.
cplic del
    Detach the license with signature sig from object obj.
cplic db_rm <sig>
    Remove a license from the repository after detaching.
cplic get <ip|-all>
    Retrieve all licenses from a certain gateway or all gateways to synchronize the SmartCenter license repository with the gw(s).
cplic put <-l file>
    Install a local license from file to the local machine.
cplic put <obj> <-l file>
    Attach one or more central or local licenses from file remotely to obj.
cprlic
    Remote license management tool.
contract_util mgmt
    Get contracts from the Management Server.

Basic starting and stopping

cpstop
    Stop all Check Point services except cprid. You can also stop specific services by issuing an option with cpstop. For instance cpstop FW1 stops FW-1/VPN-1, or use cpstop WebAccess to stop WebAccess.
cpstart
    Start all Check Point services except cprid. cpstart works with the same options as cpstop.
cprestart
    Combined cpstop and cpstart. Complete restart.
cpridstop, cpridstart, cpridrestart
    Stop, start or restart cprid, the Check Point Remote Installation Daemon.

fw monitor examples

The fw monitor packet sniffer is part of every FW-1 installation. For more detailed info see my cheat sheet (http://bit.ly/cpfwmon). Disable SecureXL (fwaccel off) prior to sniffing.

Display traffic with 192.168.1.12 as SRC or DST on interface ID 2 (list interfaces and corresponding IDs with fw ctl iflist):
    fw monitor -e 'accept host(192.168.1.12) and ifid=2;'
Display all packets from 192.168.1.12 to 192.168.3.3:
    fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'
UDP port 53 (DNS) packets; the pre-in position is before the 'ipopt_strip' module:
    fw monitor -pi ipopt_strip -e 'accept udpport(53);'
UDP traffic from or to unprivileged ports, only show post-out:
    fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'
Display Windows tracert traffic (ICMP, TTL<30) from and to 192.168.1.12:
    fw monitor -e 'accept host(192.168.1.12) and tracert;'
Capture web traffic for VSX virtual system ID 23:
    fw monitor -v 23 -e 'accept tcpport(80);'

View and manage log files

fw lslogs
    View a list of available fw log files and their size.
fwm logexport
    Export/display the current fw.log to stdout.
fw repairlog <logfile>
    Rebuild pointer files for logfile.
fw logswitch [-audit]
    Rotate the current (audit) logfile to YY-MM-DD-HHMMSS.log and start a new fw.log.
fw log -c <action>
    Show only records with action <action>, e.g. accept, drop, reject etc. Starts from the beginning of the log; use -t to start a tail at the end.
fw log -f -t
    Tail the actual log file from the end of the log. Without the -t switch it starts from the beginning.
fw log -b <start> <end>
    View today's log entries between start and end.
fw fetchlogs -f <logfile> <module>
    Fetch a logfile from a remote CP module. NOTE: the log will be deleted from the remote module. Does not work with the current fw.log.
fwm logexport -i <logfile> -o out.csv -d ',' -p -n
    Export logfile to file out.csv, use , (comma) as delimiter (CSV) and do not resolve services or hostnames (-n).
log list
    Show index of available system and error log files.
log show <n>
    View log file number n from the log list index.
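The fw log commands above print one record per line as "key: value;" pairs, which is awkward to read when a burst of drops needs triage. The following shell function is an added example and not part of the reference card: it reads fw log style records on stdin, keeps only drop and reject records, and counts them per source, destination and service. The sample records are constructed to resemble fw log output; the exact column layout depends on the version, so compare with a few real lines first. The function names summarize_drops and top_drop and the assumed usage `fw log -c drop | summarize_drops` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Check Point CLI Reference Card.
# summarize_drops: read 'fw log' style records on stdin, keep drop/reject
# records and print "count src dst service" sorted by count (highest first).
# Assumed usage on a gateway:  fw log -c drop | summarize_drops
summarize_drops() {
    awk '
    # Column 2 of an fw log record is the action (accept, drop, reject, ...)
    $2 == "drop" || $2 == "reject" {
        src = ""; dst = ""; svc = ""
        # The rest of the record is a list of "key: value;" pairs
        n = split($0, kv, ";")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+/, "", kv[i])
            if (kv[i] ~ /^src: /)          { src = substr(kv[i], 6) }
            else if (kv[i] ~ /^dst: /)     { dst = substr(kv[i], 6) }
            else if (kv[i] ~ /^service: /) { svc = substr(kv[i], 10) }
        }
        if (svc == "") svc = "-"
        if (src != "" && dst != "") count[src " " dst " " svc]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3 -k4,4
}

# top_drop: only the busiest src/dst/service tuple
top_drop() { summarize_drops | head -n 1; }

# CONSTRUCTED sample records resembling 'fw log' output (not real logs).
SAMPLE_LOG='10:12:33 drop gw1 >eth1 rule: 12; src: 10.1.1.5; dst: 192.168.1.12; proto: tcp; service: 80; s_port: 44512;
10:12:34 accept gw1 >eth1 rule: 3; src: 10.1.1.7; dst: 192.168.1.12; proto: tcp; service: 443; s_port: 50001;
10:12:35 drop gw1 >eth1 rule: 12; src: 10.1.1.5; dst: 192.168.1.12; proto: tcp; service: 80; s_port: 44513;
10:12:36 reject gw1 >eth2 rule: 7; src: 10.1.2.9; dst: 192.168.3.3; proto: udp; service: 53; s_port: 5353;
10:12:37 drop gw1 >eth1 rule: 12; src: 10.1.1.5; dst: 192.168.1.12; proto: tcp; service: 80; s_port: 44514;
10:12:38 drop gw1 <eth1 rule: 0; src: 10.1.1.9; dst: 192.168.1.12; proto: icmp;'

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Records without a service field (the ICMP drop above) are reported with "-" as service; accepted connections are ignored, so the same pipeline works on an unfiltered fw log stream as well.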
Basic administration and configuration tasks

cpconfig
    Menu based configuration tool. Options depend on the installed products and modules.
sysconfig
    Start the SPLAT OS and Check Point product configuration tool.
cp_conf admin add <user> <pass> <perm>
    Add admin user with password pass and permissions perm, where w is read/write access and r is read only. Note: permission w does not allow account administration.
cp_admin_convert
    Export admin definitions created in cpconfig to SmartDashboard.
fwm lock_admin -v
    View list of locked administrators.
fwm lock_admin -u <user>
    Unlock admin user. Unlock all with -ua.
cp_conf admin del <user>
    Delete the admin account user.
fwm expdate <date> [-f <date>]
    Set a new expiration date for all users or, with -f, for all users matching the expiration date filter: fwm expdate 31-Dec-2020 -f 31-Dec-2014
cp_conf client add, cp_conf client del
    Add/delete GUI clients. You can delete multiple clients at once.
cpca_client
    Manage parts of the ICA. View, create and revoke certificates, start and stop the ICA Web Tool.
show users
    Show configured users and their homedir, UID/GID and shell.
add user <user>
    Add a new user with username user.
set user <user> shell <shell>
    Set the login shell of user to shell. Setting it to /bin/bash f.i. will log in directly into expert mode.
set user <user> password
    Set a new password for user.
set selfpasswd
    Change your own password.
set expert-password
    Set or change the password for entering expert mode.
save config
    Save configuration changes.
start transaction
    Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit, or discarded if you exit with rollback.
show version os edition
    Show which OS edition (32 or 64-bit) is running.
set edition default <32-bit|64-bit>
    Switch between 32 and 64-bit kernel. 64-bit needs at least 6GB of RAM (or 1GB running in a VM).
showusers
    Display a list of configured SecurePlatform administrators.
adduser <user>
    Add a new user with username user.
-s <shell> <user>
    Change the login shell for user to shell on SPLAT.
passwd
    Change your own password. In expert mode on SPLAT systems passwd changes the expert password.

Backup and Restore

add backup <local|scp|ftp|tftp>
    Create backup in /var/CPbackup/backups/ or on a remote server (scp/ftp/tftp). Also see sk91400. E.g.:
    add backup local
    add backup scp ip <ip> username <user> interactive
set backup restore <local|scp|ftp|tftp>
    Restore backup. Also see sk91400. Examples:
    set backup restore local <file>
    set backup restore scp ip <ip> path <path> file <file> username <user> interactive
show backups
    List locally stored backups.
add snapshot, delete snapshot
    Add and delete system snapshots. Example: add snapshot <name> [descr "my description"]
set snapshot revert, set snapshot export, set snapshot import
    Export, import or revert to a certain system snapshot. E.g.:
    set snapshot revert <name>
    set snapshot export <name> path <path> name <name>
show snapshots
    Show list of local snapshots.
upgrade_export, migrate export
    Tool from $FWDIR/bin/upgrade_tools. Saves only the Check Point configuration (policy, objects...) and no OS settings.
upgrade_import, migrate import
    Import a config package generated with the migrate tools.
backup [-f <file>], backup --scp <ip> <user> <pass> [-path <path>]
    Create backup in /var/CPbackup/backups/ or on a remote server (scp/ftp/tftp). Also see sk54100.
restore
    Restore backup from a local package or via scp/ftp/tftp. Delete local backup packages. Menu based.
snapshot
    Take a snapshot of the entire system. Without options it's menu based. Note: cpstop is issued! Examples:
    snapshot --file <file>
    snapshot --scp <ip> <user> <pass>
revert
    Reboot the system from a snapshot. Same syntax as snapshot.
patch add cd
    Install the patch from CD.
lvm_manager
    Manage partition sizes on GAiA. See sk95566 for info and download link.

Multi-Domain Security Management (Provider-1)

mdsconfig
    MDS replacement for cpconfig.
mdsenv [dms_name]
    Set the environment variables for MDS or DMS level.
mdsstart [-m|-s], mdsstop [-m]
    Start/stop the MDS and all DMS (10 at a time). Start only the MDS with -m or the DMS subsequently with -s.
mdsstat [dms_name]|[-m]
    Show status of the MDS and all DMS, or of a certain customer's DMS. Use -m for MDS status only.
cpinfo -c <dms>
    Create a cpinfo for the customer DMS. Remember to run mdsenv in advance.
mcd <dir>
    Change directory to $FWDIR/<dir> of the current DMS.
mdsstop_customer <dms>, mdsstart_customer <dms>
    Stop/start a single DMS.
mds_backup [-l] [-d <directory>]
    Backup binaries and data to the current directory. Change the output directory with -d, exclude logs with -l, do a dry run with -v. You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat.
./mds_restore <file>
    Restore an MDS backup from file. Notice: you may need to copy mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the directory with the backup file. Normally mds_backup does this during backup.
cma_migrate
    Import and, if necessary, upgrade an export_database created management server or DMS database package.
mdscmd [-m <mds> -u <user> -p <pass>]
    Connect to a (remote) MDS as CPMI client and configure or manage it. See the mdscmd usage output for subcommands.
vsx_util
    Perform VSX maintenance from the main DMS. See vsx_util -h for subcommands.
sk95329 – Advanced Technical Reference Guide: Multi-Domain Security Management
sk33207 – How to debug FWM daemon on Provider-1 DMS/CMA

VSX (when two commands are given, the first applies to R68 and the second to R75.40+)

vsx stat [-v] [-l] [<id>]
    Show VSX status. Verbose with -v, interface list with -l, or status of a single VS with VS ID id.
show virtual-system all
    List all VS with their VS ID and name.
vsx get / vsenv
    View the current shell context. Second command applies to VSX on R75.40VS and up.
vsx set <id> / vsenv <id>
    Set context to the VS with ID id. Second command applies to VSX on R75.40VS and up.
set virtual-system <id>
    Set context to VS ID id.
fw -vs <id> unloadlocal / vsenv <id>; fw unloadlocal
    Unload the policy from a VS. To unload the policies on all VS at once use fw vsx unloadall. See sk33065 for details.
vsx sic reset <id> / vsenv <id>; fw vsx sicreset
    Reset SIC for VS id. For details see sk34098. Second command applies to VSX on R75.40VS and up.
cpinfo -x <id>
    Start cpinfo collecting data for VS ID id.
fw -vs <id> getifs / vsenv <id>; fw getifs
    View the driver interface list for a VS. You can also use the VS name instead of id.
fw tab -vs <id> -t <table> / vsenv <id>; fw tab -t <table>
    View state tables for virtual system id. Second command applies to VSX on R75.40VS and up.
vsx vspurge
    Remove unused VSX systems and fetch the VS config.
fw monitor -v <id> -e 'accept;'
    View traffic for the virtual system with ID id. Attn: on VSX R75.40VS and up use fw monitor -vs instead of fw monitor -v.
vpn -vs <id> debug trunc
    Empty & stamp logs, enable IKE & VPN debug for a VS.
cphaprob -vs <id> state
    View the HA state for Virtual System id when "Per Virtual System HA" mode is configured.
cphaprob -vs <id> register
    Register a faildevice and switch the VS to the next cluster member (only in Per VS HA/VSLS).
<linux_command> -z <id>
    In R68 set the VS context for ip, arp, ping or traceroute. Uppercase "Z" for traceroute: traceroute -Z <id>.
A lot of Check Point's commands up to R68 understand the -vs switch. With newer versions you often have to change context with vsenv before issuing the commands.

VPN

vpn tu
    Start a menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.
vpn shell
    Start the VPN shell.
vpn debug ikeon|ikeoff
    Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool. See sk30994.
vpn debug on|off
    Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg with the IKEView tool. See sk30994.
vpn debug trunc
    Truncate and stamp logs, enable IKE & VPN debug.
vpn drv stat
    Show status of the VPN-1 kernel module.
vpn overlap_encdom
    Show overlapping VPN domains, if any.
vpn macutil <user>
    Show the MAC for SecureRemote user.
sk60318 – How to troubleshoot VPN issues in Site to Site
sk89940 – How to debug VPND daemon
sk33327 – How to generate a valid VPN debug, IKE debug and FW Monitor

ClusterXL configuration and troubleshooting, and some VRRP

cphaprob state
    View the HA state of all cluster members.
cphaprob -a if
    View interface status and CCP state.
cphaprob -ia list
    View list and state of critical cluster devices.
fw hastat
    View the HA state of the local machine.
cp_conf ha enable|disable [norestart]
    Enable or disable HA.
cphastart, cphastop
    Enable/disable ClusterXL on the cluster member. In HA Legacy Mode cphastop might stop the entire cluster.
cphaprob syncstat
    View sync transport layer statistics. Reset with -reset. See sk34475 for a detailed description.
fw ctl pstat
    View sync status and packet statistics. See sk34476.
fw ctl setsync
    Stop or start synchronization in a cluster.
fw -d fullsync
    Start a full synchronization with debugging output.
cphaconf set_ccp <broadcast|multicast>
    Configure the Cluster Control Protocol (CCP) to use broadcast or multicast messages. By default set to multicast.
cphaconf debug_data
    View the multicast MAC addresses used.
clusterXL_admin <up|down> [-p]
    Perform a graceful manual failover by registering a faildevice. Survives a reboot with the -p switch set.
show vrrp interfaces
    Detailed status of VRRP interfaces. For a brief overview you can also use show vrrp in the iclid shell.
cphaprob tablestat
    View IPs and interface IDs for all cluster members.
cphaprob igmp
    View IGMP status for CCP multicast mode.
sk93306 – Advanced Technical Reference Guide: ClusterXL R6x and R7x
sk56202 – How to troubleshoot failovers in ClusterXL
sk62570 – How to troubleshoot failovers in ClusterXL - Advanced
sk43984 – Interface flapping when cluster interfaces are connected through several switches
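cphaprob state is the first thing to look at when a failover is suspected, and the same check is worth automating for monitoring. The following shell function is an added example and not the card's own: it reads cphaprob state output on stdin, expects exactly one Active member with every other member in Standby (High Availability mode), and reports any member in another state (Down, Ready, Initializing, Active Attention, ...) with a non-zero return code. The two sample outputs are constructed; the column layout differs between versions, so verify against a real cphaprob state before relying on it. The function name check_cluster_state and the assumed usage `cphaprob state | check_cluster_state` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Check Point CLI Reference Card.
# check_cluster_state: read 'cphaprob state' output on stdin and return 0 only
# when exactly one member is Active and every other member is Standby.
# Members in any other state are printed and the function returns 1.
# Assumed usage on a cluster member:  cphaprob state | check_cluster_state
check_cluster_state() {
    awk '
    # Member lines look like: "<number> [(local)] <address> <load>% <state...>"
    /^[0-9]+[ \t]/ {
        state = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /%$/) {
                # Everything after the load column is the (possibly two-word) state
                for (j = i + 1; j <= NF; j++) state = (state == "") ? $j : state " " $j
                break
            }
        }
        members++
        if (state ~ /^Active/) active++
        if (state != "Active" && state != "Standby") {
            bad++
            printf "member %s (%s): %s\n", $1, ($2 == "(local)" ? $3 : $2), state
        }
    }
    END {
        if (members == 0) { print "no cluster members parsed"; exit 2 }
        if (active != 1) { printf "expected exactly one Active member, found %d\n", active; exit 1 }
        if (bad > 0) exit 1
        exit 0
    }'
}

# CONSTRUCTED sample outputs resembling 'cphaprob state' (not from a real cluster).
SAMPLE_HEALTHY='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  10.0.0.1        100%            Active
2          10.0.0.2        0%              Standby'

SAMPLE_DEGRADED='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  10.0.0.1        100%            Active Attention
2          10.0.0.2        0%              Down'

printf '%s\n' "$SAMPLE_HEALTHY" | check_cluster_state && echo "cluster OK"
printf '%s\n' "$SAMPLE_DEGRADED" | check_cluster_state || echo "cluster needs attention"
```

"Active Attention" is counted as the Active member (the cluster is still passing traffic) but is also reported, because it means a critical device has a problem somewhere in the cluster; follow up with cphaprob -ia list and cphaprob -a if.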
Licensed under Creative Commons BY-NC-SA. SecurePlatform, SofaWare, SmartCenter, ClusterXL, SecureXL, Flood-Gate-1, Provider-1, VSX, IPSO, VPN-1, UTM-1 Edge and GAiA are all registered trademarks of Check Point Software Technologies, Ltd.