Useful Check Point CLI commands

Useful Check Point commands. Check Point commands generally come under cp (general) and fw (firewall).

Useful CP Commands

cpconfig
    change SIC, licenses and more
Configuration Options:
---------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Disable Check Point SecureXL
(10) Check Point CoreXL
(11) Automatic start of Check Point Products
(12) Exit
cphaprob ldstat
    display sync serialization statistics
[Expert@hslcpgw1:0]# cphaprob ldstat
Operand               Calls       Bytes        Average   Ratio %
------------------------------------------------------
ERROR                 0           0            0         0
SET                   26980814    1776154904   65        0
RENAME                0           0            0         0
REFRESH               19848463    1032728680   52        0
DELETE                16820120    641096828    38        2
SLINK                 89543176    1435809728   16        0
UNLINK                0           0            0         0
MODIFYFIELDS          73078451    1258994980   17        0
RECORD DATA CONN      36464       11236616     308       0
COMPLETE DATA CONN    36311       28619855     788       1
Total bytes sent: 4026983060 (4026 MB) in 28619855 packets. Average 140
cphaprob stat
    list the state of the high availability cluster members. Should show active and standby devices.
[Expert@hslcpgw1:0]# cphaprob stat
Cluster Mode:   High Availability (Active Up) with IGMP Membership
Number     Unique Address  Assigned Load  State
1 (local)  1.1.1.1         100%           Active
2          1.1.1.2         0%             Standby

cphaprob syncstat
    display sync transport layer statistics
Sync Statistics (IDs of F&A Peers - None):
Other Member Updates:
Sent retransmission requests................... 4791
Avg missing updates per request................ 2
Old or too-new arriving updates................ 7825
Unsynced missing updates....................... 0
Lost sync connection (num of events)........... 499
Timed out sync connection ..................... 0
Local Updates:
Total generated updates ....................... 29778776
Recv Retransmission requests................... 4296
Recv Duplicate Retrans request................. 0
Blocking Events................................ 0
Blocked packets................................ 0
Max length of sending queue.................... 0
Avg length of sending queue.................... 0
Hold Pkts events............................... 1242
Unhold Pkt events.............................. 1242
Not held due to no members..................... 36857
Max held duration (sync ticks)................. 0
Avg held duration (sync ticks)................. 0
Timers:
Sync tick (ms)................................. 100
CPHA tick (ms)................................. 100
Queues:
Sending queue size............................. 512
Receiving queue size........................... 256
cphastop
    stop a cluster member from passing traffic. Stops synchronization. (emergency only)
cplic print
    license information
cpstart
    start all checkpoint services
cpstat fw
    show policy name, policy install time and interface table
cpstat ha
    high availability state
Product name: High Availability
Version:      N/A
Status:       OK
HA installed: 1
Working mode: High Availability (Active Up)
HA started:   yes
cpstat os -f all
    checkpoint interface address, routing table, version, memory status, cpu load, disk space
cpstat os -f cpu
    checkpoint cpu status
cpstat os -f routing
    checkpoint routing table
cpstop
    stop all checkpoint services
cpwd_admin monitor_list
    list processes actively monitored. Firewall should contain cpd and vpnd.
[Expert@hslcpgw1:0]# cpwd_admin monitor_list
cpwd_admin:
APP   FILE_NAME                  NO_MSG_TIMES  LAST_MSG_TIME
vpnd  vpnd_32730_434190160.mntr  0/6           [14:58:21] 29/7/2015
CPD   CPD_31828_434188288.mntr   0/10          [14:58:18] 29/7/2015
Table 1. Useful CP Commands
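A small health check built on the cphaprob stat and cpwd_admin monitor_list outputs shown in this table, added here as an example and not part of the original cheat sheet: it fails when the cluster is not exactly one Active plus one Standby member, or when a watched daemon (cpd, vpnd) is missing or has missed heartbeats. The sample outputs are constructed from the page's examples, and reading NO_MSG_TIMES as "missed/allowed" is an assumption.

```shell
#!/bin/bash
# Added example (not from the cheat sheet): parse "cphaprob stat" and
# "cpwd_admin monitor_list" and fail when the cluster or its watched daemons
# look unhealthy. On a gateway pipe the live commands into these functions:
#   cphaprob stat | check_cluster_state
#   cpwd_admin monitor_list | check_watched_daemons

# Expect exactly one Active and one Standby member; anything else (Down, Ready,
# two Actives, a missing peer) is reported and the function returns 1.
check_cluster_state() {
    awk '
        /^[0-9]+ / {
            members++
            state = $NF
            if (state == "Active")       active++
            else if (state == "Standby") standby++
            else { printf "member %s: unexpected state %s\n", $1, state; bad++ }
        }
        END {
            if (members < 2)  { print "fewer than two cluster members listed"; bad++ }
            if (active != 1)  { printf "expected 1 Active member, found %d\n", active; bad++ }
            if (standby != 1) { printf "expected 1 Standby member, found %d\n", standby; bad++ }
            exit (bad > 0)
        }'
}

# NO_MSG_TIMES is read here as "missed/allowed" (assumption); any missed
# heartbeat is flagged, and cpd and vpnd must both appear in the list.
check_watched_daemons() {
    awk '
        /^(APP|cpwd_admin)/ { next }
        NF >= 3 {
            seen[tolower($1)] = 1
            split($3, t, "/")
            if (t[1] + 0 > 0) { printf "%s missed %s heartbeats\n", $1, $3; bad++ }
        }
        END {
            n = split("cpd vpnd", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { printf "%s not monitored\n", want[i]; bad++ }
            exit (bad > 0)
        }'
}

# Constructed samples, modelled on the outputs shown in the table above.
SAMPLE_STAT='Cluster Mode:   High Availability (Active Up) with IGMP Membership
Number     Unique Address  Assigned Load  State
1 (local)  1.1.1.1         100%           Active
2          1.1.1.2         0%             Standby'

SAMPLE_MONITOR='cpwd_admin:
APP   FILE_NAME                  NO_MSG_TIMES  LAST_MSG_TIME
vpnd  vpnd_32730_434190160.mntr  0/6           [14:58:21] 29/7/2015
CPD   CPD_31828_434188288.mntr   0/10          [14:58:18] 29/7/2015'

# Run both checks on the samples; returns 0 only if both pass.
run_checks() {
    printf '%s\n' "$SAMPLE_STAT" | check_cluster_state &&
    printf '%s\n' "$SAMPLE_MONITOR" | check_watched_daemons
}
```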
Useful FW Commands

fw ctl iflist
    show interface names
[Expert@hslcpgw1:0]# fw ctl iflist
1 : eth1-01
2 : eth1-02
5 : eth5
6 : eth1
7 : eth6
8 : eth2
9 : eth7
10 : eth3
11 : Mgmt
fw ctl pstat
    show control kernel memory and connections
fw exportlog -o
    export the current log file to ascii
fw fetch <manager IP>
    get the policy from the firewall manager
fw log
    show the content of the connections log
fw log -b <MMM DD, YYYY HH:MM:SS> <MMM DD, YYYY HH:MM:SS>
    search the current log for activity between specific times
fw log -c drop
    search for dropped packets in the active log; also can use accept or reject to search
fw log -f
    tail the current log
fwm logexport -i <log name> -o <output name>
    export an old log file on the firewall manager
fw logswitch
    rotate logs
fw lslogs
    list firewall logs
fw stat
    firewall status, should contain the name of the policy and the relevant interfaces.
fw stat -l
    show which policy is associated with which interface and package drop, accept and reject
fw tab
    displays firewall tables
fw tab -s -t connections
    number of connections in state table
fw tab -t xlate -x
    clear all translated entries
fw unloadlocal
    clear local firewall policy
fw ver
    firewall version
uname -a
    Management server IPSO version
Backup

1. On the firewall, log in to the CLI and just run the backup command.
2. On the management server, log in to the CLI and run:
# cd $FWDIR/bin/upgrade_tools
# ./upgrade_export filename
Example: ./upgrade_export 28_july_15.tgz

To import:
# cd $FWDIR/bin/upgrade_tools
# ./upgrade_import filename
Table 1. General Check Point and IPSO commands

ipsctl hw:eeprom:product_id
    Show Product Id. on IPSO
ipsctl hw:eeprom:serial_number
    Show Serial No. on IPSO
uname -a
    Show IPSO Version
ipsofwd list
    show forwarding option on IPSO
[admin]# ipsofwd list
example for forwarding options:
net:ip:forward:noforwarding = 0
net:ip:forward:noforwarding_author = fwstart
net:ip:forward:switch_mode = flowpath
net:ip:forwarding = 1
ipsofwd on username
    set forwarding on if firewall stopped
ipsctl -w net:log:partner:status:debug 1
    enable interface debugging (sk41089)
ipsctl -w net:log:sink:console 0
    disable debugging
Table 2. Firewall Commands

fw ver
    Show Firewall Version
vpn macutil
    Generate MAC Address for users. This can be used to fix an IP in DHCP Server.
cpstat polsrv -f all
    Show the connected and the licensed users
cpstat fw -f http, ftp, telnet, rlogin, smtp, pop3
    Check protocol states.
fw stat
    Show policy name and the interfaces that have already seen any traffic.
fw stat -long
    Shows the policy and the stats for the policy
cpstat os -f cpu -o 3
    Monitor CPU state every 3 seconds
cpstat useful parameters
    -o  Polling interval (seconds) specifies the pace of the results. Default is 0, meaning the results are shown only once.
    -c  Specifies how many times the results are shown. Default is 0, meaning the results are repeatedly shown.
cpstat os
    Show SVN Foundation and OS Version
cpstat fw -f all
    Product, policy and status information
cpstat fw -f policy
    Show Installed Policy name
fw tab -t connections -s
    Show active connections
fw fetch
    Install Policy from MGM server
cplic print
    Print licenses
fwha_mac_magic
    Connecting multiple clusters to the same network segment (same VLAN, same switch) sk25977
cp_conf sic state
    SIC test on the firewall
cp_conf sic init <Activation Key> [norestart]
    SIC reset on the firewall
fw ctl zdebug drop | grep 1.1.1.1
    check dropped packets on the firewall for host 1.1.1.1
Table 3. Sniffer on the Firewall

fw monitor -m iIoO -e "accept (src=IP_S and dst=IP_D) or (src=IP_D and dst=IP_S);"
    Monitor traffic between host with IP IP_S and host with IP IP_D
fw monitor -m iIoO -e "accept (src=IP_S and dst=IP_D) or (src=IP_D and dst=IP_S);" -ow monitor_cat.cap
    not just monitor but save as capture to a file
fw monitor -m iIoO -e "accept (src=IP_S and dst=IP_D) or (src=IP_D and dst=IP_S);" -p all -a -o Datei.cap
    not just monitor but save capture to a file + deeper debug
fw monitor -m iIoO -e "accept (sport=5200 or sport=5100 or sport=5000);"
    Monitor traffic on the source port 5200, 5100 or 5000
Table 4. Remote Access and S2S VPN commands

vpn tu
    vpn tunnel util, for VPN checking, delete
fw tab -t inbound_SPI -f
    List SPI and users (external IP, office mode IP, username, DN of a user in case of certificate auth)
fw tab -t om_assigned_ips -f
    List users and assigned Office mode IPs
fw tab -t marcipan_ippool_users -f
    List Office Mode used IPs
fw tab -t om_assigned_ips -f -m 2000 | awk '{print $7,$11}' | grep -v ^
    Lists office mode IPs for 2000 users (use -u for unlimited number)
fw tab -t marcipan_ippool_users -x
    used to manually clear the Office Mode connections table on the Gateway
vpn debug trunc
    initiates both vpn debug and ike debug
vpn debug on TDERROR_ALL_ALL=5
    initiates vpn debug on the level of detail provided by TDERROR_ALL_ALL=5. Output file is $FWDIR/log/vpnd.elg
vpn debug ikeon
    initiates vpn ike debug. Output file is $FWDIR/log/ike.elg
vpn debug mon
    Writes ike traffic unencrypted to a file. The output file is ikemonitor.snoop. In this output file, all the IKE payloads are in clear
vpn debug ikeoff
    Stops ike debug. Get ikeviewer to check the ike traffic and log.
vpn debug off
    Stops vpn debug
vpn debug moff
    Stops ike sniffer
vpn export_p12 -obj <objectname> -cert <certificatename> -file <filename> -passwd <passw>
    export a certificate using the Security Management server. certificate object is the Certificate Nickname from the GUI.
    Example:
    vpn export_p12 -obj Office_GW -cert defaultCert -file office_cert.p12 -passwd mypassword
Table 5. Clustering commands

cphaprob list
    Show processes monitored by HA
cpstat fw -f sync
    Show counters for sync traffic
cphaprob state
    Show cluster mode and status
cpstat ha -f all
    Show HA process and HA IP status
fw ctl pstat
    Show memory, kernel stacks, connections, fragments, SYNC status
cphaprob -a if
    Show Sync interface(s) and HA IP(s)
cphaprob syncstat
    Show Sync statistics
fw hastat
    Show HA stat ONLY by ClusterXL! not with VRRP
Table 6. General commands

ps -aux
    Report all active processes in the kernel IPSO
kill -9 processid
    Stop a process
dmesg
    show boot logs
vmstat 5 5
    show memory, cpu usage
ifconfig bge1:xx down
    set virtual Interface on Provider1 down
fsck
    File system check
Table 7. Administrate CMA/MDS processes

mdsstop_customer
    Stop a CMA
mdsstart_customer
    Start a CMA
mdsstat
    Shows MDS and CMA Status
mdsstop
    Stops all CMAs and Server processes
mdsstart
    Start all CMAs and Server processes
mdsenv CMANAME
    Change the Environment to selected CMA
echo $FWDIR
    This displays the correct path for the CMA.
cpstat mg
    check the connected clients (with Provider1 in the CMA Level: mdsenv <CMA-IP>)
fwm -a
    Change admin password (or cpconfig delete admin and add admin)
fwm dbload
    Install database
watch -d cpstat os -f cpu
    Monitor cpu state with watch
Table 8. Searching for objects (what you cannot find with cross-CMA search)

cd $FWDIR/conf
grep subdomain objects.C | grep -v Name | awk '{print $2}' | grep '^(' | sed -e 's/(//'
    Searching all objects with subdomain "subdomain" in their name
cd $FWDIR/conf
grep subdomain /opt/CPmds-R65/customers/*/CPsuiteR65/fw1/conf/objects.C | grep -v Name | awk '{print $1, $3}' | grep '(' | sed -e 's/(//'
    Searching all objects in all firewalls (in MDS) with subdomain "subdomain" in their name
grep '2.2.2.2\|3.3.3.3' /opt/CPmdsR65/customers/*/CPsuite-R65/fw1/conf/objects_5_0.C
    find the 2 IP Addresses in the firewall configs
grep hostimiss.com /opt/CPmdsR65/customers/*/CPsuiteR65/fw1/conf/rulebases_5_0.fws
    find the hostname in the firewall rulebase configs
Table 9. Archive commands

tar tfv [ARCHIVNAME].tar
    Show the content of an archive
tar cfvz [ARCHIVNAME].tar.gz [VERZEICHNIS1] [DATEI1]
    Archive files
tar xfvz [ARCHIVNAME].tar.gz
    open archive

SCP command
scp root@provider1:/opt/CPmdsR65/customers/cma1/CPsuiteR65/fw1/conf/objects_5_0.C .
    copy the objects_5_0.C file to the local folder from where the command was issued
Collect info for Checkpoint TAC

cpinfo [-v] [-l] [-n] [-o ] [-r | -t [tablename]] [-c cma | -x vs]
* -z: Output gzipped (effective with -o option).
* -r: Includes the registry (Windows very large output).
* -v: Prints version information.
* -l: Embeds log records (very large output).
* -n: Does not resolve network addresses (faster)
* -t: Output consists of tables only (SR only).
* -c: Get information about the specified CMA (Provider-1).
* -x: Get information about the specified VS (VSX).

And some examples for cpinfo.

CPinfo Options:
cpinfo [-v] [-l] [-n] [-o output_file] [-r | -t [tablename]] [-c cma/ctx]
-o output_file (Redirect output into file output_file)
-r (Include the registry in the output)
-v (Print version information)
-l (Embed Log records)
-n (Do not resolve network addresses)
-t (Output consists of tables only (SR only))
-c (Get information about the specified cma/ctx)
(No parameters): Redirects output to the standard output (the command window).

Required steps to get the cpinfo from mds:
1. Back to MDS
# mdsenv
2. Verify the correct environment
# echo $FWDIR
/opt/CPmds-R65/
3. Run cpinfo
# cpinfo -z -n -o /var/mds.cpinfo

Required steps for cpinfo from the relevant CMA (sk10176):
1. List of all Customers (CMAs)
# mdsstat
2. Set the environment for the Customer
# mdsenv CMANAME
3. Verify the correct environment
# echo $FWDIR
/opt/CPmds-R65/customers//CPsuite-R65/fw1/
4. Run cpinfo
# cpinfo -c CMANAME -z -n -o FILENAME
Checkpoint logging in short.

VPN-1/FireWall-1 NG includes the following log type files:
- FWDIR/log/xx.log stores the log records.
- FWDIR/log/xx.logptr provides pointers to the beginning of each log record.
- FWDIR/log/xx.loginitial_ptr provides pointers to the beginning of each log chain (logs that share the same connection ID LUUID).
- FWDIR/log/xx.logaccount_ptr provides pointers to the beginning of each accounting record.
Note: the NG log directory also includes an additional temporary pointer file, named xx.logLuuidDB.

To purge/delete the current log files without saving them to a backup file, run:
# fw logswitch

The VPN-1/FireWall-1 NG audit log type files are:
- xx.adtlog stores the audit log records.
- xx.adtlogptr provides pointers to the beginning of each log record.
- xx.adtloginitial_ptr provides pointers to the beginning of each log chain (logs that share the same connection ID LUUID).
- xx.adtlogaccount_ptr provides pointers to the beginning of each accounting record.

To purge/delete the current audit log files without saving them to a backup file, run:
# fw logswitch -audit
This is an example of how to collect the same info (the fw version here) from all of our firewalls with a script.
We need to collect the firewalls with their IPs or with their hostnames in a file I call iplist and run the script with sh ./get_fwversion.sh

root@myserver # cat get_fwversion.sh
#!/bin/bash
# read the host list, skipping comment lines and empty lines
for HOST in $(cat iplist | grep -v "^#" | grep -v "^$")
do
echo $HOST
ssh admin@$HOST 'fw ver'
# Some examples. Just delete the # for the required command
# ssh admin@$HOST 'ipsctl hw:eeprom:product_id'
# ssh admin@$HOST 'fwaccel stat'
# ssh admin@$HOST 'clish -c "show vrrp"'
# ssh admin@$HOST 'grep buffer /var/log/messages' | tail -n 2
# ssh admin@$HOST 'grep "Log buffer is full\|log/trap messages" /var/log/messages'
# ssh admin@$HOST 'cpstat os -f cpu'
done

root@myserver # cat iplist
#R55
myfirewall1
myfirewall2
myfirewall3
myfirewall4
myfirewallcluster1_A
myfirewallcluster1_B
#R60
myfirewall5
myfirewall6
#R65
myfirewall7
myfirewall8
myfirewallcluster2_A
myfirewallcluster2_B
Important Files:

On the Management Server:
$FWDIR/conf/classes.C
    scheme file. Each object in objects.C, rulebases.fws, fwauth.NDB or whatever must match one of the classes listed in it.
$FWDIR/conf/objects_5_0.C
    object file.
$FWDIR/conf/rulebases_5_0.fws
    Rulebase file.
$FWDIR/conf/fwauth.NDB
    user database
$FWDIR/conf/.W
    The policy file
$FWDIR/conf/user.def.NGX_FLO
    User defined inspect code (sk30919)

On the Firewall:
$FWDIR/conf/masters
    On the firewalls, shows who is the management server
$FWDIR/conf/initial_module.pf
    Initial Policy of the firewall
$FWDIR/conf/discntd.if
    Add the interface name to this file to disable monitoring of that interface in fw monitor
Posted on March 5, 2013 by otrdemo

###FW MONITOR Examples###
fw monitor -e "accept host(192.168.1.12);"
    [Show packets with IP 192.168.1.12 as SRC or DST]
fw monitor -e "accept src=192.168.1.12 and dst=192.168.3.3;"
    [Show all packets from 192.168.1.12 to 192.168.3.3]
fw monitor -pi ipopt_strip -e "accept udpport(53);"
    [Show UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip']
fw monitor -m O -e "accept udp and (sport>1023 or dport>1023);"
    [Show UDP traffic from or to unprivileged ports, only show post-out]
fw monitor -e "accept host(192.168.1.12) and tracert;"
    [Show Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12]
fw monitor -v 23 -e "accept tcpport(80);"
    [Show/capture web traffic for VSX virtual system ID 23]
fw monitor -e "accept ip_p=50 and ifid=0;"
    [Show all ESP (IP protocol 50) packets on the interface with the ID 0. (List interfaces and corresponding IDs with fw ctl iflist)]
srfw monitor -o output_file.cap
    [Show traffic on a SecuRemote/SecureClient client into a file. srfw.exe is in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)]
fw monitor -m iIoO -e "accept dst=172.31.10.100;" | grep ICMP
    [This is standard fw monitor on the destination and grepping for ICMP (ICMP in capitals is important here, as the output is in capitals)]
fw monitor -e "accept ip_p=1;" -o ping.cap
fw monitor -m iIoO -e "accept (src=10.0.1.30 and dst=4.2.2.2) and [9:1] = 1;" -o output.cap
fw monitor -m iIoO -e "accept src=10.0.1.30 or dst=10.0.1.30 and [9:1] = 1;" -o output.cap
fw monitor -m iIoO -e "accept (src=10.0.1.30 or dst=10.0.1.30) and not (sport=443 or dport=443);" -o output.cap
    [open this file in Wireshark.]
fw monitor -m iIoO -e "accept (src=10.0.1.30 or dst=10.0.1.30);"
    this is a good fw monitor to run which will just output to the CPShell; the -m iIoO just means monitor pre-(i)nbound, post-(I)nbound, pre-(o)utbound, post-(O)utbound interfaces
Management server CLI Splat commands

clock
    display date and time on firewall
cpconfig
    change SIC, licenses and more
cphaprob ldstat
    display sync serialization statistics
cphaprob stat
    list the state of the high availability cluster members. Should show active and standby devices.
cphaprob syncstat
    display sync transport layer statistics
cphastop
    stop a cluster member from passing traffic. Stops synchronization. (emergency only)
cplic print
    license information
cpstart
    start all checkpoint services
cpstat fw
    show policy name, policy install time and interface table
cpstat ha
    high availability state
cpstat os -f all
    checkpoint interface table, routing table, version, memory status, cpu load, disk space
cpstat os -f cpu
    checkpoint cpu status
cpstat os -f routing
    checkpoint routing table
cpstop
    stop all checkpoint services
cpwd_admin monitor_list
    list processes actively monitored. Firewall should contain cpd and vpnd.
expert
    change from the initial administrator privilege to advanced privilege
find / -type f -size +10240k -exec ls -la {} \;
    Search for files larger than 10Mb
fw ctl iflist
    show interface names
fw ctl pstat
    show control kernel memory and connections
fw exportlog -o
    export the current log file to ascii
fw fetch 10.0.0.42
    get the policy from the firewall manager (use this only if there are problems on the firewall)
fw log
    show the content of the connections log
fw log -b <MMM DD, YYYY HH:MM:SS> <MMM DD, YYYY HH:MM:SS>
    search the current log for activity between specific times, eg
    fw log -b "Jul 23, 2009 15:01:30" "Jul 23, 2009 15:15:00"
fw log -c drop
    search for dropped packets in the active log; also can use accept or reject to search
fw log -f
    tail the current log
fwm logexport -i <log name> -o <output name>
    export an old log file on the firewall manager
fw logswitch
    rotate logs
fw lslogs
    list firewall logs
fw stat
    firewall status, should contain the name of the policy and the relevant interfaces, i.e. Standard_5_1_1_1_1 [>eth4] [<eth4] [<eth5] [>eth0.900] [<eth0.900]
fw stat -l
    show which policy is associated with which interface and package drop, accept and reject
fw tab
    displays firewall tables
fw tab -s -t connections
    number of connections in state table
fw tab -t xlate -x
    clear all translated entries (emergency only)
fw unloadlocal
    clear local firewall policy (emergency only)
fw ver
    firewall version
fwm lock_admin -h
    unlock a user account after repeated failed login attempts
fwm ver
    firewall manager version (on SmartCenter)
ifconfig -a
    list all interfaces
log list
    list the names of the logs
log show <list #>
    display a specific log; log show 33 will display "Cant find my SIC name in registry" if there are communication problems
netstat -an | more
    check what ports are in use or listening
netstat -rn
    routing table
passwd
    change the current user's password
ps -ef
    list running processes
sysconfig
    configure date/time, network, dns, ntp
upgrade_import
    run /opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_import after a system upgrade to import the old license and system information.
hwclock
    show the hardware clock. If the hardware and operating system clocks are off by more than a minute, sync the hardware clock to the OS with "hwclock --systohc"
fw fetch 10.0.0.42
    Manually grab the policy from the mgmt server at 10.0.0.42
fw log -f
    Shows you realtime logs on the firewall; will likely crash your terminal
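To turn the fw stat description above into a check, here is an added example that is not from the original page: it verifies that the expected policy name appears in fw stat output and lists interfaces that have seen traffic in only one direction ([>ifc] outbound seen, [<ifc] inbound seen), which is how a quiet or miscabled interface shows up. The sample line is constructed from the page's example, and the HOST/POLICY/DATE header layout of the sample is an assumption.

```shell
#!/bin/bash
# Added example (not from the cheat sheet): sanity-check "fw stat" output.
# Usage on a gateway:  fw stat | check_fw_stat Standard_5_1_1_1_1
# Returns 0 when the expected policy is installed and every interface that
# has seen traffic has seen it in both directions; otherwise prints the
# findings and returns 1. One-directional interfaces may be expected on
# some designs, so treat the findings as something to look at, not an alarm.
check_fw_stat() {
    awk -v want="$1" '
        /^HOST/ { next }                       # column header (assumed layout)
        {
            for (i = 1; i <= NF; i++) {
                if ($i == want) found = 1
                # interface tokens look like [>eth4] (outbound) or [<eth4] (inbound)
                if ($i ~ /^\[[<>].+]$/) {
                    dir = substr($i, 2, 1)
                    ifc = substr($i, 3, length($i) - 3)
                    if (dir == ">") seen_out[ifc] = 1; else seen_in[ifc] = 1
                    all[ifc] = 1
                }
            }
        }
        END {
            if (!found) { printf "policy %s not installed\n", want; bad++ }
            for (ifc in all) {
                if (!(ifc in seen_out)) { printf "%s: no outbound traffic seen\n", ifc; bad++ }
                if (!(ifc in seen_in))  { printf "%s: no inbound traffic seen\n", ifc; bad++ }
            }
            exit (bad > 0)
        }'
}

# Constructed sample in the shape the page describes; eth5 has only been seen inbound.
SAMPLE_FWSTAT='HOST      POLICY              DATE
localhost Standard_5_1_1_1_1  23Jul2009 15:01:30 :  [>eth4] [<eth4] [<eth5] [>eth0.900] [<eth0.900]'

# Run the check against the sample for a given expected policy name.
check_sample() {
    printf '%s\n' "$SAMPLE_FWSTAT" | check_fw_stat "$1"
}
```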