
21 December 2020

NEXT GENERATION
SECURITY GATEWAY

R81

Administration Guide
[Classification: Protected]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written authorization
of Check Point. While every precaution has been taken in the preparation of this book, Check Point
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Next Generation Security Gateway R81 Administration Guide

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.

Check Point R81
For more about this release, see the R81 home page.

Latest Version of this Document in English


Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

Revision History

Date | Description
21 December 2020 | Updated "fw up_execute" on page 395
13 October 2020 | First release of this document

Table of Contents
Glossary 13
Check Point Next Generation Security Gateway Solution 22
Security Policy 23
Access Control Policy 23
Threat Prevention Policy 27
HTTPS Inspection Policy 28
Data Loss Prevention Policy 30
Geo Policy 31
Mobile Access Policy 32
Firewall Software Blade 33
IPsec VPN Software Blade 34
Remote Access VPN 35
Threat Prevention 36
Anti-Bot Software Blade 37
Anti-Virus Software Blade 38
Threat Extraction Software Blade 39
Threat Emulation Software Blade 40
Mail Transfer Agent (MTA) 41
IPS Software Blade 42
Identity Awareness Software Blade 43
Content Awareness Software Blade 44
Mobile Access Software Blade 45
Application Control Software Blade 46
URL Filtering Software Blade 47
Data Loss Prevention Software Blade 48
Anti-Spam & Email Security Software Blade 49
UserCheck 50
ClusterXL Software Blade 51
QoS Software Blade 52
VSX 53

Example Physical Network Topology 53
Example VSX Virtual Network Topology 54
SecureXL 55
CoreXL 56
Multi-Queue 57
ICAP 58
HTTPS Inspection 59
HTTP/HTTPS Proxy 60
Hardware Security Module (HSM) 61
Why Use an HSM? 61
The Check Point Environment with an HSM 62
Generic Workflow 63
Workflow for Configuring a Check Point Security Gateway to Work with HSM 63
Workflow for Configuring an HSM Client Workstation 67
Working with Gemalto HSM 68
Configuration Steps 68
Additional Actions for a Gemalto HSM Server 78
Working with FutureX HSM 80
Prerequisites 80
Configuration Steps 81
Disabling Communication from the Security Gateway to the HSM Server 95
Monitoring HTTPS Inspection When Security Gateway Works with HSM 96
Monitoring HTTPS Inspection with HSM in SmartConsole Logs 97
Monitoring HTTPS Inspection with HSM over SNMP 101
Monitoring HTTPS Inspection with HSM in CLI 110
ISP Redundancy on a Security Gateway 119
Introduction 119
ISP Redundancy Modes 123
Outgoing Connections 124
Incoming Connections 125
Configuring ISP Redundancy on a Security Gateway 126
ISP Redundancy and VPN 131
Controlling ISP Redundancy from CLI 132

Force ISP Link State 132
The ISP Redundancy Script 132
Mirror and Decrypt 133
Mirror and Decrypt Requirements 136
Configuring Mirror and Decrypt in Gateway mode 137
Preparing the Security Gateway or each Cluster Member 138
Configuring Mirror and Decrypt in SmartConsole for Gateway Mode 139
Configuring Mirror and Decrypt in VSX mode 144
Preparing the VSX Gateway or each VSX Cluster Member 147
Configuring Mirror and Decrypt in SmartConsole for One Virtual System 148
Configuring Mirror and Decrypt in SmartConsole for Several Virtual Systems 153
Mirror and Decrypt Logs 158
ConnectControl - Server Load Balancing 159
ConnectControl Packet Flow 159
Configuring ConnectControl 160
Monitoring Software Blade 164
Cloud Security 165
Advanced Routing 166
SNMP 167
Deploying a Single Security Gateway in Monitor Mode 168
Introduction to Monitor Mode 168
Example Topology for Monitor Mode 169
For More About Monitor Mode 169
Deploying a Single Security Gateway or ClusterXL in Bridge Mode 170
Introduction to Bridge Mode 170
Example Topology for a single Security Gateway in Bridge Mode 171
For More About Bridge Mode 171
Security Before Firewall Activation 172
Boot Security 173
The Initial Policy 178
Troubleshooting: Cannot Complete Reboot 180
Command Line Reference 181
Syntax Legend 182

comp_init_policy 183
control_bootsec 186
cp_conf 190
cp_conf auto 192
cp_conf corexl 193
cp_conf fullha 195
cp_conf ha 196
cp_conf intfs 197
cp_conf lic 198
cp_conf sic 200
cpconfig 201
cpinfo 204
cplic 205
cplic check 207
cplic contract 209
cplic del 211
cplic print 212
cplic put 214
cpprod_util 216
cpstart 219
cpstat 220
cpstop 227
cpview 228
Overview of CPView 228
CPView User Interface 228
Using CPView 229
dynamic_objects 230
cpwd_admin 234
cpwd_admin config 236
cpwd_admin del 239
cpwd_admin detach 240
cpwd_admin exist 241
cpwd_admin flist 242

cpwd_admin getpid 244
cpwd_admin kill 245
cpwd_admin list 246
cpwd_admin monitor_list 249
cpwd_admin start 250
cpwd_admin start_monitor 252
cpwd_admin stop 253
cpwd_admin stop_monitor 255
fw 256
fw -i 260
fw amw 261
fw ctl 264
fw ctl arp 267
fw ctl bench 268
fw ctl block 270
fw ctl chain 271
fw ctl conn 273
fw ctl conntab 274
fw ctl cpasstat 278
'fw ctl debug' and 'fw ctl kdebug' 279
fw ctl dlpkstat 280
fw ctl get 281
fw ctl iflist 283
fw ctl install 284
fw ctl leak 285
fw ctl pstat 288
fw ctl set 290
fw ctl tcpstrstat 292
fw ctl uninstall 294
fw defaultgen 295
fw fetch 296
fw fetchlogs 298
fw getifs 300

fw hastat 301
fw isp_link 302
fw kill 303
fw lichosts 304
fw log 305
fw logswitch 313
fw lslogs 316
fw mergefiles 319
fw monitor 322
fw repairlog 350
fw sam 351
fw sam_policy 358
fw sam_policy add 360
fw sam_policy batch 372
fw sam_policy del 374
fw sam_policy get 377
fw showuptables 381
fw stat 382
fw tab 384
fw unloadlocal 391
fw up_execute 395
fw ver 398
fwboot 400
fwboot bootconf 402
fwboot corexl 406
fwboot cpuid 412
fwboot default 414
fwboot fwboot_ipv6 415
fwboot fwdefault 416
fwboot ha_conf 417
fwboot ht 418
fwboot multik_reg 420
fwboot post_drv 422

sam_alert 423
stattest 427
usrchk 429
Working with Kernel Parameters on Security Gateway 433
Introduction to Kernel Parameters 434
Firewall Kernel Parameters 435
Working with Integer Kernel Parameters 436
Working with String Kernel Parameters 440
SecureXL Kernel Parameters 443
Kernel Debug on Security Gateway 447
Kernel Debug Syntax 448
Kernel Debug Filters 456
Kernel Debug Procedure 461
Kernel Debug Procedure with Connection Life Cycle 463
Kernel Debug Modules and Debug Flags 470
Module 'accel_apps' (Accelerated Applications) 472
Module 'accel_pm_mgr' (Accelerated Pattern Match Manager) 473
Module 'APPI' (Application Control Inspection) 474
Module 'BOA' (Boolean Analyzer for Web Intelligence) 475
Module 'CI' (Content Inspection) 476
Module 'cluster' (ClusterXL) 478
Module 'cmi_loader' (Context Management Interface / Infrastructure Loader) 480
Module 'CPAS' (Check Point Active Streaming) 481
Module 'cpcode' (Data Loss Prevention - CPcode) 482
Module 'CPSSH' (SSH Inspection) 483
Module 'crypto' (SSL Inspection) 485
Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness) 486
Module 'dlpk' (Data Loss Prevention - Kernel Space) 488
Module 'dlpuk' (Data Loss Prevention - User Space) 489
Module 'DOMO' (Domain Objects) 490
Module 'fg' (FloodGate-1 - QoS) 491
Module 'FILE_SECURITY' (File Inspection) 493
Module 'FILEAPP' (File Application) 494

Module 'fw' (Firewall) 495
Module 'gtp' (GPRS Tunneling Protocol) 501
Module 'h323' (VoIP H.323) 502
Module 'ICAP_CLIENT' (Internet Content Adaptation Protocol Client) 503
Module 'IDAPI' (Identity Awareness API) 505
Module 'kiss' (Kernel Infrastructure) 506
Module 'kissflow' (Kernel Infrastructure Flow) 509
Module 'MALWARE' (Threat Prevention) 510
Module 'multik' (Multi-Kernel Inspection - CoreXL) 511
Module 'MUX' (Multiplexer for Applications Traffic) 513
Module 'NRB' (Next Rule Base) 515
Module 'PSL' (Passive Streaming Library) 517
Module 'RAD_KERNEL' (Resource Advisor - Kernel Space) 518
Module 'RTM' (Real Time Monitoring) 519
Module 'seqvalid' (TCP Sequence Validator and Translator) 521
Module 'SFT' (Stream File Type) 522
Module 'SGEN' (Struct Generator) 523
Module 'synatk' (Accelerated SYN Defender) 524
Module 'UC' (UserCheck) 525
Module 'UP' (Unified Policy) 526
Module 'upconv' (Unified Policy Conversion) 528
Module 'UPIS' (Unified Policy Infrastructure) 529
Module 'VPN' (Site-to-Site VPN and Remote Access VPN) 531
Module 'WS' (Web Intelligence) 533
Module 'WS_SIP' (Web Intelligence VoIP SIP Parser) 535
Module 'WSIS' (Web Intelligence Infrastructure) 537
Running Check Point Commands in Shell Scripts 538

Glossary
A

Administrator
A user with permissions to manage Check Point security products and the network
environment.

API
In computer programming, an application programming interface (API) is a set of
subroutine definitions, protocols, and tools for building application software. In general
terms, it is a set of clearly defined methods of communication between various software
components.

Appliance
A physical computer manufactured and distributed by Check Point.

Bond
A virtual interface that contains (enslaves) two or more physical interfaces for
redundancy and load sharing. The physical interfaces share one IP address and one
MAC address. See "Link Aggregation".

Bonding
See "Link Aggregation".

Bridge Mode
A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.

CA
Certificate Authority. Issues certificates to gateways, users, or computers, to identify
itself to connecting entities with Distinguished Name, public key, and sometimes IP
address. After certificate validation, entities can send encrypted data using the public
keys in the certificates.

Certificate
An electronic document that uses a digital signature to bind a cryptographic public key
to a specific identity. The identity can be an individual, organization, or software entity.
The certificate is used to authenticate one identity to another.

CGNAT
Carrier Grade NAT. Extending the traditional Hide NAT solution, CGNAT uses
improved port allocation techniques and a more efficient method for logging. A CGNAT
rule defines a range of original source IP addresses and a range of translated IP
addresses. Each IP address in the original range is automatically allocated a range of
translated source ports, based on the number of original IP addresses and the size of
the translated range. CGNAT port allocation is Stateless and is performed during policy
installation. See sk120296.
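As an added illustration of the stateless allocation this entry describes (not Check Point's code: the even split over translated addresses and the 1024-65535 port space are assumptions, the product's real algorithm is not on this page), the following builds the static table once and shows why a single allocation record is enough to attribute a translated address and port back to the original address:

```python
"""Illustration of stateless CGNAT port-block allocation (added example, not product code).
Assumed scheme: original addresses are spread evenly over the translated addresses and the
usable port space of each translated address is split into equal blocks, computed once."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from math import ceil
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PortBlock:
    """One original address's fixed share of a translated address (ports inclusive)."""
    translated_ip: IPv4Address
    first_port: int
    last_port: int

    def __contains__(self, port: int) -> bool:
        return self.first_port <= port <= self.last_port


def ip_range(first: str, last: str) -> List[IPv4Address]:
    """Expand an inclusive IPv4 range, the way a CGNAT rule's ranges are written."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [IPv4Address(n) for n in range(lo, hi + 1)]


def allocate(original_first: str, original_last: str,
             translated_first: str, translated_last: str,
             port_low: int = 1024, port_high: int = 65535) -> Dict[IPv4Address, PortBlock]:
    """Build the static table once (the entry says this happens at policy installation)."""
    originals = ip_range(original_first, original_last)
    translated = ip_range(translated_first, translated_last)
    per_translated = ceil(len(originals) / len(translated))   # original IPs per translated IP
    block_size = (port_high - port_low + 1) // per_translated  # ports each original IP gets
    if block_size < 1:
        raise ValueError("translated range too small for the original range")
    table: Dict[IPv4Address, PortBlock] = {}
    for index, original in enumerate(originals):
        slot = index % per_translated          # position within its translated address
        first = port_low + slot * block_size
        table[original] = PortBlock(translated[index // per_translated],
                                    first, first + block_size - 1)
    return table


def block_for(table: Dict[IPv4Address, PortBlock], original_ip: str) -> PortBlock:
    return table[IPv4Address(original_ip)]


def lookup(table: Dict[IPv4Address, PortBlock],
           translated_ip: str, translated_port: int) -> Optional[IPv4Address]:
    """Attribute a (translated IP, port) seen on the Internet side to its original address
    from the table alone: one record per allocation identifies the subscriber, instead of
    one log record per connection, which is the logging gain the entry mentions."""
    wanted = IPv4Address(translated_ip)
    for original, block in table.items():
        if block.translated_ip == wanted and translated_port in block:
            return original
    return None


def no_overlap(table: Dict[IPv4Address, PortBlock]) -> bool:
    """Sanity check: no two original addresses may share a port on the same translated
    address, otherwise attribution in lookup() becomes ambiguous."""
    seen = set()
    for block in table.values():
        for port in range(block.first_port, block.last_port + 1):
            key = (block.translated_ip, port)
            if key in seen:
                return False
            seen.add(key)
    return True


if __name__ == "__main__":
    # Constructed sample: 16 original addresses hidden behind 2 translated addresses.
    t = allocate("10.0.0.0", "10.0.0.15", "203.0.113.1", "203.0.113.2")
    for orig, blk in sorted(t.items()):
        print(orig, "->", blk.translated_ip, blk.first_port, "-", blk.last_port)
    print("owner of 203.0.113.2:16832 is", lookup(t, "203.0.113.2", 16832))
```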

Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.

Cluster Member
A Security Gateway that is part of a cluster.

CoreXL
A performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.

CoreXL Firewall Instance
Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall
kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one
processing CPU core. These firewall instances handle traffic at the same time, and
each firewall instance is a complete and independent firewall inspection kernel.

CoreXL SND
Secure Network Distributer. The part of CoreXL that is responsible for: processing incoming
traffic from the network interfaces; securely accelerating authorized packets (if SecureXL is
enabled); and distributing non-accelerated packets between Firewall kernel instances (the SND
maintains a global dispatching table, which maps connections to the CoreXL Firewall instances
they were assigned to). Traffic distribution between CoreXL Firewall instances is static, based
on the Source IP address, the Destination IP address, and the IP 'Protocol' type. The CoreXL SND
does not really "touch" packets: the decision to stick a connection to a particular FWK daemon
is made on the first packet of the connection, at a very high level, before anything else.
Depending on the SecureXL settings, and in most cases, SecureXL can offload the decryption
calculations. However, in some other cases, such as with Route-Based VPN, decryption is done by
the FWK daemon.
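An added illustration of the static dispatch property described above (not Check Point's code: the real SND hash and dispatching table are not on this page; the order-independent key is an assumption chosen so that reply packets land on the same instance). It also shows the consequence of any static per-3-tuple placement: one busy address pair cannot be spread across instances.

```python
"""Static CoreXL SND-style dispatch from (Source IP, Destination IP, IP protocol).
Added example, not product code; the hash function and symmetric key are assumptions."""
import hashlib
from collections import Counter
from ipaddress import ip_address
from typing import Counter as CounterType, Iterable, List, Tuple

Packet = Tuple[str, str, int]   # (source IP, destination IP, IP protocol number)


def dispatch(src_ip: str, dst_ip: str, proto: int, instances: int) -> int:
    """Return the CoreXL FW instance index (0..instances-1) for a packet.
    Assumption: the key is order-independent in the two addresses, so the reply
    direction (addresses swapped) reaches the same instance as the request."""
    if instances < 1:
        raise ValueError("need at least one CoreXL FW instance")
    a, b = sorted((int(ip_address(src_ip)), int(ip_address(dst_ip))))
    # 16-byte fields so IPv4 and IPv6 addresses share one key layout
    key = a.to_bytes(16, "big") + b.to_bytes(16, "big") + proto.to_bytes(1, "big")
    digest = hashlib.blake2b(key, digest_size=4).digest()
    return int.from_bytes(digest, "big") % instances


def is_symmetric(src_ip: str, dst_ip: str, proto: int, instances: int) -> bool:
    """True when both directions of a connection map to the same instance."""
    return dispatch(src_ip, dst_ip, proto, instances) == dispatch(dst_ip, src_ip, proto, instances)


def load_profile(packets: Iterable[Packet], instances: int) -> CounterType[int]:
    """Packets per instance. Placement is fixed per 3-tuple, so every packet of a
    heavy address pair is charged to one instance regardless of the others' load."""
    counts: CounterType[int] = Counter({i: 0 for i in range(instances)})
    for src, dst, proto in packets:
        counts[dispatch(src, dst, proto, instances)] += 1
    return counts


def max_share(counts: CounterType[int]) -> float:
    """Fraction of all packets carried by the busiest instance (1.0 = everything on one)."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


# Constructed sample: one backup job between two hosts (1000 TCP packets) plus
# 200 single-packet flows from distinct clients to one web server.
SAMPLE: List[Packet] = [("10.0.0.5", "10.0.0.9", 6)] * 1000
SAMPLE += [(f"10.1.0.{i}", "203.0.113.10", 6) for i in range(200)]


if __name__ == "__main__":
    profile = load_profile(SAMPLE, 4)
    print("packets per instance:", dict(sorted(profile.items())))
    print("busiest instance share: %.2f" % max_share(profile))
```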

CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you
can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.
For details, see sk92449.

DAIP Gateway
A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the
IP address of the external interface is assigned dynamically by the ISP.

Data Type
A classification of data. The Firewall classifies incoming and outgoing traffic according
to Data Types, and enforces the Policy accordingly.

Database
The Check Point database includes all objects, including network objects, users,
services, servers, and protection profiles.

Distributed Deployment
The Check Point Security Gateway and Security Management Server products are
deployed on different computers.

Domain
A network or a collection of networks related to an entity, such as a company, business
unit or geographical location.

Domain Log Server
A Log Server for a specified Domain, as part of a Multi-Domain Log Server. It stores and
processes logs from Security Gateways that are managed by the corresponding Domain
Management Server. Acronym: DLS.

Expert Mode
The name of the full command line shell that gives full system root permissions in the
Check Point Gaia operating system.

External Network
Computers and networks that are outside of the protected network.

External Users
Users defined on external servers. External users are not defined in the Security
Management Server database or on an LDAP server. External user profiles tell the
system how to identify and authenticate externally defined users.

Firewall
The software and hardware that protects a computer network by analyzing the incoming
and outgoing network traffic (packets).

Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.

Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restrictive shell (role-based administration controls the number of commands
available in the shell).

Gaia Portal
Web interface for Check Point Gaia operating system.

Hotfix
A piece of software installed on top of the current software in order to fix some wrong or
undesired behavior.

ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.

Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.

IPv4
Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each
set can be from 0 - 255. For example, 192.168.2.1.

IPv6
Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets of
hexadecimal numbers, each set can be from 0 - ffff. For example,
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.

Jumbo Hotfix Accumulator
Collection of hotfixes combined into a single package. Acronyms: JHA, JHF.

Link Aggregation
Technology that joins (aggregates) multiple physical interfaces together into one virtual
interface, known as a bond interface. Also known as Interface Bonding, or Interface
Teaming. This increases throughput beyond what a single connection could sustain,
and provides redundancy in case one of the links fails.

Log
A record of an action that is done by a Software Blade.

Log Server
A dedicated Check Point computer that runs Check Point software to store and process
logs in Security Management Server or Multi-Domain Security Management
environment.

Management High Availability
Deployment and configuration mode of two Check Point Management Servers, in which
they automatically synchronize the management databases with each other. In this
mode, one Management Server is Active, and the other is Standby. Acronyms:
Management HA, MGMT HA.

Management Interface
Interface on Gaia computer, through which users connect to Portal or CLI. Interface on a
Gaia Security Gateway or Cluster member, through which Management Server
connects to the Security Gateway or Cluster member.

Management Server
A Check Point Security Management Server or a Multi-Domain Server.

Multi-Domain Log Server
A computer that runs Check Point software to store and process logs in Multi-Domain
Security Management environment. The Multi-Domain Log Server consists of Domain
Log Servers that store and process logs from Security Gateways that are managed by
the corresponding Domain Management Servers. Acronym: MDLS.

Multi-Domain Security Management
A centralized management solution for large-scale, distributed environments with many
different Domain networks.

Multi-Domain Server
A computer that runs Check Point software to host virtual Security Management Servers
called Domain Management Servers. Acronym: MDS.

Network Object
Logical representation of every part of corporate topology (physical machine, software
component, IP Address range, service, and so on).

Open Server
A physical computer manufactured and distributed by a company, other than Check
Point.

Rule
A set of traffic parameters and other conditions in a Rule Base that cause specified
actions to be taken for a communication session.

Rule Base
Also Rulebase. All rules configured in a given Security Policy.

SecureXL
Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security
Gateways for significant performance improvements.

Security Gateway
A computer that runs Check Point software to inspect traffic and enforces Security
Policies for connected network resources.

Security Management Server
A computer that runs Check Point software to manage the objects and policies in Check
Point environment.

Security Policy
A collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.

SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over
SSL, for secure communication. This authentication is based on the certificates issued
by the ICA on a Check Point Management Server.

Single Sign-On
A property of access control of multiple related, yet independent, software systems. With
this property, a user logs in with a single ID and password to gain access to a
connected system or systems without using different usernames or passwords, or in
some configurations seamlessly sign on at each system. This is typically accomplished
using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases
on (directory) servers. Acronym: SSO.

SmartConsole
A Check Point GUI application used to manage Security Policies, monitor products and
events, install updates, provision new devices and appliances, and manage a multi-
domain environment and each domain.

SmartDashboard
A legacy Check Point GUI client used to create and manage the security settings in
R77.30 and lower versions.

SmartUpdate
A legacy Check Point GUI client used to manage licenses and contracts.

Software Blade
A software blade is a security solution based on specific business needs. Each blade is
independent, modular and centrally managed. To extend security, additional blades can
be quickly added.

SSO
See "Single Sign-On".

Standalone
A Check Point computer, on which both the Security Gateway and Security
Management Server products are installed and configured.

Traffic
Flow of data between network devices.

Users
Personnel authorized to use network resources and applications.

VLAN
Virtual Local Area Network. Open servers or appliances connected to a virtual network,
which are not physically connected to the same network.

VLAN Trunk
A connection between two switches that contains multiple VLANs.

VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a
computer or cluster with virtual abstractions of Check Point Security Gateways and
other network devices. These Virtual Devices provide the same functionality as their
physical counterparts.

VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that
provide the functionality of physical network devices. It holds at least one Virtual
System, which is called VS0.

Check Point Next Generation Security Gateway Solution

Figure legend (Item - Description):
1 - SmartConsole
2 - Security Management Server
3 - Internet and external networks
4 - Security Gateway (or Cluster)
5 - Internal network

These are the primary components of a Check Point Firewall solution:

- Security Gateway (or Cluster) - The engine that enforces the organization's security policy, is an
entry point to the LAN, and is managed by the Security Management Server.
- Security Management Server - The application that manages, stores, and distributes the security
policy to Security Gateways.
- SmartConsole - A Check Point GUI application that manages security policies, monitors products
and events, installs updates, provisions new devices and appliances, and manages a multi-domain
environment.

Notes:
- For information about Cluster, see the R81 ClusterXL Administration Guide.
- For information about Security Management Server and SmartConsole, see the
R81 Security Management Administration Guide.

Security Policy
In This Section:

Access Control Policy 23
Threat Prevention Policy 27
HTTPS Inspection Policy 28
Data Loss Prevention Policy 30
Geo Policy 31
Mobile Access Policy 32

A Security Policy is a collection of rules and settings that control network traffic and enforce organization
guidelines for data protection and access to resources with packet inspection.
The Check Point solution provides several types of Security Policies.

Access Control Policy

Description

Access Control Policy consists of these parts:

- Access Control Rule Base

Contains unified simple and granular rules to control access from specified sources to
specified destinations over specified protocols.
If you enable the Identity Awareness Software Blade on your Security Gateways, you can also use
Access Role objects as the source and destination in a rule. This lets you easily make rules for
individuals or different groups of users.
For more information, see the R81 Security Management Administration Guide.
In addition, see sk120964 - ATRG: Unified Policy.

How to get there:

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Security Policies.
3. In the Access Control section, click Policy.

Rule structure (column: possible values):

No: #
Name: Your Rule Name
Source: Specific Source objects
Destination: Specific Destination objects
VPN: Specific or All VPN Communities
Services & Applications: Specific or All Service objects, or Specific or All Application objects
Action: Accept, or Drop, or Reject, or User Auth, or Client Auth
Track: Log (with Accounting), or Alert, or None
Time: Any, or Specific Time object
Install On: Policy Targets

- NAT Rule Base

Contains automatic and manual rules for Network Address Translation (NAT).
For more information, see the R81 Security Management Administration Guide.

How to get there:

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Security Policies.
3. In the Access Control section, click NAT.

Rule structure (column: possible values):

No: #
Original Source: Specific Source objects
Original Destination: Specific Destination objects
Original Services: Specific or All Service objects
Translated Source: = Original, or Specific object
Translated Destination: = Original, or Specific object
Translated Services: = Original, or Specific object
Install On: Policy Targets, or Specific Security Gateway and Cluster objects
Comments: Your Comment

The NAT Rule Base is divided into sections: "Automatic Generated Rules" and "NAT Rules for X (Y-Z)".

- Desktop Rule Base

For more information, see the SmartDashboard Help (press F1).

Prerequisites:
1. In the Security Gateway (Cluster) object, enable the IPsec VPN and the Policy Server
Software Blades.
2. In the Policy Package, enable the Desktop Security.
This policy is installed on the Security Management Server. Remote Access Clients download
this policy when a VPN Site update is performed. Once downloaded, this policy determines
access control on the Remote Access Client machines.

The Desktop Policy consists of two Rule Bases:

- Inbound Rules - Control connections directed at the client machine
- Outbound Rules - Control connections initiated by the client machine

How to get there:

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Security Policies.
3. In the Access Control section, click Desktop.
4. Click Open Desktop Policy in SmartDashboard.
5. From the top, click the Desktop tab.

Rule structure (column: possible values):

No: #
Source: Any, or Specific Source objects
Desktop: All Users@Any, or Specific User Group objects
Service: Any, or Specific Service objects
Action: Accept, or Block, or Encrypt
Track: None, or Log, or Alert
Comment: Your Comment

Threat Prevention Policy

Description

For more information, see the R81 Threat Prevention Administration Guide.
Determines how the system inspects connections for bots and viruses. The primary component of the
policy is the Rule Base. The rules use the Malware database and network objects.
If you enable Identity Awareness Software Blade on your Security Gateways, you can also use Access
Role objects as the scope in a rule. This lets you easily make rules for individuals or different groups of
users.

How to get there:

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Security Policies.
3. In the Threat Prevention section, click Policy.

Rule structure (column: possible values):

No: #
Name: Your Rule Name
Protected Scope: Specific objects
Source: Specific Source objects
Destination: Specific Destination objects
Protection/Site/File/Blade: N/A (or your specific objects in an exception rule)
Services: Any, or Specific Service objects
Action: Basic, or Optimized, or Strict, or Your Profile
Track: None, or Log, or Alert; in addition: Packet Capture, Forensics
Install On: Policy Targets, or Specific Security Gateway and Cluster objects
Comments: Your Comment

HTTPS Inspection Policy

Description

For more information, see the R81 Security Management Administration Guide.
Lets you inspect HTTP / HTTPS traffic on these Software Blades:
- Anti-Bot
- Anti-Virus
- Application Control
- Content Awareness (Data Awareness)
- Data Loss Prevention
- IPS
- Threat Emulation
- URL Filtering
Security Gateways cannot inspect HTTPS traffic because it is encrypted. You can enable the HTTPS
Inspection feature to let the Security Gateways create new SSL connections with the external site or
server. The Security Gateways are then able to decrypt and inspect the HTTPS traffic that uses these new
SSL connections.

How to get there:

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Security Policies.
3. In the HTTPS Inspection section, click Policy.
Note - In addition, in the HTTPS Tools section, click Additional Settings.

Rule structure (column: possible values):

No: #
Name: Your Rule Name
Source: Any
Destination: APPI_global_obj_Internet, or Specific Destination objects
Services: TLS default services, or Specific Service objects
Category/Custom Application: Any, or Specific objects
Action: Inspect, or Bypass
Track: None, or Log, or Alert
Blade: All, or Specific Blade
Install On: Policy Targets, or Specific Security Gateway and Cluster objects
Certificate: Outbound Certificate, or Your Certificate for Inbound Inspection
Comment: Your Comment

Data Loss Prevention Policy


Description

Prevents unintentional data leaks by catching protected data before it leaves your organization.
For more information, see the R81 Data Loss Prevention Administration Guide.

How to get there:

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Manage & Settings.
3. From the left tree, click Blades.
4. In the Data Loss Prevention section, click Configure in SmartDashboard.
5. From the top, click the Data Loss Prevention tab.
6. From the left tree, click Policy.

Rule structure:

Category Name (Y-Z)

Flag: No Flag or Follow Up or Improve Accuracy
Name: Your Rule Name
Data: Specific Data Type
Source: My Organization or Specific Source objects
Destination: Outside My Org or Specific Destination objects
Protocol: Any or E-mail or FTP or HTTP
Exceptions: Shows none, or the number of exceptions added for this rule (double-click this cell)
Action: Detect or Inform User or Ask User or Prevent or Watermark
Track: Email or Log or Alert, and how to store an incident
Severity: Low or Medium or High or Critical
Category: Any or Specific Category
Install On: DLP Blades
Time: None
Comment: Your Comment

Geo Policy

Description

Creates a policy for traffic to or from specific geographical or political locations.
For more information, see the R81 Security Management Administration Guide.

How to get there:

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Security Policies.
3. In the Access Control section, click Policy.
4. Follow sk126172 to use Updatable Objects in the Source and Destination columns.
For additional information, see the SmartConsole Online Help (press F1).

Important - From R81, Security Gateways and Clusters no longer support Geo Policy configured in SmartConsole > Security Policies view > Shared Policies section > Geo Policy (Known Limitation PMTR-56212).

Rule structure:

Country: Specific Country object
Direction: From and To Country or From Country or To Country
Action: Accept or Drop
Track: None or Log or Alert
Comments: Your Comment

Mobile Access Policy


Description

Controls which user groups have access to which applications, when connecting through a Mobile Access Security Gateway.
For more information, see the R81 Mobile Access Administration Guide.

How to get there:

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Manage & Settings.
3. From the left tree, click Blades.
4. In the Mobile Access section, click Configure in SmartDashboard.
5. From the top, click the Mobile Access tab.
6. From the left tree, click Policy.

Rule structure:

No: #
Users: All Users or Specific User objects
Applications: Any or Specific Custom Application objects
Install On: Any or Specific Security Gateway objects
Comment: Your Comment

Firewall Software Blade


This is the main Software Blade that enforces the Access Control and NAT policies on Security Gateways and Cluster Members.

IPsec VPN Software Blade


This Software Blade lets the Security Gateways and Cluster Members encrypt and decrypt traffic to and
from other Security Gateways and clients.
For more information, see:
- R81 Site to Site VPN Administration Guide
- sk104760 - ATRG: VPN Core (requires Advanced access to Check Point Support Center)
- sk108600 - VPN Site-to-Site with 3rd party (requires Advanced access to Check Point Support Center)

Policy Server Software Blade


This Software Blade lets you configure a Desktop Security Policy for Remote Access Clients.
This policy controls how the Firewall Software Blade on Remote Access Clients inspects the traffic.
For more information, see:
- "Security Policy" on page 23 > Section Access Control Policy > Section Desktop Rule Base
- R81 Remote Access VPN Administration Guide

Remote Access VPN


If employees remotely access sensitive information from different locations and devices, system
administrators must make sure that this access does not become a security vulnerability.
- Check Point's Remote Access VPN solutions let you create a VPN tunnel between a remote user and the internal network.
  For more information, see the R81 Remote Access VPN Administration Guide.
- The Mobile Access Software Blade extends the functionality of Remote Access solutions to include many clients and deployments.
  For more information, see the R81 Mobile Access Administration Guide.

Threat Prevention
To challenge today's malware landscape, Check Point's comprehensive Threat Prevention solution offers
a multi-layered, pre- and post-infection defense approach and a consolidated platform that enables
enterprise security to detect and block modern malware.
For more information, see the R81 Threat Prevention Administration Guide.
These Software Blades provide Threat Prevention:
- "Anti-Bot Software Blade" on page 37
- "Anti-Virus Software Blade" on page 38
- "Threat Extraction Software Blade" on page 39
- "Threat Emulation Software Blade" on page 40
- "IPS Software Blade" on page 42

Anti-Bot Software Blade


This Software Blade discovers infections by correlating multiple detection methods:
- Performs post-infection detection of bots on hosts.
- Prevents bot damage by blocking bot C&C (Command and Control) communications.
- Is continuously updated from ThreatCloud, a collaborative network to fight cybercrime.
For more information, see:
- R81 Threat Prevention Administration Guide
- sk92264 - ATRG: Anti-Bot and Anti-Virus (requires Advanced access to Check Point Support Center)
In addition, see "UserCheck" on page 50.

Anti-Virus Software Blade


This Software Blade:
- Performs pre-infection detection and blocking of malware at the Security Gateway (by correlating multiple detection engines before users are affected).
- Is continuously updated from ThreatCloud.
For more information, see:
- R81 Threat Prevention Administration Guide
- sk92264 - ATRG: Anti-Bot and Anti-Virus (requires Advanced access to Check Point Support Center)
In addition, see "UserCheck" on page 50.

Threat Extraction Software Blade


Part of the SandBlast suite.
This Software Blade:
- Provides protection against incoming malicious content.
- Removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow.
To remove possible threats, it creates a safe copy of the file, while the original file is inspected for potential threats.
For more information, see:
- R81 Threat Prevention Administration Guide
- sk114807 - ATRG: Threat Extraction
In addition, see "UserCheck" on page 50.

Threat Emulation Software Blade


Part of the SandBlast suite.
This Software Blade quickly inspects files and runs them in a virtual sandbox to discover malicious
behavior.
Discovered malware is prevented from entering the network.
The emulation service reports and automatically shares the newly identified threat information with other
customers.
For more information, see:
- R81 Threat Prevention Administration Guide
- sk114806 - ATRG: Threat Emulation (requires Advanced access to Check Point Support Center)
In addition, see "UserCheck" on page 50.

Mail Transfer Agent (MTA)


The Threat Emulation Software Blade requires this feature to inspect SMTP traffic.
For more information, see:
- R81 Threat Prevention Administration Guide
- sk109699 - ATRG: Mail Transfer Agent (MTA) (requires Advanced access to Check Point Support Center)

IPS Software Blade


This Software Blade:
- Delivers complete and proactive intrusion prevention.
- Delivers thousands of signatures, behavioral and preemptive protections.
- Gives another layer of security on top of Check Point Firewall technology.
- Protects both clients and servers, and lets you control the network usage of certain applications.
The hybrid detection engine provides multiple defense layers, which gives it excellent detection and prevention capabilities for known threats and, in many cases, future attacks as well. It also allows unparalleled deployment and configuration flexibility and excellent performance.
For more information, see:
- R81 Threat Prevention Administration Guide
- sk95193 - ATRG: IPS (requires Advanced access to Check Point Support Center)

Identity Awareness Software Blade


Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and computer identities behind those IP addresses. Identity Awareness removes this notion of anonymity, since it maps users and computer identities. This lets you enforce access and audit data based on identity.
Identity Awareness is an easy-to-deploy and scalable solution. It is applicable for both Active Directory and non-Active Directory based networks, as well as for employees and guest users.
Identity Awareness uses the Source and Destination IP addresses of network traffic to identify users and computers. You can use these elements as matching criteria in the Source and Destination fields of your policy rules:
- The identity of users or user groups
- The identity of computers or computer groups
With Identity Awareness, you define policy rules for specified users who send traffic from specified computers or from any computer. Likewise, you can create policy rules for any user on specified computers.
Identity Awareness gets identities from the configured identity sources.
For more information, see:
- R81 Identity Awareness Administration Guide
- sk86441 - ATRG: Identity Awareness

Content Awareness Software Blade


This Software Blade provides data visibility and enforcement in the unified Access Control Policy.
You can set the direction of the data in the Access Control Policy to one of these:
- Download Traffic - Into the organization
- Upload Traffic - Out of the organization
- Any Direction
You can set Data Types in the Access Control Policy to one of these:
- Content Types - Classified by analyzing the file content (for example: PCI - credit card numbers, International Bank Account Numbers - IBAN)
- File Types - Classified by analyzing the file ID (for example: Viewer File - PDF, Executable file, Presentation file)
You can select one of these services:
- CheckPointExchangeAgent
- ftp
- http
- https
- HTTP_proxy
- HTTPS_proxy
- smtp
- Squid_NTLM
For more information, see the:
- R81 Security Management Administration Guide
- SmartConsole Online Help
- sk119715 - ATRG: Content Awareness (CTNT) (requires Advanced access to Check Point Support Center)
Note - Content Awareness and Data Loss Prevention (see "Data Loss Prevention Software Blade" on page 48) both use Data Types in the Access Control Policy. However, they have different features and capabilities. They work independently, and the Security Gateway enforces them separately.

Mobile Access Software Blade


Check Point Mobile Remote Access VPN Software Blade is the safe and easy solution to connect to
corporate applications over the internet with your mobile device or PC. The solution provides enterprise-
grade remote access with both Layer 3 VPN and SSL VPN. It gives you simple, safe and secure
connectivity to your email, calendar, contacts and corporate applications. At the same time, it protects
networks and endpoint computers from threats.
The Mobile Access Portal lets mobile and remote workers connect easily and securely to critical resources
over the internet.
Check Point Mobile Apps enables secure encrypted communication from unmanaged smartphones and
tablets to your corporate resources.
For more information, see:
- R81 Mobile Access Administration Guide
- sk104577 - ATRG: Mobile Access Blade

Application Control Software Blade


This Software Blade detects or blocks traffic for applications:
- Granular Application Control: Identifies, allows, or blocks thousands of applications. This provides protection against the increasing threat vectors and malware introduced by internet applications.
- Largest application library with AppWiki: Comprehensive application control that uses the industry's largest application library. It scans for and detects more than 4,500 applications and more than 100,000 Web 2.0 widgets. The Check Point database is updated frequently with worldwide Apps and Widgets.
For more information, see:
- R81 Security Management Administration Guide
- sk112249 - Best Practices - Application Control
- sk73220 - ATRG: Application Control (requires Advanced access to Check Point Support Center)
In addition, see "UserCheck" on page 50.

URL Filtering Software Blade


This Software Blade lets you control access to web sites and applications based on their categorization.
For more information, see:
- R81 Security Management Administration Guide
- sk92743 - ATRG: URL Filtering (requires Advanced access to Check Point Support Center)
In addition, see "UserCheck" on page 50.

Data Loss Prevention Software Blade

This Software Blade prevents unintentional data leaks by catching protected data before it leaves your
organization.
This Software Blade identifies, monitors, and protects data transfer through deep content inspection and
analysis of transaction parameters (such as source, destination, data object, and protocol), with a
centralized management framework. In short, DLP detects and prevents the unauthorized transmission of
confidential information.

Note - Data Loss Prevention is also known as Data Leak Prevention, Information Leak
Detection and Prevention, Information Leak Prevention, Content Monitoring and
Filtering, and Extrusion Prevention.

For more information, see the:
- R81 Data Loss Prevention Administration Guide
- SmartConsole Online Help
- sk73660 - ATRG: Data Loss Prevention (DLP) (requires Advanced access to Check Point Support Center)

Note - Data Loss Prevention and Content Awareness (see "Content Awareness Software Blade" on page 44) both use Data Types in the Access Control Policy. However, they have different features and capabilities. They work independently, and the Security Gateway enforces them separately.

In addition, see "UserCheck" on page 50.

Anti-Spam & Email Security Software Blade

This Software Blade enforces Anti-Spam:
- Based on content fingerprint - Identifies spam by analyzing known and emerging distribution patterns. By avoiding a search for keywords and phrases that might classify a legitimate email as spam and instead focusing on other message characteristics, this solution offers a high spam detection rate with a low number of false positives.
- Based on IP Reputation - Blocks known spammers.
- Based on user defined IP addresses and Sender / Domains - Blocks senders identified by either name, domain, or IP address.
You can configure:
- Directional scanning for SMTP traffic
- Directional scanning for POP3 traffic
- Network exceptions
- List of allowed email senders
For more information, see:
- R81 Threat Prevention Administration Guide
- SmartDashboard built-in help

UserCheck
This feature gives users a warning when there is a potential risk of data loss or security violation.
This helps users to prevent security incidents and to learn about the organizational security policy.
These Software Blades require the UserCheck feature:
- "Threat Emulation Software Blade" on page 40
- "Threat Extraction Software Blade" on page 39
- "Anti-Bot Software Blade" on page 37
- "Anti-Virus Software Blade" on page 38
- "Data Loss Prevention Software Blade" on page 48
- "Application Control Software Blade" on page 46
- "URL Filtering Software Blade" on page 47
For more information, see:
- The R81 Security Management Administration Guide > Chapter Creating an Access Control Policy > Section The Columns of the Access Control Rule Base
- sk83700 - How to customize and localize the UserCheck portal

ClusterXL Software Blade


ClusterXL is a Check Point software-based cluster solution for Security Gateway redundancy and Load
Sharing. A ClusterXL Security Cluster contains identical Check Point Security Gateways.
- A High Availability Security Cluster ensures Security Gateway and VPN connection redundancy by providing transparent failover to a backup Security Gateway in the event of failure.
- A Load Sharing Security Cluster provides reliability and also increases performance, as all members are active.

Item Description

1 Internal network

2 Switch for internal network

3 Security Gateways with ClusterXL Software Blade

4 Switch for external networks

5 Internet

For more information, see the R81 ClusterXL Administration Guide.

QoS Software Blade


QoS is a policy based bandwidth management solution that lets you:
- Prioritize business-critical traffic, such as ERP, database and Web services traffic, over lower priority traffic.
- Guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing.
- Give guaranteed or priority access to specified employees, even if they are remotely accessing network resources.
You deploy QoS with the Security Gateway.
QoS is enabled for both encrypted and unencrypted traffic.

Item Description

1 SmartConsole

2 Security Management Server

3 QoS Policy

4 Security Gateway with QoS Software Blade

5 Internet

6 Internal network

QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check
Point patented Stateful Inspection technology captures and dynamically updates detailed state information
on all network traffic. This state information is used to classify traffic by service or application. After traffic
has been classified, QoS applies an innovative, hierarchical, Weighted Fair Queuing (WFQ) algorithm to
accurately control bandwidth allocation.
For more information, see the R81 QoS Administration Guide.
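The Weighted Fair Queuing scheduling described above can be made concrete with a small simulation. The following is an added example, not Check Point's QoS code and not part of this guide: it implements the generic textbook WFQ discipline (every packet is stamped with a virtual finish time and the link always serves the smallest one) over constructed traffic. The class names voip, web and bulk, the 3:2:1 weights and the packet sizes are assumptions made for the illustration; Check Point's actual classifier and hierarchical rule tree are not modelled.

```python
"""Weighted Fair Queuing (WFQ) simulation.

Generic textbook WFQ (packets scheduled by virtual finish time), constructed as an
illustration for this section; it is not Check Point's QoS implementation.
Flow names, weights and packet sizes below are assumptions for the example."""
from __future__ import annotations

import heapq
from dataclasses import dataclass, field


@dataclass
class Packet:
    flow: str   # traffic class the packet was classified into, e.g. "voip"
    size: int   # bytes


@dataclass
class WFQScheduler:
    """Each flow has a weight. A packet's virtual finish time is
    max(current virtual time, finish time of the flow's previous packet) + size / weight.
    Always transmitting the queued packet with the smallest finish time gives every
    backlogged flow a share of the link proportional to its weight."""
    weights: dict[str, float]
    virtual_time: float = 0.0
    last_finish: dict[str, float] = field(default_factory=dict)
    queue: list[tuple[float, int, Packet]] = field(default_factory=list)
    seq: int = 0   # FIFO tie-breaker for equal finish times

    def enqueue(self, pkt: Packet) -> float:
        """Classify the packet into its flow and stamp it with a finish time."""
        if pkt.flow not in self.weights:
            raise KeyError(f"no QoS class configured for flow {pkt.flow!r}")
        start = max(self.virtual_time, self.last_finish.get(pkt.flow, 0.0))
        finish = start + pkt.size / self.weights[pkt.flow]
        self.last_finish[pkt.flow] = finish
        heapq.heappush(self.queue, (finish, self.seq, pkt))
        self.seq += 1
        return finish

    def dequeue(self) -> Packet | None:
        """Transmit the packet with the smallest finish time, if any is queued."""
        if not self.queue:
            return None
        finish, _, pkt = heapq.heappop(self.queue)
        self.virtual_time = finish   # simplified virtual clock: follows served packets
        return pkt


def backlog(flows: list[str], packets_per_flow: int = 12, size: int = 100) -> list[Packet]:
    """Constructed offered load: every flow sends the same number of equal-size
    packets, interleaved, so each flow stays backlogged for the whole run."""
    return [Packet(flow, size) for _ in range(packets_per_flow) for flow in flows]


def simulate(weights: dict[str, float], arrivals: list[Packet],
             packets_to_serve: int) -> dict[str, int]:
    """Queue every arrival, transmit `packets_to_serve` packets and return the bytes
    each flow actually got on the link."""
    sched = WFQScheduler(weights)
    for pkt in arrivals:
        sched.enqueue(pkt)
    served = {flow: 0 for flow in weights}
    for _ in range(packets_to_serve):
        pkt = sched.dequeue()
        if pkt is None:
            break
        served[pkt.flow] += pkt.size
    return served


if __name__ == "__main__":
    flows = ["voip", "web", "bulk"]
    # Weights 3:2:1 -> voip gets half the link while all three classes are backlogged.
    print(simulate({"voip": 3, "web": 2, "bulk": 1}, backlog(flows), 12))
    # Equal weights degrade to plain fair queuing: one third each.
    print(simulate({"voip": 1, "web": 1, "bulk": 1}, backlog(flows), 12))
```

Under a full backlog the bytes served come out in the ratio of the weights (600:400:200 for the first twelve packets), and with equal weights the scheduler degrades to plain fair queuing. That proportional guarantee, as opposed to strict priority that can starve the lower classes, is what the weighted fair queuing approach buys a QoS policy.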

VSX
The Virtual System eXtension (VSX) product runs several virtual firewalls on the same hardware.
Each Virtual System works as a Security Gateway, typically protecting a specified network. When packets arrive at the VSX Gateway, it sends the traffic to the Virtual System that protects the destination network. The Virtual System inspects all traffic and allows or rejects it according to the rules defined in the security policy.
To better understand how virtual networks work, it is important to compare physical network environments with their virtual (VSX) counterparts. While physical networks consist of many hardware components, VSX virtual networks reside on a single configurable VSX Gateway or cluster that defines and protects multiple independent networks, together with their virtual components.

Example Physical Network Topology


In a typical deployment with multiple Security Gateways, each protects a separate network.
Each physical Security Gateway has interfaces to the perimeter router and to the network it protects.

Item Description

1 Internet

2 Router

3 Security Gateways

4 Network

Example VSX Virtual Network Topology


Deploy one VSX Gateway with four Virtual Systems to protect multiple networks.

Item Description

1 Internet

2 Router

3 VSX Gateway.
Each Virtual System in a VSX environment is a Security Gateway, with the same security and
networking functionality as a physical gateway.
Each handles packet traffic to and from the one network it protects.

4 Warp Links.
Virtual interfaces and network cables connect the Virtual Systems and the Virtual Switch.

5 Virtual Switch.
Connects all the Virtual Systems to the Internet router.

6 Networks

For more information, see the R81 VSX Administration Guide.

SecureXL
This feature accelerates traffic that passes through a Security Gateway.
For more information, see:
- R81 Performance Tuning Administration Guide
- sk153832 - ATRG: SecureXL for R80.20 and above (requires Advanced access to Check Point Support Center)
- sk98348 - Best Practices - Security Gateway Performance

CoreXL
CoreXL is a performance-enhancing technology for Security Gateways on multi-core platforms.
CoreXL makes it possible for the CPU cores to perform multiple tasks concurrently. This enhances the
Security Gateway performance.
CoreXL provides almost linear scalability of performance, according to the number of processing cores on
a single machine. The increase in performance does not require changes to management or to network
topology.
On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times.
Each replicated copy of the Firewall kernel, or CoreXL Firewall instance, runs on one CPU core.
These CoreXL Firewall instances handle traffic concurrently, and each CoreXL Firewall instance is a
complete and independent Firewall inspection kernel. When CoreXL is enabled, all the Firewall kernel
instances in the Security Gateway process traffic through the same interfaces and apply the same security
policy.
CoreXL Firewall instances work with SecureXL instances.
For more information, see:
- R81 Performance Tuning Administration Guide
- sk98737 - ATRG: CoreXL (requires Advanced access to Check Point Support Center)
- sk98348 - Best Practices - Security Gateway Performance

Multi-Queue
By default, each network interface has one traffic queue handled by one CPU.
You cannot use more CPU cores for acceleration than the number of interfaces handling traffic.
Multi-Queue lets you configure more than one traffic queue for each network interface.
For each interface, more than one CPU core is used for acceleration.

Note - Multi-Queue is applicable only if SecureXL is enabled (this is the default).

For more information, see:
- R81 Performance Tuning Administration Guide
- sk98348 - Best Practices - Security Gateway Performance

ICAP
The Internet Content Adaptation Protocol (ICAP) is a lightweight HTTP-like request and response protocol, which is used to extend transparent proxy servers. This frees up resources and standardizes the way in which new features are implemented. ICAP is usually used to implement virus scanning and content filters in transparent HTTP proxy caches.
ICAP allows ICAP Clients to pass HTTP / HTTPS messages to ICAP Servers for content adaptation. The ICAP Server executes its transformation service on these HTTP / HTTPS messages and sends responses to the ICAP Client, usually with modified HTTP / HTTPS messages. The adapted HTTP / HTTPS messages can be HTTP / HTTPS requests, or HTTP / HTTPS responses.
You can configure a Check Point Security Gateway as:
- ICAP Client - To send the HTTP / HTTPS messages to ICAP Servers for content adaptation.
- ICAP Server - To perform content adaptation in the HTTP / HTTPS messages received from ICAP Clients.
- Both ICAP Client and ICAP Server at the same time.
A Check Point Security Gateway configured for ICAP can work with third party ICAP devices without changing the network topology.
For more information, see the R81 Threat Prevention Administration Guide.
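The client/server exchange described above, as an added example that is not part of this guide or of any Check Point product: a Python model of one ICAP RESPMOD round trip (RFC 3507). The ICAP Client encapsulates an origin HTTP response, and the ICAP Server answers either 204 (the content may pass unmodified) or 200 with a replacement HTTP response. The service address icap://icap.example.net/respmod, the origin host www.example.com, the HTTP messages and the BLOCK_MARKER string the toy server keys on are all constructed for the example; a real ICAP Server would apply its anti-virus or content-filter engine at that point.

```python
"""One ICAP RESPMOD round trip (RFC 3507) between an ICAP Client and an ICAP Server.
Constructed illustration, not Check Point code; URI, hosts, messages and marker are assumed."""
from __future__ import annotations

CRLF = b"\r\n"
ICAP_HOST = "icap.example.net"                  # assumed ICAP Server
ICAP_URI = f"icap://{ICAP_HOST}/respmod"        # assumed RESPMOD service
BLOCK_MARKER = b"CONSTRUCTED-TEST-MARKER"       # stands in for a detection engine verdict

def chunked(body: bytes) -> bytes:
    """Chunked transfer coding; ICAP requires it for every encapsulated body."""
    data = b"%x" % len(body) + CRLF + body + CRLF if body else b""
    return data + b"0" + CRLF + CRLF

def dechunk(data: bytes) -> bytes:
    """Reverse of chunked(): concatenate chunk payloads up to the zero-size chunk."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2                                # payload plus trailing CRLF

def parse_message(raw: bytes) -> tuple[bytes, dict[str, str], bytes]:
    """Split an ICAP message into start line, header map and encapsulated payload."""
    head, _, payload = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, payload

def split_encapsulated(headers: dict[str, str], payload: bytes) -> dict[str, bytes]:
    """Cut the payload at the Encapsulated byte offsets; each section runs to the next."""
    offsets = [(e.split("=")[0].strip(), int(e.split("=")[1]))
               for e in headers["encapsulated"].split(",")]
    sections = {}
    for i, (name, start) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(payload)
        sections[name] = payload[start:end]
    return sections

def build_respmod(req_hdr: bytes, res_hdr: bytes, res_body: bytes) -> bytes:
    """ICAP Client: encapsulate origin request headers, response headers and chunked
    response body. Header blocks must end in CRLF CRLF; offsets are byte positions."""
    body_token = "res-body" if res_body else "null-body"
    encapsulated = "req-hdr=0, res-hdr=%d, %s=%d" % (
        len(req_hdr), body_token, len(req_hdr) + len(res_hdr))
    head = (f"RESPMOD {ICAP_URI} ICAP/1.0\r\nHost: {ICAP_HOST}\r\nAllow: 204\r\n"
            f"Encapsulated: {encapsulated}\r\n\r\n").encode()
    return head + req_hdr + res_hdr + (chunked(res_body) if res_body else b"")

def toy_server_respmod(request: bytes) -> bytes:
    """ICAP Server: 204 passes the original response unmodified; 200 carries a
    replacement HTTP response (here a 403 block page)."""
    _, headers, payload = parse_message(request)
    sections = split_encapsulated(headers, payload)
    body = dechunk(sections["res-body"]) if "res-body" in sections else b""
    if BLOCK_MARKER not in body:
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
    new_body = b"Content blocked by ICAP server.\n"
    new_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
               b"Content-Length: %d\r\n\r\n" % len(new_body))
    head = b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(new_hdr)
    return head + new_hdr + chunked(new_body)

def apply_verdict(reply: bytes, res_hdr: bytes, res_body: bytes) -> tuple[int, bytes, bytes]:
    """ICAP Client: derive the response the user receives from the server reply."""
    start, headers, payload = parse_message(reply)
    status = int(start.split(b" ")[1])
    if status == 204:
        return status, res_hdr, res_body
    if status != 200:
        raise ValueError(f"unexpected ICAP status {status}")
    sections = split_encapsulated(headers, payload)
    return status, sections["res-hdr"], dechunk(sections["res-body"])

# Constructed origin traffic: one clean response and one that the toy server blocks.
REQ_HDR = b"GET /report.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CLEAN_BODY = b"quarterly figures\n"
CLEAN_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(CLEAN_BODY)
BAD_BODY = b"attachment " + BLOCK_MARKER + b"\n"
BAD_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(BAD_BODY)

def run_exchange(res_hdr: bytes, res_body: bytes) -> tuple[int, bytes, bytes]:
    """Full round trip for one origin response: build the RESPMOD, adapt, apply."""
    request = build_respmod(REQ_HDR, res_hdr, res_body)
    return apply_verdict(toy_server_respmod(request), res_hdr, res_body)
```

Two details matter when a gateway is integrated with third party ICAP devices: the Encapsulated header carries byte positions, so a header block that does not end in CRLF CRLF shifts every later section, and a 204 reply only means "unchanged" when the client announced Allow: 204; otherwise a compliant server must return the full message with status 200.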

HTTPS Inspection
Lets you inspect the HTTP / HTTPS traffic on these Software Blades:
- Anti-Bot
- Anti-Virus
- Application Control
- Content Awareness (Data Awareness)
- Data Loss Prevention
- IPS
- Threat Emulation
- URL Filtering
Security Gateways cannot inspect the content of HTTPS traffic because it is encrypted. You can enable the HTTPS Inspection feature to let the Security Gateways create new SSL connections with the external site or server. The Security Gateways are then able to decrypt and inspect HTTPS traffic that uses the new SSL connections.
For more information, see:
- R81 Threat Prevention Administration Guide > Chapter HTTPS Inspection
- sk108202 - Best Practices - HTTPS Inspection
- sk65123 - HTTPS Inspection FAQ

HTTP/HTTPS Proxy
You can configure a Security Gateway to act as an HTTP/HTTPS Proxy on your network.
In such a configuration, the Security Gateway becomes an intermediary between hosts that communicate with each other through the Security Gateway. It does not allow a direct connection between these hosts.
Each successful connection creates two different connections:
- One connection between the client in the organization and the proxy (Security Gateway).
- One connection between the proxy (Security Gateway) and the actual destination.
These proxy modes are supported:
- Transparent - All HTTP traffic on specified ports and interfaces is intercepted and processed by the Proxy code in the Security Gateway. No configuration is required on the clients.
- Non Transparent - All HTTP/HTTPS traffic on specified ports and interfaces is intercepted and processed by the Proxy code in the Security Gateway. Configuration of the proxy address and port is required on client machines.
For more information, see:
- SmartDashboard built-in help
- sk110013 - How to configure Check Point Security Gateway as HTTP/HTTPS Proxy (requires Advanced access to Check Point Support Center)
- sk92482 - Performance impact from enabling HTTP/HTTPS Proxy functionality (requires Advanced access to Check Point Support Center)

Hardware Security Module (HSM)


In This Section:

Why Use an HSM? 61
The Check Point Environment with an HSM 62

Why Use an HSM?

A Hardware Security Module (HSM) is a device that stores cryptographic keys.
An HSM adds an additional layer of security to the network and is designed to provide dedicated cryptographic functionality.
When a Check Point Security Gateway uses an HSM, the HSM holds these objects for outbound HTTPS Inspection:
1. The Certificate Authority (CA) certificate (the certificate buffer and the key pair).
   The administrator creates the CA certificate and the key pair before you configure the Security Gateway to work with an HSM.
2. Two to three RSA key pairs for fake certificates.
   These keys are created during the initialization of the HTTPS Inspection daemon on the Security Gateway with 1024-bit, 2048-bit, or 4096-bit length.
You can use these HSM solutions to work with the Check Point Security Gateway:
- Gemalto Luna SP SafeNet HSM
  See "Working with Gemalto HSM" on page 68.
- FutureX
  See "Working with FutureX HSM" on page 80.

Note - For other HSM vendors that use the PKCS#11 API, contact Check Point Solution Center through a local Check Point Office.

The Check Point Environment with an HSM

Item Description

1 Internal computers that connect to HTTPS web sites through the Check Point Security Gateway.

2 Check Point Security Gateway with HTTPS Inspection enabled.

3 HTTPS web sites on the Internet.

4 Check Point Security Management Server that manages the Check Point Security Gateway.

5 Interconnecting Network.

6 HSM Server that stores and serves the SSL keys and certificates to the Check Point Security
Gateway.

7 HSM Client workstation used to create a Certificate Authority (CA) certificate on the HSM Server.

Note - Check Point Security Gateway uses the HSM Server only for outbound HTTPS
Inspection.

Generic Workflow
In This Section:

Workflow for Configuring a Check Point Security Gateway to Work with HSM 63
Workflow for Configuring an HSM Client Workstation 67

This section contains generic workflows for an HSM environment.

Workflow for Configuring a Check Point Security Gateway to Work with HSM
Follow the steps below on the Security Gateway and Cluster Members that must work with an HSM.

Note - Instructions for specific HSM vendors are located in the corresponding sections.

Generic Step 1 of 3: Configure the HTTPS Inspection to work without the HSM Server
Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- In a VSX environment, you must perform this step in the context of every Virtual System (on the VSX Gateway or every VSX Cluster Member).

Step Instructions

1 In SmartConsole, configure the HTTPS Inspection.
  See the R81 Security Management Administration Guide > Chapter HTTPS Inspection.

2 On the Security Gateway (every Cluster Member), disable the HSM in the
$FWDIR/conf/hsm_configuration.C file.
a. Connect to the command line.
b. Log in to the Expert mode.
c. Edit the file:
vi $FWDIR/conf/hsm_configuration.C
d. Configure the value "no" for the parameter "enabled":
:enabled ("no")
e. Save the changes in the file and exit the editor.

3 In SmartConsole, install the applicable Access Control Policy on the Security Gateway
(Cluster).


4 Make sure that HTTPS Inspection works correctly without the HSM Server:
a. From an internal computer, connect to any HTTPS web site.
b. On the internal computer, in the web browser, you must receive the signed CA
certificate from the Security Gateway (Cluster).

Generic Step 2 of 3: Install and configure the PKCS#11 library supplied by the HSM vendor
Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).
- You must get the HSM Client package from the HSM vendor.

Step Instructions

1 Unpack and install the HSM Client package supplied by the HSM vendor.

2 Transfer the required PKCS#11 library file to the /usr/lib/hsm_client/ directory.
Important - For security reasons, only the root user has permissions to access this directory.
You must transfer the physical file into this directory. Do not create a symbolic link.

3 Transfer other tools or files supplied by the HSM vendor that are required to configure the
PKCS#11 library.

4 Configure the required connection or trust with the HSM Server.

5 Optional: Make sure there is a trusted link with the HSM Server that is based on the
PKCS#11 library.

Note - Use the applicable tool supplied by the HSM vendor. You can also examine the trust with the Check Point command "cpstat".

Generic Step 3 of 3: Configure the HTTPS Inspection to work with the HSM Server for Outbound HTTPS Inspection
Important:
• In a Cluster, you must configure all the Cluster Members in the same way.
• In a VSX environment, you must perform this step in the context of every Virtual System (on the VSX Gateway or every VSX Cluster Member).

Notes:
• In this step, you configure the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (every Cluster Member).
• After you apply the HSM configuration for the first time, you can get an HSM connection error.
The most common scenario is when you configure several Security Gateways (Cluster Members) to use the same HSM Server, and they access it at the same time.
In this case:
a. Run the "fw fetch local" command on the Security Gateway (Cluster Member) that has an HSM connection issue.
In a VSX environment, run this command in the context of the problematic VSX Virtual System.
b. When you see "HSM on" on the screen, continue to configure the next Security Gateway, Cluster Member, or VSX Virtual System.
• After any change in the $FWDIR/conf/hsm_configuration.C file, you must fetch the local policy (with the "fw fetch local" command) or install the policy on the Security Gateway (Cluster, VSX Virtual System) in SmartConsole.
• If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, the HTTPS Inspection cannot inspect the Outbound HTTPS traffic. As a result, internal computers behind the Security Gateway (Cluster, VSX Virtual System) cannot access HTTPS web sites.
In addition, see "Disabling Communication from the Security Gateway to the HSM Server" on page 95.
Configuration steps:

Step Instructions

1 Connect to the command line on the Security Gateway (every Cluster Member).

2 Log in to the Expert mode.

3 Back up the $FWDIR/conf/hsm_configuration.C file.

4 Edit the $FWDIR/conf/hsm_configuration.C file.

5 Configure the required values for these attributes (see the corresponding sections for HSM vendors):
(
:enabled ("no") # "yes" / "no"
:hsm_vendor_name ("")
:lib_filename ("")
:CA_cert_public_key_handle (0)
:CA_cert_private_key_handle (0)
:CA_cert_buffer_handle (0)
:token_id ("")
)

Notes:
• The ":enabled ()" attribute must have the value of either "yes" (to enable the HSM) or "no" (to disable the HSM).
• The ":hsm_vendor_name ()" attribute must contain the required name of the HSM vendor.
• The ":lib_filename ()" attribute must contain the name of the PKCS#11 library of your HSM vendor (located in the /usr/lib/hsm_client/ directory).
• The ":CA_cert_<XXX> ()" attributes must have the required values of handles.
• The ":token_id ()" attribute must contain the password for the partition on the HSM Server.

Example:
(
:enabled ("yes") # "yes" / "no"
:hsm_vendor_name ("FutureX HSM")
:lib_filename ("libfxpkcs11.so")
:CA_cert_public_key_handle (2)
:CA_cert_private_key_handle (1)
:CA_cert_buffer_handle (3)
:token_id ("safest")
)

6 To apply the new configuration, restart all Check Point services with this command:
cprestart

Important - This blocks all traffic until all services restart. In a cluster, this can
cause a failover.

7 Make sure that the Security Gateway (every Cluster Member) can connect to the HSM
Server and that HTTPS Inspection is activated successfully on the outbound traffic.
Run this command:
cpstat https_inspection -f all
The output must show:
• HSM partition access (Accessible/Not Accessible): Accessible
• Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see "Monitoring HTTPS Inspection with HSM in CLI" on page 110.

8 Make sure that HTTPS Inspection is activated successfully on the outbound traffic:
a. From an internal computer, connect to any HTTPS web site.
b. On the internal computer, in the web browser, you must receive the signed CA certificate from the HSM Server.
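The Notes above warn that an HSM that is unreachable at fetch time leaves Outbound HTTPS Inspection unable to inspect, and the attribute rules in step 5 are easy to get wrong by hand (a stale zero handle, a symbolic link instead of the physical library). The following script is an added example, not a Check Point tool: it parses $FWDIR/conf/hsm_configuration.C with the attribute names the guide lists and reports inconsistencies before you run "fw fetch local". The library directory /usr/lib/hsm_client/ is the one the guide names; the individual checks (positive, distinct handles, non-empty token_id, no symbolic link) are this script's reading of the guide's notes.

```python
"""Sanity-check $FWDIR/conf/hsm_configuration.C before 'fw fetch local' or policy install.

Added example, not a Check Point tool. Attribute names and /usr/lib/hsm_client/
come from the guide; the checks are this script's interpretation of its notes.
"""
import os
import re
import sys

# One attribute per line:  :name ("string")  or  :name (number), optional "# comment"
_ATTR_RE = re.compile(r'^\s*:(\w+)\s*\(\s*(.*?)\s*\)\s*(?:#.*)?$')

HANDLE_ATTRS = ("CA_cert_public_key_handle",
                "CA_cert_private_key_handle",
                "CA_cert_buffer_handle")
HSM_LIB_DIR = "/usr/lib/hsm_client"          # directory named in the guide


def parse_hsm_configuration(text):
    """Return {attribute: value}; quoted strings are unquoted, bare numbers become int."""
    cfg = {}
    for line in text.splitlines():
        m = _ATTR_RE.match(line)
        if not m:                      # outer "(" / ")" lines and blanks
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            cfg[name] = raw[1:-1]
        else:
            try:
                cfg[name] = int(raw)
            except ValueError:
                cfg[name] = raw        # keep unparsed text so validation can report it
    return cfg


def validate_hsm_configuration(cfg, lib_dir=None):
    """Return a list of problems; an empty list means the file is consistent.

    lib_dir=None skips the on-disk library checks so the logic can run off-box."""
    problems = []
    enabled = cfg.get("enabled")
    if enabled not in ("yes", "no"):
        problems.append('enabled must be "yes" or "no", got %r' % (enabled,))
    if enabled != "yes":
        return problems                # HSM disabled: the other attributes are not consulted
    lib = cfg.get("lib_filename", "")
    if not lib:
        problems.append("lib_filename is empty")
    elif lib_dir is not None:
        path = os.path.join(lib_dir, lib)
        if os.path.islink(path):       # guide: physical file only, no symbolic link
            problems.append("%s is a symbolic link" % path)
        elif not os.path.isfile(path):
            problems.append("%s does not exist" % path)
    for attr in HANDLE_ATTRS:
        val = cfg.get(attr, 0)
        if not isinstance(val, int) or val <= 0:
            problems.append("%s must be a positive handle number, got %r" % (attr, val))
    handles = [cfg.get(a) for a in HANDLE_ATTRS]
    if len(set(handles)) != len(handles):
        problems.append("the three CA_cert handles must refer to different objects")
    if not cfg.get("token_id"):
        problems.append("token_id (partition password) is empty")
    return problems


def main(argv):
    # Default path is the file the guide edits; $FWDIR is set in the Expert shell.
    path = argv[1] if len(argv) > 1 else os.path.expandvars("$FWDIR/conf/hsm_configuration.C")
    with open(path) as f:
        cfg = parse_hsm_configuration(f.read())
    problems = validate_hsm_configuration(cfg, lib_dir=HSM_LIB_DIR)
    for p in problems:
        print("PROBLEM:", p)
    print("OK" if not problems else "%d problem(s) found" % len(problems))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in the Expert mode on every Cluster Member (and in every Virtual System context on VSX) before "fw fetch local"; a non-zero exit code means the file should be corrected first. Because the script reads the partition password out of the file, run it only as root, which is the only user the guide grants access to the HSM library directory anyway.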

Workflow for Configuring an HSM Client Workstation

An HSM Client workstation is an external computer on which you install the HSM Client software of your HSM vendor.
The HSM Client workstation can run on Windows, Linux, or another operating system, as required by the HSM vendor.
You use the HSM Client workstation to:
• Create a CA Certificate on the HSM Server.
The Check Point Security Gateway uses this CA Certificate for HTTPS Inspection when it needs to store and access SSL keys on the HSM Server.
• Manage keys for a fake certificate created by the Check Point Security Gateway.

Important - You must get the HSM Client package from the HSM vendor.

Working with Gemalto HSM


In This Section:

Configuration Steps 68
Additional Actions for a Gemalto HSM Server 78

Configuration Steps
Use this workflow to configure a Check Point Security Gateway (Cluster) to work with the Gemalto HSM
Server.
Step 1 of 5: Extracting the Gemalto Help Package

Use the Gemalto configuration documents to configure the Gemalto HSM environment.

Step Instructions

1 Download this package:
Gemalto SafeNet HSM Help package (007-011136-012_Net_HSM_6.2.2_Help_RevA)
Note - Software Subscription or Active Support plan is required to download this package.

2 Use a Windows-based computer.

3 Extract the Gemalto HSM Help package to some folder.

4 Open the extracted Gemalto HSM Help folder.

5 Double-click the START_HERE.html file.
The Gemalto SafeNet Network HSM 6.2.2 Product Documentation opens.

Step 2 of 5: Configuring the Gemalto HSM Server to Work with Security Gateway

Use the Gemalto Help documents to install and configure the Gemalto HSM Server.

Step Instructions

1 Install the Gemalto HSM Appliance.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet Network HSM Hardware Installation.

2 Do the initial configuration of the Gemalto HSM Appliance and the Gemalto HSM Server.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the
Configuration Guide > follow from [Step 1] to [Step 6].

3 Run the "sysconf regenCert" command in LunaSH to generate a new certificate for the Gemalto HSM Server (server.pem).
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the
Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with
each other.

4 Complete the configuration of the Gemalto HSM Server to work with the Check Point Security
Gateway (Cluster):
a. Set the applicable partition to be active and auto-activated.
Run these commands in LunaSH:
lunash:> partition showPolicies -partition <Partition Name>
lunash:> partition changePolicy -partition <Partition Name> -policy 22 -value 1
lunash:> partition changePolicy -partition <Partition Name> -policy 23 -value 1
lunash:> partition showPolicies -partition <Partition Name>

Note - If you do not set the partition to stay auto-activated, the partition does
not stay activated when the machine is shut down for more than two hours.

b. Disable the validation of the client source IP address by NTLS upon an NTLA client
connection.
Run this command in LunaSH:
lunash:> ntls ipcheck disable

Note - This allows the HSM Server to accept traffic from Check Point Cluster
Members that hide this traffic behind a Cluster VIP address, and from a
Check Point Security Gateway hidden behind NAT.

Step 3 of 5: Configuring the Gemalto HSM Client workstation

You use the Gemalto HSM Client workstation to create a CA Certificate on the Gemalto HSM Server.
Check Point Security Gateway (Cluster Members) uses this CA Certificate for HTTPS Inspection to
store and to access SSL keys on the Gemalto HSM Server.

Note - You can also use Check Point Security Gateway (Cluster Members) with the
installed HSM Client package as an HSM Client workstation.

Step Instructions

1 Get this HSM Client package from the Gemalto vendor:
610-012382-017_SW_Client_HSM_6.2.2_RevA

2 Install a Windows-based or Linux-based computer to use as a Gemalto HSM Client Workstation.

3 Install the HSM Client package on the computer:
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet HSM Client Software Installation.

4 Establish a Trust Link between the Gemalto HSM Client Workstation and the Gemalto HSM Server.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance with each other.
On the Gemalto HSM Client Workstation, run in LunaCM:
lunacm:> clientconfig deploy -c <IP Address of HSM Client Workstation> -n <IP Address of HSM Server> -par <Partition Name> -pw <Partition Password>

Step 4 of 5: Creating the CA Certificate on the Gemalto HSM Server

Step Instructions

1 On the Gemalto HSM Client workstation, open a command prompt or a terminal window.

2 Use the "cmu generatekeypair" command to create a key pair.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu generatekeypair.
Example:
# cd /usr/safenet/lunaclient/bin
# ./cmu generatekeypair -modulusBits=2048 -publicExponent=65537 -labelPublic="CAPublicKeyPairLabel" -labelPrivate="CAPrivateKeyPairLabel" -sign=T -verify=T

3 When prompted, enter the password for the partition on Gemalto HSM Server (you
configured it in "Step 2 of 5: Configuring the Gemalto HSM Server to Work with Security
Gateway" on page 69).
Example:
Enter a password for the token in slot 0:

4 Select the RSA mechanism by entering the corresponding number:
[1] PKCS [2] FIPS 186-3 Only Primes [3] FIPS 186-3 Auxiliary Primes

5 View the handles of the key pair you created.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu list.
# ./cmu list
Example output:
Enter password for token in slot 0 : <Password for the Partition>
handle=17      label=CAPrivateKeyPairLabel
handle=18      label=CAPublicKeyPairLabel

6 Use the handle numbers from the previous step to create the CA certificate.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu selfsigncertificate.
Example:
# ./cmu selfsigncertificate -privatehandle=17 CN="www.gemltoHSM.cp" -sha256WithRSA -startDate 20190720 -endDate 20240720 -serialNum=111aaa -keyusage digitalsignature,keycertsign,crlsign -basicconstraints=critical,ca:true

7 View the handles of the CA certificate you created.
# ./cmu list
Example output:
Enter password for token in slot 0 : <Password for the Partition>
handle=13     label=www.myhsm.cp
handle=17     label=CAPrivateKeyPairLabel
handle=18     label=CAPublicKeyPairLabel

Important - You use the numbers of these three handles later when you configure
the $FWDIR/conf/hsm_configuration.C file on the Check Point Security
Gateway (Cluster Members).

8 Export the CA certificate to a file.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Utilities Reference Guide > Certificate Management Utility (CMU) > cmu export.
# ./cmu export -handle=<Handle Number> -outputfile=<Name of Output File>
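The three handle numbers from "cmu list" must later be copied into $FWDIR/conf/hsm_configuration.C, each one into the right attribute (public key, private key, certificate). The script below is an added example, not a Gemalto or Check Point tool: it parses the "handle=... label=..." lines that "cmu list" prints, as shown in steps 5 and 7, picks the handles by the labels you chose when you created the key pair and certificate, and renders the attribute block in the format the guide uses. The sample output is constructed from the guide's own example above; the vendor name, library name and password passed to the renderer are placeholders you replace with your own values.

```python
"""Turn 'cmu list' output into the CA_cert handle attributes of hsm_configuration.C.

Added example, not a Gemalto or Check Point tool. The labels that identify the
public key, private key and certificate are supplied by you, because they are
chosen by the administrator in 'cmu generatekeypair' / 'cmu selfsigncertificate'.
"""
import re

# Matches the object lines of 'cmu list', e.g. "handle=17      label=CAPrivateKeyPairLabel"
_CMU_LINE_RE = re.compile(r'handle=(\d+)\s+label=(\S+)')

# Constructed sample, adapted from the guide's example output in steps 5 and 7.
CMU_LIST_SAMPLE = (
    "Enter password for token in slot 0 : ********\n"
    "handle=13     label=www.myhsm.cp\n"
    "handle=17     label=CAPrivateKeyPairLabel\n"
    "handle=18     label=CAPublicKeyPairLabel\n"
)


def parse_cmu_list(output):
    """Map label -> handle (int). The password prompt and any other lines are ignored."""
    return {m.group(2): int(m.group(1)) for m in _CMU_LINE_RE.finditer(output)}


def ca_handles(objects, public_label, private_label, cert_label):
    """Select the three handles and name them as hsm_configuration.C expects them."""
    missing = [l for l in (public_label, private_label, cert_label) if l not in objects]
    if missing:
        raise KeyError("labels not found on the partition: " + ", ".join(missing))
    handles = {
        "CA_cert_public_key_handle": objects[public_label],
        "CA_cert_private_key_handle": objects[private_label],
        "CA_cert_buffer_handle": objects[cert_label],
    }
    if len(set(handles.values())) != 3:
        raise ValueError("public key, private key and certificate must be three different objects")
    return handles


def render_hsm_configuration(handles, vendor_name, lib_filename, token_id):
    """Render the attribute block in the guide's format (one ':name (value)' per line)."""
    lines = [
        "(",
        ':enabled ("yes")',
        ':hsm_vendor_name ("%s")' % vendor_name,
        ':lib_filename ("%s")' % lib_filename,
        ':CA_cert_public_key_handle (%d)' % handles["CA_cert_public_key_handle"],
        ':CA_cert_private_key_handle (%d)' % handles["CA_cert_private_key_handle"],
        ':CA_cert_buffer_handle (%d)' % handles["CA_cert_buffer_handle"],
        ':token_id ("%s")' % token_id,
        ")",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    objects = parse_cmu_list(CMU_LIST_SAMPLE)
    handles = ca_handles(objects,
                         public_label="CAPublicKeyPairLabel",   # label from cmu generatekeypair
                         private_label="CAPrivateKeyPairLabel",
                         cert_label="www.myhsm.cp")             # CN label of the CA certificate
    # Vendor string and library name as in the guide's Step 5 template; password is a placeholder.
    print(render_hsm_configuration(handles, "Luna Gemalto HSM", "libCryptoki2.so",
                                   "<Password for Partition on Gemalto HSM Server>"), end="")
```

With the sample above the renderer emits public key handle 18, private key handle 17 and certificate handle 13; compare that against what you typed into the file, since swapping the public and private handles is the kind of mistake the gateway only reports at "fw fetch local" time. Paste the rendered block into $FWDIR/conf/hsm_configuration.C rather than leaving the output in a shell history, because it contains the partition password.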

Step 5 of 5: Configuring the Security Gateway to Work with the Gemalto HSM Server

This step has three sub-steps.

Sub-Step 5-A: Configuring HTTPS Inspection on the Security Gateway (Cluster Members) to work without the Gemalto HSM Server
Important:
• In a Cluster, you must configure all the Cluster Members in the same way.
• In a VSX environment, you must perform this step in the context of every Virtual System (on the VSX Gateway or every VSX Cluster Member).

Step Instructions

1 In SmartConsole, enable and configure the HTTPS Inspection.
See the R81 Security Management Administration Guide > Chapter HTTPS Inspection.

2 On the Security Gateway (every Cluster Member), disable the HSM in the
$FWDIR/conf/hsm_configuration.C file.
a. Connect to the command line.
b. Log in to the Expert mode.
c. Edit the file:
vi $FWDIR/conf/hsm_configuration.C
d. Configure the value "no" for the parameter "enabled":
:enabled ("no")
e. Save the changes in the file and exit the editor.

3 In SmartConsole, install the applicable Access Control Policy on the Security Gateway
(Cluster).

4 Make sure that HTTPS Inspection works correctly without the HSM Server:
a. From an internal computer, connect to any HTTPS web site.
b. On the internal computer, in the web browser, you should receive the signed CA
certificate from the Security Gateway (Cluster).

Sub-Step 5-B: Installing the Gemalto HSM Simplified Client Software Packages on the Security Gateway (Cluster Members)
Important:
• In a Cluster, you must configure all the Cluster Members in the same way.
• In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).

Step Instructions

1 Open the Gemalto HSM Client package you received from Gemalto:
610-012382-017_SW_Client_HSM_6.2.2_RevA
Go to this directory: linux > 32

2 Install the HSM Client package.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the Installation Guide > SafeNet HSM Client Software Installation.

3 In the Expert mode, copy the libCryptoki2.so file to the /usr/lib/hsm_client/ directory:
cp -v /usr/safenet/lunaclient/lib/libCryptoki2.so /usr/lib/hsm_client/

Important - For security reasons, only the root user has permissions to access
this directory.
You must copy the physical file into this directory. Do not create a symbolic link.

4 Establish a Trust Link between the Gemalto HSM Client on the Security Gateway (every
Cluster Member) and the Gemalto HSM Server.
From the Gemalto SafeNet Network HSM 6.2.2 Product Documentation, go to the
Configuration Guide > [Step 7] Create a trusted link and register Client and Appliance
with each other.
On the Security Gateway (every Cluster Member), run in LunaCM:
lunacm:> clientconfig deploy -c <IP Address of Security Gateway or Cluster Member> -n <IP Address of HSM Server> -par <Partition Name> -pw <Partition Password>

5 Examine the partition access on the Security Gateway (every Cluster Member):
# /usr/safenet/lunaclient/bin/vtl verify

Notes:
• For more information, see the Gemalto SafeNet Network HSM 6.2.2 Product Documentation.
For information about establishing a Trust Link, go to the Appliance Administration Guide > Configuration without One-step NTLS > [Step 7] Create a Network Trust Link Between the Client and the Appliance.
• If you need to establish a new Trust Link, you have to delete the current Trust Link.
See "Deleting a Trust Link with the HSM Server" on page 78.

Sub-Step 5-C: Configuring HTTPS Inspection on the Security Gateway (Cluster Members) to work with the Gemalto HSM Server
Important:
• In a Cluster, you must configure all the Cluster Members in the same way.
• In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).

Notes:
• After you apply the HSM configuration for the first time, you may get an HSM connection error.
The most common scenario is when you configure several Security Gateways (Cluster Members) to use the same HSM Server, and they access it at the same time.
In this case:
a. Run the "fw fetch local" command on the Security Gateway (Cluster Member) that has an HSM connection issue.
In a VSX environment, run this command in the context of the problematic VSX Virtual System.
b. Wait until you see "HSM on".
c. Continue to configure the next Security Gateway, Cluster Member, or VSX Virtual System.
• After any change in the $FWDIR/conf/hsm_configuration.C file, you must fetch the local policy (with the "fw fetch local" command) or install the policy on the Security Gateway (Cluster, VSX Virtual System) in SmartConsole.
• If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, the HTTPS Inspection is not able to inspect the Outbound HTTPS traffic. As a result, internal computers behind the Security Gateway (Cluster, VSX Virtual System) are not able to access HTTPS web sites.
In addition, see "Disabling Communication from the Security Gateway to the HSM Server" on page 95.

Step Instructions

1 Connect to the command line on the Security Gateway (every Cluster Member).

2 Log in to the Expert mode.

3 Back up the $FWDIR/conf/hsm_configuration.C file:
cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

4 Edit the $FWDIR/conf/hsm_configuration.C file:
vi $FWDIR/conf/hsm_configuration.C

5 Configure the required values for these attributes:
(
:enabled ("yes")
:hsm_vendor_name ("Luna Gemalto HSM")
:lib_filename ("libCryptoki2.so")
:CA_cert_public_key_handle (<Number of "Public" Handle for CA certificate>)
:CA_cert_private_key_handle (<Number of "Private" Handle for CA certificate>)
:CA_cert_buffer_handle (<Number of Handle for CA certificate>)
:token_id ("<Password for Partition on Gemalto HSM Server>")
)

Notes:
• The ":enabled ()" attribute must have the value of either "yes" (to enable the HSM) or "no" (to disable the HSM).
• The ":hsm_vendor_name ()" attribute must contain the string "Luna Gemalto HSM" (or must be empty).
• The ":lib_filename ()" attribute must contain the name of the PKCS#11 library of the Gemalto HSM vendor (located in the /usr/lib/hsm_client/ directory on the Security Gateway or Cluster Member).
• The ":CA_cert_<XXX> ()" attributes must have the required values of handles from the output of the "cmu list" command on the Gemalto HSM Server.
See "Step 4 of 5: Creating the CA Certificate on the Gemalto HSM Server" on page 71.
• The ":token_id ()" attribute must contain the password for the partition on the Gemalto HSM Server.
See "Step 2 of 5: Configuring the Gemalto HSM Server to Work with Security Gateway" on page 69.
Example:
(
:enabled ("yes")
:hsm_vendor_name ("Gemalto HSM")
:lib_filename ("libCryptoki2.so")
:CA_cert_public_key_handle (18) # "cmu list": handle=18 label=CAPublicKeyPairLabel
:CA_cert_private_key_handle (17) # "cmu list": handle=17 label=CAPrivateKeyPairLabel
:CA_cert_buffer_handle (13) # "cmu list": handle=13 label=www.myhsm.cp
:token_id ("p@ssw0rd")
)

6 Apply the new configuration.
• If you explicitly defined (or changed) the value of the ":hsm_vendor_name ()" attribute to the string "Gemalto HSM", then restart all Check Point services with this command:
cprestart

Important - This blocks all traffic until all services restart. In a cluster, this can cause a failover.

• If you did not define the value of the ":hsm_vendor_name ()" attribute (it is empty), then fetch the local policy with this command:
fw fetch local

7 Make sure that the Security Gateway (every Cluster Member) can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic.
Run this command:
cpstat https_inspection -f all
The output must show:
• HSM partition access (Accessible/Not Accessible): Accessible
• Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see "Monitoring HTTPS Inspection with HSM in CLI" on page 110.

8 Make sure that HTTPS Inspection is activated successfully on the outbound traffic:
a. From an internal computer, connect to any HTTPS web site.
b. On the internal computer, in the web browser, you should receive the signed CA certificate from the HSM Server.
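Step 7 here, like step 7 of the generic workflow, tells you to read two lines of "cpstat https_inspection -f all" by eye. Turning that into an exit code makes the check repeatable after every "fw fetch local" and usable from a monitoring job, which matters because an "HSM off" or "HSM error" state silently stops outbound inspection. The script below is an added example, not a Check Point tool: it runs the cpstat command from the guide, extracts only the two fields the guide quotes, and fails unless they read "Accessible" and "HSM on". The sample outputs are constructed from those two lines alone; the real command prints more fields, which the script ignores.

```python
"""Check that HTTPS Inspection is really using the HSM, from 'cpstat https_inspection -f all'.

Added example, not a Check Point tool. Only the two output lines quoted in the
guide are examined; the sample texts below are constructed from those lines.
"""
import re
import subprocess
import sys

CPSTAT_CMD = ["cpstat", "https_inspection", "-f", "all"]   # command from the guide

# "HSM partition access (Accessible/Not Accessible): Accessible"
# "Outbound status (HSM on/HSM off/HSM error): HSM on"
_FIELD_RE = re.compile(
    r'^\s*(HSM partition access|Outbound status)\s*\([^)]*\)\s*:\s*(.*?)\s*$')

EXPECTED = {
    "HSM partition access": "Accessible",
    "Outbound status": "HSM on",
}

# Constructed samples (not real cpstat captures), healthy and failing.
SAMPLE_OK = (
    "HSM partition access (Accessible/Not Accessible): Accessible\n"
    "Outbound status (HSM on/HSM off/HSM error): HSM on\n"
)
SAMPLE_ERROR = (
    "HSM partition access (Accessible/Not Accessible): Not Accessible\n"
    "Outbound status (HSM on/HSM off/HSM error): HSM error\n"
)


def parse_hsm_fields(output):
    """Return {field name: value} for the two HSM-related lines; other lines are ignored."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def hsm_problems(output):
    """Return a list of findings; an empty list means outbound inspection is using the HSM."""
    fields = parse_hsm_fields(output)
    problems = []
    for name, want in EXPECTED.items():
        got = fields.get(name)
        if got is None:
            problems.append("%s: field not found in cpstat output" % name)
        elif got != want:
            problems.append("%s: expected %r, got %r" % (name, want, got))
    return problems


def main():
    try:
        out = subprocess.check_output(CPSTAT_CMD, universal_newlines=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("cannot run cpstat:", exc)
        return 2
    problems = hsm_problems(out)
    for p in problems:
        print("PROBLEM:", p)
    print("HSM status OK" if not problems else "HSM status NOT OK")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on every Cluster Member after "fw fetch local" (and in each Virtual System context on VSX); while the Notes above say to wait for "HSM on" when several members register with the same HSM Server at once, you can loop on the exit code instead of re-reading the output. A non-zero result from a periodic run is the signal to look at "Disabling Communication from the Security Gateway to the HSM Server" on page 95 before users lose HTTPS access.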

Additional Actions for a Gemalto HSM Server

Deleting a Trust Link with the HSM Server

If you need to establish a new Trust Link between a Check Point Security Gateway and an HSM Server, you have to delete the current Trust Link.
Use Case: When you replace or reconfigure a Check Point Security Gateway, or an HSM Server.

Step Instructions

1 Delete the current Trust Link on the Check Point Security Gateway (every Cluster Member):
a. Connect to the command line.
b. Log in to the Expert mode.
c. Go to the SafeNet HSM Simplified Client installation directory:
cd /usr/safenet/lunaclient/bin/
d. Delete the old Trust Link:
./vtl deleteServer -n <IP Address of HSM Server>

2 Delete the current Trust Link on the HSM Appliance:
a. Connect to the HSM Appliance over SSH.
b. Examine the list of configured HSM Client Workstations:
lunash:> client list
c. Delete the Check Point HSM Client Workstation:
lunash:> client delete -client <Name of HSM Client>

Note - For more information, see the Gemalto SafeNet Network HSM 6.2.2
Product Documentation.

Configuring a Second Interface on a Gemalto HSM Appliance for NTLS

Step Instructions

1 Connect to the HSM Appliance over SSH.

2 Examine all the configured interfaces:
lunash:> network show

3 Add a new interface:
lunash:> network interface -device <Name of Interface> -ip <IP Address> -netmask <NetMask> [-gateway <IP Address>]

4 Enable Network Trust Link Service (NTLS) on all the interfaces.

Note - For more information, see the Gemalto SafeNet Network HSM 6.2.2
Product Documentation > LunaSH Command Reference Guide > LunaSH
Commands.

Working with FutureX HSM


Use this workflow to configure a Check Point Security Gateway (Cluster) to work with the FutureX HSM
Server.

Prerequisites
FutureX Software Packages

The FutureX vendor supplies all these packages.

Package: FutureX PKCS11 Library
Files:
• fxpkcs11-windows-4.20-4afd.zip
• fxpkcs11-redhat-4.20-4afd.tar
• fxpkcs11-linux-4.20-4afd.tar
• fxpkcs11-mac-4.20-4afd.tar
Description: Contains the FutureX PKCS #11 Library.
Install on the:
• FutureX HSM Client Workstation
• Check Point Security Gateway (every Cluster Member).

Package: FutureX CLI Utility
Files:
• fxcl-hsm-windows-1.2.4.2-37a8.zip
• fxcl-hsm-redhat-1.2.4.2-37a8.tar
• fxcl-hsm-linux-1.2.4.2-37a8.tar
• fxcl-hsm-mac-1.2.4.2-37a8.tar
• fxcli-hsm-commands.txt
Description: Contains the FutureX CLI Utility to manage keys and certificates.
Install on the FutureX HSM Client Workstation.

Package: FutureX Certificates
Description: FutureX certificates for trust between the FutureX HSM Client Workstation and the FutureX HSM Server.

Configuration Steps
Use this workflow to configure a Check Point Security Gateway (Cluster) to work with the FutureX HSM
Server.
Step 1 of 3: Configuring the FutureX HSM Client Workstation

You use the FutureX HSM Client Workstation to:
• Create a CA Certificate on the FutureX HSM Server. The Check Point Security Gateway uses this CA Certificate for HTTPS Inspection to store and access SSL keys on the FutureX HSM Server.
• Manage keys for a fake certificate the Check Point Security Gateway created.

Step Instructions

1 Install a computer to use as a FutureX HSM Client Workstation.
Get the applicable HSM Client package from the FutureX vendor.
A FutureX HSM Client Workstation can run these operating systems (for more information, contact the FutureX vendor):
• Windows
• Red Hat Linux
• Ubuntu Linux
• Debian Linux
• macOS

2 Transfer the applicable FutureX PKCS #11 Library package to the FutureX HSM Client Workstation.
• For Windows OS: fxpkcs11-windows-<BUILD>.zip
• For Red Hat Linux OS: fxpkcs11-redhat-<BUILD>.tar
• For Ubuntu and Debian Linux OS: fxpkcs11-linux-<BUILD>.tar
• For macOS: fxpkcs11-mac-<BUILD>.tar
Important - Make sure to transfer the file in the binary mode.

3 Extract the contents of the FutureX PKCS #11 Library package to some directory on the
FutureX HSM Client Workstation.
In the instructions below, we show this directory as: <PKCS#11 Dir>.
Important:
• The FutureX PKCS #11 Library package (fxpkcs11-<OS>-<BUILD>) contains the nested directory called "fxpkcs11".
You must extract the contents of this nested directory "fxpkcs11" into the <PKCS#11 Dir> directory.
• The nested directory "fxpkcs11" contains the nested directories called "x64" (for 64-bit OS) and "x86" (for 32-bit OS).
You must extract the contents of the applicable nested directory "x64" or "x86" into the <PKCS#11 Dir> directory.

4 Transfer the certificates you received from the FutureX vendor to some directory on the
FutureX HSM Client Workstation.

5 Prepare the HSM Client to work with the PKCS#11 manager:
a. On a Linux-based HSM Client, install the OpenSSL package:
• On Ubuntu and Debian Linux, run:
sudo apt-get install openssl
• On Red Hat Linux, run:
sudo yum install openssl
b. Make sure this FutureX PKCS #11 Library file is located in the <PKCS#11 Dir> directory:
• On Linux OS: libfxpkcs11.so
• On Windows OS: fxpkcs11.dll
c. Make sure the configuration file fxpkcs11.cfg is located in the applicable directory:
• On Linux OS: Transfer this file from the <PKCS#11 Dir> directory to the /etc/ directory (you must edit the copied file in the /etc/ directory).
• On Windows OS: Keep this file in the <PKCS#11 Dir> directory.
d. Configure these settings in the file fxpkcs11.cfg:
• <LOG-FILE>
Set the path to the log file in this attribute.
• <ADDRESS>
Set the IP address of the FutureX HSM Server in this attribute.
• <PROD-PORT>
Set the port on the FutureX HSM Server in this attribute.
You can use the default port 9100, or configure a different port.
If you use a Cloud FutureX HSM, get the port number from the FutureX Support.
Additional related attributes:
• <PROD-TLS-CA>
Contains the path to the Certificate Authority certificate file.
This attribute can appear multiple times.
You can put all the certificates of the CA chain.
• <PROD-TLS-CERT>
Contains the path to the client certificate file.
• <PROD-TLS-KEY>
Contains the path to the client private key file.

6 Test the PKCS#11 Library:
a. To test the configuration, run the tool configTest from the <PKCS#11 Dir> directory.
b. To manage keys, run the tool PKCS11Manager from the <PKCS#11 Dir> directory.
c. Examine the log file you configured in the <LOG-FILE> attribute in the fxpkcs11.cfg file.

Important - If you have problems with the location of the configuration file or the PKCS #11 Library file, you can set these environment variables:
• FXPKCS11_CFG to contain the full path to the configuration file fxpkcs11.cfg
• FXPKCS11_MODULE to contain the full path to the PKCS #11 Library file
To set an environment variable:
• On Linux OS, use this command:
export VARIABLE=VALUE
Example:
export FXPKCS11_CFG=/home/user/fxpkcs11.cfg
• On Windows OS, use this command:
set VARIABLE=VALUE
Example:
set FXPKCS11_CFG=C:\Users\Futurex\Desktop\fxpkcs11.cfg

7 For more information about the configuration of PKCS#11 on the FutureX HSM Client Workstation:
a. Log in to the FutureX portal.
b. Go to: DEVELOPER DOCUMENTATION > GENERAL PURPOSE > General Purpose Technical Reference > PKCS #11 Technical Reference

8 Transfer the applicable FutureX CLI Utility package to the FutureX HSM Client Workstation.
• For Windows OS: fxcl-hsm-windows-<BUILD>.zip
• For Red Hat Linux OS: fxcl-hsm-redhat-<BUILD>.tar
• For Ubuntu and Debian Linux OS: fxcl-hsm-linux-<BUILD>.tar
• For macOS: fxcl-hsm-mac-<BUILD>.tar
Important - Make sure to transfer the file in the binary mode.

9 Extract the contents of the FutureX CLI Utility package to some directory on the FutureX HSM Client Workstation.
In the instructions below, we show this directory as: <CLI Dir>.
Important:
• The FutureX CLI Utility package (fxcl-hsm-<OS>-<BUILD>) contains the nested directory called "fxcl".
• The nested directory fxcl contains the nested directories called "x64" (for 64-bit OS) and "x86" (for 32-bit OS).
• The nested directories x64 and x86 contain the nested directories called "OpenSSL-1.0.x" and "OpenSSL-1.1.x".
You must extract the contents of the applicable nested directory "OpenSSL-1.0.x" or "OpenSSL-1.1.x" into the <CLI Dir> directory.
The administrator decides which version of OpenSSL to use (for more information, contact the FutureX vendor).

10 Transfer these certificates to the <CLI Dir> directory on the FutureX HSM Client Workstation:
• The Client certificate (denoted below as <Client Certificate>)
• The CA certificate (denoted below as <CA Certificate>)

11 Establish a connection between the FutureX HSM Client and the FutureX HSM Server:
a. Go to the <CLI Dir> directory.
b. Start the shell:
fxcli-hsm
c. Run these commands in the order they are listed:
tls pki -f <Client Certificate> -p safest
tls ca -f <CA Certificate>
connect tcp -c <IP Address or URL of HSM Server>:<Port on HSM Server>
login user -u <Username> -p <Password (default is "safest")>
exit

12 You can use these tools on the FutureX HSM Client Workstation to manage keys and certificates that are stored on the FutureX HSM Server:
a. PKCS11Manager
• Run this command from the <PKCS#11 Dir> directory.
• This tool can create keys and browse the content of the HSM partition (that stores keys and certificates).
• Follow the tool's menu to see the available options.
b. fxcli-hsm
• Run this command from the <CLI Dir> directory.
• To see all available commands in this shell, run: help
• To see all available options for a command in this shell, either run only the command, or the command with the "-h" option.

Step 2 of 3: Creating the CA Certificate on the FutureX HSM Server

Step Instructions

1 On the FutureX HSM Client Workstation, open a command prompt or a terminal window.

2 Go to the <CLI Dir> directory.

3 Start the shell:
fxcli-hsm

4 Get the list of available slots.
Run one of these commands:
keytable list
keytable reload

5 Generate the key pair for the CA certificate:
generate -a rsa -b 2048 --slot <Slot or Label of CA Certificate> --name <Name of CA Certificate Private Key File> --tpk-slot <Slot or Label of CA Certificate Public Key> --tpk-name <Name of CA Certificate Public Key File> -u sign,verify
Example:
generate -a RSA -b 2048 --slot 0 --name CAPrivateKey --tpk-slot 1 --tpk-name CAPublicKey -u sign,verify

Important - Do not use the "... slot next" option, because it can overwrite keys for a fake certificate that the Check Point Security Gateway (Cluster Member) created.

6 Generate the CA certificate:
x509 sign --private-slot <Slot or Label of Private Key> --dn "<Distinguished Name of CA Certificate>" --ca 1 --key-usage DigitalSignature --key-usage CrlSign --key-usage KeyCertSign --save-slot <Slot to Save the CA Certificate> --save-name <Label of CA Certificate File> -o <Full Path and Name of CA Certificate File>.cer --validity-period '<Period>'
Example:
x509 sign --private-slot 0 --dn "CN=www.futurexhsm.cp" --ca 1 --key-usage DigitalSignature --key-usage KeyCertSign --key-usage CrlSign --save-slot 2 --save-name CACert -o Z:\FutureXhsm.cer --validity-period '5 years'
Important:
- Do not use the "... slot next" option, because it can overwrite keys for a fake certificate that the Check Point Security Gateway (Cluster Member) created.
- See the Note below this procedure.

7 Get the list of slots used for the CA certificate and the CA certificate's key pair.
Run one of these commands:
keytable list
keytable reload

Note - The PKCS#11 handles that the "keytable list" command shows are the slot numbers plus one. For example, slot 0 is handle 1, slot 1 is handle 2, and so on.

8 Write down the handles of the:
- CA certificate
- CA certificate public key
- CA certificate private key
Example:
CAPublicKey (1)
CAPrivateKey (2)
CACert (3)

Important - You use the numbers of these three handles when you configure the $FWDIR/conf/hsm_configuration.C file on the Check Point Security Gateway (Cluster Members).

Note - The "x509 sign" command in step 6 can create a CA certificate that the Mozilla Firefox browser cannot read.

If this issue occurs, you can create the required certificate with the FutureX API "excrypt".
1. Send this API to the HSM Server:

excrypt -m [AORSGC;AD1;AL2;KUdigitalSignature,keyCertSign,cRLSign;BCCA:TRUE;RC<Slot or Label of Private Key>;RG2;RT<Distinguished Name of CA Certificate>;RY3;SG91234;XE002100;BF<Not Before Date YYYYMMDD>;AF<Not After Date YYYYMMDD>;]

Example:

excrypt -m [AORSGC;AD1;AL2;KUdigitalSignature,keyCertSign,cRLSign;BCCA:TRUE;RC0;RG2;RTwww.hsmfx.cp;RY3;SG91234;XE002100;BF20200101;AF20250101;]

2. Response to this API:

recv: "[AORSGC;AG44;RV<Generated Certificate in Hex format>;]"

Example:

recv: "[AORSGC;AG44;RV308202...(cut for brevity) ...BF64;]"

3. Decode the certificate Hex string and save it as a certificate file in DER format.
In the above example, the Hex string is:

308202...(cut for brevity) ...BF64

Example command for Linux OS ("xxd -r -p" converts the Hex string to DER bytes, and "openssl x509" checks that the result parses as an X.509 certificate before it writes the DER file):

echo "<Generated Certificate in Hex format>" | xxd -r -p - | openssl x509 -inform der -outform der -out <Full Path and Name of CA Certificate File in DER format>.cer

4. Export the certificate file in DER format to the HSM Server:

certs import -n <Label of CA Certificate> -s <Slot to Save the CA Certificate> -i <Full Path and Name of CA Certificate File in DER format>.cer

Example:

certs import -n "CACert" -s 2 -i Z:\FutureXhsm.cer

Step 3 of 3: Configuring the Security Gateway to Work with the FutureX HSM Server

This step has four sub-steps.

Sub-Step 3-A: Configuring HTTPS Inspection on the Security Gateway (Cluster Members) to work without the FutureX HSM Server
Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- In a VSX environment, you must perform this step in the context of every Virtual System (on the VSX Gateway or every VSX Cluster Member).

Step Instructions

1 In SmartConsole, configure the HTTPS Inspection.
See the R81 Security Management Administration Guide > Chapter HTTPS Inspection.

2 On the Security Gateway (every Cluster Member), disable the HSM in the $FWDIR/conf/hsm_configuration.C file.
a. Connect to the command line.
b. Log in to the Expert mode.
c. Edit the file:
vi $FWDIR/conf/hsm_configuration.C
d. Configure the value "no" for the parameter "enabled":
:enabled ("no")
e. Save the changes in the file and exit the editor.

3 In SmartConsole, install the applicable Access Control Policy on the Security Gateway (Cluster).

4 Make sure that HTTPS Inspection works correctly without the HSM Server:
a. From an internal computer, connect to any HTTPS web site.
b. On the internal computer, in the web browser, you must receive the signed CA certificate from the Security Gateway (Cluster).

Sub-Step 3-B: Installing the required software packages on the Security Gateway (Cluster Members)
Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).

Step Instructions

1 Transfer the FutureX PKCS #11 binary files to the Security Gateway (every Cluster Member):
a. Open the FutureX PKCS#11 Library package.
b. Go to this folder:
fxpkcs11-linux-<BUILD> > fxpkcs11 > x86 > OpenSSL-1.1.x
c. Transfer these files to the /usr/lib/hsm_client/ directory on the Security Gateway (every Cluster Member):
- libfxpkcs11.so
- configTest
Important - Make sure to transfer the files in the binary mode.

2 Transfer the FutureX PKCS #11 configuration file to the Security Gateway (every Cluster Member):
a. Open the FutureX PKCS#11 Library package.
b. Go to this folder:
fxpkcs11-linux-<BUILD> > fxpkcs11
c. Transfer this file to the /etc/ directory on the Security Gateway (every Cluster Member):
fxpkcs11.cfg

Sub-Step 3-C: Configuring a connection between the Security Gateway (Cluster Members) and the FutureX HSM Server
Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).

Step Instructions

1 Transfer the FutureX certificate files you received from the FutureX vendor to the Security
Gateway (every Cluster Member) to the /usr/futurex/ directory.

2 Connect to the command line on the Security Gateway (every Cluster Member).

3 Log in to the Expert mode.

4 Back up the configuration file /etc/fxpkcs11.cfg:
cp -v /etc/fxpkcs11.cfg{,_BKP}

5 Edit the configuration file /etc/fxpkcs11.cfg:
vi /etc/fxpkcs11.cfg

6 Configure these attribute values:

Attribute        Attribute Value
<LOG-FILE>       /var/log/fxpkcs11.log
<ADDRESS>        The IP address (or URL) of the FutureX HSM Server.
<PROD-PORT>      The port on the FutureX HSM Server. You can use the default port 9100, or configure a different port.
<PROD-TLS-CA>    The path to the Certificate Authority certificate file. This attribute can appear multiple times.
<PROD-TLS-CERT>  The path to the client certificate file.
<PROD-TLS-KEY>   The path to the client private key file.

7 Save the changes in the file and exit the editor.

8 Create the required symbolic link:
ln -s /var/log/fxpkcs11.log /tmp/fxpkcs11.log

Sub-Step 3-D: Configuring HTTPS Inspection on the Security Gateway (Cluster Members) to work with the FutureX HSM Server
Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- In a VSX environment, you must perform this step in the context of the VSX Gateway or every VSX Cluster Member (context of VS 0).

Notes:
- After you apply the HSM configuration for the first time, you can get an HSM connection error.
The most common scenario is when you configure several Security Gateways (Cluster Members) to use the same HSM Server, and they access it at the same time.
In this case:
a. Run the "fw fetch local" command on the Security Gateway (Cluster Member) that has an HSM connection issue.
In a VSX environment, run this command in the context of the problematic VSX Virtual System.
b. When you see "HSM on" on the screen, continue to configure the next Security Gateway, Cluster Member, or VSX Virtual System.
- After any change in the $FWDIR/conf/hsm_configuration.C file, you must fetch the local policy (with the "fw fetch local" command) or install the policy on the Security Gateway (Cluster, VSX Virtual System) in SmartConsole.
- If the HSM Server is not available when you fetch the local policy or install the policy in SmartConsole, HTTPS Inspection cannot inspect the outbound HTTPS traffic. As a result, internal computers behind the Security Gateway (Cluster, VSX Virtual System) cannot access HTTPS web sites.
In addition, see "Disabling Communication from the Security Gateway to the HSM Server" on page 95.

Step Instructions

1 Connect to the command line on the Security Gateway (every Cluster Member).

2 Log in to the Expert mode.

3 Back up the $FWDIR/conf/hsm_configuration.C file:
cp -v $FWDIR/conf/hsm_configuration.C{,_BKP}

4 Edit the $FWDIR/conf/hsm_configuration.C file:
vi $FWDIR/conf/hsm_configuration.C

5 Configure the required values for these attributes:

(
:enabled ("yes")
:hsm_vendor_name ("FutureX HSM")
:lib_filename ("")
:CA_cert_public_key_handle (<Number of "CAPublicKey" Handle for CA certificate>)
:CA_cert_private_key_handle (<Number of "CAPrivateKey" Handle for CA certificate>)
:CA_cert_buffer_handle (<Number of "CACert" Handle for CA certificate>)
:token_id ("<Password for Partition on FutureX HSM Server>")
)

Notes:
- The ":enabled ()" attribute must have the value of either "yes" (to enable the HSM), or "no" (to disable the HSM).
- The ":hsm_vendor_name ()" attribute must contain the string "FutureX HSM".
- The ":lib_filename ()" attribute must contain the full path to the file libfxpkcs11.so (from the FutureX PKCS #11 Library) on the Security Gateway (Cluster Member).
You must configure this full path explicitly if this file is not located at the default path: /usr/lib/libfxpkcs11.so
- The ":CA_cert_<XXX> ()" attributes must have the required values of the handles from the output of the "keytable" command on the FutureX HSM Server.
See "Step 2 of 3: Creating the CA Certificate on the FutureX HSM Server" on page 86.
- The ":token_id ()" attribute must contain the password for the partition on the FutureX HSM Server.

Example:
(
:enabled ("yes")
:hsm_vendor_name ("FutureX HSM")
:lib_filename ("")
:CA_cert_public_key_handle (1)
:CA_cert_private_key_handle (2)
:CA_cert_buffer_handle (3)
:token_id ("p@ssw0rd")
)

6 Apply the new configuration.
- If you explicitly defined (or changed) the value of the ":hsm_vendor_name ()" attribute to the string "FutureX HSM", then restart all Check Point services with this command:
cprestart

Important - This blocks all traffic until all services restart. In a cluster, this can cause a failover.

- If the value of the ":hsm_vendor_name ()" attribute already contained the string "FutureX HSM", then fetch the local policy with this command:
fw fetch local

7 Make sure that the Security Gateway (every Cluster Member) can connect to the HSM Server and that HTTPS Inspection is activated successfully on the outbound traffic.
Run this command:
cpstat https_inspection -f all
The output must show:
- HSM partition access (Accessible/Not Accessible): Accessible
- Outbound status (HSM on/HSM off/HSM error): HSM on

For more information, see "Monitoring HTTPS Inspection with HSM in CLI" on page 110.

8 Make sure that HTTPS Inspection is activated successfully on the outbound traffic:
a. From an internal computer, connect to any HTTPS web site.
b. On the internal computer, in the web browser, you must receive the signed CA certificate from the HSM Server.

Note - If there is a connectivity issue from the Check Point Security Gateway (Cluster Member) to the FutureX HSM Server, then perform these steps on the Security Gateway (Cluster Member):
1. Examine the /var/log/fxpkcs11.log file.
If you do not see a root cause in this log file, continue to the next step to configure verbose logs.
2. Configure these logging settings in the /etc/fxpkcs11.cfg file to see more information in the log file:
- LOG-TRAFFIC: YES
- LOG-MODE: INFO
or
LOG-MODE: ERROR


Disabling Communication from the Security Gateway to the HSM Server
You can disable communication from the Check Point Security Gateway (Cluster Members) to an HSM Server, for example, when the HSM Server is under maintenance.

Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- In a VSX environment, you must perform this step in the context of every Virtual System (on the VSX Gateway or every VSX Cluster Member).

Step Instructions

1 Connect to the command line on the Security Gateway (every Cluster Member).

2 Log in to the Expert mode.

3 Edit the $FWDIR/conf/hsm_configuration.C file:
vi $FWDIR/conf/hsm_configuration.C

4 Configure the value "no" for the parameter "enabled":
:enabled ("no")

5 Save the changes in the file and exit the editor.

6 Fetch the local policy:
fw fetch local


Monitoring HTTPS Inspection When Security Gateway Works with HSM
When the HTTPS Inspection daemon wstlsd initializes on a Check Point Security Gateway (Cluster Member), it checks whether this Security Gateway (Cluster Member) is configured to work with an HSM Server.
- You can see the applicable logs in SmartConsole > Logs & Monitor > Logs tab.
See "Monitoring HTTPS Inspection with HSM in SmartConsole Logs" on page 97.
- You can query the HTTPS Inspection on the Security Gateway or Cluster Members over SNMP.
See "Monitoring HTTPS Inspection with HSM over SNMP" on page 101.
- You can run the "cpstat https_inspection" command on the Security Gateway or Cluster Members.
See "Monitoring HTTPS Inspection with HSM in CLI" on page 110.

Note - To see detailed information about wstlsd initialization, follow sk105559: How to debug WSTLSD daemon.


Monitoring HTTPS Inspection with HSM in SmartConsole Logs
To see the HTTPS Inspection logs about the Gemalto HSM Server in SmartConsole:

Step Description

1 From the left navigation panel, click Logs & Monitor > Logs.

2 In the search field, enter:
type:Control

3 Double-click the applicable log.

4 In the log, refer to the More section.

Possible logs are:

Log Description: HSM is enabled for outbound HTTPS inspection with <HSM Vendor>
Explanation:
- The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
- The <HSM Vendor> is the value of the ":hsm_vendor_name ()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).

Log Description: HSM is disabled for outbound HTTPS inspection
Explanation: One of these:
- The HSM Client software packages are not installed on the Security Gateway (Cluster Member).
- The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway (Cluster Member).
- The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
- The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Member).

Log Description: Outbound HTTPS inspection works with HSM
Log Additional Information: Gateway is connected to HSM
Explanation: All these conditions were met:
1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
2. The Security Gateway (Cluster Member) could connect to the HSM Server.

Log Description: Outbound HTTPS inspection is off due to HSM error
Log Additional Information: One of these strings:
- HSM configuration file is corrupted
- Loading HSM library failed
- There is no trust or no connectivity with HSM server
- Login to HSM partition failed
- Error importing CA certificate from HSM server
- Error generating key pair on HSM server
Explanation: See the section Log Additional Information in the log.

Monitoring HTTPS Inspection with HSM over SNMP

You can query the HTTPS Inspection status and the status of connection to the HSM Server on the Security Gateway (Cluster Member) over SNMP:
- Full OID is:
.iso.org.dod.internet.private.enterprises.checkpoint.products.httpsInspection
- Numerical OID is:
.1.3.6.1.4.1.2620.1.54

"HTTPS Inspection status"

To get the HTTPS Inspection status, query this SNMP object:

SNMP OID: httpsInspectionStatus (.1.3.6.1.4.1.2620.1.54.1)
Returned strings and explanation:
- On - HTTPS Inspection feature is configured on the Security Gateway (Cluster Member).
- Off - HTTPS Inspection feature is not configured on the Security Gateway (Cluster Member).

"HTTPS Inspection status description"

To get the HTTPS Inspection status description, query this SNMP object:

SNMP OID: httpsInspectionStatusDescription (.1.3.6.1.4.1.2620.1.54.2)
Returned strings and explanation:
- "HTTPS Inspection is on" - HTTPS Inspection feature is configured on the Security Gateway (Cluster Member).
- "HTTPS Inspection is off" - HTTPS Inspection feature is not configured on the Security Gateway (Cluster Member).

"HSM configuration status"

To get the HSM configuration status, query this SNMP object:

SNMP OID: hsmStatus.hsmEnabled (.1.3.6.1.4.1.2620.1.54.3.1)
Returned strings and explanation:
- Enabled - The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
- Disabled - One of these:
  - The HSM Client software packages are not installed on the Security Gateway (Cluster Member).
  - The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway (Cluster Member).
  - The value of the ":enabled()" attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  - The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Member).

"HSM configuration status description"

To get the HSM configuration status description, query this SNMP object:

SNMP OID: hsmStatus.hsmEnabledDescription (.1.3.6.1.4.1.2620.1.54.3.2)
Returned strings and explanation:
- "HSM is enabled for HTTPS inspection with <HSM Vendor>":
  - The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  - The <HSM Vendor> is the value of the ":hsm_vendor_name ()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
- "HSM is disabled for HTTPS inspection" - One of these:
  - The HSM Client software packages are not installed on the Security Gateway (Cluster Member).
  - The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway (Cluster Member).
  - The HTTPS Inspection daemon wstlsd could not read the value of the ":enabled()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  - The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Member).

"HSM partition access status"

To get the HSM partition access status, query this SNMP object:

SNMP OID: hsmStatus.hsmPartitionAccess (.1.3.6.1.4.1.2620.1.54.3.3)
Returned strings and explanation:
- N/A - The Security Gateway (Cluster Member) could not check the access to its partition on the HSM Server, most probably because the HSM configuration is disabled on the Security Gateway (Cluster Member).
- Accessible - The Security Gateway (Cluster Member) could access its partition on the HSM Server.
- Not Accessible - The Security Gateway (Cluster Member) could not access its partition on the HSM Server because of an error.

"HSM partition access status description"

To get the HSM partition access status description, query this SNMP object:

SNMP OID: hsmStatus.hsmPartitionAccessDescription (.1.3.6.1.4.1.2620.1.54.3.4)
Returned strings and explanation:
- "HSM partition access cannot be checked" - The Security Gateway (Cluster Member) could not check the access to its partition on the HSM Server.
- "Gateway can access HSM partition for HTTPS inspection" - The Security Gateway (Cluster Member) could access its partition on the HSM Server.
- "Gateway cannot access HSM partition for HTTPS inspection: <Error Message>" - The Security Gateway (Cluster Member) could not access its partition on the HSM Server because of an error. Possible error messages are:
  - HSM configuration file is corrupted
  - Loading HSM library failed
  - There is no trust or no connectivity with HSM server
  - Login to HSM partition failed

"Outbound HTTPS Inspection status"

To get the Outbound HTTPS Inspection status, query this SNMP object:

SNMP OID: hsmStatus.outboundStatus (.1.3.6.1.4.1.2620.1.54.3.5)
Returned strings and explanation:
- N / A - When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.
- HSM on - All these conditions were met:
  1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. The Security Gateway (Cluster Member) could connect to the HSM Server.
- HSM off - One of these:
  - The HSM Client software packages are not installed on the Security Gateway (Cluster Member).
  - The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway (Cluster Member).
  - The value of the ":enabled()" attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  - The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Member).
- HSM error - All these conditions were met:
  1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. An error occurred.
  Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Note - The conditions for the returned strings are calculated on the Security Gateway (Cluster Member) during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "hsmStatus.hsmEnabled = HSM enabled" and "hsmStatus.outboundStatus = HSM off", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.

"Outbound HTTPS Inspection status description"

To get the Outbound HTTPS Inspection status description, query this SNMP object:

SNMP OID: hsmStatus.outboundStatusDescription (.1.3.6.1.4.1.2620.1.54.3.6)
Returned strings and explanation:
- "Cannot get HTTPS inspection outbound status. Process may be under initialization. Please try again in a minute." - When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.
- "Outbound HTTPS inspection works with HSM" - All these conditions were met:
  1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. The Security Gateway (Cluster Member) could connect to the HSM Appliance Server.
- "Outbound HTTPS inspection works without HSM" - The value of the ":enabled()" attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member), or this file does not exist.
- "Outbound HTTPS inspection is off due to HSM error: <Error Message>" - All these conditions were met:
  1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. An error occurred.
  Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.
  Possible error messages are:
  - HSM configuration file is corrupted
  - Loading HSM library failed
  - There is no trust or no connectivity with HSM server
  - Login to HSM partition failed
  - Error importing CA certificate from HSM server
  - Error generating key pair on HSM server

Note - The conditions for the returned strings are calculated on the Security Gateway (Cluster Member) during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "hsmStatus.hsmEnabledDescription = HSM is enabled for HTTPS inspection with <HSM Vendor>" and "hsmStatus.outboundStatusDescription = Outbound HTTPS inspection works without HSM", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.

Examples
# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -On -v 2c -c public localhost 1.3.6.1.4.1.2620.1.54

.1.3.6.1.4.1.2620.1.54.1.0 = STRING: On
.1.3.6.1.4.1.2620.1.54.2.0 = STRING: HTTPS Inspection is on
.1.3.6.1.4.1.2620.1.54.3.1.0 = STRING: Enabled
.1.3.6.1.4.1.2620.1.54.3.2.0 = STRING: HSM is enabled for HTTPS inspection with Gemalto HSM
.1.3.6.1.4.1.2620.1.54.3.3.0 = STRING: Accessible
.1.3.6.1.4.1.2620.1.54.3.4.0 = STRING: Gateway can access HSM partition for HTTPS inspection
.1.3.6.1.4.1.2620.1.54.3.5.0 = STRING: HSM on
.1.3.6.1.4.1.2620.1.54.3.6.0 = STRING: Outbound HTTPS inspection works with HSM

# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -Oa -v 2c -c public localhost 1.3.6.1.4.1.2620.1.54

CHECKPOINT-MIB::httpsInspectionStatus.0 = STRING: On
CHECKPOINT-MIB::httpsInspectionStatusDescription.0 = STRING: HTTPS Inspection is on
CHECKPOINT-MIB::hsmEnabled.0 = STRING: Enabled
CHECKPOINT-MIB::hsmEnabledDescription.0 = STRING: HSM is enabled for HTTPS inspection with Gemalto HSM
CHECKPOINT-MIB::hsmPartitionAccess.0 = STRING: Accessible
CHECKPOINT-MIB::hsmPartitionAccessDescription.0 = STRING: Gateway can access HSM partition for HTTPS inspection
CHECKPOINT-MIB::outboundStatus.0 = STRING: HSM on
CHECKPOINT-MIB::outboundStatusDescription.0 = STRING: Outbound HTTPS inspection works with HSM

For more information about SNMP on Gaia OS, see the R81 Gaia Administration Guide > Chapter System
Management > Section SNMP.

Monitoring HTTPS Inspection with HSM in CLI

Run the "cpstat https_inspection" command on the Security Gateway (Cluster Member) to see the HTTPS Inspection status and the status of connection to the HSM Server.

Syntax

cpstat -h

cpstat https_inspection -f {default | hsm_status | all}

For more information about this command, see the R81 CLI Reference Guide > Chapter Security Gateway Commands > Section cpstat.

Example outputs
[Expert@GW:0]# cpstat https_inspection -f default

HTTPS inspection status (On/Off): On
HTTPS inspection status description: HTTPS Inspection is on

[Expert@GW:0]#

[Expert@GW:0]# cpstat https_inspection -f hsm_status

HSM enabled (Enabled/Disabled): Enabled
HSM enabled description: HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): Accessible
HSM partition access description: Gateway can access to HSM partition for HTTPS inspection
Outbound status (HSM on/HSM off/HSM error): HSM on
Outbound status description: Outbound HTTPS inspection works with HSM

[Expert@GW:0]#

[Expert@GW:0]# cpstat https_inspection -f all

HTTPS inspection status (On/Off): On
HTTPS inspection status description: HTTPS Inspection is on
HSM enabled (Enabled/Disabled): Enabled
HSM enabled description: HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): Accessible
HSM partition access description: Gateway can access to HSM partition for HTTPS inspection
Outbound status (HSM on/HSM off/HSM error): HSM on
Outbound status description: Outbound HTTPS inspection works with HSM

[Expert@GW:0]#
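The verification in Sub-Step 3-D (step 7) and the status tables in this chapter describe three outcomes that a monitoring job should treat differently: "HSM on" (keys stay on the HSM), "HSM off" (inspection continues but the SSL keys are stored on the gateway), and "HSM error" (outbound HTTPS traffic does not pass). The following shell function is an added example, not code from the Check Point guide: it classifies the output of "cpstat https_inspection -f all" into those outcomes and returns a distinct exit code for each. The sample outputs it runs over are constructed in the cpstat format shown above; the exit-code scheme is an assumption of this example.

```shell
#!/bin/bash
# Added example (not from the Check Point guide): classify the HSM state of
# HTTPS Inspection from "cpstat https_inspection -f all" output. Use it from
# Expert mode or a monitoring job:   cpstat https_inspection -f all | hsm_state
# Assumed exit codes: 0 = OK (HSM on, partition accessible),
#   1 = degraded (inspection runs without the HSM, SSL keys are on the gateway),
#   2 = down (HSM error, outbound HTTPS traffic does not pass),
#   3 = unknown (wstlsd still initializing, or an unexpected value).

# Print the value of the first cpstat line whose label starts with $1.
# Example line: "Outbound status (HSM on/HSM off/HSM error): HSM on"
cpstat_field() {
    grep -e "^$1" | head -n 1 | sed 's/^[^:]*: *//' | tr -d '\r'
}

# Read cpstat output on stdin, print a one-line verdict, return the exit code.
hsm_state() {
    local out enabled access outbound desc
    out=$(cat)
    enabled=$(printf '%s\n' "$out" | cpstat_field 'HSM enabled (Enabled')
    access=$(printf '%s\n' "$out" | cpstat_field 'HSM partition access (Accessible')
    outbound=$(printf '%s\n' "$out" | cpstat_field 'Outbound status (HSM on')
    desc=$(printf '%s\n' "$out" | cpstat_field 'Outbound status description')

    case "$outbound" in
        "HSM on")
            # Private key operations for HTTPS Inspection happen on the HSM.
            if [ "$access" = "Accessible" ]; then
                echo "OK: $desc"
                return 0
            fi
            echo "DEGRADED: outbound is HSM on but partition access is '$access'"
            return 1 ;;
        "HSM error")
            # Guide: outbound HTTPS Inspection does not work, HTTPS traffic is dropped.
            echo "DOWN: $desc"
            return 2 ;;
        "HSM off")
            # Guide: inspection works without the HSM and the CA key lives on the gateway.
            if [ "$enabled" = "Enabled" ]; then
                # Config says "yes" but wstlsd saw it disabled at start or policy install:
                # fetch the local policy (fw fetch local) and check again.
                echo "DEGRADED: HSM enabled in hsm_configuration.C but outbound is HSM off; fetch local policy"
            else
                echo "DEGRADED: HSM disabled, SSL keys are stored on the gateway"
            fi
            return 1 ;;
        "N / A"|"N/A"|"")
            echo "UNKNOWN: wstlsd still initializing, retry in a minute"
            return 3 ;;
        *)
            echo "UNKNOWN: unexpected outbound status '$outbound'"
            return 3 ;;
    esac
}

# Constructed sample outputs in the cpstat format shown in the guide (not real captures).
SAMPLE_OK='HTTPS inspection status (On/Off): On
HTTPS inspection status description: HTTPS Inspection is on
HSM enabled (Enabled/Disabled): Enabled
HSM enabled description: HSM is enabled for HTTPS inspection with FutureX HSM
HSM partition access (Accessible/Not Accessible): Accessible
HSM partition access description: Gateway can access to HSM partition for HTTPS inspection
Outbound status (HSM on/HSM off/HSM error): HSM on
Outbound status description: Outbound HTTPS inspection works with HSM'

SAMPLE_ERROR='HTTPS inspection status (On/Off): On
HTTPS inspection status description: HTTPS Inspection is on
HSM enabled (Enabled/Disabled): Enabled
HSM enabled description: HSM is enabled for HTTPS inspection with FutureX HSM
HSM partition access (Accessible/Not Accessible): Not Accessible
HSM partition access description: Gateway cannot access HSM partition for HTTPS inspection: Login to HSM partition failed
Outbound status (HSM on/HSM off/HSM error): HSM error
Outbound status description: Outbound HTTPS inspection is off due to HSM error: Login to HSM partition failed'

SAMPLE_OFF='HTTPS inspection status (On/Off): On
HTTPS inspection status description: HTTPS Inspection is on
HSM enabled (Enabled/Disabled): Disabled
HSM enabled description: HSM is disabled for HTTPS inspection
HSM partition access (Accessible/Not Accessible): N/A
HSM partition access description: HSM partition access cannot be checked
Outbound status (HSM on/HSM off/HSM error): HSM off
Outbound status description: Outbound HTTPS inspection works without HSM'

# Demo run over the constructed samples: prints each verdict and its exit code.
for sample in "$SAMPLE_OK" "$SAMPLE_ERROR" "$SAMPLE_OFF"; do
    printf '%s\n' "$sample" | hsm_state || echo "  (exit code $?)"
done
```

A cluster check runs this on every member, because the guide requires all members to reach "HSM on" independently.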

Explanation about the "HTTPS Inspection status"

Item: HTTPS inspection status (On/Off)
Possible returned strings and explanation:
- On - HTTPS Inspection feature is configured on the Security Gateway (Cluster Member).
- Off - HTTPS Inspection feature is not configured on the Security Gateway (Cluster Member).

Explanation about the "HTTPS Inspection status description"

Item: HTTPS inspection status description
Possible returned strings and explanation:
- "HTTPS Inspection is on" - HTTPS Inspection feature is configured on the Security Gateway (Cluster Member).
- "HTTPS Inspection is off" - HTTPS Inspection feature is not configured on the Security Gateway (Cluster Member).


Explanation about the "HSM configuration status"

Item: HSM enabled (Enabled/Disabled)
Possible returned strings and their explanation:
- "Enabled" - The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
- "Disabled" - One of these:
  - The HSM Client software packages are not installed on the Security Gateway (Cluster Member).
  - The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway (Cluster Member).
  - The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  - The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).


Explanation about the "HSM configuration status description"

Item: HSM enabled description
Possible returned strings and their explanation:
- "HSM is enabled for HTTPS inspection with <HSM Vendor>":
  - The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  - The <HSM Vendor> is the value of the ":hsm_vendor_name ()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
- "HSM is disabled for HTTPS inspection" - One of these:
  - The HSM Client software packages are not installed on the Security Gateway (Cluster Member).
  - The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway (Cluster Member).
  - The HTTPS Inspection daemon wstlsd could not read the value of the ":enabled()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  - The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).


Explanation about the "HSM partition access status"

Item: HSM partition access (Accessible/Not Accessible)
Possible returned strings and their explanation:
- "N/A" - Security Gateway (Cluster Member) could not check the access to its partition on the HSM Server.
- "Accessible" - Security Gateway (Cluster Member) could access its partition on the HSM Server.
- "Not Accessible" - Security Gateway (Cluster Member) could not access its partition on the HSM Server because of an error.
  Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.


Explanation about the "HSM partition access status description"

Item: HSM partition access description
Possible returned strings and their explanation:
- "HSM partition access cannot be checked" - Security Gateway (Cluster Member) could not check the access to its partition on the HSM Server. Most probably, because HSM configuration is disabled on the Security Gateway (Cluster Member).
- "Gateway can access HSM partition for HTTPS inspection" - Security Gateway (Cluster Member) could access its partition on the HSM Server.
- "Gateway cannot access HSM partition for HTTPS inspection: <Error Message>" - Security Gateway (Cluster Member) could not access its partition on the HSM Server because of an error. All these conditions were met:
  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. An error occurred.
  Possible error messages are:
  - HSM configuration file is corrupted
  - Loading HSM library failed
  - There is no trust or no connectivity with HSM server
  - Login to HSM partition failed
  Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.


Explanation about the "Outbound HTTPS Inspection status"

Item: Outbound status (HSM on/HSM off/HSM error)
Possible returned strings and their explanation:
- "N / A" - When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.
- "HSM on" - All these conditions were met:
  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. Security Gateway (Cluster Member) could connect to the HSM Server.
- "HSM off" - One of these:
  - The HSM Client software packages are not installed on the Security Gateway (Cluster Member).
  - The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway (Cluster Member).
  - The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  - The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).
- "HSM error" - All these conditions were met:
  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. An error occurred.
  Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Note - The conditions for the returned strings are calculated on the Security Gateway (Cluster Member) during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status (HSM on/HSM off/HSM error) = HSM off", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.


Explanation about the "Outbound HTTPS Inspection status description"

Item: Outbound status description
Possible returned strings and their explanation:
- "Cannot get HTTPS inspection outbound status. Process may be under initialization. Please try again in a minute." - When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.
- "Outbound HTTPS inspection works with HSM" - All these conditions were met:
  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. Security Gateway (Cluster Member) could connect to the HSM Server.
- "Outbound HTTPS inspection works without HSM" - The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member), or this file does not exist.
- "Outbound HTTPS inspection is off due to HSM error: <Error Message>" - All these conditions were met:
  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway (Cluster Member).
  2. An error occurred.
  Possible error messages are:
  - HSM configuration file is corrupted
  - Loading HSM library failed
  - There is no trust or no connectivity with HSM server
  - Login to HSM partition failed
  - Error importing CA certificate from HSM server
  - Error generating key pair on HSM server
  Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Note - The conditions for the returned strings are calculated on the Security Gateway (Cluster Member) during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status description = Outbound HTTPS inspection works without HSM", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.
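The returned strings above lend themselves to automated monitoring. The following added example (not code from this guide or from Check Point) parses the output of "cpstat https_inspection -f all" and turns it into a health verdict, distinguishing the cases that only degrade security (keys held on the gateway) from those where HTTPS traffic stops passing; the three sample outputs are constructed, and the check_live_gateway() helper assumes it runs in Expert mode on the gateway itself.

```python
import re
import subprocess

# Constructed sample outputs, modelled on the "cpstat https_inspection -f all"
# outputs shown in this guide (not captured from a real gateway).
SAMPLE_HEALTHY = """\
HTTPS inspection status (On/Off): On
HTTPS inspection status description: HTTPS Inspection is on
HSM enabled (Enabled/Disabled): Enabled
HSM enabled description: HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): Accessible
HSM partition access description: Gateway can access to HSM partition for HTTPS inspection
Outbound status (HSM on/HSM off/HSM error): HSM on
Outbound status description: Outbound HTTPS inspection works with HSM
"""

SAMPLE_HSM_ERROR = """\
HTTPS inspection status (On/Off): On
HTTPS inspection status description: HTTPS Inspection is on
HSM enabled (Enabled/Disabled): Enabled
HSM enabled description: HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): Not Accessible
HSM partition access description: Gateway cannot access HSM partition for HTTPS inspection: Login to HSM partition failed
Outbound status (HSM on/HSM off/HSM error): HSM error
Outbound status description: Outbound HTTPS inspection is off due to HSM error: Login to HSM partition failed
"""

# The stale-state case from the Note above: HSM enabled, but outbound status still
# reflects the configuration seen at wstlsd start or at the last policy installation.
SAMPLE_STALE = """\
HTTPS inspection status (On/Off): On
HTTPS inspection status description: HTTPS Inspection is on
HSM enabled (Enabled/Disabled): Enabled
HSM enabled description: HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): N/A
HSM partition access description: HSM partition access cannot be checked
Outbound status (HSM on/HSM off/HSM error): HSM off
Outbound status description: Outbound HTTPS inspection works without HSM
"""

_QUALIFIER = re.compile(r"\s*\([^)]*\)\s*$")  # strips "(On/Off)" etc. from item names


def parse_cpstat(text):
    """Map every "Item (qualifier): value" line to {item: value}.

    Only the first colon separates item and value, so a value that itself
    contains a colon ("... due to HSM error: <Error Message>") stays intact.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("["):  # skip prompts such as [Expert@GW:0]#
            continue
        item, _, value = line.partition(":")
        fields[_QUALIFIER.sub("", item.strip())] = value.strip()
    return fields


def assess(fields):
    """Return (level, reason); level is one of OK, INFO, PENDING, WARNING, CRITICAL."""
    if fields.get("HTTPS inspection status") != "On":
        return "INFO", "HTTPS Inspection is not configured; HSM status is not applicable"
    outbound = fields.get("Outbound status", "")
    if outbound.replace(" ", "") == "N/A":
        return "PENDING", "wstlsd is still initializing; query again within a minute"
    if outbound == "HSM error":
        desc = fields.get("Outbound status description", "")
        _, _, err = desc.partition("HSM error:")
        return "CRITICAL", "outbound HTTPS Inspection is off and HTTPS traffic does not pass: " + err.strip()
    if outbound == "HSM on":
        if fields.get("HSM partition access") != "Accessible":
            return "CRITICAL", "HSM partition is not accessible; HTTPS traffic does not pass through"
        return "OK", fields.get("HSM enabled description", "HSM in use")
    if outbound == "HSM off":
        if fields.get("HSM enabled") == "Enabled":
            return "WARNING", ("HSM is enabled in hsm_configuration.C but outbound inspection runs "
                               "without it; status was computed at wstlsd start or last policy install")
        return "WARNING", "outbound HTTPS Inspection works without HSM; SSL keys are stored on the gateway"
    return "WARNING", "unrecognized outbound status: " + repr(outbound)


def check_live_gateway():
    """Run cpstat on the Security Gateway itself (Expert mode) and assess its output."""
    proc = subprocess.run(["cpstat", "https_inspection", "-f", "all"],
                          capture_output=True, text=True, check=True)
    return assess(parse_cpstat(proc.stdout))


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("hsm-error", SAMPLE_HSM_ERROR),
                         ("stale", SAMPLE_STALE)):
        level, reason = assess(parse_cpstat(sample))
        print(f"{name:10s} {level:9s} {reason}")
```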

ISP Redundancy on a Security Gateway
In This Section:

Introduction 119
ISP Redundancy Modes 123
Outgoing Connections 124
Incoming Connections 125

Note - For information about ISP Redundancy on a Cluster, see the R81 ClusterXL
Administration Guide.

Introduction
ISP Redundancy connects a Security Gateway to the Internet through redundant Internet Service Provider
(ISP) links.
ISP Redundancy monitors the ISP links and chooses the best current link.

Notes:
- R81 supports two ISPs.
- ISP Redundancy is intended for traffic that originates on your internal networks and goes to the Internet.


Example of a typical deployment with a single ISP link

Item Description

1 Internal network

2 Security Gateway

3 ISP

4 Internet


Example of a typical deployment with two dedicated physical interfaces for two ISP links

Best Practice - We recommend this deployment, because it is simpler than the deployment with one dedicated physical interface.

Item Description

1 Internal network

2 Security Gateway

3 ISP A

4 ISP B

5 Internet


Example of a typical deployment with one dedicated physical interface for two ISP links
If only one external interface is available on the Security Gateway, you can configure two subnets on the
same external interface.
(See the R81 Gaia Administration Guide > Chapter Network Management > Section Network Interfaces >
Section Aliases.)
Both ISP links are then connected to the same Security Gateway interface, but to different next hop
routers, usually through a switch.

Item Description

1 Internal network

2 Security Gateway

3 Switch

4 ISP A

5 ISP B

6 Internet


ISP Redundancy Modes

ISP Redundancy configuration modes control the behavior of outgoing connections from internal clients to
the Internet:

Mode: Load Sharing
Uses the two links to distribute the load of connections.
Connections coming in are alternated.
You can configure the relative loads for the links (set a faster link to handle more load).
New connections are randomly assigned to a link.
If one link fails, the other link takes the load.
In this mode, incoming connections can reach the application servers through either ISP link, because the Security Gateway can answer DNS requests for the IP address of internal servers with IP addresses from both ISPs by alternating their order.

Mode: Primary/Backup
Uses one link for connections.
It switches to the Backup link if the Primary link fails.
When the Primary link is restored, new connections are assigned to it.
Existing connections continue on the Backup link until they are complete.
In this mode, incoming connections (from the Internet to application servers in the DMZ or internal networks) also benefit, because the Security Gateway returns packets using the same ISP link through which the connection was initiated.

Best Practice:
- If both ISPs are basically the same, use the Load Sharing mode to ensure that you are making the best use of both ISPs.
- You may prefer to use one of your two ISPs that is more cost-effective in terms of price and reliability. In that case, use Primary/Backup mode and set the more cost-effective ISP as the Primary ISP link.


Outgoing Connections
- In ISP Redundancy Load Sharing mode, outgoing traffic that exits the Security Gateway on its way to the Internet is distributed between the ISP links. You can set a relative weight for how much you want each of the ISP links to be used.
  For example, if one link is faster, it can be configured to route more traffic across that ISP link than the other.
- In ISP Redundancy Primary/Backup mode, outgoing traffic uses the active primary link.
  Hide NAT is used to change the source address of outgoing packets to the address of the interface through which the packet leaves the Security Gateway. This allows return packets to be automatically routed through the same ISP link, because their destination address is the address of the correct link. Hide NAT is configured by the administrator.


Incoming Connections
For external users to make incoming connections, the administrator must give each application server two
routable IP addresses, one for each ISP. The administrator must also configure Static NAT to translate the
routable addresses to the real server address.
If the servers handle different services (for example, HTTP and FTP), you can use NAT to employ only two
routable IP addresses for all the publicly available servers.
External clients use one of the two addresses. In order to connect, the clients must be able to resolve the
DNS name of the server to the correct IP address.

Note - In the following example, the subnets 172.16.0.0/24 and 192.168.0.0/24 represent public routable addresses.

In the following example, the Web server www.example.com is assigned an IP address from each ISP:
- 192.168.1.2 from ISP A
- 172.16.2.2 from ISP B
If the ISP Link A is down, then IP address 192.168.1.2 becomes unavailable, and the clients must be able
to resolve the URL www.example.com to the IP address 172.16.2.2.
An incoming connection is established, based on this example, in the following sequence:
1. When an external client on the Internet contacts www.example.com, the client sends a DNS query for the IP address of this URL.
   The DNS query reaches the Security Gateway. The Security Gateway has a built-in mini-DNS server that can be configured to intercept DNS queries (of Type A) for servers in its domain.
2. A DNS query arriving at an interface that belongs to one of the ISP links is intercepted by the Security Gateway.
3. If the Security Gateway recognizes the name of the host, it sends one of the following replies:
   - In ISP Redundancy Primary/Backup mode, the Security Gateway replies only with the IP addresses associated with the Primary ISP link, as long as the Primary ISP link is active.
   - In ISP Redundancy Load Sharing mode, the Security Gateway replies with two IP addresses, alternating their order.
4. If the Security Gateway is unable to handle DNS requests (for example, it may not recognize the host name), it passes the DNS query to its original destination or the DNS server of the domain example.com.
5. When the external client receives the reply to its DNS query, it opens a connection. Once the packets reach the Security Gateway, the Security Gateway uses Static NAT to translate the destination IP address 192.168.1.2 or 172.16.2.2 to the real server IP address 10.0.0.2.
6. The Security Gateway routes the reply packets from the server to the client through the same ISP link that was used to initiate the connection.
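The incoming-connection sequence above, as an added model (not the Security Gateway's own code): it reproduces how the mini-DNS server answers Type A queries in each mode and how Static NAT maps the chosen public address back to the real server and to the ISP link the reply must leave on. The server data follows the www.example.com example; the link names, the handling of a query for a host behind a link that is down, and the "all links down" case are assumptions and marked as such in the code.

```python
from itertools import count

LOAD_SHARING = "Load Sharing"
PRIMARY_BACKUP = "Primary/Backup"

# Constructed data following the www.example.com example above:
# fqdn -> (real server IP behind Static NAT, {ISP link name: public IP from that ISP})
SERVERS = {
    "www.example.com": ("10.0.0.2", {"ISP A": "192.168.1.2", "ISP B": "172.16.2.2"}),
}


class IspRedundancyModel:
    """Model of the mini-DNS server and the Static NAT step for incoming connections."""

    def __init__(self, mode, servers, primary="ISP A"):
        self.mode = mode
        self.servers = servers
        self.primary = primary
        self.links = {link: "up" for _, per_isp in servers.values() for link in per_isp}
        self._queries = count()  # query counter used to alternate the reply order
        # Reverse map for Static NAT: public IP -> (fqdn, real IP, ISP link it belongs to)
        self._nat = {pub: (fqdn, real, link)
                     for fqdn, (real, per_isp) in servers.items()
                     for link, pub in per_isp.items()}

    def set_link(self, link, state):
        """Mark an ISP link up or down (what "fw isp_link <link> {up|down}" forces)."""
        if state not in ("up", "down"):
            raise ValueError(f"state must be 'up' or 'down', got {state!r}")
        self.links[link] = state

    def answer_dns(self, qname, qtype="A"):
        """Reply of the mini-DNS server, or None if the query is passed through.

        Only Type A queries for known hosts are intercepted. Assumption made here
        (the text states it only for the example of ISP A going down): addresses
        of a link that is down are never returned, and an empty list means that
        no link is up.
        """
        if qtype != "A" or qname not in self.servers:
            return None  # forwarded to the original destination or domain DNS server
        _, per_isp = self.servers[qname]
        up = [link for link in per_isp if self.links[link] == "up"]
        if self.mode == PRIMARY_BACKUP:
            if self.links[self.primary] == "up":
                return [per_isp[self.primary]]  # only the Primary link's address
            return [per_isp[link] for link in up][:1]  # the Backup link's address
        # Load Sharing: all reachable addresses, order alternated on every query
        ordered = sorted(up)
        if next(self._queries) % 2:
            ordered.reverse()
        return [per_isp[link] for link in ordered]

    def nat_incoming(self, dst_ip):
        """Static NAT for a packet that arrived on a public IP.

        Returns (fqdn, real server IP, ISP link); the gateway routes the reply
        through that same link, which is what keeps the connection symmetric.
        """
        if dst_ip not in self._nat:
            raise KeyError(f"no Static NAT rule for destination {dst_ip}")
        return self._nat[dst_ip]


if __name__ == "__main__":
    gw = IspRedundancyModel(LOAD_SHARING, SERVERS)
    print(gw.answer_dns("www.example.com"))   # ['192.168.1.2', '172.16.2.2']
    print(gw.answer_dns("www.example.com"))   # ['172.16.2.2', '192.168.1.2']
    gw.set_link("ISP A", "down")
    print(gw.answer_dns("www.example.com"))   # ['172.16.2.2']
    print(gw.nat_incoming("172.16.2.2"))      # ('www.example.com', '10.0.0.2', 'ISP B')
```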

Configuring ISP Redundancy on a Security Gateway
1. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway object.
4. Click Other > ISP Redundancy.
5. Select Support ISP Redundancy.
6. Select the redundancy mode - Load Sharing or Primary/Backup.
7. Configure the ISP Links.
Procedure

Make sure you have the ISP data - the speed of the link and the next hop IP address.
Automatic vs Manual configuration:
- If the Security Gateway object has two interfaces with Topology "External" in the Network Management page, you can configure the ISP links automatically.
  Configuring ISP links automatically
  a. Click Other > ISP Redundancy.
  b. Click Set initial configuration.
     The ISP Links are added automatically.
  c. For Primary/Backup mode, make sure the Primary interface is first in the list. Use the arrows on the right to change the order.
  d. Click OK.


- If the Security Gateway object has only one interface with Topology "External" in the Network Management page, you must configure the ISP links manually.
  Configuring ISP links manually
  a. Click Other > ISP Redundancy.
  b. In the ISP Links section, click Add.
     The ISP Link window opens.
  c. Click the General tab.
  d. In the Name field, enter a name for this link (desired text).
     The name you enter here is used in the ISP Redundancy commands (see "Controlling ISP Redundancy from CLI" on page 132).
  e. Select the Interface of the Security Gateway for this ISP link.
     - If the Security Gateway object has two interfaces with Topology "External" in the Network Management page, set each ISP link to a different interface.
       If one of the ISP links is the connection to a backup ISP, configure the ISP Redundancy Script (see "Controlling ISP Redundancy from CLI" on page 132).
     - If the Security Gateway object has only one interface with Topology "External" in the Network Management page, set each ISP link to connect to this interface.
  f. Configure the Next Hop IP Address.
     - If the Security Gateway object has two interfaces with Topology "External" in the Network Management page, leave this field empty and click Get from routing table. The next hop is the default gateway.
     - If the Security Gateway object has only one interface with Topology "External" in the Network Management page, set each ISP link to a different next hop router.
  g. For ISP Redundancy in Load Sharing mode, enter the Weight value.
     For equal traffic distribution between the two ISP links, enter 50 in each ISP link.
     If one ISP link is faster, increase this value and decrease it for the other ISP link, so that the sum of these two values is always equal to 100.
  h. Click the Advanced tab.
  i. Define hosts to be monitored, to make sure the link is working.
     Add the applicable objects to the Selected hosts section.
  j. Click OK.

8. Configure the Security Gateway to be the DNS server.


Procedure

The Security Gateway, or a DNS server behind it, must respond to DNS queries.
It resolves IP addresses of servers in the DMZ (or another internal network).
Get a public IP address from each ISP.
If public IP addresses are not available, register the domain to make the DNS server accessible from the Internet.
The Security Gateway intercepts DNS queries of "Type A" for the web servers in its domain that come from external hosts.
- If the Security Gateway recognizes the host name, it replies:
  - In ISP Redundancy Load Sharing mode, the Security Gateway replies with two IP addresses, alternating their order.
  - In ISP Redundancy Primary/Backup mode, the Security Gateway replies with the IP addresses of the active ISP link.
- If the Security Gateway does not recognize the host, it passes the DNS query on to the original destination, or to the domain DNS server.

To enable DNS server:
a. Click Other > ISP Redundancy.
b. Select Enable DNS Proxy.
c. Click Configure.
d. Add your DMZ or Web servers. Give each server two public IP addresses - one from each ISP.
e. In the DNS TTL, enter a number of seconds.
   This sets a Time To Live for each DNS reply.
   DNS servers in the Internet cannot cache your DNS data in the reply for longer than the TTL.
f. Click OK.
g. Configure Static NAT to translate the public IP addresses to the real server's IP address.
   External clients use one of the two IP addresses.

   Note - If the servers use different services (for example, HTTP and FTP), you can use NAT for only two public IP addresses.

h. Define an Access Control Policy rule:
   Name: DNS Proxy
   Source: Applicable sources
   Destination: Applicable DNS Servers
   VPN: Any
   Services & Applications: domain_udp
   Action: Accept
   Track: None
   Install On: Policy Targets


To register the domain and get IP addresses:
a. Register your domain with the two ISPs.
b. Tell the ISPs the two IP addresses of the DNS server that responds to DNS queries for the domain.
c. For each server in the DMZ, get two public IP addresses, one from each ISP.
d. In SmartConsole, click Menu > Global properties.
e. From the left tree, click NAT - Network Address Translation.
f. In the Manual NAT rules section, select Translate destination on client side.
g. Click OK.

9. Configure the Access Control Policy for ISP Redundancy.

Procedure

The Access Control Policy must allow connections through the ISP links, with Automatic Hide NAT on network objects that start outgoing connections.
a. In the properties of the object for an internal network, select NAT > Add Automatic Address Translation Rules.
b. Select Hide behind the gateway.
c. Click OK.


d. Define rules for publicly reachable servers (Web servers, DNS servers, DMZ servers).
   - If you have one public IP address from each ISP for the Security Gateway, define Static NAT.
     Allow specific services for specific servers.
     For example, make NAT rules so that incoming HTTP connections from the two ISPs reach a Web server, and DNS traffic from the ISPs reaches the DNS server.
     Example: Manual Static Rules for a Web Server and a DNS Server
     (columns: Original Source, Original Destination, Original Services, Translated Source, Translated Destination, Translated Services, Install On, Comment)

     Rule "Incoming Web - ISP A":
       Original Source: Any
       Original Destination: Host object with IP address of Web Server
       Original Services: http
       Translated Source: = Original
       Translated Destination: S 50.50.50.2
       Translated Services: = Original
       Install On: Policy Targets
       Comment: Incoming Web - ISP A

     Rule "Incoming Web - ISP B":
       Original Source: Any
       Original Destination: Host object with IP address of Web Server
       Original Services: http
       Translated Source: = Original
       Translated Destination: S 60.60.60.2
       Translated Services: = Original
       Install On: Policy Targets
       Comment: Incoming Web - ISP B

     Rule "Incoming DNS - ISP A":
       Original Source: Any
       Original Destination: Host object with IP address of DNS Server
       Original Services: domain_udp
       Translated Source: = Original
       Translated Destination: S 50.50.50.3
       Translated Services: = Original
       Install On: Policy Targets
       Comment: Incoming DNS - ISP A

     Rule "Incoming DNS - ISP B":
       Original Source: Any
       Original Destination: Host object with IP address of DNS Server
       Original Services: domain_udp
       Translated Source: = Original
       Translated Destination: S 60.60.60.3
       Translated Services: = Original
       Install On: Policy Targets
       Comment: Incoming DNS - ISP B

   - If you have a public IP address from each ISP for each publicly reachable server (in addition to the Security Gateway), define NAT rules:
     i. Give each server a private IP address.
     ii. Use the public IP addresses in the Original Destination.
     iii. Use the private IP address in the Translated Destination.
     iv. Select Any as the Original Service.

   Note - If you use Manual NAT, then automatic ARP does not work for the IP addresses behind NAT. You must configure the local.arp file as described in sk30197.

10. Install the Access Control Policy on this Security Gateway object.


ISP Redundancy and VPN

Note - ISP Redundancy settings override the VPN Link Selection settings.

When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link.
The settings in the ISP Redundancy page override settings in the IPsec VPN > Link Selection page.

Configuring ISP Redundancy for VPN with a Check Point peer

Step 1 - Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.
Step 2 - From the left navigation panel, click Gateways & Servers.
Step 3 - Open the Security Gateway object.
Step 4 - In the left navigation tree, go to Other > ISP Redundancy.
Step 5 - Select Apply settings to VPN traffic.
Step 6 - In the left navigation tree, go to IPsec VPN > Link Selection.
Step 7 - Make sure that Use ongoing probing. Link redundancy mode shows the mode of the ISP Redundancy: High Availability (for Primary/Backup) or Load Sharing.
The VPN Link Selection now only probes the ISP configured in ISP Redundancy.

Configuring ISP Redundancy for VPN with a third-party peer

If the VPN peer is not a Check Point Security Gateway, the VPN may fail, or the third-party device may continue to encrypt traffic to a failed ISP link.
- Make sure the third-party VPN peer recognizes encrypted traffic from the secondary ISP link as coming from the Check Point cluster.
- Change the configuration of ISP Redundancy to not use these Check Point technologies:
  - Use Probing - Makes sure that Link Selection uses another option.
  - The options Load Sharing, Service Based Link Selection, and Route based probing work only on Check Point Security Gateways and Clusters.
  If used, the Security Gateway or Cluster Members use one link to connect to the third-party VPN peer.
  The link with the highest prefix length and lowest metric is used.


Controlling ISP Redundancy from CLI


You can control the ISP Redundancy behavior from CLI.

Force ISP Link State

Use the "fw isp_link" command to force the ISP link state to Up or Down.
Use this to test installation and deployment, or to force the Security Gateway to recognize the true link state if it cannot (the ISP link is down but the gateway sees it as up).
- You can run this command on the Security Gateway:

  fw isp_link <Name of ISP Link in SmartConsole> {up | down}

- You can run this command on the Security Management Server:

  fw isp_link <Name of Security Gateway Object> <Name of ISP Link in SmartConsole> {up | down}

For more information, see the R81 CLI Reference Guide > Chapter Security Gateway Commands - Section fw - Section fw isp_link.

The ISP Redundancy Script

When the Security Gateway starts, or an ISP link state changes, the $FWDIR/bin/cpisp_update script runs on the Security Gateway.
This script changes the default route of the Security Gateway.
For example, you can force the Security Gateway to change the state of a dialup interface to match the state of its ISP link.
Edit this script to enable a dialup connection for one of the ISP links.

To configure a dialup connection:

1. In the script on the Security Gateway, enter the command to change the dialup interface state:
   - If the ISP link goes down:

     fw isp_link <Name of ISP Link in SmartConsole> down

   - If the ISP link goes up:

     fw isp_link <Name of ISP Link in SmartConsole> up

2. If you use PPPoE or PPTP xDSL modems, in the PPPoE or PPTP configuration, the Use Peer as Default Gateway option must be cleared.


Mirror and Decrypt


The Mirror and Decrypt feature performs these actions on your Security Gateway, or Cluster:

Action: Only mirror of all traffic
Description: Your Security Gateway or Cluster clones all traffic (including HTTPS without decryption) that passes through it, and sends it out of the designated physical interface.

Action: Mirror and Decrypt of HTTPS traffic
Description: Your Security Gateway or Cluster clones all HTTPS traffic that passes through it, decrypts it, and sends it in clear-text out of the designated physical interface.
Note - If you wish to decrypt the HTTPS traffic, you must enable and configure the HTTPS Inspection on your Security Gateway, or Cluster.

You can add a third-party Recorder or Packet-Broker in your environment and forward to it the traffic that passes through your Security Gateway, or Cluster.
This Recorder or Packet-Broker must work in monitor (promiscuous) mode to accept the decrypted and mirrored traffic from your Security Gateway, or Cluster.
The Security Gateway, or Cluster, works only with one Recorder, which is directly connected to a designated physical network interface (NIC) on the Check Point Gateway, or Cluster Members.


Example Topology and Traffic Flow:

Item Description

1 First network that sends and receives traffic through the Security Gateway (2).

2 Security Gateway, through which networks (1) and (3) send and receive their traffic.

3 Second network that sends and receives traffic through the Security Gateway (2).

4 Designated physical interface on the Security Gateway (2).

5 Recorder, or Packet-Broker that works in a monitor (promiscuous) mode.

A Traffic flow between the first network (1) and the Security Gateway (2).

B Traffic flow between the second network (3) and the Security Gateway (2).

C Flow of the decrypted and mirrored traffic from the Security Gateway (2) to the Recorder, or
Packet-Broker (5).


Source MAC address of the decrypted and mirrored packets

Source MAC address of the decrypted and mirrored packets the Security Gateway and Cluster Members send, by traffic type:
- Mirror only of all traffic - MAC address of the designated physical interface.
- Mirror and Decrypt of HTTPS traffic - 00:00:00:00:00:00


Mirror and Decrypt Requirements


Item 1 - Designated network interface for Mirror and Decrypt:
  a. Select a designated physical interface on your Security Gateway, or each cluster member.
     Important:
     - On cluster members, you must select an interface with the same name (for example, eth3 on each cluster member).
     - Select an interface with the largest available throughput (for example, 10G, 40G), because this interface passes the combined traffic from all other interfaces.
  b. Assign a dummy IP address to the designated interface.
     Important - This IP address cannot collide with other IP addresses used in your environment. This IP address cannot belong to subnets used in your environment. Make sure to configure the correct subnet mask. After you enable traffic mirroring on this interface in SmartConsole, all other traffic that is routed to this interface is dropped.
  c. On cluster members, you must configure this designated physical interface in the $FWDIR/conf/discntd.if file.
     Note - This prevents the interfaces that are not used from sending Cluster Control Protocol (CCP) packets that can overwhelm the Mirror and Decrypt recorders.

Item 2 - Maximum Transmission Unit (MTU) on the Mirror and Decrypt designated physical interface:
  - The MTU value has to be 1500 (default), or at least the maximum MTU value from other interfaces on the Security Gateway.

Item 3 - HTTPS Inspection for decrypting the HTTPS traffic:
  - You must enable the HTTPS Inspection in SmartConsole in the object of the Security Gateway, Cluster, or VSX Virtual System.
  - You must configure the HTTPS Inspection Rule Base.

Item 4 - Access Rules for traffic you wish to Mirror and Decrypt:
  - You must create special rules in the Access Control Policy for the traffic you wish to mirror and decrypt.



Configuring Mirror and Decrypt in Gateway mode
Example topology:

Item Description

1 Security Gateway, through which your networks send and receive their traffic.

2 Recorder, or Packet-Broker that works in a monitor (promiscuous) mode.

3 Flow of the decrypted and mirrored traffic from the Security Gateway (1) to the Recorder, or
Packet-Broker (2).

eth4 Designated physical interface on the Security Gateway (1).

Workflow for configuring Mirror and Decrypt in Gateway mode:

Step Description

1 Read and follow the "Mirror and Decrypt Requirements" on page 136.

2 Prepare the Security Gateway, or each cluster member.


See "Preparing the Security Gateway or each Cluster Member" on page 138.

3 Configure the Mirror and Decrypt in the Security Gateway, or Cluster object in SmartConsole.
See "Configuring Mirror and Decrypt in SmartConsole for Gateway Mode" on page 139.



Preparing the Security Gateway or each Cluster Member


Step Description

1 Select a designated physical interface for Mirror and Decrypt on the Security Gateway, or each
cluster member.

Important - On cluster members, you must select an interface with the same name
(for example, eth3 on each cluster member).

2 Configure a dummy IP address on this designated physical interface.


Important - This IP address cannot collide with other IP addresses used in your
environment. This IP address cannot belong to subnets used in your environment.
Make sure to configure the correct subnet mask. After you enable traffic mirroring on
this interface in SmartConsole, all other traffic that is routed to this interface is
dropped.
For instructions about configuring an IP address on a physical interface, see the R81 Gaia
Administration Guide - Chapter Network Management - Section Network Interfaces - Section
Physical Interfaces.

3 Configure the required Maximum Transmission Unit (MTU) on this designated physical
interface.
MTU has to be the default 1500, or at least the maximal MTU value from other interfaces on the
Security Gateway.
For instructions about configuring an MTU on a physical interface, see the R81 Gaia
Administration Guide - Chapter Network Management - Section Network Interfaces - Section
Physical Interfaces.

4 Important - On cluster members, you must configure this designated physical interface in the $FWDIR/conf/discntd.if file on each Cluster Member.

a. Connect to the command line on each Cluster Member.
b. Log in to the Expert mode.
c. Create the $FWDIR/conf/discntd.if file:
touch $FWDIR/conf/discntd.if
d. Edit the $FWDIR/conf/discntd.if file in the Vi editor:
vi $FWDIR/conf/discntd.if
e. Write the name of the designated physical interface. After the interface name, you must press Enter.
Note - Comments are not allowed in this file.
f. Save the changes in the file and exit the editor.

Note - To apply the configuration from the file and make it persistent, install an Access Control Policy on the cluster object. You install the Access Control Policy later, after the required configuration steps in SmartConsole.



Configuring Mirror and Decrypt in SmartConsole for Gateway Mode
Workflow for Security Gateway, or Cluster in Gateway mode:
1. Enable the HTTPS Inspection in the object of your Security Gateway, or Cluster (for decrypting the
HTTPS traffic).

Procedure

Step Description

a Connect with SmartConsole to the Management Server.

b From the left navigation panel, click Gateways & Servers.

c Open the object of the Security Gateway, or Cluster.

d From the navigation tree, click HTTPS Inspection.

e View and export the certificate.

f Check Enable HTTPS Inspection.

g Click OK.

2. Configure the HTTPS Inspection Rule Base (for decrypting the HTTPS traffic).
Procedure

Step Description

a From the left navigation panel, click Security Policies.

b From the left tree, click HTTPS Inspection.

c Configure the HTTPS Inspection Rule Base.
See the R81 Security Management Administration Guide.
For more settings, in the HTTPS Tools section, click Additional Settings.

d Publish the SmartConsole session.

3. Activate the Mirror and Decrypt in the object of your Security Gateway, or Cluster.
Procedure

Step Description

a From the left navigation panel, click Gateways & Servers.

b Open the object of the Security Gateway, or Cluster.

c From the left tree, click Network Management.

d From the top toolbar, click Get Interfaces Without Topology.

e Make sure the interface designated for Mirror and Decrypt is listed with the dummy IP address.

f Select the interface designated for Mirror and Decrypt and click Edit.

g From the navigation tree, click General.

h In the General section, in the Network Type field, select Private.
Note - This field shows only in Cluster objects.

i In the Topology section, click Modify. The Topology Settings window opens.

j In the Leads To section:
i. Select Override.
ii. Select This Network (Internal).
iii. Select Network defined by the interface IP and Net Mask.

k In the Security Zone section:
i. Select User defined.
ii. Do not check Specify Security Zone.

l In the Anti-Spoofing section, clear Perform Anti-Spoofing based on interface topology.

m Click OK to save the changes and close the Topology Settings window.

n From the navigation tree of the Security Gateway, or Cluster object, click the [+] near Other and click Mirror and Decrypt.

o Check Mirror gateway traffic to interface.
The Mirror and Decrypt - User Disclaimer window opens.
i. Read the text carefully.
ii. Check I agree to the terms and conditions.
iii. Click OK to accept and close the disclaimer.

p In the Mirror gateway traffic to interface field, select the designated physical
interface.

q Click OK to save the changes and close the Security Gateway, or Cluster properties
window.

4. Configure the Mirror and Decrypt rules in the Access Control Policy for the traffic you wish to mirror
and decrypt.

Procedure
Best Practice - We recommend that you configure a new, separate Access Control Layer to contain the Mirror and Decrypt rules. Alternatively, you can configure the Mirror and Decrypt rules in the regular Rule Base.
Important - When you configure the Mirror and Decrypt rules, these limitations apply:
n In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n You must configure rules that contain an excluded (negated) source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.
The procedure below describes how to configure the Mirror and Decrypt rules in a separate Access Control Layer in SmartConsole:

Step Description

a From the left navigation panel, click Security Policies.

b Create a new Access Control Layer in the Access Control Policy.

c In the SmartConsole top left corner, click Menu > Manage policies and layers.

d Select the existing policy and click Edit (the pencil icon).
Alternatively, create a new policy.

e From the navigation tree of the Policy window, click General.

f In the Policy Types section, make sure you select only Access Control.

g In Access Control section, click on the + (plus) icon. A pop up window opens.

h In the top right corner of this pop up window, click New Layer.
The Layer Editor window opens.

i From the navigation tree of the Layer Editor window, click General .

Next Generation Security Gateway R81 Administration Guide      |      141


Configuring Mirror and Decrypt in SmartConsole for Gateway Mode

Step Description

j In the Blades section, make sure you select only Firewall.

k On other pages of the Layer Editor window, configure additional applicable settings.
Click OK.

l In the Access Control section, you see the Network Layer and the new Access
Control Layer.

m Click OK to save the changes and close the Policy window.

n In SmartConsole, at the top, click the tab of the applicable policy.

o In the Access Control section, click the new Access Control Layer.
In the default (Cleanup) rule of the new layer, you must change the Action column from Drop to Accept. A connection must be accepted by every layer of the policy, so a Drop cleanup rule in this layer would drop all traffic that no Mirror and Decrypt rule matches:
n Name - Your text
Important - You cannot use these strings: <M&D>, <M&d>, <m&D>, or <m&d>
n Source - *Any
n Destination - *Any
n VPN - *Any
n Services & Applications - *Any
n Action - Must contain Accept
n Track - None
n Install On - *Policy Targets

p Above the existing Cleanup rule, add the applicable rules for the traffic you wish to Mirror and Decrypt.
You must configure the Mirror and Decrypt rules as follows:
n Name - Must contain one of these strings (the angle brackets <> are mandatory): <M&D>, <M&d>, <m&D>, or <m&d>
n Source - Select the applicable objects
n Destination - Select the applicable objects
n VPN - Must leave the default *Any
n Services & Applications - Select the applicable services (to decrypt the HTTPS traffic, select the applicable HTTP, HTTPS, or Proxy services)
n Action - Must contain Accept
n Track - Select the applicable option (None, Log, or Alert)
n Install On - Must contain one of these objects:
l *Policy Targets (this is the default)
l The Security Gateway, or Cluster object, whose version is R80.20 or higher

Important:
n In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.

q Publish the SmartConsole session.

r Install the Access Control Policy.

s If in a Mirror and Decrypt rule you set the Track to Log, you can filter the logs for this rule by the Access Rule Name, which contains the configured string: <M&D>, <M&d>, <m&D>, or <m&d>.



Configuring Mirror and Decrypt in VSX mode


Example topology for one Virtual System:

Item Description

1 VSX Gateway.

2 Recorder, or Packet-Broker that works in a monitor (promiscuous) mode.

3 Virtual System, through which your networks send and receive their traffic.

4 Flow of the decrypted and mirrored traffic from the VSX Gateway (1) to the Recorder, or
Packet-Broker (2).

eth4 Designated physical interface on the VSX Gateway (1).


Virtual System (3) connects directly to this physical interface.

wrp128 One of the virtual interfaces on the Virtual System (3).


Example topology for several Virtual Systems:

Note - This topology requires you to configure a VLAN Trunk on the Recorder or
Packet-Broker. The VLAN Trunk on the Recorder or Packet-Broker must accept all
VLAN IDs that you configure in the objects of the applicable Virtual Systems in
SmartConsole.

Item Description

1 VSX Gateway.

2 First Virtual System, through which your networks send and receive their traffic.

3 Second Virtual System, through which your networks send and receive their traffic.

4 Flow of the decrypted and mirrored traffic from the VSX Gateway (1) to the Recorder, or
Packet-Broker (5).

5 Recorder, or Packet-Broker.

eth4 Designated physical interface on the VSX Gateway (1).


This interface is configured as VLAN Trunk in the VSX Gateway object in SmartConsole.
Virtual Systems (2 and 3) connect to this VLAN Trunk interface with VLAN interfaces.

eth4.55 VLAN interface on the first Virtual System (2).

eth4.66 VLAN interface on the second Virtual System (3).

wrp128 One of the virtual interfaces on the Virtual Systems (2 and 3).

Important - It is not supported to change the designated physical interface with the
"vsx_util change_interfaces" command. For information about this
command, see the R81 VSX Administration Guide.


Workflow for configuring Mirror and Decrypt in VSX mode:

Step Description

1 Read and follow the "Mirror and Decrypt Requirements" on page 136.

2 Prepare the VSX Gateway, or each VSX Cluster Member.


See "Preparing the VSX Gateway or each VSX Cluster Member" on page 147.

3 Configure the Mirror and Decrypt in the Virtual System object in SmartConsole.
See:
n "Configuring Mirror and Decrypt in SmartConsole for One Virtual System" on
page 148.
n "Configuring Mirror and Decrypt in SmartConsole for Several Virtual Systems" on
page 153.



Preparing the VSX Gateway or each VSX Cluster Member


Item Description

1 Select a designated physical interface for Mirror and Decrypt on the VSX Gateway, or each VSX
Cluster Member.

Important - On VSX Cluster Members, you must select an interface with the same
name (for example, eth3 on each VSX Cluster Member).

2 Do not configure an IP address on this designated physical interface.

3 Configure the required Maximum Transmission Unit (MTU) on this designated physical
interface.
MTU has to be the default 1500, or at least the maximal MTU value from other interfaces on the
VSX Gateway, or VSX Cluster Member.
For instructions about configuring an MTU on a physical interface, see R81 Gaia Administration
Guide - Chapter Network Management - Section Network Interfaces - Section Physical
Interfaces.

4 Important - In a VSX Cluster, you must configure this designated physical interface in the $FWDIR/conf/discntd.if file on each VSX Cluster Member.

a. Connect to the command line.
b. Log in to the Expert mode.
c. Go to the context of the Virtual System 0:
vsenv 0
Output shows:
Context is set to Virtual Device <Name of VSX Gateway> (ID 0).
d. Create the $FWDIR/conf/discntd.if file:
touch $FWDIR/conf/discntd.if
e. Edit the $FWDIR/conf/discntd.if file in the Vi editor:
vi $FWDIR/conf/discntd.if
f. Write the name of the designated physical interface. After the interface name, you must press Enter.
Note - Comments are not allowed in this file.
g. Save the changes in the file and exit the Vi editor.

Note - To apply the configuration from the file and make it persistent, install an Access Control Policy on the VSX Cluster object. You install the Access Control Policy later, after the required configuration steps in SmartConsole.
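Step 4 above, and the identical step 4 in "Preparing the Security Gateway or each Cluster Member", can be scripted instead of edited by hand. The following is an added example, not part of this guide or of Check Point's software: it writes the interface name with the trailing newline the guide requires (press Enter after the name) and then re-reads the file to confirm it contains nothing but bare interface names, no comments and no blank lines. The accepted character set for interface names and the function names are this example's own assumptions. On a VSX Cluster Member run vsenv 0 first, as in step c, so that $FWDIR points at Virtual System 0.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: write and verify
# $FWDIR/conf/discntd.if on a cluster member. Assumptions: the caller
# passes the FWDIR directory and the interface name; a valid interface
# name uses only letters, digits, '.', '_' and '-' (eth3, eth3.55, ...).

# Append the designated interface name to $FWDIR/conf/discntd.if.
# printf '%s\n' guarantees the trailing newline; a name with spaces or a
# comment character is refused because the file allows neither.
write_discntd_if() {
    fwdir=$1; iface=$2
    case $iface in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing '$iface': not a bare interface name" >&2
            return 1 ;;
    esac
    mkdir -p "$fwdir/conf" || return 1
    printf '%s\n' "$iface" >> "$fwdir/conf/discntd.if"
}

# Verify the file: it exists, is not empty, ends with a newline, and every
# line is a bare interface name. Warns (does not fail) when the name is not
# a local interface, so the check also runs on a machine without that NIC.
check_discntd_if() {
    f=$1/conf/discntd.if; rc=0; n=0
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    [ -s "$f" ] || { echo "$f: empty" >&2; return 1; }
    # $(tail -c 1) is empty exactly when the last byte is a newline
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: last line is not terminated by a newline" >&2; rc=1
    fi
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            '')   echo "$f:$n: blank line" >&2; rc=1 ;;
            '#'*) echo "$f:$n: comments are not allowed" >&2; rc=1 ;;
            *[!A-Za-z0-9._-]*)
                  echo "$f:$n: not a bare interface name: '$line'" >&2; rc=1 ;;
            *)    if command -v ip >/dev/null 2>&1 && ! ip link show "$line" >/dev/null 2>&1; then
                      echo "$f:$n: warning: no local interface named '$line'" >&2
                  fi ;;
        esac
    done < "$f"
    return $rc
}

# Usage on the member, in Expert mode (after "vsenv 0" on VSX):
#   write_discntd_if "$FWDIR" eth3 && check_discntd_if "$FWDIR"
```

The check cannot confirm that every cluster member lists the same interface name; run it on each member and compare the output. As the guide notes, the file only takes effect after you install the Access Control Policy.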



Configuring Mirror and Decrypt in SmartConsole for One Virtual System
Workflow for one Virtual System:
1. Enable the HTTPS Inspection in the object of the Virtual System (for decrypting the HTTPS traffic).
Procedure

Step Description

a Connect with SmartConsole to the Management Server.

b From the left navigation panel, click Gateways & Servers.

c Open the Virtual System object.

d From the navigation tree, click HTTPS Inspection.

e View and export the certificate.

f Check Enable HTTPS Inspection.

g Click OK.

2. Configure the HTTPS Inspection Rule Base (for decrypting the HTTPS traffic).
Procedure

Step Description

a From the left navigation panel, click Security Policies.

b From the left tree, click HTTPS Inspection.

c Configure the HTTPS Inspection Rule Base.
See the R81 Security Management Administration Guide.
For more settings, in the HTTPS Tools section, click Additional Settings.

d Publish the SmartConsole session.

3. Add the designated physical interface in the object of the Virtual System.
Procedure

Step Description

a In SmartConsole, open the Virtual System object.

b From the navigation tree, click Topology.

c From the top toolbar, click New > Regular.

d On the General tab:
i. In the Interface field, select the designated physical interface.
ii. In the IPv4 Configuration section:
n In the IP Address field, enter a dummy IP address.
n In the Net Mask field, enter the applicable net mask.
Important - This IP address cannot collide with other IP addresses used in your environment. This IP address cannot belong to subnets used in your environment. Make sure to configure the correct subnet mask. After you enable traffic mirroring on this interface in SmartConsole, all other traffic that is routed to this interface is dropped.
iii. Do not check Propagate route to adjacent Virtual Devices (IPv4).
iv. In the MTU field, enter the applicable MTU. See "Mirror and Decrypt Requirements" on page 136.
v. In the Security Zone field, leave the default None.
vi. Click OK.

4. Activate the Mirror and Decrypt in the object of the Virtual System.
Procedure

Step Description

a From the left navigation panel, click Gateways & Servers.

b Open the Virtual System object.

c From the left tree, click the [+] near Other and click Mirror and Decrypt.

d Check Mirror gateway traffic to interface.
The Mirror and Decrypt - User Disclaimer window opens.
i. Read the text carefully.
ii. Check I agree to the terms and conditions.
iii. Click OK to accept and close the disclaimer.

e In the Mirror gateway traffic to interface field, select the designated physical interface.

f Click OK to save the changes and close the Virtual System properties window.

5. Configure the Mirror and Decrypt rules in the Access Control Policy for the traffic you wish to mirror
and decrypt.

Procedure
Best Practice - We recommend that you configure a new, separate Access Control Layer to contain the Mirror and Decrypt rules. Alternatively, you can configure the Mirror and Decrypt rules in the regular Rule Base.
Important - When you configure the Mirror and Decrypt rules, these limitations apply:
n In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n You must configure rules that contain an excluded (negated) source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.
The procedure below describes how to configure the Mirror and Decrypt rules in a separate Access Control Layer in SmartConsole:

Step Description

a From the left navigation panel, click Security Policies.

b Create a new Access Control Layer in the Access Control Policy.

c In the SmartConsole top left corner, click Menu > Manage policies and layers.

d Select the existing policy and click Edit (the pencil icon).
Alternatively, create a new policy.

e From the navigation tree of the Policy window, click General.

f In the Policy Types section, make sure you select only Access Control.

g In Access Control section, click on the + (plus) icon. A pop up window opens.

h In the top right corner of this pop up window, click New Layer.
The Layer Editor window opens.

i From the navigation tree of the Layer Editor window, click General .

j In the Blades section, make sure you select only Firewall.

k On other pages of the Layer Editor window, configure additional applicable settings.
Click OK.

l In the Access Control section, you see the Network Layer and the new Access
Control Layer.

m Click OK to save the changes and close the Policy window.

n In SmartConsole, at the top, click the tab of the applicable policy.

o In the Access Control section, click the new Access Control Layer.
In the default (Cleanup) rule of the new layer, you must change the Action column from Drop to Accept. A connection must be accepted by every layer of the policy, so a Drop cleanup rule in this layer would drop all traffic that no Mirror and Decrypt rule matches:
n Name - Your text
Important - You cannot use these strings: <M&D>, <M&d>, <m&D>, or <m&d>
n Source - *Any
n Destination - *Any
n VPN - *Any
n Services & Applications - *Any
n Action - Must contain Accept
n Track - None
n Install On - *Policy Targets

p Above the existing Cleanup rule, add the applicable rules for the traffic you wish to Mirror and Decrypt.
You must configure the Mirror and Decrypt rules as follows:
n Name - Must contain one of these strings (the angle brackets <> are mandatory): <M&D>, <M&d>, <m&D>, or <m&d>
n Source - Select the applicable objects
n Destination - Select the applicable objects
n VPN - Must leave the default *Any
n Services & Applications - Select the applicable services (to decrypt the HTTPS traffic, select the applicable HTTP, HTTPS, or Proxy services)
n Action - Must contain Accept
n Track - Select the applicable option (None, Log, or Alert)
n Install On - Must contain one of these objects:
l *Policy Targets (this is the default)
l The Security Gateway, or Cluster object, whose version is R80.20 or higher

Important:
n In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.

q Publish the SmartConsole session.

r Install the Access Control Policy.

s If in a Mirror and Decrypt rule you set the Track to Log, you can filter the logs for this rule by the Access Rule Name, which contains the configured string: <M&D>, <M&d>, <m&D>, or <m&d>.



Configuring Mirror and Decrypt in SmartConsole for Several Virtual Systems
Workflow for several Virtual Systems:
1. Enable the HTTPS Inspection in the objects of applicable Virtual Systems (for decrypting the HTTPS
traffic).

Procedure

Step Description

a Connect with SmartConsole to the Management Server.

b From the left navigation panel, click Gateways & Servers.

c Open the Virtual System object.

d From the navigation tree, click HTTPS Inspection.

e View and export the certificate.

f Check Enable HTTPS Inspection.

g Click OK.

2. Configure the HTTPS Inspection Rule Base (for decrypting the HTTPS traffic).
Procedure

Step Description

a From the left navigation panel, click Security Policies.

b From the left tree, click HTTPS Inspection.

c Configure the HTTPS Inspection Rule Base.
See the R81 Security Management Administration Guide.
For more settings, in the HTTPS Tools section, click Additional Settings.

d Publish the SmartConsole session.

3. Define the designated physical interface as VLAN Trunk in the object of the VSX Gateway, or VSX
Cluster.

Procedure
Note - If the Recorder or Packet-Broker connects to the VSX Gateway, or
VSX Cluster members through a Switch, configure a VLAN Trunk on the
applicable Switch port. The VLAN Trunk port on the Switch must accept all
VLAN IDs that you configure in the applicable Virtual Systems.


Step Description

1 In SmartConsole, open the object of the VSX Gateway, or VSX Cluster.

2 From the navigation tree, click Physical Interfaces.

3 Check the VLAN Trunk box near the designated physical interface.

4 Click OK.

4. Add the designated physical interface in the object of each applicable Virtual System.
Procedure

Step Description

a In SmartConsole, open the Virtual System object.

b From the navigation tree, click Topology.

c From the top toolbar, click New > Regular.

d On the General tab:
i. In the Interface field, select the designated physical interface.
ii. In the IPv4 Configuration section:
n In the IP Address field, enter a dummy IP address.
n In the Net Mask field, enter the applicable net mask.
Important - This IP address cannot collide with other IP addresses used in your environment. This IP address cannot belong to subnets used in your environment. Make sure to configure the correct subnet mask. After you enable traffic mirroring on this interface in SmartConsole, all other traffic that is routed to this interface is dropped.
iii. Do not check Propagate route to adjacent Virtual Devices (IPv4).
iv. In the MTU field, enter the applicable MTU. See "Mirror and Decrypt Requirements" on page 136.
v. In the Security Zone field, leave the default None.
vi. Click OK.
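The dummy address requirement in step d above, in the same step for one Virtual System, in step 2 of "Preparing the Security Gateway or each Cluster Member" and in item 1b of "Mirror and Decrypt Requirements" is easy to get wrong on a gateway with many routes. The following is an added example, not part of this guide or of Check Point's software: it takes the candidate address with its prefix length and the routing table as "ip route" prints it in Expert mode, and reports every connected or static prefix that overlaps the candidate network in either direction (the candidate inside an existing subnet, or an existing subnet inside the candidate). The routing table below is constructed for the example; on a gateway you would pipe the real "ip route" output into the function.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: check that a candidate dummy
# address for the designated Mirror and Decrypt interface does not collide with
# any prefix in the routing table. Assumptions: routes arrive on stdin in the
# format "ip route" prints (first field is the prefix or "default"); the
# candidate is given as address/prefix-length, the way it will be configured.

# Exit 0 when no route overlaps the candidate network, 1 otherwise
# (each overlapping route is printed).
check_dummy_ip() {
    awk -v cand="$1" '
        function ip2int(s,    a) {
            split(s, a, /\./)
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        # network address of ip for a prefix length, without bitwise operators
        function netof(ip, bits) { return ip - ip % (2 ^ (32 - bits)) }
        BEGIN {
            split(cand, c, /\//)
            cip = ip2int(c[1]); cbits = (c[2] == "") ? 32 : c[2] + 0
        }
        # connected and static routes; the default route never matches this pattern
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            split($1, r, /\//)
            rip = ip2int(r[1]); rbits = (r[2] == "") ? 32 : r[2] + 0
            # two prefixes overlap exactly when the shorter one contains the other
            m = (rbits < cbits) ? rbits : cbits
            if (netof(rip, m) == netof(cip, m)) { print "overlaps route: " $0; bad++ }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed routing table for the example (not from any real gateway);
# on the gateway use:  ip route | check_dummy_ip 192.168.250.1/24
sample_routes() {
    cat <<'EOF'
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.1.0.0/16 via 192.0.2.1 dev eth0
10.2.2.0/24 dev eth1 proto kernel scope link src 10.2.2.1
172.16.8.0/22 via 10.2.2.254 dev eth1
EOF
}

sample_routes | check_dummy_ip 192.168.250.1/24 && echo "192.168.250.1/24: no overlap, usable as dummy address"
sample_routes | check_dummy_ip 10.1.200.1/24 || echo "10.1.200.1/24: rejected"
```

The check covers the gateway's own routes only. Addresses that are in use elsewhere in your environment but not routed through this gateway still have to be ruled out from your address plan, and on a cluster the check should be run on every member.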

5. Activate the Mirror and Decrypt in the object of each applicable Virtual System.
Procedure

Step Description

a From the left navigation panel, click Gateways & Servers.

b Open the Virtual System object.

c From the left tree, click the [+] near Other and click Mirror and Decrypt.

d Check Mirror gateway traffic to interface.
The Mirror and Decrypt - User Disclaimer window opens.
i. Read the text carefully.
ii. Check I agree to the terms and conditions.
iii. Click OK to accept and close the disclaimer.

e In the Mirror gateway traffic to interface field, select the designated physical interface.

f Click OK to save the changes and close the Virtual System properties window.

6. Configure the Mirror and Decrypt rules in the Access Control Policy for the traffic you wish to mirror
and decrypt.

Procedure
Best Practice - We recommend that you configure a new, separate Access Control Layer to contain the Mirror and Decrypt rules. Alternatively, you can configure the Mirror and Decrypt rules in the regular Rule Base.
Important - When you configure the Mirror and Decrypt rules, these limitations apply:
n In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
n You must configure rules that contain an excluded (negated) source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.
The procedure below describes how to configure the Mirror and Decrypt rules in a separate Access Control Layer in SmartConsole:

Step Description

a From the left navigation panel, click Security Policies.

b Create a new Access Control Layer in the Access Control Policy.

c In the SmartConsole top left corner, click Menu > Manage policies and layers.

d Select the existing policy and click Edit (the pencil icon).
Alternatively, create a new policy.

e From the navigation tree of the Policy window, click General.

f In the Policy Types section, make sure you select only Access Control.

g In the Access Control section, click the + (plus) icon. A pop-up window opens.

h In the top right corner of this pop-up window, click New Layer.
The Layer Editor window opens.

i From the navigation tree of the Layer Editor window, click General.

j In the Blades section, make sure you select only Firewall.

k On other pages of the Layer Editor window, configure additional applicable settings.
Click OK.

l In the Access Control section, you see the Network Layer and the new Access
Control Layer.

m Click OK to save the changes and close the Policy window.

n In SmartConsole, at the top, click the tab of the applicable policy.

o In the Access Control section, click the new Access Control Layer.
In the default (Cleanup) rule of the new layer, you must change the Action column from Drop to Accept. A connection must be accepted by every layer of the policy, so a Drop cleanup rule in this layer would drop all traffic that no Mirror and Decrypt rule matches:
n Name - Your text
Important - You cannot use these strings: <M&D>, <M&d>, <m&D>, or <m&d>
n Source - *Any
n Destination - *Any
n VPN - *Any
n Services & Applications - *Any
n Action - Must contain Accept
n Track - None
n Install On - *Policy Targets

p Above the existing Cleanup rule, add the applicable rules for the traffic you wish to Mirror and Decrypt.
  You must configure the Mirror and Decrypt rules as follows:
  - Name - Must contain one of these strings (the angle brackets <> are mandatory):
    - <M&D>
    - <M&d>
    - <m&D>
    - <m&d>
  - Source - Select the applicable objects
  - Destination - Select the applicable objects
  - VPN - Must leave the default *Any
  - Services & Applications - Select the applicable services (to decrypt the HTTPS traffic, select the applicable HTTP, HTTPS, or Proxy services)
  - Action - Must contain Accept
  - Track - Select the applicable option (None, Log, or Alert)
  - Install On - Must contain one of these objects:
    - *Policy Targets (this is the default)
    - The Security Gateway, or Cluster object, whose version is R80.20 or higher
  Important:
  - In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
  - Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
  - You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.

q Publish the SmartConsole session.

r Install the Access Control Policy.

s If in a Mirror and Decrypt rule you set the Track to Log, then you can filter the logs for
this rule by the Access Rule Name, which contains the configured string:
<M&D>, <M&d>, <m&D>, or <m&d>.
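As an added example (not part of this guide and not Check Point code), the following Python script checks a rule base against the Mirror and Decrypt constraints of the procedure above: marker strings in the Name column, Accept action, VPN left at *Any, no Content criteria in or above the M&D rules, exclusion rules placed above them without a marker, and the default rule set to Accept. The Rule class and the two sample layers are a constructed model, not the SmartConsole rule base format.

```python
"""Validator for the Mirror and Decrypt (M&D) rule constraints listed above.
Added example: Rule and the sample layers are a constructed model, not the
SmartConsole rule base format."""
from dataclasses import dataclass

MD_MARKERS = ("<M&D>", "<M&d>", "<m&D>", "<m&d>")
# "Content criteria" that an M&D rule, and any rule above it, must not use.
CONTENT_CRITERIA = ("Application", "URL Filtering",
                    "Service matched by IP Protocol", "Content Awareness")


@dataclass
class Rule:
    name: str
    source: str = "*Any"
    destination: str = "*Any"
    vpn: str = "*Any"
    services: str = "*Any"
    action: str = "Accept"
    track: str = "None"
    install_on: str = "*Policy Targets"
    content_criteria: frozenset = frozenset()   # subset of CONTENT_CRITERIA
    excludes: bool = False   # rule carries an excluded source or destination


def is_md_rule(rule):
    """A rule is an M&D rule when its Name contains one of the marker strings."""
    return any(marker in rule.name for marker in MD_MARKERS)


def validate_md_layer(rules):
    """Return a list of findings; an empty list means the layer follows the guide."""
    findings = []
    md_index = [i for i, r in enumerate(rules) if is_md_rule(r)]
    if not md_index:
        return ["no Mirror and Decrypt rule (Name with <M&D>/<M&d>/<m&D>/<m&d>) found"]
    first_md = md_index[0]
    for i, rule in enumerate(rules):
        tag = f"rule {i} '{rule.name}'"
        if is_md_rule(rule):
            if rule.action != "Accept":
                findings.append(f"{tag}: Action must contain Accept")
            if rule.vpn != "*Any":
                findings.append(f"{tag}: VPN must be left at *Any")
            if rule.content_criteria:
                findings.append(f"{tag}: M&D rule must not use Content criteria "
                                f"{sorted(rule.content_criteria)}")
            if rule.excludes:
                findings.append(f"{tag}: exclusion rule must not carry an M&D marker")
        else:
            if i < first_md and rule.content_criteria:
                findings.append(f"{tag}: Content criteria are not allowed above the M&D rules")
            if rule.excludes and i > first_md:
                findings.append(f"{tag}: exclusion rule must be placed above the M&D rules")
    # The last rule is the default (Cleanup) rule of the layer (step o above).
    cleanup = rules[-1]
    if cleanup.action != "Accept":
        findings.append(f"default rule '{cleanup.name}': Action must be Accept, "
                        f"not {cleanup.action}")
    return findings


# Constructed sample layers: the first follows the guide, the second breaks it
# in several places.
GOOD_LAYER = [
    Rule("Exclude finance from M&D", source="Finance_Net", excludes=True),
    Rule("<M&D> Mirror web traffic", source="Internal_Net",
         services="https", track="Log"),
    Rule("Cleanup rule"),
]

BAD_LAYER = [
    Rule("Block social media", action="Drop",
         content_criteria=frozenset({"Application"})),
    Rule("<M&D> Mirror web traffic", source="Internal_Net", services="https",
         track="Log", content_criteria=frozenset({"URL Filtering"})),
    Rule("Exclude finance", source="Finance_Net", excludes=True),
    Rule("<m&d> Exclude HR", source="HR_Net", excludes=True),
    Rule("Cleanup rule", action="Drop"),
]

if __name__ == "__main__":
    for label, layer in (("good", GOOD_LAYER), ("bad", BAD_LAYER)):
        print(label, validate_md_layer(layer) or ["OK"])
```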

Mirror and Decrypt Logs


To Mirror and Decrypt the traffic, you create special rules in the Access Control Policy.
The Mirror and Decrypt feature adds the applicable information to the regular Security Gateway logs.

To see the Mirror and Decrypt logs in SmartConsole:

Item   Description
1      Connect with SmartConsole to the Management Server.
2      From the left navigation panel, click Logs & Monitor > Logs.
3      In the search field, enter:
       type:Control
4      Double-click on the log and refer to the More section.

The Mirror and Decrypt logs show this information in the More section > Mirror and Decrypt field:

Action                                        Description
Mirror only                                   Security Gateway only mirrored the traffic.
Decrypt and mirror                            Security Gateway decrypted and mirrored the HTTP / HTTPS traffic.
                                              Note - This can be the case even for a clear-text HTTP connection, because HTTPS Inspection inspects it first (for example, all connections that use proxy 8080).
Partial mirroring (HTTPS inspection Bypass)   Security Gateway started to decrypt the traffic, but stopped later due to an HTTPS Inspection Bypass rule (for example, a rule with a Category). Therefore, the mirrored connection is not complete.

ConnectControl - Server Load Balancing
ConnectControl is a Check Point solution for balancing the traffic that passes through a Check Point Security Gateway or Cluster towards servers behind that Security Gateway or Cluster.
ConnectControl does not consume additional memory or CPU processing power on the Security Gateway or Cluster Members.

ConnectControl Packet Flow


Load-balanced servers are represented by one Virtual IP address.
In SmartConsole, you define a Logical Server object that represents a group of physical servers.
The Logical Server takes service requests for the load-balanced application and directs the requests to the
applicable physical server.

When a client requests access to an application that is load balanced by ConnectControl, the request goes
through the Security Gateway or Cluster.

Item Description

1 Client request - A client starts a connection with the logical IP address of the application server
(the address assigned to the Logical server).

2 Internet - The service request goes through the Internet.

3 Security Gateway - The service request arrives at the destination public IP address of the
Logical Server, which is on the Security Gateway. The request is matched to the Logical Server
rule in the Rule Base. The Security Gateway directs the request to the internal IP address of the
Logical Server group.

4 Logical Server - ConnectControl determines which server in the Logical Server group is best for
the request, based on the selected load-balancing method.

Note - Make sure that the rules that allow traffic for services to ConnectControl Logical Servers and server groups are placed before the Access Control Policy rules that allow traffic for those services.


Configuring ConnectControl
This procedure explains the steps to set up ConnectControl in your environment.

Procedure

1. In the SmartConsole, click Objects menu > Object Explorer (or press Ctrl+E).
2. Define a Host object for each of the servers that will be load-balanced.
In the Object Explorer, from the toolbar, click New > Host.
3. Define a Network Group object to contain all Host objects for each of the servers that will be
load-balanced.

Instructions

In the Object Explorer, from the toolbar, click New > Network Group.
a. Name the group (for example, HTTP_Server_Group).
b. Add the Host objects for each of the servers.

Best Practice - We recommend adding no more than 29 objects.

4. Define the Logical Server object.


Instructions

a. In the Object Explorer, from the toolbar, click New > Network Object > More > Logical
Server.
b. In the New Logical Server window, enter a name for the ConnectControl Logical
Server.
c. Enter a Virtual IP address.
Make sure the IP address is a public IP address.
All traffic to be load-balanced must be directed through the cluster.

Note for a cluster environment

If the assigned IP address is on the same subnet as a Cluster Virtual IP address, you
also need to configure a Manual ARP proxy entry for this IP address.
i. Click Menu >Global properties > NAT - Network Address Translation.
ii. Select Merge manual proxy ARP configuration.
iii. Click OK.
iv. Configure the $FWDIR/conf/local.arp file as described in sk30197.
v. Install the Access Control Policy on this cluster object.


d. Select the Server type.


Logical Server Types

When you create the Logical server object, configure the server type as HTTP or Other. This distinction is important. ConnectControl handles the connection to the client differently for each server type.
- The HTTP server type uses HTTP redirection.
  This type supports offsite HTTP servers and form-based applications, but only works with the HTTP protocol. An HTTP Logical server makes sure that all HTTP-connection sessions are directed to one server, which is a requirement for many Web applications. ConnectControl finds the correct physical server, behind the Security Gateway or offsite, based on the selected load-balancing method. The session connections continue to go to that one server.
- The Other server type uses NAT (address translation) to send traffic to the grouped servers.
  This Logical server supports all protocols (including HTTP) and gives the most effectively balanced load. It requires servers to be NATed by the Security Gateway. ConnectControl mediates each service request and then selects the server to get that request. It uses NAT to change the destination IP address of the incoming packet. If a return connection is opened, the connection is automatically established between the server and the client. The server's source address in the packet is translated to the IP address of the Logical server. On the packet's return, the Security Gateway translates the packet's original address to the IP address of the Logical server.

e. Select the Server group.


Select the Server Group object that you defined earlier (or define a new Server Group
object).
The members of the group must be hosts, Security Gateways, or OSE devices.
f. Select the Use persistent server mode that fits your environment.

Persistency

This setting maintains a client's connection to the server that ConnectControl first selected.
- Persistency by server is useful for HTTP applications, such as forms, in a load-balanced environment with multiple Web servers. ConnectControl directs an HTTP client to one server for all requests. This allows clients to fill forms without the data loss that occurs if different servers take the requests.
- Persistency by service is useful if you are load balancing multiple services in your server group. For example, in a redundant environment of two servers, each running HTTP and FTP, ConnectControl directs traffic from one client to the server of the correct service. This prevents heavy load on one server, which can happen with Persistency by server.


Item Description

1 Multiple client requests for HTTP and FTP.

2 Internet.

3 Security Gateway.
The service requests arrive at the destination public IP address of the
Logical Server, which is on the Security Gateway.
The Security Gateway directs the requests to the internal IP address of the
Logical Server group.

4 Logical Server group with two servers, each with FTP and HTTP services.
ConnectControl balances the load between the servers.

g. Select a Balance method that fits your environment.


Load Balancing Methods

ConnectControl distributes network traffic to load-balanced servers according to one of these predefined balancing methods:

Method         Description
Random         The Security Gateway directs service requests to servers at random.
               This method is a good choice when all the load-balanced servers have similar RAM and CPU and are located on the same segment.
Server load    The Security Gateway determines which server is best equipped to handle the new connection.
Round Robin    The Security Gateway directs service requests to the next server in the sequence.
               This method is a good choice when all the load-balanced servers have similar RAM and CPU and are on the same segment.
Round Trip     Not supported.
Domain         Not supported.

h. Click OK.

5. Close the Object Explorer window.


6. From the left navigation panel, click Security Policies and click Access Control.
7. Add the Load Balancing rule to the Access Control Policy Rule Base:

   Source   Destination             Services & Applications   Action
   *Any     Logical Server object   Load-balanced Services    Accept, or User Auth, or Client Auth

8. For applications that use HTTP redirection, add a rule to allow the Network Group object (that contains the load-balanced server objects) to communicate directly with the clients:

   Source   Destination             Services & Applications   Action
   *Any     Network Group object    http                      Accept

9. Configure global settings for ConnectControl.


Instructions

a. At the top, click Menu > Global properties.
b. From the left tree, click ConnectControl.
c. Configure the settings that fit your environment:
   - Server Availability
     This configures how ConnectControl finds available servers.
     - The Server availability check interval controls the number of seconds between pings from the Security Gateway or Cluster to the load-balanced servers.
     - The Server check retries controls the number of attempts to contact a non-responsive server after ConnectControl stops directing connections to it.
   - Server Persistency
     If you enabled Persistency by server, you can set a timeout for a client to use one server. If a server becomes unavailable, ConnectControl directs new connections to a new, available server. This bypasses the persistency and optimizes load balancing.
   - Server Load Balancing
     Not supported.
d. Click OK.

10. Install the Access Control Policy on this Security Gateway or Cluster object.
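An added example (not part of this guide and not Check Point's implementation) that models the ConnectControl behaviour configured in the procedure above: the Round Robin and Random balance methods, Persistency by server versus Persistency by service for one client using HTTP and FTP, and the availability check that removes a non-responsive member from the group and lets its clients move to another server. Server names, client addresses and the one-missed-check rule are constructed simplifications.

```python
"""Simplified model of ConnectControl server selection. Added example; not
Check Point's implementation. Server names and client addresses are constructed."""
import random
from collections import defaultdict


class LogicalServer:
    """One Logical Server object (one Virtual IP) in front of a Server Group."""

    def __init__(self, servers, method="round_robin", persistency=None, seed=0):
        self.servers = list(servers)        # members of the Server Group
        self.method = method                # "round_robin" or "random"
        self.persistency = persistency      # None, "server" or "service"
        self.available = {s: True for s in self.servers}
        self.sticky = {}                    # persistency table: key -> server
        self.rr_position = 0
        self.rng = random.Random(seed)

    def availability_check(self, server, responded):
        """Record one availability check (ping) of a group member. Assumption of
        this model: a member that does not respond stops receiving new
        connections at once and its persistency entries are dropped, so its
        clients are directed to another available server."""
        self.available[server] = responded
        if not responded:
            self.sticky = {k: v for k, v in self.sticky.items() if v != server}

    def _balance(self, candidates):
        """Apply the configured balance method to the available members."""
        if self.method == "random":
            return self.rng.choice(candidates)
        if self.method == "round_robin":
            server = candidates[self.rr_position % len(candidates)]
            self.rr_position += 1
            return server
        raise ValueError(f"unsupported balance method: {self.method}")

    def select(self, client_ip, service):
        """Choose the physical server for a new connection from client_ip to service."""
        candidates = [s for s in self.servers if self.available[s]]
        if not candidates:
            raise RuntimeError("no available server in the group")
        if self.persistency == "server":
            key = client_ip                 # every service of this client -> one server
        elif self.persistency == "service":
            key = (client_ip, service)      # one server per (client, service) pair
        else:
            key = None
        if key is not None and key in self.sticky:
            return self.sticky[key]
        server = self._balance(candidates)
        if key is not None:
            self.sticky[key] = server
        return server


def load_per_server(logical, requests):
    """Count how many of the (client_ip, service) requests land on each member."""
    counts = defaultdict(int)
    for client_ip, service in requests:
        counts[logical.select(client_ip, service)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed scenario from the guide: one client, two servers, HTTP and FTP.
    reqs = [("10.0.0.5", "http"), ("10.0.0.5", "ftp")] * 3
    for mode in ("server", "service"):
        ls = LogicalServer(["srv1", "srv2"], persistency=mode)
        print(mode, load_per_server(ls, reqs))
```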

Monitoring Software Blade


This Software Blade enables administrators to monitor these counters in real-time:
- System counters (CPU usage, Used Virtual Memory, Free Disk Space, and so on)
- Traffic connections
- Traffic throughput

To see System and Traffic counters in SmartConsole:


1. From the left navigation panel, click Gateways & Servers.
2. In the top pane, select the Security Gateway (or Cluster) object.
3. In the bottom pane, click the Summary tab and click the Device & License Information link at the bottom.
4. From the left tree, click System Counters and Traffic.
5. For a cluster object, from the top drop-down menu, select the Cluster Member.

To see User and VPN Tunnel counters in SmartView Monitor:

1. From the left navigation panel, click Logs & Monitor > Logs.
2. At the bottom, click the Tunnel & User Monitoring link.
For more information, see:
- R81 Logging and Monitoring Administration Guide
- R77 SmartView Monitor Administration Guide

Cloud Security
Check Point cloud security protects assets in the cloud from the most sophisticated threats with dynamic
scalability, intelligent provisioning and consistent control across physical and virtual networks.
For more information, see:
- R81 CloudGuard Controller Administration Guide
- https://www.checkpoint.com/products/

Advanced Routing
Gaia OS supports:
- Dynamic Routing protocols - OSPF, BGP, and RIP.
- Dynamic Multicast Routing - PIM Sparse Mode (SM), PIM Dense Mode (DM), PIM Source-Specific Multicast (SSM), and IGMP.
- Different routing options.
You can configure these routing protocols and options in Gaia Portal and Gaia Clish.
For more information, see the R81 Gaia Advanced Routing Administration Guide.

SNMP
SNMP, as implemented on Check Point platforms, enables an SNMP manager to monitor the device using
GetRequest, GetNextRequest, GetBulkRequest, and a select number of traps.
The Check Point implementation also supports using SetRequest to change these attributes:
sysContact, sysLocation, and sysName. You must configure read-write permissions for set
operations to work.
Check Point Gaia supports SNMP v1, v2, and v3.
For more information, see the R81 Gaia Administration Guide > Chapter System Management > Section
SNMP.

Deploying a Single Security Gateway in Monitor Mode
Introduction to Monitor Mode
You can configure Monitor Mode on a single Check Point Security Gateway's interface.
This lets the Check Point Security Gateway listen to traffic from a Mirror Port or Span Port on a connected
switch.
Use the Monitor Mode to analyze network traffic without changing the production environment.
The mirror port on a switch duplicates the network traffic and sends it to the Security Gateway with an
interface configured in Monitor Mode to record the activity logs.
You can use the Monitor Mode:
- To monitor the use of applications as a permanent part of your deployment
- To evaluate the capabilities of the Software Blades:
  - The Security Gateway neither enforces any security policy, nor performs any active operations (prevent / drop / reject) on the interface in the Monitor Mode.
  - The Security Gateway terminates and does not forward all packets that arrive at the interface in the Monitor Mode.
  - The Security Gateway does not send any traffic through the interface in the Monitor Mode.
Benefits of the Monitor Mode include:
- There is no risk to your production environment.
- It requires minimal set-up configuration.
- It does not require TAP equipment, which is expensive.


Example Topology for Monitor Mode

Item Description

1 Switch with a mirror or SPAN port that duplicates all incoming and outgoing packets.
The Security Gateway connects to a mirror or SPAN port on the switch.

2 Servers.

3 Clients.

4 Security Gateway with an interface in Monitor Mode.

5 Security Management Server that manages the Security Gateway.

For More About Monitor Mode


See the R81 Installation and Upgrade Guide > Chapter Special Scenarios for Security Gateways >
Section Deploying a Security Gateway in Monitor Mode.

Deploying a Single Security Gateway or ClusterXL in Bridge Mode
Introduction to Bridge Mode
If you cannot divide the existing network into several networks with different IP addresses, you can install a
Check Point Security Gateway (or a ClusterXL) in the Bridge Mode.
A Security Gateway (or ClusterXL) in Bridge Mode is invisible to Layer 3 traffic.
When traffic arrives at one of the bridge slave interfaces, the Security Gateway (or Cluster Members)
inspects it and passes it to the second bridge slave interface.

Example Topology for a single Security Gateway in Bridge Mode

Item Description

1 Network, which an administrator needs to divide into two Layer 2 segments.
The Security Gateway in Bridge Mode connects between these segments.

2 First network segment.

3 Switch that connects the first network segment to one bridged slave interface (4) on the Security
Gateway in Bridge Mode.

4 One bridged slave interface (for example, eth1) on the Security Gateway in Bridge Mode.

5 Security Gateway in Bridge Mode.

6 Another bridged slave interface (for example, eth2) on the Security Gateway in Bridge Mode.

7 Dedicated Gaia Management Interface (for example, eth0) on the Security Gateway.

8 Switch that connects the second network segment to the other bridged slave interface (6) on the
Security Gateway in Bridge Mode.

9 Second network segment.

For More About Bridge Mode


See the R81 Installation and Upgrade Guide > Chapter Special Scenarios for Security Gateways >
Section Deploying a Security Gateway or a ClusterXL in Bridge Mode.

Security Before Firewall Activation


To protect the Security Gateway and network, Check Point Security Gateway has baseline security:

Baseline Security   Name of Policy   Description
Boot Security       defaultfilter    Security during the boot process.
Initial Policy      InitialPolicy    Security before a policy is installed for the first time, or when the Security Gateway failed to load the policy.

Important - If you disable the boot security or unload the currently installed policy, you leave your Security Gateway, or a Cluster Member, without protection.
Best Practice - Before you disable the boot security, we recommend that you disconnect your Security Gateway, or a Cluster Member, from the network completely.

For additional information, see these commands:

Command                                  Description
$CPDIR/bin/cpstat -f policy fw           Shows the currently installed policy. See "cpstat" on page 220.
$FWDIR/bin/control_bootsec {-r | -R}     Disables the boot security. See "control_bootsec" on page 186.
$FWDIR/bin/control_bootsec [-g | -G]     Enables the boot security. See "control_bootsec" on page 186.
$FWDIR/bin/comp_init_policy [-u | -U]    Deletes the local state policy. See "comp_init_policy" on page 183.
$FWDIR/bin/comp_init_policy [-g | -G]    Creates the local state Initial Policy. See "comp_init_policy" on page 183.
$FWDIR/bin/fw unloadlocal                Unloads the currently installed policy. See "fw unloadlocal" on page 391.

Boot Security
The Boot Security protects the Security Gateway and its networks during the boot:
- Disables the IP Forwarding in the Linux OS kernel
- Loads the Default Filter Policy

Important - In a Cluster, you must configure all the Cluster Members in the same way.

The Default Filter Policy

The Default Filter Policy (defaultfilter) protects the Security Gateway from the time it boots up
until it installs the user-defined Security Policy.
Boot Security disables IP Forwarding and loads the Default Filter Policy.
There are three Default Filter templates on the Security Gateway:

Default Filter Mode       Default Filter Policy File       Description
Boot Filter               $FWDIR/lib/defaultfilter.boot    This filter:
                                                           - Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces
                                                           - Allows all outbound packets from the Security Gateway
Drop Filter               $FWDIR/lib/defaultfilter.drop    This filter drops all inbound and outbound packets on the Security Gateway.
                                                           Best Practice - If the boot process requires that the Security Gateway communicate with other hosts, do not use the Drop Filter.
Filter for Dynamically    $FWDIR/lib/defaultfilter.dag     This filter is for Security Gateways with a Dynamically Assigned IP address:
Assigned Gateways (DAG)                                    - Allows all DHCP Requests
                                                           - Allows all DHCP Replies
                                                           - Uses the Boot Filter:
                                                             a. Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces
                                                             b. Allows all outbound packets from the Security Gateway
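An added example (not part of this guide, and not the INSPECT code in $FWDIR/lib) that models the verdicts the three templates above give for sample boot-time packets: the Boot Filter's anti-spoofing rule and outbound allow, the Drop Filter, and the DAG Filter's DHCP exceptions layered on the Boot Filter. The gateway addresses and packets are constructed; an inbound packet that none of the listed rules covers gets the verdict "unmatched" rather than a guess.

```python
"""Model of the verdicts of the three Default Filter templates (Boot, Drop, DAG).
Added example, not the INSPECT code in $FWDIR/lib. Addresses are constructed."""
from dataclasses import dataclass

# Constructed: IP addresses assigned to the Security Gateway interfaces.
GATEWAY_IPS = frozenset({"192.0.2.1", "198.51.100.1"})


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (arrives at the gateway) or "out" (sent by it)
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def is_dhcp(pkt):
    """DHCP over UDP: request 68 -> 67 (client to server), reply 67 -> 68."""
    return pkt.proto == "udp" and (pkt.sport, pkt.dport) in ((68, 67), (67, 68))


def boot_filter(pkt, gateway_ips=GATEWAY_IPS):
    """defaultfilter.boot: drop inbound packets whose source IP is one of the
    gateway's own addresses (address spoofing), allow everything the gateway
    sends. Other inbound packets are not covered by the rules the guide lists,
    so this model reports them as "unmatched"."""
    if pkt.direction == "out":
        return "accept"
    if pkt.src in gateway_ips:
        return "drop"
    return "unmatched"


def drop_filter(pkt):
    """defaultfilter.drop: drop all inbound and outbound packets."""
    return "drop"


def dag_filter(pkt, gateway_ips=GATEWAY_IPS):
    """defaultfilter.dag: allow DHCP requests and replies so that a Dynamically
    Assigned Gateway can obtain its address, then apply the Boot Filter rules."""
    if is_dhcp(pkt):
        return "accept"
    return boot_filter(pkt, gateway_ips)


TEMPLATES = {"boot": boot_filter, "drop": drop_filter, "dag": dag_filter}


def evaluate(template, packets):
    """Return the verdict of one template for each packet, in order."""
    return [TEMPLATES[template](p) for p in packets]


# Constructed sample traffic seen while the gateway boots.
SAMPLE = [
    Packet("in", "192.0.2.1", "192.0.2.10"),                        # spoofed: gateway's own IP as source
    Packet("out", "192.0.2.1", "192.0.2.10"),                       # packet sent by the gateway
    Packet("in", "0.0.0.0", "255.255.255.255", "udp", 68, 67),      # DHCP request from a host on the segment
    Packet("in", "203.0.113.5", "198.51.100.1", "udp", 67, 68),     # DHCP reply to the gateway
    Packet("in", "203.0.113.7", "198.51.100.1", "tcp", 40000, 22),  # ordinary inbound SSH
]

if __name__ == "__main__":
    for name in TEMPLATES:
        print(f"{name:5}", evaluate(name, SAMPLE))
```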

Selecting the Default Filter Policy

Step Description

1 Make sure to configure and install a Security Policy on the Security Gateway.

2 Connect to the command line on the Security Gateway.

3 Log in to the Expert mode.

4 Back up the current Default Filter Policy file:
  cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}

5 Create a new Default Filter Policy file.
  - To create a new Boot Filter, run:
    cp -v $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf
  - To create a new Drop Filter, run:
    cp -v $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf
  - To create a new DAG Filter, run:
    cp -v $FWDIR/lib/defaultfilter.dag $FWDIR/conf/defaultfilter.pf


6 Compile the new Default Filter file:
  fw defaultgen

  - The new compiled Default Filter file for IPv4 traffic is:
    $FWDIR/state/default.bin
  - The new compiled Default Filter file for IPv6 traffic is:
    $FWDIR/state/default.bin6

7 Get the path of the Default Filter Policy file:
  $FWDIR/boot/fwboot bootconf get_def
  Example:
  [Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def
  /etc/fw.boot/default.bin
  [Expert@MyGW:0]#

8 Copy the new compiled Default Filter file to the path of the Default Filter Policy file.
  - For IPv4 traffic, run:
    cp -v $FWDIR/state/default.bin /etc/fw.boot/default.bin
  - For IPv6 traffic, run:
    cp -v $FWDIR/state/default.bin6 /etc/fw.boot/default.bin6

9 Make sure to connect to the Security Gateway over a serial console.

Important - If the new Default Filter Policy fails and blocks all access
through the network interfaces, you can unload that Default Filter
Policy and install the working policy.

10 Reboot the Security Gateway.

Defining a Custom Default Filter

Administrators with Check Point INSPECT language knowledge can define customized Default Filters.

Important - Make sure your customized Default Filter policy does not interfere with
the Security Gateway boot process.

Step Description

1 Make sure to configure and install a Security Policy on the Security Gateway.

2 Connect to the command line on the Security Gateway.


3 Log in to the Expert mode.

4 Back up the current Default Filter Policy file:
  cp -v $FWDIR/conf/defaultfilter.pf{,_BKP}

5 Create a new Default Filter Policy file.
  - To use the Boot Filter as a template, run:
    cp -v $FWDIR/lib/defaultfilter.boot $FWDIR/conf/defaultfilter.pf
  - To use the Drop Filter as a template, run:
    cp -v $FWDIR/lib/defaultfilter.drop $FWDIR/conf/defaultfilter.pf
  - To use the DAG Filter as a template, run:
    cp -v $FWDIR/lib/defaultfilter.dag $FWDIR/conf/defaultfilter.pf

6 Edit the new Default Filter Policy file to include the applicable INSPECT code.
  Important - Your customized Default Filter must not use these functions:
  - Logging
  - Authentication
  - Encryption
  - Content Security

7 Compile the new Default Filter file:
  fw defaultgen

  - The new compiled Default Filter file for IPv4 traffic is:
    $FWDIR/state/default.bin
  - The new compiled Default Filter file for IPv6 traffic is:
    $FWDIR/state/default.bin6

8 Get the path of the Default Filter Policy file:


$FWDIR/boot/fwboot bootconf get_def
Example:
[Expert@MyGW:0]# $FWDIR/boot/fwboot bootconf get_def
/etc/fw.boot/default.bin
[Expert@MyGW:0]#


9 Copy the new compiled Default Filter file to the path of the Default Filter Policy file.
  - For IPv4 traffic, run:
    cp -v $FWDIR/state/default.bin /etc/fw.boot/default.bin
  - For IPv6 traffic, run:
    cp -v $FWDIR/state/default.bin6 /etc/fw.boot/default.bin6

10 Make sure to connect to the Security Gateway over a serial console.

Important - If the new Default Filter Policy fails and blocks all access
through the network interfaces, you can unload that Default Filter
Policy and install the working policy.

11 Reboot the Security Gateway.

Using the Default Filter Policy for Maintenance

It is sometimes necessary to stop the Security Gateway for maintenance. It is not always practical to
disconnect the Security Gateway from the network (for example, if the Security Gateway is on a remote
site).
To stop the Security Gateway for maintenance and maintain security, you can run:

Command                     Description
cpstop -fwflag -default     - Shuts down Check Point processes
                            - Loads the Default Filter policy (defaultfilter)
cpstop -fwflag -proc        - Shuts down Check Point processes
                            - Keeps the currently loaded kernel policy
                            - Maintains the Connections table, so that after you run the cpstart command, you do not experience dropped packets because they are "out of state"

Note - Only security rules that do not use user space processes continue to work.

The Initial Policy


Until the Security Gateway administrator installs the Security Policy on the Security Gateway for the first
time, security is enforced by an Initial Policy.
The Initial Policy operates by adding the predefined implied rules to the Default Filter policy.
These implied rules forbid most communication, yet allow the communication needed for the installation of
the Security Policy.
The Initial Policy also protects the Security Gateway during Check Point product upgrades, when a SIC
certificate is reset on the Security Gateway, or in the case of a Check Point product license expiration.

Note - During a Check Point upgrade, a SIC certificate reset, or license expiration, the
Initial Policy overwrites the user-defined policy.

The sequence of actions during boot of the Security Gateway until a Security Policy is loaded for the first
time:

Step Description

1 The Security Gateway boots up.

2 The Security Gateway disables IP Forwarding and loads the Default Filter policy.

3 The Security Gateway configures the interfaces.

4 The Security Gateway services start.

5 The Security Gateway fetches the Initial Policy from the local directory.

6 Administrator installs the user-defined Security Policy from the Management Server.


The Security Gateway enforces the Initial Policy until the administrator installs a user-defined policy.
In subsequent boots, the Security Gateway loads the user-defined policy immediately after the Default Filter policy.
There are different Initial Policies for Standalone and distributed setups:
- In a Standalone configuration, where the Security Management Server and the Security Gateway are on the same computer, the Initial Policy allows CPMI management communication only.
  This permits SmartConsole clients to connect to the Security Management Server.
- In a distributed configuration, where the Security Management Server is on one computer and the Security Gateway is on a different computer, the Initial Policy:
  - Allows the cpd and fwd daemons to communicate for SIC (to establish trust) and for Policy installation.
  - Does not allow CPMI connections through the Security Gateway.
    SmartConsole is not able to connect to the Security Management Server if it must reach the Security Management Server through a Security Gateway with the Initial Policy.

Troubleshooting: Cannot Complete Reboot


In some configurations, the Default Filter policy prevents the Security Gateway from completing the reboot
after installation.
Firstly, look at the Default Filter. Does the Default Filter allow traffic required by the boot procedures?
Secondly, if the boot process cannot finish successfully, remove the Default Filter:

Step Description

1 Connect to the Security Gateway over serial console.

2 Reboot the Security Gateway.

3 During boot, press any key to enter the Boot Menu.

4 Select the Start in maintenance mode.

5 Enter the Expert mode password.

6 Set the Default Filter to not load again:
  a. Go to the $FWDIR directory:
     cd /opt/CPsuite-<VERSION>/fw1/
  b. Set the Default Filter to not load again:
     ./fwboot bootconf set_def

7 In the $FWDIR/boot/boot.conf file, examine the value of "DEFAULT_FILTER_PATH":
  a. Go to the $FWDIR directory:
     cd /opt/CPsuite-<VERSION>/fw1/
  b. Examine the value of "DEFAULT_FILTER_PATH":
     grep DEFAULT_FILTER_PATH boot/boot.conf

8 Reboot the Security Gateway.

Command Line Reference


See the R81 CLI Reference Guide.
Below is a limited list of applicable commands.

Syntax Legend
Whenever possible, this guide lists commands, parameters and options in the alphabetical order.
This guide uses this convention in the Command Line Interface (CLI) syntax:

Character                  Description
TAB                        Shows the available nested subcommands:
                           main command
                           → nested subcommand 1
                           → → nested subsubcommand 1-1
                           → → nested subsubcommand 1-2
                           → nested subcommand 2
                           Example:
                           cpwd_admin
                               config
                                   -a <options>
                                   -d <options>
                                   -p
                                   -r
                               del <options>
                           Meaning, you can run only one of these commands:
                           - cpwd_admin config -a <options>
                           - cpwd_admin config -d <options>
                           - cpwd_admin config -p
                           - cpwd_admin config -r
                           - cpwd_admin del <options>
Curly brackets or braces   Enclose a list of available commands or parameters, separated by the vertical bar |.
{ }                        User can enter only one of the available commands or parameters.
Angle brackets             Enclose a variable.
<>                         User must explicitly specify a supported value.
Square brackets or         Enclose an optional command or parameter, which user can also enter.
brackets [ ]

comp_init_policy
Description
Generates, loads, or removes the Initial Policy on a Security Gateway, or a Cluster Member.
Until the Security Gateway or cluster administrator installs the user-defined Security Policy on the Security
Gateway or Cluster Members for the first time, security is enforced by an Initial Policy.
The Initial Policy operates by adding "implied rules" to the Default Filter.
These rules forbid most of the communication, but allow the communication needed for the installation of
the Security Policy.
The Initial Policy also protects a Security Gateway or Cluster Members in these cases:
- During Check Point product upgrades
- When a SIC certificate is reset on the Security Gateway or Cluster Member
- When the Check Point product license expires
The Initial Policy is enforced until a policy is installed, and is never loaded again. In subsequent boots, the
regular policy is loaded immediately after the Default Filter.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Notes:
- You must run this command from the Expert mode.
- The Initial Policy overwrites the user-defined policy.
- Output of the "cpstat -f policy fw" command (see "cpstat" on page 220) shows the name of this policy as "InitialPolicy".
- Security Gateway, or Cluster Member, stores the installed Access Control Policy in these directories:
  - $FWDIR/state/__tmp/FW1/
  - $FWDIR/state/local/FW1/
  - $FWDIR/state/<Name of Cluster Object>/FW1/
- Refer to these related commands:
  - "control_bootsec" on page 186
  - "fwboot bootconf" on page 402
  - "fw defaultgen" on page 295
  - "fwboot default" on page 414

Syntax

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-u | -U]

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-g | -G]


Parameters

Parameter Description

No Parameters   The command runs with the last used parameter.

-u | -U   Performs these steps:
1. Removes the attribute ":InitialPolicySafe (true)" from the section ": (FW1" in the Check Point Registry file ($CPDIR/registry/HKLM_registry.data).
2. Removes the policy files from the $FWDIR/state/local/FW1/ directory.

-g | -G   Performs these steps:
1. Removes the attribute ":InitialPolicySafe (true)" from the section ": (FW1" in the Check Point Registry file ($CPDIR/registry/HKLM_registry.data).
2. Generates the Initial Policy in the $FWDIR/state/local/FW1/ directory.
You can use this parameter if there is no Initial Policy generated.
If the Initial Policy was already generated, make sure that after you remove the Initial Policy, you delete the $FWDIR/state/local/FW1/ directory on the Security Gateway or Cluster Member.
This parameter generates the Initial Policy and ensures that the Security Gateway loads it the next time it fetches a policy (at "cpstart", at the next boot, or with the "fw fetch localhost" command).
The "comp_init_policy -g" command only works if currently there is no policy installed on the Security Gateway or Cluster Member.
If you run one of these pairs of commands, the original policy is still loaded:
n comp_init_policy -g, then fw fetch localhost
n comp_init_policy -g, then cpstart
n comp_init_policy -g, then reboot


Example

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R81/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 7744
-rw-r--r-- 1 admin root 20166 Jun 13 16:34 install_policy_report.txt
-rw-r--r-- 1 admin root 55 Jun 13 16:34 install_policy_report_timing.txt
-rw-r--r-- 1 admin root 37355 Jun 13 16:34 local.Sandbox-persistence.xml
... output was cut for brevity ...
-rw-r--r-- 1 admin root 2278 Jun 13 16:34 local.vsx_cluster_netobj
-rw-r--r-- 1 admin root 5172 Jun 13 16:34 local.{939922F7-DF98-4988-B776-B70B9B8340F3}
-rw-r--r-- 1 admin root 10328 Jun 13 16:34 local.{B9D14722-3936-4B33-814B-F87EA4062BEB}
-rw-r----- 1 admin root 14743 Jun 13 16:34 manifest.C
-rw-r--r-- 1 admin root 7381 Jun 13 16:34 policy.info
-rw-r--r-- 1 admin root 2736 Jun 13 16:34 policy.map
-rw-r--r-- 1 admin root 51 Jun 13 16:34 sig.map
[Expert@GW:0]#

[Expert@GW:0]# comp_init_policy -u
erasing local state..
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#

[Expert@GW:0]# comp_init_policy -g
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root 8 Jul 19 19:51 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 19:51 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 19:51 local.fc6
-rw-rw---- 1 admin root 235 Jul 19 19:51 local.ft
-rw-rw---- 1 admin root 317 Jul 19 19:51 local.ft6
-rw-rw---- 1 admin root 135 Jul 19 19:51 local.fwrl.conf
-rw-rw---- 1 admin root 14 Jul 19 19:51 local.ifs
-rw-rw---- 1 admin root 833 Jul 19 19:51 local.inspect.lf
-rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg
-rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg6
-rw-rw---- 1 admin root 0 Jul 19 19:51 local.magic
-rw-rw---- 1 admin root 3 Jul 19 19:51 local.set
-rw-rw---- 1 admin root 51 Jul 19 19:51 sig.map
[Expert@GW:0]#


control_bootsec
Description
Controls the boot security - loading of both the Default Filter policy (defaultfilter) and the Initial
Policy (InitialPolicy) during boot on a Security Gateway, or a Cluster Member.

Warning - If you disable the boot security, you leave your Security Gateway or Cluster Member without any protection during the boot. Before you disable the boot security, we recommend that you disconnect your Security Gateway or Cluster Member from the network completely.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Notes:
n You must run this command from the Expert mode.
n The changes made with this command survive reboot.
n Refer to these related commands:
l "comp_init_policy" on page 183
l "fwboot bootconf" on page 402
l "fw defaultgen" on page 295
l "fwboot default" on page 414

Syntax

[Expert@GW:0]# $FWDIR/bin/control_bootsec [-g | -G]

[Expert@GW:0]# $FWDIR/bin/control_bootsec {-r | -R}


Parameters

Parameter Description

No Parameter | -g | -G   Enables the boot security:
1. Executes the "$FWDIR/boot/fwboot bootconf set_def $FWDIR/boot/default.bin" command that updates the path to the Default Filter policy in the $FWDIR/boot/boot.conf file to point to the correct policy file (DEFAULT_FILTER_PATH /etc/fw.boot/default.bin).
2. Executes the "$FWDIR/bin/comp_init_policy -g" command that:
a. Removes the attribute ":InitialPolicySafe (true)" from the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file).
b. Generates the Initial Policy files in the $FWDIR/state/local/FW1/ directory.

-r | -R   Disables the boot security:
1. Executes the "$FWDIR/boot/fwboot bootconf set_def" command that updates the path to the Default Filter policy in the $FWDIR/boot/boot.conf file to point nowhere (DEFAULT_FILTER_PATH 0).
2. Executes the "$FWDIR/bin/comp_init_policy -u" command that:
a. Adds the attribute ":InitialPolicySafe (true)" to the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file).
b. Deletes all files in the $FWDIR/state/local/FW1/ directory.


Example 1 - Disabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R81/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 7736
-rw-rw---- 1 admin root 11085 Jul 19 20:16 install_policy_report.txt
-rw-rw---- 1 admin root 56 Jul 19 20:16 install_policy_report_timing.txt
-rw-rw---- 1 admin root 37355 Jul 19 20:16 local.Sandbox-persistence.xml
-rw-rw---- 1 admin root 3 Jul 19 20:16 local.ad_query_profiles
... ... ...
-rw-r----- 1 admin root 14743 Jul 19 20:16 manifest.C
-rw-rw---- 1 admin root 7381 Jul 19 20:16 policy.info
-rw-rw---- 1 admin root 2736 Jul 19 20:16 policy.map
-rw-rw---- 1 admin root 51 Jul 19 20:16 sig.map
[Expert@GW:0]#

[Expert@GW:0]# $FWDIR/bin/control_bootsec -r
Disabling boot security
FW-1 will not load a default filter on boot
[Expert@GW:0]#

[Expert@GW:0]# cat $FWDIR/boot/boot.conf


CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@GW:0]#

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data


:InitialPolicySafe (true)
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#


Example 2 - Enabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R81/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# control_bootsec -g
Enabling boot security
[Expert@GW:0]#

[Expert@GW:0]# cat $FWDIR/boot/boot.conf


CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH /opt/CPsuite-R81/fw1/boot/default.bin
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@GW:0]#

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data


[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root 8 Jul 19 20:22 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 20:22 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 20:22 local.fc6
-rw-rw---- 1 admin root 235 Jul 19 20:22 local.ft
-rw-rw---- 1 admin root 317 Jul 19 20:22 local.ft6
-rw-rw---- 1 admin root 135 Jul 19 20:22 local.fwrl.conf
-rw-rw---- 1 admin root 14 Jul 19 20:22 local.ifs
-rw-rw---- 1 admin root 833 Jul 19 20:22 local.inspect.lf
-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg
-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg6
-rw-rw---- 1 admin root 0 Jul 19 20:22 local.magic
-rw-rw---- 1 admin root 3 Jul 19 20:22 local.set
-rw-rw---- 1 admin root 51 Jul 19 20:22 sig.map
[Expert@GW:0]#
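
The two examples above show the three artifacts that change together when boot security is toggled: DEFAULT_FILTER_PATH in boot.conf, the :InitialPolicySafe attribute in the Check Point Registry, and the contents of $FWDIR/state/local/FW1/. The following shell script is an added example, not code from the Check Point guide or the product, that audits whether those three artifacts agree (for instance after a half-applied control_bootsec run or a hand-edited boot.conf). It takes the file paths as arguments so it can run against saved copies; for the demonstration it builds constructed sample trees, and the registry stand-in contains only a ": (FW1" section, not a real $CPDIR/registry/HKLM_registry.data.

```bash
#!/bin/bash
# Added example (not from the Check Point guide): offline audit of the
# boot-security state that control_bootsec / comp_init_policy manage.
# All paths are parameters so the check can run against copied files.

# Print the value of one key in boot.conf ("KEY VALUE" per line).
bootconf_get() {   # $1 = boot.conf path, $2 = key name
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Number of regular files in the Initial Policy directory (0 if it is missing).
state_file_count() {   # $1 = $FWDIR/state/local/FW1 directory
    find "$1" -mindepth 1 -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d '[:space:]'
}

# Report "enabled", "disabled" or "inconsistent".
# enabled : DEFAULT_FILTER_PATH names a file, no ":InitialPolicySafe (true)",
#           Initial Policy files present
# disabled: DEFAULT_FILTER_PATH 0, ":InitialPolicySafe (true)" present, directory empty
# anything else: the two halves of control_bootsec did not both take effect
boot_security_state() {   # $1 = boot.conf, $2 = HKLM_registry.data, $3 = FW1 state dir
    local dfp safe files
    dfp=$(bootconf_get "$1" DEFAULT_FILTER_PATH)
    if grep -qF ':InitialPolicySafe (true)' "$2" 2>/dev/null; then safe=1; else safe=0; fi
    files=$(state_file_count "$3")
    if [ -n "$dfp" ] && [ "$dfp" != 0 ] && [ "$safe" -eq 0 ] && [ "${files:-0}" -gt 0 ]; then
        echo enabled
    elif [ "${dfp:-0}" = 0 ] && [ "$safe" -eq 1 ] && [ "${files:-0}" -eq 0 ]; then
        echo disabled
    else
        echo inconsistent
    fi
}

# Build a CONSTRUCTED sample tree (not a real gateway) under $1 for state $2.
# boot.conf mirrors the values in the guide's examples; the registry file is a
# minimal stand-in holding only the ": (FW1" section.
make_boot_sample() {   # $1 = target dir, $2 = enabled|disabled
    mkdir -p "$1/FW1"
    if [ "$2" = enabled ]; then
        printf 'CTL_IPFORWARDING 1\nDEFAULT_FILTER_PATH /opt/CPsuite-R81/fw1/boot/default.bin\nKERN_INSTANCE_NUM 3\nCOREXL_INSTALLED 1\n' > "$1/boot.conf"
        printf ': (FW1\n)\n' > "$1/HKLM_registry.data"
        : > "$1/FW1/local.ctlver"
        : > "$1/FW1/local.set"
    else
        printf 'CTL_IPFORWARDING 1\nDEFAULT_FILTER_PATH 0\nKERN_INSTANCE_NUM 3\nCOREXL_INSTALLED 1\n' > "$1/boot.conf"
        printf ': (FW1\n\t:InitialPolicySafe (true)\n)\n' > "$1/HKLM_registry.data"
    fi
}

# Demonstration on constructed samples. On a real gateway you would run:
#   boot_security_state "$FWDIR/boot/boot.conf" "$CPDIR/registry/HKLM_registry.data" "$FWDIR/state/local/FW1"
boot_security_demo() {
    local d
    d=$(mktemp -d)
    make_boot_sample "$d/on" enabled
    make_boot_sample "$d/off" disabled
    echo "enabled sample:  $(boot_security_state "$d/on/boot.conf" "$d/on/HKLM_registry.data" "$d/on/FW1")"
    echo "disabled sample: $(boot_security_state "$d/off/boot.conf" "$d/off/HKLM_registry.data" "$d/off/FW1")"
    rm -rf "$d"
}
boot_security_demo
```

The "inconsistent" result is the one worth alerting on: it means the gateway will either boot with the Default Filter but no Initial Policy, or with stale Initial Policy files and no Default Filter path, which is exactly the unprotected window the warning above describes.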


cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Security Gateway

cp_conf
      -h
      adv_routing <options>
      auto <options>
      corexl <options>
      fullha <options>
      ha <options>
      intfs <options>
      lic <options>
      sic <options>
      snmp <options>

Parameters

Parameter Description

-h   Shows the entire built-in usage.

adv_routing <options>   Enables or disables the Advanced Routing feature on this Security Gateway.
Important - Do not use these outdated commands. To configure Advanced Routing, see the R81 Gaia Advanced Routing Administration Guide.

auto <options>   Shows and configures the automatic start of Check Point products during boot.
See "cp_conf auto" on page 192.

corexl <options>   Enables or disables CoreXL on this Security Gateway.
See "cp_conf corexl" on page 193.

fullha <options>   Manages the Full High Availability Cluster.
See "cp_conf fullha" on page 195.

ha <options>   Enables or disables cluster membership on this Security Gateway.
See "cp_conf ha" on page 196.

intfs <options>   Sets the topology of interfaces on a Security Gateway, which you manage with SmartProvisioning.
See "cp_conf intfs" on page 197.

lic <options>   Manages Check Point licenses.
See "cp_conf lic" on page 198.

sic <options>   Manages SIC on this Security Gateway.
See "cp_conf sic" on page 200.

snmp <options>   Do not use these outdated commands.
To configure SNMP, see the R81 Gaia Administration Guide - Chapter System Management - Section SNMP.


cp_conf auto
Description
Shows and controls which of Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 201 menu.

Syntax

cp_conf auto
      -h
      {enable | disable} <Product1> <Product2> ...
      get all

Parameters

Parameter Description

-h   Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ...   Controls whether the installed Check Point products start automatically during boot.
This command is for Check Point use only.

get all   Shows which of these Check Point products start automatically during boot:
n Check Point Security Gateway
n QoS (former FloodGate-1)
n SmartEvent Suite

Example from a Security Gateway

[Expert@GW:0]# cp_conf auto get all


The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed.

[Expert@GW:0]#


cp_conf corexl
Description
Enables or disables CoreXL.
For more information, see the R81 Performance Tuning Administration Guide.

Important:
n This command is for Check Point use only.
To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on page 201
menu.
n After all changes in CoreXL configuration on the Security Gateway, you must reboot it.
n In a Cluster, you must configure all the Cluster Members in the same way.

Syntax
n To enable CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall instances:

cp_conf corexl [-v] enable [n] [-6 k]

n To disable CoreXL:

cp_conf corexl [-v] disable

The related command is "fwboot corexl" on page 406.

Parameters

Parameter Description

-v Leaves the high memory (vmalloc) unchanged.

n Denotes the number of IPv4 CoreXL Firewall instances.

k Denotes the number of IPv6 CoreXL Firewall instances.


Example
Currently, the Security Gateway runs two IPv4 CoreXL Firewall instances (KERN_INSTANCE_NUM = 2).
We change the number of IPv4 CoreXL Firewall instances to three.

[Expert@MyGW:0]# fw ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 2
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# cp_conf corexl -v enable 3
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# reboot
.. ... ...
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10
[Expert@MyGW:0]#
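
The example above shows the new KERN_INSTANCE_NUM landing in boot.conf immediately, while "fw ctl multik stat" only reflects it after the reboot. The following shell script is an added example, not code from the Check Point guide, that flags that window by comparing the configured instance count in boot.conf with the number of active instances in saved "fw ctl multik stat" output. Both inputs are read from files; the samples it constructs reproduce the before and after tables shown above.

```bash
#!/bin/bash
# Added example (not from the Check Point guide): detect a CoreXL change that
# cp_conf corexl wrote to boot.conf but that is not running yet (reboot pending).

# Print the value of one key in boot.conf ("KEY VALUE" per line).
bootconf_get() {   # $1 = boot.conf path, $2 = key name
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Count rows of "fw ctl multik stat" output whose Active column is "Yes".
# Data rows look like "0 | Yes | 2 | 7 | 28"; the header and separator rows
# do not start with a number and are skipped.
multik_active_count() {   # $1 = file holding the command output
    awk '$1 ~ /^[0-9]+$/ && $3 == "Yes" { n++ } END { print n + 0 }' "$1"
}

# Print "consistent" or "reboot-pending configured=<n> running=<m>".
corexl_check() {   # $1 = boot.conf, $2 = saved "fw ctl multik stat" output
    local want have
    want=$(bootconf_get "$1" KERN_INSTANCE_NUM)
    have=$(multik_active_count "$2")
    if [ "${want:-0}" -eq "$have" ]; then
        echo consistent
    else
        echo "reboot-pending configured=${want:-0} running=$have"
    fi
}

# CONSTRUCTED samples reproducing the guide's example: boot.conf after
# "cp_conf corexl -v enable 3", and the multik table before and after the reboot.
write_corexl_samples() {   # $1 = target dir
    mkdir -p "$1"
    printf 'CTL_IPFORWARDING 1\nDEFAULT_FILTER_PATH 0\nKERN_INSTANCE_NUM 3\nCOREXL_INSTALLED 1\nKERN6_INSTANCE_NUM 2\nIPV6_INSTALLED 0\nCORE_OVERRIDE 4\n' > "$1/boot.conf"
    cat > "$1/multik_before.txt" <<'EOF'
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11
EOF
    cat > "$1/multik_after.txt" <<'EOF'
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10
EOF
}

# Demonstration. On a live gateway you would save the command output first:
#   fw ctl multik stat > /tmp/multik.txt; corexl_check /etc/fw.boot/boot.conf /tmp/multik.txt
corexl_demo() {
    local d
    d=$(mktemp -d)
    write_corexl_samples "$d"
    echo "before reboot: $(corexl_check "$d/boot.conf" "$d/multik_before.txt")"
    echo "after reboot:  $(corexl_check "$d/boot.conf" "$d/multik_after.txt")"
    rm -rf "$d"
}
corexl_demo
```

Running the check from a change-control script after "cp_conf corexl" and again after the reboot gives a recorded confirmation that the configured and running instance counts match, which is the same condition the guide requires for all Cluster Members.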


cp_conf fullha
Description
Manages the state of the Full High Availability Cluster:
n Enables the Full High Availability Cluster
n Disables the Full High Availability Cluster
n Deletes the Full High Availability peer
n Shows the Full High Availability state

Important - To configure a Full High Availability cluster, follow the R81 Installation and
Upgrade Guide.

Syntax

cp_conf fullha
      enable
      del_peer
      disable
      state

Parameters

Parameter Description

enable Enables the Full High Availability on this computer.

del_peer Deletes the Full High Availability peer from the configuration.

disable Disables the Full High Availability on this computer.

state Shows the Full High Availability state on this computer.

Example

[Expert@Cluster_Member:0]# cp_conf fullha state


FullHA is currently enabled
[Expert@Cluster_Member:0]#


cp_conf ha
Description
Enables or disables cluster membership on this Security Gateway.

Important - This command is for Check Point use only. To configure cluster
membership, you must use the "cpconfig" on page 201 command.
For more information, see the R81 ClusterXL Administration Guide.

Syntax

cp_conf ha {enable | disable} [norestart]

Parameters

Parameter Description

enable Enables cluster membership on this Security Gateway.


This command is equivalent to the option Enable cluster membership for this
gateway in the "cpconfig" on page 201 menu.

disable Disables cluster membership on this Security Gateway.


This command is equivalent to the option Disable cluster membership for this
gateway in the "cpconfig" on page 201 menu.

norestart Optional: Specifies to apply the configuration change without the restart of Check Point
services. The new configuration takes effect only after reboot.

Example 1 - Enable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha enable norestart

Cluster membership for this gateway was enabled successfully


Important: This change will take effect after reboot.

[Expert@MyGW:0]#

Example 2 - Disable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha disable norestart


cpwd_admin:
Process CPHAMCSET process has been already terminated

Cluster membership for this gateway was disabled successfully


Important: This change will take effect after reboot.

[Expert@MyGW:0]#


cp_conf intfs
Description
Sets the topology of interfaces on a Security Gateway, which you manage with SmartProvisioning.
For more information, see the R81 SmartProvisioning Administration Guide.

Syntax

cp_conf intfs
      get
      set
            auxiliary <Name of Interface>
            DMZ <Name of Interface>
            external <Name of Interface>
            internal <Name of Interface>

Parameters

Parameter Description

get Shows the list of configured interfaces.

set Configures the topology of the specified interface:


n auxiliary
n DMZ
n external
n internal


cp_conf lic
Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 201 menu.

Syntax

cp_conf lic
      -h
      add -f <Full Path to License File>
      add -m <Host> <Date> <Signature Key> <SKU/Features>
      del <Signature Key>
      get [-x]

Parameters

Parameter Description

-h   Shows the applicable built-in usage.

add -f <Full Path to License File>   Adds a license from the specified Check Point license file.
You get this license file in the Check Point User Center.

add -m <Host> <Date> <Signature Key> <SKU/Features>   Adds the license manually.
You get these license details in the Check Point User Center.

del <Signature Key>   Deletes the license based on its signature.
This is the same command as "cplic del" on page 211.

get [-x]   Shows the locally installed licenses.
If you specify the "-x" parameter, the output also shows the signature key for every installed license.
This is the same command as "cplic print" on page 212.


Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic


License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@MyHostName:0]#


cp_conf sic
Description
Manages SIC on the Security Gateway.
For additional information, see sk65764: How to reset SIC.

Note - This command corresponds to the option Secure Internal Communication in the "cpconfig" on page 201 menu.

Syntax

cp_conf
      -h
      sic
            cert_pull <Management Server> <DAIP GW object>
            init <Activation Key> [norestart]
            state

Parameters

Parameter Description

-h   Shows the built-in usage.

cert_pull <Management Server> <DAIP GW object>   For DAIP Security Gateways, pulls a SIC certificate from the specified Management Server for the specified DAIP Security Gateway:
n <Management Server> - IPv4 address or HostName of the Security Management Server or Domain Management Server
n <DAIP GW object> - Name of the DAIP Security Gateway object as configured in SmartConsole

init <Activation Key> [norestart]   Resets the one-time SIC activation key.
The optional parameter "norestart" specifies not to restart Check Point services.

state   Shows the current state of the SIC Trust.

Example

[Expert@MyGW:0]# cp_conf sic state

Trust State: Trust established

[Expert@MyGW:0]#


cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool lets you configure specific settings for the installed Check Point products.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax

cpconfig

Menu Options

Note - The options shown depend on the configuration and installed products.

Menu Option Description

Licenses and contracts   Manages Check Point licenses and contracts on this Security Gateway or Cluster Member.

SNMP Extension   Obsolete. Do not use this option anymore.
To configure SNMP, see the R81 Gaia Administration Guide - Chapter System Management - Section SNMP.

PKCS#11 Token   Registers a cryptographic token for use by the Gaia Operating System.
See details of the token, and test its functionality.

Random Pool   Configures the RSA keys to be used by the Gaia Operating System.

Secure Internal Communication   Manages SIC on the Security Gateway or Cluster Member.
This change requires a restart of Check Point services on the Security Gateway or Cluster Member.
For more information, see:
n The R81 Security Management Administration Guide.
n sk65764: How to reset SIC.

Enable cluster membership for this gateway   Enables the cluster membership on the Security Gateway.
This change requires a reboot of the Security Gateway.
For more information, see the:
n R81 Installation and Upgrade Guide.
n R81 ClusterXL Administration Guide.

Disable cluster membership for this gateway   Disables the cluster membership on the Security Gateway.
This change requires a reboot of the Security Gateway.
For more information, see the:
n R81 Installation and Upgrade Guide.
n R81 ClusterXL Administration Guide.

Enable Check Point Per Virtual System State   Enables Virtual System Load Sharing on the VSX Cluster Member.
For more information, see the R81 VSX Administration Guide.

Disable Check Point Per Virtual System State   Disables Virtual System Load Sharing on the VSX Cluster Member.
For more information, see the R81 VSX Administration Guide.

Enable Check Point ClusterXL for Bridge Active/Standby   Enables Check Point ClusterXL for Bridge mode.
This change requires a reboot of the Cluster Member.
For more information, see the:
n R81 Installation and Upgrade Guide.
n R81 ClusterXL Administration Guide.

Disable Check Point ClusterXL for Bridge Active/Standby   Disables Check Point ClusterXL for Bridge mode.
This change requires a reboot of the Cluster Member.
For more information, see the:
n R81 Installation and Upgrade Guide.
n R81 ClusterXL Administration Guide.

Check Point CoreXL   Manages CoreXL on the Security Gateway or Cluster Member.
After all changes in the CoreXL configuration, you must reboot the Security Gateway or Cluster Member.
For more information, see the R81 Performance Tuning Administration Guide.

Automatic start of Check Point Products   Shows and controls which of the installed Check Point products start automatically during boot.

Exit   Exits from the Check Point Configuration Tool.


Example 1 - Menu on a single Security Gateway

[Expert@MySingleGW:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Check Point CoreXL
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

Example 2 - Menu on a Cluster Member

[Expert@MyClusterMember:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :


cpinfo
Description
A utility that collects diagnostics data on your Check Point computer at the time of execution.
It is mandatory to collect these data when you contact Check Point Support about an issue on your Check
Point computer.
For more information, see sk92739.


cplic
Description
The cplic command lets you manage Check Point licenses.
You can run this command in Gaia Clish or in the Expert Mode.
License Management is divided into three types of commands:

Licensing Commands   Applies To   Description

Local licensing commands   Management Servers, Security Gateways and Cluster Members   You execute these commands locally on the Check Point computers.

Remote licensing commands   Management Servers only   You execute these commands on the Security Management Server or Domain Management Server. These changes affect the managed Security Gateways and Cluster Members.

License Repository commands   Management Servers only   You execute these commands on the Security Management Server or Domain Management Server. These changes affect the licenses stored in the local license repository.

For more about managing licenses, see the R81 Security Management Administration Guide.

Syntax for Local Licensing on a Security Gateway or Cluster Member

cplic [-d]
{-h | -help}
      check <options>
      contract <options>
      del <options>
      print <options>
      put <options>


Parameters

Parameter Description

-d   Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}   Shows the applicable built-in usage.

check <options>   Confirms that the license includes the feature on the local Security Gateway or Security Management Server.
See "cplic check" on page 207.

contract <options>   Manages (deletes and installs) the Check Point Service Contract on the local Check Point computer.
See "cplic contract" on page 209.

del <options>   Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
See "cplic del" on page 211.

print <options>   Prints details of the installed Check Point licenses on the local Check Point computer.
See "cplic print" on page 212.

put <options>   Installs and attaches licenses on a Check Point computer.
See "cplic put" on page 214.


cplic check
Description
Confirms that the license includes the feature on the local Security Gateway or Management Server. See
sk66245.

Syntax

cplic check {-h | -help}

cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

Parameter Description

{-h | -help}   Shows the applicable built-in usage.

-d   Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <Product>   Product, for which license information is requested.
Some examples of products:
n fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member (all blades), or Management Server (all blades)
n mgmt - Multi-Domain Server infrastructure
n services - Entitlement for various services
n cvpn - Mobile Access
n etm - QoS (FloodGate-1)
n eps - Endpoint Software Blades on Management Server

-v <Version>   Product version, for which license information is requested.

{-c | -count}   Outputs the number of licenses connected to this feature.

-t <Date>   Checks the license status on a future date.
Use the format ddmmyyyy.
A feature can be valid on a given date on one license, but invalid on another.

{-r | -routers}   Checks how many routers are allowed.
The <Feature> option is not needed.

{-S | -SRusers}   Checks how many SecuRemote users are allowed.

<Feature>   Feature, for which license information is requested.

Example from a Security Gateway


[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf
fw1:6.0:av fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect
fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited
fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam
fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm
fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member


[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#


cplic contract
Description
Deletes the Check Point Service Contract on the local Check Point computer.
Installs the Check Point Service Contract on the local Check Point computer.

Note
n For more information about Service Contract files, see sk33089: What is a
Service Contract File?
n If you install a Service Contract on a managed Security Gateway / Cluster
Member, you must update the license repository on the applicable Management
Server - either with the "cplic get" command, or in SmartUpdate.

Syntax

cplic contract -h

cplic [-d] contract
      del
            -h
            <Service Contract ID>
      put
            -h
            [{-o | -overwrite}] <Service Contract File>


Parameters

Parameter Description

{-h | -help}   Shows the applicable built-in usage.

-d   Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

del   Deletes the Service Contract from the $CPDIR/conf/cp.contract file on the local Check Point computer.

put   Merges the Service Contract into the $CPDIR/conf/cp.contract file on the local Check Point computer.

<Service Contract ID>   ID of the Service Contract.

{-o | -overwrite}   Specifies to overwrite the current Service Contract.

<Service Contract File>   Path to and the name of the Service Contract file.
First, you must download the Service Contract file from your Check Point User Center account.


cplic del
Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
This command can delete a license both on the local computer and on remote managed computers.

Syntax

cplic del {-h | -help}

cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-F <Output File>
    Saves the command output to the specified file.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" command (see page 212).

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined in SmartConsole.


cplic print
Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed
licenses (both Local and Central).

Syntax

cplic print {-h | -help}

cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | -preatures}] [-D]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signature.

{-t | -type}
    Prints licenses showing their type: Central or Local.

-F <Output File>
    Saves the command output to the specified file.

{-p | -preatures}
    Prints licenses resolved to primitive features.

-D
    On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print
Host            Expiration    Features
192.168.3.28    25Aug2019     CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#


Example 2

[Expert@HostName:0]# cplic print -x
Host            Expiration    Signature                          Features
192.168.3.28    25Aug2019     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#
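
An added example (this is not code from the Check Point guide): an expired or soon-to-expire license is a common cause of a gateway silently losing blade functionality, so the shell function below reads the plain "cplic print" layout shown in Example 1 (Host, Expiration, Features, without "-x") and reports every license that is already expired or that expires within a given number of days. It parses the DDMonYYYY expiration format itself, so it does not depend on "date -d". The sample output, the reference date and the function name are constructed for this example.

```shell
# Added example (not Check Point code): report licenses that are expired or
# expire within a window, from the output of "cplic print" (without -x).
# Usage: cplic print | cplic_expiring <reference date YYYY-MM-DD> <window in days>
cplic_expiring() {
    awk -v today="$1" -v window="$2" '
    # Days since 1970-01-01 for a proleptic Gregorian date (no "date -d" needed).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        y -= (m <= 2)
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        split(today, p, "-")
        ref = days_from_civil(p[1] + 0, p[2] + 0, p[3] + 0)
    }
    # Skip the header row; a "never" license cannot expire.
    $2 == "Expiration" || $2 == "never" { next }
    {
        # The expiration column is printed as DDMonYYYY, for example 25Aug2019.
        d = substr($2, 1, 2) + 0
        mi = index("JanFebMarAprMayJunJulAugSepOctNovDec", substr($2, 3, 3))
        if (mi == 0) { print "unparsed expiration: " $2 > "/dev/stderr"; next }
        m = (mi + 2) / 3
        y = substr($2, 6, 4) + 0
        left = days_from_civil(y, m, d) - ref
        if (left > window) next
        # Everything after the expiration column is the feature/SKU string.
        feat = $3
        for (i = 4; i <= NF; i++) feat = feat " " $i
        printf "%s %s %s %d %s\n", (left < 0) ? "EXPIRED" : "EXPIRING", $1, $2, left, feat
    }'
}

# Constructed sample in the layout "cplic print" uses (not real license data).
SAMPLE_CPLIC_PRINT='Host            Expiration   Features
192.168.3.28    25Aug2019    CPMP-XXX CK-XXXXXXXXXXXX
192.168.3.28    never        CPSB-SWB CK-CONSTRUCTED01
192.168.3.28    01Jan2019    CPSB-EVAL CK-CONSTRUCTED02'

# On a gateway you would run:  cplic print | cplic_expiring "$(date +%F)" 30
printf '%s\n' "$SAMPLE_CPLIC_PRINT" | cplic_expiring 2019-08-01 30
```

Run against the constructed sample with a reference date of 2019-08-01 and a 30-day window, the function reports the 25Aug2019 license as EXPIRING in 24 days and the 01Jan2019 license as EXPIRED 212 days ago, and stays silent about the perpetual license. Because central licenses are also listed on a Security Gateway / Cluster Member, run it on the gateway rather than only on the Management Server.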


cplic put
Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}

cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}] [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-o | -overwrite}
    On a Security Gateway / Cluster Member, this command erases only the local licenses, but not central licenses that are installed remotely.

{-c | -check-only}
    Verifies the license. Checks if the IP of the license matches the Check Point computer and if the signature is valid.

{-s | -select}
    Selects only the local license whose IP address matches the IP address of the Check Point computer.

-F <Output File>
    Saves the command output to the specified file.

{-P | -Pre-boot}
    Use this option after you have upgraded and before you reboot the Check Point computer.
    Use of this option will prevent certain error messages.

{-K | -kernel-only}
    Pushes the current valid licenses to the kernel.
    For use by Check Point Support only.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Gateway / Cluster Member for a local license.
    Hostname or IP address of the Security Management Server / Domain Management Server for a central license.

<Expiration Date>
    The license expiration date.

<Signature>
    The signature string within the license.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic
Host            Expiration    SKU
192.168.2.3     14Jan2016     CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#


cpprod_util
Description
This utility lets you work with the Check Point Registry ($CPDIR/registry/HKLM_registry.data) without manually opening it:
- Shows which Check Point products and features are enabled on this Check Point computer.
- Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}

cpprod_util -dump

Parameters

CPPROD_GetValue
    Gets the configuration status of the specified product or feature:
    - 0 - Disabled
    - 1 - Enabled

CPPROD_SetValue
    Sets the configuration for the specified product or feature.
    Important - Do not run these commands unless explicitly instructed by Check Point Support or R&D to do so.

"<Product>"
    Specifies the product or feature.

"<Parameter>"
    Specifies the configuration parameter for the specified product or feature.

"<Value>"
    Specifies the value of the configuration parameter for the specified product or feature:
    - One of these integers: 0, 1, 4
    - A string

-dump
    Creates a dump file of the Check Point Registry ($CPDIR/registry/HKLM_registry.data) in the current working directory. The name of the output file is RegDump.


Notes
- On a Multi-Domain Server, you must run this command in the context of the relevant Domain Management Server.
- If you run the cpprod_util command without parameters, it prints:
  - The list of all available products and features (for example, "FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
  - The type of the expected argument when you configure a product or feature ("no-parameter", "string-parameter", or "integer-parameter")
  - The type of the returned output ("status-output", or "no-output")
- To redirect the output of the cpprod_util command, it is necessary to redirect the stderr to stdout:

  cpprod_util <options> > <output file> 2>&1

  Example:

  cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples

Example - Checking if this Check Point computer is configured as a Standalone

[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Showing a list of all installed Check Point Products Packages on a Security Gateway

[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway

[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled

[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the SmartProvisioning is enabled

[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode

[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of a Full HA cluster

[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with Dynamically Assigned IP (DAIP)

[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses

[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#


cpstart
Description
Manually starts all Check Point processes and applications.

Syntax

cpstart [-fwflag {-default | -proc | -driver}]

Parameters

Important - These parameters are for Check Point internal use. Do not use them, unless explicitly instructed by Check Point Support or R&D to do so.

-fwflag -default
    Starts Check Point processes and loads the Default Filter policy (defaultfilter).

-fwflag -proc
    Starts Check Point processes.

-fwflag -driver
    Loads the Check Point kernel modules.


cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o
<Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    The output shows the SNMP queries and SNMP responses for the applicable SNMP OIDs.

-h <Host>
    Optional.
    When you run this command on a Management Server, this parameter specifies the managed Security Gateway.
    <Host> is an IPv4 address, a resolvable hostname, or a DAIP object name.
    The default is localhost.
    Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>.

-p <Port>
    Optional.
    Port number of the Application Monitoring (AMON) server.
    The default port is 18192.

-s <SICname>
    Optional.
    Secure Internal Communication (SIC) name of the Application Monitoring (AMON) server.

-f <Flavor>
    Optional.
    Specifies the type of the information to collect.
    If you do not specify a flavor explicitly, the command uses the first flavor in the <Application Flag>. To see all flavors, run the cpstat command without any parameters.

-o <Polling Interval>
    Optional.
    Specifies the polling interval (in seconds) - how frequently the command collects and shows the information.
    Examples:
    - 0 - The command shows the results only once and then stops (this is the default value).
    - 5 - The command shows the results every 5 seconds in the loop.
    - 30 - The command shows the results every 30 seconds in the loop.
    - N - The command shows the results every N seconds in the loop.
    Use this parameter together with the "-c <Count>" parameter and the "-e <Period>" parameter.
    Example:
    cpstat os -f perf -o 2

-c <Count>
    Optional.
    Specifies how many times the command runs and shows the results before it stops.
    You must use this parameter together with the "-o <Polling Interval>" parameter.
    Examples:
    - 0 - The command shows the results repeatedly every <Polling Interval> (this is the default value).
    - 10 - The command shows the results 10 times every <Polling Interval> and then stops.
    - 20 - The command shows the results 20 times every <Polling Interval> and then stops.
    - N - The command shows the results N times every <Polling Interval> and then stops.
    Example:
    cpstat os -f perf -o 2 -c 2

-e <Period>
    Optional.
    Specifies the time (in seconds) over which the command calculates the statistics.
    You must use this parameter together with the "-o <Polling Interval>" parameter.
    You can use this parameter together with the "-c <Count>" parameter.
    Example:
    cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag>
    Mandatory.
    See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are supported only by a Security Gateway, and some flags are supported only by a Management Server.

Each entry below gives the Feature or Software Blade, its application Flag, and the Flavors the flag accepts.

blades - List of enabled Software Blades
    Flavors: fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi, anti_bot, default, content_awareness, threat-emulation, default

os - Operating System
    Flavors: default, ifconfig, routing, routing6, memory, old_memory, cpu, disk, perf, multi_cpu, multi_disk, raidInfo, sensors, power_supply, hw_info, all, average_cpu, average_memory, statistics, updates, licensing, connectivity, vsx

fw - Firewall
    Flavors: default, interfaces, policy, perf, hmem, kmem, inspect, cookies, chains, fragments, totals, totals64, ufp, http, ftp, telnet, rlogin, smtp, pop3, sync, log_connection, all

https_inspection - HTTPS Inspection
    Flavors: default, hsm_status, all

identityServer - Identity Awareness
    Flavors: default, authentication, logins, ldap, components, adquery, idc, muh

appi - Application Control
    Flavors: default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

urlf - URL Filtering
    Flavors: default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

ips - IPS
    Flavors: default, statistics, all

ci - Anti-Virus
    Flavors: default

antimalware - Threat Prevention
    Flavors: default, scanned_hosts, scanned_mails, subscription_status, update_status, ab_prm_contracts, av_prm_contracts, ab_prm_contracts, av_prm_contracts

threat-emulation - Threat Emulation
    Flavors: default, general_statuses, update_status, scanned_files, malware_detected, scanned_on_cloud, malware_on_cloud, average_process_time, emulated_file_size, queue_size, peak_size, file_type_stat_file_scanned, file_type_stat_malware_detected, file_type_stat_cloud_scanned, file_type_stat_cloud_malware_scanned, file_type_stat_filter_by_analysis, file_type_stat_cache_hit_rate, file_type_stat_error_count, file_type_stat_no_resource_count, contract, downloads_information_current, downloading_file_information, queue_table, history_te_incidents, history_te_comp_hosts

scrub - Threat Extraction
    Flavors: default, subscription_status, threat_extraction_statistics

cvpn - Mobile Access
    Flavors: cvpnd, sysinfo, products, overall

vsx - VSX
    Flavors: default, stat, traffic, conns, cpu, all, memory, cpu_usage_per_core

vpn - IPsec VPN
    Flavors: default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics, watermarks, all

dlp - Data Loss Prevention
    Flavors: default, dlp, exchange_agents, fingerprint

ctnt - Content Awareness
    Flavors: default

fg - QoS
    Flavors: all

ha - High Availability
    Flavors: default, all

polsrv - Policy Server for Remote Access VPN clients
    Flavors: default, all

dtps - Desktop Policy Server for Remote Access VPN clients
    Flavors: default, all

gx - LTE / GX
    Flavors: default, contxt_create_info, contxt_delete_info, contxt_update_info, contxt_path_mng_info, GXSA_GPDU_info, contxt_initiate_info, gtpv2_create_info, gtpv2_delete_info, gtpv2_update_info, gtpv2_path_mng_info, gtpv2_cmd_info, all

mg - Management Server
    Flavors: default, log_server, indexer

ca - Certificate Authority
    Flavors: default, crl, cert, user, all

cpsemd - SmartEvent
    Flavors: default

cpsead - SmartEvent Correlation Unit
    Flavors: default

ls - Log Server
    Flavors: default

vsec - CloudGuard Controller
    Flavors: default

svr - SmartReporter
    Flavors: default

PA - Provisioning Agent
    Flavors: default

thresholds - Thresholds configured with the threshold_config command
    Flavors: default, active_thresholds, destinations, error

persistency - Historical status values
    Flavors: product, TableConfig, SourceConfig


Examples

Example - Interfaces on a Security Gateway

[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
-------------------------------------------------------------------------------------------------------------------
|Name|IP           |Netmask      |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
-------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth1| 172.30.60.80|255.255.255.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth2|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth3|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth4|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth5|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth6|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth7|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
-------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway

[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total   |Accept|Deny    |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out|   33016| 33016|       0|  0|
|eth1|in | 2360350|     0| 2360350|  0|
|eth1|out|       0|     0|       0|  0|
|eth2|in | 2360350|     0| 2360350|  0|
|eth2|out|       0|     0|       0|  0|
|eth3|in | 2348704|     0| 2348704|  1|
|eth3|out|       0|     0|       0|  0|
|eth4|in | 2360350|     0| 2360350|  0|
|eth4|out|       0|     0|       0|  0|
---------------------------------------
|    |   |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#


Example - CPU utilization

[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance

[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#
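
An added example (not code from the Check Point guide): when "cpstat os -f perf" is run with "-o <Polling Interval>" and "-c <Count>", it prints one block of "Key: Value" lines per sample, as the Performance example above shows, and an operator normally wants a one-line summary rather than the raw blocks. The shell function below reads that output, counts the samples, averages and maxes the CPU Usage, keeps the lowest Free Real Memory seen, and appends LOW_DISK when Disk Free Space falls under a threshold. The sample input is constructed in the layout shown above, and the function name, the default threshold of 20% and the output format are assumptions of this example.

```shell
# Added example (not Check Point code): summarise repeated samples printed by
# "cpstat os -f perf -o <interval> -c <count> [-e <period>]".
# Usage: cpstat os -f perf -o 2 -c 5 | cpstat_perf_summary [disk free % threshold]
cpstat_perf_summary() {
    awk -F': ' -v disk_min="${1:-20}" '
    # Every sample block starts with this line, so it doubles as the sample counter.
    /^Total Virtual Memory/ { samples++ }
    /^CPU Usage \(%\)/ {
        cpu = $2 + 0
        cpu_sum += cpu
        if (cpu > cpu_max) cpu_max = cpu
    }
    /^Free Real Memory/ {
        if (free_min == "" || $2 + 0 < free_min) free_min = $2 + 0
    }
    /^Disk Free Space \(%\)/ { disk = $2 + 0 }
    END {
        if (samples == 0) { print "no samples found"; exit 1 }
        printf "samples=%d cpu_avg=%.1f cpu_max=%d free_real_min=%.0f disk_free_pct=%d%s\n",
            samples, cpu_sum / samples, cpu_max, free_min, disk,
            (disk < disk_min) ? " LOW_DISK" : ""
    }'
}

# Constructed two-sample input in the layout "cpstat os -f perf" prints
# (only the lines the summary reads are included).
SAMPLE_CPSTAT_PERF='Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Free Real Memory (Bytes): 4489732096
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Free Real Memory (Bytes): 4489506816
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296'

# On a gateway you would run:  cpstat os -f perf -o 2 -c 5 -e 60 | cpstat_perf_summary
printf '%s\n' "$SAMPLE_CPSTAT_PERF" | cpstat_perf_summary
```

The "-F': '" field separator splits each line at the first ": ", so values such as "-" (a statistic the platform does not report) simply become 0 and are ignored. With the constructed input the summary is "samples=2 cpu_avg=1.5 cpu_max=3 free_real_min=4489506816 disk_free_pct=61"; raising the threshold above 61 adds " LOW_DISK", and an empty input makes the function exit with status 1 so a cron job can distinguish "no data" from a healthy host.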


cpstop
Description
Manually stops all Check Point processes and applications.

Syntax

cpstop [-fwflag {-default | -proc | -driver}]

Parameters

Important - These parameters are for Check Point internal use. Do not use them, unless explicitly instructed by Check Point Support or R&D to do so.

-fwflag -default
    - Shuts down Check Point processes
    - Loads the Default Filter policy (defaultfilter)

-fwflag -proc
    - Shuts down Check Point processes
    - Keeps the currently loaded kernel policy
    - Maintains the Connections table, so that after you run the "cpstart" command (see page 219), you do not experience dropped packets because they are "out of state"
    Note - Only security rules that do not use user space processes continue to work.

-fwflag -driver
    Unloads the Check Point kernel modules.
    Therefore, no policy is loaded.
    Warning - This leaves your Security Gateway, or a Cluster Member without protection. Before you run this command, we recommend to disconnect your Security Gateway, or a Cluster Member from the network completely.

Example
See these articles:
n sk35496
n sk113045


cpview
Overview of CPView
Description
CPView is a text-based built-in utility on a Check Point computer.
CPView shows statistical data that contains both general system information (CPU, Memory, Disk space) and information for different Software Blades (only on a Security Gateway).
CPView continuously updates the data in easy-to-access views.
On a Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Header
    This view shows the time the statistics in the third view are collected.
    It updates when you refresh the statistics.

Navigation
    This menu bar is interactive. Move between menus with the arrow keys and mouse.
    A menu can have sub-menus and they show under the menu bar.

View
    This view shows the statistics collected in that view.
    These statistics update at the refresh rate.


Using CPView
Use these keys to navigate the CPView:

Arrow keys
    Moves between menus and views. Scrolls in a view.

Home
    Returns to the Overview view.

Enter
    Changes to the View Mode.
    On a menu with sub-menus, the Enter key moves you to the lowest level sub-menu.

Esc
    Returns to the Menu Mode.

Q
    Quits CPView.

Use these keys to change CPView interface options:

R
    Opens a window where you can change the refresh rate.
    The default refresh rate is 2 seconds.

W
    Changes between wide and normal display modes.
    In wide mode, CPView fits the screen horizontally.

S
    Manually sets the number of rows or columns.

M
    Switches on/off the mouse.

P
    Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

C
    Saves the current page to a file. The file name format is:
    cpview_<ID of the cpview process>.cap<Number of the capture>

H
    Shows a tooltip with CPView options.

Space bar
    Immediately refreshes the statistics.


dynamic_objects
Description
Manages dynamic objects and their applicable ranges of IP addresses on the Security Gateway.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Workflow

Step 1 - In SmartConsole:
    1. Define the applicable dynamic object.
    2. Install the Access Control Policy on the Security Gateway.

Step 2 - On the Security Gateway, run the dynamic_objects command to:
    1. Create the applicable dynamic object with the same name.
    2. Assign the applicable ranges of IP addresses to the new dynamic object.


Syntax
- To show all configured dynamic objects and their ranges of IP addresses:

  dynamic_objects -l

- To create a new dynamic object (and assign a range of IP addresses to it):

  dynamic_objects -n <object_name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a]

- To add a new range of IP addresses to the specific existing dynamic object:

  dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a

- To delete a range of IP addresses from the specific existing dynamic object:

  dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -d

- To update the specific existing dynamic object (and assign a different range of IP addresses to it):

  dynamic_objects -u <object_name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]]

- To compare the configured dynamic objects and objects configured in SmartConsole:

  dynamic_objects -c

- To delete the specific existing dynamic object (and all ranges of IP addresses assigned to it):

  dynamic_objects -do <object_name>

- To delete all the existing dynamic objects (and all ranges of IP addresses assigned to them):

  dynamic_objects -e


Parameters

<object_name>
    Specifies the name of the object:
    - As defined in SmartConsole
    - As defined with the "dynamic_objects -n <object name>" command

-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]
    Specifies the ranges of IP addresses in the format of pairs: <From_IP_Address> <To_IP_Address>
    For example, to specify two ranges, from 192.168.2.30 to 192.168.2.40 and from 192.168.2.50 to 192.168.2.60, enter these four IP addresses:
    192.168.2.30 192.168.2.40 192.168.2.50 192.168.2.60

-a
    Adds the specified ranges of IP addresses to the specified dynamic object.

-c
    Compares the dynamic objects in the dynamic objects database ($FWDIR/database/dynamic_objects.db) and in the $FWDIR/conf/objects.C file.

-d
    Deletes the range of IP addresses from the dynamic object.

-do
    Deletes the specified dynamic object.

-e
    Deletes all configured dynamic objects from the dynamic objects database ($FWDIR/database/dynamic_objects.db).

-l
    Lists the configured dynamic objects in the dynamic objects database ($FWDIR/database/dynamic_objects.db).

-n
    Creates a new dynamic object.

-u
    Updates the specified dynamic object.
    If you specify a range of IP addresses, then the new range replaces all ranges that are currently assigned to this dynamic object.

Example 1 - Create a new dynamic object named "bigserver" and assign to it the range of IP addresses 192.168.2.30-192.168.2.40

Run these two commands:

dynamic_objects -n bigserver
dynamic_objects -o bigserver -r 192.168.2.30 192.168.2.40 -a

Or this single command:

dynamic_objects -n bigserver -r 192.168.2.30 192.168.2.40 -a


Example 2 - Update the ranges of IP addresses assigned to the dynamic object named "bigserver" from
the current range to the new range 192.168.2.60-192.168.2.80
dynamic_objects -u bigserver -r 192.168.2.60 192.168.2.80
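
An added example (not code from the Check Point guide): the "-r" argument list is a flat sequence of addresses that dynamic_objects pairs up as <From_IP_Address> <To_IP_Address>, so a missing address, a typo in an octet or an inverted pair silently changes which hosts the Access Control rule matches. The shell functions below validate such a list on the gateway before the command is issued: each address must be a well-formed IPv4 address, the count must be even, and each pair must be ascending. The add_ranges wrapper, the DRY_RUN variable and the error messages are assumptions of this example; only the final "dynamic_objects -o <object_name> -r ... -a" line is the documented command.

```shell
# Added example (not Check Point code): validate "-r" range pairs before
# passing them to "dynamic_objects -o <object_name> -r <pairs> -a".

# ip4_to_int: prints the 32-bit value of a dotted-quad IPv4 address, or
# returns 1 if the argument is not a well-formed address.
ip4_to_int() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Reject leading zeros: the shell would read 010 as octal.
        case $o in 0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_ip_ranges: validates the address list (even count, valid IPv4,
# every <FromIP> <ToIP> pair ascending) and prints the accepted pairs.
check_ip_ranges() {
    [ $# -gt 0 ] && [ $(( $# % 2 )) -eq 0 ] || {
        echo "error: addresses must come in <FromIP> <ToIP> pairs" >&2; return 1; }
    while [ $# -gt 0 ]; do
        from=$(ip4_to_int "$1") || { echo "error: invalid IPv4 address: $1" >&2; return 1; }
        to=$(ip4_to_int "$2")   || { echo "error: invalid IPv4 address: $2" >&2; return 1; }
        [ "$from" -le "$to" ]   || { echo "error: range $1-$2 is not ascending" >&2; return 1; }
        echo "$1 $2"
        shift 2
    done
}

# add_ranges: runs "dynamic_objects -o <object_name> -r <pairs> -a" only after
# the pairs pass validation. With DRY_RUN=1 the command line is printed instead.
add_ranges() {
    name=$1; shift
    check_ip_ranges "$@" >/dev/null || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dynamic_objects -o $name -r $* -a"
    else
        dynamic_objects -o "$name" -r "$@" -a
    fi
}

# Constructed demo: the two ranges from the "-r" parameter description above.
DRY_RUN=1 add_ranges bigserver 192.168.2.30 192.168.2.40 192.168.2.50 192.168.2.60
if ! check_ip_ranges 192.168.2.40 192.168.2.30 >/dev/null 2>&1; then
    echo "rejected an inverted range, as intended"
fi
```

Run on the gateway without DRY_RUN, add_ranges issues the real command; the validation is purely local and needs no Check Point binaries, so the same script can be tested on a workstation first. On a Cluster, run it on every Cluster Member, as the Important note above requires.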


cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes such as
Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products and
Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log file.
The cpwd_admin utility shows the status of the monitored processes, and configures the Check Point
WatchDog.

There are two types of Check Point WatchDog monitoring:

Passive
    WatchDog restarts the process only when the process terminates abnormally.
    In the output of the cpwd_admin list command, the MON column shows N for passively monitored processes.

Active
    WatchDog checks the process status every predefined interval.
    WatchDog makes sure the process is alive, as well as properly functioning (not stuck on deadlocks, frozen, and so on).
    In the output of the cpwd_admin list command, the MON column shows Y for actively monitored processes.
    The list of actively monitored processes is predefined by Check Point. Users cannot change or configure it.

Syntax

cpwd_admin
      config <options>
      del <options>
      detach <options>
      exist
      flist <options>
      getpid <options>
      kill
      list <options>
      monitor_list
      start <options>
      start_monitor
      stop <options>
      stop_monitor


Parameters

config <options>
    Configures the Check Point WatchDog.
    See "cpwd_admin config" on page 236.

del <options>
    Temporarily deletes a monitored process from the WatchDog database of monitored processes.
    See "cpwd_admin del" on page 239.

detach <options>
    Temporarily detaches a monitored process from the WatchDog monitoring.
    See "cpwd_admin detach" on page 240.

exist
    Checks whether the WatchDog process cpwd is alive.
    See "cpwd_admin exist" on page 241.

flist <options>
    Saves the status of all monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
    See "cpwd_admin flist" on page 242.

getpid <options>
    Shows the PID of a monitored process.
    See "cpwd_admin getpid" on page 244.

kill <options>
    Terminates the WatchDog process cpwd.
    See "cpwd_admin kill" on page 245.
    Important - Do not run this command unless explicitly instructed by Check Point Support or R&D to do so.

list
    Prints the status of all monitored processes on the screen.
    See "cpwd_admin list" on page 246.

monitor_list
    Prints the status of actively monitored processes on the screen.
    See "cpwd_admin monitor_list" on page 249.

start <options>
    Starts a process as monitored by the WatchDog.
    See "cpwd_admin start" on page 250.

start_monitor
    Starts the active WatchDog monitoring - WatchDog monitors the predefined processes actively.
    See "cpwd_admin start_monitor" on page 252.

stop <options>
    Stops a monitored process.
    See "cpwd_admin stop" on page 253.

stop_monitor
    Stops the active WatchDog monitoring - WatchDog monitors all processes only passively.
    See "cpwd_admin stop_monitor" on page 255.


cpwd_admin config
Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
      -h
      -a <options>
      -d <options>
      -p
      -r

Parameters

-h
    Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N>
    Adds the WatchDog configuration parameters.
    Note - Spaces are not allowed between the name of the configuration parameter, the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N>
    Deletes the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-p
    Shows the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-r
    Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:


Configuration Accepted
Description
Parameter Values

default_ Text string up On a VSX Gateway, configures the CTX value that is assigned to
ctx to 128 monitored processes, for which no CTX is specified.
characters

display_ n 0 On a VSX Gateway, configures whether the WatchDog shows the


ctx (default) CTX column in the output of the cpwd_admin list command
n 1 (between the APP and the PID columns):

n 0 - Does not show the CTX column


n 1 - Shows the CTX column

no_limit n Range: If rerun_mode=1, specifies the maximal number of times the


-1, 0, >0 WatchDog tries to restart a process.
n Default:
5 n -1 - Always tries to restart
n 0 - Never tries to restart
n >0 - Tries this number of times

num_of_ n Range: Configures the maximal number of processes managed by the


procs 30 - WatchDog.
2000
n Default:
2000

rerun_ n 0 Configures whether the WatchDog restarts processes after they fail:
mode n 1
(default) n 0 - Does not restart a failed process. Monitor and log only.
n 1 - Restarts a failed process (this is the default).

reset_ n Range: Configures the time (in seconds) the WatchDog waits after the
startups >0 process starts and before the WatchDog resets the process's
n Default: startup_counter to 0.
3600 To see the process's startup counter, in the output of the cpwd_
admin list command, refer to the #START column.

sleep_ n 0 Configures how the WatchDog restarts the process:


mode n 1
(default) n 0 - Ignores timeout and restarts the process immediately
n 1 - Waits for the duration of sleep_timeout

sleep_ n Range: If rerun_mode=1, specifies how much time (in seconds) passes
timeout 0 - 3600 from a process failure until WatchDog tries to restart it.
n Default:
60

stop_ n Range: Configures the time (in seconds) the WatchDog waits for a process
timeout >0 stop command to complete.
n Default:
60

Next Generation Security Gateway R81 Administration Guide      |      237


cpwd_admin config

Configuration Accepted
Description
Parameter Values

zero_ n Range: After failing no_limit times to restart a process, the WatchDog
timeout >0 waits zero_timeout seconds before it tries again.
n Default: The value of the zero_timeout must be greater than the value of
7200 the timeout.

The WatchDog saves the user defined configuration parameters in the $CPDIR/registry/HKLM_
registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"
: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...

Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
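Added example, not from the guide: a POSIX sh pre-check that validates "name=value" pairs against the configuration parameter table above (known names, the 0/1 flags, the numeric ranges, the no-spaces rule) and builds the cpwd_admin config -a command line without running it. The comparison of zero_timeout against sleep_timeout assumes that "the timeout" in the table means sleep_timeout.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: validates "name=value" pairs
# against the cpwd_admin config parameter table before they are applied.
# A rejected value is caught here instead of after a cpstop ; cpstart cycle.

# Returns 0 if $1 is a (possibly negative) decimal integer, 1 otherwise.
wd_is_int() {
    case $1 in
        ''|-) return 1 ;;
        -*) case ${1#-} in ''|*[!0-9]*) return 1 ;; esac ;;
        *[!0-9]*) return 1 ;;
    esac
    return 0
}

# Checks one "name=value" pair. Ranges follow the table in the guide; an
# unknown name, whitespace anywhere in the pair, or an out-of-range value fails.
wd_check_param() {
    pair=$1
    case $pair in
        *[[:space:]]*) echo "spaces are not allowed in '$pair'" >&2; return 1 ;;
        *=*) ;;
        *) echo "expected name=value, got '$pair'" >&2; return 1 ;;
    esac
    name=${pair%%=*}
    value=${pair#*=}
    case $name in
        default_ctx)
            [ ${#value} -le 128 ] ||
                { echo "default_ctx: text string must be up to 128 characters" >&2; return 1; } ;;
        display_ctx|rerun_mode|sleep_mode)
            case $value in
                0|1) ;;
                *) echo "$name: accepted values are 0 and 1" >&2; return 1 ;;
            esac ;;
        no_limit)
            wd_is_int "$value" && [ "$value" -ge -1 ] ||
                { echo "no_limit: accepted values are -1, 0 or >0" >&2; return 1; } ;;
        num_of_procs)
            wd_is_int "$value" && [ "$value" -ge 30 ] && [ "$value" -le 2000 ] ||
                { echo "num_of_procs: range is 30 - 2000" >&2; return 1; } ;;
        sleep_timeout)
            wd_is_int "$value" && [ "$value" -ge 0 ] && [ "$value" -le 3600 ] ||
                { echo "sleep_timeout: range is 0 - 3600 seconds" >&2; return 1; } ;;
        reset_startups|stop_timeout|zero_timeout)
            wd_is_int "$value" && [ "$value" -gt 0 ] ||
                { echo "$name: value must be > 0 seconds" >&2; return 1; } ;;
        *)
            echo "unknown WatchDog configuration parameter '$name'" >&2; return 1 ;;
    esac
    return 0
}

# Validates all pairs, applies the cross-parameter rule, and prints the
# command line to run. It deliberately does not execute cpwd_admin.
wd_config_cmd() {
    zt=''
    st=''
    for p in "$@"; do
        wd_check_param "$p" || return 1
        case $p in
            zero_timeout=*)  zt=${p#*=} ;;
            sleep_timeout=*) st=${p#*=} ;;
        esac
    done
    # The guide says zero_timeout must be greater than "the timeout"; this
    # check assumes that means sleep_timeout (an assumption, not the guide's text).
    if [ -n "$zt" ] && [ -n "$st" ] && [ "$zt" -le "$st" ]; then
        echo "zero_timeout ($zt) must be greater than sleep_timeout ($st)" >&2
        return 1
    fi
    echo "cpwd_admin config -a $*"
}

# Demo with the values from the guide's own example; prints the command that
# would then be followed by cpstop ; cpstart.
wd_config_cmd sleep_timeout=120 no_limit=12
```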

cpwd_admin del
Description
Temporarily deletes a monitored process from the WatchDog database of monitored processes.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 246 command does not show the deleted process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 219 command.

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 246 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD
cpwd_admin:
successful Del operation
[Expert@HostName:0]#

cpwd_admin detach
Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 246 command does not show the detached process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 219 command.

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 246 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD
cpwd_admin:
successful Detach operation
[Expert@HostName:0]#

cpwd_admin exist
Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist
cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#

cpwd_admin flist
Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

-full
    Shows the verbose output.

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Output

APP
    Shows the WatchDog name of the monitored process.

CTX
    On a VSX Gateway, shows the VSID, in which the monitored process runs.

PID
    Shows the PID of the monitored process.

STAT
    Shows the status of the monitored process:
    - E - executing
    - T - terminated

#START
    Shows how many times the WatchDog started the monitored process.

START_TIME
    Shows the time when the WatchDog started the monitored process for the last time.

SLP/LIMIT
    In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin" on page 234).

MON
    Shows how the WatchDog monitors this process (see the explanation for the "cpwd_admin" on page 234):
    - Y - Active monitoring
    - N - Passive monitoring

COMMAND
    Shows the command the WatchDog runs to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist
/opt/CPshrd-R81/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#
[Expert@HostName:0]# date --date="@1564617600"
Thu Aug 1 03:00:00 IDT 2019
[Expert@HostName:0]#

cpwd_admin getpid
Description
Shows the PID of a WatchDog monitored process.

Syntax for a Security Gateway

cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 246 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD
5640
[Expert@HostName:0]#

cpwd_admin kill
Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 227 and "cpstart" on page 219 commands.

Syntax

cpwd_admin kill

cpwd_admin list
Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Security Gateway

cpwd_admin list [-full] [-ctx <VSID>]

Parameters

-full
    Shows the verbose output.

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Output

APP
    Shows the WatchDog name of the monitored process.

CTX
    On a VSX Gateway, shows the VSID, in which the monitored process runs.

PID
    Shows the PID of the monitored process.

STAT
    Shows the status of the monitored process:
    - E - executing
    - T - terminated

#START
    Shows how many times the WatchDog started the monitored process.

START_TIME
    Shows the time when the WatchDog started the monitored process for the last time.

SLP/LIMIT
    In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin" on page 234).

MON
    Shows how the WatchDog monitors this process (see the explanation for the "cpwd_admin" on page 234):
    - Y - Active monitoring
    - N - Passive monitoring

COMMAND
    Shows the command the WatchDog runs to start this process.

Examples

Example - Default output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-R81/log/mpdaemon.elg /opt/CPshrd-R81/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 N ci_http_server -j -f /opt/CPsuite-R81/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2019 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 N DAService_script
[Expert@HostName:0]#

Example - Verbose output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list -full
APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R81/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 3/u N
PATH = /opt/CPsuite-R81/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R81/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R81/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R81/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R81/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2019 60/5 Y
PATH = /opt/CPshrd-R81/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R81/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R81/log/mpdaemon.elg /opt/CPshrd-R81/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R81/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R81/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R81/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R81/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R81/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
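Added example, not from the guide: a POSIX sh function that reads cpwd_admin list output and flags processes that are terminated (STAT T) or whose #START count exceeds a threshold, which is how a crash loop shows up before reset_startups zeroes the counter. The sample output is constructed in the format shown above; the function accepts output with or without the CTX column (see display_ctx) and skips the continuation lines of wrapped COMMAND values.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: reads the default
# "cpwd_admin list" output on stdin and reports processes that are terminated
# (STAT T) or that the WatchDog has started more than <max_starts> times
# (#START). Because reset_startups (default 3600 s) zeroes #START once a
# process has stayed up, a count above 1 means restarts within that window,
# the usual sign of a crash loop worth investigating.

# Usage: wd_flag_restarts <max_starts> < list-output
# Prints "APP STAT #START" per flagged process; returns 1 if any were flagged.
wd_flag_restarts() {
    max=${1:-1}
    flagged=0
    has_ctx=0
    while read -r f1 f2 f3 f4 f5 rest; do
        case $f1 in
            '') continue ;;
            APP) [ "$f2" = CTX ] && has_ctx=1; continue ;;   # header line
        esac
        # Column positions shift by one when the CTX column is present.
        if [ "$has_ctx" -eq 1 ]; then
            stat=$f4; starts=$f5
        else
            stat=$f3; starts=$f4
        fi
        # Anything without E/T in the STAT position is a wrapped COMMAND line.
        case $stat in
            E|T) ;;
            *) continue ;;
        esac
        if [ "$stat" = T ] || [ "$starts" -gt "$max" ]; then
            echo "$f1 $stat $starts"
            flagged=1
        fi
    done
    return $flagged
}

# Constructed sample in the format shown above (not real gateway output):
# FWD is terminated, RAD has been started three times, and MPDAEMON's
# COMMAND wraps onto a second line as it does in the guide.
WD_SAMPLE='APP CTX PID STAT #START START_TIME MON COMMAND
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
FWD 0 5640 T 4 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 3 [18:14:28] 23/5/2019 N rad
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-
R81/conf/mpdaemon.conf'

printf '%s\n' "$WD_SAMPLE" | wd_flag_restarts 1 ||
    echo "WatchDog: one or more processes need attention" >&2
```

On a live gateway, replace the printf with `cpwd_admin list | wd_flag_restarts 1` and pair the result with the SLP/LIMIT values from `cpwd_admin list -full`.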

cpwd_admin monitor_list
Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 234.

Syntax

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list
cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#

cpwd_admin start
Description
Starts a process as monitored by the WatchDog.

Syntax on a Security Gateway

cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

-name <Application Name>
    Name, under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable including the executable name.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R81/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd"
    - For CPM: "/opt/CPsuite-R81/fw1/scripts/cpm.sh"
    - For SICTUNNEL: "/opt/CPshrd-R81/bin/cptnl"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "fwm"
    - For FWM on Multi-Domain Server: "fwm mds"
    - For FWD: "fwd"
    - For CPD: "cpd"
    - For CPM: "/opt/CPsuite-R81/fw1/scripts/cpm.sh -s"
    - For SICTUNNEL: "/opt/CPshrd-R81/bin/cptnl -c "/opt/CPuepm-R81/engine/conf/cptnl_srv.conf""

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

-slp_timeout <Timeout>
    Configures the specified value of the "sleep_timeout" configuration parameter.
    See "cpwd_admin config" on page 236.

-retry_limit {<Limit> | u}
    Configures the value of the "retry_limit" configuration parameter.
    See "cpwd_admin config" on page 236.
    - <Limit> - Tries to restart the process the specified number of times
    - u - Tries to restart the process unlimited number of times

Example
For the list of processes and the applicable syntax, see sk97638.

cpwd_admin start_monitor
Description
Starts the active WatchDog monitoring. WatchDog monitors the predefined processes actively.
See the explanation for the "cpwd_admin" on page 234 command.

Syntax

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor
cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#

cpwd_admin stop
Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Security Gateway

cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Parameters

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable including the executable name.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R81/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd_admin"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "fw kill fwm"
    - For FWD: "fw kill fwd"
    - For CPD: "cpd_admin stop"

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

Example
For the list of processes and the applicable syntax, see sk97638.

cpwd_admin stop_monitor
Description
Stops the active WatchDog monitoring. WatchDog monitors all processes only passively.
See the explanation for the "cpwd_admin" on page 234 command.

Syntax

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor
cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#

fw
Description
- Fetches and unloads Threat Prevention policy.
- Controls the Firewall module.
- Generates the Default Filter policy files.
- Fetches the policy from the Management Server, peer Cluster Member, or local directory.
- Fetches the specified Security or Audit log files from the specified Check Point computer.
- Shows the list of interfaces and their IP addresses.
- Shows information about Check Point computers in High Availability configuration and their states.
- Controls ISP links in ISP Redundancy configuration.
- Kills the specified Check Point processes.
- Shows a list of hosts protected by the Security Gateway.
- Shows the content of Check Point log files.
- Switches the current active log file.
- Shows a list of Security or Audit log files.
- Merges several input log files into a single log file.
- Runs FW Monitor to capture the traffic that passes through the Security Gateway.
- Rebuilds pointer files for Security or Audit log files.
- Manages the Suspicious Activity Monitoring (SAM) rules.
- Manages the Suspicious Activity Policy editor.
- Shows the contents of the Unified Policy kernel tables.
- Shows the currently installed policy.
- Shows and deletes the contents of the specified kernel tables.
- Executes the offline Unified Policy.
- Removes all policies from the Security Gateway or Cluster Member.
- Shows the Security Gateway major and minor version number and build number.

Syntax

fw [-d] [-i]
      amw <options>
      ctl <options>
      defaultgen
      fetch <options>
      fetchlogs <options>
      getifs
      hastat <options>
      isp_link <options>
      kill <options>
      lichosts <options>
      log <options>
      logswitch <options>
      lslogs <options>
      mergefiles <options>
      repairlog <options>
      sam <options>
      sam_policy <options>
      showuptables <options>
      stat
      tab <options>
      unloadlocal
      up_execute <options>
      ver <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-i
    Specifies the CoreXL Firewall instance.
    See "fw -i" on page 260.

amw <options>
    Fetches and unloads Threat Prevention policy.
    See "fw amw" on page 261.

ctl <options>
    Controls the Firewall module.
    See "fw ctl" on page 264.

defaultgen
    Generates the Default Filter policy files.
    See "fw defaultgen" on page 295.

fetch <options>
    Fetches the policy from the Management Server, peer Cluster Member, or local directory.
    See "fw fetch" on page 296.

fetchlogs <options>
    Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files ($FWDIR/log/*.adtlog*) from the specified Check Point computer.
    See "fw fetchlogs" on page 298.

getifs
    Shows the list with this information:
    - The name of interfaces, to which the Check Point Firewall kernel attached.
    - The IP addresses assigned to the interfaces.
    See "fw getifs" on page 300.

hastat <options>
    Shows information about Check Point computers in High Availability configuration and their states.
    See "fw hastat" on page 301.

isp_link <options>
    Controls ISP links in the ISP Redundancy configuration.
    See "fw isp_link" on page 302.

kill <options>
    Kills the specified Check Point processes.
    See "fw kill" on page 303.

lichosts <options>
    Shows a list of hosts protected by the Security Gateway.
    See "fw lichosts" on page 304.

log <options>
    Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw log" on page 305.

logswitch <options>
    Switches the current active log file - Security ($FWDIR/log/fw.log) or Audit ($FWDIR/log/fw.adtlog).
    See "fw logswitch" on page 313.

lslogs <options>
    Shows a list of Security log files ($FWDIR/log/*.log*) or Audit log files ($FWDIR/log/*.adtlog*) residing on the local computer or a remote computer.
    See "fw lslogs" on page 316.

mergefiles <options>
    Merges several input log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog) - into a single log file.
    See "fw mergefiles" on page 319.

monitor <options>
    Runs FW Monitor to capture the traffic that passes through the Security Gateway.
    See "fw monitor" on page 322.

repairlog <options>
    Rebuilds pointer files for Security log files ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog) log files.
    See "fw repairlog" on page 350.

sam <options>
    Manages the Suspicious Activity Monitoring (SAM) rules.
    See "fw sam" on page 351.

sam_policy <options>
    Manages the Suspicious Activity Policy editor.
    See "fw sam_policy" on page 358.

showuptables <options>
    Shows the contents of the Unified Policy kernel tables.
    See "fw showuptables" on page 381.

stat
    Shows the currently installed policy.
    See "fw stat" on page 382.

tab <options>
    Shows and deletes the contents of the specified kernel tables.
    See "fw tab" on page 384.

unloadlocal
    Uninstalls all policies from the Security Gateway or Cluster Member.
    See "fw unloadlocal" on page 391.

up_execute <options>
    Executes the offline Unified Policy.
    See "fw up_execute" on page 395.

ver <options>
    Shows the Security Gateway major and minor version number and build number.
    See "fw ver" on page 398.

fw -i
Description
By default, the "fw" on page 256 commands apply to the entire Security Gateway.
The fw commands show aggregated information for all CoreXL Firewall instances.
The fw -i commands apply to the specified CoreXL Firewall instance.

Syntax

fw -i <ID of CoreXL Firewall instance> <Command>

Parameters

<ID of CoreXL Firewall instance>
    Specifies the ID of the CoreXL Firewall instance.
    To see the available IDs, run the command.

<Command>
    Only these commands support the fw -i syntax:
    - fw -i <ID> conntab ...
    - fw -i <ID> ctl get ...
    - fw -i <ID> ctl leak ...
    - fw -i <ID> ctl pstat ...
    - fw -i <ID> ctl set ...
    - fw -i <ID> monitor ...
    - fw -i <ID> tab ...
    For details and additional parameters for any of these commands, refer to the corresponding entry for each command.

Example 1 - Show the Connections table for CoreXL Firewall instance #1

fw -i 1 tab -t connections

Example 2 - Show various internal statistics for CoreXL Firewall instance #1

fw -i 1 ctl pstat

fw amw
Description
Fetches and unloads Threat Prevention policy.
Threat Prevention policy applies to these Software Blades:
- Anti-Bot
- Anti-Spam
- Anti-Virus
- IPS
- Threat Emulation
- Threat Extraction

Syntax
- To fetch the Threat Prevention policy from the Management Server:

  fw [-d] amw fetch -f [-i] [-n] [-r]

- To fetch the Threat Prevention policy from a peer Cluster Member, and, if it fails, then from the Management Server:

  fw [-d] amw fetch -f -c [-i] [-n] [-r]

- To fetch the Threat Prevention policy from the specified Check Point computer(s):

  fw [-d] amw fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]

- To fetch the Threat Prevention policy stored locally on the Security Gateway:

  fw [-d] amw fetch local [-nu]

  fw [-d] amw fetch localhost [-nu]

- To fetch the Threat Prevention policy stored locally on the Security Gateway in the specified directory:

  fw [-d] amw fetchlocal [-lu] -d <Full Path to Directory>

- To unload the current Threat Prevention policy:

  fw [-d] amw unload

Parameters

fw -d amw ...
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

fw amw fetch
    Fetches the Threat Prevention policy from the specified Check Point computer(s). These can be a Management Server, or a peer Cluster Member.

fw amw fetch local
fw amw fetch localhost
    Fetches the Threat Prevention policy that is stored locally on the Security Gateway in the $FWDIR/state/local/AMW/ directory.

fw amw fetchlocal
    Fetches the Threat Prevention policy that is stored locally on the Security Gateway in the specified directory.

fw amw unload
    Unloads the current Threat Prevention policy from the Security Gateway.
    Important - This significantly decreases the security on the Security Gateway. This is the same as if you disable the Threat Prevention Software Blades on the Security Gateway.

-c
    Specifies that you fetch the policy from a peer Cluster Member.
    Notes:
    - Must also use the "-f" parameter.
    - Works only in a cluster.

-f
    Specifies that you fetch the policy from a Management Server listed in the $FWDIR/conf/masters file.

-i
    On a Security Gateway with dynamically assigned IP address (DAIP), specifies to ignore the SIC name and object name.

-lu
    Specifies to perform a late update - to load signatures just after the Security Gateway copies the policy files to the local directory $FWDIR/state/local/AMW/.

-n
    Specifies not to load the fetched policy, if it is the same as the policy already located on the Security Gateway.

-nu
    Specifies not to update the currently installed policy.

-r
    On a Cluster Member, specifies to ignore this option in the SmartConsole Install Policy window:
    For gateway clusters, if installation on a cluster member fails, do not install on that cluster
    Best Practice - Use this parameter if a peer Cluster Member is Down.

<Master 1> [<Master 2> ...]
    Specifies the Check Point computer(s), from which to fetch the Threat Prevention policy.
    You can fetch the Threat Prevention policy from the Management Server, or a peer Cluster Member.
    Notes:
    - If you fetch the Threat Prevention policy from the Management Server, you can enter one of these:
      - The main IP address of the Management Server object.
      - The object name of the Management Server.
      - The hostname that the Security Gateway resolves to the main IP address of the Management Server.
    - If you fetch the Threat Prevention policy from a peer Cluster Member, you can enter one of these:
      - The main IP address of the Cluster Member object.
      - The IP address of the Sync interface on the Cluster Member.
    - If the fetch from the first specified <Master> fails, the Security Gateway fetches the policy from the second specified <Master>, and so on. If the Security Gateway fails to connect to every specified <Master>, the Security Gateway fetches the policy from the localhost.
    - If you do not specify the <Masters> explicitly, the Security Gateway fetches the policy from the localhost.

-d <Full Path to Directory>
    Specifies the local directory on the Security Gateway, from which to fetch the Threat Prevention policy files.

Example

[Expert@MyGW:0]# fw amw fetch local
Installing Threat Prevention policy from local
Fetching Threat Prevention policy succeeded
[Expert@MyGW:0]#

fw ctl
Description
Controls the Firewall kernel module.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax

fw [-d] ctl
      arp <options>
      bench <options>
      block <options>
      chain
      conn
      conntab <options>
      cpasstat <options>
      debug <options>
      get <options>
      iflist
      install
      kdebug <options>
      pstat <options>
      set <options>
      tcpstrstat <options>
      uninstall

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

arp <options>
    Shows the configured Proxy ARP entries based on the $FWDIR/conf/local.arp file on the Security Gateway.
    See "fw ctl arp" on page 267.

bench <options>
    Runs the CPU benchmark tests that collect these statistics:
    - FireWall Lock Statistics
    - Outbound Packets Statistics
    - Inbound Packets Statistics
    See "fw ctl bench" on page 268.

block <options>
    Blocks all connections to, from, and through the Security Gateway.
    See "fw ctl block" on page 270.

chain
    Shows the list of Firewall Chain Modules.
    See "fw ctl chain" on page 271.

conn
    Shows the list of Firewall Connection Modules.
    See "fw ctl conn" on page 273.

conntab <options>
    Shows formatted list of current connections from the Connections kernel table (ID 8158).
    See "fw ctl conntab" on page 274.

cpasstat <options>
    Generates statistics report about Check Point Active Streaming (CPAS).
    See "fw ctl cpasstat" on page 278.

debug <options>
    Generates kernel debug messages from Check Point Firewall kernel to a debug buffer.
    See "'fw ctl debug' and 'fw ctl kdebug'" on page 279.

dlpkstat <options>
    Generates statistics report about Data Loss Prevention kernel module.
    See "fw ctl dlpkstat" on page 280.

get <options>
    Shows the value of the specified kernel parameter.
    See "fw ctl get" on page 281.

iflist
    Shows the list with this information:
    - The name of interfaces, to which the Check Point Firewall kernel attached.
    - The internal numbers of the interfaces in the Check Point Firewall kernel.
    See "fw ctl iflist" on page 283.

install
    Tells the operating system to start passing packets to Firewall.
    See "fw ctl install" on page 284.

kdebug <options>
    Generates kernel debug messages from Check Point Firewall kernel to a debug buffer.
    See "'fw ctl debug' and 'fw ctl kdebug'" on page 279.

leak <options>
    Generates leak detection report.
    See "fw ctl leak" on page 285.

pstat <options>
    Shows Security Gateway various internal statistics.
    See "fw ctl pstat" on page 288.

set <options>
    Configures the specified value for the specified kernel parameter.
    See "fw ctl set" on page 290.

tcpstrstat <options>
    Generates statistics report about TCP Streaming.
    See "fw ctl tcpstrstat" on page 292.

uninstall
    Tells the operating system to stop passing packets to Firewall, and unloads the current Security Policy.
    See "fw ctl uninstall" on page 294.



fw ctl arp

Description
Shows the configured Proxy ARP entries based on the $FWDIR/conf/local.arp file on the Security
Gateway.
For more information about the Proxy ARP, see sk30197.

Syntax

fw [-d] ctl arp
      [-h]
      [-n]

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file,
             or use the script command to save the entire CLI session.

-h           Shows the built-in help.

-n           Specifies not to resolve hostnames.



fw ctl bench

Description
The benchmark mechanism provides a way to measure the time spent in the code between two points.
This command runs the CPU benchmark tests that collect these statistics:
- FireWall Lock Statistics
- Outbound Packets Statistics
- Inbound Packets Statistics

Note - This command writes the output of these tests to dmesg (the kernel ring buffer), not to
the CLI session. Run "dmesg" after the benchmark completes to read the results.

Syntax

fw [-d] ctl bench
      -h
      lock [{ioctl | packet} [<Limit>]] [stop]
      packet [{<Limit> | stop}]

Parameters

Parameter                     Description

-d                            Runs the command in debug mode.
                              Use only if you troubleshoot the command itself.
                              Best Practice - If you use this parameter, then redirect the output to
                              a file, or use the script command to save the entire CLI session.

-h                            Shows the built-in help.

lock [ioctl [<Limit>]]        Runs the lock benchmark that collects the FireWall Lock Statistics.
     [packet [<Limit>]]       Available options:
     [stop]                   - No parameters - Starts the lock benchmark.
                              - ioctl - Calculates the IOCTL flow statistics.
                              - packet - Calculates the packet flow statistics.
                              - <Limit> - Specifies the time limit (in seconds) for the benchmark to
                                run. Default is 10 seconds. Maximum is 200 seconds.
                              - stop - Stops the current lock benchmark.

packet [{<Limit> | stop}]     Runs the packet benchmark test that collects these statistics:
                              - Outbound Packets Statistics
                              - Inbound Packets Statistics
                              Available options:
                              - No parameters - Starts the packet benchmark.
                              - <Limit> - Specifies the time limit (in seconds) for the benchmark to
                                run. Default is 10 seconds. Maximum is 200 seconds.
                              - stop - Stops the current packet benchmark.



fw ctl block

Description
Blocks all connections to, from, and through the Security Gateway.

Important - The "fw ctl block on" command immediately blocks all connections
without a prompt and regardless of the currently installed policy. This includes
the remote session (for example, SSH) from which you run the command, so you lose
access to the Security Gateway. To unblock the connections, you must either reboot
the Security Gateway, or connect to the Security Gateway over a serial console (or
Lights Out Management Card) and run the "fw ctl block off" command.

Syntax

fw [-d] ctl block
      off
      on

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file,
             or use the script command to save the entire CLI session.

off          Removes the block of all connections.

on           Blocks all connections.



fw ctl chain

Description
Shows the list of Firewall Chain Modules.
This list shows various inspection Chain Modules, through which the traffic passes on this Security
Gateway.
The available Chain Modules depend on the configuration and enabled Software Blades.

Important - In a Cluster, the list of Chain Modules this command shows must be the same on all the Cluster Members.

Syntax

fw [-d] ctl chain

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file,
             or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl chain


in chain (23):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -7d000000 (ffffffff8a96ee80) (00000003) vpn multik forward in
4: - 2000000 (ffffffff8a97d830) (00000003) vpn decrypt (vpn)
5: - 1fffffa (ffffffff8a9533a0) (00000001) l2tp inbound (l2tp)
6: - 1fffff8 (ffffffff8b67f0e0) (00000001) Stateless verifications (in) (asm)
7: - 1fffff7 (ffffffff8b67ec00) (00000001) fw multik misc proto forwarding
8: - 1fffff2 (ffffffff8a982aa0) (00000003) vpn tagging inbound (tagging)
9: - 1fffff0 (ffffffff8a983460) (00000003) vpn decrypt verify (vpn_ver)
10: 0 (ffffffff8b85a950) (00000001) fw VM inbound (fw)
11: 1 (ffffffff8a97ed70) (00000003) vpn policy inbound (vpn_pol)
12: 2 (ffffffff8b681700) (00000001) fw SCV inbound (scv)
13: 3 (ffffffff8a982130) (00000003) vpn before offload (vpn_in)
14: 4 (ffffffff8b0fa5c0) (00000003) QoS inbound offload chain module
15: 5 (ffffffff8b574730) (00000003) fw offload inbound (offload_in)
16: 10 (ffffffff8b84c9c0) (00000001) fw post VM inbound (post_vm)
17: 100000 (ffffffff8b807970) (00000001) fw accounting inbound (acct)
18: 22000000 (ffffffff8b0fbfc0) (00000003) QoS slowpath inbound chain mod (fg_sched)
19: 7f730000 (ffffffff8b3d3aa0) (00000001) passive streaming (in) (pass_str)
20: 7f750000 (ffffffff8b17dff0) (00000001) TCP streaming (in) (cpas)
21: 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (in) (ipopt_res)
22: 7fb00000 (ffffffff8a9fe8a0) (00000001) Cluster Late Correction (ha_for)
out chain (19):
0: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (ffffffff8a96ee60) (00000003) vpn multik forward out
2: - 1ffffff (ffffffff8a97fb70) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (ffffffff8b168640) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (ffffffff8b3d3aa0) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (ffffffff8a982aa0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (ffffffff8b67f0e0) (00000001) Stateless verifications (out) (asm)
7: 0 (ffffffff8b85a950) (00000001) fw VM outbound (fw)
8: 10 (ffffffff8b84c9c0) (00000001) fw post VM outbound (post_vm)
9: 2000000 (ffffffff8a982900) (00000003) vpn policy outbound (vpn_pol)
10: 15000000 (ffffffff8b0fac30) (00000003) QoS outbound offload chain modul (fg_pol)
11: 1ffffff0 (ffffffff8a951790) (00000001) l2tp outbound (l2tp)
12: 20000000 (ffffffff8a978280) (00000003) vpn encrypt (vpn)
13: 21000000 (ffffffff8b0fbfc0) (00000003) QoS slowpath outbound chain mod (fg_sched)
14: 7f000000 (ffffffff8b807970) (00000001) fw accounting outbound (acct)
15: 7f700000 (ffffffff8b17cb10) (00000001) TCP streaming post VM (cpas)
16: 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (out) (ipopt_res)
17: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
18: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
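The Important note above requires the same chain on every Cluster Member. The Python script below is an added example, not part of this guide or of Check Point's own tools, that parses two saved copies of "fw ctl chain" output and reports modules that exist on only one member, or that appear in a different order. It assumes that the kernel addresses in the second parenthesised column are per-boot pointers which may differ between members even when the chains match, so it compares priority, flags and module name only. The two member outputs are constructed, shortened from the listing above, with the QoS inbound module removed from member B and a different address for the fw VM module.

```python
"""Compare 'fw ctl chain' output between two Cluster Members.
Added example, not part of the guide."""
import re
from typing import Dict, List, Tuple

# One chain entry, e.g.
#   4: - 2000000 (ffffffff8a97d830) (00000003) vpn decrypt (vpn)
# The priority may be printed with a space after the minus sign; the first
# parenthesised value is the kernel address, the second the flags.
ENTRY_RE = re.compile(
    r"^\s*(?P<pos>\d+):\s*(?P<prio>-?\s*[0-9a-f]+)\s*"
    r"\((?P<addr>[0-9a-f]+)\)\s*\((?P<flags>[0-9a-f]+)\)\s*(?P<name>.+?)\s*$"
)
CHAIN_RE = re.compile(r"^(?P<dir>in|out) chain \(\d+\):\s*$")

Module = Tuple[int, str, str]   # (priority, flags, module description)


def parse_chain(text: str) -> Dict[str, List[Module]]:
    """{'in': [...], 'out': [...]} in chain order.

    Assumption: kernel addresses are per-boot pointers, so they are dropped
    and only priority, flags and module name are kept for comparison.
    """
    chains: Dict[str, List[Module]] = {}
    current = None
    for line in text.splitlines():
        c = CHAIN_RE.match(line)
        if c:
            current = c.group("dir")
            chains[current] = []
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            prio = int(e.group("prio").replace(" ", ""), 16)
            chains[current].append((prio, e.group("flags"), e.group("name")))
    return chains


def diff_chains(member_a: str, member_b: str) -> List[str]:
    """Differences between two members' chains; an empty list means they match."""
    pa, pb = parse_chain(member_a), parse_chain(member_b)
    findings: List[str] = []
    for direction in sorted(set(pa) | set(pb)):
        mods_a, mods_b = pa.get(direction, []), pb.get(direction, [])
        for prio, flags, name in sorted(set(mods_a) - set(mods_b)):
            findings.append(f"{direction}: only on member A: {name} (prio {prio:#x})")
        for prio, flags, name in sorted(set(mods_b) - set(mods_a)):
            findings.append(f"{direction}: only on member B: {name} (prio {prio:#x})")
        if set(mods_a) == set(mods_b) and mods_a != mods_b:
            findings.append(f"{direction}: same modules, different order")
    return findings


# Constructed samples, shortened from the listing in the guide. Member B has a
# different kernel address for the fw VM module (not a finding) and lacks the
# QoS inbound module (a finding).
MEMBER_A = """\
in chain (4):
        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
        1: - 2000000 (ffffffff8a97d830) (00000003) vpn decrypt (vpn)
        2:         0 (ffffffff8b85a950) (00000001) fw VM inbound (fw)
        3:         4 (ffffffff8b0fa5c0) (00000003) QoS inbound offload chain module
out chain (2):
        0:         0 (ffffffff8b85a950) (00000001) fw VM outbound (fw)
        1:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
"""
MEMBER_B = """\
in chain (3):
        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
        1: - 2000000 (ffffffff8a97d830) (00000003) vpn decrypt (vpn)
        2:         0 (ffffffff8c11a950) (00000001) fw VM inbound (fw)
out chain (2):
        0:         0 (ffffffff8c11a950) (00000001) fw VM outbound (fw)
        1:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
"""

if __name__ == "__main__":
    for finding in diff_chains(MEMBER_A, MEMBER_B) or ["chains match"]:
        print(finding)
```

Save each member's output to a file (for example, "fw ctl chain > /var/log/chain_$(hostname).txt"), copy both files to one host and pass their contents to diff_chains(). An empty result means the module lists match; a non-empty result points at a difference in configuration or enabled Software Blades between the members, which the Description above names as what determines the available Chain Modules.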



fw ctl conn

Description
Shows the list of Firewall Connection Modules.
This list shows various inspection Connection Modules, through which the traffic passes on this Security
Gateway.
The available Connection Modules depend on the configuration and enabled Software Blades.

Important - In a Cluster, the list of Connection Modules this command shows must be the same on all the Cluster Members.

Syntax

fw [-d] ctl conn

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file,
             or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl conn
Registered connections modules:
No. Name             Newconn          Packet           End              Reload           Dup Type  Dup Handler
Connectivity level 0:
 1: Accounting       0000000000000000 0000000000000000 FFFFFFFF8B8395A0 0000000000000000 Special   FFFFFFFF8B831720
 2: Authentication   FFFFFFFF8B3150A0 0000000000000000 0000000000000000 0000000000000000 Special   FFFFFFFF8B34FCC0
 8: NAT              0000000000000000 0000000000000000 FFFFFFFF8B6D1AF0 0000000000000000 Special   FFFFFFFF8B6B8410
 9: RTM              0000000000000000 0000000000000000 0000000000000000 0000000000000000 None
10: RTM2             0000000000000000 0000000000000000 FFFFFFFF8B014970 0000000000000000 None
11: SPII             FFFFFFFF8B412060 0000000000000000 FFFFFFFF8B41AF40 FFFFFFFF8B4016A0 None
13: VPN              FFFFFFFF8A965440 0000000000000000 FFFFFFFF8AA4CC40 0000000000000000 Special   FFFFFFFF8AA60490
Connectivity level 1:
13: VPN              0000000000000000 0000000000000000 0000000000000000 0000000000000000 None
[Expert@MyGW:0]#



fw ctl conntab

Description
Shows formatted list of current connections from the Connections kernel table (ID 8158).

Best Practices:
- Use the "fw ctl conntab" command to see the simplified information about the current
  connections.
- Use the "fw tab -t connections -f" command ("fw tab" on page 384) to see the detailed
  (and more technical) information about the current connections.

Syntax

Important - You can specify several filter parameters at the same time. The output then
shows only the connections that match all of them (see Example 9 below).

fw [-d] ctl conntab
      {-h | -help}
      -sip=<Source IP Address in Decimal Format>
      -sport=<Port Number in Decimal Format>
      -dip=<Destination IP Address in Decimal Format>
      -dport=<Port Number in Decimal Format>
      -proto=<Protocol Name>
      -service=<Name of Service>
      -rule=<Rule Number in Decimal Format>

Parameters

Parameter                                        Description

{-h | -help}                                     Shows the built-in usage.

-d                                               Runs the command in debug mode.
                                                 Use only if you troubleshoot the command itself.
                                                 Best Practice - If you use this parameter, then redirect
                                                 the output to a file, or use the script command to save
                                                 the entire CLI session.

-sip=<Source IP Address in Decimal Format>       Filters the output by the specified Source IP address.

-sport=<Port Number in Decimal Format>           Filters the output by the specified Source Port number.
                                                 See IANA Service Name and Port Number Registry.

-dip=<Destination IP Address in Decimal Format>  Filters the output by the specified Destination IP address.

-dport=<Port Number in Decimal Format>           Filters the output by the specified Destination Port
                                                 number.
                                                 See IANA Service Name and Port Number Registry.

-proto=<Protocol Name>                           Filters the output by the specified Protocol name.
                                                 For example:
                                                 - TCP
                                                 - UDP
                                                 - ICMP
                                                 See IANA Protocol Numbers.

-service=<Name of Service>                       Filters the output by the specified Service name.
                                                 See the names of Services in SmartConsole, or in the
                                                 output of this command.

-rule=<Rule Number in Decimal Format>            Filters the output by the number of the rule that
                                                 matched the connection.
                                                 See your Rule Base in SmartConsole, or in the output of
                                                 this command.

Examples

Example 1 - Default output


[Expert@MyGW:0]# fw ctl conntab
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3593/3600, rule=2, tcp state=TCP_ESTABLISHED,
service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,59249], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsout=1,
conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,37892], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsin=1,
Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 2 - Filter by a destination port


[Expert@MyGW:0]# fw ctl conntab -dport=22
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3594/3600, rule=2, tcp state=TCP_ESTABLISHED,
service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 3 - Filter by a destination port


[Expert@MyGW:0]# fw ctl conntab -dport=53
<(outbound, src=[192.168.204.40,33585], dest=[192.168.204.1,53], UDP); 39/40, rule=0, service=domain-udp(335), Ifnsout=1,
conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,56661], dest=[192.168.204.1,53], UDP); 39/40, rule=0, service=domain-udp(335), Ifnsin=1,
Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 4 - Filter by a source port


[Expert@MyGW:0]# fw ctl conntab -sport=54201
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3600/3600, rule=2, tcp state=TCP_ESTABLISHED,
service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#


Example 5 - Filter by a protocol


[Expert@MyGW:0]# fw ctl conntab -proto=UDP
<(outbound, src=[192.168.204.40,44966], dest=[192.168.204.1,53], UDP); 37/40, rule=0, service=domain-udp(335), Ifnsin=1,
Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 6 - Filter by a protocol


[Expert@MyGW:0]# fw ctl conntab -proto=TCP
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3596/3600, rule=2, tcp state=TCP_ESTABLISHED,
service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 7 - Filter by a service


[Expert@MyGW:0]# fw ctl conntab -service=domain-udp
<(outbound, src=[192.168.204.40,44966], dest=[192.168.204.1,53], UDP); 35/40, rule=0, service=domain-udp(335), Ifnsin=1,
Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 8 - Filter by a rule number


[Expert@MyGW:0]# fw ctl conntab -rule=2
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3597/3600, rule=2, tcp state=TCP_ESTABLISHED,
service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 9 - Filter by a destination IP address, destination port, protocol, and service


[Expert@MyGW:0]# fw ctl conntab -dip=192.168.204.40 -dport=22 -proto=TCP -service=ssh
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3599/3600, rule=2, tcp state=TCP_ESTABLISHED,
service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#
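As an added example (not from this guide and not a Check Point tool), the Python code below parses saved "fw ctl conntab" output into dictionaries and reproduces the -sip/-sport/-dip/-dport/-proto/-service/-rule filters offline, so that a capture taken during an incident (for example, "fw ctl conntab > /var/log/conntab_$(date +%s).txt") can be queried and summarized afterwards. It handles the entry layout the examples above show (TCP and UDP entries, including ones wrapped over two lines as printed in this guide) and skips any entry in a layout it does not recognize rather than guessing. The sample input is the output of Example 1 embedded as a constructed string.

```python
"""Parse saved 'fw ctl conntab' output and query it offline.
Added example, not part of the guide."""
import re
from typing import Dict, List, Optional

# One entry is "<( header ); body >". The guide's listing wraps long entries
# over two lines, so entries are matched across newlines and whitespace is
# collapsed afterwards.
ENTRY_RE = re.compile(r"<\((?P<head>.*?)\);\s*(?P<body>.*?)>", re.S)
HEAD_RE = re.compile(
    r"(?P<direction>inbound|outbound),\s*"
    r"src=\[(?P<sip>[^,\]]+),(?P<sport>\d+)\],\s*"
    r"dest=\[(?P<dip>[^,\]]+),(?P<dport>\d+)\],\s*"
    r"(?P<proto>\w+)$"
)


def _parse_body(body: str) -> Dict[str, object]:
    body = " ".join(body.split())
    out: Dict[str, object] = {}
    m = re.match(r"(\d+)/(\d+)", body)             # seconds left / timeout
    if m:
        out["expires"], out["timeout"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"\brule=(\d+)", body)
    out["rule"] = int(m.group(1)) if m else None
    m = re.search(r"tcp state=(\w+)", body)         # only present for TCP
    out["state"] = m.group(1) if m else None
    m = re.search(r"service=([^\s(,]+)\((\d+)\)", body)
    out["service"] = m.group(1) if m else None
    out["service_id"] = int(m.group(2)) if m else None
    out["ifn"] = {k: int(v) for k, v in re.findall(r"(Ifn[cs](?:in|out))=(-?\d+)", body)}
    m = re.search(r"conn modules:\s*(.*)$", body)
    out["modules"] = [x.strip() for x in m.group(1).split(",")] if m else []
    return out


def parse_conntab(text: str) -> List[Dict[str, object]]:
    conns: List[Dict[str, object]] = []
    for m in ENTRY_RE.finditer(text):
        h = HEAD_RE.match(" ".join(m.group("head").split()))
        if not h:
            continue                                 # unknown layout: skip, do not guess
        conn: Dict[str, object] = {
            "direction": h.group("direction"),
            "sip": h.group("sip"), "sport": int(h.group("sport")),
            "dip": h.group("dip"), "dport": int(h.group("dport")),
            "proto": h.group("proto").upper(),
        }
        conn.update(_parse_body(m.group("body")))
        conns.append(conn)
    return conns


def filter_conns(conns: List[Dict[str, object]], **criteria) -> List[Dict[str, object]]:
    """Offline equivalent of the -sip/-sport/-dip/-dport/-proto/-service/-rule
    filters; several criteria combine with AND, as on the CLI."""
    def matches(c: Dict[str, object]) -> bool:
        return all(str(c.get(k)).upper() == str(v).upper() for k, v in criteria.items())
    return [c for c in conns if matches(c)]


def count_by_rule(conns: List[Dict[str, object]]) -> Dict[Optional[int], int]:
    """Connections per matched rule number, e.g. to see which rules carry traffic."""
    counts: Dict[Optional[int], int] = {}
    for c in conns:
        counts[c["rule"]] = counts.get(c["rule"], 0) + 1
    return counts


# Constructed sample: the three entries from the guide's Example 1, including
# the prompt lines and the two-line wrapping as printed in the guide.
SAMPLE = """\
[Expert@MyGW:0]# fw ctl conntab
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3593/3600, rule=2, tcp state=TCP_ESTABLISHED,
service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,59249], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsout=1,
conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,37892], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsin=1,
Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#
"""

if __name__ == "__main__":
    conns = parse_conntab(SAMPLE)
    print(count_by_rule(conns))
    for c in filter_conns(conns, dport=22, proto="TCP"):
        print(c["sip"], "->", c["dip"], c["state"], f"{c['expires']}/{c['timeout']}s")
```

Because the expires/timeout pair and the TCP state are kept as fields, the same parsed list can also answer questions the CLI filters do not, such as which established connections are close to their timeout or how many connections each rule currently carries.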


Example 10 - Formatted detailed output from the Connections table (for comparison)
[Expert@MyGW:0]# fw tab -t connections -f

Formatting table's data - this might take a while...

localhost:
Date: Sep 10, 2018
11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep,
sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited;
LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 54201; Dest: 192.168.204.1; DPort: 53;
Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: -1; Ifnsout:
1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1;
ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 54201;
Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 54201; Dest_1: 192.168.204.1; DPort_1:
53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily:
Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 54201;
Protocol: tcp; CPTFMT_sep_1: ->; Direction_2: 0; Source_2: 192.168.204.1; SPort_2: 54201; Dest_2: 192.168.204.40; DPort_2:
22; Protocol_2: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily:
Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 54201; Dest: 192.168.204.40; DPort: 22;
Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -
1; Bits: 02007800000f9000; Expires: 3596/3600; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1;
ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 44966;
Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 44966; Dest_1: 192.168.204.1; DPort_1:
53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily:
Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 44966; Dest: 192.168.204.1; DPort: 53;
Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout:
1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1;
ProductFamily: Network;

[Expert@MyGW:0]#



fw ctl cpasstat

Description
Generates statistics report about Check Point Active Streaming (CPAS).

Syntax

fw [-d] ctl cpasstat [-r]

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file,
             or use the script command to save the entire CLI session.

-r           Resets the counters.



'fw ctl debug' and 'fw ctl kdebug'

Description
These commands generate kernel debug messages from Check Point Firewall kernel to a debug buffer.
For more information, see the R81 Next Generation Security Gateway Guide - Chapter Kernel Debug on
Security Gateway.



fw ctl dlpkstat

Description
Generates statistics report about Data Loss Prevention, inspected HTTP requests, and Identity Awareness
Captive Portal.
This report contains these statistics:

Category                                      Information

DLP Kernel Statistics Information             Emails and HTTP requests
User Mode Responses Statistics                Emails and HTTP requests
Identity Awareness - Captive Portal           HTTP requests redirected to the Captive Portal
Identity Awareness - Fetch Users Statistics   Synchronous and asynchronous Identity Awareness queries

Best Practice - This report is very useful when you:
- Debug problems with HTTP protocol that occur under traffic stress.
- Examine the traffic shape (for example, to know how many HTTP "POST" and HTTP "GET"
  requests pass through the Security Gateway).

Syntax

fw [-d] ctl dlpkstat [-r]

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file,
             or use the script command to save the entire CLI session.

-r           Resets the counters.



fw ctl get

Description
Shows the current value of the specified kernel parameter.

Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- In VSX Gateway, the configured values of kernel parameters apply to all existing
  Virtual Systems and Virtual Routers.

Notes:
- Kernel parameters let you change the advanced behavior of your Security Gateway.
- There are two types of kernel parameters - integer and string.
- Security Gateway gets the names and the default values of the kernel parameters from
  these kernel module files:
  - $FWDIR/boot/modules/fw_kern_64.o
  - $FWDIR/boot/modules/fw_kern_64_v6.o
  - $FWDIR/boot/modules/fw_kern_64_3_10_64.o
  - $FWDIR/boot/modules/fw_kern_64_3_10_64_v6.o
  - $PPKDIR/boot/modules/sim_kern_64.o
  - $PPKDIR/boot/modules/sim_kern_64_v6.o
  - $PPKDIR/boot/modules/sim_kern_64_3_10_64.o
  - $PPKDIR/boot/modules/sim_kern_64_3_10_64_v6.o
- Refer to the related command "fw ctl set" on page 290.
- Refer to the related article sk33156: Creating a file with all the kernel parameters and
  their values.

Syntax

fw [-d] ctl get
      int <Name of Integer Kernel Parameter> [-a]
      str <Name of String Kernel Parameter> [-a]

Parameters

Parameter                             Description

-d                                    Runs the command in debug mode.
                                      Use only if you troubleshoot the command itself.
                                      Best Practice - If you use this parameter, then redirect the
                                      output to a file, or use the script command to save the entire
                                      CLI session.

<Name of Integer Kernel Parameter>    Specifies the name of the integer kernel parameter.

<Name of String Kernel Parameter>     Specifies the name of the string kernel parameter.

-a                                    Specifies to search for this kernel parameter in this order:
                                      1. In $FWDIR/modules/fw_*.o
                                      2. In $PPKDIR/modules/sim_*.o

Example for an integer kernel parameter

[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit -a


FW:
fw_kdprintf_limit = 100
PPAK 0: fw_kdprintf_limit = 10
[Expert@MyGW:0]#

Example for a string kernel parameter

[Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset -a


FW:
fileapp_default_encoding_charset = 'UTF-8'
PPAK 0: Get failed.
[Expert@MyGW:0]#
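The Important note above says that all Cluster Members must be configured in the same way. The Python code below is an added example, not part of this guide or of Check Point's tools, that parses the output of "fw ctl get int|str <Name> -a" collected from each member and reports a parameter whose value differs between members within the same scope (FW, or PPAK n). It compares scope by scope, because the integer example above shows that the FW value and the PPAK value of one parameter can legitimately differ on a single gateway, and it records "Get failed." as no value (None) for that scope. The first sample is the integer example above; the second member's output is constructed with a different FW value.

```python
"""Detect kernel-parameter drift between Cluster Members from saved
'fw ctl get ... -a' output. Added example, not part of the guide."""
import re
from typing import Dict, List, Optional


def parse_get_output(text: str) -> Dict[str, Optional[str]]:
    """Map each scope ('FW', 'PPAK 0', ...) to the reported value.

    A scope whose lookup failed (e.g. "PPAK 0: Get failed.") maps to None;
    the quotes that the command prints around string values are stripped.
    """
    values: Dict[str, Optional[str]] = {}
    scope: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[Expert@"):
            continue                      # prompt / command echo in a saved session
        if line == "FW:":
            scope = "FW"
            continue
        m = re.match(r"^(PPAK \d+):\s*(.*)$", line)
        if m:
            scope, line = m.group(1), m.group(2)
        if scope is None:
            continue
        m = re.match(r"^\w+\s*=\s*(.*)$", line)
        values[scope] = m.group(1).strip().strip("'") if m else None
    return values


def find_drift(parameter: str, outputs: Dict[str, str]) -> List[str]:
    """outputs maps member name -> raw command output captured on that member.

    Values are compared per scope, never FW against PPAK: the guide's own
    example shows those two legitimately differing on one gateway.
    """
    parsed = {member: parse_get_output(t) for member, t in outputs.items()}
    scopes = sorted({s for p in parsed.values() for s in p})
    drift: List[str] = []
    for scope in scopes:
        seen = {member: p.get(scope) for member, p in parsed.items()}
        if len(set(seen.values())) > 1:
            detail = ", ".join(f"{m}={v!r}" for m, v in sorted(seen.items()))
            drift.append(f"{parameter} [{scope}]: {detail}")
    return drift


# MEMBER1 is the guide's integer example; MEMBER2 is constructed with a
# different FW value. STRING_PARAM is the guide's string example.
MEMBER1 = """\
[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit -a
FW:
fw_kdprintf_limit = 100
PPAK 0: fw_kdprintf_limit = 10
"""
MEMBER2 = """\
FW:
fw_kdprintf_limit = 200
PPAK 0: fw_kdprintf_limit = 10
"""
STRING_PARAM = """\
FW:
fileapp_default_encoding_charset = 'UTF-8'
PPAK 0: Get failed.
"""

if __name__ == "__main__":
    for line in find_drift("fw_kdprintf_limit", {"member1": MEMBER1, "member2": MEMBER2}):
        print("DRIFT", line)
```

Run the same "fw ctl get ... -a" command on every member, save each output, and feed the texts to find_drift() keyed by member name. A reported drift in the FW scope on one member only is a typical sign of a value changed at run time with "fw ctl set" on that member and not applied to the others.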



fw ctl iflist

Description
Shows the list with this information:
n The name of interfaces, to which the Check Point Firewall kernel attached.
n The internal numbers of the interfaces in the Check Point Firewall kernel.

Notes:
- This list shows all detected interfaces, even if there are no IP addresses assigned on them.
- You use this list when you analyze a kernel debug, which shows only the internal numbers
  of the interfaces (for example, ifn=2).
- Related "cpstat" on page 220 commands:
  - cpstat -f ifconfig os
  - cpstat -f interfaces fw

Syntax

fw [-d] ctl iflist

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file,
             or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl iflist


fw ctl iflist
1 : eth0
2 : eth1
3 : eth2
4 : eth3
5 : eth4
6 : eth5
7 : eth6
8 : eth7
[Expert@MyGW:0]#



fw ctl install

Description
Tells the operating system to start passing packets to Firewall.
This command runs automatically when the Security Gateway or an administrator runs the "cpstart" on
page 219 command.

Warning - If you run the "fw ctl uninstall" on page 294 command and then the "fw ctl install"
command, it does not restore the Security Policy. To restore the Security Policy, you must run
one of these commands: "fw fetch" on page 296, or "cpstart" on page 219.

Syntax

fw [-d] ctl install

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file,
             or use the script command to save the entire CLI session.



fw ctl leak

Description
Generates leak detection report. This report is for Check Point use only.

Important - This command saves the report into the active /var/log/messages file and the
dmesg buffer. It prints nothing to the CLI session.

Syntax

fw [-d] ctl leak
      {-h | -help}
      [{-a | -A}] [-t <Internal Object Type>] [-o <Internal Object ID>] [-d] [-l] [-p]
      [-s]

Parameters

Parameter                    Description

fw -d ctl leak ...           Runs the command in debug mode.
                             Use only if you troubleshoot the command itself.
                             Best Practice - If you use this parameter, then redirect the output to
                             a file, or use the script command to save the entire CLI session.
                             Note - This is the "-d" of "fw", before "ctl". The "-d" after "leak"
                             is a different parameter (see below).

{-h | -help}                 Shows the built-in help.

-a                           Specifies to perform leak detection for potential leaks.
                             This parameter is mutually exclusive with the parameter "-A".

-A                           Specifies to perform leak detection for all leaks.
                             This parameter is mutually exclusive with the parameter "-a".

-d                           Dumps object data.
                             This parameter is mutually exclusive with the parameter "-s".

-l                           Prints the action log.
                             This parameter is mutually exclusive with the parameter "-s".

-o <Internal Object ID>      Specifies to perform leak detection for the specified internal object ID.

-p                           Purges the internal objects from the lists.
                             This parameter is mutually exclusive with the parameter "-s".

-s                           Shows summary only.
                             This parameter is mutually exclusive with the parameters "-d", "-l",
                             and "-p".

-t <Internal Object Type>    Specifies the internal object types, for which to perform leak detection.
                             Available internal object types are:
                             - chain
                             - connh
                             - cookie
                             - kbuf
                             - num
                             If you do not specify the internal object type explicitly, the command
                             performs leak detection for all internal object types.

Procedure

Step   Description

1      Connect to the command line on the Security Gateway.

2      Log in to the Expert mode.

3      Back up the current /var/log/messages file:
       [Expert@GW_HostName:0]# cp -v /var/log/messages{,_BKP}

4      Delete the information from the current /var/log/messages file:
       [Expert@GW_HostName:0]# echo '' > /var/log/messages

5      Delete the information from the current dmesg buffer:
       [Expert@GW_HostName:0]# dmesg -c

6      Generate the leak detection report (see the Syntax section above):
       [Expert@GW_HostName:0]# fw [-d] ctl leak <options>

7      Make sure the command generated the leak detection report:
       [Expert@GW_HostName:0]# dmesg
       [Expert@GW_HostName:0]# cat /var/log/messages

8      Collect the leak detection report:
       [Expert@GW_HostName:0]# cp -v /var/log/messages{,_LEAK_DETECTION}

9      Analyze the leak detection report:
       /var/log/messages_LEAK_DETECTION

Example

[Expert@MyGW:0]# cp -v /var/log/messages{,_BKP}
`/var/log/messages' -> `/var/log/messages_BKP'
[Expert@MyGW:0]#
[Expert@MyGW:0]# echo '' > /var/log/messages
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg -c
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl leak -s
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg
[fw4_0];fwleak_report: type chain - 0 objects
[fw4_0];fwleak_report: type cookie - 0 objects
[fw4_0];fwleak_report: type kbuf - 0 objects
[fw4_0];fwleak_report: type connh - 0 objects
[fw4_1];fwleak_report: type chain - 0 objects
[fw4_1];fwleak_report: type cookie - 0 objects
[fw4_1];fwleak_report: type kbuf - 0 objects
[fw4_1];fwleak_report: type connh - 0 objects
[fw4_2];fwleak_report: type chain - 0 objects
[fw4_2];fwleak_report: type cookie - 0 objects
[fw4_2];fwleak_report: type kbuf - 0 objects
[fw4_2];fwleak_report: type connh - 0 objects
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /var/log/messages
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type connh - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type connh - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type connh - 0 objects
[Expert@MyGW:0]#
[Expert@MyGW:0]# cp -v /var/log/messages{,_LEAK_DETECTION}
`/var/log/messages' -> `/var/log/messages_LEAK_DETECTION'
[Expert@MyGW:0]#
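As an added example (not from this guide and not a Check Point tool), the Python code below parses the fwleak_report lines that steps 7 and 8 of the procedure produce, from either the dmesg buffer or the /var/log/messages copy, into per-instance counters, lists every non-zero counter, and reports CoreXL instances for which one of the expected object types is missing from the report (for example, because the kernel ring buffer wrapped before you read it). The sample text is the output shown above with one kbuf counter changed to 3 and the last connh line removed, so that both checks have something to report; the expected object types default to the four that the output above shows.

```python
"""Parse an 'fw ctl leak' report out of dmesg or /var/log/messages.
Added example, not part of the guide."""
import re
from typing import Dict, List, Tuple

# One report line per (CoreXL instance, object type), in either form:
#   [fw4_0];fwleak_report: type chain - 0 objects                     (dmesg)
#   Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: ...      (/var/log/messages)
REPORT_RE = re.compile(
    r"\[(?P<instance>[^\]]+)\];fwleak_report: type (?P<type>\w+) - (?P<count>\d+) objects"
)


def parse_leak_report(text: str) -> Dict[str, Dict[str, int]]:
    """Return {instance: {object_type: count}} for every report line found."""
    report: Dict[str, Dict[str, int]] = {}
    for m in REPORT_RE.finditer(text):
        report.setdefault(m.group("instance"), {})[m.group("type")] = int(m.group("count"))
    return report


def leaked_objects(report: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, int]]:
    """(instance, type, count) for every non-zero counter, sorted for stable output."""
    return sorted(
        (inst, typ, cnt)
        for inst, types in report.items()
        for typ, cnt in types.items()
        if cnt
    )


def missing_types(report: Dict[str, Dict[str, int]],
                  expected: Tuple[str, ...] = ("chain", "cookie", "kbuf", "connh")
                  ) -> Dict[str, List[str]]:
    """Instances whose report lacks one of the expected object types.

    The default list is the four types the guide's example output reports;
    pass your own tuple if your report contains more (the -t parameter also
    lists 'num')."""
    return {
        inst: [t for t in expected if t not in types]
        for inst, types in report.items()
        if any(t not in types for t in expected)
    }


# Constructed sample: the guide's dmesg output for three instances, with one
# counter changed to a non-zero value and the last connh line removed, so that
# both checks have something to flag.
SAMPLE_DMESG = """\
[fw4_0];fwleak_report: type chain - 0 objects
[fw4_0];fwleak_report: type cookie - 0 objects
[fw4_0];fwleak_report: type kbuf - 0 objects
[fw4_0];fwleak_report: type connh - 0 objects
[fw4_1];fwleak_report: type chain - 0 objects
[fw4_1];fwleak_report: type cookie - 0 objects
[fw4_1];fwleak_report: type kbuf - 3 objects
[fw4_1];fwleak_report: type connh - 0 objects
[fw4_2];fwleak_report: type chain - 0 objects
[fw4_2];fwleak_report: type cookie - 0 objects
[fw4_2];fwleak_report: type kbuf - 0 objects
"""

# The same kind of report as written to /var/log/messages (constructed, two lines).
SAMPLE_MESSAGES = """\
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type cookie - 0 objects
"""

if __name__ == "__main__":
    rep = parse_leak_report(SAMPLE_DMESG)
    for inst, typ, cnt in leaked_objects(rep):
        print(f"{inst}: {cnt} leaked {typ} object(s)")
    for inst, gaps in missing_types(rep).items():
        print(f"{inst}: no report for {', '.join(gaps)}")
```

Point parse_leak_report() at the contents of /var/log/messages_LEAK_DETECTION from step 8. Since the Description above states that the report is for Check Point use only, treat a non-zero counter as something to attach to the service request rather than as a value to act on yourself.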



fw ctl pstat

Description
Shows Security Gateway various internal statistics:
- System Capacity Summary
- Hash kernel memory (hmem) statistics
- System kernel memory (smem) statistics
- Kernel memory (kmem) statistics
- Cookies
- Connections
- Fragments
- NAT
- Handles

Syntax

Important - You can specify many parameters at the same time.

fw [-d] ctl pstat [-c] [-h] [-k] [-l] [-m] [-o] [-s] [-v {4 | 6}]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-c Shows detailed CoreXL Dispatcher statistics:


n fwmultik_global_stats splits for each CoreXL Firewall
instance.
n fwmultik_gconn_stats for each CPU.
n fwmultik_stats for each CPU.

-h Shows additional Hash kernel memory (hmem) statistics.

-k Shows additional Kernel memory (kmem) statistics.

-l Shows Handles statistics.


-m Shows general CoreXL Dispatcher statistics.

-o Shows additional Cookies statistics.

-s Shows additional System kernel memory (smem) statistics.

-v {4 | 6} Shows statistics for IPv4 (-v 4) traffic only, or for IPv6 (-v 6) traffic only.
Default is to show statistics for both IPv4 and IPv6 traffic.

Examples

Example 1 - fw ctl pstat


[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:


Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:


Total memory allocated: 742391808 bytes in 181248 (4096 bytes) blocks using 1 pool
Total memory bytes used: 0 unused: 742391808 (100.00%) peak: 68247020
Total memory blocks used: 0 unused: 181248 (100%) peak: 17227
Allocations: 2193027 alloc, 0 failed alloc, 2154121 free

System kernel memory (smem) statistics:


Total memory bytes used: 913975068 peak: 1165010872
Total memory bytes wasted: 7883999
Blocking memory bytes used: 4896272 peak: 6916084
Non-Blocking memory bytes used: 909078796 peak: 1158094788
Allocations: 13217 alloc, 0 failed alloc, 10027 free, 0 failed free
vmalloc bytes used: 908585924 expensive: no

Kernel memory (kmem) statistics:


Total memory bytes used: 185761552 peak: 486615148
Allocations: 2204456 alloc, 0 failed alloc
2162587 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]#
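Added example - a health check over the output above. This script is not part of the Check Point product or of this guide; it reads fw ctl pstat text on stdin (so it also works on a saved copy of the output) and flags the conditions an operator usually wants paged on: memory at or above the assumed MEM_WARN_PCT threshold, a summary line that no longer says "below watermark", Aggressive Aging reported as active, and any non-zero "failed alloc" or "failed free" counter in the hmem, smem or kmem sections. The threshold and the exact wording of the active Aggressive Aging line are assumptions, and both sample outputs are constructed.

```bash
#!/bin/bash
# Added example, not part of the Check Point product: a health check over
# "fw ctl pstat" output. Usage on a gateway:   fw ctl pstat | pstat_check
# MEM_WARN_PCT and the "Aggressive Aging is enabled, active" wording are assumptions.

MEM_WARN_PCT=${MEM_WARN_PCT:-80}

# pstat_check: reads pstat text on stdin, prints one "WARN:" line per finding,
# returns 0 when nothing was flagged and 1 otherwise (usable from cron/monitoring).
pstat_check() {
    awk -v warn="$MEM_WARN_PCT" '
    # Remember which memory pool the following allocation counters belong to.
    /statistics:$/ { section = $0; sub(/ statistics:$/, "", section); next }

    # "Memory used: 3% (265 MB out of 7117 MB) - below watermark"
    /^Memory used:/ {
        pct = $3; sub(/%/, "", pct)
        if (pct + 0 >= warn + 0) { print "WARN: memory used " pct "% (threshold " warn "%)"; bad = 1 }
        if ($0 !~ /below watermark/) { print "WARN: memory is not below watermark"; bad = 1 }
    }

    # Aggressive Aging actively expiring connections means the connections
    # table or memory is under pressure (assumed wording of the active state).
    /^Aggressive Aging/ && /active/ && !/not active/ {
        print "WARN: Aggressive Aging is active"; bad = 1
    }

    # "Allocations: 13217 alloc, 0 failed alloc, 10027 free, 0 failed free";
    # kmem prints its free counters on the next line, so key on the word
    # "failed" rather than on the "Allocations:" prefix.
    /failed/ {
        for (i = 2; i < NF; i++) {
            if ($i == "failed" && $(i - 1) + 0 > 0) {
                what = $(i + 1); sub(/,$/, "", what)
                print "WARN: " section ": " $(i - 1) " failed " what; bad = 1
            }
        }
    }

    END { exit bad ? 1 : 0 }'
}

# Constructed samples modelled on the output shown above.
SAMPLE_OK='System Capacity Summary:
Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active
Hash kernel memory (hmem) statistics:
Allocations: 2193027 alloc, 0 failed alloc, 2154121 free
System kernel memory (smem) statistics:
Allocations: 13217 alloc, 0 failed alloc, 10027 free, 0 failed free
Kernel memory (kmem) statistics:
Allocations: 2204456 alloc, 0 failed alloc
2162587 free, 0 failed free'

SAMPLE_BAD='System Capacity Summary:
Memory used: 91% (6476 MB out of 7117 MB) - above watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, active
Hash kernel memory (hmem) statistics:
Allocations: 2193027 alloc, 0 failed alloc, 2154121 free
Kernel memory (kmem) statistics:
Allocations: 2204456 alloc, 17 failed alloc
2162587 free, 0 failed free'

# Stand-alone demo: the clean sample passes, the degraded one is flagged.
printf '%s\n' "$SAMPLE_OK"  | pstat_check && echo "clean sample: no findings"
printf '%s\n' "$SAMPLE_BAD" | pstat_check || echo "degraded sample: rc=$?"
```

A non-zero "failed alloc" counter is the finding to act on first: it means the kernel could not get memory for a connection or packet, which shows up as dropped traffic before Memory used ever crosses the watermark.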

fw ctl set

Description
Configures the specified value for the specified kernel parameter.

Important:
n In a Cluster, you must configure all the Cluster Members in the same way.
n In VSX Gateway, the configured values of kernel parameters apply to all existing
Virtual Systems and Virtual Routers.
n The configuration made with this command does not survive reboot.
To make this configuration permanent, you must edit one of the applicable
configuration files:
l $FWDIR/boot/modules/fwkern.conf

l $FWDIR/boot/modules/vpnkern.conf

l $PPKDIR/conf/simkern.conf.

For more information, see sk26202.

Notes:
n Kernel parameters let you change the advanced behavior of your Security
Gateway.
n There are two types of kernel parameters - integer and string.
n Security Gateway gets the names and the default values of the kernel
parameters from these kernel module files:
l $FWDIR/boot/modules/fw_kern_64.o

l $FWDIR/boot/modules/fw_kern_64_v6.o

l $FWDIR/boot/modules/fw_kern_64_3_10_64.o

l $FWDIR/boot/modules/fw_kern_64_3_10_64_v6.o

l $PPKDIR/boot/modules/sim_kern_64.o

l $PPKDIR/boot/modules/sim_kern_64_v6.o

l $PPKDIR/boot/modules/sim_kern_64_3_10_64.o

l $PPKDIR/boot/modules/sim_kern_64_3_10_64_v6.o

n Refer to the related command "fw ctl get" on page 281.


n Refer to the related article sk33156: Creating a file with all the kernel
parameters and their values

Syntax

fw [-d] ctl set
      int <Name of Integer Kernel Parameter> <Integer Value>
      str <Name of String Kernel Parameter> '<String Value>'

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<Name of Integer Kernel Parameter> Specifies the name of the integer kernel parameter.

<Integer Value> Specifies the integer value for the integer kernel parameter.

<Name of String Kernel Parameter> Specifies the name of the string kernel parameter.

'<String Value>' Specifies the string value for the string kernel parameter.

Example for an integer kernel parameter

[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 100
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set int fw_kdprintf_limit 50
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 50
[Expert@MyGW:0]#

Example for a string kernel parameter

[Expert@MyGW:0]# fw ctl set str icap_unwrap_append_header_str '__print__'
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str
icap_unwrap_append_header_str = '__print__'
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set str icap_unwrap_append_header_str ''
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str
icap_unwrap_append_header_str = ''
[Expert@MyGW:0]#
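Added example - not Check Point code. The runtime change above is lost at reboot, so the usual operational pattern is to apply the value with fw ctl set int, confirm it with fw ctl get int, and record the same value in $FWDIR/boot/modules/fwkern.conf. The script below does that for integer parameters and is idempotent, so re-running it rewrites the existing entry instead of appending a duplicate. It assumes the one-parameter-per-line name=value form of fwkern.conf described in sk26202, and it only calls fw when the binary is on the PATH, so the file handling can be exercised off-box. On a cluster, run it on every Cluster Member.

```bash
#!/bin/bash
# Added example, not Check Point code: apply an integer kernel parameter at
# runtime and record it in fwkern.conf so it survives reboot.
# Assumption: fwkern.conf holds one "name=value" entry per line (sk26202).

FWKERN_CONF=${FWKERN_CONF:-${FWDIR:-/opt/CPsuite-R81/fw1}/boot/modules/fwkern.conf}

# persist_kernel_param <conf file> <name> <value>
# Idempotent: rewrites an existing "name=..." line or appends one, so the file
# never carries two competing entries for the same parameter.
persist_kernel_param() {
    local conf=$1 name=$2 value=$3 tmp
    case "$name" in ""|*[!A-Za-z0-9_]*) echo "bad parameter name: '$name'" >&2; return 2;; esac
    case "$value" in ""|*[!0-9-]*) echo "integer value expected, got: '$value'" >&2; return 2;; esac
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^${name}=" "$conf"; then
        tmp=$(mktemp) || return 1
        # write through "cat >" rather than "mv" to keep the file's owner and mode
        sed "s/^${name}=.*/${name}=${value}/" "$conf" > "$tmp" && cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$name" "$value" >> "$conf"
    fi
}

# persisted_value <conf file> <name>: prints the value recorded for <name>.
persisted_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# set_kernel_param <name> <value>: apply now (when fw is available), persist,
# and verify both the live and the persisted value.
set_kernel_param() {
    local name=$1 value=$2 live
    if command -v fw >/dev/null 2>&1; then
        fw ctl set int "$name" "$value" || return 1
        # "fw ctl get int NAME" prints "NAME = VALUE"
        live=$(fw ctl get int "$name" | awk -F' = ' '{print $2}')
        [ "$live" = "$value" ] || { echo "live value is '$live', expected '$value'" >&2; return 1; }
    fi
    persist_kernel_param "$FWKERN_CONF" "$name" "$value" || return 1
    [ "$(persisted_value "$FWKERN_CONF" "$name")" = "$value" ]
}

# Stand-alone demo on a scratch file (does not touch the real fwkern.conf).
demo=$(mktemp)
persist_kernel_param "$demo" fw_kdprintf_limit 50
persist_kernel_param "$demo" fw_kdprintf_limit 60      # second call rewrites, does not duplicate
echo "persisted: $(persisted_value "$demo" fw_kdprintf_limit)"
rm -f "$demo"
```

Typical use on the gateway is set_kernel_param fw_kdprintf_limit 50; because the live value is read back with fw ctl get int before the file is written, a typo in the parameter name fails loudly instead of silently landing in fwkern.conf and being rejected at the next boot.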

fw ctl tcpstrstat

Description
Generates statistics report about TCP Streaming.

Syntax

fw [-d] ctl tcpstrstat [-p] [-r]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this
parameter, then redirect the output to
a file, or use the script command
to save the entire CLI session.

-p Shows verbose statistics.

-r Resets the counters.

Example 1 - Default output

[Expert@MyGW:0]# fw ctl tcpstrstat

General Counters:
=================
Connections:
Concurrent num of connections ............. 0
Concurrent num of si connections .......... 0
Packets:
Total num of packets ...................... 2567
Total packets in bytes .................... 202394
Concurrent num of async packets ........... 0
Memory:
Allocated memory in bytes ................. 0
Referenced skbuffs num .................... 0
Referenced skbuffs size in bytes .......... 0
External packet references................. 0
Allocated memory per connection ........... 0
Rejected packets/connections:
Total num of rejected packets ............. 0
Dropped packets/connections:
Total num of dropped packets .............. 0
Stripped/Truncated packets:
Total num of stripped packets ............. 0
Total num of truncated packets ............ 0
Paused packets:
Total num of c2s|s2c paused packets ....... 0 | 0
Concurrent num of UDP held packets ........ 0

Applications Counters:
======================
Application Name: ASPII_MT
Connections:
Total num of connections .................. 954
Concurrent num of connections ............. 0
Total num of c2s|s2c connections .......... 954 | 954
Concurrent num of c2s|s2c connections ..... 0 | 0
Packets:
Total num of c2s|s2c data packets ......... 2567 | 0
Total c2s|s2c data packets in bytes ....... 130518 | 0

FastForward Counters:
=====================
FF connection:
Total num of c2s|s2c FFconns .............. 0 | 0
Total num of c2s|s2c saved packets ........ 0 | 0
Total num of c2s|s2c bytes requests ....... 0 | 0
Total num of c2s|s2c saved bytes .......... 0 | 0

[Expert@MyGW:0]#

fw ctl uninstall

Description
1. Tells the operating system to stop passing packets to Firewall.
2. Unloads the current Security Policy.
3. Unloads the current Firewall Chain Modules (see "fw ctl chain" on page 271).
4. Unloads the current Firewall Connection Modules except for RTM (see "fw ctl conn" on page 273).

Warnings

1. If you run the "fw ctl uninstall" command, the networks behind the Security Gateway
become unprotected.
2. If you run the "fw ctl uninstall" command and then the "fw ctl install" on page 284
command, it does not restore the Security Policy.
You must run one of these commands: "fw fetch" on page 296, or "cpstart" on page 219.

Syntax

fw [-d] ctl uninstall

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this
parameter, then redirect the output to
a file, or use the script command
to save the entire CLI session.

fw defaultgen
Description
Manually generates the Default Filter policy files.
Refer to these related commands:
n "comp_init_policy" on page 183
n "control_bootsec" on page 186
n "fwboot default" on page 414
n "fwboot bootconf" on page 402

Syntax

fw [-d] defaultgen

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file,
or use the script command to save the entire CLI session.

defaultgen Generates the Default Filter policy files:
n For IPv4 traffic: $FWDIR/state/default.bin
n For IPv6 traffic: $FWDIR/state/default.bin6
If the Default Filter policy file already exists, the command creates a backup copy ($FWDIR/state/default.bin.bak and $FWDIR/state/default.bin6.bak).

Example

[Expert@MyGW:0]# fw defaultgen
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
hostaddr(MyGW) failed
Backing up default.bin6 as default.bin6.bak
[Expert@MyGW:0]#

fw fetch
Description
Fetches the Security Policy from the specified host and installs it to the kernel.

Syntax
n To fetch the policy from the Management Server:

fw [-d] fetch -f [-i] [-n] [-r]

n To fetch the policy from a peer Cluster Member, and, if it fails, then from the Management Server:

fw [-d] fetch -f -c [-i] [-n] [-r]

n To fetch the policy from the specified Check Point computer(s):

fw [-d] fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]

n To fetch the policy stored locally on the Security Gateway:

fw [-d] fetch local [-nu]

fw [-d] fetch localhost [-nu]

n To fetch the policy stored locally on the Security Gateway in the specified directory:

fw [-d] fetchlocal -d <Full Path to Directory>

Parameters

Parameter Description

fw -d fetch... Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-c Specifies that you fetch the policy from a peer Cluster Member.
Notes:
n Must also use the "-f" parameter.
n Works only in a cluster.

-f Specifies that you fetch the policy from a Management Server listed in the $FWDIR/conf/masters file.

-i On a Security Gateway with a dynamically assigned IP address (DAIP), specifies to ignore the SIC name and object name.


-n Specifies not to load the fetched policy, if it is the same as the policy already located on the Security Gateway.

-nu Specifies not to update the currently installed policy.

-r On a Cluster Member, specifies to ignore this option in the SmartConsole Install Policy window:
For gateway clusters, if installation on a cluster member fails, do not install on that cluster
Best Practice - Use this parameter if a peer Cluster Member is Down.

<Master 1> [<Master 2> ...] Specifies the Check Point computer(s), from which to fetch the policy.
You can fetch the policy from the Management Server, or a peer Cluster Member.
Notes:
n If you fetch the policy from the Management Server, you can enter one of these:
l The main IP address of the Management Server object.
l The object name of the Management Server.
l The hostname that the Security Gateway resolves to the main IP address of the Management Server.
n If you fetch the policy from a peer Cluster Member, you can enter one of these:
l The main IP address of the Cluster Member object.
l The IP address of the Sync interface on the Cluster Member.
n If the fetch from the first specified <Master> fails, the Security Gateway fetches the policy from the second specified <Master>, and so on. If the Security Gateway fails to connect to all of the specified <Master> computers, the Security Gateway fetches the policy from the localhost.
n If you do not specify the <Master> computers explicitly, the Security Gateway fetches the policy from the localhost.

-d <Full Path to Directory> Used with fetchlocal. Specifies the local directory on the Security Gateway, from which to fetch the policy files.

fw fetchlogs
Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or
use the script command to save the entire CLI session.

-f <Name of Log File N> Specifies the name of the log file to fetch. Specify the file name only, without a path (the example below passes the name without the .log extension).
Notes:
n If you do not specify the log file name explicitly, the command transfers all Security log files ($FWDIR/log/*.log*) and all Audit log files ($FWDIR/log/*.adtlog*).
n The specified log file name can include wildcards * and ? (for example, 2017-0?-*.log).
If you enter a wildcard, you must enclose it in double quotes or single quotes.
n You can specify multiple log files in one command.
You must use the -f parameter for each log file name pattern.
n This command also transfers the applicable log pointer files.

<Target> Specifies the remote Check Point computer, with which this local Check Point computer
has established SIC trust.
n If you run this command on a Security Management Server or Domain
Management Server, then <Target> is the applicable object's name or main IP
address of the Check Point Computer as configured in SmartConsole.
n If you run this command on a Security Gateway or Cluster Member, then
<Target> is the main IP address of the applicable object as configured in
SmartConsole.

Notes:
n This command moves the specified log files from the $FWDIR/log/ directory on the specified
Check Point computer. Meaning, it deletes the specified log files on the specified Check Point
computer after it copies them successfully.
n This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point
computer, on which you run this command.
n This command cannot fetch the active log files $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog.
To fetch these active log files:
1. Perform log switch on the applicable Check Point computer:

fw logswitch [-audit] [-h <IP Address or Hostname>]

2. Fetch the rotated log file from the applicable Check Point computer:

fw fetchlogs -f <Log File Name> <IP Address or Hostname>

n This command renames the log files it fetched from the specified Check Point computer. The new
log file name is the concatenation of the Check Point computer's name (as configured in
SmartConsole), two underscore (_) characters, and the original log file name (for example: MyGW__
2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW
File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R81/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R81/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R81/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R81/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#

fw getifs
Description
Shows this information:
n The names of the interfaces, to which the Check Point Firewall kernel is attached.
n The IP addresses assigned to these interfaces.

Notes:
n This list shows only interfaces that have IP addresses assigned to them.
n Related "cpstat" on page 220 commands:
l cpstat -f ifconfig os
l cpstat -f interfaces fw

Syntax

fw [-d] getifs

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this
parameter, then redirect the output to
a file, or use the script command
to save the entire CLI session.

Example

[Expert@MyGW:0]# fw getifs
localhost eth0 192.168.30.40 255.255.255.0
localhost eth1 172.30.60.80 255.255.255.0
[Expert@MyGW:0]#

fw hastat
Description
Shows information about Check Point computers in High Availability configuration and their states.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter Description

<Target1> <Target2> ... <TargetN> Specifies the Check Point computers to query.
If you run this command on the Management Server, you can enter the applicable IP address, or the resolvable HostName of the managed Security Gateway or Cluster Member.
If you do not specify the target, the command queries the local computer.

fw isp_link
Description
Controls the state of ISP Links in the ISP Redundancy configuration on Security Gateway.

Syntax

fw [-d] isp_link {-h | -help}

fw [-d] isp_link [<Name of Object>] <Name of ISP Link> {down | up}

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or
use the script command to save the entire CLI session.

{-h | -help} Shows the built-in usage.

<Name of Object> Only when you run this command on a Management Server:
The name of the Security Gateway or Cluster Member object as defined in SmartConsole (from the left navigation panel, click Gateways & Servers).

<Name of ISP Link> The name of the ISP Link as defined in the Security Gateway or Cluster object:
1. In SmartConsole, from the left navigation panel, click Gateways & Servers.
2. Open the Security Gateway or Cluster object.
3. From the left tree, click Other > ISP Redundancy.

down Changes the state of the specified ISP Link to DOWN.

up Changes the state of the specified ISP Link to UP.

fw kill
Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

-t <Signal Number> Specifies which signal to send to the Check Point process.
For the list of available signals and their numbers, run the kill -l command.
For information about the signals, see the manual pages for kill and signal.
If you do not specify the signal explicitly, the command sends Signal 15 (SIGTERM).
Note - Processes can ignore some signals.

<Name of Process> Specifies the name of the Check Point process to kill.
To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw lichosts
Description
Shows IP addresses of internal hosts that Security Gateway detected and counted based on the installed
license.

Syntax

fw [-d] lichosts [-l] [-x]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this
parameter, then redirect the output to
a file, or use the script command
to save the entire CLI session.

-l Shows the output in the long format.

-x Shows the output in the hexadecimal format.

Example

[Expert@MyGW:0]# fw lichosts
License allows an unlimited number of hosts
[Expert@MyGW:0]#

Related SK article
sk10200 - 'too many internal hosts' error in /var/log/messages on Security Gateway.

fw log
Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u <Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter Description

{-h | -help} Shows the built-in usage.
Note - The built-in usage does not show some of the parameters described in this table.

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

-a Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>" Shows only entries that were logged between the specified start and end times.
n The <Start Timestamp> and <End Timestamp> may be a date, a time, or both.
n If the date is omitted, then the command assumes the current date.
n Enclose the "<Start Timestamp>" and "<End Timestamp>" in single or double quotes (-b 'XX' 'YY', or -b "XX" "YY").
n You cannot use the "-b" parameter together with the "-s" or "-e" parameters.
n See the date and time format below.


-c <Action> Shows only events with the specified action. One of these:
n accept
n drop
n reject
n encrypt
n decrypt
n vpnroute
n keyinst
n authorize
n deauthorize
n authcrypt
n ctl

Notes:
n The fw log command always shows the Control (ctl) actions.
n For the login action, use authcrypt.

-e "<End Timestamp>" Shows only entries that were logged before the specified time.
Notes:
n The <End Timestamp> may be a date, a time, or both.
n Enclose the <End Timestamp> in single or double quotes (-e '...', or -e "...").
n You cannot use the "-e" parameter together with the "-b" parameter.
n See the date and time format below.

-f This parameter:
1. Shows the saved entries that match the specified conditions.
2. After the command reaches the end of the currently opened log file, it
continues to monitor the log file indefinitely and shows the new entries
that match the specified conditions.

Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-g Does not show delimiters.


The default behavior is:
n Show a colon (:) after a field name
n Show a semi-colon (;) after a field value

-H Shows the High Level Log key.

-h <Origin> Shows only logs that were generated by the Security Gateway with the
specified IP address or object name (as configured in SmartConsole).

-i Shows log UID.


-k {<Alert Name> | all} Shows entries that match a specific alert type:
n <Alert Name> - Show only entries that match a specific alert type:
l alert
l mail
l snmp_trap
l spoof
l user_alert
l user_auth
n all - Show entries that match all alert types (this is the default).

-l Shows both the date and the time for each log entry.
The default is to show the date only once above the relevant entries, and then
specify the time for each log entry.

-m Specifies the log unification mode:
n initial - Complete unification of log entries. The command shows one unified log entry for each ID. This is the default.
If you also specify the -f parameter, then the output does not show any updates, but shows only entries that relate to the start of new connections. To show updates, use the semi parameter.
n semi - Step-by-step unification of log entries. For each log entry, the output shows an entry that unifies this entry with all previously encountered entries with the same ID.
n raw - No log unification. The output shows all log entries.

-n Does not perform DNS resolution of the IP addresses in the log file (this is the
default behavior).
This significantly speeds up the log processing.

-o Shows detailed log chains - shows all the log segments in the log entry.

-p Does not perform resolution of the port numbers in the log file (this is the
default behavior).
This significantly speeds up the log processing.

-q Shows the names of log header fields.

-S Shows the Sequence Number.

-s "<Start Timestamp>" Shows only entries that were logged after the specified time.
Notes:
n The <Start Timestamp> may be a date, a time, or both.
n If the date is omitted, then the command assumes the current date.
n Enclose the <Start Timestamp> in single or double quotes (-s '...', or -s "...").
n You cannot use the "-s" parameter together with the "-b" parameter.
n See the date and time format below.


-t This parameter:
1. Does not show the saved entries that match the specified conditions.
2. After the command reaches the end of the currently opened log file, it
continues to monitor the log file indefinitely and shows the new entries
that match the specified conditions.

Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-u <Unification Scheme File> Specifies the path and name of the log unification scheme file.
The default log unification scheme file is: $FWDIR/conf/log_unification_scheme.C

-w Shows the flags of each log entry (different bits used to specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on).

-x <Start Entry Number> Shows only entries starting from the specified log entry number, counting from the beginning of the log file.

-y <End Entry Number> Shows only entries until the specified log entry number, counting from the beginning of the log file.

-z In case of an error (for example, wrong field value), continues to show log
entries.
The default behavior is to stop.

-# Show confidential logs in clear text.

<Log File> Specifies the log file to read.
If you do not specify the log file explicitly, the command opens the $FWDIR/log/fw.log log file.
You can specify a switched log file.

Date and Time format

Part of timestamp Format Example
Date only MMM DD, YYYY June 11, 2018
Time only HH:MM:SS 14:20:00 (in this case, the command assumes the current date)
Date and Time MMM DD, YYYY HH:MM:SS June 11, 2018 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that show depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

HeaderDateHour - Date and Time. Example: 12Jun2018 12:56:42
ContentVersion - Version. Example: 5
HighLevelLogKey - High Level Log Key. Example: <max_null>, or empty
Uuid - Log UUID. Example: (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)
SequenceNum - Log Sequence Number. Example: 1
Flags - Internal flags that specify the "nature" of the log (for example, control, audit, accounting, complementary, and so on). Example: 428292
Action - Action performed on this connection: accept, drop, reject, encrypt, decrypt, vpnroute, keyinst, authorize, deauthorize, authcrypt, ctl
Origin - Object name of the Security Gateway that generated this log. Example: MyGW
IfDir - Traffic direction through the interface: < - Outbound (sent by a Security Gateway); > - Inbound (received by a Security Gateway)
InterfaceName - Name of the Security Gateway interface, on which this traffic was logged. If a Security Gateway performed some internal action (for example, log switch), then the log entry shows daemon. Examples: eth0, daemon, N/A
LogId - Log ID. Example: 0
Alert - Alert Type: alert, mail, snmp_trap, spoof, user_alert, user_auth
OriginSicName - SIC name of the Security Gateway that generated this log. Example: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x
inzone - Inbound Security Zone. Example: Local
outzone - Outbound Security Zone. Example: External
service_id - Name of the service used to inspect this connection. Example: ftp
src - Object name or IP address of the connection's source computer. Example: MyHost
dst - Object name or IP address of the connection's destination computer. Example: MyFTPServer
proto - Name of the connection's protocol. Example: tcp
sport_svc - Source port of the connection. Example: 64933
ProductName - Name of the Check Point product that generated this log. Examples: VPN-1 & FireWall-1, Application Control, FloodGate-1
ProductFamily - Name of the Check Point product family that generated this log. Example: Network
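Added example - not Check Point code. The record layout above is awkward to read in bulk, so the script below turns fw log -l records into one tab-separated line each (action, origin, direction, interface, src, dst, service, rule_uid) and then counts drops and rejects per source/destination pair. It assumes the default column order used in the examples of this section (no -i, -w or -S, so the ninth field is the interface, or the first "name:" token for daemon-generated records that carry no interface). The sample records are constructed from the examples in this section; the 198.51.100.7 record and its rule_uid are invented for illustration.

```bash
#!/bin/bash
# Added example, not Check Point code: summarise "fw log -l" records and count
# drops per source/destination pair.
# Assumption: the default column layout shown in this section (no -i, -w, -S):
#   <date> <time> <version> <HLLK> <seq> <action> <origin> <dir> <iface> name: value; ...
# Daemon-generated records may omit <iface>; they are reported with iface "-".

# fwlog_summarize: stdin = fw log -l output; stdout = one TSV line per record:
#   action  origin  dir  iface  src  dst  service  rule_uid
fwlog_summarize() {
    awk '
    # kv(line, key): value of the first "key: value;" pair on the line, or "".
    function kv(line, key,    m) {
        if (match(line, " " key ": [^;]*;")) {
            m = substr(line, RSTART, RLENGTH)
            sub("^ " key ": ", "", m); sub(";$", "", m)
            return m
        }
        return ""
    }
    NF >= 9 && $6 ~ /^(accept|drop|reject|encrypt|decrypt|vpnroute|keyinst|authorize|deauthorize|authcrypt|ctl)$/ {
        iface = ($9 ~ /:$/) ? "-" : $9
        svc = kv($0, "service_id"); if (svc == "") svc = kv($0, "svc")
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
            $6, $7, $8, iface, kv($0, "src"), kv($0, "dst"), svc, kv($0, "rule_uid")
    }'
}

# fwlog_drop_counts: stdin = fw log -l output; stdout = "<count> <src> -> <dst> (<service>)",
# highest count first: the first thing to look at when a gateway starts dropping.
fwlog_drop_counts() {
    fwlog_summarize | awk -F'\t' '
        $1 == "drop" || $1 == "reject" { n[$5 " -> " $6 " (" $7 ")"]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample, modelled on the records shown in this section
# (the 198.51.100.7 record and its rule_uid are invented for illustration).
SAMPLE_FWLOG='12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; ProductName: FG; ProductFamily: Network;
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; status: Failed; ProductName: Security Gateway/Management; ProductFamily: Network;
12Jun2018 12:34:02 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64934; ProductFamily: Network;
12Jun2018 12:34:10 5 N/A 1 drop MyGW > eth1 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: External; outzone: Internal; service_id: ssh; src: 198.51.100.7; dst: 192.0.2.10; proto: tcp; layer_name: MyPolicy Network; rule_uid: 0f3c2b1a-1111-4222-8333-444455556666; rule_name: Cleanup rule; ProductName: VPN-1 & FireWall-1; svc: ssh; sport_svc: 51000; ProductFamily: Network;'

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_FWLOG" | fwlog_summarize
printf '%s\n' "$SAMPLE_FWLOG" | fwlog_drop_counts
```

On a gateway the same functions run over live output, for example fw log -l -c drop | fwlog_drop_counts; the rule_uid column is what you match against the policy when a drop that should have been accepted needs to be traced to the rule (and layer) that produced it.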

Examples

Example 1 - Show all log entries with both the date and the time for each log entry
fw log -l

Example 2 - Show all log entries that start after the specified timestamp
[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#


Example 3 - Show all log entries between the specified timestamps


[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"


[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_
match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy
Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table:
TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp;
sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292;
Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName:
CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst:
MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-
9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_
match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END;
ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
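The fw log -l output in the examples above is one entry per line: a fixed header (date, time, and the values that -q labels ContentVersion, HighLevelLogKey, SequenceNum, Action, Origin, IfDir and InterfaceName in Example 5) followed by "key: value;" pairs. The following Python is an added example, not Check Point code: it parses that format into dictionaries and then counts dropped flows and rule hits, which is the first thing to look at when triaging fw log -c drop output. The sample entries are constructed from the page's own Example 3 lines (each joined back into one line); the positional meaning of the header tokens is an assumption inferred from the -q field names in Example 5.

```python
import re
from collections import Counter

# Constructed sample in the shape of "fw log -l" output: the three entries from
# the page's Example 3, each joined into one line as the gateway prints them.
SAMPLE_FW_LOG = """\
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;
"""

# Assumed positional meaning of the header tokens, taken from the field names
# that "fw log -q" prints in Example 5 (InterfaceName is absent on some entries).
HEADER_KEYS = ("date", "time", "content_version", "high_level_log_key",
               "sequence_num", "action", "origin", "if_dir", "interface")

# The body starts at the first "Key:" token preceded by whitespace; "12:33:39"
# in the header does not match because a key must start with a letter.
BODY_START = re.compile(r"\s([A-Za-z_][\w-]*):\s")


def parse_fw_log_entry(line):
    """Split one fw log entry into its positional header and its key/value fields."""
    m = BODY_START.search(line)
    if m is None:
        raise ValueError("no 'key: value' body found in entry: %r" % line[:60])
    header = dict(zip(HEADER_KEYS, line[:m.start()].split()))
    header.setdefault("interface", None)          # e.g. "ctl" entries carry no interface
    fields = {}
    for segment in line[m.start():].split(";"):
        if ":" not in segment:
            continue                               # trailing empty segment after the last ";"
        key, _, value = segment.partition(":")     # first colon only: values may contain "https:"
        fields[key.strip()] = value.strip()        # "rule_name: ;" yields an empty string
    # Repeated keys (the TABLE_START/TABLE_END markers) overwrite; they carry no data.
    return {"header": header, "fields": fields}


def parse_fw_log(text):
    """Parse multi-entry fw log output, skipping blank lines, prompts and '...' fillers."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and BODY_START.search(line):
            entries.append(parse_fw_log_entry(line))
    return entries


def drops_by_flow(entries):
    """Count dropped entries per (src, dst, service): what to look at first in '-c drop' output."""
    counts = Counter()
    for e in entries:
        if e["header"]["action"] == "drop":
            f = e["fields"]
            counts[(f.get("src"), f.get("dst"), f.get("svc") or f.get("service_id"))] += 1
    return counts


def hits_by_rule(entries):
    """Count entries per rule_uid; rule_name is often empty, so the UID is the stable key."""
    return Counter(e["fields"]["rule_uid"] for e in entries if "rule_uid" in e["fields"])


if __name__ == "__main__":
    parsed = parse_fw_log(SAMPLE_FW_LOG)
    for e in parsed:
        print(e["header"]["time"], e["header"]["action"], e["fields"].get("src"), e["fields"].get("dst"))
    print(drops_by_flow(parsed))
    print(hits_by_rule(parsed))
```

Feed it the output of fw log -l (or a file produced with -o) and the counters give you the dropped flows and the matching rule UIDs without re-reading each entry by hand; rule_uid is used as the key because rule_name is empty in the page's own drop entry.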

fw logswitch
Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
- By default, this command switches the active Security log file - $FWDIR/log/fw.log
- You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch
[-audit] [<Name of Switched Log>]
      -h <Target> [[+ | -]<Name of Switched Log>]

Parameters

Parameter   Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file,
    or use the script command to save the entire CLI session.

-audit
    Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).
    You can use this parameter only on a Management Server.

-h <Target>
    Specifies the remote computer, on which to switch the log.
    Notes:
    - The local and the remote computers must have established SIC trust.
    - The remote computer can be a Security Gateway, a Log Server, or a Security
      Management Server in High Availability deployment.
    - You can specify the remote managed computer by its main IP address or
      Object Name as configured in SmartConsole.

<Name of Switched Log>
    Specifies the name of the switched log file.
    Notes:
    - If you do not specify this parameter, then the default name is:
      <YYYY-MM-DD_HHMMSS>.log
      <YYYY-MM-DD_HHMMSS>.adtlog
      For example, 2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the switched
      log file is:
      <Specified_Log_Name>.log
      <Specified_Log_Name>.adtlog
    - The log switch operation fails if the specified name for the switched log
      matches the name of an existing log file.
    - The maximal length of the specified name of the switched log file is 230
      characters.

+
    Specifies to copy the active log from the remote computer to the local computer.
    Notes:
    - If you specify the name of the switched log file, you must write it immediately
      after this + (plus) parameter.
    - The command copies the active log from the remote computer and saves it in
      the $FWDIR/log/ directory on the local computer.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved
      log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command copies the log file from the remote computer, it
      compresses the file.

-
    Specifies to transfer the active log from the remote computer to the local computer.
    Notes:
    - The command saves the copied active log file in the $FWDIR/log/ directory
      on the local computer and then deletes the switched log file on the remote
      computer.
    - If you specify the name of the switched log file, you must write it immediately
      after this - (minus) parameter.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved
      log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command transfers the log file from the remote computer, it
      compresses the file.
    - As an alternative, you can use the "fw fetchlogs" on page 298 command.

Compression
When this command transfers the log files from the remote computer, it compresses the file with the gzip
command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method. The
compression ratio varies with the content of the log file and is difficult to predict. Binary data are not
compressed. Text data, such as user names and URLs, are compressed.

Example - Switching the active Security log on a Security Management Server or Security Gateway
[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Security log on a managed Security Gateway and copying the switched log
[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R81/fw1/log/fw.log
/opt/CPsuite-R81/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R81/fw1/log/fw.log
/opt/CPsuite-R81/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

fw lslogs
Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog)
residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ...
[-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime | etime}]
[<Target>]

Parameters

Parameter   Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file,
    or use the script command to save the entire CLI session.

-f <Name of Log File>
    Specifies the name of the log file to show. You need to specify only the file name.
    Notes:
    - If the log file name is not specified explicitly, the command shows all Security
      log files ($FWDIR/log/*.log).
    - File names may include * and ? as wildcards (for example, 2019-0?-*). If
      you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command. You must use the "-f"
      parameter for each log file name pattern:
      -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>

-e
    Shows an extended file list. It includes the following information for each log file:
    - Size - The total size of the log file and its related pointer files
    - Creation Time - The time the log file was created
    - Closing Time - The time the log file was closed
    - Log File Name - The file name

-r
    Reverses the sort order (descending order).

-s {name | size | stime | etime}
    Specifies the sort order of the log files using one of the following sort options:
    - name - The file name
    - size - The file size
    - stime - The time the log file was created (this is the default option)
    - etime - The time the log file was closed

<Target>
    Specifies the remote Check Point computer, with which this local Check Point
    computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain
      Management Server, then <Target> is the applicable object's name or main
      IP address of the Check Point Computer as configured in SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member, then
      <Target> is the main IP address of the applicable object as configured in
      SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"


Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 4 - Showing only log files specified by the patterns and their extended information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Next Generation Security Gateway R81 Administration Guide      |      317


fw lslogs

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r


Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security Gateway with main IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' 192.168.3.53


Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#

fw mergefiles
Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
- Do not merge the active Security file $FWDIR/log/fw.log with other Security
  switched log files.
  Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch"
  on page 313 command) and only then merge it with other Security switched log
  files.
- Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit
  switched log files.
  Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch"
  on page 313 command) and only then merge it with other Audit switched log
  files.
- This command unifies log entries with the same Unique-ID (UID). If you rotate
  the current active log file before all the segments of a specific log arrive, this
  command merges the records with the same Unique ID from two different files
  into one fully detailed record.
- If the size of the final merged log file exceeds 2GB, this command creates a list
  of merged files, where the size of each merged file is not more than 2GB.
  The user receives this warning:
  Warning: The size of the files you have chosen to merge is greater than 2GB. The merge will produce two or more files.
  The names of the merged files are:
  - <Name of Merged Log File>.log
  - <Name of Merged Log File>_1.log
  - <Name of Merged Log File>_2.log
  - ... ...
  - <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}

fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of Log
File 1> <Name of Log File 2> ... <Name of Log File N> <Name of Merged
Log File>

Parameters

Parameter   Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file,
    or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-r
    Removes duplicate entries.

-s
    Sorts the merged file by the Time field in log records.

-t <Time Conversion File>
    Specifies a full path and name of a file that instructs this command how to
    adjust the times during the merge. This is required if you merge log files
    from Log Servers configured with different time zones.
    The file format is:
    <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
    <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
    ... ...
    Notes:
    - You must specify the absolute path and the file name.
    - The name of the time conversion file cannot exceed 230 characters.

<Name of Log File 1> ... <Name of Log File N>
    Specifies the log files to merge.
    Notes:
    - You must specify the absolute path and the name of the input log files.
    - The name of the input log file cannot exceed 230 characters.

<Name of Merged Log File>
    Specifies the output merged log file.
    Notes:
    - The name of the merged log file cannot exceed 230 characters.
    - If a file with the specified name already exists, the command stops and asks
      you to remove the existing file, or to specify another name.
    - The size of the merged log file cannot exceed 2 GB. In such a scenario, the
      command creates several merged log files, each not exceeding the size limit.

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log
$FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#

fw monitor
Description
Firewall Monitor is the Check Point traffic capture tool.
In a Security Gateway, traffic passes through different inspection points - Chain Modules in the Inbound
direction and then in the Outbound direction (see "fw ctl chain" on page 271).
The FW Monitor tool captures the traffic at each Chain Module in both directions.
You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like
Wireshark.

Notes:
- Only one instance of "fw monitor" can run at a time.
- You can stop the "fw monitor" instance in one of these ways:
  - In the shell, in which the "fw monitor" instance runs, press CTRL + C keys
  - In another shell, run this command: fw monitor -U
- Each time you run the FW Monitor, it compiles its temporary policy files
  ($FWDIR/tmp/monitorfilter.*).
- From R80.20, the FW Monitor is able to show the traffic accelerated with
  SecureXL.
- For more information, see sk30583 and How to use FW Monitor.

Syntax for IPv4

fw monitor {-h | -help}

fw monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of
Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter
File> | -}] [-F "<Source IP>,<Source Port>,<Dest IP>,<Dest
Port>,<Protocol Number>"] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o
<Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po
<Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-U] [-v
<VSID>] [-x <Offset>[,<Length>] [-w]]

Syntax for IPv6

fw6 monitor {-h | -help}

fw6 monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number
of Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter
File> | -}] [-F "<Source IP>,<Source Port>,<Dest IP>,<Dest
Port>,<Protocol Number>"] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o
<Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po
<Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-U] [-v
<VSID>] [-x <Offset>[,<Length>] [-w]]

Parameters

Parameter   Description

{-h | -help}
    Shows the built-in usage.

-d
-D
    Runs the command in debug mode and shows some information about
    how the FW Monitor starts and compiles the specified INSPECT filter:
    - -d
      Simple debug output.
    - -D
      Verbose output.
    Note - You can specify both parameters to show more information.

-ci <Number of Inbound Packets>
-co <Number of Outbound Packets>
    Specifies how many packets to capture.
    The FW Monitor stops the traffic capture if it counted the specified number
    of packets.
    - -ci
      Specifies the number of inbound packets to count.
    - -co
      Specifies the number of outbound packets to count.
    Best Practice - You can use the "-ci" and the "-co" parameters together.
    This is especially useful during large volumes of traffic. In such scenarios,
    FW Monitor may bind so many resources (for writing to the console, or to a
    file) that recognizing the break sequence (CTRL+C) might take a very long
    time.

Parameter   Description

-e <INSPECT Expression>
or
-f {<INSPECT Filter File> | -}
    Captures only specific packets of non-accelerated traffic:
    - "-e <INSPECT Expression>"
      Defines the INSPECT filter expression on the command line.
    - "-f <INSPECT Filter File>"
      Reads the INSPECT filter expression from the specified file. You
      must enter the full path and name of the plain-text file that contains
      the INSPECT filter expression.
    - "-f -"
      Reads the INSPECT filter expression from the standard input. After
      you enter the INSPECT filter expression, you must enter the ^D
      (CTRL+D) as the EOF (End Of File) character.
    Warning - These INSPECT filters do not apply to the accelerated traffic.
    Important - Make sure to enclose the INSPECT filter expression correctly
    in single quotes (ASCII value 39) or double quotes (ASCII value 34).
    Notes:
    - Refer to the $FWDIR/lib/fwmonitor.def file for useful macro definitions.
    - See syntax examples below ("Examples for the "-e" parameter" on page 336).

-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"
    Specifies the capture filter (for both accelerated and non-accelerated
    traffic):
    - <Source IP> - Specifies the source IP address
    - <Source Port> - Specifies the source Port Number (see IANA
      Service Name and Port Number Registry)
    - <Dest IP> - Specifies the destination IP address
    - <Dest Port> - Specifies the destination Port Number (see IANA
      Service Name and Port Number Registry)
    - <Protocol Number> - Specifies the Protocol Number (see
      IANA Protocol Numbers)

    Notes:
    - See syntax examples below ("Examples for the "-F" parameter" on page 348).
    - The "-F" parameter uses these Kernel Debug Filters.
      For more information, see "Kernel Debug Filters" on page 456.
      - For the Source IP address:
        simple_debug_filter_saddr_<N> "<IP Address>"
      - For the Source Ports:
        simple_debug_filter_sport_<N> <1-65535>
      - For the Destination IP address:
        simple_debug_filter_daddr_<N> "<IP Address>"
      - For the Destination Ports:
        simple_debug_filter_dport_<N> <1-65535>
      - For the Protocol Number:
        command_simple_debug_filter_proto_<N> <0-254>
    - Value 0 means "any".
    - This parameter supports up to 5 capture filters (up to 5 instances of the
      "-F" parameter in the syntax).
      The FW Monitor performs the logical "OR" between all specified simple
      capture filters.

-H
    Creates an IP address filter.
    For more information, see "Kernel Debug Filters" on page 456.
    This parameter supports up to 3 capture filters (up to 3 instances of the
    "-H" parameter in the syntax).
    Example - Capture only HTTP traffic to and from the Host 1.1.1.1:
    fw ctl debug -H "1.1.1.1"

-i
    Flushes the standard output.
    Note - This parameter is valid only with the "-v <VSID>" parameter.
    Best Practice - Use this parameter to make sure FW Monitor immediately
    writes the captured data for each packet to the standard output. This is
    especially useful if you want to kill a running FW Monitor process, and want
    to be sure that FW Monitor writes all the data to the specified file.

-l <Length>
    Specifies the maximal length of the captured packets. FW Monitor reads
    only the specified number of bytes from each packet.
    Notes:
    - This parameter is optional.
    - This parameter lets you capture only the headers from each packet (for
      example, IP and TCP) and omit the payload. This decreases the size of the
      output file. This also helps the internal FW Monitor buffer not to fill too
      fast.
    - Make sure to capture the minimal required number of bytes, to capture the
      Layer 3 IP header and Layer 4 Transport header.

-m {i, I, o, O, e, E}
    Specifies the capture mask (inspection point) in relation to Chain Modules,
    in which the FW Monitor captures the traffic.
    These are the inspection points, through which each packet passes on a
    Security Gateway.
    - -m i
      Pre-Inbound only (before the packet enters a Chain Module in the
      inbound direction)
    - -m I
      Post-Inbound only (after the packet passes a Chain Module in the
      inbound direction)
    - -m o
      Pre-Outbound only (before the packet enters a Chain Module in the
      outbound direction)
    - -m O
      Post-Outbound only (after the packet passes through a Chain
      Module in the outbound direction)
    - -m e
      Pre-Outbound VPN only (before the packet enters a VPN Chain
      Module in the outbound direction)
    - -m E
      Post-Outbound VPN only (after the packet passes through a VPN
      Chain Module in the outbound direction)

    Notes:
    - You can specify several capture masks (for example, to see NAT on
      the egress packets, enter "... -m o O ...").
    - You can use this capture mask parameter "-m {i, I, o, O, e, E}"
      together with the chain module position parameter "-p{i | I | o | O}".
    - In the inbound direction:
      - All chain positions before the FireWall Virtual Machine module are
        Pre-Inbound (the "fw ctl chain" on page 271 command shows this
        module as "fw VM inbound").
      - All chain modules after the FireWall Virtual Machine module are
        Post-Inbound.
    - In the outbound direction:
      - All chain positions before the FireWall Virtual Machine module are
        Pre-Outbound.
      - All chain modules after the FireWall Virtual Machine module are
        Post-Outbound.
    - By default, the FW Monitor captures the traffic only in the FireWall
      Virtual Machine module.
    - The packet direction relates to each specific packet, and not to the
      connection's direction.
    - The letters "q" and "Q" after the inspection point mean that the QoS
      policy is applied to the interface.

    Example packet flows:
    - From a Client to a Server through the FireWall Virtual Machine module:
      [Client] --> ("i") {FW VM attached to eth1} ("I") [Security Gateway] ("o") {FW VM attached to eth2} ("O") --> [Server]
    - From a Server to a Client through the FireWall Virtual Machine module:
      [Client] <-- ("O") {FW VM attached to eth1} ("o") [Security Gateway] ("I") {FW VM attached to eth2} ("i") <-- [Server]

-o <Output File>
    Specifies the output file, to which FW Monitor writes the captured raw
    data.
    Important - If you do not specify the path explicitly, FW Monitor
    creates this output file in the current working directory. Because
    this output file can grow very fast to a very large size, we always
    recommend that you specify the full path to the largest partition
    /var/log/.
    The format of this output file is the same format used by tools like snoop
    (refer to RFC 1761).
    You can later analyze the captured traffic with the same FW Monitor tool,
    or with special tools like Wireshark.

-pi <Position>
-pI <Position>
-po <Position>
-pO <Position>
or
-p all [-a]
    Inserts the FW Monitor Chain Module at the specified position between
    the kernel Chain Modules (see the "fw ctl chain" on page 271).
    If the FW Monitor writes the captured data to the specified output file (with
    the parameter "-o <Output File>"), it also writes the position of the
    FW Monitor chain module as one of the fields.
    You can insert the FW Monitor Chain Module in these positions only:
    - -pi <Position>
      Inserts the FW Monitor Chain Module in the specified Pre-Inbound
      position.
    - -pI <Position>
      Inserts the FW Monitor Chain Module in the specified Post-Inbound
      position.
    - -po <Position>
      Inserts the FW Monitor Chain Module in the specified Pre-Outbound
      position.
    - -pO <Position>
      Inserts the FW Monitor Chain Module in the specified Post-Outbound
      position.
    - -p all [-a]
      Inserts the FW Monitor Chain Module at all positions (both Inbound
      and Outbound).
      Warning - This parameter causes very high load on the CPU, but
      provides the most complete traffic capture.
      The "-a" parameter specifies to use absolute chain positions. This
      parameter changes the chain ID from a relative value (which only
      makes sense with the matching output from the "fw ctl chain" on
      page 271 command) to an absolute value.

    Notes:
    - <Position> can be one of these:
      - A relative position number
        In the output of the "fw ctl chain" on page 271 command, refer to the
        numbers in the leftmost column (for example, 0, 5, 14).
      - A relative position alias
        In the output of the "fw ctl chain" on page 271 command, refer to the
        internal chain module names in the rightmost column in the parentheses
        (for example, sxl_in, fw, cpas).
      - An absolute position
        In the output of the "fw ctl chain" on page 271 command, refer to the
        numbers in the second column from the left (for example, -7fffffff,
        -1fffff8, 7f730000). In the syntax, you must write these numbers in the
        hexadecimal format (for example, -0x7fffffff, -0x1fffff8, 0x7f730000).
    - You can use this chain module position parameter "-p{i | I | o | O} ..."
      together with the capture mask parameter "-m {i, I, o, O, e, E}".
    - In the inbound direction:
      - All chain positions before the FireWall Virtual Machine module are
        Pre-Inbound (the "fw ctl chain" on page 271 command shows this
        module as "fw VM inbound").
      - All chain modules after the FireWall Virtual Machine module are
        Post-Inbound.
    - In the outbound direction:
      - All chain positions before the FireWall Virtual Machine module are
        Pre-Outbound.
      - All chain modules after the FireWall Virtual Machine module are
        Post-Outbound.
    - By default, the FW Monitor captures the traffic only in the FireWall
      Virtual Machine module.
    - The chain module position parameters "-p{i | I | o | O} ..." do not
      apply to the accelerated traffic, which is still monitored at the default
      inbound and outbound positions.
    - For more information about the inspection points, see the applicable
      table below.

-T
    Shows the timestamp for each packet:
    DDMMMYYYY HH:MM:SS.mmmmmm
    Best Practice - Use this parameter if you do not save the output
    to a file, but print it on the screen.

-u
or
-s
    Shows the UUID for each packet (it is only possible to print either the UUID
    or the SUUID, not both):
    - -u
      Prints the connection's Universal-Unique-ID (UUID) for each packet
    - -s
      Prints the connection's Session UUID (SUUID) for each packet

-U
    Removes the simple capture filters specified with this parameter:
    -F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"

-v <VSID>
    On a VSX Gateway or VSX Cluster Member, captures the packets on the
    specified Virtual System or Virtual Router.
    By default, FW Monitor captures the packets on all Virtual Systems and
    Virtual Routers.
    Example:
    fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap

-w
    Captures the entire packet, instead of only the header.
    Must be used together with one of these parameters:
    - -o <Output File>
    - -x <Offset>[,<Length>]

-x <Offset>[,<Length>]
    Specifies the position in each packet, where the FW Monitor starts to
    capture the data from each packet.
    Optionally, it is also possible to limit the amount of data the FW Monitor
    captures.
    - <Offset>
      Specifies how many bytes to skip from the beginning of each
      packet. FW Monitor starts to capture the data from each packet only
      after the specified number of bytes.
    - <Length>
      Specifies the maximal length of the captured packets. FW Monitor
      reads only the specified number of bytes from each packet.
    For example, to skip over the IP header and TCP header, enter "-x 52,96"
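The -o parameter above states that the output file uses the same format as snoop (RFC 1761) and is normally opened in Wireshark. For a quick offline check of such a file without Wireshark, the following Python is an added example and not Check Point's code: it builds a small RFC 1761 snoop file from one constructed TCP segment between the page's sample addresses, then parses the container and decodes the IPv4 and TCP headers. The record layout is the standard RFC 1761 one; the constructed file uses datalink type 4 (Ethernet) by assumption, because the page does not describe how fw monitor frames each packet inside a record (the chain-position field it mentions for -o is not modelled here), so a real capture may need the link-layer handling in decode_ipv4_tcp adjusted.

```python
import socket
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"     # RFC 1761 file identification pattern
SNOOP_VERSION = 2
DLT_ETHERNET = 4                        # RFC 1761 datalink type for Ethernet (assumed here)
RECORD_HDR = struct.Struct("!IIIIII")   # orig_len, incl_len, rec_len, drops, sec, usec


def ones_complement_sum(data):
    """RFC 1071 Internet checksum over data (used to build and to verify IPv4 headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=6, ident=0x1234):
    """20-byte IPv4 header with a correct checksum (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def tcp_header(sport, dport, flags=0x02):
    """20-byte TCP header, data offset 5, no options; checksum left zero (not verified here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_snoop(records, datalink=DLT_ETHERNET):
    """Serialize (seconds, microseconds, packet_bytes) tuples into a snoop v2 file."""
    out = bytearray(SNOOP_MAGIC + struct.pack("!II", SNOOP_VERSION, datalink))
    for sec, usec, pkt in records:
        pad = (-len(pkt)) % 4                       # records are padded to a 4-byte boundary
        out += RECORD_HDR.pack(len(pkt), len(pkt), RECORD_HDR.size + len(pkt) + pad, 0, sec, usec)
        out += pkt + b"\x00" * pad
    return bytes(out)


def parse_snoop(data):
    """Return (datalink_type, records) for a snoop file; rejects wrong magic, version and lengths."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture")
    version, datalink = struct.unpack("!II", data[8:16])
    if version != SNOOP_VERSION:
        raise ValueError("unsupported snoop version %d" % version)
    records, off = [], 16
    while off + RECORD_HDR.size <= len(data):
        orig, incl, rec_len, drops, sec, usec = RECORD_HDR.unpack_from(data, off)
        if rec_len < RECORD_HDR.size + incl or off + rec_len > len(data):
            raise ValueError("corrupt record at offset %d" % off)   # also guarantees progress
        start = off + RECORD_HDR.size
        records.append({"orig_len": orig, "incl_len": incl, "drops": drops,
                        "ts_sec": sec, "ts_usec": usec, "data": data[start:start + incl]})
        off += rec_len
    return datalink, records


def decode_ipv4_tcp(pkt, datalink):
    """Pull src/dst/proto and, for TCP, ports and flags out of one record's packet bytes."""
    if datalink == DLT_ETHERNET:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":   # EtherType must be IPv4
            return None
        pkt = pkt[14:]
    # Assumption: any other datalink type starts directly at the IP header.
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    flow = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]), "proto": pkt[9]}
    if pkt[9] == 6 and len(pkt) >= ihl + 20:
        flow["sport"], flow["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        flow["tcp_flags"] = pkt[ihl + 13]
    return flow


def sample_capture():
    """Constructed one-packet capture: a SYN from the page's sample client to its SSH server."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = tcp_header(53901, 22)
    ip = ipv4_header("192.168.204.1", "192.168.204.40", len(tcp))
    return build_snoop([(1536779285, 453947, eth + ip + tcp)])


def flows_in(data):
    """Decode every record of a capture into a flow dict (None for non-IPv4 records)."""
    datalink, records = parse_snoop(data)
    return [decode_ipv4_tcp(r["data"], datalink) for r in records]


if __name__ == "__main__":
    for flow in flows_in(sample_capture()):
        print(flow)
```

The length checks in parse_snoop matter on real files: a truncated capture (FW Monitor killed before it flushed, which is why the -i parameter exists) ends mid-record, and the rec_len check turns that into an error instead of a silent wrong read.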

Inspection points in Security Gateway and in the FW Monitor output


Note - The Inbound and Outbound traffic direction relates to each specific packet, and not to the
connection.

- Inbound

  Relation to the FireWall    Notion of inspection point         Name of inspection point
  Virtual Machine                                                in the FW Monitor output

  Pre-Inbound                 Before the inbound FireWall VM     i (for example, eth4:i)
  Post-Inbound                After the inbound FireWall VM      I (for example, eth4:I)
  Pre-Inbound VPN             Inbound before decrypt             id (for example, eth4:id)
  Post-Inbound VPN            Inbound after decrypt              ID (for example, eth4:ID)
  Pre-Inbound QoS             Inbound before QoS                 iq (for example, eth4:iq)
  Post-Inbound QoS            Inbound after QoS                  IQ (for example, eth4:IQ)

- Outbound

  Relation to the FireWall    Notion of inspection point         Name of inspection point
  Virtual Machine                                                in the FW Monitor output

  Pre-Outbound                Before the outbound FireWall VM    o (for example, eth4:o)
  Post-Outbound               After the outbound FireWall VM     O (for example, eth4:O)
  Pre-Outbound VPN            Outbound before encrypt            e (for example, eth4:e)
  Post-Outbound VPN           Outbound after encrypt             E (for example, eth4:E)
  Pre-Outbound QoS            Outbound before QoS                oq (for example, eth4:oq)
  Post-Outbound QoS           Outbound after QoS                 OQ (for example, eth4:OQ)

Generic Examples

Example 1 - Default syntax


[Expert@MyGW:0]# fw monitor
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31790
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a47
... ... ...
monitor: caught sig 2
monitor: unloading
[Expert@MyGW:0]#

Example 2 - Showing timestamps in the output for each packet


[Expert@MyGW:0]# fw monitor -T
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] 12Sep2018 19:08:05.453947 eth0:oq[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.453960 eth0:OQ[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454059 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454064 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454072 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454074 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.463165 eth0:iq[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
[vs_0][fw_1] 12Sep2018 19:08:05.463177 eth0:IQ[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
monitor: unloading
[Expert@MyGW:0]#

Example 3 - Capturing only three Pre-Inbound packets at the FireWall Virtual Machine module

[Expert@MyGW:0]# fw monitor -m i -ci 3
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31905
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e683b
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31906
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e68ef
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31907
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e69a3
monitor: unloading
Read 3 inbound packets and 0 outbound packets
[Expert@MyGW:0]#

Example 4 - Inserting the FW Monitor chain module before chain module #2 and capturing only three Pre-Inbound packets

[Expert@MyGW:0]# fw ctl chain


in chain (15):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
5: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
6: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
7: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
8: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
9: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
10: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
11: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
12: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
13: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
14: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (14):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
4: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
5: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
6: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
7: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
8: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
9: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
10: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
11: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
12: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
13: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw monitor -pi 2 -ci 3
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800001 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
3: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
monitor: unloading
Read 3 inbound packets and 5 outbound packets
[Expert@MyGW:0]#
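The records printed in Examples 1 and 4, together with the inspection-point codes from the Inbound and Outbound tables, can be decoded mechanically. The following is an added example, not part of the guide and not Check Point code: it parses constructed fw monitor output, labels each record with its inspection point, and lists packets that were seen at a pre-FireWall-VM point but never at the matching post point (the usual first question when traffic is not getting through). The sample output and the helper names are this example's own assumptions.

```python
import re

# Inspection-point codes from the guide's Inbound and Outbound tables.
# Lowercase = before the inbound/outbound FireWall VM, decrypt/encrypt or
# QoS ("pre"); uppercase = after it ("post").
INSPECTION_POINTS = {
    "i": ("inbound", "Pre-Inbound"), "I": ("inbound", "Post-Inbound"),
    "id": ("inbound", "Pre-Inbound VPN"), "ID": ("inbound", "Post-Inbound VPN"),
    "iq": ("inbound", "Pre-Inbound QoS"), "IQ": ("inbound", "Post-Inbound QoS"),
    "o": ("outbound", "Pre-Outbound"), "O": ("outbound", "Post-Outbound"),
    "e": ("outbound", "Pre-Outbound VPN"), "E": ("outbound", "Post-Outbound VPN"),
    "oq": ("outbound", "Pre-Outbound QoS"), "OQ": ("outbound", "Post-Outbound QoS"),
}

# Header line as printed by fw monitor, with an optional -T timestamp and,
# when -p/-pi/-po moved the capture, a chain position plus module label:
#   [vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
#   [vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: ... (TCP) len=1228 id=37575
HEADER_RE = re.compile(
    r"^\[(?P<vs>vs_\d+)\]\[(?P<inst>fw_\d+)\]\s+"
    r"(?:(?P<ts>\d{2}\w{3}\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"(?P<ifname>[^:\s]+):(?P<point>[A-Za-z]+)(?P<chainpos>\d*)"
    r"(?:\s+\((?P<module>.*)\))?\[(?P<caplen>\d+)\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+len=(?P<len>\d+)"
    r"(?:\s+id=(?P<id>\d+))?"
)
# Layer 4 line that follows a TCP header line; the flag column is kept verbatim.
TCP_RE = re.compile(
    r"^TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>\S+)"
    r"\s+seq=(?P<seq>[0-9a-f]+)\s+ack=(?P<ack>[0-9a-f]+)"
)


def describe_point(code, chainpos=None):
    """Decode an inspection-point code such as 'I' or 'oq' (chain position 1
    when it was printed as 'oq1').  Unknown codes raise ValueError."""
    if code not in INSPECTION_POINTS:
        raise ValueError(f"unknown inspection point {code!r}")
    direction, name = INSPECTION_POINTS[code]
    if chainpos is not None:
        # With -p/-pi/-po the capture sits at an explicit chain position and
        # the fixed table name no longer says where the packet was seen.
        name = f"chain position {chainpos}"
    return {"direction": direction, "point_name": name,
            "stage": "pre" if code.islower() else "post"}


def parse_fw_monitor(text):
    """Turn fw monitor text output into a list of per-packet dicts."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("caplen", "len", "id"):
                rec[key] = int(rec[key]) if rec[key] is not None else None
            rec["chainpos"] = int(rec["chainpos"]) if rec["chainpos"] else None
            rec.update(describe_point(rec["point"], rec["chainpos"]))
            records.append(rec)
            continue
        t = TCP_RE.match(line)
        if t and records:  # attach the L4 line to the header just parsed
            records[-1].update(sport=int(t["sport"]), dport=int(t["dport"]),
                               flags=t["flags"], seq=t["seq"], ack=t["ack"])
    return records


def packets_missing_post_point(records):
    """Packets seen at a 'pre' point on an interface but never at the matching
    'post' point (same interface, direction and IP id).  Inbound, that means
    the packet did not come out of the inbound FireWall VM.  The IP id is a
    good enough key for a short capture, not a guaranteed unique one."""
    post_seen = {(r["ifname"], r["direction"], r["id"])
                 for r in records if r["stage"] == "post"}
    return [r for r in records if r["stage"] == "pre"
            and (r["ifname"], r["direction"], r["id"]) not in post_seen]


# Constructed sample output in the format of the guide's Examples 1 and 4:
# id 31789 passes i and I, id 31790 is seen at i only, id 37575 passes the
# outbound points printed with chain positions.
SAMPLE_OUTPUT = """\
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31790
TCP: 53902 -> 23 ....A. seq=761113ce ack=f92e2a14
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
"""

if __name__ == "__main__":
    for r in packets_missing_post_point(parse_fw_monitor(SAMPLE_OUTPUT)):
        print(f"{r['ifname']}:{r['point']} id={r['id']} {r['src']} -> {r['dst']} "
              f"dport={r['dport']} seen at {r['point_name']} only")
```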

Example 5 - Showing the list of Chain Modules with the FW Monitor, when you do not change the default capture positions

[Expert@MyGW:0]# fw ctl chain
in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#

Examples for the "-e" parameter

Example 1 - Capture everything


[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

Example 2 - Capture traffic to / from specific hosts

To specify a host, you can use one of these expressions:


- Use "host(<IP_Address_in_Doted_Decimal_format>)", which applies to both Source IP address and Destination IP address
- Use a specific Source IP address "src=<IP_Address_in_Doted_Decimal_format>" and a specific Destination IP address "dst=<IP_Address_in_Doted_Decimal_format>"

Example filters:

- Capture everything between host X and host Y:

[Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

- Capture everything between hosts X,Z and hosts Y,Z in all Firewall kernel chains:

[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap

- Capture everything to/from host X or to/from host Y or to/from host Z:

[Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap

Example 3 - Capture traffic to / from specific ports


Note - You must specify port numbers in Decimal format. Refer to the
/etc/services file on the Security Gateway, or to IANA Service Name and Port
Number Registry.

To specify a port, you can use one of these expressions:


- Use "port(<IANA_Port_Number>)", which applies to both Source Port and Destination Port
- Use a specific Source Port "sport=<IANA_Port_Number>" and a specific Destination Port "dport=<IANA_Port_Number>"
- In addition:
  - For a specific TCP port, you can use "tcpport(<IANA_Port_Number>)", which applies to both Source TCP Port and Destination TCP Port
  - For a specific UDP port, you can use "udpport(<IANA_Port_Number>)", which applies to both Source UDP Port and Destination UDP Port

Example filters:

- Capture everything to/from port X:

[Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "(sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

- Capture everything except port X (both ports must differ from X; "(sport!=x) or (dport!=x)" would still capture packets that carry X on one side only):

[Expert@HostName]# fw monitor -e "((sport!=x) and (dport!=x)), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "not (sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

- Capture everything except SSH:

[Expert@HostName]# fw monitor -e "((sport!=22) and (dport!=22)), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "not (sport=22 or dport=22), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "not tcpport(22), accept;" -o /var/log/fw_mon.cap

- Capture everything to/from host X except SSH:

[Expert@HostName]# fw monitor -e "(host(x.x.x.x) and (sport!=22 and dport!=22)), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) and (not (sport=22 or dport=22))), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "(host(x.x.x.x) and not tcpport(22)), accept;" -o /var/log/fw_mon.cap

- Capture everything except NTP:

[Expert@HostName]# fw monitor -e "not udpport(123), accept;" -o /var/log/fw_mon.cap

Example 4 - Capture traffic over specific protocol

Note - You must specify protocol numbers in Decimal format. Refer to the
/etc/protocols file on the Security Gateway, or to IANA Protocol Numbers.

To specify a protocol, you can use one of these expressions:


- Use "ip_p=<IANA_Protocol_Number>". Examples:
  - To specify the TCP protocol, use "ip_p=6"
  - To specify the UDP protocol, use "ip_p=17"
  - To specify the ICMP protocol, use "ip_p=1"
- Use "accept [9:1]=<IANA_Protocol_Number>" (the protocol number is the byte at offset 9 of the IP packet). Examples:
  - To specify the TCP protocol with a byte offset, use "accept [9:1]=6"
  - To specify the UDP protocol with a byte offset, use "accept [9:1]=17"
  - To specify the ICMP protocol with a byte offset, use "accept [9:1]=1"
- In addition, you can explicitly use these expressions to specify protocols:

Summary Table

Which protocol to specify | On which port(s) traffic is captured | Expression
TCP | N/A | "tcp, accept;"
UDP | N/A | "udp, accept;"
ICMPv4 | N/A | "icmp, accept;" or "icmp4, accept;"
ICMPv6 | N/A | "icmp6, accept;"
HTTP | TCP 80 | "http, accept;"
HTTPS | TCP 443 | "https, accept;"
PROXY | TCP 8080 | "proxy, accept;"
DNS | UDP 53 | "dns, accept;"
IKE | UDP 500 | "ike, accept;"
NAT-T | UDP 4500 | "natt, accept;"
ESP and IKE | IP proto 50 and UDP 500 | "vpn, accept;"
All VPN-related data: a. ESP, b. IPsec over UDP, c. IKE, d. NAT-T, e. CRL, f. RDP, g. Tunnel Test, h. Topology, i. L2TP, j. SCV, k. Multi-Portal, l. and so on | a. IP proto 50, b. UDP 2746, c. UDP 500, d. UDP 4500, e. TCP 18264, f. UDP 259, g. UDP 18234, h. TCP 264, i. TCP 1701, j. UDP 18233, k. TCP 443 + TCP 444, l. and so on | "vpnall, accept;"
Multi-Portal connections | TCP 443 and TCP 444 | "multi, accept;"
SSH | TCP 22 | "ssh, accept;"
FTP | TCP 20 and TCP 21 | "ftp, accept;"
Telnet | TCP 23 | "telnet, accept;"
SMTP | TCP 25 | "smtp, accept;"
POP3 | TCP 110 | "pop3, accept;"

Example filters:

- Filter to capture everything on protocol X:

[Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

- Filter to capture everything on protocol X, and port Z on protocol Y:

[Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap

- Filter to capture everything TCP between host X and host Y:

[Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "tcp, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "accept [9:1]=6 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"

[Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

Example 5 - Capture traffic with specific protocol options

Note - Refer to the $FWDIR/lib/tcpip.def file on Security Gateway.

Summary Table for IPv4

Option Description | Expression | Example
Source IPv4 address of the IPv4 packet | ip_src = <IPv4_Address> | fw monitor -e "ip_src = 192.168.22.33, accept;"
Destination IPv4 address of the IPv4 packet | ip_dst = <IPv4_Address> | fw monitor -e "ip_dst = 192.168.22.33, accept;"
Time To Live of the IPv4 packet | ip_ttl = <Number> | fw monitor -e "ip_ttl = 255, accept;"
Total Length of the IPv4 packet in bytes | ip_len = <Length_in_Bytes> | fw monitor -e "ip_len = 64, accept;"
TOS field of the IPv4 packet | ip_tos = <Number> | fw monitor -e "ip_tos = 0, accept;"
IANA Protocol Number (either in Dec or in Hex) encapsulated in the IPv4 packet | ip_p = <IANA_Protocol_Number> | Example for TCP: fw monitor -e "ip_p = 6, accept;". Examples for UDP: fw monitor -e "ip_p = 17, accept;" and fw monitor -e "ip_p = 0x11, accept;". Example for ICMPv4: fw monitor -e "ip_p = 1, accept;"

Summary Table for IPv6

Option Description | Expression | Example
Source IPv6 address of the IPv6 packet | ip_src6p = <IPv6_Address> | fw monitor -e "ip_src6p = 0:0:0:0:0:ffff:c0a8:1621, accept;"
Destination IPv6 address of the IPv6 packet | ip_dst6p = <IPv6_Address> | fw monitor -e "ip_dst6p = 0:0:0:0:0:ffff:c0a8:1621, accept;"
Payload Length of the IPv6 packet in bytes | ip_len6 = <Length_in_Bytes> | fw monitor -e "ip_len6 = 1000, accept;"
Hop Limit ("Time To Live") of the IPv6 packet | ip_ttl6 = <Number> | fw monitor -e "ip_ttl6 = 255, accept;"
Next Header of the IPv6 packet - encapsulated IANA Protocol Number | ip_p6 = <IANA_Protocol_Number> | fw monitor -e "ip_p6 = 6, accept;"

Summary Table for TCP

Option Description | Expression | Example
SYN flag is set in TCP packet | syn | fw monitor -e "ip_p = 6, syn, accept;"
ACK flag is set in TCP packet | ack | fw monitor -e "ip_p = 6, ack, accept;"
RST flag is set in TCP packet | rst | fw monitor -e "ip_p = 6, rst, accept;"
FIN flag is set in TCP packet | fin | fw monitor -e "ip_p = 6, fin, accept;"
First packet of TCP connection (SYN flag is set, but ACK flag is not set in TCP packet) | first | fw monitor -e "ip_p = 6, first, accept;"
Not the first packet of TCP connection (SYN flag is not set in TCP packet) | not_first | fw monitor -e "ip_p = 6, not_first, accept;"
Established TCP connection (either ACK flag is set, or SYN flag is not set in TCP packet) | established | fw monitor -e "ip_p = 6, established, accept;"
Last packet of TCP connection (both ACK flag and FIN flag are set in TCP packet) | last | fw monitor -e "ip_p = 6, last, accept;"
End of TCP connection (either RST flag is set, or FIN flag is set in TCP packet) | tcpdone | fw monitor -e "ip_p = 6, tcpdone, accept;"
General way to match the TCP flags inside TCP packets | th_flags = <Sum_of_Flags_Hex_Values> | See the "th_flags" examples in the table below
TCP source port | th_sport = <Port_Number> | fw monitor -e "th_sport = 59259, accept;"
TCP destination port | th_dport = <Port_Number> | fw monitor -e "th_dport = 22, accept;"
TCP sequence number (either in Dec or in Hex) | th_seq = <Number> | Example for Dec format: fw monitor -e "th_seq = 3937833514, accept;". Example for Hex format: fw monitor -e "th_seq = 0xeab6922a, accept;"
TCP acknowledged number (either in Dec or in Hex) | th_ack = <Number> | Example for Dec format: fw monitor -e "th_ack = 509054325, accept;". Example for Hex format: fw monitor -e "th_ack = 0x1e578d75, accept;"

Examples for "th_flags" (the value is the sum of the hex values of the flags):

TCP Flag | Example
SYN (0x2) | fw monitor -e "th_flags = 0x2, accept;"
ACK (0x10) | fw monitor -e "th_flags = 0x10, accept;"
PSH (0x8) | fw monitor -e "th_flags = 0x8, accept;"
FIN (0x1) | fw monitor -e "th_flags = 0x1, accept;"
RST (0x4) | fw monitor -e "th_flags = 0x4, accept;"
URG (0x20) | fw monitor -e "th_flags = 0x20, accept;"
SYN + ACK (0x12) | fw monitor -e "th_flags = 0x12, accept;"
PSH + ACK (0x18) | fw monitor -e "th_flags = 0x18, accept;"
FIN + ACK (0x11) | fw monitor -e "th_flags = 0x11, accept;"
RST + ACK (0x14) | fw monitor -e "th_flags = 0x14, accept;"
Summary Table for UDP

Option Description | Expression | Example
UDP source port | uh_sport = <Port_Number> | fw monitor -e "uh_sport = 53, accept;"
UDP destination port | uh_dport = <Port_Number> | fw monitor -e "uh_dport = 53, accept;"

Summary Table for ICMPv4

Option Description | Expression | Example
ICMPv4 packets with specified Type | icmp_type = <Number> | fw monitor -e "icmp_type = 0, accept;"
ICMPv4 packets with specified Code | icmp_code = <Number> | fw monitor -e "icmp_code = 0, accept;"
ICMPv4 packets with specified Identifier | icmp_id = <Number> | fw monitor -e "icmp_id = 20583, accept;"
ICMPv4 packets with specified Sequence number | icmp_seq = <Number> | fw monitor -e "icmp_seq = 1, accept;"
ICMPv4 Echo Request packets (Type 8, Code 0) | echo_req | fw monitor -e "echo_req, accept;"
ICMPv4 Echo Reply packets (Type 0, Code 0) | echo_reply | fw monitor -e "echo_reply, accept;"
ICMPv4 Echo Request and ICMPv4 Echo Reply packets | ping | fw monitor -e "ping, accept;"
Traceroute packets as implemented in Unix OS (UDP packets on ports above 30000 and with TTL<30; or ICMP Time exceeded packets) | traceroute | fw monitor -e "traceroute, accept;"
Traceroute packets as implemented in Windows OS (ICMP Request packets with TTL<30; or ICMP Time exceeded packets) | tracert | fw monitor -e "tracert, accept;"
Length of ICMPv4 packets | icmp_ip_len = <length> | fw monitor -e "icmp_ip_len = 84, accept;"

Summary Table for ICMPv6

Option Description | Expression | Example
ICMPv6 packets with specified Type | icmp6_type = <Number> | fw monitor -e "icmp6_type = 1, accept;"
ICMPv6 packets with specified Code | icmp6_code = <Number> | fw monitor -e "icmp6_code = 3, accept;"

Example 6 - Capture specific bytes in packets

Syntax:

fw monitor -e "accept [ <Offset> : <Length> , <Byte Order> ] <Relational-Operator> <Value>;"

Parameters:

Parameter | Explanation
<Offset> | Specifies the offset relative to the beginning of the IP packet from where the value should be read.
<Length> | Specifies the number of bytes: 1 = byte, 2 = word, 4 = dword. If length is not specified, FW Monitor assumes 4 (dword).
<Byte Order> | Specifies the byte order: b = big endian, or network order; l = little endian, or host order. If order is not specified, FW Monitor assumes little endian byte order.
<Relational-Operator> | Relational operator to express the relation between the packet data and the value: < (less than), > (greater than), <= (less than or equal to), >= (greater than or equal to), = or is (equal to), != or is not (not equal to)
<Value> | One of the data types known to INSPECT (for example, an IP address, or an integer).

Explanations:

- The IP-based protocols are stored in the IP packet as a byte at offset 9.
  - To filter based on a Protocol encapsulated into IP, use this syntax:

[Expert@HostName]# fw monitor -e "accept [9:1]=<IANA_Protocol_Number>;"

- The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address).
  - To filter based on a Source IP address, use this syntax:

[Expert@HostName]# fw monitor -e "accept [12:4,b]=<IP_Address_in_Doted_Decimal_format>;"

  - To filter based on a Destination IP address, use this syntax:

[Expert@HostName]# fw monitor -e "accept [16:4,b]=<IP_Address_in_Doted_Decimal_format>;"

- The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port).
  - To filter based on a Source port, use this syntax:

[Expert@HostName]# fw monitor -e "accept [20:2,b]=<Port_Number_in_Decimal_format>;"

  - To filter based on a Destination port, use this syntax:

[Expert@HostName]# fw monitor -e "accept [22:2,b]=<Port_Number_in_Decimal_format>;"

Example filters:

- Capture everything between host X and host Y:

[Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"

- Capture everything on port X:

[Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap
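As an added example (not from the guide and not Check Point code), the evaluator below applies the offset/length/byte-order syntax of Example 6 to a constructed IPv4/TCP packet built with the standard library: it reproduces the guide's offsets 9, 12, 16, 20 and 22, shows why ",b" matters for multi-byte fields under the default little-endian order, and checks the assumption behind the port offsets, which hold only for a 20-byte IPv4 header without options. The function names, the sample packet and the "no match past the end of the packet" rule are this example's own.

```python
import re
import socket
import struct

# One "[<Offset>:<Length>,<Byte Order>] <op> <Value>" term of the syntax in
# Example 6; evaluate() strips the surrounding "accept ... ;" first.
TERM_RE = re.compile(
    r"^\[\s*(?P<off>\d+)\s*(?::\s*(?P<len>[124]))?\s*(?:,\s*(?P<order>[bl]))?\s*\]"
    r"\s*(?P<op>!=|<=|>=|=|<|>|is not|is)\s*(?P<val>\S+)$"
)
OPS = {
    "=": lambda a, b: a == b, "is": lambda a, b: a == b,
    "!=": lambda a, b: a != b, "is not": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
}


def parse_value(text):
    """Accept a dotted-decimal IPv4 address, a hex (0x..) or a decimal integer."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", text):
        return int.from_bytes(socket.inet_aton(text), "big")
    return int(text, 0)


def evaluate(expr, packet):
    """Evaluate 'accept [off:len,order] op value;' against raw IP packet bytes.
    Defaults follow the guide: length 4 (dword) and little-endian (host)
    order when ",b" is absent.  A term that reads past the packet is treated
    as no match (this example's choice)."""
    term = re.sub(r"^\s*accept\s+|\s*;\s*$", "", expr.strip())
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"cannot parse filter term: {expr!r}")
    off, length = int(m["off"]), int(m["len"] or 4)
    order = "big" if m["order"] == "b" else "little"
    if off + length > len(packet):
        return False
    field = int.from_bytes(packet[off:off + length], order)
    return OPS[m["op"]](field, parse_value(m["val"]))


def build_ipv4_tcp(src, dst, sport, dport, ttl=64, options=b""):
    """Constructed sample packet: an IPv4 header (plus optional IP options, a
    multiple of 4 bytes) followed by a 20-byte TCP header; checksums stay 0."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0x1234,
                     0, ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + options + tcp


def l4_port_offsets(packet):
    """Where the TCP/UDP ports actually sit.  The guide's fixed offsets 20 and
    22 assume a 20-byte IPv4 header (IHL = 5): with IP options present the
    transport header, and therefore the ports, move to IHL * 4."""
    ihl = packet[0] & 0x0F
    return ihl * 4, ihl * 4 + 2


if __name__ == "__main__":
    pkt = build_ipv4_tcp("192.168.1.10", "10.0.0.5", 40000, 443)
    for f in ('accept [9:1]=6;', 'accept [12:4,b]=192.168.1.10;',
              'accept [12:4]=192.168.1.10;', 'accept [22:2,b]=443;'):
        print(f"{f:40} -> {evaluate(f, pkt)}")
    with_opts = build_ipv4_tcp("192.168.1.10", "10.0.0.5", 40000, 443,
                               options=b"\x01\x01\x01\x00")  # three NOPs + EOL
    print("port offsets with IP options:", l4_port_offsets(with_opts))
```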

Example 7 - Capture traffic to/from specific network

You must specify the network address and length of network mask (number of bits).
There are 3 options:

Traffic direction | Expression
To or From a network | "net(<Network_IP_Address>, <Mask_Length>), accept;"
To a network | "to_net(<Network_IP_Address>, <Mask_Length>), accept;"
From a network | "from_net(<Network_IP_Address>, <Mask_Length>), accept;"

Example filters:

- Capture everything to/from network 192.168.33.0 / 24:

[Expert@HostName]# fw monitor -e "net(192.168.33.0, 24), accept;"

- Capture everything sent to network 192.168.33.0 / 24:

[Expert@HostName]# fw monitor -e "to_net(192.168.33.0, 24), accept;"

- Capture everything sent from network 192.168.33.0 / 24:

[Expert@HostName]# fw monitor -e "from_net(192.168.33.0, 24), accept;"

Example 8 - Filter out irrelevant "noise"

Filter in only the TCP protocol on the HTTP and HTTPS ports, and filter out SSH and the FW Logs (port 257):

[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443));" -o /var/log/fw_mon.cap

Examples for the "-F" parameter


You can specify up to 5 capture filters with this parameter (up to 5 instances of the "-F" parameter in the syntax).
The FW Monitor performs the logical "OR" between all specified simple capture filters.
Value 0 is used as "any".

Example 1 - Capture everything


[Expert@HostName]# fw monitor -F "0,0,0,0,0" -o /var/log/fw_mon.cap

Example 2 - Capture traffic to / from specific hosts

- Capture all traffic from Source IP x.x.x.x (any port) to Destination IP y.y.y.y (any port), over all protocols:

[Expert@HostName]# fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -o /var/log/fw_mon.cap

- Capture all traffic between Host x.x.x.x (any port) and Host y.y.y.y (any port), over all protocols:

[Expert@HostName]# fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -F "y.y.y.y,0,x.x.x.x,0,0" -o /var/log/fw_mon.cap

Example 3 - Capture traffic to / from specific ports

- Capture traffic from any Source IP from Source Port X to any Destination IP to Destination Port Y, over all protocols:

[Expert@HostName]# fw monitor -F "0,x,0,y,0" -o /var/log/fw_mon.cap

- Capture traffic between all hosts, between Port X and Port Y, over all protocols:

[Expert@HostName]# fw monitor -F "0,x,0,y,0" -F "0,y,0,x,0" -o /var/log/fw_mon.cap


Example 4 - Capture traffic over specific protocol

- Capture traffic between all hosts, between all ports, over a Protocol with assigned number X:

[Expert@HostName]# fw monitor -F "0,0,0,0,x" -o /var/log/fw_mon.cap

Example 5 - Capture traffic between specific hosts between specific ports over specific protocol

fw monitor -F "a.a.a.a,b,c.c.c.c,d,e" -F "c.c.c.c,d,a.a.a.a,b,e" -o /var/log/fw_mon.cap

To capture only HTTP traffic between the Client 1.1.1.1 and the Server 2.2.2.2:

fw monitor -F "1.1.1.1,0,2.2.2.2,80,6" -F "2.2.2.2,80,1.1.1.1,0,6" -o /var/log/fw_mon.cap
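The "-F" rules above (5-tuple, 0 as "any", up to 5 filters, logical OR) can be checked offline before a capture is started. The following Python model is an added example, not Check Point code; the packets it evaluates are constructed, and the HTTP client/server filters are the ones from Example 5.

```python
"""Offline model of the "fw monitor -F" capture-filter rules described above.

Added example, not Check Point code: it reproduces only the documented
semantics (5-tuple "src,sport,dst,dport,proto", 0 means any, up to 5 filters,
logical OR between them) so a filter set can be checked against sample
packets before a capture is started on a gateway.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

MAX_FILTERS = 5  # the command accepts up to 5 instances of "-F"


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: the five fields an "-F" filter can match."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


def parse_f_filter(spec: str) -> Tuple[str, int, str, int, int]:
    """Split one "-F" value into its five fields."""
    fields = [f.strip() for f in spec.split(",")]
    if len(fields) != 5:
        raise ValueError(f'"-F" value needs exactly 5 comma-separated fields: {spec!r}')
    src, sport, dst, dport, proto = fields
    return src, int(sport), dst, int(dport), int(proto)


def filter_matches(spec: str, pkt: Packet) -> bool:
    """True if a single "-F" filter matches the packet; 0 in a field is a wildcard."""
    src, sport, dst, dport, proto = parse_f_filter(spec)
    return (src in ("0", pkt.src)
            and sport in (0, pkt.sport)
            and dst in ("0", pkt.dst)
            and dport in (0, pkt.dport)
            and proto in (0, pkt.proto))


def captured(filters: Sequence[str], pkt: Packet) -> bool:
    """True if "fw monitor -F f1 [-F f2 ...]" would capture the packet.

    FW Monitor performs a logical OR between the simple filters, so one
    matching filter is enough.
    """
    if not 1 <= len(filters) <= MAX_FILTERS:
        raise ValueError(f"between 1 and {MAX_FILTERS} filters are allowed")
    return any(filter_matches(f, pkt) for f in filters)


def demo() -> List[bool]:
    """Replays the guide's HTTP example: client 1.1.1.1, server 2.2.2.2, TCP port 80."""
    both_directions = ["1.1.1.1,0,2.2.2.2,80,6", "2.2.2.2,80,1.1.1.1,0,6"]
    one_direction = both_directions[:1]
    # Constructed packets: the request, its reply, a DNS query from the same
    # client, and another host talking to the same server.
    request = Packet("1.1.1.1", 51000, "2.2.2.2", 80, 6)
    reply = Packet("2.2.2.2", 80, "1.1.1.1", 51000, 6)
    dns = Packet("1.1.1.1", 51001, "2.2.2.2", 53, 17)
    other = Packet("3.3.3.3", 51002, "2.2.2.2", 80, 6)
    return [
        captured(both_directions, request),  # True
        captured(both_directions, reply),    # True: the second -F covers the reply
        captured(one_direction, reply),      # False: a single -F is one-way only
        captured(both_directions, dns),      # False: wrong port and protocol
        captured(both_directions, other),    # False: source is not in the filter
    ]


if __name__ == "__main__":
    print(demo())
```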


fw repairlog
Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases with special pointer files.
If these log pointer files become corrupted (which makes the log file unreadable), this command can rebuild them.

Log File Type   Log File Location     Log Pointer Files
Security log    $FWDIR/log/*.log      *.logptr, *.logaccount_ptr, *.loginitial_ptr, *.logLuuidDB
Audit log       $FWDIR/log/*.adtlog   *.adtlogptr, *.adtlogaccount_ptr, *.adtloginitial_ptr, *.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file


fw repairlog -u 2019-06-17_000000.adtlog


fw sam
Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
- In SmartConsole from Monitoring Results
- In CLI with the fw sam command

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- See the "fw sam_policy" on page 358 and "sam_alert" on page 423 commands.
- SAM rules consume some CPU resources on Security Gateway.
  Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  This data log file contains the records in one of these formats:
  <type>,<actions>,<expire>,<ipaddr>
  <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
- SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
- IP Addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:

1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.


Syntax
- To add or cancel a SAM rule according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

- To delete all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

- To monitor all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

- To monitor SAM rules according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.


-S <SIC Name of SAM Server>
    Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.
    - For more information about enabling SIC, refer to the OPSEC API Specification.
    - On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Specifies to enforce the action on all managed Security Gateways where SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or StandAlone.
    - Gateways - Specifies to enforce the action on all objects defined as Security Gateways on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
    Notes:
    - You can use this syntax only on Security Management Server or Domain Management Server.
    - VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
    - It is also possible to use this command for active SAM requests.


-C
    Cancels the fw sam command to inhibit connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds), during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for enforced action:
    - nolog - Does not generate Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:
    - This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
    - This action does not inhibit / close connections.

-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Each inhibited connection is logged according to the log type.
    - Matching connections are rejected.

-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.


-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    - Source IP Address
    - Source Netmask
    - Destination IP Address
    - Destination Netmask
    - Port (see IANA Service Name and Port Number Registry)
    - Protocol Number (see IANA Protocol Numbers)


    Possible combinations are (see the explanations below this table):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>

Explanation for the <Criteria> syntax

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.

subany <IP> <Netmask>
    Matches either the Source IP address or Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.


subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.
    Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address (assigned according to the source netmask), Destination IP address, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address (assigned according to the destination netmask), Service (port number) and Protocol.

dstsrv <Dest IP> <Service> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.
    Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address and protocol of connections.
    Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address and protocol of connections.
    Destination IP address is assigned according to the netmask.

generic <key=val>+
    Matches the GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    - service=gtp
    - imsi
    - msisdn
    - apn
    - tunl_dst
    - tunl_dport
    - tunl_proto

fw sam_policy
Description
Manages the Suspicious Activity Policy editor that lets you work with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 351
- "sam_alert" on page 423
Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.


Syntax for IPv4

fw [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Syntax for IPv6

fw6 [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw6 [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 360.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 372.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 374.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 377.


fw sam_policy add

Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>


Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined.
    Default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log

-t <Timeout>
    Optional.
    Specifies the time period (in seconds), during which the rule will be enforced.
    Default timeout is indefinite.


-f <Target>
    Optional.
    Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
    <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.


ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):
    [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
    See the explanations below.

quota <Quota Filter Arguments>
    Mandatory (use this quota parameter, or the ip parameter).
    Configures the Rate Limiting rule.
    Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):
    - [flush true]
    - [source-negated {true | false}] source <Source>
    - [destination-negated {true | false}] destination <Destination>
    - [service-negated {true | false}] service <Protocol and Port numbers>
    - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
    - [track <Track>]

    Important:
    - The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.
    - Explanation:
      For new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.
      The Security Gateway computes new connection rates on a per-second basis.
      At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.
      If, at some point during that 1-second period, there are too many new connections, then the Security Gateway blocks all remaining packets for the remainder of that 1-second interval.
      At the start of the next 1-second interval, the counters are reset, and the process starts over: the Security Gateway allows packets to pass again up to the point where the rule's limit is violated.
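The per-second enforcement described in the Explanation above is easier to see on a timeline. The following Python simulation is an added example, not Check Point code; the event list is constructed, and the exact boundary (the limit-th new connection passes, the next one trips the rule) and the alignment of intervals to whole seconds are assumptions of the model. It also converts between a fraction of gateway-wide traffic and the parts-per-65536 unit used by the -ratio limits.

```python
"""Simulation of the per-second new-connection rate limiting described above.

Added example, not Check Point code: it models only the behaviour the guide
explains (a 1-second interval, counters reset at each interval start, and
once the limit is exceeded every remaining matching packet in that interval
is dropped, including packets of existing connections). The exact boundary
(the limit-th new connection is still allowed, the next one trips the rule)
and second-aligned intervals are assumptions of this model.
"""
from typing import Dict, List, T_uple if False else Tuple  # noqa: F401 (kept simple below)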

Next Generation Security Gateway R81 Administration Guide      |      363


fw sam_policy add

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

Argument Description

-C Specifies that open connections should be closed.

-s <Source IP> Specifies the Source IP address.

-m <Source Mask> Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination Specifies the Destination IP address.


IP>

-M <Destination Specifies the Destination subnet mask (in dotted decimal format -
Mask> x.y.z.w).

-p <Port> Specifies the port number (see IANA Service Name and Port Number
Registry).

-r <Protocol> Specifies the protocol number (see IANA Protocol Numbers).

Next Generation Security Gateway R81 Administration Guide      |      364


fw sam_policy add

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument Description

flush true Specifies to compile and load the quota rule to the
SecureXL immediately.

[source-negated {true | Specifies the source type and its value:


false}] source <Source>
n any
The rule is applied to packets sent from all
sources.
n range:<IP Address>
or
range:<IP Address Start>-<IP
Address End>
The rule is applied to packets sent from:
l Specified IPv4 addresses (x.y.z.w)

l Specified IPv6 addresses

(xxxx:yyyy:...:zzzz)
n cidr:<IP Address>/<Prefix>
The rule is applied to packets sent from:
l IPv4 address with Prefix from 0 to 32

l IPv6 address with Prefix from 0 to 128

n cc:<Country Code>
The rule matches the country code to the source
IP addresses assigned to this country, based on
the Geo IP database.
The two-letter codes are defined in ISO 3166-1
alpha-2.
n asn:<Autonomous System Number>
The rule matches the AS number of the
organization to the source IP addresses that are
assigned to this organization, based on the Geo
IP database.
The valid syntax is ASnnnn, where nnnn is a
number unique to the specific organization.

Notes:
n Default is: source-negated false
n The source-negated true processes all
source types, except the specified type.

Next Generation Security Gateway R81 Administration Guide      |      365


fw sam_policy add

Argument Description

[destination-negated {true | Specifies the destination type and its value:


false}] destination
n any
<Destination>
The rule is applied to packets sent to all
destinations.
n range:<IP Address>
or
range:<IP Address Start>-<IP
Address End>
The rule is applied to packets sent to:
l Specified IPv4 addresses (x.y.z.w)

l Specified IPv6 addresses

(xxxx:yyyy:...:zzzz)
n cidr:<IP Address>/<Prefix>
The rule is applied to packets sent to:
l IPv4 address with Prefix from 0 to 32

l IPv6 address with Prefix from 0 to 128

n cc:<Country Code>
The rule matches the country code to the
destination IP addresses assigned to this
country, based on the Geo IP database.
The two-letter codes are defined in ISO 3166-1
alpha-2.
n asn:<Autonomous System Number>
The rule matches the AS number of the
organization to the destination IP addresses that
are assigned to this organization, based on the
Geo IP database.
The valid syntax is ASnnnn, where nnnn is a
number unique to the specific organization.

Notes:
n Default is: destination-negated false
n The destination-negated true will
process all destination types except the specified
type

Next Generation Security Gateway R81 Administration Guide      |      366


fw sam_policy add

Argument Description

[service-negated {true | Specifies the Protocol number (see IANA Protocol


false}] service <Protocol and Numbers) and Port number (see IANA Service Name
Port numbers> and Port Number Registry):
n <Protocol>
IP protocol number in the range 1-255
n <Protocol Start>-<Protocol End>
Range of IP protocol numbers
n <Protocol>/<Port>
IP protocol number in the range 1-255 and
TCP/UDP port number in the range 1-65535
n <Protocol>/<Port Start>-<Port End>
IP protocol number and range of TCP/UDP port
numbers from 1 to 65535

Notes:
n Default is: service-negated false
n The service-negated true will process all
traffic except the traffic with the specified
protocols and ports

Next Generation Security Gateway R81 Administration Guide      |      367


fw sam_policy add

Argument Description

[<Limit 1 Name> <Limit 1 Specifies quota limits and their values.


Value>] [<Limit 2 Name> <Limit Note - Separate multiple quota limits with spaces.
2 Value>] ... [<Limit N Name>
<Limit N Value>] n concurrent-conns <Value>
Specifies the maximal number of concurrent
active connections that match this rule.
n concurrent-conns-ratio <Value>
Specifies the maximal ratio of the concurrent-
conns value to the total number of active
connections through the Security Gateway,
expressed in parts per 65536 (formula: N /
65536).
n pkt-rate <Value>
Specifies the maximum number of packets per
second that match this rule.
n pkt-rate-ratio <Value>
Specifies the maximal ratio of the pkt-rate value
to the rate of all connections through the Security
Gateway, expressed in parts per 65536 (formula:
N / 65536).
n byte-rate <Value>
Specifies the maximal total number of bytes per
second in packets that match this rule.
n byte-rate-ratio <Value>
Specifies the maximal ratio of the byte-rate value
to the bytes per second rate of all connections
through the Security Gateway, expressed in parts
per 65536 (formula: N / 65536).
n new-conn-rate <Value>
Specifies the maximal number of connections per
second that match the rule.
n new-conn-rate-ratio <Value>
Specifies the maximal ratio of the new-conn-rate
value to the rate of all connections per second
through the Security Gateway, expressed in parts
per 65536 (formula: N / 65536).

[track <Track>] Specifies the tracking option:


n source
Counts connections, packets, and bytes for
specific source IP address, and not cumulatively
for this rule.
n source-service
Counts connections, packets, and bytes for
specific source IP address, and for specific IP
protocol and destination port, and not
cumulatively for this rule.

Next Generation Security Gateway R81 Administration Guide      |      368


fw sam_policy add

Examples

Example 1 - Rate Limiting rule with a range


fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
n This rule drops packets for all connections (-a d) that exceed the quota set by this rule,
including packets for existing connections.
n This rule logs packets (-l r) that exceed the quota set by this rule.
n This rule will expire in 3600 seconds (-t 3600).
n This rule limits the rate of creation of new connections to 5 connections per second (new-conn-
rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11
- 172.16.7.13 (source range:172.16.7.11-172.16.7.13).

Note - The limit of the total number of log entries per second is configured with the fwaccel dos
config set -n <rate> command.
n This rule will be compiled and loaded on the SecureXL, together with other rules in the Suspicious
Activity Monitoring (SAM) policy database immediately, because this rule includes the "flush
true" parameter.

Example 2 - Rate Limiting rule with a service specification


fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN


fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist


fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:
- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking


fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l r parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536=~1% (concurrent-conns-ratio 655) for any traffic (service any) except (source-negated true) the connections from the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule counts connections, packets, and bytes for traffic only from sources that match this rule, and not cumulatively for this rule.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

fw sam_policy batch

Description
The "fw sam_policy batch" and "fw6 sam_policy batch" commands:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure

1. Start the batch mode

- For IPv4, run:

fw sam_policy batch << EOF

- For IPv6, run:

fw6 sam_policy batch << EOF

2. Enter the applicable commands

- Enter one "add" or "del" command on each line, on as many lines as necessary. Start each line with only the "add" or "del" parameter (not with "fw samp").

- Use the same set of parameters and values as described in these commands:
  - "fw sam_policy add" on page 360
  - "fw sam_policy del" on page 374
- Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

3. End the batch mode

Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF

add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5

del <501f6ef0,00000000,cb38a8c0,0a0afffe>

add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

EOF
[Expert@HostName]#

fw sam_policy del

Description
The "fw sam_policy del" and "fw6 sam_policy del" commands:
- Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
- Delete one configured Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'
    Specifies the UID of the rule you wish to delete.
    Important:
    - The quote marks and angle brackets ('<...>') are mandatory.
    - To see the Rule UID, run the "fw sam_policy get" on page 377 command.

Procedure

1. List all the existing rules in the Suspicious Activity Monitoring policy database

List all the existing rules in the Suspicious Activity Monitoring policy database.
- For IPv4, run:

fw sam_policy get

- For IPv6, run:

fw6 sam_policy get

The rules show in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log= ... name= ... comment=... originator= ... src_ip_addr=... req_tpe=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

2. Delete a rule from the list by its UID

- For IPv4, run:

fw [-d] sam_policy del '<Rule UID>'

- For IPv6, run:

fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule

- For IPv4, run:

fw samp add -t 2 quota flush true

- For IPv6, run:

fw6 samp add -t 2 quota flush true

Explanation:
The "fw samp del" and "fw6 samp del" commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compile and load a policy. To force the rule deletion immediately, you must enter a flush-only rule right after the "fw samp del" or "fw6 samp del" command. This flush-only rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This
prevents accumulation of rules that are obsolete in the database.

fw sam_policy get

Description
The "fw sam_policy get" and "fw6 sam_policy get" commands:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l
    Controls how to print the rules:
    - In the default format (without "-l"), the output shows each rule on a separate line.
    - In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
    - See "fw sam_policy add" on page 360.

-u '<Rule UID>'
    Prints the rule specified by its Rule UID or its zero-based rule index.
    The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'
    Prints the rules with the specified predicate key.
    The quote marks are mandatory.

-t <Type>
    Prints the rules with the specified predicate type.
    For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}
    Prints the rules with the specified predicate values.
    The quote marks are mandatory.

-n
    Negates the condition specified by these predicate parameters:
    - -k
    - -t
    - +-v

Examples

Example 1 - Output in the default format


[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 2 - Output in the list format


[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID


[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 4 - Printing rules that match the specified filters


[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
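As an added Python example (not code from this guide or from Check Point), this script ties together the "fw sam_policy get" output format, the "-k/-t/-v/-n" predicate filters shown above, and the "del" plus flush-only rule steps of the "fw sam_policy del" procedure fed through "fw sam_policy batch": it parses captured "fw samp get" output offline, selects rules the way the filters do, and emits the batch input that deletes them and flushes at once. The sample output is constructed from the rule lines in the examples above; the function names are the example's own.

```python
import re

# Constructed sample of "fw samp get" default-format output (one rule per
# line), taken from the rule lines in the examples above. Not live output.
SAMPLE_GET_OUTPUT = r"""
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip
""".strip()

# Fields are "key=value" pairs separated by spaces; a backslash escapes a
# space that belongs to a value (name=Test\ Rule), so split only on
# unescaped spaces.
FIELD_SPLIT_RE = re.compile(r"(?<!\\) ")


def parse_rule_line(line):
    """Turn one rule line into a dict of its fields, unescaping '\\ '."""
    fields = {}
    for token in FIELD_SPLIT_RE.split(line.strip()):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % token)
        fields[key] = value.replace("\\ ", " ")
    return fields


def parse_get_output(text):
    """Parse captured 'fw samp get' output; lines that are not rules (for
    example 'no corresponding SAM policy requests') are skipped."""
    return [parse_rule_line(line) for line in text.splitlines()
            if line.startswith("operation=")]


def match_rules(rules, key, values, negate=False):
    """Select rules the way 'fw samp get -k <key> -t in -v <value>... [-n]'
    does: a rule matches when its <key> field is one of <values>; -n
    (negate=True) returns the rules that do not match instead."""
    return [rule for rule in rules if (rule.get(key) in values) != negate]


def build_del_batch(uids, flush_timeout=2):
    """Build the text fed to 'fw samp batch <<EOF': one 'del' line per
    rule UID (angle brackets, no quotes, as in the batch example), then the
    short-lived flush-only rule from the 'fw sam_policy del' procedure, so
    the Security Gateway stops enforcing the deleted rules at once rather
    than at the next policy load."""
    lines = ["del <%s>" % uid.strip("'<>") for uid in uids]
    lines.append("add -t %d quota flush true" % flush_timeout)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_get_output(SAMPLE_GET_OUTPUT)
    # Same selection as: fw samp get -k 'source' -t in -v 'cc:QQ'
    from_qq = match_rules(rules, "source", {"cc:QQ"})
    # Rules with no expiry are the ones the Best Practice asks you to review.
    indefinite = match_rules(rules, "timeout", {"indefinite"})
    print(build_del_batch([r["uid"] for r in from_qq]), end="")
    print("indefinite rules:", [r["uid"] for r in indefinite])
```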

fw showuptables
Description
Shows the formatted contents of the Unified Policy kernel tables.

Syntax

fw [-d] showuptables [-h] [-i]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-h
    Shows the built-in usage.

-i
    Shows the implied rules layers.

fw stat
Description
Shows the following information about the policy on the Security Gateway:
- Name of the installed policy.
- Date of the last policy installation.
- Names of the interfaces protected by the installed policy, and in which direction the policy protects them.

Important - This command is outdated and exists only for backward compatibility with
very old versions. Use the "cpstat -f policy fw" command instead (see
"cpstat" on page 220).

Syntax

fw [-d] stat [-l | -s] [<Name of Object>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

No Parameters
    Shows default output - all information is on one line.

-l
    Shows long output.
    Shows each interface and its protected traffic direction on a separate line.
    In addition, shows this information:
    - Total - Number of packets the Security Gateway received on this interface
    - Reject - Number of packets the Security Gateway rejected on this interface
    - Drop - Number of packets the Security Gateway dropped on this interface
    - Accept - Number of packets the Security Gateway accepted on this interface
    - Log - Whether Security Gateway sends its logs from this interface (0 - no, 1 - yes)

-s
    Shows short output.
    Shows each interface and its protected traffic direction on a separate line.

<Name of Object>
    Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server.
    This requires the established SIC with that Check Point computer.

Example 1 - Default output

[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost MyGW_Policy 10Sep2018 14:01:25 : [>eth0] [<eth0] [>eth1]
[Expert@MyGW:0]#

Example 2 - Short output

[Expert@MyGW:0]# fw stat -s
HOST IF POLICY DATE
localhost >eth0 MyGW_Policy 10Sep2018 14:01:25 :
localhost <eth0 MyGW_Policy 10Sep2018 14:01:25 :
localhost >eth1 MyGW_Policy 10Sep2018 14:01:25 :
[Expert@MyGW:0]#

Example 3 - Long output

[Expert@MyGW:0]# fw stat -l
HOST IF POLICY DATE TOTAL REJECT DROP ACCEPT LOG
localhost >eth0 MyGW_Policy 10Sep2018 14:01:25 : 14377 0 316 14061 1
localhost <eth0 MyGW_Policy 10Sep2018 14:01:25 : 60996 0 0 60996 0
localhost >eth1 MyGW_Policy 10Sep2018 14:01:25 : 304 0 304 0 0
[Expert@MyGW:0]#

Example 4 - Long output from the Management Server

[Expert@MGMY:0]# fw stat -l MyGW


HOST IF POLICY DATE TOTAL REJECT DROP ACCEPT LOG
MyGW >eth0 MyGW_Policy 12Sep2018 16:34:56 : 120113 0 0 120113 0
MyGW <eth0 MyGW_Policy 12Sep2018 16:34:56 : 10807 0 0 10807 0
MyGW >eth2 MyGW_Policy 12Sep2018 16:34:56 : 3 0 0 3 0
MyGW <eth2 MyGW_Policy 12Sep2018 16:34:56 : 3 0 0 3 0
[Expert@MGMT:0]#

fw tab
Description
Shows data from the specified Security Gateway kernel tables.
This command also lets you change the content of dynamic kernel tables. You cannot change the content
of static kernel tables.
Kernel tables (also known as State tables) store data that the Firewall and other Software Blades use to
inspect packets. These kernel tables are a critical component of Stateful Inspection.

Best Practices:
- Use the "fw tab -t connections -f" command to see the detailed (and more technical) information about the current connections in the Connections kernel table (ID 8158).
- Use the "fw ctl conntab" on page 274 command to see the simplified information about the current connections in the Connections kernel table (ID 8158).

Syntax

fw [-d] tab {-h | -help}

fw [-d] tab [-v] [-t <Table>] [-c | -s] [-f] [-o <Output File>] [-r] [-u | -m <Limit>] [-a -e "<Entry>"] [-x [-e "<Entry>"]] [-y] [<Name of Object>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-t <Table>
    Specifies the kernel table by its name or unique ID.
    To see the names and IDs of the available kernel tables, run:
    fw tab -s
    Because the output of this command is very long, we recommend that you redirect it to a file. For example:
    fw tab -s > /tmp/output.txt

-a -e "<Entry>"
    Adds the specified entry to the specified kernel table.
    If a kernel table has the expire attribute, when you add an entry with the "-a -e <Entry>" parameter, the new entry gets the default table timeout.
    You can use this parameter only on the local Security Gateway.
    Warning - If you add a wrong entry, you can make your Security Gateway unresponsive.

-c
    Shows formatted kernel table data in the common format. This is the default.

-e "<Entry>"
    Specifies the entry in the kernel table.
    Important - Each kernel table has its own internal format.

-f
    Shows formatted kernel table data. For example, shows:
    - All IP addresses and port numbers in the decimal format.
    - All dates and times in human readable format.
    Note - Each table can use a different style.
    Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.

-o <Output File>
    Saves the output in the specified file in the CL format as a Check Point Firewall log.
    You can later open this file with the "fw log" on page 305 command.
    If you do not specify the full path explicitly, this command saves the output file in the current working directory.

-m <Limit>
    Specifies the maximal number of kernel table entries to show.
    This command counts the entries from the beginning of the kernel table.

-r
    Resolves IP addresses in the formatted output.

-s
    Shows a short summary of the kernel table data.

-u
    Specifies to show an unlimited number of kernel table entries.
    Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.

-v
    Shows the CoreXL Firewall instance number as a prefix for each line.

-x [-e "<Entry>"]
    Deletes all entries or the specified entry from the specified kernel table.
    You can use this parameter only on the local Security Gateway.
    Warning - If you delete a wrong entry, you can break the current connections through your Security Gateway. This includes the remote SSH connection.

-y
    Specifies not to show a prompt before Security Gateway executes a command.
    For example, this applies to the parameters "-a" and "-x".

<Name of Object>
    Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server.
    This requires the established SIC with that Check Point computer.
    If you do not use this parameter, the default is localhost.

Example 1 - Show the summary of all kernel tables

[Expert@MyGW:0]# fw tab -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost vsx_firewalled 0 1 1 0
localhost firewalled_list 1 2 2 0
localhost external_firewalled_list 2 0 0 0
localhost management_list 3 2 2 0
localhost external_management_list 4 0 0 0
localhost log_server_list 5 0 0 0
localhost ips1_sensors_list 6 0 0 0
localhost all_tcp_services 7 141 141 0
localhost tcp_services 8 1 1 0
... ...
localhost connections 8158 2 56 2
... ...
localhost up_251_rule_to_clob_uuid 14083 0 0 0
... ...
localhost urlf_cache_tbl 29 0 0 0
localhost proxy_outbound_conn_tbl 30 0 0 0
localhost dns_cache_tbl 31 0 0 0
localhost appi_referrer_table 32 0 0 0
localhost uc_hits_htab 33 0 0 0
localhost uc_cache_htab 34 0 0 0
localhost uc_incident_to_instance_htab 35 0 0 0
localhost fwx_cntl_dyn_ghtab 36 0 0 0
localhost frag_table 37 0 0 0
localhost dos_blacklist_notifs 38 0 0 0
[Expert@MyGW:0]#

Example 2 - Show the raw data from the Connections table

[Expert@MyGW:0]# fw tab -t connections


localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24
25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
1996/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28,
00000016, 00000006> (00000805)
<00000000, c0a8cc01, 0000c9f6, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9679de, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edaa98, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3597/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000c9f6, 00000006> -> <00000000, c0a8cc01, 0000c9f6, c0a8cc28,
00000016, 00000006> (00000805)
[Expert@MyGW:0]#

Example 3 - Show the formatted data from the Connections table

[Expert@MyGW:0]# fw tab -t connections -f


Using cptfmt
Formatting table's data - this might take a while...

localhost:
Date: Sep 10, 2018
20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_Name: connections; : (+);
Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30
31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime: 10Sep2018 20:30:48;
ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 55411; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout:
335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: 0000780000000000; Expires: 2/40;
LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 53901; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2;
Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires:
2002/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 22; Dest: 192.168.204.1; DPort: 53901; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1:
192.168.204.1; SPort_1: 53901; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053;
LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 51702; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2;
Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires:
3600/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 22; Dest: 192.168.204.1; DPort: 51702; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1:
192.168.204.1; SPort_1: 51702; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053;
LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 53; Dest: 192.168.204.40; DPort: 55411; Protocol: udp; CPTFMT_sep_1: ->; Direction_2: 1; Source_2:
192.168.204.40; SPort_2: 55411; Dest_2: 192.168.204.1; DPort_2: 53; Protocol_2: udp; FW_symval: 2054;
LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
[Expert@MyGW:0]#
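The raw entries in Example 2 are the same connections that Example 3 shows decoded. As an added Python example that is not Check Point code, this decoder converts the raw key tuple of each entry (direction, source, source port, destination, destination port, IP protocol, all hexadecimal) into dotted addresses, decimal ports and protocol names the way the "-f" output presents them, keeps the trailing expiry counter, and handles the "[fw_N]" CoreXL prefix that "-v" adds. The sample table text is constructed from the entries above, with each entry on one line and the data word list shortened; the function names are the example's own.

```python
import re
import socket

# IP protocol numbers that appear as the sixth word of a connection key.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample of "fw tab -t connections" output: the entries from
# Example 2 on single lines with the data words shortened, plus one entry
# in the "-v" form with its CoreXL instance prefix. Not live output.
SAMPLE_TAB_OUTPUT = """\
localhost:
-------- connections --------
dynamic, id 8158, num ents 3, load factor 0.0, attributes: keep, sync, aggressive aging, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1, 00000000, 5b9687cd; 1996/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006> (00000805)
[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006> -> <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> (00000805)
...(4 More)
"""

INSTANCE_RE = re.compile(r"^\[(fw_\d+)\]\s*")
LINK_RE = re.compile(r"^<([^;>]*)>\s*->\s*<([^;>]*)>\s*\(([0-9a-fA-F]+)\)$")
DATA_RE = re.compile(r"^<([^;>]*);(.*);\s*(\d+)/(\d+)>$")


def hex_to_ipv4(word):
    """'c0a8cc01' -> '192.168.204.1'; the table prints IPv4 addresses as
    eight hex digits in network byte order."""
    return socket.inet_ntoa(bytes.fromhex(word))


def decode_key(key_text):
    """Decode the six-word key 'dir, src, sport, dst, dport, proto' (the
    fields that 'fw tab -f' prints as Direction/Source/SPort/Dest/DPort/Protocol)."""
    words = [w.strip() for w in key_text.split(",")]
    if len(words) != 6:
        raise ValueError("expected a 6-word key, got: %r" % key_text)
    proto = int(words[5], 16)
    return {
        "direction": int(words[0], 16),
        "src": hex_to_ipv4(words[1]),
        "sport": int(words[2], 16),
        "dst": hex_to_ipv4(words[3]),
        "dport": int(words[4], 16),
        "proto": PROTO_NAMES.get(proto, str(proto)),
    }


def decode_entry(line):
    """Decode one raw entry. A data entry carries the connection record and
    the 'remaining/timeout' counter that -f shows as 'Expires: N/M'; a link
    entry ('<key> -> <key> (flags)') points the reply direction at the data
    entry that owns the connection."""
    m = LINK_RE.match(line)
    if m:
        return {"kind": "link", "key": decode_key(m.group(1)),
                "owner": decode_key(m.group(2)), "flags": int(m.group(3), 16)}
    m = DATA_RE.match(line)
    if m:
        data = [int(w.strip(), 16) for w in m.group(2).split(",")]
        return {"kind": "data", "key": decode_key(m.group(1)), "data": data,
                "expires": int(m.group(3)), "timeout": int(m.group(4))}
    raise ValueError("unrecognised entry: %r" % line)


def decode_table(text):
    """Decode every entry in captured 'fw tab -t connections' output,
    skipping the header lines and the '...(N More)' marker printed by -m."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        instance = None
        m = INSTANCE_RE.match(line)
        if m:  # "-v" prefixes each line with the CoreXL Firewall instance
            instance = m.group(1)
            line = line[m.end():]
        if not line.startswith("<"):
            continue
        entry = decode_entry(line)
        entry["instance"] = instance
        entries.append(entry)
    return entries


def describe(entry):
    """One-line human-readable form of a decoded entry."""
    k = entry["key"]
    text = "%s %s:%d -> %s:%d dir=%d" % (
        k["proto"], k["src"], k["sport"], k["dst"], k["dport"], k["direction"])
    if entry["kind"] == "data":
        return text + " expires %d/%d" % (entry["expires"], entry["timeout"])
    o = entry["owner"]
    return text + " (link to %s:%d -> %s:%d)" % (o["src"], o["sport"], o["dst"], o["dport"])


if __name__ == "__main__":
    for e in decode_table(SAMPLE_TAB_OUTPUT):
        prefix = "[%s] " % e["instance"] if e["instance"] else ""
        print(prefix + describe(e))
```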

Example 4 - Show only two entries from the Connections table

[Expert@MyGW:0]# fw tab -t connections -m 2


localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24
25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
1961/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28,
00000016, 00000006> (00000805)
...(4 More)
[Expert@MyGW:0]#

Example 5 - Show the raw data from the Connections table and show the IDs of CoreXL Firewall instances
for each entry

[Expert@MyGW:0]# fw tab -t 8158 -v


localhost:
-------- connections --------
dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24
25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
[fw_0] <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> -> <00000000, c0a803f0, 00008652,
c0a80335, 00004710, 00000006> (00000805)
[fw_0] <00000001, c0a80335, 00008adf, c0a803f0, 0000470f, 00000006; 0002d001, 00046000, 10000000, 0000000e,
00000000, 5b9a4129, 00030000, 3503a8c0, c0000000, ffffffff, ffffffff, 00000001, 00000001, 00000800,
00000000, 80008080, 00000000, 00000000, 338ea330, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3162/3600>
[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f,
00000000, 5b8fed6a, 00030001, 3503a8c0, c0000000, 00000001, 00000001, ffffffff, ffffffff, 00000800,
08000000, 00000080, 00000000, 00000000, 337b0978, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3599/3600>
[fw_0] <00000000, c0a803f0, 0000470f, c0a80335, 00008adf, 00000006> -> <00000001, c0a80335, 00008adf,
c0a803f0, 0000470f, 00000006> (00000806)
[fw_0] <00000001, c0a80334, 00004710, c0a803f0, 0000a659, 00000006> -> <00000000, c0a803f0, 0000a659,
c0a80334, 00004710, 00000006> (00000805)
[fw_0] <00000000, c0a803f0, 0000a659, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 0000000f,
00000000, 5b8feabb, 0000007a, 3403a8c0, c0000000, ffffffff, ffffffff, ffffffff, ffffffff, 00000000,
10000000, 04000080, 00000000, 00000000, 3364aed0, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3484/3600>
[fw_1] <00000001, c0a80334, 00004710, c0a803f0, 0000bc74, 00000006> -> <00000000, c0a803f0, 0000bc74,
c0a80334, 00004710, 00000006> (00000805)
[fw_1] <00000001, c0a80335, 00000016, ac14a810, 0000e056, 00000006> -> <00000000, ac14a810, 0000e056,
c0a80335, 00000016, 00000006> (00000805)
[fw_1] <00000000, ac14a810, 0000e056, c0a80335, 00000016, 00000006; 0001c001, 00044000, 00000003, 000001df,
00000000, 5b9a3832, 00030000, 3503a8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 00000800,
08000000, 00000080, 00000000, 00000000, 33410370, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3600/3600>
[fw_1] <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 0000000f,
00000000, 5b8fe89b, 00000001, 3403a8c0, c0000001, ffffffff, ffffffff, ffffffff, ffffffff, 00000000,
10000000, 04000080, 00000000, 00000000, 335841e0, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3600/3600>
[fw_2] <00000000, c0a803f0, 0000ab74, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f,
00000000, 5b8fed7e, 00030000, 3503a8c0, c0000002, 00000001, 00000001, ffffffff, ffffffff, 00000800,
08000000, 00000080, 00000000, 00000000, 33337660, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3556/3600>
[fw_2] <00000001, c0a80335, 00004710, c0a803f0, 0000ab74, 00000006> -> <00000000, c0a803f0, 0000ab74,
c0a80335, 00004710, 00000006> (00000805)
[fw_2] <00000001, c0a80335, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4,
c0a80335, 00001fb4, 00000011> (00000805)
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000, 00000003, 00000028,
00000000, 5b8fed76, 00030000, 3503a8c0, c0000002, 00000001, ffffffff, ffffffff, ffffffff, 00000800,
08000000, 00000084, 00000000, 00000000, 336d4e30, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 38/40>
[fw_2] <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011; 00010001, 00004100, 00000003, 00000028,
00000000, 5b8fed72, 0000025f, 3403a8c0, c0000002, ffffffff, ffffffff, ffffffff, ffffffff, 00000000,
10000000, 04000084, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 39/40>
[fw_2] <00000001, c0a80334, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4,
c0a80334, 00001fb4, 00000011> (00000805)
Table fetched in 3 chunks
[Expert@MyGW:0]#
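The raw rows in Examples 4 and 5 encode the same 5-tuples that the -f output earlier in this section prints as Source/SPort/Dest/DPort: the key <direction, src, sport, dst, dport, proto> is six 32-bit hex words, so c0a8cc01 is 192.168.204.1, 0000d28d is port 53901 and 00000006 is TCP. The Python script below is an added example, not Check Point code, that decodes raw rows into readable form for the common case where a table was captured without -f. It assumes only the row layout visible in the examples above (a full entry ending in <seconds left>/<timeout>, or a link entry of the form "<key> -> <key> (flags)"), and it does not interpret the internal value words after the first semicolon. The sample text is copied from Example 5, including the line wrapping the PDF introduced, which the script re-joins.

```python
import ipaddress
import re
from typing import Dict, Iterator, List

# Added example, not Check Point code. Decodes raw rows of the Connections table
# as printed by "fw tab -t connections" (with or without -v). Assumed row layout,
# taken from the examples in this section:
#   [fw_N] <direction, src, sport, dst, dport, proto; <values>; <left>/<timeout>>  full entry
#   [fw_N] <direction, src, sport, dst, dport, proto> -> <key> (flags)            link entry
# The "[fw_N]" prefix only appears with -v. The value words after the first ";"
# are internal to the Firewall kernel and are not decoded here.

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

_HEX_KEY = r"[0-9a-f]{8}(?:, [0-9a-f]{8}){5}"
_ENTRY_RE = re.compile(
    r"^(?:\[(?P<inst>fw_\d+)\] )?"
    r"<(?P<key>" + _HEX_KEY + r")"
    r"(?:; (?P<vals>.*?); (?P<left>\d+)/(?P<total>\d+))?>"
    r"(?: -> <(?P<target>" + _HEX_KEY + r")> \((?P<flags>[0-9a-f]+)\))?$"
)


def _join_wrapped(text: str) -> Iterator[str]:
    """Yield one whitespace-normalized string per row, re-joining rows wrapped by a terminal or PDF."""
    lines = [ln.strip() for ln in text.splitlines()]
    buf = ""
    for i, ln in enumerate(lines):
        if not buf:
            if not (ln.startswith("<") or ln.startswith("[fw_")):
                continue  # table header, "Table fetched in N chunks", "...(N More)"
            buf = ln
        else:
            buf += " " + ln
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if buf.endswith(")") or (buf.endswith(">") and not nxt.startswith("->")):
            yield " ".join(buf.split())
            buf = ""


def _key_tuple(key: str) -> Dict:
    direction, src, sport, dst, dport, proto = (int(w, 16) for w in key.split(", "))
    return {
        "direction": direction,  # same value as the Direction field of the -f output
        "src": str(ipaddress.IPv4Address(src)),
        "sport": sport,
        "dst": str(ipaddress.IPv4Address(dst)),
        "dport": dport,
        "proto": PROTO_NAMES.get(proto, str(proto)),
    }


def parse_connections(text: str) -> List[Dict]:
    entries = []
    for row in _join_wrapped(text):
        m = _ENTRY_RE.match(row)
        if not m:
            continue  # a row in a layout this parser does not understand
        entry = {"instance": m.group("inst"), **_key_tuple(m.group("key"))}
        if m.group("target"):
            entry["kind"] = "link"
            entry["target"] = _key_tuple(m.group("target"))
            entry["flags"] = int(m.group("flags"), 16)
        else:
            entry["kind"] = "full"
            entry["ttl"] = (int(m.group("left")), int(m.group("total"))) if m.group("left") else None
        entries.append(entry)
    return entries


def describe(entry: Dict) -> str:
    five = "{proto} {src}:{sport} -> {dst}:{dport}".format(**entry)
    inst = entry["instance"] or "-"
    if entry["kind"] == "link":
        return f"{inst} link  {five} (dir {entry['direction']}) flags 0x{entry['flags']:x}"
    left, total = entry["ttl"] or (0, 0)
    return f"{inst} conn  {five} (dir {entry['direction']}) {left}/{total}s"


def count_by_instance(entries: List[Dict]) -> Dict[str, int]:
    """Full entries per CoreXL instance, to see how connections are spread over the instances."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e["kind"] == "full":
            inst = e["instance"] or "-"
            counts[inst] = counts.get(inst, 0) + 1
    return counts


# Three rows copied from Example 5 above, with the PDF line wrapping left in place.
SAMPLE = """\
localhost:
-------- connections --------
dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24
25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
[fw_0] <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> -> <00000000, c0a803f0, 00008652,
c0a80335, 00004710, 00000006> (00000805)
[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f,
00000000, 5b8fed6a, 00030001, 3503a8c0, c0000000, 00000001, 00000001, ffffffff, ffffffff, 00000800,
08000000, 00000080, 00000000, 00000000, 337b0978, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3599/3600>
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000, 00000003, 00000028,
00000000, 5b8fed76, 00030000, 3503a8c0, c0000002, 00000001, ffffffff, ffffffff, ffffffff, 00000800,
08000000, 00000084, 00000000, 00000000, 336d4e30, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 38/40>
Table fetched in 3 chunks
"""

if __name__ == "__main__":
    import sys
    # Usage on the gateway: fw tab -t connections -v | python3 fwtab_decode.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for e in parse_connections(text):
        print(describe(e))
```

Run without input it decodes the sample and prints, for the second row, "fw_0 conn  TCP 192.168.3.240:34386 -> 192.168.3.53:18192 (dir 0) 3599/3600s"; port 18192 is the one the CoreXL instance is talking to in Example 5. The link rows carry no timeout of their own; they point at the full entry for the reverse direction.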

fw unloadlocal
Description
Uninstalls all policies from the Security Gateway or Cluster Member.

Warning

1. The "fw unloadlocal" command prevents all traffic from passing through the Security
   Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the
   Security Gateway (Cluster Member). Connections to the Security Gateway itself (for example, SSH
   to the address of one of its interfaces) continue to work; connections routed through it do not.
2. The "fw unloadlocal" command removes all policies from the Security Gateway (Cluster
   Member). This means that the Security Gateway (Cluster Member) accepts all incoming
   connections destined to all active interfaces without any filtering or protection enabled.
   Keep the time without a policy as short as possible, and load a policy again before you end
   the session.

Notes
- If it is necessary to remove the current policy, but keep the Security Gateway (Cluster Member)
  protected, then run the "comp_init_policy" on page 183 command on the Security Gateway (Cluster
  Member) instead.
- To load the policies on the Security Gateway (Cluster Member) again, run one of these commands on the
  Security Gateway (Cluster Member), or reboot:
  - "fw fetch" on page 296
  - "cpstart" on page 219

Syntax

fw [-d] unloadlocal

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file, or use the
             script command to save the entire CLI session.

Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name: My_Policy
Policy install time: Tue Oct 23 18:23:14 2018
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw unloadlocal

Uninstalling Security Policy from all.all@MyGW


Done.
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw fetch localhost


Installing Security Policy My_Policy on all.all@MyGW
Fetching Security Policy from localhost succeeded
[Expert@MyGW:0]#
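The sequence shown above (check the policy, unload, check again, fetch the policy back) is easy to get wrong on a remote gateway: between "fw unloadlocal" and "fw fetch localhost" the gateway neither filters nor forwards, and an interrupted session can leave it in that state. The Python script below is an added example, not Check Point code, that wraps the same commands with a bounded hold time and reloads the policy in a finally block, so that an interrupted run still ends with a policy installed. It parses the "cpstat -f policy fw" and "sysctl -a" output shown above to verify the state before and after, and refuses to unload when no policy is loaded. FakeGateway is a constructed stand-in that replays the guide's outputs for a dry run; the command names and output formats are assumed to be exactly as shown in this section.

```python
import re
import subprocess
import sys
import time
from typing import Callable, Dict, List, Optional

# Added example, not Check Point code. Assumes an Expert-mode shell where
# cpstat, sysctl and fw are on PATH and print the output shown in this section.

Runner = Callable[[List[str]], str]


def run_cmd(argv: List[str]) -> str:
    """Run a command on the Security Gateway and return its standard output."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def policy_name(cpstat_output: str) -> Optional[str]:
    """Installed policy name from 'cpstat -f policy fw'; None when the field is empty (policy unloaded)."""
    m = re.search(r"^Policy name:[ \t]*(.*)$", cpstat_output, re.MULTILINE)
    name = m.group(1).strip() if m else ""
    return name or None


def ipv4_forwarding(sysctl_output: str) -> bool:
    """True when net.ipv4.conf.all.forwarding = 1 in 'sysctl -a' output."""
    m = re.search(r"^net\.ipv4\.conf\.all\.forwarding\s*=\s*(\d+)", sysctl_output, re.MULTILINE)
    return bool(m) and m.group(1) == "1"


def gateway_state(run: Runner) -> Dict:
    return {
        "policy": policy_name(run(["cpstat", "-f", "policy", "fw"])),
        "forwarding": ipv4_forwarding(run(["sysctl", "-a"])),
    }


def guarded_unload(run: Runner, hold_seconds: int, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Unload the local policy for at most hold_seconds, then fetch it back from localhost.

    Refuses to run when no policy is loaded (the gateway is already unprotected) and reloads in a
    finally block, so that Ctrl-C during the hold still ends with "fw fetch localhost" being run.
    Returns the state before, during and after, so the caller can confirm the gateway is protected.
    """
    before = gateway_state(run)
    if before["policy"] is None:
        raise RuntimeError("no policy loaded; refusing to run fw unloadlocal")
    run(["fw", "unloadlocal"])
    unloaded = gateway_state(run)
    try:
        sleep(hold_seconds)
    finally:
        run(["fw", "fetch", "localhost"])
    after = gateway_state(run)
    if after["policy"] is None:
        raise RuntimeError("policy did not reload; run 'fw fetch' or 'cpstart' now")
    return {"before": before, "unloaded": unloaded, "after": after}


class FakeGateway:
    """Constructed stand-in for run_cmd that replays the outputs shown in this section (dry runs)."""

    def __init__(self) -> None:
        self.loaded = True
        self.calls: List[List[str]] = []

    def __call__(self, argv: List[str]) -> str:
        self.calls.append(list(argv))
        if argv[:2] == ["fw", "unloadlocal"]:
            self.loaded = False
            return "Uninstalling Security Policy from all.all@MyGW\nDone.\n"
        if argv[:2] == ["fw", "fetch"]:
            self.loaded = True
            return "Installing Security Policy My_Policy on all.all@MyGW\nFetching Security Policy from localhost succeeded\n"
        if argv[0] == "cpstat":
            name = "My_Policy" if self.loaded else ""
            return f"Product name: Firewall\nPolicy name: {name}\nPolicy install time:\n"
        if argv[0] == "sysctl":
            v = 1 if self.loaded else 0
            return f"net.ipv4.conf.all.forwarding = {v}\nnet.ipv4.conf.eth0.forwarding = {v}\n"
        raise ValueError(f"unexpected command: {argv}")


if __name__ == "__main__":
    # Usage: python3 guarded_unload.py [HOLD_SECONDS] [--dry-run]
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    hold = int(args[0]) if args else 60
    runner: Runner = FakeGateway() if "--dry-run" in sys.argv else run_cmd
    result = guarded_unload(runner, hold)
    for stage, state in result.items():
        print(f"{stage:9s} policy={state['policy']} ipv4_forwarding={state['forwarding']}")
```

The hold is the window in which you do whatever required the policy to be off; the script does not itself do that work. If you need the policy removed for longer, comp_init_policy (see the Notes above) keeps the gateway protected in the meantime, which this wrapper deliberately does not attempt to replace.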

fw up_execute
Description
Executes the offline Unified Policy.

Important -
This command only supports:
- Source IP address, Destination IP address, and objects that contain an IP address
- Simple services objects (based on destination port, source port, and protocol)
- Protocol detection
- Application detection
This command does not support:
- Implied rules
- All other objects (Security Zone, Access Roles, Domain Objects, Updatable Objects, Dynamic
  Objects, Other/DCERPC service, Content Awareness, VPN, Resource, Mobile Access application,
  Time Objects, and so on)
The result therefore reflects only the supported criteria above, not every condition that live
traffic is matched against. Confirm a result that depends on unsupported objects against the logs of
the installed policy.

Syntax

fw [-d] up_execute ipp=<IANA Protocol Number>
      [src=<Source IP>] [dst=<Destination IP>]
      [sport=<Source Port>] [dport=<Destination Port>]
      [protocol=<Protocol Detection Name>]
      [application=<Application/Category Name 1> [application=<Application/Category Name 2> ...]]

Parameters

Parameter                                Description

No Parameters                            Shows the built-in usage.

-d                                       Runs the command in debug mode.
                                         Use only if you troubleshoot the command itself.
                                         Best Practice - If you use this parameter, then redirect the output to a
                                         file, or use the script command to save the entire CLI session.

ipp=<IANA Protocol Number>               IANA Protocol Number.
                                         Important - This parameter is always mandatory.
                                         For example:
                                         - TCP = 6
                                         - UDP = 17
                                         - ICMP = 1
                                         See IANA Protocol Numbers.
                                         Note - The guide describes the format as hexadecimal, but the values
                                         listed here and used in the examples below are decimal (UDP is 17 in
                                         decimal and 0x11 in hexadecimal). The two notations differ only for
                                         protocol numbers above 9, so verify such a value with a flow whose
                                         expected result you already know.

src=<Source IP>                          Source IP address.

dst=<Destination IP>                     Destination IP address.

sport=<Source Port>                      Source Port number in the Decimal format.
                                         See IANA Service Name and Port Number Registry.

dport=<Destination Port>                 Destination Port number in the Decimal format.
                                         Important - This parameter is mandatory for the TCP (6) and UDP (17)
                                         protocols.
                                         See IANA Service Name and Port Number Registry.

protocol=<Protocol Detection Name>       Protocol detection name. For example:
                                         - TCP
                                         - UDP
                                         - ICMP
                                         - HTTP

application=<Application/Category Name>  Name of the Application/Category as defined in SmartConsole.
                                         You can specify this parameter multiple times to test several
                                         applications.

Example 1

[Expert@MyGW:0]# fw up_execute src=126.200.49.240 dst=10.1.1.1 ipp=1

Rulebase execution ended successfully.


Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215

[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# fw up_execute src=10.1.1.1 ipp=6 dport=8080 protocol=HTTP application=Facebook


application=Opera

Rulebase execution ended successfully.


Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215

[Expert@MyGW:0]#
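Because fw up_execute evaluates a flow against the installed policy offline, it lends itself to a regression check after a policy install: a list of flows with their expected actions, each run through the command and compared with the "Overall status" block. The Python script below is an added example, not Check Point code. It builds the command line from the parameters documented above (refusing TCP and UDP flows without dport, which the command requires), parses the "Overall status" and "Per Layer" blocks in the layout shown in Examples 1 and 2, and reports mismatches. Only SAMPLE_ACCEPT is the guide's own output (Example 1); the Drop output, the replay function and the second flow in CASES are constructed for illustration.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

# Added example, not Check Point code. Assumes the fw up_execute parameters and
# output layout documented in this section.

# Output of Example 1 above.
SAMPLE_ACCEPT = """\
Rulebase execution ended successfully.

Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215
"""

# Constructed for this example (not output captured from a gateway).
SAMPLE_DROP = SAMPLE_ACCEPT.replace("Accept", "Drop").replace("Matched rule: 2", "Matched rule: 7")


def build_command(flow: Dict) -> List[str]:
    """Build the fw up_execute command line; enforces the mandatory parameters from the table above."""
    if "ipp" not in flow:
        raise ValueError("ipp is always mandatory")
    if flow["ipp"] in (6, 17) and "dport" not in flow:
        raise ValueError("dport is mandatory for TCP (6) and UDP (17)")
    argv = ["fw", "up_execute", f"ipp={flow['ipp']}"]
    for key in ("src", "dst", "sport", "dport", "protocol"):
        if key in flow:
            argv.append(f"{key}={flow[key]}")
    for app in flow.get("applications", []):
        argv.append(f"application={app}")
    return argv


def parse_up_execute(output: str) -> Dict:
    """Extract the overall match status/action and the per-layer results."""
    overall: Dict[str, str] = {}
    layers: List[Dict[str, str]] = []
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Overall status"):
            section = "overall"
            continue
        if line.startswith("Per Layer"):
            section = "layers"
            continue
        if ":" not in line or line.startswith("-"):
            continue  # banner, separator rules
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if section == "overall":
            overall[key] = value
        elif section == "layers":
            if key == "Layer name":
                layers.append({key: value})  # a new layer block starts
            elif layers:
                layers[-1][key] = value
    return {
        "status": overall.get("Match status"),
        "action": overall.get("Match action"),
        "layers": [
            {
                "name": lyr["Layer name"],
                "action": lyr.get("Match action"),
                "rule": int(lyr["Matched rule"]) if lyr.get("Matched rule", "").isdigit() else None,
            }
            for lyr in layers
        ],
    }


def run_on_gateway(argv: List[str]) -> str:
    """Run the command in the Expert shell of the Security Gateway and return its output."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def replay(argv: List[str]) -> str:
    """Constructed stand-in for run_on_gateway that replays the two sample outputs."""
    return SAMPLE_DROP if "dport=23" in argv else SAMPLE_ACCEPT


CASES: List[Tuple[Dict, str]] = [
    # Flow and expected action taken from Example 1 above.
    ({"ipp": 1, "src": "126.200.49.240", "dst": "10.1.1.1"}, "Accept"),
    # Constructed flow: a telnet attempt that the policy under test is expected to drop.
    ({"ipp": 6, "src": "10.1.1.1", "dst": "10.1.1.2", "dport": 23}, "Drop"),
]


def check_expectations(cases: List[Tuple[Dict, str]], run: Callable[[List[str]], str]) -> List[Tuple[Dict, str, str]]:
    """Return (flow, expected, actual) for every case whose action differs from the expectation."""
    failures = []
    for flow, expected in cases:
        got = parse_up_execute(run(build_command(flow)))
        if got["status"] != "MATCH" or got["action"] != expected:
            failures.append((flow, expected, got["action"]))
    return failures


if __name__ == "__main__":
    import sys
    # Usage on the gateway: python3 policy_check.py    (add --dry-run to replay the samples)
    run = replay if "--dry-run" in sys.argv else run_on_gateway
    for flow, expected, got in check_expectations(CASES, run):
        print(f"MISMATCH {build_command(flow)[2:]}: expected {expected}, got {got}")
```

Keep the flows in CASES to what the command supports (addresses, ports, protocol and application names); a case that relies on an Access Role or a Security Zone would report a mismatch that says nothing about the real policy.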

fw ver
Description
Shows this information about the Security Gateway software:
- Major version
- Minor version
- Build number
- Kernel build number

Syntax

fw [-d] ver [-k] [-f <Output File>]

Parameters

Parameter           Description

-d                  Runs the command in debug mode.
                    Use only if you troubleshoot the command itself.
                    Best Practice - If you use this parameter, then redirect the output to a file, or use
                    the script command to save the entire CLI session.

ver                 Shows:
                    - Major version
                    - Minor version
                    - Build number

-k                  Shows:
                    - Major version
                    - Minor version
                    - Build number
                    - Kernel build number

-f <Output File>    Saves the output to the specified file.
                    If you do not specify the full path explicitly, this command saves the output file in
                    the current working directory.

Example 1

[Expert@MyGW:0]# fw ver
This is Check Point's software version R81 - Build 123
[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# fw ver -k
This is Check Point's software version R81 - Build 456
[Expert@MyGW:0]#

fwboot
Description
Configures Check Point boot options.

Important - Most of these commands are for Check Point use only.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot
      bootconf <options>
      corexl <options>
      cpuid <options>
      default <options>
      fwboot_ipv6 <options>
      fwdefault <options>
      ha_conf <options>
      ht <options>
      multik_reg <options>
      post_drv <options>

Parameters

Parameter               Description

bootconf <options>      Shows and configures the security boot options.
                        See "fwboot bootconf" on page 402.

corexl <options>        Configures and monitors the CoreXL.
                        See "fwboot corexl" on page 406.

cpuid <options>         Shows the number of available CPUs and CPU cores on this Security Gateway.
                        See "fwboot cpuid" on page 412.

default <options>       Loads the specified Default Filter policy on this Security Gateway.
                        See "fwboot default" on page 414.

fwboot_ipv6 <options>   Shows the internal memory address of the hook function for the specified CoreXL
                        Firewall instance.
                        See "fwboot fwboot_ipv6" on page 415.

fwdefault <options>     Loads the specified Default Filter policy on this Security Gateway (same as
                        default).
                        See "fwboot fwdefault" on page 416.

ha_conf <options>       Configures the cluster mechanism during boot.
                        See "fwboot ha_conf" on page 417.

ht <options>            Shows and configures the SMT (HyperThreading) feature (sk93000) boot options.
                        See "fwboot ht" on page 418.

multik_reg <options>    Shows the internal memory address of the registration function for the specified
                        CoreXL Firewall instance.
                        See "fwboot multik_reg" on page 420.

post_drv <options>      Loads the Firewall driver for CoreXL during boot.
                        See "fwboot post_drv" on page 422.


fwboot bootconf
Description
Configures boot security options.

Notes:
- You must run this command from the Expert mode.
- The settings are saved in the $FWDIR/boot/boot.conf file.
  Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only
  with this command.
- Refer to these related commands:
  - "fwboot corexl" on page 406
  - "control_bootsec" on page 186

Syntax to show the current boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf


      get_corexl
      get_core_override
      get_def
      get_ipf
      get_ipv6
      get_kernnum
      get_kern6num

Syntax to configure the boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf


      set_corexl {0 | 1}
      set_core_override <number>
      set_def [</path/filename>]
      set_ipf {0 | 1}
      set_ipv6 {0 | 1}
      set_kernnum <number>
      set_kern6num <number>

Parameters

Parameter                     Description

No Parameters                 Shows the built-in help with available parameters.

get_corexl                    Shows if the CoreXL is enabled or disabled:
                              - 0 - disabled
                              - 1 - enabled
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              COREXL_INSTALLED.

get_core_override             Shows the number of overriding CPU cores.
                              The SMT (HyperThreading) feature (sk93000) uses this configuration to set the
                              number of CPU cores after reboot.
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              CORE_OVERRIDE.

get_def                       Shows the configured path and the name of the Default Filter policy file
                              (default is $FWDIR/boot/default.bin).
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              DEFAULT_FILTER_PATH.

get_ipf                       Shows if the IP Forwarding during boot is enabled or disabled:
                              - 0 - disabled (Security Gateway does not forward traffic between its
                                interfaces during boot)
                              - 1 - enabled
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              CTL_IPFORWARDING.

get_ipv6                      Shows if the IPv6 support is enabled or disabled:
                              - 0 - disabled
                              - 1 - enabled
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              IPV6_INSTALLED.

get_kernnum                   Shows the configured number of IPv4 CoreXL Firewall instances.
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              KERN_INSTANCE_NUM.

get_kern6num                  Shows the configured number of IPv6 CoreXL Firewall instances.
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              KERN6_INSTANCE_NUM.

set_corexl {0 | 1}            Enables or disables CoreXL:
                              - 0 - disables
                              - 1 - enables
                              Notes:
                              - In the $FWDIR/boot/boot.conf file, refer to the value of the
                                COREXL_INSTALLED.
                              - To configure CoreXL, use the "cpconfig" on page 201 menu.

set_core_override <number>    Configures the number of overriding CPU cores.
                              The SMT (HyperThreading) feature (sk93000) uses this configuration to set the
                              number of CPU cores after reboot.
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              CORE_OVERRIDE.

set_def [</path/filename>]    Configures the path and the name of the Default Filter policy file (default
                              is $FWDIR/boot/default.bin).
                              Notes:
                              - In the $FWDIR/boot/boot.conf file, refer to the value of the
                                DEFAULT_FILTER_PATH.
                              - If you do not specify the path and the name explicitly, then the value of
                                the DEFAULT_FILTER_PATH is set to 0. As a result, the Security Gateway does
                                not load a Default Filter during boot, and is not protected by it between
                                boot and the loading of a policy.
                              Best Practice - The best location for this file is the $FWDIR/boot/
                              directory.

set_ipf {0 | 1}               Configures the IP forwarding during boot:
                              - 0 - disables (forbids the Security Gateway to forward traffic between its
                                interfaces during boot)
                              - 1 - enables
                              Note - In the $FWDIR/boot/boot.conf file, refer to the value of the
                              CTL_IPFORWARDING.

set_ipv6 {0 | 1}              Enables or disables the IPv6 Support:
                              - 0 - disables
                              - 1 - enables
                              Notes:
                              - In the $FWDIR/boot/boot.conf file, refer to the value of the
                                IPV6_INSTALLED.
                              - Configure the IPv6 Support in Gaia Portal, or Gaia Clish. See the R81 Gaia
                                Administration Guide.

set_kernnum <number>          Configures the number of IPv4 CoreXL Firewall instances.
                              Notes:
                              - In the $FWDIR/boot/boot.conf file, refer to the value of the
                                KERN_INSTANCE_NUM.
                              - To configure CoreXL, use the "cpconfig" on page 201 menu.

set_kern6num <number>         Configures the number of IPv6 CoreXL Firewall instances.
                              Notes:
                              - In the $FWDIR/boot/boot.conf file, refer to the value of the
                                KERN6_INSTANCE_NUM.
                              - To configure CoreXL, use the "cpconfig" on page 201 menu.


fwboot corexl
Description
Configures and monitors the CoreXL.

Note - The settings are saved in the $FWDIR/boot/boot.conf file.

Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually.


Edit the file only with this command.

Syntax to show CoreXL configuration

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl


      core_count
      curr_instance4_count
      curr_instance6_count
      def_instance4_count
      def_instance6_count
      eligible
      installed
      max_instance4_count
      max_instances4_32bit
      max_instances4_64bit
      max_instance6_count
      max_instances_count
      max_instances_32bit
      max_instances_64bit
      min_instance_count
      unsupported_features

Syntax to configure CoreXL

Important:
- The configuration commands are for Check Point use only. To configure CoreXL, use the Check Point
  CoreXL option in the "cpconfig" on page 201 menu.
- After all changes in CoreXL configuration on the Security Gateway, you must reboot it.
- In a Cluster, you must configure all the Cluster Members in the same way.

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl
      def_by_allowed [n]
      default
      [-v] disable
      [-v] enable [n] [-6 k]
      vmalloc_recalculate

Parameters

Note - The query parameters below print nothing; they return their number as the exit code of the
command. Read it with "echo $?" immediately after the command, before you run anything else.

Parameter                  Description

No Parameters              Shows the built-in help with available parameters.

core_count                 Returns the number of CPU cores on this computer.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl core_count
                           [Expert@MyGW:0]# echo $?
                           4
                           [Expert@MyGW:0]#
                           [Expert@MyGW:0]# cat /proc/cpuinfo | grep processor
                           processor : 0
                           processor : 1
                           processor : 2
                           processor : 3
                           [Expert@MyGW:0]#

curr_instance4_count       Returns the current configured number of IPv4 CoreXL Firewall instances.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance4_count
                           [Expert@MyGW:0]# echo $?
                           3
                           [Expert@MyGW:0]#
                           [Expert@MyGW:0]# fw ctl multik stat
                           ID | Active | CPU | Connections | Peak
                           ----------------------------------------------
                           0 | Yes | 3 | 11 | 18
                           1 | Yes | 2 | 12 | 18
                           2 | Yes | 1 | 13 | 18
                           [Expert@MyGW:0]#

curr_instance6_count       Returns the current configured number of IPv6 CoreXL Firewall instances.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance6_count
                           [Expert@MyGW:0]# echo $?
                           2
                           [Expert@MyGW:0]#
                           [Expert@MyGW:0]# fw6 ctl multik stat
                           ID | Active | CPU | Connections | Peak
                           ----------------------------------------------
                           0 | Yes | 3 | 11 | 18
                           1 | Yes | 2 | 12 | 18
                           [Expert@MyGW:0]#

def_by_allowed [n]         Sets the default configuration for CoreXL according to the specified allowed
                           number of CPU cores.

default                    Sets the default configuration for CoreXL.

def_instance4_count        Returns the default number of IPv4 CoreXL Firewall instances for this Security
                           Gateway.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance4_count
                           [Expert@MyGW:0]# echo $?
                           3
                           [Expert@MyGW:0]#

def_instance6_count        Returns the default number of IPv6 CoreXL Firewall instances for this Security
                           Gateway.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance6_count
                           [Expert@MyGW:0]# echo $?
                           2
                           [Expert@MyGW:0]#

[-v] disable               Disables CoreXL.
                           - -v - Leaves the high memory (vmalloc) unchanged.
                           See the "cp_conf corexl" on page 193 command.

eligible                   Returns whether CoreXL can be enabled on this Security Gateway:
                           - 0 - CoreXL cannot be enabled
                           - 1 - CoreXL can be enabled
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl eligible
                           [Expert@MyGW:0]# echo $?
                           1
                           [Expert@MyGW:0]#

[-v] enable [n] [-6 k]     Enables CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6
                           Firewall instances.
                           - -v - Leaves the high memory (vmalloc) unchanged.
                           - n - Denotes the number of IPv4 CoreXL Firewall instances.
                           - k - Denotes the number of IPv6 CoreXL Firewall instances.
                           See the "cp_conf corexl" on page 193 command.

installed                  Returns whether CoreXL is installed (enabled) on this Security Gateway:
                           - 0 - CoreXL is not enabled
                           - 1 - CoreXL is enabled
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl installed
                           [Expert@MyGW:0]# echo $?
                           1
                           [Expert@MyGW:0]#

max_instance4_count        Returns the maximal allowed number of IPv4 CoreXL Firewall instances for this
                           Security Gateway.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance4_count
                           [Expert@MyGW:0]# echo $?
                           4
                           [Expert@MyGW:0]#

max_instances4_32bit       Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a
                           Security Gateway that runs Gaia with 32-bit kernel.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_32bit
                           [Expert@MyGW:0]# echo $?
                           14
                           [Expert@MyGW:0]#

max_instances4_64bit       Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a
                           Security Gateway that runs Gaia with 64-bit kernel.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_64bit
                           [Expert@MyGW:0]# echo $?
                           38
                           [Expert@MyGW:0]#

max_instance6_count        Returns the maximal allowed number of IPv6 CoreXL Firewall instances for this
                           Security Gateway.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance6_count
                           [Expert@MyGW:0]# echo $?
                           3
                           [Expert@MyGW:0]#

max_instances_count        Returns the total maximal allowed number of CoreXL Firewall instances (IPv4
                           and IPv6) for this Security Gateway.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_count
                           [Expert@MyGW:0]# echo $?
                           40
                           [Expert@MyGW:0]#

max_instances_32bit        Returns the total maximal allowed number of CoreXL Firewall instances for a
                           Security Gateway that runs Gaia with 32-bit kernel.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_32bit
                           [Expert@MyGW:0]# echo $?
                           16
                           [Expert@MyGW:0]#

max_instances_64bit        Returns the total maximal allowed number of CoreXL Firewall instances for a
                           Security Gateway that runs Gaia with 64-bit kernel.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_64bit
                           [Expert@MyGW:0]# echo $?
                           40
                           [Expert@MyGW:0]#

min_instance_count         Returns the minimal allowed number of IPv4 CoreXL Firewall instances.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl min_instance_count
                           [Expert@MyGW:0]# echo $?
                           2
                           [Expert@MyGW:0]#

vmalloc_recalculate        Updates the value of the vmalloc parameter in the /boot/grub/grub.conf file.

unsupported_features       Returns 1 if at least one feature is configured that CoreXL does not support,
                           and names it.
                           Example
                           [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl unsupported_features
                           corexl unsupported feature: QoS is configured.
                           [Expert@MyGW:0]# echo $?
                           1
                           [Expert@MyGW:0]#

fwboot cpuid
Description
Shows the number of available CPUs and CPU cores on this Security Gateway.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot cpuid
      {-h | -help | --help}
      -c
      --full
      ht_aware
      -n
      --possible

Parameters

Parameter        Description

No Parameters    Shows the IDs of the available CPU cores on this Security Gateway.
                 Example
                 [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid
                 3 2 1 0
                 [Expert@MyGW:0]#

-c               Counts the number of available CPU cores on this Security Gateway.
                 The command stores the returned number as its exit code.
                 Example
                 [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -c
                 [Expert@MyGW:0]# echo $?
                 4
                 [Expert@MyGW:0]#

--full           Shows a full map of the available CPUs and CPU cores on this Security Gateway.
                 Example
                 [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --full
                 cpuid   phys_id   core_id   thread_id
                 0       0         0         0
                 1       2         0         0
                 2       4         0         0
                 3       6         0         0
                 [Expert@MyGW:0]#

ht_aware         Shows the CPU cores in the order of their awareness of Hyper-Threading.
                 Example
                 [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid ht_aware
                 3 2 1 0
                 [Expert@MyGW:0]#

-n               Counts the number of available CPUs on this Security Gateway.
                 The command stores the returned number as its exit code.
                 Example
                 [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -n
                 [Expert@MyGW:0]# echo $?
                 4
                 [Expert@MyGW:0]#

--possible       Counts the number of possible CPU cores.
                 The command stores the returned number as its exit code.
                 Example
                 [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --possible
                 [Expert@MyGW:0]# echo $?
                 4
                 [Expert@MyGW:0]#

fwboot default
Description
Loads the specified Default Filter policy on this Security Gateway.

Notes:
- You must run this command from the Expert mode.
- This command is the same as the "fwboot fwdefault" on page 416 command.
- Refer to these related commands:
  - "fw defaultgen" on page 295
  - "fwboot bootconf" on page 402
  - "control_bootsec" on page 186
  - "comp_init_policy" on page 183

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot default <Default Filter Policy File>

Parameters

Parameter                       Description

No Parameters                   Shows the built-in help with available parameters.

<Default Filter Policy File>    Specifies the full path and name of the Default Filter policy file.
                                The default is $FWDIR/boot/default.bin

Example

[Expert@MyGW:0]# $FWDIR/boot/fwboot default $FWDIR/boot/default.bin
FW-1: Default filter installed successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw stat
HOST      POLICY          DATE
localhost defaultfilter   13Sep2018 14:27:23 :  [>eth0] [<eth0]
[Expert@MyGW:0]#

fwboot fwboot_ipv6
Description
Shows the internal memory address of the hook function for the specified CoreXL Firewall instance.

Important - This command is for Check Point use only.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot fwboot_ipv6 <Number of CoreXL Firewall instance> hook [-d]

Parameters

Parameter                              Description

No Parameters                          Shows the built-in help with available parameters.

<Number of CoreXL Firewall instance>   Specifies the ID number of the CoreXL Firewall instance.

-d                                     Shows the decimal 64-bit address of the hook function.

Example

[Expert@MyGW:0]# fw ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 0 hook


0xffffffff89f8fc00
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 1 hook


0xffffffff8cd71c00
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 2 hook


0xffffffff8fb53c00
[Expert@MyGW:0]#

fwboot fwdefault
Description
Loads the specified Default Filter policy on this Security Gateway.

Notes:
- You must run this command from the Expert mode.
- This command is the same as the "fwboot default" on page 414 command.
- Refer to these related commands:
  - "fw defaultgen" on page 295
  - "fwboot bootconf" on page 402
  - "control_bootsec" on page 186
  - "comp_init_policy" on page 183

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot fwdefault <Default Filter Policy File>

Parameters

No Parameters
    Shows the built-in help with available parameters.

<Default Filter Policy File>
    Specifies the full path and name of the Default Filter policy file.
    The default file is $FWDIR/boot/default.bin

Example

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwdefault $FWDIR/boot/default.bin
FW-1: Default filter installed successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0]
[Expert@MyGW:0]


fwboot ha_conf
Description
Configures the cluster mechanism during boot.

Important - This command is for Check Point use only.

Notes:
- You must run this command from the Expert mode.
- Refer to these related commands:
  - "fw defaultgen" on page 295
  - "fwboot bootconf" on page 402
  - "control_bootsec" on page 186
  - "comp_init_policy" on page 183
- To install a cluster, see the R81 Installation and Upgrade Guide.
- To configure a cluster, see the R81 Installation and Upgrade Guide and R81 ClusterXL Administration Guide.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot ha_conf


fwboot ht
Description
Shows and configures the boot options for the SMT (HyperThreading) feature (sk93000).

Important - This command is for Check Point use only. To configure SMT
(HyperThreading) feature, follow sk93000.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot ht
      --core_override [<number>]
      --disable
      --eligible
      --enable
      --enabled
      --supported

Parameters

No Parameters
    Shows the built-in help with available parameters.

--core_override [<number>]
    Shows or configures the number of overriding CPU cores.
    The SMT feature uses this configuration to set the number of CPU cores after reboot.

--disable
    Disables the SMT feature.

--eligible
    Returns a number that shows if this system is eligible for the SMT feature. Run:
    [Expert@MyGW:0]# $FWDIR/boot/fwboot ht --eligible
    [Expert@MyGW:0]# echo $?
    - If you get 1 - The system is eligible for the SMT.
    - If you get 0 - The system is not eligible for the SMT. The possible causes are:
      - The system is not a Check Point appliance.
      - The system does not support the SMT.
      - The system does not run Gaia OS.
      - The appliance runs Gaia OS with 32-bit kernel and has more than 4 CPU cores.

--enable
    Enables the SMT feature.

--enabled
    Returns a number that shows if the SMT feature is enabled on this system. Run:
    [Expert@MyGW:0]# $FWDIR/boot/fwboot ht --enabled
    [Expert@MyGW:0]# echo $?
    - If you get 1 - The SMT is enabled.
    - If you get 0 - The SMT is disabled. The possible causes are:
      - The system does not run Gaia OS.
      - The SMT is disabled in software.

--supported
    Returns a number that shows if this system supports the SMT feature. Run:
    [Expert@MyGW:0]# $FWDIR/boot/fwboot ht --supported
    [Expert@MyGW:0]# echo $?
    - If you get 1 - System supports the SMT.
    - If you get 0 - System does not support the SMT. The possible causes are:
      - The system's CPU does not support the SMT.
      - The SMT is disabled in the system's BIOS.
      - The SMT is disabled in software.


fwboot multik_reg
Description
Shows the internal memory address of the registration function for the specified CoreXL Firewall instance.

Important - This command is for Check Point use only.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot multik_reg <Number of CoreXL Firewall instance> {ipv4 | ipv6} [-d]

Parameters

No Parameters
    Shows the built-in help with available parameters.

<Number of CoreXL Firewall instance>
    Specifies the ID number of the CoreXL Firewall instance.

ipv4
    Specifies to work with IPv4 CoreXL Firewall instances.

ipv6
    Specifies to work with IPv6 CoreXL Firewall instances.

-d
    Shows the decimal 64-bit address of the hook function.


Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 0 ipv4
0
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 1 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 2 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#


fwboot post_drv
Description
Loads the Firewall driver for CoreXL during boot.

Important:
- This command is for Check Point use only.
- If you run this command, the Security Gateway can block all traffic. In that case, you must connect to the Security Gateway over a console and restart Check Point services with the "cpstop" on page 227 and "cpstart" on page 219 commands. Alternatively, you can reboot the Security Gateway.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot post_drv {ipv4 | ipv6}

Parameters

No Parameters
    Shows the built-in help with available parameters.

ipv4
    Loads the IPv4 Firewall driver for CoreXL.

ipv6
    Loads the IPv6 Firewall driver for CoreXL.


sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information
received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts
mechanism.

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- See the "fw sam" on page 351 and "fw sam_policy" on page 358 commands.

SAM v1 syntax

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

-v
    Enables the verbose mode for the fw sam command.

-o
    Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-s <SAM Server>
    Specifies the SAM Server to be contacted. Default is localhost.

-t <Time>
    Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>
    Specifies the Security Gateway, on which to run the operation.
    Important - If you do not specify the target Security Gateway explicitly, this command applies to all managed Security Gateways.

-C
    Cancels the specified operation.

-n
    Specifies to notify every time a connection, which matches the specified criteria, passes through the Security Gateway.

-i
    Inhibits (drops or rejects) connections that match the specified criteria.

-I
    Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria.

-src
    Matches the source address of connections.

-dst
    Matches the destination address of connections.

-any
    Matches either the source or destination address of connections.

-srv
    Matches specific source, destination, protocol and port.


SAM v2 syntax

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src|-dst|-any|-srv}

Parameters for SAM v2

-v2
    Specifies to use SAM v2.

-v
    Enables the verbose mode for the fw sam command.

-O
    Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-S <SAM Server>
    Specifies the SAM Server to be contacted. Default is localhost.

-t <Time>
    Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>
    Specifies the Security Gateway, on which to run the operation.
    Important - If you do not specify the target Security Gateway explicitly, this command applies to all managed Security Gateways.

-n <Name>
    Specifies the name for the SAM rule. Default is empty.

-c "<Comment>"
    Specifies the comment for the SAM rule. Default is empty.
    You must enclose the text in double quotes or single quotes.

-o <Originator>
    Specifies the originator for the SAM rule. Default is sam_alert.

-l {r | a}
    Specifies the log type for connections that match the specified criteria:
    - r - Regular
    - a - Alert
    Default is None.

-a {d | r | n | b | q | i}
    Specifies the action to apply on connections that match the specified criteria:
    - d - Drop
    - r - Reject
    - n - Notify
    - b - Bypass
    - q - Quarantine
    - i - Inspect

-C
    Specifies to close all existing connections that match the criteria.

-ip
    Specifies to use IP addresses as criteria parameters.

-eth
    Specifies to use MAC addresses as criteria parameters.

-src
    Matches the source address of connections.

-dst
    Matches the destination address of connections.

-any
    Matches either the source or destination address of connections.

-srv
    Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.


stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug purposes - to
make sure the applicable SNMP OIDs provide the requested information.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax
- To query a Regular OID:
  stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>
  These are specified in the SNMP MIB files. For Check Point MIB files, see sk90470.
- To query a Statistical OID:
  stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>
  Statistical OIDs take some time to "initialize". For example, to calculate an average, it is necessary to collect enough samples.
  Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_oid.conf file.

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-h <Host>
    Specifies the remote Check Point host to query by its IP address or resolvable hostname.

-p <Port>
    Specifies the port number, on which the AMON server listens. Default port is 18192.

-x <Proxy Server>
    Specifies the Proxy Server by its IP address or resolvable hostname.
    Note - Use only when you query a remote host.

-l <Polling Interval>
    Specifies the time in seconds between queries.
    Note - Use only when you query a Statistical OID.

-r <Polling Duration>
    Specifies the time in seconds, during which to run consecutive queries.
    Note - Use only when you query a Statistical OID.

-v <VSID>
    On a VSX Gateway, specifies the context of a Virtual Device to query.

-t <Timeout>
    Specifies the session timeout in milliseconds.

<Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>
    Specifies the Regular OIDs to query.
    Notes:
    - OID must not start with a period.
    - Separate the OIDs with spaces.
    - You can specify up to 100 OIDs.

<Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>
    Specifies the Statistical OIDs to query.
    Notes:
    - OID must not start with a period.
    - Separate the OIDs with spaces.
    - You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.4.2

Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Information is collected with intervals of 5 seconds during 5 seconds.

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3


usrchk
Description
Controls the UserCheck daemon (usrchkd).

Syntax

usrchk
      hits <options>
      incidents <options>
      debug <options>

Note - You can also enter partial names of the sub-commands and their options.


Parameters

No Parameter
    Shows the built-in help. This applies to sub-commands as well.
    For example, run just the "usrchk hits" command.

hits <options>
    Shows user hits (violations). The available options are:
    - Show user hits:
      - List all existing hits:
        usrchk hits list all
      - Show hits for a specified user:
        usrchk hits list user <UserName>
      - Show hits for a specified interaction object:
        usrchk hits list uci <Name of UserCheck Interaction Object>
    - Clear user hits:
      - Clear all existing hits:
        usrchk hits clear all
      - Clear hits for a specified user:
        usrchk hits clear user <UserName>
      - Clear hits for a specified interaction object:
        usrchk hits clear uci <Name of UserCheck Interaction Object>
    - Database operations:
      - Reload hits from the database:
        usrchk hits db reload
      - Update hits changes in the database:
        usrchk hits db reload update

incidents <options>
    Sends emails to users about incidents. The available option is:
    - Send emails to users about their expiring email violations:
      usrchk incidents expiring

debug <options>
    Controls the debug of the UserCheck daemon. The available options are:

    - Enable the debug:
      usrchk debug on
      Important - After you run this command "usrchk debug on", you must run the command "usrchk debug set ..." to configure the required filter.
      Important - When you enable the debug, it affects the performance of the usrchkd daemon. Make sure to disable the debug after you complete your troubleshooting.
    - Disable the debug:
      usrchk debug off
    - Filter which debug logs UserCheck writes to the log file based on the specified Debug Topics and Severity:
      usrchk debug set <Topic Name> <Severity>
      The available Debug Topics are:
      - all
      - Check Point Support provides more specific topics, based on the reported issue
      The available Severities are:
      - all
      - critical
      - events
      - important
      - surprise
      Best Practice - We recommend that you enable all Topics and all Severities. Run:
      usrchk debug set all all
    - Show the UserCheck current debug status:
      usrchk debug stat
    - Unset the specified Debug Topic(s):
      usrchk debug unset <Topic Name>
    - Reset all debug topics:
      usrchk debug reset
    - Rotate the UserCheck log files:
      usrchk debug

    - Show the memory consumption by the usrchkd daemon:
      usrchk debug memory
    - Show and set the number of indentation spaces in the $FWDIR/log/usrchk.elg file:
      usrchk debug spaces [<0 - 5>]
      You can specify the number of spaces:
      - 0 (this is the default)
      - 1
      - 2
      - 3
      - 4
      - 5

    Notes:
    - To show all UserCheck interaction objects, run:
      usrchk hits list all
    - You can only run a command that contains "user <UserName>" if:
      - Identity Awareness is enabled on the Security Gateway.
      - User object is used in the same policy rules as UserCheck objects.


Working with Kernel Parameters on Security Gateway
This section describes what kernel parameters are, and how to view and configure their values.


Introduction to Kernel Parameters


Kernel parameters let you change the advanced behavior of your Security Gateway.
These are the supported types of kernel parameters:

Integer
    Accepts only one integer value.

String
    Accepts only a plain-text string.

Important:
- In Cluster, you must see and configure the same value for the same kernel parameter on each Cluster Member.
- In VSX Gateway, the configured values of kernel parameters apply to all existing Virtual Systems and Virtual Routers.

Security Gateway gets the names and the default values of the kernel parameters from these kernel module files:
- $FWDIR/modules/fw_kern_64.o
- $FWDIR/modules/fw_kern_64_v6.o
- $PPKDIR/modules/sim_kern_64.o
- $PPKDIR/modules/sim_kern_64_v6.o


Firewall Kernel Parameters


To change the internal default behavior of Firewall or to configure special advanced settings for Firewall, you can use Firewall kernel parameters.
The names of applicable Firewall kernel parameters and their values appear in various SK articles in the Check Point Support Center and are provided by Check Point Support.

Important:
- The names of Firewall kernel parameters are case-sensitive.
- You can configure most of the Firewall kernel parameters on-the-fly with the "fw ctl set" command. This change does not survive a reboot.
- You can configure some of the Firewall kernel parameters only permanently in the special configuration files - $FWDIR/boot/modules/fwkern.conf or $FWDIR/boot/modules/vpnkern.conf. This requires a maintenance window, because the new values of the kernel parameters take effect only after a reboot.
- In a Cluster, you must configure all the Cluster Members in the same way.

Examples of Firewall kernel parameters

Integer:
- fw_allow_simultaneous_ping
- fw_kdprintf_limit
- fw_log_bufsize
- send_buf_limit

String:
- simple_debug_filter_addr_1
- simple_debug_filter_daddr_1
- simple_debug_filter_vpn_1
- ws_debug_ip_str
- fw_lsp_pair1


Working with Integer Kernel Parameters


Viewing the list of the available Firewall integer kernel parameters and their values

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. Get the list of the available integer kernel parameters and their values:
   modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_integer_kernel_parameters.txt 2>> /var/log/fw_integer_kernel_parameters.txt
4. Analyze the output file:
   /var/log/fw_integer_kernel_parameters.txt

Viewing the current value of a Firewall integer kernel parameter

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Check the current value of an integer kernel parameter:
   fw ctl get int <Name of Integer Kernel Parameter> [-a]
   Example:
   [Expert@MyGW:0]# fw ctl get int send_buf_limit
   send_buf_limit = 80
   [Expert@MyGW:0]#


Configuring a value for a Firewall integer kernel parameter temporarily

Important - This change does not survive reboot.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Set the new value for an integer kernel parameter:
   fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>
   Example:
   [Expert@MyGW:0]# fw ctl set int send_buf_limit 100
   Set operation succeeded
   [Expert@MyGW:0]#
4. Make sure the new value is set:
   fw ctl get int <Name of Integer Kernel Parameter>
   Example:
   [Expert@MyGW:0]# fw ctl get int send_buf_limit
   send_buf_limit = 100
   [Expert@MyGW:0]#


Configuring a value for a Firewall integer kernel parameter permanently

To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the applicable configuration files:
- For Firewall kernel parameters:
  $FWDIR/boot/modules/fwkern.conf
- For VPN kernel parameters:
  $FWDIR/boot/modules/vpnkern.conf
The exact instructions are provided in various SK articles in the Check Point Support Center and by Check Point Support.
For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. See if the configuration file already exists.
   - For Firewall kernel parameters:
     ls -l $FWDIR/boot/modules/fwkern.conf
   - For VPN kernel parameters:
     ls -l $FWDIR/boot/modules/vpnkern.conf
4. If this file already exists, skip to Step 5.
   If this file does not exist, then create it manually and then skip to Step 6.
   - For Firewall kernel parameters:
     touch $FWDIR/boot/modules/fwkern.conf
   - For VPN kernel parameters:
     touch $FWDIR/boot/modules/vpnkern.conf
5. Back up the current configuration file.
   - For Firewall kernel parameters:
     cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
   - For VPN kernel parameters:
     cp -v $FWDIR/boot/modules/vpnkern.conf{,_BKP}
6. Edit the current configuration file.
   - For Firewall kernel parameters:
     vi $FWDIR/boot/modules/fwkern.conf
   - For VPN kernel parameters:
     vi $FWDIR/boot/modules/vpnkern.conf
7. Add the required Firewall kernel parameter with the assigned value in the exact format specified below.
   Important - These configuration files do not support space characters, tabulation characters, and comments (lines that contain the # character).
   - To add an integer kernel parameter:
     <Name_of_Integer_Kernel_Parameter>=<Integer_Value>
   - To add a string kernel parameter:
     Note - You must write the value in single quotes, or double-quotes.
     <Name_of_String_Kernel_Parameter>='<String_Text>'
     or
     <Name_of_String_Kernel_Parameter>="<String_Text>"
8. Save the changes in the file and exit the Vi editor.
9. Reboot the Security Gateway or Cluster Member.
   Important - In cluster, this can cause a failover.
10. Connect to the command line on your Security Gateway or Cluster Member.
11. Log in to Gaia Clish or the Expert mode.
12. Make sure the new value of the kernel parameter is set:
    - For an integer kernel parameter, run:
      fw ctl get int <Name of Integer Kernel Parameter> [-a]
    - For a string kernel parameter, run:
      fw ctl get str <Name of String Kernel Parameter> [-a]


Working with String Kernel Parameters


Viewing the list of the available Firewall string kernel parameters and their values

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. Get the list of the available string kernel parameters and their values:
   modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/fw_string_kernel_parameters.txt 2>> /var/log/fw_string_kernel_parameters.txt
4. Analyze the output file:
   /var/log/fw_string_kernel_parameters.txt

Viewing the current value of a Firewall string kernel parameter

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Check the current value of a string kernel parameter:
   fw ctl get str <Name of String Kernel Parameter> [-a]
   Example:
   [Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset
   fileapp_default_encoding_charset = 'UTF-8'
   [Expert@MyGW:0]#


Configuring a value for a Firewall string kernel parameter temporarily

Important - This change does not survive reboot.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Set the new value for a string kernel parameter:
   Note - You must write the value in single quotes, or double-quotes.
   fw ctl set str <Name of String Kernel Parameter> '<String Text>'
   or
   fw ctl set str <Name of String Kernel Parameter> "<String Text>"
   Example:
   [Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip '1.1.1.1'
   Set operation succeeded
   [Expert@MyGW:0]#
4. Make sure the new value is set:
   fw ctl get str <Name of String Kernel Parameter>
   Example:
   [Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip
   debug_filter_saddr_ip = '1.1.1.1'
   [Expert@MyGW:0]#


Removing the current value from a Firewall string kernel parameter temporarily

Important - This change does not survive reboot.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Clear the current value from a string kernel parameter:
   Note - You must set an empty value in single quotes, or double-quotes.
   fw ctl set str <Name of String Kernel Parameter> ''
   or
   fw ctl set str <Name of String Kernel Parameter> ""
   Example:
   [Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip ''
   Set operation succeeded
   [Expert@MyGW:0]#
4. Make sure the value is cleared (the new value is empty):
   fw ctl get str <Name of String Kernel Parameter>
   Example:
   [Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip
   debug_filter_saddr_ip = ''
   [Expert@MyGW:0]#


SecureXL Kernel Parameters


To change the internal default behavior of SecureXL or to configure special advanced settings for SecureXL, you can use SecureXL kernel parameters.
The names of applicable SecureXL kernel parameters and their values appear in various SK articles in the Check Point Support Center and are provided by Check Point Support.

Important:
- The names of SecureXL kernel parameters are case-sensitive.
- You cannot configure SecureXL kernel parameters on-the-fly with the "fw ctl set" command. You must configure them only permanently in the special configuration file - $PPKDIR/conf/simkern.conf. Schedule a maintenance window, because this procedure requires a reboot.
- For some SecureXL kernel parameters, you cannot get their current value on-the-fly with the "fw ctl get" command (see sk43387).
- In a Cluster, you must configure all the Cluster Members in the same way.

Examples of SecureXL kernel parameters

Integer:
- num_of_sxl_devices
- sim_ipsec_dont_fragment
- tcp_always_keepalive
- sim_log_all_frags
- simple_debug_filter_dport_1
- simple_debug_filter_proto_1

String:
- simple_debug_filter_addr_1
- simple_debug_filter_daddr_2
- simlinux_excluded_ifs_list


Viewing the list of the available SecureXL integer kernel parameters and their values

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. Get the list of the available integer kernel parameters and their values:
   modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/sxl_integer_kernel_parameters.txt 2>> /var/log/sxl_integer_kernel_parameters.txt
4. Analyze the output file:
   /var/log/sxl_integer_kernel_parameters.txt

Viewing the list of the available SecureXL string kernel parameters and their values

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. Get the list of the available string kernel parameters and their values:
   modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/sxl_string_kernel_parameters.txt 2>> /var/log/sxl_string_kernel_parameters.txt
4. Analyze the output file:
   /var/log/sxl_string_kernel_parameters.txt
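The listing procedures for Firewall and SecureXL kernel parameters above both end with "analyze the output file". As an added example (not Check Point's code), the Python below parses those /var/log/fw_*_kernel_parameters.txt and /var/log/sxl_*_kernel_parameters.txt files and flags every parameter whose value differs between Cluster Members, since the guide requires identical values on each member. It assumes the files hold lines in the "<name> = <value>" form shown in the fw ctl get examples, with string values in quotes; the two member files and the error line are constructed.

```python
import re
from typing import Dict, List, Tuple

# A line of "fw ctl get int" or "fw ctl get str" output, as collected into
# the /var/log/*_kernel_parameters.txt files: "<name> = <value>".
# Integer values are bare (send_buf_limit = 80); string values are quoted
# (fileapp_default_encoding_charset = 'UTF-8'); an empty string shows as ''.
_LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*)$")


def parse_kernel_parameters(text: str) -> Tuple[Dict[str, object], List[str]]:
    """Parse one collected output file.

    Returns (params, unparsed): params maps each parameter name to an int or
    to the string value without its quotes; unparsed keeps every other
    non-empty line verbatim (for example the messages that 2>> appended for
    parameters whose value cannot be read on the fly), so nothing is lost.
    """
    params: Dict[str, object] = {}
    unparsed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _LINE_RE.match(line)
        if match is None:
            unparsed.append(line)
            continue
        name, value = match.group("name"), match.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            params[name] = value[1:-1]          # string parameter
        elif re.fullmatch(r"-?\d+", value):
            params[name] = int(value)           # integer parameter
        else:
            unparsed.append(line)
    return params, unparsed


def find_drift(members: Dict[str, Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Compare the parsed parameters of several Cluster Members.

    Returns {parameter: {member: value}} for every parameter whose value is
    not identical on all members. A parameter missing on a member is reported
    as None, so a member that failed to read a value also shows up as drift.
    """
    names = set()
    for values in members.values():
        names.update(values)
    drift: Dict[str, Dict[str, object]] = {}
    for name in sorted(names):
        per_member = {m: values.get(name) for m, values in members.items()}
        # repr() keeps int 0 and string '0' apart.
        if len({repr(v) for v in per_member.values()}) > 1:
            drift[name] = per_member
    return drift


# Constructed sample files for two Cluster Members (not real gateway output).
# member2 has a different send_buf_limit and one line that is not a
# "<name> = <value>" pair, standing in for a parameter that could not be read.
MEMBER1_OUTPUT = """send_buf_limit = 80
fw_allow_simultaneous_ping = 0
fileapp_default_encoding_charset = 'UTF-8'
debug_filter_saddr_ip = ''
"""
MEMBER2_OUTPUT = """send_buf_limit = 100
fw_allow_simultaneous_ping = 0
fileapp_default_encoding_charset = 'UTF-8'
debug_filter_saddr_ip = ''
constructed error line: value could not be read on the fly
"""


def report_drift(outputs: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Parse each member's file and return the drift table (also printed)."""
    parsed = {}
    for member, text in outputs.items():
        params, unparsed = parse_kernel_parameters(text)
        parsed[member] = params
        for line in unparsed:
            print(f"{member}: could not parse: {line}")
    drift = find_drift(parsed)
    for name, per_member in drift.items():
        print(f"DRIFT {name}: " + ", ".join(f"{m}={v!r}" for m, v in per_member.items()))
    return drift


if __name__ == "__main__":
    report_drift({"member1": MEMBER1_OUTPUT, "member2": MEMBER2_OUTPUT})
```

Copy each member's output file off the gateway and pass its text to report_drift under that member's name; any parameter it prints as DRIFT needs to be aligned before the cluster is considered consistent.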


Configuring a value for a SecureXL kernel parameter permanently

For more information, see sk26202: Changing the kernel global parameters for Check Point Security
Gateway.

Step Description

1 Connect to the command line on your Security Gateway or Cluster Member.

2 Log in to the Expert mode.

3 See if the configuration file already exists:


ls -l $PPKDIR/conf/simkern.conf

4 If this file already exists, skip to Step 5.


If this file does not exist, then create it manually and then skip to Step 6:
touch $PPKDIR/conf/simkern.conf

5 Back up the current configuration file:


cp -v $PPKDIR/conf/simkern.conf{,_BKP}

6 Edit the current configuration file:


vi $PPKDIR/conf/simkern.conf

7 Add the required SecureXL kernel parameter with the assigned value in the exact format
specified below.

Important - This configuration file does not support space characters, tabulation
characters, and comments (lines that contain the # character).

n To add an integer kernel parameter:


<Name_of_SecureXL_Integer_Kernel_Parameter>=<Integer_
Value>
n To add a string kernel parameter:

Note - You must write the value in single quotes, or double-quotes.

<Name_of_SecureXL_String_Kernel_Parameter>='<String_
Text>'
or
<Name_of_SecureXL_String_Kernel_Parameter>="<String_
Text>"

8 Save the changes in the file and exit the Vi editor.

Next Generation Security Gateway R81 Administration Guide      |      445


SecureXL Kernel Parameters

Step Description

9. Reboot the Security Gateway or Cluster Member.

   Important - In cluster, this can cause a failover.

10. Connect to the command line on your Security Gateway or Cluster Member.

11. Log in to Gaia Clish or the Expert mode.

12. Make sure the new value of the kernel parameter is set:

   - For an integer kernel parameter, run:

    fw ctl get int <Name of Integer Kernel Parameter> [-a]

   - For a string kernel parameter, run:

    fw ctl get str <Name of String Kernel Parameter> [-a]
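The steps above amount to a small file-editing discipline: one <Name>=<Value> line per parameter, no whitespace or comments, strings quoted, and a backup before every change. The following Python script is an added example (it is not part of this guide or of Check Point's software) that applies those rules and refuses to write a file that violates them. The script name simkern_set.py, the parameter names used in its self-check, and the assumed identifier shape of a parameter name are this example's own choices; it reads $PPKDIR like the commands above, so it is meant to run in the Expert mode where that variable is defined, or off-box against a copy of the file.

```python
"""Add or update a SecureXL kernel parameter in $PPKDIR/conf/simkern.conf.

Added example, not Check Point's code. It follows steps 3 to 8 above:
create the file if needed, back it up, then write one <Name>=<Value>
line per parameter (no spaces, no tabs, no '#' comments, strings quoted).
"""
import os
import re
import shutil
import sys

# Assumed shape of a kernel parameter name (the guide gives no formal grammar).
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def format_simkern_line(name, value):
    """Return one line in the format simkern.conf accepts."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid kernel parameter name: {name!r}")
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError("value must be an int or a str")
    if isinstance(value, int):
        return f"{name}={value}"                      # integer parameter
    if any(c in value for c in " \t#\"'"):
        raise ValueError("string value must not contain spaces, tabs, '#' or quotes")
    return f'{name}="{value}"'                        # string parameter, double-quoted


def update_simkern_lines(lines, name, value):
    """Replace an existing assignment of 'name', or append it; drop empty lines."""
    new_line = format_simkern_line(name, value)
    out, replaced = [], False
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.split("=", 1)[0] == name:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return out


def check_simkern_lines(lines):
    """Return the format violations the Important note warns about (empty = OK)."""
    problems = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line:
            continue
        if " " in line or "\t" in line:
            problems.append(f"line {n}: space or tab characters are not supported")
        if "#" in line:
            problems.append(f"line {n}: comments ('#') are not supported")
        if "=" not in line:
            problems.append(f"line {n}: expected <Name>=<Value>")
    return problems


def set_simkern_param(path, name, value):
    """Create the file if missing, back up an existing one, then write the new content."""
    lines = []
    if os.path.exists(path):
        shutil.copyfile(path, path + "_BKP")          # same as: cp simkern.conf{,_BKP}
        with open(path) as fh:
            lines = fh.readlines()
    out = update_simkern_lines(lines, name, value)
    problems = check_simkern_lines(out)
    if problems:
        raise ValueError("refusing to write an invalid file: " + "; ".join(problems))
    with open(path, "w") as fh:
        fh.write("\n".join(out) + "\n")
    return out


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 simkern_set.py <name> <value>
    # The new value takes effect only after the reboot in step 9.
    if "PPKDIR" not in os.environ or len(sys.argv) != 3:
        sys.exit("usage: PPKDIR must be set; simkern_set.py <name> <value>")
    raw = sys.argv[2]
    val = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    conf = os.path.join(os.environ["PPKDIR"], "conf", "simkern.conf")
    for entry in set_simkern_param(conf, sys.argv[1], val):
        print(entry)
```

The script only prepares the file; the reboot in Step 9 is still what makes the value take effect, and the backup it writes (simkern.conf_BKP) is the same one the cp command in Step 5 creates.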

Kernel Debug on Security Gateway


This section describes how to collect a kernel debug on Security Gateway.

Kernel Debug Syntax


Description:
During a kernel debug session, Security Gateway prints special debug messages that help Check Point Support and R&D understand how the Security Gateway processes the applicable connections.

Important - In Cluster, you must configure and perform the kernel debug procedure on all cluster members in the same way.

Action plan to collect a kernel debug:

Note - See the "Kernel Debug Procedure" on page 461, or the "Kernel Debug Procedure with Connection Life Cycle" on page 463.

Step 1 - Configure the applicable debug settings:
   a. Restore the default debug settings.
   b. Allocate the debug buffer.
In this step, you prepare the kernel debug options:
   a. Restore the default debug settings, so that any other debug settings do not interfere with the kernel debug.
   b. Allocate the kernel debug buffer, in which Security Gateway holds the applicable debug messages.

Step 2 - Configure the applicable kernel debug modules and their debug flags.
In this step, you prepare the applicable kernel debug modules and their debug flags, so that Security Gateway collects only applicable debug messages.

Step 3 - Start the collection of the kernel debug into an output file.
In this step, you configure Security Gateway to write the debug messages from the kernel debug buffer into an output file.

Step 4 - Stop the kernel debug.
In this step, you configure Security Gateway to stop writing the debug messages into an output file.

Step 5 - Restore the default kernel debug settings.
In this step, you restore the default kernel debug options.


To see the built-in help for the kernel debug

    fw ctl debug -h

To restore the default kernel debug settings

- To reset all debug flags and enable only the default debug flags in all kernel modules:

    fw ctl debug 0

- To disable all debug flags including the default flags in all kernel modules:

  Best Practice - Do not run this command, because it disables even the basic default debug messages.

    fw ctl debug -x

To allocate the kernel debug buffer

    fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}] [-k]

Notes:
- Security Gateway allocates the kernel debug buffer with the specified size for every CoreXL Firewall instance.
- The maximal supported buffer size is 8192 kilobytes.

To configure the debug modules and debug flags

- General syntax:

    fw ctl debug [-d <Strings to Search>] [-v {"<List of VSIDs>" | all}] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}

    fw ctl debug [-s "<String to Stop Debug>"] [-v {"<List of VSIDs>" | all}] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}

- To see a list of all debug modules and their flags:

  Note - The list of kernel modules depends on the Software Blades you enabled on the Security Gateway.

    fw ctl debug -m

- To see a list of debug flags that are already enabled:

    fw ctl debug

- To enable all debug flags in the specified kernel module:

    fw ctl debug -m <Name of Debug Module> all


- To enable the specified debug flags in the specified kernel module:

    fw ctl debug -m <Name of Debug Module> + <List of Debug Flags>

- To disable the specified debug flags in the specified kernel module:

    fw ctl debug -m <Name of Debug Module> - <List of Debug Flags>

To collect the kernel debug output

- General syntax (only supported parameters are listed):

    fw ctl kdebug [-p <List of Fields>] [-T] -f > /<Path>/<Name of Output File>

    fw ctl kdebug [-p <List of Fields>] [-T] -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

- To start the collection of the kernel debug into an output file:

    fw ctl kdebug -T -f > /<Path>/<Name of Output File>

- To start collecting the kernel debug into cyclic output files:

    fw ctl kdebug -T -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

Parameters

Note - Only supported parameters are listed.

Table: Parameters of the 'fw ctl debug' command

0 | -x
    Controls how to disable the debug flags:
    - 0
      Resets all debug flags and enables only the default debug flags in all kernel modules.
    - -x
      Disables all debug flags, including the default flags in all kernel modules.
      Best Practice - Do not use the "-x" parameter, because it disables even the basic default debug messages.


-d <Strings to Search>
    When you specify this parameter, the Security Gateway:
    1. Examines the applicable debug messages based on the enabled kernel debug modules and their debug flags.
    2. Collects only debug messages that contain at least one of the specified strings into the kernel debug buffer.
    3. Writes the entire kernel debug buffer into the output file.

    Notes:
    - These strings can be any plain text (not a regular expression) that you see in the debug messages.
    - Separate the applicable strings by commas without spaces:
      -d String1,String2,...,StringN
    - You can specify up to 10 strings, up to 250 characters in total.

-s "<String to Stop Debug>"
    When you specify this parameter, the Security Gateway:
    1. Collects the applicable debug messages into the kernel debug buffer based on the enabled kernel debug modules and their debug flags.
    2. Does not write any of these debug messages from the kernel debug buffer into the output file.
    3. Stops collecting all debug messages when it detects the first debug message that contains the specified string in the kernel debug buffer.
    4. Writes the entire kernel debug buffer into the output file.

    Notes:
    - This one string can be any plain text (not a regular expression) that you see in the debug messages.
    - String length is up to 50 characters.

-m <Name of Debug Module>
    Specifies the name of the kernel debug module, for which you print or configure the debug flags.


{all | + <List of Debug Flags> | - <List of Debug Flags>}
    Specifies which debug flags to enable or disable in the specified kernel debug module:
    - all
      Enables all debug flags in the specified kernel debug module.
    - + <List of Debug Flags>
      Enables the specified debug flags in the specified kernel debug module.
      You must press the space bar key after the plus (+) character:
      + <Flag1> [<Flag2> ... <FlagN>]
      Example: + drop conn
    - - <List of Debug Flags>
      Disables the specified debug flags in the specified kernel debug module.
      You must press the space bar key after the minus (-) character:
      - <Flag1> [<Flag2> ... <FlagN>]
      Example: - conn

-v {"<List of VSIDs>" | all}
    Specifies the list of Virtual Systems.
    A VSX Gateway automatically filters the collected kernel debug information for debug messages only for these Virtual Systems.
    - -v "<List of VSIDs>"
      Monitors the messages only from the specified Virtual Systems.
      To specify the Virtual Systems, enter their VSID number separated with commas and without spaces:
      "VSID1[,VSID2,VSID3,...,VSIDn]"
      Example: -v "1,3,7"
    - -v all
      Monitors the messages from all configured Virtual Systems.

    Notes:
    - This parameter is supported only in VSX mode.
    - This parameter and the -k parameter are mutually exclusive.


-e <Expression>
-i <Name of Filter File>
-i -
-u
    Specifies the INSPECT filter for the debug:
    - -e <Expression>
      Specifies the INSPECT filter. See "fw monitor" on page 322.
    - -i <Name of Filter File>
      Specifies the file that contains the INSPECT filter.
    - -i -
      Specifies that the INSPECT filter arrives from the standard input.
      The Security Gateway prompts to enter the INSPECT filter on the screen.
    - -u
      Removes the INSPECT debug filter.

    Notes:
    - These are legacy parameters ("-e" and "-i").
    - When you use these parameters ("-e" and "-i"), the Security Gateway cannot apply the specified INSPECT filter to the accelerated traffic.
    - For new debug filters, see "Kernel Debug Filters" on page 456.

-z
    The Security Gateway processes some connections in both the SecureXL code and the Host appliance code (for example, Passive Streaming Library (PSL), an IPS infrastructure that transparently listens to TCP traffic as network packets and rebuilds the TCP stream out of these packets).
    The Security Gateway processes some connections only in the Host appliance code.
    When you use this parameter, the kernel debug output contains the debug messages only from the Host appliance code.

-k
    The Security Gateway processes some connections in both the kernel space code and the user space code (for example, Web Intelligence).
    The Security Gateway processes some connections only in the kernel space code.
    When you use this parameter, the kernel debug output contains the debug messages only from the kernel space.

    Notes:
    - This parameter is not supported in the VSX mode, in which the Firewall works in the user space.
    - This parameter and the -v parameter are mutually exclusive.


-p <List of Fields>
    By default, when the Security Gateway prints the debug messages, the messages start with the applicable CPU ID and CoreXL Firewall instance ID.
    You can print additional fields in the beginning of each debug message.

    Notes:
    - These fields are available:
      all, proc, pid, date, mid, type, freq, topic, time, ticks, tid, text, errno, host, vsid, cpu.
    - When you specify the applicable fields, separate them with commas and without spaces:
      Field1,Field2,...,FieldN
    - The more fields you specify, the higher the load on the CPU and on the hard disk.

-T
    Prints the time stamp in microseconds in front of each debug message.

    Best Practice - Always use this parameter to make the debug analysis easier.

-f
    Collects the debug data until you stop the kernel debug in one of these ways:
    - When you press the CTRL+C keys.
    - When you run the "fw ctl debug 0" command.
    - When you run the "fw ctl debug -x" command.
    - When you kill the "fw ctl kdebug" process.

/<Path>/<Name of Output File>
    Specifies the path and the name of the debug output file.

    Best Practice - Always use the largest partition on the disk - /var/log/. Security Gateway can generate many debug messages within a short time. As a result, the debug output file can grow to a large size very fast.


-o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]
    Saves the collected debug data into cyclic debug output files.
    When the size of the current <Name of Output File> reaches the specified <Size of Each Cyclic File in KB> (more or less), the Security Gateway renames the current <Name of Output File> to <Name of Output File>.0 and creates a new <Name of Output File>.
    If the <Name of Output File>.0 already exists, the Security Gateway renames the <Name of Output File>.0 to <Name of Output File>.1, and so on - until the specified limit <Number of Cyclic Files>. When the Security Gateway reaches the <Number of Cyclic Files>, it deletes the oldest files.
    The valid values are:
    - <Number of Cyclic Files> - from 1 to 999
    - <Size of Each Cyclic File in KB> - from 1 to 2097150
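To make the -d and -s rules of the table concrete, here is an added Python model (example code written for this page, not a Check Point tool) that applies them to a short list of constructed debug messages: the 10-string and 250-character limits of -d, the 50-character limit of -s, plain substring matching rather than regular expressions, and the fact that the message containing the stop string is itself still in the buffer that gets written. The message texts, SAMPLE_MESSAGES, and the function names are the example's own; the guide shows -d and -s as separate command forms, and accepting both in one call is the model's choice, not a documented gateway feature.

```python
"""Model of how 'fw ctl debug -d' and 'fw ctl debug -s' shape the debug buffer.

Added example, not Check Point's code. It applies the rules in the table
above to a list of debug messages: -d keeps only messages containing one of
up to 10 plain strings (250 characters in total); -s collects everything up
to the first message containing one string of up to 50 characters.
"""
MAX_SEARCH_STRINGS = 10        # -d: up to 10 strings ...
MAX_SEARCH_TOTAL_CHARS = 250   # ... up to 250 characters in total
MAX_STOP_STRING_CHARS = 50     # -s: one string of up to 50 characters

# Constructed messages in the spirit of kernel debug output (not captured output).
SAMPLE_MESSAGES = [
    "fwconn_lookup_cache: conn <dir 0, 10.0.0.5:40000 -> 10.0.0.9:443 IPP 6>",
    "VM Final action=ACCEPT",
    "fwconn_lookup_cache: conn <dir 0, 10.0.0.5:40001 -> 10.0.0.9:22 IPP 6>",
    "fw_log_drop: 10.0.0.5:40001 -> 10.0.0.9:22 dropped by fw_handle_first_packet Reason: Rulebase",
    "fwconn_lookup_cache: conn <dir 0, 10.0.0.7:53 -> 10.0.0.9:53 IPP 17>",
]


def parse_search_list(arg):
    """Validate and split the '-d String1,String2,...,StringN' argument."""
    strings = arg.split(",")
    if any(not s for s in strings):
        raise ValueError("empty search string (check for doubled commas)")
    if any(" " in s for s in strings):
        raise ValueError("separate the strings with commas only, without spaces")
    if len(strings) > MAX_SEARCH_STRINGS:
        raise ValueError(f"at most {MAX_SEARCH_STRINGS} search strings are supported")
    if sum(len(s) for s in strings) > MAX_SEARCH_TOTAL_CHARS:
        raise ValueError(f"search strings are limited to {MAX_SEARCH_TOTAL_CHARS} characters in total")
    return strings


def collect(messages, search=None, stop=None):
    """Return the messages that would reach the output file.

    messages : debug messages in arrival order, already reduced to the
               enabled modules and flags (this model does not emulate flags)
    search   : list from parse_search_list(); keep a message only if it
               contains at least one string (plain substring, not a regex)
    stop     : the -s string; keep collecting until the first message that
               contains it, which is itself still in the buffer
    """
    if stop is not None and len(stop) > MAX_STOP_STRING_CHARS:
        raise ValueError(f"stop string is limited to {MAX_STOP_STRING_CHARS} characters")
    kept = []
    for msg in messages:
        if search is None or any(s in msg for s in search):
            kept.append(msg)
        if stop is not None and stop in msg:
            break                                   # buffer is written as it stands
    return kept


if __name__ == "__main__":
    for label, kept in [("-d dropped", collect(SAMPLE_MESSAGES, search=parse_search_list("dropped"))),
                        ("-s Rulebase", collect(SAMPLE_MESSAGES, stop="Rulebase"))]:
        print(label)
        for m in kept:
            print("   ", m)
```

The -s case is the useful one for intermittent problems: you enable the flags, let the buffer run, and the first occurrence of a known drop reason freezes the buffer so the messages leading up to it are what lands in the file.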

Kernel Debug Filters


By default, kernel debug output contains information about all processed connections.
You can configure filters for kernel debug to collect debug messages only for the applicable connections.
There are three types of debug filters:
- By connection tuple parameters
- By an IP address parameter
- By a VPN peer parameter
To configure these kernel debug filters, assign the applicable values to the applicable kernel parameters before you start the kernel debug.
You assign the values to the applicable kernel parameters temporarily with the "fw ctl set" command.

Notes:
- A Security Gateway supports:
  - up to five Connection Tuple filters in total (from all types)
  - up to three Host IP Address filters
  - up to two VPN Peer filters
- A Security Gateway applies these debug filters to both the non-accelerated and accelerated traffic.
- A Security Gateway applies these debug filters to "Kernel Debug Procedure with Connection Life Cycle" on page 463.

Best Practice - It is usually simpler to set the Connection Tuple and Host IP Address filters from within the "'fw ctl debug' and 'fw ctl kdebug'" on page 279 command. To filter the kernel debug by a VPN Peer, use the procedure below.


To configure debug filter of the type "By connection tuple parameters":

A Security Gateway processes connections based on the 5-tuple:
- Source IP address
- Source Port (see IANA Service Name and Port Number Registry)
- Destination IP address
- Destination Port (see IANA Service Name and Port Number Registry)
- Protocol Number (see IANA Protocol Numbers)
This debug filter lets you filter by these tuple parameters:

Tuple Parameter         Syntax for Kernel Parameters
Source IP address       fw ctl set str simple_debug_filter_saddr_<N> "<IPv4 or IPv6 Address>"
Source Ports            fw ctl set int simple_debug_filter_sport_<N> <1-65535>
Destination IP address  fw ctl set str simple_debug_filter_daddr_<N> "<IPv4 or IPv6 Address>"
Destination Ports       fw ctl set int simple_debug_filter_dport_<N> <1-65535>
Protocol Number         fw ctl set int simple_debug_filter_proto_<N> <0-254>


Notes:
1. <N> is an integer between 1 and 5. This number is an index for the configured kernel parameters of this type.
2. When you specify IP addresses, you must enclose them in double quotes.
3. When you configure kernel parameters with the same index <N>, the debug filter is a logical "AND" of these kernel parameters.
   In this case, the final filter matches only one direction of the processed connection.
   - Example 1 - packets from the source IP address X to the destination IP address Y:
     simple_debug_filter_saddr_1 <Value X>
     AND
     simple_debug_filter_daddr_1 <Value Y>
   - Example 2 - packets from the source IP address X to the destination port Y:
     simple_debug_filter_saddr_1 <Value X>
     AND
     simple_debug_filter_dport_1 <Value Y>
4. When you configure kernel parameters with different indices <N>, the debug filter is a logical "OR" of these kernel parameters.
   This means that if the final filter must match both directions of the connection, you must configure the applicable debug filters for both directions.
   - Example 1 - packets either from the source IP address X, or to the destination IP address Y:
     simple_debug_filter_saddr_1 <Value X>
     OR
     simple_debug_filter_daddr_2 <Value Y>
   - Example 2 - packets either from the source IP address X, or to the destination port Y:
     simple_debug_filter_saddr_1 <Value X>
     OR
     simple_debug_filter_dport_2 <Value Y>
5. For information about the Port Numbers, see IANA Service Name and Port Number Registry.
6. For information about the Protocol Numbers, see IANA Protocol Numbers.

To configure debug filter of the type "By an IP address parameter":


This debug filter lets you filter by one IP address, which is either the source or the destination IP address of
the packet.
Syntax for Kernel Parameters:

fw ctl set str simple_debug_filter_addr_<N> "<IPv4 or IPv6 Address>"


Notes:
1. <N> is an integer between 1 and 3.
   This number is an index for the configured kernel parameters of this type.
2. You can configure one, two, or three of these kernel parameters at the same time.
   - Example 1:
     Configure one IP address (simple_debug_filter_addr_1).
   - Example 2:
     Configure two IP addresses (simple_debug_filter_addr_1 and simple_debug_filter_addr_2).
     This would match packets, where any of these IP addresses appears, either as a source or a destination.
3. You must enclose the IP addresses in double quotes.

To configure debug filter of the type "By a VPN peer parameter":


This debug filter lets you filter by one IP address.
Syntax for Kernel Parameters:

fw ctl set str simple_debug_filter_vpn_<N> "<IPv4 or IPv6 Address>"


Notes:
1. <N> is an integer - 1 or 2.
   This number is an index for the configured kernel parameters of this type.
2. You can configure one or two of these kernel parameters at the same time.
   - Example 1:
     Configure one VPN peer (simple_debug_filter_vpn_1).
   - Example 2:
     Configure two VPN peers (simple_debug_filter_vpn_1 and simple_debug_filter_vpn_2).
3. You must enclose the IP addresses in double quotes.

To disable all debug filters:


You can disable all the configured debug filters of all types.
Syntax for Kernel Parameter:

fw ctl set int simple_debug_filter_off 1


Usage Example
It is necessary to show in the kernel debug the information about the connection from Source IP address 192.168.20.30 from any Source Port to Destination IP address 172.16.40.50 to Destination Port 80 (192.168.20.30:<Any> --> 172.16.40.50:80).
Run these commands before you start the kernel debug:

    fw ctl set int simple_debug_filter_off 1
    fw ctl set str simple_debug_filter_saddr_1 "192.168.20.30"
    fw ctl set str simple_debug_filter_daddr_1 "172.16.40.50"
    fw ctl set str simple_debug_filter_saddr_2 "172.16.40.50"
    fw ctl set str simple_debug_filter_daddr_2 "192.168.20.30"
    fw ctl set int simple_debug_filter_dport_1 80
    fw ctl set int simple_debug_filter_sport_2 80

Important - In the above example, two Connection Tuple filters are used ("..._1" and "..._2") - one for each direction, because we want the debug filter to match both directions of this connection.
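The AND/OR rule is easy to get backwards, so the following Python model (an added example, not Check Point code) checks a packet 5-tuple against a set of simple_debug_filter_* kernel parameters exactly as the Notes describe: parameters that share an index are ANDed, different indices and Host IP Address filters are ORed, and no filters at all means everything is debugged. It parses the seven commands of the usage example, embedded as USAGE_EXAMPLE_COMMANDS, and confirms that they match both directions of 192.168.20.30:<Any> --> 172.16.40.50:80, while the index-1 parameters alone match only the client-to-server direction. VPN Peer filters are not modelled, because the peer address is not part of the packet 5-tuple; the function names and the sample source ports are the example's own.

```python
"""Model of the kernel debug filter semantics from this section.

Added example, not Check Point's code. Connection Tuple filters
(simple_debug_filter_{saddr,sport,daddr,dport,proto}_<N>) and Host IP
Address filters (simple_debug_filter_addr_<N>) are checked against a
packet 5-tuple; VPN Peer filters are out of scope for this model.
"""
from typing import Tuple

Packet = Tuple[str, int, str, int, int]        # (saddr, sport, daddr, dport, proto)
_TUPLE_FIELDS = {"saddr": 0, "sport": 1, "daddr": 2, "dport": 3, "proto": 4}
_PREFIX = "simple_debug_filter_"

# The commands of the usage example above (192.168.20.30:<Any> --> 172.16.40.50:80).
USAGE_EXAMPLE_COMMANDS = [
    "fw ctl set int simple_debug_filter_off 1",
    'fw ctl set str simple_debug_filter_saddr_1 "192.168.20.30"',
    'fw ctl set str simple_debug_filter_daddr_1 "172.16.40.50"',
    'fw ctl set str simple_debug_filter_saddr_2 "172.16.40.50"',
    'fw ctl set str simple_debug_filter_daddr_2 "192.168.20.30"',
    "fw ctl set int simple_debug_filter_dport_1 80",
    "fw ctl set int simple_debug_filter_sport_2 80",
]


def parse_filter_commands(commands):
    """Turn 'fw ctl set {int|str} <param> <value>' lines into {param: value}.

    'simple_debug_filter_off 1' clears every filter set before it, which is
    why the procedure runs it first.
    """
    params = {}
    for cmd in commands:
        parts = cmd.split()
        if parts[:3] != ["fw", "ctl", "set"] or len(parts) != 6 or parts[3] not in ("int", "str"):
            raise ValueError(f"unrecognised command: {cmd!r}")
        kind, name, raw = parts[3:]
        if name == _PREFIX + "off":
            if kind == "int" and raw == "1":
                params.clear()
            continue
        if kind == "str":
            if not (raw.startswith('"') and raw.endswith('"')):
                raise ValueError("IP addresses must be enclosed in double quotes")
            params[name] = raw[1:-1]
        else:
            params[name] = int(raw)
    return params


def _tuple_filters(params):
    """Group tuple parameters by index <N>; fields with one index are ANDed."""
    by_index = {}
    for name, value in params.items():
        if not name.startswith(_PREFIX):
            continue
        field, _, idx = name[len(_PREFIX):].rpartition("_")
        if field in _TUPLE_FIELDS and idx.isdigit():
            by_index.setdefault(int(idx), {})[field] = value
    return by_index


def packet_matches(params, packet):
    """True when the gateway would include this packet in the debug output.

    - No filters configured: everything is debugged (the default).
    - Fields with the same index <N> must all match (one direction only).
    - Different indices, and the Host IP filters, are ORed together.
    """
    tuple_filters = _tuple_filters(params)
    host_ips = [v for k, v in params.items() if k.startswith(_PREFIX + "addr_")]
    if not tuple_filters and not host_ips:
        return True
    if any(all(packet[_TUPLE_FIELDS[f]] == v for f, v in fields.items())
           for fields in tuple_filters.values()):
        return True
    return packet[0] in host_ips or packet[2] in host_ips


if __name__ == "__main__":
    configured = parse_filter_commands(USAGE_EXAMPLE_COMMANDS)
    for pkt in [("192.168.20.30", 51000, "172.16.40.50", 80, 6),    # client -> server
                ("172.16.40.50", 80, "192.168.20.30", 51000, 6),    # server -> client
                ("192.168.20.30", 51000, "172.16.40.50", 443, 6)]:  # other port
        print(pkt, "->", "debugged" if packet_matches(configured, pkt) else "filtered out")
```

Running the model with only the index-1 parameters is the quickest way to see why the usage example needs a second index: the reply packets carry the addresses swapped, so they fail the AND of saddr_1/daddr_1/dport_1 and would be missing from the debug file.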

Kernel Debug Procedure


Alternatively, use the "Kernel Debug Procedure with Connection Life Cycle" on page 463.

Important:
- Kernel debug increases the load on the Security Gateway CPU. Schedule a maintenance window.
- In Cluster, you must perform these steps on all the Cluster Members in the same way.

1. Connect to the command line on the Security Gateway.

2. Log in to the Expert mode.

3. Reset the kernel debug options:

    fw ctl debug 0

4. Reset the kernel debug filters:

    fw ctl set int simple_debug_filter_off 1

5. Configure the applicable kernel debug filters.
   See "Kernel Debug Filters" on page 456.

6. Allocate the kernel debug buffer for every CoreXL Firewall instance:

    fw ctl debug -buf 8200

7. Make sure the kernel debug buffer was allocated:

    fw ctl debug | grep buffer

8. Enable the applicable debug flags in the applicable kernel modules:

    fw ctl debug -m <module> {all | + <flags>}

   See "Kernel Debug Modules and Debug Flags" on page 470.

9. Examine the list of the debug flags that are enabled in the specified kernel modules:

    fw ctl debug -m <module>

10. Start the kernel debug:

    fw ctl kdebug -T -f > /var/log/kernel_debug.txt

11. Replicate the issue, or wait for the issue to occur.

12. Stop the kernel debug:
    Press the CTRL+C keys


13. Reset the kernel debug options:

    fw ctl debug 0

14. Reset the kernel debug filters:

    fw ctl set int simple_debug_filter_off 1

15. Analyze the debug output file:

    /var/log/kernel_debug.txt

Example - Connection 192.168.20.30:<Any> --> 172.16.40.50:80

[Expert@GW:0]# fw ctl debug 0
Defaulting all kernel debugging options
Debug state was reset to default.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set int simple_debug_filter_off 1
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set str simple_debug_filter_saddr_1 "192.168.20.30"
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set str simple_debug_filter_daddr_2 "192.168.20.40"
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set int simple_debug_filter_dport_1 80
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -buf 8200
Initialized kernel debugging buffer to size 8192K
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug | grep buffer
Kernel debugging buffer size: 8192KB
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -m fw + conn drop
Updated kernel's debug variable for module fw
Debug flags updated.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -m fw
Kernel debugging buffer size: 8192KB
Module: fw
Enabled Kernel debugging options: error warning conn drop
Messaging threshold set to type=Info freq=Common
[Expert@GW:0]#
[Expert@GW:0]# fw ctl kdebug -T -f > /var/log/kernel_debug.txt
... ... Replicate the issue, or wait for the issue to occur ... ...
... ... Press CTRL+C ... ...
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug 0
Defaulting all kernel debugging options
Debug state was reset to default.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set int simple_debug_filter_off 1
[Expert@GW:0]#
[Expert@GW:0]# ls -l /var/log/kernel_debug.txt
-rw-rw---- 1 admin root 1630619 Apr 12 19:49 /var/log/kernel_debug.txt
[Expert@GW:0]#

Kernel Debug Procedure with Connection Life Cycle
Introduction
R80.20 introduced a new debug tool called Connection Life Cycle.
This tool generates a formatted debug output file that presents the debug messages hierarchically by connections and packets:
- The first hierarchy level shows connections.
- After you expand the connection, you see all the packets of this connection.

Important - You must use this tool in the Expert mode together with the regular kernel debug flags (see "Kernel Debug Modules and Debug Flags" on page 470).

Syntax
- To start the debug capture:

    conn_life_cycle.sh -a start -o /<Path>/<Name of Raw Debug Output File> [{-t | -T}] [[-f "<Filter1>"] [-f "<Filter2>"] [-f "<Filter3>"] [-f "<Filter4>"] [-f "<Filter5>"]]

- To stop the debug capture and prepare the formatted debug output:

    conn_life_cycle.sh -a stop -o /<Path>/<Name of Formatted Debug Output File>

Parameters
Table: Parameters of the 'conn_life_cycle.sh' script

-a start
-a stop
    Mandatory.
    Specifies the action:
    - start - Starts the debug capture based on the debug flags you enabled and debug filters you specified.
    - stop - Stops the debug capture, resets the kernel debug options, resets the kernel debug filters.


-t | -T
    Optional.
    Specifies the resolution of a time stamp in front of each debug message:
    - -t - Prints the time stamp in milliseconds.
    - -T - Prints the time stamp in microseconds.

    Best Practice - Always use the "-T" option to make the debug analysis easier.

-f "<Filter>"
    Optional.
    Specifies which connections and packets to capture.
    For additional information, see "Kernel Debug Filters" on page 456.
    Important - If you do not specify filters, then the tool prints debug messages for all traffic. This causes high load on the CPU and increases the time to format the debug output file.
    Each filter must contain these five numbers (5-tuple) separated with commas:
    "<Source IP Address>,<Source Port>,<Destination IP Address>,<Destination Port>,<Protocol Number>"
    Example of capturing traffic from IP 192.168.20.30 from any port to IP 172.16.40.50 to port 22 over the TCP protocol:
    -f "192.168.20.30,0,172.16.40.50,22,6"

    Notes:
    - The tool supports up to five such filters.
    - The tool treats the value 0 (zero) as "any".
    - If you specify two or more filters, the tool performs a logical "OR" of all the filters on each packet.
      If the packet matches at least one filter, the tool prints the debug messages for this packet.
    - "<Source IP Address>" and "<Destination IP Address>" - IPv4 or IPv6 address
    - "<Source Port>" and "<Destination Port>" - integers from 1 to 65535 (see IANA Service Name and Port Number Registry)
    - <Protocol Number> - integer from 0 to 254 (see IANA Protocol Numbers)


-o /<Path>/<Name of Raw Debug Output File>
    Mandatory.
    Specifies the absolute path and the name of the raw debug output file.
    Example:
    -o /var/log/kernel_debug.txt

-o /<Path>/<Name of Formatted Debug Output File>
    Mandatory.
    Specifies the absolute path and the name of the formatted debug output file (to analyze by an administrator).
    Example:
    -o /var/log/kernel_debug_formatted.txt


Procedure

Important - In cluster, you must perform these steps on all the Cluster Members in the same way.

1. Connect to the command line on the Security Gateway.

2. Log in to the Expert mode.

3. Enable the applicable debug flags in the applicable kernel modules:

    fw ctl debug -m <module> {all | + <flags>}

   See "Kernel Debug Modules and Debug Flags" on page 470.

4. Examine the list of the debug flags that are enabled in the specified kernel modules:

    fw ctl debug -m <module>

5. Start the debug capture:

    conn_life_cycle.sh -a start -o /var/log/kernel_debug.txt -T -f "<Filter1>" [... [-f "<FilterN>"]]

6. Replicate the issue, or wait for the issue to occur.

7. Stop the debug capture and prepare the formatted debug output:

    conn_life_cycle.sh -a stop -o /var/log/kernel_debug_formatted.txt

8. Transfer the formatted debug output file from your Security Gateway to your desktop or laptop computer:

    /var/log/kernel_debug_formatted.txt

9. Examine the formatted debug output file in an advanced text editor like Notepad++ (click Language > R > Ruby), or any other Ruby language viewer.


Example

Collecting the kernel debug for TCP connection from IP 172.20.168.15 (any port) to IP
192.168.3.53 and port 22
[Expert@GW:0]# fw ctl debug -m fw + conn drop
Updated kernel's debug variable for module fw
Debug flags updated.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -m fw
Kernel debugging buffer size: 50KB
HOST:
Module: fw
Enabled Kernel debugging options: error warning conn drop
Messaging threshold set to type=Info freq=Common
[Expert@GW:0]#
[Expert@GW:0]# conn_life_cycle.sh -a start -o /var/log/kernel_debug.txt -T -f
"172.20.168.15,0,192.168.3.53,22,6"
Set operation succeeded
Set operation succeeded
Set operation succeeded
Set operation succeeded
Set operation succeeded
Set operation succeeded
Set operation succeeded
Initialized kernel debugging buffer to size 8192K
Set operation succeeded
Capturing started...
[Expert@GW:0]#

... ... Replicate the issue, or wait for the issue to occur ... ...

[Expert@GW:0]#
[Expert@GW:0]# conn_life_cycle.sh -a stop -o /var/log/kernel_debug_formatted.txt
Set operation succeeded
Defaulting all kernel debugging options
Debug state was reset to default.
Set operation succeeded
doing unification...
Openning host debug file /tmp/tmp.KiWmF18217... OK
New unified debug file: /tmp/tmp.imzMZ18220... OK
prepare unification
performing unification
Done :-)
doing grouping...
wrapping connections and packets...
Some of packets lack description, probably because they were already handled when the feature was
enabled.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -m fw
Kernel debugging buffer size: 50KB
HOST:
Module: fw
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common
[Expert@GW:0]
[Expert@GW:0] ls -l /var/log/kernel_debug.*
-rw-rw---- 1 admin root 40960 Nov 26 13:02 /var/log/kernel_debug.txt
-rw-rw---- 1 admin root 24406 Nov 26 13:02 /var/log/kernel_debug_formatted.txt
[Expert@GW:0]


Opening the kernel debug in Notepad++

Everything is collapsed:

Connection with 1st packet already in handling so no conn details


[+]
{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++

Opened the first hierarchy level to see the connection:

Connection with 1st packet already in handling so no conn details


[-]
{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++
;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is INBOUND;
[+]{---------------------------------------------------------- packet begins ---------------------------
---------------------------


Opened the second hierarchy level to see the packets of this connection:

Connection with 1st packet already in handling so no conn details


[-]
{++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is INBOUND;
[-]{---------------------------------------------------------- packet begins ------------------------------------------------------
;26Nov2018 13:02:06.736021;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering CHAIN_MODULES_ENTER;
;26Nov2018 13:02:06.736035;[cpu_2];[fw4_1];#fwconn_lookup_cache: conn <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6>;
;26Nov2018 13:02:06.736046;[cpu_2];[fw4_1];#<1c001,44000,2,1e2,0,UUID: 5bfbc2a2-0000-0000-c0-a8-3-35-1-0-0-c0, 1,1,ffffffff,ffffffff,40800,0,80,OPQS: [0,ffffc20033d220f0,0,0,0,0,ffffc20033958648,0,0,0,ffffc200325d57b0,0,0,0,0,0],0,0,0,0,0,0,0,0,0,0,0,0,0,0>
;26Nov2018 13:02:06.736048;[cpu_2];[fw4_1];CONN LIFE CYCLE: lookup: found;
;26Nov2018 13:02:06.736053;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering VM_ENTER;
;26Nov2018 13:02:06.736055;[cpu_2];[fw4_1];#
;26Nov2018 13:02:06.736060;[cpu_2];[fw4_1];#Before VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 (ifn=1) (first seen) (looked up) ;
;26Nov2018 13:02:06.736068;[cpu_2];[fw4_1];#After VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 ;
;26Nov2018 13:02:06.736071;[cpu_2];[fw4_1];#VM Final action=ACCEPT;
;26Nov2018 13:02:06.736072;[cpu_2];[fw4_1];# ----- Stateful VM inbound Completed -----
;26Nov2018 13:02:06.736075;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting VM_EXIT;
;26Nov2018 13:02:06.736081;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering POST VM_ENTER;
;26Nov2018 13:02:06.736083;[cpu_2];[fw4_1];#
;26Nov2018 13:02:06.736085;[cpu_2];[fw4_1];#fw_post_vm_chain_handler: (first_seen 32, new_conn 0, is_my_ip 0, is_first_packet 0);
;26Nov2018 13:02:06.736089;[cpu_2];[fw4_1];#Before POST VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 (ifn=1) (first seen) (looked up) ;
;26Nov2018 13:02:06.736095;[cpu_2];[fw4_1];#After POST VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 ;
;26Nov2018 13:02:06.736097;[cpu_2];[fw4_1];#POST VM Final action=ACCEPT;
;26Nov2018 13:02:06.736098;[cpu_2];[fw4_1];# ----- Stateful POST VM inbound Completed -----
;26Nov2018 13:02:06.736101;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting POST VM_EXIT;
;26Nov2018 13:02:06.736104;[cpu_2];[fw4_1];#fwconnoxid_msg_get_cliconn: warning - failed to get connoxid message.;
;26Nov2018 13:02:06.736107;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering CPAS_ENTER;
;26Nov2018 13:02:06.736110;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CPAS_EXIT;
;26Nov2018 13:02:06.736113;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CHAIN_MODULES_EXIT;
;26Nov2018 13:02:06.736116;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is ACCEPTED;
}
;26Nov2018 13:02:06.770652;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is INBOUND;
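A real kernel debug file contains thousands of such lines for many packets at once, so it helps to have the per-packet picture extracted mechanically. The following Python script is an added example, not code from the R81 guide or from Check Point. It parses lines of the format shown above (`;<timestamp>;[<cpu>];[<instance>];<message>;`), groups them by the packet pointer (the `0x...` value in the `Packet ... is ...` lines) and records, for each packet, the connection 5-tuple from the `fwconn_lookup_cache` line, the `CONN LIFE CYCLE` messages, the chain modules entered, each VM's `Final action`, the final verdict and the handling time. It assumes that module prints (messages beginning with `#`) between a packet's `is INBOUND` line and its verdict line belong to that packet, which is how the hierarchy above is organized. The sample input is constructed: it is trimmed from the trace above, plus a second packet written in the same format whose `DROP` / `DROPPED` wording is an assumption and is not taken from the guide.

```python
"""Group Check Point kernel debug output (the format shown above) into per-packet traces.

Added example, not code from the R81 guide. Assumes the line format
;<timestamp>;[<cpu>];[<instance>];<message>; and that '#' module prints following a
'Packet 0x... is INBOUND' line belong to that packet until its verdict line.
"""
import re
from collections import OrderedDict
from datetime import datetime

LINE_RE = re.compile(r"^;(?P<ts>\d{2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}\.\d{6});"
                     r"\[(?P<cpu>[^\]]+)\];\[(?P<inst>[^\]]+)\];(?P<msg>.*?);?$")
PKT_RE = re.compile(r"Packet (0x[0-9a-f]+) is (\w+)(?: (.*))?")
CONN_RE = re.compile(r"conn <dir (\d+), (\S+):(\d+) -> (\S+):(\d+) IPP (\d+)>")
ACTION_RE = re.compile(r"#(POST VM|VM) Final action=(\w+)")
LIFECYCLE_RE = re.compile(r"CONN LIFE CYCLE: (.*)")
TS_FMT = "%d%b%Y %H:%M:%S.%f"      # e.g. 26Nov2018 13:02:06.736016


class PacketTrace:
    """What the debug output said about one packet buffer (one 0x... pointer)."""

    def __init__(self, ptr):
        self.ptr, self.instance, self.direction = ptr, None, None
        self.conn = None                         # (dir, src, sport, dst, dport, ip_proto)
        self.chain, self.lifecycle = [], []      # modules entered; CONN LIFE CYCLE messages
        self.actions, self.verdict = {}, None    # {'VM': 'ACCEPT', ...}; ACCEPTED, DROPPED, ...
        self.first_ts = self.last_ts = None

    def handling_us(self):
        """Microseconds between the packet's first and last debug line."""
        if self.first_ts is None:
            return 0
        d = self.last_ts - self.first_ts
        return d.days * 86_400_000_000 + d.seconds * 1_000_000 + d.microseconds


def parse_kdebug(text):
    """Return an OrderedDict {packet pointer: PacketTrace} in first-seen order."""
    traces, cur = OrderedDict(), None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                 # hierarchy markers such as '{', '}' and '[-]' carry no message
            continue
        ts, msg = datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")
        pm = PKT_RE.search(msg)
        if pm:
            ptr, word, arg = pm.groups()
            cur = traces.setdefault(ptr, PacketTrace(ptr))
            cur.instance = m.group("inst")
            if word in ("INBOUND", "OUTBOUND"):
                cur.direction = word
            elif word == "entering" and arg:
                cur.chain.append(arg)
            elif word.isupper():                 # the verdict: ACCEPTED, DROPPED, ...
                cur.verdict = word
        if cur is None:                          # a module print before any packet line
            continue
        cur.first_ts, cur.last_ts = cur.first_ts or ts, ts
        cm, am, lm = CONN_RE.search(msg), ACTION_RE.search(msg), LIFECYCLE_RE.search(msg)
        if cm and cur.conn is None:
            d, src, sp, dst, dp, proto = cm.groups()
            cur.conn = (int(d), src, int(sp), dst, int(dp), int(proto))
        if am:
            cur.actions[am.group(1)] = am.group(2)
        if lm:
            cur.lifecycle.append(lm.group(1))
    return traces


def unaccepted(traces):
    """Packets with no verdict line, or a verdict other than ACCEPTED: start the analysis here."""
    return [t for t in traces.values() if t.verdict != "ACCEPTED"]


# Constructed sample: trimmed from the trace shown above, plus a second packet in the
# same format whose 'DROP' / 'DROPPED' wording is assumed, not taken from the guide.
SAMPLE = """\
;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is INBOUND;
;26Nov2018 13:02:06.736021;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering CHAIN_MODULES_ENTER;
;26Nov2018 13:02:06.736035;[cpu_2];[fw4_1];#fwconn_lookup_cache: conn <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6>;
;26Nov2018 13:02:06.736048;[cpu_2];[fw4_1];CONN LIFE CYCLE: lookup: found;
;26Nov2018 13:02:06.736053;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering VM_ENTER;
;26Nov2018 13:02:06.736071;[cpu_2];[fw4_1];#VM Final action=ACCEPT;
;26Nov2018 13:02:06.736081;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering POST VM_ENTER;
;26Nov2018 13:02:06.736097;[cpu_2];[fw4_1];#POST VM Final action=ACCEPT;
;26Nov2018 13:02:06.736116;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is ACCEPTED;
}
;26Nov2018 13:02:06.770652;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is INBOUND;
;26Nov2018 13:02:06.770690;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is entering VM_ENTER;
;26Nov2018 13:02:06.770700;[cpu_2];[fw4_1];#VM Final action=DROP;
;26Nov2018 13:02:06.770702;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is DROPPED;
"""

if __name__ == "__main__":
    for t in parse_kdebug(SAMPLE).values():
        print(t.ptr, t.direction, t.conn, " > ".join(t.chain), t.actions, t.verdict, f"{t.handling_us()} us")
```

`unaccepted()` returns the packets to look at first: those with no verdict line or with a verdict other than ACCEPTED. For each of them the `chain` list shows which chain modules were entered before the decision and `actions` shows what the VM and POST VM stages decided, which narrows the search to the right debug module before a second, more targeted debug run.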

Kernel Debug Modules and Debug Flags


This section describes the Kernel Debug Modules and their Debug Flags.
To see the available kernel debug modules and their debug flags, run:

fw ctl debug -m

List of kernel debug modules (in alphabetical order):


- "Module 'accel_apps' (Accelerated Applications)" on page 472
- "Module 'accel_pm_mgr' (Accelerated Pattern Match Manager)" on page 473
- "Module 'APPI' (Application Control Inspection)" on page 474
- "Module 'BOA' (Boolean Analyzer for Web Intelligence)" on page 475
- "Module 'CI' (Content Inspection)" on page 476
- "Module 'cluster' (ClusterXL)" on page 478
- "Module 'cmi_loader' (Context Management Interface / Infrastructure Loader)" on page 480
- "Module 'CPAS' (Check Point Active Streaming)" on page 481
- "Module 'cpcode' (Data Loss Prevention - CPcode)" on page 482
- "Module 'CPSSH' (SSH Inspection)" on page 483
- "Module 'crypto' (SSL Inspection)" on page 485
- "Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness)" on page 486
- "Module 'dlpk' (Data Loss Prevention - Kernel Space)" on page 488
- "Module 'dlpuk' (Data Loss Prevention - User Space)" on page 489
- "Module 'DOMO' (Domain Objects)" on page 490
- "Module 'fg' (FloodGate-1 - QoS)" on page 491
- "Module 'FILE_SECURITY' (File Inspection)" on page 493
- "Module 'FILEAPP' (File Application)" on page 494
- "Module 'fw' (Firewall)" on page 495
- "Module 'gtp' (GPRS Tunneling Protocol)" on page 501
- "Module 'h323' (VoIP H.323)" on page 502
- "Module 'ICAP_CLIENT' (Internet Content Adaptation Protocol Client)" on page 503
- "Module 'IDAPI' (Identity Awareness API)" on page 505
- "Module 'kiss' (Kernel Infrastructure)" on page 506
- "Module 'kissflow' (Kernel Infrastructure Flow)" on page 509
- "Module 'MALWARE' (Threat Prevention)" on page 510
- "Module 'multik' (Multi-Kernel Inspection - CoreXL)" on page 511
- "Module 'MUX' (Multiplexer for Applications Traffic)" on page 513
- "Module 'NRB' (Next Rule Base)" on page 515
- "Module 'PSL' (Passive Streaming Library)" on page 517
- "Module 'RAD_KERNEL' (Resource Advisor - Kernel Space)" on page 518
- "Module 'RTM' (Real Time Monitoring)" on page 519
- "Module 'seqvalid' (TCP Sequence Validator and Translator)" on page 521
- "Module 'SFT' (Stream File Type)" on page 522
- "Module 'SGEN' (Struct Generator)" on page 523
- "Module 'synatk' (Accelerated SYN Defender)" on page 524
- "Module 'UC' (UserCheck)" on page 525
- "Module 'UP' (Unified Policy)" on page 526
- "Module 'upconv' (Unified Policy Conversion)" on page 528
- "Module 'UPIS' (Unified Policy Infrastructure)" on page 529
- "Module 'VPN' (Site-to-Site VPN and Remote Access VPN)" on page 531
- "Module 'WS' (Web Intelligence)" on page 533
- "Module 'WS_SIP' (Web Intelligence VoIP SIP Parser)" on page 535
- "Module 'WSIS' (Web Intelligence Infrastructure)" on page 537

Module 'accel_apps' (Accelerated Applications)


Syntax:

fw ctl debug -m accel_apps + {all | <List of Debug Flags>}

Flag Description

av_lite Messages from the lite Content Inspection (Anti-Virus) module

cmi_lite Messages from the lite Context Management Interface / Infrastructure module

error General errors

warning General warnings

Module 'accel_pm_mgr' (Accelerated Pattern Match Manager)

Syntax:

fw ctl debug -m accel_pm_mgr + {all | <List of Debug Flags>}

Flag Description

debug Operations in the Accelerated Pattern Match Manager module

error General errors and failures

flow Internal flow of functions

submit_error General failures to submit the data for analysis

warning General warnings and failures

Module 'APPI' (Application Control Inspection)


Syntax:

fw ctl debug -m APPI + {all | <List of Debug Flags>}

Flag Description

account Accounting information

address Information about connection's IP address

btime Browse time

connection Application Control connections

coverage Coverage times (entering, blocking, and time spent)

error General errors

global Global policy operations

info General information

limit Application Control limits

memory Memory allocation operations

module Operations in the Application Control module (initialization, module loading, calls to
the module, policy loading, and so on)

observer Classification Object (CLOB) observer (data classification)

policy Application Control policy

referrer Application Control referrer

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

urlf_ssl Application Control and URL Filtering for SSL

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'BOA' (Boolean Analyzer for Web Intelligence)


Syntax:

fw ctl debug -m BOA + {all | <List of Debug Flags>}

Flag Description

analyzer Operations in the BOA module

disasm Disassembler information

error General errors

fatal Fatal errors

flow Operations in the BOA module

info General information

lock Information about internal locks in the FireWall kernel

memory Memory allocation operations

spider Internal hash tables

stat Statistics

stream Memory allocation when processing streamed data

warning General warnings

Module 'CI' (Content Inspection)


Syntax:

fw ctl debug -m CI + {all | <List of Debug Flags>}

Flag Description

address Prints connection addresses (as Source_IP:Source_Port -> Dest_IP:Dest_Port)

av Anti-Virus inspection

coverage Coverage times (entering, blocking, and time spent)

crypto Basic information about encryption and decryption

error General errors

fatal Fatal errors

filter Basic information about URL filters

info General information

ioctl Currently not used

memory Memory allocation operations

module Operations in the Content Inspection module (initialization, module loading, calls to the
module, policy loading, and so on)

policy Content Inspection policy

profile Basic information about the Content Inspection module (initialization, destroying,
freeing)

regexp Regular Expression library

session Session layer

stat Content Inspection statistics

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

track Limited set of important debug prints only (Content-Disposition, Content-Type, extension validation, extension matching); because it prints so little, it can be used in a loaded environment

uf URL filters and URL cache

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'cluster' (ClusterXL)


Syntax:

fw ctl debug -m cluster + {all | <List of Debug Flags>}


Notes:
- To print all synchronization operations in a Check Point cluster in the debug output, enable these debug flags:
  - The debug flag "sync" in "Module 'fw' (Firewall)" on page 495
  - The debug flag "sync" in "Module 'CPAS' (Check Point Active Streaming)" on page 481
- To print the contents of the packets in HEX format in the debug output (as "FW-1: fwha_print_packet: Buffer ..."), before you start the kernel debug, set this kernel parameter on each Cluster Member:
  fw ctl set int fwha_dprint_io 1
- To print all network checks in the debug output, before you start the kernel debug, set this kernel parameter on each Cluster Member:
  fw ctl set int fwha_dprint_all_net_check 1

Flag Description

arp ARP Forwarding (see sk111956)

autoccp Operations of CCP in Auto mode

ccp Reception and transmission of Cluster Control Protocol (CCP) packets

cloud Replies to the probe packets in CloudGuard IaaS

conf Cluster configuration and policy installation

correction Correction Layer

cu Connectivity Upgrade (see sk107042)

drop Connections dropped by the cluster Decision Function (DF) module (does not include
CCP packets)

forward Forwarding Layer messages (when Cluster Members send and receive a forwarded
packet)

if Interface tracking and validation (all the operations and checks on interfaces)

ifstate Interface state (all the operations and checks on interfaces)

io Information about sending of packets through cluster interfaces

log Creating and sending of logs by cluster

Note - Also enable the debug flag "log" in "Module 'fw' (Firewall)" on
page 495.

mac Current configuration and detection of cluster interfaces

Note - Also enable the debug flags "conf" and "if" in this debug module.

mmagic Operations on "MAC magic" (getting, setting, updating, initializing, dropping, and so
on)

msg Handling of internal messages between Cluster Members

pivot Operation of ClusterXL in Load Sharing Unicast mode (Pivot mode)

pnote Registration and monitoring of Critical Devices (pnotes)

select Packet selection (includes the Decision Function)

stat States of cluster members (state machine)

subs Subscriber module (set of APIs, which enable user space processes to be aware of
the current state of the ClusterXL state machine and other clustering configuration
parameters)

timer Reports of cluster internal timers

trap Sending trap messages from the cluster kernel to the RouteD daemon about Master
change

Module 'cmi_loader' (Context Management Interface / Infrastructure Loader)

Syntax:

fw ctl debug -m cmi_loader + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

connection Internal messages about connection

coverage Coverage times (entering, blocking, and time spent)

cpcode DLP CPcode

Note - Also see "Module 'cpcode' (Data Loss Prevention - CPcode)" on page 482.

error General errors

global_states User Space global state structures

info General information

inspect INSPECT code

memory Memory allocation operations

module Operations in the Context Management Interface / Infrastructure Loader module (initialization, module loading, calls to the module, contexts, and so on)

parsers_is Module parsers infrastructure

policy Policy installation

sigload Signatures, patterns, ranges

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'CPAS' (Check Point Active Streaming)


Syntax:

fw ctl debug -m CPAS + {all | <List of Debug Flags>}

Flag Description

api Interface layer messages

conns Detailed description of connections, and connection's limit-related messages

cpconntim Information about internal timers

error General errors

events Event-related messages

ftp Messages of the FTP example server

glue Glue layer messages

http Messages of the HTTP example server

icmp Messages of the ICMP example server

notify E-mail Messaging Security application

pkts Packets handling messages (allocation, splitting, resizing, and so on)

skinny Processing of Skinny Client Control Protocol (SCCP) connections

sync Synchronization operations in cluster

Note - Also see the debug flag "sync" in "Module 'fw' (Firewall)"
on page 495.

tcp TCP processing messages

tcpinfo TCP processing messages - more detailed description

timer Reports of internal timer ticks

Warning - Prints many messages, without real content.

warning General warnings

Module 'cpcode' (Data Loss Prevention - CPcode)


Syntax:

fw ctl debug -m cpcode + {all | <List of Debug Flags>}


Note - Also see:
- "Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness)" on page 486
- "Module 'dlpk' (Data Loss Prevention - Kernel Space)" on page 488
- "Module 'dlpuk' (Data Loss Prevention - User Space)" on page 489

Flag Description

cplog Resolving of names and IP addresses for Check Point logs

csv Creation of CSV files

echo Prints the function that called the CPcode module

error General errors

init Initializing of CPcode system

io Input / Output functionality for CPcode module

ioctl IOCTL control messages to kernel

kisspm Kernel Infrastructure Pattern Matcher

memory Memory allocation operations

persist Operations on persistence domains

policy Policy operations

run Policy operations

url Operations on URLs

vm Virtual Machine execution

warning General warnings

Module 'CPSSH' (SSH Inspection)


R80.40 introduced SSH Deep Packet Inspection - decryption / encryption of SSH, extraction of files from
SFTP/SCP, blocking of SSH port forwarding, and so on.
For more information, see the R81 Threat Prevention Administration Guide.

Syntax:

fw ctl debug -m CPSSH + {all | <List of Debug Flags>}

Important - Also enable the debug flag "cpsshi" in "Module 'fw' (Firewall)" on page 495.

Flag Description

authentication Detailed information about authentication

binary_packet Detailed information about packets

conn_proto Detailed information about connections

crypto Encryption and decryption

Note - Also see "Module 'crypto' (SSL Inspection)" on page 485.

dump Dumps the connection buffer

error General errors

info General information

mux_auth_app Information about authentication
Note - Also see "Module 'MUX' (Multiplexer for Applications Traffic)" on page 513.

mux_conn_app Information about connections
Note - Also see "Module 'MUX' (Multiplexer for Applications Traffic)" on page 513.

mux_decrypt_app Information about decryption of connections
Note - Also see "Module 'MUX' (Multiplexer for Applications Traffic)" on page 513.

mux_encrypt_app Information about encryption of connections
Note - Also see "Module 'MUX' (Multiplexer for Applications Traffic)" on page 513.

mux_inf Internal flow
Note - Also see "Module 'MUX' (Multiplexer for Applications Traffic)" on page 513.

mux_stream Internal flow
Note - Also see "Module 'MUX' (Multiplexer for Applications Traffic)" on page 513.

probe Information about connections

session Internal flow

sftp_parser Parser of SFTP / SCP connections

state_machine Information about the module State Machine

trans_proto Information about client and server communication

warning General warnings

Module 'crypto' (SSL Inspection)


Syntax:

fw ctl debug -m crypto + {all | <List of Debug Flags>}

Flag Description

error General errors

info General information

warning General warnings

Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness)

Syntax:

fw ctl debug -m dlpda + {all | <List of Debug Flags>}


Note - Also see:
- "Module 'cpcode' (Data Loss Prevention - CPcode)" on page 482
- "Module 'dlpk' (Data Loss Prevention - Kernel Space)" on page 488
- "Module 'dlpuk' (Data Loss Prevention - User Space)" on page 489

Flag Description

address Information about connection's IP address

cmi Context Management Interface / Infrastructure operations

coverage Coverage times (entering, blocking, and time spent)

ctx Operations on DLP context

engine Content Awareness engine module

error General errors

filecache Content Awareness file caching

info General information

memory Memory allocation operations

mngr Currently not used

module Initiation / removal of the Content Awareness infrastructure

observer Classification Object (CLOB) observer (data classification)

policy Content Awareness policy

slowpath Currently not used

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'dlpk' (Data Loss Prevention - Kernel Space)


Syntax:

fw ctl debug -m dlpk + {all | <List of Debug Flags>}


Note - Also see:
- "Module 'cpcode' (Data Loss Prevention - CPcode)" on page 482
- "Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness)" on page 486
- "Module 'dlpuk' (Data Loss Prevention - User Space)" on page 489

Flag Description

cmi HTTP Proxy, connection redirection, identity information, Async

drv DLP inspection

error General errors

identity User identity, connection identity, Async

rulebase DLP rulebase match

stat Counter statistics

Module 'dlpuk' (Data Loss Prevention - User Space)


Syntax:

fw ctl debug -m dlpuk + {all | <List of Debug Flags>}


Note - Also see:
- "Module 'cpcode' (Data Loss Prevention - CPcode)" on page 482
- "Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness)" on page 486
- "Module 'dlpk' (Data Loss Prevention - Kernel Space)" on page 488

Flag Description

address Information about connection's IP address

buffer Currently not used

coverage Coverage times (entering, blocking, and time spent)

error General errors

info General information

memory Memory allocation operations

module Initiation / removal of the Data Loss Prevention User Space modules' infrastructure

policy Currently not used

serialize Data buffers and data sizes

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'DOMO' (Domain Objects)


Syntax:

fw ctl debug -m DOMO + {all | <List of Debug Flags>}

Flag Description

conn Internal processing of connections

module Operations in the Domain Objects module (initialization, module loading, calls to the
module, policy loading, and so on)

policy Currently not used

Module 'fg' (FloodGate-1 - QoS)


Syntax:

fw ctl debug -m fg + {all | <List of Debug Flags>}

Flag Description

chain Tracing each packet through FloodGate-1 stages in the cookie chain

chainq Internal Chain Queue mechanism - holding and releasing of packets during critical
actions (policy installation and uninstall)

classify Classification of connections to QoS rules

conn Processing and identification of connection

dns DNS classification mechanism

drops Dropped packets due to WFRED policy

dropsv Dropped packets due to WFRED policy - with additional debug information (verbose)

error General errors

flow Internal flow of connections (direction, interfaces, buffers, and so on)

fwrate Rate statistics for each interface and direction

general Currently not used

install Policy installation

llq Low latency queuing

log Everything related to calls in the log

ls Processing of connections in ClusterXL in Load Sharing Mode

memory Memory allocation operations

multik Processing of connections in CoreXL

pkt Packet recording mechanism

policy QoS policy rules matching

qosaccel Acceleration of QoS traffic

rates Rule and connection rates (IQ Engine behavior and status)

rtm Failures in information gathering in the Real Time Monitoring module

Note - Also see "Module 'RTM' (Real Time Monitoring)" on page 519.

sched Basic scheduling information

tcp TCP streaming (re-transmission detection) mechanism

time Currently not used

timers Reports of internal timer ticks

Warning - Prints many messages, without real content.

url URL and URI for QoS classification

verbose Prints additional information (used with other debug flags)

Module 'FILE_SECURITY' (File Inspection)


Syntax:

fw ctl debug -m FILE_SECURITY + {all | <List of Debug Flags>}

Note - Also see "Module 'WSIS' (Web Intelligence Infrastructure)" on page 537.

Flag Description

cache File cache

global Global operations

memory Currently not used

module Operations in the FILE_SECURITY module (identification and processing of connections)

Module 'FILEAPP' (File Application)


Syntax:

fw ctl debug -m FILEAPP + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

coverage Coverage times (entering, blocking, and time spent)

error General errors

filetype Information about processing a file type

global Allocation and creation of global object

info General information

memory Memory allocation operations

module Operations in the FILEAPP module (initialization, module loading, calls to the module,
and so on)

normalize File normalization operations (internal operations)

parser File parsing

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

upload File upload operations

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'fw' (Firewall)


Syntax:

fw ctl debug -m fw + {all | <List of Debug Flags>}

Flag Description

acct Accounting data in logs for Application Control (also enable the debug of "Module
'APPI' (Application Control Inspection)" on page 474)

advp Advanced Patterns (signatures over port ranges) - runs under ASPII and CMI

aspii Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)

balance ConnectControl - logical servers in kernel, load balancing

bridge Bridge mode

bypass_timer Universal Bypass on CoreXL Firewall Instances during load

caf Mirror and Decrypt feature - only mirror operations on all traffic

cgnat Carrier Grade NAT (CGN/CGNAT)

chain Connection Chain modules, cookie chain

chainfwd Chain forwarding - related to the cluster kernel parameter fwha_perform_chain_forwarding

cifs Processing of Microsoft Common Internet File System (CIFS) protocol

citrix Processing of Citrix connections

cmi Context Management Interface / Infrastructure - IPS signature manager

conn Processing of all connections

connstats Connections statistics for Evaluation of Heavy Connections in CPView (see sk105762)

content Anti-Virus content inspection

context Operations on Memory context and CPU context in "Module 'kiss' (Kernel
Infrastructure)" on page 506

cookie Virtual de-fragmentation, cookie issues (cookies in the data structure that holds the packets)

corr Correction layer

cpsshi SSH Inspection

Important - Also enable all the debug flags in "Module 'CPSSH' (SSH
Inspection)" on page 483.

cptls CRYPTO-PRO Transport Layer Security (HTTPS Inspection) - Russian VPN GOST

crypt Encryption and decryption of packets (algorithms and keys are printed in clear text
and cipher text)

cvpnd Processing of connections handled by the Mobile Access daemon

dfilter Operations in the debug filters (see "Kernel Debug Filters" on page 456)

dlp Processing of Data Loss Prevention connections

dnstun DNS tunnels

domain DNS queries

dos DDoS attack mitigation (part of IPS)

driver Check Point kernel attachment (access to kernel is shown as log entries)

drop Reason for (almost) every dropped packet

drop_tmpl Operations in Drop Templates

dynlog Dynamic log enhancement (INSPECT logs)

epq End Point Quarantine (also AMD)

error General errors

event Event App features (DNS, HTTP, SMTP, FTP)

ex Expiration issues (time-outs) in dynamic kernel tables

fast_accel Fast acceleration of connections

filter Packet filtering performed by the Check Point kernel and all data loaded into kernel

ftp Processing of FTP Data connections (used to call applications over FTP Data - i.e.,
Anti-Virus)

handlers Operations related to the Context Management Interface / Infrastructure Loader

Note - Also see "Module 'cmi_loader' (Context Management Interface / Infrastructure Loader)" on page 480.

highavail Cluster configuration - changes in the configuration and information about interfaces during traffic processing

hold Holding mechanism and all packets being held / released

icmptun ICMP tunnels

if Interface-related information (accessing the interfaces, installing a filter on an interface)

install Driver installation - NIC attachment (actions performed by the "fw ctl install"
and "fw ctl uninstall" commands)

integrity Integrity Client (enforcement cooperation)

ioctl IOCTL control messages (communication between kernel and daemons, loading and
unloading of the FireWall)

ipopt Enforcement of IP Options

ips IPS logs and IPS IOCTL

ipv6 Processing of IPv6 traffic

kbuf Kernel-buffer memory pool (for example, encryption keys use these memory
allocations)

ld Kernel dynamic tables infrastructure (reads from / writes to the tables)

Warning - Security Gateway can freeze or hang due to very high CPU load!

leaks Memory leak detection mechanism

link Creation of links in Connections kernel table (ID 8158)

log Everything related to calls in the log

machine INSPECT Virtual Machine (actual assembler commands being processed)

Warning - Security Gateway can freeze or hang due to very high CPU load!

mail Issues with e-mails over POP3, IMAP

malware Matching of connections to Threat Prevention Layers (multiple rulebases)

Note - Also see "Module 'MALWARE' (Threat Prevention)" on page 510.

media Does not apply anymore. Only on a Security Gateway that runs on Windows OS: Transport Driver Interface information (interface-related information)

memory Memory allocation operations

mgcp Media Gateway Control Protocol (complementary to H.323 and SIP)

misc Miscellaneous helpful information (not shown with other debug flags)

misp ISP Redundancy

monitor Prints output similar to the "fw monitor" command (see "fw monitor" on page 322)

Note - Also enable the debug flag "misc" in this module.

monitorall Prints output similar to the "fw monitor -p all" command (see "fw monitor" on
page 322)

Note - Also enable the debug flag "misc" in this module.

mrtsync Synchronization between cluster members of Multicast Routes that are added when
working with Dynamic Routing Multicast protocols

msnms MSN over MSMS (MSN Messenger protocol)
Note - Also always enable the debug flag 'sip' in this module.

multik CoreXL-related
Note - This debug flag enables all the debug flags in the "Module 'multik' (Multi-Kernel Inspection - CoreXL)" on page 511, except for the debug flag "packet".

nac Network Access Control (NAC) feature in Identity Awareness

nat NAT issues - basic information

nat_sync NAT issues - NAT port allocation operations in Check Point cluster

nat64 NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6)

netquota IPS protection "Network Quota"

ntup Non-TCP / Non-UDP traffic policy (traffic parser)

packet Actions performed on packets (like Accept, Drop, Fragment)

packval Stateless verifications (sequences, fragments, translations and other header verifications)

portscan Prevention of port scanning

prof Connection profiler for Firewall Priority Queues (see sk105762)

q Driver queue (for example, cluster synchronization operations)
Note - This debug flag is crucial for the debug of Check Point cluster synchronization issues.

qos QoS (FloodGate-1)

rad Resource Advisor policy (for Application Control, URL Filtering, and others)

route Routing issues
Note - This debug flag is crucial for the debug of ISP Redundancy issues.

sam Suspicious Activity Monitoring

sctp Processing of Stream Control Transmission Protocol (SCTP) connections

scv SecureClient Verification

shmem Currently is not used

sip VoIP traffic - SIP and H.323

Note - Also see:
- "Module 'h323' (VoIP H.323)" on page 502
- "Module 'WS_SIP' (Web Intelligence VoIP SIP Parser)" on page 535

smtp Issues with e-mails over SMTP

sock Sockstress TCP DoS attack (CVE-2008-4609)

span Monitor mode (mirror / span port)

spii Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure

synatk IPS protection 'SYN Attack' (SYNDefender)

Note - Also see "Module 'synatk' (Accelerated SYN Defender)" on page 524.

sync Synchronization operations in Check Point cluster

Note - Also see the debug flag "sync" in "Module 'CPAS' (Check Point
Active Streaming)" on page 481.

tcpstr TCP streaming mechanism

te Prints the name of an interface for incoming connection from Threat Emulation
Machine

tlsparser Currently is not used

ua Processing of Universal Alcatel "UA" connections

ucd Processing of UserCheck connections in Check Point cluster

unibypass Universal Bypass on CoreXL Firewall Instances during load

user User Space communication with Kernel Space (most useful for configuration and VSX
debug)

utest Currently is not used

vm Virtual Machine chain decisions on traffic going through the fw_filter_chain

wap Processing of Wireless Application Protocol (WAP) connections

warning General warnings

wire Wire-mode Virtual Machine chain module

xlate NAT issues - basic information

xltrc NAT issues - additional information - going through NAT rulebase

zeco Memory allocations in the Zero-Copy kernel module

Module 'gtp' (GPRS Tunneling Protocol)

Syntax:

fw ctl debug -m gtp + {all | <List of Debug Flags>}

Flag Description

create GTPv0 / GTPv1 create PDP context

create2 GTPv2 create session

dbg GTP debug mechanism

delete GTPv0 / GTPv1 delete PDP context

delete2 GTPv2 delete session

error General GTP errors

ioctl GTP IOCTL commands

ld Operations with GTP kernel tables (addition, removal, modification of entries)

log GTPv0 / GTPv1 logging

log2 GTPv2 logging

modify GTPv2 modify bearer

other GTPv0 / GTPv1 other messages

other2 GTPv2 other messages

packet GTP main packet flow

parse GTPv0 / GTPv1 parsing

parse2 GTPv2 parsing

policy Policy installation

state GTPv0 / GTPv1 dispatching

state2 GTPv2 dispatching

sxl Processing of GTP connections in SecureXL

tpdu GTP T-PDU

update GTPv0 / GTPv1 update PDP context

Module 'h323' (VoIP H.323)

Syntax:

fw ctl debug -m h323 + {all | <List of Debug Flags>}

Flag Description

align General VoIP debug messages (for example, VoIP infrastructure)

cpas Debug messages about the CPAS TCP

Important - This debug flag is not included when you use the syntax "fw ctl
debug -m h323 all"

decode H.323 decoder messages

error General errors

h225 H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, and so on)

h245 H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION
COMMAND, and so on)

init Internal errors

ras H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)

Module 'ICAP_CLIENT' (Internet Content Adaptation Protocol Client)

Syntax:

fw ctl debug -m ICAP_CLIENT + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

blade Internal operations in the ICAP Client module

coverage Coverage times (entering, blocking, and time spent)

cpas Check Point Active Streaming (CPAS)

Note - Also see "Module 'CPAS' (Check Point Active Streaming)" on page 481.

daf_cmi Mirror and Decrypt of HTTPS traffic - operations related to the Context Management
Interface / Infrastructure Loader

Note - Also see "Module 'cmi_loader' (Context Management Interface / Infrastructure Loader)" on page 480.

daf_module Mirror and Decrypt of HTTPS traffic - operations related to the ICAP Client module

daf_policy Mirror and Decrypt of HTTPS traffic - operations related to policy installation

daf_rulebase Mirror and Decrypt of HTTPS traffic - operations related to rulebase

daf_tcp Mirror and Decrypt of HTTPS traffic - internal processing of TCP connections

error General errors

global Global operations in the ICAP Client module

icap Processing of ICAP connections

info General information

memory Memory allocation operations

module Operations in the ICAP Client module (initialization, module loading, calls to the module,
and so on)

policy Policy installation

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

trick Data Trickling mode

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'IDAPI' (Identity Awareness API)

Syntax:

fw ctl debug -m IDAPI + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

async Checking for known networks

classifier Data classification

clob Classification Object (CLOB) observer (data classification)

coverage Coverage times (entering, blocking, and time spent)

data Portal, IP address matching for Terminal Servers Identity Agent, session handling

error General errors

htab Checking for network IP address, working with kernel tables

info General information

log Various logs for internal operations

memory Memory allocation operations

module Removal of the Identity Awareness API debug module's infrastructure, failure to
convert to Base64, failure to append Source to Destination, and so on

observer Data classification observer

subject Prints the debug subject of each debug message

test IP test, Identity Awareness API synchronization

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'kiss' (Kernel Infrastructure)

Syntax:

fw ctl debug -m kiss + {all | <List of Debug Flags>}

Note - Also see "Module 'kissflow' (Kernel Infrastructure Flow)" on page 509.

Flag Description

accel_pm Accelerated Pattern Matcher

bench CPU benchmark

connstats Statistics for connections

cookie Virtual de-fragmentation, cookie issues (cookies in the data structure that holds the
packets)

dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution

driver Loading / unloading of the FireWall driver

error General errors

flofiler FLow prOFILER

ghtab Multi-threaded safe global hash tables

ghtab_bl Internal operations on global hash tables

handles Memory pool allocation for tables

htab Multi-threaded safe hash tables

htab_bl Internal operations on hash tables

htab_bl_err Errors and failures during internal operations on hash tables

htab_bl_exp Expiration in hash tables

htab_bl_infra Errors and failures during internal operations on hash tables

ioctl IOCTL control messages (communication between the kernel and daemons)

kqstats Kernel Worker thread statistics (resetting, initializing, turning off)

kw Kernel Worker state and Pattern Matcher inspection

leak Memory leak detection mechanism

memory Memory allocation operations

memprof Memory allocation operations in the Memory Profiler (when the kernel parameter fw_
conn_mem_prof_enabled=1)

misc CPU counters, Memory counters, getting/setting of global kernel parameters

mtctx Multi-threaded context - memory allocation, reference count

packet Internal parsing operations on packets

pcre Perl Compatible Regular Expressions (execution, memory allocation)

pm Pattern Matcher compilation and execution

pmdump Pattern Matcher DFA (dumping XMLs of DFAs)

pmint Pattern Matcher compilation

pools Memory pool allocation operations

queue Kernel Worker thread queues

rem Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)

salloc System Memory allocation

shmem Shared Memory allocation

sm String Matcher - Pattern Matcher 1st tier (fast path)

stat Statistics for categories and maps

swblade Registration of Software Blades

thinnfa Currently is not used

thread Kernel thread that supplies low-level APIs to the kernel thread

timers Internal timers

usrmem User Space platform memory usage

vbuf Virtual buffer

warning General warnings

worker Kernel Worker - queuing and dequeuing

Module 'kissflow' (Kernel Infrastructure Flow)

Syntax:

fw ctl debug -m kissflow + {all | <List of Debug Flags>}

Note - Also see "Module 'kiss' (Kernel Infrastructure)" on page 506.

Flag Description

compile Pattern Matcher (pattern compilation)

dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution

error General errors

memory Memory allocation operations

pm Pattern Matcher - general information

warning General warnings

Module 'MALWARE' (Threat Prevention)

Syntax:

fw ctl debug -m MALWARE + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

av Currently is not used

coverage Coverage times (entering, blocking, and time spent)

error General errors

global Prints parameters from the $FWDIR/conf/mail_security_config file

info General information

ioc Operations on Indicators of Compromise (IoC)

memory Currently is not used

module Removal of the MALWARE module's debug infrastructure

policy Policy installation

subject Prints the debug subject of each debug message

te Currently is not used

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'multik' (Multi-Kernel Inspection - CoreXL)

Syntax:

fw ctl debug -m multik + {all | <List of Debug Flags>}

Note - When you enable the debug flag 'multik' in the "Module 'fw' (Firewall)" on
page 495, it enables all the debug flags in this debug module, except for the debug flag
'packet'.

Flag Description

api Registration and unregistration of cross-instance function calls

cache_tab Cache table infrastructure

conn Creation and deletion of connections in the dispatcher table

counter Cross-instance counter infrastructure

error General errors

event Cross-instance event aggregation infrastructure

fwstats Firewall statistics

ioctl Distribution of IOCTLs to different CoreXL Firewall instances

lock Obtaining and releasing the fw_lock on multiple CoreXL Firewall instances

message Cross-instance messages (used for local sync and port scanning)

packet For each packet, shows the CoreXL SND dispatching decision (CoreXL Firewall instance
and reason)

packet_err Invalid packets, for which CoreXL SND could not make a dispatching decision

prio Firewall Priority Queues (refer to sk105762)

queue Packet queue

quota Cross-instance quota table (used by the Network Quota feature)

route Routing of packets

state Starting and stopping of CoreXL Firewall instances, establishment of relationship between
CoreXL Firewall instances

temp_conns Temporary connections

uid Cross-instance Unique IDs

vpn_multik MultiCore VPN (see sk118097)

Module 'MUX' (Multiplexer for Applications Traffic)

R80.20 introduced a new layer between the Streaming layer and the Applications layer - MUX
(Multiplexer).
Applications are registered with the Streaming layer through the MUX layer.
The MUX layer chooses whether to work over PSL (passive streaming) or CPAS (active streaming).

Syntax:

fw ctl debug -m MUX + {all | <List of Debug Flags>}

Flag Description

active CPAS (active streaming)

Note - Also see "Module 'CPAS' (Check Point Active Streaming)" on page 481.

advp Advanced Patterns (signatures over port ranges)

api API calls

comm Information about opening and closing of connections

error General errors

http_disp HTTP Dispatcher

misc Miscellaneous helpful information (not shown with other debug flags)

passive PSL (passive streaming)

Note - Also see "Module 'PSL' (Passive Streaming Library)" on page 517.

proxy_tp Proxy tunnel parser

stream General information about the data stream

test Currently is not used

tier1 Pattern Matcher 1st tier (fast path)

tls General information about the TLS

tlsp TLS parser

tol Test Object List algorithm (to determine whether an application is malicious or not)

udp UDP parser

warning General warnings

ws Web Intelligence

Module 'NRB' (Next Rule Base)

Syntax:

fw ctl debug -m NRB + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

appi Rules and applications

Note - Also see "Module 'APPI' (Application Control Inspection)" on page 474.

coverage Coverage times (entering, blocking, and time spent)

dlp Data Loss Prevention

Note - Also see:
- "Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness)" on page 486
- "Module 'dlpk' (Data Loss Prevention - Kernel Space)" on page 488
- "Module 'dlpuk' (Data Loss Prevention - User Space)" on page 489

error General errors

info General information

match Rule matching

memory Memory allocation operations

module Operations in the NRB module (initialization, module loading, calls to the module,
contexts, and so on)

policy Policy installation

sec_rb Security rulebase

session Session layer

ssl_insp HTTPS Inspection

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'PSL' (Passive Streaming Library)

Syntax:

fw ctl debug -m PSL + {all | <List of Debug Flags>}

Note - Also see "Module 'MUX' (Multiplexer for Applications Traffic)" on page 513.

Flag Description

error General errors

pkt Processing of packets

tcpstr Processing of TCP streams

seq Processing of TCP sequence numbers

warning General warnings

Module 'RAD_KERNEL' (Resource Advisor - Kernel Space)

Syntax:

fw ctl debug -m RAD_KERNEL + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

cache RAD kernel malware cache

coverage Coverage times (entering, blocking, and time spent)

error General errors

global RAD global context

info General information

memory Memory allocation operations

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'RTM' (Real Time Monitoring)

Syntax:

fw ctl debug -m RTM + {all | <List of Debug Flags>}

Flag Description

accel Prints SecureXL information about the accelerated packets, connections, and so on

chain Prints information about chain registration and about the E2E (Virtual Link) chain
function actions

Note - This important debug flag helps you know whether the E2E identifies the Virtual Link
packets.

con_conn Prints messages for each connection (when a new connection is handled by the
RTM module)
Same as the debug flag 'per_conn'

driver Check Point kernel attachment (access to kernel is shown as log entries)

err General errors

import Importing of the data from other kernel modules (FireWall, QoS)

init Initialization of the RTM module

ioctl IOCTL control messages

netmasks Information about how the RTM handles netmasks, if you are monitoring an object of
type Network

per_conn Prints messages for each connection (when a new connection is handled by the
RTM module)
Same as the debug flag 'con_conn'

per_pckt Prints messages for each packet (when a new packet arrives)

Warning - Prints many messages, which increases the load on the CPU

performance Currently is not used

policy Prints messages about loading and unloading of the FireWall module (indicates that
the RTM module received the FireWall callback)

rtm Real time monitoring

s_err General errors about kernel tables and other failures

sort Sorting of "Top XXX" counters

special Information about how the E2E modifies the E2ECP protocol packets

tabs Currently is not used

topo Calculation of network topography

view_add Adding or deleting of a View

view_update Updating of Views with new information

view_update1 Updating of Views with new information

wd WebDefense views

Module 'seqvalid' (TCP Sequence Validator and Translator)

Syntax:

fw ctl debug -m seqvalid + {all | <List of Debug Flags>}

Flag Description

error General errors

seqval TCP sequence validation and translation

sock Currently is not used

warning General warnings

Module 'SFT' (Stream File Type)

Syntax:

fw ctl debug -m SFT + {all | <List of Debug Flags>}

Flag Description

error General errors

fatal Fatal errors

info General information

mgr Rule match, database, connection processing, classification

warning General warnings

Module 'SGEN' (Struct Generator)

Syntax:

fw ctl debug -m SGEN + {all | <List of Debug Flags>}

Flag Description

engine Struct Generator engine operations on objects

error General errors

fatal Fatal errors

field Operations on fields

general General types macros

info General information

load Loading of macros

serialize Serialization while loading the macros

warning General warnings

Module 'synatk' (Accelerated SYN Defender)

For additional information, see R81 Performance Tuning Administration Guide - Chapter SecureXL -
Section Accelerated SYN Defender.

Syntax:

fw ctl debug -m synatk + {all | <List of Debug Flags>}

Flag Description

cookie TCP SYN Cookie

error General errors

radix_dump Dump of the radix tree

radix_match Matched items in the radix tree

radix_modify Operations in the radix tree

warning General warnings

Module 'UC' (UserCheck)

Syntax:

fw ctl debug -m UC + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

coverage Coverage times (entering, blocking, and time spent)

error General errors

htab Hash table

info General information

memory Memory allocation operations

module Operations in the UserCheck module (initialization, UserCheck table hits, finding User
ID in cache, removal of UserCheck debug module's infrastructure)

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings

webapi URL patterns, UserCheck incidents, connection redirection

Module 'UP' (Unified Policy)

Syntax:

fw ctl debug -m UP + {all | <List of Debug Flags>}

Note - Also see:
- "Module 'upconv' (Unified Policy Conversion)" on page 528
- "Module 'UPIS' (Unified Policy Infrastructure)" on page 529

Flag Description

account Currently is not used

address Information about connection's IP address

btime Currently is not used

clob Classification Object (CLOB) observer (data classification)

connection Information about connections, transactions

coverage Coverage times (entering, blocking, and time spent)

error General errors

info General information

limit Unified Policy download and upload limits

log Some logging operations

mab Mobile Access handler

manager Unified Policy manager operations

match Classification Object (CLOB) observer (data classification)

memory Memory allocation operations

module Operations in the Unified Policy module (initialization, module loading, calls to the
module, and so on)

policy Unified Policy internal operations

prob Currently is not used

prob_impl Implied matched rules

rulebase Unified Policy rulebase

sec_rb Secondary NRB rulebase operations

stats Statistics about connections, transactions

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

urlf_ssl Currently is not used

verbose Prints additional information (used with other debug flags)

vpn VPN classifier

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'upconv' (Unified Policy Conversion)

Syntax:

fw ctl debug -m upconv + {all | <List of Debug Flags>}

Note - Also see:
- "Module 'UP' (Unified Policy)" on page 526
- "Module 'UPIS' (Unified Policy Infrastructure)" on page 529

Flag Description

error General errors

info General information

map UTF-8 and UTF-16 characters conversion

mem Prints how much memory is used for character sets

tree Lookup of characters

utf7 Conversion of UTF-7 characters to Unicode characters

utf8 Conversion of UTF-8 characters to Unicode characters

warning General warnings

Module 'UPIS' (Unified Policy Infrastructure)

Syntax:

fw ctl debug -m UPIS + {all | <List of Debug Flags>}

Note - Also see:
- "Module 'UP' (Unified Policy)" on page 526
- "Module 'upconv' (Unified Policy Conversion)" on page 528

Flag Description

address Information about connection's IP address

clob Classification Object (CLOB) observer (data classification)

coverage Coverage times (entering, blocking, and time spent)

cpdiag CPDiag operations

crumbs Currently is not used

db SQLite Database operations

error General errors

fwapp Information about policy installation for the FireWall application

info General information

memory Memory allocation operations

mgr Policy installation manager

module Operations in the Unified Policy Infrastructure module (initialization, module loading,
calls to the module, and so on)

mutex Unified Policy internal mutex operations

policy Unified Policy Infrastructure internal operations

report Various reports about Unified Policy installations

sna Operations on SnA objects ("Services and Application")

subject Prints the debug subject of each debug message

tables Operations on kernel tables

timestamp Prints the timestamp for each debug message (changes when you enable the debug
flag 'coverage')

topo Information about topology and Anti-Spoofing of interfaces; about Address Range
objects

upapp Information about policy installation for Unified Policy application

update Information about policy installation for CMI Update application

verbose Prints additional information (used with other debug flags)

vpn VPN classifier

vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'VPN' (Site-to-Site VPN and Remote Access VPN)

Syntax:

fw ctl debug -m VPN + {all | <List of Debug Flags>}

Flag Description

cluster Events related to cluster

comp Compression for encrypted connections

counters Various status counters (typically for real-time Monitoring)

cphwd Traffic acceleration issues (in hardware)

driver Check Point kernel attachment (access to kernel is shown as log entries)

err Errors that should not happen, or errors that are critical to the working of the VPN module

gtp Processing of GPRS Tunneling Protocol (GTP) connections

Note - Also see "Module 'gtp' (GPRS Tunneling Protocol)" on page 501

ifnotify Notifications about the changes in interface status - up or down (as received from OS)

ike Enables all IKE kernel debug with respect to moving the IKE packet to the interface from
which it will eventually leave, and the modification of the source IP address of the IKE
packet, depending on the configuration

init Initialization of the VPN kernel and kernel data structures when the kernel is up, or when
policy is installed (also prints the values of the flags that are set using CPSET upon policy
reload)

l2tp Processing of L2TP connections

lsv Large Scale VPN (LSV)

mem Allocation of VPN pools and VPN contexts

mspi Information related to creation and destruction of MSA / MSPI

multicast VPN multicast

multik Information related to interaction between VPN and CoreXL

nat NAT issues, cluster IP manipulation (Cluster Virtual IP address <=> Member IP
address)

om_alloc Allocation of Office Mode IP addresses

osu Cluster Optimal Service Upgrade (see sk107042)

packet Events that can happen for every packet, unless covered by more specific debug flags

pcktdmp Prints outgoing packets before they are encrypted, and incoming packets after they are
decrypted

policy Events that can happen only for a special packet in a connection, usually related to
policy decisions or logs / traps

queue Handling of Security Association (SA) queues

rdp Processing of Check Point RDP connections

ref Reference counting for MSA / MSPI, when storing or deleting Security Associations
(SAs)

resolver VPN Link Selection table and Certificate Revocation List (CRL), which is also part of the
peer resolving mechanism

rsl Operations on Range Skip List

sas Information about keys and Security Associations (SAs)

sr SecureClient / SecureRemote related issues

tagging Sets the VPN policy of a connection according to VPN communities, VPN Policy related
information

tcpt Information related to TCP Tunnel (Visitor mode - FireWall traversal on TCP port 443)

tnlmon VPN tunnel monitoring

topology VPN Link Selection

vin Does not apply anymore (only on a Security Gateway that runs on Windows OS: information
related to IPSec NIC interaction)

warn General warnings

xl Does not apply anymore (interaction with Accelerator Cards (AC II / III / IV))

Module 'WS' (Web Intelligence)

Syntax:

fw ctl debug -m WS + {all | <List of Debug Flags>}

Notes:
- Also see "Module 'WSIS' (Web Intelligence Infrastructure)" on page 537.
- To print information for all Virtual Systems in the debug output, before you start the kernel
  debug, set this kernel parameter on the VSX Gateway or each VSX Cluster Member (this is the
  default behavior):
  # fw ctl set int ws_debug_vs 0
- To print information for a specific Virtual System in the debug output, before you start the
  kernel debug, set this kernel parameter on the VSX Gateway or each VSX Cluster Member:
  # fw ctl set int ws_debug_vs <VSID>
- To print information for all IPv4 addresses in the debug output, before you start the kernel
  debug, set this kernel parameter on the VSX Gateway or each VSX Cluster Member (this is the
  default behavior):
  # fw ctl set int ws_debug_ip 0
- To print information for a specific IPv4 address in the debug output, before you start the
  kernel debug, set this kernel parameter on the VSX Gateway or each VSX Cluster Member:
  # fw ctl set int ws_debug_ip <XXX.XXX.XXX.XXX>

Flag Description

address Information about connection's IP address

body HTTP body (content) layer

connection Connection layer

cookie HTTP cookie header

coverage Coverage times (entering, blocking, and time spent)

crumb Currently is not used

error General errors (the connection is probably rejected)

event Events

fatal Fatal errors

flow Currently is not used

global Handling of global structure (usually, related to policy)

info General information

ioctl IOCTL control messages (communication between the kernel and daemons, loading
and unloading of the FireWall)

mem_pool Memory pool allocation operations

memory Memory allocation operations

module Operations in the Web Intelligence module (initialization, module loading, calls to the
module, policy loading, and so on)

parser HTTP header parser layer

parser_err HTTP header parsing errors

pfinder Pattern finder

pkt_dump Packet dump

policy Policy (installation and enforcement)

regexp Regular Expression library

report_mgr Report manager (errors and logs)

session Session layer

spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)

ssl_insp HTTPS Inspection

sslt SSL Tunneling (SSLT)

stat Memory usage statistics

stream Stream virtualization

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')

uuid Session UUID

vs Prints the VSID of the debugged Virtual System

warning General warnings


Module 'WS_SIP' (Web Intelligence VoIP SIP Parser)

Syntax:

fw ctl debug -m WS_SIP + {all | <List of Debug Flags>}

Flag Description

address Information about connection's IP address

body HTTP body (content) layer

connection Connection layer

cookie HTTP cookie header

coverage Coverage times (entering, blocking, and time spent)

crumb Currently is not used

error General errors

event Events

fatal Fatal errors

flow Currently is not used

global Handling of global structure (usually, related to policy)

info General information

ioctl IOCTL control messages (communication between the kernel and daemons, loading and unloading of the FireWall)

mem_pool Memory pool allocation operations

memory Memory allocation operations

module Operations in the Web Intelligence VoIP SIP Parser module (initialization, module loading, calls to the module, policy loading, and so on)

parser HTTP header parser layer

parser_err HTTP header parsing errors

pfinder Pattern finder

pkt_dump Packet dump

policy Policy (installation and enforcement)

regexp Regular Expression library

report_mgr Report manager (errors and logs)

session Session layer

spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)

ssl_insp HTTPS Inspection

sslt SSL Tunneling (SSLT)

stat Memory usage statistics

stream Stream virtualization

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')

uuid Session UUID

vs Prints the VSID of the debugged Virtual System

warning General warnings


Module 'WSIS' (Web Intelligence Infrastructure)

Syntax:

fw ctl debug -m WSIS + {all | <List of Debug Flags>}

Note - Also see "Module 'WS' (Web Intelligence)" on page 533.

Flag Description

address Information about connection's IP address

cipher Currently is not used

common Prints a message, when parameters are invalid

coverage Coverage times (entering, blocking, and time spent)

crumb Currently is not used

datastruct Data structure tree

decoder Decoder for the content transfer encoding (UUEncode, UTF-8, HTML encoding &#)

dump Packet dump

error General errors

flow Currently is not used

info General information

memory Memory allocation operations

parser HTTP header parser layer

subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')

verbose Prints additional information (used with other debug flags)

vs Prints the VSID of the debugged Virtual System

warning General warnings


Running Check Point Commands in Shell Scripts

To run Check Point commands in a shell script, your script must source the Check Point shell script /etc/profile.d/CP.sh. Add this call directly below the shebang line:

#!/bin/bash
source /etc/profile.d/CP.sh
<Check Point commands>
[mandatory last new line]
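As an added example (not part of the Check Point guide), a bash wrapper that applies the sourcing rule above to the Web Intelligence ('WS' module) kernel debug described earlier: it validates the ws_debug_vs and ws_debug_ip scope values before setting them and always resets them, together with the debug flags, when the capture ends or the script is interrupted. It assumes the R81 commands `fw ctl debug -buf`, `fw ctl debug 0` and `fw ctl kdebug -T -f`, which are not shown in this excerpt; `CP_RUN` and the function names are this example's own, and `CP_RUN=echo` (the default) prints the fw commands instead of running them.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: wrapper for a Web Intelligence
# ('WS' module) kernel debug. It validates the scope parameters the guide
# describes (ws_debug_vs, ws_debug_ip) and always resets them, plus the debug
# flags, when the capture ends or the script is interrupted.
# CP_RUN=echo (default) only prints the fw commands; set CP_RUN="" on a gateway.
CP_RUN="${CP_RUN:-echo}"
# The guide puts this source line right under the shebang; it is guarded here
# so the script can be syntax-checked on a host without Check Point installed.
[ -r /etc/profile.d/CP.sh ] && source /etc/profile.d/CP.sh

# VSID: a non-negative integer; 0 means all Virtual Systems (the default).
valid_vsid() { [[ "$1" =~ ^[0-9]+$ ]]; }

# IPv4: dotted quad, every octet 0..255; 0 means all addresses (the default).
valid_ipv4() {
  [ "$1" = "0" ] && return 0
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
  local IFS=. o
  for o in $1; do [ "$o" -le 255 ] || return 1; done
}

# Restore the default scope and clear all debug flags. A forgotten kernel
# debug costs gateway performance, so this also runs from the EXIT/INT trap.
ws_debug_reset() {
  $CP_RUN fw ctl debug 0
  $CP_RUN fw ctl set int ws_debug_vs 0
  $CP_RUN fw ctl set int ws_debug_ip 0
}

# ws_debug_run <VSID|0> <IPv4|0> <seconds> <output file> <WS debug flags...>
# Returns 2 on invalid input without touching the gateway.
ws_debug_run() {
  [ $# -ge 5 ] || { echo "usage: ws_debug_run VSID IP SECS FILE FLAGS..." >&2; return 2; }
  local vsid="$1" ip="$2" secs="$3" out="$4" pid; shift 4
  valid_vsid "$vsid" || { echo "invalid VSID: $vsid" >&2; return 2; }
  valid_ipv4 "$ip"   || { echo "invalid IPv4 address: $ip" >&2; return 2; }
  trap ws_debug_reset EXIT INT TERM
  $CP_RUN fw ctl set int ws_debug_vs "$vsid"
  $CP_RUN fw ctl set int ws_debug_ip "$ip"
  $CP_RUN fw ctl debug -buf 32000            # allocate the kernel debug buffer
  $CP_RUN fw ctl debug -m WS + "$@"          # syntax from the guide
  $CP_RUN fw ctl kdebug -T -f > "$out" &     # timestamped capture into the file
  pid=$!
  sleep "$secs"
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  ws_debug_reset
  trap - EXIT INT TERM
}
```

On a gateway, run it as `CP_RUN="" ws_debug_run 3 192.0.2.10 30 /var/log/ws_debug.txt error fatal parser_err` to capture 30 seconds of WS debug for VSID 3 and one client address, then inspect the file.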
