
22 January 2020

CLI

R80.40

Reference Guide
[Classification: Protected]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written authorization
of Check Point. While every precaution has been taken in the preparation of this book, Check Point
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
CLI R80.40 Reference Guide

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.

Check Point R80.40
For more about this release, see the R80.40 home page.

Latest Version of this Document
Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

Revision History

Date Description

22 January 2020 First release of this document

CLI R80.40 Reference Guide      |      3


Table of Contents
Glossary 30
Introduction 66
Syntax Legend 67
Gaia Commands 70
Security Management Server Commands 71
Managing Security through API 72
API 72
API Tools 72
Configuring the API Server 72
contract_util 74
contract_util check 76
contract_util cpmacro 77
contract_util download 78
contract_util mgmt 80
contract_util print 81
contract_util summary 82
contract_util update 83
contract_util verify 84
cp_conf 85
cp_conf admin 88
cp_conf auto 91
cp_conf ca 93
cp_conf client 95
cp_conf finger 99
cp_conf lic 101
cp_log_export 103
cpca_client 108
cpca_client create_cert 110
cpca_client double_sign 112
cpca_client get_crldp 114

cpca_client get_pubkey 115
cpca_client init_certs 116
cpca_client lscert 117
cpca_client revoke_cert 120
cpca_client revoke_non_exist_cert 123
cpca_client search 124
cpca_client set_mgmt_tool 127
cpca_client set_sign_hash 130
cpca_create 132
cpconfig 133
cpinfo 136
cplic 137
cplic check 140
cplic contract 142
cplic db_add 144
cplic db_print 146
cplic db_rm 148
cplic del 149
cplic del <object name> 150
cplic get 151
cplic print 153
cplic put 155
cplic put <object name> 157
cplic upgrade 160
cppkg 162
cppkg add 164
cppkg delete 165
cppkg get 167
cppkg getroot 168
cppkg print 169
cppkg setroot 170
cpprod_util 171
cprid 175

cprinstall 176
cprinstall boot 179
cprinstall cprestart 180
cprinstall cpstart 181
cprinstall cpstop 182
cprinstall delete 183
cprinstall get 184
cprinstall install 185
cprinstall revert 188
cprinstall show 189
cprinstall snapshot 190
cprinstall transfer 191
cprinstall uninstall 192
cprinstall verify 194
cpstart 196
cpstat 197
cpstop 205
cpview 206
Overview of CPView 206
CPView User Interface 206
Using CPView 207
cpwd_admin 208
cpwd_admin config 211
cpwd_admin del 214
cpwd_admin detach 215
cpwd_admin exist 216
cpwd_admin flist 217
cpwd_admin getpid 219
cpwd_admin kill 220
cpwd_admin list 221
cpwd_admin monitor_list 225
cpwd_admin start 226
cpwd_admin start_monitor 228

cpwd_admin stop 229
cpwd_admin stop_monitor 231
dbedit 232
fw 245
fw fetchlogs 247
fw hastat 249
fw kill 250
fw log 251
fw logswitch 260
fw lslogs 264
fw mergefiles 267
fw repairlog 270
fw sam 271
fw sam_policy 279
fw sam_policy add 282
fw sam_policy batch 295
fw sam_policy del 297
fw sam_policy get 300
fwm 304
fwm dbload 307
fwm exportcert 309
fwm fetchfile 310
fwm fingerprint 311
fwm getpcap 313
fwm ikecrypt 315
fwm load 316
fwm logexport 317
fwm mds 322
fwm printcert 324
fwm sic_reset 329
fwm snmp_trap 330
fwm unload 333
fwm ver 337

fwm verify 338
inet_alert 339
ldapcmd 342
ldapcompare 344
ldapmemberconvert 348
ldapmodify 353
ldapsearch 355
mgmt_cli 358
migrate 359
migrate_server 363
queryDB_util 367
rs_db_tool 368
sam_alert 370
stattest 374
threshold_config 377
Multi-Domain Security Management Commands 383
Managing Security through API 384
API 384
API Tools 384
Configuring the API Server 384
cma_migrate 386
contract_util 387
contract_util check 389
contract_util cpmacro 390
contract_util download 391
contract_util mgmt 393
contract_util print 394
contract_util summary 395
contract_util update 396
contract_util verify 397
cp_conf 398
cp_conf admin 401
cp_conf auto 404

cp_conf ca 406
cp_conf client 408
cp_conf finger 412
cp_conf lic 414
cp_log_export 416
cpca_client 421
cpca_client create_cert 423
cpca_client double_sign 425
cpca_client get_crldp 427
cpca_client get_pubkey 428
cpca_client init_certs 429
cpca_client lscert 430
cpca_client revoke_cert 433
cpca_client revoke_non_exist_cert 436
cpca_client search 437
cpca_client set_mgmt_tool 440
cpca_client set_sign_hash 443
cpca_create 445
cpinfo 446
cplic 447
cplic check 450
cplic contract 452
cplic db_add 454
cplic db_print 456
cplic db_rm 458
cplic del 459
cplic del <object name> 460
cplic get 461
cplic print 463
cplic put 465
cplic put <object name> 467
cplic upgrade 470
cpmiquerybin 472

cppkg 474
cppkg add 476
cppkg delete 477
cppkg get 479
cppkg getroot 480
cppkg print 481
cppkg setroot 482
cpprod_util 483
cprid 487
cprinstall 488
cprinstall boot 491
cprinstall cprestart 492
cprinstall cpstart 493
cprinstall cpstop 494
cprinstall delete 495
cprinstall get 496
cprinstall install 497
cprinstall revert 500
cprinstall show 501
cprinstall snapshot 502
cprinstall transfer 503
cprinstall uninstall 504
cprinstall verify 506
cpstat 508
cpview 516
Overview of CPView 516
CPView User Interface 516
Using CPView 517
cpwd_admin 518
cpwd_admin config 521
cpwd_admin del 524
cpwd_admin detach 525
cpwd_admin exist 526

cpwd_admin flist 527
cpwd_admin getpid 529
cpwd_admin kill 530
cpwd_admin list 531
cpwd_admin monitor_list 535
cpwd_admin start 536
cpwd_admin start_monitor 538
cpwd_admin stop 539
cpwd_admin stop_monitor 541
dbedit 542
fw 555
fw fetchlogs 557
fw hastat 559
fw kill 560
fw log 561
fw logswitch 570
fw lslogs 574
fw mergefiles 577
fw repairlog 580
fw sam 581
fw sam_policy 589
fw sam_policy add 592
fw sam_policy batch 605
fw sam_policy del 607
fw sam_policy get 610
fwm 614
fwm dbload 617
fwm exportcert 619
fwm fetchfile 620
fwm fingerprint 621
fwm getpcap 623
fwm ikecrypt 625
fwm load 626

fwm logexport 627
fwm mds 632
fwm printcert 634
fwm sic_reset 639
fwm snmp_trap 640
fwm unload 643
fwm ver 647
fwm verify 648
inet_alert 649
ldapcmd 652
ldapcompare 654
ldapmemberconvert 658
ldapmodify 663
ldapsearch 665
mcd 668
mds_backup 670
mds_restore 673
mdscmd 674
mdsconfig 676
mdsenv 680
mdsquerydb 682
mdsstart 684
mdsstart_customer 688
mdsstat 689
mdsstop 691
mdsstop_customer 695
mgmt_cli 696
migrate 697
migrate_server 701
migrate_global_policies 705
queryDB_util 706
rs_db_tool 707
sam_alert 709

stattest 713
threshold_config 716
$MDSVERUTIL 722
$MDSVERUTIL AllCMAs 732
$MDSVERUTIL AllVersions 733
$MDSVERUTIL CMAAddonDir 736
$MDSVERUTIL CMACompDir 737
$MDSVERUTIL CMAFgDir 738
$MDSVERUTIL CMAFw40Dir 739
$MDSVERUTIL CMAFw41Dir 740
$MDSVERUTIL CMAFwConfDir 741
$MDSVERUTIL CMAFwDir 742
$MDSVERUTIL CMAIp 743
$MDSVERUTIL CMAIp6 744
$MDSVERUTIL CMALogExporterDir 745
$MDSVERUTIL CMALogIndexerDir 746
$MDSVERUTIL CMANameByFwDir 747
$MDSVERUTIL CMANameByIp 748
$MDSVERUTIL CMARegistryDir 749
$MDSVERUTIL CMAReporterDir 750
$MDSVERUTIL CMASmartLogDir 751
$MDSVERUTIL CMASvnConfDir 752
$MDSVERUTIL CMASvnDir 753
$MDSVERUTIL ConfDirVersion 754
$MDSVERUTIL CpdbUpParam 755
$MDSVERUTIL CPprofileDir 756
$MDSVERUTIL CPVer 757
$MDSVERUTIL CustomersBaseDir 758
$MDSVERUTIL DiskSpaceFactor 759
$MDSVERUTIL InstallationLogDir 760
$MDSVERUTIL IsIPv6Enabled 761
$MDSVERUTIL IsLegalVersion 762
$MDSVERUTIL IsOsSupportsIPv6 763

$MDSVERUTIL LatestVersion 764
$MDSVERUTIL MDSAddonDir 765
$MDSVERUTIL MDSCompDir 766
$MDSVERUTIL MDSDir 767
$MDSVERUTIL MDSFgDir 768
$MDSVERUTIL MDSFwbcDir 769
$MDSVERUTIL MDSFwDir 770
$MDSVERUTIL MDSIp 771
$MDSVERUTIL MDSIp6 772
$MDSVERUTIL MDSLogExporterDir 773
$MDSVERUTIL MDSLogIndexerDir 774
$MDSVERUTIL MDSPkgName 775
$MDSVERUTIL MDSRegistryDir 776
$MDSVERUTIL MDSReporterDir 777
$MDSVERUTIL MDSSmartLogDir 778
$MDSVERUTIL MDSSvnDir 779
$MDSVERUTIL MDSVarCompDir 780
$MDSVERUTIL MDSVarDir 781
$MDSVERUTIL MDSVarFwbcDir 782
$MDSVERUTIL MDSVarFwDir 783
$MDSVERUTIL MDSVarSvnDir 784
$MDSVERUTIL MSP 785
$MDSVERUTIL OfficialName 786
$MDSVERUTIL OptionPack 787
$MDSVERUTIL ProductName 788
$MDSVERUTIL RegistryCurrentVer 789
$MDSVERUTIL ShortOfficialName 790
$MDSVERUTIL SmartCenterPuvUpgradeParam 791
$MDSVERUTIL SP 792
$MDSVERUTIL SVNPkgName 793
$MDSVERUTIL SvrDirectory 794
$MDSVERUTIL SvrParam 795
Creating a Domain Management Server with the 'mgmt_cli' Command 796

SmartProvisioning Commands 797
Managing Security through API 798
API 798
API Tools 798
Configuring the API Server 798
Check Point LSMcli Overview 800
SmartLSM Security Gateway Management Actions 802
LSMcli AddROBO VPN1 803
LSMcli ModifyROBO VPN1 805
LSMcli ModifyROBOManualVPNDomain 807
LSMcli ModifyROBOTopology VPN1 808
LSMcli ModifyROBOInterface VPN1 809
LSMcli AddROBOInterface VPN1 810
LSMcli DeleteROBOInterface VPN1 811
LSMcli ExportIke 812
LSMcli ResetIke 813
LSMcli Remove 814
LSMcli ResetSic 815
LSMcli Show 816
LSMcli ShowROBOTopology 818
LSMcli UpdateCO 819
SmartUpdate Actions 820
LSMcli Install 821
LSMcli Uninstall 823
LSMcli Distribute 824
LSMcli VerifyInstall 825
LSMcli VerifyUpgrade 826
LSMcli Upgrade 827
LSMcli GetInfo 828
LSMcli ShowInfo 829
LSMcli ShowRepository 830
LSMcli Stop 831
LSMcli Start 832

LSMcli Restart 833
LSMcli Reboot 834
LSMcli Push Actions 835
LSMcli PushPolicy 836
LSMcli PushDOs 837
LSMcli GetStatus 838
LSMcli Gateway Conversion Actions 839
LSMcli Convert ROBO VPN1 840
LSMcli Convert Gateway VPN1 842
Managing SmartLSM Clusters with LSMcli 844
LSMcli AddROBO VPN1Cluster 845
LSMcli ModifyROBO VPN1Cluster 847
LSMcli ModifyROBOTopology VPN1Cluster 848
LSMcli ModifyROBONetaccess VPN1Cluster 849
LSMcli AddClusterSubnetOverride VPN1Cluster 851
LSMcli ModifyClusterSubnetOverride VPN1Cluster 853
LSMcli DeleteClusterSubnetOverride VPN1Cluster 855
LSMcli AddPrivateSubnetOverride VPN1ClusterMember 857
LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember 859
LSMcli DeletePrivateSubnetOverride VPN1ClusterMember 861
LSMcli RemoveCluster 863
Using LSMcli Commands for Small Office Appliances 864
LSMcli AddROBO <Appliance_Model> 865
LSMcli AddROBO <Appliance_Model>Cluster 867
Other LSMcli Commands for Small Office Appliances 869
Security Gateway Commands 870
comp_init_policy 871
control_bootsec 874
cp_conf 878
cp_conf auto 881
cp_conf corexl 883
cp_conf fullha 885
cp_conf ha 886

cp_conf intfs 887
cp_conf lic 888
cp_conf sic 890
cpconfig 892
cpinfo 895
cplic 896
cplic check 898
cplic contract 900
cplic del 902
cplic print 903
cplic put 905
cpprod_util 907
cpstart 911
cpstat 912
cpstop 920
cpview 921
Overview of CPView 921
CPView User Interface 921
Using CPView 922
dynamic_objects 923
cpwd_admin 927
cpwd_admin config 930
cpwd_admin del 936
cpwd_admin detach 937
cpwd_admin exist 938
cpwd_admin flist 939
cpwd_admin getpid 941
cpwd_admin kill 942
cpwd_admin list 943
cpwd_admin monitor_list 947
cpwd_admin start 948
cpwd_admin start_monitor 950
cpwd_admin stop 951

cpwd_admin stop_monitor 953
fw 954
fw -i 958
fw amw 959
fw ctl 962
fw ctl arp 965
fw ctl bench 966
fw ctl block 968
fw ctl chain 969
fw ctl conn 971
fw ctl conntab 973
fw ctl cpasstat 977
'fw ctl debug' and 'fw ctl kdebug' 978
fw ctl dlpkstat 979
fw ctl get 980
fw ctl iflist 982
fw ctl install 983
fw ctl leak 984
fw ctl pstat 988
fw ctl set 991
fw ctl tcpstrstat 993
fw ctl uninstall 995
fw defaultgen 996
fw fetch 998
fw fetchlogs 1000
fw getifs 1002
fw hastat 1003
fw isp_link 1004
fw kill 1005
fw lichosts 1006
fw log 1007
fw logswitch 1016
fw lslogs 1020

fw mergefiles 1023
fw monitor 1026
fw repairlog 1056
fw sam 1057
fw sam_policy 1065
fw sam_policy add 1068
fw sam_policy batch 1081
fw sam_policy del 1083
fw sam_policy get 1086
fw showuptables 1090
fw stat 1091
fw tab 1093
fw unloadlocal 1100
fw up_execute 1104
fw ver 1107
fwboot 1109
fwboot bootconf 1111
fwboot corexl 1116
fwboot cpuid 1123
fwboot default 1125
fwboot fwboot_ipv6 1126
fwboot fwdefault 1127
fwboot ha_conf 1128
fwboot ht 1129
fwboot multik_reg 1132
fwboot post_drv 1134
sam_alert 1135
stattest 1139
usrchk 1142
ClusterXL Commands 1147
ClusterXL Configuration Commands 1148
Configuring the Cluster Member ID Mode in Local Logs 1152
Registering a Critical Device 1153

Unregistering a Critical Device 1155
Reporting the State of a Critical Device 1156
Registering Critical Devices Listed in a File 1157
Unregistering All Critical Devices 1159
Configuring the Cluster Control Protocol (CCP) Settings 1160
Initiating Manual Cluster Failover 1161
Configuring the Minimal Number of Required Slave Interfaces for Bond Load Sharing 1165
Configuring Link Monitoring on the Cluster Interfaces 1166
Configuring the Multi-Version Cluster Mechanism 1169
ClusterXL Monitoring Commands 1170
Viewing Cluster State 1175
Viewing Critical Devices 1180
Viewing Cluster Interfaces 1187
Viewing Bond Interfaces 1192
Viewing Cluster Failover Statistics 1197
Viewing Software Versions on Cluster Members 1199
Viewing Delta Synchronization 1200
Viewing IGMP Status 1207
Viewing Cluster Delta Sync Statistics for Connections Table 1208
Viewing Cluster IP Addresses 1209
Viewing the Cluster Member ID Mode in Local Logs 1210
Viewing Interfaces Monitored by RouteD 1211
Viewing Roles of RouteD Daemon on Cluster Members 1212
Viewing Cluster Correction Statistics 1213
Viewing the Cluster Control Protocol (CCP) Settings 1215
Viewing Latency and Drop Rate of Interfaces 1216
Viewing the State of the Multi-Version Cluster Mechanism 1217
Viewing Full Connectivity Upgrade Statistics 1218
cpconfig 1219
cphastart 1222
cphastop 1223
cp_conf fullha 1224
cp_conf ha 1225

fw hastat 1226
fwboot ha_conf 1227
The clusterXL_admin Script 1228
The clusterXL_monitor_ips Script 1232
The clusterXL_monitor_process Script 1236
SecureXL Commands 1240
'fwaccel' and 'fwaccel6' 1241
fwaccel cfg 1244
fwaccel conns 1247
fwaccel dbg 1251
fwaccel dos 1257
fwaccel dos blacklist 1259
fwaccel dos config 1261
fwaccel dos pbox 1267
fwaccel dos rate 1272
fwaccel dos stats 1274
fwaccel dos whitelist 1276
fwaccel feature 1281
fwaccel off 1284
fwaccel on 1288
fwaccel ranges 1292
fwaccel stat 1298
fwaccel stats 1304
Description of the Statistics Counters in the "fwaccel stats" Output 1306
Example Outputs on the "fwaccel stats" Commands 1312
fwaccel synatk 1327
fwaccel synatk -a 1330
fwaccel synatk -c <Configuration File> 1331
fwaccel synatk -d 1332
fwaccel synatk -e 1333
fwaccel synatk -g 1334
fwaccel synatk -m 1335
fwaccel synatk -t <Threshold> 1336

fwaccel synatk config 1337
fwaccel synatk monitor 1340
fwaccel synatk state 1345
fwaccel synatk whitelist 1347
fwaccel tab 1352
fwaccel templates 1356
fwaccel ver 1360
'sim' and 'sim6' 1361
sim affinity 1363
sim affinityload 1366
sim enable_aesni 1367
sim if 1368
sim nonaccel 1372
sim ver 1374
fw sam_policy 1375
fw sam_policy add 1378
fw sam_policy batch 1391
fw sam_policy del 1393
fw sam_policy get 1396
The /proc/ppk/ and /proc/ppk6/ entries 1400
/proc/ppk/affinity 1402
/proc/ppk/conf 1403
/proc/ppk/conns 1404
/proc/ppk/cpls 1405
/proc/ppk/cqstats 1406
/proc/ppk/drop_statistics 1407
/proc/ppk/ifs 1408
/proc/ppk/mcast_statistics 1412
/proc/ppk/nac 1413
/proc/ppk/notify_statistics 1414
/proc/ppk/profile_cpu_stat 1415
/proc/ppk/rlc 1416
/proc/ppk/statistics 1417

/proc/ppk/stats 1419
/proc/ppk/viol_statistics 1420
SecureXL Debug 1421
fwaccel dbg 1422
SecureXL Debug Procedure 1428
SecureXL Debug Modules and Debug Flags 1432
CoreXL Commands 1440
cp_conf corexl 1441
dynamic_split 1443
fw ctl multik 1445
fw ctl multik add_bypass_port 1448
fw ctl multik del_bypass_port 1450
fw ctl multik dynamic_dispatching 1452
fw ctl multik gconn 1453
fw ctl multik get_instance 1458
fw ctl multik print_heavy_conn 1460
fw ctl multik prioq 1462
fw ctl multik show_bypass_ports 1463
fw ctl multik stat 1464
fw ctl multik start 1466
fw ctl multik stop 1467
fw ctl multik utilize 1468
fw ctl affinity 1469
Running the 'fw ctl affinity -l' command in Gateway Mode 1470
Running the 'fw ctl affinity -l' command in VSX Mode 1474
Running the 'fw ctl affinity -s' command in Gateway Mode 1477
Running the 'fw ctl affinity -s' command in VSX Mode 1481
fw -i 1485
fwboot bootconf 1486
fwboot corexl 1491
fwboot cpuid 1498
fwboot ht 1500
fwboot multik_reg 1503

fwboot post_drv 1505
Multi-Queue Commands 1506
mq_mng 1507
Identity Awareness Commands 1510
adlog 1511
adlog control 1513
adlog dc 1515
adlog debug 1516
adlog query 1517
adlog statistics 1518
pdp 1519
pdp ad 1521
General Syntax 1521
The 'pdp ad associate' command 1521
The 'pdp ad disassociate' command 1522
pdp auth 1523
pdp broker 1527
pdp conciliation 1531
pdp connections 1533
pdp control 1534
pdp debug 1535
pdp idc 1538
pdp idp 1540
pdp ifmap 1541
pdp monitor 1543
pdp muh 1545
pdp nested_groups 1546
pdp network 1547
pdp radius 1548
pdp status 1552
pdp tasks_manager 1553
pdp timers 1554
pdp topology_map 1555

pdp tracker 1556
pdp update 1557
pdp vpn 1558
pep 1559
pep control 1560
pep debug 1561
pep show 1563
pep tracker 1566
test_ad_connectivity 1567
VPN Commands 1571
vpn 1572
vpn check_ttm 1576
vpn compreset 1577
vpn compstat 1578
vpn crl_zap 1579
vpn crlview 1580
vpn debug 1582
vpn dll 1586
vpn drv 1587
vpn dump_psk 1588
vpn ipafile_check 1589
vpn ipafile_users_capacity 1590
vpn macutil 1591
vpn mep_refresh 1592
vpn neo_proto 1593
vpn nssm_toplogy 1594
vpn overlap_encdom 1595
vpn rim_cleanup 1596
vpn rll 1597
vpn set_slim_server 1598
vpn set_snx_encdom_groups 1599
vpn set_trac 1600
vpn shell 1601

vpn show_tcpt 1608
vpn sw_topology 1609
vpn tu 1610
vpn tu del 1612
vpn tu list 1615
vpn tu mstats 1617
vpn tu tlist 1618
vpn ver 1620
mcc 1621
mcc add 1623
mcc add2main 1624
mcc del 1625
mcc lca 1626
mcc main2add 1627
mcc show 1628
Mobile Access Commands 1630
admin_wizard 1631
cvpnd_admin 1635
cvpnd_settings 1638
cvpn_ver 1640
cvpnrestart 1641
cvpnstart 1642
cvpnstop 1643
deleteUserSettings 1644
fwpush 1645
ics_updates_script 1649
listusers 1650
rehash_ca_bundle 1651
UserSettingsUtil 1652
Data Loss Prevention Commands 1654
dlpcmd 1655
VSX Commands 1658
cpconfig 1659

vsenv 1662
vsx 1663
vsx fetch 1665
vsx fetch_all_cluster_policies 1667
vsx fetchvs 1668
vsx get 1669
vsx initmsg 1670
vsx mstat 1671
vsx resctrl 1675
vsx showncs 1678
vsx sicreset 1679
vsx stat 1680
vsx unloadall 1682
vsx vspurge 1683
vsx_util 1684
vsx_util add_member 1687
vsx_util change_interfaces 1689
vsx_util change_mgmt_ip 1692
vsx_util change_mgmt_subnet 1693
vsx_util change_private_net 1694
vsx_util convert_cluster 1695
vsx_util reconfigure 1696
vsx_util remove_member 1701
vsx_util show_interfaces 1702
vsx_util upgrade 1704
vsx_util view_vs_conf 1705
vsx_util vsls 1708
vsx_provisioning_tool 1709
Transactions 1712
vsx_provisioning_tool Commands 1713
Explicit Transaction Commands 1714
Adding a VSX Gateway 1715
Adding a VSX Cluster 1717

Adding a Virtual Device 1720
Deleting a Virtual Device 1723
Modifying Settings of a Virtual Device 1724
Adding an Interface to a Virtual Device 1727
Removing an Interface from a Virtual Device 1731
Modifying Settings of an Interface 1733
Adding a Route 1736
Removing a Route 1738
Showing Virtual Device Data 1740
Script Examples 1741
Example 1 1741
Example 2 1742
Example 3 1742
QoS Commands 1743
etmstart 1744
etmstop 1745
fgate 1746
IPS Commands 1754
ips 1755
ips bypass 1757
ips debug 1759
ips off 1760
ips on 1761
ips pmstats 1762
ips refreshcap 1763
ips stat 1764
ips stats 1765
Running Check Point Commands in Shell Scripts 1768
Working with Kernel Parameters on Security Gateway 1769
Introduction to Kernel Parameters 1769
Firewall Kernel Parameters 1770
Working with Integer Kernel Parameters 1771
Working with String Kernel Parameters 1776

SecureXL Kernel Parameters 1779

Glossary
3

3rd party Cluster
Cluster of Check Point Security Gateways that work together in a redundant
configuration. These Check Point Security Gateways are installed on X-Series XOS, or
IPSO OS. VRRP Cluster on Gaia OS is also considered a 3rd party cluster. The 3rd
party cluster handles the traffic, and Check Point Security Gateways perform only State
Synchronization.

Accelerated Path
Packet flow on the Host appliance, when the packet is completely handled by the
SecureXL device. It is processed and forwarded to the network.

Access Role
Access Role objects let you configure network access according to: Networks, Users
and user groups, Computers and computer groups, Remote Access Clients. After you
activate the Identity Awareness Software Blade, you can create Access Role objects
and use them in the Source and Destination columns of Access Control Policy rules.

Active
State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the
state of the Security Gateway component (2) In 3rd party / OPSEC cluster, this applies
to the state of the cluster State Synchronization mechanism.

Active-Active
A cluster mode in which the cluster members are located in different geographical areas
(different sites, different availability zones). The administrator configures Dynamic Routing
on each cluster member, so that it becomes a router in the applicable area or autonomous
system on its site. The IP addresses of the interfaces on each cluster member are on
different networks (including the Sync interfaces). Each cluster member inspects all
traffic routed to it and synchronizes the recorded connections to its peer cluster
members. The traffic is not balanced between the cluster members.

Active Directory
Microsoft® directory information service. Stores data about user, computer, and service
identities for authentication and access. Acronym: AD.

Active Domain Server
The only Domain Management Server in a High Availability deployment that can
manage a specified Domain.

Active Up
ClusterXL in High Availability mode that was configured as Maintain current active
Cluster Member in the cluster object in SmartConsole: (1) If the current Active member
(for example, Member_A) fails for some reason, or is rebooted, then failover occurs
between Cluster Members, and another Standby member (for example, Member_B) is
promoted to Active. (2) When the former Active member (Member_A) recovers from the
failure, or boots, the former Standby member (Member_B) remains in the Active state
(and Member_A assumes the Standby state).

Active(!)
In ClusterXL, the state of an Active Cluster Member that suffers from a failure. A problem
was detected, but the Cluster Member still forwards packets, because it is the only
member in the cluster, or because there are no other Active members in the cluster. In
any other situation, the state of the member is Down. Possible states: ACTIVE(!);
ACTIVE(!F), the Cluster Member is in the freeze state; ACTIVE(!P), this is the Pivot
Cluster Member in Load Sharing Unicast mode; ACTIVE(!FP), this is the Pivot Cluster
Member in Load Sharing Unicast mode and it is in the freeze state.

Active/Active
See "Load Sharing".

Active/Standby
See "High Availability".

AD Query
Check Point clientless identity acquisition tool. It is based on Active Directory
integration and it is completely transparent to the user. The technology is based on
querying the Active Directory Security Event Logs and extracting the user and computer
mapping to the network address from them. It is based on Windows Management
Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security
Gateway communicates directly with the Active Directory domain controllers and does
not require a separate server. No installation is necessary on the clients, or on the
Active Directory server.

Administrator
A user with permissions to manage Check Point security products and the network
environment.

Affinity
The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface,
user space process, or IRQ to one or more specified CPU cores.

Anti-Bot
Check Point Software Blade that inspects network traffic for malicious bot software.

Anti-Virus
Check Point Software Blade that protects networks against self-propagating programs
or processes that can cause damage.

API
In computer programming, an application programming interface (API) is a set of
subroutine definitions, protocols, and tools for building application software. In general
terms, it is a set of clearly defined methods of communication between various software
components.

Appliance
A physical computer manufactured and distributed by Check Point.

ARP Forwarding
Forwarding of ARP Request and ARP Reply packets between Cluster Members by
encapsulating them in Cluster Control Protocol (CCP) packets. Introduced in R80.10
version. For details, see sk111956.

Ask
UserCheck rule action that blocks traffic and files and shows a UserCheck message.
The user can agree to allow the activity.

Audit Log
A record of an action that is done by an Administrator.

Backup
(1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be
promoted to Master state (if the Master member fails). (2) In VSX Cluster configured in
Virtual System Load Sharing mode with three or more Cluster Members - State of a
Virtual System on a third (and so on) VSX Cluster Member. (3) A Cluster Member or
Virtual System in this state does not process any traffic passing through the cluster.

Blocking Mode
Cluster operation mode in which a Cluster Member does not forward any traffic (for
example, because of a failure).

Bond
A virtual interface that contains (enslaves) two or more physical interfaces for
redundancy and load sharing. The physical interfaces share one IP address and one
MAC address. See "Link Aggregation".

Bonding
See "Link Aggregation".

Bot
Malicious software that neutralizes Anti-Virus defenses, connects to a Command and
Control center for instructions from cyber criminals, and carries out the instructions.

Bridge Mode
A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.

Browser-Based Authentication
Authentication of users in Check Point Identity Awareness web portal - Captive Portal,
to which users connect with their web browser to log in and authenticate.

Burstiness
Data that is transferred or transmitted in short, uneven spurts. LAN traffic is typically
bursty. Opposite of streaming data.

CA
Certificate Authority. Issues certificates to gateways, users, or computers, so that they
can identify themselves to connecting entities with a Distinguished Name, public key, and
sometimes IP address. After certificate validation, entities can send encrypted data using
the public keys in the certificates.

Captive Portal
A Check Point Identity Awareness web portal, to which users connect with their web
browser to log in and authenticate, when using Browser-Based Authentication.

CCP
See "Cluster Control Protocol".

Certificate
An electronic document that uses a digital signature to bind a cryptographic public key
to a specific identity. The identity can be an individual, organization, or software entity.
The certificate is used to authenticate one identity to another.

Cisco ISE
Cisco Identity Services Engine is a network administration product that enables the
creation and enforcement of security and access policies for endpoint devices
connected to the company's routers and switches. The purpose is to simplify identity
management across diverse devices and applications.

Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.

Cluster Control Protocol
Proprietary Check Point protocol that runs between Cluster Members on UDP port
8116 and has the following roles: (1) State Synchronization (Delta Sync); (2) Health
checks (state of Cluster Members and of cluster interfaces): health-status reports,
Cluster Member probing, state-change commands, querying for cluster membership.
Note: CCP is located between the Check Point Firewall kernel and the network
interface (therefore, only tcpdump should be used for capturing this traffic). Acronym:
CCP.

Cluster Correction Layer
Proprietary Check Point mechanism that deals with asymmetric connections in a Check
Point cluster. The CCL provides connection stickiness by "correcting" the packets to
the correct Cluster Member: In most cases, the CCL makes the correction from the
CoreXL SND; in some cases (like Dynamic Routing, or VPN), the CCL makes the
correction from the Firewall or SecureXL. Acronym: CCL.

Cluster Interface
An interface on a Cluster Member whose Network Type was set as Cluster in the
cluster object in SmartConsole. This interface is monitored by the cluster, and a failure
on this interface causes a cluster failover.

Cluster Member
A Security Gateway that is part of a cluster.

Cluster Mode
Configuration of Cluster Members to work in these redundant modes: (1) One Cluster
Member processes all the traffic - High Availability or VRRP mode (2) All traffic is
processed in parallel by all Cluster Members - Load Sharing.

Cluster Topology
Set of interfaces on all members of a cluster and their settings (Network Objective, IP
address/Net Mask, Topology, Anti-Spoofing, and so on).

ClusterXL
Cluster of Check Point Security Gateways that work together in a redundant
configuration. The ClusterXL both handles the traffic and performs State
Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1)
ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster
Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL
Load Sharing mode, configuring more than 4 Cluster Members significantly decreases
the cluster performance due to the amount of Delta Sync traffic.

Cooperative Enforcement
Integration of Endpoint Security server compliance to verify internal network
connections.

CoreXL
A performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.

CoreXL Dynamic Dispatcher
Improved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXL
Firewall instances. Traffic distribution between CoreXL Firewall instances is dynamic,
based on the utilization of the CPU cores on which the CoreXL Firewall instances run.
The dynamic decision is made for the first packet of each connection: each CoreXL
Firewall instance is assigned a rank, and the CoreXL Firewall instance with the lowest
rank is selected. The rank of each CoreXL Firewall instance is calculated from its CPU
utilization. The higher the CPU utilization, the higher the CoreXL Firewall instance's
rank, so that CoreXL Firewall instance is less likely to be selected by the CoreXL SND.
See sk105261.

CoreXL Firewall Instance
Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall
kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one
processing CPU core. These firewall instances handle traffic at the same time, and
each firewall instance is a complete and independent firewall inspection kernel.

CoreXL SND
Secure Network Distributer. The part of CoreXL that is responsible for: processing
incoming traffic from the network interfaces; securely accelerating authorized packets (if
SecureXL is enabled); distributing non-accelerated packets between Firewall kernel
instances (the SND maintains a global dispatching table, which maps connections to the
CoreXL Firewall instances they were assigned to). Traffic distribution between CoreXL
Firewall instances is static, based on the Source IP address, the Destination IP address,
and the IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision
to stick to a particular FWK daemon is made on the first packet of a connection at a very
high level, before anything else. Depending on the SecureXL settings, in most cases
SecureXL offloads the decryption calculations. However, in some other cases, such as
Route-Based VPN, the FWK daemon does it.

Correlation Unit
A SmartEvent software component that analyzes logs and detects events.

CPHA
General term in Check Point Cluster that stands for Check Point High Availability
(historic fact: the first release of ClusterXL supported only High Availability) that is used
only for internal references (for example, inside kernel debug) to designate ClusterXL
infrastructure.

CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you
can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.
For details, see sk92449.

Critical Device
Also known as a Problem Notification, or pnote. A special software device on each
Cluster Member, through which the critical aspects for cluster operation are monitored.
When the critical monitored component on a Cluster Member fails to report its state on
time, or when its state is reported as problematic, the state of that member is
immediately changed to Down. The complete list of the configured critical devices
(pnotes) is printed by the 'cphaprob -ia list' command or 'show cluster members pnotes
all' command.

Custom Report
A user defined report for a Check Point product, typically based on a predefined report.

DAIP Gateway
A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the
IP address of the external interface is assigned dynamically by the ISP.

Data Loss Prevention
Check Point Software Blade that detects and prevents the unauthorized transmission of
confidential information outside the organization. Acronym: DLP.

Data Type
A classification of data. The Firewall classifies incoming and outgoing traffic according
to Data Types, and enforces the Policy accordingly.

Database
The Check Point database includes all objects, including network objects, users,
services, servers, and protection profiles.

Dead
State reported by a Cluster Member when it goes out of the cluster (due to 'cphastop'
command (which is a part of 'cpstop'), or reboot).

Decision Function
A special cluster algorithm applied by each Cluster Member on the incoming traffic in
order to decide which Cluster Member should process the received packet. Each
Cluster Member maintains a table of hash values generated based on the connection
tuple (source and destination IP addresses/Ports, and Protocol number).

Dedicated Management Interface
A separate physical interface on VSX Gateway or VSX Cluster Members, through which
Check Point Security Management Server or Multi-Domain Server connects directly to
VSX Gateway or VSX Cluster Members. DMI is restricted to management traffic, such
as provisioning, logging and monitoring. Acronym: DMI.

Delta Sync
Synchronization of kernel tables between all working Cluster Members - exchange of
CCP packets that carry pieces of information about different connections and operations
that should be performed on these connections in relevant kernel tables. This Delta
Sync process is performed directly by the Check Point kernel. While performing Full Sync,
the Delta Sync updates are not processed but are saved in kernel memory. After Full
Sync is complete, the Delta Sync packets stored during the Full Sync phase are applied
in order of arrival.

Delta Sync Retransmission
It is possible that Delta Sync packets are lost or corrupted during the Delta Sync
operations. In such cases, it is required to make sure the Delta Sync packet is re-sent.
The Cluster Member requests the sending Cluster Member to retransmit the
lost/corrupted Delta Sync packet. Each Delta Sync packet has a sequence number. The
sending member has a queue of sent Delta Sync packets. Each Cluster Member has a
queue of packets sent from each of the peer Cluster Members. If, for any reason, a Delta
Sync packet was not received by a Cluster Member, it can ask for a retransmission of
this packet from the sending member. The Delta Sync retransmission mechanism is
somewhat similar to a TCP Window and TCP retransmission mechanism. When a
member requests retransmission of a Delta Sync packet that no longer exists on the
sending member, the member prints a console message that the sync is not complete.
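
The retransmission behavior described above, as an added simplified model (not Check Point code): the sending member keeps a bounded queue of sent packets keyed by sequence number, the receiving member detects gaps and asks for the missing packets, and a request for a sequence number that has already left the sender's queue produces the "sync not complete" condition. The class and function names, the queue size, and the constructed kernel-table payloads are assumptions of this example.

```python
"""Simplified model of Delta Sync retransmission (illustration only).

Names (SendingMember, ReceivingMember, run_scenario) and the bounded
queue size are assumptions of this example, not Check Point internals.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class DeltaSyncPacket:
    seq: int        # sequence number carried by every Delta Sync packet
    payload: str    # constructed kernel-table update for this example


class SendingMember:
    """Keeps a bounded queue of already-sent packets for retransmission."""

    def __init__(self, queue_size: int) -> None:
        self.queue_size = queue_size
        self.next_seq = 0
        self.sent: "OrderedDict[int, DeltaSyncPacket]" = OrderedDict()

    def send(self, payload: str) -> DeltaSyncPacket:
        pkt = DeltaSyncPacket(self.next_seq, payload)
        self.next_seq += 1
        self.sent[pkt.seq] = pkt
        # Oldest packets fall out of the queue once it is full (TCP-window-like).
        while len(self.sent) > self.queue_size:
            self.sent.popitem(last=False)
        return pkt

    def retransmit(self, seq: int) -> Optional[DeltaSyncPacket]:
        """Return the requested packet, or None if it already left the queue."""
        return self.sent.get(seq)


class ReceivingMember:
    """Applies Delta Sync packets in order and requests any it missed."""

    def __init__(self, peer: SendingMember) -> None:
        self.peer = peer
        self.expected_seq = 0                            # next seq to apply
        self.pending: Dict[int, DeltaSyncPacket] = {}    # received, not yet applied
        self.lost: Set[int] = set()                      # unrecoverable gaps
        self.applied: List[str] = []
        self.messages: List[str] = []                    # "console" messages
        self.sync_complete = True

    def receive(self, pkt: DeltaSyncPacket) -> None:
        if pkt.seq < self.expected_seq or pkt.seq in self.pending:
            return  # duplicate or already handled
        self.pending[pkt.seq] = pkt
        # A gap below this packet means earlier packets were lost: ask for them.
        for missing in range(self.expected_seq, pkt.seq):
            if missing in self.pending or missing in self.lost:
                continue
            again = self.peer.retransmit(missing)
            if again is not None:
                self.pending[missing] = again
            else:
                # The sender no longer holds it: Delta Sync cannot complete.
                self.sync_complete = False
                self.lost.add(missing)
                self.messages.append(
                    f"sync not complete: packet {missing} no longer on sending member")
        self._apply_in_order()

    def _apply_in_order(self) -> None:
        while True:
            if self.expected_seq in self.pending:
                self.applied.append(self.pending.pop(self.expected_seq).payload)
            elif self.expected_seq in self.lost:
                self.lost.discard(self.expected_seq)  # skip the unrecoverable gap
            else:
                break
            self.expected_seq += 1


def run_scenario(queue_size: int, drop: Set[int], n_updates: int = 8) -> ReceivingMember:
    """Send n_updates packets; those with seq in `drop` never reach the receiver."""
    sender = SendingMember(queue_size)
    receiver = ReceivingMember(sender)
    for i in range(n_updates):
        pkt = sender.send(f"connections: add entry {i}")
        if pkt.seq not in drop:
            receiver.receive(pkt)
    return receiver


if __name__ == "__main__":
    ok = run_scenario(queue_size=4, drop={2})
    print("recovered:", ok.sync_complete, len(ok.applied))   # True 8
    bad = run_scenario(queue_size=2, drop={2, 3, 4})
    print("recovered:", bad.sync_complete, bad.messages)     # False, two messages
```

The second scenario shows why the sender's queue depth matters: three packets lost in a row exceed a two-packet queue, so two of them can no longer be recovered by Delta Sync alone.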

Detect
UserCheck rule action that allows traffic and files to enter the internal network and logs
them.

Distributed Deployment
The Check Point Security Gateway and Security Management Server products are
deployed on different computers.

Domain
A network or a collection of networks related to an entity, such as a company, business
unit or geographical location.

Domain Log Server
A Log Server for a specified Domain. It stores and processes logs from Security
Gateways that are managed by the corresponding Domain Management Server.
Acronym: DLS.

Domain Management Server
A virtual Security Management Server that manages Security Gateways for one
Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS.

Down
State of a Cluster Member during a failure when one of the Critical Devices reports its
state as "problem": In ClusterXL, applies to the state of the Security Gateway
component; in a 3rd party / OPSEC cluster, applies to the state of the State
Synchronization mechanism. A Cluster Member in this state does not process any traffic
passing through the cluster.

Dying
State of a Cluster Member as assumed by peer members, if it did not report its state for
0.7 second.

Event
A record of a security or network incident that is based on one or more logs, and on a
customizable set of rules that are defined in the Event Policy.

Event Correlation
A procedure that extracts, aggregates, correlates and analyzes events from the logs.

Event Policy
A set of rules that define the behavior of SmartEvent.

Expert Mode
The name of the full command line shell that gives full system root permissions in the
Check Point Gaia operating system.

External Network
Computers and networks that are outside of the protected network.

External Users
Users defined on external servers. External users are not defined in the Security
Management Server database or on an LDAP server. External user profiles tell the
system how to identify and authenticate externally defined users.

F2F
Denotes non-VPN connections that SecureXL forwarded to the firewall. See "Firewall
Path".

Failback in Cluster
Also, Fallback. Recovery of a Cluster Member that suffered from a failure. The state of a
recovered Cluster Member is changed from Down to either Active, or Standby
(depending on Cluster Mode).

Failed Member
A Cluster Member that cannot send or accept traffic because of a hardware or software
problem.

Failover
Also, Fail-over. Transfer of control over traffic (packet filtering) from a Cluster
Member that suffered a failure to another Cluster Member (based on internal cluster
algorithms).

Failure
A hardware or software problem that causes a Security Gateway to be unable to serve
as a Cluster Member (for example, one of the cluster interfaces has failed, or one of the
monitored daemons has crashed). A Cluster Member that suffered from a failure is
declared as failed, and its state is changed to Down (a physical interface is considered
Down only if all configured VLANs on that physical interface are Down).

Firewall
The software and hardware that protects a computer network by analyzing the incoming
and outgoing network traffic (packets).

Firewall Path
Also Slow Path. Packet flow on the Host Security Appliance, when the SecureXL
device is unable to process the packet (see sk32578). The packet is passed to the
CoreXL layer and then to one of the CoreXL Firewall instances for full processing. This
path also processes all packets when SecureXL is disabled.

Flapping
Consecutive changes in the state of either cluster interfaces (cluster interface flapping),
or Cluster Members (Cluster Member flapping). Such consecutive changes in the state
are seen in 'Logs & Monitor' > 'Logs' (if in SmartConsole > cluster object, the cluster
administrator set 'Track changes in the status of cluster members' to 'Log').

Flush and ACK
Also, FnA, F&A. A Cluster Member forces a Delta Sync packet about the incoming
packet, waits for acknowledgments from all other Active members, and only then
allows the incoming packet to pass through. In some scenarios, it is required that some
information written into the kernel tables is Sync-ed promptly, or else a race condition
can occur. The race condition may occur if a packet that caused a certain change in
kernel tables left Member_A toward its destination and then the return packet tries to
go through Member_B. In general, this kind of situation is called asymmetric routing.
What may happen in this scenario is that the return packet arrives at Member_B before
the changes induced by the original packet were Sync-ed to Member_B. An example of
such a case is when a SYN packet goes through Member_A, causing multiple changes
in the kernel tables, and then leaves to a server. The SYN-ACK packet from the server
arrives at Member_B, but the connection itself was not Sync-ed yet. In this condition,
Member_B drops the packet as an Out-of-State packet (First packet isn't SYN). To
prevent such conditions, it is possible to use the "Flush and ACK" (F&A) mechanism.
This mechanism can send the Delta Sync packets with all the changes accumulated so
far in the Sync buffer to the other Cluster Members, hold the original packet that
induced these changes, and wait for acknowledgment from all other (Active) Cluster
Members that they received the information in the Delta Sync packet. When all
acknowledgments have arrived, the mechanism releases the held original packet. This
ensures that by the time the return packet arrives from the server at the cluster, all the
Cluster Members are aware of the connection. F&A operates at the end of the Inbound
chain and at the end of the Outbound chain (it is more common at the Outbound).

Forwarding
Process of transferring incoming traffic from one Cluster Member to another
Cluster Member for processing. There are two types of forwarding the incoming traffic
between Cluster Members - Packet forwarding and Chain forwarding. Also see
"Forwarding Layer in Cluster" and "ARP Forwarding in Cluster".

Forwarding Layer
The Forwarding Layer is a ClusterXL mechanism that allows a Cluster Member to pass
packets to peer Cluster Members, after they have been locally inspected by the firewall.
This feature allows connections to be opened from a Cluster Member to an external
host. Packets originated by Cluster Members are hidden behind the Cluster Virtual IP
address. Thus, a reply from an external host is sent to the cluster, and not directly to the
source Cluster Member. This can pose problems in the following situations: (1) The
cluster is working in High Availability mode, and the connection is opened from the
Standby Cluster Member. All packets from the external host are handled by the Active
Cluster Member, instead. (2) The cluster is working in a Load Sharing mode, and the
decision function has selected another Cluster Member to handle this connection. This
can happen since packets directed at a Cluster IP address are distributed between
Cluster Members as with any other connection. If a Cluster Member decides, upon the
completion of the firewall inspection process, that a packet is intended for another
Cluster Member, it can use the Forwarding Layer to hand the packet over to that Cluster
Member. In High Availability mode, packets are forwarded over a Synchronization
network directly to peer Cluster Members. It is important to use secured networks only,
as encrypted packets are decrypted during the inspection process, and are forwarded
as clear-text (unencrypted) data. In Load Sharing mode, packets are forwarded over a
regular traffic network. Packets that are sent on the Forwarding Layer use a special
source MAC address to inform the receiving Cluster Member that they have already
been inspected by another Cluster Member. Thus, the receiving Cluster Member can
safely hand over these packets to the local Operating System, without further inspection.

Full High Availability
Also, Full HA Cluster Mode. A special Cluster Mode (supported only on Check Point
appliances running Gaia OS or SecurePlatform OS), where each Cluster Member also
runs as a Security Management Server. This provides redundancy both between
Security Gateways (only High Availability is supported) and between Security
Management Servers (only High Availability is supported - see sk39345).

Full Sync
Process of full synchronization of applicable kernel tables by a Cluster Member from the
working Cluster Member(s) when it tries to join the existing cluster. This process is
meant to fetch a "snapshot" of the applicable kernel tables of already Active Cluster
Member(s). Full Sync is performed during the initialization of Check Point software
(during the boot process, the first time the Cluster Member runs policy installation, during
'cpstart', during 'cphastart'). Until the Full Sync process completes successfully, this
Cluster Member remains in the Down state, because until it is fully synchronized with
other Cluster Members, it cannot function as a Cluster Member. Meanwhile, the Delta
Sync packets continue to arrive, and the Cluster Member that tries to join the existing
cluster stores them in the kernel memory until the Full Sync completes. The whole Full
Sync process is performed by fwd daemons on TCP port 256 over the Sync network (if it
fails over the Sync network, it tries the other cluster interfaces). The information is sent
by fwd daemons in chunks, while making sure they confirm getting the information
before sending the next chunk. Also see "Delta Sync".

Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.

Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restrictive shell (role-based administration controls the number of commands
available in the shell).

Gaia Portal
Web interface for Check Point Gaia operating system.

Global Domain
A Domain on a Multi-Domain Server, on which the Multi-Domain Server administrator
creates and manages objects, security policies and settings that apply to the entire
Multi-Domain Security Management environment.

Global Objects
For Multi-Domain Management, all network objects and other objects defined in the Global Domain.

Global Policy
All Policies defined in the Global Domain that can be assigned to Domains, or to
specified groups of Domains.

HA not started
Output of the 'cphaprob <flag>' command or 'show cluster <option>' command on the
Cluster Member. This output means that Check Point clustering software is not started
on this Security Gateway (for example, this machine is not a part of a cluster, or
'cphastop' command was run, or some failure occurred that prevented the ClusterXL
product from starting correctly).

High Availability
A redundant cluster mode, where only one Cluster Member (Active member) processes
all the traffic, while other Cluster Members (Standby members) are ready to be promoted
to Active state if the current Active member fails. In the High Availability mode, the
Cluster Virtual IP address (that represents the cluster on that network) is associated: (1)
With physical MAC Address of Active member (2) With virtual MAC Address (see
sk50840). Acronym: HA.

Hotfix
A piece of software installed on top of the current software in order to fix some wrong or
undesired behavior.

HTU
Stands for "HA Time Unit". All internal time in ClusterXL is measured in HTUs (the
times in cluster debug also appear in HTUs). Formula in the Check Point software: 1
HTU = 10 x fwha_timer_base_res = 10 x 10 milliseconds = 100 ms.

Hybrid
Starting in R80.20, on Security Gateways with 40 or more CPU cores, Software Blades
run in the user space (as 'fwk' processes). The Hybrid Mode refers to the state when you
upgrade Cluster Members from R80.10 (or below) to R80.20 (or above). The Hybrid
Mode is the state, in which the upgraded Cluster Members already run their Software
Blades in the user space (as fwk processes), while other Cluster Members still run their
Software Blades in the kernel space (represented by the fw_worker processes). In the
Hybrid Mode, Cluster Members are able to synchronize the required information.

ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.

ICAP Client
The ICAP Client functionality in your Security Gateway or Cluster enables it to interact
with ICAP Server responses (see RFC 3507), modify their content, and block the
matched HTTP connections.

ICAP Server
The ICAP Server functionality in your Security Gateway or Cluster enables it to interact
with ICAP Client requests, send the files for inspection, and return the verdict.

Identity Agent
Check Point dedicated client agent installed on Windows-based user endpoint
computers. This Identity Agent acquires and reports identities to the Check Point Identity
Awareness Security Gateway. The administrator configures the Identity Agents (not the
end users). There are three types of Identity Agents - Full, Light and Custom. You can
download the Full, Light and Custom Identity Agent package from the Captive Portal -
'https://<Gateway_IP_Address>/connect'. You can transfer the Full and Light Identity
Agent package from the Identity Awareness Agents -
'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk134312'.

Identity Agent Configuration Utility
Check Point utility that creates custom Identity Agent installation packages. This utility is
installed as a part of the Identity Agent: go to the Windows Start menu > All Programs >
Check Point > Identity Agent > right-click the 'Identity Agent' shortcut > select
'Properties' > click 'Open File Location' ('Find Target' in some Windows versions) >
double-click 'IAConfigTool.exe'.

Identity Agent Distributed Configuration Tool
Check Point Identity Agent control tool for Windows-based client computers that are
members of an Active Directory domain. The Distributed Configuration tool lets you
configure connectivity and trust rules for Identity Agents - to which Identity Awareness
Security Gateways the Identity Agent should connect, depending on its IPv4 / IPv6
address, or Active Directory Site. This tool is installed as a part of the Identity Agent: go
to the Windows Start menu > All Programs > Check Point > Identity Agent > open the
Distributed Configuration. Note - You must have administrative access to this Active
Directory domain to allow automatic creation of new LDAP keys and writing.

Identity Awareness
Check Point Software Blade that enforces network access and audits data based on
network location, the identity of the user, and the identity of the computer.

Identity Broker
Identity Sharing mechanism between Identity Servers (PDP): (1) Communication
channel between PDPs based on Web-API (2) Identity Sharing capabilities between
PDPs - ability to add, remove, and update the identity session.

Identity Collector
Check Point dedicated client agent installed on Windows Servers in your network.
Identity Collector collects information about identities and their associated IP addresses,
and sends it to the Check Point Security Gateways for identity enforcement. For more
information, see sk108235. You can download the Identity Collector package from the
Identity Awareness Agents -
'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk134312'.

Identity Collector Identity Sources
Identity Sources for Check Point Identity Collector - Microsoft Active Directory Domain
Controllers, Cisco Identity Services Engine (ISE) Servers, or NetIQ eDirectory Servers.

Identity Collector Query Pool
A list of Identity Sources for Check Point Identity Collector.

Identity Server
Check Point Security Gateway with enabled Identity Awareness Software Blade.

IKE
Internet Key Exchange. An Encryption key management protocol for IPSec that creates
a shared key to encrypt and decrypt IP packets and establishes a VPN tunnel and
Security Association.

Indicator
Pattern of relevant observable malicious activity in an operational cyber domain, with
relevant information on how to interpret it and how to handle it.

Init
State of a Cluster Member in the phase after the boot and until the Full Sync completes.
A Cluster Member in this state does not process any traffic passing through cluster.

Inline Layer
Set of rules used in another rule in Security Policy.

Intelligent Queuing Engine
A bandwidth allocation algorithm that guarantees high priority traffic takes precedence
over low priority traffic.

Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.

IP Tracking
Collecting and saving of Source IP addresses and Source MAC addresses from
incoming IP packets during the probing. IP tracking is useful for Cluster Members to
determine whether the network connectivity of the Cluster Member is acceptable.

IP Tracking Policy
Internal setting that controls which IP addresses should be tracked during IP tracking:
(1) Only IP addresses from the subnet of the cluster VIP, or from the subnet of the physical
cluster interface (this is the default) (2) All IP addresses, also outside the cluster subnet.

IPS
Intrusion Prevention System. Check Point Software Blade that inspects and analyzes
packets and data for numerous types of risks.

IPv4
Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each
set can be from 0 - 255. For example, 192.168.2.1.

IPv6
Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets of
hexadecimal numbers, each set can be from 0 - ffff. For example,
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.

IRQ Affinity
A state of binding an IRQ to one or more CPU cores.

Jitter
Variation in the delay of received packets. On the sending side, packets are spaced
evenly apart and sent in a continuous stream. On the receiving side, the delay between
each packet can vary according to network congestion, improper queuing or
configuration errors.

Jumbo Hotfix Accumulator
Collection of hotfixes combined into a single package. Acronyms: JHA, JHF.

Kerberos
A computer network authentication protocol that works based on tickets to allow nodes
communicating over a non-secure network to prove their identity to one another in a
secure manner. Kerberos builds on symmetric key cryptography and requires a trusted
third party, and optionally may use public-key cryptography during certain phases of
authentication.

Link Aggregation
Technology that joins multiple physical interfaces together into one virtual interface,
known as a bond interface. Also known as Interface Bonding.

LLQ
Low Latency Queuing is a feature developed by Cisco to bring strict priority queuing
(PQ) to class-based weighted fair queuing (CBWFQ). LLQ allows delay-sensitive data
(such as voice) to be given preferential treatment over other traffic by letting the data to
be dequeued and sent first.

Load Sharing
Also, Load Balancing mode. A redundant cluster mode, where all Cluster Members
process all incoming traffic in parallel. See "Load Sharing Multicast Mode" and "Load
Sharing Unicast Mode". Acronym: LS.

Load Sharing Multicast
Load Sharing Cluster Mode, where all Cluster Members process all traffic in parallel.
Each Cluster Member is assigned the equal load of [ 100% / number_of_members ].
The Cluster Virtual IP address (that represents the cluster on that network) is associated
with Multicast MAC Address 01:00:5E:X:Y:Z (which is generated based on the last 3 bytes
of the cluster Virtual IP address on that network). A ClusterXL decision algorithm (Decision
Function) on all Cluster Members decides which Cluster Member should process the
given packet.

Load Sharing Unicast
Load Sharing Cluster Mode, where one Cluster Member (called Pivot) accepts all traffic.
Then, the Pivot member decides to process this traffic, or to forward it to other non-Pivot
Cluster Members. The traffic load is assigned to Cluster Members based on the hard-
coded formula per the value of Pivot_overhead attribute (see sk34668). The Cluster
Virtual IP address (that represents the cluster on that network) is associated with: (1)
Physical MAC Address of Pivot member (2) Virtual MAC Address (see sk50840).

Log
A record of an action that is done by a Software Blade.

Log Server
A dedicated Check Point computer that runs Check Point software to store and process
logs in Security Management Server or Multi-Domain Security Management
environment.

Mail Transfer Agent
A gateway feature that intercepts SMTP traffic and forwards it to the applicable
inspection component.

Main Domain Management Server
A Domain Management Server on a Multi-Domain Server, on which you defined the
object of your VSX Gateway or VSX Cluster. In this case, objects of your Virtual
Systems are defined on different Domain Management Servers (Target Domain
Management Servers).

Malware Database
The Check Point database of commonly used signatures, URLs, and their related
reputations, installed on a Security Gateway and used by the ThreatSpect engine.

Management High Availability
Deployment and configuration mode of two Check Point Management Servers, in which
they automatically synchronize the management databases with each other. In this
mode, one Management Server is Active, and the other is Standby. Acronyms:
Management HA, MGMT HA.

Management Interface
Interface on Gaia computer, through which users connect to Portal or CLI. Interface on a
Gaia Security Gateway or Cluster member, through which Management Server
connects to the Security Gateway or Cluster member.

Management Server
A Check Point Security Management Server or a Multi-Domain Server.

Master
State of a Cluster Member that processes all traffic in cluster configured in VRRP mode.

Medium Path (PXL)
Packet flow on the Host Security Appliance, when the packet is handled by the
SecureXL device. The CoreXL layer passes the packet to one of the CoreXL Firewall
instances to process it. Even when CoreXL is disabled, the SecureXL uses the CoreXL
infrastructure to send the packet to the single CoreXL Firewall instance that still
functions. When the Medium Path is available, the SecureXL fully accelerates the TCP
handshake. Rule Base match is achieved for the first packet through an existing
connection acceleration template. The SecureXL also fully accelerates the TCP [SYN-
ACK] and TCP [ACK] packets. However, once data starts to flow, to stream it for Content
Inspection, an FWK instance now handles the packets. The SecureXL sends all
packets that contain data to FWK for data extraction in order to build the data stream.
Only the SecureXL handles the TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets,
because they do not contain data that needs to be streamed. This path is available only
when CoreXL is enabled. Exceptions are: IPS (some protections); VPN (in some
configurations); Application Control; Content Awareness; Anti-Virus; Anti-Bot; HTTPS
Inspection; Proxy mode; Mobile Access; VoIP; Web Portals.

Mirror and Decrypt
The Mirror and Decrypt feature on your Security Gateway or Cluster performs these
actions: (1) Mirror only of all traffic - Clones all traffic (including HTTPS without
decryption) that passes through, and sends it out of the designated physical interface.
(2) Mirror and Decrypt of HTTPS traffic - Clones all HTTPS traffic that passes through,
decrypts it, and sends it in clear-text out of the designated physical interface.

Multi-Domain Log Server


A computer that runs Check Point software to store and process logs in Multi-Domain
Security Management environment. The Multi-Domain Log Server consists of Domain
Log Servers that store and process logs from Security Gateways that are managed by
the corresponding Domain Management Servers. Acronym: MDLS.

Multi-Domain Security Management


A centralized management solution for large-scale, distributed environments with many
different Domain networks.

Multi-Domain Server
A computer that runs Check Point software to host virtual Security Management Servers
called Domain Management Servers. Acronym: MDS.

Multi-Queue
An acceleration feature on Security Gateway that lets you assign more than one packet
queue and CPU core to an interface.

Multi-Version Cluster
The Multi-Version Cluster (MVC) mechanism lets you synchronize connections
between cluster members that run different versions. This lets you upgrade to a newer
version without a loss in connectivity and lets you test the new version on some of the
cluster members before you decide to upgrade the rest of the cluster members.

MVC
See "Multi-Version Cluster".

NAC
Network Access Control. This is an approach to computer security that attempts to unify
endpoint security technology (such as Anti-Virus, Intrusion Prevention, and Vulnerability
Assessment), user or system authentication and network security enforcement. Check
Point's Network Access Control solution is called Identity Awareness Software Blade.

Network Object
Logical representation of every part of corporate topology (physical machine, software
component, IP Address range, service, and so on).


Network Objective
Defines how the cluster will configure and monitor an interface - Cluster, Sync,
Cluster+Sync, Monitored Private, Non-Monitored Private. Configured in SmartConsole >
cluster object > 'Topology' pane > 'Network Objective'.

Non-Blocking Mode
Cluster operation mode, in which Cluster Member keeps forwarding all traffic.

Non-Dedicated Management Interface


A shared physical interface on VSX Gateway or VSX Cluster Members, which carries
user "production" traffic and through which Check Point Security Management Server or
Multi-Domain Server connects to VSX Gateway or VSX Cluster Members. Non-DMI
configuration requires the use of a Virtual Router or Virtual Switch. Acronym: Non-DMI.

Non-Monitored Interface
An interface on a Cluster Member, whose Network Type was set as Private in
SmartConsole, in cluster object.

Non-Pivot
A Cluster Member in the Unicast Load Sharing cluster that receives all packets from the
Pivot Cluster Member.

Non-Sticky Connection
A connection is called non-sticky, if the reply packet returns via a different Cluster
Member, than the original packet (for example, if network administrator has configured
asymmetric routing). In Load Sharing mode, all Cluster Members are Active, and in
Static NAT and encrypted connections, the Source and Destination IP addresses
change. Therefore, Static NAT and encrypted connections through a Load Sharing
cluster may be non-sticky.

Observable
An event or a stateful property that can be observed in an operational cyber domain.

Open Server
A physical computer manufactured and distributed by a company, other than Check
Point.


Packet Selection
Distinguishing between the different kinds of packets coming from the network, and selecting which member should handle a specific packet (Decision Function mechanism): CCP packet from another member of this cluster; CCP packet from another cluster, or from a Cluster Member with another version (usually an older version of CCP); packet destined directly to this member; packet destined to another member of this cluster; packet intended to pass through this Cluster Member; ARP packets.

PDP
Check Point Identity Awareness Security Gateway that acts as Policy Decision Point:
acquires identities from identity sources; shares identities with other gateways.

PEP
Check Point Identity Awareness Security Gateway that acts as Policy Enforcement
Point: receives identities via identity sharing; redirects users to Captive Portal.

Permission Profile
A predefined group of SmartConsole access permissions assigned to Domains and
administrators. With this feature you can configure complex permissions for many
administrators with one definition.

Pingable Host
A host (that is, an IP address) that Cluster Members can ping during the probing mechanism. Pinging hosts in an interface's subnet is one of the health checks that the ClusterXL mechanism performs, and a pingable host lets the Cluster Members determine with more precision what has failed (which interface on which member). On the Sync network there are usually no hosts. In that case, if the switch supports it, assign an IP address on the switch (for example, in the relevant VLAN). Choose the IP address of the pingable host per this formula: IP_of_pingable_host = IP_of_physical_interface_on_member + ~10. Assigning the pingable host an IP address higher than the IP addresses of the physical interfaces on the Cluster Members gives the Cluster Members some time to perform the default health checks first. Example: the IP address of the physical interface on a given subnet on Member_A is 10.20.30.41, and on Member_B it is 10.20.30.42; the IP address of the pingable host should then be at least 10.20.30.52.


Pivot
A Cluster Member in the Unicast Load Sharing cluster that receives all packets. Cluster
Virtual IP addresses are associated with Physical MAC Addresses of this Cluster
Member. This Pivot Cluster Member distributes the traffic between other Non-Pivot
Cluster Members.

Pnote
See "Critical Device".

Policy Layer
A layer (set of rules) in a Security Policy.

Policy Package
A collection of different types of Security Policies, such as Access Control, Threat
Prevention, QoS, and Desktop Security. After installation, Security Gateways enforce all
Policies in the Policy Package.

Preconfigured Mode
Cluster mode in which cluster membership is enabled on all Cluster Members-to-be, but no policy has yet been installed on any of them, so none of them is actually configured as primary, secondary, and so on. The cluster cannot function if one Cluster Member fails. In this scenario the "preconfigured mode" takes effect. The preconfigured mode also comes into effect when no policy is yet installed right after the Cluster Members come up after boot, or when running the 'cphaconf init' command.

Predefined Report
A default report included in a Check Point product that you can run right out of the box.

Prevent
UserCheck rule action that blocks traffic and files and can show a UserCheck message.

Primary Multi-Domain Server


The Multi-Domain Server in Management High Availability that you install as Primary.


Primary Up
ClusterXL High Availability mode that was configured as 'Switch to higher priority Cluster Member' in the cluster object in SmartConsole: (1) Each Cluster Member is given a priority (SmartConsole > cluster object > 'Cluster Members' pane). The Cluster Member with the highest priority appears at the top of the table, and the Cluster Member with the lowest priority appears at the bottom of the table. (2) The Cluster Member with the highest priority assumes the Active state. (3) If the current Active Cluster Member with the highest priority (for example, Member_A) fails for some reason, or is rebooted, failover occurs between Cluster Members. The Cluster Member with the next highest priority is promoted to Active (for example, Member_B). (4) When the Cluster Member with the highest priority (Member_A) recovers from the failure, or boots, an additional failover occurs between Cluster Members. The Cluster Member with the highest priority (Member_A) is promoted to the Active state (and Member_B returns to the Standby state).

Private Interface
An interface on a Cluster Member, whose Network Type was set as 'Private' in
SmartConsole in cluster object. This interface is not monitored by cluster, and failure on
this interface will not cause any changes in Cluster Member's state.

Probing
If a Cluster Member fails to receive status for another member (does not receive CCP packets from that member) on a given segment, the Cluster Member probes that segment in an attempt to elicit a response. The purpose of such probes is to detect the nature of possible interface failures, and to determine which module has the problem. The outcome of the probe determines what action is taken next (change the state of an interface, or of a Cluster Member).

Problem Notification
See "Critical Device".


PSL
Passive Streaming Library. Packets may arrive at Security Gateway out of order, or may
be legitimate retransmissions of packets that have not yet received an acknowledgment.
In some cases, a retransmission may also be a deliberate attempt to evade IPS
detection by sending the malicious payload in the retransmission. Security Gateway
ensures that only valid packets are allowed to proceed to destinations. It does this with
the Passive Streaming Library (PSL) technology. (1) The PSL is an infrastructure layer,
which provides stream reassembly for TCP connections. (2) The Security Gateway
makes sure that TCP data seen by the destination system is the same as seen by code
above PSL. (3) The PSL handles packet reordering, congestion, and is responsible for
various security aspects of the TCP layer, such as handling payload overlaps, some
DoS attacks, and others. (4) The PSL is capable of receiving packets from the Firewall
chain and from the SecureXL. (5) The PSL serves as a middleman between the various
security applications and the network packets. It provides the applications with a
coherent stream of data to work with, free of various network problems or attacks. (6)
The PSL infrastructure is wrapped with well-defined APIs called the Unified Streaming
APIs, which are used by the applications to register and access streamed data. For
more details, see sk95193.
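The reordering and overlap handling this definition describes can be seen in a small reassembler. The code below is an added example written for this page, not Check Point code, and it makes no claim about how the PSL is implemented internally. It models one reasonable policy: segments are buffered by sequence number and delivered in order, a pure retransmission is ignored, and a retransmission whose bytes differ from the copy already accepted for the same sequence range is recorded as a conflict (the evasion case the definition mentions). Which copy a destination host honours differs between operating systems, which is exactly why the PSL must make sure the data seen above it is the data the destination sees; here the first copy wins and the conflict is exposed so the caller can drop or alert. The sample segments are constructed.

```python
"""TCP stream reassembly with overlap consistency checking.

Added example for this page; not Check Point code and not a description of
how the PSL is implemented. It shows the problem the PSL definition raises:
segments arrive out of order or are retransmitted, and a retransmission
whose bytes differ from an earlier copy is a classic IPS evasion. Here the
first copy of every byte wins and every disagreement is recorded, so the
caller can drop the connection or raise an alert instead of inspecting an
ambiguous stream.
"""
from typing import Dict, List, Tuple

Conflict = Tuple[int, int, int]  # (sequence number, byte kept, byte offered later)


class StreamReassembler:
    """Reassembles one direction of a TCP connection.

    Sequence numbers are plain integers: wrap-around at 2**32 and receive
    window limits are left out to keep the example short.
    """

    def __init__(self, isn: int) -> None:
        self.next_seq = isn                     # first byte not yet given to the consumer
        self.buffer: Dict[int, int] = {}        # seq -> byte, received but not yet contiguous
        self.delivered: Dict[int, int] = {}     # seq -> byte, already handed to the consumer
        self.conflicts: List[Conflict] = []

    def add_segment(self, seq: int, data: bytes) -> bytes:
        """Accept one segment; return the bytes that became deliverable, in order.

        A byte that was already seen (delivered or buffered) is never
        replaced. A differing copy is logged in `conflicts`, so inspection
        runs once, over one stable view of the data.
        """
        for offset, byte in enumerate(data):
            s = seq + offset
            if s < self.next_seq:
                known = self.delivered.get(s)    # None if older than the ISN
            else:
                known = self.buffer.get(s)
            if known is None:
                if s >= self.next_seq:
                    self.buffer[s] = byte
            elif known != byte:
                self.conflicts.append((s, known, byte))
        out = bytearray()
        while self.next_seq in self.buffer:     # drain everything that is now contiguous
            byte = self.buffer.pop(self.next_seq)
            self.delivered[self.next_seq] = byte
            out.append(byte)
            self.next_seq += 1
        return bytes(out)

    def has_gap(self) -> bool:
        """True while buffered data waits for an earlier segment."""
        return bool(self.buffer)


def reassemble(isn: int, segments: List[Tuple[int, bytes]]) -> Tuple[bytes, List[Conflict]]:
    """Feed (seq, payload) pairs through one reassembler and return the result."""
    r = StreamReassembler(isn)
    stream = b"".join(r.add_segment(seq, data) for seq, data in segments)
    return stream, r.conflicts


if __name__ == "__main__":
    # Constructed sample: a request split into segments that arrive out of
    # order, followed by a retransmission of one range with different bytes.
    sample = [
        (1000, b"GET /"),
        (1010, b" HTTP/1.0\r\n"),   # arrives before the segment that precedes it
        (1005, b"index"),
        (1005, b"admin"),           # same sequence range, different payload
    ]
    stream, conflicts = reassemble(1000, sample)
    print(stream)                   # b'GET /index HTTP/1.0\r\n'
    print(conflicts)                # five entries, one per differing byte
```

A real streaming layer additionally has to bound `delivered` to the receive window and handle sequence wrap; the point of the example is only the decision in `add_segment`: an overlapping byte is compared, never overwritten.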

PSLXL
Technology name for combination of SecureXL and PSL (Passive Streaming Library) in
R80.20 and higher versions. In R80.10 and lower versions, this technology was called
PXL (PacketXL).

Publisher PDP
Check Point Identity Awareness Security Gateway that gets identities from an identity
source/remote PDP and shares identities to a remote PDP. The Publisher PDP: (1)
Initiates an HTTPS connection to the Subscriber PDP for each Identity to be shared (2)
Verifies the CN and OU present in the subject field of the certificate presented (3)
Verifies that the CA's certificate matches the certificate that was approved in advance by
the administrator (4) Checks if the certificate presented is revoked (5) Shares identities
including the information about user(s), machine(s) and Access Roles in the form of
HTTP POST requests.

PXL
See "PSLXL".

QoS
Check Point Software Blade that guarantees quality of service for traffic.


QoS Action Properties


Properties that define bandwidth allocation, limits, and guarantees for a security rule.

RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS is a client/server protocol that runs in the application layer over UDP (by default port 1812 for authentication and 1813 for accounting); RADIUS over TCP exists only as a separate, experimental extension.

RDED
Retransmit Detect Early Drop. The bottleneck that results from the connection of a LAN
to the WAN causes TCP to retransmit packets. RDED prevents inefficiencies by
detecting retransmits in TCP streams and preventing the transmission of redundant
packets when multiple copies of a packet are concurrently queued on the same flow.

Ready
State of a Cluster Member after initialization and before promotion to the next required state - Active / Standby / VRRP Master / VRRP Backup (depending on Cluster Mode). A Cluster Member in this state does not process any traffic passing through the cluster. A member can be stuck in this state for several reasons - see sk42096.

Remote Access VPN


An encryption tunnel between a Security Gateway and Remote Access clients.
Provides secure, seamless access to corporate networks remotely, over IPsec VPN.

Remote Access VPN Community


A group of computers, appliances, and devices that access, with authentication and
encryption, the internal protected network from physically remote sites.

Report
A summary of network activity and Security Policy enforcement that is generated by
Check Point products such as SmartEvent.

Rule
A set of traffic parameters and other conditions in a Rule Base that cause specified
actions to be taken for a communication session.


Rule Base
Also Rulebase. All rules configured in a given Security Policy.

RX Queue
Receive packet queue. See "Multi-Queue".

Secondary Multi-Domain Server


The Multi-Domain Server in Management High Availability that you install as
Secondary.

SecureXL
Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security
Gateways for significant performance improvements.

Security Gateway
A computer that runs Check Point software to inspect traffic and enforces Security
Policies for connected network resources.

Security Management Server


A computer that runs Check Point software to manage the objects and policies in Check
Point environment.

Security Policy
A collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.

Selection
The packet selection mechanism is one of the central and most important components
in the ClusterXL product and State Synchronization infrastructure for 3rd party clustering
solutions. Its main purpose is to decide (to select) correctly what has to be done to the
incoming and outgoing traffic on the Cluster Member. (1) In ClusterXL, the packet is
selected by Cluster Member(s) depending on the cluster mode: In HA modes - by Active
member; In LS Unicast mode - by Pivot member; In LS Multicast mode - by all members.
Then the Cluster Member applies the Decision Function (and the Cluster Correction
Layer). (2) In 3rd party / OPSEC cluster, the 3rd party software selects the packet, and
Check Point software just inspects it (and performs State Synchronization).


Service Account
In Microsoft® Active Directory, a user account created explicitly to provide a security
context for services running on Microsoft® Windows® Server.

SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over
SSL, for secure communication. This authentication is based on the certificates issued
by the ICA on a Check Point Management Server.

Single Sign-On
A property of access control of multiple related, yet independent, software systems. With
this property, a user logs in with a single ID and password to gain access to a
connected system or systems without using different usernames or passwords, or in
some configurations seamlessly sign on at each system. This is typically accomplished
using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases
on (directory) servers. Acronym: SSO.

Site to Site VPN


An encryption tunnel between two Security Gateways.

Slow Path
See "Firewall Path".

SmartConsole
A Check Point GUI application used to manage Security Policies, monitor products and
events, install updates, provision new devices and appliances, and manage a multi-
domain environment and each domain.

SmartDashboard
A legacy Check Point GUI client used to create and manage the security settings in
R77.30 and lower versions.

SmartEvent Server
Server with enabled SmartEvent Software Blade that hosts the events database.

Software Blade
A software blade is a security solution based on specific business needs. Each blade is
independent, modular and centrally managed. To extend security, additional blades can
be quickly added.


SSO
See "Single Sign-On".

Standalone
A Check Point computer, on which both the Security Gateway and Security
Management Server products are installed and configured.

Standby
State of a Cluster Member that is ready to be promoted to Active state (if the current
Active Cluster Member fails). Applies only to ClusterXL High Availability Mode.

Standby Domain Server


All Domain Management Servers for a Domain that are not designated as the Active
Domain Management Server.

State Synchronization
Technology that synchronizes the relevant information about the current connections
(stored in various kernel tables on Check Point Security Gateways) among all Cluster
Members over Synchronization Network. Due to State Synchronization, the current
connections are not cut off during cluster failover.

Sticky Connection
A connection is called sticky, if all packets are handled by a single Cluster Member (in
High Availability mode, all packets reach the Active Cluster Member, so all connections
are sticky).

STIX
Structured Threat Information eXpression™. A language that describes cyber threat
information in a standardized and structured way.

Subscriber PDP
Check Point Identity Awareness Security Gateway that gets identities from a remote
PDP. The Subscriber PDP: (1) Presents the configured SSL certificate to the Publisher
PDP (2) Receives the information from the Publisher PDP after verifying the pre-shared
secret in the POST requests.

Subscribers
User Space processes that are made aware of the current state of the ClusterXL state
machine and other clustering configuration parameters. List of such subscribers can be
obtained by running the 'cphaconf debug_data' command (see sk31499).


Sync Interface
Also, Secured Interface, Trusted Interface. An interface on a Cluster Member whose Network Type was set as Sync or Cluster+Sync in SmartConsole in the cluster object. This interface is monitored by the cluster, and failure on this interface will cause cluster failover. This interface is used for State Synchronization between Cluster Members. The use of more than one Sync Interface for redundancy is not supported, because the CPU load would increase significantly due to the duplicate tasks performed by all configured Synchronization Networks. See sk92804.

Synchronization Network
Also, Sync Network, Secured Network, Trusted Network. A set of interfaces on Cluster Members configured as the interfaces over which State Synchronization information is passed (as Delta Sync packets). The use of more than one Synchronization Network for redundancy is not supported, because the CPU load would increase significantly due to the duplicate tasks performed by all configured Synchronization Networks. See sk92804.

System Counter
SmartView Monitor data or report on status, activity, and resource usage of Check Point
products.

Target Domain Management Server
A Domain Management Server on a Multi-Domain Server on which you defined the objects of your Virtual Systems. In this case, the objects of your VSX Gateway or VSX Cluster are defined on a different Domain Management Server (the Main Domain Management Server).

Terminal Server
Microsoft® Windows-based application server that hosts Terminal Servers, Citrix
XenApp, and Citrix XenDesktop services.

Terminal Servers Identity Agent
Dedicated client agent installed on a Microsoft® Windows-based application server that hosts Terminal Servers, Citrix XenApp, and Citrix XenDesktop services. This client agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. In the past, this client agent was called Multi-User Host (MUH) Agent. You can download the Terminal Servers Identity Agent from the Identity Awareness Agents page, sk134312:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk134312


Threat Emulation
Check Point Software Blade that emulates files. Virtual computers open files that users
download. These computers are monitored for unusual and malicious behavior.

Threat Emulation Private Cloud Appliance


A Check Point appliance that is certified to support the Threat Emulation Software
Blade.

Threat Extraction
Check Point Software Blade that extracts potentially malicious content from files and
delivers a safe copy to the user.

ThreatCloud IntelliStore
Threat intelligence marketplace where you can select intelligence feeds (in addition to
ThreatCloud feeds) from a range of security vendors that specialize in cyber
intelligence. ThreatCloud translates these feeds into protections which run on Security
Gateways.

ThreatCloud Repository
A cloud database with more than 250 million Command and Control (C&C) IP, URL,
and DNS addresses and over 2,000 different botnet communication patterns, used by
the ThreatSpect engine to classify bots and viruses.

ThreatSpect Engine
A unique multi-tiered engine that analyzes network traffic and correlates data across
multiple layers (reputation, signatures, suspicious mail outbreaks, behavior patterns) to
detect bots and viruses.

Traffic
Flow of data between network devices.

TX queue
Transmit packet queue. See "Multi-Queue".

User Database
Check Point internal database that contains all users defined and managed in
SmartConsole.


User Groups
Named groups of users with related responsibilities.

User Template
Property set that defines a type of user on which a security policy will be enforced.

UserCheck
Gives users a warning when there is a potential risk of data loss or security violation.
This helps users to prevent security incidents and to learn about the organizational
security policy.

Users
Personnel authorized to use network resources and applications.

Virtual Device
A logical object that emulates the functionality of a type of physical network object.

Virtual Router
A Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a
physical router. Acronym: VR.

Virtual Switch
A Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a
physical switch. Acronym: VSW.

Virtual System
A Virtual Device on a VSX Gateway or VSX Cluster Member that implements the
functionality of a Security Gateway. Acronym: VS.

Virtual System Load Sharing


A VSX Cluster technology that assigns Virtual System traffic to different Active Cluster
Members. Acronym: VSLS.

VLAN
Virtual Local Area Network. A logical network segment (identified by an IEEE 802.1Q tag) that places Open Servers or appliances in one broadcast domain even when they are not connected to the same physical network.


VLAN Trunk
A connection between two switches that contains multiple VLANs.

VMAC
Virtual MAC address. When this feature is enabled on Cluster Members, all Cluster Members in High Availability mode and Load Sharing Unicast mode associate the same Virtual MAC address with the Virtual IP address. This avoids the issues that arise when Gratuitous ARP packets sent by the cluster during failover are not integrated into the ARP cache table on the switches surrounding the cluster. See sk50840.

VPN
Virtual Private Network. A secure, encrypted connection between networks and remote
clients on a public infrastructure, to give authenticated remote users and sites secured
access to an organization's network and resources.

VPN Community
A named collection of VPN domains, each protected by a VPN gateway.

VPN Tunnel
An encrypted connection between two hosts that uses standard protocols (such as IPsec, or L2TP carried inside IPsec) to encrypt traffic going in and decrypt it coming out, creating an encapsulated network through which data can be safely shared as though on a physical private line.

VSLS
See "Virtual System Load Sharing".

VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a
computer or cluster with virtual abstractions of Check Point Security Gateways and
other network devices. These Virtual Devices provide the same functionality as their
physical counterparts.

VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that
provide the functionality of physical network devices. It holds at least one Virtual
System, which is called VS0.


Warp Link
An interface between a Virtual System and a Virtual Switch or Virtual Router that is
created automatically in a VSX topology.

WFQ
Weighted Fair Queuing. An algorithm to precisely control bandwidth allocation in QoS.

WFRED
Weighted Flow Random Early Drop. A mechanism for managing the packet buffers of
QoS. Adjusting automatically and dynamically to the network traffic situation, WFRED
remains transparent to the user.


Introduction
The CLI Reference Guide provides CLI commands to configure and monitor Check Point Software Blades.


Syntax Legend
Whenever possible, this guide lists commands, parameters and options in the alphabetical order.
This guide uses this convention in the Command Line Interface (CLI) syntax:


TAB
Shows the available nested subcommands:

main command
→ nested subcommand 1
→ → nested subsubcommand 1-1
→ → nested subsubcommand 1-2
→ nested subcommand 2

Example:

cpwd_admin
    config
        -a <options>
        -d <options>
        -p
        -r
    del <options>

Meaning, you can run only one of these commands:

- cpwd_admin config -a <options>
- cpwd_admin config -d <options>
- cpwd_admin config -p
- cpwd_admin config -r
- cpwd_admin del <options>

{ }
Curly brackets or braces. Enclose a list of available commands or parameters, separated by the vertical bar |. The user can enter only one of the available commands or parameters.


< >
Angle brackets. Enclose a variable. The user must explicitly specify a supported value.

[ ]
Square brackets or brackets. Enclose an optional command or parameter, which the user may enter or omit.
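As an added example that is not part of the guide, the following code reads a syntax line written in this legend's notation and either lists every command form the line permits (for the cpwd_admin tree above it produces the same five commands the legend lists) or checks a typed command against it. The handling of the notation is this editor's reading of the legend: braces with | are alternatives, angle brackets a variable, square brackets an optional part, with nesting allowed. One simplification is assumed: a variable such as <options> is taken to match exactly one argument.

```python
"""Parser and matcher for the CLI syntax notation used in this guide.

Added example for this page; not a Check Point tool. A syntax line in the
legend's notation ({ a | b } alternatives, <name> variables, [ ... ] optional
parts, nesting allowed) is parsed once; the result can list every concrete
command the line permits or check a typed command against it. Assumption made
here for simplicity: a variable such as <options> matches exactly one argument.
"""
import re
from typing import Dict, Iterator, List, Optional, Set, Tuple

# One token per <variable>, per bracket or bar character, or per plain word.
TOKEN_RE = re.compile(r"<[^>]+>|[{}\[\]|]|[^\s{}\[\]|]+")
Binding = Dict[str, str]
# AST nodes: ("lit", word) ("var", name) ("opt", node) ("alt", [node...]) ("seq", [node...])


def _parse_seq(tokens: List[str], pos: int, stop: Set[str]) -> Tuple[List[tuple], int]:
    """Parse items until a token in `stop` or the end; return (items, position)."""
    items: List[tuple] = []
    while pos < len(tokens) and tokens[pos] not in stop:
        tok = tokens[pos]
        if tok == "{":
            alts, pos = [], pos + 1
            while True:
                seq, pos = _parse_seq(tokens, pos, {"|", "}"})
                alts.append(("seq", seq))
                if pos >= len(tokens):
                    raise ValueError("unclosed '{'")
                pos += 1                                  # consume '|' or '}'
                if tokens[pos - 1] == "}":
                    break
            items.append(("alt", alts))
        elif tok == "[":
            seq, pos = _parse_seq(tokens, pos + 1, {"]"})
            if pos >= len(tokens):
                raise ValueError("unclosed '['")
            items.append(("opt", ("seq", seq)))
            pos += 1                                      # consume ']'
        elif tok in ("}", "]", "|"):
            raise ValueError(f"unexpected {tok!r}")
        else:
            is_var = tok.startswith("<") and tok.endswith(">")
            items.append(("var", tok[1:-1]) if is_var else ("lit", tok))
            pos += 1
    return items, pos


def parse(syntax: str) -> tuple:
    tokens = TOKEN_RE.findall(syntax)
    items, pos = _parse_seq(tokens, 0, set())
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return ("seq", items)


def expand(node: tuple) -> List[str]:
    """List every concrete command form the node permits; variables stay as <name>."""
    kind, body = node
    if kind == "lit":
        return [body]
    if kind == "var":
        return [f"<{body}>"]
    if kind == "opt":
        return [""] + expand(body)
    if kind == "alt":
        return [form for alt in body for form in expand(alt)]
    forms = [""]                                          # seq: cartesian product of its items
    for item in body:
        forms = [" ".join(p for p in (head, tail) if p) for head in forms for tail in expand(item)]
    return forms


def _match(node: tuple, argv: List[str], pos: int, bound: Binding) -> Iterator[Tuple[int, Binding]]:
    """Yield (next position, bindings) for every way `node` can consume argv from pos."""
    kind, body = node
    if kind == "lit":
        if pos < len(argv) and argv[pos] == body:
            yield pos + 1, bound
    elif kind == "var":
        if pos < len(argv):
            yield pos + 1, {**bound, body: argv[pos]}
    elif kind == "opt":
        yield pos, bound                                  # omitted ...
        yield from _match(body, argv, pos, bound)         # ... or present
    elif kind == "alt":
        for alt in body:
            yield from _match(alt, argv, pos, bound)
    elif not body:                                        # empty seq
        yield pos, bound
    else:                                                 # seq: first item, then the rest, backtracking
        for p, b in _match(body[0], argv, pos, bound):
            yield from _match(("seq", body[1:]), argv, p, b)


def match(syntax: str, command: str) -> Optional[Binding]:
    """Return the variable bindings if `command` is valid for `syntax`, else None."""
    argv = command.split()
    for pos, bound in _match(parse(syntax), argv, 0, {}):
        if pos == len(argv):                              # whole command consumed
            return bound
    return None


if __name__ == "__main__":
    legend = "cpwd_admin {config {-a <options> | -d <options> | -p | -r} | del <options>}"
    print("\n".join(expand(parse(legend))))              # the five forms the legend lists
    print(match("contract_util [-d] cpmacro <path>", "contract_util -d cpmacro /tmp/cp.macro"))
```

`match` returns an empty dictionary, not `None`, for a valid command that binds no variables, so callers should test against `None` rather than truthiness.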


Gaia Commands
See:
n R80.40 Gaia Administration Guide
n R80.40 Gaia Advanced Routing Administration Guide


Security Management Server Commands
For more information about Security Management Server, see the R80.40 Security Management
Administration Guide.


Managing Security through API


This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the API Server
that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with third
party systems such as virtualization servers, ticketing systems, and change management systems.

API Tools
You can use these tools to run API scripts on the Management Server:
- Standalone management tool, included with SmartConsole. You can copy this tool to computers that run the Windows or Gaia operating system:
  - mgmt_cli.exe (for the Windows operating system)
  - mgmt_cli (for the Gaia operating system)
- Web Services API that allows communication and data exchange between the clients and the Management Server over HTTPS. These APIs also let other Check Point processes communicate with the Management Server over HTTPS.
To learn more about the management APIs, to see code samples, and to take advantage of user forums, see:
- The Check Point Management API Reference.
- The Developers Network section of the Check Point CheckMates Community.

Configuring the API Server


To configure the API Server:
1. Connect with SmartConsole to the Security Management Server or Domain Management Server.
2. From the left navigation panel, click Manage & Settings .
3. In the upper left section, click Blades .
4. In the Management API section, click Advanced Settings .
The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings .


Configuring Startup Settings

Select Automatic start to automatically start the API server when you start or reboot the Management Server.

Notes:
- If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during Management Server installation.
- If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.

Configuring Access Settings

Select one of these options to configure which clients can connect to the API Server:
- Management server only - Only the Management Server itself can connect to the API Server. This option lets you send API requests only with the mgmt_cli utility run locally on the Management Server. You cannot use SmartConsole or web services to send API requests.
- All IP addresses that can be used for GUI clients - You can send API requests from all IP addresses that are defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole, Web services and the mgmt_cli utility.
- All IP addresses - You can send API requests from all IP addresses. This includes requests from SmartConsole, Web services and the mgmt_cli utility. Use this option only where network-level controls already restrict who can reach the Management Server, because an API session carries the full permissions of the administrator who logs in.

6. Publish the SmartConsole session.


7. Restart the API Server.
Run this command:

api restart

Note - On a Multi-Domain Server, you must run this command in the context of
the applicable Domain Management Server.
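Once the API Server is started and reachable from your client, a script talks to it in one pattern: log in, obtain a session id, make changes, publish them, log out. The code below is an added example written for this page, not Check Point's own mgmt_cli or SDK. It relies only on the documented request shape (a JSON POST to https://<server>/web_api/<command>, a "sid" returned by login that is sent back in the X-chkp-sid header) and on the commands login, add-host, publish, discard and logout. The hostname mgmt.example.internal, the api-user credentials, the web-01 host object and the FakeMgmtServer that stands in for the API Server are all constructed so the example runs offline; the fake's responses are simplified and are not copies of real server output. Its Access Settings note applies here: the client's IP address must be allowed by the setting chosen above, and on a Multi-Domain Server the login must name the Domain.

```python
"""Minimal client for the Check Point Management Web Services API.

Added example for this page, not Check Point code. It relies only on the documented
request shape: JSON POST to https://<server>/web_api/<command>, a "sid" returned by
login, then that sid in the X-chkp-sid header. Hostname, credentials, the sample
object and FakeMgmtServer are constructed; the fake's responses are simplified.
"""
import json
from typing import Callable, Dict, Optional, Tuple

# transport(url, json_body, headers) -> (http_status, response_body). For a real server,
# build one on urllib.request.urlopen with ssl.create_default_context(cafile=<the
# management server's ICA certificate>): pin that CA rather than disabling verification,
# since an unverified connection exposes the sid, and with it control of the policy.
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


class MgmtApiError(RuntimeError):
    pass


class MgmtApiClient:
    def __init__(self, server: str, transport: Transport, port: int = 443) -> None:
        self.base = f"https://{server}:{port}/web_api/"
        self.transport = transport
        self.sid: Optional[str] = None

    def call(self, command: str, payload: Optional[dict] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        status, raw = self.transport(self.base + command, json.dumps(payload or {}).encode(), headers)
        data = json.loads(raw or b"{}")
        if status != 200:                          # API errors come back as 4xx with a JSON body
            raise MgmtApiError(f"{command}: HTTP {status} {data.get('code')}: {data.get('message')}")
        return data

    def login(self, user: str, password: str, domain: Optional[str] = None) -> str:
        payload = {"user": user, "password": password}
        if domain:
            payload["domain"] = domain             # Multi-Domain Server: select the Domain Management Server
        self.sid = self.call("login", payload)["sid"]
        return self.sid

    def logout(self) -> None:
        try:
            self.call("logout")
        finally:
            self.sid = None


def run_in_session(client: MgmtApiClient, user: str, password: str,
                   work: Callable[[MgmtApiClient], object], domain: Optional[str] = None) -> object:
    """Log in, run `work`, publish if it succeeds, discard if it raises, always log out."""
    client.login(user, password, domain)
    try:
        result = work(client)
        client.call("publish")                     # commit point: changes are invisible to others until here
        return result
    except Exception:
        client.call("discard")                     # never leave half-made changes locked in a stale session
        raise
    finally:
        client.logout()


class FakeMgmtServer:
    """Offline stand-in for the API Server (constructed): login issues a sid, every
    other command needs a valid X-chkp-sid header, changes stay per session until publish."""
    PASSWORD = "correct-horse"                     # constructed credential

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}   # sid -> unpublished hosts
        self.hosts: Dict[str, str] = {}                 # published name -> ip

    def __call__(self, url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
        command, payload = url.rsplit("/", 1)[1], json.loads(body)
        reply = lambda status, **obj: (status, json.dumps(obj).encode())
        if command == "login":
            if payload.get("password") != self.PASSWORD:
                return reply(400, code="err_login_failed", message="Authentication to server failed.")
            sid = f"sid-{len(self.sessions) + 1}"
            self.sessions[sid] = {}
            return reply(200, sid=sid)
        sid = headers.get("X-chkp-sid")
        if sid not in self.sessions:
            return reply(401, code="generic_err_wrong_session_id", message="Wrong session id")
        if command == "add-host":
            self.sessions[sid][payload["name"]] = payload["ip-address"]
            return reply(200, name=payload["name"], **{"ipv4-address": payload["ip-address"]})
        if command == "publish":
            self.hosts.update(self.sessions[sid])
        if command in ("publish", "discard"):
            self.sessions[sid] = {}
        elif command == "logout":
            del self.sessions[sid]
        return reply(200, message="OK")


if __name__ == "__main__":
    srv = FakeMgmtServer()
    new_host = lambda api: api.call("add-host", {"name": "web-01", "ip-address": "10.1.2.3"})["name"]
    print(run_in_session(MgmtApiClient("mgmt.example.internal", srv), "api-user", srv.PASSWORD, new_host))
```

The transport is injected so the same client runs against the fake here and against a real Management Server with an HTTPS transport; keeping certificate verification on is the one setting worth insisting on, since whoever holds the session id holds the administrator's permissions until logout.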


contract_util
Description
Works with the Check Point Service Contracts.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util [-d]
    check <options>
    cpmacro <options>
    download <options>
    mgmt
    print <options>
    summary <options>
    update <options>
    verify

Parameters

check <options>
Checks whether the Security Gateway is eligible for an upgrade.
See "contract_util check" on page 76.

cpmacro <options>
Overwrites the current cp.macro file with the specified cp.macro file.
See "contract_util cpmacro" on page 77.

download <options>
Downloads all associated Check Point Service Contracts from the User Center, or from a local file.
See "contract_util download" on page 78.

mgmt
Delivers the Service Contract information from the Management Server to the managed Security Gateways.
See "contract_util mgmt" on page 80.

print <options>
Shows all the installed licenses and whether the Service Contract covers these licenses, which entitles them for upgrade or not.
See "contract_util print" on page 81.


summary <options>
Shows the post-installation summary.
See "contract_util summary" on page 82.

update <options>
Updates Check Point Service Contracts from your User Center account.
See "contract_util update" on page 83.

verify
Checks whether the Security Gateway is eligible for an upgrade. This command also interprets the return values and shows a meaningful message.
See "contract_util verify" on page 84.

contract_util check
Description
Checks whether the Security Gateway is eligible for an upgrade.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util check
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  hfa
      Checks whether the Security Gateway is eligible for an upgrade to a higher Hotfix
      Accumulator.

  maj_upgrade
      Checks whether the Security Gateway is eligible for an upgrade to a higher Major
      version.

  min_upgrade
      Checks whether the Security Gateway is eligible for an upgrade to a higher Minor
      version.

  upgrade
      Checks whether the Security Gateway is eligible for an upgrade.

contract_util cpmacro
Description
Overwrites the current cp.macro file with the specified cp.macro file, if the specified file is newer than
the current file.
For more information about the cp.macro file, see sk96217: What is a cp.macro file?

Syntax

contract_util cpmacro /<path_to>/cp.macro

This command shows one of these messages:

  CntrctUtils_Write_cp_macro returned -1
      The contract_util cpmacro command failed:
      - Failed to create a temporary file.
      - Failed to write to a temporary file.
      - Failed to replace the current file.

  CntrctUtils_Write_cp_macro returned 0
      The contract_util cpmacro command was able to overwrite the current file with
      the specified file, because the specified file is newer.

  CntrctUtils_Write_cp_macro returned 1
      The contract_util cpmacro command did not overwrite the current file, because
      it is newer than the specified file.
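
The three messages above are the only signal the command gives about what happened. The following shell wrapper, an added example that is not part of the Check Point guide, maps each message to its own exit code so that an unattended update job can tell a successful replacement from a skipped (older) file and from a write failure. The exit-code numbering and the function names are this example's own choices; the message strings are the ones documented above.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide: a wrapper around
# "contract_util cpmacro" that turns the three documented result messages into
# distinct exit codes, so an unattended update job can branch on the outcome.
# The exit-code numbering and the function names are this script's own choice.

# interpret_cpmacro_output "<command output>"
#   0 - the current cp.macro was replaced           (message "returned 0")
#   1 - the current cp.macro was kept, it is newer  (message "returned 1")
#   2 - the write failed                            (message "returned -1")
#   3 - output did not match any documented message
interpret_cpmacro_output() {
    case "$1" in
        *"CntrctUtils_Write_cp_macro returned -1"*) return 2 ;;
        *"CntrctUtils_Write_cp_macro returned 0"*)  return 0 ;;
        *"CntrctUtils_Write_cp_macro returned 1"*)  return 1 ;;
        *)                                          return 3 ;;
    esac
}

# update_cp_macro /path/to/cp.macro
# Runs the real command and reports the outcome in plain words; returns the
# same exit codes as interpret_cpmacro_output.
update_cp_macro() {
    local file="$1" output rc
    if [ ! -r "$file" ]; then
        echo "cp.macro file is not readable: $file" >&2
        return 2
    fi
    output="$(contract_util cpmacro "$file" 2>&1)"
    interpret_cpmacro_output "$output"
    rc=$?
    case "$rc" in
        0) echo "cp.macro replaced with $file" ;;
        1) echo "current cp.macro kept: it is newer than $file" ;;
        2) echo "contract_util cpmacro failed: $output" >&2 ;;
        *) echo "unexpected contract_util output: $output" >&2 ;;
    esac
    return "$rc"
}
```

Usage on a Security Gateway is `update_cp_macro /<path_to>/cp.macro`; exit code 1 is not an error but the documented "current file is newer" case, so a maintenance script should treat only 2 and 3 as failures.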

contract_util download
Description
Downloads all associated Check Point Service Contracts from User Center, or from a local file.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util download
      {-h | -help}
      local
            {-h | -help}
            [{hfa | maj_upgrade | min_upgrade | upgrade}] <Service Contract File>
      uc
            {-h | -help}
            [-i] [{hfa | maj_upgrade | min_upgrade | upgrade}]
            <Username> <Password> [<Proxy Server> [<Proxy Username>:<Proxy Password>]]

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -i
      Interactive mode - prompts the user for the User Center credentials and proxy
      server settings.

  local
      Specifies to download the Service Contract from the local file.
      This is equivalent to the cplic contract put command.

  uc
      Specifies to download the Service Contract from the User Center.

  hfa
      Downloads the information about a Hotfix Accumulator.

  maj_upgrade
      Downloads the information about a Major version.

  min_upgrade
      Downloads the information about a Minor version.

  upgrade
      Downloads the information about an upgrade.

  <Username>
      Your User Center account e-mail address.

  <Password>
      Your User Center account password.

  <Proxy Server> [<Proxy Username>:<Proxy Password>]
      Specifies that the connection to the User Center goes through the proxy server.
      - <Proxy Server> - IP address or resolvable hostname of the proxy server.
      - <Proxy Username> - Username for the proxy server.
      - <Proxy Password> - Password for the proxy server.
      Note - If you do not specify the proxy server explicitly, the command uses the
      proxy server configured in the management database.

  <Service Contract File>
      Path to and the name of the Service Contract file.
      First, you must download the Service Contract file from your User Center
      account.

contract_util mgmt
Description
Delivers the Service Contract information from the Management Server to the managed Security
Gateways.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util mgmt

contract_util print
Description
Shows all the installed licenses and whether the Service Contract covers these licenses, which determines
whether they are entitled to an upgrade.
This command can show which licenses are not recognized by the Service Contract file.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util [-d] print
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Shows a formatted table header and more information.

  hfa
      Shows the information about a Hotfix Accumulator.

  maj_upgrade
      Shows the information about a Major version.

  min_upgrade
      Shows the information about a Minor version.

  upgrade
      Shows the information about an upgrade.

contract_util summary
Description
Shows post-installation summary and whether this Check Point computer is eligible for upgrades.

Syntax

contract_util summary
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

  hfa
      Shows the information about a Hotfix Accumulator.

  maj_upgrade
      Shows the information about a Major version.

  min_upgrade
      Shows the information about a Minor version.

  upgrade
      Shows the information about an upgrade.

contract_util update
Description
Updates the Check Point Service Contracts from your User Center account.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util update
[-proxy <Proxy Server>:<Proxy Port>]
[-ca_path <Path to ca-bundle.crt File>]

Parameters

  update
      Updates Check Point Service Contracts (attached to pre-installed licenses) from
      your User Center account.

  -proxy <Proxy Server>:<Proxy Port>
      Specifies that the connection to the User Center goes through the proxy server:
      - <Proxy Server> - IP address or resolvable hostname of the proxy server.
      - <Proxy Port> - The applicable port on the proxy server.
      Note - If you do not specify the proxy explicitly, the command uses the proxy
      configured in the management database.

  -ca_path <Path to ca-bundle.crt File>
      Specifies the path to the Certificate Authority Bundle file (ca-bundle.crt).
      Note - If you do not specify the path explicitly, the command uses the default
      path.

contract_util verify
Description
Checks whether the Security Gateway is eligible for an upgrade.
This command is the same as the "contract_util check" on page 76 command, but it also interprets the
return values and shows a meaningful message.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util verify

cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
      -h
      admin <options>
      auto <options>
      ca <options>
      client <options>
      finger <options>
      lic <options>
      snmp <options>

Syntax on a Security Gateway

cp_conf
      -h
      adv_routing <options>
      auto <options>
      corexl <options>
      fullha <options>
      ha <options>
      intfs <options>
      lic <options>
      sic <options>
      snmp <options>

Parameters

  -h
      Shows the entire built-in usage.

  admin <options>
      Configures Check Point system administrators for the Security Management
      Server.
      See "cp_conf admin" on page 88.

  adv_routing <options>
      Enables or disables the Advanced Routing feature on this Security Gateway.
      Important - Do not use these outdated commands. To configure Advanced Routing,
      see the R80.40 Gaia Advanced Routing Administration Guide.

  auto <options>
      Shows and configures the automatic start of Check Point products during boot.
      See "cp_conf auto" on page 91.

  ca <options>
      - Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).
      - Initializes the Internal Certificate Authority (ICA).
      See "cp_conf ca" on page 93.

  client <options>
      Configures the GUI clients that can use SmartConsole to connect to the Security
      Management Server.
      See "cp_conf client" on page 95.

  corexl <options>
      Enables or disables CoreXL on this Security Gateway.
      See "cp_conf corexl" on page 883.

  finger <options>
      Shows the ICA's Fingerprint.
      See "cp_conf finger" on page 99.

  fullha <options>
      Manages a Full High Availability Cluster.
      See "cp_conf fullha" on page 885.

  ha <options>
      Enables or disables cluster membership on this Security Gateway.
      See "cp_conf ha" on page 886.

  intfs <options>
      Sets the topology of interfaces on a Security Gateway, which you manage with
      SmartProvisioning.
      See "cp_conf intfs" on page 887.

  lic <options>
      Manages Check Point licenses.
      See "cp_conf lic" on page 101.

  sic <options>
      Manages SIC on this Security Gateway.
      See "cp_conf sic" on page 890.

  snmp <options>
      Do not use these outdated commands.
      To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System
      Management - Section SNMP.

cp_conf admin
Description
Configures Check Point system administrators for the Security Management Server.

Notes:
- Multi-Domain Server does not support this command.
- Only one administrator can be defined in the "cpconfig" on page 133 menu.
  To define additional administrators, use SmartConsole.
- This command corresponds to the option Administrator in the "cpconfig" on page 133
  menu.

Syntax

cp_conf admin
      -h
      add [<UserName> <Password> {a | w | r}]
      add -gaia [{a | w | r}]
      del <UserName1> <UserName2> ...
      get
      get -gaia

Parameters

  -h
      Shows the applicable built-in usage.

  add [<UserName> <Password> {a | w | r}]
      Adds a Check Point system administrator:
      - <UserName> - Specifies the administrator's username
      - <Password> - Specifies the administrator's password
      - a - Assigns all permissions - read settings, write settings, and manage
        administrators
      - w - Assigns permissions to read and write settings only (cannot manage
        administrators)
      - r - Assigns permissions to only read settings

  add -gaia [{a | w | r}]
      Adds the Gaia administrator user admin:
      - a - Assigns all permissions - read settings, write settings, and manage
        administrators
      - w - Assigns permissions to read and write settings only (cannot manage
        administrators)
      - r - Assigns permissions to only read settings

  del <UserName1> <UserName2> ...
      Deletes the specified system administrators.

  get
      Shows the list of the configured system administrators.

  get -gaia
      Shows the management permissions assigned to the Gaia administrator user admin.

Example 1 - Adding a Check Point system administrator

[Expert@MGMT:0]# cp_conf admin add
Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w

Administrator admin was modified successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

Example 2 - Adding the Gaia administrator user

[Expert@MGMT:0]# cp_conf admin add -gaia
Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r
Administrator admin already exists.

Administrator admin was modified successfully and has
Read Only Permission for all products
[Expert@MGMT:0]#

cp_conf auto
Description
Shows and controls which Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 133 menu.

Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain
Server in the "mdsconfig" on page 676 menu.

Syntax

cp_conf auto
      -h
      {enable | disable} <Product1> <Product2> ...
      get all

Parameters

  -h
      Shows the applicable built-in usage.

  {enable | disable} <Product1> <Product2> ...
      Controls whether the installed Check Point products start automatically during
      boot.
      This command is for Check Point use only.

  get all
      Shows which of these Check Point products start automatically during boot:
      - Check Point Security Gateway
      - QoS (former FloodGate-1)
      - SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all

Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#

Example from a Security Gateway

[Expert@GW:0]# cp_conf auto get all

The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed.

[Expert@GW:0]#

cp_conf ca
Description
- Initializes the Internal Certificate Authority (ICA).
- Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).

Note - On a Security Management Server, this command corresponds to the option
Certificate Authority in the "cpconfig" on page 133 menu.

Note - On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf ca
      -h
      fqdn <FQDN Name>
      init

Parameters

  -h
      Shows the applicable built-in usage.

  fqdn <FQDN Name>
      Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).
      <FQDN Name> is the text string hostname.domainname

  init
      Initializes the Internal Certificate Authority (ICA).

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn MyMGMT.checkpoint.com
Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
MyMGMT.checkpoint.com was successfully set to the Internal CA
[Expert@MyMGMT:0]#

cp_conf client
Description
Configures the GUI clients that are allowed to connect with SmartConsole to the Security Management
Server.

Notes:
- Multi-Domain Server does not support this command.
- This command corresponds to the option GUI Clients in the "cpconfig" on page 133
  menu.

Syntax

cp_conf client
      -h
      add <GUI Client>
      createlist <GUI Client 1> <GUI Client 2> ...
      del <GUI Client 1> <GUI Client 2> ...
      get

Parameters

  -h
      Shows the built-in usage.

  <GUI Client>
      <GUI Client> can be one of these:
      - One IPv4 address (for example, 192.168.10.20), or one IPv6 address (for
        example, 3731:54:65fe:2::a7)
      - One hostname (for example, MyComputer)
      - "Any" - To denote all IPv4 and IPv6 addresses without restriction
      - A range of IPv4 addresses (for example, 192.168.10.0/255.255.255.0), or a
        range of IPv6 addresses (for example, 2001::1/128)
      - IPv4 address wildcard (for example, 192.168.10.*)

  add <GUI Client>
      Adds a GUI client.

  createlist <GUI Client 1> <GUI Client 2> ...
      Deletes the current allowed GUI clients and creates a new list of allowed GUI
      clients.

  del <GUI Client 1> <GUI Client 2> ...
      Deletes the specified GUI clients.

  get
      Shows the allowed GUI clients.

Examples

Example 1 - Configure one IPv4 address

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.15
172.20.168.15 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.15
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.15
172.20.168.15 was deleted successfully
[Expert@MGMT:0]#

Example 2 - Configure one hostname

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost
MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost
MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

Example 3 - Configure "Any"

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"
Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"
Any was deleted successfully
[Expert@MGMT:0]#

Example 4 - Configure a range of IPv4 addresses

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was deleted successfully
[Expert@MGMT:0]#

Example 5 - Configure IPv4 address wildcard

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*
172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*
172.20.168.* was deleted successfully
[Expert@MGMT:0]#

Example 6 - Delete the current list and create a new list of allowed GUI clients

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist 192.168.40.0/255.255.255.0 172.30.40.55
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
192.168.40.0/255.255.255.0
172.30.40.55
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#
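
The five forms a <GUI Client> entry can take are the point of the parameter table above, and two of them ("Any" and an IPv4 wildcard) admit far more SmartConsole hosts than a single address does, which makes the allowed list worth a periodic review. The following script, an added example that is not part of the Check Point guide, classifies each line of `cp_conf client get` output into one of those forms and flags the broad ones. The regular expressions, the constructed sample output and the choice of which forms count as broad are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide: classify the entries that
# "cp_conf client get" prints into the <GUI Client> forms listed in the
# parameter table and flag the ones that admit many SmartConsole hosts at once.
# The regular expressions and the "broad" policy (Any and IPv4 wildcards) are
# this script's own choices.

# classify_gui_client <entry>
# Prints one of: any | ipv4-wildcard | ipv4-range | ipv4 | ipv6-range | ipv6 | hostname
classify_gui_client() {
    local entry="$1"
    local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    local ipv4="$octet\.$octet\.$octet\.$octet"
    if [ "$entry" = "Any" ]; then
        echo any
    elif printf '%s' "$entry" | grep -Eq "^$octet(\.$octet){0,2}(\.\*)+$"; then
        echo ipv4-wildcard                       # for example 192.168.10.*
    elif printf '%s' "$entry" | grep -Eq "^$ipv4/$ipv4$"; then
        echo ipv4-range                          # address/dotted netmask
    elif printf '%s' "$entry" | grep -Eq "^$ipv4$"; then
        echo ipv4
    elif printf '%s' "$entry" | grep -Eq '^[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*/[0-9]{1,3}$'; then
        echo ipv6-range                          # address/prefix length
    elif printf '%s' "$entry" | grep -Eq '^[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*$'; then
        echo ipv6
    else
        echo hostname
    fi
}

# audit_gui_clients < output-of-"cp_conf client get"
# Prints "<kind><TAB><entry>" per entry, with "<TAB>BROAD" appended for entries
# to review, then a summary line "broad entries: N".
audit_gui_clients() {
    local entry kind broad=0
    while IFS= read -r entry; do
        case "$entry" in
            ''|"There are no GUI Clients"*|\[Expert@*) continue ;;  # skip empty, message and prompt lines
        esac
        kind="$(classify_gui_client "$entry")"
        case "$kind" in
            any|ipv4-wildcard)
                printf '%s\t%s\tBROAD\n' "$kind" "$entry"
                broad=$((broad + 1)) ;;
            *)  printf '%s\t%s\n' "$kind" "$entry" ;;
        esac
    done
    echo "broad entries: $broad"
}

# Constructed sample of "cp_conf client get" output (not captured from a real
# system); on a Security Management Server pipe the real command instead.
SAMPLE_GUI_CLIENTS='192.168.40.0/255.255.255.0
172.30.40.55
3731:54:65fe:2::a7
2001::1/128
MySmartConsoleHost
172.20.168.*
Any'

printf '%s\n' "$SAMPLE_GUI_CLIENTS" | audit_gui_clients
```

On a live server the pipeline is `cp_conf client get | audit_gui_clients`; an entry flagged BROAD is not necessarily wrong, but it is the one to confirm against the change record, since `createlist` replaces the whole list in a single step.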

cp_conf finger
Description
Shows the Internal Certificate Authority's Fingerprint.
This fingerprint is a text string derived from the ICA certificate on the Security Management Server,
Multi-Domain Server, or Domain Management Server.
This fingerprint verifies the identity of the Security Management Server, Multi-Domain Server, or Domain
Management Server when you connect to it with SmartConsole.

Note - This command corresponds to the option Certificate's Fingerprint in the
"cpconfig" on page 133 menu.

Note - On a Multi-Domain Server:
- To see the fingerprint of the Multi-Domain Server, this command corresponds to
  the option Certificate's Fingerprint in the "mdsconfig" on page 676 menu.
- You can run this command in these contexts:
  - To see the fingerprint of the Multi-Domain Server, run it in the context of
    the Multi-Domain Server:

    mdsenv

  - To see the fingerprint of a Domain Management Server, run it in the context
    of the applicable Domain Management Server:

    mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf finger
      -h
      get

Parameters

  -h
      Shows the applicable built-in usage.

  get
      Shows the ICA's Fingerprint.

Example

[Expert@MGMT:0]# cp_conf finger get
EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#

cp_conf lic
Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 133 menu.

Note - On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf lic
      -h
      add -f <Full Path to License File>
      add -m <Host> <Date> <Signature Key> <SKU/Features>
      del <Signature Key>
      get [-x]

Parameters

  -h
      Shows the applicable built-in usage.

  add -f <Full Path to License File>
      Adds a license from the specified Check Point license file.
      You get this license file in the Check Point User Center.
      This is the same command as the "cplic db_add" on page 144.

  add -m <Host> <Date> <Signature Key> <SKU/Features>
      Adds the license manually.
      You get these license details in the Check Point User Center.
      This is the same command as the "cplic db_add" on page 144.

  del <Signature Key>
      Deletes the license based on its signature.
      This is the same command as the "cplic del" on page 149.

  get [-x]
      Shows the locally installed licenses.
      If you specify the "-x" parameter, the output also shows the signature key for
      every installed license.
      This is the same command as the "cplic print" on page 153.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic
License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get
Host          Expiration  Signature                             Features
192.168.3.28  25Aug2019   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get
Host          Expiration  Signature                             Features
192.168.3.28  25Aug2019   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  CPMP-XXX
[Expert@MyHostName:0]#
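
The `cp_conf lic get` table shown above (Host, Expiration, Signature, Features) is easy to parse, which makes it a convenient input for a scheduled check that warns before a license expires and a gateway silently loses the entitlements that go with it. The following script, an added example that is not part of the Check Point guide, reads that output on stdin and prints every license that expires within a given number of days of a reference date. The date arithmetic is done in awk with Julian day numbers so it does not depend on GNU `date`. The sample output is constructed, the `never` value for a permanent license is an assumption (it is not stated on this page), and the function name is this example's own.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide: parse the table that
# "cp_conf lic get" prints (Host, Expiration, Signature, Features) and report
# licenses that have expired or expire within a given number of days.
# Assumption (not stated on this page): a permanent license shows "never" in
# the Expiration column; such lines are never flagged.

# Constructed sample output, modelled on the examples above (not from a real system).
SAMPLE_LIC_OUTPUT='Host          Expiration  Signature                             Features
192.168.3.28  25Aug2019   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  CPMP-XXX
192.168.3.28  31Dec2020   yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy  CPSB-XXX
192.168.3.28  never       zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz  CPSG-XXX'

# licenses_expiring_within DAYS YYYY-MM-DD < output-of-"cp_conf lic get"
# Prints "<host> <expiration> <features> expires in N days" for every license
# whose expiration is at most DAYS after the reference date (N < 0 means it has
# already expired); prints nothing for licenses outside the window.
licenses_expiring_within() {
    awk -v days="$1" -v today="$2" '
        # Gregorian calendar date -> Julian day number, integer arithmetic only
        function jdn(y, m, d,    a, yy, mm) {
            a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
            return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        }
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= 12; i++) mon[names[i]] = i
            split(today, t, "-"); ref = jdn(t[1] + 0, t[2] + 0, t[3] + 0)
        }
        $1 == "Host" || NF < 4 { next }     # table header or malformed line
        $2 == "never"          { next }     # permanent license (assumption, see above)
        # Expiration looks like 25Aug2019: 1-2 digit day, 3-letter month, 4-digit year
        match($2, /^[0-9][0-9]?[A-Za-z][A-Za-z][A-Za-z][0-9][0-9][0-9][0-9]$/) {
            d = substr($2, 1, length($2) - 7) + 0
            m = mon[substr($2, length($2) - 6, 3)]
            y = substr($2, length($2) - 3) + 0
            left = jdn(y, m, d) - ref
            if (left <= days) printf "%s %s %s expires in %d days\n", $1, $2, $4, left
        }'
}

# Demonstration on the constructed sample with a fixed reference date.
printf '%s\n' "$SAMPLE_LIC_OUTPUT" | licenses_expiring_within 60 2019-07-01
```

For a scheduled check on a real host, use `cp_conf lic get | licenses_expiring_within 30 "$(date +%Y-%m-%d)"` and alert when the function prints anything; an empty result means no license is within the window.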

cp_log_export
Description
Exports Check Point logs over syslog.
For more information, see sk122323 and the R80.40 Logging and Monitoring Administration Guide.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_log_export

cp_log_export <command-name> help

Parameters

  No parameters
      Shows the built-in general help.

  <command-name> help
      Shows the built-in help for the specified internal command.

Internal Commands

  add
      Deploy a new Check Point Log Exporter.

  delete
      Remove an exporter.

  reexport
      Reset the current position and reexport all logs per the configuration.

  restart
      Restart an exporter process.

  set
      Update an existing exporter's configuration.

  show
      Print an exporter's current configuration.

  start
      Start an exporter process.

  status
      Show an exporter's overview status.

  stop
      Stop an exporter process.

Internal Command Arguments

For each argument, the "Required" line states whether it is Mandatory, Optional or not
applicable (N/A) for the "add" command, the "set" command, the "delete" command, the
"show", "status", "start", "stop" and "restart" commands, and the "reexport" command.

  apply-now
      Applies any change that was done immediately.
      Required: add - Optional; set - Optional; delete - Mandatory;
      show/status/start/stop/restart - N/A; reexport - Mandatory

  ca-cert
      Full path to the CA certificate file *.pem.
      Applicable only when the value of the "encrypted" argument is "true".
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  client-cert
      Full path to the client certificate *.p12.
      Applicable only when the value of the "encrypted" argument is "true".
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  client-secret
      The challenge phrase used to create the client certificate *.p12.
      Applicable only when the value of the "encrypted" argument is "true".
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  domain-server
      The name or IP address of the applicable Domain Management Server.
      Required: add - Mandatory; set - Mandatory; delete - Mandatory;
      show/status/start/stop/restart - Optional (by default, applies to all);
      reexport - Mandatory

  enabled
      Allow the Log Exporter to start when you run the "cpstart" on page 196 or
      "mdsstart" on page 684 command.
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  encrypted
      Use TLS (SSL) encryption to export the logs.
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  export-attachment-link
      Add a field to the exported log that represents a link to SmartView that shows
      the log card and automatically opens the attachment.
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  export-link
      Add a field to the exported log that represents a link to SmartView that shows
      the log card.
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  export-link-ip
      Make the links to SmartView use a custom IP address (for example, for a Log
      Server behind NAT).
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  format
      The format, in which the logs are exported.
      Required: add - Optional; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  name
      Unique name of the exporter configuration.
      Required: add - Mandatory; set - Mandatory; delete - Mandatory;
      show/status/start/stop/restart - Optional (by default, applies to all);
      reexport - Mandatory

  protocol
      Transport protocol to use.
      Required: add - Mandatory; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  target-port
      The port on the target server, to which you export the logs.
      Required: add - Mandatory; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A

  target-server
      The IP address of the target server, to which you export the logs.
      Required: add - Mandatory; set - Optional; delete - N/A;
      show/status/start/stop/restart - N/A; reexport - N/A
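
The Mandatory/Optional matrix above, together with the rule that ca-cert, client-cert and client-secret apply only when encrypted is true, can be checked before an exporter is deployed rather than discovered from the tool's error output. The following function, an added example that is not part of the Check Point guide or of the Log Exporter tool, assembles a `cp_log_export add` command line from key=value words, validates it against those rules and prints the result as a dry run instead of running it. The key=value input form, the exit codes, and the decision to require all three certificate arguments on an encrypted exporter (and to accept domain-server without requiring it, since it only applies on a Multi-Domain Server) are this example's own assumptions; the values accepted for protocol and format are not covered here and come from the built-in help or sk122323.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide or of the Log Exporter tool:
# build a "cp_log_export add" command line from key=value words and validate it
# against the argument table above before anything is changed on the server.
# Rules applied (from the table): name, target-server, target-port and protocol
# are Mandatory for "add"; ca-cert, client-cert and client-secret apply only
# when encrypted is true. Assumptions of this script: an encrypted exporter must
# carry all three certificate arguments; domain-server is accepted but not
# required (it is only meaningful on a Multi-Domain Server); values must not
# contain whitespace, because the dry-run output does not quote them.

# build_log_export_add key=value ...   -> prints "cp_log_export add ..." (dry run)
# Exit codes: 0 ok, 1 validation failure, 2 unknown argument name.
build_log_export_add() {
    local arg key value
    local encrypted=false
    local name='' target_server='' target_port='' protocol=''
    local ca_cert='' client_cert='' client_secret=''
    local cmd="cp_log_export add"
    for arg in "$@"; do
        key="${arg%%=*}"
        value="${arg#*=}"
        case "$key" in
            name)          name="$value" ;;
            target-server) target_server="$value" ;;
            target-port)   target_port="$value" ;;
            protocol)      protocol="$value" ;;
            encrypted)     encrypted="$value" ;;
            ca-cert)       ca_cert="$value" ;;
            client-cert)   client_cert="$value" ;;
            client-secret) client_secret="$value" ;;
            format|domain-server|enabled|export-link|export-link-ip|export-attachment-link|apply-now) ;;
            *) echo "unknown cp_log_export argument: $key" >&2; return 2 ;;
        esac
        cmd="$cmd $key $value"
    done

    # Mandatory arguments for the "add" command, per the table.
    local missing=''
    [ -n "$name" ]          || missing="$missing name"
    [ -n "$target_server" ] || missing="$missing target-server"
    [ -n "$target_port" ]   || missing="$missing target-port"
    [ -n "$protocol" ]      || missing="$missing protocol"
    if [ -n "$missing" ]; then
        echo "missing mandatory argument(s) for add:$missing" >&2
        return 1
    fi
    case "$target_port" in
        *[!0-9]*) echo "target-port must be numeric: $target_port" >&2; return 1 ;;
    esac

    # Certificate arguments are tied to encrypted=true by the table.
    if [ "$encrypted" = true ]; then
        if [ -z "$ca_cert" ] || [ -z "$client_cert" ] || [ -z "$client_secret" ]; then
            echo "encrypted true requires ca-cert, client-cert and client-secret" >&2
            return 1
        fi
    elif [ -n "$ca_cert$client_cert$client_secret" ]; then
        echo "ca-cert, client-cert and client-secret are only applicable with encrypted true" >&2
        return 1
    fi
    echo "$cmd"
}
```

A typical use is `build_log_export_add name=siem1 target-server=192.0.2.10 target-port=6514 protocol=tcp encrypted=true ca-cert=/path/ca.pem client-cert=/path/client.p12 client-secret=... && eval "$(build_log_export_add ...)"`; the dry-run line is what gets written to the change record, and the same key=value file can be reused for `cp_log_export set`.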

cpca_client
Description
Execute operations on the Internal Certificate Authority (ICA).

Note - On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d]
      create_cert <options>
      double_sign <options>
      get_crldp <options>
      get_pubkey <options>
      init_certs <options>
      lscert <options>
      revoke_cert <options>
      revoke_non_exist_cert <options>
      search <options>
      set_mgmt_tool <options>
      set_sign_hash <options>

Parameters

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the output to a file,
      or use the script command to save the entire CLI session.

  create_cert <options>
      Issues a SIC certificate for the Security Management Server or Domain
      Management Server.
      See "cpca_client create_cert" on page 110.

  double_sign <options>
      Creates a second signature for a certificate.
      See "cpca_client double_sign" on page 112.

  get_crldp <options>
      Shows how to access a CRL file from a CRL Distribution Point.
      See "cpca_client get_crldp" on page 114.

  get_pubkey <options>
      Saves the encoding of the public key of the ICA's certificate to a file.
      See "cpca_client get_pubkey" on page 115.

  init_certs <options>
      Imports a list of DNs for users and creates a file with registration keys for
      each user.
      See "cpca_client init_certs" on page 116.

  lscert <options>
      Shows all certificates issued by the ICA.
      See "cpca_client lscert" on page 117.

  revoke_cert <options>
      Revokes a certificate issued by the ICA.
      See "cpca_client revoke_cert" on page 120.

  revoke_non_exist_cert <options>
      Revokes a non-existent certificate issued by the ICA.
      See "cpca_client revoke_non_exist_cert" on page 123.

  search <options>
      Searches for certificates in the ICA.
      See "cpca_client search" on page 124.

  set_mgmt_tool <options>
      Controls the ICA Management Tool.
      See "cpca_client set_mgmt_tool" on page 127.

  set_sign_hash <options>
      Sets the hash algorithm that the CA uses to sign the file hash.
      See "cpca_client set_sign_hash" on page 130.

cpca_client create_cert
Description
Issues a SIC certificate for the Security Management Server or Domain Management Server.

Note - On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common Name>"
      -f <Full Path to PKCS12 file> [-w <Password>] [-k {SIC | USER | IKE | ADMIN_PKG}]
      [-c "<Comment for Certificate>"]

Parameters

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the output to a file,
      or use the script command to save the entire CLI session.

  -p <CA port number>
      Specifies the TCP port on the Security Management Server or Domain Management
      Server, which is used to connect to the Certificate Authority.
      The default TCP port number is 18209.

  -n "CN=<Common Name>"
      Sets the CN to the specified <Common Name>.

  -f <Full Path to PKCS12 file>
      Specifies the PKCS12 file, which stores the certificate and keys.

  -w <Password>
      Optional. Specifies the certificate password.

  -k {SIC | USER | IKE | ADMIN_PKG}
      Optional. Specifies the certificate kind.

  -c "<Comment for Certificate>"
      Optional. Specifies the certificate comment (must enclose in double quotes).

Example

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

cpca_client double_sign
Description
Creates a second signature for a certificate.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate File in PEM format> [-o <Full Path to Output File>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Certificate File in PEM format>
    Imports the specified certificate (only in PEM format).

-o <Full Path to Output File>
    Optional. Saves the certificate into the specified file.

Example

[Expert@MGMT:0]# cpca_client double_sign -i certificate.pem

Requesting Double Signature for the following Certificate:

refCount: 1
Subject: [email protected],CN=http://www.example.com/,OU=ValiCert Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:

======================
(
: (
:dn ("[email protected],CN=http://www.example.com/,OU=exampleOU Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#

cpca_client get_crldp
Description
Shows how to access a CRL file from a CRL Distribution Point.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_crldp [-p <CA port number>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

Example

[Expert@MGMT:0]# cpca_client get_crldp
192.168.3.51
[Expert@MGMT:0]#

cpca_client get_pubkey
Description
Saves the encoding of the public key of the ICA's certificate to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to Output File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

<Full Path to Output File>
    Saves the encoding of the public key of the ICA's certificate to the specified file.

Example

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/key.txt
[Expert@MGMT:0]#
[Expert@MGMT:0]# cat /tmp/key.txt
3082010a... ... ...f98b8910
[Expert@MGMT:0]#

cpca_client init_certs
Description
Imports a list of Distinguished Names (DN) for users and creates a file with registration keys for each user.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to Input File> -o <Full Path to Output File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Full Path to Input File>
    Imports the specified file.
    Make sure to use the full path.
    Make sure that there is an empty line between each DN in the specified file.
    Example:

    ...CN=test1,OU=users...
    <Empty Line>
    ...CN=test2,OU=users...

-o <Full Path to Output File>
    Saves the registration keys to the specified file.
    This command saves the error messages in the <Name of Output File>.failures file in the same directory.

cpca_client lscert
Description
Shows all certificates issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid | Revoked | Expired | Renewed}]
      [-kind {SIC | IKE | User | LDAP}] [-ser <Certificate Serial Number>]
      [-dp <Certificate Distribution Point>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <SubString>
    Optional. Filters the search results to those with a DN that matches the specified <SubString>.
    This command does not support multiple values.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Filters the search results to those with certificate status that matches the specified status.
    This command does not support multiple values.

-kind {SIC | IKE | User | LDAP}
    Optional. Filters the search results to those with certificate kind that matches the specified kind.
    This command does not support multiple values.

-ser <Certificate Serial Number>
    Optional. Filters the search results to those with certificate serial number that matches the specified serial number.
    This command does not support multiple values.

-dp <Certificate Distribution Point>
    Optional. Filters the search results to the specified Certificate Distribution Point (CDP).
    This command does not support multiple values.

Example

[Expert@MGMT:0]# cpca_client lscert -stat Revoked
Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client lscert -kind IKE
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

cpca_client revoke_cert
Description
Revokes a certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common Name>" -s <Certificate Serial Number>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>"
    Specifies the certificate CN.
    To get the CN, run the "cpca_client lscert" on page 117 command and examine the text that you see between the "Subject =" and the ",O=...".

    Example

    From this output:

    Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
    Status = Valid Kind = IKE Serial = 27214 DP = 1
    Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

    you get this syntax:

    -n "CN=VS1 VPN Certificate"

    Note - You can use the parameter "-n" only, or together with the parameter "-s".

-s <Certificate Serial Number>
    Specifies the certificate serial number.
    To see the serial number, run the "cpca_client lscert" on page 117 command.

    Note - You can use the parameter "-s" only, or together with the parameter "-n".

Example 1 - Revoking a certificate specified by its CN

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#

Example 2 - Revoking a certificate specified by its serial number

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#

cpca_client revoke_non_exist_cert
Description
Revokes a non-existent certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input File>

Parameters

-d
    Runs the cpca_client command under debug.

-i <Full Path to Input File>
    Specifies the file that contains the list of the certificates to revoke.
    You must create this file in the same format as the "cpca_client lscert" on page 117 command prints its output.

    Example

    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 30287 DP = 0
    Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
    <Empty Line>
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 60870 DP = 0
    Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri Apr 7 19:40:13 2023

    Note - This command saves the error messages in the <Name of Input File>.failures file.
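The following Python is an added example and is not part of the Check Point guide. It parses the record layout that cpca_client lscert prints (the same layout, plus optional Fingerprint/Thumbprint lines, comes from cpca_client search), extracts the CN the way the revoke_cert section describes, lists the valid certificates that expire within a given number of days, and writes the selected records back in the lscert layout that revoke_non_exist_cert -i requires. The sample output is copied from the guide's lscert example; the helper names and AUDIT_DATE are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the records from the guide's "cpca_client lscert -kind IKE" example.
SAMPLE_LSCERT_OUTPUT = """\
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr  9 19:36:31 2018 Not_After: Sun Apr  9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
"""

# Constructed "as of" date for the expiry check, so the demo is reproducible (assumption).
AUDIT_DATE = datetime(2023, 3, 1)

STATUS_RE = re.compile(
    r"Status\s*=\s*(\S+)\s+Kind\s*=\s*(\S+)\s+Serial\s*=\s*(\d+)\s+DP\s*=\s*(\d+)")
DATES_RE = re.compile(r"Not_Before:\s*(.+?)\s+Not_After:\s*(.+)$")
CTIME_FMT = "%a %b %d %H:%M:%S %Y"  # asctime() layout used in the ICA output


def _parse_ctime(text):
    # asctime() pads single-digit days with a second space; collapse it first.
    return datetime.strptime(" ".join(text.split()), CTIME_FMT)


def parse_lscert(text):
    """Return one dict per certificate record in lscert (or search) output.

    A record is a block of lines separated by an empty line whose first line
    starts with "Subject = ". Banner lines ("Operation succeeded", "N certs
    found") and the Fingerprint/Thumbprint lines that search adds are skipped.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].startswith("Subject = "):
            continue
        rec = {"subject": lines[0][len("Subject = "):]}
        for ln in lines[1:]:
            m = STATUS_RE.match(ln)
            if m:
                rec["status"], rec["kind"] = m.group(1), m.group(2)
                rec["serial"], rec["dp"] = int(m.group(3)), int(m.group(4))
                continue
            m = DATES_RE.match(ln)
            if m:
                rec["not_before"] = _parse_ctime(m.group(1))
                rec["not_after"] = _parse_ctime(m.group(2))
        if "status" in rec and "not_after" in rec:
            records.append(rec)
    return records


def cn_of(subject):
    """The CN as the guide tells you to read it: the text between "Subject ="
    and ",O=...", minus the leading "CN="."""
    head = subject.split(",O=", 1)[0]
    return head[len("CN="):] if head.startswith("CN=") else head


def revoke_cert_argv(rec):
    """argv for cpca_client revoke_cert naming the certificate by CN and serial.
    A list, not a shell string, so a CN containing spaces needs no quoting."""
    return ["cpca_client", "revoke_cert",
            "-n", "CN=" + cn_of(rec["subject"]), "-s", str(rec["serial"])]


def expiring_within(records, days, now=None):
    """Valid certificates whose Not_After is no more than `days` after `now`."""
    deadline = (now or datetime.now()) + timedelta(days=days)
    return [r for r in records
            if r["status"] == "Valid" and r["not_after"] <= deadline]


def to_lscert_format(records):
    """Write records back in the lscert layout, one empty line between them:
    the input file format that cpca_client revoke_non_exist_cert -i expects."""
    blocks = []
    for r in records:
        blocks.append("\n".join([
            "Subject = " + r["subject"],
            "Status = {status} Kind = {kind} Serial = {serial} DP = {dp}".format(**r),
            "Not_Before: %s Not_After: %s" % (r["not_before"].ctime(),
                                             r["not_after"].ctime()),
        ]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    certs = parse_lscert(SAMPLE_LSCERT_OUTPUT)
    soon = expiring_within(certs, 60, AUDIT_DATE)
    for rec in soon:
        print("expires %s: %s" % (rec["not_after"].date(), " ".join(revoke_cert_argv(rec))))
    print(to_lscert_format(soon))  # ready to be saved as the -i file for revoke_non_exist_cert
```

On a live server, feed the parser with the captured output of cpca_client lscert instead of the sample string.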

cpca_client search
Description
Searches for certificates in the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] search <String> [-where {dn | comment | serial | device_type | device_id | device_name}]
      [-kind {SIC | IKE | User | LDAP}] [-stat {Pending | Valid | Revoked | Expired | Renewed}]
      [-max <Maximal Number of Results>] [-showfp {y | n}]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<String>
    Specifies the text to search in the certificates.
    You can enter only one text string that does not contain spaces.

-where {dn | comment | serial | device_type | device_id | device_name}
    Optional. Specifies the certificate's field, in which to search for the string:
    - dn - Certificate DN
    - comment - Certificate comment
    - serial - Certificate serial number
    - device_type - Device type
    - device_id - Device ID
    - device_name - Device Name
    The default is to search in all fields.

-kind {SIC | IKE | User | LDAP}
    Optional. Specifies the certificate kind to search.
    You can enter multiple values in this format: -kind <Kind1> <Kind2> <Kind3>
    The default is to search for all kinds.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Specifies the certificate status to search.
    You can enter multiple values in this format: -stat <Status1> <Status2> <Status3>
    The default is to search for all statuses.

-max <Maximal Number of Results>
    Optional. Specifies the maximal number of results to show.
    - Range: 1 and greater
    - Default: 200

-showfp {y | n}
    Optional. Specifies whether to show the certificate's fingerprint and thumbprint:
    - y - Shows the fingerprint and thumbprint (this is the default)
    - n - Does not show the fingerprint and thumbprint

Example 1

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

Example 2

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

Example 3

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn -showfp n
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#

cpca_client set_mgmt_tool
Description
Controls the ICA Management Tool.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

See:
- sk30501: Setting up the ICA Management Tool
- sk39915: Invoking the ICA Management Tool
- sk102837: Best Practices - ICA Management Tool configuration

Syntax

cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean | print} [-p <CA port number>]
      {[-a <Administrator DN>] | [-u <User DN>] | [-c <Custom User DN>]}

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

on
    Starts the ICA Management Tool.

off
    Stops the ICA Management Tool.

add
    Adds the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

remove
    Removes the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

clean
    Removes all administrators, users, or custom users that are permitted to use the ICA Management Tool.

print
    Shows the configured administrators, users, or custom users that are permitted to use the ICA Management Tool.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18265.

-a <Administrator DN>
    Optional. Specifies the DN of the administrator that is permitted to use the ICA Management Tool.
    Must specify the full DN as appears in SmartConsole.

    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields

    Example:
    -a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"

-u <User DN>
    Optional. Specifies the DN of the user that is permitted to use the ICA Management Tool.
    Must specify the full DN as appears in SmartConsole.

    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields

    Example:
    -u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

-c <Custom User DN>
    Optional. Specifies the DN for the custom user that is permitted to use the ICA Management Tool.
    Must specify the full DN as appears in SmartConsole.

    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields

    Example:
    -c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

Note - If you run the "cpca_client set_mgmt_tool" command without the parameter "-a" or "-u", the list of the permitted administrators and users is not changed. The previously defined permitted administrators and users can start and stop the ICA Management Tool.

cpca_client set_sign_hash
Description
Sets the hash algorithm that the CA uses to sign the file hash. Also, see sk103840.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}

Important - After this change, you must restart the Check Point services with these commands:
- On Security Management Server, run:
  1. cpstop
  2. cpstart
- On a Multi-Domain Server, run:
  1. mdsstop_customer <Name or IP Address of Domain Management Server>
  2. mdsstart_customer <Name or IP Address of Domain Management Server>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{sha1 | sha256 | sha384 | sha512}
    The hash algorithm that the CA uses to sign the file hash.
    The default algorithm is SHA-256.

Example

[Expert@MGMT:0]# cpca_client set_sign_hash sha256
You have selected the signature hash function SHA-256
WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.

Are you sure? (y/n)
y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this has no security implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart

cpca_create
Description
Creates new Check Point Internal Certificate Authority database.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_create [-d] -dn <CA DN>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <CA DN>
    Specifies the Certificate Authority Distinguished Name (DN).

cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool lets you configure specific settings for the installed Check Point products.

Syntax

cpconfig

Note - On a Multi-Domain Server, run the "mdsconfig" on page 676 command.

Menu Options

Note - The options shown depend on the configuration and installed products.

Licenses and contracts
    Manages Check Point licenses and contracts on this server.

Administrator
    Configures Check Point system administrators for this server.

GUI Clients
    Configures the GUI clients that can use SmartConsole to connect to this server.

SNMP Extension
    Obsolete. Do not use this option anymore.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System Management - Section SNMP.

Random Pool
    Configures the RSA keys, to be used by Gaia Operating System.

Certificate Authority
    Initializes the Internal Certificate Authority (ICA) and configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).

Certificate's Fingerprint
    Shows the ICA's Fingerprint.
    This fingerprint is a text string derived from the server's ICA certificate.
    This fingerprint verifies the identity of the server when you connect to it with SmartConsole.

Automatic start of Check Point Products
    Shows and controls which of the installed Check Point products start automatically during boot.

Exit
    Exits from the Check Point Configuration Tool.

Example - Menu on a Security Management Server

[Expert@MyMGMT:0]# cpconfig
This program will let you re-configure
your Check Point Security Management Server configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) Random Pool
(6) Certificate Authority
(7) Certificate's Fingerprint
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

cpinfo
Description
A utility that collects diagnostics data on your Check Point computer at the time of execution.
It is mandatory to collect this data when you contact Check Point Support about an issue on your Check Point computer.
For more information, see sk92739.

cplic
Description
The cplic command lets you manage Check Point licenses.
You can run this command in Gaia Clish or in the Expert mode.
License Management is divided into three types of commands:

Local licensing commands
    Applies to: Management Servers, Security Gateways and Cluster Members.
    You execute these commands locally on the Check Point computers.

Remote licensing commands
    Applies to: Management Servers only.
    You execute these commands on the Security Management Server or Domain Management Server.
    These changes affect the managed Security Gateways and Cluster Members.

License Repository commands
    Applies to: Management Servers only.
    You execute these commands on the Security Management Server or Domain Management Server.
    These changes affect the licenses stored in the local license repository.

For more about managing licenses, see the R80.40 Security Management Administration Guide.

Syntax for Local Licensing on a Management Server itself

cplic [-d]
{-h | -help}
      check <options>
      contract <options>
      del <options>
      print <options>
      put <options>

Syntax for Remote Licensing on managed Security Gateways and Cluster Members

cplic [-d]
{-h | -help}
      del <options>
      get <options>
      put <options>
      upgrade <options>

Syntax for License Database Operations on a Management Server

cplic [-d]
{-h | -help}
      db_add <options>
      db_print <options>
      db_rm <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the applicable built-in usage.

check <options>
    Confirms that the license includes the feature on the local Security Gateway or Management Server.
    See "cplic check" on page 140.

contract <options>
    Manages (deletes and installs) the Check Point Service Contract on the local Check Point computer.
    See "cplic contract" on page 142.

db_add <options>
    Applies only to a Management Server.
    Adds licenses to the license repository on the Management Server.
    See "cplic db_add" on page 144.

db_print <options>
    Applies only to a Management Server.
    Shows the details of Check Point licenses stored in the license repository on the Management Server.
    See "cplic db_print" on page 146.

db_rm <options>
    Applies only to a Management Server.
    Removes a license from the license repository on the Management Server.
    See "cplic db_rm" on page 148.

del <options>
    Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
    See "cplic del" on page 149.

del <Object Name> <options>
    Detaches a Central license from a remote managed Security Gateway or Cluster Member.
    See "cplic del <object name>" on page 150.

get <options>
    Applies only to a Management Server.
    Retrieves all licenses from managed Security Gateways and Cluster Members into the license repository on the Management Server.
    See "cplic get" on page 151.

print <options>
    Prints details of the installed Check Point licenses on the local Check Point computer.
    See "cplic print" on page 153.

put <options>
    Installs and attaches licenses on a Check Point computer.
    See "cplic put" on page 155.

put <Object Name> <options>
    Attaches one or more Central or Local licenses to a remote managed Security Gateway or Cluster Member.
    See "cplic put <object name>" on page 157.

upgrade <options>
    Applies only to a Management Server.
    Upgrades licenses in the license repository with licenses in the specified license file.
    See "cplic upgrade" on page 160.

cplic check
Description
Confirms that the license includes the feature on the local Security Gateway or Management Server. See
sk66245.

Syntax

cplic check {-h | -help}

cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t
<Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <Product>
    Product, for which license information is requested.
    Some examples of products:
    - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member (all blades), or Management Server (all blades)
    - mgmt - Multi-Domain Server infrastructure
    - services - Entitlement for various services
    - cvpn - Mobile Access
    - etm - QoS (FloodGate-1)
    - eps - Endpoint Software Blades on Management Server

-v <Version>
    Product version, for which license information is requested.

{-c | -count}
    Outputs the number of licenses connected to this feature.

-t <Date>
    Checks license status on a future date.
    Use the format ddmmyyyy.
    A feature can be valid on a given date on one license, but invalid on another.

{-r | -routers}
    Checks how many routers are allowed.
    The <Feature> option is not needed.

{-S | -SRusers}
    Checks how many SecuRemote users are allowed.

<Feature>
    Feature, for which license information is requested.

Example from a Management Server

[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1
fw1:6.0:rt fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit
fw1:6.0:prov fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u
fw1:6.0:remote1 fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt
fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability

[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

Example from a Security Gateway

[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf
fw1:6.0:av fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect
fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited
fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam
fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm
fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member

[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#

cplic contract
Description
Deletes or installs the Check Point Service Contract on the local Check Point computer.

Note
- For more information about Service Contract files, see sk33089: What is a Service Contract File?
- If you install a Service Contract on a managed Security Gateway / Cluster Member, you must update the license repository on the applicable Management Server - either with the "cplic get" on page 151 command, or in SmartUpdate.

Syntax

cplic contract -h

cplic [-d] contract
      del
            -h
            <Service Contract ID>
      put
            -h
            [{-o | -overwrite}] <Service Contract File>

Parameters

Parameter                  Description
{-h | -help}               Shows the applicable built-in usage.
-d                         Runs the command in debug mode.
                           Use only if you troubleshoot the command itself.
                           Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
del                        Deletes the Service Contract from the $CPDIR/conf/cp.contract file on the local Check Point computer.
put                        Merges the Service Contract to the $CPDIR/conf/cp.contract file on the local Check Point computer.
<Service Contract ID>      ID of the Service Contract.
{-o | -overwrite}          Specifies to overwrite the current Service Contract.
<Service Contract File>    Path to and the name of the Service Contract file.
                           First, you must download the Service Contract file from your Check Point User Center account.

cplic db_add
Description
Adds licenses to the license repository on the Management Server.
When you add Local licenses to the license repository, the Management Server automatically attaches them to the managed Security Gateway / Cluster Member with the matching IP address.
When you add Central licenses, you must attach them manually.

Note - You get the license details in the Check Point User Center.

Syntax

cplic db_add {-h | -help}

cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

Parameter            Description
{-h | -help}         Shows the applicable built-in usage.
-d                   Runs the command in debug mode.
                     Use only if you troubleshoot the command itself.
                     Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
-l <License File>    Name of the file that contains the license.
<Host>               Hostname or IP address of the Security Management Server / Domain Management Server.
<Expiration Date>    The license expiration date.
<Signature>          The license signature string.
                     For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
                     Case sensitive. Hyphens are optional.
<SKU/Features>       The SKU of the license summarizes the features included in the license.
                     For example: CPSUITE-EVAL-3DES-vNG

Example
If the file 192.0.2.11.lic contains one or more licenses, the command "cplic db_add -l 192.0.2.11.lic" produces output similar to:

[Expert@MGMT]# cplic db_add -l 192.0.2.11.lic
Adding license to database ...
Operation Done
[Expert@MGMT]#

cplic db_print
Description
Shows the details of Check Point licenses stored in the license repository on the Management Server.

Syntax

cplic db_print {-h | -help}

cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x] [{-t | -type}] [{-a | -attached}]

Parameters

Parameter           Description
{-h | -help}        Shows the applicable built-in usage.
-d                  Runs the command in debug mode.
                    Use only if you troubleshoot the command itself.
                    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
<Object Name>       Prints only the licenses attached to <Object Name>.
                    <Object Name> is the name of the Security Gateway / Cluster Member object as defined in SmartConsole.
-all                Prints all the licenses in the license repository.
{-n | -noheader}    Prints licenses with no header.
-x                  Prints licenses with their signatures.
{-t | -type}        Prints licenses with their type: Central or Local.
{-a | -attached}    Shows to which object the license is attached.
                    Useful if the parameter "-all" is specified.

Example

[Expert@MGMT:0]# cplic db_print -all
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#

cplic db_rm
Description
Removes a license from the license repository on the Management Server.
After you remove the license from the repository, it can no longer be used.

Warning - You can run this command ONLY after you detach the license with the "cplic del" on page 149 command.

Syntax

cplic db_rm {-h | -help}

cplic [-d] db_rm <Signature>

Parameters

Parameter        Description
{-h | -help}     Shows the applicable built-in usage.
-d               Runs the command in debug mode.
                 Use only if you troubleshoot the command itself.
                 Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
<Signature>      The signature string within the license.
                 To see the license signature string, run the "cplic print" on page 153 command.

Example
[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic del
Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
This command can delete a license both on the local computer and on remote managed computers.

Syntax

cplic del {-h | -help}

cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

Parameter           Description
{-h | -help}        Shows the applicable built-in usage.
-d                  Runs the command in debug mode.
                    Use only if you troubleshoot the command itself.
                    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
-F <Output File>    Saves the command output to the specified file.
<Signature>         The signature string within the license.
                    To see the license signature string, run the "cplic print" on page 153 command.
<Object Name>       The name of the Security Gateway / Cluster Member object as defined in SmartConsole.

cplic del <object name>
Description
Detaches a Central license from a remote managed Security Gateway or Cluster Member.
When you run this command, it automatically updates the license repository.
The Central license remains in the license repository as an unattached license.

Syntax

cplic del {-h | -help}

cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP Address>] <Signature>

Parameters

Parameter                   Description
{-h | -help}                Shows the applicable built-in usage.
-d                          Runs the command in debug mode.
                            Use only if you troubleshoot the command itself.
                            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
<Object Name>               The name of the Security Gateway / Cluster Member object as defined in SmartConsole.
-F <Output File>            Saves the command output to the specified file.
-ip <Dynamic IP Address>    Deletes the license on the DAIP Security Gateway with the specified IP address.
                            Note - If you use this parameter, then the object name must be that of a DAIP Security Gateway.
<Signature>                 The signature string within the license.
                            To see the license signature string, run the "cplic print" on page 153 command.

cplic get
Description
Retrieves all licenses from managed Security Gateways and Cluster Members into the license repository on the Management Server.
This command helps synchronize the license repository with the managed Security Gateways and Cluster Members.
When you run this command, it updates the license repository with all local changes.

Syntax

cplic get {-h | -help}

cplic [-d] get
      -all
      <IP Address>
      <Host Name>

Parameters

Parameter        Description
{-h | -help}     Shows the applicable built-in usage.
-d               Runs the command in debug mode.
                 Use only if you troubleshoot the command itself.
                 Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
-all             Retrieves licenses from all Security Gateways and Cluster Members in the managed network.
<IP Address>     The IP address of the Security Gateway / Cluster Member from which licenses are to be retrieved.
<Host Name>      The name of the Security Gateway / Cluster Member object as defined in SmartConsole, from which licenses are to be retrieved.

Example
If the Security Gateway with the object name MyGW contains four Local licenses, and the license repository contains two other Local licenses, the command "cplic get MyGW" produces output similar to this:

[Expert@MGMT:0]# cplic get MyGW
Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#

cplic print
Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed licenses (both Local and Central).

Syntax

cplic print {-h | -help}

cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | -preatures}] [-D]

Parameters

Parameter            Description
{-h | -help}         Shows the applicable built-in usage.
-d                   Runs the command in debug mode.
                     Use only if you troubleshoot the command itself.
                     Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
{-n | -noheader}     Prints licenses with no header.
-x                   Prints licenses with their signature.
{-t | -type}         Prints licenses showing their type: Central or Local.
-F <Output File>     Saves the command output to the specified file.
{-p | -preatures}    Prints licenses resolved to primitive features.
-D                   On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print
Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 2

[Expert@HostName:0]# cplic print -x
Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#
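
The listings above are what an administrator scans to catch licenses that are about to lapse. The following shell script is an added example, not part of this guide or of the cplic tool: it reads "cplic print" output (with or without -x, because only the Host and Expiration columns are used) and reports each license as EXPIRED, EXPIRING or OK against a warning window given in days. The sample listing embedded in it is constructed, not real license data; the DDMonYYYY date format and the spelling "never" are assumed from the examples in this guide, and anything else in the Expiration column is reported as UNPARSED rather than silently skipped.

```shell
#!/bin/sh
# Added example (not from the guide): report expired and soon-expiring
# licenses from "cplic print" output. Only columns 1 (Host) and 2
# (Expiration) are used, so "-x" output works as well.

# Constructed sample of "cplic print -x" output; not real license data.
SAMPLE_CPLIC_PRINT='Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
192.168.3.29 10Jul2019 yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy CPSB-SWB CK-YYYYYYYYYYYY
192.168.3.30 never zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz CPSB-ADNC-M CK-ZZZZZZZZZZZZ
192.168.3.31 31Dec2020 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwww CPSB-SWB CK-WWWWWWWWWWWW'

# cplic_expiry_report TODAY WARN_DAYS
#   TODAY     - current date as YYYYMMDD, e.g. "$(date +%Y%m%d)"
#   WARN_DAYS - licenses expiring within this many days are reported as EXPIRING
# Reads "cplic print" output on stdin and prints
# "<host> <expiration> <EXPIRED|EXPIRING|OK|UNPARSED> <days-left>" per license.
cplic_expiry_report() {
    awk -v today="$1" -v warn="$2" '
    # Gregorian date -> Julian Day Number, so the day difference is exact
    # across month and year boundaries (leap years included).
    function jdn(y, m, d,    a) {
        a = int((14 - m) / 12)
        y = y + 4800 - a
        m = m + 12 * a - 3
        return d + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
    }
    BEGIN {
        months = "JanFebMarAprMayJunJulAugSepOctNovDec"
        tj = jdn(substr(today, 1, 4) + 0, substr(today, 5, 2) + 0, substr(today, 7, 2) + 0)
    }
    # Skip shell prompts, the column header and blank lines.
    /^\[/ || $1 == "Host" || NF < 2 { next }
    {
        host = $1; expiry = $2
        if (tolower(expiry) == "never") { print host, expiry, "OK", "-"; next }
        n = length(expiry)
        idx = index(months, substr(expiry, n - 6, 3))
        # A valid month name starts at position 1, 4, 7, ... in the months string.
        if (n < 8 || idx == 0 || (idx - 1) % 3 != 0) { print host, expiry, "UNPARSED", "-"; next }
        ej = jdn(substr(expiry, n - 3, 4) + 0, (idx + 2) / 3, substr(expiry, 1, n - 7) + 0)
        left = ej - tj
        status = left < 0 ? "EXPIRED" : (left <= warn ? "EXPIRING" : "OK")
        print host, expiry, status, left
    }'
}
```

On a Gaia host, feed the live listing from the Expert shell: `cplic print | cplic_expiry_report "$(date +%Y%m%d)" 30`. On a Management Server, `cplic db_print -all` can be fed the same way to cover the whole repository, since its rows start with the same two columns.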

cplic put
Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}

cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}] [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

Parameter             Description
{-h | -help}          Shows the applicable built-in usage.
-d                    Runs the command in debug mode.
                      Use only if you troubleshoot the command itself.
                      Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
{-o | -overwrite}     On a Security Gateway / Cluster Member, this command erases only the local licenses, but not central licenses that are installed remotely.
{-c | -check-only}    Verifies the license. Checks if the IP of the license matches the Check Point computer and if the signature is valid.
{-s | -select}        Selects only the local license whose IP address matches the IP address of the Check Point computer.
-F <Output File>      Saves the command output to the specified file.
{-P | -Pre-boot}      Use this option after you have upgraded and before you reboot the Check Point computer.
                      Use of this option prevents certain error messages.

{-K | -kernel-only}   Pushes the current valid licenses to the kernel.
                      For use by Check Point Support only.
-l <License File>     Name of the file that contains the license.
<Host>                Hostname or IP address of the Security Gateway / Cluster Member for a local license.
                      Hostname or IP address of the Security Management Server / Domain Management Server for a central license.
<Expiration Date>     The license expiration date.
<Signature>           The signature string within the license.
                      Case sensitive. The hyphens are optional.
<SKU/Features>        The SKU of the license summarizes the features included in the license.
                      For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

Parameter         Description
host              The IP address of the external interface (in quad-dot notation).
                  The last part cannot be 0 or 255.
expiration date   The license expiration date. It can be never.
signature         The license signature string.
                  Case sensitive. The hyphens are optional.
SKU/features      A string listing the SKU and the Certificate Key of the license.
                  The SKU of the license summarizes the features included in the license.
                  For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic
Host Expiration SKU
192.168.2.3 14Jan2016  CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#

cplic put <object name>
Description
Attaches one or more Central or Local licenses to remote managed Security Gateways and Cluster Members.
When you run this command, it automatically updates the license repository.

Note
- You get the license details in the Check Point User Center.
- You can attach more than one license.

Syntax

cplic put {-h | -help}

cplic [-d] put <Object Name> [-ip <Dynamic IP Address>] [-F <Output File>] -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Feature>]

Parameters

Parameter                   Description
{-h | -help}                Shows the applicable built-in usage.
-d                          Runs the command in debug mode.
                            Use only if you troubleshoot the command itself.
                            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
<Object Name>               The name of the Security Gateway / Cluster Member object, as defined in SmartConsole.
-ip <Dynamic IP Address>    Installs the license on the Security Gateway with the specified IP address.
                            This parameter is used to install a license on a Security Gateway with a dynamically assigned IP address (DAIP).
                            Note - If you use this parameter, then the object name must be that of a DAIP Security Gateway.
-F <Output File>            Saves the command output to the specified file.
-l <License File>           Installs the licenses from the <License File>.
<Host>                      Hostname or IP address of the Security Management Server / Domain Management Server.
<Expiration Date>           The license expiration date.
<Signature>                 The license signature string.
                            Case sensitive. The hyphens are optional.
<SKU/Features>              The SKU of the license summarizes the features included in the license.
                            For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

Parameter         Description
host              The IP address of the external interface (in quad-dot notation).
                  The last part cannot be 0 or 255.
expiration date   The license expiration date. It can be never.
signature         The license signature string.
                  Case sensitive. The hyphens are optional.
SKU/features      A string listing the SKU and the Certificate Key of the license.
                  The SKU of the license summarizes the features included in the license.
                  For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

cplic upgrade
Description
Upgrades licenses in the license repository with licenses in the specified license file.

Note - You get this license file in the Check Point User Center.

Syntax

cplic upgrade {-h | -help}

cplic [-d] upgrade -l <Input File>

Parameters

Parameter          Description
{-h | -help}       Shows the applicable built-in usage.
-l <Input File>    Upgrades the licenses in the license repository and on the Check Point Security Gateways / Cluster Members to match the licenses in the specified file.

Example
This example explains the procedure to upgrade the licenses in the license repository.
There are two Software Blade licenses in the input file:
- One license does not match any license on a remote managed Security Gateway.
- The other license matches an NGX-version license on a managed Security Gateway that has to be upgraded.
Workflow in this example:
1. Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the Security Gateways with the previous product versions.
2. Import all licenses into the license repository.
You can also do this after you upgrade the products on the remote Security Gateways.
3. Run this command:

cplic get -all

Example:

[Expert@MyMGMT]# cplic get -all
Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

4. To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:

[Expert@MyMGMT]# cplic db_print -all -a
Retrieving license information from database ...

The following licenses appear in the database:
==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2

5. In the Check Point User Center, view the licenses for the products that were upgraded from version NGX to a Software Blades license.
You can also create new upgraded licenses.
6. Download a file containing the upgraded licenses.
Only download licenses for the products that were upgraded from version NGX to Software Blades.
7. If you did not import the version NGX licenses into the repository, import the version NGX licenses now.
Use this command:

cplic get -all

8. Run the license upgrade command:

cplic upgrade -l <Input File>

- The licenses in the downloaded license file and in the license repository are compared.
- If the certificate keys and features match, the old licenses in the repository and on the remote Security Gateways are updated with the new licenses.
- A report of the results of the license upgrade is printed.
For more about managing licenses, see the R80.40 Security Management Administration Guide.

cppkg
Description
Manages the SmartUpdate software packages repository on the Security Management Server.

Important - Installing software packages with SmartUpdate is not supported for Security Gateways running on Gaia OS.

Syntax

cppkg
      add <options>
      {del | delete} <options>
      get
      getroot
      print
      setroot <options>

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the MDS (run mdsenv).

Parameters

Parameter                   Description
add <options>               Adds a SmartUpdate software package to the repository.
                            See "cppkg add" on page 164.
{del | delete} <options>    Deletes a SmartUpdate software package from the repository.
                            See "cppkg delete" on page 165.
get                         Updates the list of the SmartUpdate software packages in the repository.
                            See "cppkg get" on page 167.
getroot                     Shows the path to the root directory of the repository (the value of the environment variable $SUROOT).
                            See "cppkg getroot" on page 168.
print                       Prints the list of SmartUpdate software packages in the repository.
                            See "cppkg print" on page 169.
setroot <options>           Configures the path to the root directory of the repository.
                            See "cppkg setroot" on page 170.

cppkg add
Description
Adds a SmartUpdate software package to the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the MDS (run the mdsenv command).
- This command does not overwrite existing packages. To overwrite an existing package, you must first delete the existing package.
- You get the SmartUpdate software packages from the Check Point Support Center.

Syntax

cppkg add <Full Path to Package | DVD Drive [Product]>

Parameters

Parameter                 Description
<Full Path to Package>    Specifies the full local path on the computer to the SmartUpdate software package.
DVD Drive [Product]       Specifies the DVD root path.
                          Example: /mnt/CPR80

Example - Adding R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz
Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg delete
Description
Deletes SmartUpdate software packages from the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the MDS (run the mdsenv command).

Syntax

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

Parameters

Parameter            Description
del | delete         When you do not specify the optional parameters, the command runs in the interactive mode and shows a menu with the applicable options.
"<Vendor>"           Specifies the package vendor. Enclose in double-quotes.
"<Product>"          Specifies the product name. Enclose in double-quotes.
"<Major Version>"    Specifies the package Major Version. Enclose in double-quotes.
"<OS>"               Specifies the package OS. Enclose in double-quotes.
"<Minor Version>"    Specifies the package Minor Version. Enclose in double-quotes.

Notes:
- To see the values for the optional parameters, run the "cppkg print" on page 169 command.
- You must specify all optional parameters, or no parameters.

Example 1 - Interactive mode

[Expert@MGMT:0]# cppkg delete

Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository
[Expert@MGMT:0]#

Example 2 - Manually deleting the specified package

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#

cppkg get
Description
Updates the list of the SmartUpdate software packages in the SmartUpdate software packages repository based on the real content of the repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the MDS (run the mdsenv command).

Syntax

cppkg get

Example

[Expert@MGMT:0]# cppkg get
Update successfully completed
[Expert@MGMT:0]#

cppkg getroot
Description
Shows the path to the root directory of the SmartUpdate software packages repository (the value of the environment variable $SUROOT).

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the MDS (run the mdsenv command).

Syntax

cppkg getroot

Example

[Expert@MGMT:0]# cppkg getroot
[cppkg 7119 4128339728]@MGMT[29 May 19:16:06] Current repository root is set to : /var/log/cpupgrade/suroot
[Expert@MGMT:0]#

cppkg print
Description
Prints the list of SmartUpdate software packages in the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the MDS (run the mdsenv command).

Syntax

cppkg print

Example - R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg setroot
Description
Configures the path to the root directory of the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the MDS (run the mdsenv command).
- The default path is: /var/log/cpupgrade/suroot
- When changing the repository root directory:
  - This command copies the software packages from the old repository to the new repository. A package in the new location is overwritten by a package from the old location, if the packages have the same name.
  - This command updates the value of the environment variable $SUROOT in the Check Point Profile shell scripts ($CPDIR/tmp/.CPprofile.sh and $CPDIR/tmp/.CPprofile.csh).

Syntax

cppkg setroot <Full Path to Repository Root Directory>

Example

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory

Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :

1. Old repository content will be copied into the new repository
2. A package in the new location will be overwritten by a package in the old location, if the packages have the same name

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/log/my_directory

Notice : To complete the setting of your directory, reboot the machine!
[Expert@MGMT:0]#

cpprod_util
Description
This utility lets you work with the Check Point Registry ($CPDIR/registry/HKLM_registry.data) without manually opening it:
- Shows which Check Point products and features are enabled on this Check Point computer.
- Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}

cpprod_util -dump

Parameters

Parameter          Description
CPPROD_GetValue    Gets the configuration status of the specified product or feature:
                   - 0 - Disabled
                   - 1 - Enabled
CPPROD_SetValue    Sets the configuration for the specified product or feature.
                   Important - Do not run these commands unless explicitly instructed by Check Point Support or R&D to do so.
"<Product>"        Specifies the product or feature.
"<Parameter>"      Specifies the configuration parameter for the specified product or feature.
"<Value>"          Specifies the value of the configuration parameter for the specified product or feature:
                   - One of these integers: 0, 1, 4
                   - A string
-dump              Creates a dump file of the Check Point Registry ($CPDIR/registry/HKLM_registry.data) in the current working directory. The name of the output file is RegDump.

Notes
- On a Multi-Domain Server, you must run this command in the context of the relevant Domain Management Server.
- If you run the cpprod_util command without parameters, it prints:
  - The list of all available products and features (for example, "FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
  - The type of the expected argument when you configure a product or feature ("no-parameter", "string-parameter", or "integer-parameter")
  - The type of the returned output ("status-output", or "no-output")
- To redirect the output of the cpprod_util command, you need to redirect the stderr to stdout:

cpprod_util <options> > <output file> 2>&1

Example:

cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples

Example - Showing a list of all installed Check Point Products Packages on a Management Server

[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Management Server

[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone

[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability

[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability

[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability

[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server

[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled

[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled

[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is enabled

[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the Endpoint Policy Management blade is enabled

[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Endpoint Policy Server

[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

Example - Showing a list of all installed Check Point Products Packages on a Security Gateway
[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway


[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled


[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the SmartProvisioning is enabled


[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode


[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of Full HA cluster


[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with Dynamically Assigned IP (DAIP)
[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses


[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#
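Each cpprod_util flag above answers a single yes/no question. The following is an added example, not from this guide, that combines them into an inventory check in POSIX shell: it prints one role line for the host and lists installed packages that are not on an expected baseline. The CPPROD_UTIL variable (so that the real command can be swapped for a stub), the function names, the role wording and the GATEWAY_BASELINE list are this example's own assumptions; the flag names and package names are the ones shown in the examples above. On a Multi-Domain Server, run it in the MDS context.

```shell
#!/bin/sh
# Added example, not part of the Check Point CLI guide.
# Classifies a Check Point host from cpprod_util role flags and checks the
# installed product list against an allow-list. CPPROD_UTIL (an assumption
# of this example) names the command to run; the default is the real binary.
CPPROD_UTIL="${CPPROD_UTIL:-cpprod_util}"

# is_set FLAG: succeeds when cpprod_util prints 1 for FLAG, fails otherwise
# (including when the command is unavailable, so callers never see a blank).
is_set() {
    [ "$("$CPPROD_UTIL" "$1" 2>/dev/null)" = "1" ]
}

# cp_role prints one line describing the host: its base role followed by
# the qualifying flags that are set (the flag names are the documented ones).
cp_role() {
    if is_set FwIsStandAlone; then
        role="standalone"
    elif is_set FwIsFirewallMgmt; then
        role="management"
        is_set FwIsPrimary && role="$role primary"
        is_set FwIsActiveManagement && role="$role active"
        is_set FwIsSMCBackup && role="$role backup"
    elif is_set FwIsLogServer; then
        role="log-server"
    else
        role="gateway"
        is_set FwIsVSX && role="$role vsx"
        is_set FwIsBridge && role="$role bridge"
        is_set FwIsFullHA && role="$role full-ha"
        is_set FwIsDAG && role="$role daip"
    fi
    printf '%s\n' "$role"
}

# unexpected_products ALLOW_LIST prints every installed package that is not
# on the newline-separated allow-list, one per line (nothing when all known).
unexpected_products() {
    "$CPPROD_UTIL" CPPROD_GetInstalledProducts | while IFS= read -r pkg; do
        printf '%s\n' "$1" | grep -Fxq -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# Constructed allow-list for a plain Security Gateway, taken from the package
# names the guide's gateway example lists above.
GATEWAY_BASELINE='CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN'

# Usage on a live system (Expert mode):
#   cp_role
#   unexpected_products "$GATEWAY_BASELINE"
```

A non-empty result from unexpected_products is worth a ticket: a package that is not in the baseline for that host class was either installed outside the change process or the baseline is stale.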

cprid
Description
Manages the Check Point Remote Installation Daemon (cprid).
This daemon is used for remote upgrade and installation of Check Point products on the managed Security
Gateways.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run these commands in the context of the MDS (run mdsenv).

Commands

Syntax Description

cpridstart
    Starts the Check Point Remote Installation Daemon (cprid).

cpridstop
    Stops the Check Point Remote Installation Daemon (cprid).

run_cprid_restart
    Stops and then starts the Check Point Remote Installation Daemon (cprid).

cprinstall
Description
Performs installation of Check Point product packages and associated operations on remote managed
Security Gateways.

Important - Installing software packages with this command is not supported for
Security Gateways that run on Gaia OS.

Notes:
- This command requires a license for SmartUpdate.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- On the remote Security Gateways these are required:
  - SIC Trust must be established between the Security Management Server and the Security Gateway.
  - The cpd daemon must run.
  - The cprid daemon must run.

Syntax

cprinstall
      boot <options>
      cprestart <options>
      cpstart <options>
      cpstop <options>
      delete <options>
      get <options>
      install <options>
      revert <options>
      show <options>
      snapshot <options>
      transfer <options>
      uninstall <options>
      verify <options>

Parameters

Parameter Description

boot <options>
    Reboots the managed Security Gateway.
    See "cprinstall boot" on page 179.

cprestart <options>
    Runs the cprestart command on the managed Security Gateway.
    See "cprinstall cprestart" on page 180.

cpstart <options>
    Runs the cpstart command on the managed Security Gateway.
    See "cprinstall cpstart" on page 181.

cpstop <options>
    Runs the cpstop command on the managed Security Gateway.
    See "cprinstall cpstop" on page 182.

delete <options>
    Deletes a snapshot (backup) file on the managed Security Gateway.
    See "cprinstall delete" on page 183.

get <options>
    - Gets details of the products and the operating system installed on the managed Security Gateway.
    - Updates the management database on the Security Management Server.
    See "cprinstall get" on page 184.

install <options>
    Installs Check Point products on the managed Security Gateway.
    See "cprinstall install" on page 185.

revert <options>
    Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot saved on that Security Gateway.
    See "cprinstall revert" on page 188.

show <options>
    Displays all snapshot (backup) files on the managed Security Gateway that runs on SecurePlatform OS.
    See "cprinstall show" on page 189.

snapshot <options>
    Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and saves it on that Security Gateway.
    See "cprinstall snapshot" on page 190.

transfer <options>
    Transfers a software package from the repository to the managed Security Gateway without installing the package.
    See "cprinstall transfer" on page 191.

uninstall <options>
    Uninstalls Check Point products on the managed Security Gateway.
    See "cprinstall uninstall" on page 192.

verify <options>
    Confirms these operations were successful:
    - If a specific product can be installed on the managed Security Gateway.
    - That the operating system and currently installed products on the managed Security Gateway are appropriate for the software package.
    - That there is enough disk space to install the product on the managed Security Gateway.
    - That there is a CPRID connection with the managed Security Gateway.
    See "cprinstall verify" on page 194.

cprinstall boot
Description
Reboots the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall boot <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall boot MyGW

cprinstall cprestart
Description
Runs the cprestart command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- All Check Point products on the managed Security Gateway must be of the same version.

Syntax

cprinstall cprestart <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT:0]# cprinstall cprestart MyGW

cprinstall cpstart
Description
Runs the cpstart command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- All Check Point products on the managed Security Gateway must be of the same version.

Syntax

cprinstall cpstart <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstart MyGW

cprinstall cpstop
Description
Runs the cpstop command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- All Check Point products on the managed Security Gateway must be of the same version.

Syntax

cprinstall cpstop {-proc | -nopolicy} <Object Name>

Parameters

Parameter Description

-proc
    Kills the Check Point daemons and Security Servers, while it maintains the active Security Policy running in the Check Point kernel.
    Rules with generic Allow, Drop or Reject action based on services, continue to work.

-nopolicy
    Kills the Check Point daemons and Security Servers and unloads the Security Policy from the Check Point kernel.

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstop -proc MyGW

cprinstall delete
Description
Deletes a snapshot (backup) file on the managed Security Gateway that runs on SecurePlatform OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall delete <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File> Specifies the name of the snapshot (backup) on SecurePlatform OS.

Example
[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017

cprinstall get
Description
- Gets details of the products and the operating system installed on the managed Security Gateway.
- Updates the management database on the Security Management Server.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall get <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example:

[Expert@MGMT]# cprinstall get MyGW


Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system Major Version Minor Version
------------------------------------------------------------------------
SecurePlatform     R75.20             R75.20

Vendor Product Major Version Minor Version


------------------------------------------------------------------------
Check Point VPN-1 Power/UTM R75.20 R75.20
Check Point SecurePlatform R75.20 R75.20
Check Point SmartPortal R75.20 R75.20
[Expert@MGMT]#

cprinstall install
Description
Installs Check Point products on the managed Security Gateway.

Important - Installing software packages with this command is not supported for
Security Gateways that run Gaia OS.

Notes:
- Before transferring the software package, this command runs the "cprinstall verify" on page 194 command.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- To see the values for the package attributes, run the "cppkg print" on page 169 command.

Syntax

cprinstall install [-boot] [-backup] [-skip_transfer] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter Description

-boot
    Reboots the managed Security Gateway after installing the package.
    Note - Only reboot after ALL products have the same version. Reboot is canceled in certain scenarios.

-backup
    Creates a snapshot on the managed Security Gateway before installing the package.
    Note - Only on Security Gateways that run on SecurePlatform OS.

-skip_transfer
    Skips the transfer of the package.

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"
    Specifies the package vendor. Enclose in double-quotes.
    Examples:
    - checkpoint
    - Check Point

"<Product>"
    Specifies the product name. Enclose in double-quotes.
    Examples:
    - SVNfoundation
    - firewall
    - floodgate
    - CP1100
    - VPN-1 Power/UTM
    - SmartPortal

"<Major Version>"
    Specifies the package Major Version. Enclose in double-quotes.

"<Minor Version>"
    Specifies the package Minor Version. Enclose in double-quotes.

Example

[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"

Installing firewall R75.20 on MyGW...


Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#

cprinstall revert
Description
Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot saved on that
Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall revert <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>
    Name of the SecurePlatform snapshot file.
    To see the names of the saved snapshot files, run the "cprinstall show" on page 189 command.

cprinstall show
Description
Displays all snapshot (backup) files on the managed Security Gateway that runs on SecurePlatform OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall show <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall show GW1


SU_backup.tzg
[Expert@MGMT]#

cprinstall snapshot
Description
Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and saves it on
that Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall snapshot <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>
    Name of the SecurePlatform snapshot file.
    To see the names of the saved snapshot files, run the "cprinstall show" on page 189 command.

cprinstall transfer
Description
Transfers a software package from the repository to the managed Security Gateway without installing the
package.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- To see the values for the package attributes, run the "cppkg print" on page 169 command.

Syntax

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter Description

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"
    Specifies the package vendor. Enclose in double-quotes.
    Examples:
    - checkpoint
    - Check Point

"<Product>"
    Specifies the product name. Enclose in double-quotes.
    Examples:
    - SVNfoundation
    - firewall
    - floodgate
    - CP1100

"<Major Version>"
    Specifies the package major version. Enclose in double-quotes.

"<Minor Version>"
    Specifies the package minor version. Enclose in double-quotes.

cprinstall uninstall
Description
Uninstalls Check Point products on the managed Security Gateway.

Important - Uninstalling software packages with this command is not supported for
Security Gateways running on Gaia OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- Before uninstalling product packages, this command runs the "cprinstall verify" on page 194 command.
- After uninstalling a product package, you must run the "cprinstall get" on page 184 command.
- To see the values for the package attributes, run the "cppkg print" on page 169 command.

Syntax

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter Description

-boot
    Reboots the managed Security Gateway after uninstalling the package.
    Note - Reboot is canceled in certain scenarios.

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"
    Specifies the package vendor. Enclose in double-quotes.
    Examples:
    - checkpoint
    - Check Point

"<Product>"
    Specifies the product name. Enclose in double-quotes.
    Examples:
    - SVNfoundation
    - firewall
    - floodgate
    - CP1100

"<Major Version>"
    Specifies the package major version. Enclose in double-quotes.

"<Minor Version>"
    Specifies the package minor version. Enclose in double-quotes.

Example
[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get

cprinstall verify
Description
Confirms these operations were successful:
- If a specific product can be installed on the managed Security Gateway.
- That the operating system and currently installed products on the managed Security Gateway are appropriate for the software package.
- That there is enough disk space to install the product on the managed Security Gateway.
- That there is a CPRID connection with the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- To see the values for the package attributes, run the "cppkg print" on page 169 command.

Syntax

cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major Version>" ["<Minor Version>"]

Parameters

Parameter Description

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"
    Specifies the package vendor. Enclose in double-quotes.
    Examples:
    - checkpoint
    - Check Point

"<Product>"
    Specifies the product name. Enclose in double-quotes.
    Examples:
    - SVNfoundation
    - firewall
    - floodgate
    - CP1100
    - VPN-1 Power/UTM
    - SmartPortal

"<Major Version>"
    Specifies the package major version. Enclose in double-quotes.

"<Minor Version>"
    Specifies the package minor version. Enclose in double-quotes.
    This parameter is optional.

Example 1 - Verification succeeds


[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Example 2 - Verification fails


[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R70 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.
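The cprinstall verify, install and get sections describe one workflow: verify that the package fits the gateway, install it with -backup so that a snapshot exists to revert to, then refresh the management database. The following is an added example, not from this guide, that chains those steps in POSIX shell and stops at the first step whose output does not carry the success text shown in the examples above. The CPRINSTALL variable (to substitute a stub for the real command), the function names and the exit-status numbering are this example's own; it assumes the message wording in the guide's examples and does not rely on the commands' exit codes, which the guide does not document.

```shell
#!/bin/sh
# Added example, not part of the Check Point CLI guide.
# Wraps the remote package workflow documented for cprinstall: verify first,
# install with a snapshot (-backup), then refresh the management database
# with "cprinstall get". CPRINSTALL (this example's own variable) names the
# command to run, so a stub can stand in for the real tool.
# Assumption: success and failure are recognised by the message texts shown
# in the guide's examples; the commands' exit codes are not relied on.
CPRINSTALL="${CPRINSTALL:-cprinstall}"

# run_step SUBCOMMAND ARGS...: runs one cprinstall step, copies its transcript
# to stderr for the operator log, and prints the transcript on stdout.
run_step() {
    out=$("$CPRINSTALL" "$@" 2>&1) || true
    printf '%s\n' "$out" >&2
    printf '%s\n' "$out"
}

# verify_ok GW VENDOR PRODUCT MAJOR [MINOR]: succeeds only when
# "cprinstall verify" reports that the product can be installed.
verify_ok() {
    case "$(run_step verify "$@")" in
        *"The product can be installed"*) return 0 ;;
        *) return 1 ;;
    esac
}

# guarded_install GW VENDOR PRODUCT MAJOR MINOR
# Exit status: 0 installed, 1 verify refused the package, 2 install did not
# complete, 3 installed but the management database was not refreshed.
guarded_install() {
    gw=$1; shift
    if ! verify_ok "$gw" "$@"; then
        echo "refused: $2 $4 cannot be installed on $gw (see verify output)"
        return 1
    fi
    case "$(run_step install -backup "$gw" "$@")" in
        *"Operation completed successfully"*) ;;
        *) echo "failed: install of $2 $4 on $gw did not complete"; return 2 ;;
    esac
    case "$(run_step get "$gw")" in
        *"'Get Gateway Data' completed successfully"*) ;;
        *) echo "warning: $2 $4 installed on $gw but 'cprinstall get' failed"; return 3 ;;
    esac
    echo "installed: $2 $4 on $gw"
}

# Usage on a Management Server in Expert mode (under mdsenv on an MDS):
#   guarded_install MyGW "checkpoint" "firewall" "R75" "R75.20"
```

Because the transcript is copied to stderr, the operator log keeps the full cprinstall output for each step while the function's stdout stays a single machine-readable result line.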

cpstart
Description
Manually starts all Check Point processes and applications.

Notes:
- For the cprid daemon, use the "cprid" on page 175 command.
- For manually starting specific Check Point processes, see sk97638.

Syntax

cpstart

cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o
<Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    The output shows the SNMP queries and SNMP responses for the applicable SNMP OIDs.

-h <Host>
    Optional.
    When you run this command on a Management Server, this parameter specifies the managed Security Gateway.
    <Host> is an IPv4 address, a resolvable hostname, or a DAIP object name.
    The default is localhost.
    Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>.

-p <Port>
    Optional.
    Port number of the Application Monitoring (AMON) server.
    The default port is 18192.

-s <SICname>
    Optional.
    Secure Internal Communication (SIC) name of the Application Monitoring (AMON) server.

-f <Flavor>
    Optional.
    Specifies the type of the information to collect.
    If you do not specify a flavor explicitly, the command uses the first flavor in the <Application Flag>. To see all flavors, run the cpstat command without any parameters.

-o <Polling Interval>
    Optional.
    Specifies the polling interval (in seconds) - how frequently the command collects and shows the information.
    Examples:
    - 0 - The command shows the results only once and then stops (this is the default value).
    - 5 - The command shows the results every 5 seconds in the loop.
    - 30 - The command shows the results every 30 seconds in the loop.
    - N - The command shows the results every N seconds in the loop.
    Use this parameter together with the "-c <Count>" parameter and the "-e <Period>" parameter.
    Example:

        cpstat os -f perf -o 2

-c <Count>
    Optional.
    Specifies how many times the command runs and shows the results before it stops.
    You must use this parameter together with the "-o <Polling Interval>" parameter.
    Examples:
    - 0 - The command shows the results repeatedly every <Polling Interval> (this is the default value).
    - 10 - The command shows the results 10 times every <Polling Interval> and then stops.
    - 20 - The command shows the results 20 times every <Polling Interval> and then stops.
    - N - The command shows the results N times every <Polling Interval> and then stops.
    Example:

        cpstat os -f perf -o 2 -c 2

-e <Period>
    Optional.
    Specifies the time (in seconds), over which the command calculates the statistics.
    You must use this parameter together with the "-o <Polling Interval>" parameter.
    You can use this parameter together with the "-c <Count>" parameter.
    Example:

        cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag>
    Mandatory.
    See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are supported only by a Security Gateway, and some flags are supported only by a Management Server.

Feature or Software Blade | Flag | Flavors
List of enabled Software Blades | blades | fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi, anti_bot, default, content_awareness, threat-emulation, default
Operating System | os | default, ifconfig, routing, routing6, memory, old_memory, cpu, disk, perf, multi_cpu, multi_disk, raidInfo, sensors, power_supply, hw_info, all, average_cpu, average_memory, statistics, updates, licensing, connectivity, vsx
Firewall | fw | default, interfaces, policy, perf, hmem, kmem, inspect, cookies, chains, fragments, totals, totals64, ufp, http, ftp, telnet, rlogin, smtp, pop3, sync, log_connection, all
HTTPS Inspection | https_inspection | default, hsm_status, all
Identity Awareness | identityServer | default, authentication, logins, ldap, components, adquery, idc, muh

Application Control | appi | default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month
URL Filtering | urlf | default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month
IPS | ips | default, statistics, all
Anti-Virus | ci | default
Threat Prevention | antimalware | default, scanned_hosts, scanned_mails, subscription_status, update_status, ab_prm_contracts, av_prm_contracts, ab_prm_contracts, av_prm_contracts
Threat Emulation | threat-emulation | default, general_statuses, update_status, scanned_files, malware_detected, scanned_on_cloud, malware_on_cloud, average_process_time, emulated_file_size, queue_size, peak_size, file_type_stat_file_scanned, file_type_stat_malware_detected, file_type_stat_cloud_scanned, file_type_stat_cloud_malware_scanned, file_type_stat_filter_by_analysis, file_type_stat_cache_hit_rate, file_type_stat_error_count, file_type_stat_no_resource_count, contract, downloads_information_current, downloading_file_information, queue_table, history_te_incidents, history_te_comp_hosts
Threat Extraction | scrub | default, subscription_status, threat_extraction_statistics
Mobile Access | cvpn | cvpnd, sysinfo, products, overall
VSX | vsx | default, stat, traffic, conns, cpu, all, memory, cpu_usage_per_core
IPsec VPN | vpn | default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics, watermarks, all
Data Loss Prevention | dlp | default, dlp, exchange_agents, fingerprint

Content Awareness | ctnt | default
QoS | fg | all
High Availability | ha | default, all
Policy Server for Remote Access VPN clients | polsrv | default, all
Desktop Policy Server for Remote Access VPN clients | dtps | default, all
LTE / GX | gx | default, contxt_create_info, contxt_delete_info, contxt_update_info, contxt_path_mng_info, GXSA_GPDU_info, contxt_initiate_info, gtpv2_create_info, gtpv2_delete_info, gtpv2_update_info, gtpv2_path_mng_info, gtpv2_cmd_info, all
Management Server | mg | default, log_server, indexer
Certificate Authority | ca | default, crl, cert, user, all
SmartEvent | cpsemd | default
SmartEvent Correlation Unit | cpsead | default
Log Server | ls | default
CloudGuard Controller | vsec | default
SmartReporter | svr | default
Provisioning Agent | PA | default

Thresholds configured with the threshold_config command | thresholds | default, active_thresholds, destinations, error
Historical status values | persistency | product, TableConfig, SourceConfig

Examples

Example - Interfaces on a Security Gateway


[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
--------------------------------------------------------------------------------------------------------------------
|Name|IP |Netmask |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
--------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth1| 172.30.60.80|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth2| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth3| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth4| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth5| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth6| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth7| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
--------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway


[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy


Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#

Example - CPU utilization
[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance
[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320


Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320


Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#

Example - List of current connected sessions on a Management Server


[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server


Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#
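The -o, -c and -e parameters turn cpstat into a poller, and the perf example above shows the key/value layout it prints for each round. The following is an added example, not from this guide, that parses that layout in POSIX shell and raises alerts when CPU usage, free disk or free memory cross thresholds, using the last round when several were printed and skipping counters that cpstat reports as "-" rather than treating them as zero. The embedded CPSTAT_SAMPLE is constructed in the guide's output format; the function names and the thresholds are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Check Point CLI guide.
# Reads the key/value output of "cpstat os -f perf" and flags threshold
# breaches for a monitoring job. When cpstat was run with -o/-c, several
# rounds are printed; the last (most recent) one is used. A value of "-"
# means the counter is not available on that platform and is skipped.

# Constructed sample in the guide's output format (two polling rounds).
CPSTAT_SAMPLE='Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
CPU User Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
Disk Servicing Read\Write Requests Time: -
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
CPU User Time (%): 3
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
Disk Servicing Read\Write Requests Time: -
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296'

# perf_value TEXT KEY: prints the most recent value reported for KEY
# ("-" when cpstat reports the counter as unavailable), nothing if absent.
perf_value() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '
        $1 == key { value = $2 }
        END { if (value != "") print value }'
}

# is_int STRING: succeeds for a non-negative decimal integer.
is_int() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# perf_alerts TEXT CPU_MAX_PCT DISK_MIN_PCT MEM_MIN_BYTES
# Prints one line per breached threshold; exit 0 when none was breached.
# Counters reported as "-" are skipped, never compared as zero.
perf_alerts() {
    sample=$1; breaches=0
    cpu=$(perf_value "$sample" "CPU Usage (%)")
    disk=$(perf_value "$sample" "Disk Free Space (%)")
    mem=$(perf_value "$sample" "Free Real Memory (Bytes)")
    if is_int "$cpu" && [ "$cpu" -gt "$2" ]; then
        echo "cpu usage ${cpu}% above $2%"; breaches=$((breaches + 1))
    fi
    if is_int "$disk" && [ "$disk" -lt "$3" ]; then
        echo "disk free ${disk}% below $3%"; breaches=$((breaches + 1))
    fi
    if is_int "$mem" && [ "$mem" -lt "$4" ]; then
        echo "free memory ${mem} bytes below $4 bytes"; breaches=$((breaches + 1))
    fi
    [ "$breaches" -eq 0 ]
}

# Offline demonstration on the constructed sample. On a gateway, feed the
# live output instead: perf_alerts "$(cpstat os -f perf)" 90 20 1073741824
if perf_alerts "$CPSTAT_SAMPLE" 90 20 1073741824; then
    echo "sample: all thresholds satisfied"
fi
```

A non-zero exit from perf_alerts is what a cron job or monitoring agent should key on; the printed lines carry the detail for the alert text.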

cpstop
Description
Manually stops all Check Point processes and applications.

Notes:
- For the cprid daemon, use the "cprid" on page 175 command.
- For manually stopping specific Check Point processes, see sk97638.

Syntax

cpstop


cpview
Overview of CPView
Description
CPView is a text-based, built-in utility on a Check Point computer.
CPView shows statistical data that contains both general system information (CPU, Memory, Disk
space) and information for different Software Blades (only on a Security Gateway).
CPView continuously updates the data in easy-to-access views.
On a Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Header
    This view shows the time the statistics in the third view are collected.
    It updates when you refresh the statistics.

Navigation
    This menu bar is interactive. Move between menus with the arrow keys and mouse.
    A menu can have sub-menus and they show under the menu bar.

View
    This view shows the statistics collected in that view.
    These statistics update at the refresh rate.


Using CPView
Use these keys to navigate the CPView:

Arrow keys
    Moves between menus and views. Scrolls in a view.

Home
    Returns to the Overview view.

Enter
    Changes to the View Mode.
    On a menu with sub-menus, the Enter key moves you to the lowest level sub-menu.

Esc
    Returns to the Menu Mode.

Q
    Quits CPView.

Use these keys to change CPView interface options:

R
    Opens a window where you can change the refresh rate.
    The default refresh rate is 2 seconds.

W
    Changes between wide and normal display modes.
    In wide mode, CPView fits the screen horizontally.

S
    Manually sets the number of rows or columns.

M
    Switches on/off the mouse.

P
    Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

C
    Saves the current page to a file. The file name format is:
    cpview_<ID of the cpview process>.cap<Number of the capture>

H
    Shows a tooltip with CPView options.

Space bar
    Immediately refreshes the statistics.


cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes such as
Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products and
Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log file.
The cpwd_admin utility shows the status of the monitored processes, and configures the Check Point
WatchDog.

There are two types of Check Point WatchDog monitoring:

Passive
    WatchDog restarts the process only when the process terminates abnormally.
    In the output of the cpwd_admin list command, the MON column shows N for
    passively monitored processes.

Active
    WatchDog checks the process status every predefined interval.
    WatchDog makes sure the process is alive, as well as properly functioning (not stuck on
    deadlocks, frozen, and so on).
    In the output of the cpwd_admin list command, the MON column shows Y for actively
    monitored processes.
    The list of actively monitored processes is predefined by Check Point. Users cannot
    change or configure it.


Syntax

cpwd_admin
      config <options>
      del <options>
      detach <options>
      exist
      flist <options>
      getpid <options>
      kill
      list <options>
      monitor_list
      start <options>
      start_monitor
      stop <options>
      stop_monitor

Parameters

config <options>
    Configures the Check Point WatchDog.
    See "cpwd_admin config" on page 211.

del <options>
    Temporarily deletes a monitored process from the WatchDog database of
    monitored processes.
    See "cpwd_admin del" on page 214.

detach <options>
    Temporarily detaches a monitored process from the WatchDog monitoring.
    See "cpwd_admin detach" on page 215.

exist
    Checks whether the WatchDog process cpwd is alive.
    See "cpwd_admin exist" on page 216.

flist <options>
    Saves the status of all monitored processes to a
    $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
    See "cpwd_admin flist" on page 217.

getpid <options>
    Shows the PID of a monitored process.
    See "cpwd_admin getpid" on page 219.


kill
    Terminates the WatchDog process cpwd.
    See "cpwd_admin kill" on page 220.
    Important - Do not run this command unless explicitly instructed by Check
    Point Support or R&D to do so.

list <options>
    Prints the status of all monitored processes on the screen.
    See "cpwd_admin list" on page 221.

monitor_list
    Prints the status of actively monitored processes on the screen.
    See "cpwd_admin monitor_list" on page 225.

start <options>
    Starts a process as monitored by the WatchDog.
    See "cpwd_admin start" on page 226.

start_monitor
    Starts the active WatchDog monitoring - WatchDog monitors the predefined
    processes actively.
    See "cpwd_admin start_monitor" on page 228.

stop <options>
    Stops a monitored process.
    See "cpwd_admin stop" on page 229.

stop_monitor
    Stops the active WatchDog monitoring - WatchDog monitors all processes only
    passively.
    See "cpwd_admin stop_monitor" on page 231.


cpwd_admin config
Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
      -h
      -a <options>
      -d <options>
      -p
      -r

Parameters

-h
    Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N>
    Adds the WatchDog configuration parameters.
    Note - Spaces are not allowed between the name of the configuration parameter,
    the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N>
    Deletes the WatchDog configuration parameters that the user added with the
    "cpwd_admin config -a" command.

-p
    Shows the WatchDog configuration parameters that the user added with the
    "cpwd_admin config -a" command.

-r
    Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:


default_ctx
    Accepted values: Text string up to 128 characters.
    On a VSX Gateway, configures the CTX value that is assigned to monitored
    processes, for which no CTX is specified.

display_ctx
    Accepted values: 0 (default), 1.
    On a VSX Gateway, configures whether the WatchDog shows the CTX column in the
    output of the cpwd_admin list command (between the APP and the PID columns):
    - 0 - Does not show the CTX column
    - 1 - Shows the CTX column

no_limit
    Accepted values: -1, 0, >0. Default: 5.
    If rerun_mode=1, specifies the maximal number of times the WatchDog tries to
    restart a process:
    - -1 - Always tries to restart
    - 0 - Never tries to restart
    - >0 - Tries this number of times

num_of_procs
    Accepted values: 30 - 2000. Default: 2000.
    Configures the maximal number of processes managed by the WatchDog.

rerun_mode
    Accepted values: 0, 1 (default).
    Configures whether the WatchDog restarts processes after they fail:
    - 0 - Does not restart a failed process. Monitor and log only.
    - 1 - Restarts a failed process (this is the default).

reset_startups
    Accepted values: >0. Default: 3600.
    Configures the time (in seconds) the WatchDog waits after the process starts
    and before the WatchDog resets the process's startup_counter to 0.
    To see the process's startup counter, in the output of the cpwd_admin list
    command, refer to the #START column.

sleep_mode
    Accepted values: 0, 1 (default).
    Configures how the WatchDog restarts the process:
    - 0 - Ignores timeout and restarts the process immediately
    - 1 - Waits for the duration of sleep_timeout

sleep_timeout
    Accepted values: 0 - 3600. Default: 60.
    If rerun_mode=1, specifies how much time (in seconds) passes from a process
    failure until WatchDog tries to restart it.


stop_timeout
    Accepted values: >0. Default: 60.
    Configures the time (in seconds) the WatchDog waits for a process stop
    command to complete.

zero_timeout
    Accepted values: >0. Default: 7200.
    After failing no_limit times to restart a process, the WatchDog waits
    zero_timeout seconds before it tries again.
    The value of the zero_timeout must be greater than the value of the timeout.

The WatchDog saves the user defined configuration parameters in the
$CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"
: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...

Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
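As an added example (not part of the Check Point guide), this shell function validates cpwd_admin config -a arguments against the accepted values documented above before they reach the WatchDog registry, which matters because a mistake can only be corrected with another cpstop/cpstart round. The function names are assumptions made for this example.

```shell
# Added example (not part of the Check Point guide): validate "cpwd_admin
# config -a" arguments against the accepted values documented above before
# they are written to the WatchDog registry. Prints one line per rejected
# argument and returns 1 if any argument is rejected, 0 if all are accepted.
# Function names are assumptions made for this example.

# True when the argument is a decimal integer with an optional leading minus.
cpwd_is_int() {
    case $1 in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;
    esac
    return 0
}

cpwd_config_validate() {
    rc=0
    for arg in "$@"; do
        case $arg in
            *' '*)
                # The guide requires name=value with no spaces around the equal sign.
                echo "rejected '$arg': spaces are not allowed around the equal sign"
                rc=1; continue ;;
            *=*) ;;
            *)
                echo "rejected '$arg': expected <Configuration_Parameter>=<Value>"
                rc=1; continue ;;
        esac
        name=${arg%%=*}
        value=${arg#*=}
        case $name in
            default_ctx)
                # Text string up to 128 characters.
                [ ${#value} -le 128 ] ||
                    { echo "rejected $name: value longer than 128 characters"; rc=1; } ;;
            display_ctx|rerun_mode|sleep_mode)
                cpwd_is_int "$value" && [ "$value" -ge 0 ] && [ "$value" -le 1 ] ||
                    { echo "rejected $name=$value: accepted values are 0 and 1"; rc=1; } ;;
            no_limit)
                # -1 always restarts, 0 never restarts, >0 is the number of attempts.
                cpwd_is_int "$value" && [ "$value" -ge -1 ] ||
                    { echo "rejected $name=$value: accepted values are -1, 0 or a positive count"; rc=1; } ;;
            num_of_procs)
                cpwd_is_int "$value" && [ "$value" -ge 30 ] && [ "$value" -le 2000 ] ||
                    { echo "rejected $name=$value: range is 30 - 2000"; rc=1; } ;;
            sleep_timeout)
                cpwd_is_int "$value" && [ "$value" -ge 0 ] && [ "$value" -le 3600 ] ||
                    { echo "rejected $name=$value: range is 0 - 3600 seconds"; rc=1; } ;;
            reset_startups|stop_timeout|zero_timeout)
                cpwd_is_int "$value" && [ "$value" -gt 0 ] ||
                    { echo "rejected $name=$value: must be greater than 0"; rc=1; } ;;
            *)
                echo "rejected $name: not a documented WatchDog configuration parameter"
                rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration: the arguments from the example above pass; a spaced argument
# and an out-of-range value are rejected.
if cpwd_config_validate sleep_timeout=120 no_limit=12; then
    echo "accepted: cpwd_admin config -a sleep_timeout=120 no_limit=12"
fi
cpwd_config_validate "sleep_timeout = 120" num_of_procs=5000 || echo "rejected arguments listed above"
```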


cpwd_admin del
Description
Temporarily deletes a monitored process from the WatchDog database of monitored processes.

Notes:
- WatchDog stops monitoring the deleted process, but the process stays alive.
- The "cpwd_admin list" on page 221 command does not show the deleted process anymore.
- This change applies until all Check Point services restart during boot, or with the
  "cpstart" on page 196 command.

Syntax on a Management Server

cpwd_admin del -name <Application Name>

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the
    "cpwd_admin list" on page 221 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD
cpwd_admin:
successful Del operation
[Expert@HostName:0]#


cpwd_admin detach
Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 221 command does not show the detached process anymore.
- This change applies until all Check Point services restart during boot, or with the
  "cpstart" on page 196 command.

Syntax on a Management Server

cpwd_admin detach -name <Application Name>

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the
    "cpwd_admin list" on page 221 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD
cpwd_admin:
successful Detach operation
[Expert@HostName:0]#


cpwd_admin exist
Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist
cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#


cpwd_admin flist
Description
Saves the status of all WatchDog monitored processes to a
$CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file and prints the name of that file on the screen.

Syntax on a Management Server

cpwd_admin flist [-full]

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

-full
    Shows the verbose output.

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

APP
    Shows the WatchDog name of the monitored process.

CTX
    On a VSX Gateway, shows the VSID, in which the monitored process runs.

PID
    Shows the PID of the monitored process.

STAT
    Shows the status of the monitored process:
    - E - executing
    - T - terminated

#START
    Shows how many times the WatchDog started the monitored process.

START_TIME
    Shows the time when the WatchDog started the monitored process for the last time.

SLP/LIMIT
    In verbose output, shows the values of the sleep_timeout and no_limit
    configuration parameters (see "cpwd_admin config" on page 211).

MON
    Shows how the WatchDog monitors this process (see the explanation for the
    "cpwd_admin" on page 208):
    - Y - Active monitoring
    - N - Passive monitoring

COMMAND
    Shows the command the WatchDog runs to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist
/opt/CPshrd-R80.40/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#
[Expert@HostName:0]# date --date="@1564617600"
Thu Aug 1 03:00:00 IDT 2019
[Expert@HostName:0]#


cpwd_admin getpid
Description
Shows the PID of a WatchDog monitored process.

Syntax for a Management Server

cpwd_admin getpid -name <Application Name>

Syntax for a Security Gateway

cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the
    "cpwd_admin list" on page 221 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD
5640
[Expert@HostName:0]#


cpwd_admin kill
Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 205 and "cpstart" on page 196 commands.

Syntax

cpwd_admin kill


cpwd_admin list
Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Management Server

cpwd_admin list [-full]

Syntax on a Security Gateway

cpwd_admin list [-full] [-ctx <VSID>]

Parameters

-full
    Shows the verbose output.

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

APP
    Shows the WatchDog name of the monitored process.

CTX
    On a VSX Gateway, shows the VSID, in which the monitored process runs.

PID
    Shows the PID of the monitored process.

STAT
    Shows the status of the monitored process:
    - E - executing
    - T - terminated

#START
    Shows how many times the WatchDog started the monitored process.

START_TIME
    Shows the time when the WatchDog started the monitored process for the last time.

SLP/LIMIT
    In verbose output, shows the values of the sleep_timeout and no_limit
    configuration parameters (see "cpwd_admin config" on page 211).

MON
    Shows how the WatchDog monitors this process (see the explanation for the
    "cpwd_admin" on page 208):
    - Y - Active monitoring
    - N - Passive monitoring

COMMAND
    Shows the command the WatchDog runs to start this process.

Examples

Example - Default output on a Management Server

[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R80.40/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-R80.40/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2019 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
[Expert@HostName:0]#


Example - Default output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-
R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 N ci_http_server -j -f
/opt/CPsuite-R80.40/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2019 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 N DAService_script
[Expert@HostName:0]#

Example - Verbose output on a Management Server

[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/java_solr
COMMAND = java_solr /opt/CPrt-R80.40/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/log_indexer/log_indexer
COMMAND = /opt/CPrt-R80.40/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R80.40/smartlog_server
COMMAND = /opt/CPSmartLog-R80.40/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#


Example - Verbose output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list -full
APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 3/u N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-
R80.40/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
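As an added example (not part of the Check Point guide), the following shell function turns the default cpwd_admin list output shown above into a health check: it reports terminated processes (STAT T) and processes the WatchDog has started more than once (#START > 1), and it locates columns by header name so that both the Management Server layout and the Security Gateway layout (with the CTX column) are handled. The function name and the sample output are assumptions constructed for this example; the verbose -full layout is not parsed.

```shell
# Added example (not part of the Check Point guide): a health check over the
# default "cpwd_admin list" output (without -full). It reports processes whose
# STAT is T (terminated) and processes the WatchDog started more than once
# (#START > 1), which usually means a crash followed by a WatchDog restart.
# Columns are located by name from the header line, so the same function
# handles the Management Server layout and the Security Gateway layout (CTX).
# Reads the output from stdin, prints one line per finding and returns 1 when
# there is at least one finding, 0 when all processes look healthy, 2 when no
# cpwd_admin list header was found in the input.
cpwd_list_check() {
    awk '
    # The header row names the columns; remember the index of each one.
    !have_header && $1 == "APP" {
        for (i = 1; i <= NF; i++) col[$i] = i
        if (!("STAT" in col) || !("#START" in col) || !("PID" in col)) {
            print "unrecognised header: " $0; bad = 2; exit
        }
        have_header = 1; next
    }
    # Skip anything before the header, shell prompts and blank lines.
    !have_header || /^\[Expert@/ || NF == 0 { next }
    {
        app = $(col["APP"])
        ctx = ("CTX" in col) ? (" (VSID " $(col["CTX"]) ")") : ""
        # START_TIME spans two fields ("[hh:mm:ss] d/m/yyyy"), so MON and
        # COMMAND are shifted by one; every column used here comes at or before
        # START_TIME, so its header index is exact.
        if ($(col["STAT"]) == "T") {
            printf "%s%s: terminated (PID %s, last start %s %s)\n", app, ctx,
                $(col["PID"]), $(col["START_TIME"]), $(col["START_TIME"] + 1)
            bad = 1
        } else if ($(col["#START"]) + 0 > 1) {
            printf "%s%s: restarted %d times by the WatchDog\n", app, ctx, $(col["#START"]) - 1
            bad = 1
        }
    }
    END {
        if (!have_header && bad == 0) { print "no cpwd_admin list header found"; bad = 2 }
        exit bad + 0
    }'
}

# Constructed sample (not a real capture) in the Security Gateway layout:
# HISTORYD is terminated and FWD has been restarted twice.
sample_gw_list='[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
HISTORYD 0 0 T 0 [18:14:15] 23/5/2019 N cpview_historyd
FWD 0 5640 E 3 [18:14:26] 23/5/2019 N fwd
[Expert@HostName:0]#'

printf '%s\n' "$sample_gw_list" | cpwd_list_check || echo "cpwd: findings above need attention"
# On a live system: cpwd_admin list | cpwd_list_check
```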


cpwd_admin monitor_list
Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 208.

Syntax

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list
cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#


cpwd_admin start
Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server

cpwd_admin start -name <Application Name> -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Syntax on a Security Gateway

cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

-name <Application Name>
    Name, under which the cpwd_admin list command shows the monitored process
    in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the
    executable including the executable name.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd"
    - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh"
    - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl"


-command "<Command Syntax>"
    The command and its arguments to run.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "fwm"
    - For FWM on Multi-Domain Server: "fwm mds"
    - For FWD: "fwd"
    - For CPD: "cpd"
    - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh -s"
    - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl -c "/opt/CPuepm-R80.40/engine/conf/cptnl_srv.conf""

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to
      80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified
      environment variable

-slp_timeout <Timeout>
    Configures the specified value of the "sleep_timeout" configuration parameter.
    See "cpwd_admin config" on page 211.

-retry_limit {<Limit> | u}
    Configures the value of the "no_limit" configuration parameter (the number of
    restart attempts).
    See "cpwd_admin config" on page 211.
    - <Limit> - Tries to restart the process the specified number of times
    - u - Tries to restart the process an unlimited number of times

Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin start_monitor
Description
Starts the active WatchDog monitoring. WatchDog monitors the predefined processes actively.
See the explanation for the "cpwd_admin" on page 208 command.

Syntax

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor
cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#


cpwd_admin stop
Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Management Server

cpwd_admin stop -name <Application Name> [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Syntax on a Security Gateway

cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Parameters

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process
    in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.


-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the
    executable including the executable name.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd_admin"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "fw kill fwm"
    - For FWD: "fw kill fwd"
    - For CPD: "cpd_admin stop"

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to
      80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified
      environment variable

Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin stop_monitor
Description
Stops the active WatchDog monitoring. WatchDog monitors all processes only passively.
See the explanation for the "cpwd_admin" on page 208 command.

Syntax

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor
cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#


dbedit
Description
Edits the management database - the $FWDIR/conf/objects_5_0.C file - on the Security
Management Server or Domain Management Server. See sk13301.

Important - Do NOT run this command, unless explicitly instructed by Check Point
Support or R&D to do so. Otherwise, you can corrupt settings in the management
database.

Syntax

dbedit -help

dbedit [-globallock] [{-local | -s <Management_Server>}] [{-u <Username> | -c <Certificate>}] [-p <Password>] [-f <File_Name> [ignore_script_failure] [-continue_updating]] [-r "<Open_Reason_Text>"] [-d <Database_Name>] [-listen] [-readonly] [-session]

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Parameters

-help
    Prints the general help.

-globallock
    When you work with the dbedit utility, it partially locks the management database. If a
    user configures objects in SmartConsole at the same time, it causes problems in the
    management database.
    This option does not let SmartConsole, or another dbedit user, make changes in the
    management database.
    When you specify this option, the dbedit commands run on a copy of the
    management database. After you make the changes with the dbedit commands
    and run the savedb command, the dbedit utility saves and commits your changes to
    the actual management database.

-local
    Connects to the localhost (127.0.0.1) without using username/password.
    If you do not specify this parameter, the dbedit utility asks how to connect.

-s <Management_Server>
    Specifies the Security Management Server - by IP address or HostName.
    If you do not specify this parameter, the dbedit utility asks how to connect.


-u Specifies the username, with which the dbedit utility connects to the Security
<Username> Management Server.
Mandatory parameter when you specify the "-s <Management_Server>"
parameter.

-c < Specifies the user's certificate file, with which the dbedit utility connects to the
Certificate Security Management Server.
>
Mandatory parameter when you specify the "-s <Management_Server>"
parameter.

-p Specifies the user's password, with which the dbedit utility connects to the Security
<Password> Management Server.
Mandatory parameter when you specify the "-s <Management_Server>" and
"-u <Username>" parameters.

-f <File_Name> Specifies the file that contains the applicable dbedit internal commands (see the
section "dbedit Internal Commands" below):
- create <object_type> <object_name>
- modify <table_name> <object_name> <field_name> <value>
- update <table_name> <object_name>
- delete <table_name> <object_name>
- print <table_name> <object_name>
- quit

Note - Each command is limited to 4096 characters.

-ignore_script_failure Continues to execute the dbedit internal commands in the file and ignores errors.
You can use it when you specify the "-f <File_Name>" parameter.

-continue_updating Continues to update the modified objects, even if the operation fails for some of the
objects (ignores the errors and runs the update_all command at the end of the
script).
You can use it when you specify the "-f <File_Name>" parameter.

-r "<Open_Reason_Text>" Specifies the reason for opening the database in read-write mode (default mode).

-d <Database_Name> Specifies the name of the database, to which the dbedit utility should connect (for
example, mdsdb).


-listen The dbedit utility "listens" for changes (use this mode for advanced troubleshooting
with the assistance of Check Point Support).
The dbedit utility prints its internal messages when a change occurs in the
management database.

-readonly Specifies to open the management database in read-only mode.

-session Opens the management database in session mode. Changes you make in this mode are
saved with the "savesession" internal command (see "dbedit Internal Commands" below).

dbedit Internal Commands

Note - To see the available tables, class names (object types), attributes and values,
connect to Management Server with GuiDBedit Tool.

Command Description, Syntax, Examples

-h Description:
Prints the general help.
Syntax:

dbedit> -h

-q Description:
quit Quits from dbedit.
Syntax:

dbedit> -q

dbedit> quit [-update_all | -noupdate]

Examples:
- Exit the utility and commit the remaining modified objects (interactive mode):

dbedit> quit

- Exit the utility and update all the remaining modified objects:

dbedit> quit -update_all

- Exit the utility and discard all modifications:

dbedit> quit -noupdate


update Description:
Saves the specified object in the specified table (for example, "network_
objects", "services", "users").
Syntax:

dbedit> update <table_name> <object_name>

Example:
Save the object My_Service in the table services:

dbedit> update services My_Service

update_all Description:
Saves all the modified objects.
Syntax:

dbedit> update_all

_print_set Description:
Prints the specified object from the specified table (for example, "network_
objects", "services", "users") as it appears in the
$FWDIR/conf/objects_5_0.C file (sets of attributes).
Syntax:

dbedit> _print_set <table_name> <object_name>

Example:
Print the object My_Obj from the table network_objects:

dbedit> _print_set network_objects My_Obj


print Description:
Prints the list of attributes of the specified object from the specified table (for
example, "network_objects", "properties", "services", "users").

Syntax:

dbedit> print <table_name> <object_name>

Examples:
n Print the object My_Obj from the table network_objects (in "Network
Objects"):

dbedit> print network_objects my_obj

n Print the object firewall_properties from the table properties (in "Global
Properties"):

dbedit> print properties firewall_properties

printxml Description:
Prints in XML format the list of attributes of the specified object from the specified
table (for example, "network_objects", "properties", "services",
"users").
You can export the settings from a Management Server to an XML file that you can
use later with external automation systems.
Syntax:

dbedit> printxml <table_name> [<object_name>]

Examples:
n Print the object My_Obj from the table network_objects:

dbedit> printxml network_objects my_obj

n Print the object firewall_properties from the table properties (in "Global
Properties"):

dbedit> printxml properties firewall_properties


printbyuid Description:
Prints the attributes of the object specified by its UID (appears in the
$FWDIR/conf/objects_5_0.C file at the beginning of the object as "chkpf_
uid ({...})").
Syntax:

dbedit> printbyuid {object_id}

Example:
Print the attributes of the object with the specified UID:

dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}

query Description:
Prints all the objects in the specified table.
Optionally, you can query for objects with a specific attribute and value - the query is
separated by a comma after "query <table_name>" (spaces are not allowed
between the <attribute> and '<value>').

Syntax:

dbedit> query <table_name> [ , <attribute>='<value>' ]

Examples:
- Print all objects in the table users:

dbedit> query users

- Print all objects in the table network_objects that are defined as Management
Servers:

dbedit> query network_objects, management='true'

- Print all objects in the table services with the name ssh:

dbedit> query services, name='ssh'

- Print all objects in the table services with the port 22:

dbedit> query services, port='22'

- Print all objects with the IP address 10.10.10.10:

dbedit> query network_objects, ipaddr='10.10.10.10'


whereused Description:
Checks where the specified object is used in the database.
Prints the number of places, where this object is used, and relevant information about
each such place.
Syntax:

dbedit> whereused <table_name> <object_name>

Example:
Check where the object My_Obj is used:

dbedit> whereused network_objects My_Obj

create Description:
Creates an object of the specified type (with its default values) in the database.
Restrictions apply to the object's name:
- Object names can have a maximum of 100 characters.
- Object names can contain only ASCII letters, numbers, and dashes.
- Reserved words are blocked by the Management Server (refer to
sk40179).

Syntax:

dbedit> create <object_type> <object_name>

Example:
Create the service object My_Service of the type tcp_service (with its default
values):

dbedit> create tcp_service my_service

delete Description:
Deletes an object from the specified table.
Syntax:

dbedit> delete <table_name> <object_name>

Example:
Delete the service object My_Service from the table services:

dbedit> delete services my_service


modify Description:
Modifies the value of the specified attribute in the specified object in the specified table
(for example, "network_objects", "services", "users") in the management
database.
Syntax:

dbedit> modify <table_name> <object_name> <field_name> <value>

Examples:
- Modify the color to red in the object My_Service in the table services:

dbedit> modify services My_Service color red

- Add a comment to the object MyObj:

dbedit> modify network_objects MyObj comments "Created by fwadmin with dbedit"

- Set the value of the global property ike_use_largest_possible_subnets in the
table properties to false:

dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false

- Create a new interface on the Security Gateway My_FW and modify its
attributes - set the IP address / Mask and enable Anti-Spoofing on the interface
with "Element Index"=3 (check the attributes of the object My_FW in
GuiDBedit Tool):

dbedit> addelement network_objects My_FW interfaces interface
dbedit> modify network_objects My_FW interfaces:3:officialname NAME_OF_INTERFACE
dbedit> modify network_objects My_FW interfaces:3:ipaddr IP_ADDRESS
dbedit> modify network_objects My_FW interfaces:3:netmask NETWORK_MASK
dbedit> modify network_objects My_FW interfaces:3:security:netaccess:access specific
dbedit> modify network_objects My_FW interfaces:3:security:netaccess:allowed network_objects:group_name
dbedit> modify network_objects My_FW interfaces:3:security:netaccess:perform_anti_spoofing true

- Change the value of FieldA to LINKSYS in the object MyObj:

dbedit> modify network_objects MyObj FieldA LINKSYS

- In the Owned Object MyObj change the value of FieldB to NewVal:

dbedit> modify network_objects MyObj FieldA:FieldB NewVal

- In the Linked Object MyObj change the value of FieldA from B to C:

dbedit> modify network_objects MyObj FieldA B:C

lock Description:
Locks the specified object (by administrator) in the specified table (for example,
"network_objects", "services", "users") from being modified by other users.
For example, if you connect from a remote computer to this Management Server
as admin1 and lock an object, you are able to connect as admin2, but are not
able to modify the locked object, until admin1 releases the lock.
Syntax:

dbedit> lock <table_name> <object_name>

Example:
Lock the object My_Service_Obj in the table services in the database:

dbedit> lock services My_Service_Obj


addelement Description:
Adds a specified multiple field / container (with the specified value) to a specified object
in the specified table.
Syntax:

dbedit> addelement <table_name> <object_name> <field_name> <value>

Examples:
- Add the element BranchObjectClass with the value Organization to the multiple
field Read in the object My_Obj in the table ldap:

dbedit> addelement ldap My_Obj Read:BranchObjectClass Organization

- Add the service MyService to the group of services MyServicesGroup in the
table services:

dbedit> addelement services MyServicesGroup '' services:MyService

- Add the network MyNetwork to the group of networks MyNetworksGroup in
the table network_objects:

dbedit> addelement network_objects MyNetworksGroup '' network_objects:MyNetwork


rmelement Description:
Removes a specified multiple field / container (with the specified value) from a specified
object in the specified table.
Syntax:

dbedit> rmelement <table_name> <object_name> <field_name> <value>

Examples:
- Remove the service MyService from the group of services MyServicesGroup
in the table services:

dbedit> rmelement services MyServicesGroup '' services:MyService

- Remove the network MyNetwork from the group of networks
MyNetworksGroup in the table network_objects:

dbedit> rmelement network_objects MyNetworksGroup '' network_objects:MyNetwork

- Remove the element BranchObjectClass with the value Organization from the
multiple field Read in the object My_Obj in the table ldap:

dbedit> rmelement ldap My_Obj Read:BranchObjectClass Organization

rename Description:
Renames the specified object in the specified table.
Syntax:

dbedit> rename <table_name> <object_name> <new_object_name>

Example:
Rename the network object london to chicago in the table network_objects:

dbedit> rename network_objects london chicago


rmbyindex Description:
Removes an element from a container by the element's index.
Syntax:

dbedit> rmbyindex <table_name> <object_name> <field_name> <index_number>

Example:
Remove the element backup_log_servers from the container log_servers by
element index 1, in the object g in the table network_objects:

dbedit> rmbyindex network_objects g log_servers:backup_log_servers 1

add_owned_remove_name Description:
Adds an owned object (and removes its name) to a specified owned object field (or
container).
Syntax:

dbedit> add_owned_remove_name <table_name> <object_name> <field_name> <value>

Example:
Add the owned object My_Gateway (and remove its name) to the owned object field
(or container) my_external_products:

dbedit> add_owned_remove_name network_objects My_Gateway additional_products owned:my_external_products

is_delete_allowed Description:
Checks if the specified object can be deleted from the specified table (an object cannot
be deleted if it is used by other objects).
Syntax:

dbedit> is_delete_allowed <table_name> <object_name>

Example:
Check if the object MyObj can be deleted from the table network_objects:

dbedit> is_delete_allowed network_objects MyObj


set_pass Description:
Sets the specified password for the specified user.
Notes:
- The password must contain at least 4 characters and no more than 50
characters.
- This command cannot change the administrator's password.
- The password is entered in clear text in the dbedit session (and is stored in clear text
in the script file, if you use "dbedit -f"); protect such files and the shell history
accordingly.

Syntax:

dbedit> set_pass <Username> <Password>

Example:
Set the password 1234 for the user abcd:

dbedit> set_pass abcd 1234

savedb Description:
Saves the database. You can run this command only when the database is locked
globally (when you start the dbedit utility with the "dbedit -globallock"
command).
Syntax:

dbedit> savedb

savesession Description:
Saves the session. You can run this command only when you start the dbedit utility in
session mode (with the "dbedit -session" command).

Syntax:

dbedit> savesession
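The internal commands above are usually run non-interactively from a script file ("dbedit -local -f <File_Name>"). The following is an added example, not Check Point code: a Python helper that emits such a script, keeps every command under the 4096-character limit, checks object names against the restrictions listed under "create", and builds the dbedit command line with the "-continue_updating" / "-ignore_script_failure" options. The object names (My_Service, MyServicesGroup), the port and the comment are placeholders. One assumption beyond the reference text: the name check also accepts underscores, because the page's own examples use them although the rule lists only letters, numbers and dashes.

```python
"""Generate a dbedit script for "dbedit -local -f <File_Name>".

Added example, not Check Point code. Only the text of the script is built
here; running it requires the dbedit binary on a Security Management Server."""
import re
import subprocess

MAX_COMMAND_LEN = 4096  # per-command limit stated for "-f <File_Name>"
MAX_OBJECT_NAME = 100   # name limit stated under the "create" command
# The reference lists ASCII letters, numbers and dashes; its own examples also
# use underscores, so this check (an assumption) accepts them as well.
OBJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def check_object_name(name):
    """Reject names the Management Server would refuse (length / characters)."""
    if len(name) > MAX_OBJECT_NAME or not OBJECT_NAME_RE.match(name):
        raise ValueError(f"invalid dbedit object name: {name!r}")
    return name


def dbedit_arg(value):
    """Render one argument; values containing whitespace are double-quoted,
    as in the "comments" example above."""
    value = str(value)
    if '"' in value or "\n" in value:
        raise ValueError("argument must not contain double quotes or newlines")
    return f'"{value}"' if re.search(r"\s", value) else value


def dbedit_line(*parts):
    """One internal command; enforce the 4096-character limit."""
    line = " ".join(dbedit_arg(p) for p in parts)
    if len(line) > MAX_COMMAND_LEN:
        raise ValueError(f"dbedit command exceeds {MAX_COMMAND_LEN} characters")
    return line


def tcp_service_commands(name, port, comment=None):
    """create / modify / update sequence for a tcp_service object."""
    check_object_name(name)
    cmds = [dbedit_line("create", "tcp_service", name),
            dbedit_line("modify", "services", name, "port", port)]
    if comment:
        cmds.append(dbedit_line("modify", "services", name, "comments", comment))
    cmds.append(dbedit_line("update", "services", name))
    return cmds


def add_to_service_group(group, member):
    """addelement with the empty field name ('') used for group membership."""
    check_object_name(group)
    check_object_name(member)
    return [dbedit_line("addelement", "services", group, "''", f"services:{member}"),
            dbedit_line("update", "services", group)]


def build_script(command_groups, commit=True):
    """Join the command lists and end with a quit that commits or discards."""
    lines = [cmd for group in command_groups for cmd in group]
    lines.append("quit -update_all" if commit else "quit -noupdate")
    return "\n".join(lines) + "\n"


def dbedit_argv(script_path, continue_updating=False, ignore_failures=False):
    """Command line for running the script against the local database."""
    argv = ["dbedit", "-local"]
    if continue_updating:
        argv.append("-continue_updating")
    if ignore_failures:
        argv.append("-ignore_script_failure")
    return argv + ["-f", script_path]


def run_script(script_text, path="/tmp/dbedit_script.txt"):
    """Write the script and run it; only meaningful on a Management Server."""
    with open(path, "w") as handle:
        handle.write(script_text)
    result = subprocess.run(dbedit_argv(path), check=True,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print(build_script([
        tcp_service_commands("My_Service", 8443, "Created by fwadmin with dbedit"),
        add_to_service_group("MyServicesGroup", "My_Service"),
    ]), end="")
```

The script ends with "quit -update_all" so that a failure in the middle does not leave partially applied objects committed unless "-continue_updating" is requested explicitly; for a dry run, build_script(..., commit=False) produces a file that ends with "quit -noupdate".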

fw
Description
n Performs various operations on Security or Audit log files.
n Kills the specified Check Point processes.
n Manages the Suspicious Activity Monitoring (SAM) rules.
n Manages the Suspicious Activity Policy editor.

Syntax

fw [-d]
      fetchlogs <options>
      hastat <options>
      kill <options>
      log <options>
      logswitch <options>
      lslogs <options>
      mergefiles <options>
      repairlog <options>
      sam <options>
      sam_policy <options>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file,
or use the script command to save the entire CLI session.

fetchlogs Fetches the specified Check Point log files - Security ($FWDIR/log/*.log*) or
<options> Audit ($FWDIR/log/*.adtlog*), from the specified Check Point computer.

See "fw fetchlogs" on page 247.

hastat Shows information about Check Point computers in High Availability configuration and
<options> their states.
See "fw hastat" on page 249.


kill <options> Kills the specified Check Point process.
See "fw kill" on page 250.

log Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
<options> ($FWDIR/log/*.adtlog).

See "fw log" on page 251.

logswitch Switches the current active Check Point log file - Security ($FWDIR/log/fw.log) or
<options> Audit ($FWDIR/log/fw.adtlog).

See "fw logswitch" on page 260.

lslogs Shows a list of Check Point log files - Security ($FWDIR/log/*.log*) or Audit
<options> ($FWDIR/log/*.adtlog*), located on the local computer or a remote computer.

See "fw lslogs" on page 264.

mergefiles Merges several Check Point log files - Security ($FWDIR/log/*.log) or Audit
<options> ($FWDIR/log/*.adtlog), into a single log file.

See "fw mergefiles" on page 267.

repairlog Rebuilds pointer files for Check Point log files - Security ($FWDIR/log/*.log) or
<options> Audit ($FWDIR/log/*.adtlog).

See "fw repairlog" on page 270.

sam <options> Manages the Suspicious Activity Monitoring (SAM) rules.
See "fw sam" on page 271.

sam_policy <options>
or
samp <options> Manages the Suspicious Activity Policy editor that lets you work with these types of
rules:
- Suspicious Activity Monitoring (SAM) rules.
- Rate Limiting rules.
See "fw sam_policy" on page 279.

fw fetchlogs
Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File
2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or
use the script command to save the entire CLI session.

-f <Name of Log File N> Specifies the name of the log file to fetch. Specify the file name only (no path).
Notes:
- If you do not specify the log file name explicitly, the command transfers all Security
log files ($FWDIR/log/*.log*) and all Audit log files
($FWDIR/log/*.adtlog*).
- The specified log file name can include wildcards * and ? (for example, 2017-0?-
*.log).
If you enter a wildcard, you must enclose it in double quotes or single quotes.
- You can specify multiple log files in one command.
You must use the -f parameter for each log file name pattern.
- This command also transfers the applicable log pointer files.

<Target> Specifies the remote Check Point computer, with which this local Check Point computer
has established SIC trust.
n If you run this command on a Security Management Server or Domain
Management Server, then <Target> is the applicable object's name or main IP
address of the Check Point Computer as configured in SmartConsole.
n If you run this command on a Security Gateway or Cluster Member, then
<Target> is the main IP address of the applicable object as configured in
SmartConsole.

Notes:
- This command moves the specified log files from the $FWDIR/log/ directory on the specified
Check Point computer. Meaning, it deletes the specified log files on the specified Check Point
computer after it copies them successfully.
- This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point
computer, on which you run this command.
- This command cannot fetch the active log files $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog.
To fetch these active log files:
1. Perform a log switch on the applicable Check Point computer:

fw logswitch [-audit] [-h <IP Address or Hostname>]

2. Fetch the rotated log file from the applicable Check Point computer:

fw fetchlogs -f <Log File Name> <IP Address or Hostname>

- This command renames the log files it fetched from the specified Check Point computer. The new
log file name is the concatenation of the Check Point computer's name (as configured in
SmartConsole), two underscore (_) characters, and the original log file name (for example:
MyGW__2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW


Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW


File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW


Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#
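A collection run normally lists the remote files first, leaves the active file alone (fetchlogs cannot move it), and only then fetches. The following is an added example, not Check Point code: it parses the "fw lslogs" listing shown above, selects the rotated files, and builds the "fw logswitch" and "fw fetchlogs" command lines together with the local names the fetched files get (<target>__<original name>). The listing is copied from the example above; the target name MyGW and the min_kb threshold are placeholders, and only collect() issues the "fw" commands, so it has to run on a Check Point computer.

```python
"""Plan a log collection with fw lslogs / fw logswitch / fw fetchlogs.

Added example, not Check Point code. The fw binary only exists on a Check
Point computer, so only collect() shells out; everything else is pure parsing."""
import re
import subprocess

# Listing copied from the "fw lslogs MyGW" example on this page.
SAMPLE_LSLOGS = """\
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
"""

ACTIVE_FILES = {"fw.log", "fw.adtlog"}   # fetchlogs cannot move these
SIZE_RE = re.compile(r"^(\d+)KB$")


def parse_lslogs(text):
    """Return [(file name, size in KB)] from fw lslogs output (header skipped)."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        match = SIZE_RE.match(parts[0])
        if match:
            entries.append((parts[1].strip(), int(match.group(1))))
    return entries


def rotated_files(entries, min_kb=0):
    """Files fetchlogs can move: everything except the active files."""
    return [name for name, kb in entries if name not in ACTIVE_FILES and kb >= min_kb]


def fetch_argv(target, names):
    """fw fetchlogs -f <name> ... <target>; one -f per file. The name is given
    without its .log / .adtlog extension, as in the example above, so the
    pointer files are transferred together with the log."""
    argv = ["fw", "fetchlogs"]
    for name in names:
        argv += ["-f", re.sub(r"\.(adtlog|log)$", "", name)]
    return argv + [target]


def logswitch_argv(target, audit=False):
    """Rotate the active file on the target so that it becomes fetchable."""
    return ["fw", "logswitch"] + (["-audit"] if audit else []) + ["-h", target]


def local_name(target, name):
    """fetchlogs renames fetched files to <target>__<original name>."""
    return f"{target}__{name}"


def collect(target, rotate_active=False, min_kb=0):
    """Run the collection on a Check Point host; returns the local file names."""
    if rotate_active:
        subprocess.run(logswitch_argv(target), check=True)
    listing = subprocess.run(["fw", "lslogs", target], check=True,
                             capture_output=True, text=True).stdout
    names = rotated_files(parse_lslogs(listing), min_kb)
    if names:
        subprocess.run(fetch_argv(target, names), check=True)
    return [local_name(target, name) for name in names]


if __name__ == "__main__":
    rotated = rotated_files(parse_lslogs(SAMPLE_LSLOGS))
    print(" ".join(fetch_argv("MyGW", rotated)))
    print([local_name("MyGW", name) for name in rotated])
```

Because fetchlogs deletes the remote copy after a successful transfer, collect() is deliberately not retried blindly: a second run lists the remote directory again and only fetches what is still there.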

fw hastat
Description
Shows information about Check Point computers in High Availability configuration and their states.

Note - This command is outdated. On cluster members, run the Gaia Clish command
"show cluster state", or the Expert mode command "cphaprob state".

Note - This command is outdated. On Management Servers, run the "cpstat" command
(see "cpstat" on page 197).

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter Description

<Target1> <Target2> ... <TargetN> Specifies the Check Point computers to query.
If you run this command on the Management Server, you can enter the applicable IP
address, or the resolvable HostName of the managed Security Gateway or Cluster
Member.
If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#

fw kill
Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

-t <Signal Number> Specifies which signal to send to the Check Point process.
For the list of available signals and their numbers, run the kill -l
command.
For information about the signals, see the manual pages for kill and
signal.
If you do not specify the signal explicitly, the command sends Signal 15
(SIGTERM).

Note - Processes can ignore some signals.

<Name of Process> Specifies the name of the Check Point process to kill.
To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw log
Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u <Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter Description

{-h | -help} Shows the built-in usage.
Note - The built-in usage does not show some of the parameters described in
this table.

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

-a Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>" Shows only entries that were logged between the specified start and end
times.
- The <Start Timestamp> and <End Timestamp> may be a date,
a time, or both.
- If the date is omitted, then the command assumes the current date.
- Enclose the "<Start Timestamp>" and "<End Timestamp>" in
single or double quotes (-b 'XX' 'YY', or -b "XX" "YY").
- You cannot use the "-b" parameter together with the "-s" or "-e"
parameters.
- See the date and time format below.


-c <Action> Shows only events with the specified action. One of these:
- accept
- drop
- reject
- encrypt
- decrypt
- vpnroute
- keyinst
- authorize
- deauthorize
- authcrypt
- ctl

Notes:
- The fw log command always shows the Control (ctl) actions.
- For the login action, use authcrypt.

-e "<End Timestamp>" Shows only entries that were logged before the specified time.
Notes:
- The <End Timestamp> may be a date, a time, or both.
- Enclose the <End Timestamp> in single or double quotes (-e
'...', or -e "...").
- You cannot use the "-e" parameter together with the "-b" parameter.
- See the date and time format below.

-f This parameter:
1. Shows the saved entries that match the specified conditions.
2. After the command reaches the end of the currently opened log file, it
continues to monitor the log file indefinitely and shows the new entries
that match the specified conditions.

Note - Applies only to the active log file $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog


-g Does not show delimiters.
The default behavior is:
- Show a colon (:) after a field name
- Show a semi-colon (;) after a field value

-H Shows the High Level Log key.

-h <Origin> Shows only logs that were generated by the Security Gateway with the
specified IP address or object name (as configured in SmartConsole).

-i Shows the log UID.

-k {<Alert Name> | all} Shows entries that match a specific alert type:
- <Alert Name> - Show only entries that match a specific alert type:
  - alert
  - mail
  - snmp_trap
  - spoof
  - user_alert
  - user_auth
- all - Show entries that match all alert types (this is the default).

-l Shows both the date and the time for each log entry.
The default is to show the date only once above the relevant entries, and then
specify the time for each log entry.

-m {initial | semi | raw} Specifies the log unification mode:
- initial - Complete unification of log entries. The command shows
one unified log entry for each ID. This is the default.
If you also specify the -f parameter, then the output does not show any
updates, but shows only entries that relate to the start of new
connections. To show updates, use the semi parameter.
- semi - Step-by-step unification of log entries. For each log entry, the
output shows an entry that unifies this entry with all previously
encountered entries with the same ID.
- raw - No log unification. The output shows all log entries.

-n Does not perform DNS resolution of the IP addresses in the log file (this is the
default behavior).
This significantly speeds up the log processing.


-o Shows detailed log chains - shows all the log segments in the log entry.

-p Does not perform resolution of the port numbers in the log file (this is the
default behavior).
This significantly speeds up the log processing.

-q Shows the names of log header fields.

-S Shows the Sequence Number.

-s "<Start Timestamp>" Shows only entries that were logged after the specified time.
Notes:
- The <Start Timestamp> may be a date, a time, or both.
- If the date is omitted, then the command assumes the current date.
- Enclose the <Start Timestamp> in single or double quotes (-s
'...', or -s "...").
- You cannot use the "-s" parameter together with the "-b" parameter.
- See the date and time format below.

-t This parameter:
1. Does not show the saved entries that match the specified conditions.
2. After the command reaches the end of the currently opened log file, it
continues to monitor the log file indefinitely and shows the new entries
that match the specified conditions.

Note - Applies only to the active log file $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog

-u <Unification Scheme File> Specifies the path and name of the log unification scheme file.
The default log unification scheme file is:
$FWDIR/conf/log_unification_scheme.C

-w Shows the flags of each log entry (different bits used to specify the "nature" of
the log - for example, control, audit, accounting, complementary, and so on).

-x <Start Entry Number> Shows only entries from the specified log entry number and below, counting
from the beginning of the log file.

-y <End Entry Number> Shows only entries until the specified log entry number, counting from the
beginning of the log file.

-z In case of an error (for example, wrong field value), continues to show log
entries.
The default behavior is to stop.


-# Show confidential logs in clear text.

<Log File> Specifies the log file to read.
If you do not specify the log file explicitly, the command opens the
$FWDIR/log/fw.log log file.
You can specify a switched log file.

Date and Time format

Part of timestamp   Format                  Example

Date only           MMM DD, YYYY            June 11, 2018

Time only           HH:MM:SS                14:20:00
                    Note - In this case, the command assumes the current date.

Date and Time       MMM DD, YYYY HH:MM:SS   June 11, 2018 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that appear depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

Field Header      Description                                                       Example

HeaderDateHour    Date and Time                                                     12Jun2018 12:56:42

ContentVersion    Version                                                           5

HighLevelLogKey   High Level Log Key                                                <max_null>, or empty

Uuid              Log UUID                                                          (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)

SequenceNum       Log Sequence Number                                               1

Flags             Internal flags that specify the "nature" of the log - for         428292
                  example, control, audit, accounting, complementary, and so on

Action            Action performed on this connection                               accept, drop, reject, encrypt, decrypt,
                                                                                    vpnroute, keyinst, authorize, deauthorize,
                                                                                    authcrypt, ctl

Origin            Object name of the Security Gateway that generated this log       MyGW

IfDir             Traffic direction through the interface:                          <, >
                  < - Outbound (sent by a Security Gateway)
                  > - Inbound (received by a Security Gateway)

InterfaceName     Name of the Security Gateway interface, on which this traffic     eth0, daemon, N/A
                  was logged. If a Security Gateway performed some internal
                  action (for example, log switch), then the log entry shows
                  daemon

LogId             Log ID                                                            0

Alert             Alert Type                                                        alert, mail, snmp_trap, spoof, user_alert,
                                                                                    user_auth

OriginSicName     SIC name of the Security Gateway that generated this log          CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x

inzone            Inbound Security Zone                                             Local

outzone           Outbound Security Zone                                            External

service_id        Name of the service used to inspect this connection               ftp

src               Object name or IP address of the connection's source computer     MyHost

dst               Object name or IP address of the connection's destination         MyFTPServer
                  computer

proto             Name of the connection's protocol                                 tcp

sport_svc         Source port of the connection                                     64933

ProductName       Name of the Check Point product that generated this log           VPN-1 & FireWall-1, Application Control,
                                                                                    FloodGate-1

ProductFamily     Name of the Check Point product family that generated this log    Network
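The "name: value;" layout above is stable enough to parse, and the UP_match_table / UP_action_table markers (TABLE_START, ROW_START, ROW_END, TABLE_END) carry the rule that matched, which is what an analyst usually wants from a drop entry. The following is an added example, not Check Point code: a parser for "fw log -l" output that splits the positional header, turns the pairs into a record with nested tables, and groups drops by rule_uid. The sample lines are copied from Example 2 and Example 3 below with the wrapped lines joined. The mapping of the positional fields (date, time, ContentVersion, HighLevelLogKey, SequenceNum, Action, Origin, IfDir, InterfaceName) is inferred from those example lines, and the rule that the header ends at the first "name:" token is an assumption that also copes with control entries that print no InterfaceName.

```python
"""Parse "fw log -l" output into records and group the drops by rule.

Added example, not Check Point code. It follows the field layout described
above: positional header fields, then "name: value;" pairs, with
TABLE_START / ROW_START / ROW_END / TABLE_END markers around nested tables."""
import re
from collections import Counter

# Copied from the fw log examples on this page (wrapped lines joined).
SAMPLE_OUTPUT = """\
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;
"""

# Positional fields as printed with -l (date and time shown for every entry).
# Uuid and Flags appear only with -i / -w, and InterfaceName is missing on
# some control entries, so the header is cut at the first "name:" token
# (assumption based on the example lines above).
HEADER_FIELDS = ("HeaderDate", "HeaderHour", "ContentVersion", "HighLevelLogKey",
                 "SequenceNum", "Action", "Origin", "IfDir", "InterfaceName")
KEY_TOKEN = re.compile(r"^\S+:$")


def split_header(line):
    """Return (header dict, remaining 'name: value;' text)."""
    tokens = line.split()
    n = next((i for i, t in enumerate(tokens) if KEY_TOKEN.match(t)), len(tokens))
    header = dict(zip(HEADER_FIELDS, tokens[:n]))
    body = line.split(None, n)[n] if n < len(tokens) else ""
    return header, body


def parse_body(body):
    """Turn 'name: value;' pairs into a dict. A 'name: TABLE_START' opens a
    list of rows stored under name; ROW_START / ROW_END delimit each row."""
    record, table, rows, row = {}, None, None, None
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        key, value = key.strip(), value.strip()
        if value == "TABLE_START":
            table, rows = key, []
        elif value == "TABLE_END":
            record[table] = rows
            table, rows = None, None
        elif key == "ROW_START":
            row = {}
        elif key == "ROW_END":
            rows.append(row)
            row = None
        elif row is not None:
            row[key] = value
        else:
            record[key] = value
    return record


def parse_fw_log(text):
    """Parse every non-empty line; '...' continuation markers are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("..."):
            continue
        header, body = split_header(line)
        record = dict(header)
        record.update(parse_body(body))
        records.append(record)
    return records


def count_actions(records):
    """How many entries per Action (accept, drop, ctl, ...)."""
    return Counter(r.get("Action") for r in records)


def drops_by_rule(records):
    """Map rule_uid (from UP_match_table) to the (src, dst, service) it dropped."""
    result = {}
    for r in records:
        if r.get("Action") != "drop":
            continue
        for match in r.get("UP_match_table", []):
            result.setdefault(match.get("rule_uid"), []).append(
                (r.get("src"), r.get("dst"), r.get("service_id")))
    return result


if __name__ == "__main__":
    recs = parse_fw_log(SAMPLE_OUTPUT)
    print(dict(count_actions(recs)))
    print(drops_by_rule(recs))
```

Feed it the output of "fw log -l -n -p" (name and port resolution off, so the src / dst / service fields keep their raw values and the run is fast); with "-m raw" every log segment arrives as its own line and the same parser still applies.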

Examples

Example 1 - Show all log entries with both the date and the time for each log entry

fw log -l

Example 2 - Show all log entries that start after the specified timestamp

[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps
[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_
name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_
match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy
Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table:
TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp;
sport_svc: 64933; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach
"https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity:
2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security
Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"
[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_
match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy
Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table:
TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp;
sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292;
Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName:
CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst:
MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-
9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_
match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END;
ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
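The records that fw log -l -q -w prints (Example 5) are flat "Header: value;" lists in which the Unified Policy match and action tables are serialized inline with TABLE_START, ROW_START, ROW_END and TABLE_END markers. The following Python is an added example, not Check Point code or output: it parses captured records into dicts, restores the tables as lists of rows, and filters and counts the records offline. The sample records are constructed for the example (the first copies the drop record from Example 5; the second, an accept from MyHost, is invented), and the parser assumes that field values never contain a semicolon.

```python
"""Offline parser for 'fw log' records in the 'Header: value;' layout
printed by 'fw log -l -q -w'.  Added example for this guide; not Check Point code."""
from __future__ import annotations

from collections import Counter
from typing import Any, Optional

# Constructed sample records.  The first reproduces the manual's drop record
# (Example 5); the second is an invented accept record from another host so
# that filtering and counting have more than one record to work on.
SAMPLE_RECORDS = [
    "HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; "
    "LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; "
    "InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; "
    "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; "
    "outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; "
    "UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; "
    "layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; "
    "rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; "
    "UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; "
    "ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; "
    "sport_svc: 64933; ProductFamily: Network;",
    "HeaderDateHour: 12Jun2018 12:34:02; ContentVersion: 5; Action: accept; Origin: MyGW; "
    "IfDir: <; InterfaceName: eth0; src: MyHost; dst: MyFTPServer; proto: tcp; "
    "service_id: ftp; sport_svc: 51022; ProductName: VPN-1 & FireWall-1; "
    "ProductFamily: Network;",
]


def parse_record(record: str) -> dict[str, Any]:
    """Turn one 'Header: value; ...' record into a dict.

    Fields between 'X: TABLE_START' and 'X: TABLE_END' are collected as a
    list of row dicts under key X; ROW_START/ROW_END delimit each row.
    Empty values (e.g. 'LogUid: ;') become empty strings.  Values that
    themselves contain ';' are not supported (assumption of this example).
    """
    fields: dict[str, Any] = {}
    table: Optional[str] = None          # header of the table being read
    row: Optional[dict[str, str]] = None  # row being filled, None between rows
    for piece in record.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        key, _, value = piece.partition(":")   # first ':' only: URLs keep theirs
        key, value = key.strip(), value.strip()
        if value == "TABLE_START":
            table, fields[key] = key, []
        elif value == "TABLE_END":
            table, row = None, None
        elif key == "ROW_START" and table is not None:
            row = {}
        elif key == "ROW_END" and table is not None and row is not None:
            fields[table].append(row)
            row = None
        elif row is not None:
            row[key] = value
        else:
            fields[key] = value
    return fields


def select_records(records: list[str], **wanted: str) -> list[dict[str, Any]]:
    """Parse records and keep those whose top-level fields equal every wanted
    value, e.g. select_records(lines, Action="drop", dst="MyFTPServer")."""
    return [p for p in map(parse_record, records)
            if all(p.get(k) == v for k, v in wanted.items())]


def matched_rules(parsed: dict[str, Any]) -> list[tuple[str, str]]:
    """(layer_name, rule_uid) pairs from the UP_match_table rows: the rule
    that produced the drop, for cross-checking against the installed policy."""
    return [(r.get("layer_name", ""), r.get("rule_uid", ""))
            for r in parsed.get("UP_match_table", [])]


def count_by_field(records: list[str], field: str) -> dict[str, int]:
    """Histogram of one field over all records (e.g. drops per src)."""
    return dict(Counter(parse_record(r).get(field, "") for r in records))


if __name__ == "__main__":
    for rec in select_records(SAMPLE_RECORDS, Action="drop"):
        print(rec["HeaderDateHour"], rec["src"], "->", rec["dst"],
              rec["service_id"], "rules:", matched_rules(rec))
    print(count_by_field(SAMPLE_RECORDS, "Action"))
```

To use it on a real gateway, capture fw log -l -q -w to a file and feed its lines to select_records; each line is one record in this layout.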

fw logswitch
Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
- By default, this command switches the active Security log file - $FWDIR/log/fw.log
- You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch
      [-audit] [<Name of Switched Log>]
      -h <Target> [[+ | -]<Name of Switched Log>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-audit
    Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).
    You can use this parameter only on a Management Server.

-h <Target>
    Specifies the remote computer, on which to switch the log.
    Notes:
    - The local and the remote computers must have established SIC trust.
    - The remote computer can be a Security Gateway, a Log Server, or a Security Management Server in a High Availability deployment.
    - You can specify the remote managed computer by its main IP address or Object Name as configured in SmartConsole.

<Name of Switched Log>
    Specifies the name of the switched log file.
    Notes:
    - If you do not specify this parameter, then the default name is:
      <YYYY-MM-DD_HHMMSS>.log
      <YYYY-MM-DD_HHMMSS>.adtlog
      For example, 2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the switched log file is:
      <Specified_Log_Name>.log
      <Specified_Log_Name>.adtlog
    - The log switch operation fails if the specified name for the switched log matches the name of an existing log file.
    - The maximal length of the specified name of the switched log file is 230 characters.

+ (plus)
    Specifies to copy the active log from the remote computer to the local computer.
    Notes:
    - If you specify the name of the switched log file, you must write it immediately after this + (plus) parameter.
    - The command copies the active log from the remote computer and saves it in the $FWDIR/log/ directory on the local computer.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command copies the log file from the remote computer, it compresses the file.

- (minus)
    Specifies to transfer the active log from the remote computer to the local computer.
    Notes:
    - The command saves the copied active log file in the $FWDIR/log/ directory on the local computer and then deletes the switched log file on the remote computer.
    - If you specify the name of the switched log file, you must write it immediately after this - (minus) parameter.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command transfers the log file from the remote computer, it compresses the file.
    - As an alternative, you can use the "fw fetchlogs" on page 247 command.

Compression
When this command transfers the log files from the remote computer, it compresses the file with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method. The compression ratio varies with the content of the log file and is difficult to predict. Binary data are not compressed. Text data, such as user names and URLs, are compressed.

Example - Switching the active Security log on a Security Management Server or Security Gateway
[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server
[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

Example - Switching the active Security log on a managed Security Gateway and copying the switched log
[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

fw lslogs
Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog)
residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ... [-f <Name of Log File N>]
      [-e] [-r] [-s {name | size | stime | etime}] [<Target>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File>
    Specifies the name of the log file to show. Specify only the file name.
    Notes:
    - If the log file name is not specified explicitly, the command shows all Security log files ($FWDIR/log/*.log).
    - File names may include * and ? as wildcards (for example, 2019-0?-*). If you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command. You must use the "-f" parameter for each log file name pattern:
      -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>

-e
    Shows an extended file list. It includes the following information for each log file:
    - Size - The total size of the log file and its related pointer files
    - Creation Time - The time the log file was created
    - Closing Time - The time the log file was closed
    - Log File Name - The file name

-r
    Reverses the sort order (descending order).

-s {name | size | stime | etime}
    Specifies the sort order of the log files using one of the following sort options:
    - name - The file name
    - size - The file size
    - stime - The time the log file was created (this is the default option)
    - etime - The time the log file was closed

<Target>
    Specifies the remote Check Point computer, with which this local Check Point computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point computer as configured in SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"
Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'
Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 4 - Showing only log files specified by the patterns and their extended information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'
Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r
Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security Gateway with main IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' 192.168.3.53
Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#

fw mergefiles
Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
- Do not merge the active Security file $FWDIR/log/fw.log with other Security switched log files.
  Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch" command) and only then merge it with other Security switched log files.
- Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit switched log files.
  Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch" command) and only then merge it with other Audit switched log files.
- This command unifies log entries with the same Unique-ID (UID). If you rotate the current active log file before all the segments of a specific log arrive, this command merges the records with the same Unique ID from two different files into one fully detailed record.
- If the size of the final merged log file exceeds 2GB, this command creates a list of merged files, where the size of each merged file is not more than 2GB. The user receives this warning:

  Warning: The size of the files you have chosen to merge is greater than 2GB. The merge will produce two or more files.

  The names of the merged files are:
  - <Name of Merged Log File>.log
  - <Name of Merged Log File>_1.log
  - <Name of Merged Log File>_2.log
  - ... ...
  - <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}

fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of Log File 1> <Name of Log File 2> ... <Name of Log File N> <Name of Merged Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-r
    Removes duplicate entries.

-s
    Sorts the merged file by the Time field in log records.

-t <Time Conversion File>
    Specifies the full path and name of a file that instructs this command how to adjust the times during the merge.
    This is required if you merge log files from Log Servers configured with different time zones.
    The file format is:
      <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
      <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
      ... ...
    Notes:
    - You must specify the absolute path and the file name.
    - The name of the time conversion file cannot exceed 230 characters.

<Name of Log File 1> ... <Name of Log File N>
    Specifies the log files to merge.
    Notes:
    - You must specify the absolute path and the name of the input log files.
    - The name of an input log file cannot exceed 230 characters.

<Name of Merged Log File>
    Specifies the output merged log file.
    Notes:
    - The name of the merged log file cannot exceed 230 characters.
    - If a file with the specified name already exists, the command stops and asks you to remove the existing file, or to specify another name.
    - The size of the merged log file cannot exceed 2 GB. In that case, the command creates several merged log files, each not exceeding the size limit.

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log
$FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#

fw repairlog
Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases with special pointer files.
If these log pointer files become corrupted (which makes the log file unreadable), this command can rebuild them.

Log File Type    Log File Location       Log Pointer Files
Security log     $FWDIR/log/*.log        *.logptr
                                         *.logaccount_ptr
                                         *.loginitial_ptr
                                         *.logLuuidDB
Audit log        $FWDIR/log/*.adtlog     *.adtlogptr
                                         *.adtlogaccount_ptr
                                         *.adtloginitial_ptr
                                         *.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file

fw repairlog -u 2019-06-17_000000.adtlog

fw sam
Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
- In SmartConsole from Monitoring Results
- In CLI with the fw sam command

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- See the "fw sam_policy" and "sam_alert" commands.
- SAM rules consume some CPU resources on the Security Gateway.
  Best Practice - Set an expiration that gives you time to investigate, but does not affect performance. Keep only the SAM rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  This data log file contains the records in one of these formats:
    <type>,<actions>,<expire>,<ipaddr>
    <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
- SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
- IP Addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:
1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.

Syntax
- To add or cancel a SAM rule according to criteria:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

- To delete all SAM rules:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

- To monitor all SAM rules:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

- To monitor SAM rules according to criteria:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway, on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.
-S <SIC Name of SAM Server>
    Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.
    - For more information about enabling SIC, refer to the OPSEC API Specification.
    - On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway, on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or StandAlone.
    - Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
      Notes:
      - You can use this syntax only on Security Management Server or Domain Management Server.
      - VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
    - It is also possible to use this command for active SAM requests.

-C
    Cancels the fw sam command that inhibits connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds), during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for the enforced action:
    - nolog - Does not generate a Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:
    - This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
    - This action does not inhibit / close connections.
-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Each inhibited connection is logged according to the log type.
    - Matching connections are rejected.

-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.

-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    - Source IP Address
    - Source Netmask
    - Destination IP Address
    - Destination Netmask
    - Port (see IANA Service Name and Port Number Registry)
    - Protocol Number (see IANA Protocol Numbers)
    Possible combinations are (see the explanations below this table):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>

Explanation for the <Criteria> syntax

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.
subany <IP> <Netmask>
    Matches either the Source IP address or the Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.
    Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, source netmask, Destination IP address, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Port> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.
    Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address and protocol of connections.
    Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address and protocol of connections.
    Destination IP address is assigned according to the netmask.
generic <key=val>+
    Matches the GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    - service=gtp
    - imsi
    - msisdn
    - apn
    - tunl_dst
    - tunl_dport
    - tunl_proto
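Because fw sam takes a different number of positional arguments for each <Criteria> keyword, and because a cancellation (-C) must repeat the original parameters without -t, scripted use of the syntax and criteria described above benefits from a small builder. The following Python is an added example, not Check Point code: it validates a criteria tuple against the combinations listed in the table, assembles the argv for a notify or inhibit rule with an expiration, and derives the matching -C argv. The generic GTP form and the -e, -s, -S and -v parameters are not modelled; the gateway name MyGW and the addresses 192.0.2.10 and 198.51.100.0/24 in the usage are constructed values.

```python
"""Build and validate 'fw sam' argument lists from the <Criteria> table.
Added example for this guide; not Check Point code.  The functions return
argv lists and execute nothing; pass a list to subprocess.run() on the
Security Gateway or Management Server yourself."""
from __future__ import annotations

import ipaddress
from typing import Optional

# Argument kinds for each <Criteria> keyword, in the order the manual lists
# them.  The 'generic' GTP form (key=val pairs) is not modelled here.
CRITERIA = {
    "src": ("ip",), "dst": ("ip",), "any": ("ip",),
    "subsrc": ("ip", "mask"), "subdst": ("ip", "mask"), "subany": ("ip", "mask"),
    "srv": ("ip", "ip", "port", "proto"),
    "subsrv": ("ip", "mask", "ip", "mask", "port", "proto"),
    "subsrvs": ("ip", "mask", "ip", "port", "proto"),
    "subsrvd": ("ip", "ip", "mask", "port", "proto"),
    "dstsrv": ("ip", "port", "proto"),
    "subdstsrv": ("ip", "mask", "port", "proto"),
    "srcpr": ("ip", "proto"), "dstpr": ("ip", "proto"),
    "subsrcpr": ("ip", "mask", "proto"), "subdstpr": ("ip", "mask", "proto"),
}
ACTIONS = {"n", "i", "I", "j", "J"}   # notify, reject, reject+close, drop, drop+close
ACTION_FLAGS = {"-" + a for a in ACTIONS}
LOG_TYPES = {"nolog", "short_noalert", "short_alert", "long_noalert", "long_alert"}


def _check_arg(kind: str, value: str) -> None:
    """Raise ValueError if value is not a well-formed argument of this kind."""
    if kind == "ip":
        ipaddress.IPv4Address(value)
    elif kind == "mask":
        # dotted netmask such as 255.255.255.0; non-contiguous masks are rejected
        ipaddress.IPv4Network(f"0.0.0.0/{value}")
    elif kind == "port" and not 0 <= int(value) <= 65535:
        raise ValueError(f"port out of range: {value}")
    elif kind == "proto" and not 0 <= int(value) <= 255:   # IANA protocol number
        raise ValueError(f"protocol number out of range: {value}")


def is_valid_criteria(criteria: tuple) -> bool:
    """True if criteria is '<keyword> <args...>' with the right count and
    shape of arguments for that keyword."""
    keyword, *args = criteria
    kinds = CRITERIA.get(keyword)
    if kinds is None or len(kinds) != len(args):
        return False
    try:
        for kind, value in zip(kinds, args):
            _check_arg(kind, str(value))
    except ValueError:          # ipaddress errors and int() failures subclass it
        return False
    return True


def build_sam_argv(action: str, criteria: tuple, *, timeout: Optional[int] = None,
                   log_type: Optional[str] = None, gateway: Optional[str] = None,
                   resolve_names: bool = False) -> list:
    """Assemble 'fw sam [-f GW] [-t SEC] [-l TYPE] [-r] -<action> <criteria>'.

    timeout is in seconds; leaving it out means the manual's default of
    'forever'.  -r (do not resolve IP addresses) is added unless
    resolve_names=True, so scripted runs do not wait on DNS."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    if not is_valid_criteria(criteria):
        raise ValueError(f"invalid criteria: {criteria}")
    if log_type is not None and log_type not in LOG_TYPES:
        raise ValueError(f"unknown log type {log_type!r}")
    if timeout is not None and timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    argv = ["fw", "sam"]
    if gateway:
        argv += ["-f", gateway]
    if timeout is not None:
        argv += ["-t", str(timeout)]
    if log_type:
        argv += ["-l", log_type]
    if not resolve_names:
        argv.append("-r")
    argv += ["-" + action, *map(str, criteria)]
    return argv


def cancel_argv(argv: list) -> list:
    """The 'fw sam -C' command that cancels a rule built above: the same
    parameters and criteria with '-t <Timeout>' removed and '-C' inserted
    before [-r] and the action flag, as the -C description requires."""
    out, skip_next, inserted = [], False, False
    for tok in argv:
        if skip_next:                     # drop the value that followed -t
            skip_next = False
            continue
        if tok == "-t":
            skip_next = True
            continue
        if not inserted and (tok == "-r" or tok in ACTION_FLAGS):
            out.append("-C")
            inserted = True
        out.append(tok)
    if not inserted:
        raise ValueError("argv contains no fw sam action flag")
    return out


if __name__ == "__main__":
    # Constructed usage: drop and close everything from one host on MyGW
    # for one hour, then show the cancellation to run once triage is done.
    block = build_sam_argv("J", ("src", "192.0.2.10"), timeout=3600,
                           log_type="long_alert", gateway="MyGW")
    print(" ".join(block))
    print(" ".join(cancel_argv(block)))
```

The timeout is deliberately a keyword argument rather than a default, so a caller has to decide consciously to create a permanent rule, in line with the guide's advice to set an expiration and keep only the SAM rules you need.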

fw sam_policy
Description
Manages the Suspicious Activity Policy editor that lets you work with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 271
- "sam_alert" on page 370

Notes:
- You can run these commands interchangeably: 'fw sam_policy' and 'fw samp'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Syntax for IPv6

fw6 [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw6 [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 282.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 295.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 297.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 300.

fw sam_policy add

Description
The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy add' and 'fw samp add'.
- You can run these commands in Gaia Clish or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined. Default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log

-t <Timeout>
    Optional.
    Specifies the time period (in seconds) during which the rule will be enforced. Default timeout is indefinite.

-f <Target>
    Optional.
    Specifies the target Security Gateways on which to enforce the Rate Limiting rule. <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):

    [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]

    See the explanations below.

quota <Quota Filter Arguments>
    Mandatory (use this quota parameter, or the ip parameter).
    Configures the Rate Limiting rule.
    Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):
    - [flush true]
    - [source-negated {true | false}] source <Source>
    - [destination-negated {true | false}] destination <Destination>
    - [service-negated {true | false}] service <Protocol and Port numbers>
    - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
    - [track <Track>]

    Important:
    - The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.
    - Explanation:
      For new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.
      The Security Gateway computes new connection rates on a per-second basis.
      At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.
      If, at some point during that 1-second period, there are too many new connections, then the Security Gateway blocks all remaining packets for the remainder of that 1-second interval.
      At the start of the next 1-second interval, the counters are reset, and the process starts over - the Security Gateway allows packets to pass again up to the point where the rule's limit is violated.
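The per-second window described in the Explanation above is easy to misread when sizing a new-conn-rate limit, because one excess connection attempt also drops the packets of established connections for the rest of that second. The following model is an added Python example, not Check Point code and not the gateway's implementation; it reproduces only the behaviour the manual states. The (timestamp, is_new_connection) event pairs and the sample traffic are constructed for the illustration.

```python
"""Model of the per-second new-conn-rate enforcement described above.

Added example, not Check Point code: it reproduces only the behaviour the
manual states (per-second window, all matching packets dropped once the limit
is violated, counters reset at the next second). Events are constructed as
(timestamp_in_seconds, is_new_connection) pairs; this is an assumption of the
model, not a gateway data format.
"""


class NewConnRateLimiter:
    """Enforces 'new-conn-rate <limit>' the way the manual explains it."""

    def __init__(self, limit: int):
        self.limit = limit        # allowed new connections per 1-second interval
        self._window = None       # integer second currently being counted
        self._new_conns = 0       # new connections seen in this window
        self._violated = False    # once True, everything else this second is dropped

    def allow(self, ts: float, is_new_conn: bool) -> bool:
        window = int(ts)
        if window != self._window:
            # Start of a new 1-second interval: counters are reset, packets pass again
            self._window, self._new_conns, self._violated = window, 0, False
        if self._violated:
            # Limit already exceeded in this interval: drop every matching packet,
            # including packets that belong to existing connections
            return False
        if is_new_conn:
            self._new_conns += 1
            if self._new_conns > self.limit:
                self._violated = True
                return False
        return True


def simulate(limit: int, events):
    """Per-packet verdicts (True = passed) for (ts, is_new_conn) events in time order."""
    limiter = NewConnRateLimiter(limit)
    return [limiter.allow(ts, is_new) for ts, is_new in events]


# Constructed sample traffic (not captured data): seven connection attempts and
# two existing-connection packets inside second 0, then traffic in second 1.
SAMPLE_EVENTS = [
    (0.10, True), (0.20, True), (0.30, True), (0.40, True), (0.50, True),
    (0.60, True),                  # sixth new connection: violates new-conn-rate 5
    (0.65, False),                 # existing connection, still inside the violated second
    (0.70, True), (0.90, False),
    (1.00, False), (1.20, True),   # next interval: counters reset, traffic flows again
]

if __name__ == "__main__":
    for (ts, is_new), passed in zip(SAMPLE_EVENTS, simulate(5, SAMPLE_EVENTS)):
        kind = "new conn" if is_new else "existing"
        print(f"t={ts:.2f}s {kind:9s} {'pass' if passed else 'drop'}")
```

Running the model with new-conn-rate 5 shows the sixth attempt at 0.60 s and every later packet in that second dropped, including the existing-connection packets at 0.65 s and 0.90 s, while the same events pass untouched under a limit of 10. This is the reason the page pairs rate limits with a timeout and a log: a limit set too low penalizes legitimate sessions that share the matching source.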

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

-C
    Specifies that open connections should be closed.

-s <Source IP>
    Specifies the Source IP address.

-m <Source Mask>
    Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>
    Specifies the Destination IP address.

-M <Destination Mask>
    Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>
    Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>
    Specifies the protocol number (see IANA Protocol Numbers).

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

flush true
    Specifies to compile and load the quota rule to the SecureXL immediately.

[source-negated {true | false}] source <Source>
    Specifies the source type and its value:
    - any
      The rule is applied to packets sent from all sources.
    - range:<IP Address> or range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent from:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent from:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.

    Notes:
    - Default is: source-negated false
    - The source-negated true processes all source types, except the specified type.

[destination-negated {true | false}] destination <Destination>
    Specifies the destination type and its value:
    - any
      The rule is applied to packets sent to all destinations.
    - range:<IP Address> or range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent to:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent to:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.

    Notes:
    - Default is: destination-negated false
    - The destination-negated true processes all destination types, except the specified type.

[service-negated {true | false}] service <Protocol and Port numbers>
    Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):
    - <Protocol>
      IP protocol number in the range 1-255
    - <Protocol Start>-<Protocol End>
      Range of IP protocol numbers
    - <Protocol>/<Port>
      IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535
    - <Protocol>/<Port Start>-<Port End>
      IP protocol number and range of TCP/UDP port numbers from 1 to 65535

    Notes:
    - Default is: service-negated false
    - The service-negated true processes all traffic except the traffic with the specified protocols and ports.

[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
    Specifies quota limits and their values.
    Note - Separate multiple quota limits with spaces.
    - concurrent-conns <Value>
      Specifies the maximal number of concurrent active connections that match this rule.
    - concurrent-conns-ratio <Value>
      Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - pkt-rate <Value>
      Specifies the maximum number of packets per second that match this rule.
    - pkt-rate-ratio <Value>
      Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - byte-rate <Value>
      Specifies the maximal total number of bytes per second in packets that match this rule.
    - byte-rate-ratio <Value>
      Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - new-conn-rate <Value>
      Specifies the maximal number of connections per second that match the rule.
    - new-conn-rate-ratio <Value>
      Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

[track <Track>]
    Specifies the tracking option:
    - source
      Counts connections, packets, and bytes for a specific source IP address, and not cumulatively for this rule.
    - source-service
      Counts connections, packets, and bytes for a specific source IP address, and for a specific IP protocol and destination port, and not cumulatively for this rule.

Examples

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
- This rule drops packets for all connections (-a d) that exceed the quota set by this rule, including packets for existing connections.
- This rule logs packets (-l r) that exceed the quota set by this rule.
- This rule will expire in 3600 seconds (-t 3600).
- This rule limits the rate of creation of new connections to 5 connections per second (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
  Note - The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
- This rule will be compiled and loaded on the SecureXL immediately, together with the other rules in the Suspicious Activity Monitoring (SAM) policy database, because this rule includes the "flush true" parameter.

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from source IPv6 addresses ::FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:
- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l r parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536 = ~1% (concurrent-conns-ratio 655) for any traffic (service any) except (source-negated true) the connections from the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule counts connections, packets, and bytes per source that matches this rule (track source), and not cumulatively for this rule.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

fw sam_policy batch

Description
The 'fw sam_policy batch' and 'fw6 sam_policy batch' commands let you:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy batch' and 'fw samp batch'.
- You can run these commands in Gaia Clish or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all of the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure

1. Start the batch mode

   - For IPv4, run:

     fw sam_policy batch << EOF

   - For IPv6, run:

     fw6 sam_policy batch << EOF

2. Enter the applicable commands

   - Enter one "add" or "del" command on each line, on as many lines as necessary. Start each line with only the "add" or "del" parameter (not with "fw samp").
   - Use the same set of parameters and values as described in these commands:
     - fw sam_policy add
     - fw sam_policy del
   - Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

3. End the batch mode

   Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
[Expert@HostName]#
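Batch files are usually generated rather than typed, and the quoting rules for -n, -c and -o (double quotes, a backslash before every space and backslash, 128 characters) are where hand-written batches break. The following generator is an added Python example, not Check Point code: it produces the here-document shown above from structured rule specifications and rejects the combinations this page rules out (a Bypass rule with a log or a limit). Nothing is sent to a gateway; the caller pipes the returned text into the shell. The UID pattern UID_RE is an assumption inferred from the UID examples on this page, not a documented format.

```python
"""Build a 'fw samp batch' here-document from structured rule specifications.

Added example, not Check Point code. It applies the quoting rules stated on
this page (double quotes around -n/-c/-o strings, a backslash before every
space and backslash, 128-character limit) and refuses combinations the page
rules out (Bypass with a log or a limit). Nothing is sent to a gateway; the
caller pipes the returned text into the shell. UID_RE is an assumption drawn
from the UID examples on this page, not a documented format.
"""
import re

MAX_LABEL = 128   # documented limit; checked on the raw text (the page does not say whether escapes count)
LIMIT_NAMES = {
    "concurrent-conns", "concurrent-conns-ratio", "pkt-rate", "pkt-rate-ratio",
    "byte-rate", "byte-rate-ratio", "new-conn-rate", "new-conn-rate-ratio",
}
UID_RE = re.compile(r"^<[0-9a-f]{8}(?:,[0-9a-f]{8}){3}>$")   # assumed shape, see lead-in


def escape_label(text: str) -> str:
    """Quote a rule name, comment or originator the way fw samp expects."""
    if len(text) > MAX_LABEL:
        raise ValueError(f"label longer than {MAX_LABEL} characters")
    # Escape backslashes first so the ones inserted before spaces are not doubled
    escaped = text.replace("\\", "\\\\").replace(" ", "\\ ")
    return f'"{escaped}"'


def add_line(action: str, quota: dict, *, log: str = None, timeout: int = None,
             name: str = None, comment: str = None, originator: str = None,
             user_defined: bool = False) -> str:
    """One batch 'add' line for a Rate Limiting (quota) rule."""
    if action not in ("d", "n", "b"):
        raise ValueError("action must be d (drop), n (notify) or b (bypass)")
    if log is not None and log not in ("r", "a"):
        raise ValueError("log must be r (regular) or a (alert)")
    if action == "b" and (log is not None or LIMIT_NAMES & set(quota)):
        raise ValueError("Bypass rules cannot have a log or limit specification")
    parts = ["add"]
    if user_defined:
        parts.append("-u")
    parts += ["-a", action]
    if log is not None:
        parts += ["-l", log]
    if timeout is not None:
        parts += ["-t", str(int(timeout))]
    for flag, value in (("-n", name), ("-c", comment), ("-o", originator)):
        if value is not None:
            parts += [flag, escape_label(value)]
    parts.append("quota")
    for key, value in quota.items():        # filters and limits, in the caller's order
        parts += [key, str(value)]
    return " ".join(parts)


def del_line(uid: str) -> str:
    """One batch 'del' line; in batch mode the UID is given without quote marks."""
    if not UID_RE.match(uid):
        raise ValueError("UID must look like <xxxxxxxx,xxxxxxxx,xxxxxxxx,xxxxxxxx>")
    return f"del {uid}"


def batch_body(lines, ipv6: bool = False) -> str:
    """The complete here-document, as in the manual's batch example."""
    command = "fw6 samp batch" if ipv6 else "fw samp batch"
    return "\n".join([f"{command} <<EOF", *lines, "EOF"]) + "\n"


if __name__ == "__main__":
    # Reproduces the manual's IPv4 batch example from structured input
    print(batch_body([
        add_line("d", {"service": "any", "source": "range:172.16.7.13-172.16.7.13",
                       "new-conn-rate": 5},
                 log="r", timeout=3600,
                 comment="Limit conn rate to 5 conn/sec from these sources"),
        del_line("<501f6ef0,00000000,cb38a8c0,0a0afffe>"),
        add_line("b", {"source": "range:172.16.8.17-172.16.9.121", "service": "6/80"}),
    ]), end="")
```

The generator validates before anything reaches the gateway, so a malformed label or a Bypass rule carrying a limit fails in the script rather than half-way through a batch that has already applied its earlier lines.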

fw sam_policy del

Description
The 'fw sam_policy del' and 'fw6 sam_policy del' commands let you:
- Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
- Delete one configured Rate Limiting rule at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy del' and 'fw samp del'.
- You can run these commands in Gaia Clish or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'
    Specifies the UID of the rule you wish to delete.
    Important:
    - The quote marks and angle brackets ('<...>') are mandatory.
    - To see the Rule UID, run the "fw sam_policy get" command.

Procedure

1. List all the existing rules in the Suspicious Activity Monitoring policy database

   - For IPv4, run:

     fw sam_policy get

   - For IPv6, run:

     fw6 sam_policy get

   The rules show in this format:

   operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log=... name=... comment=... originator=... src_ip_addr=... req_tpe=...

   Example for IPv4:

   operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

2. Delete a rule from the list by its UID

   - For IPv4, run:

     fw [-d] sam_policy del '<Rule UID>'

   - For IPv6, run:

     fw6 [-d] sam_policy del '<Rule UID>'

   Example for IPv4:

   fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule

   - For IPv4, run:

     fw samp add -t 2 quota flush true

   - For IPv6, run:

     fw6 samp add -t 2 quota flush true

   Explanation:
   The fw samp del and fw6 samp del commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compile and load a policy. To force the rule deletion immediately, you must enter a flush-only add rule right after the fw samp del or fw6 samp del command. This flush-only add rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

   Best Practice - Specify a short timeout period for the flush-only rules. This prevents accumulation of obsolete rules in the database.

fw sam_policy get

Description
The 'fw sam_policy get' and 'fw6 sam_policy get' commands let you:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- You can run these commands interchangeably: 'fw sam_policy get' and 'fw samp get'.
- You can run these commands in Gaia Clish or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l
    Controls how to print the rules:
    - In the default format (without "-l"), the output shows each rule on a separate line.
    - In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
    - See the "fw sam_policy add" command.

-u '<Rule UID>'
    Prints the rule specified by its Rule UID or its zero-based rule index.
    The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'
    Prints the rules with the specified predicate key.
    The quote marks are mandatory.

-t <Type>
    Prints the rules with the specified predicate type.
    For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}
    Prints the rules with the specified predicate values.
    The quote marks are mandatory.

-n
    Negates the condition specified by these predicate parameters:
    - -k
    - -t
    - +-v

Examples

Example 1 - Output in the default format

[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 2 - Output in the list format


[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID


[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log
name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1
req_tpe=ip

Example 4 - Printing rules that match the specified filters


[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#

CLI R80.40 Reference Guide      |      303


fwm
Description
Performs various management operations and shows various management information.

Notes:
- For debug instructions, see the description of the fwm process in sk97638.
- On a Multi-Domain Server, you must run these commands in the context of the
  applicable Domain Management Server.

Syntax

fwm [-d]
      dbload <options>
      exportcert <options>
      fetchfile <options>
      fingerprint <options>
      getpcap <options>
      ikecrypt <options>
      load [<options>]
      logexport <options>
      mds <options>
      printcert <options>
      sic_reset
      snmp_trap <options>
      unload [<options>]
      ver [<options>]
      verify <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

dbload <options>
    Downloads the user database and network objects information to the specified targets.
    See "fwm dbload" on page 307.

exportcert <options>
    Exports a SIC certificate of the specified object to a file.
    See "fwm exportcert" on page 309.

fetchfile <options>
    Fetches a specified OPSEC configuration file from the specified source computer.
    See "fwm fetchfile" on page 310.

fingerprint <options>
    Shows the Check Point fingerprint.
    See "fwm fingerprint" on page 311.

getpcap <options>
    Fetches the IPS packet capture data from the specified Security Gateway.
    See "fwm getpcap" on page 313.

ikecrypt <options>
    Encrypts a secret with a key.
    See "fwm ikecrypt" on page 315.

load <options>
    This command is obsolete for R80 and above.
    Use the "mgmt_cli" on page 358 command to load a policy to a managed Security Gateway.
    See "fwm load" on page 316.

logexport <options>
    Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.
    See "fwm logexport" on page 317.

mds <options>
    Shows information and performs various operations on a Multi-Domain Server.
    See "fwm mds" on page 322.

printcert <options>
    Shows a SIC certificate's details.
    See "fwm printcert" on page 324.

sic_reset
    Resets SIC on the Management Server.
    See "fwm sic_reset" on page 329.

snmp_trap <options>
    Sends an SNMP Trap to the specified host.
    See "fwm snmp_trap" on page 330.

unload <options>
    Unloads the policy from the specified managed Security Gateways.
    See "fwm unload" on page 333.

ver <options>
    Shows the Check Point version of the Management Server.
    See "fwm ver" on page 337.

verify <options>
    This command is obsolete for R80 and above.
    Use the "mgmt_cli" on page 358 command to verify a policy.
    See "fwm verify" on page 338.

fwm dbload
Description
Downloads the user database and network objects information to the specified Security Gateways.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] dbload
      -a
      -c <Configuration File>
      <GW1> <GW2> ... <GWN>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-a
    Executes commands on all targets specified in the default system configuration file
    $FWDIR/conf/sys.conf.
    Note - You must manually create this file.

-c <Configuration File>
    Specifies the OPSEC configuration file to use.
    Note - You must manually create this file.

<GW1> <GW2> ... <GWN>
    Executes commands on the specified Security Gateways.
    Notes:
    - Enter the main IP address or Name of the Security Gateway object as configured in SmartConsole.
    - If you do not explicitly specify the Security Gateway, the database is downloaded to localhost.

fwm exportcert
Description
Exports a SIC certificate of the specified managed object to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file <Output File> [-withroot] [-pem]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-obj <Name of Object>
    Specifies the name of the managed object whose certificate you wish to export.

-cert <Name of CA>
    Specifies the name of the Certificate Authority whose certificate you wish to export.

-file <Output File>
    Specifies the name of the output file.

-withroot
    Exports the root (CA) certificate in addition to the object's certificate.

-pem
    Saves the exported information in a text (PEM) file.
    Default is to save in a binary file.

fwm fetchfile
Description
Fetches a specified OPSEC configuration file from the specified source computer.
This command supports only the fwopsec.conf or fwopsec.v4x files.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

-r <File>
    Specifies the file path relative to the fw1 directory.
    This command supports only these files:
    - conf/fwopsec.conf
    - conf/fwopsec.v4x

-d <Local Path>
    Specifies the local directory in which to save the fetched file.

<Source>
    Specifies the managed remote source computer from which to fetch the file.
    Note - The local and the remote source computers must have established SIC trust.

Example

[Expert@MGMT:0]# fwm fetchfile -r "conf/fwopsec.conf" -d /tmp 192.168.3.52
Fetching conf/fwopsec.conf from 192.168.3.52...
Done
[Expert@MGMT:0]#

fwm fingerprint
Description
Shows the Check Point fingerprint.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fingerprint [-d]
      <IP address of Target> <SSL Port>
      localhost <SSL Port>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.
    The debug options are:
    - fwm -d
      Runs the complete debug of all fwm actions.
      For complete debug instructions, see the description of the fwm process in sk97638.
    - fingerprint -d
      Runs the debug only for the fingerprint actions.

<IP address of Target>
    Specifies the IP address of a remote managed computer.

<SSL Port>
    Specifies the SSL port number.
    The default is 443.

Example 1 - Showing the fingerprint on the local Management Server

[Expert@MGMT:0]# fwm fingerprint localhost 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

Example 2 - Showing the fingerprint from a managed Security Gateway

[Expert@MGMT:0]# fwm fingerprint 192.168.3.52 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.52,L=Locality Name (eg\, city)
#FINGER 5C:8E:4D:B9:B4:3A:58:F3:79:18:F1:70:99:8B:5F:2B
##
[Expert@MGMT:0]#

fwm getpcap
Description
Fetches the IPS packet capture data from the specified Security Gateway.
This command only works with IPS packet captures stored on the Security Gateway in the
$FWDIR/log/captures_repository/ directory.
This command does not work with other Software Blades, such as Anti-Bot and Anti-Virus that store packet
captures in the $FWDIR/log/blob/ directory on the Security Gateway.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p <Local Path>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-g <Security Gateway>
    Specifies the main IP address or Name of the Security Gateway object as configured in SmartConsole.

-u '{<Capture UID>}'
    Specifies the Unique ID of the packet capture file.
    To see the Unique ID of the packet capture file, open the applicable log file in
    SmartConsole > Logs & Monitor > Logs.

-p <Local Path>
    Specifies the local path in which to save the packet capture file.
    If you do not specify the local directory explicitly, the command saves the packet capture file
    in the current working directory.

Example

[Expert@MGMT:0]# fwm getpcap -g 192.168.162.1 -u '{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}' -p /var/log/
[Expert@MGMT:0]#

fwm ikecrypt
Description
Encrypts the password of an Endpoint VPN Client user using IKE. The resulting string must then be stored
in the LDAP database.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ikecrypt <Key> <Password>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<Key>
    Specifies the IKE Key as defined in the LDAP Account Unit properties window, on the Encryption tab.

<Password>
    Specifies the password for the Endpoint VPN Client user.

Example

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword
OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#

fwm load
Description
Loads a policy on a managed Security Gateway.

Important - This command is obsolete for R80 and above. Use the "mgmt_cli" on
page 358 command to load a policy on a managed Security Gateway.

fwm logexport
Description
Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an
ASCII file.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm logexport -h

fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>] [-i <Input File>]
      [-o <Output File>] [{-f | -e}] [-x <Start Entry Number>] [-y <End Entry Number>]
      [-z] [-n] [-p] [-a] [-u <Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

-h
    Shows the built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-d <Delimiter> | -s
    Specifies the output delimiter between fields of log entries:
    - -d <Delimiter> - Uses the specified delimiter.
    - -s - Uses the ASCII character #255 (non-breaking space) as the delimiter.
    Note - If you do not specify the delimiter explicitly, the default is a semicolon (;).

-t <Table Delimiter>
    Specifies the output delimiter inside a table field.
    A table field looks like: ROWx:COL0,ROWx:COL1,ROWx:COL2, and so on.
    Note - If you do not specify the table delimiter explicitly, the default is a comma (,).

-i <Input File>
    Specifies the name of the input log file.
    Notes:
    - This command supports only a Security log file ($FWDIR/log/*.log) or an Audit log file
      ($FWDIR/log/*.adtlog).
    - If you do not specify the input log file explicitly, the command processes the active
      Security log file $FWDIR/log/fw.log.

-o <Output File>
    Specifies the name of the output file.
    Note - If you do not specify the output file explicitly, the command prints its output on the screen.

-f
    After reaching the end of the currently opened log file, continues to monitor the log file
    indefinitely and exports the new entries as well.
    Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-e
    After reaching the end of the currently opened log file, continues to monitor the log file
    indefinitely and exports the new entries as well.
    Notes:
    - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.
    - "-f" and "-e" are mutually exclusive.

-x <Start Entry Number>
    Starts exporting from the specified log entry number onward, counting from the beginning of the log file.

-y <End Entry Number>
    Stops exporting at the specified log entry number, counting from the beginning of the log file.

-z
    In case of an error (for example, a wrong field value), continues the export of log entries.
    The default behavior is to stop.

-n
    Specifies not to perform DNS resolution of the IP addresses in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-p
    Specifies not to perform resolution of the port numbers in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-a
    Exports only Account log entries.

-u <Unification Scheme File>
    Specifies the path and name of the log unification scheme file.
    The default log unification scheme file is $FWDIR/conf/log_unification_scheme.C.

-m {initial | semi | raw}
    Specifies the log unification mode:
    - initial - Complete unification of log entries. The command exports one unified log entry
      for each ID. This is the default.
      If you also specify the "-f" parameter, then the output does not export any updates, but
      exports only entries that relate to the start of new connections. To export updates as
      well, use the "semi" parameter.
    - semi - Step-by-step unification of log entries. For each log entry, exports an entry that
      unifies this entry with all previously encountered entries with the same ID.
    - raw - No log unification. Exports all log entries.

The output of the fwm logexport command appears in tabular format.

The first row lists the names of all log fields included in the log entries.
Each of the next rows consists of a single log entry, whose fields are sorted in the same order as the first row.
If a log entry has no information in a specific field, this field remains empty (as indicated by two successive
semicolons ";;").

You can control which log fields appear in the output of the command:

1. Create the $FWDIR/conf/logexport.ini file:

   [Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini

2. Edit the $FWDIR/conf/logexport.ini file:

   [Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

3. To include or exclude log fields from the output, add these lines to the configuration file:

   [Fields_Info]
   included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
   excluded_fields = field10,field11

   Where:
   - You can specify only the included_fields parameter, only the excluded_fields parameter, or both.
   - The num field must always appear first. You cannot manipulate this field.
   - The <REST_OF_FIELDS> is an optional reserved token that refers to a list of fields.
     - If you specify the "-f" parameter, then the <REST_OF_FIELDS> is based on a list of fields
       from the $FWDIR/conf/logexport_default.C file.
     - If you do not specify the "-f" parameter, then the <REST_OF_FIELDS> is based on the input log file.

4. Save the changes in the file and exit the Vi editor.

5. Export the logs:

   fwm logexport <options>
Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file has been switched to: MyLog.log;Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#
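The export is a flat, delimiter-separated table whose column order depends on the input log file and on logexport.ini, so any script that post-processes it should resolve columns by the names in the header row rather than by position. The shell functions below are an added example and are not part of the Check Point guide or product: they build a name-to-index map from the header with awk and then select, look up and tally records by field name. They run on a constructed excerpt of the output shown above (a reduced set of columns, each record on one line); the SAMPLE_EXPORT variable, the export_source wrapper and the function names are this example's own choices. To use it on a real export, point export_source at the file written by fwm logexport -o.

```shell
#!/bin/bash
# Added example (not Check Point code): post-process "fwm logexport" output by field
# name. The header row names every column, so a name -> index map is built from it
# instead of hard-coding positions, which change with logexport.ini or the input file.

# Constructed excerpt modelled on the guide's example output: one record per line,
# default ';' delimiter, a reduced set of columns, empty fields shown as ';;'.
SAMPLE_EXPORT='num;date;time;orig;type;action;product;description;status;reason
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;VPN-1 & FireWall-1;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;FG;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;Security Gateway/Management;Contracts;Started;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;Security Gateway/Management;Contracts;Failed;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.'

# export_source: where the records come from. Replace the printf with
#   cat /path/to/file-written-by-fwm-logexport-o
# to run the same functions against a real export.
export_source() {
  printf '%s\n' "$SAMPLE_EXPORT"
}

# select_by_field FIELD VALUE: print the "num" of every record whose FIELD equals VALUE.
# Returns 2 if FIELD is not in the header (a typo, or a field excluded in logexport.ini).
select_by_field() {
  export_source | awk -F';' -v want_field="$1" -v want_value="$2" '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i      # header name -> column index
      if (!(want_field in col)) exit 2
      num_idx = col["num"]; val_idx = col[want_field]
      next
    }
    $val_idx == want_value { print $num_idx }
  '
}

# field_of NUM FIELD: print the value of FIELD for the record numbered NUM.
field_of() {
  export_source | awk -F';' -v want_num="$1" -v want_field="$2" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; nidx = col["num"]; next }
    $nidx == want_num { idx = col[want_field]; print $idx; exit }
  '
}

# count_by_type: tally records per log "type" (control, account, ...), sorted by name.
count_by_type() {
  export_source | awk -F';' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    { idx = col["type"]; n[$idx]++ }
    END { for (t in n) printf "%s=%d\n", t, n[t] }
  ' | sort
}

# Typical triage pass: which records report a failure, and why.
for num in $(select_by_field status Failed); do
  echo "record $num: $(field_of "$num" description) -> $(field_of "$num" reason)"
done
```

Because the map is rebuilt from the header on every call, the same functions work unchanged whether the export was produced with the default field list or with an included_fields/excluded_fields selection, and a request for a field that is not present fails loudly instead of silently reading the wrong column.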

fwm mds
Description
- Shows the Check Point version of the Multi-Domain Server.
- Rebuilds the status tree for Global VPN Communities.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS:

  mdsenv

- In the context of a Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] mds
      ver
      rebuild_global_communities_status {all | missing}

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

ver
    Shows the Check Point version of the Multi-Domain Server.

rebuild_global_communities_status {all | missing}
    Rebuilds the status tree for Global VPN Communities:
    - all - Rebuilds the status tree for all Global VPN Communities.
    - missing - Rebuilds the status tree only for Global VPN Communities that do not have status trees.

Example

[Expert@MDS:0]# fwm mds ver
This is Check Point Multi-Domain Security Management R80.40 - Build 11
[Expert@MDS:0]#

fwm printcert
Description
Shows a SIC certificate's details.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] printcert
      -obj <Name of Object> [-cert <Certificate Nick Name>] [-verbose]
      -ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
      -f <Name of Binary Certificate File> [-verbose]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-obj <Name of Object>
    Specifies the name of the managed object for which to show the SIC certificate information.

-cert <Certificate Nick Name>
    Specifies the certificate nick name.

-ca <CA Name>
    Specifies the name of the Certificate Authority.
    Note - The Check Point CA Name is internal_ca.

-x509 <Name of File>
    Specifies the name of the X.509 file.

-p
    Specifies to show the SIC certificate as a text file.

-f <Name of Binary Certificate File>
    Specifies the binary SIC certificate file to show.

-verbose
    Shows the information in verbose mode.

Examples

Example 1 - Showing the SIC certificate of a Management Server

[Expert@MGMT:0]# fwm printcert -ca internal_ca
Subject: O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Apr 8 13:41:00 2018 Local Time
Not Valid After: Fri Jan 1 05:14:07 2038 Local Time
Serial No.: 1
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint:
is CA
MD5 Fingerprint:
7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM
[Expert@MGMT:0]#

Example 2 - Showing the SIC certificate of a Management Server in verbose mode

[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: called
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: closing existing database
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] do_links_getver: strncmp failed. Returning -2
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] db_fetchkey: entering
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] PubKey:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Modulus:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45 f1 00 04 bc
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be db 75 cc c8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c2 6d ff 3e aa fe f1 2b c3 0a b0 a2 a5 e0 a8 ab 45 cd 87 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ac c6 9f a4 a9 ba 30 79 08 fa 59 4c d2 dc 3d 36 ca 17 d7 c1
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] b2 a2 41 f5 89 0f 00 d4 2d f2 55 d2 30 a5 32 c7 46 7a 6b 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 29 0f 53 9f 35 42 91 e5 7d f7 30 6d bc b3 f2 ae f3 f0 ed 88
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c4 d7 7d 0c 2d f6 5f c8 ed 9f 9a 57 54 79 d0 0f 0b 2f 9c 0d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 94 2e f0 f4 66 62 f7 ae 2e f8 8e 90 08 ba 63 85 b6 46 2f b7
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a7 01 29 9a 14 58 a8 ef eb 07 17 4e 95 8b 2f 48 5f d3 18 10
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 00 d5 03 d7 fd 45 45 ca 67 5b 34 be b8 00 ae ea 9a cd 50
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] d6 e7 a2 81 86 78 11 d7 bf 04 9f 8b 43 3f f7 36 5f ed 31 a8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50 01 0f 86 9d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Exponent: 65537 (0x10001)
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52]
X509 Certificate Version 3
refCount: 1
Serial Number: 1
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MGMT:0]#

Example 3 - Showing the SIC certificate of a managed Cluster object

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.3.244
CRL distribution points:
http://192.168.3.240:18264/ICA_CRL2.crl
CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
[Expert@MGMT:0]#

Example 4 - Showing the SIC certificate of a managed Cluster object in verbose mode

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: called
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: closing existing database
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] do_links_getver: strncmp failed. Returning -2

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 1 certificates
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] PubKey:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Modulus:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] df 35 c3 45 ca 42 16 6e 21 9e 31 af c1 fd 20 0a 3d 5b 6f 5d
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] e0 a2 0c 0e fa fa 5e e5 91 9d 4e 73 77 fa db 86 0b 5e 5d 0c
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] ce af 4a a4 7b 30 ed b0 43 7d d8 93 c5 4b 01 f4 3d b5 d8 f4
... ... ...
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 34 b1 db ac 18 4f 11 bd d2 fb 26 7d 23 74 5c d9 00 a1 58 1e
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 60 7c 83 44 fa 1e 1e 86 fa ad 98 f7 df 24 4a 21
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Exponent: 65537 (0x10001)
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45]
X509 Certificate Version 3
refCount: 1
Serial Number: 85021
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Jun 3 19:58:19 2018 Local Time
Not valid after: Sat Jun 3 19:58:19 2023 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Subject Alternate names:
IP: 192.168.3.244
Basic Constraint:
not CA
CRL distribution Points:
URI: http://192.168.3.240:18264/ICA_CRL2.crl
DN: CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager: called.
*****
[Expert@MGMT:0]#
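The fingerprints printed by fwm fingerprint (see the examples on page 311) and by fwm printcert above are what an administrator compares against an out-of-band copy before trusting a Management Server, for example on the first SmartConsole connection. The shell functions below are an added example and are not part of the Check Point guide or product: they extract a fingerprint from either output format and compare it against a pinned value, failing with a distinct exit code on mismatch and on "no fingerprint found". The sample outputs are copied from the examples above; the function names, the PINNED_MD5 variable and the assumption that the #FINGER line carries the MD5 fingerprint (it is 16 bytes long in the examples) are this example's own.

```shell
#!/bin/bash
# Added example (not Check Point code): pin the Management Server's certificate
# fingerprint and check "fwm fingerprint" / "fwm printcert" output against it.

# Constructed samples copied from the guide's example output.
FINGERPRINT_OUTPUT='#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##'

PRINTCERT_OUTPUT='Subject: O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Serial No.: 1
MD5 Fingerprint:
7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM'

# extract_fingerprint [LABEL]: read command output on stdin and print the first
# matching fingerprint, upper-cased. LABEL is MD5 (default) or SHA-1. Handles the
# "#FINGER xx:xx:..." line of "fwm fingerprint" (16 bytes, assumed to be MD5, so it
# is only used when LABEL is MD5) and the "<LABEL> Fingerprint(s):" blocks of
# "fwm printcert", where the value is on the line after the label.
extract_fingerprint() {
  awk -v label="$(printf '%s' "${1:-MD5}" | tr 'A-Z' 'a-z')" '
    /^#FINGER / && label == "md5" { print toupper($2); exit }
    tolower($0) ~ "^" label " fingerprints?:" { grab = 1; next }
    grab && match($0, /[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+/) {
      print toupper(substr($0, RSTART, RLENGTH)); exit
    }
  '
}

# verify_fingerprint PINNED [LABEL]: 0 if the fingerprint on stdin equals PINNED
# (case-insensitive), 1 on mismatch, 2 if no fingerprint of that kind was found.
verify_fingerprint() {
  local pinned got label
  pinned=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  label="${2:-MD5}"
  got=$(extract_fingerprint "$label")
  if [ -z "$got" ]; then
    echo "no $label fingerprint found in input" >&2
    return 2
  fi
  if [ "$got" != "$pinned" ]; then
    echo "$label FINGERPRINT MISMATCH: pinned $pinned, server presented $got" >&2
    return 1
  fi
  echo "$label fingerprint OK: $got"
}

# The pinned value would normally come from a file distributed out of band; this is
# the guide's sample value. Against a live server the check is:
#   fwm fingerprint localhost 443 | verify_fingerprint "$PINNED_MD5"
PINNED_MD5='11:a6:f7:1f:b9:f5:15:bc:f9:7b:5f:dc:28:fc:33:c5'
printf '%s\n' "$FINGERPRINT_OUTPUT" | verify_fingerprint "$PINNED_MD5"
printf '%s\n' "$PRINTCERT_OUTPUT" | verify_fingerprint '7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06'
printf '%s\n' "$PRINTCERT_OUTPUT" | verify_fingerprint 'A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73' SHA-1
```

Prefer pinning the SHA-1 value from fwm printcert where both are available; the MD5 fingerprint is what fwm fingerprint prints, but MD5 is no longer collision resistant, so a SHA-1 comparison of the same certificate is the stronger check. Distinguishing "mismatch" (exit 1) from "nothing to compare" (exit 2) matters in automation: a parser that silently returns success when the expected line is absent would let an unverified server through.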

fwm sic_reset
Description
Resets SIC on the Management Server.
For detailed procedure, see sk65764: How to reset SIC.

Warning:
- Before you run this command, take a Gaia Snapshot and a full backup of the Management Server.
  This command resets SIC between the Management Server and all its managed objects.
- This operation breaks trust in all Internal CA certificates and SIC trust across the managed
  environment. Therefore, we do not recommend it at all, except for real disaster recovery.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] sic_reset

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

fwm snmp_trap
Description
Sends an SNMPv1 Trap to the specified host.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- On a Multi-Domain Server, the SNMP Trap packet is sent from the IP address of the Leading Interface.

Syntax

fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s <Specific Trap Number>] [-p <Source Port>] [-c <SNMP Community>] <Target> ["<Message>"]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-v <SNMP OID>
    Specifies an optional SNMP OID to bind with the message.

-g <Generic Trap Number>
    Specifies the generic trap number. One of these values:
    - 0 - For coldStart trap
    - 1 - For warmStart trap
    - 2 - For linkDown trap
    - 3 - For linkUp trap
    - 4 - For authenticationFailure trap
    - 5 - For egpNeighborLoss trap
    - 6 - For enterpriseSpecific trap (this is the default value)

-s <Specific Trap Number>
    Specifies the unique trap type.
    Valid only if the generic trap value is 6 (for enterpriseSpecific).
    Default value is 0.

-p <Source Port>
    Specifies the source port, from which to send the SNMP Trap packets.

-c <SNMP Community>
    Specifies the SNMP community.

<Target>
    Specifies the managed target host, to which to send the SNMP Trap packets.
    Enter an IP address or a resolvable hostname.

"<Message>"
    Specifies the SNMP Trap text message.

Example - Sending an SNMP Trap from a Management Server and capturing the traffic on the Security
Gateway

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public 192.168.3.52 "My Trap Message"


[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host 192.168.3.51


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:49:43.891287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 103)
192.168.3.51.53450 > MyGW_192.168.3.52.snmptrap: [udp sum ok] { SNMPv1 { Trap(58) E:2620.1.1 192.168.3.240
linkDown 1486440 E:2620.1.1.11.0="My Trap Message" } }
Pressed CTRL+C

[Expert@MyGW_192.168.3.52:0]#
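The tcpdump line above shows every field of the SNMPv1 trap that fwm snmp_trap puts on the wire: version, community, enterprise OID, agent address, generic and specific trap numbers, uptime and the message varbind. The following encoder/decoder is an added example, not code from this guide or from Check Point. It builds that trap with BER encoding (RFC 1157 Trap-PDU) and parses it back, rejecting input whose structure is not an SNMPv1 trap, which is the check a trap receiver should make before trusting the text. The community, enterprise OID, agent address, uptime and message are taken from the capture above; the byte layout is constructed from the RFC and is not claimed to match the captured packet byte for byte.

```python
"""SNMPv1 Trap-PDU (RFC 1157) BER encoder and decoder: an added example, not part of the
guide or of fwm. The field values in example_trap() come from the guide's capture; the byte
layout is built here from the RFC and is a constructed sample."""

# BER tags: INTEGER, OCTET STRING, OBJECT IDENTIFIER, SEQUENCE, IpAddress, TimeTicks, Trap-PDU
TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ, TAG_IPADDR, TAG_TICKS, TAG_TRAP = 0x02, 0x04, 0x06, 0x30, 0x40, 0x43, 0xA4
# generic-trap values in the order fwm snmp_trap -g numbers them (0..6)
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

def tlv(tag, content):
    """Tag-Length-Value with definite-length BER length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content

def encode_int(value, tag=TAG_INT):
    """Minimal two's-complement INTEGER; TimeTicks reuse it with tag 0x43."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def encode_oid(oid):
    """Dotted OID -> OBJECT IDENTIFIER TLV (first two arcs merged, base-128 sub-identifiers)."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, content, position after the TLV); refuse truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + n], pos + n

def encode_v1_trap(community, enterprise, agent_addr, generic, specific, uptime, varbinds):
    """Complete SNMPv1 message carrying a Trap-PDU; varbinds is a list of (oid, text)."""
    vbs = b"".join(tlv(TAG_SEQ, encode_oid(oid) + tlv(TAG_OCTETS, text.encode()))
                   for oid, text in varbinds)
    pdu = (encode_oid(enterprise)
           + tlv(TAG_IPADDR, bytes(int(o) for o in agent_addr.split(".")))
           + encode_int(generic) + encode_int(specific)
           + encode_int(uptime, TAG_TICKS) + tlv(TAG_SEQ, vbs))
    return tlv(TAG_SEQ, encode_int(0)                 # version 0 is SNMPv1
               + tlv(TAG_OCTETS, community.encode()) + tlv(TAG_TRAP, pdu))

def decode_v1_trap(packet):
    """Parse an SNMPv1 trap into a dict; ValueError for anything that is not one."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != TAG_INT or int.from_bytes(ver, "big", signed=True) != 0:
        raise ValueError("not SNMPv1")
    ctag, community, pos = read_tlv(msg, pos)
    ptag, pdu, _ = read_tlv(msg, pos)
    if ctag != TAG_OCTETS or ptag != TAG_TRAP:
        raise ValueError("not a Trap-PDU")
    fields, pos = [], 0
    for expected in (TAG_OID, TAG_IPADDR, TAG_INT, TAG_INT, TAG_TICKS, TAG_SEQ):
        tag, content, pos = read_tlv(pdu, pos)
        if tag != expected:
            raise ValueError("unexpected tag 0x%02x in Trap-PDU" % tag)
        fields.append(content)
    ent, addr, gen, spec, ticks, vbs = fields
    varbinds, p = [], 0
    while p < len(vbs):                               # SEQUENCE OF VarBind
        _, vb, p = read_tlv(vbs, p)
        _, oid, q = read_tlv(vb, 0)
        _, val, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid), val.decode("utf-8", "replace")))
    generic = int.from_bytes(gen, "big", signed=True)
    return {"community": community.decode("utf-8", "replace"), "enterprise": decode_oid(ent),
            "agent_addr": ".".join(str(b) for b in addr), "generic": generic,
            "generic_name": GENERIC_TRAPS[generic] if 0 <= generic < 7 else "unknown",
            "specific": int.from_bytes(spec, "big", signed=True),
            "uptime": int.from_bytes(ticks, "big"), "varbinds": varbinds}

def example_trap():
    """The trap of the capture above: fwm snmp_trap -g 2 -c public <target> "My Trap Message"."""
    return encode_v1_trap("public", "1.3.6.1.4.1.2620.1.1", "192.168.3.240", 2, 0, 1486440,
                          [("1.3.6.1.4.1.2620.1.1.11.0", "My Trap Message")])
```

Because SNMPv1 carries the community string in clear text and has no integrity protection, a receiver should treat the decoded message text as untrusted input; the decoder above only guarantees that the structure is a well-formed Trap-PDU.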

fwm unload
Description
Unloads the policy from the specified managed Security Gateways or Cluster Members.

Warning:
1. The fwm unload command prevents all traffic from passing through the
Security Gateway (Cluster Member), because it disables the IP Forwarding in
the Linux kernel on the specified Security Gateway (Cluster Member).
2. The fwm unload command removes all policies from the specified Security
Gateway (Cluster Member).
This means that the Security Gateway (Cluster Member) accepts all incoming
connections destined to all active interfaces without any filtering or protection
enabled.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- If you need to remove the current policy, but keep the Security Gateway (Cluster Member) protected, then run the "comp_init_policy" on page 871 command on the Security Gateway (Cluster Member).
- To load the policies on the Security Gateway (Cluster Member), run one of these commands on the Security Gateway (Cluster Member), or reboot:
  - "fw fetch" on page 998
  - "cpstart" on page 911
- In addition, see the "fw unloadlocal" on page 1100 command.

Syntax

fwm [-d] unload <GW1> <GW2> ... <GWN>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<GW1> <GW2> ... <GWN>
    Specifies the managed Security Gateways by their main IP address or Object Name as configured in SmartConsole.

Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#
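The two pairs of outputs above (cpstat and sysctl before and after fwm unload) are exactly what a monitoring job on the gateway can read to detect the state the warning describes. The script below is an added example, not code from this guide or from Check Point: it parses both outputs and reports whether the gateway holds a policy and forwards traffic. The embedded sample outputs are trimmed from the outputs shown above; the status labels and the function names are this example's own.

```python
"""Detect the 'fwm unload' state from 'cpstat -f policy fw' and the forwarding sysctls.
Added example, not from the guide or from Check Point. Sample outputs are constructed
by trimming the before/after outputs shown in the guide."""
import re

CPSTAT_LOADED = """Product name: Firewall
Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
"""
CPSTAT_UNLOADED = """Product name: Firewall
Policy name:
Policy install time:
"""
SYSCTL_LOADED = """net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.all.forwarding = 1
"""
SYSCTL_UNLOADED = """net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 0
"""

_POLICY_RE = re.compile(r"^Policy name:[ \t]*(\S*)[ \t]*$", re.M)
# unicast forwarding only: mc_forwarding and net.bridge.* lines do not match
_FWD_RE = re.compile(r"^net\.(ipv4|ipv6)\.conf\.([^.\s]+)\.forwarding\s*=\s*([01])\s*$")

def parse_policy_name(cpstat_text):
    """Installed policy name from 'cpstat -f policy fw', or None when no policy is loaded."""
    m = _POLICY_RE.search(cpstat_text)
    return (m.group(1) or None) if m else None

def parse_forwarding(sysctl_text):
    """{(family, interface): 0 or 1} for every unicast forwarding sysctl line."""
    state = {}
    for line in sysctl_text.splitlines():
        m = _FWD_RE.match(line.strip())
        if m:
            state[(m.group(1), m.group(2))] = int(m.group(3))
    return state

def assess_gateway(cpstat_text, sysctl_text):
    """Combine both outputs into a verdict that a monitoring job can alert on."""
    policy = parse_policy_name(cpstat_text)
    fwd = parse_forwarding(sysctl_text)
    forwarding = any(fwd.values())
    if policy and forwarding:
        status, detail = "PROTECTED", "policy %r installed, IP forwarding enabled" % policy
    elif not policy and not forwarding:
        status = "UNLOADED"
        detail = ("no policy installed and IP forwarding disabled: the gateway forwards no "
                  "traffic and accepts connections to its own interfaces unfiltered; "
                  "restore with 'fw fetch' or 'cpstart' on the gateway")
    elif not policy:
        status, detail = "UNPROTECTED_FORWARDING", "IP forwarding enabled with no policy installed"
    else:
        status, detail = "POLICY_WITHOUT_FORWARDING", "policy %r installed but IP forwarding disabled" % policy
    return {"status": status, "policy": policy, "forwarding_enabled": forwarding,
            "interfaces": fwd, "detail": detail}

if __name__ == "__main__":
    for name, cp, sc in (("before unload", CPSTAT_LOADED, SYSCTL_LOADED),
                         ("after unload", CPSTAT_UNLOADED, SYSCTL_UNLOADED)):
        r = assess_gateway(cp, sc)
        print("%s: %s (%s)" % (name, r["status"], r["detail"]))
```

On a live gateway the two inputs would come from `cpstat -f policy fw` and `sysctl -a | grep forwarding | grep -v bridge`, as in the example above; a UNLOADED verdict is the condition to alert on, since the gateway stays in it until fw fetch, cpstart or a reboot.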

fwm ver
Description
Shows the Check Point version of the Security Management Server.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS:

  mdsenv

- In the context of a Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ver [-f <Output File>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-f <Output File>
    Specifies the name of the output file, in which to save this information.

Example

[Expert@MGMT:0]# fwm ver


This is Check Point Security Management Server R80.40 - Build 11
[Expert@MGMT:0]#

fwm verify

Important - This command is obsolete for R80 and above. Use the "mgmt_cli" on
page 358 command to verify a policy on a managed Security Gateway.

Description
Verifies the specified policy package without installing it.

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] verify <Policy Name>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<Policy Name>
    Specifies the name of the policy package as configured in SmartConsole.

Example

[Expert@MGMT:0]# fwm verify Standard


Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#

inet_alert
Description
Notifies an Internet Service Provider (ISP) when a company's corporate network is under attack. This
command forwards log messages generated by the alert daemon on your Check Point Security Gateway
to an external Management Station. This external Management Station is usually located at the ISP site.
The ISP can then analyze the alert and react accordingly.
This command uses the Event Logging API (ELA) protocol to send the alerts. The Management Station
receiving the alert must be running the ELA Proxy.
If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must be
performed between the external Management Station running the ELA Proxy at the ISP site and the Check
Point Security Gateway generating the alert.

Procedure

1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server, which manages the applicable Security Gateway that should forward log messages to an external Management Station.
2. From the top left Menu, click Global properties.
3. Click on the [+] near the Log and Alert and click Alerts.
4. Clear the Send user defined alert no. 1 to SmartView Monitor.
5. Select the next option Run UserDefined script under the above.
6. Enter the applicable inet_alert syntax (see the Syntax section below).
7. Click OK.
8. Install the Access Policy on the applicable Security Gateway.

Syntax

inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f <Token> <Value>] [-m <Alert Type>]

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Parameters

-s <IP Address>
    The IPv4 address of the ELA Proxy (usually located at the ISP site).

-o
    Prints the alert log received to stdout.
    Use this option when inet_alert is part of a pipe syntax (<some command> | inet_alert ...).

-a <Auth Type>
    Specifies the type of connection to the ELA Proxy. One of these values:
    - ssl_opsec - The connection is authenticated and encrypted (this is the default).
    - auth_opsec - The connection is authenticated.
    - clear - The connection is neither authenticated, nor encrypted.

-p <Port>
    Specifies the port number on the ELA proxy. Default port is 18187.

-f <Token> <Value>
    A field to be added to the log, represented by a <Token> <Value> pair as follows:
    - <Token> - The name of the field to be added to the log. Cannot contain spaces.
    - <Value> - The field's value. Cannot contain spaces.
    This option can be used multiple times to add multiple <Token> <Value> pairs to the log.

-m <Alert Type>
    The alert to be triggered at the ISP site.
    This alert overrides the alert specified in the log message generated by the alert daemon.
    The response to the alert is handled according to the actions specified in the ISP Security Policy:
    These alerts execute the OS commands:
    - alert - Popup alert command
    - mail - Mail alert command
    - snmptrap - SNMP trap alert command
    - spoofalert - Anti-Spoof alert command
    These NetQuota and ServerQuota alerts execute the OS commands specified in the $FWDIR/conf/objects.C file:
    value=clientquotaalert. Parameter=clientquotaalertcmd

Exit Status

0 - Execution was successful.
102 - Undetermined error.
103 - Unable to allocate memory.
104 - Unable to obtain log information from stdin.
106 - Invalid command line arguments.
107 - Failed to invoke the OPSEC API.

Example
inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies to perform these actions in the event of an attack:
- Establish a clear connection with the ELA Proxy located at IP address 10.0.2.4
- Send a log message to the specified ELA Proxy. Set the product field of this log message to cads
- Trigger the OS command specified in the SmartConsole > Menu > Global properties > Log and Alert > Popup Alert Command field.

ldapcmd
Description
This is an LDAP utility that controls these features:

Cache
    LDAP cache operations, such as emptying the cache, as well as providing debug information.

Statistics
    LDAP search statistics, such as:
    - All user searches
    - Pending lookups (when two or more lookups are identical)
    - Total lookup time (the total search time for a specific lookup)
    - Cache statistics such as hits and misses
    These statistics are saved in the $FWDIR/log/ldap_pid_<Process PID>.stats file.

Logging
    View the alert and warning logs.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcmd [-d <Debug Level>] -p {<Process Name> | all} <Command>

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-p {<Process Name> | all}
    Runs on a specified Check Point process, or all supported Check Point processes.

<Command>
    One of these commands:
    - cacheclear {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Clears cache for all objects
      - UserCacheObject - Clears cache for user objects
      - TemplateCacheObject - Clears cache for template objects
      - TemplateExtGrpCacheObject - Clears cache for external template group objects
    - cachetrace {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Traces cache for all objects
      - UserCacheObject - Traces cache for user objects
      - TemplateCacheObject - Traces cache for template objects
      - TemplateExtGrpCacheObject - Traces cache for external template group objects
    - log {on | off}
      - on - Creates LDAP logs
      - off - Does not create LDAP logs
    - stat {<Print Interval in Sec> | 0}
      - <Print Interval in Sec> - How frequently to collect the statistics
      - 0 - Stops collecting the statistics

ldapcompare
Description
This is an LDAP utility that performs compare queries and prints a message whether the result returned a
match or not.
This utility opens a connection to an LDAP directory server, binds, and performs the comparison specified
on the command line or from a specified file.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute> <Value> | <Attribute> <Base64 Value>}

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

<Options>
    See the tables below:
    - Compare options
    - Common options

<DN>
    Specifies the Distinguished Name.

<Attribute>
    Specifies the assertion attribute.

<Value>
    Specifies the assertion value.

<Base64 Value>
    Specifies the Base64 encoding of the assertion value.

Compare options

-E [!]<Extension>[=<Extension Parameter>]
    Specifies the compare extensions.
    Note - The exclamation sign "!" indicates criticality.
    For example: !dontUseCopy = Do not use Copy

-M
    Enables the Manage DSA IT control.
    Use the "-MM" option to make it critical.

-P <LDAP Protocol Version>
    Specifies the LDAP protocol version. Default version is 3.

-z
    Enables the quiet mode.
    The command does not print anything. You can use the command return values.

Common options

-D <Bind DN>
    Specifies the LDAP Server administrator Distinguished Name.

-e [!]<Extension>[=<Extension Parameter>]
    Specifies the general extensions:
    Note - The exclamation sign "!" indicates criticality.
    - [!]assert=<Filter>
      RFC 4528; an RFC 4515 filter string
    - [!]authzid=<Authorization ID>
      RFC 4370; either "dn:<DN>", or "u:<Username>"
    - [!]chaining[=<Resolve Behavior>[/<Continuation Behavior>]]
      One of these:
      - "chainingPreferred"
      - "chainingRequired"
      - "referralsPreferred"
      - "referralsRequired"
    - [!]manageDSAit
      RFC 3296
    - [!]noop
    - ppolicy
    - [!]postread[=<Attributes>]
      RFC 4527; a comma-separated list of attributes
    - [!]preread[=<Attributes>]
      RFC 4527; a comma-separated list of attributes
    - [!]relax
    - abandon
      SIGINT sends the abandon signal; if critical, does not wait for SIGINT. Not really controls.
    - cancel
      SIGINT sends the cancel signal; if critical, does not wait for SIGINT. Not really controls.
    - ignore
      SIGINT ignores the response; if critical, does not wait for SIGINT. Not really controls.

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.

-H <LDAP URI>
    Specifies the LDAP Server Uniform Resource Identifier(s).

-I
    Specifies to use the SASL Interactive mode.

-n
    Dry run - shows what would be done, but does not actually do it.

-N
    Specifies not to use the reverse DNS to canonicalize SASL host name.

-o <Option>[=<Option Parameter>]
    Specifies the general options:
    nettimeout={<Timeout in Sec> | none | max}

-O <Properties>
    Specifies the SASL security properties.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-Q
    Specifies to use the SASL Quiet mode.

-R <Realm>
    Specifies the SASL realm.

-U <Authentication Identity>
    Specifies the SASL authentication identity.

-v
    Runs in verbose mode (prints the diagnostics to stdout).

-V
    Prints version information (use the "-VV" option only).

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password (for simple authentication).

-W
    Specifies to prompt the user for the LDAP Server administrator password.

-x
    Specifies to use simple authentication.

-X <Authorization Identity>
    Specifies the SASL authorization identity (either "dn:<DN>", or "u:<Username>" option).

-y <File>
    Specifies to read the LDAP Server administrator password from the <File>.

-Y <SASL Mechanism>
    Specifies the SASL mechanism.

-Z
    Specifies to start the TLS request.
    Use the "-ZZ" option to require successful response.

ldapmemberconvert
Description
This is an LDAP utility that ports the "Member" attribute values in LDAP group entries to "MemberOf" attribute values in LDAP member (User or Template) entries.
This utility converts the LDAP server data to work in either the "MemberOf" mode, or the "Both" mode. The utility searches through all specified group/template entries that hold one or more "Member" attribute values and fetches those values.
Each value is the DN of a member entry. The DN of the group/template at hand is added to the "MemberOf" attribute values of the entry identified by that member DN. In addition, the utility deletes those "Member" attribute values from the group/template, unless you run the command in the "Both" mode.
When you run the command, it creates a log file ldapmemberconvert.log in the current working directory. The command logs all modifications done and errors encountered in that log file.

Important - Back up the LDAP server database before you run this conversion utility.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP Server Port> -D <LDAP Admin DN> -w <LDAP Admin Password> -m <Member Attribute Name> -o <MemberOf Attribute Name> -c <Member ObjectClass Value> [-B] [-f <File> | -g <Group DN>] [-L <LDAP Server Timeout>] [-M <Number of Updates>] [-S <Size>] [-T <LDAP Client Timeout>] [-Z]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-m <Member Attribute Name>
    Specifies the LDAP attribute name when fetching and (possibly) deleting a group Member attribute value.

-o <MemberOf Attribute Name>
    Specifies the LDAP attribute name for adding an LDAP "MemberOf" attribute value.

-c <Member ObjectClass Value>
    Specifies the LDAP "ObjectClass" attribute value that defines which type of member to modify.
    You can specify multiple attribute values with this syntax:

    -c <Member Object Class 1> -c <Member Object Class 2> ... -c <Member Object Class N>

-B
    Specifies to run in "Both" mode.

-f <File>
    Specifies the file that contains a list of Group DNs separated by a new line:

    <Group DN 1>
    <Group DN 2>
    ...
    <Group DN N>

    Length of each line is limited to 256 characters.

-g <Group DN>
    Specifies the Group or Template Distinguished Name, on which to perform the conversion.
    You can specify multiple Group DNs with this syntax:

    -g <Group DN 1> -g <Group DN 2> ... -g <Group DN N>

-L <LDAP Server Timeout>
    Specifies the Server side time limit for LDAP operations, in seconds.
    Default is "never".

-M <Number of Updates>
    Specifies the maximal number of simultaneous member LDAP updates.
    Default is 20.

-S <Size>
    Specifies the Server side size limit for LDAP operations, in number of entries.
    Default is "none".

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-Z
    Specifies to use SSL connection.

Notes
There are two "GroupMembership" modes. You must keep these modes consistent:
- template-to-groups
- user-to-groups
For example, if you apply conversion on LDAP users to include the "MemberOf" attributes for their groups, then this conversion has to be applied on LDAP defined templates for their groups.

Troubleshooting
Symptom:
A command fails with an error message stating the connection stopped unexpectedly when you run it with
the parameter -M <Number of Updates>.

Root Cause:
The LDAP server could not handle that many LDAP requests simultaneously and closed the connection.
Solution:
Run the command again with a lower value for the "-M" parameter. The default value should be adequate,
but can also cause a connection failure in extreme situations. Continue to reduce the value until the
command runs normally. Each time you run the command with the same set of groups, the command
continues from where it left off.

Examples

Example 1

A group is defined with the DN "cn=cpGroup,ou=groups,ou=cp,c=us" and these attributes:

...
cn=cpGroup
uniquemember="cn=member1,ou=people,ou=cp,c=us"
uniquemember="cn=member2,ou=people,ou=cp,c=us"
...

For the two member entries:

...
cn=member1
objectclass=fw1Person
...

and:

...
cn=member2
objectclass=fw1Person
...

Run:
[Expert@MGMT:0]# ldapmemberconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person

The result for the group DN is:

...
cn=cpGroup
...

The result for the two member entries is:

...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

and:

...
cn=member2
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

If you run the same command with the "-B" parameter, it produces the same result, but the group entry
is not modified.

Example 2

If there is another member attribute value for the same group entry:
uniquemember="cn=template1,ou=people,ou=cp,c=us"

and the template is:

cn=template1
objectclass=fw1Template

Then after running the same command, the template entry stays intact: the parameter "-c fw1Person" restricts the conversion to members whose object class is "fw1Person", and the object class of "template1" is "fw1Template".
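To make the conversion rules of Examples 1 and 2 checkable without an LDAP server, the following Python is an added example that is not Check Point's code: it applies the Member to MemberOf conversion described above to an in-memory copy of the entries from both examples. The DNs, attribute names and object classes are the guide's own; the function names, the dict-based directory layout and the assumption that a member value the tool does not convert (Example 2's template) is left in the group are this example's own.

```python
"""Model of the ldapmemberconvert Member -> MemberOf conversion.
Added example, not Check Point's code. The directory is a dict DN -> {attribute: [values]}
built from the guide's Examples 1 and 2 (constructed sample)."""

GROUP_DN = "cn=cpGroup,ou=groups,ou=cp,c=us"
MEMBER1 = "cn=member1,ou=people,ou=cp,c=us"
MEMBER2 = "cn=member2,ou=people,ou=cp,c=us"
TEMPLATE1 = "cn=template1,ou=people,ou=cp,c=us"

def sample_directory():
    """Entries of Example 1 plus the template member of Example 2."""
    return {
        GROUP_DN: {"cn": ["cpGroup"], "uniquemember": [MEMBER1, MEMBER2, TEMPLATE1]},
        MEMBER1: {"cn": ["member1"], "objectclass": ["fw1Person"]},
        MEMBER2: {"cn": ["member2"], "objectclass": ["fw1Person"]},
        TEMPLATE1: {"cn": ["template1"], "objectclass": ["fw1Template"]},
    }

def member_convert(directory, group_dns, member_attr, memberof_attr, member_classes, both_mode=False):
    """Apply the conversion in place and return the log lines the tool would write.

    group_dns      -> the -g / -f values
    member_attr    -> -m (for example uniquemember)
    memberof_attr  -> -o (for example memberof)
    member_classes -> the -c values; only members of these object classes are modified
    both_mode      -> -B: add MemberOf but keep the group's Member values
    Assumption (not stated by the guide): Member values that point at entries whose
    object class does not match -c are kept in the group even outside "Both" mode,
    so no membership information is lost for entries the tool did not convert.
    """
    log, wanted = [], set(member_classes)
    for gdn in group_dns:
        group = directory.get(gdn)
        if group is None:
            log.append("ERROR: group %s not found" % gdn)
            continue
        kept = []                      # Member values that stay on the group entry
        for mdn in group.get(member_attr, []):
            entry = directory.get(mdn)
            if entry is None:
                log.append("ERROR: member %s of %s not found" % (mdn, gdn))
                kept.append(mdn)
            elif not wanted & set(entry.get("objectclass", [])):
                log.append("SKIP: %s objectclass %s not in -c list" % (mdn, entry.get("objectclass")))
                kept.append(mdn)
            else:
                values = entry.setdefault(memberof_attr, [])
                if gdn not in values:  # idempotent: a re-run continues where it left off
                    values.append(gdn)
                log.append("MODIFY: %s add %s=%s" % (mdn, memberof_attr, gdn))
                if both_mode:
                    kept.append(mdn)
        if kept != group.get(member_attr, []):
            log.append("MODIFY: %s delete converted %s values" % (gdn, member_attr))
        if kept:
            group[member_attr] = kept
        else:
            group.pop(member_attr, None)
    return log

def run_example(both_mode=False):
    """The Example 1/2 command: -g cpGroup -m uniquemember -o memberof -c fw1Person [-B]."""
    directory = sample_directory()
    log = member_convert(directory, [GROUP_DN], "uniquemember", "memberof",
                         ["fw1Person"], both_mode=both_mode)
    return directory, log

if __name__ == "__main__":
    for mode in (False, True):
        directory, log = run_example(both_mode=mode)
        print("-B" if mode else "MemberOf mode", directory[GROUP_DN], sep="\n")
        print("\n".join(log))
```

Running it without -B leaves member1 and member2 with memberof set to the group DN and strips those two values from cpGroup; with -B the group entry keeps all its values, which matches the note at the end of Example 1. Running the conversion a second time adds no duplicate memberof values, which is the behaviour the Troubleshooting section relies on when it says a re-run continues from where it left off.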

ldapmodify
Description
This is an LDAP utility that imports users to an LDAP server. The input file must be in the LDIF format.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmodify [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Server Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-a] [-b] [-c] [-F] [-k] [-n] [-r] [-v] [-T <LDAP Client Timeout>] [-Z] [-f <Input File>.ldif | < <Entry>]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-a
    Specifies that this is the LDAP "add" operation.

-b
    Specifies to read values from files (for binary attributes).

-c
    Specifies to ignore errors during continuous operation.

-F
    Specifies to force changes on all records.

-k
    Specifies the Kerberos bind.

-K
    Specifies the Kerberos bind, part 1 only.

-n
    Specifies to print the LDAP "add" operations, but do not actually perform them.

-r
    Specifies to replace values, instead of adding values.

-v
    Specifies to run in verbose mode.

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-Z
    Specifies to use SSL connection.

-f <Input File>.ldif
    Specifies to read from the <Input File>.ldif file.
    The input file must be in the LDIF format.

< <Entry>
    Specifies to read the entry from the stdin.
    The "<" character is a mandatory part of the syntax.
    It specifies that the input comes from the standard input (from the data you enter on the screen).

ldapsearch
Description
This is an LDAP utility that queries an LDAP directory and returns the results.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapsearch [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-A] [-B] [-b <Base DN>] [-F <Separator>] [-l <LDAP Server Timeout>] [-s <Scope>] [-S <Sort Attribute>] [-t] [-T <LDAP Client Timeout>] [-u] [-z <Number of Search Entries>] [-Z] <Filter> [<Attributes>]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-A
    Specifies to retrieve attribute names only, without values.

-B
    Specifies not to suppress the printing of non-ASCII values.

-b <Base DN>
    Specifies the Base Distinguished Name (DN) for search.

-F <Separator>
    Specifies the print separator character between attribute names and their values.
    The default separator is the equal sign (=).

-l <LDAP Server Timeout>
    Specifies the Server side time limit for LDAP operations, in seconds.
    Default is "never".

-s <Scope>
    Specifies the search scope. One of these:
    - base
    - one
    - sub

-S <Sort Attribute>
    Specifies to sort the results by the values of this attribute.

-t
    Specifies to write values to files in the /tmp/ directory.
    Writes each <attribute>-<value> pair to a separate file named:
    /tmp/ldapsearch-<Attribute>-<Value>
    For example, for the fw1color attribute with the value a00188, the command writes to the file named:
    /tmp/ldapsearch-fw1color-a00188

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-u
    Specifies to show user-friendly entry names in the output.
    For example:
    shows cn=Babs Jensen, users, omi
    instead of cn=Babs Jensen, cn=users,cn=omi

-z <Number of Search Entries>
    Specifies the maximal number of entries to search on the LDAP Server.

-Z
    Specifies to use SSL connection.

<Filter>
    LDAP search filter compliant with RFC-1558.
    For example:
    objectclass=fw1host

<Attributes>
    Specifies the list of attributes to retrieve.
    If you do not specify attributes explicitly, then the command retrieves all attributes.

Example
[Expert@MGMT:0]# ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

With this syntax, the command:

1. Connects to the LDAP Server on port 18185.
2. Uses "cn=omi" as the Base DN for the search.
3. Queries the LDAP directory for "fw1host" objects (filter "objectclass=fw1host").
4. For each object found, prints the value of its "objectclass" attribute.
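The example above hard-codes its filter. When the value comes from somewhere else (a script argument, a ticket, a lookup of a user-supplied name), it must be escaped before it is placed in the filter; otherwise a value such as *)(objectclass=* widens the search (LDAP filter injection). The shell functions below are an added example, not part of the Check Point guide: they apply the RFC 4515 escaping rules (hex escapes for backslash, asterisk and parentheses; a NUL byte cannot occur in a shell argument) and hand the result to ldapsearch as one argument, never through eval. The -p, -b and -s options are the ones documented above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): build an ldapsearch filter
# from an untrusted value without LDAP filter injection.

# ldap_filter_escape <raw value>
# Prints the value with the RFC 4515 escapes applied: '\' -> \5c, '*' -> \2a,
# '(' -> \28, ')' -> \29. Backslash is handled first so that the escapes
# introduced by the later substitutions are not escaped again.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' \
                             -e 's/)/\\29/g'
}

# ldap_eq_filter <attribute> <raw value>
# Prints the equality filter "(<attribute>=<escaped value>)". The attribute
# name is a literal chosen by the caller, not user input.
ldap_eq_filter() {
    printf '(%s=%s)\n' "$1" "$(ldap_filter_escape "$2")"
}

# ldap_search_attr <port> <base DN> <attribute> <raw value> [attributes...]
# Runs the guide's ldapsearch as a subtree search under <base DN> for entries
# whose <attribute> equals <raw value>, printing only the listed attributes.
# The filter is passed as a single argv word: no eval, no word splitting.
ldap_search_attr() {
    port=$1; base=$2; attr=$3; raw=$4; shift 4
    ldapsearch -p "$port" -b "$base" -s sub \
        "$(ldap_eq_filter "$attr" "$raw")" "$@"
}

# Illustrative call (needs a Check Point host with ldapsearch); equivalent to
# the guide's example, with the filter built by ldap_eq_filter:
#   ldap_search_attr 18185 cn=omi objectclass fw1host objectclass
```

The injection string in the test below becomes (objectclass=\2a\29\28objectclass=\2a), which matches nothing instead of everything.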


mgmt_cli
Description
The mgmt_cli tool lets you work directly with the management database on your Management Server.

Syntax on Management Server or Security Gateway running on Gaia OS

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 32-bit


Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 64-bit


Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Notes
- For a complete list of the mgmt_cli options, enter the mgmt_cli (mgmt_cli.exe) command
and press Enter.
- For more information, see the Check Point Management API Reference.


migrate
Important - This command is used to migrate the management database from R80.10
and lower versions.
For more information, see the R80.40 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:


- To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
- About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:
- You must run this command from the Expert mode.
- If you need to back up the current management database, and you do not plan
to import it on a Management Server that runs a higher software version, then
you can use the built-in command in the $FWDIR/bin/upgrade_tools/
directory.
- If you plan to import the management database on a Management Server that
runs a higher software version, then you must use the migrate utility from the
migration tools package created specifically for that higher software version.
See the Installation and Upgrade Guide for that higher software version.
- If this command completes successfully, it creates this log file:
/var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
- If this command fails, it creates this log file:
$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log


Syntax
- To see the built-in help:

[Expert@MGMT:0]# ./migrate -h

- To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate export [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File> &

- To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate import [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz &

Parameters

Parameter Description

-h Shows the built-in help.

yes | nohup ./migrate ... & This syntax:
1. Sends the "yes" input to the interactive "migrate" command through the pipeline, so every prompt (including the "Do you want to continue?" question) is answered "y" without review.
2. The "nohup" forces the "migrate" command to ignore the hangup signals from the shell.
3. The "&" forces the command to run in the background.
As a result, when the CLI session closes, the command continues to run in the background.
Because every prompt is answered automatically, verify the destination path before you run an export this way: a prompt to overwrite an existing archive would also be answered "y".
See:
- sk133312
- https://linux.die.net/man/1/bash
- https://linux.die.net/man/1/nohup

export Exports the management database and applicable Check Point configuration.

import Imports the management database and applicable Check Point configuration
that were exported from another Management Server.

-l Exports and imports the Check Point logs without log indexes in the
$FWDIR/log/ directory.

Note - The command can export only closed logs (to which the
information is not currently written).

-x Exports and imports the Check Point logs with their log indexes in the
$FWDIR/log/ directory.

Important:
- This parameter only supports Management Servers and Log Servers R80.10 and higher.
- The command can export only closed logs (to which the information is not currently written).

-n Runs silently (non-interactive mode) and uses the default options for each setting.

Important:
- If you export a management database in this mode and the specified name of the exported file matches the name of an existing file, the command overwrites the existing file without prompting.
- If you import a management database in this mode, the "migrate import" command runs the "cpstop" command automatically.

--exclude-uepm-postgres-db
- During the export operation, does not back up the PostgreSQL database from the Endpoint Security Management Server.
- During the import operation, does not restore the PostgreSQL database on the Endpoint Security Management Server.

--include-uepm-msi-files
- During the export operation, backs up the MSI files from the Endpoint Security Management Server.
- During the import operation, restores the MSI files on the Endpoint Security Management Server.

/<Full Path>/ Absolute path to the exported database file.
This path must exist.

<Name of Exported File>
- During the export operation, specifies the name of the output file. The command automatically adds the *.tgz extension.
- During the import operation, specifies the name of the exported file. You must manually enter the *.tgz extension in the end.


Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# ./migrate export /var/log/Migrate_Export

You are required to close all clients to Security Management Server


or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...


Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate export /var/log/My_Migrate_Export


Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#


migrate_server
Important - This command is used to migrate the management database from
R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.
For more information, see the R80.40 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:


- To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
- About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:
- You must run this command from the Expert mode.
- If you need to back up the current management database, and you do not plan
to import it on a Management Server that runs a higher software version, then
you can use the built-in command in the $FWDIR/scripts/ directory.
- If you plan to import the management database on a Management Server that
runs a higher software version, then you must use the migrate_server utility
from the migration tools package created specifically for that higher software
version. See the Installation and Upgrade Guide for that higher software
version.
- If this command completes successfully, it creates this log file:
/var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
- If this command fails, it creates this log file:
$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log


Syntax
- To see the built-in help:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server -h

- To run the Pre-Upgrade Verifier:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server verify -v R80.40 [-skip_upgrade_tools_check]

- To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>

- To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server import -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [-change_ips_file /<Full Path>/<Name of JSON File>.json] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

Parameters

Parameter Description

-h Shows the built-in help.

export Exports the management database and applicable Check Point configuration.

import Imports the management database and applicable Check Point configuration that were
exported from another Management Server.

Important - This command automatically restarts Check Point services (runs the
"cpstop" and "cpstart" commands).

verify Verifies the management database and applicable Check Point configuration that were
exported from another Management Server.

-v <Version> Specifies the version, to which you plan to migrate or upgrade. In this release: R80.40


-skip_upgrade_tools_check Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.

Best Practice - Use this parameter on a Management Server that is not connected to the Internet.

-l Exports and imports the Check Point logs without log indexes in the $FWDIR/log/
directory.

Note - The command can export only closed logs (to which the information is
not currently written).

-x Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/
directory.

Important:
- This parameter only supports Management Servers and Log Servers R80.10 and higher.
- The command can export only closed logs (to which the information is not currently written).

-change_ips_file /<Full Path>/<Name of JSON File>.json Specifies the absolute path to the special JSON configuration file with new IPv4 addresses.
This file is mandatory during an upgrade of a Multi-Domain Security Management environment.
Even if only one of the servers migrates to a new IP address, all the other servers must get this configuration file for the import process.
Example:

[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},
{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]

--include-uepm-msi-files
- During the export operation, backs up the MSI files from the Endpoint Security Management Server.
- During the import operation, restores the MSI files on the Endpoint Security Management Server.

--exclude-uepm-postgres-db
- During the export operation, does not back up the PostgreSQL database from the Endpoint Security Management Server.
- During the import operation, does not restore the PostgreSQL database on the Endpoint Security Management Server.


/<Full Path>/<Name of Exported File> Specifies the absolute path to the exported database file. This path must exist.
- During the export operation, specifies the name of the output file. The command automatically adds the *.tgz extension.
- During the import operation, specifies the name of the exported file. You must manually enter the *.tgz extension in the end.
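The -change_ips_file entry in the table above shows the shape of the JSON but leaves writing it by hand. The shell functions below are an added example, not part of the Check Point guide: they build that file from name=IPv4 pairs and reject a malformed address or an empty name before the import starts, which matters because "migrate_server import" restarts Check Point services and a wrong address only surfaces afterwards. The JSON keys "name" and "newIpAddress4" are the ones shown above; the function names and the name=IP argument form are this example's own.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): generate the JSON file for
# "migrate_server import -change_ips_file" and validate its IPv4 addresses.

# is_ipv4 <string>: 0 if <string> is a dotted quad with four octets in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
    esac
    n=0
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# json_str <text>: escape backslash and double quote for use inside a JSON
# string (server names are plain identifiers, so nothing else is needed).
json_str() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# change_ips_json NAME=IP [NAME=IP ...]
# Prints the JSON array expected by -change_ips_file, or prints nothing and
# returns 1 on the first bad pair. List every server in the environment: the
# guide requires all of them to receive the file even if only one moves.
change_ips_json() {
    out=''
    for pair in "$@"; do
        name=${pair%%=*}; ip=${pair#*=}
        if [ -z "$name" ] || [ "$name" = "$pair" ] || ! is_ipv4 "$ip"; then
            echo "bad entry: $pair" >&2
            return 1
        fi
        entry=$(printf '{"name":"%s","newIpAddress4":"%s"}' "$(json_str "$name")" "$ip")
        out="${out:+$out,}$entry"
    done
    printf '[%s]\n' "$out"
}

# Illustrative use on the server being migrated (names from the guide):
#   change_ips_json MyPrimaryMultiDomainServer=172.30.40.51 \
#                   MySecondaryMultiDomainServer=172.30.40.52 > /var/log/new_ips.json
# then pass /var/log/new_ips.json with -change_ips_file on every server.
```

Because the function fails closed, a script that feeds its output straight into the import cannot hand migrate_server a half-written file.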

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export /var/log/Migrate_Export

You are required to close all clients to Security Management Server


or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...


Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate_server export /var/log/My_Migrate_Export


Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#
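Both migrate and migrate_server end with one of the two message forms shown in the examples above, and when the export runs detached (yes | nohup ... &) nobody is watching for them. The shell functions below are an added example, not part of the Check Point guide: migrate_outcome turns the captured output into a pass/fail status plus the path worth acting on (the archive on success, the log on failure); protect_archive and verify_archive restrict the archive to root and record a SHA-256 so the copy moved to the target server can be checked before import; migrate_export_bg is the guide's detached invocation with an overwrite guard. The archive is the entire management database and configuration, so who can read it matters. The function names are this example's own, and sha256sum (or shasum) is assumed to be present.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): act on the result of
# "migrate export" / "migrate_server export" and protect the archive.

# migrate_outcome
#   stdin:  the text the export command printed (captured from a nohup run)
#   stdout: "ok <archive path>" on success, "failed <log path>" otherwise
#   status: 0 on success, 1 on failure
# The two message forms are the ones in the guide's examples.
migrate_outcome() {
    out=$(cat)
    archive=$(printf '%s\n' "$out" |
        sed -n 's/^Location of archive with exported database: //p')
    if printf '%s\n' "$out" | grep -q '^The operation completed successfully\.' &&
       [ -n "$archive" ]; then
        printf 'ok %s\n' "$archive"
        return 0
    fi
    log=$(printf '%s\n' "$out" |
        sed -n "s/^Execution finished with errors\. See log file '\([^']*\)'.*/\1/p")
    printf 'failed %s\n' "${log:-unknown}"
    return 1
}

# sha256_of <file>: hex digest, with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# protect_archive <archive.tgz>
# Make the archive readable by root only and write <archive>.sha256 next to
# it. Prints the sidecar path.
protect_archive() {
    archive=$1
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    chmod 600 "$archive"
    sha256_of "$archive" > "$archive.sha256"
    chmod 600 "$archive.sha256"
    printf '%s\n' "$archive.sha256"
}

# verify_archive <archive.tgz>: 0 if the digest matches the sidecar copied
# along with it. Run this on the target server before "migrate import".
verify_archive() {
    [ -f "$1.sha256" ] && [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# migrate_export_bg <tool> <destination without .tgz> [tool options...]
# The guide's detached invocation, plus: refuse to overwrite an existing
# archive (the auto-answered prompts would confirm it) and keep the tool's
# output in <destination>.export.out for migrate_outcome.
# <tool> is $FWDIR/bin/upgrade_tools/migrate or $FWDIR/scripts/migrate_server
# (the latter also needs "-v R80.40" among the options).
migrate_export_bg() {
    tool=$1; dest=$2; shift 2
    [ -e "$dest.tgz" ] && { echo "refusing to overwrite $dest.tgz" >&2; return 1; }
    yes | nohup "$tool" export "$@" "$dest" > "$dest.export.out" 2>&1 &
}
```

Typical sequence: migrate_export_bg "$FWDIR/bin/upgrade_tools/migrate" /var/log/Migrate_Export; when the background job has finished, migrate_outcome < /var/log/Migrate_Export.export.out && protect_archive /var/log/Migrate_Export.tgz; copy the .tgz and the .sha256 to the target server and run verify_archive there before the import.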


queryDB_util
Description
Searches in the management database for objects or policy rules.

Important - This command is obsolete for R80 and above. To search the management database for objects and rules, use the "mgmt_cli" on page 358 command (its "show" commands) or the Management API.


rs_db_tool
Description
Manages Dynamically Assigned IP address (DAIP) gateways in a DAIP database.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax
- To add an entry to the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation add -name <Object Name> -ip <IPv4 Address> -ip6 <IPv6 Address> -TTL <Time-To-Live>

- To fetch a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation fetch -name <Object Name>

- To delete a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation delete -name <Object Name>

- To list all entries in the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation list

- To synchronize the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation sync


Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-name <Object Name> Specifies the name of the DAIP object.

-ip <IPv4 Address> Specifies the IPv4 address of the DAIP object.

-ip6 <IPv6 Address> Specifies the IPv6 address of the DAIP object.

-TTL <Time-To-Live> Specifies the relative time interval (in seconds), during which the entry is valid.


sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information
received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts
mechanism.

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

- See the "fw sam" on page 271 and "fw sam_policy" on page 279 commands.

SAM v1 syntax

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security
Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter Description

-v Enables the verbose mode for the fw sam command.

-o Specifies to print the input of this tool to the standard output (to use with pipes in
a CLI syntax).

-s <SAM Server> Specifies the SAM Server to be contacted. Default is localhost.

-t <Time> Specifies the time (in seconds), during which to enforce the action. The default is
forever.


-f <Security Gateway> Specifies the Security Gateway, on which to run the operation.
Important - If you do not specify the target Security Gateway explicitly,
this command applies to all managed Security Gateways.

-C Cancels the specified operation.

-n Specifies to notify every time a connection, which matches the specified criteria,
passes through the Security Gateway.

-i Inhibits (drops or rejects) connections that match the specified criteria.

-I Inhibits (drops or rejects) connections that match the specified criteria and
closes all existing connections that match the specified criteria.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.


SAM v2 syntax

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src | -dst | -any | -srv}

Parameters for SAM v2

Parameter Description

-v2 Specifies to use SAM v2.

-v Enables the verbose mode for the fw sam command.

-O Specifies to print the input of this tool to the standard output (to use
with pipes in a CLI syntax).

-S <SAM Server> Specifies the SAM Server to be contacted. Default is localhost.

-t <Time> Specifies the time (in seconds), during which to enforce the action.
The default is forever.

-f <Security Gateway> Specifies the Security Gateway, on which to run the operation.
Important - If you do not specify the target Security Gateway
explicitly, this command applies to all managed Security
Gateways.

-n <Name> Specifies the name for the SAM rule.


Default is empty.

-c "<Comment>" Specifies the comment for the SAM rule.


Default is empty.
You must enclose the text in the double quotes or single quotes.

-o <Originator> Specifies the originator for the SAM rule.


Default is sam_alert.

-l {r | a} Specifies the log type for connections that match the specified criteria:
- r - Regular
- a - Alert
Default is None.


-a {d | r | n | b | q | i} Specifies the action to apply on connections that match the specified criteria:
- d - Drop
- r - Reject
- n - Notify
- b - Bypass
- q - Quarantine
- i - Inspect

-C Specifies to close all existing connections that match the criteria.

-ip Specifies to use IP addresses as criteria parameters.

-eth Specifies to use MAC addresses as criteria parameters.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.


stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug purposes - to
make sure the applicable SNMP OIDs provide the requested information.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax
- To query a Regular OID:

stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>

Regular OIDs are specified in the SNMP MIB files.
For Check Point MIB files, see sk90470.

- To query a Statistical OID:

stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>

Statistical OIDs take some time to "initialize".
For example, to calculate an average, it is necessary to collect enough samples.
Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_oid.conf file.

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-h <Host> Specifies the remote Check Point host to query by its IP address or resolvable hostname.


-p <Port> Specifies the port number, on which the AMON server listens. Default port is 18192.

-x <Proxy Server> Specifies the Proxy Server by its IP address or resolvable hostname.
Note - Use only when you query a remote host.

-l <Polling Interval> Specifies the time in seconds between queries.
Note - Use only when you query a Statistical OID.

-r <Polling Duration> Specifies the time in seconds, during which to run consecutive queries.
Note - Use only when you query a Statistical OID.

-v <VSID> On a VSX Gateway, specifies the context of a Virtual Device to query.

-t <Timeout> Specifies the session timeout in milliseconds.

<Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N> Specifies the Regular OIDs to query.
Notes:
- OID must not start with period.
- Separate the OIDs with spaces.
- You can specify up to 100 OIDs.

<Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N> Specifies the Statistical OIDs to query.
Notes:
- OID must not start with period.
- Separate the OIDs with spaces.
- You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.2.3


Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Samples are collected every 5 seconds for a total duration of 5 seconds.

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3


threshold_config
Description
You can configure a variety of SNMP thresholds that generate SNMP traps (alerts).
You can use these thresholds to monitor many system components automatically without requesting
information from each object or device.
You configure these SNMP Monitoring Thresholds only on the Security Management Server, Multi-Domain
Server, or Domain Management Server.
During policy installation, the managed Security Gateways and Clusters receive and apply these
thresholds as part of their policy.
For more information, see sk90860: How to configure SNMP on Gaia OS.

Procedure

Step Description

1 Connect to the command line on the Management Server.

2 Log in to the Expert mode.

3 On a Multi-Domain Server, switch to the context of the applicable Domain Management Server:

[Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>

4 Go to the Threshold Engine Configuration menu:

[Expert@HostName:0]# threshold_config


5 Select the applicable options and configure the applicable settings
(see the Threshold Engine Configuration Options table below).

Threshold Engine Configuration Options:
---------------------------------------
(1) Show policy name
(2) Set policy name
(3) Save policy
(4) Save policy to file
(5) Load policy from file
(6) Configure global alert settings
(7) Configure alert destinations
(8) View thresholds overview
(9) Configure thresholds

(e) Exit (m) Main Menu

Enter your choice (1-9) :

6 Exit from the Threshold Engine Configuration menu.

7 Stop the CPD daemon:

[Expert@HostName:0]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"

See "cpwd_admin stop" on page 229.

8 Start the CPD daemon:

[Expert@HostName:0]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

See "cpwd_admin start" on page 226.

9 Wait for 10-20 seconds.

10 Verify that CPD daemon started successfully:

[Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"

See "cpwd_admin list" on page 221.

11 In SmartConsole, install the Access Control Policy on Security Gateways and Clusters.
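Step 9 waits a fixed 10-20 seconds and step 10 leaves the egrep output to be read by eye. The shell functions below are an added example, not part of the Check Point guide: they poll the same cpwd_admin list output until CPD reports state E and give up after a timeout, so that step 11 (policy installation) is only reached with CPD actually running. The layout of cpwd_admin list assumed here (a header row containing a STAT column, one row per watched process, E for executing and T for terminated) is from memory rather than from this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): restart CPD as in steps
# 7-8 and verify it is back, with a bounded wait instead of a fixed sleep.

# cpd_state <text of "cpwd_admin list">
# Prints the STAT value of the CPD row (E or T), or "absent" if there is no
# CPD row. The STAT column is located by name from the header row, so column
# widths do not matter. Layout assumed, see the lead-in.
cpd_state() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "STAT") col = i; next }
        $1 == "CPD" && col { print $col; found = 1; exit }
        END { if (!found) print "absent" }'
}

# wait_for_cpd [timeout seconds] [lister command]
# Polls once per second until cpd_state reports E; returns 1 on timeout.
# The lister defaults to the real "cpwd_admin list" and can be replaced by
# any command printing the same layout, which keeps the logic testable.
wait_for_cpd() {
    timeout=${1:-30}; lister=${2:-cpwd_admin list}
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ "$(cpd_state "$($lister 2>/dev/null)")" = "E" ]; then
            return 0
        fi
        sleep 1; i=$((i + 1))
    done
    echo "CPD did not reach state E within ${timeout}s" >&2
    return 1
}

# restart_cpd: the guide's steps 7, 8 and 10 in one call; stops on the first
# failure so a policy install is not attempted against a half-restarted CPD.
restart_cpd() {
    cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" &&
    cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd" &&
    wait_for_cpd 30
}
```

After threshold_config exits, run restart_cpd; if it returns 0, continue with step 11, otherwise inspect cpwd_admin list before installing policy.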


Threshold Engine Configuration Options

Menu item Description

(1) Show policy name Shows the name of the current configured threshold policy.

(2) Set policy name Configures the name for the threshold policy.
If you do not specify it explicitly, then the default name is "Default Profile".

(3) Save policy Saves the changes in the current threshold policy.

(4) Save policy to file Exports the configured threshold policy to a file.
If you do not specify the path explicitly, the file is saved in the current working directory.

(5) Load policy from file Imports a threshold policy from a file.
If you do not specify the path explicitly, the file is imported from the current working directory.

(6) Configure global alert settings Configures global settings:
- How frequently alerts are sent (configured delay must be greater than 30 seconds)
- How many alerts are sent

(7) Configure alert destinations Configures the SNMP Network Management System (NMS), to which the managed Security Gateways and Cluster Members send their SNMP alerts.
Configure Alert Destinations Options:
-------------------------------------
(1) View alert destinations
(2) Add SNMP NMS
(3) Remove SNMP NMS
(4) Edit SNMP NMS

(8) View thresholds overview Shows a list of all available thresholds and their current settings. These include:
- Name
- Category (see the next option "(9)")
- State (disabled or enabled)
- Threshold (threshold point, if applicable)
- Description

(9) Configure thresholds Shows the list of threshold categories to configure.
Thresholds Categories
----------------------
(1) Hardware
(2) High Availability
(3) Local Logging Mode Status
(4) Log Server Connectivity
(5) Networking
(6) Resources

See the Thresholds Categories table below.

Thresholds Categories

Category Sub-Categories

(1) Hardware Hardware Thresholds:


--------------------
(1) RAID volume state
(2) RAID disk state
(3) RAID disk flags
(4) Temperature sensor reading
(5) Fan speed sensor reading
(6) Voltage sensor reading

(2) High Availability High Availability Thresholds:


-----------------------------
(1) Cluster member state changed
(2) Cluster block state
(3) Cluster state
(4) Cluster problem status
(5) Cluster interface status

(3) Local Logging Mode Status Local Logging Mode Status Thresholds:
-------------------------------------
(1) Local Logging Mode

(4) Log Server Connectivity Log Server Connectivity Thresholds:


-----------------------------------
(1) Connection with log server
(2) Connection with all log servers


(5) Networking Networking Thresholds:


----------------------
(1) Interface Admin Status
(2) Interface removed
(3) Interface Operational Link Status
(4) New connections rate
(5) Concurrent connections rate
(6) Bytes Throughput
(7) Accepted Packet Rate
(8) Drop caused by excessive traffic

(6) Resources Resources Thresholds:


---------------------
(1) Swap Memory Utilization
(2) Real Memory Utilization
(3) Partition free space
(4) Core Utilization
(5) Core interrupts rate


Notes:
- If you run the threshold_config command locally on a Security Gateway or
Cluster Members to configure the SNMP Monitoring Thresholds, then each
policy installation erases these local SNMP threshold settings and reverts them
to the global SNMP threshold settings configured on the Management Server
that manages this Security Gateway or Cluster.
- On a Security Gateway and Cluster Members, you can save the local Threshold
Engine Configuration settings to a file and load it locally later.
- The Threshold Engine Configuration is stored in the
$FWDIR/conf/thresholds.conf file.
- In a Multi-Domain Security Management environment:
  - You can configure the SNMP thresholds in the context of Multi-Domain
Server (MDS) and in the context of each individual Domain Management
Server.
  - Thresholds that you configure in the context of the Multi-Domain Server
are for the Multi-Domain Server only.
  - Thresholds that you configure in the context of a Domain Management
Server are for that Domain Management Server and its managed Security
Gateways and Clusters.
  - If an SNMP threshold applies both to the Multi-Domain Server and a
Domain Management Server, then configure the SNMP threshold both in
the context of the Multi-Domain Server and in the context of the Domain
Management Server.
However, in this scenario you can only get alerts from the Multi-Domain
Server, if the monitored object exceeds the threshold.
Example:
If you configure the CPU threshold, then when the monitored value
exceeds the configured threshold, it applies to both the Multi-Domain
Server and the Domain Management Server. However, only the Multi-Domain
Server generates SNMP alerts.



Multi-Domain Security Management Commands
For more information about Multi-Domain Server, see the R80.40 Multi-Domain Security Management
Administration Guide.
In addition, see "Security Management Server Commands" on page 71.


Managing Security through API


This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the API Server
that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with third
party systems such as virtualization servers, ticketing systems, and change management systems.

API Tools
You can use these tools to run API scripts on the Management Server:
- Standalone management tool, included with SmartConsole. You can copy this tool to computers that
run Windows or Gaia operating system.
  - mgmt_cli.exe (for Windows operating system)
  - mgmt_cli (for Gaia operating system)
- Web Services API that allows communication and data exchange between the clients and the
Management Server over the HTTPS protocol.
These also let other Check Point processes communicate with the Management Server over the
HTTPS protocol.
To learn more about the management APIs, to see code samples, and to take advantage of user forums,
see:
- The Check Point Management API Reference.
- The Developers Network section of Check Point CheckMates Community.

Configuring the API Server


To configure the API Server:
1. Connect with SmartConsole to the Security Management Server or Domain Management Server.
2. From the left navigation panel, click Manage & Settings.
3. In the upper left section, click Blades.
4. In the Management API section, click Advanced Settings.
   The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings.

Configuring Startup Settings

Select Automatic start to automatically start the API server when you start or reboot the Management Server.

Notes:
- If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during Management Server installation.
- If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.

Configuring Access Settings

Select one of these options to configure which clients can connect to the API Server:
- Management server only - Only the Management Server itself can connect to the API Server. This option only lets you use the mgmt_cli utility on the server to send API requests. You cannot use SmartConsole or web services to send API requests.
- All IP addresses that can be used for GUI clients - You can send API requests from all IP addresses that are defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole, Web services and the mgmt_cli utility.
- All IP addresses - You can send API requests from all IP addresses. This includes requests from SmartConsole, Web services and the mgmt_cli utility. This is the least restrictive option: the API Server then relies on authentication alone, so prefer one of the two narrower options unless every network that can reach the server is trusted.

6. Publish the SmartConsole session.


7. Restart the API Server.
Run this command:

api restart

Note - On a Multi-Domain Server, you must run this command in the context of
the applicable Domain Management Server.
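The login, object change, publish and logout flow that the API Tools section describes, as an added example that is not part of this guide and is not Check Point's management SDK. It uses only the Python standard library. The /web_api/<command> paths, the JSON request bodies and the X-chkp-sid session header are the documented Web API conventions; the server name, the credentials and the host object are made-up sample values. The transport is injectable so the session logic can be exercised without a Management Server; against a real one, the Access Settings above decide whether the calling address may connect at all.

```python
"""Added example (not Check Point code): a minimal Management API session
over the Web Services API. Server name, credentials and the host object are
sample values; the endpoint paths and X-chkp-sid header are the API's own."""
import json
import ssl
import urllib.error
import urllib.request


def https_transport(verify_cert=True):
    """Build a sender that POSTs a JSON body to the API Server and returns
    (HTTP status, decoded JSON body). Only disable certificate verification
    against a lab server whose certificate you have not yet trusted."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(url, headers, body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode("utf-8"), method="POST")
        for key, value in headers.items():
            req.add_header(key, value)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            # The API Server answers errors with a JSON document and a non-200 code.
            return err.code, json.loads(err.read() or b"{}")
    return send


class MgmtSession:
    """One API session: every call after login carries the session id."""

    def __init__(self, server, transport):
        self.base = "https://%s/web_api/" % server
        self.transport = transport
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        status, body = self.transport(self.base + command, headers, payload or {})
        if status != 200:
            raise RuntimeError("%s failed (HTTP %d): %s"
                               % (command, status, body.get("message", body)))
        return body

    def login(self, user, password, domain=None):
        payload = {"user": user, "password": password}
        if domain:  # on a Multi-Domain Server, log in to one Domain Management Server
            payload["domain"] = domain
        self.sid = self.call("login", payload)["sid"]
        return self.sid

    def logout(self):
        try:
            self.call("logout")
        finally:
            self.sid = None


def add_host_and_publish(session, name, ip_address):
    """Create a host object and publish it. On any failure, discard the
    session's unpublished changes instead of leaving them pending."""
    try:
        session.call("add-host", {"name": name, "ip-address": ip_address})
        session.call("publish")
        return True
    except RuntimeError:
        session.call("discard")
        return False


if __name__ == "__main__":
    # Sample server and credentials; replace with your own.
    s = MgmtSession("mgmt.example.internal", https_transport())
    s.login("api_user", "change-me")
    try:
        print("published:", add_host_and_publish(s, "web-01", "10.20.30.40"))
    finally:
        s.logout()
```

The script needs the API Server to be running (api status) and the caller's address to be admitted by the Access Settings. https_transport(verify_cert=False) gets you through a lab whose certificate is not yet trusted; install or pin the server certificate before running anything like this unattended.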

cma_migrate
Description
On the applicable target Domain Management Server, imports the management database that was
exported from an R7x Domain Management Server.

Note - This command updates the database schema before it imports. First, the
command runs pre-upgrade verification. If no errors are found, migration continues. If
there are errors, you must fix them on the source R7x Domain Management Server
according to instructions in the error messages. Then do this procedure again.

For the complete procedure, see the R80.40 Installation and Upgrade Guide.

Syntax

cma_migrate /<Full Path>/<Name of R7x Domain Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>/

Example

[Expert@MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.40/customers/MyDomain3/CPsuite-R80.40/fw1/

contract_util
Description
Works with the Check Point Service Contracts.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util [-d]
    check <options>
    cpmacro <options>
    download <options>
    mgmt
    print <options>
    summary <options>
    update <options>
    verify

Parameters

Parameter            Description

check <options>      Checks whether the Security Gateway is eligible for an upgrade.
                     See "contract_util check" on page 76.

cpmacro <options>    Overwrites the current cp.macro file with the specified cp.macro file.
                     See "contract_util cpmacro" on page 77.

download <options>   Downloads all associated Check Point Service Contracts from the User Center, or from a local file.
                     See "contract_util download" on page 78.

mgmt                 Delivers the Service Contract information from the Management Server to the managed Security Gateways.
                     See "contract_util mgmt" on page 80.

print <options>      Shows all the installed licenses and whether the Service Contract covers these licenses, which determines whether they are entitled to an upgrade.
                     See "contract_util print" on page 81.

summary <options>    Shows the post-installation summary.
                     See "contract_util summary" on page 82.

update <options>     Updates Check Point Service Contracts from your User Center account.
                     See "contract_util update" on page 83.

verify               Checks whether the Security Gateway is eligible for an upgrade.
                     This command also interprets the return values and shows a meaningful message.
                     See "contract_util verify" on page 84.

contract_util check
Description
Checks whether the Security Gateway is eligible for an upgrade.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util check
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter      Description

{-h | -help}   Shows the applicable built-in usage.

hfa            Checks whether the Security Gateway is eligible for an upgrade to a higher Hotfix Accumulator.

maj_upgrade    Checks whether the Security Gateway is eligible for an upgrade to a higher Major version.

min_upgrade    Checks whether the Security Gateway is eligible for an upgrade to a higher Minor version.

upgrade        Checks whether the Security Gateway is eligible for an upgrade.

contract_util cpmacro
Description
Overwrites the current cp.macro file with the specified cp.macro file, if the specified file is newer than the current file.
For more information about the cp.macro file, see sk96217: What is a cp.macro file?

Syntax

contract_util cpmacro /<path_to>/cp.macro

This command shows one of these messages:

Message                                   Description

CntrctUtils_Write_cp_macro returned -1    The contract_util cpmacro command failed:
                                          - Failed to create a temporary file.
                                          - Failed to write to a temporary file.
                                          - Failed to replace the current file.

CntrctUtils_Write_cp_macro returned 0     The contract_util cpmacro command overwrote the current file with the specified file, because the specified file is newer.

CntrctUtils_Write_cp_macro returned 1     The contract_util cpmacro command did not overwrite the current file, because it is newer than the specified file.

contract_util download
Description
Downloads all associated Check Point Service Contracts from User Center, or from a local file.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util download
      {-h | -help}
      local
            {-h | -help}
            [{hfa | maj_upgrade | min_upgrade | upgrade}] <Service Contract File>
      uc
            {-h | -help}
            [-i] [{hfa | maj_upgrade | min_upgrade | upgrade}] <Username> <Password> [<Proxy Server> [<Proxy Username>:<Proxy Password>]]

Parameters

Parameter                     Description

{-h | -help}                  Shows the applicable built-in usage.

-i                            Interactive mode - prompts the user for the User Center credentials and proxy server settings.
                              Prefer this mode to passing the passwords as arguments, which leaves them in the shell history and visible in the process list while the command runs.

local                         Specifies to download the Service Contract from the local file.
                              This is equivalent to the cplic contract put command.

uc                            Specifies to download the Service Contract from the User Center.

hfa                           Downloads the information about a Hotfix Accumulator.

maj_upgrade                   Downloads the information about a Major version.

min_upgrade                   Downloads the information about a Minor version.

upgrade                       Downloads the information about an upgrade.

<Username>                    Your User Center account e-mail address.

<Password>                    Your User Center account password.

<Proxy Server> [<Proxy Username>:<Proxy Password>]
                              Specifies that the connection to the User Center goes through the proxy server.
                              - <Proxy Server> - IP address or resolvable hostname of the proxy server.
                              - <Proxy Username> - Username for the proxy server.
                              - <Proxy Password> - Password for the proxy server.
                              Note - If you do not specify the proxy server explicitly, the command uses the proxy server configured in the management database.

<Service Contract File>       Path to and the name of the Service Contract file.
                              First, you must download the Service Contract file from your User Center account.

contract_util mgmt
Description
Delivers the Service Contract information from the Management Server to the managed Security
Gateways.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util mgmt

contract_util print
Description
Shows all the installed licenses and whether the Service Contract covers these licenses, which determines whether they are entitled to an upgrade.
This command can show which licenses are not recognized by the Service Contract file.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util [-d] print
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Shows a formatted table header and more information.

hfa Shows the information about Hotfix Accumulator.

maj_upgrade Shows the information about Major version.

min_upgrade Shows the information about Minor version.

upgrade Shows the information about an upgrade.

contract_util summary
Description
Shows post-installation summary and whether this Check Point computer is eligible for upgrades.

Syntax

contract_util summary
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter Description

hfa Shows the information about Hotfix Accumulator.

maj_upgrade Shows the information about Major version.

min_upgrade Shows the information about Minor version.

upgrade Shows the information about an upgrade.

contract_util update
Description
Updates the Check Point Service Contracts from your User Center account.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util update
[-proxy <Proxy Server>:<Proxy Port>]
[-ca_path <Path to ca-bundle.crt File>]

Parameters

Parameter                                Description

update                                   Updates Check Point Service Contracts (attached to pre-installed licenses) from your User Center account.

-proxy <Proxy Server>:<Proxy Port>       Specifies that the connection to the User Center goes through the proxy server:
                                         - <Proxy Server> - IP address or resolvable hostname of the proxy server.
                                         - <Proxy Port> - The applicable port on the proxy server.
                                         Note - If you do not specify the proxy explicitly, the command uses the proxy configured in the management database.

-ca_path <Path to ca-bundle.crt File>    Specifies the path to the Certificate Authority Bundle file (ca-bundle.crt) that the command uses to validate the User Center's TLS certificate.
                                         Note - If you do not specify the path explicitly, the command uses the default path.

contract_util verify
Description
Checks whether the Security Gateway is eligible for an upgrade.
This command is the same as the "contract_util check" on page 76 command, but it also interprets the
return values and shows a meaningful message.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util verify

cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
      -h
      admin <options>
      auto <options>
      ca <options>
      client <options>
      finger <options>
      lic <options>
      snmp <options>

Syntax on a Security Gateway

cp_conf
      -h
      adv_routing <options>
      auto <options>
      corexl <options>
      fullha <options>
      ha <options>
      intfs <options>
      lic <options>
      sic <options>
      snmp <options>

Parameters

Parameter              Description

-h                     Shows the entire built-in usage.

admin <options>        Configures Check Point system administrators for the Security Management Server.
                       See "cp_conf admin" on page 88.

adv_routing <options>  Enables or disables the Advanced Routing feature on this Security Gateway.
                       Important - Do not use these outdated commands. To configure Advanced Routing, see the R80.40 Gaia Advanced Routing Administration Guide.

auto <options>         Shows and configures the automatic start of Check Point products during boot.
                       See "cp_conf auto" on page 91.

ca <options>           - Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).
                       - Initializes the Internal Certificate Authority (ICA).
                       See "cp_conf ca" on page 93.

client <options>       Configures the GUI clients that can use SmartConsole to connect to the Security Management Server.
                       See "cp_conf client" on page 95.

corexl <options>       Enables or disables CoreXL on this Security Gateway.
                       See "cp_conf corexl" on page 883.

finger <options>       Shows the ICA's Fingerprint.
                       See "cp_conf finger" on page 99.

fullha <options>       Manages a Full High Availability Cluster.
                       See "cp_conf fullha" on page 885.

ha <options>           Enables or disables cluster membership on this Security Gateway.
                       See "cp_conf ha" on page 886.

intfs <options>        Sets the topology of interfaces on a Security Gateway, which you manage with SmartProvisioning.
                       See "cp_conf intfs" on page 887.

lic <options>          Manages Check Point licenses.
                       See "cp_conf lic" on page 101.

sic <options>          Manages SIC on this Security Gateway.
                       See "cp_conf sic" on page 890.

snmp <options>         Do not use these outdated commands.
                       To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System Management - Section SNMP.

cp_conf admin
Description
Configures Check Point system administrators for the Security Management Server.

Notes:
- Multi-Domain Server does not support this command.
- Only one administrator can be defined in the "cpconfig" on page 133 menu. To define additional administrators, use SmartConsole.
- This command corresponds to the option Administrator in the "cpconfig" on page 133 menu.

Syntax

cp_conf admin
      -h
      add [<UserName> <Password> {a | w | r}]
      add -gaia [{a | w | r}]
      del <UserName1> <UserName2> ...
      get

Parameters

Parameter                                  Description

-h                                         Shows the applicable built-in usage.

add [<UserName> <Password> {a | w | r}]    Adds a Check Point system administrator:
                                           - <UserName> - Specifies the administrator's username
                                           - <Password> - Specifies the administrator's password
                                           - a - Assigns all permissions - read settings, write settings, and manage administrators
                                           - w - Assigns permissions to read and write settings only (cannot manage administrators)
                                           - r - Assigns permissions to only read settings
                                           A password passed as an argument is recorded in the shell history; to be prompted for the values instead, run the command without arguments (see Example 1).

add -gaia [{a | w | r}]                    Adds the Gaia administrator user admin:
                                           - a - Assigns all permissions - read settings, write settings, and manage administrators
                                           - w - Assigns permissions to read and write settings only (cannot manage administrators)
                                           - r - Assigns permissions to only read settings

del <UserName1> <UserName2> ...            Deletes the specified system administrators.

get                                        Shows the list of the configured system administrators.

get -gaia                                  Shows the management permissions assigned to the Gaia administrator user admin.

Example 1 - Adding a Check Point system administrator

[Expert@MGMT:0]# cp_conf admin add
Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w

Administrator admin was modified successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

Example 2 - Adding the Gaia administrator user

[Expert@MGMT:0]# cp_conf admin add -gaia
Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r
Administrator admin already exists.

Administrator admin was modified successfully and has
Read Only Permission for all products
[Expert@MGMT:0]#

cp_conf auto
Description
Shows and controls which of Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point Products in the "cpconfig" on page 133 menu.

Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain Server in the "mdsconfig" on page 676 menu.

Syntax

cp_conf auto
      -h
{enable | disable} <Product1> <Product2> ...
      get all

Parameters

Parameter                                      Description

-h                                             Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ...   Controls whether the installed Check Point products start automatically during boot.
                                               This command is for Check Point use only.

get all                                        Shows which of these Check Point products start automatically during boot:
                                               - Check Point Security Gateway
                                               - QoS (former FloodGate-1)
                                               - SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all
Check Point Security Gateway is not installed
QoS is not installed
The SmartEvent Suite will start automatically at boot time.
[Expert@MGMT:0]#

Example from a Security Gateway

[Expert@GW:0]# cp_conf auto get all
The Check Point Security Gateway will start automatically at boot time.
QoS will start automatically at boot time.
SmartEvent Suite is not installed.
[Expert@GW:0]#

cp_conf ca
Description
- Initializes the Internal Certificate Authority (ICA).
- Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).

Note - On a Security Management Server, this command corresponds to the option Certificate Authority in the "cpconfig" on page 133 menu.

Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf ca
      -h
      fqdn <FQDN Name>
      init

Parameters

Parameter Description

-h Shows the applicable built-in usage.

fqdn <FQDN Configures the Certificate Authority's (CA) Fully Qualified Domain Name
Name> (FQDN).
<FQDN Name> is the text string hostname.domainname

init Initializes the Internal Certificate Authority (ICA).

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn MyMGMT.checkpoint.com
Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
MyMGMT.checkpoint.com was successfully set to the Internal CA
[Expert@MyMGMT:0]#

cp_conf client
Description
Configures the GUI clients that are allowed to connect with SmartConsoles to the Security Management
Server.

Notes:
- Multi-Domain Server does not support this command.
- This command corresponds to the option GUI Clients in the "cpconfig" on page 133 menu.

Syntax

cp_conf client
      -h
      add <GUI Client>
      createlist <GUI Client 1> <GUI Client 2> ...
      del <GUI Client 1> <GUI Client 2> ...
      get

Parameters

Parameter                                      Description

-h                                             Shows the built-in usage.

<GUI Client>                                   <GUI Client> can be one of these:
                                               - One IPv4 address (for example, 192.168.10.20), or one IPv6 address (for example, 3731:54:65fe:2::a7)
                                               - One hostname (for example, MyComputer)
                                               - "Any" - To denote all IPv4 and IPv6 addresses without restriction. This removes the client-address check entirely; prefer explicit addresses or ranges for the administrator workstations.
                                               - A range of IPv4 addresses (for example, 192.168.10.0/255.255.255.0), or a range of IPv6 addresses (for example, 2001::1/128)
                                               - IPv4 address wildcard (for example, 192.168.10.*)

add <GUI Client>                               Adds a GUI client.

createlist <GUI Client 1> <GUI Client 2> ...   Deletes the current allowed GUI clients and creates a new list of allowed GUI clients.

del <GUI Client 1> <GUI Client 2> ...          Deletes the specified GUI clients.

get                                            Shows the allowed GUI clients.

Examples

Example 1 - Configure one IPv4 address

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.15
172.20.168.15 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.15
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.15
172.20.168.15 was deleted successfully
[Expert@MGMT:0]#

Example 2 - Configure one hostname

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost
MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost
MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

Example 3 - Configure "Any"

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"
Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"
Any was deleted successfully
[Expert@MGMT:0]#

Example 4 - Configure a range of IPv4 addresses

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was deleted successfully
[Expert@MGMT:0]#

Example 5 - Configure IPv4 address wildcard

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*
172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*
172.20.168.* was deleted successfully
[Expert@MGMT:0]#

Example 6 - Delete the current list and create a new list of allowed GUI clients

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist 192.168.40.0/255.255.255.0 172.30.40.55
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
192.168.40.0/255.255.255.0
172.30.40.55
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#
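The five forms of <GUI Client> that the parameter table lists, implemented as a checker for a configured list, as an added example that is not code from this guide or from Check Point. Given the output of cp_conf client get and the address a SmartConsole connection arrives from, it tells you whether that client is admitted, and it flags entries that admit everyone. Hostname entries are compared against a caller-supplied name; resolving them through DNS, which the real check does, is out of scope here and is this example's simplification. The sample list and client addresses are made up.

```python
"""Added example (not Check Point code): evaluate a cp_conf client list.
Sample lists and addresses below are made up."""
import ipaddress


def _wildcard_match(pattern, address):
    """IPv4 wildcard such as 192.168.10.*: every octet must match unless it is '*'."""
    if address.version != 4:
        return False
    pat = pattern.split(".")
    if len(pat) != 4:
        raise ValueError("bad wildcard spec: %s" % pattern)
    octets = str(address).split(".")
    return all(p == "*" or p == o for p, o in zip(pat, octets))


def spec_matches(spec, client_ip, client_hostname=None):
    """Return True if one GUI client entry admits this client."""
    if spec.lower() == "any":
        return True
    if "*" in spec:
        return _wildcard_match(spec, client_ip)
    if "/" in spec:
        # 192.168.10.0/255.255.255.0 (address/netmask) or 2001::1/128 (prefix)
        net = ipaddress.ip_network(spec, strict=False)
        return client_ip.version == net.version and client_ip in net
    try:
        return ipaddress.ip_address(spec) == client_ip
    except ValueError:
        # Not an address at all, so it is a hostname entry (compared literally here).
        return client_hostname is not None and spec.lower() == client_hostname.lower()


def client_allowed(allowed_specs, client, client_hostname=None):
    """True if any configured GUI client entry admits this client address."""
    client_ip = ipaddress.ip_address(client)
    return any(spec_matches(s, client_ip, client_hostname) for s in allowed_specs)


def too_broad(allowed_specs):
    """Entries that admit every address; flag these in a hardening review."""
    flagged = []
    for spec in allowed_specs:
        if spec.lower() == "any" or spec == "*.*.*.*":
            flagged.append(spec)
        elif "/" in spec and ipaddress.ip_network(spec, strict=False).prefixlen == 0:
            flagged.append(spec)
    return flagged


if __name__ == "__main__":
    # Constructed sample of what "cp_conf client get" might list.
    configured = ["172.20.168.0/255.255.255.0", "10.1.2.*", "MySmartConsoleHost"]
    for addr in ("172.20.168.15", "10.1.3.1", "2001:db8::1"):
        print(addr, "allowed" if client_allowed(configured, addr) else "blocked")
    print("overly broad entries:", too_broad(configured + ["Any"]))
```

Feed the function the list from cp_conf client get and the source address of a failed or unexpected SmartConsole login, and you get a quick answer to whether the client list, rather than authentication, is what stopped it.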

cp_conf finger
Description
Shows the Internal Certificate Authority's Fingerprint.
This fingerprint is a text string derived from the ICA certificate on the Security Management Server, Multi-Domain Server, or Domain Management Server.
This fingerprint verifies the identity of the Security Management Server, Multi-Domain Server, or Domain Management Server when you connect to it with SmartConsole: compare the words SmartConsole shows on the first connection with the output of this command obtained out of band, and do not approve the connection if they differ.

Note - This command corresponds to the option Certificate's Fingerprint in the "cpconfig" on page 133 menu.

Note - On a Multi-Domain Server:
- To see the fingerprint of the Multi-Domain Server, this command corresponds to the option Certificate's Fingerprint in the "mdsconfig" on page 676 menu.
- You can run this command in these contexts:
  - To see the fingerprint of the Multi-Domain Server, run it in the context of the Multi-Domain Server:

    mdsenv

  - To see the fingerprint of a Domain Management Server, run it in the context of the applicable Domain Management Server:

    mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf finger
      -h
      get

Parameters

Parameter Description

-h Shows the applicable built-in usage.

get Shows the ICA's Fingerprint.

Example

[Expert@MGMT:0]# cp_conf finger get
EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#

cp_conf lic
Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 133 menu.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf lic
      -h
      add -f <Full Path to License File>
      add -m <Host> <Date> <Signature Key> <SKU/Features>
      del <Signature Key>
      get [-x]

Parameters

Parameter                                             Description

-h                                                    Shows the applicable built-in usage.

add -f <Full Path to License File>                    Adds a license from the specified Check Point license file.
                                                      You get this license file in the Check Point User Center.
                                                      This is the same command as the "cplic db_add" on page 144.

add -m <Host> <Date> <Signature Key> <SKU/Features>   Adds the license manually.
                                                      You get these license details in the Check Point User Center.
                                                      This is the same command as the "cplic db_add" on page 144.

del <Signature Key>                                   Deletes the license based on its signature.
                                                      This is the same command as the "cplic del" on page 149.

get [-x]                                              Shows the locally installed licenses.
                                                      If you specify the "-x" parameter, the output also shows the signature key for every installed license.
                                                      This is the same command as the "cplic print" on page 153.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic
License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get
Host          Expiration  Signature                              Features
192.168.3.28  25Aug2019   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get
Host          Expiration  Signature                              Features
192.168.3.28  25Aug2019   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   CPMP-XXX
[Expert@MyHostName:0]#
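The table that cp_conf lic get prints in the examples above, parsed into an expiry report, as an added example that is not code from this guide or from Check Point. It reads the Host, Expiration, Signature and Features columns and lists licenses that have expired or expire within a warning window. The date format dMonYYYY is the one the guide's examples show; treating the word "never" in the Expiration column as a permanent license is this example's assumption, and the sample output is constructed for it.

```python
"""Added example (not Check Point code): report expiring licenses from the
output of "cp_conf lic get". SAMPLE_OUTPUT is constructed for this example."""
from datetime import datetime

SAMPLE_OUTPUT = """\
Host            Expiration  Signature                              Features
192.168.3.28    25Aug2019   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   CPMP-XXX
192.168.3.28    never       yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy   CPSB-EVAL
"""


def parse_lic_get(text):
    """Return one dict per license line; the header and blank lines are skipped."""
    licenses = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Host":
            continue
        host, expiration, signature = parts[0], parts[1], parts[2]
        features = " ".join(parts[3:])
        if expiration.lower() == "never":   # assumed marker for a permanent license
            expires = None
        else:
            expires = datetime.strptime(expiration, "%d%b%Y").date()
        licenses.append({"host": host, "expires": expires,
                         "signature": signature, "features": features})
    return licenses


def expiring(licenses, today, warn_days=30):
    """(features, days_left) for licenses expiring within warn_days; negative
    days_left means the license has already expired."""
    report = []
    for lic in licenses:
        if lic["expires"] is None:
            continue
        days_left = (lic["expires"] - today).days
        if days_left <= warn_days:
            report.append((lic["features"], days_left))
    return report


if __name__ == "__main__":
    # On a live server, replace SAMPLE_OUTPUT with the captured command output.
    lics = parse_lic_get(SAMPLE_OUTPUT)
    for features, days_left in expiring(lics, datetime.now().date()):
        state = "expired %d days ago" % -days_left if days_left < 0 else "expires in %d days" % days_left
        print("%s: %s" % (features, state))
```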

cp_log_export
Description
Exports Check Point logs over syslog.
For more information, see sk122323 and R80.40 Logging and Monitoring Administration Guide.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_log_export

cp_log_export <command-name> help

Parameters

Parameter             Description

No parameters         Shows the built-in general help.

<command-name> help   Shows the built-in help for the specified internal command.

Internal Commands

Name Description

add Deploy a new Check Point Log Exporter.

delete Remove an exporter.

reexport Reset the current position and reexport all logs per the configuration.

restart Restart an exporter process.

set Update an existing exporter's configuration.

show Print an exporter's current configuration.

start Start an exporter process.

status Show an exporter's overview status.

stop Stop an exporter process.

Internal Command Arguments

Required
for
Required "show", Required
Required Required
for "status", for
Name Description for "add" for "set"
"delete" "start", "reexport"
command command
command "stop", command
"restart"
command

apply-now Applying any Optional Optional Mandatory N/A Mandatory


change that
was done
immediately.

ca-cert Full path to the Optional Optional N/A N/A N/A


CA certificate
file *.pem.
Applicable only
when the value
of the
"encrypted"
argument is
"true".

client-cert Full path to the Optional Optional N/A N/A N/A


client
certificate
*.p12.
Applicable only
when the value
of the
"encrypted"
argument is
"true".

client- The challenge Optional Optional N/A N/A N/A


secret phrase used to
create the
client
certificate
*.p12.
Applicable only
when the value
of the
"encrypted"
argument is
"true".

domain-server
   Description: The name or IP address of the applicable Domain Management Server.
   add: Mandatory | set: Mandatory | delete: Mandatory | show/status/start/stop/restart: Optional (by default, applies to all) | reexport: Mandatory

enabled
   Description: Allows the Log Exporter to start when you run the "cpstart" on page 196 or "mdsstart" on page 684 command.
   add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A

encrypted
   Description: Use TLS (SSL) encryption to export the logs.
   add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A

export-attachment-link
   Description: Add a field to the exported log that represents a link to SmartView that shows the log card and automatically opens the attachment.
   add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A

export-link
   Description: Add a field to the exported log that represents a link to SmartView that shows the log card.
   add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
export-link-ip
   Description: Make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).
   add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A

format
   Description: The format, in which the logs are exported.
   add: Optional | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A

name
   Description: Unique name of the exporter configuration.
   add: Mandatory | set: Mandatory | delete: Mandatory | show/status/start/stop/restart: Optional (by default, applies to all) | reexport: Mandatory

protocol
   Description: Transport protocol to use.
   add: Mandatory | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A

target-port
   Description: The port on the target server, to which you export the logs.
   add: Mandatory | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A

target-server
   Description: The IP address of the target server, to which you export the logs.
   add: Mandatory | set: Optional | delete: N/A | show/status/start/stop/restart: N/A | reexport: N/A
cpca_client
Description
Execute operations on the Internal Certificate Authority (ICA).

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d]
      create_cert <options>
      double_sign <options>
      get_crldp <options>
      get_pubkey <options>
      init_certs <options>
      lscert <options>
      revoke_cert <options>
      revoke_non_exist_cert <options>
      search <options>
      set_mgmt_tool <options>
      set_sign_hash <options>

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

create_cert <options> Issues a SIC certificate for the Security Management Server or Domain Management Server.
   See "cpca_client create_cert" on page 110.

double_sign <options> Creates a second signature for a certificate.
   See "cpca_client double_sign" on page 112.

get_crldp <options> Shows how to access a CRL file from a CRL Distribution Point.
   See "cpca_client get_crldp" on page 114.

get_pubkey <options> Saves the encoding of the public key of the ICA's certificate to a file.
   See "cpca_client get_pubkey" on page 115.

init_certs <options> Imports a list of DNs for users and creates a file with registration keys for each user.
   See "cpca_client init_certs" on page 116.

lscert <options> Shows all certificates issued by the ICA.
   See "cpca_client lscert" on page 117.

revoke_cert <options> Revokes a certificate issued by the ICA.
   See "cpca_client revoke_cert" on page 120.

revoke_non_exist_cert <options> Revokes a non-existent certificate issued by the ICA.
   See "cpca_client revoke_non_exist_cert" on page 123.

search <options> Searches for certificates in the ICA.
   See "cpca_client search" on page 124.

set_mgmt_tool <options> Controls the ICA Management Tool.
   See "cpca_client set_mgmt_tool" on page 127.

set_sign_hash <options> Sets the hash algorithm that the CA uses to sign the file hash.
   See "cpca_client set_sign_hash" on page 130.

cpca_client create_cert
Description
Issues a SIC certificate for the Security Management Server or Domain Management Server.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common Name>" -f <Full Path to PKCS12 file> [-w <Password>] [-k {SIC | USER | IKE | ADMIN_PKG}] [-c "<Comment for Certificate>"]

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
   The default TCP port number is 18209.

-n "CN=<Common Name>" Sets the CN to the specified <Common Name>.

-f <Full Path to PKCS12 file> Specifies the PKCS12 file, which stores the certificate and keys.

-w <Password> Optional. Specifies the certificate password.

-k {SIC | USER | IKE | ADMIN_PKG} Optional. Specifies the certificate kind.

-c "<Comment for Certificate>" Optional. Specifies the certificate comment (must enclose in double quotes).

Example

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

cpca_client double_sign
Description
Creates a second signature for a certificate.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate File in PEM format> [-o <Full Path to Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
   The default TCP port number is 18209.

-i <Certificate File in PEM format> Imports the specified certificate (only in PEM format).

-o <Full Path to Output File> Optional. Saves the certificate into the specified file.

Example

[Expert@MGMT:0]# cpca_client double_sign -i certificate.pem

Requesting Double Signature for the following Certificate:

refCount: 1
Subject: [email protected],CN=http://www.example.com/,OU=ValiCert Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:

======================
(
: (
:dn ("[email protected],CN=http://www.example.com/,OU=exampleOU Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#

cpca_client get_crldp
Description
Shows how to access a CRL file from a CRL Distribution Point.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_crldp [-p <CA port number>]

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
   The default TCP port number is 18209.

Example

[Expert@MGMT:0]# cpca_client get_crldp
192.168.3.51
[Expert@MGMT:0]#

cpca_client get_pubkey
Description
Saves the encoding of the public key of the ICA's certificate to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to Output File>

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
   The default TCP port number is 18209.

<Full Path to Output File> Saves the encoding of the public key of the ICA's certificate to the specified file.

Example

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/key.txt
[Expert@MGMT:0]#
[Expert@MGMT:0]# cat /tmp/key.txt
3082010a... ... ...f98b8910
[Expert@MGMT:0]#

cpca_client init_certs
Description
Imports a list of Distinguished Names (DN) for users and creates a file with registration keys for each user.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to Input File> -o <Full Path to Output File>

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
   The default TCP port number is 18209.

-i <Full Path to Input File> Imports the specified file.
   Make sure to use the full path.
   Make sure that there is an empty line between each DN in the specified file.
   Example:

   ...CN=test1,OU=users...
   <Empty Line>
   ...CN=test2,OU=users...

-o <Full Path to Output File> Saves the registration keys to the specified file.
   This command saves the error messages in the <Name of Output File>.failures file in the same directory.

cpca_client lscert
Description
Shows all certificates issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-kind {SIC | IKE | User | LDAP}] [-ser <Certificate Serial Number>] [-dp <Certificate Distribution Point>]

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <SubString> Optional. Filters the search results to those with a DN that matches the specified <SubString>.
   This command does not support multiple values.

-stat {Pending | Valid | Revoked | Expired | Renewed} Optional. Filters the search results to those with certificate status that matches the specified status.
   This command does not support multiple values.

-kind {SIC | IKE | User | LDAP} Optional. Filters the search results to those with certificate kind that matches the specified kind.
   This command does not support multiple values.

-ser <Certificate Serial Number> Optional. Filters the search results to those with certificate serial number that matches the specified serial number.
   This command does not support multiple values.

-dp <Certificate Distribution Point> Optional. Filters the search results to the specified Certificate Distribution Point (CDP).
   This command does not support multiple values.

Example

[Expert@MGMT:0]# cpca_client lscert -stat Revoked
Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client lscert -kind IKE
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

cpca_client revoke_cert
Description
Revokes a certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common Name>" -s <Certificate Serial Number>

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
   The default TCP port number is 18209.

-n "CN=<Common Name>" Specifies the certificate CN.
   To get the CN, run the "cpca_client lscert" on page 117 command and examine the text that you see between the "Subject =" and the ",O=...".

   Example

   From this output:

   Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
   Status = Valid Kind = IKE Serial = 27214 DP = 1
   Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

   you get this syntax:

   -n "CN=VS1 VPN Certificate"

   Note - You can use the parameter "-n" only, or together with the parameter "-s".

-s <Certificate Serial Number> Specifies the certificate serial number.
   To see the serial number, run the "cpca_client lscert" on page 117 command.
   Note - You can use the parameter "-s" only, or together with the parameter "-n".

Example 1 - Revoking a certificate specified by its CN

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#

Example 2 - Revoking a certificate specified by its serial number

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#
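Reading "cpca_client lscert" output and extracting the exact "-n" value that "cpca_client revoke_cert" expects, as an added POSIX shell example that is not part of the Check Point guide. The lscert output it parses is a constructed sample in the format shown on this page, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: turn "cpca_client lscert"
# output into one tab-separated record per certificate, and derive the -n
# argument for "cpca_client revoke_cert" from a "Subject =" line.
# On a Management Server you would feed real output, for example:
#   cpca_client lscert -kind IKE | lscert_to_tsv
# SAMPLE_LSCERT below is constructed in the format the guide shows.

SAMPLE_LSCERT='Operation succeeded. rc=0.
3 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=cp_mgmt,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 30287 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023'

# subject_to_cn_arg: print the text between "Subject = " and ",O=" of one
# Subject line, i.e. the value to pass as: revoke_cert -n "<that text>".
# A CN may contain spaces (e.g. "VS1 VPN Certificate"), so the whole line
# is matched with sed rather than split on blanks.
subject_to_cn_arg() {
    printf '%s\n' "$1" | sed -n 's/^Subject = \(CN=.*\),O=.*$/\1/p'
}

# lscert_to_tsv: read lscert output on stdin and emit, per certificate:
#   CN <TAB> Status <TAB> Kind <TAB> Serial <TAB> DP <TAB> Not_After
# The "Operation succeeded" and "N certs found." header lines are ignored.
lscert_to_tsv() {
    awk '
        /^Subject = CN=/ {
            cn = $0
            sub(/^Subject = CN=/, "", cn)
            sub(/,O=.*$/, "", cn)
        }
        /^Status = / {
            # "Status = X Kind = Y Serial = N DP = M": fixed field positions
            status = $3; kind = $6; serial = $9; dp = $12
        }
        /^Not_Before: / {
            not_after = $0
            sub(/^.*Not_After: /, "", not_after)
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", cn, status, kind, serial, dp, not_after
            cn = status = kind = serial = dp = ""
        }'
}

# certs_with STATUS KIND: from TSV on stdin, print "CN<TAB>Serial" of the
# certificates whose Status and Kind both match. "certs_with Valid IKE"
# lists the VPN certificates that are currently in use.
certs_with() {
    awk -F '\t' -v st="$1" -v kd="$2" '$2 == st && $3 == kd { print $1 "\t" $4 }'
}

# revoked_serials: from TSV on stdin, print the serial numbers of revoked
# certificates, which is what you would expect to find listed in the CRL.
revoked_serials() {
    awk -F '\t' '$2 == "Revoked" { print $4 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LSCERT" | lscert_to_tsv
printf '%s\n' "$SAMPLE_LSCERT" | lscert_to_tsv | certs_with Valid IKE
subject_to_cn_arg 'Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x'
```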

cpca_client revoke_non_exist_cert
Description
Revokes a non-existent certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input File>

Parameters

Parameter Description

-d Runs the cpca_client command under debug.

-i <Full Path to Input File> Specifies the file that contains the list of the certificates to revoke.
   You must create this file in the same format as the "cpca_client lscert" on page 117 command prints its output.
   Example:

   Subject = CN=cp_mgmt,O=MGMT.5p72vp
   Status = Valid Kind = SIC Serial = 30287 DP = 0
   Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
   <Empty Line>
   Subject = CN=cp_mgmt,O=MGMT.5p72vp
   Status = Valid Kind = SIC Serial = 60870 DP = 0
   Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri Apr 7 19:40:13 2023

   Note - This command saves the error messages in the <Name of Input File>.failures file.

cpca_client search
Description
Searches for certificates in the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] search <String> [-where {dn | comment | serial | device_type | device_id | device_name}] [-kind {SIC | IKE | User | LDAP}] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-max <Maximal Number of Results>] [-showfp {y | n}]

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<String> Specifies the text to search in the certificates.
   You can enter only one text string that does not contain spaces.

-where {dn | comment | serial | device_type | device_id | device_name} Optional. Specifies the certificate's field, in which to search for the string:
   - dn - Certificate DN
   - comment - Certificate comment
   - serial - Certificate serial number
   - device_type - Device type
   - device_id - Device ID
   - device_name - Device Name
   The default is to search in all fields.

-kind {SIC | IKE | User | LDAP} Optional. Specifies the certificate kind to search.
   You can enter multiple values in this format: -kind <Kind1> <Kind2> <Kind3>
   The default is to search for all kinds.

-stat {Pending | Valid | Revoked | Expired | Renewed} Optional. Specifies the certificate status to search.
   You can enter multiple values in this format: -stat <Status1> <Status2> <Status3>
   The default is to search for all statuses.

-max <Maximal Number of Results> Optional. Specifies the maximal number of results to show.
   - Range: 1 and greater
   - Default: 200

-showfp {y | n} Optional. Specifies whether to show the certificate's fingerprint and thumbprint:
   - y - Shows the fingerprint and thumbprint (this is the default)
   - n - Does not show the fingerprint and thumbprint

Example 1

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

Example 2

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

Example 3

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn -showfp n
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#

cpca_client set_mgmt_tool
Description
Controls the ICA Management Tool.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

See:
- sk30501: Setting up the ICA Management Tool
- sk39915: Invoking the ICA Management Tool
- sk102837: Best Practices - ICA Management Tool configuration

Syntax

cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean | print} [-p <CA port number>] {[-a <Administrator DN>] | [-u <User DN>] | [-c <Custom User DN>]}

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

on Starts the ICA Management Tool.

off Stops the ICA Management Tool.

add Adds the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

remove Removes the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

clean Removes all administrators, users, or custom users that are permitted to use the ICA Management Tool.

print Shows the configured administrators, users, or custom users that are permitted to use the ICA Management Tool.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
   The default TCP port number is 18265.

-a <Administrator DN> Optional. Specifies the DN of the administrator that is permitted to use the ICA Management Tool.
   You must specify the full DN as it appears in SmartConsole.

   Procedure

   1. Open Object Explorer > Users
   2. Open the Administrator object or a User object properties
   3. Click the Certificates pane
   4. Select the certificate and click the pencil icon
   5. Click View certificate details
   6. In the Certificate Info window, click the Details tab
   7. Click the Subject field
   8. Concatenate all fields

   Example:

   -a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"

-u <User DN> Optional. Specifies the DN of the user that is permitted to use the ICA Management Tool.
   You must specify the full DN as it appears in SmartConsole.

   Procedure

   1. Open Object Explorer > Users
   2. Open the Administrator object or a User object properties
   3. Click the Certificates pane
   4. Select the certificate and click the pencil icon
   5. Click View certificate details
   6. In the Certificate Info window, click the Details tab
   7. Click the Subject field
   8. Concatenate all fields

   Example:

   -u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

-c <Custom User DN> Optional. Specifies the DN for the custom user that is permitted to use the ICA Management Tool.
   You must specify the full DN as it appears in SmartConsole.

   Procedure

   1. Open Object Explorer > Users
   2. Open the Administrator object or a User object properties
   3. Click the Certificates pane
   4. Select the certificate and click the pencil icon
   5. Click View certificate details
   6. In the Certificate Info window, click the Details tab
   7. Click the Subject field
   8. Concatenate all fields

   Example:

   -c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

Note - If you run the "cpca_client set_mgmt_tool" command without the parameter "-a" or "-u", the list of the permitted administrators and users is not changed. The previously defined permitted administrators and users can start and stop the ICA Management Tool.

cpca_client set_sign_hash
Description
Sets the hash algorithm that the CA uses to sign the file hash. Also, see sk103840.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}

Important - After this change, you must restart the Check Point services with these commands:
- On Security Management Server, run:
  1. cpstop
  2. cpstart
- On a Multi-Domain Server, run:
  1. mdsstop_customer <Name or IP Address of Domain Management Server>
  2. mdsstart_customer <Name or IP Address of Domain Management Server>

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{sha1 | sha256 | sha384 | sha512} The hash algorithm that the CA uses to sign the file hash.
   The default algorithm is SHA-256.

Example

[Expert@MGMT:0]# cpca_client set_sign_hash sha256

You have selected the signature hash function SHA-256
WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.

Are you sure? (y/n)
y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this has no security implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart

cpca_create
Description
Creates a new Check Point Internal Certificate Authority database.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_create [-d] -dn <CA DN>

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <CA DN> Specifies the Certificate Authority Distinguished Name (DN).

cpinfo
Description
A utility that collects diagnostics data on your Check Point computer at the time of execution.
It is mandatory to collect these data when you contact Check Point Support about an issue on your Check
Point computer.
For more information, see sk92739.

cplic
Description
The cplic command lets you manage Check Point licenses.
You can run this command in Gaia Clish or in the Expert mode.
License Management is divided into three types of commands:

Licensing Commands | Applies To | Description

Local licensing commands
   Applies to: Management Servers, Security Gateways and Cluster Members
   You execute these commands locally on the Check Point computers.

Remote licensing commands
   Applies to: Management Servers only
   You execute these commands on the Security Management Server or Domain Management Server.
   These changes affect the managed Security Gateways and Cluster Members.

License Repository commands
   Applies to: Management Servers only
   You execute these commands on the Security Management Server or Domain Management Server.
   These changes affect the licenses stored in the local license repository.

For more about managing licenses, see the R80.40 Security Management Administration Guide.

Syntax for Local Licensing on a Management Server itself

cplic [-d]
{-h | -help}
      check <options>
      contract <options>
      del <options>
      print <options>
      put <options>

Syntax for Remote Licensing on managed Security Gateways and Cluster Members

cplic [-d]
{-h | -help}
      del <options>
      get <options>
      put <options>
      upgrade <options>

Syntax for License Database Operations on a Management Server

cplic [-d]
{-h | -help}
      db_add <options>
      db_print <options>
      db_rm <options>

Parameters

Parameter Description

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help} Shows the applicable built-in usage.

check <options> Confirms that the license includes the feature on the local Security Gateway or
Management Server.
See "cplic check" on page 140.

contract Manages (deletes and installs) the Check Point Service Contract on the local
<options> Check Point computer.
See "cplic contract" on page 142.

db_add <options> Applies only to a Management Server.
   Adds licenses to the license repository on the Management Server.
   See "cplic db_add" on page 144.

db_print <options> Applies only to a Management Server.
   Shows the details of Check Point licenses stored in the license repository on the Management Server.
   See "cplic db_print" on page 146.

db_rm <options> Applies only to a Management Server.
   Removes a license from the license repository on the Management Server.
   See "cplic db_rm" on page 148.

del <options> Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
   See "cplic del" on page 149.

del <Object Name> <options> Detaches a Central license from a remote managed Security Gateway or Cluster Member.
   See "cplic del <object name>" on page 150.

get <options> Applies only to a Management Server.
   Retrieves all licenses from managed Security Gateways and Cluster Members into the license repository on the Management Server.
   See "cplic get" on page 151.

print <options> Prints details of the installed Check Point licenses on the local Check Point computer.
   See "cplic print" on page 153.

put <options> Installs and attaches licenses on a Check Point computer.
   See "cplic put" on page 155.

put <Object Name> <options> Attaches one or more Central or Local licenses to remote managed Security Gateways and Cluster Members.
   See "cplic put <object name>" on page 157.

upgrade <options> Applies only to a Management Server.
   Upgrades licenses in the license repository with licenses in the specified license file.
   See "cplic upgrade" on page 160.

cplic check
Description
Confirms that the license includes the feature on the local Security Gateway or Management Server. See
sk66245.

Syntax

cplic check {-h | -help}

cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.
   Use only if you troubleshoot the command itself.
   Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <Product> Product, for which license information is requested.
   Some examples of products:
   - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member (all blades), or Management Server (all blades)
   - mgmt - Multi-Domain Server infrastructure
   - services - Entitlement for various services
   - cvpn - Mobile Access
   - etm - QoS (FloodGate-1)
   - eps - Endpoint Software Blades on Management Server

-v <Version> Product version, for which license information is requested.

{-c | -count} Outputs the number of licenses connected to this feature.

CLI R80.40 Reference Guide      |      450


cplic check

Parameter Description

-t <Date> Checks license status on future date.


Use the format ddmmyyyy .
A feature can be valid on a given date on one license, but invalid on another.

{-r | - Checks how many routers are allowed.


routers}
The <Feature> option is not needed.

{-S | - Checks how many SecuRemote users are allowed.


SRusers}

<Feature> Feature, for which license information is requested.

Example from a Management Server


[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1
fw1:6.0:rt fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit
fw1:6.0:prov fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u
fw1:6.0:remote1 fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt
fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability


[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

Example from a Security Gateway


[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf
fw1:6.0:av fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect
fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited
fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam
fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm
fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member


[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#
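The two output forms above (a license count with -c, "license valid" without it) are what an administrator scripts against when confirming that a gateway is entitled to every feature it is about to enforce. The following POSIX shell functions are an added example, not part of this guide and not Check Point code: parse_cplic_check turns cplic check output into "feature status" pairs, and missing_features lists the required features that are absent, invalid, or have a count of 0. The "license invalid" wording for a failed check is an assumption, and the sample output is constructed from the formats shown on this page.

```shell
#!/bin/sh
# Added example (not Check Point code): audit cplic check results against a
# list of features that must be licensed. Input lines follow the two formats
# shown on this page:
#   cplic check '<feature>': <N> licenses      (with -c)
#   cplic check '<feature>': license valid     (without -c)
# Any other wording after the colon (for example "license invalid", an assumed
# wording) is treated as "not licensed".

# Read raw cplic check output on stdin; print "<feature> <count|valid|invalid>".
# Prompt lines, blank lines and anything else are ignored.
parse_cplic_check() {
    while IFS= read -r line; do
        case "$line" in
            "cplic check '"*) ;;
            *) continue ;;
        esac
        feat=${line#*\'}            # text after the first quote ...
        feat=${feat%%\'*}           # ... up to the next quote
        rest=${line#*: }            # text after "': "
        case "$rest" in
            "license valid")   printf '%s valid\n' "$feat" ;;
            [0-9]*" licenses") printf '%s %s\n' "$feat" "${rest%% *}" ;;
            *)                 printf '%s invalid\n' "$feat" ;;
        esac
    done
}

# Read the parsed report on stdin; the arguments are the features that must be
# licensed. Print each required feature that is missing from the report,
# reported invalid, or reported with a count of 0.
missing_features() {
    report=$(cat)
    for f in "$@"; do
        status=$(printf '%s\n' "$report" | awk -v f="$f" '$1 == f { print $2; exit }')
        case "$status" in
            valid) ;;                              # licensed
            ''|invalid|0) printf '%s\n' "$f" ;;    # absent, invalid or zero count
            *) ;;                                  # positive license count
        esac
    done
}

# Constructed sample (on a real gateway: for f in ...; do cplic check -c "$f"; done).
SAMPLE_CHECK_OUTPUT="[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
cplic check 'mgmtha': 1 licenses
cplic check 'ips': license valid
cplic check 'vsx5': license invalid
[Expert@GW]#"

# Usage: the report is empty when every required feature is licensed.
# For the sample this prints vsx5 (invalid) and urlf (not checked at all).
printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | parse_cplic_check | missing_features cluster-u ips vsx5 urlf
```

Feeding the parsed report into missing_features from a cron job, and alerting on non-empty output, catches an expired or detached feature license before it surfaces as a policy-installation failure.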

cplic contract
Description
Deletes the Check Point Service Contract on the local Check Point computer.
Installs the Check Point Service Contract on the local Check Point computer.

Note
- For more information about Service Contract files, see sk33089: What is a
  Service Contract File?
- If you install a Service Contract on a managed Security Gateway / Cluster
  Member, you must update the license repository on the applicable Management
  Server - either with the "cplic get" on page 151 command, or in SmartUpdate.

Syntax

cplic contract -h

cplic [-d] contract
      del
            -h
            <Service Contract ID>
      put
            -h
            [{-o | -overwrite}] <Service Contract File>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output
    to a file, or use the script command to save the entire CLI
    session.

del
    Deletes the Service Contract from the $CPDIR/conf/cp.contract file
    on the local Check Point computer.

put
    Merges the Service Contract to the $CPDIR/conf/cp.contract file on
    the local Check Point computer.

<Service Contract ID>
    ID of the Service Contract.

{-o | -overwrite}
    Specifies to overwrite the current Service Contract.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your Check Point
    User Center account.

cplic db_add
Description
Adds licenses to the license repository on the Management Server.
When you add Local licenses to the license repository, Management Server automatically attaches them
to the managed Security Gateway / Cluster Member with the matching IP address.
When you add Central licenses, you must manually attach them.

Note - You get the license details in the Check Point User Center.

Syntax

cplic db_add {-h | -help}

cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to
    a file, or use the script command to save the entire CLI session.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Management Server / Domain
    Management Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
    Case sensitive. Hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example, CPSUITE-EVAL-3DES-vNG

Example
If the file 192.0.2.11.lic contains one or more licenses, the command "cplic db_add -l
192.0.2.11.lic" produces output similar to:

[Expert@MGMT]# cplic db_add -l 192.0.2.11.lic
Adding license to database ...
Operation Done
[Expert@MGMT]#

cplic db_print
Description
Shows the details of Check Point licenses stored in the license repository on the Management Server.

Syntax

cplic db_print {-h | -help}

cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x] [{-t | -type}] [{-a | -attached}]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

<Object Name>
    Prints only the licenses attached to <Object Name>.
    <Object Name> is the name of the Security Gateway / Cluster Member object as
    defined in SmartConsole.

-all
    Prints all the licenses in the license repository.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signatures.

{-t | -type}
    Prints licenses with their type: Central or Local.

{-a | -attached}
    Shows to which object the license is attached.
    Useful, if the parameter "-all" is specified.

Example

[Expert@MGMT:0]# cplic db_print -all
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#

cplic db_rm
Description
Removes a license from the license repository on the Management Server.
After you remove a license from the repository, it can no longer be used.

Warning - You can run this command ONLY after you detach the license with the "cplic
del" on page 149 command.

Syntax

cplic db_rm {-h | -help}

cplic [-d] db_rm <Signature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to
    a file, or use the script command to save the entire CLI session.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 153 command.

Example
[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic del
Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
This command can delete a license both on the local computer and on remote managed computers.

Syntax

cplic del {-h | -help}

cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-F <Output File>
    Saves the command output to the specified file.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 153 command.

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined in
    SmartConsole.

cplic del <object name>


Description
Detaches a Central license from a remote managed Security Gateway or Cluster Member.
When you run this command, it automatically updates the license repository.
The Central license remains in the license repository as an unattached license.

Syntax

cplic del {-h | -help}

cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP Address>] <Signature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the
    output to a file, or use the script command to save the
    entire CLI session.

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined
    in SmartConsole.

-F <Output File>
    Saves the command output to the specified file.

-ip <Dynamic IP Address>
    Deletes the license on the DAIP Security Gateway with the specified IP
    address.
    Note - If this parameter is used, then the object name must be a DAIP
    Security Gateway.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 153
    command.

cplic get
Description
Retrieves all licenses from managed Security Gateways and Cluster Members into the license repository
on the Management Server.
This command helps synchronize the license repository with the managed Security Gateways and Cluster
Members.
When you run this command, it updates the license repository with all local changes.

Syntax

cplic get {-h | -help}

cplic [-d] get
      -all
      <IP Address>
      <Host Name>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

-all
    Retrieves licenses from all Security Gateways and Cluster Members in the managed
    network.

<IP Address>
    The IP address of the Security Gateway / Cluster Member, from which licenses are to be
    retrieved.

<Host Name>
    The name of the Security Gateway / Cluster Member object as defined in SmartConsole,
    from which licenses are to be retrieved.

Example
If the Security Gateway with the object name MyGW contains four Local licenses, and the license repository
contains two other Local licenses, the command "cplic get MyGW" produces output similar to this:

[Expert@MGMT:0]# cplic get MyGW
Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#

cplic print
Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed
licenses (both Local and Central).

Syntax

cplic print {-h | -help}

cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | -preatures}] [-D]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signature.

{-t | -type}
    Prints licenses showing their type: Central or Local.

-F <Output File>
    Saves the command output to the specified file.

{-p | -preatures}
    Prints licenses resolved to primitive features.

-D
    On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print
Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 2

[Expert@HostName:0]# cplic print -x
Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#
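The Host / Expiration / Features layout printed by cplic print (with an extra Signature column under -x) is the same one cplic db_print -all -a produces on the Management Server, with the attached object name appended. An expiring license is a service-availability risk, so the usual operational need is to pull the expiration column out of that output and compare it against a cutoff. The following POSIX shell functions are an added example, not part of this guide and not Check Point code; they assume the ddMonyyyy date form shown on this page and the word Never for non-expiring licenses, and also convert a date into the ddmmyyyy form that cplic check -t expects. The sample output is constructed.

```shell
#!/bin/sh
# Added example (not Check Point code): find licenses that expire on or before
# a cutoff date in the output of "cplic print" / "cplic print -x" or
# "cplic db_print -all -a". Columns are: Host Expiration [Signature] Features
# [Object]. Dates are ddMonyyyy (e.g. 25Aug2019); "Never" means non-expiring.

# Month abbreviation -> two-digit month number; fails on anything else.
cp_month_num() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# 25Aug2019 -> 20190825 (sortable YYYYMMDD); Never -> 99991231.
# Returns 1 for anything that is not a license date (headers, prompts, banners).
cp_date_to_iso() {
    case "$1" in
        [Nn]ever) echo 99991231; return 0 ;;
        [0-9][0-9][A-Z][a-z][a-z][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    mm=$(cp_month_num "$(printf '%s' "$1" | cut -c3-5)") || return 1
    printf '%s%s%s\n' "$(printf '%s' "$1" | cut -c6-9)" "$mm" "$(printf '%s' "$1" | cut -c1-2)"
}

# 25Aug2019 -> 25082019, the ddmmyyyy form that "cplic check -t <Date>" expects.
cp_date_to_cplic_t() {
    iso=$(cp_date_to_iso "$1") || return 1
    printf '%s%s%s\n' "$(printf '%s' "$iso" | cut -c7-8)" \
                      "$(printf '%s' "$iso" | cut -c5-6)" \
                      "$(printf '%s' "$iso" | cut -c1-4)"
}

# stdin: raw cplic print / cplic db_print output; $1: cutoff as YYYYMMDD.
# Prints the license lines whose expiration is on or before the cutoff.
licenses_expiring_before() {
    cutoff=$1
    while read -r host exp rest; do
        # Header, prompt, banner and blank lines have no valid date in column 2.
        iso=$(cp_date_to_iso "$exp") || continue
        if [ "$iso" -le "$cutoff" ]; then
            printf '%s %s %s\n' "$host" "$exp" "$rest"
        fi
    done
}

# Constructed sample in the "cplic db_print -all -a" layout (placeholder keys).
SAMPLE_DB_PRINT="[Expert@MGMT:0]# cplic db_print -all -a
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK-XXXXXXXXXXXX MyGW1
192.0.2.12 26Nov2017 CPSB-SWB CPSB-ADNC-M CK-XXXXXXXXXXXX MyGW2
192.0.2.13 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX MyGW3
192.0.2.14 14Jan2031 CPSB-SWB CK-XXXXXXXXXXXX MyGW4
[Expert@MGMT:0]#"

# Usage: on a live system replace the sample with "cplic db_print -all -a |".
# For the sample this prints the MyGW2 and MyGW3 lines.
printf '%s\n' "$SAMPLE_DB_PRINT" | licenses_expiring_before 20191231
```

Because the comparison is done on YYYYMMDD strings rather than with the date utility, the script behaves the same on Gaia and on any other POSIX shell. Pass a cutoff some weeks ahead of today to get a renewal warning, and feed cp_date_to_cplic_t into cplic check -t to confirm whether a specific feature will still be valid on that day.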

cplic put
Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}

cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}] [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

{-o | -overwrite}
    On a Security Gateway / Cluster Member, this command erases only the local
    licenses, but not central licenses that are installed remotely.

{-c | -check-only}
    Verifies the license. Checks if the IP of the license matches the Check Point
    computer and if the signature is valid.

{-s | -select}
    Selects only the local license whose IP address matches the IP address of the
    Check Point computer.

-F <Output File>
    Saves the command output to the specified file.

{-P | -Pre-boot}
    Use this option after you have upgraded and before you reboot the Check Point
    computer.
    Use of this option will prevent certain error messages.

{-K | -kernel-only}
    Pushes the current valid licenses to the kernel.
    For use by Check Point Support only.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Gateway / Cluster Member for a local
    license.
    Hostname or IP address of the Security Management Server / Domain
    Management Server for a central license.

<Expiration Date>
    The license expiration date.

<Signature>
    The signature string within the license.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic
Host Expiration SKU
192.168.2.3 14Jan2016  CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#
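The four fields copied from the User Center (host, expiration date, signature, SKU/features) have the format rules listed in the table above, and a license pasted with a wrong host or a mangled signature is rejected only at installation time. The following POSIX shell function is an added example, not part of this guide and not Check Point code: it applies those rules to the four fields before they are handed to cplic put or cplic db_add (the -c option of cplic put then verifies the signature itself). The exact signature alphabet and length are not stated on this page, so the check only requires letters and digits with optional hyphens; the sample values are the ones from this page's examples, with a placeholder signature.

```shell
#!/bin/sh
# Added example (not Check Point code): sanity-check the license fields from the
# User Center before pasting them into "cplic put" / "cplic db_add".
# Rules applied (from the parameter table on this page):
#   host        - dotted quad, each octet 0-255, last octet not 0 or 255
#   expiration  - "never" or ddMonyyyy, e.g. 14Jan2016
#   signature   - case-sensitive letters/digits, hyphens optional
#   SKU/features - must be present (assumed: at least one token)

# Usage: validate_license_fields <host> <expiration> <signature> <sku/features...>
# Returns 0 when all fields look valid; prints the first problem to stderr and
# returns 1 otherwise.
validate_license_fields() {
    host=$1; exp=$2; sig=$3
    shift 3
    sku=$*

    # Host: only digits and dots, no leading/trailing/double dots.
    case "$host" in
        *[!0-9.]* | .* | *. | *..*) echo "bad host: $host" >&2; return 1 ;;
    esac
    set -- $(printf '%s' "$host" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "bad host (need four octets): $host" >&2; return 1; }
    for octet in "$@"; do
        [ "$octet" -le 255 ] || { echo "bad host octet: $octet" >&2; return 1; }
    done
    if [ "$4" -eq 0 ] || [ "$4" -eq 255 ]; then
        echo "last octet must not be 0 or 255: $host" >&2; return 1
    fi

    # Expiration: "never" or ddMonyyyy.
    case "$exp" in
        [Nn]ever | [0-9][0-9][A-Z][a-z][a-z][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad expiration (want never or ddMonyyyy): $exp" >&2; return 1 ;;
    esac

    # Signature: strip the optional hyphens, then allow only letters and digits.
    bare=$(printf '%s' "$sig" | tr -d '-')
    case "$bare" in
        '' | *[!0-9A-Za-z]*) echo "bad signature: $sig" >&2; return 1 ;;
    esac

    # SKU/features: must not be empty.
    [ -n "$sku" ] || { echo "missing SKU/features" >&2; return 1; }
    return 0
}

# Constructed sample: host, date and SKU from the cplic put example above,
# signature of the shape shown under cplic db_add (placeholder value).
validate_license_fields 192.168.2.3 14Jan2016 aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m \
    CPSB-SWB CPSB-ADNC-M CK0123456789ab && echo "license fields look valid"
```

Run the check in a wrapper script that builds the cplic put command line from a ticket or a configuration-management record; a field that fails here was copied wrongly, and fixing it before installation avoids leaving a gateway with an unlicensed feature after the change window.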

cplic put <object name>


Description
Attaches one or more Central or Local licenses to remote managed Security Gateways and Cluster
Members.
When you run this command, it automatically updates the license repository.

Note
- You get the license details in the Check Point User Center.
- You can attach more than one license.

Syntax

cplic put {-h | -help}

cplic [-d] put <Object Name> [-ip <Dynamic IP Address>] [-F <Output File>] -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Feature>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output
    to a file, or use the script command to save the entire CLI
    session.

<Object Name>
    The name of the Security Gateway / Cluster Member object, as defined in
    SmartConsole.

-ip <Dynamic IP Address>
    Installs the license on the Security Gateway with the specified IP address.
    This parameter is used to install a license on a Security Gateway with a
    dynamically assigned IP address (DAIP).
    Note - If you use this parameter, then the object name must be that
    of a DAIP Security Gateway.

-F <Output File>
    Saves the command output to the specified file.

-l <License File>
    Installs the licenses from the <License File>.

<Host>
    Hostname or IP address of the Security Management Server / Domain
    Management Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

cplic upgrade
Description
Upgrades licenses in the license repository with licenses in the specified license file.

Note - You get this license file in the Check Point User Center.

Syntax

cplic upgrade {-h | -help}

cplic [-d] upgrade -l <Input File>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-l <Input File>
    Upgrades the licenses in the license repository and Check Point Security Gateways /
    Cluster Members to match the licenses in the specified file.

Example
This example explains the procedure to upgrade the licenses in the license repository.
There are two Software Blade licenses in the input file:
- One license does not match any license on a remote managed Security Gateway.
- The other license matches an NGX-version license on a managed Security Gateway that has to be
  upgraded.
Workflow in this example:
1. Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the Security
Gateways with the previous product versions.
2. Import all licenses into the license repository.
You can also do this after you upgrade the products on the remote Security Gateways.
3. Run this command:

cplic get -all

Example:

[Expert@MyMGMT]# cplic get -all
Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

4. To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:

[Expert@MyMGMT]# cplic db_print -all -a
Retrieving license information from database ...

The following licenses appear in the database:
==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2

5. In the Check Point User Center, view the licenses for the products that were upgraded from version
NGX to a Software Blades license.
You can also create new upgraded licenses.
6. Download a file containing the upgraded licenses.
Only download licenses for the products that were upgraded from version NGX to Software Blades.
7. If you did not import the version NGX licenses into the repository, import the version NGX licenses
now.
Use this command:

cplic get -all

8. Run the license upgrade command:

cplic upgrade -l <Input File>

- The licenses in the downloaded license file and in the license repository are compared.
- If the certificate keys and features match, the old licenses in the repository and in the remote
  Security Gateways are updated with the new licenses.
- A report of the results of the license upgrade is printed.
For more about managing licenses, see the R80.40 Security Management Administration Guide.

cpmiquerybin
Description
The cpmiquerybin utility connects to a specified database, runs a user-defined query and shows the
query results.
The results can be a collection of Security Gateway sets or a tab-delimited list of specified fields from each
retrieved object.
The default database of the query tool is based on the shell environment settings.
To connect to a Domain Management Server database, run "mdsenv" on page 680 and define the
necessary environment variables.
Use the Domain Management Server name or IP address as the first parameter.

Notes:
- You can see complete documentation of the cpmiquerybin utility, with the full
  query syntax, examples, and a list of common attributes in sk65181.
- The MISSING_ATTR string shows when you use an attribute name that does
  not exist in the objects in the query result.

Syntax

cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]

Parameters

<query_result_type>
    Query result in one of these formats:
    - attr - Returns values from one or more specified fields for each object. Use
      the "-a" parameter followed by a comma separated list of fields.
    - object - Shows Security Gateway sets containing data of each retrieved
      object.

<database>
    Name of the database file in quotes. For example, "mdsdb".
    Use empty double-quotes "" to run the query on the default database.

<table>
    Name of the database table that contains the data.

<query>
    One or more query strings in a comma separated list.
    Use empty double-quotes ("") to return all objects in the database table.
    You can use the asterisk character (*) as a wildcard replacement for one or more
    matching characters in your query string.

-a <attributes_list>
    If the query result type is attr, you must specify one or more
    attributes in a comma-delimited list (without spaces) of object fields.
    You can return all object names with the special string: __name__

Return Values
- 0 - Query returns data successfully
- 1 - Query does not return data or there is a query syntax error

Example - Viewing the names of the currently defined network objects

[Expert@HostName:0]# cpmiquerybin attr "" network_objects "" -a __name__
DMZZone
WirelessZone
ExternalZone
InternalZone
AuxiliaryNet
LocalMachine_All_Interfaces
CPDShield
InternalNet
LocalMachine
DMZNet
[Expert@HostName:0]#
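A one-name-per-line listing like the one above is easy to keep as a baseline and diff against later runs, which turns cpmiquerybin into a simple change-detection source for the object database: an object that appears without a corresponding change record is worth a look. The following POSIX shell functions are an added example, not part of this guide and not Check Point code. They assume both inputs are files holding the raw output of the command shown above (prompt lines included); the object names in the sample are the ones from this page plus one constructed addition.

```shell
#!/bin/sh
# Added example (not Check Point code): report network objects that appeared in
# or disappeared from the management database between two captures of
#   cpmiquerybin attr "" network_objects "" -a __name__
# Each input is a file holding the raw command output, prompt lines included.

# Keep only object names: drop Expert prompt lines and blank lines, sort uniquely.
# LC_ALL=C keeps sort and comm on the same collation order.
object_names() {
    sed -e '/^\[Expert@/d' -e '/^$/d' "$1" | LC_ALL=C sort -u
}

# $1 = baseline file, $2 = current file.
# Prints "+<name>" for objects only in the current capture and "-<name>" for
# objects only in the baseline; prints nothing when the two captures agree.
object_drift() {
    base=$(mktemp) || return 1
    cur=$(mktemp) || { rm -f "$base"; return 1; }
    object_names "$1" > "$base"
    object_names "$2" > "$cur"
    LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/+/'   # only in current
    LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/-/'   # only in baseline
    rm -f "$base" "$cur"
}

# Constructed sample: a baseline captured earlier and a "current" capture in
# which one object (Added_Host) was created and one (AuxiliaryNet) was removed.
demo_drift() {
    b=$(mktemp); c=$(mktemp)
    printf '%s\n' '[Expert@HostName:0]# cpmiquerybin attr "" network_objects "" -a __name__' \
        DMZZone WirelessZone ExternalZone InternalZone AuxiliaryNet \
        LocalMachine_All_Interfaces CPDShield InternalNet LocalMachine DMZNet \
        '[Expert@HostName:0]#' > "$b"
    printf '%s\n' '[Expert@HostName:0]# cpmiquerybin attr "" network_objects "" -a __name__' \
        DMZZone WirelessZone ExternalZone InternalZone \
        LocalMachine_All_Interfaces CPDShield InternalNet LocalMachine DMZNet Added_Host \
        '[Expert@HostName:0]#' > "$c"
    object_drift "$b" "$c"      # prints "+Added_Host" then "-AuxiliaryNet"
    rm -f "$b" "$c"
}

demo_drift
```

On a live Management Server, save the command output to a dated file after each approved change and run object_drift between the previous and the current file; the same approach works for any other table and attribute the query tool can return, since only the name filter in object_names depends on the output shape.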

cppkg
Description
Manages the SmartUpdate software packages repository on the Security Management Server.

Important - Installing software packages with the SmartUpdate is not supported for
Security Gateways running on Gaia OS.

Syntax

cppkg
      add <options>
      {del | delete} <options>
      get
      getroot
      print
      setroot <options>

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the MDS (run
  mdsenv).

Parameters

add <options>
    Adds a SmartUpdate software package to the repository.
    See "cppkg add" on page 164.

{del | delete} <options>
    Deletes a SmartUpdate software package from the repository.
    See "cppkg delete" on page 165.

get
    Updates the list of the SmartUpdate software packages in the repository.
    See "cppkg get" on page 167.

getroot
    Shows the path to the root directory of the repository (the value of the
    environment variable $SUROOT).
    See "cppkg getroot" on page 168.

print
    Prints the list of SmartUpdate software packages in the repository.
    See "cppkg print" on page 169.

setroot <options>
    Configures the path to the root directory of the repository.
    See "cppkg setroot" on page 170.

cppkg add
Description
Adds a SmartUpdate software package to the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
- This command does not overwrite existing packages. To overwrite an existing
  package, you must first delete the existing package.
- You get the SmartUpdate software packages from the Check Point Support
  Center.

Syntax

cppkg add <Full Path to Package | DVD Drive [Product]>

Parameters

<Full Path to Package>
    Specifies the full local path on the computer to the SmartUpdate
    software package.

DVD Drive [Product]
    Specifies the DVD root path.
    Example: /mnt/CPR80

Example - Adding R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz
Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg delete
Description
Deletes SmartUpdate software packages from the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

Parameters

del | delete
    When you do not specify optional parameters, the command runs in the interactive
    mode. The command shows the menu with applicable options.

"<Vendor>"
    Specifies the package vendor. Enclose in double-quotes.

"<Product>"
    Specifies the product name. Enclose in double-quotes.

"<Major Version>"
    Specifies the package Major Version. Enclose in double-quotes.

"<OS>"
    Specifies the package OS. Enclose in double-quotes.

"<Minor Version>"
    Specifies the package Minor Version. Enclose in double-quotes.

Notes:
- To see the values for the optional parameters, run the "cppkg print" on page 169
  command.
- You must specify all optional parameters, or no parameters.

Example 1 - Interactive mode

[Expert@MGMT:0]# cppkg delete

Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository
[Expert@MGMT:0]#

Example 2 - Manually deleting the specified package

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#

cppkg get
Description
Updates the list of the SmartUpdate software packages in the SmartUpdate software packages repository
based on the real content of the repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg get

Example

[Expert@MGMT:0]# cppkg get
Update successfully completed
[Expert@MGMT:0]#

cppkg getroot
Description
Shows the path to the root directory of the SmartUpdate software packages repository (the value of the
environment variable $SUROOT)

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg getroot

Example

[Expert@MGMT:0]# cppkg getroot
[cppkg 7119 4128339728]@MGMT[29 May 19:16:06] Current repository root is set to : /var/log/cpupgrade/suroot
[Expert@MGMT:0]#

cppkg print
Description
Prints the list of SmartUpdate software packages in the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg print

Example - R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg setroot
Description
Configures the path to the root directory of the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
- The default path is: /var/log/cpupgrade/suroot
- When changing the repository root directory:
  - This command copies the software packages from the old repository to
    the new repository. A package in the new location is overwritten by a
    package from the old location, if the packages have the same name.
  - This command updates the value of the environment variable $SUROOT
    in the Check Point Profile shell scripts ($CPDIR/tmp/.CPprofile.sh
    and $CPDIR/tmp/.CPprofile.csh).

Syntax

cppkg setroot <Full Path to Repository Root Directory>

Example

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory

Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :

1. Old repository content will be copied into the new repository


2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/log/my_directory

Notice : To complete the setting of your directory, reboot the machine!


[Expert@MGMT:0]#

cpprod_util
Description
This utility lets you work with Check Point Registry ($CPDIR/registry/HKLM_registry.data)
without manually opening it:
n Shows which Check Point products and features are enabled on this Check Point computer.
n Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}

cpprod_util -dump

Parameters

Parameter Description

CPPROD_GetValue Gets the configuration status of the specified product or feature:
n 0 - Disabled
n 1 - Enabled

CPPROD_SetValue Sets the configuration for the specified product or feature.
Important - Do not run these commands unless explicitly instructed by Check Point Support or R&D to do so.

"<Product>" Specifies the product or feature.

"<Parameter>" Specifies the configuration parameter for the specified product or feature.

"<Value>" Specifies the value of the configuration parameter for the specified product or feature:
n One of these integers: 0, 1, 4
n A string

-dump Creates a dump file of Check Point Registry ($CPDIR/registry/HKLM_registry.data) in the current working directory. The name of the output file is RegDump.


Notes
n On a Multi-Domain Server, you must run this command in the context of the relevant Domain
Management Server.
n If you run the cpprod_util command without parameters, it prints:
l The list of all available products and features (for example, "FwIsFirewallMgmt",
"FwIsLogServer", "FwIsStandAlone")
l The type of the expected argument when you configure a product or feature ("no-
parameter", "string-parameter", or "integer-parameter")
l The type of the returned output ("status-output", or "no-output")
n To redirect the output of the cpprod_util command, you need to redirect the stderr to stdout:

cpprod_util <options> > <output file> 2>&1

Example:

cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples

Example - Showing a list of all installed Check Point Products Packages on a Management
Server
[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Management Server


[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone


[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability
[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability


[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability


[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server
[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled


[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade
is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the Endpoint Policy Management blade
is enabled
[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Endpoint Policy Server


[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

Example - Showing a list of all installed Check Point Products Packages on a Security
Gateway
[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway


[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled


[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the SmartProvisioning is enabled


[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode


[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of a Full HA cluster


[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with Dynamically Assigned IP (DAIP)
[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses


[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#
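The status checks above are the kind of thing an inventory or hardening audit runs in bulk. The following is an added example, not Check Point code: it wraps cpprod_util with stderr merged into stdout (the redirect the Notes section calls for), parses the 0/1 status, and summarizes the flags shown on this page into readable roles. It assumes cpprod_util is on PATH on a real host; the run argument and FAKE_OUTPUT are constructed stand-ins so it can be exercised offline.

```python
"""Summarize a Check Point host's roles from cpprod_util status flags.

Added example; not Check Point code. It assumes cpprod_util is on PATH
when run on a real host; the `run` argument lets tests supply constructed
output instead of executing the binary.
"""
import subprocess
from typing import Callable, Dict, Iterable, List, Optional

# Status flags shown on this page, grouped by the kind of host they describe.
MANAGEMENT_FLAGS = {
    "FwIsFirewallMgmt": "Management Server",
    "FwIsStandAlone": "Standalone",
    "FwIsPrimary": "Primary in High Availability",
    "FwIsActiveManagement": "Active in High Availability",
    "FwIsSMCBackup": "Backup in High Availability",
    "FwIsLogServer": "dedicated Log Server",
    "FwIsAtlasManagement": "SmartProvisioning blade enabled",
    "RtIsAnalyzerServer": "SmartEvent Server blade enabled",
    "RtIsAnalyzerCorrelationUnit": "SmartEvent Correlation Unit blade enabled",
    "UepmIsInstalled": "Endpoint Policy Management blade enabled",
    "UepmIsPolicyServer": "Endpoint Policy Server",
}
GATEWAY_FLAGS = {
    "FwIsVSX": "VSX Gateway",
    "FwIsFloodGate": "QoS blade enabled",
    "FwIsAtlasModule": "SmartProvisioning enabled",
    "FwIsBridge": "Bridge Mode",
    "FwIsFullHA": "member of a Full HA cluster",
    "FwIsDAG": "Dynamically Assigned IP (DAIP)",
    "FwIsFireWallIPv6": "IPv6 addresses configured",
}

Runner = Callable[[str], str]


def run_cpprod_util(flag: str) -> str:
    """Run `cpprod_util <flag>` and return its combined stdout and stderr.

    cpprod_util prints to stderr, which is why the page tells you to
    redirect with `2>&1`; subprocess.STDOUT performs the same merge.
    """
    result = subprocess.run(
        ["cpprod_util", flag],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True,
        check=False,
    )
    return result.stdout


def parse_status(output: str) -> Optional[int]:
    """Return 0 or 1 from a status-output flag, or None if unparseable.

    The last non-empty line is used so that any diagnostic text printed
    before the status does not break the parse.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines or lines[-1] not in ("0", "1"):
        return None
    return int(lines[-1])


def collect_statuses(flags: Iterable[str],
                     run: Runner = run_cpprod_util) -> Dict[str, Optional[int]]:
    """Query each flag once and map it to its parsed status."""
    return {flag: parse_status(run(flag)) for flag in flags}


def summarize_roles(statuses: Dict[str, Optional[int]]) -> List[str]:
    """Translate enabled flags into readable role descriptions.

    Flags whose output could not be parsed are reported explicitly, so an
    inventory never silently records "unknown" as "disabled".
    """
    labels = {**MANAGEMENT_FLAGS, **GATEWAY_FLAGS}
    roles = []
    for flag, value in statuses.items():
        if value is None:
            roles.append(f"{flag}: unknown (unparseable output)")
        elif value == 1:
            roles.append(labels.get(flag, flag))
    return roles


# Constructed outputs resembling the page's examples (not captured from a host).
FAKE_OUTPUT = {
    "FwIsFirewallMgmt": "1\n",
    "FwIsStandAlone": "0\n",
    "FwIsPrimary": "1\n",
    "FwIsLogServer": "diagnostic line from stderr\n1\n",
    "FwIsVSX": "",
}


def fake_run(flag: str) -> str:
    """Stand-in for run_cpprod_util that returns the constructed outputs."""
    return FAKE_OUTPUT.get(flag, "0\n")


if __name__ == "__main__":
    for role in summarize_roles(collect_statuses(FAKE_OUTPUT, run=fake_run)):
        print(role)
```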

cprid
Description
Manages the Check Point Remote Installation Daemon (cprid).
This daemon is used for remote upgrade and installation of Check Point products on the managed Security
Gateways.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run these commands in the context of the
MDS (run mdsenv).

Commands

Syntax Description

cpridstart Starts the Check Point Remote Installation Daemon (cprid).

cpridstop Stops the Check Point Remote Installation Daemon (cprid).

run_cprid_restart Stops and then starts the Check Point Remote Installation Daemon (cprid).

cprinstall
Description
Performs installation of Check Point product packages and associated operations on remote managed
Security Gateways.

Important - Installing software packages with this command is not supported for
Security Gateways that run on Gaia OS.

Notes:
n This command requires a license for SmartUpdate.
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n On the remote Security Gateways these are required:
l SIC Trust must be established between the Security Management Server
and the Security Gateway.
l The cpd daemon must run.
l The cprid daemon must run.

Syntax

cprinstall
      boot <options>
      cprestart <options>
      cpstart <options>
      cpstop <options>
      delete <options>
      get <options>
      install <options>
      revert <options>
      show <options>
      snapshot <options>
      transfer <options>
      uninstall <options>
      verify <options>

Parameters

Parameter Description

boot <options> Reboots the managed Security Gateway.
See "cprinstall boot" on page 179.

cprestart <options> Runs the cprestart command on the managed Security Gateway.
See "cprinstall cprestart" on page 180.

cpstart <options> Runs the cpstart command on the managed Security Gateway.
See "cprinstall cpstart" on page 181.

cpstop <options> Runs the cpstop command on the managed Security Gateway.
See "cprinstall cpstop" on page 182.

delete <options> Deletes a snapshot (backup) file on the managed Security Gateway.
See "cprinstall delete" on page 183.

get <options>
n Gets details of the products and the operating system installed on the managed Security Gateway.
n Updates the management database on the Security Management Server.
See "cprinstall get" on page 184.

install <options> Installs Check Point products on the managed Security Gateway.
See "cprinstall install" on page 185.

revert <options> Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot saved on that Security Gateway.
See "cprinstall revert" on page 188.

show <options> Displays all snapshot (backup) files on the managed Security Gateway that runs on SecurePlatform OS.
See "cprinstall show" on page 189.

snapshot <options> Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and saves it on that Security Gateway.
See "cprinstall snapshot" on page 190.

transfer <options> Transfers a software package from the repository to the managed Security Gateway without installing the package.
See "cprinstall transfer" on page 191.

uninstall <options> Uninstalls Check Point products on the managed Security Gateway.
See "cprinstall uninstall" on page 192.

verify <options> Confirms these operations were successful:
n If a specific product can be installed on the managed Security Gateway.
n That the operating system and currently installed products on the managed Security Gateway are appropriate for the software package.
n That there is enough disk space to install the product on the managed Security Gateway.
n That there is a CPRID connection with the managed Security Gateway.
See "cprinstall verify" on page 194.

cprinstall boot
Description
Reboots the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall boot <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall boot MyGW

cprinstall cprestart
Description
Runs the cprestart command on the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n All Check Point products on the managed Security Gateway must be of the same
version.

Syntax

cprinstall cprestart <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT:0]# cprinstall cprestart MyGW

cprinstall cpstart
Description
Runs the cpstart command on the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n All Check Point products on the managed Security Gateway must be of the same
version.

Syntax

cprinstall cpstart <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstart MyGW

cprinstall cpstop
Description
Runs the cpstop command on the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n All Check Point products on the managed Security Gateway must be of the same
version.

Syntax

cprinstall cpstop {-proc | -nopolicy} <Object Name>

Parameters

Parameter Description

-proc Kills the Check Point daemons and Security Servers, while it maintains the active Security Policy running in the Check Point kernel.
Rules with a generic Allow, Drop or Reject action based on services continue to work.

-nopolicy Kills the Check Point daemons and Security Servers and unloads the Security Policy from the Check Point kernel.

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstop -proc MyGW

cprinstall delete
Description
Deletes a snapshot (backup) file on the managed Security Gateway that runs on SecurePlatform OS.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall delete <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File> Specifies the name of the snapshot (backup) on SecurePlatform OS.

Example
[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017

cprinstall get
Description
n Gets details of the products and the operating system installed on the managed Security Gateway.
n Updates the management database on the Security Management Server.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall get <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example:

[Expert@MGMT]# cprinstall get MyGW


Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system Major Version Minor Version
------------------------------------------------------------------------
SecurePlatform     R75.20             R75.20

Vendor Product Major Version Minor Version
------------------------------------------------------------------------
Check Point VPN-1 Power/UTM R75.20 R75.20
Check Point SecurePlatform R75.20 R75.20
Check Point SmartPortal R75.20 R75.20
[Expert@MGMT]#

cprinstall install
Description
Installs Check Point products on the managed Security Gateway.

Important - Installing software packages with this command is not supported for
Security Gateways that run Gaia OS.

Notes:
n Before transferring the software package, this command runs the "cprinstall
verify" on page 194 command.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n To see the values for the package attributes, run the "cppkg print" on page 169
command.

Syntax

cprinstall install [-boot] [-backup] [-skip_transfer] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter Description

-boot Reboots the managed Security Gateway after installing the package.
Note - Only reboot after ALL products have the same version. Reboot is canceled in certain scenarios.

-backup Creates a snapshot on the managed Security Gateway before installing the package.
Note - Only on Security Gateways that run on SecurePlatform OS.

-skip_transfer Skips the transfer of the package.

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>" Specifies the package vendor. Enclose in double-quotes.
Example:
n checkpoint
n Check Point

"<Product>" Specifies the product name. Enclose in double-quotes.
Examples:
n SVNfoundation
n firewall
n floodgate
n CP1100
n VPN-1 Power/UTM
n SmartPortal

"<Major Version>" Specifies the package Major Version. Enclose in double-quotes.

"<Minor Version>" Specifies the package Minor Version. Enclose in double-quotes.

Example

[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"

Installing firewall R75.20 on MyGW...


Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#

cprinstall revert
Description
Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot saved on that
Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall revert <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File> Name of the SecurePlatform snapshot file.
To see the names of the saved snapshot files, run the "cprinstall show" on page 189 command.

cprinstall show
Description
Displays all snapshot (backup) files on the managed Security Gateway that runs on SecurePlatform OS.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall show <Object Name>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall show GW1


SU_backup.tzg
[Expert@MGMT]#

cprinstall snapshot
Description
Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and saves it on
that Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall snapshot <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File> Name of the SecurePlatform snapshot file.
To see the names of the saved snapshot files, run the "cprinstall show" on page 189 command.

cprinstall transfer
Description
Transfers a software package from the repository to the managed Security Gateway without installing the
package.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n To see the values for the package attributes, run the "cppkg print" on page 169
command.

Syntax

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>" Specifies the package vendor. Enclose in double-quotes.


Example:
n checkpoint
n Check Point

"<Product>" Specifies the product name. Enclose in double-quotes.


Examples:
n SVNfoundation
n firewall
n floodgate
n CP1100

"<Major Version>" Specifies the package major version. Enclose in double-quotes.

"<Minor Version>" Specifies the package minor version. Enclose in double-quotes.

cprinstall uninstall
Description
Uninstalls Check Point products on the managed Security Gateway.

Important - Uninstalling software packages with this command is not supported for
Security Gateways running on Gaia OS.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n Before uninstalling product packages, this command runs the "cprinstall verify"
on page 194 command.
n After uninstalling a product package, you must run the "cprinstall get" on
page 184 command.
n To see the values for the package attributes, run the "cppkg print" on page 169
command.

Syntax

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter Description

-boot Reboots the managed Security Gateway after uninstalling the package.
Note - Reboot is canceled in certain scenarios.

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>" Specifies the package vendor. Enclose in double-quotes.


Example:
n checkpoint
n Check Point

"<Product>" Specifies the product name. Enclose in double-quotes.


Examples:
n SVNfoundation
n firewall
n floodgate
n CP1100

"<Major Version>" Specifies the package major version. Enclose in double-quotes.

"<Minor Version>" Specifies the package minor version. Enclose in double-quotes.

Example
[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get

cprinstall verify
Description
Confirms these operations were successful:
n If a specific product can be installed on the managed Security Gateway.
n That the operating system and currently installed products on the managed Security Gateway are appropriate for the software package.
n That there is enough disk space to install the product on the managed Security Gateway.
n That there is a CPRID connection with the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n To see the values for the package attributes, run the "cppkg print" on page 169
command.

Syntax

cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major Version>" ["<Minor Version>"]

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>" Specifies the package vendor. Enclose in double-quotes.


Example:
n checkpoint
n Check Point

"<Product>" Specifies the product name. Enclose in double-quotes.


Examples:
n SVNfoundation
n firewall
n floodgate
n CP1100
n VPN-1 Power/UTM
n SmartPortal

"<Major Version>" Specifies the package major version. Enclose in double-quotes.

"<Minor Version>" Specifies the package minor version. Enclose in double-quotes.
This parameter is optional.

Example 1 - Verification succeeds


[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Example 2 - Verification fails


[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R70 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.

cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
The output shows the SNMP queries and SNMP responses for the applicable SNMP OIDs.

-h <Host> Optional.
When you run this command on a Management Server, this parameter specifies the managed Security Gateway.
<Host> is an IPv4 address, a resolvable hostname, or a DAIP object name.
The default is localhost.
Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>.

-p <Port> Optional.
Port number of the Application Monitoring (AMON) server.
The default port is 18192.

-s <SICname> Optional.
Secure Internal Communication (SIC) name of the Application Monitoring (AMON) server.

-f <Flavor> Optional.
Specifies the type of the information to collect.
If you do not specify a flavor explicitly, the command uses the first flavor in the
<Application Flag>. To see all flavors, run the cpstat command without any
parameters.

-o <Polling Interval> Optional.
Specifies the polling interval (in seconds) - how frequently the command collects and shows the information.
Examples:
n 0 - The command shows the results only once and then stops (this is the default value).
n 5 - The command shows the results every 5 seconds in the loop.
n 30 - The command shows the results every 30 seconds in the loop.
n N - The command shows the results every N seconds in the loop.
Use this parameter together with the "-c <Count>" parameter and the "-e <Period>" parameter.
Example:

cpstat os -f perf -o 2

-c <Count> Optional.
Specifies how many times the command runs and shows the results before it stops.
You must use this parameter together with the "-o <Polling Interval>"
parameter.
Examples:
n 0 - The command shows the results repeatedly every <Polling
Interval> (this is the default value).
n 10 - The command shows the results 10 times every <Polling
Interval> and then stops.
n 20 - The command shows the results 20 times every <Polling
Interval> and then stops.
n N - The command shows the results N times every <Polling Interval>
and then stops.
Example:

cpstat os -f perf -o 2 -c 2

-e <Period> Optional.
Specifies the time (in seconds), over which the command calculates the statistics.
You must use this parameter together with the "-o <Polling Interval>"
parameter.
You can use this parameter together with the "-c <Count>" parameter.
Example:

cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag> Mandatory.
See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are
supported only by a Security Gateway, and some flags are supported only by a
Management Server.

Feature or Software Blade | Flag | Flavors

List of enabled Software Blades | blades | fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi, anti_bot, default, content_awareness, threat-emulation, default

Operating System | os | default, ifconfig, routing, routing6, memory, old_memory, cpu, disk, perf, multi_cpu, multi_disk, raidInfo, sensors, power_supply, hw_info, all, average_cpu, average_memory, statistics, updates, licensing, connectivity, vsx

Firewall | fw | default, interfaces, policy, perf, hmem, kmem, inspect, cookies, chains, fragments, totals, totals64, ufp, http, ftp, telnet, rlogin, smtp, pop3, sync, log_connection, all

HTTPS Inspection | https_inspection | default, hsm_status, all

Identity Awareness | identityServer | default, authentication, logins, ldap, components, adquery, idc, muh

Application Control | appi | default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

URL Filtering | urlf | default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

IPS | ips | default, statistics, all

Anti-Virus | ci | default

Threat Prevention | antimalware | default, scanned_hosts, scanned_mails, subscription_status, update_status, ab_prm_contracts, av_prm_contracts, ab_prm_contracts, av_prm_contracts

Threat Emulation | threat-emulation | default, general_statuses, update_status, scanned_files, malware_detected, scanned_on_cloud, malware_on_cloud, average_process_time, emulated_file_size, queue_size, peak_size, file_type_stat_file_scanned, file_type_stat_malware_detected, file_type_stat_cloud_scanned, file_type_stat_cloud_malware_scanned, file_type_stat_filter_by_analysis, file_type_stat_cache_hit_rate, file_type_stat_error_count, file_type_stat_no_resource_count, contract, downloads_information_current, downloading_file_information, queue_table, history_te_incidents, history_te_comp_hosts

Threat Extraction | scrub | default, subscription_status, threat_extraction_statistics

Mobile Access | cvpn | cvpnd, sysinfo, products, overall

VSX | vsx | default, stat, traffic, conns, cpu, all, memory, cpu_usage_per_core

IPsec VPN | vpn | default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics, watermarks, all

Data Loss Prevention | dlp | default, dlp, exchange_agents, fingerprint

Content Awareness | ctnt | default

QoS | fg | all

High Availability | ha | default, all

Policy Server for Remote Access VPN clients | polsrv | default, all

Desktop Policy Server for Remote Access VPN clients | dtps | default, all

LTE / GX | gx | default, contxt_create_info, contxt_delete_info, contxt_update_info, contxt_path_mng_info, GXSA_GPDU_info, contxt_initiate_info, gtpv2_create_info, gtpv2_delete_info, gtpv2_update_info, gtpv2_path_mng_info, gtpv2_cmd_info, all

Management Server | mg | default, log_server, indexer

Certificate Authority | ca | default, crl, cert, user, all

SmartEvent | cpsemd | default

SmartEvent Correlation Unit | cpsead | default

Log Server | ls | default

CloudGuard Controller | vsec | default

SmartReporter | svr | default

Provisioning Agent | PA | default

Thresholds configured with the threshold_config command | thresholds | default, active_thresholds, destinations, error

Historical status values | persistency | product, TableConfig, SourceConfig

Examples

Example - Interfaces on a Security Gateway

[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
--------------------------------------------------------------------------------------------------------------------
|Name|IP |Netmask |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
--------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth1| 172.30.60.80|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth2| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth3| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth4| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth5| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth6| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth7| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
--------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway

[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#

Example - CPU utilization
[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance

[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#

Example - List of current connected sessions on a Management Server

[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#

cpview
Overview of CPView
Description
CPView is a text-based utility built into every Check Point computer.
CPView shows statistical data that covers both general system information (CPU, memory, disk space) and, on a Security Gateway only, information about the different Software Blades.
CPView continuously updates the data in easy-to-access views.
On a Security Gateway, you can use this statistical data to monitor performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Section - Description

Header - Shows the time at which the statistics in the View section were collected. It updates when you refresh the statistics.

Navigation - An interactive menu bar. Move between menus with the arrow keys or the mouse. A menu can have sub-menus, which show under the menu bar.

View - Shows the statistics collected for the selected view. These statistics update at the refresh rate.

Using CPView
Use these keys to navigate CPView:

Key - Description

Arrow keys - Move between menus and views. Scroll in a view.
Home - Returns to the Overview view.
Enter - Changes to the View Mode. On a menu with sub-menus, the Enter key moves you to the lowest level sub-menu.
Esc - Returns to the Menu Mode.
Q - Quits CPView.

Use these keys to change CPView interface options:

Key - Description

R - Opens a window where you can change the refresh rate. The default refresh rate is 2 seconds.
W - Changes between wide and normal display modes. In wide mode, CPView fits the screen horizontally.
S - Manually sets the number of rows or columns.
M - Switches the mouse on or off.
P - Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key - Description

C - Saves the current page to a file. The file name format is: cpview_<ID of the cpview process>.cap<Number of the capture>
H - Shows a tooltip with CPView options.
Space bar - Immediately refreshes the statistics.

cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes such as
Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products and
Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log file.
The cpwd_admin utility shows the status of the monitored processes, and configures the Check Point
WatchDog.

There are two types of Check Point WatchDog monitoring:

Monitoring - Description

Passive - WatchDog restarts the process only when the process terminates abnormally. In the output of the cpwd_admin list command, the MON column shows N for passively monitored processes.

Active - WatchDog checks the process status every predefined interval. WatchDog makes sure the process is alive, as well as properly functioning (not stuck on deadlocks, frozen, and so on). In the output of the cpwd_admin list command, the MON column shows Y for actively monitored processes. The list of actively monitored processes is predefined by Check Point. Users cannot change or configure it.

Syntax

cpwd_admin
      config <options>
      del <options>
      detach <options>
      exist
      flist <options>
      getpid <options>
      kill
      list <options>
      monitor_list
      start <options>
      start_monitor
      stop <options>
      stop_monitor

Parameters

Parameter - Description

config <options> - Configures the Check Point WatchDog. See "cpwd_admin config" on page 211.

del <options> - Temporarily deletes a monitored process from the WatchDog database of monitored processes. See "cpwd_admin del" on page 214.

detach <options> - Temporarily detaches a monitored process from the WatchDog monitoring. See "cpwd_admin detach" on page 215.

exist - Checks whether the WatchDog process cpwd is alive. See "cpwd_admin exist" on page 216.

flist <options> - Saves the status of all monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file. See "cpwd_admin flist" on page 217.

getpid <options> - Shows the PID of a monitored process. See "cpwd_admin getpid" on page 219.

kill - Terminates the WatchDog process cpwd. See "cpwd_admin kill" on page 220.
Important - Do not run this command unless explicitly instructed by Check Point Support or R&D to do so.

list <options> - Prints the status of all monitored processes on the screen. See "cpwd_admin list" on page 221.

monitor_list - Prints the status of actively monitored processes on the screen. See "cpwd_admin monitor_list" on page 225.

start <options> - Starts a process as monitored by the WatchDog. See "cpwd_admin start" on page 226.

start_monitor - Starts the active WatchDog monitoring - WatchDog monitors the predefined processes actively. See "cpwd_admin start_monitor" on page 228.

stop <options> - Stops a monitored process. See "cpwd_admin stop" on page 229.

stop_monitor - Stops the active WatchDog monitoring - WatchDog monitors all processes only passively. See "cpwd_admin stop_monitor" on page 231.

cpwd_admin config
Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
      -h
      -a <options>
      -d <options>
      -p
      -r

Parameters

Parameter - Description

-h - Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N> - Adds the WatchDog configuration parameters.
Note - Spaces are not allowed between the name of the configuration parameter, the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N> - Deletes the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-p - Shows the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-r - Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:

default_ctx
    Accepted values: Text string up to 128 characters
    Description: On a VSX Gateway, configures the CTX value that is assigned to monitored processes for which no CTX is specified.

display_ctx
    Accepted values: 0 (default), 1
    Description: On a VSX Gateway, configures whether the WatchDog shows the CTX column in the output of the cpwd_admin list command (between the APP and the PID columns):
    * 0 - Does not show the CTX column
    * 1 - Shows the CTX column

no_limit
    Accepted values: Range: -1, 0, >0. Default: 5
    Description: If rerun_mode=1, specifies the maximal number of times the WatchDog tries to restart a process:
    * -1 - Always tries to restart
    * 0 - Never tries to restart
    * >0 - Tries this number of times

num_of_procs
    Accepted values: Range: 30 - 2000. Default: 2000
    Description: Configures the maximal number of processes managed by the WatchDog.

rerun_mode
    Accepted values: 0, 1 (default)
    Description: Configures whether the WatchDog restarts processes after they fail:
    * 0 - Does not restart a failed process. Monitor and log only.
    * 1 - Restarts a failed process (this is the default).

reset_startups
    Accepted values: Range: >0. Default: 3600
    Description: Configures the time (in seconds) the WatchDog waits after the process starts and before the WatchDog resets the process's startup_counter to 0. To see the process's startup counter, refer to the #START column in the output of the cpwd_admin list command.

sleep_mode
    Accepted values: 0, 1 (default)
    Description: Configures how the WatchDog restarts the process:
    * 0 - Ignores timeout and restarts the process immediately
    * 1 - Waits for the duration of sleep_timeout

sleep_timeout
    Accepted values: Range: 0 - 3600. Default: 60
    Description: If rerun_mode=1, specifies how much time (in seconds) passes from a process failure until WatchDog tries to restart it.

stop_timeout
    Accepted values: Range: >0. Default: 60
    Description: Configures the time (in seconds) the WatchDog waits for a process stop command to complete.

zero_timeout
    Accepted values: Range: >0. Default: 7200
    Description: After failing no_limit times to restart a process, the WatchDog waits zero_timeout seconds before it tries again. The value of zero_timeout must be greater than the value of the timeout.

The WatchDog saves the user defined configuration parameters in the $CPDIR/registry/HKLM_
registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"
: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...

Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#

cpwd_admin del
Description
Temporarily deletes a monitored process from the WatchDog database of monitored processes.

Notes:
* WatchDog stops monitoring the detached process, but the process stays alive.
* The "cpwd_admin list" on page 221 command does not show the deleted process anymore.
* This change applies until all Check Point services restart during boot, or with the "cpstart" on page 196 command.

Syntax on a Management Server

cpwd_admin del -name <Application Name>

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

Parameter - Description

<Application Name> - Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 221 command in the leftmost column APP.
Examples:
* FWM
* FWD
* CPD
* CPM

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD
cpwd_admin:
successful Del operation
[Expert@HostName:0]#

cpwd_admin detach
Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
* WatchDog stops monitoring the detached process, but the process stays alive.
* The "cpwd_admin list" on page 221 command does not show the detached process anymore.
* This change applies until all Check Point services restart during boot, or with the "cpstart" on page 196 command.

Syntax on a Management Server

cpwd_admin detach -name <Application Name>

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

Parameter - Description

<Application Name> - Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 221 command in the leftmost column APP.
Examples:
* FWM
* FWD
* CPD
* CPM

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD
cpwd_admin:
successful Detach operation
[Expert@HostName:0]#

cpwd_admin exist
Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist
cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#

cpwd_admin flist
Description
Saves the status of all WatchDog monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file and prints the path of that file on the screen.

Syntax on a Management Server

cpwd_admin flist [-full]

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

Parameter - Description

-full - Shows the verbose output.

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

Output

Column - Description

APP - Shows the WatchDog name of the monitored process.

CTX - On a VSX Gateway, shows the VSID in which the monitored process runs.

PID - Shows the PID of the monitored process.

STAT - Shows the status of the monitored process:
* E - executing
* T - terminated

#START - Shows how many times the WatchDog started the monitored process.

START_TIME - Shows the time when the WatchDog last started the monitored process.

SLP/LIMIT - In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 211).

MON - Shows how the WatchDog monitors this process (see the explanation for the "cpwd_admin" on page 208):
* Y - Active monitoring
* N - Passive monitoring

COMMAND - Shows the command the WatchDog runs to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist
/opt/CPshrd-R80.40/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#
[Expert@HostName:0]# date --date="@1564617600"
Thu Aug 1 03:00:00 IDT 2019
[Expert@HostName:0]#

cpwd_admin getpid
Description
Shows the PID of a WatchDog monitored process.

Syntax for a Management Server

cpwd_admin getpid -name <Application Name>

Syntax for a Security Gateway

cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

Parameters

Parameter - Description

<Application Name> - Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 221 command in the leftmost column APP.
Examples:
* FWM
* FWD
* CPD
* CPM

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD
5640
[Expert@HostName:0]#

cpwd_admin kill
Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 205 and "cpstart" on page 196 commands.

Syntax

cpwd_admin kill

cpwd_admin list
Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Management Server

cpwd_admin list [-full]

Syntax on a Security Gateway

cpwd_admin list [-full] [-ctx <VSID>]

Parameters

Parameter - Description

-full - Shows the verbose output.

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

Output

Column - Description

APP - Shows the WatchDog name of the monitored process.

CTX - On a VSX Gateway, shows the VSID in which the monitored process runs.

PID - Shows the PID of the monitored process.

STAT - Shows the status of the monitored process:
* E - executing
* T - terminated

#START - Shows how many times the WatchDog started the monitored process.

START_TIME - Shows the time when the WatchDog last started the monitored process.

SLP/LIMIT - In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 211).

MON - Shows how the WatchDog monitors this process (see the explanation for the "cpwd_admin" on page 208):
* Y - Active monitoring
* N - Passive monitoring

COMMAND - Shows the command the WatchDog runs to start this process.

Examples

Example - Default output on a Management Server

[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R80.40/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-R80.40/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2019 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
[Expert@HostName:0]#

Example - Default output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-
R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 N ci_http_server -j -f
/opt/CPsuite-R80.40/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2019 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 N DAService_script
[Expert@HostName:0]#

Example - Verbose output on a Management Server

[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/java_solr
COMMAND = java_solr /opt/CPrt-R80.40/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/log_indexer/log_indexer
COMMAND = /opt/CPrt-R80.40/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R80.40/smartlog_server
COMMAND = /opt/CPSmartLog-R80.40/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#

Example - Verbose output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list -full
APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 3/u N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-
R80.40/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
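The STAT, #START and MON columns described above are what an operator checks to catch a critical daemon that has died or that the WatchDog keeps restarting. The following shell function is an added example, not code from the Check Point guide: it reads "cpwd_admin list" output (either the Management Server or the Security Gateway layout), reports processes in STAT T or with #START above a limit, and returns the number of findings. The sample outputs are constructed from the guide's examples, with the CPD and FWD rows of the gateway sample altered to trigger both checks.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide: audit the output of
# "cpwd_admin list" for monitored processes that the WatchDog reports as
# terminated (STAT = T) or as started more than an allowed number of times
# (#START above a limit, which points at a restart loop).
#
# Assumptions (taken from the guide's own examples): the first line is the
# column header, the CTX column is present only on a Security Gateway, and
# START_TIME occupies two whitespace-separated fields ("[HH:MM:SS] D/M/YYYY").

# Constructed sample in the Management Server layout (no CTX column); the
# HISTORYD row is taken unchanged from the guide's example.
SAMPLE_MGMT='APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd'

# Constructed sample in the Security Gateway layout (CTX column present); the
# CPD and FWD rows were altered (7 starts, STAT T) to exercise both checks.
SAMPLE_GW='APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
CPD 0 5420 E 7 [18:14:15] 23/5/2019 Y cpd
FWD 0 5640 T 3 [18:14:26] 23/5/2019 N fwd'

# audit_cpwd_list [max_starts]
# Reads "cpwd_admin list" output on stdin, prints one line per finding and
# returns the number of findings (0 = nothing to report). Default limit: 5.
audit_cpwd_list() {
    awk -v max="${1:-5}" '
        BEGIN { findings = 0 }
        NR == 1 {
            # Map column names to field numbers so both layouts work.
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        NF == 0 { next }
        {
            app    = $(col["APP"])
            stat   = $(col["STAT"])
            starts = $(col["#START"]) + 0
            when   = $(col["START_TIME"]) " " $(col["START_TIME"] + 1)
            mon    = $(col["MON"] + 1)     # shifted by the two-field START_TIME
            if (stat == "T") {
                printf "TERMINATED %s (MON %s, last start %s)\n", app, mon, when
                findings++
            }
            if (starts > max) {
                printf "RESTART_LOOP %s started %d times (limit %d)\n", app, starts, max
                findings++
            }
        }
        END { exit findings }
    '
}

# Stand-alone demonstration: audit both samples. A non-zero return code is the
# finding count, so it is reported rather than treated as an error.
printf '%s\n' "$SAMPLE_MGMT" | audit_cpwd_list 5 || echo "Management Server sample: $? finding(s)"
printf '%s\n' "$SAMPLE_GW"   | audit_cpwd_list 5 || echo "Security Gateway sample: $? finding(s)"
```

On a live system, pipe the real command into the function ("cpwd_admin list | audit_cpwd_list 5") from Expert mode; the exit code makes it usable from a cron job or a monitoring agent.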

cpwd_admin monitor_list
Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 208.

Syntax

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list
cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#

cpwd_admin start
Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server

cpwd_admin start -name <Application Name> -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Syntax on a Security Gateway

cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

Parameter - Description

-name <Application Name> - Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
Examples:
* FWM
* FWD
* CPD
* CPM

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>" - The full path (with or without Check Point environment variables) to the executable, including the executable name. Must be enclosed in double-quotes.
Examples:
* For FWM: "$FWDIR/bin/fwm"
* For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
* For CPD: "$CPDIR/bin/cpd"
* For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh"
* For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl"

-command "<Command Syntax>" - The command and its arguments to run. Must be enclosed in double-quotes.
Examples:
* For FWM: "fwm"
* For FWM on Multi-Domain Server: "fwm mds"
* For FWD: "fwd"
* For CPD: "cpd"
* For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh -s"
* For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl -c "/opt/CPuepm-R80.40/engine/conf/cptnl_srv.conf""

-env {inherit | <Env_Var>=<Value>} - Configures whether to inherit the environment variables from the shell.
* inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
* <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

-slp_timeout <Timeout> - Configures the value of the "sleep_timeout" configuration parameter. See "cpwd_admin config" on page 211.

-retry_limit {<Limit> | u} - Configures the value of the "retry_limit" configuration parameter. See "cpwd_admin config" on page 211.
* <Limit> - Tries to restart the process the specified number of times
* u - Tries to restart the process an unlimited number of times

Example
For the list of processes and the applicable syntax, see sk97638.

cpwd_admin start_monitor
Description
Starts the active WatchDog monitoring. WatchDog monitors the predefined processes actively.
See the explanation for the "cpwd_admin" on page 208 command.

Syntax

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor
cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#

cpwd_admin stop
Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Management Server

cpwd_admin stop -name <Application Name> [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Syntax on a Security Gateway

cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Parameters

Parameter Description

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable, including the executable name.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd_admin"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "fw kill fwm"
    - For FWD: "fw kill fwd"
    - For CPD: "cpd_admin stop"

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

Example
For the list of processes and the applicable syntax, see sk97638.

cpwd_admin stop_monitor
Description
Stops the active WatchDog monitoring. WatchDog monitors all processes only passively.
See the explanation for the "cpwd_admin" command on page 208.

Syntax

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor
cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#

dbedit
Description
Edits the management database - the $FWDIR/conf/objects_5_0.C file - on the Security Management Server or Domain Management Server. See sk13301.

Important - Do NOT run this command, unless explicitly instructed by Check Point
Support or R&D to do so. Otherwise, you can corrupt settings in the management
database.

Syntax

dbedit -help

dbedit [-globallock] [{-local | -s <Management_Server>}] [{-u <Username> | -c <Certificate>}] [-p <Password>] [-f <File_Name> [ignore_script_failure] [-continue_updating]] [-r "<Open_Reason_Text>"] [-d <Database_Name>] [-listen] [-readonly] [-session]

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Parameters

Parameter Description

-help
    Prints the general help.

-globallock
    When you work with the dbedit utility, it partially locks the management database. If a user configures objects in SmartConsole at the same time, it causes problems in the management database.
    This option does not let SmartConsole, or another dbedit user, make changes in the management database.
    When you specify this option, the dbedit commands run on a copy of the management database. After you make the changes with the dbedit commands and run the savedb command, the dbedit utility saves and commits your changes to the actual management database.

-local
    Connects to the localhost (127.0.0.1) without using username/password.
    If you do not specify this parameter, the dbedit utility asks how to connect.

-s <Management_Server>
    Specifies the Security Management Server - by IP address or HostName.
    If you do not specify this parameter, the dbedit utility asks how to connect.

-u <Username>
    Specifies the username, with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" parameter.

-c <Certificate>
    Specifies the user's certificate file, with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" parameter.

-p <Password>
    Specifies the user's password, with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" and "-u <Username>" parameters.

-f <File_Name>
    Specifies the file that contains the applicable dbedit internal commands (see the section "dbedit Internal Commands" below):
    - create <object_type> <object_name>
    - modify <table_name> <object_name> <field_name> <value>
    - update <table_name> <object_name>
    - delete <table_name> <object_name>
    - print <table_name> <object_name>
    - quit

    Note - Each command is limited to 4096 characters.

ignore_script_failure
    Continues to execute the dbedit internal commands in the file and ignores errors.
    You can use it when you specify the "-f <File_Name>" parameter.

-continue_updating
    Continues to update the modified objects, even if the operation fails for some of the objects (ignores the errors and runs the update_all command at the end of the script).
    You can use it when you specify the "-f <File_Name>" parameter.

-r "<Open_Reason_Text>"
    Specifies the reason for opening the database in read-write mode (default mode).

-d <Database_Name>
    Specifies the name of the database, to which the dbedit utility should connect (for example, mdsdb).

-listen
    The dbedit utility "listens" for changes (use this mode for advanced troubleshooting with the assistance of Check Point Support).
    The dbedit utility prints its internal messages when a change occurs in the management database.

-readonly
    Specifies to open the management database in read-only mode.

-session
    Session Connectivity.

dbedit Internal Commands

Note - To see the available tables, class names (object types), attributes and values, connect to the Management Server with the GuiDBedit Tool.

Command Description, Syntax, Examples

-h
    Description:
    Prints the general help.
    Syntax:

        dbedit> -h

-q
quit
    Description:
    Quits from dbedit.
    Syntax:

        dbedit> -q

        dbedit> quit [-update_all | -noupdate]

    Examples:
    - Exit the utility and commit the remaining modified objects (interactive mode):

        dbedit> quit

    - Exit the utility and update all the remaining modified objects:

        dbedit> quit -update_all

    - Exit the utility and discard all modifications:

        dbedit> quit -no_update

update
    Description:
    Saves the specified object in the specified table (for example, "network_objects", "services", "users").
    Syntax:

        dbedit> update <table_name> <object_name>

    Example:
    Save the object My_Service in the table services:

        dbedit> update services My_Service

update_all
    Description:
    Saves all the modified objects.
    Syntax:

        dbedit> update_all

_print_set
    Description:
    Prints the specified object from the specified table (for example, "network_objects", "services", "users") as it appears in the $FWDIR/conf/objects_5_0.C file (sets of attributes).
    Syntax:

        dbedit> _print_set <table_name> <object_name>

    Example:
    Print the object My_Obj from the table network_objects:

        dbedit> _print_set network_objects My_Obj

print
    Description:
    Prints the list of attributes of the specified object from the specified table (for example, "network_objects", "properties", "services", "users").
    Syntax:

        dbedit> print <table_name> <object_name>

    Examples:
    - Print the object My_Obj from the table network_objects (in "Network Objects"):

        dbedit> print network_objects my_obj

    - Print the object firewall_properties from the table properties (in "Global Properties"):

        dbedit> print properties firewall_properties

printxml
    Description:
    Prints in XML format the list of attributes of the specified object from the specified table (for example, "network_objects", "properties", "services", "users").
    You can export the settings from a Management Server to an XML file that you can use later with external automation systems.
    Syntax:

        dbedit> printxml <table_name> [<object_name>]

    Examples:
    - Print the object My_Obj from the table network_objects:

        dbedit> printxml network_objects my_obj

    - Print the object firewall_properties from the table properties (in "Global Properties"):

        dbedit> printxml properties firewall_properties

printbyuid
    Description:
    Prints the attributes of the object specified by its UID (appears in the $FWDIR/conf/objects_5_0.C file at the beginning of the object as "chkpf_uid ({...})").
    Syntax:

        dbedit> printbyuid {object_id}

    Example:
    Print the attributes of the object with the specified UID:

        dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}

query
    Description:
    Prints all the objects in the specified table.
    Optionally, you can query for objects with a specific attribute and value - the query is separated by a comma after "query <table_name>" (spaces are not allowed between the <attribute> and '<value>').
    Syntax:

        dbedit> query <table_name> [ , <attribute>='<value>' ]

    Examples:
    - Print all objects in the table users:

        dbedit> query users

    - Print all objects in the table network_objects that are defined as Management Servers:

        dbedit> query network_objects, management='true'

    - Print all objects in the table services with the name ssh:

        dbedit> query services, name='ssh'

    - Print all objects in the table services with the port 22:

        dbedit> query services, port='22'

    - Print all objects with the IP address 10.10.10.10:

        dbedit> query network_objects, ipaddr='10.10.10.10'

whereused
    Description:
    Checks where the specified object is used in the database.
    Prints the number of places where this object is used, and relevant information about each such place.
    Syntax:

        dbedit> whereused <table_name> <object_name>

    Example:
    Check where the object My_Obj is used:

        dbedit> whereused network_objects My_Obj

create
    Description:
    Creates an object of the specified type (with its default values) in the database.
    Restrictions apply to the object's name:
    - Object names can have a maximum of 100 characters.
    - Object names can contain only ASCII letters, numbers, and dashes.
    - Reserved words will be blocked by the Management Server (refer to sk40179).

    Syntax:

        dbedit> create <object_type> <object_name>

    Example:
    Create the service object My_Service of the type tcp_service (with its default values):

        dbedit> create tcp_service my_service

delete
    Description:
    Deletes an object from the specified table.
    Syntax:

        dbedit> delete <table_name> <object_name>

    Example:
    Delete the service object My_Service from the table services:

        dbedit> delete services my_service

modify
    Description:
    Modifies the value of the specified attribute in the specified object in the specified table (for example, "network_objects", "services", "users") in the management database.
    Syntax:

        dbedit> modify <table_name> <object_name> <field_name> <value>

    Examples:
    - Modify the color to red in the object My_Service in the table services:

        dbedit> modify services My_Service color red

    - Add a comment to the object MyObj:

        dbedit> modify network_objects MyObj comments "Created by fwadmin with dbedit"

    - Set the value of the global property ike_use_largest_possible_subnets in the table properties to false:

        dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false

    - Create a new interface on the Security Gateway My_FW and modify its attributes - set the IP address / Mask and enable Anti-Spoofing on the interface with "Element Index"=3 (check the attributes of the object My_FW in the GuiDBedit Tool):

        dbedit> addelement network_objects My_FW interfaces interface
        dbedit> modify network_objects My_FW interfaces:3:officialname NAME_OF_INTERFACE
        dbedit> modify network_objects My_FW interfaces:3:ipaddr IP_ADDRESS
        dbedit> modify network_objects My_FW interfaces:3:netmask NETWORK_MASK
        dbedit> modify network_objects My_FW interfaces:3:security:netaccess:access specific
        dbedit> modify network_objects My_FW interfaces:3:security:netaccess:allowed network_objects:group_name
        dbedit> modify network_objects My_FW interfaces:3:security:netaccess:perform_anti_spoofing true

        dbedit> modify network_objects MyObj FieldA LINKSYS

    - In the Owned Object MyObj change the value of FieldB to NewVal:

        dbedit> modify network_objects MyObj FieldA:FieldB NewVal

    - In the Linked Object MyObj change the value of FieldA from B to C:

        dbedit> modify network_objects MyObj FieldA B:C

lock
    Description:
    Locks the specified object (by administrator) in the specified table (for example, "network_objects", "services", "users") from being modified by other users.
    For example, if you connect from a remote computer to this Management Server with admin1 and lock an object, you are able to connect with admin2, but are not able to modify the locked object until admin1 releases the lock.
    Syntax:

        dbedit> lock <table_name> <object_name>

    Example:
    Lock the object My_Service_Obj in the table services in the database:

        dbedit> lock services My_Service_Obj

addelement
    Description:
    Adds a specified multiple field / container (with the specified value) to a specified object in the specified table.
    Syntax:

        dbedit> addelement <table_name> <object_name> <field_name> <value>

    Examples:
    - Add the element BranchObjectClass with the value Organization to the multiple field Read in the object My_Obj in the table ldap:

        dbedit> addelement ldap My_Obj Read:BranchObjectClass Organization

    - Add the service MyService to the group of services MyServicesGroup in the table services:

        dbedit> addelement services MyServicesGroup '' services:MyService

    - Add the network MyNetwork to the group of networks MyNetworksGroup in the table network_objects:

        dbedit> addelement network_objects MyNetworksGroup '' network_objects:MyNetwork

rmelement
    Description:
    Removes a specified multiple field / container (with the specified value) from a specified object in the specified table.
    Syntax:

        dbedit> rmelement <table_name> <object_name> <field_name> <value>

    Examples:
    - Remove the service MyService from the group of services MyServicesGroup in the table services:

        dbedit> rmelement services MyServicesGroup '' services:MyService

    - Remove the network MyNetwork from the group of networks MyNetworksGroup in the table network_objects:

        dbedit> rmelement network_objects MyNetworksGroup '' network_objects:MyNetwork

    - Remove the element BranchObjectClass with the value Organization from the multiple field Read in the object My_Obj in the table ldap:

        dbedit> rmelement ldap my_obj Read:BranchObjectClass Organization

rename
    Description:
    Renames the specified object in the specified table.
    Syntax:

        dbedit> rename <table_name> <object_name> <new_object_name>

    Example:
    Rename the network object london to chicago in the table network_objects:

        dbedit> rename network_objects london chicago

rmbyindex
    Description:
    Removes an element from a container by the element's index.
    Syntax:

        dbedit> rmbyindex <table_name> <object_name> <field_name> <index_number>

    Example:
    Remove the element backup_log_servers from the container log_servers by element index 1 in the table network_objects:

        dbedit> rmbyindex network_objects g log_servers:backup_log_servers 1

add_owned_remove_name
    Description:
    Adds an owned object (and removes its name) to a specified owned object field (or container).
    Syntax:

        dbedit> add_owned_remove_name <table_name> <object_name> <field_name> <value>

    Example:
    Add the owned object My_Gateway (and remove its name) to the owned object field (or container) my_external_products:

        dbedit> add_owned_remove_name network_objects My_Gateway additional_products owned:my_external_products

is_delete_allowed
    Description:
    Checks if the specified object can be deleted from the specified table (an object cannot be deleted if it is used by other objects).
    Syntax:

        dbedit> is_delete_allowed <table_name> <object_name>

    Example:
    Check if the object MyObj can be deleted from the table network_objects:

        dbedit> is_delete_allowed network_objects MyObj

set_pass
    Description:
    Sets the specified password for the specified user.
    Notes:
    - The password must contain at least 4 characters and no more than 50 characters.
    - This command cannot change the administrator's password.

    Syntax:

        dbedit> set_pass <Username> <Password>

    Example:
    Set the password 1234 for the user abcd:

        dbedit> set_pass abcd 1234

savedb
    Description:
    Saves the database. You can run this command only when the database is locked globally (when you start the dbedit utility with the "dbedit -globallock" command).
    Syntax:

        dbedit> savedb

savesession
    Description:
    Saves the session. You can run this command only when you start the dbedit utility in session mode (with the "dbedit -session" command).
    Syntax:

        dbedit> savesession
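
The internal commands above are usually fed to "dbedit -f <File_Name>" from a file. The following Python helper is an added example (not Check Point code) that builds such a file from the command syntax on this page, applies the 100-character object name and 4096-character command limits stated above, and assembles the anti-spoofing interface sequence from the modify examples; the object names, addresses and the service field "port" in the sample are constructed, and underscores are accepted in names as an assumption, because the page's own examples use names such as My_Service.

```python
"""Build a command file for "dbedit -f <File_Name>" from the dbedit internal
commands described on this page.

Added example, not Check Point code. It applies the limits the page states
(object names up to 100 characters; each command up to 4096 characters) and
assembles the anti-spoofing interface sequence from the modify examples.
Assumption: underscores are accepted in object names in addition to ASCII
letters, digits and dashes, because the page's own examples use names such
as My_Service. Object names, addresses and the service field "port" in the
sample below are constructed.
"""
import re
from typing import List

NAME_MAX_LEN = 100
COMMAND_MAX_LEN = 4096
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # assumption: underscore allowed


def is_valid_object_name(name: str) -> bool:
    """Length and character restrictions listed under the create command."""
    return 0 < len(name) <= NAME_MAX_LEN and NAME_RE.match(name) is not None


def check_object_name(name: str) -> str:
    if not is_valid_object_name(name):
        raise ValueError(f"invalid dbedit object name: {name!r}")
    return name


def quote_value(value: str) -> str:
    """Double-quote values with whitespace, as in the page's comments example."""
    if any(ch.isspace() for ch in value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


class DbeditScript:
    """Collects dbedit internal commands and renders them as the -f file."""

    def __init__(self) -> None:
        self.commands = []  # type: List[str]

    def _add(self, *tokens: str) -> None:
        line = " ".join(tokens)
        if len(line) > COMMAND_MAX_LEN:  # limit stated for -f command files
            raise ValueError(f"command longer than {COMMAND_MAX_LEN} characters")
        self.commands.append(line)

    def create(self, object_type: str, name: str) -> None:
        self._add("create", object_type, check_object_name(name))

    def modify(self, table: str, name: str, field: str, value: str) -> None:
        self._add("modify", table, check_object_name(name), field, quote_value(value))

    def addelement(self, table: str, name: str, field: str, value: str) -> None:
        self._add("addelement", table, check_object_name(name), field, value)

    def update(self, table: str, name: str) -> None:
        self._add("update", table, check_object_name(name))

    def add_interface_with_antispoofing(self, gateway: str, index: int, ifname: str,
                                        ipaddr: str, netmask: str, allowed_group: str) -> None:
        """The page's interface sequence: add an interface element, set its name,
        address and mask, define the networks behind it as one group ("specific"
        access) and turn anti-spoofing on. The index must match the new element's
        "Element Index" in the gateway object (check it in the GuiDBedit Tool)."""
        prefix = f"interfaces:{index}"
        self.addelement("network_objects", gateway, "interfaces", "interface")
        self.modify("network_objects", gateway, f"{prefix}:officialname", ifname)
        self.modify("network_objects", gateway, f"{prefix}:ipaddr", ipaddr)
        self.modify("network_objects", gateway, f"{prefix}:netmask", netmask)
        self.modify("network_objects", gateway, f"{prefix}:security:netaccess:access", "specific")
        self.modify("network_objects", gateway, f"{prefix}:security:netaccess:allowed",
                    f"network_objects:{allowed_group}")
        self.modify("network_objects", gateway,
                    f"{prefix}:security:netaccess:perform_anti_spoofing", "true")
        self.update("network_objects", gateway)

    def render(self) -> str:
        """File content; ends with "quit -update_all" so the remaining modified
        objects are committed when the file is run non-interactively."""
        return "\n".join(self.commands + ["quit -update_all"]) + "\n"


def build_example_script() -> str:
    """Constructed sample: one new TCP service and one anti-spoofing-enabled interface."""
    script = DbeditScript()
    script.create("tcp_service", "My_Service")
    script.modify("services", "My_Service", "port", "8443")
    script.modify("services", "My_Service", "comments", "Created by fwadmin with dbedit")
    script.update("services", "My_Service")
    script.add_interface_with_antispoofing("My_FW", 3, "eth3", "10.10.10.1",
                                           "255.255.255.0", "Internal_Nets")
    return script.render()


if __name__ == "__main__":
    print(build_example_script(), end="")
```

Write the output to a file and pass it with "-f", optionally with -continue_updating, so that a failure on one object does not leave the others uncommitted.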

fw
Description
- Performs various operations on Security or Audit log files.
- Kills the specified Check Point processes.
- Manages the Suspicious Activity Monitoring (SAM) rules.
- Manages the Suspicious Activity Policy editor.

Syntax

fw [-d]
      fetchlogs <options>
      hastat <options>
      kill <options>
      log <options>
      logswitch <options>
      lslogs <options>
      mergefiles <options>
      repairlog <options>
      sam <options>
      sam_policy <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.

    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

fetchlogs <options>
    Fetches the specified Check Point log files - Security ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*), from the specified Check Point computer.
    See "fw fetchlogs" on page 247.

hastat <options>
    Shows information about Check Point computers in High Availability configuration and their states.
    See "fw hastat" on page 249.

kill <options>
    Kills the specified Check Point process.
    See "fw kill" on page 250.

log <options>
    Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw log" on page 251.

logswitch <options>
    Switches the current active Check Point log file - Security ($FWDIR/log/fw.log) or Audit ($FWDIR/log/fw.adtlog).
    See "fw logswitch" on page 260.

lslogs <options>
    Shows a list of Check Point log files - Security ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*), located on the local computer or a remote computer.
    See "fw lslogs" on page 264.

mergefiles <options>
    Merges several Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog), into a single log file.
    See "fw mergefiles" on page 267.

repairlog <options>
    Rebuilds pointer files for Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw repairlog" on page 270.

sam <options>
    Manages the Suspicious Activity Monitoring (SAM) rules.
    See "fw sam" on page 271.

sam_policy <options>
or
samp <options>
    Manages the Suspicious Activity Policy editor that lets you work with these types of rules:
    - Suspicious Activity Monitoring (SAM) rules.
    - Rate Limiting rules.
    See "fw sam_policy" on page 279.

fw fetchlogs
Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.

    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File N>
    Specifies the name of the log file to fetch. You need to specify only the file name.
    Notes:
    - If you do not specify the log file name explicitly, the command transfers all Security log files ($FWDIR/log/*.log*) and all Audit log files ($FWDIR/log/*.adtlog*).
    - The specified log file name can include the wildcards * and ? (for example, 2017-0?-*.log).
      If you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command.
      You must use the -f parameter for each log file name pattern.
    - This command also transfers the applicable log pointer files.

<Target>
    Specifies the remote Check Point computer, with which this local Check Point computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point computer as configured in SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.

Notes:
- This command moves the specified log files from the $FWDIR/log/ directory on the specified Check Point computer. That is, it deletes the specified log files on the specified Check Point computer after it copies them successfully.
- This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point computer, on which you run this command.
- This command cannot fetch the active log files $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.
  To fetch these active log files:
  1. Perform a log switch on the applicable Check Point computer:

     fw logswitch [-audit] [-h <IP Address or Hostname>]

  2. Fetch the rotated log file from the applicable Check Point computer:

     fw fetchlogs -f <Log File Name> <IP Address or Hostname>

- This command renames the log files it fetched from the specified Check Point computer. The new log file name is the concatenation of the Check Point computer's name (as configured in SmartConsole), two underscore (_) characters, and the original log file name (for example: MyGW__2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW
File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#

fw hastat
Description
Shows information about Check Point computers in High Availability configuration and their states.

Note - This command is outdated. On cluster members, run the Gaia Clish command "show cluster state", or the Expert mode command "cphaprob state".

Note - This command is outdated. On Management Servers, run the "cpstat" command on page 197.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter Description

<Target1> <Target2> ... <TargetN>
    Specifies the Check Point computers to query.
    If you run this command on the Management Server, you can enter the applicable IP address, or the resolvable HostName of the managed Security Gateway or Cluster Member.
    If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#

fw kill
Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.

    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-t <Signal Number>
    Specifies which signal to send to the Check Point process.
    For the list of available signals and their numbers, run the kill -l command.
    For information about the signals, see the manual pages for kill and signal.
    If you do not specify the signal explicitly, the command sends Signal 15 (SIGTERM).

    Note - Processes can ignore some signals.

<Name of Process>
    Specifies the name of the Check Point process to kill.
    To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw log
Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u <Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter Description

{-h | -help}
    Shows the built-in usage.

    Note - The built-in usage does not show some of the parameters described in this table.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.

    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-a
    Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>"
    Shows only entries that were logged between the specified start and end times.
    - The <Start Timestamp> and <End Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the "<Start Timestamp>" and "<End Timestamp>" in single or double quotes (-b 'XX' 'YY', or -b "XX" "YY").
    - You cannot use the "-b" parameter together with the "-s" or "-e" parameters.
    - See the date and time format below.

-c <Action>
    Shows only events with the specified action. One of these:
    - accept
    - drop
    - reject
    - encrypt
    - decrypt
    - vpnroute
    - keyinst
    - authorize
    - deauthorize
    - authcrypt
    - ctl

    Notes:
    - The fw log command always shows the Control (ctl) actions.
    - For the login action, use authcrypt.

-e "<End Timestamp>"
    Shows only entries that were logged before the specified time.
    Notes:
    - The <End Timestamp> may be a date, a time, or both.
    - Enclose the <End Timestamp> in single or double quotes (-e '...', or -e "...").
    - You cannot use the "-e" parameter together with the "-b" parameter.
    - See the date and time format below.

-f
    This parameter:
    1. Shows the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.

    Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-g
    Does not show delimiters.
    The default behavior is:
    - Show a colon (:) after a field name
    - Show a semi-colon (;) after a field value

-H
    Shows the High Level Log key.

-h <Origin>
    Shows only logs that were generated by the Security Gateway with the specified IP address or object name (as configured in SmartConsole).

-i
    Shows the log UID.

-k {<Alert Name> | all}
    Shows entries that match a specific alert type:
    - <Alert Name> - Show only entries that match a specific alert type:
      - alert
      - mail
      - snmp_trap
      - spoof
      - user_alert
      - user_auth
    - all - Show entries that match all alert types (this is the default).

-l
    Shows both the date and the time for each log entry.
    The default is to show the date only once above the relevant entries, and then specify the time for each log entry.

-m {initial | semi | raw}
    Specifies the log unification mode:
    - initial - Complete unification of log entries. The command shows one unified log entry for each ID. This is the default.
      If you also specify the -f parameter, then the output does not show any updates, but shows only entries that relate to the start of new connections. To show updates, use the semi parameter.
    - semi - Step-by-step unification of log entries. For each log entry, the output shows an entry that unifies this entry with all previously encountered entries with the same ID.
    - raw - No log unification. The output shows all log entries.

-n
    Does not perform DNS resolution of the IP addresses in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-o
    Shows detailed log chains - shows all the log segments in the log entry.

-p
    Does not perform resolution of the port numbers in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-q
    Shows the names of log header fields.

-S
    Shows the Sequence Number.

-s "<Start Timestamp>"
    Shows only entries that were logged after the specified time.
    Notes:
    - The <Start Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the <Start Timestamp> in single or double quotes (-s '...', or -s "...").
    - You cannot use the "-s" parameter together with the "-b" parameter.
    - See the date and time format below.

-t
    This parameter:
    1. Does not show the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.

    Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-u <Unification Scheme File>
    Specifies the path and name of the log unification scheme file.
    The default log unification scheme file is: $FWDIR/conf/log_unification_scheme.C

-w
    Shows the flags of each log entry (different bits used to specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on).

-x <Start Entry Number>
    Shows only entries from the specified log entry number and below, counting from the beginning of the log file.

-y <End Entry Number>
    Shows only entries until the specified log entry number, counting from the beginning of the log file.

-z
    In case of an error (for example, wrong field value), continues to show log entries.
    The default behavior is to stop.

CLI R80.40 Reference Guide      |      564


fw log

Parameter Description

-# Show confidential logs in clear text.

<Log File> Specifies the log file to read.


If you do not specify the log file explicitly, the command opens the
$FWDIR/log/fw.log log file.
You can specify a switched log file.

Date and Time format

Part of timestamp    Format                  Example
Date only            MMM DD, YYYY            June 11, 2018
Time only            HH:MM:SS                14:20:00
                     Note - In this case, the command assumes the current date.
Date and Time        MMM DD, YYYY HH:MM:SS   June 11, 2018 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that show depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

Field Header      Description                                                    Example
HeaderDateHour    Date and Time                                                  12Jun2018 12:56:42
ContentVersion    Version                                                        5
HighLevelLogKey   High Level Log Key                                             <max_null>, or empty
Uuid              Log UUID                                                       (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)
SequenceNum       Log Sequence Number                                            1
Flags             Internal flags that specify the "nature" of the log - for      428292
                  example, control, audit, accounting, complementary, and so on
Action            Action performed on this connection                            accept, drop, reject, encrypt, decrypt,
                                                                                 vpnroute, keyinst, authorize, deauthorize,
                                                                                 authcrypt, ctl
Origin            Object name of the Security Gateway that generated this log    MyGW
IfDir             Traffic direction through interface:                           <, >
                  < - Outbound (sent by a Security Gateway)
                  > - Inbound (received by a Security Gateway)
InterfaceName     Name of the Security Gateway interface, on which this          eth0, daemon, N/A
                  traffic was logged. If a Security Gateway performed some
                  internal action (for example, log switch), then the log
                  entry shows daemon
LogId             Log ID                                                         0
Alert             Alert Type                                                     alert, mail, snmp_trap, spoof, user_alert,
                                                                                 user_auth
OriginSicName     SIC name of the Security Gateway that generated this log       CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x
inzone            Inbound Security Zone                                          Local
outzone           Outbound Security Zone                                         External
service_id        Name of the service used to inspect this connection            ftp
src               Object name or IP address of the connection's source           MyHost
                  computer
dst               Object name or IP address of the connection's destination      MyFTPServer
                  computer
proto             Name of the connection's protocol                              tcp
sport_svc         Source port of the connection                                  64933
ProductName       Name of the Check Point product that generated this log        VPN-1 & FireWall-1, Application Control,
                                                                                 FloodGate-1
ProductFamily     Name of the Check Point product family that generated this     Network
                  log
Examples

Example 1 - Show all log entries with both the date and the time for each log entry
fw log -l

Example 2 - Show all log entries that start after the specified timestamp
[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps
[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"
[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
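The -q layout of Example 5 is the one to script against, because every field carries its name. The parser below is an added example, not code from this guide or from Check Point: it turns such lines (the drop entry from Example 5 plus two lines constructed in the same layout) into nested dicts, keeps the UP_match_table rows so a drop can be tied back to its rule_uid, and counts actions; the function names are this example's own.

```python
"""Parse 'fw log -l -q' output (labelled 'key: value;' fields) into nested dicts.

Added example, not part of the Check Point guide. The first sample line is the
drop entry from Example 5 above; the other two are constructed in the same -q
layout after Examples 2 and 3. Runs offline without any Check Point software."""
from collections import Counter
from datetime import datetime

# Sample 'fw log -l -q' lines, written as adjacent string fragments for readability.
SAMPLE_LINES = [
    # Copied from Example 5 on this page (a drop entry with one matched rule row).
    "HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; "
    "LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; "
    "InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; "
    "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; "
    "outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; "
    "UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; "
    "layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; "
    "rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; "
    "UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; "
    "ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; "
    "sport_svc: 64933; ProductFamily: Network;",
    # Constructed: the accept entry of Example 2 rewritten in -q layout.
    "HeaderDateHour: 12Jun2018 12:33:00; ContentVersion: 5; HighLevelLogKey: <max_null>; "
    "LogUid: ; SequenceNum: 1; Flags: 428292; Action: accept; Origin: MyGW; IfDir: >; "
    "InterfaceName: N/A; Alert: ; LogId: <max_null>; ContextNum: <max_null>; "
    "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; "
    "fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; "
    "fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; "
    "ProductName: FG; ProductFamily: Network;",
    # Constructed: a control (ctl) entry whose 'reason' value itself contains colons and periods.
    "HeaderDateHour: 12Jun2018 12:33:45; ContentVersion: 5; HighLevelLogKey: <max_null>; "
    "LogUid: ; SequenceNum: 1; Flags: 428292; Action: ctl; Origin: MyGW; IfDir: >; "
    "InterfaceName: ; Alert: ; LogId: <max_null>; ContextNum: <max_null>; "
    "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; "
    "reason: Could not reach https://update.example.invalid:443/. Check DNS and Proxy "
    "configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; "
    "failure_impact: Contracts may be out-of-date; update_service: 1; "
    "ProductName: Security Gateway/Management; ProductFamily: Network;",
]


def parse_entry(line: str) -> dict:
    """Turn one -q output line into a dict. Fields are 'key: value' separated by '; '.
    A sub-table (UP_match_table, UP_action_table, ...) runs from TABLE_START to
    TABLE_END with ROW_START/ROW_END rows, and becomes a list of row dicts."""
    entry: dict = {}
    stack: list = []  # open tables: (name, rows, row that was being filled before)
    row = None        # row dict currently being filled, if any
    for segment in line.strip().rstrip(";").split("; "):
        key, sep, value = segment.partition(":")  # first colon only: values may contain ':'
        if not sep:
            raise ValueError(f"field without a key/value separator: {segment!r}")
        key, value = key.strip(), value.strip()
        if value == "TABLE_START":
            rows: list = []
            (entry if row is None else row)[key] = rows
            stack.append((key, rows, row))
            row = None
        elif value == "TABLE_END":
            if not stack or stack[-1][0] != key:
                raise ValueError(f"TABLE_END for {key!r} without a matching TABLE_START")
            _, _, row = stack.pop()
        elif key == "ROW_START" and stack:
            row = {}
            stack[-1][1].append(row)
        elif key == "ROW_END" and stack:
            row = None
        elif row is not None:
            row[key] = value
        else:
            entry[key] = value
    if stack:
        raise ValueError(f"unterminated table {stack[-1][0]!r}")
    return entry


def parse_log(lines) -> list:
    return [parse_entry(line) for line in lines if line.strip()]


def entry_time(entry: dict) -> datetime:
    """HeaderDateHour uses the '12Jun2018 12:56:42' layout from the field table above."""
    return datetime.strptime(entry["HeaderDateHour"], "%d%b%Y %H:%M:%S")


def action_counts(entries) -> dict:
    """How many entries carry each Action (accept, drop, ctl, ...)."""
    return dict(Counter(e.get("Action", "") for e in entries))


def dropped_by_rule(entries) -> list:
    """For every drop entry, one tuple per matched-rule row: who talked to whom over
    which service, and the rule_uid and layer that caused the drop."""
    hits = []
    for e in entries:
        if e.get("Action") != "drop":
            continue
        for rule in e.get("UP_match_table", []):
            hits.append((e["HeaderDateHour"], e.get("src"), e.get("dst"),
                         e.get("service_id"), rule.get("rule_uid"), rule.get("layer_name")))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LINES)
    print(action_counts(parsed))
    for hit in dropped_by_rule(parsed):
        print(hit)
```

Feed it the real output of fw log -l -q (one entry per line) instead of SAMPLE_LINES; the parser raises ValueError on a truncated table rather than silently returning a partial entry.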

fw logswitch
Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
- By default, this command switches the active Security log file - $FWDIR/log/fw.log
- You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch [-audit] [<Name of Switched Log>]
fw [-d] logswitch -h <Target> [[+ | -]<Name of Switched Log>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-audit
    Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).
    You can use this parameter only on a Management Server.

-h <Target>
    Specifies the remote computer, on which to switch the log.
    Notes:
    - The local and the remote computers must have established SIC trust.
    - The remote computer can be a Security Gateway, a Log Server, or a Security Management Server in High Availability deployment.
    - You can specify the remote managed computer by its main IP address or Object Name as configured in SmartConsole.

<Name of Switched Log>
    Specifies the name of the switched log file.
    Notes:
    - If you do not specify this parameter, then the default name is:
      <YYYY-MM-DD_HHMMSS>.log
      <YYYY-MM-DD_HHMMSS>.adtlog
      For example, 2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the switched log file is:
      <Specified_Log_Name>.log
      <Specified_Log_Name>.adtlog
    - The log switch operation fails if the specified name for the switched log matches the name of an existing log file.
    - The maximal length of the specified name of the switched log file is 230 characters.

+
    Specifies to copy the active log from the remote computer to the local computer.
    Notes:
    - If you specify the name of the switched log file, you must write it immediately after this + (plus) parameter.
    - The command copies the active log from the remote computer and saves it in the $FWDIR/log/ directory on the local computer.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command copies the log file from the remote computer, it compresses the file.

-
    Specifies to transfer the active log from the remote computer to the local computer.
    Notes:
    - The command saves the copied active log file in the $FWDIR/log/ directory on the local computer and then deletes the switched log file on the remote computer.
    - If you specify the name of the switched log file, you must write it immediately after this - (minus) parameter.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command transfers the log file from the remote computer, it compresses the file.
    - As an alternative, you can use the "fw fetchlogs" on page 247 command.

Compression
When this command transfers the log files from the remote computer, it compresses the file with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method. The compression ratio varies with the content of the log file and is difficult to predict. Binary data are not compressed. Text data, such as user names and URLs, are compressed.

Example - Switching the active Security log on a Security Management Server or Security
Gateway
[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server
[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

Example - Switching the active Security log on a managed Security Gateway and copying the switched log
[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

fw lslogs
Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog)
residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ...
[-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime | etime}]
[<Target>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File>
    Specifies the name of the log file to show. Specify only the file name.
    Notes:
    - If the log file name is not specified explicitly, the command shows all Security log files ($FWDIR/log/*.log).
    - File names may include * and ? as wildcards (for example, 2019-0?-*). If you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command. You must use the "-f" parameter for each log file name pattern:
      -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>

-e
    Shows an extended file list. It includes the following information for each log file:
    - Size - The total size of the log file and its related pointer files
    - Creation Time - The time the log file was created
    - Closing Time - The time the log file was closed
    - Log File Name - The file name

-r
    Reverses the sort order (descending order).

-s {name | size | stime | etime}
    Specifies the sort order of the log files using one of the following sort options:
    - name - The file name
    - size - The file size
    - stime - The time the log file was created (this is the default option)
    - etime - The time the log file was closed

<Target>
    Specifies the remote Check Point computer, with which this local Check Point computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point Computer as configured in SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"


Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 4 - Showing only log files specified by the patterns and their extended information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r


Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security Gateway with main
IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' 192.168.3.53


Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#

fw mergefiles
Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
- Do not merge the active Security file $FWDIR/log/fw.log with other Security switched log files. Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch" command) and only then merge it with other Security switched log files.
- Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit switched log files. Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch" command) and only then merge it with other Audit switched log files.
- This command unifies log entries with the same Unique-ID (UID). If you rotate the current active log file before all the segments of a specific log arrive, this command merges the records with the same Unique ID from two different files into one fully detailed record.
- If the size of the final merged log file exceeds 2GB, this command creates a list of merged files, where the size of each merged file is not more than 2GB. The user receives this warning:

  Warning: The size of the files you have chosen to merge is greater than 2GB. The merge will produce two or more files.

  The names of the merged files are:
  - <Name of Merged Log File>.log
  - <Name of Merged Log File>_1.log
  - <Name of Merged Log File>_2.log
  - ... ...
  - <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}

fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of Log File 1> <Name of Log File 2> ... <Name of Log File N> <Name of Merged Log File>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-r
    Removes duplicate entries.

-s
    Sorts the merged file by the Time field in log records.

-t <Time Conversion File>
    Specifies a full path and name of a file that instructs this command how to adjust the times during the merge.
    This is required if you merge log files from Log Servers configured with different time zones.
    The file format is:
      <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
      <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
      ... ...
    Notes:
    - You must specify the absolute path and the file name.
    - The name of the time conversion file cannot exceed 230 characters.

<Name of Log File 1> ... <Name of Log File N>
    Specifies the log files to merge.
    Notes:
    - You must specify the absolute path and the name of the input log files.
    - The name of the input log file cannot exceed 230 characters.

<Name of Merged Log File>
    Specifies the output merged log file.
    Notes:
    - The name of the merged log file cannot exceed 230 characters.
    - If a file with the specified name already exists, the command stops and asks you to remove the existing file, or to specify another name.
    - The size of the merged log file cannot exceed 2 GB. In such a scenario, the command creates several merged log files, each not exceeding the size limit.

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log $FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#

fw repairlog
Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases, with special pointer files.
If these log pointer files become corrupted (which makes the log file unreadable), this command can rebuild them.

Log File Type    Log File Location       Log Pointer Files
Security log     $FWDIR/log/*.log        *.logptr
                                         *.logaccount_ptr
                                         *.loginitial_ptr
                                         *.logLuuidDB
Audit log        $FWDIR/log/*.adtlog     *.adtlogptr
                                         *.adtlogaccount_ptr
                                         *.adtloginitial_ptr
                                         *.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file

fw repairlog -u 2019-06-17_000000.adtlog

fw sam
Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
- In SmartConsole from Monitoring Results
- In CLI with the fw sam command

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- See the "fw sam_policy" and "sam_alert" commands.
- SAM rules consume some CPU resources on Security Gateway.
  Best Practice - Set an expiration that gives you time to investigate, but does not affect performance. Keep only the SAM rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  This data log file contains the records in one of these formats:
    <type>,<actions>,<expire>,<ipaddr>
    <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
- SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
- IP Addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:
1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.

Syntax
- To add or cancel a SAM rule according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

- To delete all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

- To monitor all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

- To monitor SAM rules according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway, on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.

-S <SIC Name of SAM Server>
    Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.
    - For more information about enabling SIC, refer to the OPSEC API Specification.
    - On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway, on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or StandAlone.
    - Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
      Notes:
      - You can use this syntax only on Security Management Server or Domain Management Server.
      - VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
    - It is also possible to use this command for active SAM requests.

-C
    Cancels the fw sam command to inhibit connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds), during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for enforced action:
    - nolog - Does not generate Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:
    - This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
    - This action does not inhibit / close connections.

-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Each inhibited connection is logged according to the log type.
    - Matching connections are rejected.

-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.

-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    - Source IP Address
    - Source Netmask
    - Destination IP Address
    - Destination Netmask
    - Port (see IANA Service Name and Port Number Registry)
    - Protocol Number (see IANA Protocol Numbers)
    Possible combinations are (see the explanations below this table):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>

Explanation for the <Criteria> syntax

Parameter    Description

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.

subany <IP> <Netmask>
    Matches either the Source IP address or Destination IP address of connections according
    to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and
    Protocol.

subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and
    Protocol.
    Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, source netmask, destination netmask, Service (port
    number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches specific Source IP address, Destination IP, destination netmask, Service (port
    number) and Protocol.

dstsrv <Dest IP> <Service> <Protocol>
    Matches specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>
    Matches specific Destination IP address, Service (port number) and Protocol.
    Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address and protocol of connections.
    Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address and protocol of connections.
    Destination IP address is assigned according to the netmask.

generic <key=val>+
    Matches the GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    - service=gtp
    - imsi
    - msisdn
    - apn
    - tunl_dst
    - tunl_dport
    - tunl_proto
fw sam_policy

Description
Manages the Suspicious Activity Policy editor that lets you work with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 271
- "sam_alert" on page 370

Notes:
- You can run these commands interchangeably: 'fw sam_policy' and 'fw samp'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in
  SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an
expiration for rules that gives you time to investigate, but does not affect performance. Keep
only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the
Security Policy, educate users, or otherwise handle the risk.



Syntax for IPv4

fw [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Syntax for IPv6

fw6 [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw6 [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Parameters

Parameter    Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 282.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 295.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 297.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 300.



fw sam_policy add

Description
The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy add' and 'fw samp add'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in
  SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an
expiration for rules that gives you time to investigate, but does not affect performance. Keep
only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the
Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n "<Rule Name>"] [-c "<Rule Comment>"] [-o "<Rule Originator>"] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n "<Rule Name>"] [-c "<Rule Comment>"] [-o "<Rule Originator>"] [-z "<Zone>"] ip <IP Filter Arguments>



Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n "<Rule Name>"] [-c "<Rule Comment>"] [-o "<Rule Originator>"] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n "<Rule Name>"] [-c "<Rule Comment>"] [-o "<Rule Originator>"] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

Parameter    Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined.
    Default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed
    packets and connections do not count towards the overall number of packets and connections
    for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log



-t <Timeout>
    Optional.
    Specifies the time period (in seconds), during which the rule will be enforced.
    Default timeout is indefinite.

-f <Target>
    Optional.
    Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
    <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all
      managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be
      enforced only on this Security Gateway or Cluster object (the object name must be as
      defined in the SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security
      Gateways that are members of this Group object (the object name must be as defined in
      the SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash
      (\) character. Example:

      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash
      (\) character. Example:

      "This\ is\ a\ comment\ with\ a\ backslash\ \\"



-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash
      (\) character. Example:

      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these
    options):

    [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]

    See the explanations below.



quota <Quota Filter Arguments>
    Mandatory (use this quota parameter, or the ip parameter).
    Configures the Rate Limiting rule.
    Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations
    below):
    - [flush true]
    - [source-negated {true | false}] source <Source>
    - [destination-negated {true | false}] destination <Destination>
    - [service-negated {true | false}] service <Protocol and Port numbers>
    - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
    - [track <Track>]

    Important:
    - The Quota rules are not applied immediately to the Security Gateway. They are only
      registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the
      rules from the SAM policy database immediately, add "flush true" in the fw samp add
      command syntax.
    - Explanation:
      For new connections rate (and for any rate limiting in general), when a rule's limit is
      violated, the Security Gateway also drops all packets that match the rule.
      The Security Gateway computes new connection rates on a per-second basis.
      At the start of the 1-second timer, the Security Gateway allows all packets, including
      packets for existing connections.
      If, at some point during that 1-second period, there are too many new connections, then
      the Security Gateway blocks all remaining packets for the remainder of that 1-second
      interval.
      At the start of the next 1-second interval, the counters are reset, and the process
      starts over: the Security Gateway allows packets to pass again up to the point where the
      rule's limit is violated.

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

Argument    Description

-C
    Specifies that open connections should be closed.

-s <Source IP>
    Specifies the Source IP address.

-m <Source Mask>
    Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>
    Specifies the Destination IP address.

-M <Destination Mask>
    Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>
    Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>
    Specifies the protocol number (see IANA Protocol Numbers).



Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument    Description

flush true
    Specifies to compile and load the quota rule to the SecureXL immediately.

[source-negated {true | false}] source <Source>
    Specifies the source type and its value:
    - any
      The rule is applied to packets sent from all sources.
    - range:<IP Address>
      or
      range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent from:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent from:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the source IP addresses assigned to this country,
      based on the Geo IP database.
      The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the source IP addresses that are
      assigned to this organization, based on the Geo IP database.
      The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.

    Notes:
    - Default is: source-negated false
    - The source-negated true processes all source types, except the specified type.



[destination-negated {true | false}] destination <Destination>
    Specifies the destination type and its value:
    - any
      The rule is applied to packets sent to all destinations.
    - range:<IP Address>
      or
      range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent to:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent to:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the destination IP addresses assigned to this
      country, based on the Geo IP database.
      The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the destination IP addresses that
      are assigned to this organization, based on the Geo IP database.
      The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.

    Notes:
    - Default is: destination-negated false
    - The destination-negated true will process all destination types except the specified
      type.



[service-negated {true | false}] service <Protocol and Port numbers>
    Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service
    Name and Port Number Registry):
    - <Protocol>
      IP protocol number in the range 1-255
    - <Protocol Start>-<Protocol End>
      Range of IP protocol numbers
    - <Protocol>/<Port>
      IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535
    - <Protocol>/<Port Start>-<Port End>
      IP protocol number and range of TCP/UDP port numbers from 1 to 65535

    Notes:
    - Default is: service-negated false
    - The service-negated true will process all traffic except the traffic with the specified
      protocols and ports.



[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
    Specifies quota limits and their values.
    Note - Separate multiple quota limits with spaces.
    - concurrent-conns <Value>
      Specifies the maximal number of concurrent active connections that match this rule.
    - concurrent-conns-ratio <Value>
      Specifies the maximal ratio of the concurrent-conns value to the total number of active
      connections through the Security Gateway, expressed in parts per 65536 (formula:
      N / 65536).
    - pkt-rate <Value>
      Specifies the maximum number of packets per second that match this rule.
    - pkt-rate-ratio <Value>
      Specifies the maximal ratio of the pkt-rate value to the rate of all connections through
      the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - byte-rate <Value>
      Specifies the maximal total number of bytes per second in packets that match this rule.
    - byte-rate-ratio <Value>
      Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all
      connections through the Security Gateway, expressed in parts per 65536 (formula:
      N / 65536).
    - new-conn-rate <Value>
      Specifies the maximal number of connections per second that match the rule.
    - new-conn-rate-ratio <Value>
      Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per
      second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).



[track <Track>]
    Specifies the tracking option:
    - source
      Counts connections, packets, and bytes for specific source IP address, and not
      cumulatively for this rule.
    - source-service
      Counts connections, packets, and bytes for specific source IP address, and for specific
      IP protocol and destination port, and not cumulatively for this rule.

Examples

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
- This rule drops packets for all connections (-a d) that exceed the quota set by this rule,
  including packets for existing connections.
- This rule logs packets (-l r) that exceed the quota set by this rule.
- This rule will expire in 3600 seconds (-t 3600).
- This rule limits the rate of creation of new connections to 5 connections per second
  (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range
  172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
  Note - The limit of the total number of log entries per second is configured with the
  fwaccel dos config set -n <rate> command.
- This rule will be compiled and loaded on the SecureXL, together with other rules in the
  Suspicious Activity Monitoring (SAM) policy database immediately, because this rule includes
  the "flush true" parameter.



Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol
  number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country
  with the specified country code (cc:QQ).
- This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol
  number 1, 50-51, 6 port 443 and 17 port 53.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from source IPv6 addresses ::FFFF:C0A8:1100/120
  (cidr:[::FFFF:C0A8:1100]/120).
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:
- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 -
  172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l r parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that
  are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536 = ~1%
  (concurrent-conns-ratio 655) for any traffic (service any) except (source-negated true) the
  connections from the source IP addresses that are assigned to the country with the specified
  country code (cc:QQ).
- This rule counts connections, packets, and bytes for traffic only from sources that match
  this rule, and not cumulatively for this rule (track source).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.



fw sam_policy batch

Description
The 'fw sam_policy batch' and 'fw6 sam_policy batch' commands let you:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy batch' and 'fw samp batch'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in
  SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all of the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an
expiration for rules that gives you time to investigate, but does not affect performance. Keep
only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the
Security Policy, educate users, or otherwise handle the risk.

Procedure

1. Start the batch mode
   - For IPv4, run:
     fw sam_policy batch << EOF
   - For IPv6, run:
     fw6 sam_policy batch << EOF

2. Enter the applicable commands
   - Enter one "add" or "del" command on each line, on as many lines as necessary.
     Start each line with only the "add" or "del" parameter (not with "fw samp").
   - Use the same set of parameters and values as described in these commands:
     - fw sam_policy add
     - fw sam_policy del
   - Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

3. End the batch mode
   Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
[Expert@HostName]#
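Hand-written batch input is where the string rules from "fw sam_policy add" (double quotes, a backslash before every space and backslash, 128-character limit) and the bypass constraint (no log, no limits with -a b) usually go wrong. The following Python builder is an added example, not Check Point code and not something that runs fw itself: it renders "add" and "del" lines with the documented escaping, refuses the argument combinations the reference rules out, and assembles the heredoc shown in the procedure above so the result can be reviewed before it is pasted into the gateway shell. The assumption that the 128-character limit applies to the raw (unescaped) string is this example's own.

```python
"""Render reviewed `fw samp batch` input (added example, not Check Point code)."""

MAX_STRING_LEN = 128   # documented limit for the -n, -c, -o and -z strings
LIMIT_NAMES = {
    "concurrent-conns", "concurrent-conns-ratio", "pkt-rate", "pkt-rate-ratio",
    "byte-rate", "byte-rate-ratio", "new-conn-rate", "new-conn-rate-ratio",
}


def samp_quote(text):
    """Double-quote a -n/-c/-o/-z string, putting a backslash before each backslash and space."""
    if len(text) > MAX_STRING_LEN:   # assumption: the limit counts the raw string
        raise ValueError("string longer than 128 characters")
    return '"' + text.replace("\\", "\\\\").replace(" ", "\\ ") + '"'


def quota_add_line(action, source="any", service="any", limits=None, *, log=None,
                   timeout=None, comment=None, source_negated=False,
                   service_negated=False, flush=False):
    """One batch `add` line for a Rate Limiting (quota) rule.

    action is d (drop), n (notify) or b (bypass); limits maps limit names to values.
    """
    limits = dict(limits or {})
    if action not in ("d", "n", "b"):
        raise ValueError("action must be d, n or b")
    if action == "b" and (log is not None or limits):
        # Documented constraint: Bypass rules cannot have a log or limit specification.
        raise ValueError("bypass rules cannot have a log or limit specification")
    if log is not None and log not in ("r", "a"):
        raise ValueError("log must be r or a")
    unknown = set(limits) - LIMIT_NAMES
    if unknown:
        raise ValueError(f"unknown limit names: {sorted(unknown)}")
    if timeout is not None and timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")

    parts = ["add", "-a", action]
    if log is not None:
        parts += ["-l", log]
    if timeout is not None:
        parts += ["-t", str(timeout)]
    if comment is not None:
        parts += ["-c", samp_quote(comment)]
    parts.append("quota")
    if flush:
        parts += ["flush", "true"]
    if source_negated:
        parts += ["source-negated", "true"]
    parts += ["source", source]
    if service_negated:
        parts += ["service-negated", "true"]
    parts += ["service", service]
    for name, value in limits.items():
        parts += [name, str(value)]
    return " ".join(parts)


def del_line(rule_uid):
    """One batch `del` line for a UID as printed by `fw samp get`, e.g. '<a,b,c,d>'."""
    if not (rule_uid.startswith("<") and rule_uid.endswith(">")):
        raise ValueError("rule UID must be given with its angle brackets")
    return f"del {rule_uid}"


def batch_heredoc(lines, ipv6=False):
    """The complete shell snippet of the batch procedure, ready for review."""
    cmd = "fw6 samp batch" if ipv6 else "fw samp batch"
    return "\n".join([f"{cmd} << EOF", *lines, "EOF"]) + "\n"


def accepts(**kwargs):
    """True if quota_add_line accepts these arguments, False if it rejects them."""
    try:
        quota_add_line(**kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed rules mirroring the batch example on this page.
    lines = [
        quota_add_line("d", source="range:172.16.7.13-172.16.7.13",
                       limits={"new-conn-rate": 5}, log="r", timeout=3600,
                       comment="Limit conn rate to 5 conn/sec from these sources"),
        del_line("<501f6ef0,00000000,cb38a8c0,0a0afffe>"),   # UID from the page example
        quota_add_line("b", source="range:172.16.8.17-172.16.9.121", service="6/80"),
    ]
    print(batch_heredoc(lines), end="")
```

The builder deliberately emits a "flush true" only when asked, matching the reference's note that quota rules are otherwise only registered in the SAM policy database and not loaded into SecureXL until the next flush or policy load.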

fw sam_policy del

Description
The 'fw sam_policy del' and 'fw6 sam_policy del' commands let you:
- Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
- Delete one configured Rate Limiting rule at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy del' and 'fw samp del'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in
  SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an
expiration for rules that gives you time to investigate, but does not affect performance. Keep
only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the
Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'



Parameters

Parameter    Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

'<Rule UID>'
    Specifies the UID of the rule you wish to delete.
    Important:
    - The quote marks and angle brackets ('<...>') are mandatory.
    - To see the Rule UID, run the "fw sam_policy get" command.

Procedure

1. List all the existing rules in the Suspicious Activity Monitoring policy database
   - For IPv4, run:
     fw sam_policy get
   - For IPv6, run:
     fw6 sam_policy get

   The rules show in this format:

   operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log=... name=... comment=... originator=... src_ip_addr=... req_tpe=...

   Example for IPv4:

   operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip



2. Delete a rule from the list by its UID
   - For IPv4, run:
     fw [-d] sam_policy del '<Rule UID>'
   - For IPv6, run:
     fw6 [-d] sam_policy del '<Rule UID>'

   Example for IPv4:

   fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule
   - For IPv4, run:
     fw samp add -t 2 quota flush true
   - For IPv6, run:
     fw6 samp add -t 2 quota flush true

   Explanation:
   The fw samp del and fw6 samp del commands only remove a rule from the persistent database.
   The Security Gateway continues to enforce the deleted rule until the next time you compile
   and load a policy. To force the rule deletion immediately, you must enter a flush-only add
   rule right after the fw samp del or fw6 samp del command. This flush-only add rule
   immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

   Best Practice - Specify a short timeout period for the flush-only rules. This prevents
   accumulation of obsolete rules in the database.



fw sam_policy get

Description
The 'fw sam_policy get' and 'fw6 sam_policy get' commands let you:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- You can run these commands interchangeably: 'fw sam_policy get' and 'fw samp get'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in
  SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an
expiration for rules that gives you time to investigate, but does not affect performance. Keep
only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the
Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]



Parameters
Note - All these parameters are optional.

Parameter    Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

-l
    Controls how to print the rules:
    - In the default format (without "-l"), the output shows each rule on a separate line.
    - In the list format (with "-l"), the output shows each parameter of a rule on a separate
      line.
    - See the "fw sam_policy add" command.

-u '<Rule UID>'
    Prints the rule specified by its Rule UID or its zero-based rule index.
    The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'
    Prints the rules with the specified predicate key.
    The quote marks are mandatory.

-t <Type>
    Prints the rules with the specified predicate type.
    For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}
    Prints the rules with the specified predicate values.
    The quote marks are mandatory.

-n
    Negates the condition specified by these predicate parameters:
    - -k
    - -t
    - +-v

Examples

Example 1 - Output in the default format

[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 2 - Output in the list format


[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID

[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#

fwm
Description
Performs various management operations and shows various management information.

Notes:
• For debug instructions, see the description of the fwm process in sk97638.
• On a Multi-Domain Server, you must run these commands in the context of the applicable Domain Management Server.

Syntax

fwm [-d]
      dbload <options>
      exportcert <options>
      fetchfile <options>
      fingerprint <options>
      getpcap <options>
      ikecrypt <options>
      load [<options>]
      logexport <options>
      mds <options>
      printcert <options>
      sic_reset
      snmp_trap <options>
      unload [<options>]
      ver [<options>]
      verify <options>

Parameters

Parameter          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

dbload <options>
    Downloads the user database and network objects information to the specified targets.
    See "fwm dbload" on page 307.

exportcert <options>
    Exports a SIC certificate of the specified object to a file.
    See "fwm exportcert" on page 309.

fetchfile <options>
    Fetches a specified OPSEC configuration file from the specified source computer.
    See "fwm fetchfile" on page 310.

fingerprint <options>
    Shows the Check Point fingerprint.
    See "fwm fingerprint" on page 311.

getpcap <options>
    Fetches the IPS packet capture data from the specified Security Gateway.
    See "fwm getpcap" on page 313.

ikecrypt <options>
    Encrypts a secret with a key.
    See "fwm ikecrypt" on page 315.

load <options>
    This command is obsolete for R80 and above.
    Use the "mgmt_cli" on page 358 command to load a policy to a managed Security Gateway.
    See "fwm load" on page 316.

logexport <options>
    Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.
    See "fwm logexport" on page 317.

mds <options>
    Shows information and performs various operations on Multi-Domain Server.
    See "fwm mds" on page 322.

printcert <options>
    Shows a SIC certificate's details.
    See "fwm printcert" on page 324.

sic_reset
    Resets SIC on the Management Server.
    See "fwm sic_reset" on page 329.

snmp_trap <options>
    Sends an SNMP Trap to the specified host.
    See "fwm snmp_trap" on page 330.

unload <options>
    Unloads the policy from the specified managed Security Gateways.
    See "fwm unload" on page 333.

ver <options>
    Shows the Check Point version of the Management Server.
    See "fwm ver" on page 337.

verify <options>
    This command is obsolete for R80 and above.
    Use the "mgmt_cli" on page 358 command to verify a policy.
    See "fwm verify" on page 338.

fwm dbload
Description
Downloads the user database and network objects information to the specified Security Gateways.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] dbload


      -a
      -c <Configuration File>
      <GW1> <GW2> ... <GWN>

Parameters

Parameter          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-a
    Executes commands on all targets specified in the default system configuration file - $FWDIR/conf/sys.conf.
    Note - You must manually create this file.

-c <Configuration File>
    Specifies the OPSEC configuration file to use.
    Note - You must manually create this file.

<GW1> <GW2> ... <GWN>
    Executes commands on the specified Security Gateways.
    Notes:
    • Enter the main IP address or Name of the Security Gateway object as configured in SmartConsole.
    • If you do not explicitly specify the Security Gateway, the database is downloaded to localhost.

fwm exportcert
Description
Exports a SIC certificate of the specified managed object to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file <Output File> [-withroot] [-pem]

Parameters

Parameter          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<Name of Object>
    Specifies the name of the managed object, whose certificate you wish to export.

<Name of CA>
    Specifies the name of the Certificate Authority, whose certificate you wish to export.

<Output File>
    Specifies the name of the output file.

-withroot
    Exports the certificate's root in addition to the certificate's content.

-pem
    Saves the exported information in a text file.
    Default is to save in a binary file.

fwm fetchfile
Description
Fetches a specified OPSEC configuration file from the specified source computer.
This command supports only the fwopsec.conf or fwopsec.v4x files.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

Parameters

Parameter          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-r <File>
    Specifies the file to fetch, as a path relative to the fw1 directory.
    This command supports only these files:
    • conf/fwopsec.conf
    • conf/fwopsec.v4x

-d <Local Path>
    Specifies the local directory in which to save the fetched file.

<Source>
    Specifies the managed remote source computer, from which to fetch the file.
    Note - The local and the remote source computers must have established SIC trust.

Example

[Expert@MGMT:0]# fwm fetchfile -r "conf/fwopsec.conf" -d /tmp 192.168.3.52


Fetching conf/fwopsec.conf from 192.168.3.52...
Done
[Expert@MGMT:0]#

fwm fingerprint
Description
Shows the Check Point fingerprint.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fingerprint [-d]


      <IP address of Target> <SSL Port>
      localhost <SSL Port>

Parameters

Parameter          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    The debug options are:
    • fwm -d
      Runs the complete debug of all fwm actions.
      For complete debug instructions, see the description of the fwm process in sk97638.
    • fingerprint -d
      Runs the debug only for the fingerprint actions.

<IP address of Target>
    Specifies the IP address of a remote managed computer.

<SSL Port>
    Specifies the SSL port number.
    The default is 443.

Example 1 - Showing the fingerprint on the local Management Server

[Expert@MGMT:0]# fwm fingerprint localhost 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

Example 2 - Showing the fingerprint from a managed Security Gateway

[Expert@MGMT:0]# fwm fingerprint 192.168.3.52 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.52,L=Locality Name (eg\, city)
#FINGER 5C:8E:4D:B9:B4:3A:58:F3:79:18:F1:70:99:8B:5F:2B
##
[Expert@MGMT:0]#

fwm getpcap
Description
Fetches the IPS packet capture data from the specified Security Gateway.
This command works only with IPS packet captures stored on the Security Gateway in the $FWDIR/log/captures_repository/ directory.
This command does not work with other Software Blades, such as Anti-Bot and Anti-Virus, which store packet captures in the $FWDIR/log/blob/ directory on the Security Gateway.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p <Local Path>

Parameters

Parameter          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-g <Security Gateway>
    Specifies the main IP address or Name of the Security Gateway object as configured in SmartConsole.

-u '{<Capture UID>}'
    Specifies the Unique ID of the packet capture file.
    To see the Unique ID of the packet capture file, open the applicable log file in SmartConsole > Logs & Monitor > Logs.

-p <Local Path>
    Specifies the local path to save the specified packet capture file.
    If you do not specify the local directory explicitly, the command saves the packet capture file in the current working directory.

Example

[Expert@MGMT:0]# fwm getpcap -g 192.168.162.1 -u '{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}' /var/log/


[Expert@MGMT:0]#

fwm ikecrypt
Description
Encrypts the password of an Endpoint VPN Client user using IKE. The resulting string must then be stored
in the LDAP database.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ikecrypt <Key> <Password>

Parameters

Parameter          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<Key>
    Specifies the IKE Key as defined in the LDAP Account Unit properties window on the Encryption tab.

<Password>
    Specifies the password for the Endpoint VPN Client user.

Example

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword


OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#

fwm load
Description
Loads a policy on a managed Security Gateway.

Important - This command is obsolete for R80 and above. Use the "mgmt_cli" on
page 358 command to load a policy on a managed Security Gateway.

fwm logexport
Description
Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an
ASCII file.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm logexport -h

fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>] [-i <Input File>] [-o <Output File>] [{-f | -e}] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-n] [-p] [-a] [-u <Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

Parameter          Description

-h
    Shows the built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

{-d <Delimiter> | -s}
    Specifies the output delimiter between fields of log entries:
    • -d <Delimiter> - Uses the specified delimiter.
    • -s - Uses the ASCII character #255 (non-breaking space) as the delimiter.
    Note - If you do not specify the delimiter explicitly, the default is a semicolon (;).

-t <Table Delimiter>
    Specifies the output delimiter inside a table field.
    A table field looks like:
    ROWx:COL0,ROWx:COL1,ROWx:COL2, and so on
    Note - If you do not specify the table delimiter explicitly, the default is a comma (,).

-i <Input File>
    Specifies the name of the input log file.
    Notes:
    • This command supports only Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog).
    • If you do not specify the input log file explicitly, the command processes the active Security log file $FWDIR/log/fw.log.

-o <Output File>
    Specifies the name of the output file.
    Note - If you do not specify the output file explicitly, the command prints its output on the screen.

-f
    After reaching the end of the currently opened log file, continues to monitor the log file indefinitely and exports the new entries as well.
    Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-e
    After reaching the end of the currently opened log file, continues to monitor the log file indefinitely and exports the new entries as well.
    Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-x <Start Entry Number>
    Starts exporting the log entries from the specified log entry number onward, counting from the beginning of the log file.

-y <End Entry Number>
    Exports the log entries up to the specified log entry number, counting from the beginning of the log file.

-z
    In case of an error (for example, a wrong field value), continues the export of log entries.
    The default behavior is to stop.

-n
    Specifies not to perform DNS resolution of the IP addresses in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-p
    Specifies not to perform resolution of the port numbers in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-a
    Exports only Account log entries.

-u <Unification Scheme File>
    Specifies the path and name of the log unification scheme file.
    The default log unification scheme file is: $FWDIR/conf/log_unification_scheme.C

-m {initial | semi | raw}
    Specifies the log unification mode:
    • initial - Complete unification of log entries. The command exports one unified log entry for each ID. This is the default.
      If you also specify the "-f" parameter, then the output does not export any updates, but exports only entries that relate to the start of new connections. To export updates as well, use the "semi" parameter.
    • semi - Step-by-step unification of log entries. For each log entry, exports an entry that unifies this entry with all previously encountered entries with the same ID.
    • raw - No log unification. Exports all log entries.

The output of the fwm logexport command appears in tabular format.
The first row lists the names of all log fields included in the log entries.
Each of the next rows consists of a single log entry, whose fields are sorted in the same order as the first row.
If a log entry has no information in a specific field, this field remains empty (as indicated by two successive semicolons ";;").

You can control which log fields appear in the output of the command:

Step   Description

1      Create the $FWDIR/conf/logexport.ini file:

       [Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini

2      Edit the $FWDIR/conf/logexport.ini file:

       [Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

3      To include or exclude the log fields from the output, add these lines in the configuration file:

       [Fields_Info]
       included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
       excluded_fields = field10,field11

       Where:
       • You can specify only the included_fields parameter, only the excluded_fields parameter, or both.
       • The num field must always appear first. You cannot manipulate this field.
       • The <REST_OF_FIELDS> is an optional reserved token that refers to a list of fields.
         - If you specify the "-f" parameter, then the <REST_OF_FIELDS> is based on a list of fields from the $FWDIR/conf/logexport_default.C file.
         - If you do not specify the "-f" parameter, then the <REST_OF_FIELDS> is based on the input log file.

4      Save the changes in the file and exit the Vi editor.

5      Export the logs:

       fwm logexport <options>
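The output format described above (a delimited header row, one entry per row, ";;" for an empty field) and the logexport.ini field-selection rules can be checked offline. The following Python script is an added example, not part of this guide or of the product: it parses a constructed fwm logexport output, reads a constructed [Fields_Info] section, computes the resulting column order, and applies the -x/-y entry range; the exact way <REST_OF_FIELDS> expands and interacts with excluded_fields is an assumption stated in the code.

```python
import configparser
from typing import Dict, List, Tuple

REST_OF_FIELDS = "<REST_OF_FIELDS>"

# Constructed sample of "fwm logexport" output (a subset of the fields shown in
# Example 1 of this section); not captured from a Management Server.
SAMPLE_EXPORT = """\
Starting... There are 3 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;description;status
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;Contracts;Started
"""

# Constructed $FWDIR/conf/logexport.ini using the [Fields_Info] format from
# the procedure above.
SAMPLE_INI = """\
[Fields_Info]
included_fields = num,type,action,<REST_OF_FIELDS>
excluded_fields = alert,i/f_name
"""


def parse_logexport(text: str, delimiter: str = ";") -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (header, records). Lines before the header row ("num;...") are
    status messages and are skipped; two adjacent delimiters yield ''."""
    lines = iter(text.splitlines())
    header: List[str] = []
    for line in lines:
        if line.startswith("num" + delimiter):
            header = line.split(delimiter)
            break
    if not header:
        raise ValueError("no header row found")
    records: List[Dict[str, str]] = []
    for line in lines:  # continues after the header row
        if not line.strip():
            continue
        values = line.split(delimiter)
        if len(values) != len(header):
            raise ValueError(f"entry {values[0]!r}: {len(values)} fields, expected {len(header)}")
        records.append(dict(zip(header, values)))
    return header, records


def parse_fields_info(ini_text: str) -> Tuple[List[str], List[str]]:
    """Read included_fields / excluded_fields from the [Fields_Info] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)

    def split(raw: str) -> List[str]:
        return [f.strip() for f in raw.split(",") if f.strip()]

    return (split(cp.get("Fields_Info", "included_fields", fallback="")),
            split(cp.get("Fields_Info", "excluded_fields", fallback="")))


def select_fields(header: List[str], included: List[str], excluded: List[str]) -> List[str]:
    """Compute the output column order from the field-selection settings.

    Assumption about the exact semantics: included_fields fixes the order,
    <REST_OF_FIELDS> expands to every header field not named explicitly,
    excluded_fields are then dropped, and 'num' is always forced first.
    """
    included = included or [REST_OF_FIELDS]
    explicit = {f for f in included if f != REST_OF_FIELDS}
    order: List[str] = []
    for f in included:
        if f == REST_OF_FIELDS:
            order.extend(h for h in header if h not in explicit)
        elif f in header:
            order.append(f)
    dropped = set(excluded)
    result = [f for f in order if f not in dropped and f != "num"]
    result = list(dict.fromkeys(result))  # de-duplicate, keep order
    return ["num"] + result if "num" in header else result


def entries_in_range(records: List[Dict[str, str]], start: int, end: int) -> List[Dict[str, str]]:
    """Emulate '-x <Start Entry Number> -y <End Entry Number>' on the num field."""
    return [r for r in records if start <= int(r["num"]) <= end]


def project(records: List[Dict[str, str]], fields: List[str]) -> List[List[str]]:
    """Render records as rows restricted to the selected fields."""
    return [[r.get(f, "") for f in fields] for r in records]


if __name__ == "__main__":
    header, records = parse_logexport(SAMPLE_EXPORT)
    inc, exc = parse_fields_info(SAMPLE_INI)
    fields = select_fields(header, inc, exc)
    print(";".join(fields))
    for row in project(entries_in_range(records, 1, 36), fields):
        print(";".join(row))
```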

Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file has been switched to: MyLog.log;Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#

fwm mds
Description
• Shows the Check Point version of the Multi-Domain Server.
• Rebuilds status tree for Global VPN Communities.

Note - On a Multi-Domain Server, you can run this command:
• In the context of the MDS:

  mdsenv

• In the context of a Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] mds


      ver
      rebuild_global_communities_status {all | missing}

Parameters

Parameter          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

ver
    Shows the Check Point version of the Multi-Domain Server.

rebuild_global_communities_status
    Rebuilds status tree for Global VPN Communities:
    • all - Rebuilds status tree for all Global VPN Communities.
    • missing - Rebuilds status tree only for Global VPN Communities that do not have status trees.

Example

[Expert@MDS:0]# fwm mds ver


This is Check Point Multi-Domain Security Management R80.40 - Build 11
[Expert@MDS:0]#

fwm printcert
Description
Shows a SIC certificate's details.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] printcert


      -obj <Name of Object> [-cert <Certificate Nick Name>] [-verbose]
      -ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
      -f <Name of Binary Certificate File> [-verbose]

Parameters

Item          Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-obj <Name of Object>
    Specifies the name of the managed object, for which to show the SIC certificate information.

-cert <Certificate Nick Name>
    Specifies the certificate nick name.

-ca <CA Name>
    Specifies the name of the Certificate Authority.
    Note - Check Point CA Name is internal_ca.

-x509 <Name of File>
    Specifies the name of the X.509 file.

-p
    Specifies to show the SIC certificate as a text file.

-f <Name of Binary Certificate File>
    Specifies the binary SIC certificate file to show.

-verbose
    Shows the information in verbose mode.

Examples

Example 1 - Showing the SIC certificate of a Management Server


[Expert@MGMT:0]# fwm printcert -ca internal_ca
Subject: O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Apr 8 13:41:00 2018 Local Time
Not Valid After: Fri Jan 1 05:14:07 2038 Local Time
Serial No.: 1
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint:
is CA
MD5 Fingerprint:
7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM
[Expert@MGMT:0]#

Example 2 - Showing the SIC certificate of a Management Server in verbose mode


[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: called
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: closing existing database
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] do_links_getver: strncmp failed. Returning -2
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] db_fetchkey: entering
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] PubKey:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Modulus:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45 f1 00 04 bc
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be db 75 cc c8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c2 6d ff 3e aa fe f1 2b c3 0a b0 a2 a5 e0 a8 ab 45 cd 87 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ac c6 9f a4 a9 ba 30 79 08 fa 59 4c d2 dc 3d 36 ca 17 d7 c1
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] b2 a2 41 f5 89 0f 00 d4 2d f2 55 d2 30 a5 32 c7 46 7a 6b 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 29 0f 53 9f 35 42 91 e5 7d f7 30 6d bc b3 f2 ae f3 f0 ed 88
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c4 d7 7d 0c 2d f6 5f c8 ed 9f 9a 57 54 79 d0 0f 0b 2f 9c 0d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 94 2e f0 f4 66 62 f7 ae 2e f8 8e 90 08 ba 63 85 b6 46 2f b7
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a7 01 29 9a 14 58 a8 ef eb 07 17 4e 95 8b 2f 48 5f d3 18 10
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 00 d5 03 d7 fd 45 45 ca 67 5b 34 be b8 00 ae ea 9a cd 50
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] d6 e7 a2 81 86 78 11 d7 bf 04 9f 8b 43 3f f7 36 5f ed 31 a8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50 01 0f 86 9d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Exponent: 65537 (0x10001)
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52]
X509 Certificate Version 3
refCount: 1
Serial Number: 1
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy


[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MGMT:0]#

Example 3 - Showing the SIC certificate of a managed Cluster object


[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.3.244
CRL distribution points:
http://192.168.3.240:18264/ICA_CRL2.crl
CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
[Expert@MGMT:0]#

Example 4 - Showing the SIC certificate of a managed Cluster object in verbose mode
[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: called
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: closing existing database
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] do_links_getver: strncmp failed. Returning -2

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering


[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 1 certificates
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] PubKey:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Modulus:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] df 35 c3 45 ca 42 16 6e 21 9e 31 af c1 fd 20 0a 3d 5b 6f 5d
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] e0 a2 0c 0e fa fa 5e e5 91 9d 4e 73 77 fa db 86 0b 5e 5d 0c
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] ce af 4a a4 7b 30 ed b0 43 7d d8 93 c5 4b 01 f4 3d b5 d8 f4
... ... ...
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 34 b1 db ac 18 4f 11 bd d2 fb 26 7d 23 74 5c d9 00 a1 58 1e
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 60 7c 83 44 fa 1e 1e 86 fa ad 98 f7 df 24 4a 21
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Exponent: 65537 (0x10001)
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45]
X509 Certificate Version 3
refCount: 1
Serial Number: 85021
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Jun 3 19:58:19 2018 Local Time
Not valid after: Sat Jun 3 19:58:19 2023 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Subject Alternate names:
IP: 192.168.3.244
Basic Constraint:
not CA
CRL distribution Points:
URI: http://192.168.3.240:18264/ICA_CRL2.crl
DN: CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy


[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager: called.
*****
[Expert@MGMT:0]#

fwm sic_reset
Description
Resets SIC on the Management Server.
For the detailed procedure, see sk65764: How to reset SIC.

Warning:
- Before you run this command, take a Gaia Snapshot and a full backup of the Management Server. This command resets SIC between the Management Server and all its managed objects.
- This operation breaks trust in all Internal CA certificates and SIC trust across the managed environment. Therefore, we do not recommend it at all, except for real disaster recovery.

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] sic_reset

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

fwm snmp_trap
Description
Sends an SNMPv1 Trap to the specified host.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- On a Multi-Domain Server, the SNMP Trap packet is sent from the IP address of the Leading Interface.

Syntax

fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s <Specific Trap Number>] [-p <Source Port>] [-c <SNMP Community>] <Target> ["<Message>"]

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-v <SNMP OID>
    Specifies an optional SNMP OID to bind with the message.

-g <Generic Trap Number>
    Specifies the generic trap number. One of these values:
    - 0 - For coldStart trap
    - 1 - For warmStart trap
    - 2 - For linkDown trap
    - 3 - For linkUp trap
    - 4 - For authenticationFailure trap
    - 5 - For egpNeighborLoss trap
    - 6 - For enterpriseSpecific trap (this is the default value)

-s <Specific Trap Number>
    Specifies the unique trap type. Valid only if the generic trap value is 6 (for enterpriseSpecific). Default value is 0.

-p <Source Port>
    Specifies the source port, from which to send the SNMP Trap packets.

-c <SNMP Community>
    Specifies the SNMP community.

<Target>
    Specifies the managed target host, to which to send the SNMP Trap packets. Enter an IP address or a resolvable hostname.

"<Message>"
    Specifies the SNMP Trap text message.

Example - Sending an SNMP Trap from a Management Server and capturing the traffic on the Security Gateway

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public 192.168.3.52 "My Trap Message"


[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host 192.168.3.51


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:49:43.891287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 103)
192.168.3.51.53450 > MyGW_192.168.3.52.snmptrap: [udp sum ok] { SNMPv1 { Trap(58) E:2620.1.1 192.168.3.240
linkDown 1486440 E:2620.1.1.11.0="My Trap Message" } }
Pressed CTRL+C

[Expert@MyGW_192.168.3.52:0]#
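The capture above shows every field of the trap in cleartext. The following added example (not Check Point code) builds the same RFC 1157 SNMPv1 Trap-PDU from the command's parameters with a small BER encoder, so the effect of -g, -s, -c and the message can be seen in the bytes; the enterprise OID, agent address, uptime and varbind OID are the values visible in the tcpdump output, the tags and field order follow RFC 1157, and everything else is constructed.

```python
"""What `fwm snmp_trap -g 2 -c public <Target> "My Trap Message"` puts on the wire.

Added example, not Check Point code: a minimal BER encoder for the SNMPv1
Trap-PDU of RFC 1157. The enterprise OID 1.3.6.1.4.1.2620.1.1, the agent
address 192.168.3.240, the uptime 1486440 and the varbind OID
1.3.6.1.4.1.2620.1.1.11.0 are the values visible in the tcpdump capture on
this page; the field order and tags follow RFC 1157, everything else is
constructed.
"""
from __future__ import annotations
import ipaddress
import re

# Generic trap numbers accepted by -g (RFC 1157 generic-trap).
GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss",
                 6: "enterpriseSpecific"}


def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value wrapper used for every element below."""
    return bytes([tag]) + ber_length(len(value)) + value


def encode_int(value: int, tag: int = 0x02) -> bytes:
    """Minimal-length two's-complement INTEGER (0x02) or TimeTicks (0x43)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(tag, value.to_bytes(size, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, later arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return tlv(0x06, bytes(body))


def build_trap_v1(community: str, enterprise: str, agent_addr: str, generic: int,
                  specific: int, uptime: int, varbinds: list[tuple[str, str]]) -> bytes:
    """Message { version 0, community OCTET STRING, Trap-PDU [4] { ... } }."""
    if generic not in GENERIC_TRAPS:
        raise ValueError(f"generic trap must be 0..6, got {generic}")
    if generic != 6 and specific != 0:
        raise ValueError("-s is valid only with generic trap 6 (enterpriseSpecific)")
    vb_list = b"".join(tlv(0x30, encode_oid(oid) + tlv(0x04, val.encode()))
                       for oid, val in varbinds)
    pdu = (encode_oid(enterprise)
           + tlv(0x40, ipaddress.IPv4Address(agent_addr).packed)  # IpAddress [APPLICATION 0]
           + encode_int(generic)                                   # generic-trap
           + encode_int(specific)                                  # specific-trap
           + encode_int(uptime, tag=0x43)                          # TimeTicks [APPLICATION 3]
           + tlv(0x30, vb_list))                                   # VarBindList
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))


def cleartext_strings(datagram: bytes, min_len: int = 5) -> list[str]:
    """Printable runs in the datagram. SNMPv1 has no authentication or encryption,
    so the community string and the message are readable by anyone who captures
    the UDP packet, exactly as in the tcpdump output on this page."""
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, datagram)]


def page_capture_trap() -> bytes:
    """The trap from this page's example: generic 2 (linkDown), community public."""
    return build_trap_v1("public", "1.3.6.1.4.1.2620.1.1", "192.168.3.240",
                         generic=2, specific=0, uptime=1486440,
                         varbinds=[("1.3.6.1.4.1.2620.1.1.11.0", "My Trap Message")])


if __name__ == "__main__":
    pkt = page_capture_trap()
    print(f"{len(pkt)} bytes: {pkt.hex()}")
    print("readable on the wire:", cleartext_strings(pkt))
```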

fwm unload
Description
Unloads the policy from the specified managed Security Gateways or Cluster Members.

Warning:
1. The fwm unload command prevents all traffic from passing through the Security Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the specified Security Gateway (Cluster Member).
2. The fwm unload command removes all policies from the specified Security Gateway (Cluster Member). This means that the Security Gateway (Cluster Member) accepts all incoming connections destined to all active interfaces without any filtering or protection enabled.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

- If you need to remove the current policy, but keep the Security Gateway (Cluster Member) protected, then run the "comp_init_policy" on page 871 command on the Security Gateway (Cluster Member).
- To load the policies on the Security Gateway (Cluster Member), run one of these commands on the Security Gateway (Cluster Member), or reboot:
  - "fw fetch" on page 998
  - "cpstart" on page 911
- In addition, see the "fw unloadlocal" on page 1100 command.

Syntax

fwm [-d] unload <GW1> <GW2> ... <GWN>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<GW1> <GW2> ... <GWN>
    Specifies the managed Security Gateways by their main IP address or Object Name as configured in SmartConsole.

Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#
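The two outputs above are what distinguishes an unloaded gateway from an enforcing one. As an added defender-side check (not a Check Point tool), the following Python parses them and reports the gateway state; the sample outputs are constructed from the before/after output on this page, and the label names are this example's own.

```python
"""Check whether a gateway is in the state that `fwm unload` leaves behind:
no policy in `cpstat -f policy fw` and all net.ipv4/ipv6 forwarding sysctls
at 0, meaning it neither filters nor routes.

Added example, not a Check Point tool. The two command outputs are
constructed from the before/after output on this page; in practice they
are collected from the gateway (for example by a monitoring job) and fed in.
"""
from __future__ import annotations
import re

CPSTAT_UNLOADED = """Product name: Firewall
Policy name:
Policy install time:
"""
CPSTAT_ENFORCING = """Product name: Firewall
Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
"""
SYSCTL_UNLOADED = """net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
"""
SYSCTL_ENFORCING = """net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
"""


def policy_name(cpstat_output: str) -> str | None:
    """'Policy name:' value; '' when no policy is loaded, None when the field is missing."""
    m = re.search(r"^Policy name:[ \t]*(.*)$", cpstat_output, re.M)
    return m.group(1).strip() if m else None


def forwarding_flags(sysctl_output: str) -> dict[str, bool]:
    """{'ipv4/eth0': True, ...} from net.<family>.conf.<interface>.forwarding lines.
    mc_forwarding keys are deliberately not matched (they are 0 in both states)."""
    pattern = r"^net\.(ipv[46])\.conf\.([^.\s]+)\.forwarding\s*=\s*(\d+)$"
    return {f"{fam}/{ifc}": val != "0"
            for fam, ifc, val in re.findall(pattern, sysctl_output, re.M)}


def assess_gateway(cpstat_output: str, sysctl_output: str) -> str:
    """UNLOADED: no policy and forwarding off everywhere (the fwm unload state).
    ENFORCING: a policy is loaded and forwarding is on.
    INCONSISTENT: any mix, e.g. no policy but forwarding still on; alert on it.
    UNKNOWN: one of the outputs could not be parsed."""
    name = policy_name(cpstat_output)
    flags = forwarding_flags(sysctl_output)
    if name is None or not flags:
        return "UNKNOWN"
    forwarding = any(flags.values())
    if name == "" and not forwarding:
        return "UNLOADED"
    if name and forwarding:
        return "ENFORCING"
    return "INCONSISTENT"


if __name__ == "__main__":
    print("before fwm unload:", assess_gateway(CPSTAT_ENFORCING, SYSCTL_ENFORCING))
    print("after fwm unload: ", assess_gateway(CPSTAT_UNLOADED, SYSCTL_UNLOADED))
```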

fwm ver
Description
Shows the Check Point version of the Security Management Server.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS:

  mdsenv

- In the context of a Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ver [-f <Output File>]

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-f <Output File>
    Specifies the name of the output file, in which to save this information.

Example

[Expert@MGMT:0]# fwm ver


This is Check Point Security Management Server R80.40 - Build 11
[Expert@MGMT:0]#

fwm verify

Important - This command is obsolete for R80 and above. Use the "mgmt_cli" on page 358 command to verify a policy on a managed Security Gateway.

Description
Verifies the specified policy package without installing it.

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] verify <Policy Name>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<Policy Name>
    Specifies the name of the policy package as configured in SmartConsole.

Example

[Expert@MGMT:0]# fwm verify Standard


Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#

inet_alert
Description
Notifies an Internet Service Provider (ISP) when a company's corporate network is under attack. This
command forwards log messages generated by the alert daemon on your Check Point Security Gateway
to an external Management Station. This external Management Station is usually located at the ISP site.
The ISP can then analyze the alert and react accordingly.
This command uses the Event Logging API (ELA) protocol to send the alerts. The Management Station
receiving the alert must be running the ELA Proxy.
If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must be
performed between the external Management Station running the ELA Proxy at the ISP site and the Check
Point Security Gateway generating the alert.

Procedure

1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server, which manages the applicable Security Gateway that should forward log messages to an external Management Station.
2. From the top left Menu, click Global properties.
3. Click on the [+] near the Log and Alert and click Alerts.
4. Clear the Send user defined alert no. 1 to SmartView Monitor.
5. Select the next option Run UserDefined script under the above.
6. Enter the applicable inet_alert syntax (see the Syntax section below).
7. Click OK.
8. Install the Access Policy on the applicable Security Gateway.

Syntax

inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f <Token> <Value>] [-m <Alert Type>]

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Parameters

-s <IP Address>
    The IPv4 address of the ELA Proxy (usually located at the ISP site).

-o
    Prints the alert log received to stdout. Use this option when inet_alert is part of a pipe syntax (<some command> | inet_alert ...).

-a <Auth Type>
    Specifies the type of connection to the ELA Proxy. One of these values:
    - ssl_opsec - The connection is authenticated and encrypted (this is the default).
    - auth_opsec - The connection is authenticated.
    - clear - The connection is neither authenticated, nor encrypted.

-p <Port>
    Specifies the port number on the ELA proxy. Default port is 18187.

-f <Token> <Value>
    A field to be added to the log, represented by a <Token> <Value> pair as follows:
    - <Token> - The name of the field to be added to the log. Cannot contain spaces.
    - <Value> - The field's value. Cannot contain spaces.
    This option can be used multiple times to add multiple <Token> <Value> pairs to the log.

-m <Alert Type>
    The alert to be triggered at the ISP site. This alert overrides the alert specified in the log message generated by the alert daemon. The response to the alert is handled according to the actions specified in the ISP Security Policy.
    These alerts execute the OS commands:
    - alert - Popup alert command
    - mail - Mail alert command
    - snmptrap - SNMP trap alert command
    - spoofalert - Anti-Spoof alert command
    These NetQuota and ServerQuota alerts execute the OS commands specified in the $FWDIR/conf/objects.C file:
    value=clientquotaalert. Parameter=clientquotaalertcmd

Exit Status

0 - Execution was successful.
102 - Undetermined error.
103 - Unable to allocate memory.
104 - Unable to obtain log information from stdin.
106 - Invalid command line arguments.
107 - Failed to invoke the OPSEC API.

Example
inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies to perform these actions in the event of an attack:
- Establish a clear connection with the ELA Proxy located at IP address 10.0.2.4
- Send a log message to the specified ELA Proxy. Set the product field of this log message to cads
- Trigger the OS command specified in the SmartConsole > Menu > Global properties > Log and Alert > Popup Alert Command field.

ldapcmd
Description
This is an LDAP utility that controls these features:

Cache
    LDAP cache operations, such as emptying the cache, as well as providing debug information.

Statistics
    LDAP search statistics, such as:
    - All user searches
    - Pending lookups (when two or more lookups are identical)
    - Total lookup time (the total search time for a specific lookup)
    - Cache statistics such as hits and misses
    These statistics are saved in the $FWDIR/log/ldap_pid_<Process PID>.stats file.

Logging
    View the alert and warning logs.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcmd [-d <Debug Level>] -p {<Process Name> | all} <Command>

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level. Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-p {<Process Name> | all}
    Runs on a specified Check Point process, or all supported Check Point processes.

<Command>
    One of these commands:
    - cacheclear {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Clears cache for all objects
      - UserCacheObject - Clears cache for user objects
      - TemplateCacheObject - Clears cache for template objects
      - TemplateExtGrpCacheObject - Clears cache for external template group objects
    - cachetrace {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Traces cache for all objects
      - UserCacheObject - Traces cache for user objects
      - TemplateCacheObject - Traces cache for template objects
      - TemplateExtGrpCacheObject - Traces cache for external template group objects
    - log {on | off}
      - on - Creates LDAP logs
      - off - Does not create LDAP logs
    - stat {<Print Interval in Sec> | 0}
      - <Print Interval in Sec> - How frequently to collect the statistics
      - 0 - Stops collecting the statistics

ldapcompare
Description
This is an LDAP utility that performs compare queries and prints a message stating whether the comparison returned a match or not.
This utility opens a connection to an LDAP directory server, binds, and performs the comparison specified on the command line or from a specified file.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute> <Value> | <Attribute> <Base64 Value>}

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level. Valid values are from 0 (disabled) to 5 (maximal level, recommended).

<Options>
    See the tables below:
    - Compare options
    - Common options

<DN>
    Specifies the Distinguished Name.

<Attribute>
    Specifies the assertion attribute.

<Value>
    Specifies the assertion value.

<Base64 Value>
    Specifies the Base64 encoding of the assertion value.

Compare options

-E [!]<Extension>[=<Extension Parameter>]
    Specifies the compare extensions. Note - The exclamation sign "!" indicates criticality. For example: !dontUseCopy = Do not use Copy

-M
    Enables the Manage DSA IT control. Use the "-MM" option to make it critical.

-P <LDAP Protocol Version>
    Specifies the LDAP protocol version. Default version is 3.

-z
    Enables the quiet mode. The command does not print anything. You can use the command return values.

Common options

-D <Bind DN>
    Specifies the LDAP Server administrator Distinguished Name.

-e [!]<Extension>[=<Extension Parameter>]
    Specifies the general extensions. Note - The exclamation sign "!" indicates criticality.
    - [!]assert=<Filter> - RFC 4528; an RFC 4515 filter string
    - [!]authzid=<Authorization ID> - RFC 4370; either "dn:<DN>", or "u:<Username>"
    - [!]chaining[=<Resolve Behavior>[/<Continuation Behavior>]] - one of these: "chainingPreferred", "chainingRequired", "referralsPreferred", "referralsRequired"
    - [!]manageDSAit - RFC 3296
    - [!]noop
    - ppolicy
    - [!]postread[=<Attributes>] - RFC 4527; a comma-separated list of attributes
    - [!]preread[=<Attributes>] - RFC 4527; a comma-separated list of attributes
    - [!]relax
    - abandon - SIGINT sends the abandon signal; if critical, does not wait for SIGINT. Not really controls.
    - cancel - SIGINT sends the cancel signal; if critical, does not wait for SIGINT. Not really controls.
    - ignore - SIGINT ignores the response; if critical, does not wait for SIGINT. Not really controls.

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.

-H <LDAP URI>
    Specifies the LDAP Server Uniform Resource Identifier(s).

-I
    Specifies to use the SASL Interactive mode.

-n
    Dry run - shows what would be done, but does not actually do it.

-N
    Specifies not to use the reverse DNS to canonicalize SASL host name.

-o <Option>[=<Option Parameter>]
    Specifies the general options: nettimeout={<Timeout in Sec> | none | max}

-O <Properties>
    Specifies the SASL security properties.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-Q
    Specifies to use the SASL Quiet mode.

-R <Realm>
    Specifies the SASL realm.

-U <Authentication Identity>
    Specifies the SASL authentication identity.

-v
    Runs in verbose mode (prints the diagnostics to stdout).

-V
    Prints version information (use the "-VV" option only).

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password (for simple authentication).

-W
    Specifies to prompt the user for the LDAP Server administrator password.

-x
    Specifies to use simple authentication.

-X <Authorization Identity>
    Specifies the SASL authorization identity (either "dn:<DN>", or "u:<Username>" option).

-y <File>
    Specifies to read the LDAP Server administrator password from the <File>.

-Y <SASL Mechanism>
    Specifies the SASL mechanism.

-Z
    Specifies to start the TLS request. Use the "-ZZ" option to require successful response.

ldapmemberconvert
Description
This is an LDAP utility that ports the "Member" attribute values in LDAP group entries to "MemberOf" attribute values in LDAP member (User or Template) entries.
This utility converts the LDAP server data to work in either the "MemberOf" mode or the "Both" mode. The utility searches through all specified group or template entries and fetches their "Member" attribute values. Each value is the DN of a member entry; the "MemberOf" attribute of the entry identified by that DN receives the group/template DN at hand. In addition, the utility deletes those "Member" attribute values from the group/template, unless you run the command in the "Both" mode.
When you run the command, it creates a log file ldapmemberconvert.log in the current working directory. The command logs all modifications done and errors encountered in that log file.

Important - Back up the LDAP server database before you run this conversion utility.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP Server Port> -D <LDAP Admin DN> -w <LDAP Admin Password> -m <Member Attribute Name> -o <MemberOf Attribute Name> -c <Member ObjectClass Value> [-B] [-f <File> | -g <Group DN>] [-L <LDAP Server Timeout>] [-M <Number of Updates>] [-S <Size>] [-T <LDAP Client Timeout>] [-Z]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level. Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname. If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-m <Member Attribute Name>
    Specifies the LDAP attribute name when fetching and (possibly) deleting a group Member attribute value.

-o <MemberOf Attribute Name>
    Specifies the LDAP attribute name for adding an LDAP "MemberOf" attribute value.

-c <Member ObjectClass Value>
    Specifies the LDAP "ObjectClass" attribute value that defines which type of member to modify. You can specify multiple attribute values with this syntax:

    -c <Member Object Class 1> -c <Member Object Class 2> ... -c <Member Object Class N>

-B
    Specifies to run in "Both" mode.

-f <File>
    Specifies the file that contains a list of Group DNs separated by a new line:

    <Group DN 1>
    <Group DN 2>
    ...
    <Group DN N>

    Length of each line is limited to 256 characters.

-g <Group DN>
    Specifies the Group or Template Distinguished Name, on which to perform the conversion. You can specify multiple Group DNs with this syntax:

    -g <Group DN 1> -g <Group DN 2> ... -g <Group DN N>

-L <LDAP Server Timeout>
    Specifies the Server side time limit for LDAP operations, in seconds. Default is "never".

-M <Number of Updates>
    Specifies the maximal number of simultaneous member LDAP updates. Default is 20.

-S <Size>
    Specifies the Server side size limit for LDAP operations, in number of entries. Default is "none".

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds. Default is "never".

-Z
    Specifies to use SSL connection.

Notes
There are two "GroupMembership" modes. You must keep these modes consistent:
- template-to-groups
- user-to-groups
For example, if you apply conversion on LDAP users to include the "MemberOf" attributes for their groups, then this conversion has to be applied on LDAP defined templates for their groups.

Troubleshooting
Symptom:
A command fails with an error message stating the connection stopped unexpectedly when you run it with
the parameter -M <Number of Updates>.

Root Cause:
The LDAP server could not handle that many LDAP requests simultaneously and closed the connection.
Solution:
Run the command again with a lower value for the "-M" parameter. The default value should be adequate,
but can also cause a connection failure in extreme situations. Continue to reduce the value until the
command runs normally. Each time you run the command with the same set of groups, the command
continues from where it left off.

Examples

Example 1

A group is defined with the DN "cn=cpGroup,ou=groups,ou=cp,c=us" and these attributes:

...
cn=cpGroup
uniquemember="cn=member1,ou=people,ou=cp,c=us"
uniquemember="cn=member2,ou=people,ou=cp,c=us"
...

For the two member entries:

...
cn=member1
objectclass=fw1Person
...

and:

...
cn=member2
objectclass=fw1Person
...

Run:
[Expert@MGMT:0]# ldapmemberconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person

The result for the group DN is:

...
cn=cpGroup
...

The result for the two member entries is:

...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

and:

...
cn=member2
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

If you run the same command with the "-B" parameter, it produces the same result, but the group entry
is not modified.

Example 2

If there is another member attribute value for the same group entry:
uniquemember="cn=template1,ou=people,ou=cp,c=us"

and the template is:

cn=template1
objectclass=fw1Template

Then after running the same command, the template entry stays intact, because the parameter "-c fw1Person" limits the conversion to entries of object class "fw1Person", while the object class of "template1" is "fw1Template".
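The following added Python model (not the Check Point utility) applies the conversion described above to an in-memory copy of the directory from Examples 1 and 2, including the "-c" object class filter and the "-B" (Both) mode. It assumes that a Member value whose entry is skipped by the "-c" filter stays on the group, which the page does not state.

```python
"""In-memory model of the ldapmemberconvert conversion: each "Member" value of
a group becomes a "MemberOf" value on the member entry and is removed from the
group, unless "Both" mode (-B) is used.

Added example, not Check Point's utility. The directory is constructed from
Example 1 and Example 2 on this page; the real tool modifies a live LDAP
server and writes ldapmemberconvert.log, which this model imitates with a
returned list of log lines. Assumption: a Member value whose entry fails the
-c object class filter stays on the group untouched.
"""
from __future__ import annotations
from copy import deepcopy

CP_GROUP = "cn=cpGroup,ou=groups,ou=cp,c=us"
MEMBER1 = "cn=member1,ou=people,ou=cp,c=us"
MEMBER2 = "cn=member2,ou=people,ou=cp,c=us"
TEMPLATE1 = "cn=template1,ou=people,ou=cp,c=us"

# DN -> attribute -> list of values (constructed from the page's examples)
DIRECTORY: dict[str, dict[str, list[str]]] = {
    CP_GROUP: {"cn": ["cpGroup"], "uniquemember": [MEMBER1, MEMBER2, TEMPLATE1]},
    MEMBER1: {"cn": ["member1"], "objectclass": ["fw1Person"]},
    MEMBER2: {"cn": ["member2"], "objectclass": ["fw1Person"]},
    TEMPLATE1: {"cn": ["template1"], "objectclass": ["fw1Template"]},
}


def member_convert(directory: dict[str, dict[str, list[str]]], group_dns: list[str],
                   member_attr: str, memberof_attr: str, member_classes: set[str],
                   both_mode: bool = False) -> tuple[dict[str, dict[str, list[str]]], list[str]]:
    """Apply the conversion (-g group_dns, -m, -o, -c, -B) to a copy of `directory`.
    Returns (converted directory, log lines)."""
    directory = deepcopy(directory)          # caller's copy stays untouched, like a backup
    log: list[str] = []
    for group_dn in group_dns:
        group = directory.get(group_dn)
        if group is None:
            log.append(f"ERROR: group {group_dn} not found")
            continue
        remaining: list[str] = []            # Member values that stay on the group
        for member_dn in group.get(member_attr, []):
            entry = directory.get(member_dn)
            if entry is None:
                log.append(f"ERROR: member {member_dn} not found")
                remaining.append(member_dn)
                continue
            if not member_classes & set(entry.get("objectclass", [])):
                # -c filter: wrong object class, so the entry stays intact (Example 2)
                log.append(f"SKIP: {member_dn} objectclass not in {sorted(member_classes)}")
                remaining.append(member_dn)  # assumption: the group keeps this value
                continue
            memberof = entry.setdefault(memberof_attr, [])
            if group_dn not in memberof:     # idempotent: a rerun continues where it left off
                memberof.append(group_dn)
                log.append(f"ADD: {memberof_attr}={group_dn} on {member_dn}")
            if both_mode:
                remaining.append(member_dn)  # -B: the group's Member value is kept
            else:
                log.append(f"DEL: {member_attr}={member_dn} from {group_dn}")
        if remaining:
            group[member_attr] = remaining
        else:
            group.pop(member_attr, None)
    return directory, log


if __name__ == "__main__":
    converted, log = member_convert(DIRECTORY, [CP_GROUP], "uniquemember",
                                    "memberof", {"fw1Person"})
    print("\n".join(log))
    for dn, attrs in converted.items():
        print(dn, attrs)
```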

ldapmodify
Description
This is an LDAP utility that imports users to an LDAP server. The input file must be in the LDIF format.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmodify [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Server Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-a] [-b] [-c] [-F] [-k] [-n] [-r] [-v] [-T <LDAP Client Timeout>] [-Z] [ -f <Input File>.ldif | < <Entry>]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level. Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname. If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-a
    Specifies that this is the LDAP "add" operation.

-b
    Specifies to read values from files (for binary attributes).

-c
    Specifies to ignore errors during continuous operation.


-F Specifies to force changes on all records.

-k Specifies the Kerberos bind.

-K Specifies the Kerberos bind, part 1 only.

-n Specifies to print the LDAP "add" operations, but not actually perform them (dry run).

-r Specifies to replace values, instead of adding values.

-v Specifies to run in verbose mode.

-T <LDAP Client Timeout> Specifies the Client side timeout for LDAP operations, in milliseconds.
Default is "never".

-Z Specifies to use SSL connection.

-f <Input File>.ldif Specifies to read from the <Input File>.ldif file.
The input file must be in the LDIF format.

< <Entry> Specifies to read the entry from the stdin.
The "<" character is a mandatory part of the syntax.
It specifies that the input comes from the standard input (from the data you enter on the screen).


ldapsearch
Description
This is an LDAP utility that queries an LDAP directory and returns the results.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapsearch [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-A] [-B] [-b <Base DN>] [-F <Separator>] [-l <LDAP Server Timeout>] [-s <Scope>] [-S <Sort Attribute>] [-t] [-T <LDAP Client Timeout>] [-u] [-z <Number of Search Entries>] [-Z] <Filter> [<Attributes>]

Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified TDERROR debug level.
Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server> Specifies the LDAP Server computer by its IP address or resolvable hostname.
If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Port> Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN> Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password> Specifies the LDAP Server administrator password.

-A Specifies to retrieve attribute names only, without values.

-B Specifies not to suppress the printing of non-ASCII values.

-b <Base DN> Specifies the Base Distinguished Name (DN) for search.


-F <Separator> Specifies the separator character printed between attribute names and their values.
The default separator is the equal sign (=).

-l <LDAP Server Timeout> Specifies the Server side time limit for LDAP operations, in seconds.
Default is "never".

-s <Scope> Specifies the search scope. One of these:
n base
n one
n sub

-S <Sort Attribute> Specifies to sort the results by the values of this attribute.

-t Specifies to write values to files in the /tmp/ directory.
Writes each <attribute>-<value> pair to a separate file named:
/tmp/ldapsearch-<Attribute>-<Value>
For example, for the fw1color attribute with the value a00188, the command writes to the file named:
/tmp/ldapsearch-fw1color-a00188

-T <LDAP Client Timeout> Specifies the Client side timeout for LDAP operations, in milliseconds.
Default is "never".

-u Specifies to show user-friendly entry names in the output.
For example:
shows cn=Babs Jensen, users, omi
instead of cn=Babs Jensen, cn=users,cn=omi

-z <Number of Search Entries> Specifies the maximal number of entries to search on the LDAP Server.

-Z Specifies to use SSL connection.

<Filter> LDAP search filter compliant with RFC-1558.
For example:
objectclass=fw1host

<Attributes> Specifies the list of attributes to retrieve.
If you do not specify attributes explicitly, then the command retrieves all attributes.


Example
[Expert@MGMT:0]# ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

With this syntax, the command:

1. Connects to the LDAP Server on port 18185.
2. Uses "cn=omi" as the Base DN for the search.
3. Queries the LDAP directory for "fw1host" objects.
4. For each object found, prints the value of its "objectclass" attribute.


mcd
Description
This command lets you go to the specified directory in the $FWDIR directory in the context of a Domain
Management Server.

Syntax

mdsenv <IP Address or Name of Domain Management Server>
mcd <Name of Directory in $FWDIR>


Example

[Expert@MDS:0]# mdsstat
+-----------------------------------------------------------------------------------------------------+
| Processes status checking |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| Type | Name | IP address | FWM | FWD | CPD | CPCA |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| MDS | - | 192.168.3.51 | up 15312 | up 15310 | up 10227 | up 15475 |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| CMA | MyDomain_Server | 192.168.3.240 | up 17225 | up 17208 | up 17101 | up 18402 |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| Total Domain Management Servers checked: 1 1 up 0 down |
| Tip: Run mdsstat -h for legend |
+-----------------------------------------------------------------------------------------------------+
[Expert@MDS:0]#
[Expert@MDS:0]#
[Expert@MDS:0]# mdsenv MyDomain_Server
[Expert@MDS:0]#
[Expert@MDS:0]# mcd
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/
[Expert@MDS:0]#
[Expert@MDS:0]# pwd
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1
[Expert@MDS:0]#
[Expert@MDS:0]# ls -1
av
bin
conf
cpm-server
database
doc
hash
lib
libsw
log
scripts
state
tmp
[Expert@MDS:0]#

[Expert@MDS:0]# mcd av
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/av
[Expert@MDS:0]#
[Expert@MDS:0]# mcd bin
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/bin
[Expert@MDS:0]#
[Expert@MDS:0]# mcd conf
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/conf
[Expert@MDS:0]#
[Expert@MDS:0]# mcd log
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/log
[Expert@MDS:0]#
[Expert@MDS:0]# mcd scripts
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/scripts
[Expert@MDS:0]#


mds_backup
Description
The mds_backup command backs up binaries and data from a Multi-Domain Server to a user-specified
working directory.
You then copy the backup files from the working directory to external storage.
This command requires Multi-Domain Superuser privileges.
The mds_backup command runs the gtar and dump commands to back up all databases. The collected
information is stored in one *.tar file. The file name is a combination of the backup date and time, and the
file is saved in the current working directory. For example: 13Sep2015-141437.mdsbk.tar

Backing up and restoring in Management High Availability environment:


n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
Guide.
n About Virtual Machine Snapshots, see the vendor documentation.


Notes:
n Do not create or delete Domains or Domain Management Servers until the
backup operation completes.
n It is important not to run the mds_backup command from a directory that is
itself part of the backup.
For example, when you back up a Multi-Domain Server, do not run the mds_backup
command from the /opt/CPmds-<Current_Release>/ directory, because it is a
circular reference (a backup of the directory in which you need to write the backup files).
Run the mds_backup command from a location outside the product directory
tree to be backed up. This becomes the working directory.
n The mds_backup command does not collect the active Security log file
(*.log) and Audit log file (*.adtlog).
This is necessary to prevent inconsistencies during the read-write operations.

Best Practice - Perform a log switch before you start the backup
procedure.

n You can back up the Multi-Domain Server configuration without the log files.
This backup is typically significantly smaller than a full backup with logs.
To back up without log files, add this line to the $MDSDIR/conf/mds_exclude.dat
configuration file:

log/*

n After the backup completes, copy the backup *.tar file, together with the
mds_restore and gtar binary files, to your external backup location.
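The working-directory and log-exclusion notes above, as an added shell example that is not Check Point code: a pre-flight check to run before mds_backup. The product directory is passed as a parameter (on a real Multi-Domain Server it is /opt/CPmds-<Current_Release>, and the exclusion file is $MDSDIR/conf/mds_exclude.dat); the function names are assumptions.

```shell
#!/bin/bash
# Added example, not Check Point code. Pre-flight checks for the mds_backup notes:
# the working directory must not be the root directory and must not be inside the
# product tree that is being backed up (a circular reference), and log files can be
# excluded by adding "log/*" to mds_exclude.dat. Function names are assumptions.

# mds_backup_preflight <working directory> <product directory>
# Returns 0 if the backup may be written to <working directory>, 1 otherwise
# (reason on stderr). On a real server the product directory is
# /opt/CPmds-<Current_Release>.
mds_backup_preflight() {
    wanted=$1
    product=$2
    # Resolve symbolic links, so that a link pointing into the product tree is caught too.
    workdir=$(cd "$wanted" 2>/dev/null && pwd -P) || {
        echo "working directory does not exist: $wanted" >&2
        return 1
    }
    productdir=$(cd "$product" 2>/dev/null && pwd -P) || {
        echo "product directory does not exist: $product" >&2
        return 1
    }
    if [ "$workdir" = "/" ]; then
        echo "refusing to write the backup to the root directory" >&2
        return 1
    fi
    case "$workdir" in
        "$productdir" | "$productdir"/*)
            echo "circular reference: $workdir is inside the tree to be backed up ($productdir)" >&2
            return 1
            ;;
    esac
    if [ ! -w "$workdir" ]; then
        echo "working directory is not writable: $workdir" >&2
        return 1
    fi
    return 0
}

# mds_backup_exclude_logs <exclusion file>
# Adds the "log/*" line once (idempotent). On a real server the file is
# $MDSDIR/conf/mds_exclude.dat.
mds_backup_exclude_logs() {
    exclude_file=$1
    grep -qxF 'log/*' "$exclude_file" 2>/dev/null || printf 'log/*\n' >> "$exclude_file"
}

# Demonstration on constructed directories under a temporary location.
demo=$(mktemp -d)
mkdir -p "$demo/opt/CPmds-R80.40/customers" "$demo/backups"
mds_backup_preflight "$demo/backups" "$demo/opt/CPmds-R80.40" && echo "OK: $demo/backups"
mds_backup_preflight "$demo/opt/CPmds-R80.40/customers" "$demo/opt/CPmds-R80.40" || echo "rejected, as expected"
rm -rf "$demo"
```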

Syntax

mds_backup -h

mds_backup [-g -b [-d <Target Directory>] -s [-v] [-l]]


Parameters

Parameter Description

-h Shows help text.

-g Executes without prompting to disconnect GUI clients.

-b Batch mode - executes without asking anything (-g is implied).

-d <Target Directory> Specifies the output directory.
If not specified explicitly, the backup file is saved to the current directory.
You cannot save the backup file to the root directory.

-s Stops Multi-Domain processes before the backup starts.

-v "Dry run" - Shows all files to be backed up, but does not perform the backup operation.

-l Excludes logs from the backup.


mds_restore
Description
Use the mds_restore command to restore a Multi-Domain Server / Multi-Domain Log Server that was
backed up with the "mds_backup" on page 670 command.

Important - You must restore on the server that runs same software version, from
which you collected this backup.
Example: If you collected a backup on a server with version "XX" and Jumbo Hotfix
Accumulator Take "YY", then you must restore on a server with version "XX" and
Jumbo Hotfix Accumulator Take "YY".

Best Practice - If the Multi-Domain Security Management environment has multiple
Multi-Domain Servers, restore all Multi-Domain Servers at the same time.

Backing up and restoring in Management High Availability environment:


n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

To restore a Multi-Domain Server:


1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode.
3. Go to the directory where the backup file is located.
4. Run:

./mds_restore <backup_file>

5. If you restore on a Multi-Domain Server with a new IP address, configure the new IP address.


mdscmd
Description
In versions lower than R80, this utility executed various commands on the Multi-Domain Server.
Starting from R80, this command is obsolete.
You must use other commands. If there is no alternative command, then perform the applicable action in
SmartConsole.

MDSCMD command in pre-R80 versions Alternative command in R80 and above

mdscmd addadministrator <options> None

mdscmd adddomain <options> mgmt_cli add-domain
See "mgmt_cli" on page 696.

mdscmd addlogserver <options> mgmt_cli add-domain
See "mgmt_cli" on page 696.

mdscmd addmanagement <options> mgmt_cli add-domain
See "mgmt_cli" on page 696.

mdscmd assign-globalpolicy <options> mgmt_cli set global-assignment
See "mgmt_cli" on page 696.

mdscmd assignadmin <options> mgmt_cli set-administrator
See "mgmt_cli" on page 696.

mdscmd assignguiclient <options> None

mdscmd deleteadministrator <options> None

mdscmd deletedomain <options> mgmt_cli delete-domain
See "mgmt_cli" on page 696.

mdscmd deletelogserver <options> None


mdscmd deletemanagement <options> mgmt_cli delete-domain
See "mgmt_cli" on page 696.

mdscmd disableglobaluse <options> None

mdscmd enableglobaluse <options> None

mdscmd install-globalpolicy <options> mgmt_cli assign-global-assignment
See "mgmt_cli" on page 696.

mdscmd migratemanagement <options> None

mdscmd mirrormanagement <options> None

mdscmd reassign-globalpolicy <options> mgmt_cli set global-assignment
mgmt_cli assign-global-assignment
See "mgmt_cli" on page 696.

mdscmd remove-globalpolicy <options> mgmt_cli delete global-assignment
See "mgmt_cli" on page 696.

mdscmd removeadmin <options> mgmt_cli set-administrator
See "mgmt_cli" on page 696.

mdscmd removeguiclient <options> None

mdscmd runcrossdomainquery <options> None

mdscmd startmanagement <options> mdsstart_customer
See "mdsstart_customer" on page 688.

mdscmd stopmanagement <options> mdsstop_customer
See "mdsstop_customer" on page 695.


mdsconfig
Description
This command starts the Multi-Domain Server Configuration Program. This tool lets you configure specific
settings for the installed Check Point products.

Note - This command updates the database schema before it imports. First, the
command runs pre-upgrade verification. If no errors are found, migration continues. If
there are errors, you must fix them on the source R7x Domain Management Server
according to instructions in the error messages. Then do this procedure again.

For the complete procedure, see the R80.40 Installation and Upgrade Guide.

Syntax

mdsconfig


Menu Options


Menu Option Description

Leading VIP Interfaces The Leading VIP Interfaces are real interfaces connected to an external network.
These interfaces are used when you configure virtual IP addresses for Domain Management Servers.

Licenses Manages Check Point licenses and contracts on this server.

Random Pool Configures the RSA keys, to be used by Gaia Operating System.

Groups Usually, the Multi-Domain Server is given group permission for access and execution.
You may now name such a group or instruct the installation procedure to give no group permissions to the server.
In the latter case, only the Super-User is able to access and execute commands on the server.

Certificate's Fingerprint Shows the ICA's Fingerprint.
This fingerprint is a text string derived from the server's ICA certificate.
This fingerprint verifies the identity of the server when you connect to it with SmartConsole.

Administrators Configures Check Point system administrators for this server.

GUI Clients Configures the GUI clients that can use SmartConsole to connect to this server.

Automatic Start of Multi-Domain Server Shows and controls if the Multi-Domain Server starts automatically during boot.

P1Shell Obsolete. Do not use this option anymore.
Important - This option and the p1shell command are not supported (Known Limitation PMTR-45085).

Start Multi-Domain Server Password Configures a password to control the start of the Multi-Domain Server.

IPv6 Support for Multi-Domain Server Enables or disables the IPv6 Support on the Multi-Domain Server.
Important - R80.40 Multi-Domain Server does not support IPv6 address configuration (Known Limitation PMTR-14989).


IPv6 Support for Existing Domain Management Servers Enables or disables the IPv6 Support on the Domain Management Servers.
Important - R80.40 Multi-Domain Server does not support IPv6 address configuration (Known Limitation PMTR-14989).

Exit Exits from the Multi-Domain Server Configuration Program.

Example - Menu on a Multi-Domain Server

[Expert@MyMDS:0]# mdsconfig

Welcome to Multi-Domain Server Configuration Program


=================================================================
This program will let you re-configure your Multi-Domain Server configuration.

Configuration Options:
----------------------
(1) Leading VIP Interfaces
(2) Licenses
(3) Random Pool
(4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain Server
(9) P1Shell
(10) Start Multi-Domain Server Password
(11) IPv6 Support for Multi-Domain Server
(12) IPv6 Support for Existing Domain Management Servers

(13) Exit

Enter your choice (1-13):


mdsenv
Description
Use the mdsenv command to set shell environment variables to run commands on a specified Domain
Management Server.
When run without an argument, the command sets the shell for Multi-Domain Server level commands
("mdsstart" on page 684, "mdsstop" on page 691, and so on).

Syntax

mdsenv [<Name or IP address of Domain Management Server>]

Parameters

Parameter Description

<Name or IP address of Domain Management Server> Specifies the Domain Management Server by its name or IPv4 address.


Example

[Expert@MyMDS:0]# mdsstat
+-----------------------------------------------------------------------------------------------------+
| Processes status checking |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| Type | Name | IP address | FWM | FWD | CPD | CPCA |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| MDS | - | 192.168.3.51 | up 10086 | up 11422 | up 5427 | up 11440 |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| CMA | MyDomain_Server | 192.168.3.240 | up 10891 | up 8199 | up 7670 | up 9536 |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| Total Domain Management Servers checked: 1 1 up 0 down |
| Tip: Run mdsstat -h for legend |
+-----------------------------------------------------------------------------------------------------+
[Expert@MyMDS:0]#
[Expert@MyMDS:0]# mdsenv MyDomain_Server
[Expert@MyMDS:0]#
[Expert@MyMDS:0]# echo $FWDIR
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1
[Expert@MyMDS:0]#


mdsquerydb
Description
mdsquerydb is an advanced database query tool that lets administrators use shell scripts to get
information from the Multi-Domain Security Management databases.
Use this command to get information from the Multi-Domain Server, Domain Management Server, and
Global databases.

Note - The system comes with pre-defined queries, defined in the
$MDSDIR/conf/queries.conf configuration file. Do not change or delete these
queries.

Syntax

mdsquerydb <key_name> [-f <output_file_name>]

Parameters

Parameter Description

<key_name> Query key, which must be defined in the pre-defined queries configuration file.

-f <output_file_name> Send the query results to the specified file name. If this parameter is not
specified, the data is sent to the standard output.

Pre-Defined Query Keys

Keys for Multi-Domain environment:
----------------------------------
GlobalNetworkObjects Get name and type of all global network objects
NetworkObjects Get all Domains' internal Check Point installed network objects
Domains Get names of all Domains
Administrators Get names of all Administrators
MDSs Get names and IPs of all MDSs
DomainManagementServers Get names of all Domain Servers
GuiClients Get names and IPs of all gui clients
CMAs Backwards Compatibility (DomainManagementServers)
Customers Backwards Compatibility (Domains)

Keys for Domain environment:
----------------------------
NetworkObjects Get name and type of all network objects
Gateways Get names and IPs of all gateways

Example 1 - Retrieve list of all defined keys


[Expert@MDS:0]# mdsquerydb


Example 2 - Send a list of Domains in the Multi-Domain Server database to the standard output

[Expert@MDS:0]# mdsenv
[Expert@MDS:0]# mdsquerydb Domains

Example 3 - Send a list of network objects in the global database to the /tmp/gateways.txt file

[Expert@MDS:0]# mdsenv
[Expert@MDS:0]# mdsquerydb NetworkObjects -f /tmp/gateways.txt

Example 4 - Get a list of gateway objects in the Domain Management Server "DServer1"

[Expert@MDS:0]# mdsenv My_Domain_Server
[Expert@MDS:0]# mdsquerydb Gateways -f /tmp/gateways.txt


mdsstart
Description
Starts the Multi-Domain Server and all Domain Management Servers.
To start a specific Domain Management Server, see the "mdsstart_customer" on page 688 command.

Syntax

mdsstart [-m | -s]

Parameters

Parameter Description

-m Optional: Starts only the Multi-Domain Server and not the Domain Management Servers.

-s Optional: Starts all the Domain Management Servers sequentially.


The command waits for each Domain Management Server to come up, before it starts the
next one.

Controlling the number of Domain Management Servers to start sequentially


By default, the system attempts to start up to 10 Domain Management Servers at the same time.
You can decrease the amount of time it takes to start the Multi-Domain Server when there are many
Domain Management Servers.
To do this, set the value of the environment variable NUM_EXEC_SIMUL to the number of Domain
Management Servers that start at the same time.


Setting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure configures the specified value for the environment variable NUM_EXEC_SIMUL in the
current shell (does not survive reboot):

Step Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Set the value of the environment variable NUM_EXEC_SIMUL:

[Expert@MDS:0]# export NUM_EXEC_SIMUL=<Number of Domain Management Servers>

Example:

[Expert@MDS:0]# export NUM_EXEC_SIMUL=5

4 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL

Output must show the configured value.

Unsetting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure removes the configured value for the environment variable NUM_EXEC_SIMUL in the
current shell (does not survive reboot):

Step Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Unset the value of the environment variable NUM_EXEC_SIMUL:

[Expert@MDS:0]# unset NUM_EXEC_SIMUL

4 Make sure the environment variable NUM_EXEC_SIMUL is not set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL

Output must be empty.


Setting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure configures the specified value for the environment variable NUM_EXEC_SIMUL for all
shells (survives reboot):

Step Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP}

4 Edit the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Add this line at the bottom of the file:

export NUM_EXEC_SIMUL=<Number of Domain Management Servers>

Important - After this line, you must press Enter to add a new line.

Example:

export NUM_EXEC_SIMUL=5

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL

Output must show the configured value.


Unsetting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure removes the configured value for the environment variable NUM_EXEC_SIMUL for all
shells (survives reboot):

Step Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP_with_NUM_EXEC_SIMUL}

4 Edit the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Remove this line from the file:

export NUM_EXEC_SIMUL=<Number of Domain Management Servers>

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is not set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL

Output must be empty.


mdsstart_customer
Description
Starts the specified Domain Management Server, if it was stopped with the "mdsstop_customer" on
page 695 command.
To start the entire Multi-Domain Server, see the "mdsstart" on page 684 command.

Syntax

mdsstart_customer <IP address or Name of Domain Management Server>

Note - If the name of the Domain Management Server includes spaces, you must
surround it with quotes ("Name of Domain Management Server").


mdsstat
Description
This command shows the status of specific processes on the Multi-Domain Server and Domain
Management Servers.

Syntax

mdsstat [-h] [-m] [<Name or IP Address of Domain Management Server>]

Parameters

Parameter Description

-h Displays help message.

-m Shows the status for the Multi-Domain Server only.

<Name or IP address of Domain Management Server> Specifies the Domain Management Server by its name or IPv4 address.

Possible Statuses of Processes

Status Description

up The process is up.

down The process is down.

pnd The process is pending initialization.

init The process is initializing.

N/A The process's PID is not yet available.

N/R The process is not relevant for this Multi-Domain Server.


Example

[Expert@MDS:0]# mdsstat
+--------------------------------------------------------------------------------------+
| Processes status checking |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | - | 192.168.3.101 | up 17284 | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |DOM211_Server | 192.168.3.211 | up 32227 | up 32212 | up 25725 | up 32482 |
| CMA |DOM212_Server | 192.168.3.212 | up 4248 | up 4184 | up 4094 | up 4441 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 2 2 up 0 down |
| Tip: Run mdsstat -h for legend |
+--------------------------------------------------------------------------------------+
[Expert@MDS:0]#
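A status check built on the output layout and the process statuses listed above, as an added shell example that is not Check Point code: it reads mdsstat output from stdin and reports every process that is not "up" (N/R counts as healthy), which is what a cron job or monitoring agent would run. The sample output is constructed, and the function name is an assumption.

```shell
#!/bin/bash
# Added example, not Check Point code. Reads mdsstat output on stdin and prints one
# line per process that is not "up": "<Type> <Name> <Process> <Status>".
# Returns 1 if any such process exists, 0 otherwise. "N/R" (not relevant for this
# Multi-Domain Server) is treated as healthy. The function name is an assumption.
mdsstat_check() {
    awk -F'|' '
        # Data rows: "| MDS | ... |" and "| CMA | ... |". Borders, the header row and
        # the summary lines do not have MDS/CMA in the first column and are skipped.
        $2 ~ /^ *(MDS|CMA) *$/ {
            type = $2; name = $3
            gsub(/^ +| +$/, "", type); gsub(/^ +| +$/, "", name)
            split("FWM FWD CPD CPCA", proc, " ")
            for (i = 1; i <= 4; i++) {
                cell = $(i + 4)             # columns 5..8 hold "<status> <pid>"
                split(cell, parts, " ")     # parts[1] is the status word
                if (parts[1] != "up" && parts[1] != "N/R") {
                    print type, name, proc[i], parts[1]
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample in the mdsstat layout (not captured from a live system):
# DOM212_Server has FWM down, CPD still pending, and no CPCA process (N/R).
SAMPLE_MDSSTAT='+--------------------------------------------------------------------------------------+
| Processes status checking |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | - | 192.0.2.10 | up 17284 | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |DOM211_Server | 192.0.2.11 | up 32227 | up 32212 | up 25725 | up 32482 |
| CMA |DOM212_Server | 192.0.2.12 | down | up 4184 | pnd | N/R |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 2 1 up 1 down |
| Tip: Run mdsstat -h for legend |
+--------------------------------------------------------------------------------------+'

# On a live Multi-Domain Server the pipeline would be:  mdsstat | mdsstat_check
printf '%s\n' "$SAMPLE_MDSSTAT" | mdsstat_check || echo "mdsstat reports processes that are not up" >&2
```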


mdsstop
Description
Stops the Multi-Domain Server and all Domain Management Servers.
To stop a specific Domain Management Server, see the "mdsstop_customer" on page 695 command.

Syntax

mdsstop [-m | -s]

Parameters

Parameter Description

-m Optional: Stops only the Multi-Domain Server and not the Domain Management Servers.

-s Optional: Stops all the Domain Management Servers sequentially.


The command waits for each Domain Management Server to stop, before it stops the
next one.

Controlling the number of Domain Management Servers to stop sequentially


By default, the system attempts to stop up to 10 Domain Management Servers at the same time.
You can decrease the amount of time it takes to stop the Multi-Domain Server when there are many
Domain Management Servers.
To do this, set the value of the environment variable NUM_EXEC_SIMUL to the number of Domain
Management Servers that stop at the same time.


Setting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure configures the specified value for the environment variable NUM_EXEC_SIMUL in the
current shell (does not survive reboot):

Step Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Set the value of the environment variable NUM_EXEC_SIMUL:

[Expert@MDS:0]# export NUM_EXEC_SIMUL=<Number of Domain Management Servers>

Example:

[Expert@MDS:0]# export NUM_EXEC_SIMUL=5

4 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL

Output must show the configured value.

Unsetting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure removes the configured value for the environment variable NUM_EXEC_SIMUL in the
current shell (does not survive reboot):

Step Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Unset the value of the environment variable NUM_EXEC_SIMUL:

[Expert@MDS:0]# unset NUM_EXEC_SIMUL

4 Make sure the environment variable NUM_EXEC_SIMUL is not set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL

Output must be empty.


Setting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure configures the specified value for the environment variable NUM_EXEC_SIMUL for all
shells (survives reboot):

Step Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP}

4 Edit the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Add this line at the bottom of the file:

export NUM_EXEC_SIMUL=<Number of Domain Management Servers>

Important - After this line, you must press Enter to add a new line.

Example:

export NUM_EXEC_SIMUL=5

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL

Output must show the configured value.


Unsetting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure removes the configured value for the environment variable NUM_EXEC_SIMUL for all
shells (survives reboot):

Step Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP_with_NUM_EXEC_SIMUL}

4 Edit the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Remove this line from the file:

export NUM_EXEC_SIMUL=<Number of Domain Management Servers>

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is not set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL

Output must be empty.
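
The two procedures above (setting and unsetting NUM_EXEC_SIMUL permanently) can be scripted instead of edited by hand in vi. The POSIX shell functions below are an added example written for this page, not Check Point's own tooling. They take the rc.local path as an argument (the live file is /etc/rc.d/rc.local, as the procedures state) so they can be tried on a copy first, they assume the export line has exactly the form "export NUM_EXEC_SIMUL=<value>" shown above, and they cover steps 3 to 6 of each procedure; the reboot and the post-reboot "echo $NUM_EXEC_SIMUL" check are left to the operator.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): scripted equivalents of the
# "set / unset NUM_EXEC_SIMUL permanently" procedures above.
# RC_FILE is normally /etc/rc.d/rc.local; it is a parameter here so the
# functions can be exercised on a copy before the live file is touched.

# set_num_exec_simul RC_FILE VALUE
#   1. backs up RC_FILE to RC_FILE_BKP (step 3 of the set procedure)
#   2. removes any earlier "export NUM_EXEC_SIMUL=" line, so the file never
#      carries two conflicting settings
#   3. appends "export NUM_EXEC_SIMUL=VALUE" followed by a newline
#      (the guide stresses that the line must be newline-terminated)
set_num_exec_simul() {
    rc_file=$1
    value=$2
    case $value in
        ''|*[!0-9]*) echo "value must be a positive integer, got '$value'" >&2; return 1 ;;
    esac
    [ "$value" -gt 0 ] || { echo "value must be greater than zero" >&2; return 1; }
    [ -f "$rc_file" ] || { echo "no such file: $rc_file" >&2; return 1; }
    cp "$rc_file" "${rc_file}_BKP" || return 1
    # grep -v exits 1 when no line is left, which is not an error here
    { grep -v '^export NUM_EXEC_SIMUL=' "$rc_file" || :; } > "${rc_file}.tmp"
    printf 'export NUM_EXEC_SIMUL=%s\n' "$value" >> "${rc_file}.tmp"
    # overwrite in place (cat, not mv) so rc.local keeps its mode bits and inode
    cat "${rc_file}.tmp" > "$rc_file" && rm -f "${rc_file}.tmp"
}

# unset_num_exec_simul RC_FILE
#   backs up RC_FILE to RC_FILE_BKP_with_NUM_EXEC_SIMUL (step 3 of the unset
#   procedure) and removes the export line (step 5)
unset_num_exec_simul() {
    rc_file=$1
    [ -f "$rc_file" ] || { echo "no such file: $rc_file" >&2; return 1; }
    cp "$rc_file" "${rc_file}_BKP_with_NUM_EXEC_SIMUL" || return 1
    { grep -v '^export NUM_EXEC_SIMUL=' "$rc_file" || :; } > "${rc_file}.tmp"
    cat "${rc_file}.tmp" > "$rc_file" && rm -f "${rc_file}.tmp"
}

# get_num_exec_simul RC_FILE
#   prints the value rc.local will export at the next boot, or nothing.
#   This is the pre-reboot counterpart of the guide's "echo $NUM_EXEC_SIMUL"
#   verification step, which only reflects the running shell.
get_num_exec_simul() {
    sed -n 's/^export NUM_EXEC_SIMUL=//p' "$1" | tail -n 1
}

# Usage on the live file (Expert mode; reboot afterwards as the procedure says):
#   set_num_exec_simul /etc/rc.d/rc.local 5
#   get_num_exec_simul /etc/rc.d/rc.local      # prints 5
#   unset_num_exec_simul /etc/rc.d/rc.local
```

Running the set function twice leaves a single export line, which the manual procedure does not guarantee if the operator forgets an earlier edit; writing the result back with cat rather than mv keeps the permissions of rc.local unchanged.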

mdsstop_customer
Description
Stops the specified Domain Management Server.
To stop the entire Multi-Domain Server, see the "mdsstop" on page 691 command.

Syntax

mdsstop_customer <IP address or Name of Domain Management Server>

Notes:
n If the name of the Domain Management Server includes spaces, you must
surround it with quotes ("Name of Domain Management Server").
n To start the specified Domain Management Server, run the "mdsstart_customer" on page 688 command.

mgmt_cli
Description
The mgmt_cli tool lets you work directly with the management database on your Management Server.

Syntax on Management Server or Security Gateway running on Gaia OS

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 32-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 64-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Notes
n For a complete list of the mgmt_cli options, enter the mgmt_cli (mgmt_cli.exe) command
and press Enter.
n For more information, see the Check Point Management API Reference.

migrate
Important - This command is used to migrate the management database from R80.10
and lower versions.
For more information, see the R80.40 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:
n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

Notes:
n You must run this command from the Expert mode.
n If you need to back up the current management database, and you do not plan
to import it on a Management Server that runs a higher software version, then
you can use the built-in command in the $FWDIR/bin/upgrade_tools/
directory.
n If you plan to import the management database on a Management Server that
runs a higher software version, then you must use the migrate utility from the
migration tools package created specifically for that higher software version.
See the Installation and Upgrade Guide for that higher software version.
n If this command completes successfully, it creates this log file:
/var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
n If this command fails, it creates this log file:
$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log

Syntax
n To see the built-in help:

[Expert@MGMT:0]# ./migrate -h

n To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate export [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File> &

n To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate import [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz &

Parameters

Parameter Description

-h Shows the built-in help.

yes | nohup ./migrate ... & This syntax:
1. Sends the "yes" input to the interactive "migrate" command through
the pipeline.
2. The "nohup" forces the "migrate" command to ignore the hangup
signals from the shell.
3. The "&" forces the command to run in the background.

As a result, when the CLI session closes, the command continues to run in the
background.
See:
n sk133312
n https://linux.die.net/man/1/bash
n https://linux.die.net/man/1/nohup

export Exports the management database and applicable Check Point configuration.

import Imports the management database and applicable Check Point configuration
that were exported from another Management Server.

-l Exports and imports the Check Point logs without log indexes in the
$FWDIR/log/ directory.

Note - The command can export only closed logs (to which the
information is not currently written).

-x Exports and imports the Check Point logs with their log indexes in the
$FWDIR/log/ directory.

Important:
n This parameter only supports Management Servers and Log
Servers R80.10 and higher.
n The command can export only closed logs (to which the
information is not currently written).

-n Runs silently (non-interactive mode) and uses the default options for each
setting.

Important:
n If you export a management database in this mode and the
specified name of the exported file matches the name of an
existing file, the command overwrites the existing file without
prompting.
n If you import a management database in this mode, the
"migrate import" command runs the "cpstop"
command automatically.

--exclude-uepm-postgres-db n During the export operation, does not back up the PostgreSQL
database from the Endpoint Security Management Server.
n During the import operation, does not restore the PostgreSQL
database on the Endpoint Security Management Server.

--include-uepm-msi-files n During the export operation, backs up the MSI files from the Endpoint
Security Management Server.
n During the import operation, restores the MSI files on the Endpoint
Security Management Server.

/<Full Path>/ Absolute path to the exported database file.
This path must exist.

<Name of Exported File> n During the export operation, specifies the name of the output file.
The command automatically adds the *.tgz extension.
n During the import operation, specifies the name of the exported file.
You must manually enter the *.tgz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# ./migrate export /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...
Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#

migrate_server
Important - This command is used to migrate the management database from
R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.
For more information, see the R80.40 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:
n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

Notes:
n You must run this command from the Expert mode.
n If you need to back up the current management database, and you do not plan
to import it on a Management Server that runs a higher software version, then
you can use the built-in command in the $FWDIR/scripts/ directory.
n If you plan to import the management database on a Management Server that
runs a higher software version, then you must use the migrate_server utility
from the migration tools package created specifically for that higher software
version. See the Installation and Upgrade Guide for that higher software
version.
n If this command completes successfully, it creates this log file:
/var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
n If this command fails, it creates this log file:
$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log

Syntax
n To see the built-in help:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server -h

n To run the Pre-Upgrade Verifier:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server verify -v R80.40 [-skip_upgrade_tools_check]

n To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>

n To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server import -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [-change_ips_file /<Full Path>/<Name of JSON File>.json] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

Parameters

Parameter Description

-h Shows the built-in help.

export Exports the management database and applicable Check Point configuration.

import Imports the management database and applicable Check Point configuration that were
exported from another Management Server.

Important - This command automatically restarts Check Point services (runs the
"cpstop" and "cpstart" commands).

verify Verifies the management database and applicable Check Point configuration that were
exported from another Management Server.

-v R80.40 Specifies the version, to which you plan to migrate / upgrade.

-skip_upgrade_tools_check Does not try to connect to Check Point Cloud to check for a more recent version of the
Upgrade Tools.

Best Practice - Use this parameter on the Management Server that is not
connected to the Internet.

-l Exports and imports the Check Point logs without log indexes in the $FWDIR/log/
directory.

Note - The command can export only closed logs (to which the information is
not currently written).

-x Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/
directory.

Important:
n This parameter only supports Management Servers and Log Servers
R80.10 and higher.
n The command can export only closed logs (to which the information is not
currently written).

-change_ips_file /<Full Path>/<Name of JSON File>.json Specifies the absolute path to the special JSON configuration file with new IPv4
addresses.

This file is mandatory during an upgrade of a Multi-Domain Security Management
environment.

Even if only one of the servers migrates to a new IP address, all the other servers must get
this configuration file for the import process.
Example:

[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]

--include-uepm-msi-files n During the export operation, backs up the MSI files from the Endpoint Security
Management Server.
n During the import operation, restores the MSI files on the Endpoint Security
Management Server.

--exclude-uepm-postgres-db n During the export operation, does not back up the PostgreSQL database from the
Endpoint Security Management Server.
n During the import operation, does not restore the PostgreSQL database on the
Endpoint Security Management Server.

/<Full Path>/<Name of Exported File> Specifies the absolute path to the exported database file. This path must exist.
n During the export operation, specifies the name of the output file.
The command automatically adds the *.tgz extension.
n During the import operation, specifies the name of the exported file.
You must manually enter the *.tgz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...
Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate_server export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#
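
The "yes | nohup ./migrate ... &" pattern explained in the migrate parameters table, and the success and failure log locations listed in the notes of both migrate and migrate_server, can be wrapped so that the operator does not have to remember them. The POSIX shell functions below are an added example, not part of this guide or of the Check Point tools. They assume a migrate executable in the directory passed as the first argument (the guide's $FWDIR/bin/upgrade_tools/), that extra migrate export options may be placed before -n as in the documented syntax, and that the two log directories keep the migrate-<YYYY.MM.DD_HH.MM.SS>.log naming given in the notes.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): wrapper around the
#   yes | nohup ./migrate export ... &
# pattern from the migrate parameters table, plus a check that finds the
# latest migrate log in the two locations listed in the notes.

# migrate_export_detached TOOLS_DIR OUT_PATH [extra migrate export options...]
#   TOOLS_DIR  directory holding the migrate utility ($FWDIR/bin/upgrade_tools/)
#   OUT_PATH   absolute path of the export without the .tgz suffix
#   Returns 2 without running anything if OUT_PATH.tgz already exists: with -n
#   the real migrate would overwrite it silently (see the -n parameter notes).
#   Returns 1 if the utility is missing. Otherwise the background job's PID is
#   left in MIGRATE_PID and its console output goes to OUT_PATH.nohup.log.
migrate_export_detached() {
    tools_dir=$1
    out_path=$2
    shift 2
    if [ -e "$out_path.tgz" ]; then
        echo "refusing to overwrite existing archive: $out_path.tgz" >&2
        return 2
    fi
    if [ ! -x "$tools_dir/migrate" ]; then
        echo "migrate utility not found in $tools_dir" >&2
        return 1
    fi
    # yes answers the interactive prompt, nohup ignores SIGHUP when the
    # session ends, & detaches; the subshell keeps the cd local to the job.
    # Extra options go before -n, matching the documented "[-l | -x] [-n]" order.
    ( cd "$tools_dir" && yes | nohup ./migrate export "$@" -n "$out_path" \
        > "$out_path.nohup.log" 2>&1 ) &
    MIGRATE_PID=$!
    echo "migrate export running in background, PID $MIGRATE_PID, log $out_path.nohup.log"
}

# latest_migrate_log [SUCCESS_DIR] [FAILURE_DIR]
#   Picks the newest migrate-*.log across the success location
#   (/var/log/opt/CPshrd-R80.40) and the failure location ($CPDIR/log)
#   from the notes, and prints "success <path>" or "failed <path>".
#   Returns 1 when no migrate log exists at all.
latest_migrate_log() {
    ok_dir=${1:-/var/log/opt/CPshrd-R80.40}
    fail_dir=${2:-$CPDIR/log}
    newest=
    for f in "$ok_dir"/migrate-*.log "$fail_dir"/migrate-*.log; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1
    case $newest in
        "$ok_dir"/*) echo "success $newest" ;;
        *)           echo "failed $newest" ;;
    esac
}

# Usage on a Management Server (Expert mode), mirroring the guide's syntax:
#   migrate_export_detached "$FWDIR/bin/upgrade_tools" /var/log/Migrate_Export -l
#   wait "$MIGRATE_PID"    # or log out and check again later
#   latest_migrate_log     # "success /var/log/opt/CPshrd-R80.40/migrate-<timestamp>.log"
```

The clobber check exists because the guide only warns about the -n overwrite in the parameter table; putting it in front of the detached command means the mistake is caught before migrate starts. The log check classifies by directory, exactly as the notes do, and is equally valid after a migrate_server run, which writes its logs to the same two locations.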

migrate_global_policies
Description
This utility transfers (and upgrades, if necessary) the global configuration database from one Multi-Domain
Server to another Multi-Domain Server.

Notes:
n You can only use this command when the target Multi-Domain Server does not
have global configurations defined.
n This utility replaces all existing global configurations. Each existing global
configuration is saved with a *.pre_migrate extension.
n If you migrate only the global configurations (without the Domain Management
Servers) to a new Multi-Domain Server, disable all Security Gateways that are
enabled for global use.

Important - You cannot export an R80.X global configuration database and then use
this utility on an R80.X Multi-Domain Server.

Syntax

migrate_global_policies <Path>

Parameters

Parameter Description

<Path> The fully qualified path to the directory where the global policies files, originally exported
from the source Multi-Domain Server ($MDSDIR/conf/), are located.

Example
[Expert@Target_MDS:0]# migrate_global_policies /var/log/exported_global_db.22Jul2019-124547.tgz

queryDB_util
Description
Searches in the management database for objects or policy rules.

Important - This command is obsolete for R80 and above. Use the "mgmt_cli" on
page 358 command to load a policy on a managed Security Gateway.

rs_db_tool
Description
Manages Dynamically Assigned IP address (DAIP) gateways in a DAIP database.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax
n To add an entry to the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation add -name <Object Name> -ip <IPv4 Address> -ip6 <IPv6 Address> -TTL <Time-To-Live>

n To fetch a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation fetch -name <Object Name>

n To delete a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation delete -name <Object Name>

n To list all entries in the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation list

n To synchronize the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation sync

Note - You must run this command from the Expert mode.

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-name <Object Name> Specifies the name of the DAIP object.

-ip <IPv4 Address> Specifies the IPv4 address of the DAIP object.

-ip6 <IPv6 Address> Specifies the IPv6 address of the DAIP object.

-TTL <Time-To-Live> Specifies the relative time interval (in seconds), during which the entry is
valid.

sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information
received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts
mechanism.

Notes:
n VSX Gateways and VSX Cluster Members do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

n See the "fw sam" on page 271 and "fw sam_policy" on page 279 commands.

SAM v1 syntax

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter Description

-v Enables the verbose mode for the fw sam command.

-o Specifies to print the input of this tool to the standard output (to use with pipes in
a CLI syntax).

-s <SAM Server> Specifies the SAM Server to be contacted. Default is localhost.

-t <Time> Specifies the time (in seconds), during which to enforce the action. The default is
forever.

-f <Security Gateway> Specifies the Security Gateway, on which to run the operation.

Important - If you do not specify the target Security Gateway explicitly,
this command applies to all managed Security Gateways.

-C Cancels the specified operation.

-n Specifies to notify every time a connection, which matches the specified criteria,
passes through the Security Gateway.

-i Inhibits (drops or rejects) connections that match the specified criteria.

-I Inhibits (drops or rejects) connections that match the specified criteria and
closes all existing connections that match the specified criteria.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.

SAM v2 syntax

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src | -dst | -any | -srv}

Parameters for SAM v2

Parameter Description

-v2 Specifies to use SAM v2.

-v Enables the verbose mode for the fw sam command.

-O Specifies to print the input of this tool to the standard output (to use
with pipes in a CLI syntax).

-S <SAM Server> Specifies the SAM Server to be contacted. Default is localhost.

-t <Time> Specifies the time (in seconds), during which to enforce the action.
The default is forever.

-f <Security Gateway> Specifies the Security Gateway, on which to run the operation.

Important - If you do not specify the target Security Gateway
explicitly, this command applies to all managed Security
Gateways.

-n <Name> Specifies the name for the SAM rule.
Default is empty.

-c "<Comment>" Specifies the comment for the SAM rule.
Default is empty.
You must enclose the text in the double quotes or single quotes.

-o <Originator> Specifies the originator for the SAM rule.
Default is sam_alert.

-l {r | a} Specifies the log type for connections that match the specified criteria:

n r - Regular
n a - Alert
Default is None.

-a {d | r | n | b | q | i} Specifies the action to apply on connections that match the specified
criteria:
n d - Drop
n r - Reject
n n - Notify
n b - Bypass
n q - Quarantine
n i - Inspect

-C Specifies to close all existing connections that match the criteria.

-ip Specifies to use IP addresses as criteria parameters.

-eth Specifies to use MAC addresses as criteria parameters.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.

stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug purposes - to
make sure the applicable SNMP OIDs provide the requested information.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax
n To query a Regular OID:
stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>

These are specified in the SNMP MIB files.
For Check Point MIB files, see sk90470.
n To query a Statistical OID:
stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>

Statistical OIDs take some time to "initialize".
For example, to calculate an average, it is necessary to collect enough samples.
Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_oid.conf file.

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-h <Host> Specifies the remote Check Point host to query by its IP address or resolvable hostname.

-p <Port> Specifies the port number, on which the AMON server listens. Default port is 18192.

-x <Proxy Server> Specifies the Proxy Server by its IP address or resolvable hostname.
Note - Use only when you query a remote host.

-l <Polling Interval> Specifies the time in seconds between queries.
Note - Use only when you query a Statistical OID.

-r <Polling Duration> Specifies the time in seconds, during which to run consecutive queries.
Note - Use only when you query a Statistical OID.

-v <VSID> On a VSX Gateway, specifies the context of a Virtual Device to query.

-t <Timeout> Specifies the session timeout in milliseconds.

<Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N> Specifies the Regular OIDs to query.
Notes:
n OID must not start with period.
n Separate the OIDs with spaces.
n You can specify up to 100 OIDs.

<Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N> Specifies the Statistical OIDs to query.
Notes:
n OID must not start with period.
n Separate the OIDs with spaces.
n You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.2.3

Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Information is collected at intervals of 5 seconds for a duration of 5 seconds.

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3

threshold_config
Description
You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts.
You can use these thresholds to monitor many system components automatically without requesting
information from each object or device.
You configure these SNMP Monitoring Thresholds only on the Security Management Server, Multi-Domain
Server, or Domain Management Server.
During policy installation, the managed Security Gateways and Clusters receive and apply these
thresholds as part of their policy.
For more information, see sk90860: How to configure SNMP on Gaia OS.

Procedure

Step Description

1 Connect to the command line on the Management Server.

2 Log in to the Expert mode.

3 On a Multi-Domain Server, switch to the context of the applicable Domain Management Server:

[Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>

4 Go to the Threshold Engine Configuration menu:

[Expert@HostName:0]# threshold_config

5 Select the applicable options and configure the applicable settings
(see the Threshold Engine Configuration Options table below).

Threshold Engine Configuration Options:
---------------------------------------
(1) Show policy name
(2) Set policy name
(3) Save policy
(4) Save policy to file
(5) Load policy from file
(6) Configure global alert settings
(7) Configure alert destinations
(8) View thresholds overview
(9) Configure thresholds

(e) Exit (m) Main Menu

Enter your choice (1-9) :

6 Exit from the Threshold Engine Configuration menu.

7 Stop the CPD daemon:

[Expert@HostName:0]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"

See "cpwd_admin stop" on page 229.

8 Start the CPD daemon:

[Expert@HostName:0]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

See "cpwd_admin start" on page 226.

9 Wait for 10-20 seconds.

10 Verify that CPD daemon started successfully:

[Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"

See "cpwd_admin list" on page 221.

11 In SmartConsole, install the Access Control Policy on Security Gateways and Clusters.

Threshold Engine Configuration Options

Menu item Description

(1) Show policy name Shows the name of the current configured threshold policy.

(2) Set policy name Configures the name for the threshold policy.
If you do not specify it explicitly, then the default name is "Default
Profile".

(3) Save policy Saves the changes in the current threshold policy.

(4) Save policy to file Exports the configured threshold policy to a file.
If you do not specify the path explicitly, the file is saved in the current
working directory.

(5) Load policy from file Imports a threshold policy from a file.
If you do not specify the path explicitly, the file is imported from the current
working directory.

(6) Configure global alert settings Configures global settings:
n How frequently alerts are sent (configured delay must be greater
than 30 seconds)
n How many alerts are sent

(7) Configure alert destinations Configures the SNMP Network Management System (NMS), to which the
managed Security Gateways and Cluster Members send their SNMP alerts.

Configure Alert Destinations Options:
-------------------------------------
(1) View alert destinations
(2) Add SNMP NMS
(3) Remove SNMP NMS
(4) Edit SNMP NMS

(8) View thresholds overview Shows a list of all available thresholds and their current settings. These
include:
n Name
n Category (see the next option "(9)")
n State (disabled or enabled)
n Threshold (threshold point, if applicable)
n Description

(9) Configure thresholds Shows the list of threshold categories to configure.

Thresholds Categories
----------------------
(1) Hardware
(2) High Availability
(3) Local Logging Mode Status
(4) Log Server Connectivity
(5) Networking
(6) Resources

See the Thresholds Categories table below.

Thresholds Categories

Category Sub-Categories

(1) Hardware Hardware Thresholds:
--------------------
(1) RAID volume state
(2) RAID disk state
(3) RAID disk flags
(4) Temperature sensor reading
(5) Fan speed sensor reading
(6) Voltage sensor reading

(2) High Availability High Availability Thresholds:
-----------------------------
(1) Cluster member state changed
(2) Cluster block state
(3) Cluster state
(4) Cluster problem status
(5) Cluster interface status

(3) Local Logging Mode Status Local Logging Mode Status Thresholds:
-------------------------------------
(1) Local Logging Mode

(4) Log Server Connectivity Log Server Connectivity Thresholds:
-----------------------------------
(1) Connection with log server
(2) Connection with all log servers

(5) Networking Networking Thresholds:
----------------------
(1) Interface Admin Status
(2) Interface removed
(3) Interface Operational Link Status
(4) New connections rate
(5) Concurrent connections rate
(6) Bytes Throughput
(7) Accepted Packet Rate
(8) Drop caused by excessive traffic

(6) Resources Resources Thresholds:
---------------------
(1) Swap Memory Utilization
(2) Real Memory Utilization
(3) Partition free space
(4) Core Utilization
(5) Core interrupts rate

Notes:
n If you run the threshold_config command locally on a Security Gateway or
Cluster Members to configure the SNMP Monitoring Thresholds, then each
policy installation erases these local SNMP threshold settings and reverts them
to the global SNMP threshold settings configured on the Management Server
that manages this Security Gateway or Cluster.
n On a Security Gateway and Cluster Members, you can save the local Threshold
Engine Configuration settings to a file and load it locally later.
n The Threshold Engine Configuration is stored in the
$FWDIR/conf/thresholds.conf file.
n In a Multi-Domain Security Management environment:
l You can configure the SNMP thresholds in the context of Multi-Domain
Server (MDS) and in the context of each individual Domain Management
Server.
l Thresholds that you configure in the context of the Multi-Domain Server
are for the Multi-Domain Server only.
l Thresholds that you configure in the context of a Domain Management
Server are for that Domain Management Server and its managed Security
Gateways and Clusters.
l If an SNMP threshold applies both to the Multi-Domain Server and a
Domain Management Server, then configure the SNMP threshold both in
the context of the Multi-Domain Server and in the context of the Domain
Management Server.
However, in this scenario you can only get alerts from the Multi-Domain
Server, if the monitored object exceeds the threshold.
Example:
If you configure the CPU threshold, then when the monitored value
exceeds the configured threshold, it applies to both the Multi-Domain
Server and the Domain Management Server. However, only the Multi-
Domain Server generates SNMP alerts.
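The first note above is the operational trap: a policy installation silently replaces thresholds that were tuned locally with threshold_config. The following shell script is added here as an example and is not part of the Check Point guide. It keeps a reference copy of $FWDIR/conf/thresholds.conf (the path stated in the notes) and reports when the live file no longer matches that copy, so the check can be run after every policy installation. The snapshot file name thresholds.conf.local and the snapshot/check arguments are assumptions of this example, not Check Point conventions.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): keep a reference copy of
# the local Threshold Engine Configuration and detect when a policy
# installation has replaced it with the global settings from the
# Management Server. Assumption: the file is $FWDIR/conf/thresholds.conf
# as stated in the notes; the snapshot location is a hypothetical choice.

# SHA-256 of a file; falls back to shasum where sha256sum is not available.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# thresholds_snapshot <conf file> <snapshot file>
# Run right after configuring thresholds locally with threshold_config.
# Returns 2 when the configuration file does not exist.
thresholds_snapshot() {
    conf=$1; snap=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    cp -p "$conf" "$snap" || return 1
    file_digest "$conf" > "$snap.sha256"
}

# thresholds_drift_check <conf file> <snapshot file>
# Returns 0 when the live file matches the snapshot, 1 when it differs (for
# example after a policy installation reverted the local thresholds), and 2
# when no snapshot exists. On drift, a unified diff is written to stderr.
thresholds_drift_check() {
    conf=$1; snap=$2
    [ -f "$snap.sha256" ] || { echo "no snapshot for $conf" >&2; return 2; }
    live=$(file_digest "$conf")
    saved=$(cat "$snap.sha256")
    if [ "$live" = "$saved" ]; then
        echo "OK: $conf matches snapshot $snap"
        return 0
    fi
    echo "DRIFT: $conf differs from snapshot $snap (local thresholds may have been reverted)" >&2
    diff -u "$snap" "$conf" >&2 || true
    return 1
}

# On a Security Gateway: "snapshot" once, then "check" after each policy
# installation. Does nothing where $FWDIR is not set (e.g. off-box).
if [ -n "${FWDIR:-}" ] && [ -f "$FWDIR/conf/thresholds.conf" ]; then
    case "${1:-}" in
        snapshot) thresholds_snapshot "$FWDIR/conf/thresholds.conf" "$FWDIR/conf/thresholds.conf.local" ;;
        check)    thresholds_drift_check "$FWDIR/conf/thresholds.conf" "$FWDIR/conf/thresholds.conf.local" ;;
    esac
fi
```

A non-zero exit from the check is the signal to re-apply the local thresholds (or to move them to the Management Server, which is the supported place for settings that must survive policy installation).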

$MDSVERUTIL
Description
This utility returns information about the Multi-Domain Server and its Domain Management Servers.
It is intended for internal use by Check Point scripts on the Multi-Domain Server, but you can also use it to get information about the Multi-Domain Server and the Domain Management Servers (for example, the names of all Domain Management Servers).

Syntax

$MDSVERUTIL help

$MDSVERUTIL
      AllCMAs <options>
      AllVersions
      CMAAddonDir <options>
      CMACompDir <options>
      CMAFgDir <options>
      CMAFw40Dir <options>
      CMAFw41Dir <options>
      CMAFwConfDir <options>
      CMAFwDir <options>
      CMAIp <options>
      CMAIp6 <options>
      CMALogExporterDir <options>
      CMALogIndexerDir <options>
      CMANameByFwDir <options>
      CMANameByIp <options>
      CMARegistryDir <options>
      CMAReporterDir <options>
      CMASmartLogDir <options>
      CMASvnConfDir <options>
      CMASvnDir <options>
      ConfDirVersion <options>
      CpdbUpParam <options>
      CPprofileDir <options>
      CPVer <options>
      CustomersBaseDir <options>
      DiskSpaceFactor <options>
      InstallationLogDir <options>
      IsIPv6Enabled
      IsLegalVersion <options>
      IsOsSupportsIPv6
      LatestVersion
      MDSAddonDir <options>
      MDSCompDir <options>

      MDSDir <options>
      MDSFgDir <options>
      MDSFwbcDir <options>
      MDSFwDir <options>
      MDSIp <options>
      MDSIp6 <options>
      MDSLogExporterDir <options>
      MDSLogIndexerDir <options>
      MDSPkgName <options>
      MDSRegistryDir <options>
      MDSReporterDir <options>
      MDSSmartLogDir <options>
      MDSSvnDir <options>
      MDSVarCompDir <options>
      MDSVarDir <options>
      MDSVarFwbcDir <options>
      MDSVarFwDir <options>
      MDSVarSvnDir <options>
      MSP <options>
      OfficialName <options>
      OptionPack <options>
      ProductName <options>
      RegistryCurrentVer <options>
      ShortOfficialName <options>
      SmartCenterPuvUpgradeParam <options>
      SP <options>
      SVNPkgName <options>
      SvrDirectory <options>
      SvrParam <options>

Parameters

Parameter Description

help Shows the list of available commands.

AllCMAs <options>
    Returns the list of names of the configured Domain Management Servers.
    See "$MDSVERUTIL AllCMAs" on page 732.

AllVersions
    Returns the internal representation of the versions that this Multi-Domain Server recognizes.
    See "$MDSVERUTIL AllVersions" on page 733.

CMAAddonDir <options>
    Returns the path to the Management Addon directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMAAddonDir" on page 736.

CMACompDir <options>
    Returns the full path for the specified Backward Compatibility Package in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMACompDir" on page 737.

CMAFgDir <options>
    Returns the full path for the $FGDIR directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMAFgDir" on page 738.

CMAFw40Dir <options>
    Returns the full path for the $FWDIR directory for FireWall-1 4.0 in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMAFw40Dir" on page 739.

CMAFw41Dir <options>
    Returns the full path for the $FWDIR directory for Edge devices (that are based on FireWall-1 4.1) in the context of the specified Domain Management Server.
    Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The information about this command is provided only to describe the existing syntax option until it is removed completely.
    See "$MDSVERUTIL CMAFw41Dir" on page 740.

CMAFwConfDir <options>
    Returns the full path for the $FWDIR/conf/ directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMAFwConfDir" on page 741.

CMAFwDir <options>
    Returns the full path for the $FWDIR directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMAFwDir" on page 742.

CMAIp <options>
    Returns the IPv4 address of the Domain Management Server specified by its name.
    See "$MDSVERUTIL CMAIp" on page 743.

CMAIp6 <options>
    Returns the IPv6 address of the Domain Management Server specified by its name.
    See "$MDSVERUTIL CMAIp6" on page 744.

CMALogExporterDir <options>
    Returns the full path for the $EXPORTERDIR directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMALogExporterDir" on page 745.

CMALogIndexerDir <options>
    Returns the full path for the $INDEXERDIR directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMALogIndexerDir" on page 746.

CMANameByFwDir <options>
    Returns the name of the Domain Management Server based on the context of the current $FWDIR directory.
    See "$MDSVERUTIL CMANameByFwDir" on page 747.

CMANameByIp <options>
    Returns the name of the Domain Management Server based on the specified IPv4 address.
    See "$MDSVERUTIL CMANameByIp" on page 748.

CMARegistryDir <options>
    Returns the full path for the $CPDIR/registry/ directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMARegistryDir" on page 749.

CMAReporterDir <options>
    Returns the full path for the $RTDIR directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMAReporterDir" on page 750.

CMASmartLogDir <options>
    Returns the full path for the $SMARTLOGDIR directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMASmartLogDir" on page 751.

CMASvnConfDir <options>
    Returns the full path for the $CPDIR/conf/ directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMASvnConfDir" on page 752.

CMASvnDir <options>
    Returns the full path for the $CPDIR directory in the context of the specified Domain Management Server.
    See "$MDSVERUTIL CMASvnDir" on page 753.

ConfDirVersion <options>
    Returns the internal Version ID based on the context of the current $FWDIR/conf/ directory.
    See "$MDSVERUTIL ConfDirVersion" on page 754.

CpdbUpParam <options>
    Returns internal version numbers from the internal database.
    See "$MDSVERUTIL CpdbUpParam" on page 755.

CPprofileDir <options>
    Returns the path to the directory that contains the .CPprofile.sh and the .CPprofile.csh shell scripts.
    See "$MDSVERUTIL CPprofileDir" on page 756.

CPVer <options>
    Returns the internal Check Point version number.
    See "$MDSVERUTIL CPVer" on page 757.

CustomersBaseDir <options>
    Returns the full path for the $MDSDIR/customers/ directory.
    See "$MDSVERUTIL CustomersBaseDir" on page 758.

DiskSpaceFactor <options>
    Returns the disk-space factor (the mds_setup command uses this value during an upgrade).
    See "$MDSVERUTIL DiskSpaceFactor" on page 759.

InstallationLogDir <options>
    Returns the full path for the directory with all installation logs (/opt/CPInstLog/).
    See "$MDSVERUTIL InstallationLogDir" on page 760.

IsIPv6Enabled
    Returns true if IPv6 is enabled in Gaia OS.
    Returns false if IPv6 is disabled in Gaia OS.
    See "$MDSVERUTIL IsIPv6Enabled" on page 761.

IsLegalVersion <options>
    Returns 0 if the specified internal Version ID is legal.
    Returns 1 if the specified internal Version ID is illegal.
    See "$MDSVERUTIL IsLegalVersion" on page 762.

IsOsSupportsIPv6
    Returns true if the OS supports IPv6.
    Returns false if the OS does not support IPv6.
    See "$MDSVERUTIL IsOsSupportsIPv6" on page 763.

LatestVersion
    Returns the internal Version ID of the latest installed version.
    See "$MDSVERUTIL LatestVersion" on page 764.

MDSAddonDir <options>
    Returns the path to the Management Addon directory in the MDS context.
    See "$MDSVERUTIL MDSAddonDir" on page 765.

MDSCompDir <options>
    Returns the full path for the specified Backward Compatibility Package in the MDS context.
    See "$MDSVERUTIL MDSCompDir" on page 766.

MDSDir <options>
    Returns the full path in the /opt/ directory to the $MDSDIR directory.
    See "$MDSVERUTIL MDSDir" on page 767.

MDSFgDir <options>
    Returns the full path for the $FGDIR directory in the MDS context.
    See "$MDSVERUTIL MDSFgDir" on page 768.

MDSFwbcDir <options>
    Returns the full path in the /opt/ directory (in the MDS context) for the Backward Compatibility directory for Edge devices.
    See "$MDSVERUTIL MDSFwbcDir" on page 769.

MDSFwDir <options>
    Returns the full path in the /opt/ directory for the $FWDIR directory in the MDS context.
    See "$MDSVERUTIL MDSFwDir" on page 770.

MDSIp <options>
    Returns the IPv4 address of the Multi-Domain Server.
    See "$MDSVERUTIL MDSIp" on page 771.

MDSIp6 <options>
    Returns the IPv6 address of the Multi-Domain Server.
    See "$MDSVERUTIL MDSIp6" on page 772.

MDSLogExporterDir <options>
    Returns the full path for the $EXPORTERDIR directory in the MDS context.
    See "$MDSVERUTIL MDSLogExporterDir" on page 773.

MDSLogIndexerDir <options>
    Returns the full path for the $INDEXERDIR directory in the MDS context.
    See "$MDSVERUTIL MDSLogIndexerDir" on page 774.

MDSPkgName <options>
    Returns the name of the MDS software package.
    See "$MDSVERUTIL MDSPkgName" on page 775.

MDSRegistryDir <options>
    Returns the full path for the $CPDIR/registry/ directory in the MDS context.
    See "$MDSVERUTIL MDSRegistryDir" on page 776.

MDSReporterDir <options>
    Returns the full path for the $RTDIR directory in the MDS context.
    See "$MDSVERUTIL MDSReporterDir" on page 777.

MDSSmartLogDir <options>
    Returns the full path for the $SMARTLOGDIR directory in the MDS context.
    See "$MDSVERUTIL MDSSmartLogDir" on page 778.

MDSSvnDir <options>
    Returns the full path in the /opt/ directory for the $CPDIR directory in the MDS context.
    See "$MDSVERUTIL MDSSvnDir" on page 779.

MDSVarCompDir <options>
    Returns the full path in the /var/opt/ directory for the specified Backward Compatibility Package in the MDS context.
    See "$MDSVERUTIL MDSVarCompDir" on page 780.

MDSVarDir <options>
    Returns the full path in the /var/opt/ directory to the $MDSDIR directory.
    See "$MDSVERUTIL MDSVarDir" on page 781.

MDSVarFwbcDir <options>
    Returns the full path in the /var/opt/ directory (in the MDS context) for the Backward Compatibility directory for Edge devices.
    See "$MDSVERUTIL MDSVarFwbcDir" on page 782.

MDSVarFwDir <options>
    Returns the full path in the /var/opt/ directory for the $FWDIR directory in the MDS context.
    See "$MDSVERUTIL MDSVarFwDir" on page 783.

MDSVarSvnDir <options>
    Returns the full path in the /var/opt/ directory for the $CPDIR directory in the MDS context.
    See "$MDSVERUTIL MDSVarSvnDir" on page 784.

MSP <options>
    Returns the Minor Service Pack version.
    See "$MDSVERUTIL MSP" on page 785.

OfficialName <options>
    Returns the official version name.
    See "$MDSVERUTIL OfficialName" on page 786.

OptionPack <options>
    Returns the internal Option Pack version.
    See "$MDSVERUTIL OptionPack" on page 787.

ProductName <options>
    Returns the official name of the Multi-Domain Server product.
    See "$MDSVERUTIL ProductName" on page 788.

RegistryCurrentVer <options>
    Returns the current internal version of the Check Point Registry.
    See "$MDSVERUTIL RegistryCurrentVer" on page 789.

ShortOfficialName <options>
    Returns the short (without spaces) official version name.
    See "$MDSVERUTIL ShortOfficialName" on page 790.

SmartCenterPuvUpgradeParam <options>
    Returns the target version that is passed to the Pre-Upgrade Verifier (PUV) so that it verifies the upgrade to that version.
    See "$MDSVERUTIL SmartCenterPuvUpgradeParam" on page 791.

SP <options>
    Returns the Service Pack version.
    See "$MDSVERUTIL SP" on page 792.

SVNPkgName <options>
    Returns the name of the Secure Virtual Network (SVN) package.
    See "$MDSVERUTIL SVNPkgName" on page 793.

SvrDirectory <options>
    Returns the full path for the SmartReporter directory.
    See "$MDSVERUTIL SvrDirectory" on page 794.

SvrParam <options>
    Returns the SmartReporter version.
    See "$MDSVERUTIL SvrParam" on page 795.

$MDSVERUTIL AllCMAs
Description
Returns the list of names of the configured Domain Management Servers.

Syntax

$MDSVERUTIL AllCMAs [-v <Version_ID>]

Parameters

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL AllCMAs
MyDomain_Server_1
MyDomain_Server_2
MyDomain_Server_3
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL AllCMAs -v VID_92
MyDomain_Server_1
MyDomain_Server_2
MyDomain_Server_3
[Expert@MDS:0]#
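Because AllCMAs is the usual starting point for scripts that walk every Domain Management Server, the following shell script is added here as an example; it is not from the Check Point guide. It combines AllCMAs, CMAIp, CMAFwConfDir and CustomersBaseDir into a per-domain inventory and then checks two things a maintainer cares about before trusting that inventory in further automation: that every returned $FWDIR/conf path actually lies under <CustomersBaseDir>/<domain name>/ and that every domain resolves to an IPv4 address. On an MDS the script calls $MDSVERUTIL as in the rest of this chapter; the MDSVERUTIL_BIN override is an assumption of this example so the functions can be exercised against a stand-in command off-box.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): build a per-Domain
# Management Server inventory from $MDSVERUTIL output and sanity-check it.
# Assumptions: $MDSVERUTIL expands to the utility path in the MDS Expert
# shell (as used throughout this chapter); MDSVERUTIL_BIN is a hypothetical
# override so the functions can be exercised against a stand-in command.

mdsverutil() {
    "${MDSVERUTIL_BIN:-$MDSVERUTIL}" "$@"
}

# One tab-separated line per Domain Management Server:
#   <name> <IPv4 address or "-"> <$FWDIR/conf path in that domain's context>
mds_inventory() {
    mdsverutil AllCMAs | while IFS= read -r name; do
        [ -n "$name" ] || continue
        ip=$(mdsverutil CMAIp -n "$name" 2>/dev/null || true)
        confdir=$(mdsverutil CMAFwConfDir -n "$name" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "$name" "${ip:--}" "$confdir"
    done
}

# Checks the inventory: every conf directory must sit under
# <CustomersBaseDir>/<domain name>/ and every domain must have an IPv4
# address. Prints one WARN line per finding on stderr and returns 0 only
# when all domains pass, 1 otherwise.
mds_inventory_check() {
    base=$(mdsverutil CustomersBaseDir)
    tab=$(printf '\t')
    rc=0
    while IFS="$tab" read -r name ip confdir; do
        [ -n "$name" ] || continue
        case "$confdir" in
            "$base/$name/"*) ;;
            *) printf 'WARN %s: conf dir "%s" is not under %s/%s\n' \
                   "$name" "$confdir" "$base" "$name" >&2
               rc=1 ;;
        esac
        if [ "$ip" = "-" ]; then
            printf 'WARN %s: CMAIp returned no IPv4 address\n' "$name" >&2
            rc=1
        fi
    done <<EOF
$(mds_inventory)
EOF
    return "$rc"
}

# Run only when the MDS environment is present, so the functions can also be
# sourced elsewhere without side effects.
if [ -n "${MDSVERUTIL:-}" ] && [ -x "${MDSVERUTIL:-}" ]; then
    mds_inventory
    mds_inventory_check
fi
```

The path check matters because the directory names come straight from the utility's output and are later spliced into other paths; a domain whose $FWDIR/conf is reported somewhere unexpected is worth a look before any script starts copying or chmod-ing files under it.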

$MDSVERUTIL AllVersions
Description
Returns the internal representation of the versions that this Multi-Domain Server recognizes.
You can use these internal version strings in other commands.
In addition, see these commands:
- "$MDSVERUTIL IsLegalVersion" on page 762
- "$MDSVERUTIL OfficialName" on page 786

Syntax

$MDSVERUTIL AllVersions

Mapping

Internal Version ID   Official version
VID_94                R80.40
VID_93                R80.30
VID_92                R80.20
VID_91                R80
VID_90                R77.X
VID_89                R76
VID_88                R75.40VS
VID_87                R75.40
VID_86                R75.30
VID_85                R75.20
VID_84                R75
VID_83                R71.X
VID_80                R70.X
VID_65                NGX R65
VID_62                NGX R62
VID_NGX_61            NGX R61
VID_60                NGX R60
VID_541_A             NG AI R55W
VID_541               NG AI R55
VID_54_VSX_R2         VSX NG AI R2
VID_54_VSX            VSX NG AI 2.2N and VSX NG AI 2.3N
VID_54                NG AI R54
VID_53_VSX            VSX NG AI
VID_53                NG FP3
VID_52                NG FP2
VID_51                NG FP1
VID_41                4.1

Example

[Expert@MDS:0]# $MDSVERUTIL AllVersions
VID_94
VID_93
VID_92
VID_91
VID_90
VID_89
VID_88
VID_87
VID_86
VID_85
VID_84
VID_83
VID_80
VID_65
VID_62
VID_NGX_61
VID_61
VID_60
VID_541_A
VID_541
VID_54_VSX_R2
VID_54_VSX
VID_54
VID_53_VSX
VID_53
VID_52
VID_51
VID_41
[Expert@MDS:0]#

$MDSVERUTIL CMAAddonDir
Description
Returns the path to the Management Addon directory in the context of the specified Domain Management
Server. Applies only to NG AI R55W version.
In addition, see the "$MDSVERUTIL MDSAddonDir" on page 765 command.

Syntax

$MDSVERUTIL CMAAddonDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAAddonDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPmgmt-R55W
[Expert@MDS:0]#

$MDSVERUTIL CMACompDir
Description
Returns the full path for the specified Backward Compatibility Package in the context of the specified
Domain Management Server.
In addition, see these commands:
- "$MDSVERUTIL MDSCompDir" on page 766
- "$MDSVERUTIL MDSVarCompDir" on page 780

Syntax

$MDSVERUTIL CMACompDir -n <Name or IP address of Domain Management Server> -c <Name of Backward Compatibility Package>

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-c <Name of Backward Compatibility Package>
    Specifies the name of the Backward Compatibility Package.
    The Backward Compatibility Package contains the files required to install policy on Security Gateways that run a lower version than the Multi-Domain Server.
    To see the list of all Backward Compatibility Packages, run in Expert mode:

    ls -1 $MDSDIR/customers/<Name of Domain Management Server>/ | grep CMP

Example

[Expert@MDS:0]# $MDSVERUTIL CMACompDir -n MyDomain_Server -c CPR77CMP-R80.40
/opt/CPmds-R80.40/customers/MyDomain_Server/CPR77CMP-R80.40
[Expert@MDS:0]#

$MDSVERUTIL CMAFgDir
Description
Returns the full path for the $FGDIR directory in the context of the specified Domain Management Server.

In addition, see the "$MDSVERUTIL MDSFgDir" on page 768 command.

Syntax

$MDSVERUTIL CMAFgDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFgDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fg1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFgDir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fg1
[Expert@MDS:0]#

$MDSVERUTIL CMAFw40Dir
Description
Returns the full path for the $FWDIR directory for FireWall-1 4.0 in the context of the specified Domain
Management Server.

Syntax

$MDSVERUTIL CMAFw40Dir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFw40Dir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/fw40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFw40Dir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/fw40
[Expert@MDS:0]#

$MDSVERUTIL CMAFw41Dir
Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax option
until it is removed completely.

Description
Returns the full path for the $FWDIR directory for UTM-1 Edge devices (that are based on FireWall-1 4.1)
in the context of the specified Domain Management Server.

Syntax

$MDSVERUTIL CMAFw41Dir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFw41Dir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPEdgecmp-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFw41Dir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/CPEdgecmp-R77
[Expert@MDS:0]#

$MDSVERUTIL CMAFwConfDir
Description
Returns the full path for the $FWDIR/conf/ directory in the context of the specified Domain Management
Server.

Syntax

$MDSVERUTIL CMAFwConfDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFwConfDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/conf
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFwConfDir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fw1/conf
[Expert@MDS:0]#

$MDSVERUTIL CMAFwDir
Description
Returns the full path for the $FWDIR directory in the context of the specified Domain Management Server.

In addition, see the "$MDSVERUTIL MDSFwDir" on page 770 command.

Syntax

$MDSVERUTIL CMAFwDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFwDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFwDir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fw1
[Expert@MDS:0]#

$MDSVERUTIL CMAIp
Description
Returns the IPv4 address of the Domain Management Server specified by its name.
In addition, see the "$MDSVERUTIL MDSIp" on page 771 command.

Syntax

$MDSVERUTIL CMAIp -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAIp -n MyDomain_Server
192.168.3.240
[Expert@MDS:0]#

$MDSVERUTIL CMAIp6
Description
Returns the IPv6 address of the Domain Management Server specified by its name.
In addition, see the "$MDSVERUTIL MDSIp6" on page 772 command.

Known Limitation PMTR-14989 - Multi-Domain Server does not support IPv6 address configuration.

Syntax

$MDSVERUTIL CMAIp6 -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv6 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

$MDSVERUTIL CMALogExporterDir
Description
Returns the full path for the $EXPORTERDIR directory in the context of the specified Domain Management
Server.
In addition, see the "$MDSVERUTIL MDSLogExporterDir" on page 773 command.

Syntax

$MDSVERUTIL CMALogExporterDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMALogExporterDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPrt-R80.40/log_exporter
[Expert@MDS:0]#

$MDSVERUTIL CMALogIndexerDir
Description
Returns the full path for the $INDEXERDIR directory in the context of the specified Domain Management
Server.
In addition, see the "$MDSVERUTIL MDSLogIndexerDir" on page 774 command.

Syntax

$MDSVERUTIL CMALogIndexerDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMALogIndexerDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPrt-R80.40/log_indexer
[Expert@MDS:0]#

$MDSVERUTIL CMANameByFwDir
Description
Returns the name of the Domain Management Server based on the context of the current $FWDIR
directory.

Syntax

$MDSVERUTIL CMANameByFwDir -d $FWDIR [-v <Version_ID>]

Parameters

-d $FWDIR
    Specifies the $FWDIR directory whose Domain Management Server context is resolved (the syntax above passes the current $FWDIR).

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMANameByFwDir -d $FWDIR
MyDomain_Server
[Expert@MDS:0]#

$MDSVERUTIL CMANameByIp
Description
Returns the name of the Domain Management Server based on the specified IPv4 address.

Syntax

$MDSVERUTIL CMANameByIp -i <IP address of Domain Management Server> [-v <Version_ID>]

Parameters

-i <IP address of Domain Management Server>
    Specifies the Domain Management Server by its IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMANameByIp -i 192.168.3.240
MyDomain_Server
[Expert@MDS:0]#

$MDSVERUTIL CMARegistryDir
Description
Returns the full path for the $CPDIR/registry/ directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSRegistryDir" on page 776 command.

Syntax

$MDSVERUTIL CMARegistryDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMARegistryDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPshrd-R80.40/registry
[Expert@MDS:0]#

$MDSVERUTIL CMAReporterDir
Description
Returns the full path for the $RTDIR directory in the context of the specified Domain Management Server.

In addition, see the "$MDSVERUTIL MDSReporterDir" on page 777 command.

Syntax

$MDSVERUTIL CMAReporterDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAReporterDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPrt-R80.40
[Expert@MDS:0]#

$MDSVERUTIL CMASmartLogDir
Description
Returns the full path for the $SMARTLOGDIR directory in the context of the specified Domain Management
Server.
In addition, see the "$MDSVERUTIL MDSSmartLogDir" on page 778 command.

Syntax

$MDSVERUTIL CMASmartLogDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASmartLogDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPSmartLog-R80.40
[Expert@MDS:0]#

$MDSVERUTIL CMASvnConfDir
Description
Returns the full path for the $CPDIR/conf/ directory in the context of the specified Domain Management
Server.

Syntax

$MDSVERUTIL CMASvnConfDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASvnConfDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPshrd-R80.40/conf
[Expert@MDS:0]#

$MDSVERUTIL CMASvnDir
Description
Returns the full path for the $CPDIR directory in the context of the specified Domain Management Server.
In addition, see these commands:
- "$MDSVERUTIL MDSSvnDir" on page 779
- "$MDSVERUTIL MDSVarSvnDir" on page 784

Syntax

$MDSVERUTIL CMASvnDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASvnDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPshrd-R80.40
[Expert@MDS:0]#

$MDSVERUTIL ConfDirVersion
Description
Returns the internal Version ID based on the context of the current $FWDIR/conf/ directory.

For information about the internal Version ID, see the "$MDSVERUTIL AllVersions" on page 733
command.

Syntax

$MDSVERUTIL ConfDirVersion -d $FWDIR/conf

Example

[Expert@MDS:0]# $MDSVERUTIL ConfDirVersion -d $FWDIR/conf
VID_92
[Expert@MDS:0]#

$MDSVERUTIL CpdbUpParam
Description
Returns internal version numbers from the internal database.
In addition, see these commands:
- "$MDSVERUTIL MSP" on page 785
- "$MDSVERUTIL SP" on page 792

Syntax

$MDSVERUTIL CpdbUpParam [-v <Version_ID>]

Parameters

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam
6.0.5.1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam -v VID_90
6.0.4.0
[Expert@MDS:0]#

Example 3

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam -v VID_65
6.0.1.0
[Expert@MDS:0]#

$MDSVERUTIL CPprofileDir
Description
Returns the path to the directory that contains the .CPprofile.sh and the .CPprofile.csh shell
scripts.

Syntax

$MDSVERUTIL CPprofileDir [-v <Version_ID>]

Parameters

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CPprofileDir
/opt/CPshrd-R80.40/tmp
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CPprofileDir -v VID_90
/opt/CPshrd-R77/tmp
[Expert@MDS:0]#

$MDSVERUTIL CPVer
Description
Returns internal Check Point version number.

Syntax

$MDSVERUTIL CPVer [-v <Version_ID>]

Parameters

-v <Version_ID>
    Specifies the internal Version ID. See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CPVer
9.0
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CPVer -v VID_80
8.0
[Expert@MDS:0]#

$MDSVERUTIL CustomersBaseDir
Description
Returns the full path for the $MDSDIR/customers/ directory.

Syntax

$MDSVERUTIL CustomersBaseDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CustomersBaseDir


/opt/CPmds-R80.40/customers
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CustomersBaseDir -v VID_90


/opt/CPmds-R77/customers
[Expert@MDS:0]#

$MDSVERUTIL DiskSpaceFactor
Description
Returns the disk-space factor. The mds_setup command uses this value during an upgrade.

Syntax

$MDSVERUTIL DiskSpaceFactor [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL DiskSpaceFactor


1
[Expert@MDS:0]#

$MDSVERUTIL InstallationLogDir
Description
Returns the full path for directory with all installation logs (/opt/CPInstLog/).

Syntax

$MDSVERUTIL InstallationLogDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL InstallationLogDir


/opt/CPInstLog
[Expert@MDS:0]#

$MDSVERUTIL IsIPv6Enabled
Description
Returns true, if IPv6 is enabled in Gaia OS.
Returns false, if IPv6 is disabled in Gaia OS.

Known Limitation PMTR-14989 - Multi-Domain Server does not support IPv6 address configuration.

Syntax

$MDSVERUTIL IsIPv6Enabled

$MDSVERUTIL IsLegalVersion
Description
Returns 0, if the specified internal Version ID is legal.
Returns 1, if the specified internal Version ID is illegal.

Syntax

$MDSVERUTIL IsLegalVersion -v <Version_ID>

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL IsLegalVersion -v VID_92


0
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL IsLegalVersion -v VID_123456


1
[Expert@MDS:0]#

$MDSVERUTIL IsOsSupportsIPv6
Description
Returns true, if the OS supports IPv6.
Returns false, if the OS does not support IPv6.

Known Limitation PMTR-14989 - Multi-Domain Server does not support IPv6 address configuration.

Syntax

$MDSVERUTIL IsOsSupportsIPv6

$MDSVERUTIL LatestVersion
Description
Returns the internal Version ID of the latest installed version.

Syntax

$MDSVERUTIL LatestVersion

See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL LatestVersion


VID_92
[Expert@MDS:0]#

$MDSVERUTIL MDSAddonDir
Description
Returns the path to the Management Addon directory in the MDS context.
In addition, see the "$MDSVERUTIL CMAAddonDir" on page 736 command.

Syntax

$MDSVERUTIL MDSAddonDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL MDSAddonDir


/opt/CPmgmt-R55W
[Expert@MDS:0]#

$MDSVERUTIL MDSCompDir
Description
Returns the full path for the specified Backward Compatibility Package in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMACompDir" on page 737
n "$MDSVERUTIL MDSVarCompDir" on page 780

Syntax

$MDSVERUTIL MDSCompDir -c <Name of Backward Compatibility Package>

Parameters

Parameter Description

-c <Name of Backward Compatibility Package> Specifies the name of the Backward Compatibility Package.
The Backward Compatibility Package contains the applicable files to install policy on Security Gateways that run a lower version than the Multi-Domain Server.
To see the list of all Backward Compatibility Packages, run in Expert mode:

ls -1 /opt/ | grep CMP

Example

[Expert@MDS:0]# $MDSVERUTIL MDSCompDir -c CPR77CMP-R80.40


/opt/CPR77CMP-R80.40
[Expert@MDS:0]#

$MDSVERUTIL MDSDir
Description
Returns the full path in the /opt/ directory to the $MDSDIR directory.

In addition, see the "$MDSVERUTIL MDSVarDir" on page 781 command.

Syntax

$MDSVERUTIL MDSDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSDir


/opt/CPmds-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSDir -v VID_90


/opt/CPmds-R77
[Expert@MDS:0]#

$MDSVERUTIL MDSFgDir
Description
Returns the full path for the $FGDIR directory in the MDS context.

In addition, see the "$MDSVERUTIL CMAFgDir" on page 738 command.

Syntax

$MDSVERUTIL MDSFgDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFgDir


/opt/CPsuite-R80.40/fg1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFgDir -v VID_90


/opt/CPsuite-R77/fg1
[Expert@MDS:0]#

$MDSVERUTIL MDSFwbcDir
Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax option
until it is removed completely.

Description
Returns the full path in the /opt/ directory (in the MDS context) for the Backward Compatibility directory
for UTM-1 Edge devices.
This Backward Compatibility directory contains the applicable files to install policy on UTM-1 Edge devices.
In addition, see the "$MDSVERUTIL MDSVarFwbcDir" on page 782 command.

Syntax

$MDSVERUTIL MDSFwbcDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFwbcDir


/opt/CPEdgecmp-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFwbcDir -v VID_90


/opt/CPEdgecmp-R77
[Expert@MDS:0]#

$MDSVERUTIL MDSFwDir
Description
Returns the full path in the /opt/ directory for the $FWDIR directory in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL MDSVarFwDir" on page 783
n "$MDSVERUTIL CMAFwDir" on page 742

Syntax

$MDSVERUTIL MDSFwDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFwDir


/opt/CPsuite-R80.40/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFwDir -v VID_90


/opt/CPsuite-R77/fw1
[Expert@MDS:0]#

$MDSVERUTIL MDSIp
Description
Returns the IPv4 address of Multi-Domain Server.
In addition, see the "$MDSVERUTIL CMAIp" on page 743 command.

Syntax

$MDSVERUTIL MDSIp [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL MDSIp


192.168.3.51
[Expert@MDS:0]#

$MDSVERUTIL MDSIp6
Description
Returns the IPv6 address of Multi-Domain Server.
In addition, see the "$MDSVERUTIL CMAIp6" on page 744 command.

Known Limitation PMTR-14989 - Multi-Domain Server does not support IPv6 address configuration.

Syntax

$MDSVERUTIL MDSIp6 [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

$MDSVERUTIL MDSLogExporterDir
Description
Returns the full path for the $EXPORTERDIR directory in the MDS context.

In addition, see the "$MDSVERUTIL CMALogExporterDir" on page 745 command.

Syntax

$MDSVERUTIL MDSLogExporterDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSLogExporterDir


/opt/CPrt-R80.40/log_exporter
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSLogExporterDir -v VID_91


/opt/CPrt-R80/
[Expert@MDS:0]#

$MDSVERUTIL MDSLogIndexerDir
Description
Returns the full path for the $INDEXERDIR directory in the MDS context.

In addition, see the "$MDSVERUTIL CMALogIndexerDir" on page 746 command.

Syntax

$MDSVERUTIL MDSLogIndexerDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSLogIndexerDir


/opt/CPrt-R80.40/log_indexer
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSLogIndexerDir -v VID_91


/opt/CPrt-R80/
[Expert@MDS:0]#

$MDSVERUTIL MDSPkgName
Description
Returns the name of the MDS software package.
In addition, see the "$MDSVERUTIL SVNPkgName" on page 793 command.

Syntax

$MDSVERUTIL MDSPkgName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSPkgName


CPmds-R80.40-00
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSPkgName -v VID_90


CPmds-R77-00
[Expert@MDS:0]#

$MDSVERUTIL MDSRegistryDir
Description
Returns the full path for the $CPDIR/registry/ directory in the MDS context.

In addition, see the "$MDSVERUTIL CMARegistryDir" on page 749 command.

Syntax

$MDSVERUTIL MDSRegistryDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSRegistryDir


/opt/CPshrd-R80.40/registry
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSRegistryDir -v VID_90


/opt/CPshrd-R77/registry
[Expert@MDS:0]#

$MDSVERUTIL MDSReporterDir
Description
Returns the full path for the $RTDIR directory in the MDS context.

In addition, see the "$MDSVERUTIL CMAReporterDir" on page 750 command.

Syntax

$MDSVERUTIL MDSReporterDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSReporterDir


/opt/CPrt-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSReporterDir -v VID_91


/opt/CPrt-R80
[Expert@MDS:0]#

$MDSVERUTIL MDSSmartLogDir
Description
Returns the full path for the $SMARTLOGDIR directory in the MDS context.

In addition, see the "$MDSVERUTIL CMASmartLogDir" on page 751 command.

Syntax

$MDSVERUTIL MDSSmartLogDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSSmartLogDir


/opt/CPSmartLog-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSSmartLogDir -v VID_91


/opt/CPSmartLog-R80
[Expert@MDS:0]#

$MDSVERUTIL MDSSvnDir
Description
Returns the full path in the /opt/ directory for the $CPDIR directory in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMASvnDir" on page 753
n "$MDSVERUTIL MDSVarSvnDir" on page 784

Syntax

$MDSVERUTIL MDSSvnDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSSvnDir


/opt/CPshrd-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSSvnDir -v VID_91


/opt/CPshrd-R80
[Expert@MDS:0]#

$MDSVERUTIL MDSVarCompDir
Description
Returns the full path in the /var/opt/ directory for the specified Backward Compatibility Package in the
MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMACompDir" on page 737
n "$MDSVERUTIL MDSCompDir" on page 766

Syntax

$MDSVERUTIL MDSVarCompDir -c <Name of Backward Compatibility Package>

Parameters

Parameter Description

-c <Name of Backward Compatibility Package> Specifies the name of the Backward Compatibility Package.
The Backward Compatibility Package contains the applicable files to install policy on Security Gateways that run a lower version than the Multi-Domain Server.
To see the list of all Backward Compatibility Packages, run in Expert mode:

ls -1 /var/opt/ | grep CMP

Example

[Expert@MDS:0]# $MDSVERUTIL MDSVarCompDir -c CPR77CMP-R80.40


/var/opt/CPR77CMP-R80.40
[Expert@MDS:0]#

$MDSVERUTIL MDSVarDir
Description
Returns the full path in the /var/opt/ directory to the $MDSDIR directory.

In addition, see the "$MDSVERUTIL MDSDir" on page 767 command.

Syntax

$MDSVERUTIL MDSVarDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarDir


/var/opt/CPmds-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarDir -v VID_90


/var/opt/CPmds-R77
[Expert@MDS:0]#

$MDSVERUTIL MDSVarFwbcDir
Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax option
until it is removed completely.

Description
Returns the full path in the /var/opt/ directory (in the MDS context) for the Backward Compatibility
directory for UTM-1 Edge devices.
This Backward Compatibility directory contains the applicable files to install policy on UTM-1 Edge devices.
In addition, see the "$MDSVERUTIL MDSFwbcDir" on page 769 command.

Syntax

$MDSVERUTIL MDSVarFwbcDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwbcDir


/var/opt/CPEdgecmp-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwbcDir -v VID_90


/var/opt/CPEdgecmp-R77
[Expert@MDS:0]#

$MDSVERUTIL MDSVarFwDir
Description
Returns the full path in the /var/opt/ directory for the $FWDIR directory in the MDS context.

In addition, see the "$MDSVERUTIL MDSFwDir" on page 770 command.

Syntax

$MDSVERUTIL MDSVarFwDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwDir


/var/opt/CPsuite-R80.40/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwDir -v VID_90


/var/opt/CPsuite-R77/fw1
[Expert@MDS:0]#

$MDSVERUTIL MDSVarSvnDir
Description
Returns the full path in the /var/opt/ directory for the $CPDIR directory in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMASvnDir" on page 753
n "$MDSVERUTIL MDSSvnDir" on page 779

Syntax

$MDSVERUTIL MDSVarSvnDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarSvnDir


/var/opt/CPshrd-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarSvnDir -v VID_90


/var/opt/CPshrd-R77
[Expert@MDS:0]#

$MDSVERUTIL MSP
Description
Returns the Minor Service Pack version.
In addition, see these commands:
n "$MDSVERUTIL SP" on page 792
n "$MDSVERUTIL CpdbUpParam" on page 755

Syntax

$MDSVERUTIL MSP [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MSP


9
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MSP -v VID_91


8
[Expert@MDS:0]#

$MDSVERUTIL OfficialName
Description
Returns the official version name.
In addition, see the "$MDSVERUTIL ShortOfficialName" on page 790 command.

Syntax

$MDSVERUTIL OfficialName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL OfficialName


R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL OfficialName -v VID_91


R80
[Expert@MDS:0]#

Example 3

[Expert@MDS:0]# $MDSVERUTIL OfficialName -v VID_65


NGX R65
[Expert@MDS:0]#

$MDSVERUTIL OptionPack
Description
Returns the internal Option Pack version.

Syntax

$MDSVERUTIL OptionPack [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL OptionPack


3
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL OptionPack -v VID_90


1
[Expert@MDS:0]#

$MDSVERUTIL ProductName
Description
Returns the official name of the Multi-Domain Server product.

Syntax

$MDSVERUTIL ProductName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL ProductName


Multi-Domain Security Management
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL ProductName -v VID_65


Provider-1
[Expert@MDS:0]#

$MDSVERUTIL RegistryCurrentVer
Description
Returns the current internal version of Check Point Registry.

Syntax

$MDSVERUTIL RegistryCurrentVer [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example

[Expert@MDS:0]# $MDSVERUTIL RegistryCurrentVer


6.0
[Expert@MDS:0]#

$MDSVERUTIL ShortOfficialName
Description
Returns the short (without spaces) official version name.
In addition, see the "$MDSVERUTIL OfficialName" on page 786 command.

Syntax

$MDSVERUTIL ShortOfficialName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL ShortOfficialName


R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL ShortOfficialName -v VID_65


NGX_65
[Expert@MDS:0]#

$MDSVERUTIL SmartCenterPuvUpgradeParam
Description
Returns the version parameter that is passed to the Pre-Upgrade Verifier (PUV) for an upgrade to that version.

Syntax

$MDSVERUTIL SmartCenterPuvUpgradeParam [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam


R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam -v VID_90


R77
[Expert@MDS:0]#

Example 3
[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam -v VID_65
NGX_R65
[Expert@MDS:0]#

$MDSVERUTIL SP
Description
Returns the Service Pack version.
In addition, see these commands:
n "$MDSVERUTIL MSP" on page 785
n "$MDSVERUTIL CpdbUpParam" on page 755

Syntax

$MDSVERUTIL SP [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SP
4
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SP -v VID_91


4
[Expert@MDS:0]#

$MDSVERUTIL SVNPkgName
Description
Returns the name of the Secure Virtual Network (SVN) package. Applies to versions NGX R60 and above.
In addition, see the "$MDSVERUTIL MDSPkgName" on page 775 command.

Syntax

$MDSVERUTIL SVNPkgName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SVNPkgName


CPsuite-R80.40-00
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SVNPkgName -v VID_90


CPsuite-R77-00
[Expert@MDS:0]#

$MDSVERUTIL SvrDirectory
Description
Returns the full path for the SmartReporter directory.

Syntax

$MDSVERUTIL SvrDirectory [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.

$MDSVERUTIL SvrParam
Description
Returns the SmartReporter version.

Syntax

$MDSVERUTIL SvrParam [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.


See the "$MDSVERUTIL AllVersions" on page 733 command.


Creating a Domain Management Server with the 'mgmt_cli' Command
Prerequisites
- Name or Identifier of the Domain. For example: MyDomain
- Name or Identifier of the new Domain Management Server. For example: MyDMS
- IPv4 address for the new Domain Management Server.
- IPv4 address for the Multi-Domain Server.
- The Multi-Domain Server username and password for a Multi-Domain Superuser, who has permission to create the new Domain Management Server.

To create a new Domain Management Server:

1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode with the Superuser credentials.
3. Create the Domain Management Server.
Run this command:

mgmt_cli add domain name <domain_name> servers.ip-address "<ipv4>" servers.name "<server_name>" servers.multi-domain-server "<mdm_name>"

For more information, see "mgmt_cli" on page 696.


Example:

mgmt_cli add domain name "domain1" servers.ip-address "192.0.2.1"


servers.name "domain1_ManagementServer_1" servers.multi-domain-
server "primary_mdm"

4. Connect with SmartConsole to the new Domain Management Server to configure the applicable
settings.
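
The single mgmt_cli command in step 3 logs in, publishes and logs out implicitly. The script below is an added example and is not part of this guide; it performs the same creation inside an explicit API session: it logs in once, adds the Domain with its Domain Management Server, publishes, and on any failure discards the pending change before logging out, so a half-made Domain never stays behind in an unpublished session. It also rejects a malformed IPv4 address before anything is sent to the server. It assumes Expert mode on the Multi-Domain Server, where mgmt_cli login -r true authenticates as the local root user and no administrator password has to appear on the command line; the MGMT_CLI variable and the function names are the example's own.

```bash
#!/bin/bash
# add_dms.sh - create a Domain with its first Domain Management Server through
# the Management API inside one explicit session (login, add, publish, logout),
# discarding the change if any step fails. Run in Expert mode on the
# Multi-Domain Server: "mgmt_cli login -r true" authenticates as the local root
# user, so no administrator password appears on the command line.
# Usage: ./add_dms.sh <domain_name> <dms_name> <dms_ipv4> <mds_object_name>
set -u

MGMT_CLI=${MGMT_CLI:-mgmt_cli}   # assumption: exists only so tests can swap in a stand-in

# Extract the session id from the JSON that "login --format json" prints.
sid_from_login() {
  sed -n 's/.*"sid" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# Reject anything that is not four dotted decimal octets in 0..255, so a typo
# is caught before it is published into the Domain Management Server object.
is_ipv4() {
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

create_dms() {
  local domain=$1 dms=$2 ip=$3 mds=$4 sid rc
  is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }

  sid=$("$MGMT_CLI" login -r true --format json | sid_from_login)
  [ -n "$sid" ] || { echo "login failed" >&2; return 1; }

  if "$MGMT_CLI" add domain name "$domain" \
        servers.ip-address "$ip" \
        servers.name "$dms" \
        servers.multi-domain-server "$mds" \
        -s "$sid" --format json \
     && "$MGMT_CLI" publish -s "$sid" --format json; then
    rc=0
  else
    rc=1
    # add or publish failed: drop the pending change instead of leaving an
    # unpublished session behind for someone else to take over
    "$MGMT_CLI" discard -s "$sid" --format json >/dev/null 2>&1
  fi
  "$MGMT_CLI" logout -s "$sid" --format json >/dev/null 2>&1
  return $rc
}

if [ $# -eq 4 ]; then
  create_dms "$@"
fi
```

Running ./add_dms.sh domain1 domain1_ManagementServer_1 192.0.2.1 primary_mdm reproduces the example above. The same login, add, publish, logout sequence applies to the Web Services API described in the next section, where each call is an HTTPS POST that carries the same parameters as JSON.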

SmartProvisioning Commands
For more information about SmartProvisioning, see the R80.40 SmartProvisioning Administration Guide.
In addition, see Security Management Server Commands.

Managing Security through API


This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the API Server
that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with third
party systems such as virtualization servers, ticketing systems, and change management systems.

API Tools
You can use these tools to run API scripts on the Management Server:
- Standalone management tool, included with SmartConsole. You can copy this tool to computers that run the Windows or Gaia operating system.
  - mgmt_cli.exe (for the Windows operating system)
  - mgmt_cli (for the Gaia operating system)
- Web Services API that allows communication and data exchange between the clients and the Management Server over HTTPS. Other Check Point processes use the same interface to communicate with the Management Server.
To learn more about the management APIs, to see code samples, and to take advantage of user forums,
see:
- The Check Point Management API Reference.
- The Developers Network section of the Check Point CheckMates Community.

Configuring the API Server


To configure the API Server:
1. Connect with SmartConsole to the Security Management Server or Domain Management Server.
2. From the left navigation panel, click Manage & Settings .
3. In the upper left section, click Blades .
4. In the Management API section, click Advanced Settings .
The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings .

Configuring Startup Settings

Select Automatic start to automatically start the API server when you start or reboot the
Management Server.

Notes:
- If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during Management Server installation.
- If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.

Configuring Access Settings

Select one of these options to configure which clients can connect to the API Server:
- Management server only - Only the Management Server itself can connect to the API Server. This option only lets you use the mgmt_cli utility to send API requests. You cannot use SmartConsole or web services to send API requests.
- All IP addresses that can be used for GUI clients - You can send API requests from all IP addresses that are defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole, Web services and the mgmt_cli utility.
- All IP addresses - You can send API requests from all IP addresses. This includes requests from SmartConsole, Web services and the mgmt_cli utility. Because the API accepts the same administrator credentials as SmartConsole, this setting exposes the management plane to every network that can reach the server; prefer the Trusted Clients option unless you have a specific reason not to.

6. Publish the SmartConsole session.
7. Restart the API Server.
Run this command:

api restart

Note - On a Multi-Domain Server, you must run this command in the context of
the applicable Domain Management Server.

Check Point LSMcli Overview


Description
Check Point SmartLSM Command Line Utility (LSMcli) is a simple command line utility, an alternative to
SmartProvisioning SmartConsole GUI.
LSMcli lets you perform SmartProvisioning GUI operations from a command line or through a script.

Notes:
- LSMcli can run from hosts other than SmartConsole clients. Make sure to define the hosts from which you run LSMcli as GUI clients.
- The first time you run LSMcli from a client, it shows the Management Server's fingerprint. Compare it with the fingerprint that cpconfig shows on the Management Server before you confirm it.
- In LSMcli, commands use the abbreviation ROBO (Remote Office/Branch Office) for the gateways. In the SmartProvisioning GUI, these gateways are called SmartLSM Security Gateways.

Syntax

LSMcli {-h | --help}

LSMcli [-d] <Mgmt Server> <Username> <Password> <Action>

Parameters

Parameter Description

[-d] Runs the command in the debug mode.

<Mgmt Server> Specifies the Security Management Server or Domain Management Server by its Name or IPv4 address.

<Username> Specifies the username used in the standard Check Point authentication method.

<Password> Specifies the password used in the standard Check Point authentication method. A password given on the command line is visible to other users in the process list and is kept in the shell history of the client.

<Action> Specifies the function performed (see the next sub-sections for a complete list of
actions).

Syntax Notation
Square brackets ([ ]) are used in the LSMcli utility syntax. These brackets are correct and syntactically necessary.
This is an example of how they are used:
- A [b [c]] - means that for parameter A, you can provide b. If you provide b, you can provide c.
- A [b] [c] - means that for parameter A, you can provide b, c, or b and c.
- A [b c] - means that for parameter A, you can provide b and c.


SmartLSM Security Gateway Management Actions
This section describes commands that perform management actions on SmartLSM Gateways.

LSMcli AddROBO VPN1


Description
This command adds a new Check Point SmartLSM Security Gateway to SmartProvisioning and assigns it a
SmartLSM Security Profile.
If a one-time password is supplied, a SIC certificate is created.
If an IP address is also supplied, the SIC certificate is pushed to the SmartLSM Security Gateway (in such
cases, the SmartLSM Security Gateway SIC one-time password must be initialized first).
If no IP address is supplied, the SIC certificate is pulled from the SmartLSM Security Gateway afterwards.
You can also assign an IP address range to Dynamic Objects, and specify whether or not to add them to
the VPN domain.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBO VPN1 <ROBOName> <Profile> [-RoboCluster=<OtherROBOName>] [-O=<ActivationKey> [-I=<IP>]] [[-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]] [-D]:<DynamicObjectName>=<IP1>[-<IP2>] [-D]:...

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of a SmartLSM Security Gateway.

<Profile> Name of a SmartLSM Security Profile that was defined in SmartConsole.

<OtherROBOName> Name of an already defined SmartLSM Security Gateway that participates in the SmartLSM Cluster with the newly created Security Gateway (if the "-RoboCluster" argument is provided).

<ActivationKey> SIC one-time password (for this action, a certificate is generated).

<IP> IP address of the Security Gateway (for this action, a certificate is pushed to the Security Gateway).

<CaName> Name of the Trusted CA object (created from SmartConsole). The IKE certificate request is sent to this CA. Default is the Check Point Internal CA.

<CertificateIdentifier#> Key identifier for third-party CA.

<AuthorizationKey> Authorization Key for third-party CA.

<DynamicObjectName> Name of the Dynamic Object.

<IP1> Single IP address for the Dynamic Object.

<IP1-IP2> Range of IP addresses for the Dynamic Object.

Example 1
This command adds a new SmartLSM Security Gateway MyRobo and assigns it the specified SmartLSM Security Profile AnyProfile.
A SIC password and an IP address are supplied, so the SIC Activation Key can be sent to the new SmartLSM Security Gateway.
A Dynamic Object called FirstDO is resolved to an IP address for this Security Gateway.

LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=192.0.2.4 -DE:FirstDO=192.0.2.100

Example 2

LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass -


I=10.10.10.1 -DE:FirstDO=10.10.10.5 -CA=OPSEC_CA -R=cert123 -
KEY=abc456


LSMcli ModifyROBO VPN1


Description
This command modifies a Check Point SmartLSM Security Gateway.
This action modifies the SmartProvisioning details for an existing SmartLSM Security Gateway and can be used to update properties previously supplied by the user.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBO VPN1 <RoboName> ...

and at least one of these:

... [-P=Profile] [-RoboCluster={<OtherROBOName> | -NoRoboCluster}] [-D:<DO Name>=<IP1>[-<IP2>] [-KeepDOs]...]

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<RoboName>         Name of the SmartLSM Security Gateway.
<Profile>          Name of a SmartLSM Security Profile that was defined in SmartConsole.
<OtherROBOName>    Name of the already defined SmartLSM Security Gateway that is to participate in the Cluster with the newly created Security Gateway (if the "-RoboCluster" argument is provided).
-NoRoboCluster     This parameter is equivalent to the Remove Cluster operation in the SmartProvisioning GUI. When you issue a ModifyROBO VPN1 command with this argument on a Security Gateway that participates in a cluster, the cluster is removed.
<DO Name>          Name of the Dynamic Object.
<IP1>              Single IP address for the Dynamic Object.
<IP1-IP2>          Range of IP addresses for the Dynamic Object.

-KeepDOs           Keeps all existing dynamic objects in the dynamic objects list when you add new dynamic objects. If a dynamic object already exists in the list, its IP resolution is updated. If this flag is not specified, the dynamic objects list is deleted when you use the LSMcli command to add new dynamic objects.

Example
This example resolves Dynamic Objects for the given Security Gateway.

LSMcli mySrvr name pass ModifyROBO VPN1 MyRobo -D:MyEmailServer=123.45.67.8 -D:MySpecialNet=10.10.10.1-10.10.10.6


LSMcli ModifyROBOManualVPNDomain
Description
This command modifies the SmartLSM VPN Domain, to take effect when the VPN Domain becomes defined as Manual.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBOManualVPNDomain <RoboName> {-Add=<FirstIP>-<LastIP> | -Delete=<Index>} [-IfOverlappingIPRangesDetected={exit | ignore | warn}]

Parameters

Parameter                        Description
<Mgmt Server>                    Name or IP address of the Security Management Server or Domain Management Server.
<Username>                       User name of standard Check Point authentication method.
<Password>                       Password of standard Check Point authentication method.
<RoboName>                       Name of the SmartLSM Security Gateway or SmartLSM Cluster.
<FirstIP>-<LastIP>               IP address range.
<Index>                          Value displayed by the "LSMcli ShowInfo" on page 829 command or the "LSMcli ShowROBOTopology" on page 818 command.
-IfOverlappingIPRangesDetected   Optional. Determines the course of action, if overlapping IP address ranges are detected: exit, ignore, or show a warning.

Example 1

LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Add=192.0.2.1-192.0.2.20

Example 2

LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Delete=1
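Added example (not from the Check Point guide or from LSMcli itself): a Python pre-flight check that applies the exit / ignore / warn decision of -IfOverlappingIPRangesDetected locally before an -Add is sent, so an operator sees which existing index a new range collides with. The existing ranges are constructed sample data standing in for the output of "LSMcli ShowROBOTopology"; the server, user and gateway names are the guide's own placeholders.

```python
"""Pre-flight overlap check for "LSMcli ModifyROBOManualVPNDomain -Add=<FirstIP>-<LastIP>".

Added example, not part of the Check Point guide or of LSMcli. It reproduces
the decision described for -IfOverlappingIPRangesDetected={exit | ignore | warn}:
compare a new range against the ranges already in the manual VPN Domain and
refuse, warn, or proceed silently. The list indexes mirror the <Index> that
-Delete expects.
"""
import ipaddress
import sys
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(text: str) -> IPRange:
    """Parse "<FirstIP>-<LastIP>" (the -Add argument format) into a validated pair."""
    first_s, sep, last_s = text.partition("-")
    if not sep:
        raise ValueError(f"expected <FirstIP>-<LastIP>, got {text!r}")
    first = ipaddress.IPv4Address(first_s.strip())
    last = ipaddress.IPv4Address(last_s.strip())
    if last < first:
        raise ValueError(f"last address {last} precedes first address {first}")
    return first, last


def overlaps(a: IPRange, b: IPRange) -> bool:
    """Two inclusive ranges overlap unless one ends before the other starts."""
    return not (a[1] < b[0] or b[1] < a[0])


def find_overlaps(new: IPRange, existing: List[IPRange]) -> List[int]:
    """Return the 1-based indexes (as shown by ShowROBOTopology) of overlapping ranges."""
    return [i for i, r in enumerate(existing, start=1) if overlaps(new, r)]


def check_add(new_text: str, existing: List[IPRange], policy: str = "warn") -> Tuple[bool, List[int]]:
    """Decide whether the -Add should proceed under the given policy.

    Returns (proceed, overlapping_indexes): "exit" refuses the add when an
    overlap exists, "warn" proceeds but reports it, "ignore" proceeds silently.
    """
    if policy not in ("exit", "ignore", "warn"):
        raise ValueError("policy must be exit, ignore or warn")
    new = parse_range(new_text)
    hits = find_overlaps(new, existing)
    if hits and policy == "exit":
        return False, hits
    if hits and policy == "warn":
        print(f"warning: {new_text} overlaps existing range(s) at index {hits}", file=sys.stderr)
    return True, hits


def build_add_command(mgmt: str, user: str, password: str, robo: str,
                      new_text: str, policy: str) -> List[str]:
    """argv for the LSMcli call, built only after the local check passes."""
    return [
        "LSMcli", mgmt, user, password, "ModifyROBOManualVPNDomain", robo,
        f"-Add={new_text}", f"-IfOverlappingIPRangesDetected={policy}",
    ]


# Constructed sample: ranges already present in MyRobo's manual VPN Domain
# (in the real workflow, read them from "LSMcli ShowROBOTopology MyRobo").
EXISTING = [parse_range("192.0.2.1-192.0.2.20"), parse_range("198.51.100.0-198.51.100.255")]

if __name__ == "__main__":
    for candidate, policy in (("192.0.2.10-192.0.2.30", "exit"), ("203.0.113.1-203.0.113.9", "exit")):
        ok, hits = check_add(candidate, EXISTING, policy)
        print(candidate, "->", "proceed" if ok else f"refused (overlaps index {hits})")
        if ok:
            print(" ".join(build_add_command("mySrvr", "name", "pass", "MyRobo", candidate, policy)))
```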


LSMcli ModifyROBOTopology VPN1


Description
This command modifies the SmartLSM VPN Domain configuration for a selected Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBOTopology VPN1 <RoboName> -VPNDomain={not_defined | external_ip_only | topology | manual}

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
-VPNDomain       Specifies the VPN Domain topology:
                 - not_defined - Equivalent to the Not Defined option on the Topology tab of a SmartLSM Security Gateway in the SmartProvisioning GUI (or in the output of the "LSMcli ShowROBOTopology" on page 818 command).
                 - external_ip_only - Equivalent to the Only the external interface configuration in the SmartProvisioning GUI.
                 - topology - Equivalent to the All IP Addresses behind the Gateway based on Topology information configuration in the SmartProvisioning GUI.
                 - manual - Equivalent to Manually defined. VPN domain is defined according to the configuration made with the "LSMcli ModifyROBOManualVPNDomain" on page 807 command.

Example

LSMcli mySrvr name pass ModifyROBOTopology VPN1 MyRobo -VPNDomain=manual


LSMcli ModifyROBOInterface VPN1


Description
This command modifies the Internal Interface list.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBOInterface VPN1 <RoboName> <InterfaceName> -i=<IPAddress> [-Netmask=<NetMask>] [-IfOverlappingIPRangesDetected={exit | ignore | warn}]

Parameters

Parameter                        Description
<Mgmt Server>                    Name or IP address of the Security Management Server or Domain Management Server.
<Username>                       User name of standard Check Point authentication method.
<Password>                       Password of standard Check Point authentication method.
<RoboName>                       Name of the SmartLSM Security Gateway.
<InterfaceName>                  Name of the existing interface.
<IPAddress>                      IP address of the interface.
<NetMask>                        Net mask of the interface.
-IfOverlappingIPRangesDetected   Optional. Determines the course of action, if overlapping IP address ranges are detected: exit, ignore, or show a warning.

Example

LSMcli mySrvr name pass ModifyROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1 -Netmask=255.255.255.0


LSMcli AddROBOInterface VPN1


Description
This command adds a new interface to the selected SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBOInterface VPN1 <RoboName> <InterfaceName> -i=<IPAddress> -NetMask=<NetMask>

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<RoboName>         Name of the SmartLSM Security Gateway.
<InterfaceName>    Name of an existing interface.
<IPAddress>        IP address of the interface.
<NetMask>          Net mask of the interface.

Example

LSMcli mySrvr name pass AddROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1 -Netmask=255.255.255.0


LSMcli DeleteROBOInterface VPN1


Description
This command deletes an interface from the selected Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> DeleteROBOInterface VPN1 <RoboName> <InterfaceName>

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<RoboName>         Name of the SmartLSM Security Gateway.
<InterfaceName>    Name of an existing interface.

Example

LSMcli mySrvr name pass DeleteROBOInterface VPN1 MyRobo eth0


LSMcli ExportIke
Description
This command exports the IKE Certificate into a P12 file (encrypted with a provided password) from a SmartLSM Security Gateway, SmartLSM Cluster, or SmartLSM Cluster Member.
The default location of the exported file is the $FWDIR/conf/ directory.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ExportIke <RoboName> <Password> <FileName>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway, SmartLSM Cluster, or SmartLSM Cluster Member, whose certificate is exported.
<Password>       Password used to protect the p12 file.
<FileName>       Destination file name (is created).

Example

LSMcli mySrvr name pass ExportIke MyROBO ajg42k93N MyROBOCert.p12


LSMcli ResetIke
Description
This command resets the IKE Certificate of a SmartLSM Security Gateway, SmartLSM Cluster, or SmartLSM Cluster Member.
This action revokes the existing IKE certificate and creates a new one.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ResetIke <RoboName> [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]

Parameters

Parameter                  Description
<Mgmt Server>              Name or IP address of the Security Management Server or Domain Management Server.
<Username>                 User name of standard Check Point authentication method.
<Password>                 Password of standard Check Point authentication method.
<RoboName>                 Name of the Security Gateway, SmartLSM Cluster, or SmartLSM Cluster Member.
<CaName>                   Name of the Trusted CA object (created from SmartConsole). The IKE certificate request is sent to this CA.
<CertificateIdentifier#>   Key identifier of the specific certificate.
<AuthorizationKey>         Authorization Key to be sent to the CA for the certificate retrieval.

Example

LSMcli mySrvr name pass ResetIke MyROBO -CA=OPSEC_CA -R=cer3452s -KEY=ad23fgh


LSMcli Remove
Description
This command deletes a SmartLSM Security Gateway.
This action revokes all the certificates used by the SmartLSM Security Gateway, releases all the licenses and, finally, removes the SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Remove <RoboName> <ID>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the Security Gateway.
<ID>             ID of the SmartLSM Security Gateway. Use the "LSMcli Show" on page 816 command to check the ID of the specific SmartLSM Security Gateway.

Example

LSMcli mySrvr name pass Remove MyRobo 0.0.0.251


LSMcli ResetSic
Description
This command resets the SIC Certificate of a SmartLSM Security Gateway or SmartLSM Cluster Member.
This action revokes the Security Gateway's SIC certificate and creates a new one with the one-time password provided by the user.
If an IP address is supplied for the SmartLSM Security Gateway, the SIC certificate is pushed to the SmartLSM Security Gateway, in which case the SmartLSM Security Gateway SIC one-time password must be initialized first.
Otherwise, if no IP address is given, the SIC certificate is later pulled from the SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ResetSic <RoboName> <ActivationKey> [-I=<IPAddress>]

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<RoboName>         Name of the SmartLSM Security Gateway or SmartLSM Cluster Member.
<ActivationKey>    One-time password for the Secure Internal Communications with the SmartLSM Security Gateway.
<IPAddress>        IP address of the Security Gateway (for this action, the certificate is pushed to the Security Gateway).

Example 1

LSMcli mySrvr name pass ResetSic MyROBO aw47q1

Example 2

LSMcli mySrvr name pass ResetSic MyFixedIPROBO sp36rt1 -I=10.20.30.1


LSMcli Show
Description
This command displays a list of existing Security Gateways.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Show [-N=<Gateway Name>] [-F=<FilterFlags>]

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<Gateway Name>     Name of the Security Gateway to display. If the "-N" flag is not included, the command prints the existing Devices work space, including SmartLSM Security Gateways.
-F=<FilterFlags>   You can use these flags to filter the printed information:
                   - b - ID
                   - c - Cluster ID
                   - d - List of Dynamic Objects assigned to this SmartLSM Security Gateway
                   - g - Gateway status
                   - i - IP address
                   - k - IKE DN
                   - l - Policy status
                   - n - Name
                   - p - SmartLSM Security Profile
                   - s - SIC DN
                   - t - Type
                   - v - Version

Note - To specify more than one filter flag, write them together. Example: -F=bn


Example 1

LSMcli mySrvr name pass Show -N=MyRobo

Example 2

LSMcli mySrvr name pass Show -F=binpt


LSMcli ShowROBOTopology
Description
This command displays the Topology information of the SmartLSM Security Gateway.
It lists the defined Interfaces and their respective IP Addresses and Network Masks, and the VPN Domain configuration.
You can use the indexes of the manually defined VPN domain IP address ranges, on the displayed list, when you request to delete a range with the "LSMcli ModifyROBOManualVPNDomain" on page 807 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ShowROBOTopology <RoboName>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the Security Gateway.

Example

LSMcli mySrvr name pass ShowROBOTopology MyRobo


LSMcli UpdateCO
Description
This command updates a Corporate Office (CO) Security Gateway.
This action updates the CO Security Gateway with up-to-date available information about the VPN Domains of the SmartLSM Security Gateways.
Perform this action after you add a new SmartLSM Security Gateway to enable the CO gateway to initiate a VPN tunnel to the new SmartLSM Security Gateway.
Alternatively, you can Install Policy on the CO gateway to obtain updated VPN Domain information.

Note - This command supports CO Security Gateways only.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> UpdateCO {<CoGw> | <CoGwCluster>}

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<CoGw>           Name of a CO gateway.
<CoGwCluster>    Name of a cluster of CO gateways.

Example

LSMcli mySrvr name pass UpdateCO MyCO


SmartUpdate Actions
This section describes commands that perform SmartUpdate actions on SmartLSM Gateways.
Before you can install software on gateways, you must first load it to the Security Management Server.

Best Practice - Run the "LSMcli VerifyInstall" on page 825 command to make sure that the software is compatible.

Use the "LSMcli Install" on page 821 command to install the software.
Use the "LSMcli Uninstall" on page 823 command to uninstall the software.


LSMcli Install
Description
This command installs the specified software on the SmartLSM Security Gateway or SmartLSM Cluster Member.

Note - Before you can install software on SmartLSM Security Gateways, you must first load it to the Security Management Server.

Best Practice - Run the "LSMcli VerifyInstall" on page 825 command to make sure that the software is compatible.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Install <RoboName> <Product> <Vendor> <Version> <SP> [-P=<Profile>] [-boot] [-DoNotDistribute]

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<RoboName>         Name of the SmartLSM Security Gateway.
<Product>          Name of the package.
<Vendor>           Name of the vendor of the package.
<Version>          Major Version of the package.
<SP>               Minor Version of the package.
<Profile>          Assign a different SmartLSM Security Profile (already defined in SmartConsole) after installation.
-boot              Reboot the SmartLSM Security Gateway after installation.
-DoNotDistribute   Optional. Install previously distributed packages.

Example

LSMcli mySrvr name pass Install MyRobo firewall checkpoint NG_AI fcs -P=AnyProfile -boot


LSMcli Uninstall
Description
This command uninstalls the specified package from the SmartLSM Security Gateway or SmartLSM Cluster Member.
You can use the "LSMcli ShowInfo" on page 829 command to see what products are installed on the SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Uninstall <RoboName> <Product> <Vendor> <Version> <SP> [-P=<Profile>] [-boot]

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
<Product>        Name of the package.
<Vendor>         Name of the vendor of the package.
<Version>        Major Version of the package.
<SP>             Minor Version of the package.
<Profile>        Assign a different SmartLSM Security Profile (already defined in SmartConsole) after uninstall.
-boot            Reboot the SmartLSM Security Gateway after installation.

Example

LSMcli mySrvr name pass Uninstall MyRobo firewall checkpoint NG_AI fcs -boot


LSMcli Distribute
Description
This command distributes a package from the Repository to the SmartLSM Security Gateway or SmartLSM Cluster Member, but does not install it.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Distribute <RoboName> <Product> <Vendor> <Version> <SP>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
<Product>        Name of the package.
<Vendor>         Name of the vendor of the package.
<Version>        Major version of the package.
<SP>             Minor version of the package.

Example

LSMcli mySrvr name pass Distribute MyRobo fw1 checkpoint NG_AI R54


LSMcli VerifyInstall
Description
This command makes sure that the software is compatible for installation on the SmartLSM Security Gateway or SmartLSM Cluster Member.

Note - This action does not perform an installation.

Best Practice - Run this command before you install the software on the SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> VerifyInstall <RoboName> <Product> <Vendor> <Version> <SP>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
<Product>        Name of the package.
<Vendor>         Name of the vendor of the package.
<Version>        Major version of the package.
<SP>             Minor version of the package.

Example

LSMcli mySrvr name pass VerifyInstall MyRobo firewall checkpoint NG_AI fcs
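Added example (not from the Check Point guide or from LSMcli): a Python wrapper that runs the Distribute, VerifyInstall and Install -DoNotDistribute commands described above as one procedure per SmartLSM Security Gateway and stops at the first failing step, so a package that fails verification is never installed. The `run` callable, the stub that stands in for LSMcli, and the gateway names BranchA and BranchB are constructed for this example; the package identifiers are the guide's own.

```python
"""Staged SmartUpdate rollout with LSMcli: Distribute, VerifyInstall, then Install.

Added example, not part of the Check Point guide or of LSMcli. Each gateway
goes through the three documented commands in order; a non-zero exit status
from any step stops that gateway's rollout. The `run` callable is an injection
point: by default it executes LSMcli with subprocess, and make_stub() supplies
a constructed stand-in so the flow can be exercised without a Management Server.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Runner = Callable[[List[str]], int]  # executes an argv, returns the exit status


@dataclass
class Package:
    product: str   # <Product>
    vendor: str    # <Vendor>
    version: str   # <Version>, the major version
    sp: str        # <SP>, the minor version

    def args(self) -> List[str]:
        return [self.product, self.vendor, self.version, self.sp]


@dataclass
class Rollout:
    mgmt: str
    user: str
    password: str
    run: Optional[Runner] = None
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.run is None:
            self.run = self._run_lsmcli

    @staticmethod
    def _run_lsmcli(argv: List[str]) -> int:
        """Real execution path: LSMcli must be on PATH on the Management Server."""
        return subprocess.run(argv, check=False).returncode

    def lsmcli(self, action: str, *rest: str) -> int:
        argv = ["LSMcli", self.mgmt, self.user, self.password, action, *rest]
        rc = self.run(argv)
        # Record the action without the credentials so the log can be retained.
        self.log.append(f"{action} {' '.join(rest)} -> rc={rc}")
        return rc

    def stage(self, robo: str, pkg: Package, reboot: bool = False) -> str:
        """Run the three steps for one gateway; stop at the first failure."""
        if self.lsmcli("Distribute", robo, *pkg.args()) != 0:
            return "distribute-failed"
        if self.lsmcli("VerifyInstall", robo, *pkg.args()) != 0:
            return "verify-failed"
        # The package is already on the gateway, so install it without redistributing.
        extra = ["-DoNotDistribute"] + (["-boot"] if reboot else [])
        if self.lsmcli("Install", robo, *pkg.args(), *extra) != 0:
            return "install-failed"
        return "installed"

    def stage_all(self, robos: List[str], pkg: Package, reboot: bool = False) -> Dict[str, str]:
        return {robo: self.stage(robo, pkg, reboot) for robo in robos}


def make_stub(verify_fail_for: List[str]) -> Runner:
    """Constructed stand-in for LSMcli: VerifyInstall fails for the named gateways."""
    def run(argv: List[str]) -> int:
        action, robo = argv[4], argv[5]
        return 1 if action == "VerifyInstall" and robo in verify_fail_for else 0
    return run


if __name__ == "__main__":
    pkg = Package("firewall", "checkpoint", "NG_AI", "fcs")   # from the guide's Install example
    roll = Rollout("mySrvr", "name", "pass", run=make_stub(["BranchB"]))
    print(roll.stage_all(["BranchA", "BranchB"], pkg, reboot=True))
    print("\n".join(roll.log))
```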


LSMcli VerifyUpgrade
Description
This command verifies if you can upgrade a selected software on the SmartLSM Security Gateway or SmartLSM Cluster Member.

Note - This command does not perform an installation.

Best Practice - Run this command before you run the "LSMcli Upgrade" on page 827 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> VerifyUpgrade <RoboName>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.

Example

LSMcli mySrvr name pass VerifyUpgrade MyRobo


LSMcli Upgrade
Description
This command upgrades all the (appropriate) available software packages on the SmartLSM Security Gateway or SmartLSM Cluster Member.

Best Practice - Run the "LSMcli VerifyUpgrade" on page 826 command before you run this command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Upgrade <RoboName> [-P=<Profile>] [-boot]

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
<Profile>        Assign a different SmartLSM Security Profile (already defined in SmartConsole) after installation.
-boot            Reboot the SmartLSM Security Gateway after the installation is finished.

Example

LSMcli mySrvr name pass Upgrade MyRobo -P=myprofile -boot


LSMcli GetInfo
Description
This command collects product information from the SmartLSM Security Gateway or SmartLSM Cluster Member.

Important - If you upgrade any package manually instead of using SmartUpdate, you must run this command before you run the "LSMcli ShowInfo" on page 829 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> GetInfo <RoboName>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.

Example

LSMcli mySrvr name pass GetInfo MyRobo


LSMcli ShowInfo
Description
This command displays product information for the list of the products installed on the SmartLSM Security Gateway or SmartLSM Cluster Member.

Important - Before you run this command, run the "LSMcli GetInfo" on page 828 command to make sure the information is up-to-date.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ShowInfo <RoboName>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the Security Gateway.

Example

LSMcli mySrvr name pass ShowInfo MyRobo


LSMcli ShowRepository
Description
This command shows the list of the available products on the Management Server.
Use SmartUpdate to manage the products, load new products, remove products, and so on.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ShowRepository

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.

Example

LSMcli mySrvr name pass ShowRepository


LSMcli Stop
Description
This command stops Security Gateway services on the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 175.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Stop {<RoboName> | <GatewayName>}

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
<GatewayName>    Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass Stop MyRobo


LSMcli Start
Description
This command starts Security Gateway services on the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 175.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Start {<RoboName> | <GatewayName>}

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
<GatewayName>    Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass Start MyRobo


LSMcli Restart
Description
This command restarts Security Gateway services on the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 175.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Restart {<RoboName> | <GatewayName>}

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
<GatewayName>    Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass Restart MyRobo


LSMcli Reboot
Description
This command reboots the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 175.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Reboot {<RoboName> | <GatewayName>}

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway.
<GatewayName>    Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass Reboot MyRobo


LSMcli Push Actions


These commands are used to push updated values, settings, and security rules to gateways.
After you create a gateway or a dynamic object in the SmartProvisioning system, you must assign (push) a
security policy to it.


LSMcli PushPolicy
Description
This command pushes a policy to the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 175.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Clusters.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> PushPolicy {<RoboName> | <GatewayName>}

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway, or SmartLSM Cluster.
<GatewayName>    Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass PushPolicy MyRobo


LSMcli PushDOs
Description
This command updates a Dynamic Object's information on the SmartLSM Security Gateway or SmartLSM Cluster Member.

Note - This command does not remove/release the IP address range for the deleted Dynamic Object, but only adds new ones. To overcome this difficulty, run the "LSMcli PushPolicy" on page 836 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> PushDOs <RoboName>

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway or SmartLSM Cluster Member.

Example

LSMcli mySrvr name pass PushDOs MyRobo


LSMcli GetStatus
Description
This command fetches various statistics from the selected gateway.

Note - This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> GetStatus {<RoboName> | <GatewayName>}

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<RoboName>       Name of the SmartLSM Security Gateway or SmartLSM Cluster Member.
<GatewayName>    Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass GetStatus MyRobo


LSMcli Gateway Conversion Actions


These commands let you:
- Convert a gateway from a SmartLSM Security Gateway to a standard Security Gateway.
- Convert a gateway from a standard Security Gateway to a SmartLSM Security Gateway.


LSMcli Convert ROBO VPN1


Description
This command converts a SmartLSM Security Gateway to a standard Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Convert ROBO VPN1 <Name> [-CO] [-Force]

Parameters

Parameter      Description
<Mgmt Server>  Name or IP address of the Security Management Server or Domain Management Server.
<Username>     User name of standard Check Point authentication method.
<Password>     Password of standard Check Point authentication method.
<Name>         Name of the Security Gateway.
-CO            Define as a CO gateway.
-Force         Convert the SmartLSM Security Gateway, even if no connection can be established.

               Important - Use with caution, as a forced conversion always succeeds, even if
               there is no connection to the gateway. If there was no connection with the
               SmartLSM Security Gateway when you ran this command, you must manually
               configure the SmartLSM Security Gateway:
               1. Connect to the command line on the Security Gateway.
               2. Disable the SmartLSM support:

                  LSMenabler -r off

               3. Configure the Security Gateway as a CO gateway:

                  LSMenabler on

               4. In SmartConsole, configure the applicable settings in the Security
                  Gateway object: interfaces, VPN communities, and so on.
               5. Install the policy.


Example 1

LSMcli mySrvr name pass Convert ROBO VPN1 MyRobo -CO

Example 2

LSMcli mySrvr name pass Convert ROBO VPN1 MyRobo -Force

LSMcli Convert Gateway VPN1


Description
This command converts a standard Security Gateway to a SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Convert Gateway VPN1 <Name> <Profile>
[-E=<EXT> [-I=<INT>] [-D=<DMZ>] [-A=<AUX>]] [-NoRestart] [-Force]

Parameters

Parameter      Description
<Mgmt Server>  Name or IP address of the Security Management Server or Domain Management Server.
<Username>     User name of standard Check Point authentication method.
<Password>     Password of standard Check Point authentication method.
<Name>         Name of the Security Gateway.
<Profile>      Assign a different SmartLSM Security Profile (already defined in SmartConsole)
               after conversion.
<EXT>          Name of the external interface.
<INT>          Name of the internal interface.
<DMZ>          Name of the DMZ interface.
<AUX>          Name of the Auxiliary Network interface.
-NoRestart     Do not restart Check Point services on the remote Security Gateway after the
               conversion completes.


-Force         Convert the Security Gateway, even if no connection can be established.

               Important - Use with caution, as a forced conversion always succeeds, even if
               there is no connection to the gateway. If there was no connection with the
               SmartLSM Security Gateway when you ran this command, you must manually
               configure the SmartLSM Security Gateway:
               1. Connect to the command line on the SmartLSM Security Gateway.
               2. Enable the SmartLSM support:

                  LSMenabler -r on

               3. In SmartConsole, configure the applicable SmartLSM Security Profile.
               4. In SmartProvisioning, configure the SmartLSM Security Gateway: select the
                  applicable SmartLSM Security Profile, and so on.

Example

LSMcli mySrvr name pass Convert Gateway VPN1 MyGW MyProfile -E=eth0 -
I=eth1 -D=eth2 -Force

Managing SmartLSM Clusters with LSMcli


With the LSMcli command, you can define SmartLSM clusters and configure most of the options
available in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard and in the Edit windows).
This section lists the commands that are unique to SmartLSM Clusters.
Other commands that also apply to SmartLSM Clusters:
- "LSMcli Distribute" on page 824
- "LSMcli GetInfo" on page 828
- "LSMcli GetStatus" on page 838
- "LSMcli Install" on page 821
- "LSMcli ModifyROBOManualVPNDomain" on page 807
- "LSMcli PushDOs" on page 837
- "LSMcli PushPolicy" on page 836
- "LSMcli Reboot" on page 834
- "LSMcli ResetIke" on page 813
- "LSMcli ResetSic" on page 815
- "LSMcli Restart" on page 833
- "LSMcli ShowInfo" on page 829
- "LSMcli Start" on page 832
- "LSMcli Stop" on page 831
- "LSMcli Uninstall" on page 823
- "LSMcli Upgrade" on page 827
- "LSMcli VerifyInstall" on page 825
- "LSMcli VerifyUpgrade" on page 826

Note - There is no convert action for or to SmartLSM clusters.

LSMcli AddROBO VPN1Cluster


Description
This command defines a new SmartLSM cluster.
You can configure all of the options available in the New SmartLSM Cluster wizard of the
SmartProvisioning GUI.
The only exception is the configuration of Topology overrides (see LSMcli ModifyROBONetaccess
VPN1Cluster).

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBO VPN1Cluster <Profile> <MainIPAddress>
<SuffixName> [-S=<SubstitutedNamePart>] [-CA=<CaName> [-R=<KeyIdentifier#>] [-KEY=<AuthorizationCode>]]

Parameters

Parameter              Description                                         SmartLSM GUI Location
<Mgmt Server>          Name or IP address of the Security Management
                       Server or Domain Management Server.
<Username>             User name of standard Check Point authentication
                       method.
<Password>             Password of standard Check Point authentication
                       method.
<Profile>              Name of cluster Profile to which to map the new     New SmartLSM Cluster wizard.
                       cluster.
<MainIPAddress>        Main IP address of cluster.                         New SmartLSM Cluster wizard.
<SuffixName>           A suffix to be added to cluster and member          New SmartLSM Cluster wizard.
                       Profile names.
<SubstitutedNamePart>  A part of the Profile name to be replaced by the    SmartProvisioning GUI supports
                       suffix in the previous field.                       adding Prefix and/or Suffix,
                                                                           not substitution.
<CaName>               The name of the Trusted CA object, defined in       Double-click the SmartLSM
                       SmartConsole, to which a VPN certificate request    cluster object > Edit window >
                       is sent.                                            VPN tab.
<KeyIdentifier#>       Number to identify the specific certificate, once   Double-click the SmartLSM
                       generated.                                          cluster object > Edit window >
                                                                           VPN tab.


<AuthorizationCode>    Authorization Key to be sent to CA to enable        Double-click the SmartLSM
                       certificate retrieval.                              cluster object > Edit window >
                                                                           VPN tab.

LSMcli ModifyROBO VPN1Cluster


Description
This command changes the main IP address of a SmartLSM cluster, or resolves a Dynamic Object for a
SmartLSM cluster.

Syntax for changing the Main IP Address


You can change a SmartLSM cluster main IP address in the SmartProvisioning GUI (double-click the
SmartLSM cluster object > Edit window > Cluster tab), or with this command:

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBO VPN1Cluster <ROBOClusterName> -I=<MainIPAddress>

Syntax for resolving a Dynamic Object


You can resolve a dynamic object for a SmartLSM cluster in the SmartProvisioning GUI (double-click the
SmartLSM cluster object > Edit window > Dynamic Objects tab), or with this command:

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBO VPN1Cluster <ROBOClusterName> -D:<DO Name>={<IP> | <IP1-IP2>}

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<Profile>          Name of cluster Profile to which to map the new cluster.
<MainIPAddress>    Main IP address of cluster.
<DO Name>          Name of the Dynamic Object.
<IP>               Single IP address.
<IP1-IP2>          Range of IP addresses.
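
The -D:<DO Name>={<IP> | <IP1-IP2>} value above is a plain string as far as the shell is concerned, so a mistyped range goes to the management server unchecked. The shell functions below are an added example, not part of the Check Point guide or of LSMcli: they validate the value (four decimal octets, and a range whose first address is not above its second) and print only the action part of the command line, so the caller prepends "LSMcli <Mgmt Server> <Username> <Password>" itself. The cluster and Dynamic Object names in the sample call are constructed. A value that passes here still has to be pushed to the gateway with LSMcli PushDOs, as described earlier.

```shell
#!/bin/sh
# Added example: offline validation of a Dynamic Object value for
# "ModifyROBO VPN1Cluster ... -D:<DO Name>={<IP> | <IP1-IP2>}".
# Nothing here invokes LSMcli; the functions only build the argument string.

# ipv4_ok ADDR: succeed only for four decimal octets in 0-255.
# Octets with a leading zero are rejected so that the arithmetic below
# can never read them as octal.
ipv4_ok() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in 0?*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ipv4_to_int ADDR: print the address as a 32-bit integer, used to order a range.
ipv4_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 ))
}

# do_value_ok VALUE: accept <IP>, or <IP1-IP2> with IP1 <= IP2.
do_value_ok() {
    case "$1" in
        *-*)
            _lo=${1%%-*}; _hi=${1#*-}
            ipv4_ok "$_lo" || return 1
            ipv4_ok "$_hi" || return 1
            [ "$(ipv4_to_int "$_lo")" -le "$(ipv4_to_int "$_hi")" ]
            ;;
        *) ipv4_ok "$1" ;;
    esac
}

# build_modify_do CLUSTER DO_NAME VALUE: print what follows
# "LSMcli <Mgmt Server> <Username> <Password>", or fail with a reason.
build_modify_do() {
    do_value_ok "$3" || { echo "rejected Dynamic Object value: $3" >&2; return 1; }
    printf 'ModifyROBO VPN1Cluster %s -D:%s=%s\n' "$1" "$2" "$3"
}

# Constructed sample call (cluster and object names are made up):
#   build_modify_do Paris_Cluster LocalMachine_DO 10.10.1.10-10.10.1.20
```

Keeping credentials out of the helper is deliberate: anything placed on the LSMcli command line, including <Password>, is visible to other users of the host in the process list, so the caller decides how to supply it.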

LSMcli ModifyROBOTopology VPN1Cluster


Description
You can set the VPN domain of a SmartLSM cluster in the SmartProvisioning GUI (double-click the
SmartLSM cluster object > Edit window > Topology tab), or with this command.

Note - When the VPN domain is set to Manual, the IP address ranges are those set in
the SmartProvisioning GUI, or with the "LSMcli ModifyROBOManualVPNDomain" on
page 807 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBOTopology VPN1Cluster <RoboClusterName>
-VPNDomain={not_defined | external_ip_only | topology | manual}

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<RoboClusterName>  Name of the SmartLSM Cluster.
-VPNDomain         Specifies the VPN Domain topology:
                   - not_defined - Equivalent to the Not Defined option on the Topology tab of a
                     SmartLSM Security Gateway in the SmartProvisioning GUI (or in the output of
                     the "LSMcli ShowROBOTopology" on page 818 command).
                   - external_ip_only - Equivalent to the Only the external interface
                     configuration in the SmartProvisioning GUI.
                   - topology - Equivalent to the All IP Addresses behind the Gateway based on
                     Topology information configuration in the SmartProvisioning GUI.
                   - manual - Equivalent to Manually defined. The VPN domain is defined according
                     to the configuration made with the "LSMcli ModifyROBOManualVPNDomain" on
                     page 807 command.

LSMcli ModifyROBONetaccess VPN1Cluster


Description
For a specific SmartLSM cluster, you can override the Profile topology definitions of a cluster (virtual)
interface in the SmartProvisioning GUI (double-click the SmartLSM cluster object > Edit window >
Topology tab), or with this command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBONetaccess VPN1Cluster <ClusterName>
<InterfaceName> -Mode={by_profile|override} [-TopologyType={external|internal}]
[-DMZAccess={true|false}] [-InternalIP={not_defined|this|specific} [-AllowedGroup=<GroupName>]]
[-AntiSpoof={true|false} [-AllowedGroup=<GroupName>] [-SpoofTrack={none|log|alert}]]

Parameters

Parameter        Description
<Mgmt Server>    Name or IP address of the Security Management Server or Domain Management Server.
<Username>       User name of standard Check Point authentication method.
<Password>       Password of standard Check Point authentication method.
<ClusterName>    Name of the SmartLSM cluster.
<InterfaceName>  Name of the cluster (virtual) interface.
                 If the interface's Network Objective (as defined in the Profile topology) is Sync
                 only (and not Cluster+Sync), there is no cluster interface, only a cluster member
                 interface. In this case, use the Network Objective (for example, 1st Sync) for
                 this parameter.
-Mode            Specifies the configuration mode:
                 - by_profile - Configure as defined in the cluster Profile.
                 - override - Configure the settings here. In this case, specify the
                   "-TopologyType".
-TopologyType    Specifies the interface topology:
                 - external - Leads out to the Internet.
                 - internal - Leads to the local network.
-DMZAccess       Specifies whether this interface leads to the DMZ (true), or not (false).


-InternalIP      Specifies the network behind an internal interface:
                 - not_defined - Network is not defined.
                 - this - Network is defined by the IP address and net mask of this interface.
                 - specific - Network is defined by the value of the "-AllowedGroup".
-AntiSpoof       Specifies whether to perform Anti-Spoofing:
                 - true - Perform Anti-Spoofing based on the interface topology. In this case,
                   optionally use the "-AllowedGroup" and "-SpoofTrack".
                 - false - Do not perform Anti-Spoofing. If the interface is internal, and the IP
                   addresses behind the interface are not defined, Anti-Spoofing is not possible.
-AllowedGroup    If Anti-Spoofing is performed, specifies the Network Group object from which
                 packets are not checked.
                 - If "-TopologyType=external", this parameter defines a group from which
                   packets are not checked if Anti-Spoofing is performed.
                 - If "-TopologyType=internal", this parameter explicitly defines the networks
                   behind the internal interface.
-SpoofTrack      If Anti-Spoofing is performed, specifies the tracking action when spoofing is
                 detected:
                 - none - No action
                 - log - Generate a log
                 - alert - Show an alert popup
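
The parameters above depend on each other in ways the syntax line only hints at: "-Mode=override" needs a "-TopologyType", "-InternalIP=specific" takes its network from "-AllowedGroup", and an internal interface whose network is not defined cannot be anti-spoofed. The shell function below is an added example, not part of the Check Point guide or of LSMcli: it checks those dependencies before anything is sent to the management server, warns when an override turns Anti-Spoofing off, and prints only the action part of the command line (the caller prepends "LSMcli <Mgmt Server> <Username> <Password>"). The cluster, interface and group names in the sample call are constructed.

```shell
#!/bin/sh
# Added example: build and sanity-check the argument list for
# "ModifyROBONetaccess VPN1Cluster" from the dependencies stated in its
# parameter table. LSMcli itself is never invoked here.

# build_netaccess CLUSTER INTERFACE OPTION...: print the action part of the
# command line, or fail with a reason on stderr.
build_netaccess() {
    cluster=$1; iface=$2; shift 2
    mode=; topo=; dmz=; intip=; group=; aspoof=; track=
    for opt in "$@"; do
        case "$opt" in
            -Mode=by_profile|-Mode=override)                                mode=${opt#*=} ;;
            -TopologyType=external|-TopologyType=internal)                  topo=${opt#*=} ;;
            -DMZAccess=true|-DMZAccess=false)                               dmz=${opt#*=} ;;
            -InternalIP=not_defined|-InternalIP=this|-InternalIP=specific)  intip=${opt#*=} ;;
            -AllowedGroup=?*)                                               group=${opt#*=} ;;
            -AntiSpoof=true|-AntiSpoof=false)                               aspoof=${opt#*=} ;;
            -SpoofTrack=none|-SpoofTrack=log|-SpoofTrack=alert)             track=${opt#*=} ;;
            *) echo "unknown or malformed option: $opt" >&2; return 1 ;;
        esac
    done
    [ -n "$mode" ] || { echo "-Mode is required" >&2; return 1; }
    # override mode must say which way the interface faces
    if [ "$mode" = override ] && [ -z "$topo" ]; then
        echo "-Mode=override requires -TopologyType" >&2; return 1
    fi
    # -InternalIP=specific is defined by the value of -AllowedGroup
    if [ "$intip" = specific ] && [ -z "$group" ]; then
        echo "-InternalIP=specific requires -AllowedGroup" >&2; return 1
    fi
    # an internal interface with no defined network cannot be anti-spoofed
    if [ "$topo" = internal ] && [ "$intip" = not_defined ] && [ "$aspoof" = true ]; then
        echo "Anti-Spoofing needs the network behind an internal interface (-InternalIP=this or specific)" >&2
        return 1
    fi
    # not an error, but worth a line in the change record
    if [ "$aspoof" = false ]; then
        echo "warning: Anti-Spoofing disabled on $cluster/$iface" >&2
    fi
    out="ModifyROBONetaccess VPN1Cluster $cluster $iface -Mode=$mode"
    [ -n "$topo" ]   && out="$out -TopologyType=$topo"
    [ -n "$dmz" ]    && out="$out -DMZAccess=$dmz"
    [ -n "$intip" ]  && out="$out -InternalIP=$intip"
    [ -n "$aspoof" ] && out="$out -AntiSpoof=$aspoof"
    [ -n "$group" ]  && out="$out -AllowedGroup=$group"
    [ -n "$track" ]  && out="$out -SpoofTrack=$track"
    printf '%s\n' "$out"
}

# Constructed sample call (names are made up):
#   build_netaccess Paris_Cluster eth1 -Mode=override -TopologyType=internal \
#       -InternalIP=specific -AllowedGroup=Paris_LAN -AntiSpoof=true -SpoofTrack=log
```

The function emits "-AllowedGroup" once, after "-AntiSpoof", which satisfies both positions the syntax line allows for it.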

LSMcli AddClusterSubnetOverride VPN1Cluster


Description
These settings in SmartLSM cluster objects get default values from their Profiles:
- Names of cluster member interfaces
- IP addresses of cluster member interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual
SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard,
or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is a set override value, and you want to change it, then use only the
  "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 853 command.
- If the override value you want to set is not defined (except at the Profile level),
  because it was never defined or because it was deleted, then use only this
  "AddClusterSubnetOverride" command.
- To cancel a value and return to the value set by the Profile, use the "LSMcli
  DeleteClusterSubnetOverride VPN1Cluster" on page 855 command.
- To define overrides for a private (monitored or non-monitored) interface, use
  one of these commands:
  - "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 857
  - "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 859
  - "LSMcli DeletePrivateSubnetOverride VPN1ClusterMember" on page 861

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddClusterSubnetOverride VPN1Cluster
<ROBOClusterName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]
[-CIP=<ClusterIPAddress> -CNetMask=<ClusterNetMask>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"
- "-CIP" and "-CNetMask"

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<ROBOClusterName>  Name of the SmartLSM cluster.
<InterfaceName>    Name of the cluster (virtual) interface, as defined in the Profile topology.
                   Use the name of the cluster interface even if you set values for the cluster
                   members' interfaces.
                   If the cluster interface's Network Objective (as defined in the Profile topology)
                   is Sync only (and not Cluster+Sync), there is no cluster interface, only a cluster
                   member interface. In this case, use the Network Objective (for example, 1st Sync)
                   for this parameter.
-IName             New name of the interface for cluster members. The name must match the name
                   defined in the operating system of the cluster members.
-MNet              New network address for cluster members. This address, together with the host
                   parts defined in the Profile, produces complete IP addresses.
-CIP               New IP address for the cluster (virtual) interface.
-CNetMask          Net mask for the cluster (virtual) interface.

LSMcli ModifyClusterSubnetOverride VPN1Cluster


Description
These settings in SmartLSM cluster objects get default values from their Profiles:
- Names of cluster member interfaces
- IP addresses of cluster member interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual
SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard,
or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is a set override value, and you want to change it, then use only this
  "ModifyClusterSubnetOverride" command.
- If the override value you want to set is not defined (except at the Profile level),
  because it was never defined or because it was deleted, then use only the
  "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 851 command.
- To cancel a value and return to the value set by the Profile, use the "LSMcli
  DeleteClusterSubnetOverride VPN1Cluster" on page 855 command.
- To define overrides for a private (monitored or non-monitored) interface, use
  one of these commands:
  - "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 857
  - "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 859
  - "LSMcli DeletePrivateSubnetOverride VPN1ClusterMember" on page 861

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyClusterSubnetOverride VPN1Cluster
<ROBOClusterName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]
[-CIP=<ClusterIPAddress> -CNetMask=<ClusterNetMask>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"
- "-CIP" and "-CNetMask"

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<ROBOClusterName>  Name of the SmartLSM cluster.
<InterfaceName>    Name of the cluster (virtual) interface, as defined in the Profile topology.
                   Use the name of the cluster interface even if you set values for the cluster
                   members' interfaces.
                   If the cluster interface's Network Objective (as defined in the Profile topology)
                   is Sync only (and not Cluster+Sync), there is no cluster interface, only a cluster
                   member interface. In this case, use the Network Objective (for example, 1st Sync)
                   for this parameter.
-IName             New name of the interface for cluster members. The name must match the name
                   defined in the operating system of the cluster members.
-MNet              New network address for cluster members. This address, together with the host
                   parts defined in the Profile, produces complete IP addresses.
-CIP               New IP address for the cluster (virtual) interface.
-CNetMask          Net mask for the cluster (virtual) interface.

LSMcli DeleteClusterSubnetOverride VPN1Cluster


Description
These settings in SmartLSM cluster objects get default values from their Profiles:
- Names of cluster member interfaces
- IP addresses of cluster member interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual
SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard,
or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is a set override value, and you want to change it, then use only the
  "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 853 command.
- If the override value you want to set is not defined (except at the Profile level),
  because it was never defined or because it was deleted, then use only the
  "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 851 command.
- To cancel a value and return to the value set by the Profile, use this
  "DeleteClusterSubnetOverride" command.
- To define overrides for a private (monitored or non-monitored) interface, use
  one of these commands:
  - "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 857
  - "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 859
  - "LSMcli DeletePrivateSubnetOverride VPN1ClusterMember" on page 861

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> DeleteClusterSubnetOverride VPN1Cluster
<ROBOClusterName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]
[-CIP=<ClusterIPAddress> -CNetMask=<ClusterNetMask>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"
- "-CIP" and "-CNetMask"

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<ROBOClusterName>  Name of the SmartLSM cluster.
<InterfaceName>    Name of the cluster (virtual) interface, as defined in the Profile topology.
                   Use the name of the cluster interface even if you set values for the cluster
                   members' interfaces.
                   If the cluster interface's Network Objective (as defined in the Profile topology)
                   is Sync only (and not Cluster+Sync), there is no cluster interface, only a cluster
                   member interface. In this case, use the Network Objective (for example, 1st Sync)
                   for this parameter.
-IName             New name of the interface for cluster members. The name must match the name
                   defined in the operating system of the cluster members.
-MNet              New network address for cluster members. This address, together with the host
                   parts defined in the Profile, produces complete IP addresses.
-CIP               New IP address for the cluster (virtual) interface.
-CNetMask          Net mask for the cluster (virtual) interface.

LSMcli AddPrivateSubnetOverride VPN1ClusterMember


Description
These settings in SmartLSM cluster objects get default values from their Profiles:
- Names of cluster member monitored interfaces or non-monitored interfaces
- IP addresses of cluster member monitored interfaces or non-monitored interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual
SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard,
or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is a set override value, and you want to change it, then use only the
  "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 859 command.
- If the override value you want to set is not defined (except at the Profile level),
  because it was never defined or because it was deleted, then use only this
  "AddPrivateSubnetOverride" command.
- To cancel a value and return to the value set by the Profile, use the "LSMcli
  DeletePrivateSubnetOverride VPN1ClusterMember" on page 861 command.
- To define overrides for a cluster interface, use one of these commands:
  - "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 851
  - "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 853
  - "LSMcli DeleteClusterSubnetOverride VPN1Cluster" on page 855

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddPrivateSubnetOverride VPN1ClusterMember
<ROBOMemberName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"

Parameters

Parameter         Description
<Mgmt Server>     Name or IP address of the Security Management Server or Domain Management Server.
<Username>        User name of standard Check Point authentication method.
<Password>        Password of standard Check Point authentication method.
<ROBOMemberName>  Name of the SmartLSM cluster member.
<InterfaceName>   Name of the cluster member private interface, as defined in the Profile topology.
-IName            New name of the interface for cluster members. The name must match the name
                  defined in the operating system of the cluster members.
-MNet             New network address for cluster members. This address, together with the host
                  parts defined in the Profile, produces complete IP addresses.

LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember


Description
These settings in SmartLSM cluster objects get default values from their Profiles:
- Names of cluster member monitored interfaces or non-monitored interfaces
- IP addresses of cluster member monitored interfaces or non-monitored interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual
SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard,
or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is a set override value, and you want to change it, then use only this
  "ModifyPrivateSubnetOverride" command.
- If the override value you want to set is not defined (except at the Profile level),
  because it was never defined or because it was deleted, then use only the
  "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 857 command.
- To cancel a value and return to the value set by the Profile, use the "LSMcli
  DeletePrivateSubnetOverride VPN1ClusterMember" on page 861 command.
- To define overrides for a cluster interface, use one of these commands:
  - "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 851
  - "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 853
  - "LSMcli DeleteClusterSubnetOverride VPN1Cluster" on page 855

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyPrivateSubnetOverride VPN1ClusterMember
<ROBOMemberName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"

Parameters

Parameter         Description
<Mgmt Server>     Name or IP address of the Security Management Server or Domain Management Server.
<Username>        User name of standard Check Point authentication method.
<Password>        Password of standard Check Point authentication method.
<ROBOMemberName>  Name of the SmartLSM cluster member.
<InterfaceName>   Name of the cluster member private interface, as defined in the Profile topology.
-IName            New name of the interface for cluster members. The name must match the name
                  defined in the operating system of the cluster members.
-MNet             New network address for cluster members. This address, together with the host
                  parts defined in the Profile, produces complete IP addresses.

LSMcli DeletePrivateSubnetOverride VPN1ClusterMember


Description
These settings in SmartLSM cluster objects get default values from their Profiles:
- Names of cluster member monitored interfaces or non-monitored interfaces
- IP addresses of cluster member monitored interfaces or non-monitored interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual
SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard,
or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is a set override value, and you want to change it, then use only the
  "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 859 command.
- If the override value you want to set is not defined (except at the Profile level),
  because it was never defined or because it was deleted, then use only the
  "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 857 command.
- To cancel a value and return to the value set by the Profile, use this
  "DeletePrivateSubnetOverride" command.
- To define overrides for a cluster interface, use one of these commands:
  - "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 851
  - "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 853
  - "LSMcli DeleteClusterSubnetOverride VPN1Cluster" on page 855

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> DeletePrivateSubnetOverride VPN1ClusterMember
<ROBOMemberName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"

Parameters

Parameter         Description
<Mgmt Server>     Name or IP address of the Security Management Server or Domain Management Server.
<Username>        User name of standard Check Point authentication method.
<Password>        Password of standard Check Point authentication method.
<ROBOMemberName>  Name of the SmartLSM cluster member.
<InterfaceName>   Name of the cluster member private interface, as defined in the Profile topology.
-IName            New name of the interface for cluster members. The name must match the name
                  defined in the operating system of the cluster members.
-MNet             New network address for cluster members. This address, together with the host
                  parts defined in the Profile, produces complete IP addresses.
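
The six subnet-override commands (Add/Modify/Delete ClusterSubnetOverride VPN1Cluster, and Add/Modify/Delete PrivateSubnetOverride VPN1ClusterMember) share one argument shape and one rule set: at least one override value must be given, "-CIP" and "-CNetMask" only make sense together, and a cluster member's private interface has no virtual address, so those two options exist only in the VPN1Cluster form. The shell function below is an added example, not part of the Check Point guide or of LSMcli; it serves all six commands, enforces those rules, and prints only the action part of the command line (the caller prepends "LSMcli <Mgmt Server> <Username> <Password>"). The values themselves are passed through unchecked. The cluster, member and interface names in the sample calls are constructed.

```shell
#!/bin/sh
# Added example: one builder for the Add/Modify/Delete subnet-override
# commands, enforcing the "at least one of" and "-CIP with -CNetMask" rules
# from their syntax sections. LSMcli itself is never invoked here.

# build_subnet_override ACTION TARGET OBJECT INTERFACE [-IName=..] [-MNet=..] [-CIP=.. -CNetMask=..]
#   ACTION  Add | Modify | Delete
#   TARGET  cluster -> <Action>ClusterSubnetOverride VPN1Cluster (OBJECT is the ROBO cluster name)
#           member  -> <Action>PrivateSubnetOverride VPN1ClusterMember (OBJECT is the ROBO member name)
# Prints the action part of the command line, or fails with a reason on stderr.
build_subnet_override() {
    action=$1; target=$2; object=$3; iface=$4; shift 4
    case "$action" in
        Add|Modify|Delete) ;;
        *) echo "action must be Add, Modify or Delete" >&2; return 1 ;;
    esac
    case "$target" in
        cluster) cmd="${action}ClusterSubnetOverride VPN1Cluster" ;;
        member)  cmd="${action}PrivateSubnetOverride VPN1ClusterMember" ;;
        *) echo "target must be cluster or member" >&2; return 1 ;;
    esac
    iname=; mnet=; cip=; cmask=
    for opt in "$@"; do
        case "$opt" in
            -IName=?*)    iname=$opt ;;
            -MNet=?*)     mnet=$opt ;;
            -CIP=?*)      cip=$opt ;;
            -CNetMask=?*) cmask=$opt ;;
            *) echo "unknown or empty option: $opt" >&2; return 1 ;;
        esac
    done
    # a cluster member's private interface has no cluster (virtual) address
    if [ "$target" = member ] && [ -n "$cip$cmask" ]; then
        echo "-CIP and -CNetMask apply only to cluster (virtual) interfaces" >&2; return 1
    fi
    # -CIP and -CNetMask are a pair
    if [ -n "$cip$cmask" ] && { [ -z "$cip" ] || [ -z "$cmask" ]; }; then
        echo "-CIP and -CNetMask must be given together" >&2; return 1
    fi
    # at least one override value is required
    if [ -z "$iname$mnet$cip" ]; then
        echo "specify at least one of -IName, -MNet, or -CIP with -CNetMask" >&2; return 1
    fi
    out="$cmd $object $iface"
    for opt in "$iname" "$mnet" "$cip" "$cmask"; do
        [ -n "$opt" ] && out="$out $opt"
    done
    printf '%s\n' "$out"
}

# Constructed sample calls (names and addresses are made up):
#   build_subnet_override Add cluster Paris_Cluster eth1 -MNet=10.20.30.0 -CIP=10.20.30.1 -CNetMask=255.255.255.0
#   build_subnet_override Modify member Paris_Cluster_M1 eth2 -IName=eth3
```

Options are emitted in the fixed order -IName, -MNet, -CIP, -CNetMask regardless of the order given, which keeps the generated command lines easy to compare in a change log.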

LSMcli RemoveCluster
Description
This command:
1. Revokes all the certificates used by the SmartLSM cluster and its members.
2. Releases all the licenses.
3. Deletes the SmartLSM cluster and member objects.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> RemoveCluster <ROBOClusterName>

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<ROBOClusterName>  Name of the SmartLSM Cluster.

Using LSMcli Commands for Small Office Appliances
This section describes LSMcli commands for managing Small Office Appliances and Small Office
Appliance Clusters.

LSMcli AddROBO <Appliance_Model>


Description
This command adds a Small Office Appliance Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBO <Appliance_Model> <ROBOName> <Profile>
[-O=<ActivationKey> [-I=<IP>]] [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]

Parameters

Parameter                 Description
<Mgmt Server>             Name or IP address of the Security Management Server or Domain Management
                          Server.
<Username>                User name of standard Check Point authentication method.
<Password>                Password of standard Check Point authentication method.
<Appliance_Model>         Model of appliance:
                          - For 1100 appliances, enter: CPSG80
                          - For 1200R appliances, enter: 1200R
                          - For 1430 or 1450 appliances, enter: 1430/1450
                          - For 1470 or 1490 appliances, enter: 1470/1490
<ROBOName>                Name of a SmartLSM Security Gateway.
<Profile>                 Name of a SmartLSM Security Profile that was defined in SmartConsole.
<ActivationKey>           SIC one-time password (for this action, a certificate is generated).
<IP>                      IP address of the gateway (for this action, a certificate is pushed to the
                          gateway).
<CaName>                  Name of the Trusted CA object (created from SmartConsole). The IKE
                          certificate request is sent to this CA. Default is the Check Point Internal CA.
<CertificateIdentifier#>  Key identifier for a third-party CA.
<AuthorizationKey>        Authorization Key for a third-party CA.

Examples
- To add a 1100 appliance Security Gateway:

  LSMcli 192.168.3.26 aa aaaa AddROBO CPSG80 Paris_GW small_office_profile

- To add a 1470/1490 appliance Security Gateway:

  LSMcli 192.168.3.26 aa aaaa AddROBO 1470/1490 Paris_GW small_office_profile

LSMcli AddROBO <Appliance_Model>Cluster


Description
This command adds a Small Office Appliance Cluster.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBO <Appliance_Model>Cluster <Profile> <MainIPAddress> <SuffixName> [-S=<SubstitutedNamePart>] [-CA=<CaName> [-R=<KeyIdentifier#>] [-KEY=<AuthorizationCode>]]

Parameters

Parameter                  Description

<Mgmt Server>              Name or IP address of the Security Management Server or Domain
                           Management Server.

<Username>                 User name of standard Check Point authentication method.

<Password>                 Password of standard Check Point authentication method.

<Appliance_Model>Cluster   Model of appliance:
                           - For 1100 appliances, enter: CPSG80Cluster
                           - For 1200R appliances, enter: 1200RCluster
                           - For 1430 or 1450 appliances, enter: 1430/1450Cluster
                           - For 1470 or 1490 appliances, enter: 1470/1490Cluster

<Profile>                  Name of cluster Profile to which to map the new cluster.

<MainIPAddress>            Main IP address of cluster.

<SuffixName>               A suffix to be added to cluster and member Profile names.

<SubstitutedNamePart>      A part of the Profile name to be replaced by the suffix in the previous
                           field.

<CaName>                   The name of the Trusted CA object, defined in SmartConsole, to which a
                           VPN certificate request is sent.

<KeyIdentifier#>           Number to identify the specific certificate, once generated.

<AuthorizationCode>        Authorization Key to be sent to CA to enable certificate retrieval.


Example
To add a 1450 cluster:

  LSMcli 192.168.3.26 aa aaaa AddROBO 1430/1450Cluster cluster_profile 1.1.1.1 Paris

Other LSMcli Commands for Small Office Appliances


- For all other commands on Small Office Appliance Gateways, replace "VPN1" with "CPSG80", for all
  appliance types.

  For example, change the profile (see "LSMcli ModifyROBO VPN1" on page 805):

  - For a 1100 Security Gateway:

    LSMcli 192.168.3.26 aa aaaa ModifyROBO CPSG80 Paris_GW -P=second_small_office_profile

  - For a 1200R Security Gateway:

    LSMcli 192.168.3.26 aa aaaa ModifyROBO CPSG80 Paris_GW -P=second_small_office_profile

- For all other commands on Small Office Appliance clusters, replace "VPN1Cluster" with
  "CPSG80Cluster", for all appliance types (for example, in "LSMcli ModifyROBO VPN1Cluster" on
  page 847).

Security Gateway Commands

For more information about Security Gateway, see the:
- R80.40 Security Management Administration Guide
- R80.40 Next Generation Security Gateway Guide

comp_init_policy
Description
Generates, loads, or removes the Initial Policy on a Security Gateway, or a Cluster Member.
Until the Security Gateway or cluster administrator installs the user-defined Security Policy on the Security
Gateway or Cluster Members for the first time, security is enforced by an Initial Policy.
The Initial Policy operates by adding "implied rules" to the Default Filter.
These rules forbid most of the communication, but allow the communication needed for the installation of
the Security Policy.
The Initial Policy also protects a Security Gateway or Cluster Members in these cases:
- During Check Point product upgrades
- When a SIC certificate is reset on the Security Gateway or Cluster Member
- When a Check Point product license expires
The Initial Policy is enforced until a policy is installed, and is never loaded again. In subsequent boots, the
regular policy is loaded immediately after the Default Filter.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Notes:
- You must run this command from the Expert mode.
- The Initial Policy overwrites the user-defined policy.
- Output of the "cpstat -f policy fw" command (see "cpstat" on page 912) shows the name of this
  policy as "InitialPolicy".
- Security Gateway, or Cluster Member stores the installed Access Control Policy in these directories:
  - $FWDIR/state/__tmp/FW1/
  - $FWDIR/state/local/FW1/
  - $FWDIR/state/<Name of Cluster Object>/FW1/
- Refer to these related commands:
  - "control_bootsec" on page 874
  - "fwboot bootconf" on page 1111
  - "fw defaultgen" on page 996
  - "fwboot default" on page 1125


Syntax

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-u | -U]

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-g | -G]

Parameters

Parameter       Description

No Parameters   The command runs with the last used parameter.

-u              Performs these steps:
-U              1. Removes the attribute :InitialPolicySafe (true) from the ": (FW1" section in the
                   Check Point Registry file ($CPDIR/registry/HKLM_registry.data).
                2. Removes the policy files from the $FWDIR/state/local/FW1/ directory.

-g              Performs these steps:
-G              1. Removes the attribute :InitialPolicySafe (true) from the ": (FW1" section in the
                   Check Point Registry file ($CPDIR/registry/HKLM_registry.data).
                2. Generates the Initial Policy in the $FWDIR/state/local/FW1/ directory.

                You can use this parameter, if there is no Initial Policy generated.
                If an Initial Policy was already generated, make sure that after removing the Initial
                Policy, you delete the $FWDIR/state/local/FW1/ directory on the Security Gateway,
                or Cluster Member.
                This parameter generates the Initial Policy and ensures that the Security Gateway loads
                it the next time it fetches a policy (at "cpstart", at next boot, or with the
                "fw fetch localhost" command).
                The "comp_init_policy -g" command only works, if currently there is no policy
                installed on the Security Gateway, or Cluster Member.
                If you run one of these pairs of commands, the original policy is still loaded:
                - comp_init_policy -g
                  fw fetch localhost
                - comp_init_policy -g
                  cpstart
                - comp_init_policy -g
                  reboot


Example

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.40/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 7744
-rw-r--r-- 1 admin root 20166 Jun 13 16:34 install_policy_report.txt
-rw-r--r-- 1 admin root 55 Jun 13 16:34 install_policy_report_timing.txt
-rw-r--r-- 1 admin root 37355 Jun 13 16:34 local.Sandbox-persistence.xml
... output was cut for brevity ...
-rw-r--r-- 1 admin root 2278 Jun 13 16:34 local.vsx_cluster_netobj
-rw-r--r-- 1 admin root 5172 Jun 13 16:34 local.{939922F7-DF98-4988-B776-B70B9B8340F3}
-rw-r--r-- 1 admin root 10328 Jun 13 16:34 local.{B9D14722-3936-4B33-814B-F87EA4062BEB}
-rw-r----- 1 admin root 14743 Jun 13 16:34 manifest.C
-rw-r--r-- 1 admin root 7381 Jun 13 16:34 policy.info
-rw-r--r-- 1 admin root 2736 Jun 13 16:34 policy.map
-rw-r--r-- 1 admin root 51 Jun 13 16:34 sig.map
[Expert@GW:0]#

[Expert@GW:0]# comp_init_policy -u
erasing local state..
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#

[Expert@GW:0]# comp_init_policy -g
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root 8 Jul 19 19:51 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 19:51 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 19:51 local.fc6
-rw-rw---- 1 admin root 235 Jul 19 19:51 local.ft
-rw-rw---- 1 admin root 317 Jul 19 19:51 local.ft6
-rw-rw---- 1 admin root 135 Jul 19 19:51 local.fwrl.conf
-rw-rw---- 1 admin root 14 Jul 19 19:51 local.ifs
-rw-rw---- 1 admin root 833 Jul 19 19:51 local.inspect.lf
-rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg
-rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg6
-rw-rw---- 1 admin root 0 Jul 19 19:51 local.magic
-rw-rw---- 1 admin root 3 Jul 19 19:51 local.set
-rw-rw---- 1 admin root 51 Jul 19 19:51 sig.map
[Expert@GW:0]#

control_bootsec
Description
Controls the boot security - loading of both the Default Filter policy (defaultfilter) and the Initial
Policy (InitialPolicy) during boot on a Security Gateway, or a Cluster Member.

Warning - If you disable the boot security, you leave your Security Gateway, or a
Cluster Member without any protection during the boot. Before you disable the boot
security, we recommend to disconnect your Security Gateway, or a Cluster Member
from the network completely.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Notes:
- You must run this command from the Expert mode.
- The changes made with this command survive reboot.
- Refer to these related commands:
  - comp_init_policy
  - fwboot bootconf
  - fw defaultgen
  - fwboot default

Syntax

[Expert@GW:0]# $FWDIR/bin/control_bootsec [-g | -G]

[Expert@GW:0]# $FWDIR/bin/control_bootsec {-r | -R}


Parameters

Parameter      Description

No Parameter   Enables the boot security:
-g             1. Executes the "$FWDIR/boot/fwboot bootconf set_def $FWDIR/boot/default.bin"
-G                command that updates the path to the Default Filter policy in the
                  $FWDIR/boot/boot.conf file to point to the correct policy file
                  (DEFAULT_FILTER_PATH /etc/fw.boot/default.bin).
               2. Executes the "$FWDIR/bin/comp_init_policy -g" command that:
                  a. Removes the attribute ":InitialPolicySafe (true)" from the section ": (FW1"
                     in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file).
                  b. Generates the Initial Policy files in the $FWDIR/state/local/FW1/ directory.

-r             Disables the boot security:
-R             1. Executes the "$FWDIR/boot/fwboot bootconf set_def" command that updates the
                  path to the Default Filter policy in the $FWDIR/boot/boot.conf file to point
                  nowhere (DEFAULT_FILTER_PATH 0).
               2. Executes the "$FWDIR/bin/comp_init_policy -u" command that:
                  a. Adds the attribute ":InitialPolicySafe (true)" to the section ": (FW1" in the
                     Check Point Registry (the $CPDIR/registry/HKLM_registry.data file).
                  b. Deletes all files in the $FWDIR/state/local/FW1/ directory.


Example 1 - Disabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.40/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 7736
-rw-rw---- 1 admin root 11085 Jul 19 20:16 install_policy_report.txt
-rw-rw---- 1 admin root 56 Jul 19 20:16 install_policy_report_timing.txt
-rw-rw---- 1 admin root 37355 Jul 19 20:16 local.Sandbox-persistence.xml
-rw-rw---- 1 admin root 3 Jul 19 20:16 local.ad_query_profiles
... ... ...
-rw-r----- 1 admin root 14743 Jul 19 20:16 manifest.C
-rw-rw---- 1 admin root 7381 Jul 19 20:16 policy.info
-rw-rw---- 1 admin root 2736 Jul 19 20:16 policy.map
-rw-rw---- 1 admin root 51 Jul 19 20:16 sig.map
[Expert@GW:0]#

[Expert@GW:0]# $FWDIR/bin/control_bootsec -r
Disabling boot security
FW-1 will not load a default filter on boot
[Expert@GW:0]#

[Expert@GW:0]# cat $FWDIR/boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@GW:0]#

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data
:InitialPolicySafe (true)
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#


Example 2 - Enabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.40/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# control_bootsec -g
Enabling boot security
[Expert@GW:0]#

[Expert@GW:0]# cat $FWDIR/boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH /opt/CPsuite-R80.40/fw1/boot/default.bin
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@GW:0]#

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root 8 Jul 19 20:22 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 20:22 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 20:22 local.fc6
-rw-rw---- 1 admin root 235 Jul 19 20:22 local.ft
-rw-rw---- 1 admin root 317 Jul 19 20:22 local.ft6
-rw-rw---- 1 admin root 135 Jul 19 20:22 local.fwrl.conf
-rw-rw---- 1 admin root 14 Jul 19 20:22 local.ifs
-rw-rw---- 1 admin root 833 Jul 19 20:22 local.inspect.lf
-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg
-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg6
-rw-rw---- 1 admin root 0 Jul 19 20:22 local.magic
-rw-rw---- 1 admin root 3 Jul 19 20:22 local.set
-rw-rw---- 1 admin root 51 Jul 19 20:22 sig.map
[Expert@GW:0]#
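The following script is an added example and is not part of the Check Point guide. It audits the boot-security state that control_bootsec and comp_init_policy manipulate by reading the same three artifacts the two examples above display: the DEFAULT_FILTER_PATH line in boot.conf, the ":InitialPolicySafe (true)" attribute in HKLM_registry.data, and the contents of the $FWDIR/state/local/FW1/ directory. The function names and the ENABLED / DISABLED / INCONSISTENT classification are the example's own, not Check Point's, and the fixture files it writes are constructed to mirror Example 1 and Example 2.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: audit the boot-security state of a
# Security Gateway from the artifacts that control_bootsec and comp_init_policy modify.
# On a real gateway, call it as:
#   audit_boot_security "$FWDIR/boot/boot.conf" \
#       "$CPDIR/registry/HKLM_registry.data" "$FWDIR/state/local/FW1"
# The fixture files written by make_fixtures are constructed for offline use.

# Print the value of KEY ($2) from a boot.conf file ($1); empty if the key is absent.
bootconf_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Succeed (status 0) when the registry file ($1) carries ":InitialPolicySafe (true)",
# the marker that comp_init_policy -u leaves behind; fail otherwise (also when missing).
initial_policy_safe() {
    grep -q '^[[:space:]]*:InitialPolicySafe (true)' "$1" 2>/dev/null
}

# Number of files in the local policy state directory ($1); 0 when it does not exist.
policy_file_count() {
    if [ -d "$1" ]; then ls -A "$1" | wc -l | tr -d ' '; else echo 0; fi
}

# Classify boot security as ENABLED, DISABLED or INCONSISTENT (example's own labels).
# ENABLED  : DEFAULT_FILTER_PATH points at a file and InitialPolicySafe is not set
# DISABLED : DEFAULT_FILTER_PATH is 0 and InitialPolicySafe is set (control_bootsec -r)
# Anything else means the two settings disagree, e.g. boot.conf was edited by hand.
audit_boot_security() {   # $1 boot.conf  $2 registry file  $3 state dir (reported only)
    dfp=$(bootconf_get "$1" DEFAULT_FILTER_PATH)
    [ -n "$dfp" ] || dfp=0
    if initial_policy_safe "$2"; then safe=yes; else safe=no; fi
    if [ "$dfp" = 0 ] && [ "$safe" = yes ]; then
        echo DISABLED
    elif [ "$dfp" != 0 ] && [ "$safe" = no ]; then
        echo ENABLED
    else
        echo INCONSISTENT
    fi
}

# Human-readable summary, including the CoreXL instance counts kept in the same file.
report_boot_security() {   # same arguments as audit_boot_security
    echo "boot security      : $(audit_boot_security "$1" "$2" "$3")"
    echo "default filter path: $(bootconf_get "$1" DEFAULT_FILTER_PATH)"
    echo "IPv4 CoreXL inst.  : $(bootconf_get "$1" KERN_INSTANCE_NUM)"
    echo "IPv6 CoreXL inst.  : $(bootconf_get "$1" KERN6_INSTANCE_NUM)"
    echo "policy files       : $(policy_file_count "$3")"
}

# Constructed fixtures under $1/enabled and $1/disabled, modelled on Examples 2 and 1.
make_fixtures() {
    for s in enabled disabled; do mkdir -p "$1/$s/FW1"; done
    printf 'CTL_IPFORWARDING 1\nDEFAULT_FILTER_PATH /opt/CPsuite-R80.40/fw1/boot/default.bin\nKERN_INSTANCE_NUM 3\nCOREXL_INSTALLED 1\nKERN6_INSTANCE_NUM 2\nIPV6_INSTALLED 0\n' > "$1/enabled/boot.conf"
    printf '(\n)\n' > "$1/enabled/HKLM_registry.data"   # constructed: no InitialPolicySafe marker
    : > "$1/enabled/FW1/local.fc"                         # one generated policy file
    printf 'CTL_IPFORWARDING 1\nDEFAULT_FILTER_PATH 0\nKERN_INSTANCE_NUM 3\nCOREXL_INSTALLED 1\nKERN6_INSTANCE_NUM 2\nIPV6_INSTALLED 0\n' > "$1/disabled/boot.conf"
    printf '(\n\t:InitialPolicySafe (true)\n)\n' > "$1/disabled/HKLM_registry.data"
}

demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
for s in enabled disabled; do
    echo "== fixture: $s"
    report_boot_security "$demo_dir/$s/boot.conf" "$demo_dir/$s/HKLM_registry.data" "$demo_dir/$s/FW1"
done
rm -rf "$demo_dir"
```

An INCONSISTENT result is the one to investigate before the next reboot: a boot.conf that points nowhere while the registry does not carry the InitialPolicySafe marker (or the reverse) means the gateway will either come up without a Default Filter or try to load a policy directory that control_bootsec -r has already emptied.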

cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
      -h
      admin <options>
      auto <options>
      ca <options>
      client <options>
      finger <options>
      lic <options>
      snmp <options>

Syntax on a Security Gateway

cp_conf
      -h
      adv_routing <options>
      auto <options>
      corexl <options>
      fullha <options>
      ha <options>
      intfs <options>
      lic <options>
      sic <options>
      snmp <options>


Parameters

Parameter                Description

-h                       Shows the entire built-in usage.

admin <options>          Configures Check Point system administrators for the Security Management
                         Server.
                         See "cp_conf admin" on page 88.

adv_routing <options>    Enables or disables the Advanced Routing feature on this Security Gateway.
                         Important - Do not use these outdated commands. To configure Advanced
                         Routing, see the R80.40 Gaia Advanced Routing Administration Guide.

auto <options>           Shows and configures the automatic start of Check Point products during boot.
                         See "cp_conf auto" on page 91.

ca <options>             - Configures the Certificate Authority's (CA) Fully Qualified Domain Name
                           (FQDN).
                         - Initializes the Internal Certificate Authority (ICA).
                         See "cp_conf ca" on page 93.

client <options>         Configures the GUI clients that can use SmartConsole to connect to the
                         Security Management Server.
                         See "cp_conf client" on page 95.

corexl <options>         Enables or disables CoreXL on this Security Gateway.
                         See "cp_conf corexl" on page 883.

finger <options>         Shows the ICA's Fingerprint.
                         See "cp_conf finger" on page 99.

fullha <options>         Manages Full High Availability Cluster.
                         See "cp_conf fullha" on page 885.

ha <options>             Enables or disables cluster membership on this Security Gateway.
                         See "cp_conf ha" on page 886.

intfs <options>          Sets the topology of interfaces on a Security Gateway, which you manage with
                         SmartProvisioning.
                         See "cp_conf intfs" on page 887.

lic <options>            Manages Check Point licenses.
                         See "cp_conf lic" on page 101.

sic <options>            Manages SIC on this Security Gateway.
                         See "cp_conf sic" on page 890.

snmp <options>           Do not use these outdated commands.
                         To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter
                         System Management - Section SNMP.

cp_conf auto
Description
Shows and controls which of Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 133 menu.

Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain
Server in the "mdsconfig" on page 676 menu.

Syntax

cp_conf auto
      -h
      {enable | disable} <Product1> <Product2> ...
      get all

Parameters

Parameter                                      Description

-h                                             Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ...   Controls whether the installed Check Point products
                                               start automatically during boot.
                                               This command is for Check Point use only.

get all                                        Shows which of these Check Point products start
                                               automatically during boot:
                                               - Check Point Security Gateway
                                               - QoS (former FloodGate-1)
                                               - SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all


Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#


Example from a Security Gateway

[Expert@GW:0] cp_conf auto get all


The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed.

[Expert@GW:0]#

cp_conf corexl
Description
Enables or disables CoreXL.
For more information, see the R80.40 Performance Tuning Administration Guide.

Important:
- This command is for Check Point use only.
  To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on page 892 menu.
- After all changes in CoreXL configuration on the Security Gateway, you must reboot it.
- In Cluster, you must configure all the Cluster Members in the same way.

Syntax
- To enable CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall instances:

  cp_conf corexl [-v] enable [n] [-6 k]

- To disable CoreXL:

  cp_conf corexl [-v] disable

The related command is "fwboot corexl" on page 1116.

Parameters

Parameter   Description

-v          Leaves the high memory (vmalloc) unchanged.

n           Denotes the number of IPv4 CoreXL Firewall instances.

k           Denotes the number of IPv6 CoreXL Firewall instances.


Example
Currently, the Security Gateway runs two IPv4 CoreXL Firewall instances (KERN_INSTANCE_NUM = 2).
We change the number of IPv4 CoreXL Firewall instances to three.

[Expert@MyGW:0]# fw ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 2
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# cp_conf corexl -v enable 3
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# reboot
.. ... ...
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10
[Expert@MyGW:0]#
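The example above shows the window between "cp_conf corexl enable 3" and the reboot, during which boot.conf already says KERN_INSTANCE_NUM 3 while "fw ctl multik stat" still lists two instances. The following script is an added example, not part of the Check Point guide, that detects exactly that window by comparing the two sources; the function names are the example's own, and the sample "fw ctl multik stat" tables and boot.conf lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: detect a CoreXL change that is written
# to boot.conf (by "cp_conf corexl enable <n>") but not yet active because the gateway
# has not been rebooted. On a gateway:
#   fw ctl multik stat | corexl_pending_reboot "$FWDIR/boot/boot.conf"
# The sample tables below are constructed from the example above.

# Count instance rows marked active in "fw ctl multik stat" output read from stdin.
# Data rows look like "0 | Yes | 2 | 7 | 28"; the header and the dashed separator are skipped.
multik_active_count() {
    awk -F'|' '
        NF >= 5 && $1 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2)
            if ($2 == "Yes") n++
        }
        END { print n + 0 }'
}

# Configured IPv4 instance count (KERN_INSTANCE_NUM) from a boot.conf file ($1).
configured_instances() {
    awk '$1 == "KERN_INSTANCE_NUM" { print $2; exit }' "$1"
}

# Print "OK <n>" when the running and configured counts agree, otherwise
# "REBOOT-PENDING running=<r> configured=<c>" with exit status 1, so the check can
# gate an automated change window or feed a monitoring job.
corexl_pending_reboot() {   # $1 boot.conf; "fw ctl multik stat" output on stdin
    running=$(multik_active_count)
    configured=$(configured_instances "$1")
    if [ -n "$configured" ] && [ "$running" = "$configured" ]; then
        echo "OK $running"
    else
        echo "REBOOT-PENDING running=$running configured=$configured"
        return 1
    fi
}

# Constructed sample: boot.conf after "cp_conf corexl -v enable 3" ...
SAMPLE_BOOTCONF=$(mktemp)
printf 'DEFAULT_FILTER_PATH 0\nKERN_INSTANCE_NUM 3\nCOREXL_INSTALLED 1\nKERN6_INSTANCE_NUM 2\n' > "$SAMPLE_BOOTCONF"
# ... and "fw ctl multik stat" before and after the reboot.
STAT_BEFORE='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11'
STAT_AFTER='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10'

printf '%s\n' "$STAT_BEFORE" | corexl_pending_reboot "$SAMPLE_BOOTCONF" || true   # REBOOT-PENDING running=2 configured=3
printf '%s\n' "$STAT_AFTER"  | corexl_pending_reboot "$SAMPLE_BOOTCONF"           # OK 3
rm -f "$SAMPLE_BOOTCONF"
```

In a cluster, run the same check on every member: the "Important" note above requires identical CoreXL configuration on all of them, and a member that still reports REBOOT-PENDING after the others have rebooted is the one that will fail that requirement.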

cp_conf fullha
Description
Manages the state of the Full High Availability Cluster:
- Enables the Full High Availability Cluster
- Disables the Full High Availability Cluster
- Deletes the Full High Availability peer
- Shows the Full High Availability state

Important - To configure a Full High Availability cluster, follow the R80.40 Installation
and Upgrade Guide.

Syntax

cp_conf fullha
      enable
      del_peer
      disable
      state

Parameters

Parameter   Description

enable      Enables the Full High Availability on this computer.

del_peer    Deletes the Full High Availability peer from the configuration.

disable     Disables the Full High Availability on this computer.

state       Shows the Full High Availability state on this computer.

Example

[Expert@Cluster_Member:0]# cp_conf fullha state


FullHA is currently enabled
[Expert@Cluster_Member:0]#

cp_conf ha
Description
Enables or disables cluster membership on this Security Gateway.

Important - This command is for Check Point use only. To configure cluster
membership, you must use the "cpconfig" on page 892 command.
For more information, see the R80.40 ClusterXL Administration Guide.

Syntax

cp_conf ha {enable | disable} [norestart]

Parameters

Parameter   Description

enable      Enables cluster membership on this Security Gateway.
            This command is equivalent to the option Enable cluster membership for this
            gateway in the "cpconfig" on page 892 menu.

disable     Disables cluster membership on this Security Gateway.
            This command is equivalent to the option Disable cluster membership for this
            gateway in the "cpconfig" on page 892 menu.

norestart   Optional: Specifies to apply the configuration change without the restart of Check Point
            services. The new configuration takes effect only after reboot.

Example 1 - Enable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha enable norestart

Cluster membership for this gateway was enabled successfully


Important: This change will take effect after reboot.

[Expert@MyGW:0]#

Example 2 - Disable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha disable norestart


cpwd_admin:
Process CPHAMCSET process has been already terminated

Cluster membership for this gateway was disabled successfully


Important: This change will take effect after reboot.

[Expert@MyGW:0]#

cp_conf intfs
Description
Sets the topology of interfaces on a Security Gateway, which you manage with SmartProvisioning.
For more information, see the R80.40 SmartProvisioning Administration Guide.

Syntax

cp_conf intfs
      get
      set
            auxiliary <Name of Interface>
            DMZ <Name of Interface>
            external <Name of Interface>
            internal <Name of Interface>

Parameters

Parameter   Description

get         Shows the list of configured interfaces.

set         Configures the topology of the specified interface:
            - auxiliary
            - DMZ
            - external
            - internal

cp_conf lic
Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 133 menu.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf lic
      -h
      add -f <Full Path to License File>
      add -m <Host> <Date> <Signature Key> <SKU/Features>
      del <Signature Key>
      get [-x]


Parameters

Parameter                                Description

-h                                       Shows the applicable built-in usage.

add -f <Full Path to License File>       Adds a license from the specified Check Point license file.
                                         You get this license file in the Check Point User Center.
                                         This is the same command as the "cplic db_add" on page 144.

add -m <Host> <Date> <Signature Key>     Adds the license manually.
<SKU/Features>                           You get these license details in the Check Point User Center.
                                         This is the same command as the "cplic db_add" on page 144.

del <Signature Key>                      Deletes the license based on its signature.
                                         This is the same command as the "cplic del" on page 149.

get [-x]                                 Shows the locally installed licenses.
                                         If you specify the "-x" parameter, the output also shows the
                                         signature key for every installed license.
                                         This is the same command as the "cplic print" on page 153.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic


License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@MyHostName:0]#
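Both examples end with the same four-column table from "cp_conf lic get" (the output of "cplic print"), and the Expiration column is where an operator most often needs a check: an expired license is one of the conditions under which the Initial Policy takes over (see comp_init_policy above). The following script is an added example, not part of the Check Point guide, that parses that table and flags expired and soon-expiring licenses. The function names are the example's own; the sample table is constructed, with masked signatures and placeholder SKUs as in the guide, and the handling of the value "never" for perpetual licenses is an assumption of the example.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: flag expired or soon-expiring
# licenses in the table printed by "cp_conf lic get" (the same table as "cplic print").
# On a gateway:   cp_conf lic get | check_licenses "$(date +%Y%m%d)" 30
# The sample table at the bottom is constructed; signatures and SKUs are placeholders.

# Julian day number for a YYYYMMDD string, computed in awk (portable, no "date -d").
jdn() {
    echo "$1" | awk '{
        y = substr($1, 1, 4) + 0; m = substr($1, 5, 2) + 0; d = substr($1, 7, 2) + 0
        a = int((14 - m) / 12); y2 = y + 4800 - a; m2 = m + 12 * a - 3
        print d + int((153 * m2 + 2) / 5) + 365 * y2 + int(y2 / 4) - int(y2 / 100) + int(y2 / 400) - 32045
    }'
}

# Convert the guide's expiration format (e.g. 25Aug2019) to YYYYMMDD.
# "never" (assumed to denote a perpetual license) maps to 99991231; anything else that
# does not match the format yields an empty string so the caller can report it.
cp_date_to_num() {
    case "$1" in
        never) echo 99991231; return ;;
    esac
    echo "$1" | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " "); for (i = 1; i <= 12; i++) mon[n[i]] = i }
        $0 ~ /^[0-9][0-9]?[A-Z][a-z][a-z][0-9][0-9][0-9][0-9]$/ {
            m = substr($0, length($0) - 6, 3)
            if (m in mon) printf "%04d%02d%02d\n", substr($0, length($0) - 3, 4), mon[m], substr($0, 1, length($0) - 7)
        }'
}

# Read the license table on stdin and classify every license against TODAY ($1, YYYYMMDD)
# with a warning window of DAYS ($2). Output: STATUS<TAB>HOST<TAB>EXPIRATION<TAB>FEATURES
check_licenses() {
    today_jdn=$(jdn "$1")
    while read -r host exp sig feat; do
        case "$host" in ''|Host) continue ;; esac     # skip blank lines and the header row
        num=$(cp_date_to_num "$exp")
        if [ -z "$num" ]; then
            status=UNPARSED
        else
            left=$(( $(jdn "$num") - today_jdn ))
            if [ "$left" -lt 0 ]; then status=EXPIRED
            elif [ "$left" -le "$2" ]; then status="EXPIRING($left days)"
            else status=OK; fi
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$host" "$exp" "$feat"
    done
}

# Number of check_licenses lines that are not OK; handy as a monitoring exit code.
license_alert_count() {
    awk -F'\t' '$1 != "OK" { n++ } END { print n + 0 }'
}

# Constructed sample output of "cp_conf lic get" (masked signatures, placeholder SKUs).
SAMPLE='Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX

192.168.3.28 10Sep2019 yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy CPSB-XXX
192.168.3.28 never zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz CPMP-YYY'

printf '%s\n' "$SAMPLE" | check_licenses 20190820 30
printf '%s\n' "$SAMPLE" | check_licenses 20190820 30 | license_alert_count
```

The same date conversion serves "cplic check -t <Date>" (which expects ddmmyyyy): once an expiration is in YYYYMMDD form, the day arithmetic works for any future date you want to test a feature against, without relying on the platform's "date" binary.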

cp_conf sic
Description
Manages SIC on the Security Gateway.
For additional information, see sk65764: How to reset SIC.

Note - This command corresponds to the option Secure Internal Communication in
the "cpconfig" on page 892 menu.

Syntax

cp_conf
      -h
      sic
            cert_pull <Management Server> <DAIP GW object>
            init <Activation Key> [norestart]
            state

Parameters

Parameter                                    Description

-h                                           Shows the built-in usage.

cert_pull <Management Server>                For DAIP Security Gateways, pulls a SIC certificate from the
<DAIP GW object>                             specified Management Server for the specified DAIP Security
                                             Gateway:
                                             - <Management Server> - IPv4 address or HostName of the
                                               Security Management Server or Domain Management Server
                                             - <DAIP GW object> - Name of the DAIP Security Gateway
                                               object as configured in SmartConsole

init <Activation Key> [norestart]            Resets the one-time SIC activation key.
                                             The optional parameter "norestart" specifies not to restart
                                             Check Point services.

state                                        Shows the current state of the SIC Trust.


Example

[Expert@MyGW:0]# cp_conf sic state

Trust State: Trust established

[Expert@MyGW:0]#

cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool lets you configure specific settings for the installed Check Point products.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Syntax

cpconfig

Menu Options

Note - The options shown depend on the configuration and installed products.

Menu Option                      Description

Licenses and contracts           Manages Check Point licenses and contracts on this Security
                                 Gateway or Cluster Member.

SNMP Extension                   Obsolete. Do not use this option anymore.
                                 To configure SNMP, see the R80.40 Gaia Administration Guide -
                                 Chapter System Management - Section SNMP.

PKCS#11 Token                    Registers a cryptographic token, for use by Gaia Operating System.
                                 See details of the token, and test its functionality.

Random Pool                      Configures the RSA keys, to be used by Gaia Operating System.

Secure Internal Communication    Manages SIC on the Security Gateway or Cluster Member.
                                 This change requires a restart of Check Point services on the
                                 Security Gateway or Cluster Member.
                                 For more information, see:
                                 - The R80.40 Security Management Administration Guide.
                                 - sk65764: How to reset SIC.

Enable cluster membership for    Enables the cluster membership on the Security Gateway.
this gateway                     This change requires a reboot of the Security Gateway.
                                 For more information, see the:
                                 - R80.40 Installation and Upgrade Guide.
                                 - R80.40 ClusterXL Administration Guide.

Disable cluster membership for   Disables the cluster membership on the Security Gateway.
this gateway                     This change requires a reboot of the Security Gateway.
                                 For more information, see the:
                                 - R80.40 Installation and Upgrade Guide.
                                 - R80.40 ClusterXL Administration Guide.

Enable Check Point Per Virtual   Enables Virtual System Load Sharing on the VSX Cluster Member.
System State                     For more information, see the R80.40 VSX Administration Guide.

Disable Check Point Per Virtual  Disables Virtual System Load Sharing on the VSX Cluster Member.
System State                     For more information, see the R80.40 VSX Administration Guide.

Enable Check Point ClusterXL     Enables Check Point ClusterXL for Bridge mode.
for Bridge Active/Standby        This change requires a reboot of the Cluster Member.
                                 For more information, see the:
                                 - R80.40 Installation and Upgrade Guide.
                                 - R80.40 ClusterXL Administration Guide.

Disable Check Point ClusterXL    Disables Check Point ClusterXL for Bridge mode.
for Bridge Active/Standby        This change requires a reboot of the Cluster Member.
                                 For more information, see the:
                                 - R80.40 Installation and Upgrade Guide.
                                 - R80.40 ClusterXL Administration Guide.

Check Point CoreXL               Manages CoreXL on the Security Gateway or Cluster Member.
                                 After all changes in CoreXL configuration, you must reboot the
                                 Security Gateway or Cluster Member.
                                 For more information, see the R80.40 Performance Tuning
                                 Administration Guide.

Automatic start of Check Point   Shows and controls which of the installed Check Point products
Products                         start automatically during boot.

Exit                             Exits from the Check Point Configuration Tool.

Example 1 - Menu on a single Security Gateway

[Expert@MySingleGW:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Check Point CoreXL
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

Example 2 - Menu on a Cluster Member

[Expert@MyClusterMember:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :

cpinfo
Description
A utility that collects diagnostics data on your Check Point computer at the time of execution.
It is mandatory to collect these data when you contact Check Point Support about an issue on your Check
Point computer.
For more information, see sk92739.

cplic
Description
The cplic command lets you manage Check Point licenses.
You can run this command in Gaia Clish or in the Expert Mode.
License Management is divided into three types of commands:

Licensing Commands            Applies To                    Description

Local licensing commands      Management Servers,           You execute these commands locally on the
                              Security Gateways and         Check Point computers.
                              Cluster Members

Remote licensing commands     Management Servers only       You execute these commands on the Security
                                                            Management Server or Domain Management
                                                            Server. These changes affect the managed
                                                            Security Gateways and Cluster Members.

License Repository commands   Management Servers only       You execute these commands on the Security
                                                            Management Server or Domain Management
                                                            Server. These changes affect the licenses
                                                            stored in the local license repository.

For more about managing licenses, see the R80.40 Security Management Administration Guide.

Syntax for Local Licensing on a Security Gateway or Cluster Member

cplic [-d]
      {-h | -help}
      check <options>
      contract <options>
      del <options>
      print <options>
      put <options>


Parameters

Parameter             Description

-d                    Runs the command in debug mode.
                      Use only if you troubleshoot the command itself.
                      Best Practice - If you use this parameter, then redirect the output to a
                      file, or use the script command to save the entire CLI session.

{-h | -help}          Shows the applicable built-in usage.

check <options>       Confirms that the license includes the feature on the local Security Gateway or
                      Security Management Server.
                      See "cplic check" on page 898.

contract <options>    Manages (deletes and installs) the Check Point Service Contract on the local
                      Check Point computer.
                      See "cplic contract" on page 900.

del <options>         Deletes a Check Point license on a host, including unwanted evaluation, expired,
                      and other licenses.
                      See "cplic del" on page 902.

print <options>       Prints details of the installed Check Point licenses on the local Check Point
                      computer.
                      See "cplic print" on page 903.

put <options>         Installs and attaches licenses on a Check Point computer.
                      See "cplic put" on page 905.

cplic check
Description
Confirms that the license includes the feature on the local Security Gateway or Management Server. See
sk66245.

Syntax

cplic check {-h | -help}

cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

Parameter        Description
---------------  ---------------------------------------------------------------------
{-h | -help}     Shows the applicable built-in usage.
-d               Runs the command in debug mode.
                 Use only if you troubleshoot the command itself.
                 Best Practice - If you use this parameter, then redirect the output to
                 a file, or use the script command to save the entire CLI session.
-p <Product>     Product, for which license information is requested.
                 Some examples of products:
                 - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member
                   (all blades), or Management Server (all blades)
                 - mgmt - Multi-Domain Server infrastructure
                 - services - Entitlement for various services
                 - cvpn - Mobile Access
                 - etm - QoS (FloodGate-1)
                 - eps - Endpoint Software Blades on Management Server
-v <Version>     Product version, for which license information is requested.
{-c | -count}    Outputs the number of licenses connected to this feature.
-t <Date>        Checks the license status on a future date.
                 Use the format ddmmyyyy.
                 A feature can be valid on a given date on one license, but invalid on
                 another.
{-r | -routers}  Checks how many routers are allowed.
                 The <Feature> option is not needed.
{-S | -SRusers}  Checks how many SecuRemote users are allowed.
<Feature>        Feature, for which license information is requested.

Example from a Management Server

[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1
fw1:6.0:rt fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit
fw1:6.0:prov fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u
fw1:6.0:remote1 fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt
fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability

[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

Example from a Security Gateway

[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf
fw1:6.0:av fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect
fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited
fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam
fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm
fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member

[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#
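The "cplic check" and "cplic print -p" output shown above is what an operator usually has to hand when a license audit is requested, often only as a saved copy (for example inside a cpinfo). The script below is an added example and is not part of the Check Point guide or of the cplic tool: it reads "cplic print -p" output, flags licenses that are expired or about to expire, and reproduces the feature lookup that "cplic check <Feature>" and "cplic check -c <Feature>" perform, so the same questions can be answered off-box. It assumes GNU date (as on Gaia), and the SAMPLE_CPLIC_PRINT text is constructed for offline runs; the hosts, Certificate Keys and feature lists in it are illustrative, not real licenses.

```bash
#!/bin/bash
# Added example, not from the Check Point CLI guide: audit "cplic print -p"
# output for expiry and for primitive features, on- or off-box.
# SAMPLE_CPLIC_PRINT is constructed in the format the guide shows (the
# Host, Expiration and Primitive-Features columns); it is not a real license.

SAMPLE_CPLIC_PRINT='Host Expiration Primitive-Features
192.168.3.28 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:cluster-u fw1:6.0:mgmtha
192.168.3.28 never ::CK-YYYYYYYYYYYY fw1:6.0:swb fw1:6.0:ips fw1:6.0:cluster-u'

# days_until <DDMonYYYY|never> [REF_EPOCH]
# Prints the number of days from REF_EPOCH (default: now) to the expiry date.
# Negative means already expired; "never" is reported as 99999.
days_until() {
  local exp=$1 ref=${2:-$(date -u +%s)} day mon year exp_epoch
  if [ "$exp" = "never" ]; then
    echo 99999
    return 0
  fi
  # cplic prints dates as 24Mar2016; GNU date wants "24 Mar 2016" (assumption: GNU date).
  day=$(printf '%s' "$exp" | cut -c1-2)
  mon=$(printf '%s' "$exp" | cut -c3-5)
  year=$(printf '%s' "$exp" | cut -c6-9)
  exp_epoch=$(date -u -d "$day $mon $year" +%s) || return 1
  echo $(( (exp_epoch - ref) / 86400 ))
}

# count_feature <Feature> [REF_EPOCH]
# Reads "cplic print -p" output on stdin and prints how many licenses that are
# still valid at REF_EPOCH carry the primitive feature, the way
# "cplic check -c <Feature>" counts them. Feature tokens look like fw1:6.0:cluster-u,
# so the match is on the last colon-separated field.
count_feature() {
  local feature=$1 ref=${2:-$(date -u +%s)} n=0 host exp rest tok
  while read -r host exp rest; do
    [ -z "$host" ] && continue
    [ "$host" = "Host" ] && continue                 # column header line
    [ "$(days_until "$exp" "$ref")" -lt 0 ] && continue   # expired licenses do not count
    for tok in $rest; do
      case $tok in
        *:"$feature") n=$((n + 1)); break ;;
      esac
    done
  done
  echo "$n"
}

# has_feature <Feature> [REF_EPOCH]
# Exit 0 if at least one valid license carries the feature, the equivalent of
# "cplic check <Feature>" answering "license valid".
has_feature() {
  [ "$(count_feature "$@")" -gt 0 ]
}

# expiring_licenses <DAYS> [REF_EPOCH]
# Prints every license whose expiry falls within DAYS of REF_EPOCH, already
# expired licenses included, so the list can feed a monitoring alert.
expiring_licenses() {
  local within=$1 ref=${2:-$(date -u +%s)} host exp rest left
  while read -r host exp rest; do
    [ -z "$host" ] && continue
    [ "$host" = "Host" ] && continue
    left=$(days_until "$exp" "$ref")
    if [ "$left" -le "$within" ]; then
      echo "$host $exp expires_in_days=$left"
    fi
  done
}

# On a Gaia host use the live output; elsewhere fall back to the constructed sample.
if command -v cplic >/dev/null 2>&1; then
  LIC=$(cplic print -p)
else
  LIC=$SAMPLE_CPLIC_PRINT
fi
printf '%s\n' "$LIC" | expiring_licenses 30
printf '%s\n' "$LIC" | has_feature cluster-u && echo "cluster-u: license valid"
```

Run it on the Security Gateway or Management Server itself to use the live "cplic print -p" output, or pipe a saved copy into count_feature and expiring_licenses. Note that, like "cplic check", the feature lookup ignores licenses that have already expired, which is why a feature can appear in "cplic print -p" and still be reported as missing.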

cplic contract
Description
Installs or deletes the Check Point Service Contract on the local Check Point computer.

Note
- For more information about Service Contract files, see sk33089: What is a Service Contract File?
- If you install a Service Contract on a managed Security Gateway / Cluster Member, you must update
  the license repository on the applicable Management Server - either with the "cplic get" on page
  151 command, or in SmartUpdate.

Syntax

cplic contract -h

cplic [-d] contract
      del
            -h
            <Service Contract ID>
      put
            -h
            [{-o | -overwrite}] <Service Contract File>


Parameters

Parameter                Description
-----------------------  ------------------------------------------------------------------
{-h | -help}             Shows the applicable built-in usage.
-d                       Runs the command in debug mode.
                         Use only if you troubleshoot the command itself.
                         Best Practice - If you use this parameter, then redirect the output
                         to a file, or use the script command to save the entire CLI session.
del                      Deletes the Service Contract from the $CPDIR/conf/cp.contract file
                         on the local Check Point computer.
put                      Merges the Service Contract into the $CPDIR/conf/cp.contract file
                         on the local Check Point computer.
<Service Contract ID>    ID of the Service Contract.
{-o | -overwrite}        Specifies to overwrite the current Service Contract.
<Service Contract File>  Path to and the name of the Service Contract file.
                         First, you must download the Service Contract file from your Check
                         Point User Center account.

cplic del
Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
This command can delete a license both on the local computer and on remote managed computers.

Syntax

cplic del {-h | -help}

cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

Parameter         Description
----------------  -------------------------------------------------------------------------
{-h | -help}      Shows the applicable built-in usage.
-d                Runs the command in debug mode.
                  Use only if you troubleshoot the command itself.
                  Best Practice - If you use this parameter, then redirect the output to a
                  file, or use the script command to save the entire CLI session.
-F <Output File>  Saves the command output to the specified file.
<Signature>       The signature string within the license.
                  To see the license signature string, run the "cplic print" on page 153
                  command.
<Object Name>     The name of the Security Gateway / Cluster Member object as defined in
                  SmartConsole.

cplic print
Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed
licenses (both Local and Central).

Syntax

cplic print {-h | -help}

cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | -preatures}] [-D]

Parameters

Parameter          Description
-----------------  ----------------------------------------------------------------------
{-h | -help}       Shows the applicable built-in usage.
-d                 Runs the command in debug mode.
                   Use only if you troubleshoot the command itself.
                   Best Practice - If you use this parameter, then redirect the output to
                   a file, or use the script command to save the entire CLI session.
{-n | -noheader}   Prints licenses with no header.
-x                 Prints licenses with their signature.
{-t | -type}       Prints licenses showing their type: Central or Local.
-F <Output File>   Saves the command output to the specified file.
{-p | -preatures}  Prints licenses resolved to primitive features.
-D                 On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print
Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 2

[Expert@HostName:0]# cplic print -x
Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

cplic put
Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}

cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}] [-F <Output File>]
      [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File> [<Host>] [<Expiration Date>]
      [<Signature>] [<SKU/Features>]

Parameters

Parameter            Description
-------------------  --------------------------------------------------------------------
{-h | -help}         Shows the applicable built-in usage.
-d                   Runs the command in debug mode.
                     Use only if you troubleshoot the command itself.
                     Best Practice - If you use this parameter, then redirect the output
                     to a file, or use the script command to save the entire CLI session.
{-o | -overwrite}    On a Security Gateway / Cluster Member, this command erases only the
                     local licenses, but not central licenses that are installed remotely.
{-c | -check-only}   Verifies the license. Checks if the IP of the license matches the
                     Check Point computer and if the signature is valid.
{-s | -select}       Selects only the local license whose IP address matches the IP
                     address of the Check Point computer.
-F <Output File>     Saves the command output to the specified file.
{-P | -Pre-boot}     Use this option after you have upgraded and before you reboot the
                     Check Point computer.
                     Use of this option will prevent certain error messages.
{-k | -kernel-only}  Pushes the current valid licenses to the kernel.
                     For use by Check Point Support only.
-l <License File>    Name of the file that contains the license.
<Host>               Hostname or IP address of the Security Gateway / Cluster Member for
                     a local license.
                     Hostname or IP address of the Security Management Server / Domain
                     Management Server for a central license.
<Expiration Date>    The license expiration date.
<Signature>          The signature string within the license.
                     Case sensitive. The hyphens are optional.
<SKU/Features>       The SKU of the license summarizes the features included in the
                     license.
                     For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

Parameter            Description
-------------------  --------------------------------------------------------------------
host                 The IP address of the external interface (in quad-dot notation).
                     The last part cannot be 0 or 255.
expiration date      The license expiration date. It can be never.
signature            The license signature string.
                     Case sensitive. The hyphens are optional.
SKU/features         A string listing the SKU and the Certificate Key of the license.
                     The SKU of the license summarizes the features included in the
                     license.
                     For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic
Host Expiration SKU
192.168.2.3 14Jan2016  CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#

cpprod_util
Description
This utility lets you work with the Check Point Registry ($CPDIR/registry/HKLM_registry.data)
without manually opening it:
- Shows which Check Point products and features are enabled on this Check Point computer.
- Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}

cpprod_util -dump

Parameters

Parameter        Description
---------------  ------------------------------------------------------------------------
CPPROD_GetValue  Gets the configuration status of the specified product or feature:
                 - 0 - Disabled
                 - 1 - Enabled
CPPROD_SetValue  Sets the configuration for the specified product or feature.
                 Important - Do not run these commands unless explicitly instructed by
                 Check Point Support or R&D to do so.
"<Product>"      Specifies the product or feature.
"<Parameter>"    Specifies the configuration parameter for the specified product or
                 feature.
"<Value>"        Specifies the value of the configuration parameter for the specified
                 product or feature:
                 - One of these integers: 0, 1, 4
                 - A string
-dump            Creates a dump file of the Check Point Registry
                 ($CPDIR/registry/HKLM_registry.data) in the current working directory.
                 The name of the output file is RegDump.


Notes
- On a Multi-Domain Server, you must run this command in the context of the relevant Domain
  Management Server.
- If you run the cpprod_util command without parameters, it prints:
  - The list of all available products and features (for example, "FwIsFirewallMgmt",
    "FwIsLogServer", "FwIsStandAlone")
  - The type of the expected argument when you configure a product or feature
    ("no-parameter", "string-parameter", or "integer-parameter")
  - The type of the returned output ("status-output", or "no-output")
- To redirect the output of the cpprod_util command, you need to redirect the stderr to stdout:

  cpprod_util <options> > <output file> 2>&1

  Example:

  cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples

Example - Showing a list of all installed Check Point Products Packages on a Management Server

[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Management Server

[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone

[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability

[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability

[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability

[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server

[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled

[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled

[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is enabled

[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the Endpoint Policy Management blade is enabled

[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as an Endpoint Policy Server

[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#


Example - Showing a list of all installed Check Point Products Packages on a Security Gateway

[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway

[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled

[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway SmartProvisioning is enabled

[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode

[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of a Full HA cluster

[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with a Dynamically Assigned IP address (DAIP)

[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses

[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#

cpstart
Description
Manually starts all Check Point processes and applications.

Syntax

cpstart [-fwflag {-default | -proc | -driver}]

Parameters

Important - These parameters are for Check Point internal use. Do not use them,
unless explicitly instructed by Check Point Support or R&D to do so.

Parameter         Description
----------------  -----------------------------------------------------------------
-fwflag -default  Starts Check Point processes and loads the Default Filter policy
                  (defaultfilter).
-fwflag -proc     Starts Check Point processes.
-fwflag -driver   Loads the Check Point kernel modules.

cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o
<Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter              Description
---------------------  --------------------------------------------------------------------
-d                     Runs the command in debug mode.
                       Use only if you troubleshoot the command itself.
                       Best Practice - If you use this parameter, then redirect the output
                       to a file, or use the script command to save the entire CLI session.
                       The output shows the SNMP queries and SNMP responses for the
                       applicable SNMP OIDs.
-h <Host>              Optional.
                       When you run this command on a Management Server, this parameter
                       specifies the managed Security Gateway.
                       <Host> is an IPv4 address, a resolvable hostname, or a DAIP object
                       name.
                       The default is localhost.
                       Note - On a Multi-Domain Server, you must run this command in the
                       context of the applicable Domain Management Server:
                       mdsenv <IP Address or Name of Domain Management Server>
-p <Port>              Optional.
                       Port number of the Application Monitoring (AMON) server.
                       The default port is 18192.
-s <SICname>           Optional.
                       Secure Internal Communication (SIC) name of the Application
                       Monitoring (AMON) server.
-f <Flavor>            Optional.
                       Specifies the type of the information to collect.
                       If you do not specify a flavor explicitly, the command uses the
                       first flavor of the <Application Flag>. To see all flavors, run the
                       cpstat command without any parameters.
-o <Polling Interval>  Optional.
                       Specifies the polling interval (in seconds) - how frequently the
                       command collects and shows the information.
                       Examples:
                       - 0 - The command shows the results only once and then stops (this
                         is the default value).
                       - 5 - The command shows the results every 5 seconds in a loop.
                       - 30 - The command shows the results every 30 seconds in a loop.
                       - N - The command shows the results every N seconds in a loop.
                       Use this parameter together with the "-c <Count>" parameter and
                       the "-e <Period>" parameter.
                       Example:

                       cpstat os -f perf -o 2

-c <Count>             Optional.
                       Specifies how many times the command runs and shows the results
                       before it stops.
                       You must use this parameter together with the "-o <Polling
                       Interval>" parameter.
                       Examples:
                       - 0 - The command shows the results repeatedly every <Polling
                         Interval> (this is the default value).
                       - 10 - The command shows the results 10 times every <Polling
                         Interval> and then stops.
                       - 20 - The command shows the results 20 times every <Polling
                         Interval> and then stops.
                       - N - The command shows the results N times every <Polling
                         Interval> and then stops.
                       Example:

                       cpstat os -f perf -o 2 -c 2

-e <Period>            Optional.
                       Specifies the time (in seconds), over which the command calculates
                       the statistics.
                       You must use this parameter together with the "-o <Polling
                       Interval>" parameter.
                       You can use this parameter together with the "-c <Count>"
                       parameter.
                       Example:

                       cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag>     Mandatory.
                       See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are supported only by
a Security Gateway, and some flags are supported only by a Management Server.

Feature or Software Blade        Flag              Flavors
-------------------------------  ----------------  -------------------------------------------------
List of enabled Software Blades  blades            fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi,
                                                   anti_bot, default, content_awareness,
                                                   threat-emulation
Operating System                 os                default, ifconfig, routing, routing6, memory,
                                                   old_memory, cpu, disk, perf, multi_cpu,
                                                   multi_disk, raidInfo, sensors, power_supply,
                                                   hw_info, all, average_cpu, average_memory,
                                                   statistics, updates, licensing, connectivity,
                                                   vsx
Firewall                         fw                default, interfaces, policy, perf, hmem, kmem,
                                                   inspect, cookies, chains, fragments, totals,
                                                   totals64, ufp, http, ftp, telnet, rlogin, smtp,
                                                   pop3, sync, log_connection, all
HTTPS Inspection                 https_inspection  default, hsm_status, all
Identity Awareness               identityServer    default, authentication, logins, ldap,
                                                   components, adquery, idc, muh
Application Control              appi              default, subscription_status, update_status,
                                                   RAD_status, top_last_hour, top_last_day,
                                                   top_last_week, top_last_month
URL Filtering                    urlf              default, subscription_status, update_status,
                                                   RAD_status, top_last_hour, top_last_day,
                                                   top_last_week, top_last_month
IPS                              ips               default, statistics, all
Anti-Virus                       ci                default
Threat Prevention                antimalware       default, scanned_hosts, scanned_mails,
                                                   subscription_status, update_status,
                                                   ab_prm_contracts, av_prm_contracts
Threat Emulation                 threat-emulation  default, general_statuses, update_status,
                                                   scanned_files, malware_detected,
                                                   scanned_on_cloud, malware_on_cloud,
                                                   average_process_time, emulated_file_size,
                                                   queue_size, peak_size,
                                                   file_type_stat_file_scanned,
                                                   file_type_stat_malware_detected,
                                                   file_type_stat_cloud_scanned,
                                                   file_type_stat_cloud_malware_scanned,
                                                   file_type_stat_filter_by_analysis,
                                                   file_type_stat_cache_hit_rate,
                                                   file_type_stat_error_count,
                                                   file_type_stat_no_resource_count, contract,
                                                   downloads_information_current,
                                                   downloading_file_information, queue_table,
                                                   history_te_incidents, history_te_comp_hosts
Threat Extraction                scrub             default, subscription_status,
                                                   threat_extraction_statistics
Mobile Access                    cvpn              cvpnd, sysinfo, products, overall
VSX                              vsx               default, stat, traffic, conns, cpu, all,
                                                   memory, cpu_usage_per_core
IPsec VPN                        vpn               default, product, IKE, ipsec, traffic,
                                                   compression, accelerator, nic, statistics,
                                                   watermarks, all
Data Loss Prevention             dlp               default, dlp, exchange_agents, fingerprint
Content Awareness                ctnt              default
QoS                              fg                all
High Availability                ha                default, all
Policy Server for Remote         polsrv            default, all
Access VPN clients
Desktop Policy Server for        dtps              default, all
Remote Access VPN clients
LTE / GX                         gx                default, contxt_create_info,
                                                   contxt_delete_info, contxt_update_info,
                                                   contxt_path_mng_info, GXSA_GPDU_info,
                                                   contxt_initiate_info, gtpv2_create_info,
                                                   gtpv2_delete_info, gtpv2_update_info,
                                                   gtpv2_path_mng_info, gtpv2_cmd_info, all
Management Server                mg                default, log_server, indexer
Certificate Authority            ca                default, crl, cert, user, all
SmartEvent                       cpsemd            default
SmartEvent Correlation Unit      cpsead            default
Log Server                       ls                default
CloudGuard Controller            vsec              default
SmartReporter                    svr               default
Provisioning Agent               PA                default
Thresholds configured with the   thresholds        default, active_thresholds, destinations,
threshold_config command                           error
Historical status values         persistency       product, TableConfig, SourceConfig

Examples

Example - Interfaces on a Security Gateway

[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
-------------------------------------------------------------------------------------------------------------------
|Name|IP           |Netmask      |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
-------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth1| 172.30.60.80|255.255.255.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth2|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth3|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth4|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth5|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth6|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth7|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
-------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway

[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#

Example - CPU utilization
[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance
[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#

Example - List of currently connected sessions on a Management Server

[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#
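The "cpstat os -f perf" output above is plain "Name: value" text, with "-" standing for counters the platform does not report, and the -o/-c options let it be polled in a loop. That makes it a convenient source for a lightweight health check without SNMP. The script below is an added example, not part of the Check Point guide or of cpstat: it parses one perf sample, derives free memory as a percentage from the two byte counters, and compares CPU, memory and disk against thresholds. SAMPLE_PERF is a constructed copy of the format shown in the guide, so the script runs off a Gaia host; the thresholds (85 percent CPU, 10 percent free memory, 15 percent free disk) are illustrative values, not Check Point recommendations.

```bash
#!/bin/bash
# Added example, not from the Check Point CLI guide: threshold checks over
# the key/value output of "cpstat os -f perf".
# A "-" value means the counter is not available on this platform; it is
# treated as absent rather than as zero so it cannot trigger a false alarm.
# SAMPLE_PERF is constructed in the layout the guide shows for "cpstat os -f perf".

SAMPLE_PERF='Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPUs Number: 8
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296'

# cpstat_value <Name>
# Reads cpstat output on stdin and prints the value of the named counter.
# Prints nothing if the counter is missing or reported as "-".
# The match is on the exact "Name: " prefix, so "CPU Usage (%)" does not
# collide with "CPU User Time (%)".
cpstat_value() {
  awk -v n="$1" '
    index($0, n ": ") == 1 {
      v = substr($0, length(n) + 3)
      sub(/^ +/, "", v)
      if (v != "-") print v
      exit
    }'
}

# check_perf <CPU_MAX_PCT> <MEM_MIN_FREE_PCT> <DISK_MIN_FREE_PCT>
# Reads one cpstat perf sample on stdin, prints one WARN line per breached
# threshold and returns the number of breaches (0 = healthy).
check_perf() {
  local cpu_max=$1 mem_min=$2 disk_min=$3 sample breaches=0
  local cpu total free mem_free_pct disk_free
  sample=$(cat)
  cpu=$(printf '%s\n' "$sample" | cpstat_value 'CPU Usage (%)')
  total=$(printf '%s\n' "$sample" | cpstat_value 'Total Real Memory (Bytes)')
  free=$(printf '%s\n' "$sample" | cpstat_value 'Free Real Memory (Bytes)')
  disk_free=$(printf '%s\n' "$sample" | cpstat_value 'Disk Free Space (%)')

  if [ -n "$cpu" ] && [ "$cpu" -gt "$cpu_max" ]; then
    echo "WARN cpu_usage=${cpu}% > ${cpu_max}%"
    breaches=$((breaches + 1))
  fi
  # cpstat reports memory in bytes only; derive the free percentage here.
  if [ -n "$total" ] && [ -n "$free" ] && [ "$total" -gt 0 ]; then
    mem_free_pct=$((free * 100 / total))
    if [ "$mem_free_pct" -lt "$mem_min" ]; then
      echo "WARN mem_free=${mem_free_pct}% < ${mem_min}%"
      breaches=$((breaches + 1))
    fi
  fi
  if [ -n "$disk_free" ] && [ "$disk_free" -lt "$disk_min" ]; then
    echo "WARN disk_free=${disk_free}% < ${disk_min}%"
    breaches=$((breaches + 1))
  fi
  return "$breaches"
}

# On a Gaia host take one live sample; elsewhere use the constructed one.
if command -v cpstat >/dev/null 2>&1; then
  cpstat os -f perf | check_perf 85 10 15
else
  printf '%s\n' "$SAMPLE_PERF" | check_perf 85 10 15
fi
echo "breaches: $?"
```

check_perf expects a single sample. To evaluate a polled run such as "cpstat os -f perf -o 5 -c 3", split the output at the blank lines that separate the samples and feed each one to check_perf separately; the return code makes the function usable directly from a cron job or a monitoring agent.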

cpstop
Description
Manually stops all Check Point processes and applications.

Syntax

cpstop [-fwflag {-default | -proc | -driver}]

Parameters

Important - These parameters are for Check Point internal use. Do not use them,
unless explicitly instructed by Check Point Support or R&D to do so.

Parameter         Description
----------------  ------------------------------------------------------------------------
-fwflag -default  - Shuts down Check Point processes
                  - Loads the Default Filter policy (defaultfilter)
-fwflag -proc     - Shuts down Check Point processes
                  - Keeps the currently loaded kernel policy
                  - Maintains the Connections table, so that after you run the "cpstart"
                    on page 911 command, you do not experience dropped packets because
                    they are "out of state"
                  Note - Only security rules that do not use user space processes
                  continue to work.
-fwflag -driver   Unloads the Check Point kernel modules.
                  Therefore, no policy is loaded.
                  Warning - This leaves your Security Gateway or Cluster Member without
                  protection. Before you run this command, we recommend that you
                  disconnect the Security Gateway or Cluster Member from the network
                  completely.

Example
See these articles:
- sk35496
- sk113045

cpview
Overview of CPView
Description
CPView is a text-based, built-in utility on a Check Point computer.
CPView shows statistical data that contains both general system information (CPU, Memory, Disk
space) and information for the different Software Blades (only on a Security Gateway).
CPView continuously updates the data in easy-to-access views.
On a Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Section     Description
----------  ------------------------------------------------------------------------------
Header      This view shows the time the statistics in the third view are collected.
            It updates when you refresh the statistics.
Navigation  This menu bar is interactive. Move between menus with the arrow keys and mouse.
            A menu can have sub-menus and they show under the menu bar.
View        This view shows the statistics collected in that view.
            These statistics update at the refresh rate.

Using CPView
Use these keys to navigate the CPView:

Key         Description
----------  ------------------------------------------------------------------------------
Arrow keys  Moves between menus and views. Scrolls in a view.
Home        Returns to the Overview view.
Enter       Changes to the View Mode.
            On a menu with sub-menus, the Enter key moves you to the lowest level sub-menu.
Esc         Returns to the Menu Mode.
Q           Quits CPView.

Use these keys to change CPView interface options:

Key         Description
----------  ------------------------------------------------------------------------------
R           Opens a window where you can change the refresh rate.
            The default refresh rate is 2 seconds.
W           Changes between wide and normal display modes.
            In wide mode, CPView fits the screen horizontally.
S           Manually sets the number of rows or columns.
M           Switches the mouse on/off.
P           Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key         Description
----------  ------------------------------------------------------------------------------
C           Saves the current page to a file. The file name format is:
            cpview_<ID of the cpview process>.cap<Number of the capture>
H           Shows a tooltip with CPView options.
Space bar   Immediately refreshes the statistics.

dynamic_objects
Description
Manages dynamic objects and their applicable ranges of IP addresses on the Security Gateway.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Workflow

Step  Description
----  --------------------------------------------------------------------------
1     In SmartConsole:
      1. Define the applicable dynamic object.
      2. Install the Access Control Policy on the Security Gateway.
2     On the Security Gateway, run the dynamic_objects command to:
      1. Create the applicable dynamic object with the same name.
      2. Assign the applicable ranges of IP addresses to the new dynamic object.


Syntax
- To show all configured dynamic objects and their ranges of IP addresses:

dynamic_objects -l

- To create a new dynamic object (and optionally assign a range of IP addresses to it):

dynamic_objects -n <object_name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a]

- To add a new range of IP addresses to a specific existing dynamic object:

dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a

- To delete a range of IP addresses from a specific existing dynamic object:

dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -d

- To update a specific existing dynamic object (and assign a different range of IP addresses to it):

dynamic_objects -u <object_name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]]

- To compare the configured dynamic objects with the objects configured in SmartConsole:

dynamic_objects -c

- To delete a specific existing dynamic object (and all ranges of IP addresses assigned to it):

dynamic_objects -do <object_name>

- To delete all existing dynamic objects (and all ranges of IP addresses assigned to them):

dynamic_objects -e


Parameters

Parameter                                      Description
<object_name>                                  Specifies the name of the object:
                                               - As defined in SmartConsole
                                               - As defined with the "dynamic_objects -n <object name>" command
-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]   Specifies the ranges of IP addresses as pairs in the format <From_IP_Address> <To_IP_Address>.
                                               For example, to specify two ranges, from 192.168.2.30 to 192.168.2.40 and from 192.168.2.50 to 192.168.2.60, enter these four IP addresses: 192.168.2.30 192.168.2.40 192.168.2.50 192.168.2.60
-a                                             Adds the specified ranges of IP addresses to the specified dynamic object.
-c                                             Compares the dynamic objects in the dynamic objects database ($FWDIR/database/dynamic_objects.db) and in the $FWDIR/conf/objects.C file.
-d                                             Deletes the specified ranges of IP addresses from the dynamic object.
-do                                            Deletes the specified dynamic object.
-e                                             Deletes all configured dynamic objects from the dynamic objects database ($FWDIR/database/dynamic_objects.db).
-l                                             Lists the configured dynamic objects in the dynamic objects database ($FWDIR/database/dynamic_objects.db).
-n                                             Creates a new dynamic object.
-u                                             Updates the specified dynamic object. If you specify a range of IP addresses, the new range replaces all ranges currently assigned to this dynamic object.


Example 1 - Create a new dynamic object named "bigserver" and assign to it the range of IP addresses 192.168.2.30-192.168.2.40

Run either these two commands:

dynamic_objects -n bigserver
dynamic_objects -o bigserver -r 192.168.2.30 192.168.2.40 -a

Or this single command:

dynamic_objects -n bigserver -r 192.168.2.30 192.168.2.40 -a

Example 2 - Update the ranges of IP addresses assigned to the dynamic object named "bigserver" from the current range to the new range 192.168.2.60-192.168.2.80

dynamic_objects -u bigserver -r 192.168.2.60 192.168.2.80
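The -r argument is a flat list of addresses that dynamic_objects pairs up as <From_IP> <To_IP>, so an odd count, a reversed pair or a typo in one address silently produces a different object than intended. The following added example (not Check Point's code; the object name, addresses and helper names are constructed) validates such a list and builds the argv for the add, delete and replace forms shown above:

```python
"""Added example, not Check Point's code: checks a list of <From_IP> <To_IP>
tokens before they are passed to the dynamic_objects command documented
above, and builds the argv for the add (-o ... -a), delete (-o ... -d) and
replace (-u) forms. The object name and sample addresses are constructed;
dynamic_objects itself is only ever run on the Security Gateway."""
import ipaddress
from typing import List, Optional, Tuple

IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_ranges(tokens: List[str]) -> List[IPv4Range]:
    """Pair up the flat address list the way dynamic_objects -r expects and
    reject an odd number of addresses, a reversed pair, a non-IPv4 token and
    ranges that overlap each other."""
    if len(tokens) % 2:
        raise ValueError(f"{len(tokens)} addresses given; -r takes <From_IP> <To_IP> pairs")
    ranges: List[IPv4Range] = []
    for lo_s, hi_s in zip(tokens[::2], tokens[1::2]):
        lo = ipaddress.IPv4Address(lo_s)   # raises AddressValueError (a ValueError) on bad input
        hi = ipaddress.IPv4Address(hi_s)
        if hi < lo:
            raise ValueError(f"range {lo_s}-{hi_s} is reversed (To_IP is below From_IP)")
        ranges.append((lo, hi))
    # Overlap check on a sorted copy; the caller's order is preserved in the output.
    ordered = sorted(ranges)
    for (a_lo, a_hi), (b_lo, b_hi) in zip(ordered, ordered[1:]):
        if b_lo <= a_hi:
            raise ValueError(f"ranges {a_lo}-{a_hi} and {b_lo}-{b_hi} overlap")
    return ranges


def range_error(tokens: List[str]) -> Optional[str]:
    """Return the validation error message for a token list, or None if it is fine."""
    try:
        parse_ranges(tokens)
    except ValueError as exc:
        return str(exc)
    return None


def build_dynamic_objects_cmd(name: str, tokens: List[str], mode: str = "add") -> List[str]:
    """Return the argv for one of the three range-changing forms on the page:
    add     -> dynamic_objects -o <name> -r <pairs> -a
    delete  -> dynamic_objects -o <name> -r <pairs> -d
    replace -> dynamic_objects -u <name> -r <pairs>   (replaces all current ranges)"""
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("object name must be a single non-empty token")
    ranges = parse_ranges(tokens)
    flat = [str(ip) for lo, hi in ranges for ip in (lo, hi)]
    if mode == "add":
        return ["dynamic_objects", "-o", name, "-r", *flat, "-a"]
    if mode == "delete":
        return ["dynamic_objects", "-o", name, "-r", *flat, "-d"]
    if mode == "replace":
        return ["dynamic_objects", "-u", name, "-r", *flat]
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed input mirroring the two-range example in the parameter table.
    print(" ".join(build_dynamic_objects_cmd(
        "bigserver", ["192.168.2.30", "192.168.2.40", "192.168.2.50", "192.168.2.60"])))
```

The returned argv can be handed to subprocess.run on the gateway, or the check can be run off-box before a change window.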


cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes such as
Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products and
Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log file.
The cpwd_admin utility shows the status of the monitored processes, and configures the Check Point
WatchDog.

There are two types of Check Point WatchDog monitoring:

Monitoring   Description
Passive      WatchDog restarts the process only when the process terminates abnormally.
             In the output of the cpwd_admin list command, the MON column shows N for passively monitored processes.
Active       WatchDog checks the process status every predefined interval.
             WatchDog makes sure the process is alive, as well as properly functioning (not stuck on deadlocks, frozen, and so on).
             In the output of the cpwd_admin list command, the MON column shows Y for actively monitored processes.
             The list of actively monitored processes is predefined by Check Point. Users cannot change or configure it.


Syntax

cpwd_admin
      config <options>
      del <options>
      detach <options>
      exist
      flist <options>
      getpid <options>
      kill
      list <options>
      monitor_list
      start <options>
      start_monitor
      stop <options>
      stop_monitor

Parameters

Parameter           Description
config <options>    Configures the Check Point WatchDog.
                    See "cpwd_admin config" on page 211.
del <options>       Temporarily deletes a monitored process from the WatchDog database of monitored processes.
                    See "cpwd_admin del" on page 214.
detach <options>    Temporarily detaches a monitored process from the WatchDog monitoring.
                    See "cpwd_admin detach" on page 215.
exist               Checks whether the WatchDog process cpwd is alive.
                    See "cpwd_admin exist" on page 216.
flist <options>     Saves the status of all monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
                    See "cpwd_admin flist" on page 217.
getpid <options>    Shows the PID of a monitored process.
                    See "cpwd_admin getpid" on page 219.
kill <options>      Terminates the WatchDog process cpwd.
                    See "cpwd_admin kill" on page 220.
                    Important - Do not run this command unless explicitly instructed by Check Point Support or R&D to do so.
list <options>      Prints the status of all monitored processes on the screen.
                    See "cpwd_admin list" on page 221.
monitor_list        Prints the status of actively monitored processes on the screen.
                    See "cpwd_admin monitor_list" on page 225.
start <options>     Starts a process as monitored by the WatchDog.
                    See "cpwd_admin start" on page 226.
start_monitor       Starts the active WatchDog monitoring - WatchDog monitors the predefined processes actively.
                    See "cpwd_admin start_monitor" on page 228.
stop <options>      Stops a monitored process.
                    See "cpwd_admin stop" on page 229.
stop_monitor        Stops the active WatchDog monitoring - WatchDog monitors all processes only passively.
                    See "cpwd_admin stop_monitor" on page 231.


cpwd_admin config
Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
      -h
      -a <options>
      -d <options>
      -p
      -r

Parameters

Parameter                                      Description
-h                                             Shows built-in usage.
-a <Configuration_Parameter_1>=<Value_1>       Adds the WatchDog configuration parameters.
   <Configuration_Parameter_2>=<Value_2> ...   Note - Spaces are not allowed between the name of the configuration parameter, the equal sign, and the value.
   <Configuration_Parameter_N>=<Value_N>
-d <Configuration_Parameter_1>                 Deletes the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.
   <Configuration_Parameter_2> ...
   <Configuration_Parameter_N>
-p                                             Shows the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.
-r                                             Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:


Configuration Parameter / Accepted Values / Description

default_ctx
    Accepted values: Text string up to 128 characters
    On a VSX Gateway, configures the CTX value that is assigned to monitored processes for which no CTX is specified.

display_ctx
    Accepted values: 0 (default), 1
    On a VSX Gateway, configures whether the WatchDog shows the CTX column in the output of the cpwd_admin list command (between the APP and the PID columns):
    - 0 - Does not show the CTX column
    - 1 - Shows the CTX column

no_limit
    Range: -1, 0, >0. Default: 5
    If rerun_mode=1, specifies the maximal number of times the WatchDog tries to restart a process.
    - -1 - Always tries to restart
    - 0 - Never tries to restart
    - >0 - Tries this number of times

num_of_procs
    Range: 30 - 2000. Default: 2000
    Configures the maximal number of processes managed by the WatchDog.

rerun_mode
    Accepted values: 0, 1 (default)
    Configures whether the WatchDog restarts processes after they fail:
    - 0 - Does not restart a failed process. Monitor and log only.
    - 1 - Restarts a failed process (this is the default).

reset_startups
    Range: >0. Default: 3600
    Configures the time (in seconds) the WatchDog waits after the process starts and before the WatchDog resets the process's startup_counter to 0.
    To see the process's startup counter, in the output of the cpwd_admin list command, refer to the #START column.

sleep_mode
    Accepted values: 0, 1 (default)
    Configures how the WatchDog restarts the process:
    - 0 - Ignores timeout and restarts the process immediately
    - 1 - Waits for the duration of sleep_timeout

sleep_timeout
    Range: 0 - 3600. Default: 60
    If rerun_mode=1, specifies how much time (in seconds) passes from a process failure until WatchDog tries to restart it.

stop_timeout
    Range: >0. Default: 60
    Configures the time (in seconds) the WatchDog waits for a process stop command to complete.

zero_timeout
    Range: >0. Default: 7200
    After failing no_limit times to restart a process, the WatchDog waits zero_timeout seconds before it tries again.
    The value of the zero_timeout must be greater than the value of the timeout.

The WatchDog saves the user-defined configuration parameters in the $CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"


: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...

Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
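Because every change to these parameters takes effect only after cpstop and cpstart, a mistyped value costs a full restart of all Check Point processes. The following added example (not Check Point's code; the function names are constructed and the accepted values are transcribed from the table above) checks a `cpwd_admin config -a` argument list before it is run:

```python
"""Added example, not Check Point's code: a pre-flight check for the
argument list of `cpwd_admin config -a` against the accepted values in
the table above, so a typo is caught before the cpstop/cpstart that the
change requires. The accepted values are transcribed from the page; the
two interaction warnings follow from its rerun_mode and sleep_mode text."""
from typing import Callable, Dict, List, Optional, Tuple


def _as_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def _int_range(lo: int, hi: Optional[int] = None) -> Callable[[str], bool]:
    """Validator for an integer with inclusive bounds (hi=None: no upper bound)."""
    def ok(value: str) -> bool:
        n = _as_int(value)
        return n is not None and n >= lo and (hi is None or n <= hi)
    return ok


# parameter -> (validator, text of the accepted values from the table)
ACCEPTED: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "default_ctx":    (lambda v: len(v) <= 128,    "text string up to 128 characters"),
    "display_ctx":    (lambda v: v in ("0", "1"),  "0 or 1"),
    "no_limit":       (_int_range(-1),             "-1, 0 or >0"),
    "num_of_procs":   (_int_range(30, 2000),       "30 - 2000"),
    "rerun_mode":     (lambda v: v in ("0", "1"),  "0 or 1"),
    "reset_startups": (_int_range(1),              ">0 (seconds)"),
    "sleep_mode":     (lambda v: v in ("0", "1"),  "0 or 1"),
    "sleep_timeout":  (_int_range(0, 3600),        "0 - 3600 (seconds)"),
    "stop_timeout":   (_int_range(1),              ">0 (seconds)"),
    "zero_timeout":   (_int_range(1),              ">0 (seconds)"),
}


def check_config_args(args: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Validate tokens exactly as the shell would pass them to
    `cpwd_admin config -a`. Returns (name->value map, problems); an empty
    problem list means the command line is safe to run."""
    parsed: Dict[str, str] = {}
    problems: List[str] = []
    for tok in args:
        # The page requires no spaces around '='; a token without '=' usually
        # means the shell split "name = value" into three arguments.
        if "=" not in tok:
            problems.append(f"'{tok}': expected <parameter>=<value> with no spaces")
            continue
        name, value = tok.split("=", 1)
        if name not in ACCEPTED:
            problems.append(f"'{name}': not a documented WatchDog parameter")
            continue
        ok, accepted = ACCEPTED[name]
        if not ok(value):
            problems.append(f"'{name}={value}': accepted values are {accepted}")
            continue
        if name in parsed:
            problems.append(f"'{name}': given more than once")
        parsed[name] = value
    # Interactions the table documents: these settings only take effect in the
    # matching mode, so setting them in the other mode is almost always a mistake.
    if parsed.get("rerun_mode") == "0" and ("no_limit" in parsed or "sleep_timeout" in parsed):
        problems.append("no_limit/sleep_timeout only apply when rerun_mode=1")
    if parsed.get("sleep_mode") == "0" and "sleep_timeout" in parsed:
        problems.append("sleep_timeout is ignored when sleep_mode=0")
    return parsed, problems


def build_config_command(args: List[str]) -> str:
    """Return the full `cpwd_admin config -a ...` line, or raise on any problem."""
    parsed, problems = check_config_args(args)
    if problems:
        raise ValueError("; ".join(problems))
    return "cpwd_admin config -a " + " ".join(f"{k}={v}" for k, v in parsed.items())


if __name__ == "__main__":
    # Same values as the page's example; run cpstop ; cpstart after applying.
    print(build_config_command(["sleep_timeout=120", "no_limit=12"]))
```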


cpwd_admin del
Description
Temporarily deletes a monitored process from the WatchDog database of monitored processes.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 221 command does not show the deleted process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 196 command.

Syntax on a Management Server

cpwd_admin del -name <Application Name>

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

Parameter            Description
<Application Name>   Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 221 command in the leftmost column APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM
-ctx <VSID>          On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD
cpwd_admin:
successful Del operation
[Expert@HostName:0]#


cpwd_admin detach
Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 221 command does not show the detached process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 196 command.

Syntax on a Management Server

cpwd_admin detach -name <Application Name>

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

Parameter            Description
<Application Name>   Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 221 command in the leftmost column APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM
-ctx <VSID>          On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD
cpwd_admin:
successful Detach operation
[Expert@HostName:0]#


cpwd_admin exist
Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist
cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#


cpwd_admin flist
Description
Saves the status of all WatchDog monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file. The file has the same columns as the output of the cpwd_admin list command.

Syntax on a Management Server

cpwd_admin flist [-full]

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

Parameter Description

-full Shows the verbose output.

-ctx <VSID> On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

Column       Description
APP          Shows the WatchDog name of the monitored process.
CTX          On a VSX Gateway, shows the VSID in which the monitored process runs.
PID          Shows the PID of the monitored process.
STAT         Shows the status of the monitored process:
             - E - executing
             - T - terminated
#START       Shows how many times the WatchDog started the monitored process.
START_TIME   Shows the time when the WatchDog last started the monitored process.
SLP/LIMIT    In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 211).
MON          Shows how the WatchDog monitors this process (see the explanation in "cpwd_admin" on page 208):
             - Y - Active monitoring
             - N - Passive monitoring
COMMAND      Shows the command the WatchDog runs to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist
/opt/CPshrd-R80.40/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#
[Expert@HostName:0]# date --date="@1564617600"
Thu Aug 1 03:00:00 IDT 2019
[Expert@HostName:0]#


cpwd_admin getpid
Description
Shows the PID of a WatchDog monitored process.

Syntax for a Management Server

cpwd_admin getpid -name <Application Name>

Syntax for a Security Gateway

cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

Parameters

Parameter            Description
<Application Name>   Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 221 command in the leftmost column APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM
-ctx <VSID>          On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD
5640
[Expert@HostName:0]#


cpwd_admin kill
Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 205 and "cpstart" on page 196 commands.

Syntax

cpwd_admin kill


cpwd_admin list
Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Management Server

cpwd_admin list [-full]

Syntax on a Security Gateway

cpwd_admin list [-full] [-ctx <VSID>]

Parameters

Parameter Description

-full Shows the verbose output.

-ctx <VSID> On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

Column       Description
APP          Shows the WatchDog name of the monitored process.
CTX          On a VSX Gateway, shows the VSID in which the monitored process runs.
PID          Shows the PID of the monitored process.
STAT         Shows the status of the monitored process:
             - E - executing
             - T - terminated
#START       Shows how many times the WatchDog started the monitored process.
START_TIME   Shows the time when the WatchDog last started the monitored process.
SLP/LIMIT    In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 211).
MON          Shows how the WatchDog monitors this process (see the explanation in "cpwd_admin" on page 208):
             - Y - Active monitoring
             - N - Passive monitoring
COMMAND      Shows the command the WatchDog runs to start this process.

Examples

Example - Default output on a Management Server


[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R80.40/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-R80.40/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2019 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
[Expert@HostName:0]#


Example - Default output on a Security Gateway


[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 N ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2019 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 N DAService_script
[Expert@HostName:0]#

Example - Verbose output on a Management Server


[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/java_solr
COMMAND = java_solr /opt/CPrt-R80.40/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/log_indexer/log_indexer
COMMAND = /opt/CPrt-R80.40/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R80.40/smartlog_server
COMMAND = /opt/CPSmartLog-R80.40/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#


Example - Verbose output on a Security Gateway


[Expert@HostName:0]# cpwd_admin list -full
APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 3/u N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
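When this output is collected from many gateways (or read back from a cpwd_admin flist file, which has the same columns), the two things worth checking automatically are processes in state T and processes whose #START column keeps climbing, since the WatchDog's rerun_mode can keep a crashing daemon showing E while it restarts it over and over. The following added example (not Check Point's code) parses the default, non -full output documented above for both column layouts; the samples are constructed from the page's format, not real captures, and the restart threshold is an assumption:

```python
"""Added example, not Check Point's code: parses captured output of
`cpwd_admin list` using the column layout documented above and flags the
processes an operator should look at. It handles both layouts the page
shows: Management Server (no CTX column) and Security Gateway (CTX column
between APP and PID). The two samples below are constructed, not real
captures, and the restart threshold in find_suspicious is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WdProcess:
    app: str            # APP: WatchDog name of the process
    ctx: Optional[int]  # CTX: VSID on a VSX Gateway, None when the column is absent
    pid: int            # PID
    stat: str           # STAT: E = executing, T = terminated
    starts: int         # #START: times the WatchDog started the process
    start_time: str     # START_TIME, e.g. "[18:14:26] 23/5/2019"
    mon: str            # MON: Y = active, N = passive monitoring
    command: str        # COMMAND (may contain spaces and arguments)


def parse_cpwd_list(output: str) -> List[WdProcess]:
    """Parse default `cpwd_admin list` output; shell prompt lines are skipped."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    hdr = next(i for i, ln in enumerate(lines) if ln.startswith("APP "))
    has_ctx = "CTX" in lines[hdr].split()
    procs: List[WdProcess] = []
    for line in lines[hdr + 1:]:
        if line.startswith("[Expert@"):   # trailing prompt after the table
            continue
        # Columns are whitespace separated. START_TIME spans two tokens
        # ("[HH:MM:SS]" and "D/M/YYYY"); COMMAND is everything after MON.
        it = iter(line.split())
        app = next(it)
        ctx = int(next(it)) if has_ctx else None
        pid = int(next(it))
        stat = next(it)
        starts = int(next(it))
        start_time = f"{next(it)} {next(it)}"
        mon = next(it)
        command = " ".join(it)
        procs.append(WdProcess(app, ctx, pid, stat, starts, start_time, mon, command))
    return procs


def find_suspicious(procs: List[WdProcess], max_starts: int = 3) -> List[Tuple[str, str]]:
    """(APP, reason) pairs for terminated processes and for processes the
    WatchDog has started more than max_starts times (the #START counter is
    reset only after reset_startups seconds, so a high value while STAT is
    still E is how a crash/restart loop shows up in this output)."""
    findings: List[Tuple[str, str]] = []
    for p in procs:
        if p.stat == "T":
            findings.append((p.app, "terminated (STAT T)"))
        elif p.starts > max_starts:
            findings.append((p.app, f"started {p.starts} times by WatchDog"))
    return findings


# Constructed sample in the Security Gateway layout (CTX column present).
SAMPLE_GATEWAY = """\
[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
FWD 0 5640 E 7 [18:14:26] 23/5/2019 N fwd
HISTORYD 0 0 T 0 [18:14:15] 23/5/2019 N cpview_historyd
[Expert@HostName:0]#
"""

# Constructed sample in the Management Server layout (no CTX column).
SAMPLE_MGMT = """\
APP PID STAT #START START_TIME MON COMMAND
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
"""

if __name__ == "__main__":
    for app, reason in find_suspicious(parse_cpwd_list(SAMPLE_GATEWAY)):
        print(f"{app}: {reason}")
```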


cpwd_admin monitor_list
Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 208.

Syntax

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list
cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#


cpwd_admin start
Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server

cpwd_admin start -name <Application Name> -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Syntax on a Security Gateway

cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

Parameter                            Description
-name <Application Name>             Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
                                     Examples:
                                     - FWM
                                     - FWD
                                     - CPD
                                     - CPM
-ctx <VSID>                          On a VSX Gateway, specifies the context of the applicable Virtual System.
-path "<Full Path to Executable>"    The full path (with or without Check Point environment variables) to the executable, including the executable name.
                                     Must be enclosed in double-quotes.
                                     Examples:
                                     - For FWM: "$FWDIR/bin/fwm"
                                     - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
                                     - For CPD: "$CPDIR/bin/cpd"
                                     - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh"
                                     - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl"
-command "<Command Syntax>"          The command and its arguments to run.
                                     Must be enclosed in double-quotes.
                                     Examples:
                                     - For FWM: "fwm"
                                     - For FWM on Multi-Domain Server: "fwm mds"
                                     - For FWD: "fwd"
                                     - For CPD: "cpd"
                                     - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh -s"
                                     - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl -c "/opt/CPuepm-R80.40/engine/conf/cptnl_srv.conf""
-env {inherit | <Env_Var>=<Value>}   Configures whether to inherit the environment variables from the shell.
                                     - inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
                                     - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable
-slp_timeout <Timeout>               Configures the specified value of the "sleep_timeout" configuration parameter.
                                     See "cpwd_admin config" on page 211.
-retry_limit {<Limit> | u}           Configures the value of the "retry_limit" configuration parameter.
                                     See "cpwd_admin config" on page 211.
                                     - <Limit> - Tries to restart the process the specified number of times
                                     - u - Tries to restart the process an unlimited number of times

Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin start_monitor
Description
Starts the active WatchDog monitoring. WatchDog monitors the predefined processes actively.
See the explanation for the "cpwd_admin" on page 208 command.

Syntax

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor
cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#

cpwd_admin stop
Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Management Server

cpwd_admin stop -name <Application Name> [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Syntax on a Security Gateway

cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Parameters

-name <Application Name>
    Name under which the "cpwd_admin list" command shows the monitored
    process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the
    executable, including the executable name.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd_admin"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must enclose in double-quotes.
    Examples:
    - For FWM: "fw kill fwm"
    - For FWD: "fw kill fwd"
    - For CPD: "cpd_admin stop"

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up
      to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified
      environment variable

Example
For the list of processes and the applicable syntax, see sk97638.

cpwd_admin stop_monitor
Description
Stops the active WatchDog monitoring. WatchDog monitors all processes only passively.
See the explanation for the "cpwd_admin" on page 208 command.

Syntax

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor
cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#

fw
Description
- Fetches and unloads Threat Prevention policy.
- Controls the Firewall module.
- Generates the Default Filter policy files.
- Fetches the policy from the Management Server, peer Cluster Member, or local directory.
- Fetches the specified Security or Audit log files from the specified Check Point computer.
- Shows the list of interfaces and their IP addresses.
- Shows information about Check Point computers in High Availability configuration and their states.
- Controls ISP links in ISP Redundancy configuration.
- Kills the specified Check Point processes.
- Shows a list of hosts protected by the Security Gateway.
- Shows the content of Check Point log files.
- Switches the current active log file.
- Shows a list of Security or Audit log files.
- Merges several input log files into a single log file.
- Runs FW Monitor to capture the traffic that passes through the Security Gateway.
- Rebuilds pointer files for Security or Audit log files.
- Manages the Suspicious Activity Monitoring (SAM) rules.
- Manages the Suspicious Activity Policy editor.
- Shows the contents of the Unified Policy kernel tables.
- Shows the currently installed policy.
- Shows and deletes the contents of the specified kernel tables.
- Executes the offline Unified Policy.
- Removes all policies from the Security Gateway or Cluster Member.
- Shows the Security Gateway major and minor version number and build number.

Syntax

fw [-d] [-i <ID of CoreXL Firewall instance>]
      amw <options>
      ctl <options>
      defaultgen
      fetch <options>
      fetchlogs <options>
      getifs
      hastat <options>
      isp_link <options>
      kill <options>
      lichosts <options>
      log <options>
      logswitch <options>
      lslogs <options>
      mergefiles <options>
      monitor <options>
      repairlog <options>
      sam <options>
      sam_policy <options>
      showuptables <options>
      stat
      tab <options>
      unloadlocal
      up_execute <options>
      ver <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-i
    Specifies the CoreXL Firewall instance.
    See "fw -i" on page 958.

amw <options>
    Fetches and unloads Threat Prevention policy.
    See "fw amw" on page 959.

ctl <options>
    Controls the Firewall module.
    See "fw ctl" on page 962.

defaultgen
    Generates the Default Filter policy files.
    See "fw defaultgen" on page 996.

fetch <options>
    Fetches the policy from the Management Server, peer Cluster Member, or
    local directory.
    See "fw fetch" on page 998.

fetchlogs <options>
    Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log
    files ($FWDIR/log/*.adtlog*) from the specified Check Point computer.
    See "fw fetchlogs" on page 1000.

getifs
    Shows the list with this information:
    - The names of the interfaces to which the Check Point Firewall kernel is
      attached.
    - The IP addresses assigned to the interfaces.
    See "fw getifs" on page 1002.

hastat <options>
    Shows information about Check Point computers in High Availability
    configuration and their states.
    See "fw hastat" on page 1003.

isp_link <options>
    Controls ISP links in the ISP Redundancy configuration.
    See "fw isp_link" on page 1004.

kill <options>
    Kills the specified Check Point processes.
    See "fw kill" on page 1005.

lichosts <options>
    Shows a list of hosts protected by the Security Gateway.
    See "fw lichosts" on page 1006.

log <options>
    Shows the content of Check Point log files - Security ($FWDIR/log/*.log)
    or Audit ($FWDIR/log/*.adtlog).
    See "fw log" on page 1007.

logswitch <options>
    Switches the current active log file - Security ($FWDIR/log/fw.log) or
    Audit ($FWDIR/log/fw.adtlog).
    See "fw logswitch" on page 1016.

lslogs <options>
    Shows a list of Security log files ($FWDIR/log/*.log*) or Audit log files
    ($FWDIR/log/*.adtlog*) residing on the local computer or a remote
    computer.
    See "fw lslogs" on page 1020.

mergefiles <options>
    Merges several input log files - Security ($FWDIR/log/*.log) or Audit
    ($FWDIR/log/*.adtlog) - into a single log file.
    See "fw mergefiles" on page 1023.

monitor <options>
    Runs FW Monitor to capture the traffic that passes through the Security
    Gateway.
    See "fw monitor" on page 1026.

repairlog <options>
    Rebuilds pointer files for Security log files ($FWDIR/log/*.log) or Audit
    log files ($FWDIR/log/*.adtlog).
    See "fw repairlog" on page 1056.

sam <options>
    Manages the Suspicious Activity Monitoring (SAM) rules.
    See "fw sam" on page 1057.

sam_policy <options>
    Manages the Suspicious Activity Policy editor.
    See "fw sam_policy" on page 1065.

showuptables <options>
    Shows the contents of the Unified Policy kernel tables.
    See "fw showuptables" on page 1090.

stat
    Shows the currently installed policy.
    See "fw stat" on page 1091.

tab <options>
    Shows and deletes the contents of the specified kernel tables.
    See "fw tab" on page 1093.

unloadlocal
    Uninstalls all policies from the Security Gateway or Cluster Member.
    See "fw unloadlocal" on page 1100.

up_execute <options>
    Executes the offline Unified Policy.
    See "fw up_execute" on page 1104.

ver <options>
    Shows the Security Gateway major and minor version number and build
    number.
    See "fw ver" on page 1107.

fw -i
Description
By default, the "fw" on page 954 commands apply to the entire Security Gateway.
The fw commands show aggregated information for all CoreXL Firewall instances.
The fw -i commands apply to the specified CoreXL Firewall instance.

Syntax

fw -i <ID of CoreXL Firewall instance> <Command>

Parameters

<ID of CoreXL Firewall instance>
    Specifies the ID of the CoreXL Firewall instance.
    To see the available IDs, run the "fw ctl multik stat" on page 1464
    command.

<Command>
    Only these commands support the fw -i syntax:
    - fw -i <ID> conntab ...
    - fw -i <ID> ctl get ...
    - fw -i <ID> ctl leak ...
    - fw -i <ID> ctl pstat ...
    - fw -i <ID> ctl set ...
    - fw -i <ID> monitor ...
    - fw -i <ID> tab ...
    For details and additional parameters for any of these commands, refer
    to the corresponding entry for each command.

Example 1 - Show the Connections table for CoreXL Firewall instance #1

fw -i 1 tab -t connections

Example 2 - Show various internal statistics for CoreXL Firewall instance #1

fw -i 1 ctl pstat
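Added example (not from the Check Point guide): the fw -i form works on one instance at a time, so a per-instance check across all CoreXL Firewall instances is usually scripted. This script reads the instance IDs from "fw ctl multik stat" output and runs the given fw subcommand once per active instance. The multik stat table inside the script is a constructed sample that approximates the real layout (instance ID in the first column, the Active flag in the second); verify it against your own output. FW_CMD and the function names are my own, not part of the product.

```sh
#!/bin/sh
# Added example, not Check Point code: run an "fw -i"-capable command on every
# active CoreXL Firewall instance instead of on the aggregate.
# Assumptions (not in the guide): FW_CMD names the fw binary (default "fw"),
# and "fw ctl multik stat" prints a "|"-separated table with the instance ID
# in column 1 and "Yes"/"No" in column 2 after a two-line header.

FW_CMD="${FW_CMD:-fw}"

# Constructed sample of "fw ctl multik stat" output (layout approximated).
sample_multik_stat() {
    cat <<'EOF'
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |         120 |      450
 1 | Yes     | 2      |         118 |      447
 2 | No      | 1      |           0 |        0
EOF
}

# multik stat table on stdin -> IDs of active instances, one per line
active_instance_ids() {
    awk -F'|' 'NR > 2 && $2 ~ /Yes/ { gsub(/ /, "", $1); print $1 }'
}

# Run "fw -i <ID> <command...>" for every active instance, for example:
#   for_each_instance ctl pstat
#   for_each_instance tab -t connections -s
for_each_instance() {
    "$FW_CMD" ctl multik stat | active_instance_ids | while read -r id; do
        echo "### CoreXL instance $id"
        "$FW_CMD" -i "$id" "$@"
    done
}
```

Compare the per-instance figures with the aggregate output of the same command without -i; a single instance carrying most of the connections is the usual sign of uneven CoreXL distribution.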

fw amw
Description
Fetches and unloads Threat Prevention policy.
Threat Prevention policy applies to these Software Blades:
- Anti-Bot
- Anti-Spam
- Anti-Virus
- IPS
- Threat Emulation
- Threat Extraction

Syntax
- To fetch the Threat Prevention policy from the Management Server:

  fw [-d] amw fetch -f [-i] [-n] [-r]

- To fetch the Threat Prevention policy from a peer Cluster Member, and, if it fails, then from the
  Management Server:

  fw [-d] amw fetch -f -c [-i] [-n] [-r]

- To fetch the Threat Prevention policy from the specified Check Point computer(s):

  fw [-d] amw fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]

- To fetch the Threat Prevention policy stored locally on the Security Gateway:

  fw [-d] amw fetch local [-nu]
  fw [-d] amw fetch localhost [-nu]

- To fetch the Threat Prevention policy stored locally on the Security Gateway in the specified
  directory:

  fw [-d] amw fetchlocal [-lu] -d <Full Path to Directory>

- To unload the current Threat Prevention policy:

  fw [-d] amw unload

Parameters

fw -d amw ...
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

fw amw fetch
    Fetches the Threat Prevention policy from the specified Check Point
    computer(s). These can be a Management Server, or a peer Cluster Member.

fw amw fetch local
fw amw fetch localhost
    Fetches the Threat Prevention policy that is stored locally on the
    Security Gateway in the $FWDIR/state/local/AMW/ directory.

fw amw fetchlocal
    Fetches the Threat Prevention policy that is stored locally on the
    Security Gateway in the specified directory.

fw amw unload
    Unloads the current Threat Prevention policy from the Security Gateway.
    Important - This significantly decreases the security on the Security
    Gateway. This is the same as if you disable the Threat Prevention
    Software Blades on the Security Gateway.

-c
    Specifies that you fetch the policy from a peer Cluster Member.
    Notes:
    - Must also use the "-f" parameter.
    - Works only in a cluster.

-f
    Specifies that you fetch the policy from a Management Server listed in the
    $FWDIR/conf/masters file.

-i
    On a Security Gateway with a dynamically assigned IP address (DAIP),
    specifies to ignore the SIC name and object name.

-lu
    Specifies to perform a late update - to load signatures just after the
    Security Gateway copies the policy files to the local directory
    $FWDIR/state/local/AMW/.

-n
    Specifies not to load the fetched policy, if it is the same as the policy
    already located on the Security Gateway.

-nu
    Specifies not to update the currently installed policy.

-r
    On a Cluster Member, specifies to ignore this option in the SmartConsole
    Install Policy window:
    "For gateway clusters, if installation on a cluster member fails, do not
    install on that cluster"
    Best Practice - Use this parameter if a peer Cluster Member is Down.

<Master 1> [<Master 2> ...]
    Specifies the Check Point computer(s), from which to fetch the Threat
    Prevention policy.
    You can fetch the Threat Prevention policy from the Management Server, or
    a peer Cluster Member.
    Notes:
    - If you fetch the Threat Prevention policy from the Management Server,
      you can enter one of these:
        - The main IP address of the Management Server object.
        - The object name of the Management Server.
        - The hostname that the Security Gateway resolves to the main IP
          address of the Management Server.
    - If you fetch the Threat Prevention policy from a peer Cluster Member,
      you can enter one of these:
        - The main IP address of the Cluster Member object.
        - The IP address of the Sync interface on the Cluster Member.
    - If the fetch from the first specified <Master> fails, the Security
      Gateway fetches the policy from the second specified <Master>, and so
      on. If the Security Gateway fails to connect to every specified
      <Master>, the Security Gateway fetches the policy from the localhost.
    - If you do not specify the <Masters> explicitly, the Security Gateway
      fetches the policy from the localhost.

-d <Full Path to Directory>
    Specifies the local directory on the Security Gateway, from which to
    fetch the Threat Prevention policy files.

Example

[Expert@MyGW:0]# fw amw fetch local
Installing Threat Prevention policy from local
Fetching Threat Prevention policy succeeded
[Expert@MyGW:0]#

CLI R80.40 Reference Guide      |      961


fw ctl

fw ctl
Description
Controls the Firewall kernel module.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Syntax

fw [-d] ctl
      arp <options>
      bench <options>
      block <options>
      chain
      conn
      conntab <options>
      cpasstat <options>
      debug <options>
      dlpkstat <options>
      get <options>
      iflist
      install
      kdebug <options>
      leak <options>
      pstat <options>
      set <options>
      tcpstrstat <options>
      uninstall

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

arp <options>
    Shows the configured Proxy ARP entries based on the
    $FWDIR/conf/local.arp file on the Security Gateway.
    See "fw ctl arp" on page 965.

bench <options>
    Runs the CPU benchmark tests that collect these statistics:
    - FireWall Lock Statistics
    - Outbound Packets Statistics
    - Inbound Packets Statistics
    See "fw ctl bench" on page 966.

block <options>
    Blocks all connections to, from, and through the Security Gateway.
    See "fw ctl block" on page 968.

chain
    Shows the list of Firewall Chain Modules.
    See "fw ctl chain" on page 969.

conn
    Shows the list of Firewall Connection Modules.
    See "fw ctl conn" on page 971.

conntab <options>
    Shows a formatted list of current connections from the Connections kernel
    table (ID 8158).
    See "fw ctl conntab" on page 973.

cpasstat <options>
    Generates a statistics report about Check Point Active Streaming (CPAS).
    See "fw ctl cpasstat" on page 977.

debug <options>
    Generates kernel debug messages from the Check Point Firewall kernel to a
    debug buffer.
    See "'fw ctl debug' and 'fw ctl kdebug'" on page 978.

dlpkstat <options>
    Generates a statistics report about the Data Loss Prevention kernel module.
    See "fw ctl dlpkstat" on page 979.

get <options>
    Shows the value of the specified kernel parameter.
    See "fw ctl get" on page 980.

iflist
    Shows the list with this information:
    - The names of the interfaces to which the Check Point Firewall kernel is
      attached.
    - The internal numbers of the interfaces in the Check Point Firewall
      kernel.
    See "fw ctl iflist" on page 982.

install
    Tells the operating system to start passing packets to the Firewall.
    See "fw ctl install" on page 983.

kdebug <options>
    Generates kernel debug messages from the Check Point Firewall kernel to a
    debug buffer.
    See "'fw ctl debug' and 'fw ctl kdebug'" on page 978.

leak <options>
    Generates a leak detection report.
    See "fw ctl leak" on page 984.

pstat <options>
    Shows various internal statistics of the Security Gateway.
    See "fw ctl pstat" on page 988.

set <options>
    Configures the specified value for the specified kernel parameter.
    See "fw ctl set" on page 991.

tcpstrstat <options>
    Generates a statistics report about TCP Streaming.
    See "fw ctl tcpstrstat" on page 993.

uninstall
    Tells the operating system to stop passing packets to the Firewall, and
    unloads the current Security Policy.
    See "fw ctl uninstall" on page 995.

fw ctl arp

Description
Shows the configured Proxy ARP entries based on the $FWDIR/conf/local.arp file on the Security
Gateway.
For more information about the Proxy ARP, see sk30197.

Syntax

fw [-d] ctl arp
      [-h]
      [-n]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-h
    Shows the built-in help.

-n
    Specifies not to resolve hostnames.

fw ctl bench

Description
The benchmark mechanism provides a way to measure the time spent in the code between two points.
This command runs the CPU benchmark tests that collect these statistics:
- FireWall Lock Statistics
- Outbound Packets Statistics
- Inbound Packets Statistics

Note - This command writes the output of these tests to dmesg (the kernel message buffer).

Syntax

fw [-d] ctl bench
      -h
      lock [ioctl [<Limit>]] [packet [<Limit>]] [stop]
      packet [{<Limit> | stop}]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to
    a file, or use the script command to save the entire CLI session.

-h
    Shows the built-in help.

lock [ioctl [<Limit>]] [packet [<Limit>]] [stop]
    Runs the lock benchmark that collects the FireWall Lock Statistics.
    Available options:
    - No parameters - Starts the lock benchmark.
    - ioctl - Calculates the IOCTL flow statistics.
    - packet - Calculates the packet flow statistics.
    - <Limit> - Specifies the time limit (in seconds) for the benchmark to
      run. Default is 10 seconds. Maximum is 200 seconds.
    - stop - Stops the current lock benchmark.

packet [{<Limit> | stop}]
    Runs the packet benchmark test that collects these statistics:
    - Outbound Packets Statistics
    - Inbound Packets Statistics
    Available options:
    - No parameters - Starts the packet benchmark.
    - <Limit> - Specifies the time limit (in seconds) for the benchmark to
      run. Default is 10 seconds. Maximum is 200 seconds.
    - stop - Stops the current packet benchmark.

fw ctl block

Description
Blocks all connections to, from, and through the Security Gateway.

Important - The "fw ctl block on" command immediately blocks all connections
without a prompt and regardless of the currently installed policy. To unblock the
connections, you must either reboot the Security Gateway, or connect to the Security
Gateway over a serial console (or Lights Out Management Card) and run the "fw ctl
block off" command.

Syntax

fw [-d] ctl block
      off
      on

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

off
    Removes the block of all connections.

on
    Blocks all connections.
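Added example (not from the Check Point guide): a wrapper around "fw ctl block on" that arms a locally scheduled "fw ctl block off" before the block is applied, so that a dropped management session does not leave the gateway cut off until someone reaches the console. It assumes the fw binary is on the PATH (override with FW_CMD) and that a background process on the gateway itself can still run "fw ctl block off" while connections are blocked; the command only talks to the local kernel and sends no packets, but try this on a lab gateway with console access before relying on it. The function names are my own.

```sh
#!/bin/sh
# Added example, not Check Point code: "fw ctl block on" with a dead-man timer.
# Assumptions (not in the guide): FW_CMD names the fw binary (default "fw"),
# and a local background process can run "fw ctl block off" while the block
# is active.

FW_CMD="${FW_CMD:-fw}"

# Start a detached timer that lifts the block after $1 seconds.
# Prints the timer's PID so the caller can cancel it.
schedule_unblock() {
    (
        sleep "$1"
        "$FW_CMD" ctl block off
    ) >/dev/null 2>&1 &
    echo $!
}

# Block all connections for at most $1 seconds (default 300).
# The timer is armed before the block is applied, so there is no moment in
# which the block is active without a pending unblock. Prints the timer PID.
block_with_deadman() {
    secs="${1:-300}"
    timer=$(schedule_unblock "$secs") || return 1
    "$FW_CMD" ctl block on
    echo "$timer"
}

# Keep the block in place: cancel the timer once you have confirmed that you
# still have console (or LOM) access. The orphaned sleep may linger until it
# expires; nothing runs after it once its parent shell is gone.
cancel_unblock() {
    kill "$1" 2>/dev/null
}
```

Typical use: t=$(block_with_deadman 300), confirm console or LOM access, then either cancel_unblock "$t" to keep the block or let the timer lift it. The reboot-or-console recovery described above still applies if the timer process itself is killed.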

fw ctl chain

Description
Shows the list of Firewall Chain Modules.
This list shows various inspection Chain Modules, through which the traffic passes on this Security
Gateway.
The available Chain Modules depend on the configuration and enabled Software Blades.

Important - In Cluster, outputs of this command must be the same on all the Cluster Members.

Syntax

fw [-d] ctl chain

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl chain
in chain (23):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -7d000000 (ffffffff8a96ee80) (00000003) vpn multik forward in
4: - 2000000 (ffffffff8a97d830) (00000003) vpn decrypt (vpn)
5: - 1fffffa (ffffffff8a9533a0) (00000001) l2tp inbound (l2tp)
6: - 1fffff8 (ffffffff8b67f0e0) (00000001) Stateless verifications (in) (asm)
7: - 1fffff7 (ffffffff8b67ec00) (00000001) fw multik misc proto forwarding
8: - 1fffff2 (ffffffff8a982aa0) (00000003) vpn tagging inbound (tagging)
9: - 1fffff0 (ffffffff8a983460) (00000003) vpn decrypt verify (vpn_ver)
10: 0 (ffffffff8b85a950) (00000001) fw VM inbound (fw)
11: 1 (ffffffff8a97ed70) (00000003) vpn policy inbound (vpn_pol)
12: 2 (ffffffff8b681700) (00000001) fw SCV inbound (scv)
13: 3 (ffffffff8a982130) (00000003) vpn before offload (vpn_in)
14: 4 (ffffffff8b0fa5c0) (00000003) QoS inbound offload chain module
15: 5 (ffffffff8b574730) (00000003) fw offload inbound (offload_in)
16: 10 (ffffffff8b84c9c0) (00000001) fw post VM inbound (post_vm)
17: 100000 (ffffffff8b807970) (00000001) fw accounting inbound (acct)
18: 22000000 (ffffffff8b0fbfc0) (00000003) QoS slowpath inbound chain mod (fg_sched)
19: 7f730000 (ffffffff8b3d3aa0) (00000001) passive streaming (in) (pass_str)
20: 7f750000 (ffffffff8b17dff0) (00000001) TCP streaming (in) (cpas)
21: 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (in) (ipopt_res)
22: 7fb00000 (ffffffff8a9fe8a0) (00000001) Cluster Late Correction (ha_for)
out chain (19):
0: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (ffffffff8a96ee60) (00000003) vpn multik forward out
2: - 1ffffff (ffffffff8a97fb70) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (ffffffff8b168640) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (ffffffff8b3d3aa0) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (ffffffff8a982aa0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (ffffffff8b67f0e0) (00000001) Stateless verifications (out) (asm)
7: 0 (ffffffff8b85a950) (00000001) fw VM outbound (fw)
8: 10 (ffffffff8b84c9c0) (00000001) fw post VM outbound (post_vm)
9: 2000000 (ffffffff8a982900) (00000003) vpn policy outbound (vpn_pol)
10: 15000000 (ffffffff8b0fac30) (00000003) QoS outbound offload chain modul (fg_pol)
11: 1ffffff0 (ffffffff8a951790) (00000001) l2tp outbound (l2tp)
12: 20000000 (ffffffff8a978280) (00000003) vpn encrypt (vpn)
13: 21000000 (ffffffff8b0fbfc0) (00000003) QoS slowpath outbound chain mod (fg_sched)
14: 7f000000 (ffffffff8b807970) (00000001) fw accounting outbound (acct)
15: 7f700000 (ffffffff8b17cb10) (00000001) TCP streaming post VM (cpas)
16: 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (out) (ipopt_res)
17: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
18: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#

fw ctl conn

Description
Shows the list of Firewall Connection Modules.
This list shows various inspection Connection Modules, through which the traffic passes on this Security
Gateway.
The available Connection Modules depend on the configuration and enabled Software Blades.

Important - In Cluster, outputs of this command must be the same on all the Cluster Members.

Syntax

fw [-d] ctl conn

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl conn
Registered connections modules:
No. Name Newconn Packet End Reload Dup Type Dup Handler
Connectivity level 0:
1: Accounting 1: Accounting 0000000000000000 0000000000000000 FFFFFFFF8B8395A0 0000000000000000 Special FFFFFFFF8B831720
2: Authentication 2: Authentication FFFFFFFF8B3150A0 0000000000000000 0000000000000000 0000000000000000 Special FFFFFFFF8B34FCC0
8: NAT 8: NAT 0000000000000000 0000000000000000 FFFFFFFF8B6D1AF0 0000000000000000 Special FFFFFFFF8B6B8410
9: RTM 9: RTM 0000000000000000 0000000000000000 0000000000000000 0000000000000000 None
10: RTM2 10: RTM2 0000000000000000 0000000000000000 FFFFFFFF8B014970 0000000000000000 None
11: SPII 11: SPII FFFFFFFF8B412060 0000000000000000 FFFFFFFF8B41AF40 FFFFFFFF8B4016A0 None
13: VPN 13: VPN FFFFFFFF8A965440 0000000000000000 FFFFFFFF8AA4CC40 0000000000000000 Special FFFFFFFF8AA60490
Connectivity level 1:
13: VPN 13: VPN 0000000000000000 0000000000000000 0000000000000000 0000000000000000 None
[Expert@MyGW:0]#
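Added example (not from the Check Point guide) for the cluster check in the Important notes under "fw ctl chain" and "fw ctl conn": both listings contain kernel addresses (the 16-hex-digit values) that can differ from member to member, so a raw diff between members is noisy. This script masks those addresses and compares only chain position, flags and module name, which is what has to agree. The two member outputs are constructed from the "fw ctl chain" example above with the addresses altered on the second member; the function names are my own.

```sh
#!/bin/sh
# Added example, not Check Point code: compare "fw ctl chain" / "fw ctl conn"
# listings between Cluster Members while ignoring kernel addresses.
# Assumption (not in the guide): addresses are the only fields expected to
# differ between healthy members; module order, flags and names must match.

# Constructed sample: first member (three lines from the example above).
member_a() {
    cat <<'EOF'
in chain (3):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
2: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
10: 0 (ffffffff8b85a950) (00000001) fw VM inbound (fw)
EOF
}

# Constructed sample: second member, same modules, different addresses.
member_b() {
    cat <<'EOF'
in chain (3):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
2: -7f800000 (ffffffff9a1102b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
10: 0 (ffffffff9a2fa950) (00000001) fw VM inbound (fw)
EOF
}

# Constructed sample: a member with one module missing (a real mismatch).
member_c() { member_a | grep -v ipopt_strip; }

# Replace every 16-hex-digit token (with or without parentheses) by ADDR and
# squeeze whitespace, so only position, flags and module names remain.
# Works for the lowercase "(ffff...)" of fw ctl chain and the uppercase
# "FFFF..." columns of fw ctl conn.
normalize_modules() {
    awk '{
        $1 = $1
        for (i = 1; i <= NF; i++) {
            t = $i; gsub(/[()]/, "", t)
            if (length(t) == 16 && t ~ /^[0-9A-Fa-f]+$/) $i = "(ADDR)"
        }
        print
    }'
}

# Exit 0 if the two saved listings (files) agree apart from addresses.
modules_match() {
    a=$(normalize_modules < "$1")
    b=$(normalize_modules < "$2")
    [ "$a" = "$b" ]
}

# Show only the modules that differ between two saved listings.
modules_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_modules < "$1" > "$a"
    normalize_modules < "$2" > "$b"
    diff "$a" "$b"; rc=$?
    rm -f "$a" "$b"
    return $rc
}
```

In practice, save "fw ctl chain" (and "fw ctl conn") output to a file on each member, copy the files to one host, and run modules_diff on each pair; a module present on one member only points at a Software Blade or kernel parameter that differs between the members.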

fw ctl conntab

Description
Shows a formatted list of current connections from the Connections kernel table (ID 8158).
Use this command if you want to see the simplified information about the current connections.

Best Practices:
- Use the "fw ctl conntab" command to see the simplified information about
  the current connections.
- Use the "fw tab -t connections -f" command ("fw tab" on page 1093) to see
  the detailed (and more technical) information about the current
  connections.

Syntax

Important - You can specify several parameters at the same time.

fw [-d] ctl conntab
      {-h | -help}
      -sip=<Source IP Address in Decimal Format>
      -sport=<Port Number in Decimal Format>
      -dip=<Destination IP Address in Decimal Format>
      -dport=<Port Number in Decimal Format>
      -proto=<Protocol Name>
      -service=<Name of Service>
      -rule=<Rule Number in Decimal Format>

Parameters

{-h | -help}
    Shows the built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-sip=<Source IP Address in Decimal Format>
    Filters the output by the specified Source IP address.

-sport=<Port Number in Decimal Format>
    Filters the output by the specified Source Port number.
    See IANA Service Name and Port Number Registry.

-dip=<Destination IP Address in Decimal Format>
    Filters the output by the specified Destination IP address.

-dport=<Port Number in Decimal Format>
    Filters the output by the specified Destination Port number.
    See IANA Service Name and Port Number Registry.

-proto=<Protocol Name>
    Filters the output by the specified Protocol name.
    For example:
    - TCP
    - UDP
    - ICMP
    See IANA Protocol Numbers.

-service=<Name of Service>
    Filters the output by the specified Service name.
    See the names of Services in SmartConsole, or in the output of this
    command.

-rule=<Rule Number in Decimal Format>
    Filters the output by the specified Rule number.
    See your Rule Base in SmartConsole, or in the output of this command.

Examples

Example 1 - Default output

[Expert@MyGW:0]# fw ctl conntab
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3593/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,59249], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,37892], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 2 - Filter by a destination port

[Expert@MyGW:0]# fw ctl conntab -dport=22
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3594/3600, rule=2, tcp state=TCP_ESTABL ISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 3 - Filter by a destination port

[Expert@MyGW:0]# fw ctl conntab -dport=53
<(outbound, src=[192.168.204.40,33585], dest=[192.168.204.1,53], UDP); 39/40, rule=0, service=domain-udp(335), Ifnsout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,56661], dest=[192.168.204.1,53], UDP); 39/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 4 - Filter by a source port

[Expert@MyGW:0]# fw ctl conntab -sport=54201
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3600/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 5 - Filter by a protocol

[Expert@MyGW:0]# fw ctl conntab -proto=UDP
<(outbound, src=[192.168.204.40,44966], dest=[192.168.204.1,53], UDP); 37/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 6 - Filter by a protocol

[Expert@MyGW:0]# fw ctl conntab -proto=TCP
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3596/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 7 - Filter by a service

[Expert@MyGW:0]# fw ctl conntab -service=domain-udp
<(outbound, src=[192.168.204.40,44966], dest=[192.168.204.1,53], UDP); 35/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 8 - Filter by a rule number

[Expert@MyGW:0]# fw ctl conntab -rule=2
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3597/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 9 - Filter by a destination IP address, destination port, protocol, and service

[Expert@MyGW:0]# fw ctl conntab -dip=192.168.204.40 -dport=22 -proto=TCP -service=ssh
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3599/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 10 - Formatted detailed output from the Connections table (for comparison)

[Expert@MyGW:0]# fw tab -t connections -f
Formatting table's data - this might take a while...

localhost:
Date: Sep 10, 2018
11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 54201; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: -1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 54201; Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 54201; Dest_1: 192.168.204.1; DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 54201; Protocol: tcp; CPTFMT_sep_1: ->; Direction_2: 0; Source_2: 192.168.204.1; SPort_2: 54201; Dest_2: 192.168.204.40; DPort_2: 22; Protocol_2: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 54201; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires: 3596/3600; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1;
ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 44966;
Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 44966; Dest_1: 192.168.204.1; DPort_1:
53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily:
Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;
: -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 44966; Dest: 192.168.204.1; DPort: 53;
Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout:
1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1;
ProductFamily: Network;

[Expert@MyGW:0]#

fw ctl cpasstat

Description
Generates statistics report about Check Point Active Streaming (CPAS).

Syntax

fw [-d] ctl cpasstat [-r]

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-r          Resets the counters.

'fw ctl debug' and 'fw ctl kdebug'

Description
These commands generate kernel debug messages from Check Point Firewall kernel to a debug buffer.
For more information, see the R80.40 Next Generation Security Gateway Guide - Chapter Kernel Debug
on Security Gateway.

fw ctl dlpkstat

Description
Generates statistics report about Data Loss Prevention, inspected HTTP requests, and Identity Awareness
Captive Portal.
This report contains these statistics:

Category                                      Information

DLP Kernel Statistics Information             Emails and HTTP requests
User Mode Responses Statistics                Emails and HTTP requests
Identity Awareness - Captive Portal           HTTP requests redirected to the Captive Portal
Identity Awareness - Fetch Users Statistics   Synchronous and asynchronous Identity Awareness queries

Best Practice - This report is very useful when you:
- Debug problems with the HTTP protocol that occur under traffic stress.
- Examine the traffic shape (for example, to know how many HTTP "POST" and HTTP "GET" requests pass through the Security Gateway).

Syntax

fw [-d] ctl dlpkstat [-r]

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-r          Resets the counters.

fw ctl get

Description
Shows the current value of the specified kernel parameter.

Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- On a VSX Gateway, the configured values of kernel parameters apply to all existing Virtual Systems and Virtual Routers.

Notes:
- Kernel parameters let you change the advanced behavior of your Security Gateway.
- There are two types of kernel parameters - integer and string.
- The Security Gateway gets the names and the default values of the kernel parameters from these kernel module files:
  - $FWDIR/boot/modules/fw_kern_64.o
  - $FWDIR/boot/modules/fw_kern_64_v6.o
  - $FWDIR/boot/modules/fw_kern_64_3_10_64.o
  - $FWDIR/boot/modules/fw_kern_64_3_10_64_v6.o
  - $PPKDIR/boot/modules/sim_kern_64.o
  - $PPKDIR/boot/modules/sim_kern_64_v6.o
  - $PPKDIR/boot/modules/sim_kern_64_3_10_64.o
  - $PPKDIR/boot/modules/sim_kern_64_3_10_64_v6.o
- Refer to the related command "fw ctl set" on page 991.
- Refer to the related article sk33156: Creating a file with all the kernel parameters and their values.

Syntax

fw [-d] ctl get
      int <Name of Integer Kernel Parameter> [-a]
      str <Name of String Kernel Parameter> [-a]


Parameters

Parameter                             Description

-d                                    Runs the command in debug mode.
                                      Use only if you troubleshoot the command itself.
                                      Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<Name of Integer Kernel Parameter>    Specifies the name of the integer kernel parameter.

<Name of String Kernel Parameter>     Specifies the name of the string kernel parameter.

-a                                    Specifies to search for this kernel parameter in this order:
                                      1. In $FWDIR/modules/fw_*.o
                                      2. In $PPKDIR/modules/sim_*.o

Example for an integer kernel parameter

[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit -a
FW:
fw_kdprintf_limit = 100
PPAK 0: fw_kdprintf_limit = 10
[Expert@MyGW:0]#

Example for a string kernel parameter

[Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset -a
FW:
fileapp_default_encoding_charset = 'UTF-8'
PPAK 0: Get failed.
[Expert@MyGW:0]#

fw ctl iflist

Description
Shows a list with this information:
- The names of the interfaces to which the Check Point Firewall kernel is attached.
- The internal numbers of the interfaces in the Check Point Firewall kernel.

Notes:
- This list shows all detected interfaces, even if no IP addresses are assigned to them.
- Use this list when you analyze a kernel debug, which shows only the internal numbers of the interfaces (for example, ifn=2).
- Related "cpstat" on page 912 commands:
  - cpstat -f ifconfig os
  - cpstat -f interfaces fw

Syntax

fw [-d] ctl iflist

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl iflist


fw ctl iflist
1 : eth0
2 : eth1
3 : eth2
4 : eth3
5 : eth4
6 : eth5
7 : eth6
8 : eth7
[Expert@MyGW:0]#

fw ctl install

Description
Tells the operating system to start passing packets to Firewall.
This command runs automatically when the Security Gateway or an administrator runs the "cpstart" on
page 911 command.

Warning

If you run the "fw ctl uninstall" on page 995 command and then the "fw ctl install" command, it
does not restore the Security Policy.
You must run one of these commands: "fw fetch" on page 998, or "cpstart" on page 911.

Syntax

fw [-d] ctl install

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

fw ctl leak

Description
Generates leak detection report. This report is for Check Point use only.

Important - This command saves the report into the active /var/log/messages file and the dmesg buffer.

Syntax

fw [-d] ctl leak
      {-h | -help}
      [{-a | -A}] [-t <Internal Object Type>] [-o <Internal Object ID>]
      [-d] [-l] [-p]
      [-s]

Parameters

Parameter                   Description

fw -d ctl leak ...          Runs the command in debug mode.
                            Use only if you troubleshoot the command itself.
                            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}                Shows the built-in help.

-a                          Specifies to perform leak detection for potential leaks.
                            This parameter is mutually exclusive with the parameter "-A".

-A                          Specifies to perform leak detection for all leaks.
                            This parameter is mutually exclusive with the parameter "-a".

-d                          Dumps object data.
                            This parameter is mutually exclusive with the parameter "-s".

-l                          Prints the action log.
                            This parameter is mutually exclusive with the parameter "-s".

-o <Internal Object ID>     Specifies to perform leak detection for the specified internal object ID.

-p                          Purges the internal objects from the lists.
                            This parameter is mutually exclusive with the parameter "-s".

-s                          Shows summary only.
                            This parameter is mutually exclusive with the parameters "-d", "-l", and "-p".

-t <Internal Object Type>   Specifies the internal object types, for which to perform leak detection.
                            Available internal object types are:
                            - chain
                            - connh
                            - cookie
                            - kbuf
                            - num
                            If you do not specify the internal object type explicitly, the command performs leak detection for all internal object types.

Procedure

Step   Description

1      Connect to the command line on the Security Gateway.

2      Log in to the Expert mode.

3      Back up the current /var/log/messages file:
       [Expert@GW_HostName:0]# cp -v /var/log/messages{,_BKP}

4      Delete the information from the current /var/log/messages file:
       [Expert@GW_HostName:0]# echo '' > /var/log/messages

5      Delete the information from the current dmesg buffer:
       [Expert@GW_HostName:0]# dmesg -c

6      Generate the leak detection report (see the Syntax section above):
       [Expert@GW_HostName:0]# fw [-d] ctl leak <options>

7      Make sure the command generated the leak detection report:
       [Expert@GW_HostName:0]# dmesg
       [Expert@GW_HostName:0]# cat /var/log/messages

8      Collect the leak detection report:
       [Expert@GW_HostName:0]# cp -v /var/log/messages{,_LEAK_DETECTION}

9      Analyze the leak detection report:
       /var/log/messages_LEAK_DETECTION


Example

[Expert@MyGW:0]# cp -v /var/log/messages{,_BKP}
`/var/log/messages' -> `/var/log/messages_BKP'
[Expert@MyGW:0]#
[Expert@MyGW:0]# echo '' > /var/log/messages
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg -c
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl leak -s
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg
[fw4_0];fwleak_report: type chain - 0 objects
[fw4_0];fwleak_report: type cookie - 0 objects
[fw4_0];fwleak_report: type kbuf - 0 objects
[fw4_0];fwleak_report: type connh - 0 objects
[fw4_1];fwleak_report: type chain - 0 objects
[fw4_1];fwleak_report: type cookie - 0 objects
[fw4_1];fwleak_report: type kbuf - 0 objects
[fw4_1];fwleak_report: type connh - 0 objects
[fw4_2];fwleak_report: type chain - 0 objects
[fw4_2];fwleak_report: type cookie - 0 objects
[fw4_2];fwleak_report: type kbuf - 0 objects
[fw4_2];fwleak_report: type connh - 0 objects
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /var/log/messages
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type connh - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type connh - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type connh - 0 objects
[Expert@MyGW:0]#
[Expert@MyGW:0]# cp -v /var/log/messages{,_LEAK_DETECTION}
`/var/log/messages' -> `/var/log/messages_LEAK_DETECTION'
[Expert@MyGW:0]#
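Steps 3 to 9 of the procedure above as one script, added here as an example and not taken from the Check Point guide: it parses the fwleak_report lines (one per CoreXL Firewall instance and object type, in the format shown in the output above) and fails when any count is above zero. The function names and the constructed sample lines are this example's own.

```shell
#!/bin/bash
# Added example, not code from the Check Point guide. Automates the
# fw ctl leak procedure and checks the report it leaves in
# /var/log/messages. Assumes the report lines look exactly like the
# guide's example:
#   <date> <host> kernel: [fw4_N];fwleak_report: type <type> - <count> objects

# Print "instance type count" for every report line whose object count is
# above zero. Returns 0 when nothing leaked, 1 when at least one line did.
analyze_leak_report() {
    report_file="$1"
    leaks=$(awk '
        /fwleak_report: type/ {
            inst = $0; sub(/.*\[/, "", inst); sub(/\].*/, "", inst)      # fw4_N
            otype = $0; sub(/.*fwleak_report: type /, "", otype); sub(/ .*/, "", otype)
            count = $0; sub(/.* - /, "", count); sub(/ objects.*/, "", count)
            if (count + 0 > 0) print inst, otype, count
        }' "$report_file")
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Total objects reported for one type (chain, connh, cookie, kbuf, num)
# across all CoreXL Firewall instances.
leak_total_for_type() {
    report_file="$1"
    wanted="$2"
    awk -v t="$wanted" '
        /fwleak_report: type/ {
            otype = $0; sub(/.*fwleak_report: type /, "", otype); sub(/ .*/, "", otype)
            count = $0; sub(/.* - /, "", count); sub(/ objects.*/, "", count)
            if (otype == t) total += count
        }
        END { print total + 0 }' "$report_file"
}

# The guide's steps 3 to 8, for use on a Security Gateway in Expert mode.
# Not called below: it needs root and the fw command. Any fw ctl leak
# options (for example -s, or -t kbuf) are passed through.
run_leak_detection() {
    cp -v /var/log/messages /var/log/messages_BKP
    echo '' > /var/log/messages
    dmesg -c
    fw ctl leak "$@"
    cp -v /var/log/messages /var/log/messages_LEAK_DETECTION
    analyze_leak_report /var/log/messages_LEAK_DETECTION
}

# Demo on a constructed report (sample lines, not real gateway output).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type kbuf - 3 objects
EOF
analyze_leak_report "$demo_file" || echo "leak detected (see lines above)"
echo "kbuf objects across instances: $(leak_total_for_type "$demo_file" kbuf)"
rm -f "$demo_file"
```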

fw ctl pstat

Description
Shows various internal statistics of the Security Gateway:
- System Capacity Summary
- Hash kernel memory (hmem) statistics
- System kernel memory (smem) statistics
- Kernel memory (kmem) statistics
- Cookies
- Connections
- Fragments
- NAT
- Handles

Syntax

Important - You can specify many parameters at the same time.

fw [-d] ctl pstat [-c] [-h] [-k] [-l] [-m] [-o] [-s] [-v {4 | 6}]

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-c          Shows detailed CoreXL Dispatcher statistics:
            - fwmultik_global_stats splits for each CoreXL Firewall instance.
            - fwmultik_gconn_stats for each CPU.
            - fwmultik_stats for each CPU.

-h          Shows additional Hash kernel memory (hmem) statistics.

-k          Shows additional Kernel memory (kmem) statistics.

-l          Shows Handles statistics.

-m          Shows general CoreXL Dispatcher statistics.

-o          Shows additional Cookies statistics.

-s          Shows additional System kernel memory (smem) statistics.

-v 4        Shows statistics for IPv4 (-v 4) traffic only, or for IPv6 (-v 6) traffic only.
-v 6        Default is to show statistics for both IPv4 and IPv6 traffic.


Examples

Example 1 - fw ctl pstat


[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:


Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:


Total memory allocated: 742391808 bytes in 181248 (4096 bytes) blocks using 1 pool
Total memory bytes used: 0 unused: 742391808 (100.00%) peak: 68247020
Total memory blocks used: 0 unused: 181248 (100%) peak: 17227
Allocations: 2193027 alloc, 0 failed alloc, 2154121 free

System kernel memory (smem) statistics:


Total memory bytes used: 913975068 peak: 1165010872
Total memory bytes wasted: 7883999
Blocking memory bytes used: 4896272 peak: 6916084
Non-Blocking memory bytes used: 909078796 peak: 1158094788
Allocations: 13217 alloc, 0 failed alloc, 10027 free, 0 failed free
vmalloc bytes used: 908585924 expensive: no

Kernel memory (kmem) statistics:


Total memory bytes used: 185761552 peak: 486615148
Allocations: 2204456 alloc, 0 failed alloc
2162587 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]#

fw ctl set

Description
Configures the specified value for the specified kernel parameter.

Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- On a VSX Gateway, the configured values of kernel parameters apply to all existing Virtual Systems and Virtual Routers.
- The configuration made with this command does not survive a reboot.
  To make this configuration permanent, you must edit one of the applicable configuration files:
  - $FWDIR/boot/modules/fwkern.conf
  - $FWDIR/boot/modules/vpnkern.conf
  - $PPKDIR/conf/simkern.conf
  For more information, see sk26202.

Notes:
- Kernel parameters let you change the advanced behavior of your Security Gateway.
- There are two types of kernel parameters - integer and string.
- The Security Gateway gets the names and the default values of the kernel parameters from these kernel module files:
  - $FWDIR/boot/modules/fw_kern_64.o
  - $FWDIR/boot/modules/fw_kern_64_v6.o
  - $FWDIR/boot/modules/fw_kern_64_3_10_64.o
  - $FWDIR/boot/modules/fw_kern_64_3_10_64_v6.o
  - $PPKDIR/boot/modules/sim_kern_64.o
  - $PPKDIR/boot/modules/sim_kern_64_v6.o
  - $PPKDIR/boot/modules/sim_kern_64_3_10_64.o
  - $PPKDIR/boot/modules/sim_kern_64_3_10_64_v6.o
- Refer to the related command "fw ctl get" on page 980.
- Refer to the related article sk33156: Creating a file with all the kernel parameters and their values.


Syntax

fw [-d] ctl set
      int <Name of Integer Kernel Parameter> <Integer Value>
      str <Name of String Kernel Parameter> '<String Value>'

Parameters

Parameter                             Description

-d                                    Runs the command in debug mode.
                                      Use only if you troubleshoot the command itself.
                                      Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<Name of Integer Kernel Parameter>    Specifies the name of the integer kernel parameter.

<Integer Value>                       Specifies the integer value for the integer kernel parameter.

<Name of String Kernel Parameter>     Specifies the name of the string kernel parameter.

'<String Value>'                      Specifies the string value for the string kernel parameter.

Example for an integer kernel parameter

[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 100
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set int fw_kdprintf_limit 50
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 50
[Expert@MyGW:0]#

Example for a string kernel parameter

[Expert@MyGW:0]# fw ctl set str icap_unwrap_append_header_str '__print__'
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str
icap_unwrap_append_header_str = '__print__'
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set str icap_unwrap_append_header_str ''
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str
icap_unwrap_append_header_str = ''
[Expert@MyGW:0]#
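A wrapper for the runtime-plus-persistent workflow the Important note above describes, added here as an example and not Check Point code: it applies the value with fw ctl set, records it in $FWDIR/boot/modules/fwkern.conf so the setting survives a reboot, and confirms it by parsing the "<name> = <value>" output of fw ctl get. The one-"name=value"-per-line layout of fwkern.conf and all function names are assumptions of this example, not statements from this page.

```shell
#!/bin/bash
# Added example, not code from the Check Point guide. Assumption: the
# persistent file ($FWDIR/boot/modules/fwkern.conf) holds one "name=value"
# line per kernel parameter, the layout described in sk26202.

# True when $1 is an optionally negative decimal integer.
is_integer() {
    case "${1#-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Extract one parameter's value from "fw ctl get int|str <name>" output,
# which the guide shows as "<name> = <value>". Reads stdin. The anchor on
# line start skips the "PPAK 0: <name> = ..." line printed with -a.
value_from_get_output() {
    name="$1"
    sed -n "s/^${name} = //p" | head -n 1
}

# Idempotently write name=value into a fwkern.conf-style file: replace an
# existing line for the same name, otherwise append. Rejects a name that
# is not a plain identifier, so a stray space or '=' cannot corrupt the
# file the gateway reads at boot.
persist_kernel_param() {
    name="$1"; value="$2"; conf="$3"
    case "$name" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    touch "$conf"
    tmp=$(mktemp)
    # Keep every line except the old setting for this name, then add the new one.
    grep -v "^${name}=" "$conf" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Apply an integer parameter at runtime (until reboot only, as the guide
# warns), persist it, and confirm the kernel reports the new value.
# Needs the fw command and Expert mode, so it is defined here but not run.
set_int_param_persistent() {
    name="$1"; value="$2"
    is_integer "$value" || { echo "integer value required" >&2; return 1; }
    conf="${FWDIR:?FWDIR is not set}/boot/modules/fwkern.conf"
    fw ctl set int "$name" "$value"
    persist_kernel_param "$name" "$value" "$conf"
    current=$(fw ctl get int "$name" | value_from_get_output "$name")
    [ "$current" = "$value" ]
}

# Demo of the file handling on a constructed conf file (not a real gateway).
demo_conf=$(mktemp)
persist_kernel_param fw_kdprintf_limit 50 "$demo_conf"
persist_kernel_param fw_kdprintf_limit 25 "$demo_conf"   # replaces, does not append
cat "$demo_conf"                                         # prints: fw_kdprintf_limit=25
rm -f "$demo_conf"
```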

fw ctl tcpstrstat

Description
Generates statistics report about TCP Streaming.

Syntax

fw [-d] ctl tcpstrstat
      [-p]
      [-r]

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p          Shows verbose statistics.

-r          Resets the counters.


Example 1 - Default output

[Expert@MyGW:0]# fw ctl tcpstrstat

General Counters:
=================
Connections:
Concurrent num of connections ............. 0
Concurrent num of si connections .......... 0
Packets:
Total num of packets ...................... 2567
Total packets in bytes .................... 202394
Concurrent num of async packets ........... 0
Memory:
Allocated memory in bytes ................. 0
Referenced skbuffs num .................... 0
Referenced skbuffs size in bytes .......... 0
External packet references................. 0
Allocated memory per connection ........... 0
Rejected packets/connections:
Total num of rejected packets ............. 0
Dropped packets/connections:
Total num of dropped packets .............. 0
Stripped/Truncated packets:
Total num of stripped packets ............. 0
Total num of truncated packets ............ 0
Paused packets:
Total num of c2s|s2c paused packets ....... 0 | 0
Concurrent num of UDP held packets ........ 0

Applications Counters:
======================
Application Name: ASPII_MT
Connections:
Total num of connections .................. 954
Concurrent num of connections ............. 0
Total num of c2s|s2c connections .......... 954 | 954
Concurrent num of c2s|s2c connections ..... 0 | 0
Packets:
Total num of c2s|s2c data packets ......... 2567 | 0
Total c2s|s2c data packets in bytes ....... 130518 | 0

FastForward Counters:
=====================
FF connection:
Total num of c2s|s2c FFconns .............. 0 | 0
Total num of c2s|s2c saved packets ........ 0 | 0
Total num of c2s|s2c bytes requests ....... 0 | 0
Total num of c2s|s2c saved bytes .......... 0 | 0

[Expert@MyGW:0]#

fw ctl uninstall

Description
1. Tells the operating system to stop passing packets to Firewall.
2. Unloads the current Security Policy.
3. Unloads the current Firewall Chain Modules (see "fw ctl chain" on page 969).
4. Unloads the current Firewall Connection Modules except for RTM (see "fw ctl conn" on page 971).

Warnings

1. If you run the "fw ctl uninstall" command, the networks behind the Security Gateway
become unprotected.
2. If you run the "fw ctl uninstall" command and then the "fw ctl install" on page 983
command, it does not restore the Security Policy.
You must run one of these commands: "fw fetch" on page 998, or "cpstart" on page 911.

Syntax

fw [-d] ctl uninstall

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

fw defaultgen
Description
Manually generates the Default Filter policy files.
Refer to these related commands:
- "comp_init_policy" on page 871
- "control_bootsec" on page 874
- "fwboot default" on page 1125
- "fwboot bootconf" on page 1111

Syntax

fw [-d] defaultgen

Parameters

Parameter    Description

-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

defaultgen   Generates the Default Filter policy files:
             - For IPv4 traffic: $FWDIR/state/default.bin
             - For IPv6 traffic: $FWDIR/state/default.bin6
             If the Default Filter policy file already exists, the command creates a backup copy ($FWDIR/state/default.bin.bak and $FWDIR/state/default.bin6.bak).


Example

[Expert@MyGW:0]# fw defaultgen
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
hostaddr(MyGW) failed
Backing up default.bin6 as default.bin6.bak
[Expert@MyGW:0]#

fw fetch
Description
Fetches the Security Policy from the specified host and installs it to the kernel.

Syntax
- To fetch the policy from the Management Server:

  fw [-d] fetch -f [-i] [-n] [-r]

- To fetch the policy from a peer Cluster Member, and, if it fails, then from the Management Server:

  fw [-d] fetch -f -c [-i] [-n] [-r]

- To fetch the policy from the specified Check Point computer(s):

  fw [-d] fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]

- To fetch the policy stored locally on the Security Gateway:

  fw [-d] fetch local [-nu]
  fw [-d] fetch localhost [-nu]

- To fetch the policy stored locally on the Security Gateway in the specified directory:

  fw [-d] fetchlocal -d <Full Path to Directory>

Parameters

Parameter                      Description

fw -d fetch...                 Runs the command in debug mode.
                               Use only if you troubleshoot the command itself.
                               Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-c                             Specifies that you fetch the policy from a peer Cluster Member.
                               Notes:
                               - You must also use the "-f" parameter.
                               - Works only in a cluster.

-f                             Specifies that you fetch the policy from a Management Server listed in the $FWDIR/conf/masters file.

-i                             On a Security Gateway with a dynamically assigned IP address (DAIP), specifies to ignore the SIC name and object name.

-n                             Specifies not to load the fetched policy, if it is the same as the policy already located on the Security Gateway.

-nu                            Specifies not to update the currently installed policy.

-r                             On a Cluster Member, specifies to ignore this option in the SmartConsole Install Policy window:
                               For gateway clusters, if installation on a cluster member fails, do not install on that cluster
                               Best Practice - Use this parameter if a peer Cluster Member is Down.

<Master 1> [<Master 2> ...]    Specifies the Check Point computer(s), from which to fetch the policy.
                               You can fetch the policy from the Management Server, or a peer Cluster Member.
                               Notes:
                               - If you fetch the policy from the Management Server, you can enter one of these:
                                 - The main IP address of the Management Server object.
                                 - The object name of the Management Server.
                                 - The hostname that the Security Gateway resolves to the main IP address of the Management Server.
                               - If you fetch the policy from a peer Cluster Member, you can enter one of these:
                                 - The main IP address of the Cluster Member object.
                                 - The IP address of the Sync interface on the Cluster Member.
                               - If the fetch from the first specified <Master> fails, the Security Gateway fetches the policy from the second specified <Master>, and so on. If the Security Gateway fails to connect to every specified <Master>, the Security Gateway fetches the policy from the localhost.
                               - If you do not specify a <Master> explicitly, the Security Gateway fetches the policy from the localhost.

-d <Full Path to Directory>    Specifies the local directory on the Security Gateway, from which to fetch the policy files.

fw fetchlogs
Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ... [-f <Name of Log File N>] <Target>

Parameters

Parameter                 Description

-d                        Runs the command in debug mode.
                          Use only if you troubleshoot the command itself.
                          Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File N>   Specifies the name of the log file to fetch. You need to specify the name only.
                          Notes:
                          - If you do not specify the log file name explicitly, the command transfers all Security log files ($FWDIR/log/*.log*) and all Audit log files ($FWDIR/log/*.adtlog*).
                          - The specified log file name can include the wildcards * and ? (for example, 2017-0?-*.log). If you enter a wildcard, you must enclose it in double quotes or single quotes.
                          - You can specify multiple log files in one command. You must use the -f parameter for each log file name pattern.
                          - This command also transfers the applicable log pointer files.

<Target>                  Specifies the remote Check Point computer, with which this local Check Point computer has established SIC trust.
                          - If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point computer as configured in SmartConsole.
                          - If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.


Notes:
- This command moves the specified log files from the $FWDIR/log/ directory on the specified Check Point computer. That is, it deletes the specified log files on the specified Check Point computer after it copies them successfully.
- This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point computer, on which you run this command.
- This command cannot fetch the active log files $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.
  To fetch these active log files:
  1. Perform a log switch on the applicable Check Point computer:

     fw logswitch [-audit] [-h <IP Address or Hostname>]

  2. Fetch the rotated log file from the applicable Check Point computer:

     fw fetchlogs -f <Log File Name> <IP Address or Hostname>

- This command renames the log files it fetched from the specified Check Point computer. The new log file name is the concatenation of the Check Point computer's name (as configured in SmartConsole), two underscore (_) characters, and the original log file name (for example: MyGW__2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW
File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#

fw getifs
Description
Shows a list with this information:
- The names of the interfaces to which the Check Point Firewall kernel is attached.
- The IP addresses assigned to the interfaces.

Notes:
- This list shows only interfaces that have IP addresses assigned to them.
- Related "cpstat" on page 912 commands:
  - cpstat -f ifconfig os
  - cpstat -f interfaces fw

Syntax

fw [-d] getifs

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw getifs
localhost eth0 192.168.30.40 255.255.255.0
localhost eth1 172.30.60.80 255.255.255.0
[Expert@MyGW:0]#

fw hastat
Description
Shows information about Check Point computers in High Availability configuration and their states.

Note - This command is outdated. On cluster members, run the Gaia Clish command
"show cluster state", or the Expert mode command "cphaprob state".

Note - This command is outdated. On Management Servers, run the "cpstat" on page 197 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter                  Description

<Target1> <Target2> ...    Specifies the Check Point computers to query.
<TargetN>                  If you run this command on the Management Server, you can enter the
                           applicable IP address, or the resolvable HostName of the managed Security
                           Gateway or Cluster Member.
                           If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#

fw isp_link
Description
Controls the state of ISP Links in the ISP Redundancy configuration on Security Gateway.
See the R80.40 Next Generation Security Gateway Guide.

Syntax

fw [-d] isp_link {-h | -help}

fw [-d] isp_link [<Name of Object>] <Name of ISP Link> {down | up}

Parameters

Parameter            Description

-d                   Runs the command in debug mode.
                     Use only if you troubleshoot the command itself.
                     Best Practice - If you use this parameter, then redirect the output to a file, or
                     use the script command to save the entire CLI session.

{-h | -help}         Shows the built-in usage.

<Name of Object>     Only when you run this command on a Management Server:
                     The name of the Security Gateway or Cluster Member object as defined in
                     SmartConsole (from the left navigation panel, click Gateways & Servers).

<Name of ISP Link>   The name of the ISP Link as defined in the Security Gateway or Cluster object:
                     1. In SmartConsole, from the left navigation panel, click Gateways & Servers.
                     2. Open the Security Gateway or Cluster object.
                     3. From the left tree, click Other > ISP Redundancy.

down                 Changes the state of the specified ISP Link to DOWN.

up                   Changes the state of the specified ISP Link to UP.

fw kill
Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

Parameter             Description

-d                    Runs the command in debug mode.
                      Use only if you troubleshoot the command itself.
                      Best Practice - If you use this parameter, then redirect the output to a file,
                      or use the script command to save the entire CLI session.

-t <Signal Number>    Specifies which signal to send to the Check Point process.
                      For the list of available signals and their numbers, run the kill -l command.
                      For information about the signals, see the manual pages for kill and signal.
                      If you do not specify the signal explicitly, the command sends Signal 15
                      (SIGTERM).
                      Note - Processes can ignore some signals.

<Name of Process>     Specifies the name of the Check Point process to kill.
                      To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw lichosts
Description
Shows IP addresses of internal hosts that Security Gateway detected and counted based on the installed
license.

Syntax

fw [-d] lichosts [-l] [-x]

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use
            the script command to save the entire CLI session.

-l          Shows the output in the long format.

-x          Shows the output in the hexadecimal format.

Example

[Expert@MyGW:0]# fw lichosts
License allows an unlimited number of hosts
[Expert@MyGW:0]#

Related SK article
sk10200 - 'too many internal hosts' error in /var/log/messages on Security Gateway.

fw log
Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H]
[-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q]
[-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u <Unification Scheme File>] [-w]
[-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter                     Description

{-h | -help}                  Shows the built-in usage.
                              Note - The built-in usage does not show some of the parameters
                              described in this table.

-d                            Runs the command in debug mode.
                              Use only if you troubleshoot the command itself.
                              Best Practice - If you use this parameter, then redirect the output to
                              a file, or use the script command to save the entire CLI session.

-a                            Shows only Account log entries.

-b "<Start Timestamp>"        Shows only entries that were logged between the specified start and
"<End Timestamp>"             end times.
                              - The <Start Timestamp> and <End Timestamp> may be a date, a time, or
                                both.
                              - If the date is omitted, then the command assumes the current date.
                              - Enclose the "<Start Timestamp>" and "<End Timestamp>" in single or
                                double quotes (-b 'XX' 'YY', or -b "XX" "YY").
                              - You cannot use the "-b" parameter together with the "-s" or "-e"
                                parameters.
                              - See the date and time format below.


-c <Action>                   Shows only events with the specified action. One of these:
                              - accept
                              - drop
                              - reject
                              - encrypt
                              - decrypt
                              - vpnroute
                              - keyinst
                              - authorize
                              - deauthorize
                              - authcrypt
                              - ctl
                              Notes:
                              - The fw log command always shows the Control (ctl) actions.
                              - For the login action, use authcrypt.

-e "<End Timestamp>"          Shows only entries that were logged before the specified time.
                              Notes:
                              - The <End Timestamp> may be a date, a time, or both.
                              - Enclose the <End Timestamp> in single or double quotes (-e '...', or
                                -e "...").
                              - You cannot use the "-e" parameter together with the "-b" parameter.
                              - See the date and time format below.

-f                            This parameter:
                              1. Shows the saved entries that match the specified conditions.
                              2. After the command reaches the end of the currently opened log file,
                                 it continues to monitor the log file indefinitely and shows the new
                                 entries that match the specified conditions.
                              Note - Applies only to the active log file $FWDIR/log/fw.log or
                              $FWDIR/log/fw.adtlog.

-g                            Does not show delimiters.
                              The default behavior is:
                              - Show a colon (:) after a field name
                              - Show a semi-colon (;) after a field value

-H                            Shows the High Level Log key.

-h <Origin>                   Shows only logs that were generated by the Security Gateway with the
                              specified IP address or object name (as configured in SmartConsole).

-i                            Shows the log UID.

-k {<Alert Name> | all}       Shows entries that match a specific alert type:
                              - <Alert Name> - Show only entries that match a specific alert type:
                                - alert
                                - mail
                                - snmp_trap
                                - spoof
                                - user_alert
                                - user_auth
                              - all - Show entries that match all alert types (this is the default).

-l                            Shows both the date and the time for each log entry.
                              The default is to show the date only once above the relevant entries,
                              and then specify the time for each log entry.

-m                            Specifies the log unification mode:
                              - initial - Complete unification of log entries. The command shows one
                                unified log entry for each ID. This is the default.
                                If you also specify the -f parameter, then the output does not show
                                any updates, but shows only entries that relate to the start of new
                                connections. To show updates, use the semi parameter.
                              - semi - Step-by-step unification of log entries. For each log entry,
                                the output shows an entry that unifies this entry with all
                                previously encountered entries with the same ID.
                              - raw - No log unification. The output shows all log entries.

-n                            Does not perform DNS resolution of the IP addresses in the log file
                              (this is the default behavior).
                              This significantly speeds up the log processing.


-o                            Shows detailed log chains - shows all the log segments in the log
                              entry.

-p                            Does not perform resolution of the port numbers in the log file (this
                              is the default behavior).
                              This significantly speeds up the log processing.

-q                            Shows the names of log header fields.

-S                            Shows the Sequence Number.

-s "<Start Timestamp>"        Shows only entries that were logged after the specified time.
                              Notes:
                              - The <Start Timestamp> may be a date, a time, or both.
                              - If the date is omitted, then the command assumes the current date.
                              - Enclose the <Start Timestamp> in single or double quotes (-s '...',
                                or -s "...").
                              - You cannot use the "-s" parameter together with the "-b" parameter.
                              - See the date and time format below.

-t                            This parameter:
                              1. Does not show the saved entries that match the specified
                                 conditions.
                              2. After the command reaches the end of the currently opened log file,
                                 it continues to monitor the log file indefinitely and shows the new
                                 entries that match the specified conditions.
                              Note - Applies only to the active log file $FWDIR/log/fw.log or
                              $FWDIR/log/fw.adtlog.

-u <Unification Scheme File>  Specifies the path and name of the log unification scheme file.
                              The default log unification scheme file is:
                              $FWDIR/conf/log_unification_scheme.C

-w                            Shows the flags of each log entry (different bits used to specify the
                              "nature" of the log - for example, control, audit, accounting,
                              complementary, and so on).

-x <Start Entry Number>       Shows only entries from the specified log entry number and below,
                              counting from the beginning of the log file.

-y <End Entry Number>         Shows only entries until the specified log entry number, counting
                              from the beginning of the log file.

-z                            In case of an error (for example, a wrong field value), continues to
                              show log entries.
                              The default behavior is to stop.


-#                            Shows confidential logs in clear text.

<Log File>                    Specifies the log file to read.
                              If you do not specify the log file explicitly, the command opens the
                              $FWDIR/log/fw.log log file.
                              You can specify a switched log file.

Date and Time format

Part of timestamp   Format                  Example

Date only           MMM DD, YYYY            June 11, 2018

Time only           HH:MM:SS                14:20:00
                    Note - In this case, the command assumes the current date.

Date and Time       MMM DD, YYYY HH:MM:SS   June 11, 2018 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

Note - The fields that appear depend on the connection type.

This table describes some of the fields.

Field Header      Description                                     Example

HeaderDateHour    Date and Time                                   12Jun2018 12:56:42

ContentVersion    Version                                         5

HighLevelLogKey   High Level Log Key                              <max_null>, or empty

Uuid              Log UUID                                        (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)

SequenceNum       Log Sequence Number                             1


Flags             Internal flags that specify the "nature" of     428292
                  the log - for example, control, audit,
                  accounting, complementary, and so on

Action            Action performed on this connection             - accept
                                                                  - drop
                                                                  - reject
                                                                  - encrypt
                                                                  - decrypt
                                                                  - vpnroute
                                                                  - keyinst
                                                                  - authorize
                                                                  - deauthorize
                                                                  - authcrypt
                                                                  - ctl

Origin            Object name of the Security Gateway that        MyGW
                  generated this log

IfDir             Traffic direction through interface:            - <
                  - < - Outbound (sent by a Security Gateway)     - >
                  - > - Inbound (received by a Security Gateway)


InterfaceName     Name of the Security Gateway interface, on      - eth0
                  which this traffic was logged                   - daemon
                  If a Security Gateway performed some internal   - N/A
                  action (for example, log switch), then the log
                  entry shows daemon

LogId             Log ID                                          0

Alert             Alert Type                                      - alert
                                                                  - mail
                                                                  - snmp_trap
                                                                  - spoof
                                                                  - user_alert
                                                                  - user_auth

OriginSicName     SIC name of the Security Gateway that           CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x
                  generated this log

inzone            Inbound Security Zone                           Local

outzone           Outbound Security Zone                          External

service_id        Name of the service used to inspect this        ftp
                  connection

src               Object name or IP address of the connection's   MyHost
                  source computer

dst               Object name or IP address of the connection's   MyFTPServer
                  destination computer


proto             Name of the connection's protocol               tcp

sport_svc         Source port of the connection                   64933

ProductName       Name of the Check Point product that            - VPN-1 & FireWall-1
                  generated this log                              - Application Control
                                                                  - FloodGate-1

ProductFamily     Name of the Check Point product family that     Network
                  generated this log

Examples

Example 1 - Show all log entries with both the date and the time for each log entry

fw log -l

Example 2 - Show all log entries that start after the specified timestamp

[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps

[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"

[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags

[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)

[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
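The following Python parser is an added example and is not part of this guide or of any Check Point tool. It reads the self-describing output that fw log produces with -q (field names shown) and -w (flags shown), as in Example 5 above, and turns each line into a dictionary, keeping the UP_match_table and UP_action_table rows that fw log flattens with the TABLE_START and ROW_START markers. It assumes the default delimiters (a colon after each field name and a semicolon after each value, so -g is not used) and that no field value itself contains a semicolon. The drop entry is the one shown in Example 5; the ctl entry is constructed in -q form from the ctl entry of Example 3 and is not captured output.

```python
"""Parser for `fw log -l -q -w` output (one log entry per line).

Added example; not part of the Check Point CLI Reference Guide or product.
Assumptions: the default delimiters are in use (a colon after each field
name and a semicolon after each value, i.e. `-g` was not given), and no
field value itself contains a semicolon.
"""
from collections import Counter
from datetime import datetime

# Marker values that fw log uses to flatten its rule-match tables.
TABLE_START, TABLE_END = "TABLE_START", "TABLE_END"
ROW_START, ROW_END = "ROW_START", "ROW_END"
HEADER_TIME_FORMAT = "%d%b%Y %H:%M:%S"      # e.g. 12Jun2018 12:33:39

# The drop entry from Example 5 of the guide, as one line.
DROP_LINE = (
    "HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; "
    "HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; "
    "Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; "
    "LogId: 0; ContextNum: <max_null>; "
    "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; "
    "inzone: Local; outzone: External; service_id: ftp; src: MyGW; "
    "dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; "
    "match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; "
    "layer_name: MyPolicy Network; "
    "rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; "
    "UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; "
    "action: 0; ROW_END: 0; UP_action_table: TABLE_END; "
    "ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; "
    "ProductFamily: Network;"
)

# A control (ctl) entry constructed in -q form from Example 3 (abbreviated,
# not captured output).  Its "reason" value contains colons, which the
# parser must not treat as field separators.
CTL_LINE = (
    "HeaderDateHour: 12Jun2018 12:33:45; ContentVersion: 5; "
    "HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; "
    "Action: ctl; Origin: MyGW; IfDir: >; InterfaceName: ; Alert: ; "
    "LogId: <max_null>; description: Contracts; "
    'reason: Could not reach "https://productcoverage.checkpoint.com/'
    'ProductCoverageService". Check DNS and Proxy configuration on the gateway.; '
    "Severity: 2; status: Failed; ProductName: Security Gateway/Management; "
    "ProductFamily: Network;"
)


def parse_entry(line):
    """Return one fw log -q entry as a dict.

    Flat fields map to their string value.  Tables such as UP_match_table
    (delimited by "<name>: TABLE_START; ... <name>: TABLE_END;") become a
    list of row dicts stored under the table name.
    """
    fields = {}
    table_name, rows, row = None, None, None
    for pair in line.strip().split(";"):
        if not pair.strip():
            continue
        # Split on the first colon only: values may contain further colons
        # (timestamps, URLs, X.500 names).
        name, _, value = pair.partition(":")
        name, value = name.strip(), value.strip()
        if value == TABLE_START:
            table_name, rows = name, []
        elif value == TABLE_END and name == table_name:
            fields[table_name] = rows
            table_name, rows = None, None
        elif name == ROW_START and rows is not None:
            row = {}
        elif name == ROW_END and row is not None:
            rows.append(row)
            row = None
        elif row is not None:
            row[name] = value
        else:
            fields[name] = value
    return fields


def entry_time(entry):
    """Convert the HeaderDateHour field ("12Jun2018 12:33:39") to a datetime."""
    return datetime.strptime(entry["HeaderDateHour"], HEADER_TIME_FORMAT)


def summarize_drops(lines):
    """Count drop entries per (src, dst, service_id, rule_uid).

    rule_uid is taken from the first UP_match_table row, where the unified
    entry records the rule that matched.
    """
    counts = Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry.get("Action") != "drop":
            continue
        match_rows = entry.get("UP_match_table", [])
        rule_uid = match_rows[0].get("rule_uid") if match_rows else None
        counts[(entry.get("src"), entry.get("dst"),
                entry.get("service_id"), rule_uid)] += 1
    return counts


if __name__ == "__main__":
    drop = parse_entry(DROP_LINE)
    print(entry_time(drop), drop["Action"], drop["src"], "->", drop["dst"])
    for key, n in summarize_drops([DROP_LINE, CTL_LINE]).items():
        print(n, key)
```

Splitting on the first colon only is what keeps HeaderDateHour, OriginSicName and the reason field of the ctl entry intact. The summarize_drops() helper is the kind of aggregation (drops per source, destination, service and matched rule) a reviewer of a switched log file usually wants before opening SmartConsole.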

fw logswitch
Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
- By default, this command switches the active Security log file - $FWDIR/log/fw.log
- You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch [-audit] [<Name of Switched Log>]

fw [-d] logswitch -h <Target> [[+ | -]<Name of Switched Log>]

Parameters

Parameter                 Description

-d                        Runs the command in debug mode.
                          Use only if you troubleshoot the command itself.
                          Best Practice - If you use this parameter, then redirect the output to a
                          file, or use the script command to save the entire CLI session.

-audit                    Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).
                          You can use this parameter only on a Management Server.

-h <Target>               Specifies the remote computer, on which to switch the log.
                          Notes:
                          - The local and the remote computers must have established SIC trust.
                          - The remote computer can be a Security Gateway, a Log Server, or a
                            Security Management Server in High Availability deployment.
                          - You can specify the remote managed computer by its main IP address or
                            Object Name as configured in SmartConsole.


<Name of Switched Log>    Specifies the name of the switched log file.
                          Notes:
                          - If you do not specify this parameter, then the default name is:
                            <YYYY-MM-DD_HHMMSS>.log
                            <YYYY-MM-DD_HHMMSS>.adtlog
                            For example, 2018-03-26_174455.log
                          - If you specify the name of the switched log file, then the name of the
                            switched log file is:
                            <Specified_Log_Name>.log
                            <Specified_Log_Name>.adtlog
                          - The log switch operation fails if the specified name for the switched
                            log matches the name of an existing log file.
                          - The maximal length of the specified name of the switched log file is
                            230 characters.

+                         Specifies to copy the active log from the remote computer to the local
                          computer.
                          Notes:
                          - If you specify the name of the switched log file, you must write it
                            immediately after this + (plus) parameter.
                          - The command copies the active log from the remote computer and saves
                            it in the $FWDIR/log/ directory on the local computer.
                          - The default name of the saved log file is:
                            <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
                            For example, MyGW__2018-03-26_174455.log
                          - If you specify the name of the switched log file, then the name of the
                            saved log file is:
                            <Gateway_Object_Name>__<Specified_Log_Name>.log
                          - When this command copies the log file from the remote computer, it
                            compresses the file.


-                         Specifies to transfer the active log from the remote computer to the
                          local computer.
                          Notes:
                          - The command saves the copied active log file in the $FWDIR/log/
                            directory on the local computer and then deletes the switched log file
                            on the remote computer.
                          - If you specify the name of the switched log file, you must write it
                            immediately after this - (minus) parameter.
                          - The default name of the saved log file is:
                            <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
                            For example, MyGW__2018-03-26_174455.log
                          - If you specify the name of the switched log file, then the name of the
                            saved log file is:
                            <Gateway_Object_Name>__<Specified_Log_Name>.log
                          - When this command transfers the log file from the remote computer, it
                            compresses the file.
                          - As an alternative, you can use the "fw fetchlogs" on page 247 command.

Compression
When this command transfers the log files from the remote computer, it compresses the file with the gzip
command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method. The
compression ratio varies with the content of the log file and is difficult to predict. Binary data are not
compressed. Text data, such as user names and URLs, are compressed.

Example - Switching the active Security log on a Security Management Server or Security Gateway

[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server

[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

Example - Switching the active Security log on a managed Security Gateway and copying the switched log

[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

fw lslogs
Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog)
residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ...
[-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime | etime}]
[<Target>]

Parameters

Parameter                         Description

-d                                Runs the command in debug mode.
                                  Use only if you troubleshoot the command itself.
                                  Best Practice - If you use this parameter, then redirect the
                                  output to a file, or use the script command to save the entire
                                  CLI session.

-f <Name of Log File>             Specifies the name of the log file to show. Specify only the file
                                  name.
                                  Notes:
                                  - If the log file name is not specified explicitly, the command
                                    shows all Security log files ($FWDIR/log/*.log).
                                  - File names may include * and ? as wildcards (for example,
                                    2019-0?-*). If you enter a wildcard, you must enclose it in
                                    double quotes or single quotes.
                                  - You can specify multiple log files in one command. You must
                                    use the "-f" parameter for each log file name pattern:
                                    -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>

-e                                Shows an extended file list. It includes the following
                                  information for each log file:
                                  - Size - The total size of the log file and its related pointer
                                    files
                                  - Creation Time - The time the log file was created
                                  - Closing Time - The time the log file was closed
                                  - Log File Name - The file name

-r                                Reverses the sort order (descending order).


-s {name | size | stime | etime}  Specifies the sort order of the log files using one of the
                                  following sort options:
                                  - name - The file name
                                  - size - The file size
                                  - stime - The time the log file was created (this is the default
                                    option)
                                  - etime - The time the log file was closed

<Target>                          Specifies the remote Check Point computer, with which this local
                                  Check Point computer has established SIC trust.
                                  - If you run this command on a Security Management Server or
                                    Domain Management Server, then <Target> is the applicable
                                    object's name or main IP address of the Check Point Computer as
                                    configured in SmartConsole.
                                  - If you run this command on a Security Gateway or Cluster
                                    Member, then <Target> is the main IP address of the applicable
                                    object as configured in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"
Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'
Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 4 - Showing only log files specified by the patterns and their extended information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'
Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r
Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security Gateway with main
IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' 192.168.3.53
Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#
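As an added example (not from this guide or from Check Point), the following Python code parses the extended listing that fw lslogs -e produces, reproduces the -s and -r sort options, and checks the chain of switched files for gaps: because fw logswitch closes one file and opens the next at the same moment, each file's Creation Time should equal the previous file's Closing Time for the same log type, and a later start means a window with no retained log. The listing is constructed to match the column layout of Example 5 and is not output captured from a real system; it contains a deliberate one-hour gap in the Security log chain.

```python
"""Parse `fw lslogs -e` output and check the switched-log chain for gaps.

Added example; not part of the Check Point CLI Reference Guide or product.
Assumes the extended (-e) column layout shown in the guide:
    Size  Creation Time  Closing Time  Log file name
with times such as "14Jun2018 0:00:00" and sizes such as "11KB".
"""
from datetime import datetime

# Constructed listing modelled on the column layout of Example 5 above (not
# captured from a real system).  The .log chain has a deliberate one-hour gap
# between 2018-06-15_000000.log and 2018-06-16_000000.log.
SAMPLE = """\
Size Creation Time Closing Time Log file name
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2018-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2018-06-14_000000.adtlog
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2018-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2018-06-15_000000.adtlog
7KB 15Jun2018 1:00:00 16Jun2018 0:00:00 2018-06-16_000000.log
"""

SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
TIME_FORMAT = "%d%b%Y %H:%M:%S"          # e.g. 14Jun2018 0:00:00


def parse_size(text):
    """Convert a size column value such as '11KB' to bytes."""
    digits = text.rstrip("KMGB")
    unit = text[len(digits):] or "B"
    return int(digits) * SIZE_UNITS[unit]


def parse_lslogs(output):
    """Return one dict (size, stime, etime, name) per listed log file."""
    files = []
    for line in output.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) != 6:                       # tolerate stray lines
            continue
        size, cdate, ctime, edate, etime, name = parts
        files.append({
            "size": parse_size(size),
            "stime": datetime.strptime(f"{cdate} {ctime}", TIME_FORMAT),
            "etime": datetime.strptime(f"{edate} {etime}", TIME_FORMAT),
            "name": name,
        })
    return files


def sort_files(files, key="stime", reverse=False):
    """Mimic `fw lslogs -s <key> [-r]`; key is name, size, stime or etime."""
    return sorted(files, key=lambda f: f[key], reverse=reverse)


def coverage_gaps(files, suffix=".log"):
    """List (previous file, next file, gap in seconds) for one log type.

    Files are chained in creation order; a next file that starts later than
    the previous file closed leaves a window with no retained log.
    """
    chain = sort_files([f for f in files if f["name"].endswith(suffix)], "stime")
    gaps = []
    for prev, nxt in zip(chain, chain[1:]):
        delta = (nxt["stime"] - prev["etime"]).total_seconds()
        if delta > 0:
            gaps.append((prev["name"], nxt["name"], delta))
    return gaps


if __name__ == "__main__":
    listing = parse_lslogs(SAMPLE)
    for f in sort_files(listing, "name", reverse=True):
        print(f"{f['size']:>8} {f['stime']:%d%b%Y %H:%M:%S} "
              f"{f['etime']:%d%b%Y %H:%M:%S} {f['name']}")
    for prev_name, next_name, seconds in coverage_gaps(listing, ".log"):
        print(f"gap of {seconds:.0f}s between {prev_name} and {next_name}")
```

The suffix filter keeps Security (.log) and Audit (.adtlog) chains apart, since the two are switched independently; run coverage_gaps() once per type. A gap found this way usually means a switched file was deleted or never copied, which is worth knowing before relying on fw mergefiles for a complete picture of a period.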

fw mergefiles
Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
- Do not merge the active Security file $FWDIR/log/fw.log with other Security switched log files.
  Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch" command) and only then
  merge it with other Security switched log files.
- Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit switched log files.
  Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch" command) and only then
  merge it with other Audit switched log files.
- This command unifies log entries with the same Unique ID (UID). If you rotate the current active
  log file before all the segments of a specific log arrive, this command merges the records with
  the same Unique ID from two different files into one fully detailed record.
- If the size of the final merged log file exceeds 2GB, this command creates a list of merged files,
  where the size of each merged file is not more than 2GB. The user receives this warning:

  Warning: The size of the files you have chosen to merge is greater than 2GB. The merge will
  produce two or more files.

  The names of the merged files are:
  - <Name of Merged Log File>.log
  - <Name of Merged Log File>_1.log
  - <Name of Merged Log File>_2.log
  - ... ...
  - <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}

fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of Log File 1> <Name of Log File 2> ...
<Name of Log File N> <Name of Merged Log File>

Parameters

Parameter                  Description

-d                         Runs the command in debug mode.
                           Use only if you troubleshoot the command itself.
                           Best Practice - If you use this parameter, then redirect the output to a
                           file, or use the script command to save the entire CLI session.

{-h | -help}               Shows the built-in usage.

-r                         Removes duplicate entries.

-s                         Sorts the merged file by the Time field in log records.

-t <Time Conversion File>  Specifies a full path and name of a file that instructs this command how
                           to adjust the times during the merge.
                           This is required if you merge log files from Log Servers configured with
                           different time zones.
                           The file format is:
                           <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
                           <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
                           ... ...
                           Notes:
                           - You must specify the absolute path and the file name.
                           - The name of the time conversion file cannot exceed 230 characters.

<Name of Log File 1> ...   Specifies the log files to merge.
<Name of Log File N>       Notes:
                           - You must specify the absolute path and the name of the input log files.
                           - The name of the input log file cannot exceed 230 characters.


<Name of Merged Log File>  Specifies the output merged log file.
                           Notes:
                           - The name of the merged log file cannot exceed 230 characters.
                           - If a file with the specified name already exists, the command stops and
                             asks you to remove the existing file, or to specify another name.
                           - The size of the merged log file cannot exceed 2 GB. In such a scenario,
                             the command creates several merged log files, each not exceeding the
                             size limit.

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log $FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#

fw monitor
Description
Firewall Monitor is the Check Point traffic capture tool.
In a Security Gateway, traffic passes through different inspection points - Chain Modules in the Inbound
direction and then in the Outbound direction (see "fw ctl chain" on page 969).
The FW Monitor tool captures the traffic at each Chain Module in both directions.
You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like
Wireshark.

Notes:
n Only one instance of "fw monitor" can run at a time.
n You can stop the "fw monitor" instance in one of these ways:
l In the shell, in which the "fw monitor" instance runs, press CTRL + C
keys
l In another shell, run this command: fw monitor -U
n Each time you run the FW Monitor, it compiles its temporary policy files
($FWDIR/tmp/monitorfilter.*).
n From R80.20, the FW Monitor is able to show the traffic accelerated with
SecureXL.
n For more information, see sk30583 and How to use FW Monitor.

Syntax for IPv4

fw monitor {-h | -help}

fw monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of
Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter
File> | -}] [-F "<Source IP>,<Source Port>,<Dest IP>,<Dest
Port>,<Protocol Number>"] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o
<Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po
<Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-U] [-v
<VSID>] [-x <Offset>[,<Length>] [-w]]

Syntax for IPv6

fw6 monitor {-h | -help}

fw6 monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number
of Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter
File> | -}] [-F "<Source IP>,<Source Port>,<Dest IP>,<Dest
Port>,<Protocol Number>"] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o
<Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po
<Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-U] [-v
<VSID>] [-x <Offset>[,<Length>] [-w]]


Parameters

Parameter Description

{-h | -help} Shows the built-in usage.

-d Runs the command in debug mode and shows some information about
-D how the FW Monitor starts and compiles the specified INSPECT filter:
n -d
Simple debug output.
n -D
Verbose output.

Note - You can specify both parameters to show more
information.

-ci <Number of Specifies how many packets to capture.
Inbound Packets> The FW Monitor stops the traffic capture when it has counted the
-co <Number of specified number of packets.
Outbound Packets>
n -ci
Specifies the number of inbound packets to count.
n -co
Specifies the number of outbound packets to count.

Best Practice - You can use the "-ci" and the "-co"
parameters together. This is especially useful during large
volumes of traffic. In such scenarios, FW Monitor may bind so
many resources (for writing to the console, or to a file) that
recognizing the break sequence (CTRL+C) might take a very
long time.


-e <INSPECT Expression> Captures only specific packets of non-accelerated traffic:
or
-f {<INSPECT Filter File> | -}
n "-e <INSPECT Expression>"
Defines the INSPECT filter expression on the command line.
n "-f <INSPECT Filter File>"
Reads the INSPECT filter expression from the specified file. You
must enter the full path and name of the plain-text file that contains
the INSPECT filter expression.
n "-f -"
Reads the INSPECT filter expression from the standard input. After
you enter the INSPECT filter expression, you must enter ^D
(CTRL+D) as the EOF (End Of File) character.

Warning - These INSPECT filters do not apply to the
accelerated traffic.

Important - Make sure to enclose the INSPECT filter expression
correctly in single quotes (ASCII value 39) or double quotes
(ASCII value 34).

Notes:
n Refer to the $FWDIR/lib/fwmonitor.def file for
useful macro definitions.
n See syntax examples below ("Examples for the "-e"
parameter" on page 1042).

-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"
Specifies the capture filter (for both accelerated and non-accelerated
traffic):
n <Source IP> - Specifies the source IP address
n <Source Port> - Specifies the source Port Number (see IANA
Service Name and Port Number Registry)
n <Dest IP> - Specifies the destination IP address
n <Dest Port> - Specifies the destination Port Number (see IANA
Service Name and Port Number Registry)
n <Protocol Number> - Specifies the Protocol Number (see
IANA Protocol Numbers)


Notes:
n See syntax examples below ("Examples for the "-F"
parameter" on page 1054).
n The "-F" parameter uses these Kernel Debug Filters (for more
information, see the R80.40 Next Generation Security Gateway Guide -
Chapter Kernel Debug on Security Gateway - Section Kernel Debug Filters):
l For Source IP address:
simple_debug_filter_saddr_<N> "<IP Address>"
l For Source Ports:
simple_debug_filter_sport_<N> <1-65535>
l For Destination IP address:
simple_debug_filter_daddr_<N> "<IP Address>"
l For Destination Ports:
simple_debug_filter_dport_<N> <1-65535>
l For Protocol Number:
simple_debug_filter_proto_<N> <0-254>
n Value 0 is used as "any".
n You can specify up to 5 capture filters with this parameter
(up to 5 instances of the "-F" parameter in the syntax).
The FW Monitor performs the logical "OR" between all
specified simple capture filters.


-H "<IP Address>" Creates an IP address filter.
For more information, see the R80.40 Next Generation Security Gateway
Guide - Chapter Kernel Debug on Security Gateway - Section Kernel
Debug Filters.
You can specify up to 3 capture filters with this parameter (up to 3
instances of the "-H" parameter in the syntax).
Example - Capture only the traffic to and from the host 1.1.1.1:

fw monitor -H "1.1.1.1"

-i Flushes the standard output.

Note - This parameter is valid only with the "-v <VSID>"
parameter.

Best Practice - Use this parameter to make sure FW Monitor
immediately writes the captured data for each packet to the
standard output. This is especially useful if you want to kill a
running FW Monitor process, and want to be sure that FW
Monitor writes all the data to the specified file.

-l <Length> Specifies the maximal length of the captured packets. FW Monitor reads
only the specified number of bytes from each packet.

Notes:
n This parameter is optional.
n This parameter lets you capture only the headers from
each packet (for example, IP and TCP) and omit the
payload. This decreases the size of the output file. This
also helps the internal FW Monitor buffer not to fill too
fast.
n Make sure to capture the minimal required number of
bytes, to capture the Layer 3 IP header and Layer 4
Transport header.


-m {i, I, o, O, e, Specifies the capture mask (inspection point) in relation to Chain Modules,
E} in which the FW Monitor captures the traffic.
These are the inspection points, through which each packet passes on a
Security Gateway.
n -m i
Pre-Inbound only (before the packet enters a Chain Module in the
inbound direction)
n -m I
Post-Inbound only (after the packet passes a Chain Module in the
inbound direction)
n -m o
Pre-Outbound only (before the packet enters a Chain Module in the
outbound direction)
n -m O
Post-Outbound only (after the packet passes through a Chain
Module in the outbound direction)
n -m e
Pre-Outbound VPN only (before the packet enters a VPN Chain
Module in the outbound direction)
n -m E
Post-Outbound VPN only (after the packet passes through a VPN
Chain Module in the outbound direction)


Notes:
n You can specify several capture masks (for example, to see NAT on
the egress packets, enter "... -m o O ...").
n You can use this capture mask parameter "-m {i, I, o, O,
e, E}" together with the chain module position parameter "-p{i
| I | o | O}".
n In the inbound direction:
l All chain positions before the FireWall Virtual Machine
module (the "fw ctl chain" on page 969 command shows it as
fw VM inbound) are Pre-Inbound.
l All chain modules after the FireWall Virtual Machine module
are Post-Inbound.
n In the outbound direction:
l All chain position before the FireWall Virtual Machine module
are Pre-Outbound.
l All chain modules after the FireWall Virtual Machine module
are Post-Outbound.
n By default, the FW Monitor captures the traffic only in the FireWall
Virtual Machine module.
n The packet direction relates to each specific packet, and not to the
connection's direction.
n The letters "q" and "Q" after the inspection point mean that the QoS
policy is applied to the interface.

Example packet flows:
n From a Client to a Server through the FireWall Virtual Machine
module:
[Client] --> ("i") {FW VM attached to eth1} ("I") [Security Gateway] ("o") {FW VM attached to eth2} ("O") --> [Server]
n From a Server to a Client through the FireWall Virtual Machine
module:
[Client] <-- ("O") {FW VM attached to eth1} ("o") [Security Gateway] ("I") {FW VM attached to eth2} ("i") <-- [Server]


-o <Output File> Specifies the output file, to which FW Monitor writes the captured raw
data.

Important - If you do not specify the path explicitly, FW Monitor
creates this output file in the current working directory. Because
this output file can grow very fast to a very large size, we always
recommend that you specify the full path on the largest partition,
/var/log/.

The format of this output file is the same format used by tools like snoop
(refer to RFC 1761).
You can later analyze the captured traffic with the same FW Monitor tool,
or with special tools like Wireshark.

-pi <Position> Inserts the FW Monitor Chain Module at the specified position between
-pI <Position> the kernel Chain Modules (see the "fw ctl chain" on page 969).
-po <Position> If the FW Monitor writes the captured data to the specified output file (with
-pO <Position> the parameter "-o <Output File>"), it also writes the position of the
or FW Monitor chain module as one of the fields.
-p all [-a]
You can insert the FW Monitor Chain Module in these positions only:
n -pi <Position>
Inserts the FW Monitor Chain Module in the specified Pre-Inbound
position.
n -pI <Position>
Inserts the FW Monitor Chain Module in the specified Post-Inbound
position.
n -po <Position>
Inserts the FW Monitor Chain Module in the specified Pre-Outbound
position.
n -pO <Position>
Inserts the FW Monitor Chain Module in the specified Post-Outbound
position.
n -p all [-a]
Inserts the FW Monitor Chain Module at all positions (both Inbound
and Outbound).

Warning - This parameter causes very high load on the
CPU, but provides the most complete traffic capture.

The "-a" parameter specifies to use absolute chain positions. This
parameter changes the chain ID from a relative value (which only
makes sense with the matching output from the "fw ctl chain" on
page 969 command) to an absolute value.


Notes:
n <Position> can be one of these:
l A relative position number
In the output of the "fw ctl chain" on page 969 command,
refer to the numbers in the leftmost column (for example, 0,
5, 14).
l A relative position alias
In the output of the "fw ctl chain" on page 969 command,
refer to the internal chain module names in the rightmost
column in the parentheses (for example, sxl_in, fw,
cpas).
l An absolute position
In the output of the "fw ctl chain" on page 969 command,
refer to the numbers in the second column from the left (for
example, -7fffffff, -1fffff8, 7f730000). In the syntax, you must
write these numbers in the hexadecimal format (for example,
-0x7fffffff, -0x1fffff8, 0x7f730000).
n You can use this chain module position parameter "-p{i | I| o
| O} ..." together with the capture mask parameter "-m {i,
I, o, O, e, E}".
n In the inbound direction:
l All chain positions before the FireWall Virtual Machine
module (the "fw ctl chain" on page 969 command shows it as
"fw VM inbound") are Pre-Inbound.
l All chain modules after the FireWall Virtual Machine module
are Post-Inbound.
n In the outbound direction:
l All chain position before the FireWall Virtual Machine module
are Pre-Outbound.
l All chain modules after the FireWall Virtual Machine module
are Post-Outbound.
n By default, the FW Monitor captures the traffic only in the FireWall
Virtual Machine module.
n The chain module position parameters "-p{i | I| o | O}
..." parameters do not apply to the accelerated traffic, which is still
monitored at the default inbound and outbound positions.
n For more information about the inspection points, see the
applicable table below.


-T Shows the timestamp for each packet:
DDMMMYYYY HH:MM:SS.mmmmmm

Best Practice - Use this parameter if you do not save the output
to a file, but print it on the screen.

-u Shows the UUID for each packet (it is only possible to print either the UUID
or or the SUUID, not both):
-s n -u
Prints the connection's Universal-Unique-ID (UUID) for each packet
n -s
Prints the connection's Session UUID (SUUID) for each packet

-U Removes the simple capture filters specified with this parameter:
-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"

-v <VSID> On a VSX Gateway or VSX Cluster Member, captures the packets on the
specified Virtual System or Virtual Router.
By default, FW Monitor captures the packets on all Virtual Systems and
Virtual Routers.
Example:

fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap

-w Captures the entire packet, instead of only the header.
Must be used together with one of these parameters:
n -o <Output File>
n -x <Offset>[,<Length>]


-x <Offset> Specifies the position in each packet, where the FW Monitor starts to
[,<Length>] capture the data from each packet.
Optionally, it is also possible to limit the amount of data the FW Monitor
captures.
n <Offset>
Specifies how many bytes to skip from the beginning of each
packet. FW Monitor starts to capture the data from each packet only
after the specified number of bytes.
n <Length>
Specifies the maximal length of the captured packets. FW Monitor
reads only the specified number of bytes from each packet.
For example, to skip over the IP header and TCP header, enter "-x
52,96". The offset counts from the start of the IP header, so it depends on
the actual header lengths: with a 20-byte IPv4 header and a 20-byte TCP
header without options, the payload starts at byte 40.

Inspection points in Security Gateway and in FW Monitor output

Note - The Inbound and Outbound traffic direction relates to each specific packet, and not to the
connection.

n Inbound

Relation to FireWall Virtual Machine | Notion of inspection point | Name of inspection point in the FW Monitor output
Pre-Inbound | Before the inbound FireWall VM | i (for example, eth4:i)
Post-Inbound | After the inbound FireWall VM | I (for example, eth4:I)
Pre-Inbound VPN | Inbound before decrypt | id (for example, eth4:id)
Post-Inbound VPN | Inbound after decrypt | ID (for example, eth4:ID)
Pre-Inbound QoS | Inbound before QoS | iq (for example, eth4:iq)
Post-Inbound QoS | Inbound after QoS | IQ (for example, eth4:IQ)

n Outbound

Relation to FireWall Virtual Machine | Notion of inspection point | Name of inspection point in the FW Monitor output
Pre-Outbound | Before the outbound FireWall VM | o (for example, eth4:o)
Post-Outbound | After the outbound FireWall VM | O (for example, eth4:O)
Pre-Outbound VPN | Outbound before encrypt | e (for example, eth4:e)
Post-Outbound VPN | Outbound after encrypt | E (for example, eth4:E)
Pre-Outbound QoS | Outbound before QoS | oq (for example, eth4:oq)
Post-Outbound QoS | Outbound after QoS | OQ (for example, eth4:OQ)
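The script below is an added example for this section; it is not part of this guide and not a Check Point tool. It parses the text that fw monitor prints (the record shapes shown in this chapter: plain, with "-T" timestamps, and with "-p" chain positions), groups the copies of each packet, and reports the last inspection point each packet reached, reading the result with the i / I / o / O order from the tables above. The sample output is constructed for the example; the use of the IP id (together with the Virtual System and protocol) as the key that links the copies of one packet, and the verdict wording, are assumptions of this example. The IP id is 16 bits and can repeat across flows, so the result is a diagnostic hint, not proof.

```python
import re

# Header line of one fw monitor record, in the three shapes shown in this chapter
# (each record is one header line followed by one transport line):
#   [vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
#   [vs_0][fw_1] 12Sep2018 19:08:05.453947 eth0:oq[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
#   [vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
HEADER = re.compile(
    r"^\[(?P<vs>vs_\d+)\]\[(?P<inst>fw_\d+)\]\s+"
    r"(?:(?P<ts>\d{2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"(?P<iface>[^\s:]+):(?P<point>[iIoOeE][dDqQ]?)(?P<pos>\d+)?"
    r"(?:\s+\((?P<module>.+?)\))?\[(?P<caplen>\d+)\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+len=(?P<len>\d+)\s+id=(?P<id>\d+)")
# Transport line that follows the header for TCP and UDP.
DETAIL = re.compile(r"^(?P<l4>TCP|UDP):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")

# Stage of each inspection point on the path of a forwarded packet. QoS and VPN variants
# (iq, IQ, id, ID, oq, OQ, e, E) are placed at the stage of their base letter.
STAGE = {"i": 0, "I": 1, "o": 2, "O": 3, "e": 2, "E": 3}

VERDICT = {
    0: "seen at i only: dropped by the inbound FW VM or by a chain module before I",
    1: "seen up to I: accepted inbound but not forwarded (local delivery to the gateway, routing, or drop before o)",
    2: "seen up to o: dropped by the outbound FW VM or by a chain module before O",
    3: "seen at O: left the gateway",
}

def parse_records(text):
    """One dict per packet record: header fields plus sport/dport from the transport line."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["stage"] = STAGE[rec["point"][0]]
            records.append(rec)
            continue
        d = DETAIL.match(line.strip())
        if d and records:
            records[-1].update(d.groupdict())
    return records

def track(records):
    """Group the copies of each packet and report how far through the chain it got.

    Assumption of this example: the IP id survives NAT and every inspection point, so it links
    the copies of one packet; VS and protocol are added to the key to reduce collisions."""
    paths = {}
    for r in records:
        paths.setdefault((r["vs"], r["proto"], r["id"]), []).append(r)
    out = []
    for (vs, proto, ipid), recs in paths.items():
        first, last = recs[0], max(recs, key=lambda r: r["stage"])
        natted = (first["src"], first["dst"]) != (last["src"], last["dst"])
        out.append({
            "vs": vs, "proto": proto, "id": ipid,
            "points": [r["iface"] + ":" + r["point"] + (r["pos"] or "") for r in recs],
            "flow": "%s:%s -> %s:%s" % (first["src"], first.get("sport", "-"),
                                        first["dst"], first.get("dport", "-")),
            "verdict": VERDICT[last["stage"]],
            "nat": "%s:%s -> %s:%s" % (last["src"], last.get("sport", "-"),
                                       last["dst"], last.get("dport", "-")) if natted else None,
        })
    return out

# Constructed sample output, modelled on the examples in this chapter: an SSH session to the
# gateway itself (i and I only), a hide-NATed HTTP SYN that is forwarded, a Telnet SYN dropped
# by the inbound FW VM, and a record captured with "-pi 2" (position and module name present).
SAMPLE = """\
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:i[60]: 10.10.10.5 -> 172.20.168.16 (TCP) len=60 id=4001
TCP: 40000 -> 80 ....S. seq=00000001 ack=00000000
[vs_0][fw_1] eth0:I[60]: 10.10.10.5 -> 172.20.168.16 (TCP) len=60 id=4001
TCP: 40000 -> 80 ....S. seq=00000001 ack=00000000
[vs_0][fw_1] eth1:o[60]: 10.10.10.5 -> 172.20.168.16 (TCP) len=60 id=4001
TCP: 40000 -> 80 ....S. seq=00000001 ack=00000000
[vs_0][fw_1] eth1:O[60]: 203.0.113.2 -> 172.20.168.16 (TCP) len=60 id=4001
TCP: 10500 -> 80 ....S. seq=00000001 ack=00000000
[vs_0][fw_1] 12Sep2018 19:08:05.463165 eth0:iq[40]: 10.10.10.9 -> 172.20.168.16 (TCP) len=40 id=17398
TCP: 64424 -> 23 ....S. seq=3c951092 ack=00000000
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
"""

if __name__ == "__main__":
    for p in track(parse_records(SAMPLE)):
        print(p["flow"], p["points"], p["verdict"], ("NAT: " + p["nat"]) if p["nat"] else "")
```

Run it against a saved capture with `python3 fwmon_paths.py < capture.txt` after replacing SAMPLE with `sys.stdin.read()`; a packet whose last point is "i" is the one to look for in the Security Gateway logs, and a differing address pair between the first and last copy shows where NAT was applied (use "-m o O" to capture both sides of it, as noted above).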

Generic Examples

Example 1 - Default syntax


[Expert@MyGW:0]# fw monitor
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31790
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a47
... ... ...
monitor: caught sig 2
monitor: unloading
[Expert@MyGW:0]#


Example 2 - Showing timestamps in the output for each packet


[Expert@MyGW:0]# fw monitor -T
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] 12Sep2018 19:08:05.453947 eth0:oq[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124
id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.453960 eth0:OQ[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124
id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454059 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252
id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454064 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252
id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454072 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252
id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454074 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252
id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.463165 eth0:iq[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
[vs_0][fw_1] 12Sep2018 19:08:05.463177 eth0:IQ[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
monitor: unloading
[Expert@MyGW:0]#

Example 3 - Capturing only three Pre-Inbound packets at the FireWall Virtual Machine module
[Expert@MyGW:0]# fw monitor -m i -ci 3
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31905
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e683b
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31906
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e68ef
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31907
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e69a3
monitor: unloading
Read 3 inbound packets and 0 outbound packets
[Expert@MyGW:0]#

Example 4 - Inserting the FW Monitor chain module before chain position #2 and capturing only three
Pre-Inbound packets

[Expert@MyGW:0]# fw ctl chain
in chain (15):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
5: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
6: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
7: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
8: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
9: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
10: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
11: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
12: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
13: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
14: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (14):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
4: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
5: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
6: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
7: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
8: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
9: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
10: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
11: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
12: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
13: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw monitor -pi 2 -ci 3
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800001 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
3: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228
id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228
id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356
id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356
id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356
id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356
id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412
id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716
id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
monitor: unloading
Read 3 inbound packets and 5 outbound packets
[Expert@MyGW:0]#


Example 5 - Showing list of Chain Modules with the FW Monitor, when you do not change
the default capture positions
[Expert@MyGW:0]# fw ctl chain
in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#

Examples for the "-e" parameter

Example 1 - Capture everything

[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

Example 2 - Capture traffic to / from specific hosts

To specify a host, you can use one of these expressions:


n Use "host(<IP_Address_in_Dotted_Decimal_format>)", which applies to both
the Source IP address and the Destination IP address
n Use a specific Source IP address "src=<IP_Address_in_Dotted_Decimal_format>"
and a specific Destination IP address "dst=<IP_Address_in_Dotted_Decimal_format>"
Example filters:


n Capture everything between host X and host Y:

[Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

n Capture everything between hosts X,Z and hosts Y,Z in all Firewall kernel chains:

[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap

n Capture everything to/from host X or to/from host Y or to/from host Z:

[Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap

Example 3 - Capture traffic to / from specific ports


Note - You must specify port numbers in Decimal format. Refer to the
/etc/services file on the Security Gateway, or to IANA Service Name and Port
Number Registry.

To specify a port, you can use one of these expressions:


n Use "port(<IANA_Port_Number>)", which applies to both Source Port and Destination
Port
n Use a specific Source Port "sport=<IANA_Port_Number>" and a specific Destination Port
"dport=<IANA_Port_Number>"
n In addition:
l For specific TCP port, you can use "tcpport(<IANA_Port_Number>)", which
applies to both Source TCP Port and Destination TCP Port
l For specific UDP port, you can use "udpport(<IANA_Port_Number>)", which
applies to both Source UDP Port and Destination UDP Port
Example filters:
n Capture everything to/from port X:

[Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "(sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

n Capture everything except port X:

[Expert@HostName]# fw monitor -e "((sport!=x) and (dport!=x)), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "not (sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

- Capture everything except SSH:

[Expert@HostName]# fw monitor -e "((sport!=22) and (dport!=22)), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "not (sport=22 or dport=22), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "not tcpport(22), accept;" -o /var/log/fw_mon.cap

- Capture everything to/from host X except SSH:

[Expert@HostName]# fw monitor -e "(host(x.x.x.x) and (sport!=22 and dport!=22)), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) and (not (sport=22 or dport=22))), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "(host(x.x.x.x) and not tcpport(22)), accept;" -o /var/log/fw_mon.cap

- Capture everything except NTP:

[Expert@HostName]# fw monitor -e "not udpport(123), accept;" -o /var/log/fw_mon.cap

Example 4 - Capture traffic over specific protocol

Note - You must specify protocol numbers in Decimal format. Refer to the /etc/protocols file on the Security Gateway, or to the IANA Protocol Numbers registry.

To specify a protocol, you can use one of these expressions:

- Use "ip_p=<IANA_Protocol_Number>"

  Examples:
    - To specify the TCP protocol, use "ip_p=6"
    - To specify the UDP protocol, use "ip_p=17"
    - To specify the ICMP protocol, use "ip_p=1"

- Use "accept [9:1]=<IANA_Protocol_Number>" (the protocol number is the byte at offset 9 of the IP packet)

  Examples:
    - To specify the TCP protocol with byte offset, use "accept [9:1]=6"
    - To specify the UDP protocol with byte offset, use "accept [9:1]=17"
    - To specify the ICMP protocol with byte offset, use "accept [9:1]=1"

- In addition, you can explicitly use these expressions to specify protocols:

Summary Table

Protocol to specify | Port(s) on which traffic is captured | Expression
TCP | N/A | "tcp, accept;"
UDP | N/A | "udp, accept;"
ICMPv4 | N/A | "icmp, accept;" or "icmp4, accept;"
ICMPv6 | N/A | "icmp6, accept;"
HTTP | TCP 80 | "http, accept;"
HTTPS | TCP 443 | "https, accept;"
PROXY | TCP 8080 | "proxy, accept;"
DNS | UDP 53 | "dns, accept;"
IKE | UDP 500 | "ike, accept;"
NAT-T | UDP 4500 | "natt, accept;"
ESP and IKE | IP proto 50 and UDP 500 | "vpn, accept;"
All VPN-related data (see the list below) | see the list below | "vpnall, accept;"
Multi-Portal connections | TCP 443 and TCP 444 | "multi, accept;"
SSH | TCP 22 | "ssh, accept;"
FTP | TCP 20 and TCP 21 | "ftp, accept;"
Telnet | TCP 23 | "telnet, accept;"
SMTP | TCP 25 | "smtp, accept;"
POP3 | TCP 110 | "pop3, accept;"

VPN-related data captured by "vpnall, accept;":
    a. ESP - IP proto 50
    b. IPsec over UDP - UDP 2746
    c. IKE - UDP 500
    d. NAT-T - UDP 4500
    e. CRL - TCP 18264
    f. RDP - UDP 259
    g. Tunnel Test - UDP 18234
    h. Topology - TCP 264
    i. L2TP - TCP 1701
    j. SCV - UDP 18233
    k. Multi-Portal - TCP 443 + TCP 444
    l. and so on

Example filters:

- Filter to capture everything on protocol X:

[Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

- Filter to capture everything on protocol X and port Z on protocol Y:

[Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap

- Filter to capture everything TCP between host X and host Y:

[Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "tcp, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap

[Expert@HostName]# fw monitor -e "accept [9:1]=6 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"

[Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

Example 5 - Capture traffic with specific protocol options

Note - Refer to the $FWDIR/lib/tcpip.def file on the Security Gateway.

Summary Table for IPv4

Option Description | Expression | Example
Source IPv4 address of the IPv4 packet | ip_src = <IPv4_Address> | fw monitor -e "ip_src = 192.168.22.33, accept;"
Destination IPv4 address of the IPv4 packet | ip_dst = <IPv4_Address> | fw monitor -e "ip_dst = 192.168.22.33, accept;"
Time To Live of the IPv4 packet | ip_ttl = <Number> | fw monitor -e "ip_ttl = 255, accept;"
Total Length of the IPv4 packet in bytes | ip_len = <Length_in_Bytes> | fw monitor -e "ip_len = 64, accept;"
TOS field of the IPv4 packet | ip_tos = <Number> | fw monitor -e "ip_tos = 0, accept;"
IANA Protocol Number (either in Dec or in Hex) encapsulated in the IPv4 packet | ip_p = <IANA_Protocol_Number> | see the examples below
    Example for TCP: fw monitor -e "ip_p = 6, accept;"
    Examples for UDP: fw monitor -e "ip_p = 17, accept;" or fw monitor -e "ip_p = 0x11, accept;"
    Example for ICMPv4: fw monitor -e "ip_p = 1, accept;"

Summary Table for IPv6

Option Description | Expression | Example
Source IPv6 address of the IPv6 packet | ip_src6p = <IPv6_Address> | fw monitor -e "ip_src6p = 0:0:0:0:0:ffff:c0a8:1621, accept;"
Destination IPv6 address of the IPv6 packet | ip_dst6p = <IPv6_Address> | fw monitor -e "ip_dst6p = 0:0:0:0:0:ffff:c0a8:1621, accept;"
Payload Length of the IPv6 packet in bytes | ip_len6 = <Length_in_Bytes> | fw monitor -e "ip_len6 = 1000, accept;"
Hop Limit ("Time To Live") of the IPv6 packet | ip_ttl6 = <Number> | fw monitor -e "ip_ttl6 = 255, accept;"
Next Header of the IPv6 packet (encapsulated IANA Protocol Number) | ip_p6 = <IANA_Protocol_Number> | fw monitor -e "ip_p6 = 6, accept;"

Summary Table for TCP

Option Description | Expression | Example
SYN flag is set in TCP packet | syn | fw monitor -e "ip_p = 6, syn, accept;"
ACK flag is set in TCP packet | ack | fw monitor -e "ip_p = 6, ack, accept;"
RST flag is set in TCP packet | rst | fw monitor -e "ip_p = 6, rst, accept;"
FIN flag is set in TCP packet | fin | fw monitor -e "ip_p = 6, fin, accept;"
First packet of TCP connection (SYN flag is set, but ACK flag is not set in TCP packet) | first | fw monitor -e "ip_p = 6, first, accept;"
Not the first packet of TCP connection (SYN flag is not set in TCP packet) | not_first | fw monitor -e "ip_p = 6, not_first, accept;"
Established TCP connection (either ACK flag is set, or SYN flag is not set in TCP packet) | established | fw monitor -e "ip_p = 6, established, accept;"
Last packet of TCP connection (both ACK flag and FIN flag are set in TCP packet) | last | fw monitor -e "ip_p = 6, last, accept;"
End of TCP connection (either RST flag is set, or FIN flag is set in TCP packet) | tcpdone | fw monitor -e "ip_p = 6, tcpdone, accept;"
General way to match the flags inside TCP packets | th_flags = <Sum_of_Flags_Hex_Values> | see the TCP flag examples below
TCP source port | th_sport = <Port_Number> | fw monitor -e "th_sport = 59259, accept;"
TCP destination port | th_dport = <Port_Number> | fw monitor -e "th_dport = 22, accept;"
TCP sequence number (either in Dec or in Hex) | th_seq = <Number> | Dec format: fw monitor -e "th_seq = 3937833514, accept;" Hex format: fw monitor -e "th_seq = 0xeab6922a, accept;"
TCP acknowledgment number (either in Dec or in Hex) | th_ack = <Number> | Dec format: fw monitor -e "th_ack = 509054325, accept;" Hex format: fw monitor -e "th_ack = 0x1e578d75, accept;"

TCP flag examples for "th_flags" (the value is the sum of the hex values of the flags to match):
    SYN (0x2): fw monitor -e "th_flags = 0x2, accept;"
    ACK (0x10): fw monitor -e "th_flags = 0x10, accept;"
    PSH (0x8): fw monitor -e "th_flags = 0x8, accept;"
    FIN (0x1): fw monitor -e "th_flags = 0x1, accept;"
    RST (0x4): fw monitor -e "th_flags = 0x4, accept;"
    URG (0x20): fw monitor -e "th_flags = 0x20, accept;"
    SYN + ACK (0x12): fw monitor -e "th_flags = 0x12, accept;"
    PSH + ACK (0x18): fw monitor -e "th_flags = 0x18, accept;"
    FIN + ACK (0x11): fw monitor -e "th_flags = 0x11, accept;"
    RST + ACK (0x14): fw monitor -e "th_flags = 0x14, accept;"

Summary Table for UDP

Option Description | Expression | Example
UDP source port | uh_sport = <Port_Number> | fw monitor -e "uh_sport = 53, accept;"
UDP destination port | uh_dport = <Port_Number> | fw monitor -e "uh_dport = 53, accept;"

Summary Table for ICMPv4

Option Description | Expression | Example
ICMPv4 packets with specified Type | icmp_type = <Number> | fw monitor -e "icmp_type = 0, accept;"
ICMPv4 packets with specified Code | icmp_code = <Number> | fw monitor -e "icmp_code = 0, accept;"
ICMPv4 packets with specified Identifier | icmp_id = <Number> | fw monitor -e "icmp_id = 20583, accept;"
ICMPv4 packets with specified Sequence number | icmp_seq = <Number> | fw monitor -e "icmp_seq = 1, accept;"
ICMPv4 Echo Request packets (Type 8, Code 0) | echo_req | fw monitor -e "echo_req, accept;"
ICMPv4 Echo Reply packets (Type 0, Code 0) | echo_reply | fw monitor -e "echo_reply, accept;"
ICMPv4 Echo Request and ICMPv4 Echo Reply packets | ping | fw monitor -e "ping, accept;"
Traceroute packets as implemented in Unix OS (UDP packets on ports above 30000 and with TTL<30; or ICMP Time Exceeded packets) | traceroute | fw monitor -e "traceroute, accept;"
Traceroute packets as implemented in Windows OS (ICMP Request packets with TTL<30; or ICMP Time Exceeded packets) | tracert | fw monitor -e "tracert, accept;"
Length of ICMPv4 packets | icmp_ip_len = <length> | fw monitor -e "icmp_ip_len = 84, accept;"

Summary Table for ICMPv6

Option Description | Expression | Example
ICMPv6 packets with specified Type | icmp6_type = <Number> | fw monitor -e "icmp6_type = 1, accept;"
ICMPv6 packets with specified Code | icmp6_code = <Number> | fw monitor -e "icmp6_code = 3, accept;"

Example 6 - Capture specific bytes in packets

Syntax:

fw monitor -e "accept [ <Offset> : <Length> , <Byte Order> ] <Relational-Operator> <Value>;"

Parameters:

<Offset>
    Specifies the offset relative to the beginning of the IP packet from where the value should be read.

<Length>
    Specifies the number of bytes:
    - 1 = byte
    - 2 = word
    - 4 = dword
    If the length is not specified, FW Monitor assumes 4 (dword).

<Byte Order>
    Specifies the byte order:
    - b = big endian, or network order
    - l = little endian, or host order
    If the order is not specified, FW Monitor assumes little endian byte order.

<Relational-Operator>
    Relational operator to express the relation between the packet data and the value:
    - < - less than
    - > - greater than
    - <= - less than or equal to
    - >= - greater than or equal to
    - = or is - equal to
    - != or is not - not equal to

<Value>
    One of the data types known to INSPECT (for example, an IP address, or an integer).

Explanations:

- The IP-based protocols are stored in the IP packet as a byte at offset 9.
    - To filter based on a Protocol encapsulated into IP, use this syntax:

[Expert@HostName]# fw monitor -e "accept [9:1]=<IANA_Protocol_Number>;"

- The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address).
    - To filter based on a Source IP address, use this syntax:

[Expert@HostName]# fw monitor -e "accept [12:4,b]=<IP_Address_in_Dotted_Decimal_format>;"

    - To filter based on a Destination IP address, use this syntax:

[Expert@HostName]# fw monitor -e "accept [16:4,b]=<IP_Address_in_Dotted_Decimal_format>;"

- The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port).
    - To filter based on a Source port, use this syntax:

[Expert@HostName]# fw monitor -e "accept [20:2,b]=<Port_Number_in_Decimal_format>;"

    - To filter based on a Destination port, use this syntax:

[Expert@HostName]# fw monitor -e "accept [22:2,b]=<Port_Number_in_Decimal_format>;"

Example filters:

- Capture everything between host X and host Y:

[Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"

- Capture everything on port X:

[Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap

Example 7 - Capture traffic to/from specific network

You must specify the network address and the length of the network mask (number of bits).
There are 3 options:

Traffic direction | Expression
To or From a network | "net(<Network_IP_Address>, <Mask_Length>), accept;"
To a network | "to_net(<Network_IP_Address>, <Mask_Length>), accept;"
From a network | "from_net(<Network_IP_Address>, <Mask_Length>), accept;"

Example filters:

- Capture everything to/from network 192.168.33.0 / 24:

[Expert@HostName]# fw monitor -e "net(192.168.33.0, 24), accept;"

- Capture everything sent to network 192.168.33.0 / 24:

[Expert@HostName]# fw monitor -e "to_net(192.168.33.0, 24), accept;"

- Capture everything sent from network 192.168.33.0 / 24:

[Expert@HostName]# fw monitor -e "from_net(192.168.33.0, 24), accept;"

Example 8 - Filter out irrelevant "noise"

Filter in only the TCP protocol on the HTTP and HTTPS ports, and filter out SSH and the Firewall log traffic (port 257):

[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443));" -o /var/log/fw_mon.cap

Examples for the "-F" parameter

You can specify up to 5 capture filters with this parameter (up to 5 instances of the "-F" parameter in the syntax).
The FW Monitor performs the logical "OR" between all specified simple capture filters.
Value 0 is used as "any".

Example 1 - Capture everything

[Expert@HostName]# fw monitor -F "0,0,0,0,0" -o /var/log/fw_mon.cap

Example 2 - Capture traffic to / from specific hosts

- Capture all traffic from Source IP x.x.x.x (any port) to Destination IP y.y.y.y (any port), over all protocols:

[Expert@HostName]# fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -o /var/log/fw_mon.cap

- Capture all traffic between Host x.x.x.x (any port) and Host y.y.y.y (any port), over all protocols:

[Expert@HostName]# fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -F "y.y.y.y,0,x.x.x.x,0,0" -o /var/log/fw_mon.cap

Example 3 - Capture traffic to / from specific ports

- Capture traffic from any Source IP from Source Port X to any Destination IP to Destination Port Y, over all protocols:

[Expert@HostName]# fw monitor -F "0,x,0,y,0" -o /var/log/fw_mon.cap

- Capture traffic between all hosts, between Port X and Port Y, over all protocols:

[Expert@HostName]# fw monitor -F "0,x,0,y,0" -F "0,y,0,x,0" -o /var/log/fw_mon.cap

Example 4 - Capture traffic over specific protocol

- Capture traffic between all hosts, between all ports, over a Protocol with assigned number X:

[Expert@HostName]# fw monitor -F "0,0,0,0,x" -o /var/log/fw_mon.cap

Example 5 - Capture traffic between specific hosts between specific ports over specific protocol

[Expert@HostName]# fw monitor -F "a.a.a.a,b,c.c.c.c,d,e" -F "c.c.c.c,d,a.a.a.a,b,e" -o /var/log/fw_mon.cap

To capture only HTTP traffic between the Client 1.1.1.1 and the Server 2.2.2.2:

fw monitor -F "1.1.1.1,0,2.2.2.2,80,6" -F "2.2.2.2,80,1.1.1.1,0,6" -o /var/log/fw_mon.cap
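The byte-offset syntax of Example 6 and the "-F" simple filters above can be checked offline. The following Python script is an added example (not part of this guide and not Check Point code): it builds constructed IPv4/TCP packets, evaluates "[<Offset>:<Length>,<Byte Order>] <op> <Value>" terms and 5-field "-F" filters against them, and shows that the fixed offsets 20 and 22 locate the ports only when the IPv4 header carries no options, whereas the "-F" matcher reads the header length. All function names and sample addresses are the example's own.

```python
"""Added example (not from the guide and not Check Point code): evaluate fw monitor
byte-offset terms and "-F" simple filters against constructed IPv4/TCP packets."""
import ipaddress
import operator
import re
import struct

def build_ipv4_tcp(src, dst, sport, dport, flags=0x02, ttl=64, options=b"", payload=b""):
    """Constructed sample packet: IPv4 header (plus optional IP options padded to a
    multiple of 4 bytes) followed by a 20-byte TCP header. Checksums stay zero."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + options + tcp + payload

def read_field(packet, offset, length=4, order="l"):
    """Read <Length> bytes at <Offset> from the start of the IP packet.
    'b' = big endian (network order), 'l' = little endian (host order). When omitted,
    fw monitor assumes 4 bytes and little endian, which is why the guide writes [9:1]
    for the protocol byte and [12:4,b] for an address."""
    if length not in (1, 2, 4):
        raise ValueError("length must be 1 (byte), 2 (word) or 4 (dword)")
    chunk = packet[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("offset/length beyond the end of the packet")
    return int.from_bytes(chunk, "big" if order == "b" else "little")

# "[<Offset>:<Length>,<Byte Order>] <Relational-Operator> <Value>"
_OFFSET_TERM = re.compile(
    r"\[\s*(\d+)\s*(?::\s*(\d+))?\s*(?:,\s*([bl]))?\s*\]\s*"
    r"(<=|>=|!=|<|>|=|is\s+not|is)\s*(\S+)")
_OPERATORS = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge,
              "=": operator.eq, "is": operator.eq, "!=": operator.ne, "is not": operator.ne}

def parse_value(text):
    """<Value> is an IPv4 address in dotted decimal, or an integer in decimal or hex."""
    if text.count(".") == 3:
        return int(ipaddress.IPv4Address(text))
    return int(text, 0)

def offset_term_match(packet, term):
    """Evaluate one byte-offset term such as "[9:1]=6" or "[16:4,b] is 10.0.0.5"."""
    match = _OFFSET_TERM.fullmatch(term.strip())
    if not match:
        raise ValueError(f"not a byte-offset term: {term!r}")
    offset, length, order, op, value = match.groups()
    field = read_field(packet, int(offset), int(length) if length else 4, order or "l")
    return _OPERATORS[" ".join(op.split())](field, parse_value(value))

def parse_simple_filter(text):
    """Parse one "-F" value "<src>,<sport>,<dst>,<dport>,<proto>"; 0 means any."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 5:
        raise ValueError("a simple filter needs exactly 5 comma-separated fields")
    src, sport, dst, dport, proto = parts
    return (None if src == "0" else int(ipaddress.IPv4Address(src)),
            None if sport == "0" else int(sport),
            None if dst == "0" else int(ipaddress.IPv4Address(dst)),
            None if dport == "0" else int(dport),
            None if proto == "0" else int(proto))

def packet_tuple(packet):
    """(src, sport, dst, dport, proto) of an IPv4 packet, located via the IHL so that
    IP options do not shift the ports (unlike the fixed offsets 20 and 22)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = read_field(packet, 12, 4, "b"), read_field(packet, 16, 4, "b")
    sport = dport = 0
    if proto in (6, 17):  # TCP and UDP headers both start with the two 16-bit ports
        sport, dport = read_field(packet, ihl, 2, "b"), read_field(packet, ihl + 2, 2, "b")
    return (src, sport, dst, dport, proto)

def simple_filters_match(packet, filters):
    """fw monitor ORs up to five -F filters; inside one filter every non-zero field must
    match, so a single filter is one-directional and "between" two hosts needs two."""
    if not 1 <= len(filters) <= 5:
        raise ValueError("between 1 and 5 -F filters are supported")
    actual = packet_tuple(packet)
    return any(all(want is None or want == have
                   for want, have in zip(parse_simple_filter(f), actual))
               for f in filters)

if __name__ == "__main__":
    pkt = build_ipv4_tcp("192.168.22.33", "10.0.0.5", 59259, 443)
    for term in ("[9:1]=6", "[12:4,b]=192.168.22.33", "[22:2,b]=443", "[22:2]=443"):
        print(f"{term:24} -> {offset_term_match(pkt, term)}")
    print("reverse-direction -F only:", simple_filters_match(pkt, ["10.0.0.5,0,192.168.22.33,0,0"]))
```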

fw repairlog
Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases, with special pointer files.
If these log pointer files become corrupted (which causes the inability to read the log file), this command can rebuild them.

Log File Type | Log File Location | Log Pointer Files
Security log | $FWDIR/log/*.log | *.logptr, *.logaccount_ptr, *.loginitial_ptr, *.logLuuidDB
Audit log | $FWDIR/log/*.adtlog | *.adtlogptr, *.adtlogaccount_ptr, *.adtloginitial_ptr, *.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file

fw repairlog -u 2019-06-17_000000.adtlog

fw sam
Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
- In SmartConsole from Monitoring Results
- In CLI with the fw sam command

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- See the "fw sam_policy" and "sam_alert" commands.
- SAM rules consume some CPU resources on the Security Gateway.
  Best Practice - Set an expiration that gives you time to investigate, but does not affect performance. Keep only the SAM rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  This data log file contains the records in one of these formats:

  <type>,<actions>,<expire>,<ipaddr>

  <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>

- SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
- IP Addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:

1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.

Syntax
- To add or cancel a SAM rule according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

- To delete all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

- To monitor all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

- To monitor SAM rules according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.

-S <SIC Name of SAM Server>
    Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.
    - For more information about enabling SIC, refer to the OPSEC API Specification.
    - On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway, on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or StandAlone.
    - Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
      Notes:
      - You can use this syntax only on Security Management Server or Domain Management Server.
      - VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
    - It is also possible to use this command for active SAM requests.

-C
    Cancels the fw sam command to inhibit connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds), during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for the enforced action:
    - nolog - Does not generate a Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:
    - This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
    - This action does not inhibit / close connections.

-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Each inhibited connection is logged according to the log type.
    - Matching connections are rejected.

-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.

-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    - Source IP Address
    - Source Netmask
    - Destination IP Address
    - Destination Netmask
    - Port (see IANA Service Name and Port Number Registry)
    - Protocol Number (see IANA Protocol Numbers)

    Possible combinations are (see the explanations below):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>

Explanation for the <Criteria> syntax

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.

subany <IP> <Netmask>
    Matches either the Source IP address or Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.
    Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, source netmask, destination netmask, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches specific Source IP address, Destination IP, destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Service> <Protocol>
    Matches specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>
    Matches specific Destination IP address, Service (port number) and Protocol.
    Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address and protocol of connections.
    Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address and protocol of connections.
    Destination IP address is assigned according to the netmask.

generic <key=val>+
    Matches the GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    - service=gtp
    - imsi
    - msisdn
    - apn
    - tunl_dst
    - tunl_dport
    - tunl_proto

fw sam_policy
Description
Manages the Suspicious Activity Policy editor that lets you work with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 271
- "sam_alert" on page 370
Notes:
- You can run these commands interchangeably: 'fw sam_policy' and 'fw samp'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
    - In Gaia Clish, run: set virtual-system <VSID>
    - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Syntax for IPv6

fw6 [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw6 [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 282.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 295.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 297.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 300.

CLI R80.40 Reference Guide      |      1067


fw sam_policy add

fw sam_policy add

Description
The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy add' and 'fw samp add'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy
  configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable
  Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster
  Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the SAM Policy rules that you need. If you confirm that
an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f
<Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule
Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f
<Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule
Originator">] [-z "<Zone>"] ip <IP Filter Arguments>


Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f
<Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule
Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f
<Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule
Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

Parameter       Description

-d              Runs the command in debug mode.
                Use only if you troubleshoot the command itself.
                Best Practice - If you use this parameter, then redirect the output to a file,
                or use the script command to save the entire CLI session.

-u              Optional.
                Specifies that the rule category is User-defined.
                Default rule category is Auto.

-a {d | n | b}  Mandatory.
                Specifies the rule action if the traffic matches the rule conditions:
                - d - Drop the connection.
                - n - Notify (generate a log) about the connection and let it through.
                - b - Bypass the connection - let it through without checking it against the
                  policy rules.
                Note - Rules with action set to Bypass cannot have a log or limit specification.
                Bypassed packets and connections do not count towards the overall number of
                packets and connections for limit enforcement of type ratio.

-l {r | a}      Optional.
                Specifies which type of log to generate for this rule for all traffic that matches:
                - r - Generate a regular log
                - a - Generate an alert log


-t <Timeout>    Optional.
                Specifies the time period (in seconds) during which the rule will be enforced.
                Default timeout is indefinite.

-f <Target>     Optional.
                Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
                <Target> can be one of these:
                - all - This is the default option. Specifies that the rule should be enforced on
                  all managed Security Gateways.
                - Name of the Security Gateway or Cluster object - Specifies that the rule should
                  be enforced only on this Security Gateway or Cluster object (the object name
                  must be as defined in the SmartConsole).
                - Name of the Group object - Specifies that the rule should be enforced on all
                  Security Gateways that are members of this Group object (the object name
                  must be as defined in the SmartConsole).

-n "<Rule Name>"
                Optional.
                Specifies the name (label) for this rule.
                Notes:
                - You must enclose this string in double quotes.
                - The length of this string is limited to 128 characters.
                - Before each space or backslash character in this string, you must write a
                  backslash (\) character. Example:

                  "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
                Optional.
                Specifies the comment for this rule.
                Notes:
                - You must enclose this string in double quotes.
                - The length of this string is limited to 128 characters.
                - Before each space or backslash character in this string, you must write a
                  backslash (\) character. Example:

                  "This\ is\ a\ comment\ with\ a\ backslash\ \\"


-o "<Rule Originator>"
                Optional.
                Specifies the name of the originator for this rule.
                Notes:
                - You must enclose this string in double quotes.
                - The length of this string is limited to 128 characters.
                - Before each space or backslash character in this string, you must write a
                  backslash (\) character. Example:

                  "Created\ by\ John\ Doe"

-z "<Zone>"     Optional.
                Specifies the name of the Security Zone for this rule.
                Notes:
                - You must enclose this string in double quotes.
                - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
                Mandatory (use this ip parameter, or the quota parameter).
                Configures the Suspicious Activity Monitoring (SAM) rule.
                Specifies the IP Filter Arguments for the SAM rule (you must use at least one of
                these options):

                [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>]
                [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]

                See the explanations below.


quota <Quota Filter Arguments>
                Mandatory (use this quota parameter, or the ip parameter).
                Configures the Rate Limiting rule.
                Specifies the Quota Filter Arguments for the Rate Limiting rule (see the
                explanations below):
                - [flush true]
                - [source-negated {true | false}] source <Source>
                - [destination-negated {true | false}] destination <Destination>
                - [service-negated {true | false}] service <Protocol and Port numbers>
                - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ...
                  [<LimitN Name> <LimitN Value>]
                - [track <Track>]

                Important:
                - The Quota rules are not applied immediately to the Security Gateway. They are
                  only registered in the Suspicious Activity Monitoring (SAM) policy database. To
                  apply all the rules from the SAM policy database immediately, add "flush true"
                  in the fw samp add command syntax.
                - Explanation:
                  For the new connections rate (and for any rate limiting in general), when a
                  rule's limit is violated, the Security Gateway also drops all packets that
                  match the rule.
                  The Security Gateway computes new connection rates on a per-second basis.
                  At the start of the 1-second timer, the Security Gateway allows all packets,
                  including packets for existing connections.
                  If, at some point during that 1-second period, there are too many new
                  connections, then the Security Gateway blocks all remaining packets for the
                  remainder of that 1-second interval.
                  At the start of the next 1-second interval, the counters are reset, and the
                  process starts over - the Security Gateway allows packets to pass again up to
                  the point where the rule's limit is violated.


Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

Argument                Description

-C                      Specifies that open connections should be closed.

-s <Source IP>          Specifies the Source IP address.

-m <Source Mask>        Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>     Specifies the Destination IP address.

-M <Destination Mask>   Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>               Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>           Specifies the protocol number (see IANA Protocol Numbers).


Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument        Description

flush true      Specifies to compile and load the quota rule to the SecureXL immediately.

[source-negated {true | false}] source <Source>
                Specifies the source type and its value:
                - any
                  The rule is applied to packets sent from all sources.
                - range:<IP Address>
                  or
                  range:<IP Address Start>-<IP Address End>
                  The rule is applied to packets sent from:
                  - Specified IPv4 addresses (x.y.z.w)
                  - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
                - cidr:<IP Address>/<Prefix>
                  The rule is applied to packets sent from:
                  - IPv4 address with Prefix from 0 to 32
                  - IPv6 address with Prefix from 0 to 128
                - cc:<Country Code>
                  The rule matches the country code to the source IP addresses assigned to this
                  country, based on the Geo IP database.
                  The two-letter codes are defined in ISO 3166-1 alpha-2.
                - asn:<Autonomous System Number>
                  The rule matches the AS number of the organization to the source IP addresses
                  that are assigned to this organization, based on the Geo IP database.
                  The valid syntax is ASnnnn, where nnnn is a number unique to the specific
                  organization.

                Notes:
                - Default is: source-negated false
                - The source-negated true processes all source types, except the specified type.


[destination-negated {true | false}] destination <Destination>
                Specifies the destination type and its value:
                - any
                  The rule is applied to packets sent to all destinations.
                - range:<IP Address>
                  or
                  range:<IP Address Start>-<IP Address End>
                  The rule is applied to packets sent to:
                  - Specified IPv4 addresses (x.y.z.w)
                  - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
                - cidr:<IP Address>/<Prefix>
                  The rule is applied to packets sent to:
                  - IPv4 address with Prefix from 0 to 32
                  - IPv6 address with Prefix from 0 to 128
                - cc:<Country Code>
                  The rule matches the country code to the destination IP addresses assigned to
                  this country, based on the Geo IP database.
                  The two-letter codes are defined in ISO 3166-1 alpha-2.
                - asn:<Autonomous System Number>
                  The rule matches the AS number of the organization to the destination IP
                  addresses that are assigned to this organization, based on the Geo IP database.
                  The valid syntax is ASnnnn, where nnnn is a number unique to the specific
                  organization.

                Notes:
                - Default is: destination-negated false
                - The destination-negated true processes all destination types, except the
                  specified type.


[service-negated {true | false}] service <Protocol and Port numbers>
                Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see
                IANA Service Name and Port Number Registry):
                - <Protocol>
                  IP protocol number in the range 1-255
                - <Protocol Start>-<Protocol End>
                  Range of IP protocol numbers
                - <Protocol>/<Port>
                  IP protocol number in the range 1-255 and TCP/UDP port number in the range
                  1-65535
                - <Protocol>/<Port Start>-<Port End>
                  IP protocol number and range of TCP/UDP port numbers from 1 to 65535

                Notes:
                - Default is: service-negated false
                - The service-negated true processes all traffic except the traffic with the
                  specified protocols and ports.


[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
                Specifies quota limits and their values.
                Note - Separate multiple quota limits with spaces.
                - concurrent-conns <Value>
                  Specifies the maximal number of concurrent active connections that match this
                  rule.
                - concurrent-conns-ratio <Value>
                  Specifies the maximal ratio of the concurrent-conns value to the total number of
                  active connections through the Security Gateway, expressed in parts per 65536
                  (formula: N / 65536).
                - pkt-rate <Value>
                  Specifies the maximum number of packets per second that match this rule.
                - pkt-rate-ratio <Value>
                  Specifies the maximal ratio of the pkt-rate value to the rate of all connections
                  through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
                - byte-rate <Value>
                  Specifies the maximal total number of bytes per second in packets that match
                  this rule.
                - byte-rate-ratio <Value>
                  Specifies the maximal ratio of the byte-rate value to the bytes per second rate
                  of all connections through the Security Gateway, expressed in parts per 65536
                  (formula: N / 65536).
                - new-conn-rate <Value>
                  Specifies the maximal number of connections per second that match the rule.
                - new-conn-rate-ratio <Value>
                  Specifies the maximal ratio of the new-conn-rate value to the rate of all
                  connections per second through the Security Gateway, expressed in parts per
                  65536 (formula: N / 65536).


[track <Track>] Specifies the tracking option:
                - source
                  Counts connections, packets, and bytes for a specific source IP address, and not
                  cumulatively for this rule.
                - source-service
                  Counts connections, packets, and bytes for a specific source IP address, and for
                  a specific IP protocol and destination port, and not cumulatively for this rule.

Examples

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
- This rule drops packets for all connections (-a d) that exceed the quota set by this rule,
  including packets for existing connections.
- This rule logs packets (-l r) that exceed the quota set by this rule.
  Note - The limit of the total number of log entries per second is configured with the
  fwaccel dos config set -n <rate> command.
- This rule will expire in 3600 seconds (-t 3600).
- This rule limits the rate of creation of new connections to 5 connections per second
  (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range
  172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
- This rule will be compiled and loaded on the SecureXL immediately, together with the other
  rules in the Suspicious Activity Monitoring (SAM) policy database, because this rule includes
  the "flush true" parameter.


Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol
  number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country
  with the specified country code (cc:QQ).
- This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol
  number 1, 50-51, 6 port 443 and 17 port 53.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from the source IPv6 addresses ::FFFF:C0A8:1100/120
  (cidr:[::FFFF:C0A8:1100]/120).
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:
- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 -
  172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l r parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that
  are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536 (about 1%)
  (concurrent-conns-ratio 655) for any traffic (service any) except (source-negated true) the
  connections from the source IP addresses that are assigned to the country with the specified
  country code (cc:QQ).
- This rule counts connections, packets, and bytes per source IP address that matches this rule
  (track source), and not cumulatively for this rule.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.
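Building these command lines by hand goes wrong most often in two places this page describes: the backslash that -n, -c and -o require before every space and backslash (with the 128-character limit), and the rule that a Bypass action takes no log and no limit specification. The bash functions below are an added example, not Check Point's code: they compose and print 'fw samp add' Rate Limiting command lines under those rules without running 'fw'; the function names, the SAMP_DEMO variable and the sample rule name "Web whitelist" are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not Check Point's code): compose 'fw samp add' Rate Limiting
# rules with the escaping and constraints this page states. Only prints the
# command line; nothing here executes 'fw'.

# Escape a rule name, comment or originator string for -n, -c or -o:
# a backslash before every space and before every backslash, 128 chars max.
samp_escape() {
    local s="$1"
    if [ "${#s}" -gt 128 ]; then
        echo "samp_escape: string longer than 128 characters" >&2
        return 1
    fi
    # Backslashes first, so the backslashes added for spaces are not doubled.
    printf '%s' "$s" | sed 's/\\/\\\\/g; s/ /\\ /g'
}

# Convert a percentage into the "parts per 65536" value that the *-ratio
# limits take (the page's formula N / 65536), truncated: 1 -> 655, which is
# the value Example 5 above uses.
samp_ratio_from_percent() {
    awk -v p="$1" 'BEGIN { printf "%d\n", p * 65536 / 100 }'
}

# Build one Rate Limiting rule and print it.
#   $1 action: d (drop), n (notify) or b (bypass)
#   $2 timeout in seconds, or "" for an indefinite rule
#   $3 rule name, unescaped, or "" for none
#   $4 source filter, e.g. range:..., cidr:..., cc:.., asn:AS...
#   $5 service filter, e.g. any or 6/80
#   remaining arguments: limit/value pairs, e.g. new-conn-rate 5 flush true
samp_rate_limit_cmd() {
    local action="$1" timeout="$2" name="$3" src="$4" svc="$5" cmd esc
    shift 5
    cmd="fw samp add -a $action"
    case "$action" in
        d|n) cmd="$cmd -l r" ;;        # regular log for drop/notify rules
        b)   ;;                        # bypass: no log specification allowed
        *)   echo "samp_rate_limit_cmd: bad action '$action'" >&2; return 1 ;;
    esac
    if [ -n "$timeout" ]; then
        cmd="$cmd -t $timeout"
    fi
    if [ -n "$name" ]; then
        esc=$(samp_escape "$name") || return 1
        cmd="$cmd -n \"$esc\""
    fi
    cmd="$cmd quota service $svc source $src"
    while [ $# -ge 2 ]; do
        # A bypass rule may still carry 'flush true', but no quota limit.
        if [ "$action" = b ] && [ "$1" != flush ]; then
            echo "samp_rate_limit_cmd: bypass rule cannot carry limit '$1'" >&2
            return 1
        fi
        cmd="$cmd $1 $2"
        shift 2
    done
    if [ $# -ne 0 ]; then
        echo "samp_rate_limit_cmd: limit '$1' has no value" >&2
        return 1
    fi
    printf '%s\n' "$cmd"
}

# Standalone demonstration (SAMP_DEMO=1): the rules of Examples 1 and 4 above.
if [ "${SAMP_DEMO:-0}" = 1 ]; then
    samp_rate_limit_cmd d 3600 "" range:172.16.7.11-172.16.7.13 any new-conn-rate 5 flush true
    samp_rate_limit_cmd b "" "Web whitelist" range:172.16.8.17-172.16.9.121 6/80
fi
```

Each printed line can be run as-is in Expert mode, or, with the leading "fw samp" removed, fed to fw sam_policy batch.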


fw sam_policy batch

Description
The 'fw sam_policy batch' and 'fw6 sam_policy batch' commands let you:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy batch' and 'fw samp batch'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy
  configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable
  Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all of the Cluster
  Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the SAM Policy rules that you need. If you confirm that
an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure

1. Start the batch mode

- For IPv4, run:

fw sam_policy batch << EOF

- For IPv6, run:

fw6 sam_policy batch << EOF

2. Enter the applicable commands

- Enter one "add" or "del" command on each line, on as many lines as necessary.
  Start each line with only the "add" or "del" parameter (not with "fw samp").
- Use the same set of parameters and values as described in these commands:
  - fw sam_policy add
  - fw sam_policy del
- Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

3. End the batch mode

Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
[Expert@HostName]#


fw sam_policy del

Description
The 'fw sam_policy del' and 'fw6 sam_policy del' commands let you:
- Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
- Delete one configured Rate Limiting rule at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy del' and 'fw samp del'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy
  configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable
  Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster
  Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the SAM Policy rules that you need. If you confirm that
an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'


Parameters

Parameter       Description

-d              Runs the command in debug mode.
                Use only if you troubleshoot the command itself.
                Best Practice - If you use this parameter, then redirect the output to a file,
                or use the script command to save the entire CLI session.

'<Rule UID>'    Specifies the UID of the rule you wish to delete.
                Important:
                - The quote marks and angle brackets ('<...>') are mandatory.
                - To see the Rule UID, run the "fw sam_policy get" command.

Procedure

1. List all the existing rules in the Suspicious Activity Monitoring policy database

- For IPv4, run:

fw sam_policy get

- For IPv6, run:

fw6 sam_policy get

The rules show in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log= ... name= ... comment=... originator= ... src_ip_addr=... req_tpe=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip


2. Delete a rule from the list by its UID

n For IPv4, run:

fw [-d] sam_policy del '<Rule UID>'

n For IPv6, run:

fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule

n For IPv4, run:

fw samp add -t 2 quota flush true

n For IPv6, run:

fw6 samp add -t 2 quota flush true

Explanation:
The fw samp del and fw6 samp del commands only remove a rule from the persistent
database. The Security Gateway continues to enforce the deleted rule until the next time you
compile and load a policy. To force the rule deletion immediately, you must enter a flush-only
add rule right after the fw samp del or fw6 samp del command. This flush-only add rule
immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This
prevents accumulation of rules that are obsolete in the database.


fw sam_policy get

Description
The 'fw sam_policy get' and 'fw6 sam_policy get' commands let you:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- You can run these commands interchangeably: 'fw sam_policy get' and 'fw samp get'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy
  configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable
  Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster
  Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the SAM Policy rules that you need. If you confirm that
an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+
{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type>
[+{-v '<Value>'}] [-n]]


Parameters
Note - All these parameters are optional.

Parameter       Description

-d              Runs the command in debug mode.
                Use only if you troubleshoot the command itself.
                Best Practice - If you use this parameter, then redirect the output to a file,
                or use the script command to save the entire CLI session.

-l              Controls how to print the rules:
                - In the default format (without "-l"), the output shows each rule on a
                  separate line.
                - In the list format (with "-l"), the output shows each parameter of a rule on
                  a separate line.
                - See the "fw sam_policy add" command.

-u '<Rule UID>' Prints the rule specified by its Rule UID or its zero-based rule index.
                The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'      Prints the rules with the specified predicate key.
                The quote marks are mandatory.

-t <Type>       Prints the rules with the specified predicate type.
                For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'} Prints the rules with the specified predicate values.
                The quote marks are mandatory.

-n              Negates the condition specified by these predicate parameters:
                - -k
                - -t
                - +-v

Examples

Example 1 - Output in the default format


[Expert@HostName:0]# fw samp get

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log


name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1
req_tpe=ip


Example 2 - Output in the list format


[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID


[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log
name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1
req_tpe=ip


Example 4 - Printing rules that match the specified filters


[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-
172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source
cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-
conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
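The predicate filtering that 'fw samp get -k <key> -t in -v <value>' performs on the gateway, and the 'del' plus flush-only rule that the fw sam_policy del procedure requires, can be reproduced offline against saved get output, which is useful when a deletion is to be reviewed before it is applied. The bash functions below are an added example, not Check Point's code; the function names, the SAMP_DEMO variable and the constructed SAMPLE_GET_OUTPUT (assembled from this page's own example lines) are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not Check Point's code): select rules in saved 'fw samp get'
# output by a key=value predicate and emit the batch that deletes them: one
# 'del' line per rule, then the 2-second flush-only rule from the del procedure
# so the removal takes effect on SecureXL at once.

# Constructed sample in the one-line-per-rule format shown on this page
# (rule lines copied from the page's own examples).
SAMPLE_GET_OUTPUT='operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota'

# Print the UID of every rule on stdin whose <key> equals <value>.
# Values may contain backslash-escaped spaces (name=Test\ Rule), so those are
# protected before each line is split on blanks. Key and value are passed
# through the environment because 'awk -v' would reinterpret the backslashes.
samp_uids_matching() {
    SAMP_KEY="$1" SAMP_VAL="$2" awk '
    BEGIN {
        key = ENVIRON["SAMP_KEY"]; val = ENVIRON["SAMP_VAL"]
        gsub(/\\ /, "\001", val)     # same protection as applied to each line
    }
    {
        line = $0
        gsub(/\\ /, "\001", line)
        n = split(line, f, " ")
        uid = ""; hit = 0
        for (i = 1; i <= n; i++) {
            eq = index(f[i], "=")
            if (eq == 0) continue
            k = substr(f[i], 1, eq - 1)
            v = substr(f[i], eq + 1)
            if (k == "uid") uid = v
            if (k == key && v == val) hit = 1
        }
        if (hit && uid != "") print uid
    }'
}

# Emit the batch that deletes every rule on stdin matching <key> <value>.
samp_del_batch() {
    local uids uid
    uids=$(samp_uids_matching "$1" "$2")
    if [ -z "$uids" ]; then
        echo "samp_del_batch: no rule matches $1=$2" >&2
        return 1
    fi
    # Batch lines start with the bare operation: no 'fw samp', no shell quotes.
    printf '%s\n' "$uids" | while IFS= read -r uid; do
        printf 'del %s\n' "$uid"
    done
    # Flush-only rule from the del procedure: applies the removal now, expires in 2 s.
    echo 'add -t 2 quota flush true'
}

# Standalone demonstration (SAMP_DEMO=1); on a gateway the equivalent would be
#   fw samp get | samp_del_batch source cc:QQ | fw samp batch
if [ "${SAMP_DEMO:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_GET_OUTPUT" | samp_del_batch source cc:QQ
fi
```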


fw showuptables
Description
Shows the formatted contents of the Unified Policy kernel tables.

Syntax

fw [-d] showuptables
[-h]
[-i]

Parameters

Parameter       Description

-d              Runs the command in debug mode.
                Use only if you troubleshoot the command itself.
                Best Practice - If you use this parameter, then redirect the output to a file,
                or use the script command to save the entire CLI session.

-h              Shows the built-in usage.

-i              Shows the implied rules layers.

fw stat
Description
Shows the following information about the policy on the Security Gateway:
n Name of the installed policy.
n Date of the last policy installation.
n Names of the interfaces protected by the installed policy, and in which direction the policy protects
them.

Important - This command is outdated and exists only for backward compatibility with
very old versions. Use the "cpstat -f policy fw" command instead (see
"cpstat" on page 912).

Syntax

fw [-d] stat [-l | -s] [<Name of Object>]

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

No Parameters Shows the default output - all information is on one line.

-l Shows the long output.
Shows each interface and its protected traffic direction on a separate line.
In addition, shows this information:
n Total - Number of packets the Security Gateway received on this interface
n Reject - Number of packets the Security Gateway rejected on this interface
n Drop - Number of packets the Security Gateway dropped on this interface
n Accept - Number of packets the Security Gateway accepted on this interface
n Log - Whether the Security Gateway sends its logs from this interface (0 - no, 1 - yes)

-s Shows the short output.
Shows each interface and its protected traffic direction on a separate line.

<Name of Object> Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server.
This requires established SIC with that Check Point computer.

Example 1 - Default output

[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost MyGW_Policy 10Sep2018 14:01:25 : [>eth0] [<eth0] [>eth1]
[Expert@MyGW:0]#

Example 2 - Short output

[Expert@MyGW:0]# fw stat -s
HOST IF POLICY DATE
localhost >eth0 MyGW_Policy 10Sep2018 14:01:25 :
localhost <eth0 MyGW_Policy 10Sep2018 14:01:25 :
localhost >eth1 MyGW_Policy 10Sep2018 14:01:25 :
[Expert@MyGW:0]#

Example 3 - Long output

[Expert@MyGW:0]# fw stat -l
HOST IF POLICY DATE TOTAL REJECT DROP ACCEPT LOG
localhost >eth0 MyGW_Policy 10Sep2018 14:01:25 : 14377 0 316 14061 1
localhost <eth0 MyGW_Policy 10Sep2018 14:01:25 : 60996 0 0 60996 0
localhost >eth1 MyGW_Policy 10Sep2018 14:01:25 : 304 0 304 0 0
[Expert@MyGW:0]#

Example 4 - Long output from the Management Server

[Expert@MGMT:0]# fw stat -l MyGW
HOST IF POLICY DATE TOTAL REJECT DROP ACCEPT LOG
MyGW >eth0 MyGW_Policy 12Sep2018 16:34:56 : 120113 0 0 120113 0
MyGW <eth0 MyGW_Policy 12Sep2018 16:34:56 : 10807 0 0 10807 0
MyGW >eth2 MyGW_Policy 12Sep2018 16:34:56 : 3 0 0 3 0
MyGW <eth2 MyGW_Policy 12Sep2018 16:34:56 : 3 0 0 3 0
[Expert@MGMT:0]#

fw tab
Description
Shows data from the specified Security Gateway kernel tables.
This command also lets you change the content of dynamic kernel tables. You cannot change the content
of static kernel tables.
Kernel tables (also known as State tables) store data that the Firewall and other Software Blades use to
inspect packets. These kernel tables are a critical component of Stateful Inspection.

Best Practices:
n Use the "fw tab -t connections -f" command to see the detailed (and
more technical) information about the current connections in the Connections
kernel table (ID 8158).
n Use the "fw ctl conntab" on page 973 command to see the simplified information
about the current connections in the Connections kernel table (ID 8158).

Syntax

fw [-d] tab {-h | -help}

fw [-d] tab [-v] [-t <Table>] [-c | -s] [-f] [-o <Output File>] [-r] [-u | -m <Limit>] [-a -e "<Entry>"] [-x [-e "<Entry>"]] [-y] [<Name of Object>]

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help} Shows the built-in usage.

-t <Table> Specifies the kernel table by its name or unique ID.
To see the names and IDs of the available kernel tables, run:

fw tab -s

Because the output of this command is very long, we recommend that you redirect it to a file.
For example:

fw tab -s > /tmp/output.txt

-a -e "<Entry>" Adds the specified entry to the specified kernel table.
If a kernel table has the expire attribute, when you add an entry with the "-a -e <Entry>" parameter, the new entry gets the default table timeout.
You can use this parameter only on the local Security Gateway.

Warning - If you add a wrong entry, you can make your Security Gateway unresponsive.

-c Shows formatted kernel table data in the common format. This is the default.

-e "<Entry>" Specifies the entry in the kernel table.

Important - Each kernel table has its own internal format.

-f Shows formatted kernel table data. For example, shows:
n All IP addresses and port numbers in the decimal format.
n All dates and times in human readable format.

Note - Each table can use a different style.

Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.

-o <Output File> Saves the output in the specified file in the CL format as a Check Point Firewall log.
You can later open this file with the "fw log" on page 1007 command.
If you do not specify the full path explicitly, this command saves the output file in the current working directory.

-m <Limit> Specifies the maximal number of kernel table entries to show.
This command counts the entries from the beginning of the kernel table.

-r Resolves IP addresses in the formatted output.

-s Shows a short summary of the kernel table data.

-u Specifies to show an unlimited number of kernel table entries.

Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.

-v Shows the CoreXL Firewall instance number as a prefix for each line.

-x [-e "<Entry>"] Deletes all entries or the specified entry from the specified kernel table.
You can use this parameter only on the local Security Gateway.

Warning - If you delete a wrong entry, you can break the current connections through your Security Gateway. This includes the remote SSH connection.

-y Specifies not to show a prompt before the Security Gateway executes a command.
For example, this applies to the parameters "-a" and "-x".

<Name of Object> Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server.
This requires established SIC with that Check Point computer.
If you do not use this parameter, the default is localhost.

Example 1 - Show the summary of all kernel tables

[Expert@MyGW:0]# fw tab -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost vsx_firewalled 0 1 1 0
localhost firewalled_list 1 2 2 0
localhost external_firewalled_list 2 0 0 0
localhost management_list 3 2 2 0
localhost external_management_list 4 0 0 0
localhost log_server_list 5 0 0 0
localhost ips1_sensors_list 6 0 0 0
localhost all_tcp_services 7 141 141 0
localhost tcp_services 8 1 1 0
... ...
localhost connections 8158 2 56 2
... ...
localhost up_251_rule_to_clob_uuid 14083 0 0 0
... ...
localhost urlf_cache_tbl 29 0 0 0
localhost proxy_outbound_conn_tbl 30 0 0 0
localhost dns_cache_tbl 31 0 0 0
localhost appi_referrer_table 32 0 0 0
localhost uc_hits_htab 33 0 0 0
localhost uc_cache_htab 34 0 0 0
localhost uc_incident_to_instance_htab 35 0 0 0
localhost fwx_cntl_dyn_ghtab 36 0 0 0
localhost frag_table 37 0 0 0
localhost dos_blacklist_notifs 38 0 0 0
[Expert@MyGW:0]#

Example 2 - Show the raw data from the Connections table

[Expert@MyGW:0]# fw tab -t connections


localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24
25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
1996/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28,
00000016, 00000006> (00000805)
<00000000, c0a8cc01, 0000c9f6, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9679de, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edaa98, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3597/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000c9f6, 00000006> -> <00000000, c0a8cc01, 0000c9f6, c0a8cc28,
00000016, 00000006> (00000805)
[Expert@MyGW:0]#

Example 3 - Show the formatted data from the Connections table

[Expert@MyGW:0]# fw tab -t connections -f


Using cptfmt
Formatting table's data - this might take a while...

localhost:
Date: Sep 10, 2018
20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_Name: connections; : (+);
Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30
31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime: 10Sep2018 20:30:48;
ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 55411; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout:
335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: 0000780000000000; Expires: 2/40;
LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 53901; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2;
Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires:
2002/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 22; Dest: 192.168.204.1; DPort: 53901; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1:
192.168.204.1; SPort_1: 53901; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053;
LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 51702; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2;
Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires:
3600/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 22; Dest: 192.168.204.1; DPort: 51702; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1:
192.168.204.1; SPort_1: 51702; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053;
LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName:
cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 53; Dest: 192.168.204.40; DPort: 55411; Protocol: udp; CPTFMT_sep_1: ->; Direction_2: 1; Source_2:
192.168.204.40; SPort_2: 55411; Dest_2: 192.168.204.1; DPort_2: 53; Protocol_2: udp; FW_symval: 2054;
LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
[Expert@MyGW:0]#
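
The raw entries in Example 2 (and, with the [fw_N] prefix, in Example 5) are hex fields, while Example 3 prints the same connections already formatted. Matching the two shows how the first six fields of a raw entry map to the formatted columns: raw c0a8cc01 / 0000d28d correspond to Source 192.168.204.1 / SPort 53901, 00000016 to DPort 22 and 00000006 to Protocol tcp, with the first field being the Direction. The script below is an added example, not part of this guide and not Check Point code; it decodes the key of each raw entry (main entries with their trailing expires counter, and link entries that point at a main entry's key) so a saved raw dump can be read offline without running the RAM-heavy -f formatting on the gateway. Assumptions: the key order (direction, source IP, source port, destination IP, destination port, IANA protocol number) is inferred from the examples above, the trailing a/b of a main entry is read as the Expires counter the formatted output shows, the eight-digit value after a link entry is kept raw because the guide does not document it, and SAMPLE_RAW is a constructed sample in the shape of the guide's output.

```python
"""Decode raw 'fw tab -t connections' entries (added example, not Check Point code)."""
import re

# IANA protocol numbers that occur in the guide's examples; others print as numbers.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample in the shape of Example 2 and Example 5, wrapped across
# lines the way the guide prints the dump. The third entry's value list is
# shortened; the parser does not depend on how many values an entry carries.
SAMPLE_RAW = """\
localhost:
-------- connections --------
dynamic, id 8158, num ents 3, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24
25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
1996/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28,
00000016, 00000006> (00000805)
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000, 00000003, 00000028,
00000000, 5b8fed76; 38/40>
"""

HEX8 = r"[0-9a-f]{8}"
KEY = rf"(?:{HEX8},\s*){{5}}{HEX8}"  # six comma-separated 32-bit hex fields, may wrap

ENTRY_RE = re.compile(
    rf"(?:\[(fw_\d+)\]\s*)?"                   # optional CoreXL instance prefix (-v)
    rf"<({KEY})"                               # connection key
    rf"(?:;\s*(.*?);\s*(\d+)/(\d+)>"           # main entry: values, then expires cur/max
    rf"|>\s*->\s*<({KEY})>\s*\(({HEX8})\))",   # link entry pointing at a main entry's key
    re.DOTALL,
)


def _ip(hexword: str) -> str:
    """32-bit hex word (network byte order) to dotted-quad IPv4."""
    return ".".join(str(b) for b in bytes.fromhex(hexword))


def decode_key(fields: str) -> dict:
    """Turn the six hex key fields into direction, endpoints and protocol."""
    direction, sip, sport, dip, dport, proto = [f.strip() for f in fields.split(",")]
    pnum = int(proto, 16)
    return {
        "direction": int(direction, 16),
        "src": _ip(sip), "sport": int(sport, 16),
        "dst": _ip(dip), "dport": int(dport, 16),
        "proto": PROTO_NAMES.get(pnum, str(pnum)),
    }


def parse_connections(text: str) -> list:
    """Parse a raw dump; entries wrapped over several lines are joined by the regex."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        instance, key, values, cur, mx, link_key, link_flags = m.groups()
        e = {"instance": instance, "key": decode_key(key)}
        if link_key is not None:
            e["kind"] = "link"
            e["target"] = decode_key(link_key)
            e["flags"] = link_flags  # not documented in the guide; kept as printed
        else:
            e["kind"] = "conn"
            e["expires"] = (int(cur), int(mx))
            e["values"] = [v.strip() for v in values.split(",")]  # opaque per-table data
        entries.append(e)
    return entries


def sessions_to_port(entries: list, dport: int) -> list:
    """Main entries whose destination port is dport, e.g. live sessions to SSH (22)."""
    return [e for e in entries if e["kind"] == "conn" and e["key"]["dport"] == dport]


def describe(e: dict) -> str:
    """One readable line per entry, in the spirit of the -f output."""
    k = e["key"]
    prefix = f"[{e['instance']}] " if e["instance"] else ""
    head = f"{prefix}{k['proto']} {k['src']}:{k['sport']} -> {k['dst']}:{k['dport']} dir={k['direction']}"
    if e["kind"] == "link":
        t = e["target"]
        return f"{head} (link to {t['src']}:{t['sport']} -> {t['dst']}:{t['dport']})"
    cur, mx = e["expires"]
    return f"{head} expires {cur}/{mx}"


if __name__ == "__main__":
    for entry in parse_connections(SAMPLE_RAW):
        print(describe(entry))
```

To use it on a real gateway, save the raw dump first (for example with the -u and -o style of redirection the parameter table describes, `fw tab -t connections -u > /tmp/conn.txt`), copy the file off the gateway and run the script against it; the decoder only needs the six key fields, so the remaining values of each entry, which differ between tables, are carried along untouched.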

Example 4 - Show only two entries from the Connections table

[Expert@MyGW:0]# fw tab -t connections -m 2


localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24
25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
1961/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28,
00000016, 00000006> (00000805)
...(4 More)
[Expert@MyGW:0]#

Example 5 - Show the raw data from the Connections table and show the IDs of CoreXL Firewall instances
for each entry

[Expert@MyGW:0]# fw tab -t 8158 -v


localhost:
-------- connections --------
dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24
25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
[fw_0] <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> -> <00000000, c0a803f0, 00008652,
c0a80335, 00004710, 00000006> (00000805)
[fw_0] <00000001, c0a80335, 00008adf, c0a803f0, 0000470f, 00000006; 0002d001, 00046000, 10000000, 0000000e,
00000000, 5b9a4129, 00030000, 3503a8c0, c0000000, ffffffff, ffffffff, 00000001, 00000001, 00000800,
00000000, 80008080, 00000000, 00000000, 338ea330, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3162/3600>
[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f,
00000000, 5b8fed6a, 00030001, 3503a8c0, c0000000, 00000001, 00000001, ffffffff, ffffffff, 00000800,
08000000, 00000080, 00000000, 00000000, 337b0978, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3599/3600>
[fw_0] <00000000, c0a803f0, 0000470f, c0a80335, 00008adf, 00000006> -> <00000001, c0a80335, 00008adf,
c0a803f0, 0000470f, 00000006> (00000806)
[fw_0] <00000001, c0a80334, 00004710, c0a803f0, 0000a659, 00000006> -> <00000000, c0a803f0, 0000a659,
c0a80334, 00004710, 00000006> (00000805)
[fw_0] <00000000, c0a803f0, 0000a659, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 0000000f,
00000000, 5b8feabb, 0000007a, 3403a8c0, c0000000, ffffffff, ffffffff, ffffffff, ffffffff, 00000000,
10000000, 04000080, 00000000, 00000000, 3364aed0, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3484/3600>
[fw_1] <00000001, c0a80334, 00004710, c0a803f0, 0000bc74, 00000006> -> <00000000, c0a803f0, 0000bc74,
c0a80334, 00004710, 00000006> (00000805)
[fw_1] <00000001, c0a80335, 00000016, ac14a810, 0000e056, 00000006> -> <00000000, ac14a810, 0000e056,
c0a80335, 00000016, 00000006> (00000805)
[fw_1] <00000000, ac14a810, 0000e056, c0a80335, 00000016, 00000006; 0001c001, 00044000, 00000003, 000001df,
00000000, 5b9a3832, 00030000, 3503a8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 00000800,
08000000, 00000080, 00000000, 00000000, 33410370, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3600/3600>
[fw_1] <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 0000000f,
00000000, 5b8fe89b, 00000001, 3403a8c0, c0000001, ffffffff, ffffffff, ffffffff, ffffffff, 00000000,
10000000, 04000080, 00000000, 00000000, 335841e0, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3600/3600>
[fw_2] <00000000, c0a803f0, 0000ab74, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f,
00000000, 5b8fed7e, 00030000, 3503a8c0, c0000002, 00000001, 00000001, ffffffff, ffffffff, 00000800,
08000000, 00000080, 00000000, 00000000, 33337660, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3556/3600>
[fw_2] <00000001, c0a80335, 00004710, c0a803f0, 0000ab74, 00000006> -> <00000000, c0a803f0, 0000ab74,
c0a80335, 00004710, 00000006> (00000805)
[fw_2] <00000001, c0a80335, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4,
c0a80335, 00001fb4, 00000011> (00000805)
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000, 00000003, 00000028,
00000000, 5b8fed76, 00030000, 3503a8c0, c0000002, 00000001, ffffffff, ffffffff, ffffffff, 00000800,
08000000, 00000084, 00000000, 00000000, 336d4e30, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 38/40>
[fw_2] <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011; 00010001, 00004100, 00000003, 00000028,
00000000, 5b8fed72, 0000025f, 3403a8c0, c0000002, ffffffff, ffffffff, ffffffff, ffffffff, 00000000,
10000000, 04000084, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 39/40>
[fw_2] <00000001, c0a80334, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4,
c0a80334, 00001fb4, 00000011> (00000805)
Table fetched in 3 chunks
[Expert@MyGW:0]#

fw unloadlocal
Description
Uninstalls all policies from the Security Gateway or Cluster Member.

Warning

1. The "fw unloadlocal" command prevents all traffic from passing through the Security
Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the
Security Gateway (Cluster Member).
2. The "fw unloadlocal" command removes all policies from the Security Gateway (Cluster
Member). This means that the Security Gateway (Cluster Member) accepts all incoming
connections destined to all active interfaces without any filtering or protection enabled.

Notes
n If you need to remove the current policy, but keep the Security Gateway (Cluster Member)
protected, then run the "comp_init_policy" on page 871 command on the Security Gateway (Cluster
Member).
n To load the policies on the Security Gateway (Cluster Member), run one of these commands on the
Security Gateway (Cluster Member), or reboot:
l "fw fetch" on page 998
l "cpstart" on page 911
n See the related command "fwm unload" on page 333.

Syntax

fw [-d] unloadlocal

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name: My_Policy
Policy install time: Tue Oct 23 18:23:14 2018
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw unloadlocal

Uninstalling Security Policy from all.all@MyGW


Done.
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw fetch localhost


Installing Security Policy My_Policy on all.all@MyGW
Fetching Security Policy from localhost succeeded
[Expert@MyGW:0]#

fw up_execute
Description
Executes the offline Unified Policy.

Syntax

fw [-d] up_execute ipp=<IANA Protocol Number> [src=<Source IP>] [dst=<Destination IP>] [sport=<Source Port>] [dport=<Destination Port>] [protocol=<IANA Protocol Name>] [application=<Application/Category Name 1> [application=<Application/Category Name 2> ...]]

Parameters

Parameter Description

No Parameters Shows the built-in usage.

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

ipp=<IANA Protocol Number> IANA Protocol Number in the Hexadecimal format.

Important - This parameter is always mandatory.

For example:
n TCP = 6
n UDP = 17
n ICMP = 1

See IANA Protocol Numbers.

src=<Source IP> Source IP address.

dst=<Destination IP> Destination IP address.

sport=<Source Port> Source Port number in the Decimal format.
See IANA Service Name and Port Number Registry.

dport=<Destination Port> Destination Port number in the Decimal format.

Important - This parameter is mandatory for the TCP (6) and UDP (17) protocols.

See IANA Service Name and Port Number Registry.

protocol=<IANA Protocol Name> Name of the protocol.
For example:
n TCP
n UDP
n ICMP
n HTTP

See IANA Protocol Numbers.

application=<Application/Category Name> Name of the Application/Category as defined in SmartConsole.
You can specify multiple applications.

Example 1

[Expert@MyGW:0]# fw up_execute src=126.200.49.240 dst=10.1.1.1 ipp=1

Rulebase execution ended successfully.


Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215

[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# fw up_execute src=10.1.1.1 ipp=6 dport=8080 protocol=HTTP application=Facebook application=Opera

Rulebase execution ended successfully.


Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215

[Expert@MyGW:0]#

fw ver
Description
Shows this information about the Security Gateway software:
n Major version
n Minor version
n Build number
n Kernel build number

Syntax

fw [-d] ver [-k] [-f <Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

ver Shows:
n Major version
n Minor version
n Build number

-k Shows:
n Major version
n Minor version
n Build number
n Kernel build number

-f <Output File> Saves the output to the specified file.
If you do not specify the full path explicitly, this command saves the output file in the current working directory.

Example 1

[Expert@MyGW:0]# fw ver -k
This is Check Point's software version R80.40 - Build 123
[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# fw ver -k
This is Check Point's software version R80.40 - Build 456
[Expert@MyGW:0]#

fwboot
Description
Configures Check Point boot options.

Important - Most of these commands are for Check Point use only.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot
      bootconf <options>
      corexl <options>
      cpuid <options>
      default <options>
      fwboot_ipv6 <options>
      fwdefault <options>
      ha_conf <options>
      ht <options>
      multik_reg <options>
      post_drv <options>

Parameters

Parameter Description

bootconf <options> Shows and configures the security boot options.
See "fwboot bootconf" on page 1111.

corexl <options> Configures and monitors the CoreXL.
See "fwboot corexl" on page 1116.

cpuid <options> Shows the number of available CPUs and CPU cores on this Security Gateway.
See "fwboot cpuid" on page 1123.

default <options> Loads the specified Default Filter policy on this Security Gateway.
See "fwboot default" on page 1125.

fwboot_ipv6 <options> Shows the internal memory address of the hook function for the specified CoreXL Firewall instance.
See "fwboot fwboot_ipv6" on page 1126.

fwdefault <options> Loads the specified Default Filter policy on this Security Gateway.
See "fwboot fwdefault" on page 1127.

ha_conf <options> Configures the cluster mechanism during boot.
See "fwboot ha_conf" on page 1128.

ht <options> Shows and configures the SMT (HyperThreading) feature (sk93000) boot options.
See "fwboot ht" on page 1129.

multik_reg <options> Shows the internal memory address of the registration function for the specified CoreXL Firewall instance.
See "fwboot multik_reg" on page 1132.

post_drv <options> Loads the Firewall driver for CoreXL during boot.
See "fwboot post_drv" on page 1134.

fwboot bootconf
Description
Configures boot security options.

Notes:
n You must run this command from the Expert mode.
n The settings are saved in the $FWDIR/boot/boot.conf file.

Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only with this command.

n Refer to these related commands:
l "fwboot corexl" on page 1116
l "control_bootsec" on page 874

Syntax to show the current boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf
      get_corexl
      get_core_override
      get_def
      get_ipf
      get_ipv6
      get_kernnum
      get_kern6num

Syntax to configure the boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf
      set_corexl {0 | 1}
      set_core_override <number>
      set_def [</path/filename>]
      set_ipf {0 | 1}
      set_ipv6 {0 | 1}
      set_kernnum <number>
      set_kern6num <number>

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

get_corexl Shows if the CoreXL is enabled or disabled:
n 0 - disabled
n 1 - enabled

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the COREXL_INSTALLED.

get_core_override Shows the number of overriding CPU cores.
The SMT (HyperThreading) feature (sk93000) uses this configuration to set the number of CPU cores after reboot.

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CORE_OVERRIDE.

get_def Shows the configured path and the name of the Default Filter policy file (default is $FWDIR/boot/default.bin).

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the DEFAULT_FILTER_PATH.

get_ipf Shows if the IP Forwarding during boot is enabled or disabled:
n 0 - disabled (Security Gateway does not forward traffic between its interfaces during boot)
n 1 - enabled

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CTL_IPFORWARDING.

get_ipv6 Shows if the IPv6 support is enabled or disabled:
n 0 - disabled
n 1 - enabled

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the IPV6_INSTALLED.

get_kernnum Shows the configured number of IPv4 CoreXL Firewall instances.

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN_INSTANCE_NUM.

get_kern6num Shows the configured number of IPv6 CoreXL Firewall instances.

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN6_INSTANCE_NUM.

set_corexl {0 | 1} Enables or disables CoreXL:
n 0 - disables
n 1 - enables

Notes:
n In the $FWDIR/boot/boot.conf file, refer to the value of the COREXL_INSTALLED.
n To configure CoreXL, use the "cpconfig" on page 892 menu.

set_core_override <number> Configures the number of overriding CPU cores.
The SMT (HyperThreading) feature (sk93000) uses this configuration to set the number of CPU cores after reboot.

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CORE_OVERRIDE.

set_def [</path/filename>] Configures the path and the name of the Default Filter policy file (default is $FWDIR/boot/default.bin).

Notes:
n In the $FWDIR/boot/boot.conf file, refer to the value of the DEFAULT_FILTER_PATH.
n If you do not specify the path and the name explicitly, then the value of the DEFAULT_FILTER_PATH is set to 0. As a result, Security Gateway does not load a Default Filter during boot.

Best Practice - The best location for this file is the $FWDIR/boot/ directory.

set_ipf {0 | 1} Configures the IP forwarding during boot:
n 0 - disables (forbids the Security Gateway to forward traffic between its interfaces during boot)
n 1 - enables

Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CTL_IPFORWARDING.

set_ipv6 {0 | 1} Enables or disables the IPv6 Support:
n 0 - disables
n 1 - enables

Notes:
n In the $FWDIR/boot/boot.conf file, refer to the value of the IPV6_INSTALLED.
n Configure the IPv6 Support in Gaia Portal, or Gaia Clish. See the R80.40 Gaia Administration Guide.

set_kernnum <number> Configures the number of IPv4 CoreXL Firewall instances.

Notes:
n In the $FWDIR/boot/boot.conf file, refer to the value of the KERN_INSTANCE_NUM.
n To configure CoreXL, use the "cpconfig" on page 892 menu.

set_kern6num <number> Configures the number of IPv6 CoreXL Firewall instances.

Notes:
n In the $FWDIR/boot/boot.conf file, refer to the value of the KERN6_INSTANCE_NUM.
n To configure CoreXL, use the "cpconfig" on page 892
menu.
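
The get_* and set_* parameters above all map to keys in $FWDIR/boot/boot.conf, and two of them interact in a way worth checking before a reboot: set_ipf 1 makes the gateway forward traffic between its interfaces during boot, and set_def with no path sets DEFAULT_FILTER_PATH to 0 so no Default Filter is loaded during boot. The following script is an added example, not part of the guide or of Check Point's tooling. It reads boot.conf only (the guide says not to edit it by hand) and flags that combination. It assumes, as an assumption not stated on the page, that the file holds one "KEY value" pair per line; the function names bootconf_get and bootconf_audit are the author's own.

```shell
#!/bin/sh
# Added example (not from the guide): read-only audit of the boot-time values
# that "fwboot bootconf get_*" reports, taken from $FWDIR/boot/boot.conf.
# Assumption (not stated on the page): the file holds one "KEY value" pair
# per line. The file is only read, never written.

# Print the value of KEY from FILE, or "unset" when the key is absent.
bootconf_get() {
    key=$1
    file=$2
    val=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        echo unset
    fi
}

# Audit the boot-time protection. Exit status:
#   0 - protected during boot, or forwarding is disabled during boot
#   1 - IP forwarding is enabled at boot with no Default Filter configured
#   2 - boot.conf is not readable
bootconf_audit() {
    file=${1:-$FWDIR/boot/boot.conf}
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    ipf=$(bootconf_get CTL_IPFORWARDING "$file")
    def=$(bootconf_get DEFAULT_FILTER_PATH "$file")
    corexl=$(bootconf_get COREXL_INSTALLED "$file")
    k4=$(bootconf_get KERN_INSTANCE_NUM "$file")
    k6=$(bootconf_get KERN6_INSTANCE_NUM "$file")
    echo "ip_forwarding_at_boot=$ipf default_filter=$def corexl=$corexl ipv4_instances=$k4 ipv6_instances=$k6"
    if [ "$def" = 0 ] || [ "$def" = unset ]; then
        if [ "$ipf" = 1 ]; then
            echo "WARNING: traffic is forwarded between interfaces during boot with no Default Filter loaded"
            return 1
        fi
        echo "NOTE: no Default Filter is configured; traffic is not forwarded during boot (CTL_IPFORWARDING=$ipf)"
    fi
    return 0
}
```

Source the file in Expert mode and call bootconf_audit with no argument to check the live $FWDIR/boot/boot.conf, or pass a copied file to review a gateway offline. The exit status is non-zero only for the unprotected-at-boot combination, so the script can gate an automated reboot.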


fwboot corexl
Description
Configures and monitors CoreXL.

Note - The settings are saved in the $FWDIR/boot/boot.conf file.

Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only with this command.

Syntax to show CoreXL configuration

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl


      core_count
      curr_instance4_count
      curr_instance6_count
      def_instance4_count
      def_instance6_count
      eligible
      installed
      max_instance4_count
      max_instances4_32bit
      max_instances4_64bit
      max_instance6_count
      max_instances_count
      max_instances_32bit
      max_instances_64bit
      min_instance_count
      unsupported_features


Syntax to configure CoreXL

Important:
- The configuration commands are for Check Point use only. To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on page 892 menu.
- After all changes in the CoreXL configuration on the Security Gateway, you must reboot it.
- In a cluster, you must configure all the Cluster Members in the same way.

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl


      def_by_allowed [n]
      default
[-v] disable
[-v] enable [n] [-6 k]
      vmalloc_recalculate

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

core_count Returns the number of CPU cores on this computer. As with the other query parameters below, the value is returned in the command's exit code, not on standard output, so read it with "echo $?" immediately after the command.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl core_count
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /proc/cpuinfo | grep processor
processor : 0
processor : 1
processor : 2
processor : 3
[Expert@MyGW:0]#


curr_instance4_count Returns the current configured number of IPv4 CoreXL Firewall instances.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance4_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

curr_instance6_count Returns the current configured number of IPv6 CoreXL Firewall instances.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance6_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw6 ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
[Expert@MyGW:0]#

def_by_allowed [n] Sets the default configuration for CoreXL according to the specified allowed number of CPU cores.

default Sets the default configuration for CoreXL.

def_instance4_count Returns the default number of IPv4 CoreXL Firewall instances for this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance4_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#


def_instance6_count Returns the default number of IPv6 CoreXL Firewall instances for this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance6_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#

[-v] disable Disables CoreXL.
- -v - Leaves the high memory (vmalloc) unchanged.
See the "cp_conf corexl" on page 883 command.

eligible Returns whether CoreXL can be enabled on this Security Gateway:
- 0 - CoreXL cannot be enabled
- 1 - CoreXL can be enabled

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl eligible
[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#

[-v] enable [n] [-6 k] Enables CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall instances.
- -v - Leaves the high memory (vmalloc) unchanged.
- n - Denotes the number of IPv4 CoreXL Firewall instances.
- k - Denotes the number of IPv6 CoreXL Firewall instances.
See the "cp_conf corexl" on page 883 command.

installed Returns whether CoreXL is installed (enabled) on this Security Gateway:
- 0 - CoreXL is not enabled
- 1 - CoreXL is enabled

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl installed
[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#


max_instance4_count Returns the maximal allowed number of IPv4 CoreXL Firewall instances for this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance4_count
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#

max_instances4_32bit Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a Security Gateway that runs Gaia with a 32-bit kernel.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_32bit
[Expert@MyGW:0]# echo $?
14
[Expert@MyGW:0]#

max_instances4_64bit Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a Security Gateway that runs Gaia with a 64-bit kernel.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_64bit
[Expert@MyGW:0]# echo $?
38
[Expert@MyGW:0]#

max_instance6_count Returns the maximal allowed number of IPv6 CoreXL Firewall instances for this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance6_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#


max_instances_count Returns the total maximal allowed number of CoreXL Firewall instances (IPv4 and IPv6) for this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_count
[Expert@MyGW:0]# echo $?
40
[Expert@MyGW:0]#

max_instances_32bit Returns the total maximal allowed number of CoreXL Firewall instances for a Security Gateway that runs Gaia with a 32-bit kernel.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_32bit
[Expert@MyGW:0]# echo $?
16
[Expert@MyGW:0]#

max_instances_64bit Returns the total maximal allowed number of CoreXL Firewall instances for a Security Gateway that runs Gaia with a 64-bit kernel.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_64bit
[Expert@MyGW:0]# echo $?
40
[Expert@MyGW:0]#

min_instance_count Returns the minimal allowed number of IPv4 CoreXL Firewall instances.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl min_instance_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#

vmalloc_recalculate Updates the value of the vmalloc parameter in the /boot/grub/grub.conf file.


unsupported_features Returns 1 if at least one configured feature is not supported by CoreXL, and prints which feature it is.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl unsupported_features
corexl unsupported feature: QoS is configured.
[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#
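
Because every query above hands its result back in the exit code rather than on stdout, scripting them needs a small wrapper that captures $? right after each call. The script below is an added example, not from the guide: it gathers the counts and flags the same things a reviewer checks before changing CoreXL instance counts with cpconfig (eligibility, whether CoreXL is on, unsupported features, and instance counts outside the min/max the gateway reports). It assumes $FWDIR is set in Expert mode; when the fwboot binary is not present, a constructed stub returns the values from the examples above (4 cores, 3 IPv4 and 2 IPv6 instances) so the logic can run offline. The names fwboot_query and corexl_sanity are the author's own.

```shell
#!/bin/sh
# Added example (not from the guide): cross-check the CoreXL numbers that
# "$FWDIR/boot/fwboot corexl <query>" reports through its EXIT CODE (nothing
# is printed on stdout), as a pre-flight before changing instance counts.
# Assumption: $FWDIR is set (Expert mode). When the fwboot binary is absent
# (workstation, lab VM) a constructed stub returns the values used in the
# guide's examples so the checks can be exercised offline.

# Print the value that "fwboot corexl $1" returns in its exit code.
fwboot_query() {
    if [ -x "${FWDIR:-/nonexistent}/boot/fwboot" ]; then
        rc=0
        "$FWDIR/boot/fwboot" corexl "$1" >/dev/null 2>&1 || rc=$?
        echo "$rc"
        return 0
    fi
    # Constructed stub (offline use only); 255 marks an unknown query
    case "$1" in
        core_count)            echo 4 ;;
        curr_instance4_count)  echo 3 ;;
        curr_instance6_count)  echo 2 ;;
        min_instance_count)    echo 2 ;;
        max_instance4_count)   echo 4 ;;
        max_instance6_count)   echo 3 ;;
        eligible|installed)    echo 1 ;;
        unsupported_features)  echo 0 ;;
        *)                     echo 255 ;;
    esac
}

# Return 0 when the CoreXL state is consistent, 1 when something needs
# attention before the configuration is touched.
corexl_sanity() {
    cores=$(fwboot_query core_count)
    cur4=$(fwboot_query curr_instance4_count)
    cur6=$(fwboot_query curr_instance6_count)
    min=$(fwboot_query min_instance_count)
    max4=$(fwboot_query max_instance4_count)
    max6=$(fwboot_query max_instance6_count)
    status=0
    echo "cores=$cores ipv4=$cur4 (min $min, max $max4) ipv6=$cur6 (max $max6)"
    if [ "$(fwboot_query eligible)" != 1 ]; then
        echo "CoreXL cannot be enabled on this gateway"; status=1
    fi
    if [ "$(fwboot_query installed)" != 1 ]; then
        echo "CoreXL is currently disabled"; status=1
    fi
    if [ "$(fwboot_query unsupported_features)" != 0 ]; then
        echo "a configured feature is not supported by CoreXL (run the query by hand to see which)"; status=1
    fi
    if [ "$cur4" -lt "$min" ] || [ "$cur4" -gt "$max4" ]; then
        echo "IPv4 instance count $cur4 is outside [$min, $max4]"; status=1
    fi
    if [ "$cur6" -gt "$max6" ]; then
        echo "IPv6 instance count $cur6 exceeds the maximum $max6"; status=1
    fi
    if [ "$cur4" -ge "$cores" ]; then
        echo "note: every core runs a Firewall instance; none is dedicated to the SND"
    fi
    return "$status"
}
```

On a real gateway the stub branch is never taken, and the real unsupported_features query still prints its explanatory line, which the wrapper discards; run it by hand when the check fires.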


fwboot cpuid
Description
Shows the number of available CPUs and CPU cores on this Security Gateway.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot cpuid


{-h | -help | --help}
      -c
      --full
      ht_aware
      -n
      --possible

Parameters

Parameter Description

No Parameters Shows the IDs of the available CPU cores on this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid
3 2 1 0
[Expert@MyGW:0]#

-c Counts the number of available CPU cores on this Security Gateway. The command stores the returned number as its exit code.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -c
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#


--full Shows a full map of the available CPUs and CPU cores on this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --full
cpuid phys_id core_id thread_id
0 0 0 0
1 2 0 0
2 4 0 0
3 6 0 0
[Expert@MyGW:0]#

ht_aware Shows the CPU cores in the order of their awareness of Hyper-Threading.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid ht_aware
3 2 1 0
[Expert@MyGW:0]#

-n Counts the number of available CPUs on this Security Gateway. The command stores the returned number as its exit code.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -n
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#

--possible Counts the number of possible CPU cores. The command stores the returned number as its exit code.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --possible
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#


fwboot default
Description
Loads the specified Default Filter policy on this Security Gateway.

Notes:
- You must run this command from the Expert mode.
- This command is the same as the "fwboot fwdefault" on page 1127 command.
- Refer to these related commands:
  - "fw defaultgen" on page 996
  - "fwboot bootconf" on page 1111
  - "control_bootsec" on page 874
  - "comp_init_policy" on page 871

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot default <Default Filter Policy File>

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

<Default Filter Policy File> Specifies the full path and name of the Default Filter policy file. The default is $FWDIR/boot/default.bin

Example

[Expert@MyGW:0]# $FWDIR/boot/fwboot default $FWDIR/boot/default.bin
FW-1: Default filter installed successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0]
[Expert@MyGW:0]#


fwboot fwboot_ipv6
Description
Shows the internal memory address of the hook function for the specified CoreXL Firewall instance.

Important - This command is for Check Point use only.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot fwboot_ipv6 <Number of CoreXL Firewall instance> hook [-d]

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

<Number of CoreXL Firewall instance> Specifies the ID number of the CoreXL Firewall instance.

-d Shows the decimal 64-bit address of the hook function.

Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 0 hook
0xffffffff89f8fc00
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 1 hook
0xffffffff8cd71c00
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 2 hook
0xffffffff8fb53c00
[Expert@MyGW:0]#


fwboot fwdefault
Description
Loads the specified Default Filter policy on this Security Gateway.

Notes:
- You must run this command from the Expert mode.
- This command is the same as the "fwboot default" on page 1125 command.
- Refer to these related commands:
  - "fw defaultgen" on page 996
  - "fwboot bootconf" on page 1111
  - "control_bootsec" on page 874
  - "comp_init_policy" on page 871

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot fwdefault <Default Filter Policy File>

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

<Default Filter Policy File> Specifies the full path and name of the Default Filter policy file. The default file is $FWDIR/boot/default.bin

Example

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwdefault $FWDIR/boot/default.bin
FW-1: Default filter installed successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0]
[Expert@MyGW:0]#


fwboot ha_conf
Description
Configures the cluster mechanism during boot.

Important - This command is for Check Point use only.

Notes:
- You must run this command from the Expert mode.
- Refer to these related commands:
  - "fw defaultgen" on page 996
  - "fwboot bootconf" on page 1111
  - "control_bootsec" on page 874
  - "comp_init_policy" on page 871
- To install a cluster, see the R80.40 Installation and Upgrade Guide.
- To configure a cluster, see the R80.40 Installation and Upgrade Guide and the R80.40 ClusterXL Administration Guide.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot ha_conf


fwboot ht
Description
Shows and configures the boot options for the SMT (HyperThreading) feature (sk93000).

Important - This command is for Check Point use only. To configure SMT
(HyperThreading) feature, follow sk93000.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot ht
      --core_override [<number>]
      --disable
      --eligible
      --enable
      --enabled
      --supported

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

--core_override [<number>] Shows or configures the number of overriding CPU cores. The SMT feature uses this configuration to set the number of CPU cores after reboot.

--disable Disables the SMT feature.


--eligible Returns a number that shows if this system is eligible for the SMT feature. Run:

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --eligible
[Expert@MyGW:0]# echo $?

- If you get 1 - The system is eligible for SMT.
- If you get 0 - The system is not eligible for SMT. The possible causes are:
  - The system is not a Check Point appliance.
  - The system does not support SMT.
  - The system does not run Gaia OS.
  - The appliance runs Gaia OS with a 32-bit kernel and has more than 4 CPU cores.

--enable Enables the SMT feature.

--enabled Returns a number that shows if the SMT feature is enabled on this system. Run:

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --enabled
[Expert@MyGW:0]# echo $?

- If you get 1 - SMT is enabled.
- If you get 0 - SMT is disabled. The possible causes are:
  - The system does not run Gaia OS.
  - SMT is disabled in software.


--supported Returns a number that shows if this system supports the SMT feature. Run:

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --supported
[Expert@MyGW:0]# echo $?

- If you get 1 - The system supports SMT.
- If you get 0 - The system does not support SMT. The possible causes are:
  - The system's CPU does not support SMT.
  - SMT is disabled in the system's BIOS.
  - SMT is disabled in software.


fwboot multik_reg
Description
Shows the internal memory address of the registration function for the specified CoreXL Firewall instance.

Important - This command is for Check Point use only.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot multik_reg <Number of CoreXL Firewall instance> {ipv4 | ipv6} [-d]

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

<Number of CoreXL Firewall instance> Specifies the ID number of the CoreXL Firewall instance.

ipv4 Specifies to work with IPv4 CoreXL Firewall instances.

ipv6 Specifies to work with IPv6 CoreXL Firewall instances.

-d Shows the decimal 64-bit address of the registration function.


Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 0 ipv4
0
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 1 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 2 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#


fwboot post_drv
Description
Loads the Firewall driver for CoreXL during boot.

Important:
- This command is for Check Point use only.
- If you run this command, the Security Gateway can block all traffic. In that case, you must connect to the Security Gateway over a console and restart the Check Point services with the "cpstop" on page 920 and "cpstart" on page 911 commands. Alternatively, reboot the Security Gateway.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot post_drv {ipv4 | ipv6}

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

ipv4 Loads the IPv4 Firewall driver for CoreXL.

ipv6 Loads the IPv6 Firewall driver for CoreXL.


sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the information
received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User Defined Alerts
mechanism.

Notes:
n VSX Gateways and VSX Cluster Members do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management


Server>

n See the "fw sam" on page 271 and "fw sam_policy" on page 279 commands.

SAM v1 syntax

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter Description

-v Enables the verbose mode for the fw sam command.

-o Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-s <SAM Server> Specifies the SAM Server to be contacted. Default is localhost.

-t <Time> Specifies the time (in seconds), during which to enforce the action. The default is forever.


-f <Security Gateway> Specifies the Security Gateway, on which to run the operation.
Important - If you do not specify the target Security Gateway explicitly, this command applies to all managed Security Gateways.

-C Cancels the specified operation.

-n Specifies to notify every time a connection that matches the specified criteria passes through the Security Gateway.

-i Inhibits (drops or rejects) connections that match the specified criteria.

-I Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.


SAM v2 syntax

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src|-dst|-any|-srv}

Parameters for SAM v2

Parameter Description

-v2 Specifies to use SAM v2.

-v Enables the verbose mode for the fw sam command.

-O Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-S <SAM Server> Specifies the SAM Server to be contacted. Default is localhost.

-t <Time> Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway> Specifies the Security Gateway, on which to run the operation.
Important - If you do not specify the target Security Gateway explicitly, this command applies to all managed Security Gateways.

-n <Name> Specifies the name for the SAM rule. Default is empty.

-c "<Comment>" Specifies the comment for the SAM rule. Default is empty. You must enclose the text in double quotes or single quotes.

-o <Originator> Specifies the originator for the SAM rule. Default is sam_alert.

-l {r | a} Specifies the log type for connections that match the specified criteria:
- r - Regular
- a - Alert
Default is None.


-a {d | r | n | b | q | i} Specifies the action to apply on connections that match the specified criteria:
- d - Drop
- r - Reject
- n - Notify
- b - Bypass
- q - Quarantine
- i - Inspect

-C Specifies to close all existing connections that match the criteria.

-ip Specifies to use IP addresses as criteria parameters.

-eth Specifies to use MAC addresses as criteria parameters.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.


stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug purposes - to
make sure the applicable SNMP OIDs provide the requested information.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management


Server>

Syntax
- To query a Regular OID:

stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>

Regular OIDs are specified in the SNMP MIB files. For Check Point MIB files, see sk90470.

- To query a Statistical OID:

stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>

Statistical OIDs take some time to "initialize". For example, to calculate an average, it is necessary to collect enough samples. Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_oid.conf file.

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

-h <Host> Specifies the remote Check Point host to query by its IP address or resolvable hostname.


-p <Port> Specifies the port number, on which the AMON server listens. Default port is 18192.

-x <Proxy Server> Specifies the Proxy Server by its IP address or resolvable hostname.
Note - Use only when you query a remote host.

-l <Polling Interval> Specifies the time in seconds between queries.
Note - Use only when you query a Statistical OID.

-r <Polling Duration> Specifies the time in seconds, during which to run consecutive queries.
Note - Use only when you query a Statistical OID.

-v <VSID> On a VSX Gateway, specifies the context of a Virtual Device to query.

-t <Timeout> Specifies the session timeout in milliseconds.

<Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N> Specifies the Regular OIDs to query.
Notes:
- The OID must not start with a period.
- Separate the OIDs with spaces.
- You can specify up to 100 OIDs.

<Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N> Specifies the Statistical OIDs to query.
Notes:
- The OID must not start with a period.
- Separate the OIDs with spaces.
- You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.2.3


Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime), polling every 5 seconds for a duration of 5 seconds:

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3
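
The two input rules stated above (an OID must not start with a period, and at most 100 OIDs per call) are easy to break when the OID list comes from a MIB browser, which usually prints OIDs with a leading period. The wrapper below is an added example, not from the guide: it strips the leading period, rejects malformed OIDs, enforces the count, and only then builds the stattest get command, switching to the -l/-r form for Statistical OIDs. When the stattest binary is not on the PATH it prints the command line it would have run, so the validation can be exercised offline. It assumes OIDs are numeric dotted strings; the names normalize_oids, oid_count_ok and stattest_query are the author's own.

```shell
#!/bin/sh
# Added example (not from the guide): validate a list of OIDs against the two
# rules the guide gives (no leading period, 1 to 100 OIDs per call) before
# handing them to "stattest get". Assumption: OIDs are numeric dotted strings.

# Print each OID with a leading period stripped; fail on a malformed OID.
normalize_oids() {
    for oid in "$@"; do
        oid=${oid#.}
        if [ -z "$oid" ]; then
            echo "empty OID" >&2
            return 1
        fi
        case "$oid" in
            *[!0-9.]*|.*|*.|*..*)
                echo "malformed OID: '$oid'" >&2
                return 1 ;;
        esac
        printf '%s\n' "$oid"
    done
}

# stattest accepts between 1 and 100 OIDs per call.
oid_count_ok() {
    [ "$#" -ge 1 ] && [ "$#" -le 100 ]
}

# Usage: stattest_query [-l <interval> -r <duration>] <OID>...
# With -l/-r the OIDs are treated as Statistical OIDs.
stattest_query() {
    interval=""
    duration=""
    if [ "${1:-}" = "-l" ] && [ "${3:-}" = "-r" ]; then
        interval=$2
        duration=$4
        shift 4
    fi
    if ! oid_count_ok "$@"; then
        echo "between 1 and 100 OIDs are required, got $#" >&2
        return 1
    fi
    oids=$(normalize_oids "$@") || return 1
    # shellcheck disable=SC2086
    set -- $oids
    if ! command -v stattest >/dev/null 2>&1; then
        # Offline: show the exact command that would run on the gateway
        echo "stattest not found; would run: stattest get${interval:+ -l $interval -r $duration} $*"
        return 0
    fi
    if [ -n "$interval" ]; then
        stattest get -l "$interval" -r "$duration" "$@"
    else
        stattest get "$@"
    fi
}
```

Splitting a longer OID list into batches of 100 is left to the caller; the wrapper refuses oversized lists rather than silently truncating them, so a monitoring script cannot lose OIDs without noticing.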


usrchk
Description
Controls the UserCheck daemon (usrchkd).

Syntax

usrchk
      hits <options>
      incidents <options>
      debug <options>

Note - You can also enter partial names of the sub-commands and their options.


Parameters

Parameter Description

No Parameter Shows the built-in help. This applies to sub-commands as well. For example, run just the "usrchk hits" command.

hits <options> Shows user hits (violations).
The available options are:

- Show user hits:
  - List all existing hits:
    usrchk hits list all
  - Show hits for a specified user:
    usrchk hits list user <UserName>
  - Show hits for a specified interaction object:
    usrchk hits list uci <Name of UserCheck Interaction Object>

- Clear user hits:
  - Clear all existing hits:
    usrchk hits clear all
  - Clear hits for a specified user:
    usrchk hits clear user <UserName>
  - Clear hits for a specified interaction object:
    usrchk hits clear uci <Name of UserCheck Interaction Object>

- Database operations:
  - Reload hits from the database:
    usrchk hits db reload
  - Update hits changes in the database:
    usrchk hits db reload update


incidents <options> Sends emails to users about incidents.
The available option is:
- Send emails to users about their expiring email violations:
  usrchk incidents expiring

debug <options> Controls the debug of the UserCheck daemon.
The available options are:

- Enable the debug:
  usrchk debug on

  Important - After you run the command "usrchk debug on", you must run the command "usrchk debug set ..." to configure the required filter.

  Important - When you enable the debug, it affects the performance of the usrchkd daemon. Make sure to disable the debug after you complete your troubleshooting.

- Disable the debug:
  usrchk debug off


- Filter which debug logs UserCheck writes to the log file based on the specified Debug Topics and Severity:
  usrchk debug set <Topic Name> <Severity>

  The available Debug Topics are:
  - all
  - Check Point Support provides more specific topics, based on the reported issue
  The available Severities are:
  - all
  - critical
  - events
  - important
  - surprise

  Best Practice - We recommend that you enable all Topics and all Severities. Run:
  usrchk debug set all all

- Show the UserCheck current debug status:
  usrchk debug stat

- Unset the specified Debug Topic(s):
  usrchk debug unset <Topic Name>

- Reset all debug topics:
  usrchk debug reset

- Rotate the UserCheck log files:
  usrchk debug

- Show the memory consumption by the usrchkd daemon:
  usrchk debug memory


- Show and set the number of indentation spaces in the $FWDIR/log/usrchk.elg file:
  usrchk debug spaces [<0 - 5>]

  You can specify the number of spaces:
  - 0 (this is the default)
  - 1
  - 2
  - 3
  - 4
  - 5

Notes:
- To show all UserCheck interaction objects, run:
  usrchk hits list all
- You can only run a command that contains "user <UserName>" if:
  - Identity Awareness is enabled on the Security Gateway.
  - The User object is used in the same policy rules as the UserCheck objects.


ClusterXL Commands
For more information about Check Point cluster, see the R80.40 ClusterXL Administration Guide.


ClusterXL Configuration Commands


Description
These commands let you configure the internal behavior of the Clustering Mechanism.

Important:
- We do not recommend that you run these commands. These commands must be run automatically only by the Security Gateway or by Check Point Support.
- In a cluster, you must configure all the Cluster Members in the same way.

Syntax

Notes:
- In Gaia Clish:
  Enter set cluster<ESC><ESC> to see all the available commands.
- In Expert mode:
  Run the cphaconf command to see all the available commands.
  You can run the cphaconf commands only from the Expert mode.
- Syntax legend:
  1. Curly brackets or braces { }:
     Enclose a list of available commands or parameters, separated by the vertical bar |, from which the user can enter only one.
  2. Angle brackets < >:
     Enclose a variable - a supported value the user needs to specify explicitly.
  3. Square brackets or brackets [ ]:
     Enclose an optional command or parameter, which the user can also enter.
- You can include these commands in scripts to run them automatically.
The meaning of each command is explained in the next sections.
Table: ClusterXL Configuration Commands
(For each command: description, command in Gaia Clish, command in Expert mode.)

Configure how to show the Cluster Member in local ClusterXL logs - by its Member ID or its Member Name (see "Configuring the Cluster Member ID Mode in Local Logs" on page 1152)
    Gaia Clish:   set cluster member idmode {id | name}
    Expert mode:  cphaconf mem_id_mode {id | name}

Register a single Critical Device (Pnote) on the Cluster Member (see "Registering a Critical Device" on page 1153)
    Gaia Clish:   N / A
    Expert mode:  cphaconf set_pnote -d <Name of Device> -t <Timeout in Sec> -s {ok|init|problem} [-p] [-g] register

Unregister a single Critical Device (Pnote) on the Cluster Member (see "Unregistering a Critical Device" on page 1155)
    Gaia Clish:   N / A
    Expert mode:  cphaconf set_pnote -d <Name of Device> [-p] [-g] unregister

Report (change) a state in a single Critical Device (Pnote) on the Cluster Member (see "Reporting the State of a Critical Device" on page 1156)
    Gaia Clish:   N / A
    Expert mode:  cphaconf set_pnote -d <Name of Device> -s {ok|init|problem} [-g] report

Register several Critical Devices (Pnotes) from a file on the Cluster Member (see "Registering Critical Devices Listed in a File" on page 1157)
    Gaia Clish:   N / A
    Expert mode:  cphaconf set_pnote -f <Name of File> [-g] register

Unregister all Critical Devices (Pnotes) on the Cluster Member (see "Unregistering All Critical Devices" on page 1159)
    Gaia Clish:   N / A
    Expert mode:  cphaconf set_pnote -a [-g] unregister

Configure the Cluster Control Protocol (CCP) Encryption on the Cluster Member (see "Configuring the Cluster Control Protocol (CCP) Settings" on page 1160)
    Gaia Clish:   set cluster member ccpenc {off | on}
    Expert mode:  cphaconf ccp_encrypt {off | on}
                  cphaconf ccp_encrypt_key <Key String>

Configure the Cluster Forwarding Layer on the Cluster Member (controls the forwarding of traffic between Cluster Members)
    Note - For Check Point use only.
    Gaia Clish:   set cluster member forwarding {off | on}
    Expert mode:  cphaconf forward {off | on}

Print the current cluster configuration as loaded in the kernel on the Cluster Member (for details, see sk93306)
    Gaia Clish:   N / A
    Expert mode:  cphaconf debug_data

Start internal failover between slave interfaces of the specified bond interface - only in Bond High Availability mode (for details, see sk93306)
    Gaia Clish:   N / A
    Expert mode:  cphaconf failover_bond <bond_name>

Configure what happens during a failover after a Bond already failed over internally (for details, see sk93306)
    Gaia Clish:   N / A
    Expert mode:  cphaconf enable_bond_failover <bond_name>

Initiate manual cluster failover (see "Initiating Manual Cluster Failover" on page 1161)
    Gaia Clish:   set cluster member admin {down | up}
    Expert mode:  clusterXL_admin {down | up}

Configure the minimal number of required slave interfaces for Bond Load Sharing (see "Configuring the Minimal Number of Required Slave Interfaces for Bond Load Sharing" on page 1165)
    Gaia Clish:   N / A
    Expert mode:  cphaconf bond_ls {set <Bond Name> <Value> | remove <Bond Name>}

Configure Link Monitoring on the Cluster Interfaces (see "Configuring Link Monitoring on the Cluster Interfaces" on page 1166)
    Gaia Clish:   N / A
    Expert mode:  N / A

Configure the Multi-Version Cluster Mechanism (see "Configuring the Multi-Version Cluster Mechanism" on page 1169)
    Gaia Clish:   N / A
    Expert mode:  cphaconf mvc {off | on}

List of the Gaia Clish set cluster member commands

set cluster member admin {down | up} [permanent]
set cluster member ccpenc {off | on}
set cluster member forwarding {off | on}
set cluster member idmode {id | name}
set cluster member mvc {off | on}


List of the cphaconf commands

Note - Some commands are not applicable to 3rd party clusters.

cphaconf [-D] <options> start
cphaconf stop
cphaconf [-t <Sync IF 1>...] [-d <Non-Monitored IF 1>...] add
cphaconf clear-secured
cphaconf clear-non-monitored
cphaconf debug_data
cphaconf delete_link_local [-vs <VSID>] <IF name>
cphaconf set_link_local [-vs <VSID>] <IF name> <Cluster IP>
cphaconf mem_id_mode {id | name}
cphaconf failover_bond <bond_name>
cphaconf [-s] {set | unset | get} var <Kernel Parameter Name> [<Value>]
cphaconf bond_ls {set <Bond Name> <Value> | remove <Bond Name>}
cphaconf set_pnote -d <Device> -t <Timeout in sec> -s {ok | init | problem} [-p] [-g] register
cphaconf set_pnote -f <File> [-g] register
cphaconf set_pnote -d <Device> [-p] [-g] unregister
cphaconf set_pnote -a [-g] unregister
cphaconf set_pnote -d <Device> -s {ok | init | problem} [-g] report
cphaconf ccp_encrypt {off | on}
cphaconf ccp_encrypt_key <Key String>


Configuring the Cluster Member ID Mode in Local Logs

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
This command lets you configure how to show the Cluster Member in the local ClusterXL logs - by its
Member ID (default), or its Member Name.
This configuration affects these local logs:
- /var/log/messages
- dmesg
- $FWDIR/log/fwd.elg
See "Viewing the Cluster Member ID Mode in Local Logs" on page 1210.

Syntax

Gaia Clish:   set cluster member idmode {id | name}
Expert mode:  cphaconf mem_id_mode {id | name}

Example

[Expert@Member1:0]# cphaprob names

Current member print mode in local logs is set to: ID

[Expert@Member1:0]#
[Expert@Member1:0]# cphaconf mem_id_mode name

Member print mode in local logs: NAME

[Expert@Member1:0]#
[Expert@Member1:0]# cphaprob names

Current member print mode in local logs is set to: NAME

[Expert@Member1:0]#


Registering a Critical Device

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
You can add a user-defined critical device to the default list of critical devices. Use this command to register <device> as a critical process, and add it to the list of devices that must run for the Cluster Member to be considered active. If <device> fails, the Cluster Member is seen as failed.
If a Critical Device fails to report its state to the Cluster Member within the defined timeout, the Critical Device, and by design the Cluster Member, are seen as failed.
Define the status of the Critical Device that is reported to ClusterXL upon registration.
This initial status can be one of these:
- ok - Critical Device is alive.
- init - Critical Device is initializing. The Cluster Member is Down. In this state, the Cluster Member cannot become Active.
- problem - Critical Device failed. If this state is reported to ClusterXL, the Cluster Member immediately goes Down. This causes a failover.

Syntax

Gaia Clish:   N/A
Expert mode:  cphaconf set_pnote -d <Name of Critical Device> -t <Timeout in Sec> -s {ok | init | problem} [-p] [-g] register

Notes:
- For no timeout, use the value 0.
- The "-p" flag makes these changes permanent.
  After you reboot the Cluster Member, the status of critical devices that were registered with this flag is saved.
- The "-g" flag applies the command to all configured Virtual Systems.

Restrictions
- Total number of critical devices (pnotes) on a Cluster Member is limited to 16.
- Name of any critical device (pnote) on a Cluster Member is limited to 15 characters, and must not include white spaces.


Related topics
- "Viewing Critical Devices" on page 1180
- "Reporting the State of a Critical Device" on page 1156
- "Registering Critical Devices Listed in a File" on page 1157
- "Unregistering a Critical Device" on page 1155
- "Unregistering All Critical Devices" on page 1159


Unregistering a Critical Device

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
This command lets you unregister a user-defined Critical Device (Pnote). This means that this device is no
longer considered critical.
If a Critical Device was registered with a state "problem", before you ran this command, then after you
run this command, the status of the Cluster Member depends only on the states of the remaining Critical
Devices.

Syntax

Gaia Clish:   N/A
Expert mode:  cphaconf set_pnote -d <Name of Critical Device> [-p] [-g] unregister

Notes:
- The "-p" flag makes these changes permanent.
  This means that after you reboot, these Critical Devices remain unregistered.
- The "-g" flag applies the command to all configured Virtual Systems.

Related topics
- "Viewing Critical Devices" on page 1180
- "Reporting the State of a Critical Device" on page 1156
- "Registering a Critical Device" on page 1153
- "Registering Critical Devices Listed in a File" on page 1157
- "Unregistering All Critical Devices" on page 1159


Reporting the State of a Critical Device

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
This command lets you report (change) manually the state of a Critical Device to ClusterXL.
The reported state can be one of these:
- ok - Critical Device is alive.
- init - Critical Device is initializing. The Cluster Member is Down. In this state, the Cluster Member cannot become Active.
- problem - Critical Device failed. If this state is reported to ClusterXL, the Cluster Member immediately goes Down. This causes a failover.
If a Critical Device fails to report its state to the Cluster Member within the defined timeout, the Critical Device, and by design the Cluster Member, are seen as failed. This is true only for Critical Devices with timeouts. If a Critical Device is registered with the "-t 0" parameter, there is no timeout. Until the Critical Device reports otherwise, the state of the Critical Device is considered to be the last reported state.

Syntax

Gaia Clish:   N/A
Expert mode:  cphaconf set_pnote -d <Name of Critical Device> -s {ok | init | problem} [-g] report

Notes:
- The "-g" flag applies the command to all configured Virtual Systems.
- If the "<Name of Critical Device>" reports its state as "problem", then the Cluster Member reports its state as failed.

Related topics
- "Viewing Critical Devices" on page 1180
- "Registering a Critical Device" on page 1153
- "Registering Critical Devices Listed in a File" on page 1157
- "Unregistering a Critical Device" on page 1155
- "Unregistering All Critical Devices" on page 1159


Registering Critical Devices Listed in a File

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
This command lets you register all the user-defined Critical Devices listed in the specified file.
This file must be a plain-text ASCII file, with each Critical Device defined on a separate line.
Each definition must contain three parameters, which must be separated by a space or a tab character:

<Name of Device> <Timeout> <Status>

Where:

<Name of Device>
    The name of the Critical Device.
    - Maximal name length is 15 characters.
    - The name must not include white spaces (space or tab characters).

<Timeout>
    If the Critical Device <Name of Device> fails to report its state to the Cluster Member within this specified number of seconds, the Critical Device (and by design the Cluster Member) are seen as failed.
    For no timeout, use the value 0 (zero).

<Status>
    The Critical Device <Name of Device> reports one of these statuses to the Cluster Member:
    - ok - Critical Device is alive.
    - init - Critical Device is initializing. The Cluster Member is Down. In this state, the Cluster Member cannot become Active.
    - problem - Critical Device failed. If this state is reported to ClusterXL, the Cluster Member immediately goes Down. This causes a failover.

Syntax

Gaia Clish:   N/A
Expert mode:  cphaconf set_pnote -f /<Path>/<Name of File> [-g] register

Note - The "-g" flag applies the command to all configured Virtual Systems.
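A pre-flight check for such a file, added here as an example that is not part of the guide: it applies the rules from this section and from "Registering a Critical Device" (three white-space separated fields per line, name of at most 15 characters, non-negative timeout, status ok/init/problem, at most 16 pnotes) and returns non-zero before you hand a malformed file to cphaconf. The duplicate-name check and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the guide): validate a Critical Device (pnote)
# definition file before registering it with
#   cphaconf set_pnote -f /<Path>/<Name of File> [-g] register
# Rules checked: one device per line; three fields separated by spaces or
# tabs, <Name of Device> <Timeout> <Status>; name at most 15 characters with
# no white space; timeout a non-negative number of seconds (0 = no timeout);
# status one of ok, init, problem; at most 16 pnotes on a Cluster Member.
# Duplicate names are also rejected (assumption: two lines for one device
# are a mistake).
#
# Usage: validate_pnote_file <file>
# Returns 0 when the file is acceptable, 1 otherwise (reasons on stderr).
validate_pnote_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    errors=0
    count=0
    lineno=0
    seen=" "
    # read splits on the default IFS (space, tab); a name containing white
    # space therefore shows up as an extra field and is rejected below.
    while read -r name timeout status extra || [ -n "$name" ]; do
        lineno=$((lineno + 1))
        [ -n "$name" ] || continue                 # skip empty lines
        if [ -z "$status" ] || [ -n "$extra" ]; then
            echo "line $lineno: expected exactly <Name> <Timeout> <Status>: '$name $timeout $status $extra'" >&2
            errors=$((errors + 1))
            continue
        fi
        if [ ${#name} -gt 15 ]; then
            echo "line $lineno: name '$name' is longer than 15 characters" >&2
            errors=$((errors + 1))
        fi
        case "$seen" in
            *" $name "*)
                echo "line $lineno: device '$name' is listed more than once" >&2
                errors=$((errors + 1)) ;;
        esac
        seen="$seen$name "
        case "$timeout" in
            ''|*[!0-9]*)
                echo "line $lineno: timeout '$timeout' is not a non-negative integer" >&2
                errors=$((errors + 1)) ;;
        esac
        case "$status" in
            ok|init|problem) ;;
            *)
                echo "line $lineno: status '$status' is not one of ok, init, problem" >&2
                errors=$((errors + 1)) ;;
        esac
        count=$((count + 1))
    done < "$file"
    # The guide limits the total number of pnotes on a Cluster Member to 16;
    # this only catches a file that exceeds the limit by itself.
    if [ "$count" -gt 16 ]; then
        echo "$count devices listed, but a Cluster Member allows at most 16 pnotes" >&2
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Demonstration on a constructed file (not a file from a real Cluster Member).
demo=$(mktemp)
printf 'my_monitor 30 ok\nbackup_agent\t0\tinit\n' > "$demo"
if validate_pnote_file "$demo"; then
    echo "$demo is acceptable for cphaconf set_pnote -f"
fi
rm -f "$demo"
```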


Related topics
- "Viewing Critical Devices" on page 1180
- "Reporting the State of a Critical Device" on page 1156
- "Registering a Critical Device" on page 1153
- "Unregistering a Critical Device" on page 1155
- "Unregistering All Critical Devices" on page 1159


Unregistering All Critical Devices

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
This command lets you unregister all critical devices from the Cluster Member.

Syntax

Gaia Clish:   N/A
Expert mode:  cphaconf set_pnote -a [-g] unregister

Notes:
- The "-a" flag specifies that all Pnotes must be unregistered.
- The "-g" flag applies the command to all configured Virtual Systems.

Related topics
- "Viewing Critical Devices" on page 1180
- "Reporting the State of a Critical Device" on page 1156
- "Registering a Critical Device" on page 1153
- "Registering Critical Devices Listed in a File" on page 1157
- "Unregistering a Critical Device" on page 1155


Configuring the Cluster Control Protocol (CCP) Settings

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
Cluster Members configure the Cluster Control Protocol (CCP) mode automatically.

Important - In R80.40, the CCP always runs in the unicast mode.

You can configure the Cluster Control Protocol (CCP) Encryption on the Cluster Members.
See "Viewing the Cluster Control Protocol (CCP) Settings" on page 1215.

Syntax for configuring the Cluster Control Protocol (CCP) Encryption

Gaia Clish:   set cluster member ccpenc {off | on}
Expert mode:  cphaconf ccp_encrypt {off | on}
              cphaconf ccp_encrypt_key <Key String>


Initiating Manual Cluster Failover


Description
This command lets you initiate a manual cluster failover (see sk55081).

Syntax

Gaia Clish:   set cluster member admin {down | up}
Expert mode:  clusterXL_admin {down | up}


Example


[Expert@Member1:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 11.22.33.245 100% ACTIVE Member1


2 11.22.33.246 0% STANDBY Member2

Active PNOTEs: None

... ...

[Expert@Member1:0]#

[Expert@Member1:0]# clusterXL_admin down


This command does not survive reboot. To make the change permanent, please run 'set cluster member admin
down/up permanent' in clish or add '-p' at the end of the command in expert mode
Setting member to administratively down state ...
Member current state is DOWN
[Expert@Member1:0]#

[Expert@Member1:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 11.22.33.245 0% DOWN Member1


2 11.22.33.246 100% ACTIVE Member2

Active PNOTEs: ADMIN

Last member state change event:


Event Code: CLUS-111400
State change: ACTIVE -> DOWN
Reason for state change: ADMIN_DOWN PNOTE
Event time: Sun Sep 8 19:35:06 2019

Last cluster failover event:


Transition to new ACTIVE: Member 1 -> Member 2
Reason: ADMIN_DOWN PNOTE
Event time: Sun Sep 8 19:35:06 2019

Cluster failover count:


Failover counter: 2
Time of counter reset: Sun Sep 8 16:08:34 2019 (reboot)

[Expert@Member1:0]#

[Expert@Member1:0]# clusterXL_admin up
This command does not survive reboot. To make the change permanent, please run 'set cluster member admin
down/up permanent' in clish or add '-p' at the end of the command in expert mode
Setting member to normal operation ...
Member current state is STANDBY
[Expert@Member1:0]#

[Expert@Member1:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 11.22.33.245 0% STANDBY Member1


2 11.22.33.246 100% ACTIVE Member2

Active PNOTEs: None

Last member state change event:


Event Code: CLUS-114802


State change: DOWN -> STANDBY
Reason for state change: There is already an ACTIVE member in the cluster (member 2)
Event time: Sun Sep 8 19:37:03 2019

Last cluster failover event:


Transition to new ACTIVE: Member 1 -> Member 2
Reason: ADMIN_DOWN PNOTE
Event time: Sun Sep 8 19:35:06 2019

Cluster failover count:


Failover counter: 2
Time of counter reset: Sun Sep 8 16:08:34 2019 (reboot)

[Expert@Member1:0]#


Configuring the Minimal Number of Required Slave Interfaces for Bond Load Sharing

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
This command configures the minimal number of required slave interfaces for the specified bond interface
in Load Sharing mode.
This command saves the configuration in the $FWDIR/conf/cpha_bond_ls_config.conf file.

See "Viewing Bond Interfaces" on page 1192.

Syntax

Gaia Clish:   N/A
Expert mode:  cphaconf bond_ls set <Bond Name> <Value>
              cphaconf bond_ls remove <Bond Name>

Example

[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf


# ... (truncated for brevity) ...
# Example:
# bond0 2

[Expert@Member1:0]#

[Expert@Member1:0]# cphaconf bond_ls set bond1 2


Set operation succeeded

[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf


# ... (truncated for brevity) ...
# Example:
# bond0 2

bond1 2
[Expert@Member1:0]#

[Expert@Member1:0]# cphaconf bond_ls remove bond1


Remove operation succeeded

[Expert@Member1:0]#

[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf


# ... (truncated for brevity) ...
# Example:
# bond0 2

[Expert@Member1:0]#


Configuring Link Monitoring on the Cluster Interfaces

Important - In Cluster, you must configure all the Cluster Members in the same way.

Description
This procedure lets you configure the Cluster Member to monitor only the physical link on the cluster interfaces (instead of monitoring the Cluster Control Protocol (CCP) packets):
- If a link disappears on the configured interface, the Cluster Member changes the interface's state to DOWN.
  This causes the Cluster Member to change its state to DOWN.
- If a link appears again on the configured interface, the Cluster Member changes the interface's state back to UP.
  This causes the Cluster Member to change its state back to ACTIVE or STANDBY.
See "Viewing Cluster State" on page 1175.


Procedure

Step 1. Connect to the command line on the Cluster Member.

Step 2. Log in to the Expert mode.

Step 3. See if the $FWDIR/conf/cpha_link_monitoring.conf file already exists:

    stat $FWDIR/conf/cpha_link_monitoring.conf

Step 4. If the $FWDIR/conf/cpha_link_monitoring.conf file already exists, create a backup copy:

    cp -v $FWDIR/conf/cpha_link_monitoring.conf{,_BKP}

If the $FWDIR/conf/cpha_link_monitoring.conf file does not exist, create it:

    touch $FWDIR/conf/cpha_link_monitoring.conf

Step 5. Edit the $FWDIR/conf/cpha_link_monitoring.conf file:

    vi $FWDIR/conf/cpha_link_monitoring.conf

Step 6.
- To monitor the link only on specific interfaces:
  Enter the names of the applicable interfaces - each name on a new separate line.
  Example:

    eth2
    eth4

- To monitor the link on all interfaces:
  Enter only this word:

    all

Step 7. Save the changes in the file and exit the editor.


Step 8. Reboot the Cluster Member.

Important - This can cause a failover.

Best Practices:

- In a High Availability cluster:
  1. Perform the configuration steps on all Cluster Members
  2. Reboot all the Standby Cluster Members
  3. Initiate a manual failover on the Active Cluster Member
  4. Reboot the former Active Cluster Member

- In a Load Sharing Unicast cluster:
  1. Perform the configuration steps on all Cluster Members
  2. Reboot all the non-Pivot Cluster Members
  3. Initiate a manual failover on the Pivot Cluster Member
  4. Reboot the former Pivot Cluster Member

- In a Load Sharing Multicast cluster:
  1. Perform the configuration steps on all Cluster Members
  2. Reboot all Cluster Members except one
  3. Initiate a manual failover on the remaining Cluster Member
  4. Reboot the remaining Cluster Member

Note - See "Initiating Manual Cluster Failover" on page 1161.
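The file-editing part of this procedure (steps 3 to 7) as a shell function, added here as an example that is not part of the guide. The target path is a parameter so the function can be exercised on a scratch copy; on a Cluster Member you would pass "$FWDIR/conf/cpha_link_monitoring.conf", and step 8 (the reboot, with the failover sequence above) still has to be done by hand. The show_link_monitoring_conf helper and the scratch directory are this example's own additions.

```shell
#!/bin/sh
# Added example (not part of the guide): write the ClusterXL link-monitoring
# file. Mirrors steps 3-7 of the procedure: back up an existing file to
# <file>_BKP, then write either the single word "all" or one interface name
# per line. Step 8 (reboot) is deliberately not automated.
#
# Usage: write_link_monitoring_conf <file> all
#        write_link_monitoring_conf <file> <interface> [<interface> ...]
# Returns 0 on success, 1 on invalid input or a failed backup.
write_link_monitoring_conf() {
    file=$1
    shift
    [ $# -ge 1 ] || { echo "usage: write_link_monitoring_conf <file> all|<interface>..." >&2; return 1; }
    for name in "$@"; do
        case "$name" in
            '' | *[[:space:]]*)
                # An interface name is one token; the file is read line by line.
                echo "invalid interface name: '$name'" >&2; return 1 ;;
            all)
                # "all" must be the only entry; mixing it with names is ambiguous.
                [ $# -eq 1 ] || { echo "'all' cannot be combined with interface names" >&2; return 1; } ;;
        esac
    done
    if [ -e "$file" ]; then
        cp -p "$file" "${file}_BKP" || return 1      # step 4: keep a backup copy
    fi
    printf '%s\n' "$@" > "$file"                      # steps 5-7: one entry per line
}

# Print what a link-monitoring file currently configures ("all" or the
# interface names), ignoring blank lines. Useful before deciding to edit it.
show_link_monitoring_conf() {
    [ -r "$1" ] || { echo "no link-monitoring file at $1" >&2; return 1; }
    grep -v '^[[:space:]]*$' "$1"
}

# Demonstration on a scratch directory (constructed; not a Cluster Member path).
demo_dir=$(mktemp -d)
write_link_monitoring_conf "$demo_dir/cpha_link_monitoring.conf" eth2 eth4
show_link_monitoring_conf "$demo_dir/cpha_link_monitoring.conf"
rm -rf "$demo_dir"
```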


Configuring the Multi-Version Cluster Mechanism


Description
This command lets you change the state of the Multi-Version Cluster (MVC) Mechanism - enable or
disable it.

Important:
- The MVC Mechanism is disabled by default.
- For limitations of the MVC Mechanism, see the R80.40 Installation and Upgrade Guide > Chapter Upgrading Gateways and Clusters > Section Upgrading ClusterXL, VSX Cluster, VRRP Cluster > Section Multi-Version Cluster Upgrade.

Syntax

Gaia Clish:   set cluster member mvc {off | on}
Expert mode:  cphaconf mvc {off | on}

Parameters

Parameter Description

off Disables the MVC Mechanism on this Cluster Member.

on Enables the MVC Mechanism on this Cluster Member.

Notes:
- This command does not provide an output. To view the current state of the MVC Mechanism, see "Viewing the State of the Multi-Version Cluster Mechanism" on page 1217.
- The change made with this command survives reboot.
- If a specific scenario requires you to disable the MVC Mechanism before the first start of an R80.40 Cluster Member (for example, immediately after an upgrade to R80.40), then disable it before the first policy installation on this Cluster Member.


ClusterXL Monitoring Commands


Description
Use the monitoring commands to make sure that the cluster and the Cluster Members work properly, and
to define Critical Devices. A Critical Device (also known as a Problem Notification, or pnote) is a special
software device on each Cluster Member, through which the critical aspects for cluster operation are
monitored. When the critical monitored component on a Cluster Member fails to report its state on time, or
when its state is reported as problematic, the state of that member is immediately changed to 'Down'.

Syntax

Notes:
- In Gaia Clish:
  Enter show cluster<ESC><ESC> to see all the available commands.
- In Expert mode:
  Run the cphaprob command to see all the available commands.
  You can run the cphaprob commands from Gaia Clish as well.
- Syntax legend:
  1. Curly brackets or braces { }:
     Enclose a list of available commands or parameters, separated by the vertical bar |, from which the user can enter only one.
  2. Angle brackets < >:
     Enclose a variable - a supported value the user needs to specify explicitly.
  3. Square brackets or brackets [ ]:
     Enclose an optional command or parameter, which the user can also enter.
- You can include these commands in scripts to run them automatically.
The meaning of each command is explained in the next sections.
Table: ClusterXL Monitoring Commands
(For each command: description, command in Gaia Clish, command in Expert mode.)

Show states of Cluster Members and their names (see "Viewing Cluster State" on page 1175)
    Gaia Clish:   show cluster state
    Expert mode:  cphaprob [-vs <VSID>] state

Show Critical Devices (Pnotes) and their states on the Cluster Member (see "Viewing Critical Devices" on page 1180)
    Gaia Clish:   show cluster members pnotes {all | problem}
    Expert mode:  cphaprob [-l] [-ia] [-e] list

Show cluster interfaces on the cluster member (see "Viewing Cluster Interfaces" on page 1187)
    Gaia Clish:   show cluster members interfaces {all | secured | virtual | vlans}
    Expert mode:  cphaprob [-vs all] [-a] [-m] if

Show cluster bond configuration on the Cluster Member (see "Viewing Bond Interfaces" on page 1192)
    Gaia Clish:   show cluster bond {all | name <bond_name>}
    Expert mode:  cphaprob show_bond [<bond_name>]

Show groups of bonds on the Cluster Member (see "Viewing Bond Interfaces" on page 1192)
    Gaia Clish:   N / A
    Expert mode:  cphaprob show_bond_groups

Show (and reset) cluster failover statistics on the Cluster Member (see "Viewing Cluster Failover Statistics" on page 1197)
    Gaia Clish:   show cluster failover [reset {count | history}]
    Expert mode:  cphaprob [-reset {-c | -h}] [-l <count>] show_failover

Show information about the software version (including hotfixes) on the local Cluster Member and its matches/mismatches with other Cluster Members (see "Viewing Software Versions on Cluster Members" on page 1199)
    Gaia Clish:   show cluster release
    Expert mode:  cphaprob release

Show Delta Sync statistics on the Cluster Member (see "Viewing Delta Synchronization" on page 1200)
    Gaia Clish:   show cluster statistics sync [reset]
    Expert mode:  cphaprob [-reset] syncstat

Show Delta Sync statistics for the Connections table on the Cluster Member (see "Viewing Cluster Delta Sync Statistics for Connections Table" on page 1208)
    Gaia Clish:   show cluster statistics transport [reset]
    Expert mode:  cphaprob [-reset] ldstat

Show the Cluster Control Protocol (CCP) mode on the Cluster Member (see "Viewing Cluster Interfaces" on page 1187)
    Gaia Clish:   show cluster members interfaces virtual
    Expert mode:  cphaprob [-vs all] -a if

Show the IGMP membership of the Cluster Member (see "Viewing IGMP Status" on page 1207)
    Gaia Clish:   show cluster members igmp
    Expert mode:  cphaprob igmp

Show cluster unique IP's table on the Cluster Member (see "Viewing Cluster IP Addresses" on page 1209)
    Gaia Clish:   show cluster members ips
    Expert mode:  cphaprob tablestat

Show the Cluster Member ID Mode in local logs - by Member ID (default) or Member Name (see "Viewing the Cluster Member ID Mode in Local Logs" on page 1210)
    Gaia Clish:   show cluster members idmode
    Expert mode:  cphaprob names

Show interfaces, which the RouteD monitors on the Cluster Member when you configure OSPF (see "Viewing Interfaces Monitored by RouteD" on page 1211)
    Gaia Clish:   show ospf interfaces [detailed]
    Expert mode:  cphaprob routedifcs

Show roles of RouteD daemon on Cluster Members (see "Viewing Roles of RouteD Daemon on Cluster Members" on page 1212)
    Gaia Clish:   show cluster roles
    Expert mode:  cphaprob roles

Show Cluster Correction Statistics (see "Viewing Cluster Correction Statistics" on page 1213)
    Gaia Clish:   N / A
    Expert mode:  cphaprob [{-d | -f | -s}] corr

Show the Cluster Control Protocol (CCP) mode (see "Viewing the Cluster Control Protocol (CCP) Settings" on page 1215)
    Gaia Clish:   show cluster members interfaces virtual
    Expert mode:  cphaprob -a if

Show the Cluster Control Protocol (CCP) Encryption settings (see "Viewing the Cluster Control Protocol (CCP) Settings" on page 1215)
    Gaia Clish:   show cluster members ccpenc
    Expert mode:  cphaprob ccp_encrypt

Show the state of the Multi-Version Cluster (see "Viewing the State of the Multi-Version Cluster Mechanism" on page 1217)
    Gaia Clish:   show cluster members mvc
    Expert mode:  N / A

Show the latency and the drop rate of each interface (see "Viewing Latency and Drop Rate of Interfaces" on page 1216)
    Gaia Clish:   N / A
    Expert mode:  N / A

Show Full Connectivity Upgrade statistics (see "Viewing Full Connectivity Upgrade Statistics" on page 1218)
    Gaia Clish:   N / A
    Expert mode:  cphaprob fcustat


List of the Gaia Clish show cluster commands

show cluster
      bond
            all
            name <Name of Bond>
      failover
      members
            ccpenc
            idmode
            igmp
            interfaces
                  all
                  secured
                  virtual
                  vlans
            ips
            mvc
            pnotes
                  all
                  problem
      release
      roles
      state
      statistics
            sync [reset]
            transport [reset]


List of the cphaprob commands

Note - Some commands are not applicable to 3rd party clusters.

cphaprob [-vs <VSID>] state
cphaprob [-reset {-c | -h}] [-l <count>] show_failover
cphaprob names
cphaprob [-reset] [-a] syncstat
cphaprob [-reset] ldstat
cphaprob [-l] [-i[a]] [-e] list
cphaprob [-vs all] [-a] [-m] if
cphaprob latency
cphaprob show_bond [<bond_name>]
cphaprob show_bond_groups
cphaprob igmp
cphaprob fcustat
cphaprob tablestat
cphaprob routedifcs
cphaprob roles
cphaprob release
cphaprob ccp_encrypt
cphaprob [{-d | -f | -s}] corr


Viewing Cluster State


Description
This command lets you monitor the cluster status (after you set up the cluster).

Syntax

Gaia Clish:   1. set virtual-system <VSID>
              2. show cluster state
Expert mode:  cphaprob [-vs <VSID>] state

Example

Member1> show cluster state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 11.22.33.245 100% ACTIVE(!) Member1


2 11.22.33.246 0% DOWN Member2

Active PNOTEs: COREXL

Last member state change event:


Event Code: CLUS-116505
State change: INIT -> ACTIVE(!)
Reason for state change: All other machines are dead (timeout), FULLSYNC PNOTE
Event time: Sun Sep 8 15:28:39 2019
Cluster failover count:
Failover counter: 0
Time of counter reset: Sun Sep 8 15:28:21 2019 (reboot)

Member1>
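A health check built on this output, added here as an example that is not part of the guide: it reads "cphaprob state" (or "show cluster state") output from stdin, applies the states table later in this section (ACTIVE and STANDBY are healthy; the ACTIVE(!) variants, DOWN and LOST are problems), flags any Active PNOTEs other than None, and in High Availability mode expects exactly one ACTIVE member. The sample output is constructed after the example above, not captured from a system.

```shell
#!/bin/sh
# Added example (not from the guide): evaluate "cphaprob state" output.
# Reads the output on stdin, prints one line per problem found, and returns
# 1 if the cluster needs attention, 0 if it looks healthy. Rules follow the
# "Description of the cluster states" table: ACTIVE and STANDBY are healthy;
# ACTIVE(!), ACTIVE(!F), ACTIVE(!P), ACTIVE(!FP), DOWN and LOST are problems;
# "Active PNOTEs" other than None is a problem; a High Availability cluster
# must have exactly one member in plain ACTIVE state.
check_cluster_state() {
    awk '
        /^Cluster Mode:/ {
            mode = $0; sub(/^Cluster Mode: */, "", mode)
        }
        # Member rows start with the numeric member ID. The state is the
        # second-to-last field and the name the last field, so the optional
        # "(local)" marker after the ID does not affect parsing.
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            name = $NF; state = $(NF - 1)
            if (state == "ACTIVE") {
                active++
            } else if (state != "STANDBY") {
                # ACTIVE(!...) states still forward packets; DOWN/LOST do not.
                fwd = (state ~ /^ACTIVE/) ? "yes" : "no"
                printf "member %s is in state %s (forwarding packets: %s)\n", name, state, fwd
                problems++
            }
        }
        /^Active PNOTEs:/ {
            pnotes = $0; sub(/^Active PNOTEs: */, "", pnotes)
            if (pnotes != "None") {
                printf "critical devices reporting a problem: %s\n", pnotes
                problems++
            }
        }
        END {
            if (mode ~ /High Availability/ && active != 1) {
                printf "High Availability cluster has %d ACTIVE members, expected 1\n", active
                problems++
            }
            exit (problems > 0)
        }'
}

# Constructed sample modelled on the example output above (not captured from
# a real system): one degraded member and one member that is DOWN.
SAMPLE_STATE='Cluster Mode: High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  11.22.33.245    100%            ACTIVE(!)      Member1
2          11.22.33.246    0%              DOWN           Member2

Active PNOTEs: COREXL
'

# Demonstration run; on a Cluster Member use: cphaprob state | check_cluster_state
printf '%s\n' "$SAMPLE_STATE" | check_cluster_state || echo "-> cluster needs attention"
```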

Description of the "cphaprob state" command output fields:


Table: Description of the output fields

Cluster Mode
    Can be one of these:
    - Load Sharing (Multicast).
    - Load Sharing (Unicast).
    - High Availability (Primary Up).
    - High Availability (Active Up).
    - Virtual System Load Sharing.
    - For third-party clustering products: Service. Refer to Clustering Definitions and Terms for more information.

ID
    - In the High Availability mode - indicates the Cluster Member priority, as configured in the cluster object in SmartConsole.
    - In Load Sharing mode - indicates the Cluster Member ID, as configured in the cluster object in SmartConsole.

Unique Address
    Usually, shows the IP addresses of the Sync interfaces.
    In some cases, can show IP addresses of other cluster interfaces.

Assigned Load
    - In the ClusterXL High Availability mode - shows the Active Cluster Member with 100% load, and all other Standby Cluster Members with 0% load.
    - In ClusterXL Load Sharing modes (Unicast and Multicast) - shows all Active Cluster Members with 100% load.

State
    - In the ClusterXL High Availability mode, only one Cluster Member in a fully-functioning cluster must be ACTIVE, and the other Cluster Members must be in the STANDBY state.
    - In the ClusterXL Load Sharing modes (Unicast and Multicast), all Cluster Members in a fully-functioning cluster must be ACTIVE.
    - In 3rd-party clustering configuration, all Cluster Members in a fully-functioning cluster must be ACTIVE. This is because this command only reports the status of the Full Synchronization process.
    See the summary table below.

Name
    Shows the names of the Cluster Members' objects as configured in SmartConsole.

Active PNOTEs
    Shows the Critical Devices that report their states as "problem" (see "Viewing Critical Devices" on page 1180).

Last member state change event
    Shows information about the last time this Cluster Member changed its cluster state.

Event Code
    Shows an event code.
    For information, see sk125152.


State change
    Shows the previous cluster state and the new cluster state of this Cluster Member.

Reason for state change
    Shows the reason why this Cluster Member changed its cluster state.

Event time
    Shows the date and the time when this Cluster Member changed its cluster state.

Last cluster failover event
    Shows information about the last time a cluster failover occurred.

Transition to new ACTIVE
    Shows which Cluster Member became the new Active.

Reason
    Shows the reason for the last cluster failover.

Event time
    Shows the date and the time of the last cluster failover.

Cluster failover count
    Shows information about the cluster failovers.

Failover counter
    Shows the number of cluster failovers since the boot.
    Notes:
    - This value survives reboot.
    - This counter is synchronized between Cluster Members.

Time of counter reset
    Shows the date and the time of the last counter reset, and the reset initiator.

When you examine the state of the Cluster Member, consider whether it forwards packets, and whether it
has a problem that prevents it from forwarding packets. Each state reflects the result of a test on critical
devices. This table shows the possible cluster states, and whether or not they represent a problem.
Table: Description of the cluster states

ACTIVE
    Description: Everything is OK.
    Forwarding packets? Yes
    Is this state a problem? No

ACTIVE(!)
ACTIVE(!F)
ACTIVE(!P)
ACTIVE(!FP)
    Description: A problem was detected, but the Cluster Member still forwards packets, because it is the only member in the cluster, or because there are no other Active members in the cluster. In any other situation, the state of the member is Down.
    n ACTIVE(!) - See above.
    n ACTIVE(!F) - See above. The Cluster Member is in the freeze state.
    n ACTIVE(!P) - See above. This is the Pivot Cluster Member in Load Sharing Unicast mode.
    n ACTIVE(!FP) - See above. This is the Pivot Cluster Member in Load Sharing Unicast mode and it is in the freeze state.
    Forwarding packets? Yes
    Is this state a problem? Yes

DOWN
    Description: One of the Critical Devices reports its state as "problem" (see "Viewing Critical Devices" on page 1180).
    Forwarding packets? No
    Is this state a problem? Yes

LOST
    Description: The peer Cluster Member lost connectivity to this local Cluster Member (for example, while the peer Cluster Member is rebooted).
    Forwarding packets? No
    Is this state a problem? Yes

READY
    Description: State Ready means that the Cluster Member recognizes itself as a part of the cluster and is literally ready to go into action, but, by design, something prevents it from taking action. Possible reasons that the Cluster Member is not yet Active include:
    n Not all required software components were loaded and initialized yet and/or not all configuration steps finished successfully yet. Before a Cluster Member becomes Active, it sends a message to the rest of the Cluster Members, to check if it can become Active. In High Availability mode it checks if there is already an Active member, and in Load Sharing Unicast mode it checks if there is already a Pivot member. The member remains in the Ready state until it receives the response from the rest of the Cluster Members and decides which state to choose next (Active, Standby, Pivot, or non-Pivot).
    n Software installed on this Cluster Member has a higher version than all the other Cluster Members. For example, when a cluster is upgraded from one version of Check Point Security Gateway to another, and the Cluster Members have different versions of Check Point Security Gateway, the Cluster Members with the new version have the Ready state, and the Cluster Members with the previous version have the Active/Active Attention state. This applies only when the Multi-Version Cluster Mechanism is disabled (see "Viewing the State of the Multi-Version Cluster Mechanism" on page 1217). See sk42096 for a solution.
    Forwarding packets? No
    Is this state a problem? No

STANDBY
    Description: Applies only to the High Availability mode. Means that the Cluster Member waits for an Active Cluster Member to fail in order to start packet forwarding.
    Forwarding packets? No
    Is this state a problem? No

BACKUP
    Description: Applies only to a VSX Cluster in Virtual System Load Sharing mode with three or more Cluster Members configured. State of a Virtual System on a third (and so on) VSX Cluster Member.
    Forwarding packets? No
    Is this state a problem? No

INIT
    Description: The Cluster Member is in the phase after the boot and until the Full Sync completes.
    Forwarding packets? No
    Is this state a problem? No

Viewing Critical Devices


Description
There are a number of built-in Critical Devices, and the Administrator can define additional Critical Devices.
When a Critical Device reports its state as a "problem", the Cluster Member reports its state as "DOWN".
To see the list of Critical Devices on a Cluster Member, and of all the other Cluster Members, run the
commands listed below on the Cluster Member.
Table: Built-in Critical Devices

Problem Notification
    Description: Monitors all the Critical Devices.
    "OK" state: None of the Critical Devices on this Cluster Member reports its state as problem.
    "problem" state: At least one of the Critical Devices on this Cluster Member reports its state as problem.

Init
    Description: Monitors if the "HA module" was initialized successfully. See sk36372.
    "OK" state: This Cluster Member receives cluster state information from peer Cluster Members.

Interface Active Check
    Description: Monitors the state of cluster interfaces.
    "OK" state: All cluster interfaces on this Cluster Member are up (CCP packets are sent and received on all cluster interfaces).
    "problem" state: At least one of the cluster interfaces on this Cluster Member is down (CCP packets are not sent and/or received on time).

Load Balancing Configuration
    Description: Pnote is currently not used (see sk36373).

Recovery Delay
    Description: Monitors the state of a Virtual System (see sk92353).
    "OK" state: State of a Virtual System can be changed on this Cluster Member.
    "problem" state: State of a Virtual System cannot be changed yet on this Cluster Member.

CoreXL Configuration
    Description: Monitors the CoreXL configuration for inconsistencies on all Cluster Members.
    "OK" state: The number of configured CoreXL Firewall instances on this Cluster Member is the same as on all peer Cluster Members.
    "problem" state: The number of configured CoreXL Firewall instances on this Cluster Member is different from the peer Cluster Members.
    Important - A Cluster Member with a greater number of CoreXL Firewall instances changes its state to DOWN.

Fullsync
    Description: Monitors if Full Sync on this Cluster Member completed successfully.
    "OK" state: This Cluster Member completed Full Sync successfully.
    "problem" state: This Cluster Member was not able to complete Full Sync.

Policy
    Description: Monitors if the Security Policy is installed.
    "OK" state: This Cluster Member successfully installed the Security Policy.
    "problem" state: The Security Policy is not currently installed on this Cluster Member.

fwd
    Description: Monitors the Security Gateway process called fwd.
    "OK" state: The fwd daemon on this Cluster Member reported its state on time.
    "problem" state: The fwd daemon on this Cluster Member did not report its state on time.

cphad
    Description: Monitors the ClusterXL process called cphamcset. Also see the $FWDIR/log/cphamcset.elg file.
    "OK" state: The cphamcset daemon on this Cluster Member reported its state on time.
    "problem" state: The cphamcset daemon on this Cluster Member did not report its state on time.

routed
    Description: Monitors the Gaia process called routed.
    "OK" state: The routed daemon on this Cluster Member reported its state on time.
    "problem" state: The routed daemon on this Cluster Member did not report its state on time.

cvpnd
    Description: Monitors the Mobile Access back-end process called cvpnd. This pnote appears if the Mobile Access Software Blade is enabled.
    "OK" state: The cvpnd daemon on this Cluster Member reported its state on time.
    "problem" state: The cvpnd daemon on this Cluster Member did not report its state on time.

ted
    Description: Monitors the Threat Emulation process called ted.
    "OK" state: The ted daemon on this Cluster Member reported its state on time.
    "problem" state: The ted daemon on this Cluster Member did not report its state on time.

VSX
    Description: Monitors all Virtual Systems in a VSX Cluster.
    "OK" state: On VS0, means that the states of all Virtual Systems are not Down on this Cluster Member. On other Virtual Systems, means that VS0 is alive on this Cluster Member.
    "problem" state: The minimum of the blocking states of all Virtual Systems is not "active" on this Cluster Member (the VSIDs are printed on the line "Problematic VSIDs:").

Instances
    Description: This pnote appears in a VSX HA mode (not VSLS) cluster.
    "OK" state: The number of CoreXL Firewall instances in the received CCP packet matches the number of loaded CoreXL Firewall instances on this VSX Cluster Member or this Virtual System.
    "problem" state: There is a mismatch between the number of CoreXL Firewall instances in the received CCP packet and the number of loaded CoreXL Firewall instances on this VSX Cluster Member or this Virtual System (see sk106912).

Hibernating
    Description: This pnote appears in a VSX VSLS mode cluster with 3 or more Cluster Members. It shows if this Virtual System is in the "Backup" (hibernated) state. Also see sk114557.
    "problem" state: This Virtual System is in the "Backup" (hibernated) state on this Cluster Member.

admin_down
    Description: Monitors the Critical Device admin_down.
    "problem" state: User ran the clusterXL_admin down command on this Cluster Member. See "The clusterXL_admin Script" on page 1228.

host_monitor
    Description: Monitors the Critical Device host_monitor. User executed the $FWDIR/bin/clusterXL_monitor_ips script. See "The clusterXL_monitor_ips Script" on page 1232.
    "OK" state: All monitored IP addresses on this Cluster Member replied to pings.
    "problem" state: At least one of the monitored IP addresses on this Cluster Member did not reply to at least one ping.

A name of a user space process (except fwd, routed, cvpnd, ted)
    Description: User executed the $FWDIR/bin/clusterXL_monitor_process script. See "The clusterXL_monitor_process Script" on page 1236.
    "OK" state: All monitored user space processes on this Cluster Member are running.
    "problem" state: At least one of the monitored user space processes on this Cluster Member is not running.

Syntax

Shell Command

Gaia Clish show cluster members pnotes {all | problem}

Expert mode cphaprob [-l] [-ia] [-e] list

Where:

show cluster members pnotes all
    Shows the full list of Critical Devices on the Cluster Member.

show cluster members pnotes problem
    Shows only the Critical Devices that report their state as "problem".

cphaprob -l list
    Prints the list of all the "Built-in Devices" and the "Registered Devices".

cphaprob -i list
    When there are no issues on the Cluster Member, shows:
    There are no pnotes in problem state
    When a Critical Device reports a problem, prints only the Critical Device that reports its state as "problem".

cphaprob -ia list
    When there are no issues on the Cluster Member, shows:
    There are no pnotes in problem state
    When a Critical Device reports a problem, prints the Critical Device "Problem Notification" and the Critical Device that reports its state as "problem".

cphaprob -e list
    When there are no issues on the Cluster Member, shows:
    There are no pnotes in problem state
    When a Critical Device reports a problem, prints only the Critical Device that reports its state as "problem".

Related topics
n "Reporting the State of a Critical Device" on page 1156
n "Registering a Critical Device" on page 1153
n "Registering Critical Devices Listed in a File" on page 1157
n "Unregistering a Critical Device" on page 1155
n "Unregistering All Critical Devices" on page 1159

Examples

Example 1 - Critical Device 'fwd'

Critical Device fwd reports its state as problem because the fwd process is down.

[Expert@Member1:0]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 940.3 sec

Device Name: fwd
Registration number: 3
Timeout: 30 sec
Current state: problem
Time since last report: 1782.9 sec
Process Status: DOWN

Device Name: cphad
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 1778.3 sec
Process Status: UP

Device Name: VSX
Registration number: 5
Timeout: none
Current state: OK
Time since last report: 1773.3 sec

Device Name: Init
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 1773.3 sec

[Expert@Member1:0]#

Example 2 - Critical Device 'CoreXL Configuration'

Critical Device CoreXL Configuration reports its state as problem because the numbers of
CoreXL Firewall instances do not match between the Cluster Members.

[Expert@Member1:0]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: problem (non-blocking)

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 940.3 sec

Device Name: fwd
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 1782.9 sec
Process Status: UP

Device Name: cphad
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 1778.3 sec
Process Status: UP

Device Name: VSX
Registration number: 5
Timeout: none
Current state: OK
Time since last report: 1773.3 sec

Device Name: Init
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 1773.3 sec

[Expert@Member1:0]#
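The two example outputs above can be checked mechanically. The following shell script is an added example, not code from the Check Point guide: it parses "cphaprob -l list" output read from stdin into one line per Critical Device in the problem state, and separates blocking problems (which take the Cluster Member to DOWN) from the "(non-blocking)" form that CoreXL Configuration reports in Example 2. The embedded samples are excerpts of Examples 1 and 2; the function and variable names are the example's own.

```bash
#!/bin/bash
# Added example (not from the Check Point guide): turn "cphaprob -l list"
# output into a machine-checkable list of Critical Devices in "problem" state.
# Usage on a Cluster Member:   cphaprob -l list | pnotes_in_problem

# Reads "cphaprob -l list" output on stdin. Prints one line per Critical
# Device whose "Current state" starts with "problem", in the form
#   <device name>|<blocking or non-blocking>|<Process Status, or - if absent>
pnotes_in_problem() {
    awk -F ': *' '
        function emit() { if (kind != "") print name "|" kind "|" pstatus }
        /^[[:space:]]*Device Name:/   { emit(); name = $2; kind = ""; pstatus = "-" }
        /^[[:space:]]*Current state:/ {
            # "problem (non-blocking)" is what CoreXL Configuration reports in
            # Example 2; every other "problem" is blocking and takes the member DOWN
            if ($2 ~ /^problem/) { kind = ($2 ~ /non-blocking/) ? "non-blocking" : "blocking" }
        }
        /^[[:space:]]*Process Status:/ { pstatus = $2 }
        END { emit() }
    '
}

# Exit status: 0 = no pnote in problem state, 1 = only non-blocking problems,
# 2 = at least one blocking problem (the Cluster Member reports DOWN).
pnotes_severity() {
    local found
    found=$(pnotes_in_problem)
    if [ -z "$found" ]; then
        return 0
    elif printf '%s\n' "$found" | grep -q '|blocking|'; then
        return 2
    else
        return 1
    fi
}

# Constructed excerpt of Example 1 above: the fwd daemon is down.
SAMPLE_FWD_DOWN='Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: fwd
Registration number: 3
Timeout: 30 sec
Current state: problem
Time since last report: 1782.9 sec
Process Status: DOWN

Device Name: cphad
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 1778.3 sec
Process Status: UP'

# Constructed excerpt of Example 2 above: CoreXL instance counts differ between members.
SAMPLE_COREXL='Built-in Devices:

Device Name: CoreXL Configuration
Current state: problem (non-blocking)

Registered Devices:

Device Name: fwd
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 1782.9 sec
Process Status: UP'

printf '%s\n' "$SAMPLE_FWD_DOWN" | pnotes_in_problem   # fwd|blocking|DOWN
printf '%s\n' "$SAMPLE_COREXL"   | pnotes_in_problem   # CoreXL Configuration|non-blocking|-
```

A monitoring job can run "cphaprob -l list | pnotes_severity" and alert on exit status 2 immediately, while status 1 (only non-blocking problems, such as a CoreXL instance mismatch after an upgrade) is worth a ticket rather than a page.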

Viewing Cluster Interfaces


Description
This command lets you see the state of the Cluster Member interfaces and the virtual cluster interfaces.
ClusterXL treats the interfaces as Critical Devices. ClusterXL makes sure that interfaces can send and
receive CCP packets.
ClusterXL also sets the required minimal number of functional interfaces to the largest number of
functional interfaces ClusterXL detected since the last reboot. If the number of functional interfaces is less
than the required number, ClusterXL declares the Cluster Member as failed and starts a failover. The
same applies to the synchronization interfaces, where only good synchronization interfaces are counted.
When an interface is DOWN, it means that the interface cannot receive or send CCP packets, or both. An
interface may also be able to receive, but not send CCP packets. The time you see in the command's
output is the number of seconds that elapsed since the interface was last able to receive or send a CCP
packet.

Syntax

Shell Command

Gaia Clish      1. set virtual-system <VSID>
                2. show cluster members interfaces {all | secured | virtual | vlans}

Expert mode     cphaprob [-vs all] [-a] [-m] if

Where:

show cluster members interfaces all
    Shows the full list of all cluster interfaces:
    n including the number of required interfaces
    n including Network Objective
    n including VLAN monitoring mode, or list of monitored VLAN interfaces

show cluster members interfaces secured
    Shows only cluster interfaces (Cluster and Sync) and their states:
    n without Network Objective
    n without VLAN monitoring mode
    n without monitored VLAN interfaces

show cluster members interfaces virtual
    Shows the full list of cluster virtual interfaces and their states:
    n including the number of required interfaces
    n including Network Objective
    n without VLAN monitoring mode
    n without monitored VLAN interfaces

show cluster members interfaces vlans
    Shows only monitored VLAN interfaces.

cphaprob if
    Shows only cluster interfaces (Cluster and Sync) and their states:
    n without Network Objective
    n without VLAN monitoring mode
    n without monitored VLAN interfaces

cphaprob -a if
    Shows the full list of cluster interfaces and their states:
    n including the number of required interfaces
    n including Network Objective
    n without VLAN monitoring mode
    n without monitored VLAN interfaces

cphaprob -a -m if
    Shows the full list of all cluster interfaces and their states:
    n including the number of required interfaces
    n including Network Objective
    n including VLAN monitoring mode, or list of monitored VLAN interfaces

Output
The output of these commands must be identical to the configuration in the cluster object's Network
Management page in SmartConsole.

Example

[Expert@Member1:0]# cphaprob -a -m if

CCP mode: Manual (Unicast)

Required interfaces: 4
Required secured interfaces: 1

Interface Name: Status:

eth0 UP
eth1 (S) UP
eth2 (LM) UP
bond1 (LS) UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 3

eth0 192.168.3.247
eth2 44.55.66.247
bond1 77.88.99.247

No VLANs are monitored on the member

[Expert@Member1:0]#

Description of the "cphaprob -a -m if" command output fields:


Table: Description of the output fields

CCP mode
    Shows the CCP mode. The default mode is Unicast.
    Important - In R80.40, the CCP always runs in the unicast mode.

Required interfaces
    Shows the total number of monitored cluster interfaces, including the Sync interface.
    This number is based on the configuration of the cluster object > Network Management page.

Required secured interfaces
    Shows the total number of the required Sync interfaces.
    This number is based on the configuration of the cluster object > Network Management page.

Non-Monitored
    The Cluster Member does not monitor the state of this interface.
    In SmartConsole, in the cluster object > Network Management page, the administrator configured the Network Type Private for this interface.

UP
    The Cluster Member monitors the state of this interface. The current cluster state of this interface is UP, which means this interface can send and receive CCP packets.
    In SmartConsole, in the cluster object > Network Management page, the administrator configured one of these Network Types for this interface: Cluster, Sync, or Cluster + Sync.

DOWN
    The Cluster Member monitors the state of this interface. The current cluster state of this interface is DOWN, which means this interface cannot send CCP packets, receive CCP packets, or both.
    In SmartConsole, in the cluster object > Network Management page, the administrator configured one of these Network Types for this interface: Cluster, Sync, or Cluster + Sync.

(S)
    This interface is a Sync interface.
    In SmartConsole, in the cluster object > Network Management page, the administrator configured one of these Network Types for this interface: Sync, or Cluster + Sync.

(LM)
    This interface is configured in the $FWDIR/conf/cpha_link_monitoring.conf file.
    The Cluster Member monitors only the link on this interface (it does not monitor the received or sent CCP packets).
    See "Configuring Link Monitoring on the Cluster Interfaces" on page 1166.

(HA)
    This interface is a Bond interface in High Availability mode.

(LS)
    This interface is a Bond interface in Load Sharing mode.

Virtual cluster interfaces
    Shows the total number of the configured virtual cluster interfaces.
    This number is based on the configuration of the cluster object > Network Management page.

No VLANs are monitored on the member
    Shows the VLAN monitoring mode - there are no VLAN interfaces configured on the cluster interfaces.

Monitoring mode is Monitor all VLANs: All VLANs are monitored
    Shows the VLAN monitoring mode - there are some VLAN interfaces configured on the cluster interfaces, and the Cluster Member monitors all VLAN IDs.

Monitoring mode is Monitor specific VLAN: Only specified VLANs are monitored
    Shows the VLAN monitoring mode - there are some VLAN interfaces configured on the cluster interfaces, and the Cluster Member monitors only specific VLAN IDs.
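The rule stated in the Description (the member fails when fewer interfaces are UP than "Required interfaces", and likewise for the Sync interfaces and "Required secured interfaces") can be applied to the command output directly. The following shell script is an added example, not code from the Check Point guide: it reads "cphaprob -a -m if" output on stdin and reports the counts and the DOWN interfaces. The healthy sample embedded in it is the example output above; the degraded variant is constructed from it by marking eth2 DOWN. Function and variable names are the example's own.

```bash
#!/bin/bash
# Added example (not from the Check Point guide): evaluate "cphaprob -a -m if"
# output against the "Required interfaces" / "Required secured interfaces" rule.
# Usage on a Cluster Member:   cphaprob -a -m if | cluster_if_summary

# Reads "cphaprob -a -m if" output on stdin and prints one summary line:
#   required=N up=N down=N secured_required=N secured_up=N down_list=a,b ok=0|1
cluster_if_summary() {
    awk '
        /^Required interfaces:/         { req = $3 }
        /^Required secured interfaces:/ { sreq = $4 }
        /^Interface Name:/              { intable = 1; next }   # header of the status table
        intable && /^S - sync/          { intable = 0 }          # the legend ends the table
        intable && NF >= 2 {
            name = $1; st = $NF
            issync = (index($0, "(S)") > 0)                      # "(S)" marks a Sync interface
            if (st == "UP")        { up++; if (issync) sup++ }
            else if (st == "DOWN") { down++; dl = dl (dl == "" ? "" : ",") name }
            # "Non-Monitored" interfaces (Network Type Private) are not counted
        }
        END {
            ok = (up >= req + 0 && sup >= sreq + 0 && down == 0) ? 1 : 0
            printf "required=%d up=%d down=%d secured_required=%d secured_up=%d down_list=%s ok=%d\n",
                   req, up, down, sreq, sup, dl, ok
        }
    '
}

# Exit 0 when the interface state satisfies the requirements, 1 otherwise.
cluster_if_check() {
    cluster_if_summary | grep -q ' ok=1$'
}

# Constructed sample: the healthy output shown in the example above.
IF_HEALTHY='CCP mode: Manual (Unicast)

Required interfaces: 4
Required secured interfaces: 1

Interface Name: Status:

eth0 UP
eth1 (S) UP
eth2 (LM) UP
bond1 (LS) UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 3

eth0 192.168.3.247
eth2 44.55.66.247
bond1 77.88.99.247

No VLANs are monitored on the member'

# Constructed sample: the same member after eth2 lost its link.
IF_DEGRADED=$(printf '%s\n' "$IF_HEALTHY" | sed 's/^eth2 (LM) UP$/eth2 (LM) DOWN/')

printf '%s\n' "$IF_HEALTHY"  | cluster_if_summary   # ... down_list= ok=1
printf '%s\n' "$IF_DEGRADED" | cluster_if_summary   # ... down_list=eth2 ok=0
```

Because ClusterXL raises the required count to the largest number of functional interfaces seen since boot, a single DOWN interface is enough to fail the member; the summary therefore treats down=0 as a requirement rather than only comparing totals.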

Viewing Bond Interfaces


Description
This command lets you see the configuration of bond interfaces and their slave interfaces.

Syntax

Shell Command

Gaia Clish      1. show cluster bond {all | name <bond_name>}
                2. show bonding groups

Expert mode     cphaprob show_bond [<bond_name>]
                cphaprob show_bond_groups

Where:

show cluster bond all
show bonding groups
cphaprob show_bond
    Shows the configuration of all configured bond interfaces.

show cluster bond name <bond_name>
cphaprob show_bond <bond_name>
    Shows the configuration of the specified bond interface.

cphaprob show_bond_groups
    Shows the configured Groups of Bonds and their settings.

Examples

Example 1 - 'cphaprob show_bond'

[Expert@Member2:0]# cphaprob show_bond

           |                   |      |Slaves     |Slaves  |Slaves
Bond name  |Mode               |State |configured |link up |required
-----------+-------------------+------+-----------+--------+--------
bond1      | High Availability | UP   | 2         | 2      | 1

Legend:
-------
UP! - Bond interface state is UP, yet attention is required
Slaves configured - number of slave interfaces configured on the bond
Slaves link up - number of operational slaves
Slaves required - minimal number of operational slaves required for bond to be UP

[Expert@Member2:0]#

Member2> show bonding groups

Bonding Interface: 1
Bond Configuration
xmit-hash-policy Not configured
down-delay 200
primary Not configured
lacp-rate Not configured
mode active-backup
up-delay 200
mii-interval 100
Bond Interfaces
eth3
eth4
Member2>

Description of the output fields for the "cphaprob show_bond" and "show cluster bond all"
commands:
Table: Description of the output fields

Bond name
    Name of the Gaia bonding group.

Mode
    Bonding mode of this Gaia bonding group. One of these:
    n High Availability
    n Load Sharing

State
    State of the Gaia bonding group:
    n UP - Bond interface is fully operational
    n UP! - Bond interface state is UP, yet attention is required
    n DOWN - Bond interface failed

Slaves configured
    Total number of physical slave interfaces configured in this Gaia bonding group.

Slaves link up
    Number of operational physical slave interfaces in this Gaia bonding group.

Slaves required
    Minimal number of operational physical slave interfaces required for the state of this Gaia bonding group to be UP.

Example 2 - 'cphaprob show_bond <bond_name>'

[Expert@Member2:0]# cphaprob show_bond bond1

Bond name: bond1
Bond mode: High Availability
Bond status: UP

Configured slave interfaces: 2
In use slave interfaces: 2
Required slave interfaces: 1

Slave name      | Status          | Link
----------------+-----------------+-------
eth4            | Active          | Yes
eth3            | Backup          | Yes

[Expert@Member2:0]#

Description of the output fields for the "cphaprob show_bond <bond_name>" and "show
cluster bond name <bond_name>" commands:
Table: Description of the output fields

Bond name
    Name of the Gaia bonding group.

Bond mode
    Bonding mode of this Gaia bonding group. One of these:
    n High Availability
    n Load Sharing

Bond status
    Status of the Gaia bonding group. One of these:
    n UP - Bond interface is fully operational
    n UP! - Bond interface state is UP, yet attention is required
    n DOWN - Bond interface failed

Configured slave interfaces
    Total number of physical slave interfaces configured in this Gaia bonding group.

In use slave interfaces
    Number of operational physical slave interfaces in this Gaia bonding group.

Required slave interfaces
    Minimal number of operational physical slave interfaces required for the state of this Gaia bonding group to be UP.

Slave name
    Names of the physical slave interfaces configured in this Gaia bonding group.

Status
    Status of the physical slave interfaces in this Gaia bonding group. One of these:
    n Active - In High Availability or Load Sharing bonding mode. This slave interface is currently handling traffic.
    n Backup - In High Availability bonding mode only. This slave interface is ready and can support internal bond failover.
    n Not Available - In High Availability or Load Sharing bonding mode. The physical link on this slave interface is lost, or this Cluster Member is in status Down. The bond cannot failover internally in this state.

Link
    State of the physical link on the physical slave interfaces in this Gaia bonding group. One of these:
    n Yes - Link is present
    n No - Link is lost

Example 3 - 'cphaprob show_bond_groups'

[Expert@Member2:0]# cphaprob show_bond_groups

                    |           | Required     | Bonds    | Bonds
Group of bonds name | State     | active bonds | in group | status
--------------------+-----------+--------------+----------+--------+
GoB0                | UP        | 1            |          |
                    |           |              | bond1    | UP
                    |           |              | bond2    | UP

Legend:
---------
Bonds in group - a list of the bonds in the bond group
Required active bonds - number of required active bonds
[Expert@Member2:0]#

Description of the output fields for the "cphaprob show_bond_groups" command:


Table: Description of the output fields

Group of bonds name
    Name of the Group of Bonds.

State
    State of the Group of Bonds. One of these:
    n UP - Group of Bonds is fully operational
    n DOWN - Group of Bonds failed

Required active bonds
    Number of required active bonds in this Group of Bonds.

Bonds in group
    Names of the Gaia bond interfaces configured in this Group of Bonds.

Bonds status
    State of the Gaia bond interface. One of these:
    n UP - Bond interface is fully operational
    n DOWN - Bond interface failed
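The bond table in Example 1 hides a case the State column alone does not flag: a bond that is UP because "Slaves link up" still meets "Slaves required", but has already lost one of its configured slaves and therefore has no redundancy left. The following shell script is an added example, not code from the Check Point guide: it reads "cphaprob show_bond" (or "show cluster bond all") output on stdin and gives every bond a verdict of ok, degraded, or failed. The bond1 row is the one shown in Example 1; the bond2 and bond3 rows are constructed. Names are the example's own.

```bash
#!/bin/bash
# Added example (not from the Check Point guide): classify each row of
# "cphaprob show_bond" / "show cluster bond all" output.
# Usage on a Cluster Member:   cphaprob show_bond | bond_summary

# Reads the table on stdin; prints one line per bond:
#   <bond> state=<UP|UP!|DOWN> slaves_up=N configured=N required=N verdict=<ok|degraded|failed>
bond_summary() {
    awk -F '|' '
        # data rows have six "|"-separated cells and a numeric "Slaves configured"
        # cell; the two header lines and the dashed separator do not
        NF == 6 && $4 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ {
            for (i = 1; i <= NF; i++) gsub(/^[[:space:]]+|[[:space:]]+$/, "", $i)
            name = $1; state = $3; conf = $4 + 0; up = $5 + 0; req = $6 + 0
            if (state == "DOWN" || up < req)      verdict = "failed"    # bond cannot carry traffic
            else if (state == "UP!" || up < conf) verdict = "degraded"  # UP, but redundancy lost
            else                                  verdict = "ok"
            printf "%s state=%s slaves_up=%d configured=%d required=%d verdict=%s\n",
                   name, state, up, conf, req, verdict
        }
    '
}

# Exit 0 only when every bond has verdict=ok.
bond_check() {
    ! bond_summary | grep -qv 'verdict=ok$'
}

# Constructed sample: the bond1 row from Example 1 plus two constructed rows
# (bond2 lost one of four slaves, bond3 lost both of its slaves).
BOND_SAMPLE='           |                   |      |Slaves     |Slaves  |Slaves
Bond name  |Mode               |State |configured |link up |required
-----------+-------------------+------+-----------+--------+--------
bond1      | High Availability | UP   | 2         | 2      | 1
bond2      | Load Sharing      | UP!  | 4         | 3      | 2
bond3      | High Availability | DOWN | 2         | 0      | 1

Legend:
-------
UP! - Bond interface state is UP, yet attention is required'

printf '%s\n' "$BOND_SAMPLE" | bond_summary
```

A "degraded" bond on an ACTIVE member is the condition to fix before the next maintenance window: a second slave failure turns it into "failed" and triggers a cluster failover.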

Viewing Cluster Failover Statistics


Description
This command lets you see the cluster failover statistics on the Cluster Member:
n Number of failovers that happened
n Failover reason
n The time of the last failover event

Syntax to show the statistics

Shell Command

Gaia Clish show cluster failover

Expert mode cphaprob [-l <number>] show_failover

Syntax to reset the statistics

Shell Command

Gaia Clish show cluster failover reset {count | history}

Expert mode cphaprob -reset {-c | -h} show_failover

Parameters

-l <number>
    Specifies how many of the last failover events to show (between 1 and 50).

count (Gaia Clish), -c (Expert mode)
    Resets the counter of failover events.

history (Gaia Clish), -h (Expert mode)
    Resets the history of failover events.

Example

[Expert@Member1:0]# cphaprob show_failover

Last cluster failover event:
Transition to new ACTIVE: Member 2 -> Member 1
Reason: ADMIN_DOWN PNOTE
Event time: Sun Sep 8 18:21:44 2019

Cluster failover count:
Failover counter: 1
Time of counter reset: Sun Sep 8 16:08:34 2019 (reboot)

Cluster failover history (last 20 failovers since reboot/reset on Sun Sep 8 16:08:34 2019):

No. Time:                     Transition:             CPU:  Reason:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1   Sun Sep 8 18:21:44 2019   Member 2 -> Member 1    01    ADMIN_DOWN PNOTE

[Expert@Member1:0]#

Viewing Software Versions on Cluster Members


Description
This command lets you see information about the software version (including private hotfixes) on the local
Cluster Member and its matches / mismatches with other Cluster Members.

Syntax

Shell Command

Gaia Clish show cluster release

Expert mode cphaprob release

Example

[Expert@Member1:0]# cphaprob release

Release: R80.40 T136

Kernel build: 994000117


FW1 build: 994000116
FW1 private fixes: None

ID SW release

1 (local) R80.40 T136


2 R80.40 T136

[Expert@Member1:0]#

Viewing Delta Synchronization


Heavily loaded clusters and clusters with geographically separated members pose special challenges.
High connection rates, and large distances between the members can lead to delays that affect the
operation of the cluster.
Monitor the operation of the State Synchronization mechanism in highly loaded and distributed clusters.

Perform these troubleshooting steps:

1. Examine the Delta Sync statistics counters:

   Gaia Clish      show cluster statistics sync
   Expert mode     cphaprob syncstat

2. Change the values of the applicable synchronization global configuration parameters.

3. Reset the Delta Sync statistics counters:

   Gaia Clish      show cluster statistics sync reset
   Expert mode     cphaprob -reset syncstat

4. Examine the Delta Sync statistics to see if the problem is solved.

5. Solve any identified problem.
Example output of the "show cluster statistics sync" and "cphaprob syncstat"
commands from a Cluster Member:

Delta Sync Statistics

Sync status: OK

Drops:
Lost updates................................. 0
Lost bulk update events...................... 0
Oversized updates not sent................... 0

Sync at risk:
Sent reject notifications.................... 0
Received reject notifications................ 0

Sent messages:
Total generated sync messages................ 26079
Sent retransmission requests................. 0
Sent retransmission updates.................. 0
Peak fragments per update.................... 1

Received messages:
Total received updates....................... 3710
Received retransmission requests............. 0

Sync Interface:
Name......................................... eth1
Link speed................................... 1000Mb/s
Rate......................................... 46000 [Bps]
Peak rate.................................... 46000 [Bps]
Link usage................................... 0%
Total........................................ 376827[KB]

Queue sizes (num of updates):
Sending queue size........................... 512
Receiving queue size......................... 256
Fragments queue size......................... 50

Timers:
Delta Sync interval (ms)..................... 100

Reset on Sun Sep 8 16:09:15 2019 (triggered by fullsync).

Each section of the output is described below.

The "Sync status:" section

This section shows the status of the Delta Sync mechanism. One of these:
n Sync status: OK
n Sync status: Off - Full-sync failure
n Sync status: Off - Policy installation failure
n Sync status: Off - Cluster module not started
n Sync status: Off - SIC failure
n Sync status: Off - Full-sync checksum error
n Sync status: Off - Full-sync received queue is full
n Sync status: Off - Release version mismatch
n Sync status: Off - Connection to remote member timed-out
n Sync status: Off - Connection terminated by remote member
n Sync status: Off - Could not start a connection to remote member
n Sync status: Off - cpstart
n Sync status: Off - cpstop
n Sync status: Off - Manually disabled sync
n Sync status: Off - Was not able to start for more than X second
n Sync status: Off - Boot
n Sync status: Off - Connectivity Upgrade (CU)
n Sync status: Off - cphastop
n Sync status: Off - Policy unloaded
n Sync status: Off - Hibernation
n Sync status: Off - OSU deactivated
n Sync status: Off - Sync interface down
n Sync status: Fullsync in progress
n Sync status: Problem (Able to send sync packets, unable to receive
sync packets)
n Sync status: Problem (Able to send sync packets, saving incoming
sync packets)
n Sync status: Problem (Able to send sync packets, able to receive
sync packets)
n Sync status: Problem (Unable to send sync packets, unable to
receive sync packets)
n Sync status: Problem (Unable to send sync packets, saving incoming
sync packets)
n Sync status: Problem (Unable to send sync packets, able to receive
sync packets)

The "Drops:" section

This section shows statistics for drops on the Delta Sync network.


Table: Description of the output fields

Lost updates
    Shows how many Delta Sync updates this Cluster Member considers as lost (based on
    sequence numbers in CCP packets).
    If this counter shows a value greater than 0, this Cluster Member lost Delta Sync updates.
    Possible mitigation:
    Increase the size of the Sending Queue and the size of the Receiving Queue:
    • Increase the size of the Sending Queue, if the counter Received reject notifications
      is increasing.
    • Increase the size of the Receiving Queue, if the counter Received reject notifications
      is not increasing.

Lost bulk update events
    Shows how many times this Cluster Member missed Delta Sync updates
    (bulk update = twice the size of the local receiving queue).
    This counter increases when this Cluster Member receives a Delta Sync update with a
    sequence number much greater than expected. This probably indicates some networking
    issues that cause massive packet drops.
    This counter increases when the amount of missed Delta Sync updates is more than
    twice the local Receiving Queue Size.
    Possible mitigation:
    • If the counter's value is steady, this might indicate a one-time synchronization
      problem that can be resolved by running a manual Full Sync. See sk37029.
    • If the counter's value keeps increasing, there are probably some networking
      issues. Increase the sizes of both the Receiving Queue and the Sending Queue.

Oversized updates not sent
    Shows how many oversized Delta Sync updates were discarded before sending them.
    This counter increases when a Delta Sync update is larger than the local Fragments
    Queue Size.
    Possible mitigation:
    • If the counter's value is steady, increase the size of the Sending Queue.
    • If the counter's value keeps increasing, contact Check Point Support.


The "Sync at risk:" section

This section shows statistics indicating that the Sending Queue is at full capacity and rejects Delta Sync
retransmission requests.
Table: Description of the output fields

Sent reject notifications
    Shows how many times this Cluster Member rejected Delta Sync retransmission
    requests from its peer Cluster Members, because this Cluster Member does not hold
    the requested Delta Sync update anymore.

Received reject notifications
    Shows how many reject notifications this Cluster Member received from its peer
    Cluster Members.

The "Sent updates:" section

This section shows statistics for Delta Sync updates sent by this Cluster Member to its peer Cluster
Members.
Table: Description of the output fields

Total generated sync messages
    Shows how many Delta Sync updates were generated.
    This counts the Delta Sync updates, Retransmission Requests, Retransmission
    Acknowledgments, and so on.

Sent retransmission requests
    Shows how many times this Cluster Member asked its peer Cluster Members to
    retransmit specific Delta Sync update(s).
    Retransmission requests are sent when certain Delta Sync updates (with a
    specified sequence number) are missing, while the sending Cluster Member
    already received Delta Sync updates with advanced sequences.
    Note - Compare the number of Sent retransmission requests to the Total
    generated sync messages of the other Cluster Members.
    A large counter's value can imply connectivity problems. If the counter's value is
    unreasonably high (more than 30% of the Total generated sync messages of
    other Cluster Members), contact Check Point Support equipped with the entire
    output and a detailed description of the network topology and configuration.

Sent retransmission updates
    Shows how many times this Cluster Member retransmitted specific Delta Sync
    update(s) at the requests from its peer Cluster Members.

Peak fragments per update
    Shows the peak amount of fragments in the Fragments Queue on this Cluster
    Member (usually, should be 1).


The "Received updates:" section

This section shows statistics for Delta Sync updates that were received by this Cluster Member from its
peer Cluster Members.
Table: Description of the output fields

Total received updates
    Shows the total number of Delta Sync updates this Cluster Member received from
    its peer Cluster Members.
    This counts only Delta Sync updates (not Retransmission Requests,
    Retransmission Acknowledgments, and others).

Received retransmission requests
    Shows how many retransmission requests this Cluster Member received from its
    peer Cluster Members.
    A large counter's value can imply connectivity problems. If the counter's value is
    unreasonably high (more than 30% of the Total generated sync messages on
    this Cluster Member), contact Check Point Support equipped with the entire
    output and a detailed description of the network topology and configuration.

The "Queue sizes (num of updates):" section

This section shows the sizes of the Delta Sync queues.
Table: Description of the output fields

Sending queue size
    Shows the size of the cyclic queue, which buffers all the Delta Sync updates that were
    already sent until it receives an acknowledgment from the peer Cluster Members.
    This queue is needed for retransmitting the requested Delta Sync updates.
    Each Cluster Member has one Sending Queue.
    Default: 512 Delta Sync updates, which is also the minimal value.

Receiving queue size
    Shows the size of the cyclic queue, which buffers the received Delta Sync updates in
    two cases:
    • When Delta Sync updates are missing, this queue is used to hold the remaining
      received Delta Sync updates until the lost Delta Sync updates are retransmitted
      (Cluster Members must keep the order, in which they save the Delta Sync
      updates in the kernel tables).
    • This queue is used to re-assemble a fragmented Delta Sync update.
    Each Cluster Member has one Receiving Queue.
    Default: 256 Delta Sync updates, which is also the minimal value.


Table: Description of the output fields (continued)

Fragments queue size
    Shows the size of the queue, which is used to prepare a Delta Sync update before
    moving it to the Sending Queue.
    Notes:
    • This queue must be smaller than the Sending Queue.
    • This queue must be significantly smaller than the Receiving Queue.
    Default: 50 Delta Sync updates, which is also the minimal value.

The "Timers:" section

This section shows the Delta Sync timers.
Table: Description of the output fields

Delta Sync interval (ms)
    Shows the interval at which this Cluster Member sends the Delta Sync updates
    from its Sending Queue.
    The base time unit is 100ms (or 1 tick).
    Default: 100 ms, which is also the minimum value.
    See Increasing the Sync Timer.

The "Reset on XXX (triggered XXX)" section

Shows the date and the time of the last statistics reset.
In parentheses, it shows how the last statistics reset was triggered - "manually", or "by fullsync".
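As an added example (not Check Point code), the following Python script parses the output shown above and applies the rules from the field descriptions: a non-OK Sync status, lost updates (with the queue to grow chosen by whether Received reject notifications are rising between two snapshots), steady versus increasing bulk-update and oversized-update counters, the 30% retransmission-request thresholds, and the queue-size constraints. The "significantly smaller" rule for the Fragments Queue is not quantified in the guide and is assumed here to mean at most half the Receiving Queue; the sample output and the set_field helper are constructed for the demonstration.

```python
"""Health check for "cphaprob syncstat" / "show cluster statistics sync" output (added example, not Check Point code)."""
import re
# Constructed sample in the documented format (not a live capture); a few counters are non-zero on purpose.
SAMPLE_NOW = """\
Delta Sync Statistics

Sync status: OK

Drops:
Lost updates................................. 4
Lost bulk update events...................... 1
Oversized updates not sent................... 0

Sync at risk:
Sent reject notifications.................... 0
Received reject notifications................ 3

Sent messages:
Total generated sync messages................ 26079
Sent retransmission requests................. 12
Sent retransmission updates.................. 0
Peak fragments per update.................... 1

Received messages:
Total received updates....................... 3710
Received retransmission requests............. 0

Sync Interface:
Name......................................... eth1
Link speed................................... 1000Mb/s
Rate......................................... 46000 [Bps]
Peak rate.................................... 46000 [Bps]
Link usage................................... 0%
Total........................................ 376827[KB]

Queue sizes (num of updates):
Sending queue size........................... 512
Receiving queue size......................... 256
Fragments queue size......................... 50

Timers:
Delta Sync interval (ms)..................... 100

Reset on Sun Sep 8 16:09:15 2019 (triggered by fullsync).
"""

_FIELD = re.compile(r"^(?P<name>\S.*?)\.{3,}\s*(?P<value>\S.*)$")   # "Name......... value"
_STATUS = re.compile(r"^Sync status:\s*(?P<status>.+)$")

def parse_syncstat(text):
    """Return {'status': str, 'fields': {name: value}}; a leading integer ("46000 [Bps]", "0%") becomes int."""
    status, fields = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = _STATUS.match(line)
        if m:
            status = m.group("status").strip()
            continue
        m = _FIELD.match(line)
        if m:
            value = m.group("value").strip()
            num = re.match(r"\d+", value)   # keep the number, drop units such as [Bps], %, [KB]
            fields[m.group("name").strip()] = int(num.group()) if num else value
    return {"status": status, "fields": fields}

def set_field(text, name, value):
    """Constructed helper: copy of the output with one field's value replaced (used to fake an earlier snapshot)."""
    return re.sub(r"^(" + re.escape(name) + r"\.+\s*)\S.*$", lambda m: m.group(1) + str(value), text, flags=re.M)

def assess(now, before=None, peer_total_generated=None):
    """Apply the field-description rules; a counter is "increasing" only relative to an earlier snapshot (before)."""
    f = now["fields"]
    g = lambda name: f.get(name, 0)
    rising = lambda name: before is not None and g(name) > before["fields"].get(name, 0)
    out = []
    if now["status"] != "OK":
        out.append(("critical", f"Sync status is '{now['status']}', not OK"))
    if g("Lost updates") > 0:   # which queue to grow depends on whether reject notifications are rising
        queue = "Sending Queue" if rising("Received reject notifications") else "Receiving Queue"
        out.append(("warning", f"{g('Lost updates')} lost Delta Sync updates: increase the {queue} size"))
    if g("Lost bulk update events") > 0:   # steady: one-time gap; rising: network drops
        out.append(("warning", "bulk update events keep increasing: increase both queues")
                   if rising("Lost bulk update events") else
                   ("notice", "steady bulk update events: consider a manual Full Sync (sk37029)"))
    if g("Oversized updates not sent") > 0:   # steady: grow the Sending Queue; rising: support case
        out.append(("critical", "oversized updates keep being discarded: contact Check Point Support")
                   if rising("Oversized updates not sent") else
                   ("warning", "oversized updates discarded: increase the Sending Queue size"))
    if g("Received retransmission requests") > 0.3 * g("Total generated sync messages"):
        out.append(("critical", "received retransmission requests exceed 30% of local generated sync messages"))
    if peer_total_generated and g("Sent retransmission requests") > 0.3 * peer_total_generated:
        out.append(("critical", "sent retransmission requests exceed 30% of peers' generated sync messages"))
    snd, rcv, frag = g("Sending queue size"), g("Receiving queue size"), g("Fragments queue size")
    if not (frag < snd and frag * 2 <= rcv):   # "significantly smaller" assumed as at most half (not quantified in the guide)
        out.append(("warning", "Fragments queue must be smaller than the Sending queue and well below the Receiving queue"))
    if snd < 512 or rcv < 256 or frag < 50:
        out.append(("warning", "a queue is below its documented minimum (512 / 256 / 50)"))
    return out
```

Run it against two captures taken a few minutes apart (the second passed as before) so that "increasing" counters are recognised; the sent-request threshold needs the peers' Total generated sync messages passed in.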


Viewing IGMP Status


Description
This command lets you view the IGMP membership status.

Syntax

Shell          Command
Gaia Clish     show cluster members igmp
Expert mode    cphaprob igmp

Example

[Expert@Member1:0]# cphaprob igmp

IGMP Membership: Enabled
Supported Version: 2
Report Interval [sec]: 60

IGMP queries are replied only by Operating System

Interface   Host Group      Multicast Address   Last ver.   Last Query[sec]
------------------------------------------------------------------------------
eth0        224.168.3.247   01:00:5e:28:03:f7   N/A         N/A
eth1        224.22.33.250   01:00:5e:16:21:fa   N/A         N/A
eth2        224.55.66.247   01:00:5e:37:42:f7   N/A         N/A

[Expert@Member1:0]#


Viewing Cluster Delta Sync Statistics for Connections Table


Description
This command lets you see Delta Sync statistics about the operations performed in the Connections
Kernel Table (id 8158).
The output shows operations such as creating a new connection (SET), updating a connection
(REFRESH), deleting a connection (DELETE), and so on.

Syntax

Shell          Command
Gaia Clish     show cluster statistics transport [reset]
Expert mode    cphaprob [-reset] ldstat

The "reset" flag resets the kernel statistics, which were collected since the last reboot or reset.

Example

[Expert@Member1:0]# cphaprob ldstat

Operand               Calls    Bytes    Average   Ratio %
----------------------------------------------------------
ERROR                 0        0        0         0
SET                   354      51404    145       33
RENAME                0        0        0         0
REFRESH               1359     70668    52        46
DELETE                290      10440    36        6
SLINK                 193      12352    64        8
UNLINK                0        0        0         0
MODIFYFIELDS          91       7280     80        4
RECORD DATA CONN      0        0        0         0
COMPLETE DATA CONN    0        0        0         0

Total bytes sent: 161292 (0 MB) in 1797 packets. Average 89

[Expert@Member1:0]#


Viewing Cluster IP Addresses


Description
This command lets you see the IP addresses and interfaces of the Cluster Members.

Syntax

Shell          Command
Gaia Clish     show cluster members ips
Expert mode    cphaprob tablestat

Example

Note - To see the names of the interfaces that correspond to the numbers in the "Interface"
column, run the "fw ctl iflist" on page 982 command.

[Expert@Member1:0]# cphaprob tablestat

---- Unique IP's Table ----

Member   Interface   IP-Address
------------------------------------------

(Local)
0        1           192.168.3.245
0        2           11.22.33.245
0        3           44.55.66.245

1        1           192.168.3.246
1        2           11.22.33.246
1        3           44.55.66.246

------------------------------------------

[Expert@Member1:0]#
[Expert@Member1:0]# fw ctl iflist
1 : eth0
2 : eth1
3 : eth2
[Expert@Member1:0]#


Viewing the Cluster Member ID Mode in Local Logs


Description
This command lets you see how the local ClusterXL logs show the Cluster Member - by its Member ID
(default), or its Member Name.
See "Configuring the Cluster Member ID Mode in Local Logs" on page 1152.

Syntax

Shell          Command
Gaia Clish     show cluster members idmode
Expert mode    cphaprob names

Example

[Expert@Member1:0]# cphaprob names 

Current member print mode in local logs is set to: ID

[Expert@Member1:0]#


Viewing Interfaces Monitored by RouteD


Description
This command lets you see the interfaces that the RouteD daemon monitors on the Cluster Member
when you configure OSPF.
When you configure OSPF, the Cluster Member monitors these interfaces and does not come up until the
RouteD daemon reports that it is OK to bring the Cluster Member up. This is used mainly in a ClusterXL
High Availability Primary Up configuration, to avoid premature failbacks.

Syntax

Shell          Command
Gaia Clish     show ospf interfaces [detailed]
Expert mode    cphaprob routedifcs

Example 1

[Expert@Member1:0]# cphaprob routedifcs 

No interfaces are registered.

[Expert@Member1:0]#

Example 2

[Expert@Member1:0]# cphaprob routedifcs 

Monitored interfaces registered by routed:

eth0
[Expert@Member1:0]#


Viewing Roles of RouteD Daemon on Cluster Members


Description
This command lets you view on which Cluster Member the RouteD daemon runs as a Master.

Notes:
• In ClusterXL High Availability, the RouteD daemon must run as a Master only on
  the Active Cluster Member.
• In ClusterXL Load Sharing, the RouteD daemon must run as a Master only on
  one of the Active Cluster Members and as a Non-Master on all other Cluster
  Members.
• In VRRP Cluster, the RouteD daemon must run as a Master only on the VRRP
  Master Cluster Member.

Syntax

Shell          Command
Gaia Clish     show cluster role
Expert mode    cphaprob roles

Example

[Expert@Member1:0]# cphaprob roles

ID Role

1 (local) Master
2 Non-Master

[Expert@Member1:0]#


Viewing Cluster Correction Statistics


Description
This command lets you view the Cluster Correction Statistics on each Cluster Member.
The Cluster Correction Layer (CCL) is a mechanism that deals with asymmetric connections.
The CCL provides connection stickiness by "correcting" the packets to the correct Cluster Member:
• In most cases, the CCL makes the correction from the CoreXL SND.
• In some cases (like Dynamic Routing, or VPN), the CCL makes the correction from the Firewall or
  SecureXL.
In some cases, ClusterXL needs to send some data along with the corrected packet (currently, only in
VPN). For such packets, the output shows "with metadata".

Note - For more information about CoreXL, see the R80.40 Performance Tuning
Administration Guide.

Syntax

Shell          Command
Gaia Clish     N/A
Expert mode    cphaprob [{-d | -f | -s}] corr

Where:

Command             Description
cphaprob corr       Shows Cluster Correction Statistics for all traffic.
cphaprob -d corr    Shows Cluster Correction Statistics for CoreXL SND only.
cphaprob -f corr    Shows Cluster Correction Statistics for CoreXL Firewall instances only.
cphaprob -s corr    Shows Cluster Correction Statistics for SecureXL only.


Example 1 - For all traffic

[Expert@Member1:0]# cphaprob corr

Getting stats for SXL device 0, may take a few seconds...

Cluster Correction Stats (All Traffic):
------------------------------------------------------
Sent packets: 156 (0 with metadata)
Sent bytes: 34,568
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
Local asymmetric conns: 0
[Expert@Member1:0]#

Example 2 - For CoreXL SND only

[Expert@Member1:0]# cphaprob -d corr

Cluster Correction Stats (Dispatcher Corrections only):
------------------------------------------------------
Sent packets: 0 (0 with metadata)
Sent bytes: 0
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
[Expert@Member1:0]#

Example 3 - For CoreXL Firewall instances only

[Expert@Member1:0]# cphaprob -f corr

Cluster Correction Stats (Firewall instances only):
------------------------------------------------------
Sent packets: 156 (0 with metadata)
Sent bytes: 34,568
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
Local asymmetric conns: 0
[Expert@Member1:0]#

Example 4 - For SecureXL only

[Expert@Member1:0]# cphaprob -s corr

Getting stats for SXL device 0, may take a few seconds...

Cluster Correction Stats (SXL Devices only):
------------------------------------------------------
Sent packets: 0 (0 with metadata)
Sent bytes: 0
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
Local asymmetric conns: 0
[Expert@Member1:0]#


Viewing the Cluster Control Protocol (CCP) Settings


Description
• You can view the Cluster Control Protocol (CCP) mode on the Cluster Members.
• You can view the Cluster Control Protocol (CCP) Encryption on the Cluster Members - enabled or
  disabled (and the encryption key).
See "Configuring the Cluster Control Protocol (CCP) Settings" on page 1160.

Syntax for viewing the Cluster Control Protocol (CCP) mode

Shell          Command
Gaia Clish     show cluster members interfaces virtual
Expert mode    cphaprob -a if

Important - In R80.40, the CCP always runs in the unicast mode.

Syntax for viewing the Cluster Control Protocol (CCP) Encryption

Shell          Command
Gaia Clish     show cluster members ccpenc
Expert mode    cphaprob ccp_encrypt
               cphaprob ccp_encrypt_key


Viewing Latency and Drop Rate of Interfaces


Description
This command lets you see the latency and the drop rate of each interface.

Syntax

Shell          Command
Gaia Clish     N/A
Expert mode    cphaprob latency

Example

[Expert@Member1:0]# cphaprob latency

id 2
        Latency  | Drop
        [msec]   | rate

eth0    0.000      0%
eth1    0.000      0%
eth2    0.000      0%

[Expert@Member1:0]#


Viewing the State of the Multi-Version Cluster Mechanism


Description
This command lets you see the state of the Multi-Version Cluster (MVC) Mechanism - enabled (ON) or
disabled (OFF).

See "Configuring the Multi-Version Cluster Mechanism" on page 1169.

Syntax

Shell          Command
Gaia Clish     show cluster members mvc
Expert mode    cphaprob mvc

Example

Member1> show cluster members mvc

ON

Member1>


Viewing Full Connectivity Upgrade Statistics


Description
This command lets you see the Full Connectivity Upgrade statistics when you upgrade between minor
versions.

Syntax

Shell          Command
Gaia Clish     N/A
Expert mode    cphaprob fcustat

Example

[Expert@Member1:0]# cphaprob fcustat

During FCU....................... no
Connection module map............ none

Table id map (remote->local)..... none

Table handlers ..................
8151 --> 0x0x7f97c421d860 (sip_state)
8158 --> 0x0x7f97c43d8e30 (connections)
LD handlers......................
ok - 0
failed - 0

Global handlers ................. none

[Expert@Member1:0]#


cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool lets you configure specific settings for the installed Check Point products.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Syntax

cpconfig

Menu Options

Note - The options shown depend on the configuration and installed products.

Licenses and contracts
    Manages Check Point licenses and contracts on this Security Gateway or Cluster Member.

SNMP Extension
    Obsolete. Do not use this option anymore.
    To configure SNMP, see the R80.40 Gaia Administration Guide -
    Chapter System Management - Section SNMP.

PKCS#11 Token
    Register a cryptographic token, for use by Gaia Operating System.
    See details of the token, and test its functionality.

Random Pool
    Configures the RSA keys, to be used by Gaia Operating System.

Secure Internal Communication
    Manages SIC on the Security Gateway or Cluster Member.
    This change requires a restart of Check Point services on the
    Security Gateway or Cluster Member.
    For more information, see:
    • The R80.40 Security Management Administration Guide.
    • sk65764: How to reset SIC.


Enable cluster membership for this gateway
    Enables the cluster membership on the Security Gateway.
    This change requires a reboot of the Security Gateway.
    For more information, see the:
    • R80.40 Installation and Upgrade Guide.
    • R80.40 ClusterXL Administration Guide.

Disable cluster membership for this gateway
    Disables the cluster membership on the Security Gateway.
    This change requires a reboot of the Security Gateway.
    For more information, see the:
    • R80.40 Installation and Upgrade Guide.
    • R80.40 ClusterXL Administration Guide.

Enable Check Point Per Virtual System State
    Enables Virtual System Load Sharing on the VSX Cluster Member.
    For more information, see the R80.40 VSX Administration Guide.

Disable Check Point Per Virtual System State
    Disables Virtual System Load Sharing on the VSX Cluster Member.
    For more information, see the R80.40 VSX Administration Guide.

Enable Check Point ClusterXL for Bridge Active/Standby
    Enables Check Point ClusterXL for Bridge mode.
    This change requires a reboot of the Cluster Member.
    For more information, see the:
    • R80.40 Installation and Upgrade Guide.
    • R80.40 ClusterXL Administration Guide.

Disable Check Point ClusterXL for Bridge Active/Standby
    Disables Check Point ClusterXL for Bridge mode.
    This change requires a reboot of the Cluster Member.
    For more information, see the:
    • R80.40 Installation and Upgrade Guide.
    • R80.40 ClusterXL Administration Guide.

Check Point CoreXL
    Manages CoreXL on the Security Gateway or Cluster Member.
    After all changes in CoreXL configuration, you must reboot the
    Security Gateway or Cluster Member.
    For more information, see the R80.40 Performance Tuning
    Administration Guide.


Automatic start of Check Point Products
    Shows and controls which of the installed Check Point products
    start automatically during boot.

Exit
    Exits from the Check Point Configuration Tool.

Example 1 - Menu on a single Security Gateway

[Expert@MySingleGW:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Check Point CoreXL
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

Example 2 - Menu on a Cluster Member

[Expert@MyClusterMember:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :


cphastart
Description
Starts the cluster configuration on a Cluster Member after it was stopped with the "cphastop" on page 1223
command.

Best Practice - To start a Cluster Member, use the "cpstart" on page 911 command.

Note - This command does not initiate a Full Synchronization on the Cluster Member.

Syntax

cphastart
[-h]
[-d]

Parameters

-h
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.

    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

    Refer to:
    • These lines in the output file:
      prepare_command_args: -D ... start
      /opt/CPsuite-R80.40/fw1/bin/cphaconf clear-secured
      /opt/CPsuite-R80.40/fw1/bin/cphaconf -D ...(truncated
      here for brevity)... start
    • The $FWDIR/log/cphastart.elg log file.


cphastop
Description
Stops the cluster software on a Cluster Member.

Best Practice - To stop a Cluster Member, use the "cpstop" on page 920 command.

Notes:
• This command stops the Cluster Member from passing traffic.
• This command stops the State Synchronization between this Cluster Member
  and its peer Cluster Members.
• After you run this command, you can still open connections directly to this
  Cluster Member.
• To start the cluster software, run the "cphastart" on page 1222 command.

Syntax

cphastop


cp_conf fullha
Description
Manages the state of the Full High Availability Cluster:
• Enables the Full High Availability Cluster
• Disables the Full High Availability Cluster
• Deletes the Full High Availability peer
• Shows the Full High Availability state

Important - To configure a Full High Availability cluster, follow the R80.40 Installation
and Upgrade Guide.

Syntax

cp_conf fullha
      enable
      del_peer
      disable
      state

Parameters

Parameter   Description
enable      Enables the Full High Availability on this computer.
del_peer    Deletes the Full High Availability peer from the configuration.
disable     Disables the Full High Availability on this computer.
state       Shows the Full High Availability state on this computer.

Example

[Expert@Cluster_Member:0]# cp_conf fullha state
FullHA is currently enabled
[Expert@Cluster_Member:0]#


cp_conf ha
Description
Enables or disables cluster membership on this Security Gateway.

Important - This command is for Check Point use only. To configure cluster
membership, you must use the "cpconfig" on page 892 command.
For more information, see the R80.40 ClusterXL Administration Guide.

Syntax

cp_conf ha {enable | disable} [norestart]

Parameters

enable
    Enables cluster membership on this Security Gateway.
    This command is equivalent to the option Enable cluster membership for this
    gateway in the "cpconfig" on page 892 menu.

disable
    Disables cluster membership on this Security Gateway.
    This command is equivalent to the option Disable cluster membership for this
    gateway in the "cpconfig" on page 892 menu.

norestart
    Optional: Specifies to apply the configuration change without the restart of Check Point
    services. The new configuration takes effect only after reboot.

Example 1 - Enable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha enable norestart

Cluster membership for this gateway was enabled successfully

Important: This change will take effect after reboot.

[Expert@MyGW:0]#

Example 2 - Disable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha disable norestart

cpwd_admin:
Process CPHAMCSET process has been already terminated

Cluster membership for this gateway was disabled successfully

Important: This change will take effect after reboot.

[Expert@MyGW:0]#


fw hastat
Description
Shows information about Check Point computers in High Availability configuration and their states.

Note - This command is outdated. On cluster members, run the Gaia Clish command
"show cluster state", or the Expert mode command "cphaprob state".

Note - This command is outdated. On Management Servers, run the "cpstat" on
page 197 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

<Target1> <Target2> ... <TargetN>
    Specifies the Check Point computers to query.
    If you run this command on the Management Server, you can enter the applicable IP
    address, or the resolvable HostName of the managed Security Gateway or Cluster
    Member.
    If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52
HOST            NUMBER   HIGH AVAILABILITY STATE   MACHINE STATUS
192.168.3.52    1        active                    OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53
HOST            NUMBER   HIGH AVAILABILITY STATE   MACHINE STATUS
192.168.3.53    2        stand-by                  OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53
HOST            NUMBER   HIGH AVAILABILITY STATE   MACHINE STATUS
192.168.3.52    1        active                    OK
192.168.3.53    2        stand-by                  OK
[Expert@MGMT:0]#

Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST            NUMBER   HIGH AVAILABILITY STATE   MACHINE STATUS
192.168.3.52    1        active                    OK
[Expert@Member1:0]#


fwboot ha_conf
Description
Configures the cluster mechanism during boot.

Important - This command is for Check Point use only.

Notes:
• You must run this command from the Expert mode.
• Refer to these related commands:
  - "fw defaultgen" on page 996
  - "fwboot bootconf" on page 1111
  - "control_bootsec" on page 874
  - "comp_init_policy" on page 871
• To install a cluster, see the R80.40 Installation and Upgrade Guide.
• To configure a cluster, see the R80.40 Installation and Upgrade Guide and the
  R80.40 ClusterXL Administration Guide.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot ha_conf


The clusterXL_admin Script


Description
You can use the clusterXL_admin script to initiate a manual fail-over from a Cluster Member.
Location of this script on your Cluster Members is:

$FWDIR/bin/clusterXL_admin

Script Workflow
This shell script does one of these:
• Registers a Critical Device called "admin_down" and reports the state of that Critical Device as
  "problem".
  This gracefully changes the state of the Cluster Member to "DOWN".
• Reports the state of the registered Critical Device "admin_down" as "ok".
  This gracefully changes the state of the Cluster Member to "UP".
  Then, the script unregisters the Critical Device "admin_down".

For more information, see sk55081.


Example


#! /bin/csh -f
#
# The script will cause the machine to get into down state, thus the member will not filter packets.
# It will supply a simple way to initiate a failover by registering a new device in problem state when
# a failover is required and will unregister the device when wanting to return to normal operation.
# USAGE:
# clusterXL_admin <up|down>

set PERSISTENT = ""

# checking number of arguments


if ( $#argv > 2 || $#argv < 1 ) then
echo "clusterXL_admin : Invalid Argument Count"
echo "Usage: clusterXL_admin <up|down> [-p]"
exit 1
else if ( "$1" != "up" && "$1" != "down" ) then
echo "clusterXL_admin : Invalid Argument ($1)"
echo "Usage: clusterXL_admin <up|down> [-p]"
exit 1
else if ( $#argv == 2 ) then
if ( "$2" != "-p" ) then
echo "clusterXL_admin : Invalid Argument ($2)"
echo "Usage: clusterXL_admin <up|down> [-p]"
exit 1
endif
set PERSISTENT = "-p"
endif

#checking if cpha is started


$FWDIR/bin/cphaprob stat | grep "Cluster" > /dev/null
if ($status) then
echo "HA is not started"
exit 1
endif

# Inform the user that the command can run with persistent mode.
if ("$PERSISTENT" != "-p") then
echo "This command does not survive reboot. To make the change permanent, please run 'set cluster
member admin down/up permanent' in clish or add '-p' at the end of the command in expert mode"
endif

if ( $1 == "up" ) then


echo "Setting member to normal operation ..."
$FWDIR/bin/cphaconf set_pnote -d admin_down $PERSISTENT unregister > & /dev/null
if ( `uname` == 'IPSO' ) then
sleep 5
else
sleep 1
endif

set stateArr = `$FWDIR/bin/cphaprob stat | grep "local"`

$FWDIR/bin/cphaprob stat | egrep "Sync only|Bridge Mode" > /dev/null


#If it's third party or bridge mode, use column 4 , otherwise 5
if ($status) then
set state = $stateArr[5]
else
set state = $stateArr[4]
endif

echo "Member current state is $state"


if (($state != "Active" && $state != "Standby") && ($state != "ACTIVE" && $state != "STANDBY" && $state != "ACTIVE(!)")) then
echo "Operation failed: member is still down, please run 'show cluster members pnotes problem' in clish or 'cphaprob list' in expert mode for further details"
endif
exit 0
endif

if ( $1 == "down" ) then


echo "Setting member to administratively down state ..."
$FWDIR/bin/cphaconf set_pnote -d admin_down -t 0 -s problem $PERSISTENT register > & /dev/null


sleep 1

set stateArr = `$FWDIR/bin/cphaprob stat | grep "local"`

$FWDIR/bin/cphaprob stat | egrep "Sync only|Bridge Mode" > /dev/null


#If it's third party or bridge mode, use column 4 , otherwise 5
if ($status) then
set state = $stateArr[5]
else
set state = $stateArr[4]
endif

echo "Member current state is $state"


if ( $state == "Active attention" || $state == "ACTIVE(!)" ) then
echo "All the members within the cluster have problem/s and the local member was chosen to become active"
else
if ( $state != "Down" && $state != "DOWN" ) then
echo "Operation failed: member is still down, please run 'show cluster members pnotes problem' in clish or 'cphaprob list' in expert mode for further details"
endif
endif
exit 0
else
echo "clusterXL_admin : Invalid Option ($1)"
echo "Usage: clusterXL_admin <up|down> [-p]"
exit 1
endif

The clusterXL_monitor_ips Script


Description
You can use the clusterXL_monitor_ips script to ping a list of predefined IP addresses and change the
state of the Cluster Member to DOWN or UP based on the replies to these pings. For this script to work, you
must write the IP addresses in the $FWDIR/conf/cpha_hosts file - each IP address on a separate
line. This file does not support comments or spaces.
Location of this script on your Cluster Members is:

$FWDIR/bin/clusterXL_monitor_ips

Script Workflow
1. Registers a Critical Device called "host_monitor" with the status "ok".
2. Starts to send pings to the list of predefined IP addresses in the $FWDIR/conf/cpha_hosts file.
3. While the script receives responses to its pings, it does not change the status of that Critical Device.
4. If the script does not receive a response to even one ping, it reports the state of that Critical Device
as "problem".
This gracefully changes the state of the Cluster Member to DOWN.
If the script receives responses to its pings again, it changes the status of that Critical Device to "ok"
again.
For more information, see sk35780.

Important - You must do these changes on all Cluster Members.

Example

#!/bin/sh
#
# The script tries to ping the hosts written in the file $FWDIR/conf/cpha_hosts. The names (must be
# resolvable) or the IPs of the hosts must be written in separate lines.
# The file must not contain anything else.
# We ping the given hosts every number of seconds given as parameter to the script.
# USAGE:
# cpha_monitor_ips X silent
# where X is the number of seconds between loops over the IPs.
# if silent is set to 1, no messages will appear on the console
#
# We initially register a pnote named "host_monitor" in the problem notification mechanism
# when we detect that a host is not responding we report the pnote to be in "problem" state.
# when ping succeeds again - we report the pnote is OK.

silent=0

if [ -n "$2" ]; then


if [ $2 -le 1 ]; then
silent=$2
fi
fi
hostfile=$FWDIR/conf/cpha_hosts
arch=`uname -s`
if [ $arch = "Linux" ]
then
#system is linux
ping="ping -c 1 -w 1"
else
ping="ping"
fi
$FWDIR/bin/cphaconf set_pnote -d host_monitor -t 0 -s ok register
TRUE=1
while [ "$TRUE" ]
do
result=1
for hosts in `cat $hostfile`
do
if [ $silent = 0 ]
then
echo "pinging $hosts using command $ping $hosts"
fi
if [ $arch = "Linux" ]
then
$ping $hosts > /dev/null 2>&1
else
$ping $hosts $1 > /dev/null 2>&1
fi
status=$?
if [ $status = 0 ]
then
if [ $silent = 0 ]
then
echo " $hosts is alive"
fi
else
if [ $silent = 0 ]
then
echo " $hosts is not responding "
fi
result=0
fi
done
if [ $silent = 0 ]
then
echo "done pinging"
fi
if [ $result = 0 ]
then
if [ $silent = 0 ]
then
echo " Cluster member should be down!"

fi
$FWDIR/bin/cphaconf set_pnote -d host_monitor -s problem report
else
if [ $silent = 0 ]
then
echo " Cluster member seems fine!"
fi
$FWDIR/bin/cphaconf set_pnote -d host_monitor -s ok report
fi
if [ "$silent" = 0 ]
then
echo "sleeping"
fi
sleep $1
echo "sleep $1"
done

The clusterXL_monitor_process Script


Description
You can use the clusterXL_monitor_process script to monitor if the specified user space processes run,
and cause cluster fail-over if these processes do not run. For this script to work, you must write the correct
case-sensitive names of the monitored processes in the $FWDIR/conf/cpha_proc_list file - each
process name on a separate line. This file does not support comments or spaces.
Location of this script on your Cluster Members is:

$FWDIR/bin/clusterXL_monitor_process

Script Workflow
1. Registers Critical Devices (with the status "ok") named after the processes you specified in the
$FWDIR/conf/cpha_proc_list file.
2. While the script detects that the specified process runs, it does not change the status of the
corresponding Critical Device.
3. If the script detects that the specified process does not run anymore, it reports the state of the
corresponding Critical Device as "problem".
This gracefully changes the state of the Cluster Member to "DOWN".
If the script detects that the specified process runs again, it changes the status of the corresponding
Critical Device to "ok" again.

For more information, see sk92904.

Important - You must do these changes on all Cluster Members.

Example

#!/bin/sh
#
# This script monitors the existence of processes in the system. The process names should be written
# in the $FWDIR/conf/cpha_proc_list file, one on every line.
#
# USAGE :
# cpha_monitor_process X silent
# where X is the number of seconds between process probings.
# if silent is set to 1, no messages will appear on the console.
#
#
# We initially register a pnote for each of the monitored processes
# (process name must be up to 15 characters) in the problem notification mechanism.
# when we detect that a process is missing we report the pnote to be in "problem" state.
# when the process is up again - we report the pnote is OK.

if [ "$2" -le 1 ]
then
silent=$2
else
silent=0
fi
if [ -f $FWDIR/conf/cpha_proc_list ]
then
procfile=$FWDIR/conf/cpha_proc_list
else
echo "No process file in $FWDIR/conf/cpha_proc_list "
exit 0
fi

arch=`uname -s`

for process in `cat $procfile`


do
$FWDIR/bin/cphaconf set_pnote -d $process -t 0 -s ok -p register > /dev/null 2>&1
done

while [ 1 ]
do

result=1

for process in `cat $procfile`


do
ps -ef | grep $process | grep -v grep > /dev/null 2>&1

status=$?

if [ $status = 0 ]
then
if [ $silent = 0 ]
then
echo " $process is alive"
fi
# echo "3, $FWDIR/bin/cphaconf set_pnote -d $process -s ok report"
$FWDIR/bin/cphaconf set_pnote -d $process -s ok report
else
if [ $silent = 0 ]
then
echo " $process is down"
fi

$FWDIR/bin/cphaconf set_pnote -d $process -s problem report


result=0
fi

done

if [ $result = 0 ]

then
if [ $silent = 0 ]


then
echo " One of the monitored processes is down!"
fi
else
if [ $silent = 0 ]
then
echo " All monitored processes are up "
fi

fi
if [ "$silent" = 0 ]
then
echo "sleeping"
fi

sleep $1

done
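
Both monitor scripts above read their list file with a bare `for x in `cat FILE`` loop, so a comment line is split into bogus host or process names and a CRLF line ending leaves a carriage return glued to the entry; such an entry can never answer, and the Critical Device goes to "problem" on every member that carries the bad file. The pre-flight check below, which covers both $FWDIR/conf/cpha_hosts and $FWDIR/conf/cpha_proc_list, is an added example and not one of the Check Point scripts; the function names, the 15-character process-name limit (taken from the comment in the script above) and the sample files are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example (not one of the Check Point scripts): pre-flight validation of
# the input files read by clusterXL_monitor_ips ($FWDIR/conf/cpha_hosts) and
# clusterXL_monitor_process ($FWDIR/conf/cpha_proc_list). Both scripts loop over
# the unquoted output of `cat FILE`, so a comment line turns into bogus entries
# and a CRLF line ending leaves "\r" glued to the name; an entry that can never
# answer drives the Critical Device to "problem". Function names and the sample
# files are assumptions made for this demonstration.

# is_ipv4 STRING: returns 0 for a dotted quad whose four octets are all 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_cpha_file FILE MODE   (MODE is "hosts" or "procs")
# Prints one diagnostic per offending line; returns 0 only if the file is usable.
# Rules follow the descriptions above: one entry per line, no comments, no
# spaces; for procs, at most 15 characters (limit from the script's own comment).
check_cpha_file() {
    file=$1
    mode=$2
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            "")
                echo "$file:$lineno: blank line"; bad=$((bad + 1)); continue ;;
            "#"*)
                echo "$file:$lineno: comment lines are not supported"; bad=$((bad + 1)); continue ;;
            *[[:space:]]*)
                # Also catches the "\r" left behind by a CRLF line ending.
                echo "$file:$lineno: whitespace inside entry"; bad=$((bad + 1)); continue ;;
        esac
        if [ "$mode" = hosts ]; then
            # A host name is allowed but must resolve on every member; warn only.
            is_ipv4 "$line" || echo "$file:$lineno: note: '$line' is not an IPv4 address, it must resolve on every Cluster Member"
        elif [ "${#line}" -gt 15 ]; then
            echo "$file:$lineno: '$line' is longer than 15 characters"; bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Stand-alone demonstration on constructed files (not real member configuration).
demo_dir=$(mktemp -d)
printf '192.168.0.1\n# gateway\n10.0.0.300\n172.16.1.1 \n' > "$demo_dir/cpha_hosts"
printf 'fwd\ncpd\nthis_name_is_too_long\n' > "$demo_dir/cpha_proc_list"
check_cpha_file "$demo_dir/cpha_hosts" hosts || echo "cpha_hosts: fix the lines above before deploying"
check_cpha_file "$demo_dir/cpha_proc_list" procs || echo "cpha_proc_list: fix the lines above before deploying"
rm -rf "$demo_dir"
```

Run the check on every Cluster Member before starting the monitor scripts, because the page requires the same change on all members and a file that is correct on one member and wrong on another produces an asymmetric failover.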

SecureXL Commands
For more information about SecureXL, see:
• R80.40 Performance Tuning Administration Guide - Chapter SecureXL.
• sk98722 - ATRG: SecureXL.

'fwaccel' and 'fwaccel6'


Description
The fwaccel commands control the acceleration for IPv4 traffic.
The fwaccel6 commands control the acceleration for IPv6 traffic.

Syntax for IPv4

fwaccel help

fwaccel [-i <SecureXL ID>]
      cfg <options>
      conns <options>
      dbg <options>
      dos <options>
            feature <options>
      off <options>
      on <options>
      ranges <options>
      stat <options>
      stats <options>
      synatk <options>
      tab <options>
      templates <options>
      ver

Syntax for IPv6

fwaccel6 help

fwaccel6
      conns <options>
      dbg <options>
      dos <options>
            feature <options>
      off <options>
      on <options>
      ranges <options>
      stat <options>
      stats <options>
      synatk <options>
      tab <options>
      templates <options>
      ver

Parameters and Options

Parameter and Options      Description

help                       Shows the built-in help.

-i <SecureXL ID>           Specifies the SecureXL instance ID (for IPv4 only).

cfg <options>              Controls the SecureXL acceleration parameters.
                           See "fwaccel cfg" on page 1244.

conns <options>            Shows all connections that pass through SecureXL.
                           See "fwaccel conns" on page 1247.

dbg <options>              Controls the "SecureXL Debug" on page 1421.
                           See "fwaccel dbg" on page 1422.

dos <options>              Controls the Rate Limiting for DoS Mitigation in SecureXL.
                           See "fwaccel dos" on page 1257.

feature <options>          Controls the specified SecureXL features.
                           See "fwaccel feature" on page 1281.

off <options>              Stops the acceleration on-the-fly. This does not survive reboot.
                           See "fwaccel off" on page 1284.

on <options>               Starts the acceleration on-the-fly, if it was previously stopped.
                           See "fwaccel on" on page 1288.

ranges <options>           Shows the loaded ranges.
                           See "fwaccel ranges" on page 1292.

stat <options>             Shows the SecureXL status.
                           See "fwaccel stat" on page 1298.

stats <options>            Shows the acceleration statistics.
                           See "fwaccel stats" on page 1304.

synatk <options>           Controls the Accelerated SYN Defender.
                           See "fwaccel synatk" on page 1327.

tab <options>              Shows the contents of the specified SecureXL table.
                           See "fwaccel tab" on page 1352.

templates <options>        Shows the SecureXL templates.
                           See "fwaccel templates" on page 1356.

ver                        Shows the SecureXL and FireWall version.
                           See "fwaccel ver" on page 1360.

fwaccel cfg
Description
The fwaccel cfg command controls the SecureXL acceleration parameters.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Syntax

fwaccel cfg
      -h
      -a {<Number of Interface> | <Name of Interface> | reset}
      -b {on | off}
      -c <Number>
      -d <Number>
      -e <Number>
      -i {on | off}
      -l <Number>
      -m <Seconds>
      -p {on | off}
      -r <Number>
      -v <Seconds>
      -w {on | off}

Important:
• These commands do not provide output. You cannot see the currently configured values.
• Changes made with these commands do not survive reboot.

Parameters

Parameter                  Description

-h                         Shows the applicable built-in help.

-a <Number of Interface>   Configures the SecureXL not to accelerate traffic on the interface
                           specified by its internal number in the Check Point kernel.

-a <Name of Interface>     Configures the SecureXL not to accelerate traffic on the interface
                           specified by its name.

-a reset                   Configures the SecureXL to accelerate traffic on all interfaces
                           (resets the non-accelerated configuration).

                           Notes:
                           • This command does not support Falcon Acceleration Cards.
                           • To see the required information about the interfaces, run these
                             commands in the specified order:
                             "fw getifs" on page 1002
                             "fw ctl iflist" on page 982
                           • To see if the "fwaccel cfg -a ..." command failed, run this command:
                             tail -n 10 /var/log/messages

-b {on | off}              Controls the SecureXL Drop Templates match (sk66402):
                           • on - Enables the SecureXL Drop Templates match
                           • off - Disables the SecureXL Drop Templates match
                           Note - In R80.40, SecureXL does not support this parameter yet.

-c <Number>                Configures the maximal number of connections, when SecureXL disables
                           the templates.

-d <Number>                Configures the maximal number of delete retries.

-e <Number>                Configures the maximal number of general errors.

-i {on | off}              Configures SecureXL to ignore API version mismatch:
                           • on - Ignore API version mismatch.
                           • off - Do not ignore API version mismatch (this is the default).

-l <Number>                Configures the maximal number of entries in the SecureXL templates
                           database. Valid values are:
                           • 0 - To disable the limit (this is the default).
                           • Between 10 and 524288 - To configure the limit.
                           Important - If you configure a limit, you must stop and start the
                           acceleration for this change to take effect. Run the "fwaccel off" on
                           page 1284 command and then the "fwaccel on" on page 1288 command.

-m <Seconds>               Configures the timeout for entries in the SecureXL templates database.
                           Valid values are:
                           • 0 - To disable the timeout (this is the default).
                           • Between 10 and 524288 - To configure the timeout.

-p {on | off}              Configures the offload of Connection Templates (if possible):
                           • on - Enables the offload of new templates (this is the default).
                           • off - Disables the offload of new templates.

-r <Number>                Configures the maximal number of retries for SecureXL API calls.

-v <Seconds>               Configures the interval between SecureXL statistics requests.
                           Valid values are:
                           • 0 - To disable the interval.
                           • 1 and greater - To configure the interval.

-w {on | off}              Configures the support for warnings about the IPS protection
                           Sequence Verifier:
                           • on - Enables the support for these warnings.
                           • off - Disables the support for these warnings.

fwaccel conns
Description
The fwaccel conns and fwaccel6 conns commands show the list of the SecureXL connections on the local
Security Gateway, or Cluster Member.

Warning - If the number of concurrent connections is large, these commands can consume memory and
CPU at a very high level when you run them (see sk118716).

Syntax for IPv4

fwaccel [-i <SecureXL ID>] conns
      -h
      -f <filter>
      -m <Number of Entries>
      -s

Syntax for IPv6

fwaccel6 conns
      -h
      -f <Filter>
      -m <Number of Entries>
      -s

Parameters

Parameter                  Description

-h                         Shows the applicable built-in help.

-i <SecureXL ID>           Specifies the SecureXL instance ID (for IPv4 only).

-f <Filter>                Shows the SecureXL Connections Table entries based on the specified
                           filter flags.

                           Notes:
                           • To see the available filter flags, run:
                             fwaccel conns -h
                           • Each filter flag is one letter - capital, or small.
                           • You can specify more than one flag. For example:
                             fwaccel conns -f AaQq

                           Available filter flags are:
                           • A - Shows accounted connections (for which SecureXL counted the
                             number of packets and bytes).
                           • a - Shows not accounted connections.
                           • C - Shows encrypted (VPN) connections.
                           • c - Shows clear-text (not encrypted) connections.
                           • F - Shows connections that SecureXL forwarded to Firewall.
                             Note - In R80.40, SecureXL does not support this parameter.
                           • f - Shows cut-through connections (which SecureXL accelerated).
                             Note - In R80.40, SecureXL does not support this parameter.
                           • H - Shows connections offloaded to the SAM card.
                             Note - R80.40 does not support the SAM card (Known Limitation
                             PMTR-18774).
                           • h - Shows connections created in the SAM card.
                             Note - R80.40 does not support the SAM card (Known Limitation
                             PMTR-18774).
                           • L - Shows connections, for which SecureXL created internal links.
                           • l - Shows connections, for which SecureXL did not create internal
                             links.
                           • N - Shows connections that undergo NAT.
                             Note - In R80.40, SecureXL does not support this parameter.
                           • n - Shows connections that do not undergo NAT.
                             Note - In R80.40, SecureXL does not support this parameter.
                           • Q - Shows connections that undergo QoS.
                           • q - Shows connections that do not undergo QoS.
                           • S - Shows connections that undergo PXL.
                           • s - Shows connections that do not undergo PXL.
                           • U - Shows unidirectional connections.
                           • u - Shows bidirectional connections.

-m <Number of Entries>     Specifies the maximal number of connections to show.
                           Note - In R80.40, SecureXL does not support this parameter.

-s                         Shows the summary of the SecureXL Connections Table (number of
                           connections).
                           Warning - Depending on the number of current connections, this might
                           consume memory at a very high level.

Example - Default output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel conns

Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- -------
1.1.1.200 50586 1.1.1.100 18191 6 F............. 2/2 2/- 3 0
192.168.0.244 35925 192.168.0.242 18192 6 F............. 1/1 -/- 1 0
192.168.0.93 257 192.168.0.242 53932 6 F............. 1/1 1/- 0 0
192.168.0.242 22 172.30.168.15 57914 6 F............. 1/1 -/- 2 0
192.168.0.244 34773 192.168.0.242 18192 6 F............. 1/1 -/- 2 0
192.168.0.88 138 192.168.0.255 138 17 F............. 1/1 -/- 0 0
1.1.1.100 18191 1.1.1.200 55336 6 F............. 2/2 2/- 4 0
192.168.0.242 18192 192.168.0.244 38567 6 F............. 1/1 -/- 4 0
192.168.0.242 53932 192.168.0.93 257 6 F............. 1/1 1/- 0 0
192.168.0.242 18192 192.168.0.244 62714 6 F............. 1/1 -/- 1 0
192.168.0.244 33558 192.168.0.242 18192 6 F............. 1/1 -/- 5 0
1.1.1.200 36359 1.1.1.100 18191 6 F............. 2/2 2/- 5 0
1.1.1.200 55336 1.1.1.100 18191 6 F............. 2/2 2/- 4 0
192.168.0.242 60756 192.168.0.93 257 6 F............. 1/1 1/- 4 0
1.1.1.100 18191 1.1.1.200 36359 6 F............. 2/2 2/- 5 0
1.1.1.100 18191 1.1.1.200 50586 6 F............. 2/2 2/- 3 0
192.168.0.244 38567 192.168.0.242 18192 6 F............. 1/1 -/- 4 0
192.168.0.242 18192 192.168.0.244 32877 6 F............. 1/1 -/- 5 0
192.168.0.242 53806 192.168.47.45 53 17 F............. 1/1 1/- 3 0
192.168.0.242 18192 192.168.0.244 33558 6 F............. 1/1 -/- 5 0
172.30.168.15 57914 192.168.0.242 22 6 F............. 1/1 -/- 2 0
192.168.0.255 138 192.168.0.88 138 17 F............. 1/1 -/- 0 0
192.168.0.93 257 192.168.0.242 60756 6 F............. 1/1 1/- 4 0
1.1.1.200 18192 1.1.1.100 37964 6 F............. 2/2 -/- 1 0
1.1.1.100 37964 1.1.1.200 18192 6 F............. 2/2 -/- 1 0
192.168.0.244 32877 192.168.0.242 18192 6 F............. 1/1 -/- 5 0
192.168.0.242 18192 192.168.0.244 34773 6 F............. 1/1 -/- 2 0
192.168.0.242 18192 192.168.0.244 35925 6 F............. 1/1 -/- 1 0
192.168.47.45 53 192.168.0.242 53806 17 F............. 1/1 1/- 3 0
192.168.0.244 62714 192.168.0.242 18192 6 F............. 1/1 -/- 1 0

Idx Interface
--- ---------
0 lo
1 eth0
2 eth1

Total number of connections: 30


[Expert@MyGW:0]#
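
To see at a glance how the connections above split across protocols, flag letters and SecureXL instances, the output can be reduced to counts. The awk summary below is an added example, not Check Point code; it runs on a constructed capture made from a subset of the rows shown above, and the meaning of each flag letter is assumed to match the filter-flag list under "fwaccel conns -f" (for example F for connections forwarded to the Firewall).

```sh
#!/bin/sh
# Added example (not Check Point code): reduce `fwaccel conns` output to counts.
# On a gateway:   fwaccel conns | summarize_conns
# Here it runs on SAMPLE_CONNS, a constructed capture that reuses rows from the
# example output shown above. The per-letter "flag" counts use the letters of
# the Flags column; their meaning is assumed to follow the filter-flag list of
# "fwaccel conns -f" (for example F = forwarded to the Firewall).

# summarize_conns < fwaccel-conns-output
# Prints sorted lines: "total N", "proto P N", "flag X N", "inst I N".
summarize_conns() {
    awk '
        # Connection rows start with a dotted IPv4 source address and have ten
        # columns; this skips the header, the ruler lines and the trailing
        # interface index table.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF >= 10 {
            total++
            proto[$5]++          # PR column: IP protocol number (6 = TCP, 17 = UDP)
            inst[$9]++           # Inst column: SecureXL instance that owns the entry
            for (i = 1; i <= length($6); i++) {
                c = substr($6, i, 1)
                if (c != ".") flag[c]++
            }
        }
        END {
            printf "total %d\n", total
            for (p in proto) printf "proto %s %d\n", p, proto[p]
            for (f in flag)  printf "flag %s %d\n", f, flag[f]
            for (k in inst)  printf "inst %s %d\n", k, inst[k]
        }' | sort
}

# Constructed capture: a subset of the rows shown in the example above.
SAMPLE_CONNS=$(cat <<'EOF'
Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- -------
1.1.1.200 50586 1.1.1.100 18191 6 F............. 2/2 2/- 3 0
192.168.0.244 35925 192.168.0.242 18192 6 F............. 1/1 -/- 1 0
192.168.0.242 22 172.30.168.15 57914 6 F............. 1/1 -/- 2 0
192.168.0.88 138 192.168.0.255 138 17 F............. 1/1 -/- 0 0
192.168.0.242 53806 192.168.47.45 53 17 F............. 1/1 1/- 3 0
172.30.168.15 57914 192.168.0.242 22 6 F............. 1/1 -/- 2 0
192.168.47.45 53 192.168.0.242 53806 17 F............. 1/1 1/- 3 0
1.1.1.100 18191 1.1.1.200 50586 6 F............. 2/2 2/- 3 0

Idx Interface
--- ---------
0 lo
1 eth0
2 eth1
EOF
)

printf '%s\n' "$SAMPLE_CONNS" | summarize_conns
```

A high count for a single flag letter or a single instance is what to look for: a skewed per-instance distribution points at the SecureXL instance that carries the load, and the flag counts show how much of the table is not in the state you expect. Keep in mind the warning above that the full listing itself is expensive on a busy gateway.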

fwaccel dbg
Description
The fwaccel dbg command controls the SecureXL debug. See "SecureXL Debug" on page 1421.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Syntax

fwaccel dbg
      -h
      -m <Name of SecureXL Debug Module>
      all
      + <Debug Flags>
      - <Debug Flags>
      reset
      -f {"<5-Tuple Debug Filter>" | reset}
      list
      resetall

Parameters

Parameter                           Description

-h                                  Shows the applicable built-in help.

-m <Name of SecureXL Debug Module>  Specifies the name of the SecureXL debug module.
                                    To see the list of available debug modules, run:
                                    fwaccel dbg

all                                 Enables all debug flags for the specified debug module.

+ <Debug Flags>                     Enables the specified debug flags for the specified debug module.
                                    Syntax:
                                    + Flag1 [Flag2 Flag3 ... FlagN]
                                    Note - You must press the space bar key after the plus (+) character.

- <Debug Flags>                     Disables the specified debug flags for the specified debug module.
                                    Syntax:
                                    - Flag1 [Flag2 Flag3 ... FlagN]
                                    Note - You must press the space bar key after the minus (-) character.

reset                               Resets all debug flags for the specified debug module to their
                                    default state.

-f "<5-Tuple Debug Filter>"         Configures the debug filter to show only debug messages that contain
                                    the specified connection.
                                    The filter is a string of five numbers separated with commas:
                                    "<Source IP Address>,<Source Port>,<Destination IP Address>,<Destination Port>,<Protocol Number>"
                                    Notes:
                                    • You can configure only one debug filter at one time.
                                    • You can use the asterisk "*" as a wildcard for an IP Address, Port
                                      number, or Protocol number.
                                    • For more information, see IANA Service Name and Port Number Registry
                                      and IANA Protocol Numbers.

-f reset                            Resets the current debug filter.

list                                Shows all enabled debug flags in all debug modules.

resetall                            Resets all debug flags for all debug modules to their default state.

Example 1 - Default output

[Expert@MyGW:0]# fwaccel dbg

Usage: fwaccel dbg [-m <...>] [resetall | reset | list | all | +/- <flags>]
-m <module> - module of debugging
-h - this help message
resetall - reset all debug flags for all modules
reset - reset all debug flags for module
all - set all debug flags for module
list - list all debug flags for all modules
-f reset | "<5-tuple>" - filter debug messages
+ <flags> - set the given debug flags
- <flags> - unset the given debug flags

List of available modules and flags:

Module: default (default)
err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf stat
queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

Module: db
err get save del tmpl tmo init ant profile nmr nmt

Module: api
err init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf upd_if_inf
add_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_ver del_all_tmpl get_state
upd_link_sel

Module: pkt
err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user deliver vlan pkt
nat wrp corr caf

Module: infras
err reorder pm

Module: tmpl
err dtmpl_get dtmpl_notif tmpl

Module: vpn
err vpnpkt linksel routing vpn

Module: nac
err db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaq
init client server exp cbuf opreg transport transport_utils error

Module: synatk
init conf conn err log pkt proxy state msg

Module: adp
err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#

Example 2 - Enabling and disabling of debug flags

[Expert@MyGW:0]# fwaccel dbg -m default + err conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)
err conn

Module: db (1)
err

Module: api (1)
err

Module: pkt (1)
err

Module: infras (1)
err

Module: tmpl (1)
err

Module: vpn (1)
err

Module: nac (1)
err

Module: cpaq (100)
error

Module: synatk (0)

Module: adp (1)
err

Module: dos (10)
err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default - conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)
err

Module: db (1)
err

Module: api (1)
err

Module: pkt (1)
err

Module: infras (1)
err

Module: tmpl (1)
err

Module: vpn (1)
err

Module: nac (1)
err

Module: cpaq (100)
error

Module: synatk (0)

Module: adp (1)
err

Module: dos (10)
err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default reset
Debug flags updated.
[Expert@MyGW:0]#

Example 3 - Resetting all debug flags in all debug modules

[Expert@MyGW:0]# fwaccel dbg resetall
Debug state was reset to default.
[Expert@MyGW:0]#

Example 4 - Configuring debug filter for an SSH connection from 192.168.20.30 to 172.16.40.50

[Expert@MyGW:0]# fwaccel dbg -f 192.168.20.30,*,172.16.40.50,22,6
Debug filter was set.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: "<*,*,*,*,*>"

[Expert@MyGW:0]#

fwaccel dos
Description
The fwaccel dos and fwaccel6 dos commands control the Rate Limiting for DoS mitigation techniques in
SecureXL on the local Security Gateway, or Cluster Member.

Important:
• On VSX Gateway, first go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos
      blacklist <options>
      config <options>
      pbox <options>
      rate <options>
      stats <options>
      whitelist <options>

Syntax for IPv6

fwaccel6 dos
      blacklist <options>
      config <options>
      rate <options>
      stats <options>

Parameters

Parameter                  Description

-i <SecureXL ID>           Specifies the SecureXL instance ID (for IPv4 only).

blacklist <options>        Controls the IP blacklist in SecureXL.
                           See "fwaccel dos blacklist" on page 1259.

config <options>           Controls the DoS mitigation configuration in SecureXL.
                           See "fwaccel dos config" on page 1261.

pbox <options>             Controls the Penalty Box whitelist in SecureXL.
                           See "fwaccel dos pbox" on page 1267.

rate <options>             Shows and installs the Rate Limiting policy in SecureXL.
                           See "fwaccel dos rate" on page 1272.

stats <options>            Shows and clears the DoS real-time statistics in SecureXL.
                           See "fwaccel dos stats" on page 1274.

whitelist <options>        Configures the whitelist for source IP addresses in the SecureXL
                           Penalty Box.
                           See "fwaccel dos whitelist" on page 1276.

fwaccel dos blacklist

Description
The fwaccel dos blacklist and fwaccel6 dos blacklist commands control the IP blacklist in SecureXL.
The blacklist blocks all traffic to and from the specified IP addresses.
The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the
packets.

Important:
• On VSX Gateway, first go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.
• To enforce the IP blacklist in SecureXL, you must first enable the IP blacklists.
  See these commands:
  ◦ "fwaccel dos config" on page 1261
  ◦ "fw sam_policy" on page 1375 (lets you configure more granular rules)

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos blacklist
      -a <IPv4 Address>
      -d <IPv4 Address>
      -F
      -s

Syntax for IPv6

fwaccel6 dos blacklist
      -a <IPv6 Address>
      -d <IPv6 Address>
      -F
      -s

Parameters

Parameter                  Description

-i <SecureXL ID>           Specifies the SecureXL instance ID (for IPv4 only).

No Parameters              Shows the applicable built-in usage.

-a <IP Address>            Adds the specified IP address to the blacklist.
                           To add more than one IP address, run this command for each applicable
                           IP address.

-d <IP Address>            Removes the specified IP address from the blacklist.
                           To remove more than one IP address, run this command for each
                           applicable IP address.

-F                         Removes (flushes) all IP addresses from the blacklist.

-s                         Shows the configured blacklist.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos blacklist -s
The blacklist is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos blacklist -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -F
All blacklist entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
The blacklist is empty
[Expert@MyGW:0]#
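
Because each -a or -d call handles one address and the blacklist must be identical on all Cluster Members, it is safer to compute the difference between a desired list and the current "fwaccel dos blacklist -s" output than to re-add everything by hand. The planner below is an added example and not Check Point code: it reads the desired list from a file and the current -s output from stdin, and prints the fwaccel commands that would bring this member to the desired state, so the plan can be reviewed before it is piped into sh. FWACCEL is a hypothetical environment variable that selects fwaccel or fwaccel6; the sample data is constructed.

```sh
#!/bin/sh
# Added example (not Check Point code): reconcile the SecureXL IP blacklist of a
# Cluster Member with a desired list, so every member ends up configured the
# same way. FWACCEL (hypothetical variable) selects the binary, e.g. fwaccel6;
# set it to "echo fwaccel" for a dry run on a machine without SecureXL.

# blacklist_plan DESIRED_FILE < current-output
#   DESIRED_FILE: one IPv4 address per line; blank lines and #-comments are ignored.
#   stdin:        the output of `fwaccel dos blacklist -s` on this member.
# Prints one `... dos blacklist -a` line per missing address and one
# `... dos blacklist -d` line per address that should no longer be listed.
blacklist_plan() {
    awk -v cmd="${FWACCEL:-fwaccel}" '
        # Desired list (first input file).
        FILENAME == ARGV[1] {
            if ($0 ~ /^[ \t]*$/ || $0 ~ /^[ \t]*#/) next
            if ($1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                printf "# skipped malformed entry: %s\n", $0
                next
            }
            want[$1] = 1
            next
        }
        # Current state (stdin): keep only dotted quads, so that the
        # "The blacklist is empty" line printed by -s is ignored.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { have[$1] = 1 }
        END {
            for (ip in want) if (!(ip in have)) printf "%s dos blacklist -a %s\n", cmd, ip
            for (ip in have) if (!(ip in want)) printf "%s dos blacklist -d %s\n", cmd, ip
        }' "$1" - | sort
}

# Stand-alone demonstration on constructed data (no gateway needed).
demo_dir=$(mktemp -d)
printf '1.1.1.1\n3.3.3.3\n# decommissioned\n10.0.0\n' > "$demo_dir/blacklist.txt"
printf '2.2.2.2\n1.1.1.1\n' | blacklist_plan "$demo_dir/blacklist.txt"
rm -rf "$demo_dir"
```

On a member the plan is produced with `fwaccel dos blacklist -s | blacklist_plan /path/to/blacklist.txt`; an empty plan means the member already matches the list, which is the check to run on every member after a change. The blacklist is only enforced once it is enabled with "fwaccel dos config set --enable-blacklists", as the Important note above states.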

fwaccel dos config

Description
The fwaccel dos config and fwaccel6 dos config commands control the global configuration
parameters of the Rate Limiting for DoS mitigation in SecureXL.
These global parameters apply to all configured Rate Limiting rules.

Important:
• On VSX Gateway, first go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos config
      get
      set
            {--disable-rate-limit | --enable-rate-limit}
            {--disable-pbox | --enable-pbox}
            {--disable-blacklists | --enable-blacklists}
            {--disable-drop-frags | --enable-drop-frags}
            {--disable-drop-opts | --enable-drop-opts}
            {--disable-internal | --enable-internal}
            {--disable-monitor | --enable-monitor}
            {--disable-log-drops | --enable-log-drops}
            {--disable-log-pbox | --enable-log-pbox}
            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Syntax for IPv6

fwaccel6 dos config
      get
      set
            {--disable-rate-limit | --enable-rate-limit}
            {--disable-pbox | --enable-pbox}
            {--disable-blacklists | --enable-blacklists}
            {--disable-drop-frags | --enable-drop-frags}
            {--disable-drop-opts | --enable-drop-opts}
            {--disable-internal | --enable-internal}
            {--disable-monitor | --enable-monitor}
            {--disable-log-drops | --enable-log-drops}
            {--disable-log-pbox | --enable-log-pbox}
            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Parameters and Options

Parameter or Option Description

-i <SecureXL Specifies the SecureXL instance ID (for IPv4 only).


ID>

No Parameters Shows the applicable built-in usage.

get Shows the configuration parameters.

set <options> Configuration the parameters.

--disable- Disables the IP blacklists.


blacklists
This is the default configuration.

CLI R80.40 Reference Guide      |      1262


fwaccel dos config

Parameter or Option Description

--disable-drop-frags Disables the drops of all fragmented packets.
This is the default configuration.
Important - This option applies only to VSX, and only for traffic that arrives at a Virtual System through a Virtual Switch (packets received through a Warp interface). From R80.20, IP Fragment reassembly occurs in SecureXL before the Warp-jump from a Virtual Switch to a Virtual System. To block IP fragments, the Virtual Switch must be configured with this option. Otherwise, this option has no effect, because the IP fragments are already reassembled when they arrive at the Virtual System's Warp interface.

--disable-drop-opts Disables the drops of all packets with IP options.
This is the default configuration.

--disable-internal Disables the enforcement on internal interfaces.
This is the default configuration.

--disable-log-drops Disables the notifications when the DoS module drops a packet due to the rate limiting policy.

--disable-log-pbox Disables the notifications when the administrator adds an IP address to the penalty box.

--disable-monitor Disables the acceptance of all packets that otherwise would be dropped.
This is the default configuration.

--disable-pbox Disables the IP penalty box.
This is the default configuration.
Also, see the "fwaccel dos pbox" on page 1267 command.

--disable-rate-limit Disables the enforcement of the rate limiting policy.
This is the default configuration.

--enable-blacklists Enables IP blacklists.
Also, see the "fwaccel dos blacklist" on page 1259 command.

--enable-drop-frags Enables the drops of all fragmented packets.

--enable-drop-opts Enables the drops of all packets with IP options.

--enable-internal Enables the enforcement on internal interfaces.

--enable-log-drops Enables the notifications when the DoS module drops a packet due to the rate limiting policy.
This is the default configuration.

--enable-log-pbox Enables the notifications when the administrator adds an IP address to the penalty box.
This is the default configuration.

--enable-monitor Enables the acceptance of all packets that otherwise would be dropped.

--enable-pbox Enables the IP penalty box.
Also, see the "fwaccel dos pbox" on page 1267 command.

--enable-rate-limit Enables the enforcement of the rate limiting policy.
Important - After you run this command, you must install the Access Control policy.

-n <NOTIF_RATE>
--notif-rate <NOTIF_RATE> Configures the maximal number of drop notifications per second for each SecureXL device.
Range: 0 - (2^32 - 1)
Default: 100

-p <PBOX_RATE>
--pbox-rate <PBOX_RATE> Configures the minimal number of reported dropped packets before SecureXL adds a source IPv4 address to the penalty box.
Range: 0 - (2^32 - 1)
Default: 500

-t <PBOX_TMO>
--pbox-tmo <PBOX_TMO> Configures the number of seconds until SecureXL removes an IP address from the penalty box.
Range: 0 - (2^32 - 1)
Default: 180

Example 1 - Get the current DoS configuration on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config get
rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
log blacklist: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: disabled
log pbox: disabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#

Example 2 - Enabling the Penalty Box on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config set --enable-pbox
OK
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos config get
rate limit: disabled (without policy)
pbox: enabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#

Making the configuration persistent

The settings defined with the "fwaccel dos config set" and the "fwaccel6 dos config set" commands return to their default values during each reboot. To make these settings persistent, add the applicable commands to these configuration files:

File Description

$FWDIR/conf/fwaccel_dos_rate_on_install This shell script for IPv4 must contain only the fwaccel dos config set commands:

#!/bin/bash
fwaccel dos config set <options>

$FWDIR/conf/fwaccel6_dos_rate_on_install This shell script for IPv6 must contain only the fwaccel6 dos config set commands:

#!/bin/bash
fwaccel6 dos config set <options>

Important - Do not include the "fw sam_policy" on page 1375 commands in these configuration files. The configured Rate Limiting policy survives reboot. If you add the fw sam_policy commands, the rate policy installer runs in an infinite loop.

Notes:
- To create or edit these files, log in to the Expert mode.
- If these files do not already exist, create them with one of these commands:
  - touch $FWDIR/conf/<Name of File>
  - vi $FWDIR/conf/<Name of File>
- On VSX Gateway, before you create these files, go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- These files must start with the "#!/bin/bash" line.
- These files must end with a new empty line.
- After you create these files, you must assign the execute permission to them:
  chmod +x $FWDIR/conf/<Name of File>

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

#!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox
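
A pre-flight check for these two files, added here as an example and not part of the guide or of Check Point's tooling: it tests a file you name against the rules listed above before the next reboot runs it. It assumes only POSIX sh, awk and grep; the function name and its arguments are the example's own.

```shell
# check_dos_rate_script <file> <fwaccel|fwaccel6>
# Checks a $FWDIR/conf/fwaccel_dos_rate_on_install (second argument "fwaccel")
# or fwaccel6_dos_rate_on_install (second argument "fwaccel6") script against
# the rules the guide lists:
#   1. the first line is exactly "#!/bin/bash"
#   2. every other non-empty line is "<cmd> dos config set <options>" for the
#      expected command family (fwaccel for IPv4, fwaccel6 for IPv6)
#   3. no "fw sam_policy" / "fw6 sam_policy" line anywhere (the guide warns
#      this sends the rate policy installer into an infinite loop)
#   4. the file ends with a newline
#   5. the file has the execute permission (chmod +x)
# Prints the first violated rule and returns 1; returns 0 when all rules hold.
check_dos_rate_script() {
    file=$1
    cmd=${2:-fwaccel}

    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }

    # Rule 1: the shebang line must be exactly #!/bin/bash (a CRLF ending fails too)
    if [ "$(head -n 1 "$file")" != "#!/bin/bash" ]; then
        echo "$file: first line must be #!/bin/bash"; return 1
    fi

    # Rule 3: fw sam_policy / fw6 sam_policy must not appear in this file
    if grep -Eq 'fw6? sam_policy' "$file"; then
        echo "$file: contains fw sam_policy (rate policy installer would loop)"; return 1
    fi

    # Rule 2: after the shebang, only "<cmd> dos config set <options>" lines.
    # Empty lines are tolerated so the trailing-newline rule can be met.
    bad=$(awk -v cmd="$cmd" '
        NR > 1 && NF > 0 && $0 !~ ("^" cmd " dos config set ") { print NR ": " $0; exit }
    ' "$file")
    if [ -n "$bad" ]; then
        echo "$file: unexpected line $bad"; return 1
    fi

    # Rule 4: the last byte must be a newline ($(...) strips it, leaving nothing)
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo "$file: must end with a newline"; return 1
    fi

    # Rule 5: execute permission, as required before the script is run at boot
    if [ ! -x "$file" ]; then
        echo "$file: missing execute permission (chmod +x)"; return 1
    fi
    return 0
}
```

Run it as `check_dos_rate_script $FWDIR/conf/fwaccel_dos_rate_on_install fwaccel` (or with `fwaccel6` for the IPv6 file) after editing the script and before rebooting.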

fwaccel dos pbox

Description
The fwaccel dos pbox command controls the Penalty Box whitelist in SecureXL.
The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack.
The SecureXL Penalty Box detects clients that send packets which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address.
The Penalty Box whitelist in SecureXL lets you configure the source IP addresses that the SecureXL Penalty Box never blocks.

Important:
- This command supports only IPv4.
- On VSX Gateway, first go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.
- To enforce the Penalty Box in SecureXL, you must first enable the Penalty Box. See these commands:
  - "fwaccel dos config" on page 1261
  - "fwaccel dos whitelist" on page 1276
  - "fwaccel synatk whitelist" on page 1347

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos pbox
      flush
      whitelist
            -a <IPv4 Address>[/<Subnet Prefix>]
            -d <IPv4 Address>[/<Subnet Prefix>]
            -F
            -l /<Path>/<Name of File>
            -L
            -s

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

No Parameters Shows the applicable built-in usage.

flush Removes (flushes) all source IP addresses from the Penalty Box.

whitelist <options> Configures the whitelist for source IP addresses in the SecureXL Penalty Box.
Important - This whitelist overrides which packet the SecureXL Penalty Box drops. Before you use 3rd-party or automatic blacklists, add trusted networks and hosts to the whitelist to avoid outages.
Note - This command is similar to the "fwaccel dos whitelist" on page 1276 command.

-a <IPv4 Address>[/<Subnet Prefix>] Adds the specified IP address to the Penalty Box whitelist.
- <IPv4 Address> - Can be an IP address of a network or a host.
- <Subnet Prefix> - Must specify the length of the subnet mask in the format /<bits>.
  Optional for a host IP address.
  Mandatory for a network IP address.
  Range - from /1 to /32.
Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.
Examples:
- For a host:
  192.168.20.30
  192.168.20.30/32
- For a network:
  192.168.20.0/24

-d <IPv4 Address>[/<Subnet Prefix>] Removes the specified IP address from the Penalty Box whitelist.
- <IPv4 Address> - Can be an IP address of a network or a host.
- <Subnet Prefix> - Optional. Must specify the length of the subnet mask in the format /<bits>.
  Optional for a host IP address.
  Mandatory for a network IP address.
  Range - from /1 to /32.
Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

-F Removes (flushes) all entries from the Penalty Box whitelist.

-l /<Path>/<Name of File> Loads the Penalty Box whitelist entries from the specified plain-text file.
Important:
- You must manually create and configure this file with the touch or vi command.
- You must assign at least the read permission to this file with the chmod +x command.
- Each entry in this file must be on a separate line.
- Each entry in this file must be in this format:
  <IPv4 Address>[/<Subnet Prefix>]
- SecureXL ignores empty lines and lines that start with the # character in this file.

-L Loads the Penalty Box whitelist entries from the plain-text file with a predefined name:
$FWDIR/conf/pbox-whitelist-v4.conf
Security Gateway automatically runs the command fwaccel dos pbox whitelist -L during each boot.
Important:
- This file does not exist by default.
- You must manually create and configure this file with the touch or vi command.
- You must assign at least the read permission to this file with the chmod +x command.
- Each entry in this file must be on a separate line.
- Each entry in this file must be in this format:
  <IPv4 Address>[/<Subnet Prefix>]
- SecureXL ignores empty lines and lines that start with the # character in this file.

-s Shows the current Penalty Box whitelist entries.

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -F
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -F
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
[Expert@MyGW:0]#

Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -F
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
[Expert@MyGW:0]#

Example 4 - Deleting an entry

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos pbox whitelist -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#

fwaccel dos rate

Description
The fwaccel dos rate and fwaccel6 dos rate commands show and install the Rate Limiting policy in SecureXL.

Important:
- On VSX Gateway, first go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos rate
      get '<Rule UID>'
      install

Syntax for IPv6

fwaccel6 dos rate
      get '<Rule UID>'
      install

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

No Parameters Shows the applicable built-in usage.

get '<Rule UID>' Shows information about the rule specified by its Rule UID or its zero-based rule index.
The quote marks and angle brackets ('<...>') are mandatory.

install Installs a new rate limiting policy.
Important - This command requires input from the stdin.
To use this command, run:

fw sam_policy get -l -k req_type -t in -v quota | fwaccel dos rate install

For more information about the fw sam_policy command, see "fw sam_policy" on page 1375.

Notes
- If you install a new rate limiting policy with more than one rule, it automatically enables the rate limiting feature.
  To disable the rate limiting feature manually, run this command (see "fwaccel dos config" on page 1261):

  fwaccel dos config set --disable-rate-limit

- To delete the current rate limiting policy, install a new policy with zero rules.

fwaccel dos stats

Description
The fwaccel dos stats and fwaccel6 dos stats commands show and clear the DoS real-time statistics in SecureXL.

Important:
- On VSX Gateway, first go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos stats
      clear
      get

Syntax for IPv6

fwaccel6 dos stats
      clear
      get

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

No Parameters Shows the applicable built-in usage.

clear Clears the real-time statistics counters.

get Shows the real-time statistics counters.

Example - Get the current DoS statistics

[Expert@MyGW:0]# fwaccel dos stats get
Firewall:
Number of Elements in Tables:
Penalty Box Violating IPs: 0 (size: 8192)
Blacklist Notification Handlers: 0 (size: 1024)
SXL Device 0:
Total Active Connections: 0
Total New Connections/Second: 0
Total Packets/Second: 0
Total Bytes/Second: 0
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 0
Blacklist: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0 (size: 0)
Non-Empty Blacklists: 0 (size: 0)
Blacklisted IPs: 0 (size: 0)
Rate Limit Matches: 0 (size: 0)
Rate Limit Source Only Tracks: 0 (size: 0)
Rate Limit Source and Service Tracks: 0 (size: 0)
SXL Devices in Aggregate:
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 0
Blacklist: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0
Non-Empty Blacklists: 0
Blacklisted IPs: 0
Rate Limit Matches: 0
Rate Limit Source Only Tracks: 0
Rate Limit Source and Service Tracks: 0
[Expert@MyGW:0]#
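
A way to turn this output into counters that a cron job or monitoring agent can alert on, as an added example (not Check Point code). It assumes POSIX sh and awk, reads the "SXL Devices in Aggregate" section only, and the sample output embedded below is constructed with non-zero drop counts to exercise the alert path; it is not real gateway data.

```shell
# dos_aggregate_drops
# Reads "fwaccel dos stats get" output on stdin and prints the counters under
# "SXL Devices in Aggregate: / Reasons Packets Dropped:" as key=value lines.
# Per-device "SXL Device N:" sections and the table-size counters are skipped,
# and leading indentation is ignored so the real, indented output parses too.
# Usage: fwaccel dos stats get | dos_aggregate_drops
dos_aggregate_drops() {
    awk '
    /^[ \t]*SXL Devices in Aggregate:/    { agg = 1; next }
    agg && /Reasons Packets Dropped:/     { drops = 1; next }
    agg && /Number of Elements in Tables:/ { drops = 0 }
    agg && drops && /: *[0-9]+[ \t]*$/ {
        sub(/^[ \t]+/, "")             # strip indentation
        split($0, kv, /: */)           # "Penalty Box: 850" -> kv[1], kv[2]
        print kv[1] "=" kv[2]
    }'
}

# dos_drop_alert "<stats output>" "<counter name>" <threshold>
# Returns 0 (alert) when the aggregate counter is above the threshold,
# 1 when it is not, and 2 when the counter is absent from the output.
dos_drop_alert() {
    value=$(printf '%s\n' "$1" | dos_aggregate_drops |
            awk -F= -v k="$2" '$1 == k { print $2; found = 1 } END { exit !found }') || return 2
    [ "$value" -gt "$3" ]
}

# Constructed sample in the layout of the guide's example output, with
# non-zero Penalty Box and Rate Limit drops (not real gateway data).
SAMPLE_DOS_STATS='Firewall:
    Number of Elements in Tables:
        Penalty Box Violating IPs: 3 (size: 8192)
        Blacklist Notification Handlers: 0 (size: 1024)
SXL Device 0:
    Total Active Connections: 120
    Total Packets/Second: 4100
    Reasons Packets Dropped:
        IP Fragment: 0
        IP Option: 0
        Penalty Box: 850
        Blacklist: 0
        Rate Limit: 12
    Number of Elements in Tables:
        Penalty Box: 3 (size: 0)
SXL Devices in Aggregate:
    Reasons Packets Dropped:
        IP Fragment: 0
        IP Option: 0
        Penalty Box: 850
        Blacklist: 0
        Rate Limit: 12
    Number of Elements in Tables:
        Penalty Box: 3
        Non-Empty Blacklists: 0
        Blacklisted IPs: 0'

# Stand-alone run: print the aggregate drop counters of the sample.
printf '%s\n' "$SAMPLE_DOS_STATS" | dos_aggregate_drops
```

On a gateway, `fwaccel dos stats get | dos_aggregate_drops` gives the same key=value lines, and `dos_drop_alert "$(fwaccel dos stats get)" "Penalty Box" 1000` is a usable cron check.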

fwaccel dos whitelist

Description
The fwaccel dos whitelist command configures the whitelist for source IP addresses in the SecureXL Penalty Box.
This whitelist overrides which packet the SecureXL Penalty Box drops.

Notes:
- This command supports only IPv4.
- On VSX Gateway, first go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.
- This whitelist overrides entries in the blacklist. Before you use 3rd-party or automatic blacklists, add trusted networks and hosts to the whitelist to avoid outages.
- This whitelist unblocks IP Options and IP fragments from trusted sources when you explicitly configure one of these SecureXL features:
  - --enable-drop-opts
  - --enable-drop-frags
  See the "fwaccel dos config" on page 1261 command.
- To whitelist the Rate Limiting policy, refer to the bypass action of the fw samp command. For example, fw samp -a b ...
  For more information about the fw sam_policy command, see the R80.40 Performance Tuning Administration Guide - Section Rate Limiting for DoS Mitigation - Section 'fw sam_policy' and 'fw6 sam_policy'.
- This command is similar to the "fwaccel dos pbox whitelist" command (see "fwaccel dos pbox" on page 1267).
- Also, see the "fwaccel synatk whitelist" on page 1347 command.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] dos whitelist
      -a <IPv4 Address>[/<Subnet Prefix>]
      -d <IPv4 Address>[/<Subnet Prefix>]
      -F
      -l /<Path>/<Name of File>
      -L
      -s

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

No Parameters Shows the applicable built-in usage.

-a <IPv4 Address>[/<Subnet Prefix>] Adds the specified IP address to the Penalty Box whitelist.
- <IPv4 Address> - Can be an IPv4 address of a network or a host.
- <Subnet Prefix> - Must specify the length of the subnet mask in the format /<bits>.
  Optional for a host IPv4 address.
  Mandatory for a network IPv4 address.
  Range - from /1 to /32.
Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.
Examples:
- For a host:
  192.168.20.30
  192.168.20.30/32
- For a network:
  192.168.20.0/24

-d <IPv4 Address>[/<Subnet Prefix>] Removes the specified IPv4 address from the Penalty Box whitelist.
- <IPv4 Address> - Can be an IPv4 address of a network or a host.
- <Subnet Prefix> - Optional. Must specify the length of the subnet mask in the format /<bits>.
  Optional for a host IPv4 address.
  Mandatory for a network IPv4 address.
  Range - from /1 to /32.
Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

-F Removes (flushes) all entries from the Penalty Box whitelist.

-l /<Path>/<Name of File> Loads the Penalty Box whitelist entries from the specified plain-text file.
Note - To replace the current whitelist with the contents of a new file, use both the -F and -l parameters on the same command line.
Important:
- You must manually create and configure this file with the touch or vi command.
- You must assign at least the read permission to this file with the chmod +x command.
- Each entry in this file must be on a separate line.
- Each entry in this file must be in this format:
  <IPv4 Address>[/<Subnet Prefix>]
- SecureXL ignores empty lines and lines that start with the # character in this file.

-L Loads the Penalty Box whitelist entries from the plain-text file with a predefined name:
$FWDIR/conf/pbox-whitelist-v4.conf
Security Gateway automatically runs the command fwaccel dos pbox whitelist -L during each boot.
Note - To replace the current whitelist with the contents of a new file, use both the -F and -L parameters on the same command line.
Important:
- This file does not exist by default.
- You must manually create and configure this file with the touch or vi command.
- You must assign at least the read permission to this file with the chmod +x command.
- Each entry in this file must be on a separate line.
- Each entry in this file must be in this format:
  <IPv4 Address>[/<Subnet Prefix>]
- SecureXL ignores empty lines and lines that start with the # character in this file.

-s Shows the current Penalty Box whitelist entries.
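
The file format that the -l and -L parameters load, here and for "fwaccel dos pbox whitelist -l / -L" above, can be checked before the gateway reads it. This validator is an added example, not Check Point code; it assumes POSIX sh and awk, and its "warn" result for an entry whose host bits are set under its prefix is the example's own assumption, not a rule the guide states.

```shell
# validate_pbox_whitelist <file>
# Checks each line of a Penalty Box whitelist file against the rules in the
# parameter table:
#   - empty lines and lines that start with # are ignored
#   - every other line is exactly one entry: <IPv4 Address>[/<Subnet Prefix>]
#   - no prefix means /32; an explicit prefix must be /1 to /32
# Assumption of this check only: an entry such as 192.168.20.30/24, whose host
# bits are set under its prefix, is reported as "warn" because the author most
# likely meant either the host 192.168.20.30 or the network 192.168.20.0/24.
# Prints "ok|warn|bad <line number>: <line> [(reason)]" for every entry and
# returns 1 if any entry is bad, 0 otherwise.
validate_pbox_whitelist() {
    awk '
    function octet_ok(o) { return o ~ /^[0-9]+$/ && (o + 0) <= 255 }
    function report(status, why,   s) {
        s = status " " NR ": " $0
        if (why != "") s = s " (" why ")"
        print s
    }
    /^[ \t]*$/ { next }            # SecureXL ignores empty lines
    /^#/       { next }            # ...and lines that start with #
    {
        if (NF != 1) { report("bad", "one entry per line, no trailing text"); bad++; next }
        n = split($1, part, "/")
        if (n > 2) { report("bad", "format is a.b.c.d[/bits]"); bad++; next }
        if (split(part[1], oct, ".") != 4) { report("bad", "not a dotted-quad IPv4 address"); bad++; next }
        ip = 0
        for (i = 1; i <= 4; i++) {
            if (!octet_ok(oct[i])) { report("bad", "octet " oct[i] " is not 0-255"); bad++; next }
            ip = ip * 256 + oct[i]
        }
        if (n == 2) {
            bits = part[2]
            if (bits !~ /^[0-9]+$/ || bits + 0 < 1 || bits + 0 > 32) {
                report("bad", "subnet prefix must be /1 to /32"); bad++; next
            }
        } else {
            bits = 32              # no prefix given: the command uses /32
        }
        # Host bits set under the prefix: accepted by the format, but probably a mistake
        if (ip % (2 ^ (32 - bits)) != 0) report("warn", "host bits set under /" bits)
        else report("ok", "")
    }
    END { exit (bad > 0) }
    ' "$1"
}
```

Run `validate_pbox_whitelist $FWDIR/conf/pbox-whitelist-v4.conf` before a reboot, or on any file you intend to pass to -l; a non-zero exit means at least one entry would not load as written.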

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

Example 4 - Deleting an entry

[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos whitelist -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#

fwaccel feature
Description
The fwaccel feature and fwaccel6 feature commands enable and disable the specified SecureXL features.

Important:
- If you disable a SecureXL feature, SecureXL does not accelerate the applicable traffic anymore.
- This change does not survive reboot.
- In VSX Gateway, this change is global and applies to all Virtual Systems.
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] feature <Name of Feature>
      get
      off
      on

Syntax for IPv6

fwaccel6 feature <Name of Feature>
      get
      off
      on

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

No Parameters Shows the applicable built-in usage.

<Name of Feature> Specifies the SecureXL feature.
R80.40 SecureXL supports only this feature:
- Name: sctp
- Description: Stream Control Transmission Protocol (SCTP) - see sk35113

get Shows the current state of the specified SecureXL feature.

off Disables the specified SecureXL feature.
This means that SecureXL does not accelerate the applicable traffic anymore.

on Enables the specified SecureXL feature.
This means that SecureXL accelerates the applicable traffic again.

Disabling the 'sctp' feature permanently

See "Working with Kernel Parameters on Security Gateway" on page 1769.

1. Add this line to the $FWDIR/modules/fwkern.conf file:
   sim_sctp_disable_by_default=1
2. Reboot.

Example 1 - Default output

[Expert@MyGW:0]# fwaccel feature
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

[Expert@MyGW:0]#

Example 2 - Disabling and enabling a feature

[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp off
Set operation succeeded
[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp on
Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 0
[Expert@MyGW:0]#

fwaccel off
Description
The fwaccel off and fwaccel6 off commands stop the SecureXL on-the-fly.
Starting from R80.20, you can stop the SecureXL only temporarily. The SecureXL starts automatically when you start Check Point services (with the "cpstart" on page 911 command), or reboot the Security Gateway.

Important:
- Disable the SecureXL only for debug purposes, if Check Point Support explicitly instructs you to do so.
- If you disable the SecureXL, this change does not survive reboot.
  SecureXL remains disabled until you enable it again on-the-fly, or reboot the Security Gateway.
- If you disable the SecureXL, this change applies only to new connections that arrive after you disable the acceleration.
  SecureXL continues to accelerate the connections that are already accelerated.
  Other non-connection oriented processing continues to function (for example, virtual defragmentation, VPN decrypt).
- On VSX Gateway:
  - If you wish to stop the acceleration only for a specific Virtual System, go to the context of that Virtual System.
    In Gaia Clish, run: set virtual-system <VSID>
    In Expert mode, run: vsenv <VSID>
  - If you wish to stop the acceleration for all Virtual Systems, you must use the -a parameter.
    In this case, it does not matter from which Virtual System context you run this command.
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] off [-a] [-q]

Syntax for IPv6

fwaccel6 off [-a] [-q]

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

-a On VSX Gateway, stops acceleration on all Virtual Systems.

-q Suppresses the output (does not show a returned output).

Possible returned output

- SecureXL device disabled
- SecureXL device is not active
- Failed to disable SecureXL device
- fwaccel_off: failed to set process context <VSID>

Example 1 - Output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel off
SecureXL device disabled.
[Expert@MyGW:0]#

Example 2 - Output from a VSX Gateway for a specific Virtual System

[Expert@MyVSXGW:1]# vsx stat -v
VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel off
SecureXL device disabled. (Virtual ID 1)
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#

Example 3 - Output from a VSX Gateway for all Virtual Systems

[Expert@MyVSXGW:1]# vsx stat -v
VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel off -a
SecureXL device disabled. (Virtual ID 0)
SecureXL device disabled. (Virtual ID 1)
SecureXL device disabled. (Virtual ID 2)
[Expert@MyVSXGW:1]#

fwaccel on
Description
The fwaccel on and fwaccel6 on commands start the acceleration on-the-fly, if it was previously stopped with the fwaccel off or fwaccel6 off command (see "fwaccel off" on page 1284).

Important:
- On VSX Gateway:
  - If you wish to start the acceleration only for a specific Virtual System, go to the context of that Virtual System.
    In Gaia Clish, run: set virtual-system <VSID>
    In Expert mode, run: vsenv <VSID>
  - If you wish to start the acceleration for all Virtual Systems, you must use the -a parameter.
    In this case, it does not matter from which Virtual System context you run this command.
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] on [-a] [-q]

Syntax for IPv6

fwaccel6 on [-a] [-q]

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

-a On VSX Gateway, starts the acceleration on all Virtual Systems.

-q Suppresses the output (does not show a returned output).

Possible returned output

- SecureXL device is enabled.
- Failed to start SecureXL.
- No license for SecureXL.
- SecureXL is disabled by the firewall. Please try again later.

- The installed SecureXL device is not compatible with the installed firewall (version mismatch).
- The SecureXL device is in the process of being stopped. Please try again later.
- SecureXL cannot be started while "flows" are active.
- SecureXL is already started.
- SecureXL will be started after a policy is loaded.
- fwaccel: Failed to check FloodGate-1 status. Acceleration will not be started.
- FW-1: SecureXL acceleration cannot be started while QoS is running in express mode.
  Please disable FloodGate-1 express mode or SecureXL.
- FW-1: SecureXL acceleration cannot be started while QoS is running with citrix printing rule.
  Please remove the citrix printing rule to enable SecureXL.
- FW-1: SecureXL acceleration cannot be started while QoS is running with UAS rule.
  Please remove the UAS rule to enable SecureXL.
- FW-1: SecureXL acceleration cannot be started while QoS is running.
  Please remove the QoS blade to enable SecureXL.
- Failed to enable SecureXL device
- fwaccel_on: failed to set process context <VSID>

Example 1 - Output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel on
SecureXL device is enabled.
[Expert@MyGW:0]#

Example 2 - Output from a VSX Gateway for a specific Virtual System

[Expert@MyVSXGW:1]# vsx stat -v
VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel on
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#


Example 3 - Output from a VSX Gateway for all Virtual Systems

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name:                     VSX2_192.168.3.242
Access Control Policy:    VSX_GW_VSX
Installed at:             17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status:               Trust

Number of Virtual Systems allowed by license:        25
Virtual Systems [active / configured]:               2 / 2
Virtual Routers and Switches [active / configured]:  0 / 0
Total connections [current / limit]:                 4 / 44700

Virtual Devices Status
======================

ID   | Type & Name         | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
   1 | S VS1               | VS1_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
   2 | S VS2               | VS2_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel on -a
[Expert@MyVSXGW:1]#


fwaccel ranges
Description
The fwaccel ranges and fwaccel6 ranges commands show the ranges that are loaded into SecureXL:
- Ranges of Rule Base source IP addresses
- Ranges of Rule Base destination IP addresses
- Ranges of Rule Base destination ports and protocols
The Security Gateway creates these ranges during policy installation. The Firewall creates and offloads ranges to SecureXL when any of these features is enabled:
- Rule Base ranges for Drop Templates
- Anti-Spoofing enforcement ranges, on a per-interface basis
- NAT64 ranges
- NAT46 ranges
The ranges are used to match connections against SecureXL Drop Templates. They represent the Source, Destination and Service columns of the Rule Base.
The ranges are not an exact copy of the Rule Base, because some objects cannot be represented as real (deterministic) IP addresses, for example Domain objects and Dynamic objects. The Security Gateway converts such non-deterministic objects to "Any".
In addition, implied rules are represented in these ranges, except for some specific implied rules.
You can use these commands for troubleshooting.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] ranges
      -h
      -a
      -l
      -p <Range ID>
      -s <Range ID>

Syntax for IPv6

fwaccel6 ranges
      -h
      -a
      -l
      -p <Range ID>
      -s <Range ID>

Parameters

Parameter            Description
-i <SecureXL ID>     Specifies the SecureXL instance ID (for IPv4 only).
-h                   Shows the applicable built-in usage.
-a or No Parameters  Shows the full information for all loaded ranges.
                     Note - In the list of SecureXL Drop Templates (output of the "fwaccel templates" command), each Drop Template is assembled from range indexes. To see the mapping between a range index and the range itself, run fwaccel ranges -a. This lets you understand the practical ranges behind the Drop Templates and when it is appropriate to use them.
-l                   Shows the list of loaded ranges:
                     - 0 - Ranges of Rule Base source IP addresses
                     - 1 - Ranges of Rule Base destination IP addresses
                     - 2 - Ranges of Rule Base destination ports and protocols
-p <Range ID>        Shows the full information for the specified range.
-s <Range ID>        Shows the summary information for the specified range.


Examples

Example 1 - Show the list of ranges from a non-VSX Gateway


[Expert@MyGW:0]# fwaccel ranges -l
SecureXL device 0:
0 Rule base source ranges (ip):
1 Rule base destination ranges (ip):
2 Rule base dport ranges (port, proto):
[Expert@MyGW:0]#

Example 2 - Show the full information for all loaded ranges from a non-VSX Gateway
[Expert@MyGW:0]# fwaccel ranges
SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
[Expert@MyGW:0]#


Example 3 - Show the full information for the specified range from a non-VSX Gateway
[Expert@MyGW:0]# fwaccel ranges -p 0
SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -p 1
SecureXL device 0:
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -p 2
SecureXL device 0:
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
[Expert@MyGW:0]#

Example 4 - Show the summary information for the specified range from a non-VSX
Gateway
[Expert@MyGW:0]# fwaccel ranges -s 0
SecureXL device 0:
List name "Rule base source ranges (ip):", ID 0, Number of ranges 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -s 1
SecureXL device 0:
List name "Rule base destination ranges (ip):", ID 1, Number of ranges 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -s 2
SecureXL device 0:
List name "Rule base dport ranges (port, proto):", ID 2, Number of ranges 11
[Expert@MyGW:0]#
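How the range lists relate to the objects behind them, as an added illustration (this is not Check Point code and does not claim to be the gateway's implementation): the lists in Examples 2 to 4 are exactly the disjoint intervals you get by cutting the address space, and the (port, protocol) space, at every object boundary, so that every packet value falls into exactly one indexed range. The Python 3 script below takes the three host objects and six services whose boundaries are visible in Example 2 (which Rule Base objects actually produced them is not known, so they are reconstructed from the output and marked as constructed), rebuilds the three lists in the same layout as fwaccel ranges, and looks up the range index for a packet, which is the form in which a Drop Template refers to a Source, Destination or Service.

```python
import bisect
import ipaddress

IP_MAX = 2**32 - 1
PORT_MAX = 65535
PROTO_MAX = 65535

# Constructed input: the three host objects and six services whose boundaries
# are visible in Example 2 above (the real Rule Base behind that output is not known).
SAMPLE_HOSTS = ["192.168.204.1", "192.168.204.40", "192.168.254.40"]
SAMPLE_SERVICES = [                     # (first port, last port, IP protocol)
    (139, 139, 6), (18190, 18190, 6), (18191, 18191, 6),
    (18192, 18192, 6), (19009, 19009, 6), (137, 138, 17),
]


def elementary_ranges(intervals, lo, hi):
    """Cut [lo, hi] at every boundary of the given inclusive (start, end)
    intervals and return the resulting disjoint ranges, in order.
    Every value maps to exactly one range, so an object (or a rule column)
    can be described as a set of range indexes instead of raw values."""
    cuts = set()
    for start, end in intervals:
        cuts.add(start)          # a range starts where an object starts ...
        cuts.add(end + 1)        # ... and another starts right after it ends
    cuts = sorted(c for c in cuts if lo < c <= hi)
    ranges, begin = [], lo
    for c in cuts:
        ranges.append((begin, c - 1))
        begin = c
    ranges.append((begin, hi))
    return ranges


def range_index(ranges, value):
    """Index of the range that contains value (binary search on the range starts)."""
    i = bisect.bisect_right([s for s, _ in ranges], value) - 1
    assert ranges[i][0] <= value <= ranges[i][1]
    return i


def ip_ranges(objects):
    """Ranges for host/network objects given as '10.0.0.1' or '10.0.0.0/24'.
    An object converted to Any ('0.0.0.0/0') contributes no cut at all."""
    nets = [ipaddress.ip_network(o, strict=False) for o in objects]
    return elementary_ranges([(int(n[0]), int(n[-1])) for n in nets], 0, IP_MAX)


def ip_index(ranges, address):
    return range_index(ranges, int(ipaddress.ip_address(address)))


# Services are ordered by protocol first, then port, so (port, proto) packs into
# one integer and "0, 0 - 138, 6" or "19010, 6 - 136, 17" become plain intervals.
def svc_key(port, proto):
    return proto * (PORT_MAX + 1) + port


def svc_unkey(key):
    return (key % (PORT_MAX + 1), key // (PORT_MAX + 1))


def dport_ranges(services):
    ivs = [(svc_key(p1, proto), svc_key(p2, proto)) for p1, p2, proto in services]
    return elementary_ranges(ivs, 0, svc_key(PORT_MAX, PROTO_MAX))


def fmt_ip_ranges(ranges):
    return [f"({i}) {ipaddress.ip_address(s)} - {ipaddress.ip_address(e)}"
            for i, (s, e) in enumerate(ranges)]


def fmt_dport_ranges(ranges):
    out = []
    for i, (s, e) in enumerate(ranges):
        (p1, pr1), (p2, pr2) = svc_unkey(s), svc_unkey(e)
        out.append(f"({i}) {p1}, {pr1} - {p2}, {pr2}")
    return out


if __name__ == "__main__":
    src = ip_ranges(SAMPLE_HOSTS)
    dport = dport_ranges(SAMPLE_SERVICES)
    print("Rule base source ranges (ip):")
    print("\n".join(fmt_ip_ranges(src)))
    print("Rule base dport ranges (port, proto):")
    print("\n".join(fmt_dport_ranges(dport)))
    # A packet from 192.168.204.40 to TCP/445 is matched by range indexes, not by addresses:
    print("src index", ip_index(src, "192.168.204.40"),
          "dport index", range_index(dport, svc_key(445, 6)))
```

The source list comes out as the seven ranges of Example 2 and the service list as its eleven (port, proto) ranges, including the wrap from "19010, 6" to "136, 17" where TCP ends and UDP begins. A Domain or Dynamic object, once converted to Any, adds no boundary, so on its own it collapses to the single range 0.0.0.0 - 255.255.255.255; that is why such objects never appear as a narrower range in this output.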


Example 5 - Show the list of ranges from a VSX Gateway


[Expert@MyVSXGW:2]# vsenv 0
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVSXGW:0]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth0:
1 Anti spoofing ranges eth1:
[Expert@MyVSXGW:0]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth3:
1 Anti spoofing ranges eth2.52:
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth4:
1 Anti spoofing ranges eth2.53:
[Expert@MyVSXGW:2]#

Example 6 - Show the full information for all loaded ranges from a VSX Gateway
[Expert@MyVSXGW:2]# vsenv 0
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVSXGW:0]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth0:
(0) 0.0.0.0 - 10.20.29.255
(1) 10.20.31.0 - 126.255.255.255
(2) 128.0.0.0 - 192.168.2.255
(3) 192.168.3.1 - 192.168.3.241
(4) 192.168.3.243 - 192.168.3.254
(5) 192.168.4.0 - 223.255.255.255
(6) 240.0.0.0 - 255.255.255.254
Anti spoofing ranges eth1:
(0) 10.20.30.1 - 10.20.30.241
(1) 10.20.30.243 - 10.20.30.254
[Expert@MyVSXGW:0]#
[Expert@MyVSXGW:0]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth3:
(0) 40.50.60.0 - 40.50.60.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.52:
(0) 70.80.90.0 - 70.80.90.255
(1) 192.168.196.1 - 192.168.196.1
(2) 192.168.196.3 - 192.168.196.14
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth4:
(0) 100.100.100.0 - 100.100.100.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.53:
(0) 192.168.196.1 - 192.168.196.1
(1) 192.168.196.3 - 192.168.196.14
(2) 200.200.200.0 - 200.200.200.255
[Expert@MyVSXGW:2]#


Example 7 - Show the summary information for the specified range from a VSX Gateway
[Expert@MyVSXGW:2]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 0
SecureXL device 0:
List name "Anti spoofing ranges eth3:", ID 0, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 1
SecureXL device 0:
List name "Anti spoofing ranges eth2.52:", ID 1, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 2
SecureXL device 0:
The requested range table is empty
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 0
SecureXL device 0:
List name "Anti spoofing ranges eth4:", ID 0, Number of ranges 3
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 1
SecureXL device 0:
List name "Anti spoofing ranges eth2.53:", ID 1, Number of ranges 3
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 2
SecureXL device 0:
The requested range table is empty
[Expert@MyVSXGW:2]#


fwaccel stat
Description
The fwaccel stat and fwaccel6 stat commands show the SecureXL status, the list of the accelerated
interfaces and the list of the accelerated features on the local Security Gateway, or Cluster Member.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] stat [-a] [-t] [-v]

Syntax for IPv6

fwaccel6 stat [-a] [-t] [-v]


Parameters

Parameter          Description
-i <SecureXL ID>   Specifies the SecureXL instance ID (for IPv4 only).
No Parameters      Shows this information:
                   - SecureXL instance ID
                   - SecureXL instance role
                   - SecureXL status
                   - Accelerated interfaces
                   - Accelerated features
                   In addition, also shows:
                   - More information about the Cryptography feature
                   - The status of Accept Templates
                   - The status of Drop Templates
                   - The status of NAT Templates
-a                 On a VSX Gateway, shows the information for all Virtual Systems.
-t                 Shows only this information:
                   - SecureXL instance ID
                   - SecureXL instance role
                   - SecureXL status
                   - Accelerated interfaces
                   - Accelerated features
-v                 On a VSX Gateway, shows the information for all Virtual Systems. The same as the "-a" parameter.


Example 1 - Full output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel stat


+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,|
| | | |eth5,eth6 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
        Layer MyGW_Policy Network disables template offloads from rule #1
        Throughput acceleration still enabled.
Drop Templates   : disabled
NAT Templates    : disabled by Firewall
        Layer MyGW_Policy Network disables template offloads from rule #1
        Throughput acceleration still enabled.
[Expert@MyGW:0]#

Example 2 - Brief output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel stat -t


+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,|
| | | |eth5,eth6,eth7 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyGW:0]#


Example 3 - Full output from a VSX Gateway


[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name:                     VSX2_192.168.3.242
Access Control Policy:    VSX_GW_VSX
Installed at:             17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status:               Trust

Number of Virtual Systems allowed by license:        25
Virtual Systems [active / configured]:               2 / 2
Virtual Routers and Switches [active / configured]:  0 / 0
Total connections [current / limit]:                 4 / 44700

Virtual Devices Status
======================

ID   | Type & Name         | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
   1 | S VS1               | VS1_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
   2 | S VS2               | VS2_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat
+--------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                     |
+--------------------------------------------------------------------------------+
|0 |SND      |enabled    |eth1,eth2,eth3           |Acceleration,Cryptography    |
|  |         |           |                         |Crypto: Tunnel,UDPEncap,MD5, |
|  |         |           |                         |SHA1,NULL,3DES,DES,CAST,     |
|  |         |           |                         |CAST-40,AES-128,AES-256,ESP, |
|  |         |           |                         |LinkSelection,DynamicVPN,    |
|  |         |           |                         |NatTraversal,AES-XCBC,SHA256 |
+--------------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
        Layer VS1_Policy Network disables template offloads from rule #1
        Throughput acceleration still enabled.
Drop Templates   : disabled
NAT Templates    : disabled by Firewall
        Layer VS1_Policy Network disables template offloads from rule #1
        Throughput acceleration still enabled.
[Expert@MyVSXGW:1]#


fwaccel stats
Description
The fwaccel stats and fwaccel6 stats commands show acceleration statistics (for IPv4 and for IPv6, respectively) on the local Security Gateway or Cluster Member.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] stats [-c] [-d] [-l] [-m] [-n] [-o] [-p] [-q] [-r] [-s] [-x]

Syntax for IPv6

fwaccel6 stats [-c] [-d] [-l] [-m] [-n] [-o] [-p] [-q] [-r] [-s] [-x]


Parameters

Parameter          Description
-i <SecureXL ID>   Specifies the SecureXL instance ID (for IPv4 only).
-c                 Shows the statistics for Cluster Correction.
-d                 Shows the statistics for drops from the device, grouped by drop reason.
-l                 Shows the statistics in legacy mode - as one table.
-m                 Shows the statistics for multicast traffic.
-n                 Shows the statistics for Identity Awareness (NAC).
-o                 Shows the statistics for the Reorder Infrastructure.
-p                 Shows the statistics for SecureXL violations (F2F packets).
-q                 Shows the statistics for the notifications that SecureXL sent to the Firewall.
-r                 Resets all the counters.
-s                 Shows the statistics summary only.
-x                 Shows the statistics for PXL.
                   Note - PXL is the technology name for the combination of SecureXL and PSL (Passive Streaming Library).

In addition, see:
n "Description of the Statistics Counters in the "fwaccel stats" Output" on page 1306
n "Example Outputs on the "fwaccel stats" Commands" on page 1312


Description of the Statistics Counters in the "fwaccel stats" Output


The Accelerated Path section

Counter               Description
accel packets         Number of accelerated packets.
accel bytes           Number of accelerated bytes.
outbound packets      Number of outbound packets.
outbound bytes        Number of outbound bytes.
conns created         Number of connections the SecureXL created.
conns deleted         Number of connections the SecureXL deleted.
C total conns         Total number of connections the SecureXL currently handles.
C templates           Not in use (legacy meaning: total number of SecureXL templates the SecureXL currently handles).
C TCP conns           Number of TCP connections the SecureXL currently handles.
C non TCP conns       Number of non-TCP connections the SecureXL currently handles.
conns from templates  Not in use (legacy meaning: number of connections the SecureXL created from SecureXL templates).
nat conns             Number of NAT connections.
dropped packets       Number of packets the SecureXL dropped.
dropped bytes         Number of bytes the SecureXL dropped.
nat templates         Not in use
port alloc templates  Not in use
conns from nat tmpl   Not in use
port alloc conns      Not in use
fragments received    Number of received fragments.
fragments transmit    Number of transmitted fragments.
fragments dropped     Number of dropped fragments.
fragments expired     Number of expired fragments.
IP options stripped   Number of packets from which SecureXL stripped the IP options.
IP options restored   Number of packets in which SecureXL restored the IP options.
IP options dropped    Number of packets with IP options that SecureXL dropped.
corrs created         Number of corrections the SecureXL made.
corrs deleted         Number of corrections the SecureXL deleted.
C corrections         Number of corrections the SecureXL currently handles.
corrected packets     Number of corrected packets.
corrected bytes       Number of corrected bytes.

The Accelerated VPN Path section

Counter Description

C crypt conns Number of encrypted connections the SecureXL currently handles.

enc bytes Number of encrypted traffic bytes.

dec bytes Number of decrypted traffic bytes.

ESP enc pkts Number of ESP encrypted packets.

ESP enc err Number of ESP encryption errors.

ESP dec pkts Number of ESP decrypted packets.

ESP dec err Number of ESP decryption errors.

ESP other err Number of ESP general errors.

espudp enc pkts Not in use

espudp enc err Not in use

espudp dec pkts Not in use

espudp dec err Not in use

espudp other err Not in use


The Medium Streaming Path section

Counter               Description
PXL packets           Number of PXL packets.
                      PXL is the combination of SecureXL and the Passive Streaming Library (PSL), an IPS infrastructure that transparently listens to TCP traffic as network packets and rebuilds the TCP stream out of these packets. Passive Streaming can listen to all TCP traffic, but processes only the data packets that belong to a previously registered connection.
PXL async packets     Number of PXL packets the SecureXL handled asynchronously.
PXL bytes             Number of PXL bytes.
C PXL conns           Number of PXL connections the SecureXL currently handles.
C PXL templates       Not in use (legacy meaning: number of PXL templates).
PXL FF conns          Number of PXL Fast Forward connections.
PXL FF packets        Number of PXL Fast Forward packets.
PXL FF bytes          Number of PXL Fast Forward bytes.
PXL FF acks           Number of PXL Fast Forward acknowledgments.

In the R80.40 example outputs later in this section, the packet, byte and connection counters of this path appear separately for each streaming engine, under the names CPASXL ... and PSLXL ..., rather than under the generic PXL names listed here.

The Inline Streaming Path section

Counter Description

PSL Inline packets Number of accelerated PSL packets.

PSL Inline bytes Number of accelerated PSL bytes.

CPAS Inline packets Number of accelerated CPAS packets.

CPAS Inline bytes Number of accelerated CPAS bytes.


The QoS General Information section

Counter Description

Total QoS Conns Total number of QoS connections.

QoS Classify Conns Number of classified QoS connections.

QoS Classify flow Number of classified QoS flows.

Reclassify QoS polic Number of reclassify QoS requests.

The Firewall QoS Path section

Counter Description

Enqueued IN packets Number of waiting packets in Firewall QoS inbound queue.

Enqueued OUT packets Number of waiting packets in Firewall QoS outbound queue.

Dequeued IN packets Number of processed packets in Firewall QoS inbound queue.

Dequeued OUT packets Number of processed packets in Firewall QoS outbound queue.

Enqueued IN bytes Number of waiting bytes in Firewall QoS inbound queue.

Enqueued OUT bytes Number of waiting bytes in Firewall QoS outbound queue.

Dequeued IN bytes Number of processed bytes in Firewall QoS inbound queue.

Dequeued OUT bytes Number of processed bytes in Firewall QoS outbound queue.

The Accelerated QoS Path section

Counter Description

Enqueued IN packets Number of waiting packets in SecureXL QoS inbound queue.

Enqueued OUT packets Number of waiting packets in SecureXL QoS outbound queue.

Dequeued IN packets Number of processed packets in SecureXL QoS inbound queue.

Dequeued OUT packets Number of processed packets in SecureXL QoS outbound queue.

Enqueued IN bytes Number of waiting bytes in SecureXL QoS inbound queue.

Enqueued OUT bytes Number of waiting bytes in SecureXL QoS outbound queue.

Dequeued IN bytes Number of processed bytes in SecureXL QoS inbound queue.

Dequeued OUT bytes Number of processed bytes in SecureXL QoS outbound queue.


The Firewall Path section

Counter               Description
F2F packets           Number of packets that SecureXL forwarded to the Firewall kernel (Slow Path).
F2F bytes             Number of bytes that SecureXL forwarded to the Firewall kernel (Slow Path).
TCP violations        Number of packets that violate the TCP state.
C anticipated conns   Number of anticipated connections SecureXL currently handles.
port alloc f2f        Not in use
F2V conn match pkts   Number of packets that matched a SecureXL connection and that SecureXL forwarded to the Firewall kernel.
F2V packets           Number of packets that SecureXL forwarded to the Firewall kernel and the Firewall re-injected back to SecureXL.
F2V bytes             Number of bytes that SecureXL forwarded to the Firewall kernel and the Firewall re-injected back to SecureXL.

The GTP section

Counter               Description
gtp tunnels created   Number of created GTP tunnels.
gtp tunnels           Number of GTP tunnels the SecureXL currently handles.
gtp accel pkts        Number of accelerated GTP packets.
gtp f2f pkts          Number of GTP packets the SecureXL forwarded to the Firewall kernel.
gtp spoofed pkts      Number of spoofed GTP packets.
gtp in gtp pkts       Number of GTP-in-GTP packets.
gtp signaling pkts    Number of signaling GTP packets.
gtp tcpopt pkts       Number of GTP packets with TCP Options.
gtp apn err pkts      Number of GTP packets with APN errors.


The General section

Counter                      Description
memory used                  Not in use
free memory                  Not in use
C used templates             Not in use
pxl tmpl conns               Not in use
C conns from tmpl            Not in use (legacy meaning: number of current connections that SecureXL created from SecureXL Templates).
C tcp handshake conns        Number of current TCP connections that are not yet established.
C tcp established conns      Number of established TCP connections the SecureXL currently handles.
C tcp closed conns           Number of closed TCP connections the SecureXL currently handles.
C tcp pxl handshake conns    Number of not yet established PXL TCP connections the SecureXL currently handles.
C tcp pxl established conns  Number of established PXL TCP connections the SecureXL currently handles.
C tcp pxl closed conns       Number of closed PXL TCP connections the SecureXL currently handles.
outbound pxl packets         Not in use


Example Outputs on the "fwaccel stats" Commands


Example: fwaccel stats -s

Example of statistics summary:

Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts   : 0/8 (0%)
F2Fed pkts/Total pkts         : 8/8 (100%)
F2V pkts/Total pkts           : 0/8 (0%)
CPASXL pkts/Total pkts        : 0/8 (0%)
PSLXL pkts/Total pkts         : 0/8 (0%)
QOS inbound pkts/Total pkts   : 0/8 (0%)
QOS outbound pkts/Total pkts  : 0/8 (0%)
Corrected pkts/Total pkts     : 0/8 (0%)
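A health check built on the two outputs shown so far, as an added example (not Check Point code): it parses the output of fwaccel stat (the table and the "Accept/Drop/NAT Templates" lines of Examples 1 to 3 in that section) and the summary above, and reports when SecureXL is not enabled, when a layer turns template offloads off from a given rule, and when the share of packets that took the slow path (F2F) is above a threshold. The embedded samples are constructed to match the layout printed in this guide, the regular expressions are written against that layout only, the 50% threshold is an assumption to be tuned to the gateway's own baseline, and the code targets Python 3.

```python
import re

# Constructed samples in the layout of this guide's "fwaccel stat" (Example 1 of that
# command) and "fwaccel stats -s" outputs; they were not captured from a live gateway.
STAT_OUTPUT = """\
+--------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                     |
+--------------------------------------------------------------------------------+
|0 |SND      |enabled    |eth0,eth1,eth2,eth3,eth4,|                             |
|  |         |           |eth5,eth6                |Acceleration,Cryptography    |
+--------------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
        Layer MyGW_Policy Network disables template offloads from rule #1
        Throughput acceleration still enabled.
Drop Templates   : disabled
NAT Templates    : disabled by Firewall
        Layer MyGW_Policy Network disables template offloads from rule #1
        Throughput acceleration still enabled.
"""

STATS_SUMMARY = """\
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts   : 0/8 (0%)
F2Fed pkts/Total pkts         : 8/8 (100%)
F2V pkts/Total pkts           : 0/8 (0%)
CPASXL pkts/Total pkts        : 0/8 (0%)
PSLXL pkts/Total pkts         : 0/8 (0%)
QOS inbound pkts/Total pkts   : 0/8 (0%)
QOS outbound pkts/Total pkts  : 0/8 (0%)
Corrected pkts/Total pkts     : 0/8 (0%)
"""

DEVICE_ROW = re.compile(r"\|(\d+)\s*\|[^|]*\|\s*(\w+)\s*\|")        # |Id|Name|Status|
TEMPLATE_ROW = re.compile(r"(Accept|Drop|NAT) Templates\s*:\s*(.+)")
DISABLING_RULE = re.compile(r"from rule #(\d+)")
SUMMARY_ROW = re.compile(r"\s*(.+?)/Total \w+\s*:\s*(\d+)/(\d+)")


def parse_stat(text):
    """Return {'status': 'enabled'|'disabled'|None,
               'templates': {'Accept': (state, rule), 'Drop': ..., 'NAT': ...}}
    where rule is the number of the first rule that turns the templates off, or None."""
    status, templates, current = None, {}, None
    for line in text.splitlines():
        m = DEVICE_ROW.match(line)
        if m and status is None:               # first SecureXL device row
            status = m.group(2)
            continue
        m = TEMPLATE_ROW.match(line)
        if m:                                  # 'Accept Templates : disabled by Firewall'
            current = m.group(1)
            templates[current] = [m.group(2).strip(), None]
            continue
        m = DISABLING_RULE.search(line)
        if m and current:                      # indented 'Layer ... from rule #N' line
            templates[current][1] = int(m.group(1))
    return {"status": status, "templates": {k: tuple(v) for k, v in templates.items()}}


def parse_stats_summary(text):
    """Return {'F2Fed pkts': (8, 8), ...} from 'fwaccel stats -s' output."""
    return {m.group(1).strip(): (int(m.group(2)), int(m.group(3)))
            for m in map(SUMMARY_ROW.match, text.splitlines()) if m}


def health_findings(stat, summary, f2f_max_ratio=0.5):
    """Findings worth alerting on. The 50% slow-path threshold is an assumption;
    tune it to the gateway's normal F2F share measured over a quiet period."""
    findings = []
    if stat["status"] != "enabled":
        findings.append(f"SecureXL status is {stat['status']!r}")
    for name, (state, rule) in stat["templates"].items():
        if rule is not None:
            findings.append(f"{name} Templates are off from rule #{rule} ({state})")
    f2f, total = summary.get("F2Fed pkts", (0, 0))
    if total and f2f / total > f2f_max_ratio:
        findings.append(f"{f2f}/{total} packets ({100 * f2f // total}%) took the slow path (F2F)")
    return findings


if __name__ == "__main__":
    # On a gateway, replace the samples with subprocess.check_output(["fwaccel", "stat"], text=True)
    # and subprocess.check_output(["fwaccel", "stats", "-s"], text=True), run from Expert mode.
    for finding in health_findings(parse_stat(STAT_OUTPUT), parse_stats_summary(STATS_SUMMARY)):
        print("WARNING:", finding)
```

On the sample this reports the two template lists that are off from rule #1 and the 100% slow-path share; the Drop Templates line, which is "disabled" without a rule reference, is parsed but produces no finding, because only a rule-driven switch-off points at something in the Rule Base that can be changed.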

Example: fwaccel stats

Example of the default output:


Name                         Value        Name                         Value
---------------------------- ------------ ---------------------------- ------------

Accelerated Path
--------------------------------------------------------------------------------------
accel packets                0            accel bytes                  0
outbound packets             0            outbound bytes               0
conns created                0            conns deleted                0
C total conns                0            C TCP conns                  0
C non TCP conns              0            nat conns                    0
dropped packets              0            dropped bytes                0
fragments received           0            fragments transmit           0
fragments dropped            0            fragments expired            0
IP options stripped          0            IP options restored          0
IP options dropped           0            corrs created                0
corrs deleted                0            C corrections                0
corrected packets            0            corrected bytes              0

Accelerated VPN Path
--------------------------------------------------------------------------------------
C crypt conns                0            enc bytes                    0
dec bytes                    0            ESP enc pkts                 0
ESP enc err                  0            ESP dec pkts                 0
ESP dec err                  0            ESP other err                0
espudp enc pkts              0            espudp enc err               0
espudp dec pkts              0            espudp dec err               0
espudp other err             0

Medium Streaming Path
--------------------------------------------------------------------------------------
CPASXL packets               0            PSLXL packets                0
CPASXL async packets         0            PSLXL async packets          0
CPASXL bytes                 0            PSLXL bytes                  0
C CPASXL conns               0            C PSLXL conns                0
CPASXL conns created         0            PSLXL conns created          0
PXL FF conns                 0            PXL FF packets               0
PXL FF bytes                 0            PXL FF acks                  0
PXL no conn drops            0

Inline Streaming Path
--------------------------------------------------------------------------------------
PSL Inline packets           0            PSL Inline bytes             0
CPAS Inline packets          0            CPAS Inline bytes            0

QoS Paths
--------------------------------------------------------------------------------------
QoS General Information:
------------------------
Total QoS Conns              0            QoS Classify Conns           0
QoS Classify flow            0            Reclassify QoS policy        0

FireWall QoS Path:
------------------
Enqueued IN packets          0            Enqueued OUT packets         0
Dequeued IN packets          0            Dequeued OUT packets         0
Enqueued IN bytes            0            Enqueued OUT bytes           0
Dequeued IN bytes            0            Dequeued OUT bytes           0

Accelerated QoS Path:
---------------------
Enqueued IN packets          0            Enqueued OUT packets         0
Dequeued IN packets          0            Dequeued OUT packets         0
Enqueued IN bytes            0            Enqueued OUT bytes           0
Dequeued IN bytes            0            Dequeued OUT bytes           0

Firewall Path
--------------------------------------------------------------------------------------
F2F packets                  35324        F2F bytes                    1797781
TCP violations               0            F2V conn match pkts          0
F2V packets                  0            F2V bytes                    0

GTP
--------------------------------------------------------------------------------------
gtp tunnels created          0            gtp tunnels                  0
gtp accel pkts               0            gtp f2f pkts                 0
gtp spoofed pkts             0            gtp in gtp pkts              0
gtp signaling pkts           0            gtp tcpopt pkts              0
gtp apn err pkts             0

General
--------------------------------------------------------------------------------------
memory used                  38798784     C tcp handshake conns        0
C tcp established conns      0            C tcp closed conns           0
C tcp pxl handshake conns    0            C tcp pxl established conns  0
C tcp pxl closed conns       0            outbound cpasxl packets      0
outbound pslxl packets       0            outbound cpasxl bytes        0
outbound pslxl bytes         0            DNS DoR stats                0

(*) Statistics marked with C refer to current value, others refer to total value


Example: fwaccel stats -c

Example of statistics for Cluster Correction:

Cluster Correction stats:

Name                    Value        Name                    Value
----------------------- ------------ ----------------------- ------------
Sent pkts (total)       0            Sent with metadata      0
Received pkts (total)   0            Received with metadata  0
Sent bytes              0            Received bytes          0
Send errors             0            Receive errors          0

Example: fwaccel stats -d

Example of statistics for drops from device:

Reason               Value           Reason               Value
-------------------- --------------- -------------------- ---------------
general reason       0               CPASXL decision      0
PSLXL decision       0               clr pkt on vpn       0
encrypt failed       0               drop template        0
decrypt failed       0               interface down       0
cluster error        0               XMT error            0
anti spoofing        0               local spoofing       0
sanity error         0               monitored spoofed    0
QOS decision         0               C2S violation        0
S2C violation        0               Loop prevention      0
DOS Fragments        0               DOS IP Options       0
DOS Blacklists       0               DOS Penalty Box      0
DOS Rate Limiting    0               Syn Attack           0
Reorder              0               Expired Fragments    0
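The drop-reason table is the part of fwaccel stats that matters most in an incident: anti spoofing, DOS Penalty Box, Syn Attack and the C2S/S2C violation counters rise when hostile or misrouted traffic hits the gateway, and since every counter is a running total until fwaccel stats -r, the useful signal is the difference between two samples. The Python 3 code below, an added example rather than Check Point code, parses any of the two-pairs-per-row tables printed by fwaccel stats (the -d table above, and the sectioned default output, where the two QoS paths reuse the same counter names and therefore have to be keyed by section) and diffs two samples for the security-relevant reasons. Both embedded samples are constructed; their non-zero values are invented so that the checks have something to report, and the list of "security-relevant" reasons is this example's own choice.

```python
import re

# Constructed sample in the layout of "fwaccel stats -d" (two name/value pairs per row);
# the non-zero values are invented so the checks below have something to report.
DROP_STATS = """\
Reason               Value           Reason               Value
-------------------- --------------- -------------------- ---------------
general reason       0               CPASXL decision      0
PSLXL decision       0               clr pkt on vpn       0
encrypt failed       0               drop template        12
decrypt failed       3               interface down       0
cluster error        0               XMT error            0
anti spoofing        47              local spoofing       0
sanity error         0               monitored spoofed    0
QOS decision         0               C2S violation        0
S2C violation        0               Loop prevention      0
DOS Fragments        0               DOS IP Options       0
DOS Blacklists       0               DOS Penalty Box      5
DOS Rate Limiting    0               Syn Attack           0
Reorder              0               Expired Fragments    0
"""

# Constructed excerpt of the default "fwaccel stats" output: the two QoS paths
# reuse the same counter names, so the section has to be part of the key.
STATS_EXCERPT = """\
FireWall QoS Path:
------------------
Enqueued IN packets          0            Enqueued OUT packets         0
Accelerated QoS Path:
---------------------
Enqueued IN packets          9            Enqueued OUT packets         2
Firewall Path
--------------------------------------------------------------------------------------
F2F packets                  35324        F2F bytes                    1797781
"""

PAIR = re.compile(r"(\S(?:.*?\S)?)\s+(\d+)")   # 'anti spoofing        47'


def parse_counters(text, section="main"):
    """Parse any two-column SecureXL counter table into {section: {name: value}}.
    A row carries one or two (name, value) pairs; header, underline and footnote
    rows are skipped; a row without a value names the section for the rows after it."""
    sections = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("-", "(*)")) or line.endswith("Value"):
            continue
        pairs = PAIR.findall(line)
        if not pairs:
            section = line.rstrip(":")
            continue
        for name, value in pairs:
            sections.setdefault(section, {})[name] = int(value)
    return sections


# Drop reasons that point at hostile or misrouted traffic rather than at housekeeping
# (this selection is the example's own, not a list from the guide).
SECURITY_DROPS = (
    "anti spoofing", "local spoofing", "monitored spoofed", "drop template",
    "C2S violation", "S2C violation", "DOS Fragments", "DOS IP Options",
    "DOS Blacklists", "DOS Penalty Box", "DOS Rate Limiting", "Syn Attack",
)


def security_drop_delta(before, after):
    """Counters only grow between resets, so diff two samples taken some minutes apart
    and report the security-relevant reasons that increased. A counter that went down
    was reset in between (for example by 'fwaccel stats -r'); its current value is
    reported in that case."""
    delta = {}
    for name in SECURITY_DROPS:
        diff = after.get(name, 0) - before.get(name, 0)
        if diff < 0:
            diff = after.get(name, 0)
        if diff > 0:
            delta[name] = diff
    return delta


if __name__ == "__main__":
    now = parse_counters(DROP_STATS)["main"]
    baseline = {name: 0 for name in now}      # e.g. a sample taken right after 'fwaccel stats -r'
    print(security_drop_delta(baseline, now))  # {'anti spoofing': 47, 'drop template': 12, 'DOS Penalty Box': 5}
```

For a live gateway, capture fwaccel stats -d once, sleep, capture it again and feed the "main" sections of both to security_drop_delta; a persistent anti spoofing increase is worth correlating with the interface's ranges from fwaccel ranges (VSX Examples 5 to 7 of that command show them per interface), since either an attacker or a routing change can produce it.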


Example: fwaccel stats -l

Example of the output in legacy mode (as one table):


Name                         Value        Name                         Value
---------------------------- ------------ ---------------------------- ------------
-                            0            accel packets                0
accel bytes                  0            outbound packets             0
outbound bytes               0            conns created                0
conns deleted                0            C total conns                0
C TCP conns                  0            C non TCP conns              0
nat conns                    0            dropped packets              0
dropped bytes                0            fragments received           0
fragments transmit           0            fragments dropped            0
fragments expired            0            IP options stripped          0
IP options restored          0            IP options dropped           0
corrs created                0            corrs deleted                0
C corrections                0            corrected packets            0
corrected bytes              0            C crypt conns                0
enc bytes                    0            dec bytes                    0
ESP enc pkts                 0            ESP enc err                  0
ESP dec pkts                 0            ESP dec err                  0
ESP other err                0            espudp enc pkts              0
espudp enc err               0            espudp dec pkts              0
espudp dec err               0            espudp other err             0
acct update interval         3600         CPASXL packets               0
PSLXL packets                0            CPASXL async packets         0
PSLXL async packets          0            CPASXL bytes                 0
PSLXL bytes                  0            C CPASXL conns               0
C PSLXL conns                0            CPASXL conns created         0
PSLXL conns created          0            PXL FF conns                 0
PXL FF packets               0            PXL FF bytes                 0
PXL FF acks                  0            PXL no conn drops            0
PSL Inline packets           0            PSL Inline bytes             0
CPAS Inline packets          0            CPAS Inline bytes            0
Total QoS Conns              0            QoS Classify Conns           0
QoS Classify flow            0            Reclassify QoS policy        0
Enqueued IN packets          0            Enqueued OUT packets         0
Dequeued IN packets          0            Dequeued OUT packets         0
Enqueued IN bytes            0            Enqueued OUT bytes           0
Dequeued IN bytes            0            Dequeued OUT bytes           0
Enqueued IN packets          0            Enqueued OUT packets         0
Dequeued IN packets          0            Dequeued OUT packets         0
Enqueued IN bytes            0            Enqueued OUT bytes           0
Dequeued IN bytes            0            Dequeued OUT bytes           0
F2F packets                  35383        F2F bytes                    1801493
TCP violations               0            F2V conn match pkts          0
F2V packets                  0            F2V bytes                    0
gtp tunnels created          0            gtp tunnels                  0
gtp accel pkts               0            gtp f2f pkts                 0
gtp spoofed pkts             0            gtp in gtp pkts              0
gtp signaling pkts           0            gtp tcpopt pkts              0
gtp apn err pkts             0            memory used                  38798784
C tcp handshake conns        0            C tcp established conns      0
C tcp closed conns           0            C tcp pxl handshake conns    0
C tcp pxl established conns  0            C tcp pxl closed conns       0
outbound cpasxl packets      0            outbound pslxl packets       0
outbound cpasxl bytes        0            outbound pslxl bytes         0
DNS DoR stats                0
(*) Statistics marked with C refer to current value, others refer to total value

Example: fwaccel stats -m

Example of statistics for multicast traffic:

Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
in packets           0               out packets          0
if restricted        0               conns with down if   0
f2f packets          0               f2f bytes            0
dropped packets      0               dropped bytes        0
accel packets        0               accel bytes          0
mcast conns          0

Example: fwaccel stats -n

Example of statistics for Identity Awareness (NAC):

Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
NAC packets          0               NAC bytes            0
NAC connections      0               complience failure   0

Example: fwaccel stats -o

Example of statistics for Reorder Infrastructure:

Appliaction: F2V
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: Route
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: New connection
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: F2P
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Example: fwaccel stats -p

Example of statistics for SecureXL violations (F2F packets):

F2F packets:
--------------
Violation            Packets         Violation            Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options   0               ICMP miss conn       3036
TCP-SYN miss conn    8               TCP-other miss conn  32224
UDP miss conn        3772            other miss conn      0
VPN returned F2F     0               uni-directional viol 0
possible spoof viol  0               TCP state viol       0
out if not def/accl  0               bridge, src=dst      0
routing decision err 0               sanity checks failed 0
fwd to non-pivot     0               broadcast/multicast  0
cluster message      0               cluster forward      0
chain forwarding     0               F2V conn match pkts  0
general reason       0               route changes        0

Example: fwaccel stats -q

Example of statistics for notifications the SecureXL sent to the Firewall:

Notification          Packets        Notification          Packets
--------------------- -------------- --------------------- --------------
ntSAAboutToExpire     0              ntSAExpired           0
ntMSPIError           0              ntNoInboundSA         0
ntNoOutboundSA        0              ntDataIntegrityFailed 0
ntPossibleReplay      0              ntReplay              0
ntNextProtocolError   0              ntCPIError            0
ntClearTextPacket     0              ntFragmentation       0
ntUpdateUdpEncTable   0              ntSASync              0
ntReplayOutOfWindow   0              ntVPNTrafficReport    0
ntConnDeleted         0              ntConnUpdate          0
ntPacketDropped       0              ntSendLog             0
ntRefreshGTPTunnel    0              ntMcastDrop           0
ntAccounting          0              ntAsyncIndex          0
ntACkReordering       0              ntAccelAckInfo        0
ntMonitorPacket       0              ntPacketCapture       0
ntCpasPacketCapture   0              ntPSLGlueUpdateReject 0
ntSeqVerifyDrop       0              ntPacketForwardBefore 0
ntICMPMessage         0              ntQoSReclassifyPacket 0
ntQoSResumePacket     0              ntVPNEncHaLinkFailure 0
ntVPNEncLsLinkFailure 0              ntVPNEncRouteChange   0
ntVPNDecVerRouteChang 0              ntVPNDecRouteChange   0
ntMuxSimToFw          0              ntPSLEventLog         0
ntSendCPHWDStats      14871          ntPacketTaggingViolat 0
ntDosNotify           28             ntSynatkNotify        0
ntSynatkStats         0              ntQoSEventLog         0
ntPrintGetParam       0

Example: fwaccel stats -x

Example of statistics for PXL:

PXL Release Context statistics:

Name                    Value        Name                    Value
----------------------- ------------ ----------------------- ------------
End Handler             0            Post Sync               0
Stop Stream             0            kbuf fail               0
Set field failure       0            Notif set field fail    0
Non SYN seq fail        0            Tmpl kbuf fail          0
Tmpl set field fail     0            Segment Injection       0
Init app fail           0            Expiration              0
Newconn set field fail  0            Newconn fail            0
CPHWD dec               0            No PSL policy           0

PXL Exception statistics:

Name                    Value        Name                    Value
----------------------- ------------ ----------------------- ------------
urgent packets          0            invalid SYN retrans     0
SYN seq not init        0            old pkts out win        0
old pkts out win trunc  0            old pkts out win strip  0
new pkts out win        0            incorrect retrans       0
TCP pkts with bad csum  0            ACK unprocessed data    0
old ACK out win         0            Max segments reached    0
No resources            0            Hold timeout            0
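The counter tables above (-d, -l, -m, -n, -p, -q and -x) all share the same two-column "name value" layout, and the first question an operator asks of them is which counters are not zero. The following is an added example, not Check Point code, that parses such a table and lists the non-zero counters; its sample input is constructed from the `fwaccel stats -p` output shown above (cut short), and the function names are my own.

```python
"""Parse the two-column counter tables that `fwaccel stats` prints and list
the counters that are not zero.  Added example, not Check Point code."""
from typing import Dict, List, Tuple

# Constructed sample: the `fwaccel stats -p` table shown above, cut short.
SAMPLE_F2F = """\
F2F packets:
--------------
Violation            Packets         Violation            Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options   0               ICMP miss conn       3036
TCP-SYN miss conn    8               TCP-other miss conn  32224
UDP miss conn        3772            other miss conn      0
VPN returned F2F     0               uni-directional viol 0
possible spoof viol  0               TCP state viol       0
"""

# First word of the column-header line in each of the fwaccel stats tables.
HEADER_WORDS = ("Name", "Reason", "Violation", "Notification", "Statistic")


def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every '<name> <integer>' cell in the text.

    Cells are recovered by scanning tokens and closing a cell at each all-digit
    token, so the function does not care how many spaces separate the columns
    and works for the -d, -l, -m, -n, -p, -q and -x tables alike.  Counter names
    in these tables never consist of a bare integer, which is what makes this safe.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= {"-", " "}:
            continue                      # blank line or dashed rule
        tokens = stripped.split()
        if stripped.endswith(":") or tokens[0] in HEADER_WORDS:
            continue                      # table title or column header
        words: List[str] = []
        for tok in tokens:
            if tok.isdigit() and words:
                counters[" ".join(words)] = int(tok)
                words = []
            else:
                words.append(tok)
        # Trailing words without a value (e.g. the "(*)" footnote of -l) are not counters.
    return counters


def nonzero(counters: Dict[str, int]) -> List[Tuple[str, int]]:
    """Counters that actually fired, largest first: the ones worth explaining."""
    return sorted(((k, v) for k, v in counters.items() if v),
                  key=lambda kv: (-kv[1], kv[0]))


def total(counters: Dict[str, int]) -> int:
    """Sum of all counters in the table (for -p: all F2F packets)."""
    return sum(counters.values())


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_F2F)
    for name, value in nonzero(parsed):
        print(f"{name:<24}{value:>8}  ({value / total(parsed):.1%} of F2F packets)")
```

On the sample, "TCP-other miss conn" dominates: packets whose connection SecureXL no longer holds, which is the usual signature of long-lived flows after a policy install or a connection-table churn, rather than of an attack. Run the same parser over `fwaccel stats -d` to see why packets were dropped in the acceleration path.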

fwaccel synatk
Description
The fwaccel synatk and fwaccel6 synatk commands control the Accelerated SYN Defender on the local
Security Gateway, or Cluster Member.

Important - See sk120476 for information about the 'SYN Attack' protection in SmartConsole.

Syntax for IPv4

fwaccel synatk
      -a
      -c <options>
      -d
      -e
      -g
      -m
      -t <options>
      config
      monitor <options>
      state <options>
      whitelist <options>

Syntax for IPv6

fwaccel6 synatk
      -a
      -c <options>
      -d
      -e
      -g
      -m
      -t <options>
      config
      monitor <options>
      state <options>
      whitelist <options>

Parameters

Parameter             Description

No Parameters         Shows the applicable built-in usage.

-a                    Applies the configuration from the default file.
                      See "fwaccel synatk -a" on page 1330.

-c <options>          Applies the configuration from the specified file.
                      See "fwaccel synatk -c <Configuration File>" on page 1331.

-d                    Disables the Accelerated SYN Defender on all interfaces.
                      See "fwaccel synatk -d" on page 1332.

-e                    Enables the Accelerated SYN Defender on interfaces with topology "External".
                      Enables the Accelerated SYN Defender in Monitor (Detect only) mode on
                      interfaces with topology "Internal".
                      See "fwaccel synatk -e" on page 1333.

-g                    Enables the Accelerated SYN Defender on all interfaces.
                      See "fwaccel synatk -g" on page 1334.

-m                    Enables the Accelerated SYN Defender in Monitor (Detect only) mode on all
                      interfaces.
                      In this state, the Accelerated SYN Defender only sends a log when it
                      recognizes a TCP SYN Flood attack.
                      See "fwaccel synatk -m" on page 1335.

-t <options>          Configures the threshold numbers of half-opened TCP connections that
                      trigger the Accelerated SYN Defender.
                      See "fwaccel synatk -t <Threshold>" on page 1336.

config                Shows the current Accelerated SYN Defender configuration.
                      See "fwaccel synatk config" on page 1337.

monitor <options>     Shows the Accelerated SYN Defender status.
                      See "fwaccel synatk monitor" on page 1340.

state <options>       Controls the Accelerated SYN Defender states.
                      See "fwaccel synatk state" on page 1345.

whitelist <options>   Controls the Accelerated SYN Defender whitelist.
                      See "fwaccel synatk whitelist" on page 1347.

fwaccel synatk -a

Description
The fwaccel synatk -a and fwaccel6 synatk -a commands apply the Accelerated SYN Defender
configuration from the default $FWDIR/conf/synatk.conf file.

Notes:
- Both IPv4 and IPv6 use the same configuration file.
- Interface-specific state settings that you define in the configuration file override
  the settings that you define with these commands:
  - "fwaccel synatk -d" on page 1332
  - "fwaccel synatk -e" on page 1333
  - "fwaccel synatk -g" on page 1334
  - "fwaccel synatk -m" on page 1335

Syntax for IPv4

fwaccel synatk -a

Syntax for IPv6

fwaccel6 synatk -a

fwaccel synatk -c <Configuration File>

Description
The fwaccel synatk -c <Configuration File> and fwaccel6 synatk -c <Configuration File> commands apply
the Accelerated SYN Defender configuration from the specified file.

Important - If you use this parameter, then it must be the first parameter in the syntax.

Notes:
- Both IPv4 and IPv6 use the same configuration file.
- Interface-specific state settings that you define in the configuration file override
  the settings that you define with these commands:
  - "fwaccel synatk -d" on page 1332
  - "fwaccel synatk -e" on page 1333
  - "fwaccel synatk -g" on page 1334
  - "fwaccel synatk -m" on page 1335

Syntax for IPv4

fwaccel synatk -c <Configuration File>

Syntax for IPv6

fwaccel6 synatk -c <Configuration File>

Parameters

Parameter              Description

<Configuration File>   Specifies the full path and the name of the file.
                       For reference, see the default file: $FWDIR/conf/synatk.conf

fwaccel synatk -d

Description
The fwaccel synatk -d and fwaccel6 synatk -d commands disable the Accelerated SYN Defender on all
interfaces.

Notes:
- This command:
  1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
     the configuration file specified with the -c parameter.
  2. Loads the modified file.
- Output of the "fwaccel synatk monitor" on page 1340 command shows:
  - Configuration: Disabled
  - Enforce: Disable
  - State: Disable
- Output of the "fwaccel synatk config" on page 1337 command shows:
  - enabled 0
  - enforce 0

Syntax for IPv4

fwaccel synatk -d

Syntax for IPv6

fwaccel6 synatk -d

fwaccel synatk -e

Description
The fwaccel synatk -e and fwaccel6 synatk -e commands:
- Enable the Accelerated SYN Defender on interfaces with topology "External".
- Enable the Accelerated SYN Defender in Monitor (Detect only) mode on interfaces with topology
  "Internal".

Notes:
- This command:
  1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
     the configuration file specified with the -c parameter.
  2. Loads the modified file.
- Output of the "fwaccel synatk monitor" on page 1340 command shows for
  "External" interfaces:
  - Configuration: Enforcing
  - Enforce: Prevent
  - State: Ready (may change later depending on what the SYN Defender detects)
- Output of the "fwaccel synatk monitor" on page 1340 command shows for
  "Internal" interfaces:
  - Configuration: Enforcing
  - Enforce: Detect
  - State: Monitor
- Output of the "fwaccel synatk config" on page 1337 command shows:
  - enabled 1
  - enforce 1

Syntax for IPv4

fwaccel synatk -e

Syntax for IPv6

fwaccel6 synatk -e

fwaccel synatk -g

Description
The fwaccel synatk -g and fwaccel6 synatk -g commands enable the Accelerated SYN Defender on all
interfaces.

Notes:
- This command:
  1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
     the configuration file specified with the -c parameter.
  2. Loads the modified file.
- Output of the "fwaccel synatk monitor" on page 1340 command shows for
  "External" interfaces:
  - Configuration: Enforcing
  - Enforce: Prevent
  - State: Ready (may change later depending on what the SYN Defender detects)
- Output of the "fwaccel synatk monitor" on page 1340 command shows for
  "Internal" interfaces:
  - Configuration: Enforcing
  - Enforce: Detect
  - State: Monitor
- Output of the "fwaccel synatk config" on page 1337 command shows:
  - enabled 1
  - enforce 2

Syntax for IPv4

fwaccel synatk -g

Syntax for IPv6

fwaccel6 synatk -g

fwaccel synatk -m

Description
The fwaccel synatk -m and fwaccel6 synatk -m commands enable the Accelerated SYN Defender in
Monitor (Detect only) mode on all interfaces.
In this state, the Accelerated SYN Defender only sends a log when it recognizes a TCP SYN Flood attack.

Notes:
- This command:
  1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
     the configuration file specified with the -c parameter.
  2. Loads the modified file.
- Output of the "fwaccel synatk monitor" on page 1340 command shows:
  - Configuration: Monitoring
  - Enforce: Detect
  - State: Monitor
- Output of the "fwaccel synatk config" on page 1337 command shows:
  - enabled 1
  - enforce 0

Syntax for IPv4

fwaccel synatk -m

Syntax for IPv6

fwaccel6 synatk -m

fwaccel synatk -t <Threshold>

Description
The fwaccel synatk -t <Threshold> and fwaccel6 synatk -t <Threshold> commands configure the
threshold numbers of half-opened TCP connections that trigger the Accelerated SYN Defender.

Notes:
- This command:
  1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
     the configuration file specified with the -c parameter.
  2. Loads the modified file.
- Threshold values are independent for IPv4 and IPv6.

Syntax for IPv4

fwaccel synatk -t <Threshold>

Syntax for IPv6

fwaccel6 synatk -t <Threshold>

Thresholds
- The Global high attack threshold number is configured to the specified value <Threshold>.
  This is the number of half-open TCP connections on all interfaces required for the Accelerated SYN
  Defender to engage.
  - Valid values: 100 and greater
  - Default: 10000
- The High attack threshold number is configured to 1/2 of the specified value <Threshold>.
  This is the high number of half-open TCP connections on an interface required for the Accelerated
  SYN Defender to engage.
  - Valid values: (Low attack threshold) < (High attack threshold) <= (Global high attack threshold)
  - Default: 5000
- The Low attack threshold number is configured to 1/10 of the specified value <Threshold>.
  This is the low number of half-open TCP connections on an interface required for the Accelerated
  SYN Defender to engage.
  - Valid values: 10 and greater
  - Default: 1000

fwaccel synatk config

Description
The fwaccel synatk config and fwaccel6 synatk config commands show the current Accelerated SYN
Defender configuration.

Syntax for IPv4

fwaccel synatk config

Syntax for IPv6

fwaccel6 synatk config

Example

[Expert@MyGW:0]# fwaccel synatk config
enabled 0
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000
[Expert@MyGW:0]#

Description of Configuration Parameters

Parameter                     Description

enabled                       Shows if the Accelerated SYN Defender is enabled or disabled.
                              - Valid values: 0 (disabled), 1 (enabled)
                              - Default: 0

enforce                       When the Accelerated SYN Defender is enabled, shows how it enforces the
                              protection.
                              Valid values:
                              - 0 - The Accelerated SYN Defender is in Monitor (Detect only) mode on all
                                interfaces.
                              - 1 - The Accelerated SYN Defender is engaged only on external interfaces
                                when the number of half-open TCP connections exceeds the threshold.
                              - 2 - The Accelerated SYN Defender is engaged on both external and internal
                                interfaces when the number of half-open TCP connections exceeds the
                                threshold.

global_high_threshold         Global high attack threshold number.
                              See the "fwaccel synatk -t <Threshold>" on page 1336 command.

periodic_updates              For internal Check Point use only.
                              - Valid values: 0 (disabled), 1 (enabled)
                              - Default: 1

cookie_resolution_shift       For internal Check Point use only.
                              - Valid values: 1-7
                              - Default: 6

min_frag_sz                   During the TCP SYN Flood attack, the Accelerated SYN Defender prevents TCP
                              fragments smaller than this minimal size value.
                              - Valid values: 80 and greater
                              - Default: 80

high_threshold                High attack threshold number.
                              See the "fwaccel synatk -t <Threshold>" on page 1336 command.

low_threshold                 Low attack threshold number.
                              See the "fwaccel synatk -t <Threshold>" on page 1336 command.

score_alpha                   For internal Check Point use only.
                              - Valid values: 1-127
                              - Default: 100

monitor_log_interval (msec)   Interval, in milliseconds, between successive warning logs in the Monitor
                              (Detect only) mode.
                              - Valid values: 1000 and greater
                              - Default: 60000

grace_timeout (msec)          Maximal time, in milliseconds, to stay in the Grace state (which is a
                              transitional state between Ready and Active).
                              In the Grace state, the Accelerated SYN Defender stops challenging Clients
                              for TCP SYN Cookie, but continues to validate TCP SYN Cookies it receives
                              from Clients.
                              - Valid values: 10000 and greater
                              - Default: 30000

min_time_in_active (msec)     Minimal time, in milliseconds, to stay in the Active mode.
                              In the Active mode, the Accelerated SYN Defender is actively challenging TCP
                              SYN packets with SYN Cookies.
                              - Valid values: 10000 and greater
                              - Default: 60000
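The parameter table above and the "fwaccel synatk -t <Threshold>" section state the valid range of every setting, the meaning of the enabled/enforce pair, and the 1, 1/2, 1/10 rule by which -t derives the three thresholds. The following is an added example, not Check Point code, that reads `fwaccel synatk config` output and checks it against exactly those stated rules; the sample input is the config output shown on this page, the function names and the RANGES table are my own, and integer division for odd <Threshold> values is my assumption (the guide only gives the ratios).

```python
"""Read `fwaccel synatk config` output, say which mode it describes, and check the
thresholds and ranges against the rules in this guide.  Added example, not Check
Point code; `thresholds_for` applies the 1, 1/2, 1/10 rule of `fwaccel synatk -t`."""
from typing import Dict, List, Tuple

# Constructed sample: the `fwaccel synatk config` output shown above.
SAMPLE_CONFIG = """\
[Expert@MyGW:0]# fwaccel synatk config
enabled 0
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000
[Expert@MyGW:0]#
"""

# Valid ranges from the parameter table: (minimum, maximum or None).
RANGES = {
    "global_high_threshold": (100, None),
    "high_threshold": (None, None),        # ordering checked separately below
    "low_threshold": (10, None),
    "cookie_resolution_shift": (1, 7),
    "min_frag_sz": (80, None),
    "score_alpha": (1, 127),
    "monitor_log_interval": (1000, None),
    "grace_timeout": (10000, None),
    "min_time_in_active": (10000, None),
}

# Meaning of the enforce value when enabled is 1 (from the table above).
ENFORCE_MODES = {
    0: "Monitor (Detect only) on all interfaces",
    1: "engaged on external interfaces only",
    2: "engaged on external and internal interfaces",
}


def parse_config(text: str) -> Dict[str, int]:
    """'key [(msec)] value' lines -> {key: int}; prompt lines and anything
    without a trailing integer are skipped."""
    cfg: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].isdigit():
            cfg[parts[0]] = int(parts[-1])
    return cfg


def describe_mode(cfg: Dict[str, int]) -> str:
    """Human-readable mode from the enabled/enforce pair."""
    if cfg.get("enabled", 0) != 1:
        return "disabled"
    return ENFORCE_MODES.get(cfg.get("enforce", -1), "unknown enforce value")


def thresholds_for(t: int) -> Tuple[int, int, int]:
    """(global_high, high, low) that `fwaccel synatk -t <t>` configures.
    Integer division is my assumption for odd values; the guide only states the ratios."""
    if t < 100:
        raise ValueError("<Threshold> must be 100 or greater")
    return t, t // 2, t // 10


def check(cfg: Dict[str, int]) -> List[str]:
    """Every way the configuration breaks the guide's stated constraints."""
    problems: List[str] = []
    for key, (lo, hi) in RANGES.items():
        if key not in cfg:
            problems.append(f"{key}: missing")
            continue
        if lo is not None and cfg[key] < lo:
            problems.append(f"{key}: {cfg[key]} is below the minimum {lo}")
        if hi is not None and cfg[key] > hi:
            problems.append(f"{key}: {cfg[key]} is above the maximum {hi}")
    g = cfg.get("global_high_threshold", 0)
    h = cfg.get("high_threshold", 0)
    l = cfg.get("low_threshold", 0)
    if not l < h:
        problems.append("low_threshold must be smaller than high_threshold")
    if not h <= g:
        problems.append("high_threshold must not exceed global_high_threshold")
    return problems


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("mode:", describe_mode(cfg))
    print("problems:", check(cfg) or "none")
    print("fwaccel synatk -t 20000 would set", thresholds_for(20000))
```

Note that the sample reports "disabled" even though enforce is 1: enforce only has meaning once enabled is 1, which is why a config review should read the pair together rather than either value alone.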

fwaccel synatk monitor

Description
The fwaccel synatk monitor and fwaccel6 synatk monitor commands show the Accelerated SYN Defender
status.

Important - To enable the Accelerated SYN Defender in Monitor (Detect only) mode on
all interfaces, you must run the "fwaccel synatk -m" on page 1335 command.

Syntax for IPv4

fwaccel synatk monitor
      [-p]
      [-p] -a
      [-p] -s
      [-p] -v

Syntax for IPv6

fwaccel6 synatk monitor
      [-p]
      [-p] -a
      [-p] -s
      [-p] -v

Parameters

Important - You can specify only one of these options: -a, -s, or -v.

Parameter   Description

-p          Shows the Accelerated SYN Defender status for each SecureXL instance ("PPAK ID: 0"
            is the Host Security Appliance).

[-p] -a     Shows the Accelerated SYN Defender statistics for all interfaces (for each SecureXL
            instance).

[-p] -s     Shows the attack state in short form (for each SecureXL instance).

[-p] -v     Shows the attack state in verbose form (for each SecureXL instance).

Examples

Example 1 - Default output before and after enabling the Accelerated SYN Defender
[Expert@MyGW:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status                                                         |
+-----------------------------------------------------------------------------+
| Configuration                 Disabled                                      |
| Status                        Normal                                        |
| Non established connections   0                                             |
| Global Threshold              10000                                         |
| Interface Threshold           5000                                          |
+-----------------------------------------------------------------------------+
| IF   | Topology | Enforce | State (sec) | Non-established conns             |
|      |          |         |             |      Peak       |     Current     |
+-----------------------------------------------------------------------------+
| eth0 | External | Disable | Disable     |       N/A       |       N/A       |
| eth1 | Internal | Disable | Disable     |       N/A       |       N/A       |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk -m
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status                                                         |
+-----------------------------------------------------------------------------+
| Configuration                 Monitoring                                    |
| Status                        Normal                                        |
| Non established connections   0                                             |
| Global Threshold              10000                                         |
| Interface Threshold           5000                                          |
+-----------------------------------------------------------------------------+
| IF   | Topology | Enforce | State (sec) | Non-established conns             |
|      |          |         |             |      Peak       |     Current     |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect  | Monitor     |        0        |        0        |
| eth1 | Internal | Detect  | Monitor     |        0        |        0        |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

Example 2 - Showing the Accelerated SYN Defender status for each SecureXL instance
[Expert@MyGW:0]# fwaccel synatk monitor -p
+-----------------------------------------------------------------------------+
| SYN Defender status                                                         |
+-----------------------------------------------------------------------------+
| Configuration                 Monitoring                                    |
| Status                        Normal                                        |
| Non established connections   0                                             |
| Global Threshold              10000                                         |
| Interface Threshold           5000                                          |
+-----------------------------------------------------------------------------+
| IF   | Topology | Enforce | State (sec) | Non-established conns             |
|      |          |         |             |      Peak       |     Current     |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect  | Monitor     |        0        |        0        |
| eth1 | Internal | Detect  | Monitor     |        0        |        0        |
+-----------------------------------------------------------------------------+

PPAK ID: 0
----------
+-----------------------------------------------------------------------------+
| SYN Defender status                                                         |
+-----------------------------------------------------------------------------+
| Configuration                 Monitoring                                    |
| Status                        Normal                                        |
| Non established connections   0                                             |
| Global Threshold              10000                                         |
| Interface Threshold           5000                                          |
+-----------------------------------------------------------------------------+
| IF   | Topology | Enforce | State (sec) | Non-established conns             |
|      |          |         |             |      Peak       |     Current     |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect  | Monitor     |        0        |        0        |
| eth1 | Internal | Detect  | Monitor     |        0        |        0        |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

Example 3 - Showing the Accelerated SYN Defender statistics for all interfaces and for each SecureXL instance
[Expert@MyGW:0]# fwaccel synatk monitor -p -a
Global:
status                  attached
nr_active               0

Firewall
----------
Per-interface:
                        eth0        eth1
                        ----------  ----------
topology                External    Internal
state                   Monitor     Monitor
syn ready               0           0
syn active prev         0           0
syn active curr         0           0
active_score            0           0
msec grace              0           0
msec active             0           0
sent cookies            0           0
fail validations        0           0
succ validations        0           0
early packets           0           0
no conn data            0           0
bogus syn               0           0
peak non-estab          0           0
int sent cookies        0           0
int succ validations    0           0
msec interval           0           0

PPAK ID: 0
----------
Per-interface:
                        eth0        eth1
                        ----------  ----------
topology                External    Internal
state                   Monitor     Monitor
syn ready               0           0
syn active prev         0           0
syn active curr         0           0
active_score            0           0
msec grace              0           0
msec active             0           0
sent cookies            0           0
fail validations        0           0
succ validations        0           0
early packets           0           0
no conn data            0           0
bogus syn               0           0
peak non-estab          0           0
int sent cookies        0           0
int succ validations    0           0
msec interval           0           0
[Expert@MyGW:0]#

Example 4 - Showing the attack state in short form (for each SecureXL instance)
[Expert@MyGW:0]# fwaccel synatk monitor -p -s
M,N,0,0

PPAK ID: 0
----------
M,N,0,0
[Expert@MyGW:0]#

Example 5 - Showing the attack state in verbose form (for each SecureXL instance)
[Expert@MyGW:0]# fwaccel synatk monitor -p -v
+-----------------------------------------------------------------------------+
| SYN Defender statistics                                                     |
+-----------------------------------------------------------------------------+
| Status                        Normal                                        |
| Spoofed SYN/sec               0                                             |
+-----------------------------------------------------------------------------+

PPAK ID: 0
----------
+-----------------------------------------------------------------------------+
| SYN Defender statistics                                                     |
+-----------------------------------------------------------------------------+
| Status                        Normal                                        |
| Spoofed SYN/sec               0                                             |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#
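The status box printed by `fwaccel synatk monitor` (Examples 1 and 2 above) is what a monitoring job would scrape to learn whether the SYN Defender has left Ready on any interface, or how close an interface is to its threshold. The following is an added example, not Check Point code, that parses that box and raises alerts from it. The sample input follows the layout of Example 1 after enabling enforcement; its state and counter values are constructed so that one interface has something to report, and the function names and the 80% warning ratio are my own.

```python
"""Parse the boxed table printed by `fwaccel synatk monitor` and flag interfaces
that are challenging clients or approaching their threshold.  Added example,
not Check Point code."""
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of Example 1 above; the state and counter
# values are made up so that one interface has something to report.
SAMPLE_MONITOR = """\
+-----------------------------------------------------------------------------+
| SYN Defender status                                                         |
+-----------------------------------------------------------------------------+
| Configuration                 Enforcing                                     |
| Status                        Normal                                        |
| Non established connections   6200                                          |
| Global Threshold              10000                                         |
| Interface Threshold           5000                                          |
+-----------------------------------------------------------------------------+
| IF   | Topology | Enforce | State (sec) | Non-established conns             |
|      |          |         |             |      Peak       |     Current     |
+-----------------------------------------------------------------------------+
| eth0 | External | Prevent | Active      |      7100       |      6150       |
| eth1 | Internal | Detect  | Monitor     |       60        |       50        |
+-----------------------------------------------------------------------------+
"""


def _num(cell: str) -> Optional[int]:
    """Counter cell to int; the table prints N/A while the defender is disabled."""
    return int(cell) if cell.isdigit() else None


def parse_monitor(text: str) -> Dict:
    """Return {"summary": {label: value}, "interfaces": [row dicts]}."""
    summary: Dict[str, str] = {}
    interfaces: List[Dict] = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                                   # border, prompt or PPAK line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 1:                            # "Label   Value" rows at the top
            m = re.match(r"(.+?)\s{2,}(\S+)$", cells[0])
            if m:
                summary[m.group(1)] = m.group(2)
        elif len(cells) == 6 and cells[0] and cells[0] != "IF":
            interfaces.append({
                "if": cells[0], "topology": cells[1], "enforce": cells[2],
                "state": cells[3].split()[0],          # keep the state word only
                "peak": _num(cells[4]), "current": _num(cells[5]),
            })
    return {"summary": summary, "interfaces": interfaces}


def alerts(status: Dict, warn_ratio: float = 0.8) -> List[str]:
    """Interfaces in Active or Grace state, plus any whose current non-established
    connections have reached warn_ratio of the interface threshold."""
    thr = int(status["summary"]["Interface Threshold"])
    found: List[str] = []
    for i in status["interfaces"]:
        if i["state"] in ("Active", "Grace"):
            found.append(f'{i["if"]}: SYN Defender in {i["state"]} state (enforce={i["enforce"]})')
        elif i["current"] is not None and i["current"] >= warn_ratio * thr:
            found.append(f'{i["if"]}: {i["current"]} non-established conns, threshold {thr}')
    return found


if __name__ == "__main__":
    for message in alerts(parse_monitor(SAMPLE_MONITOR)):
        print(message)
```

With -p the box is printed once per SecureXL instance; feed each box to parse_monitor separately (split the output at the "PPAK ID:" lines) so that per-instance counters are not merged.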

fwaccel synatk state

Description
The fwaccel synatk state and fwaccel6 synatk state commands control the Accelerated SYN Defender
states.
The states are independent for IPv4 and IPv6.

Important - This command is not intended for end-user usage. State transitions
(between Ready, Grace and Active) occur automatically. This command provides a
way to force temporarily a state transition on an interface or group of interfaces.

Syntax for IPv4

fwaccel synatk state
      -h
      -a
      -d
      -g
      -i {all | external | internal | <Name of Interface>}
      -m
      -r

Syntax for IPv6

fwaccel6 synatk state
      -h
      -a
      -d
      -g
      -i {all | external | internal | <Name of Interface>}
      -m
      -r

Parameters

Important - You can specify only one of these parameters: -a, -d, -g, -m, or -r.

Parameter                 Description

-h                        Shows the applicable built-in usage.

-a                        Sets the state to Active.

-d                        Sets the state to Disabled.

-g                        Sets the state to Grace.

-i all                    Applies the change to all interfaces (this is the default).

-i external               Applies the change only to external interfaces.

-i internal               Applies the change only to internal interfaces.

-i <Name of Interface>    Applies the change to the specified interface.

-m                        Sets the state to Monitor (Detect only) mode.

-r                        Sets the state to Ready.

fwaccel synatk whitelist

Description
The fwaccel synatk whitelist and fwaccel6 synatk whitelist commands control the Accelerated SYN
Defender whitelist.

Notes:
- This whitelist overrides which packets the Accelerated SYN Defender drops.
  Before you use 3rd-party or automatic blacklists, add trusted networks and
  hosts to the whitelist to avoid outages.
- Also, see the "fwaccel dos whitelist" on page 1276 command.

Important - In Cluster, you must configure the Rate Limiting in the same way on all the
Cluster Members.

Syntax for IPv4

fwaccel synatk whitelist
      -a <IPv4 Address>[/<Subnet Prefix>]
      -d <IPv4 Address>[/<Subnet Prefix>]
      -F
      -l /<Path>/<Name of File>
      -L
      -s

Syntax for IPv6

fwaccel6 synatk whitelist
      -a <IPv6 Address>[/<Subnet Prefix>]
      -d <IPv6 Address>[/<Subnet Prefix>]
      -F
      -l /<Path>/<Name of File>
      -L
      -s

Parameters

Parameter Description

No Parameters Shows the applicable built-in usage.

-a <IPv4 Address> Adds the specified IPv4 address to the Accelerated SYN Defender
[/<Subnet Prefix>] whitelist.
n <IPv4 Address> - Can be an IPv4 address of a network or a
host.
n <Subnet Prefix> - Must specify the length of the subnet mask
in the format /<bits>.
Optional for a host IPv4 address.
Mandatory for a network IPv4 address.
Range - from /1 to /32.

Important - If you do not specify the subnet prefix


explicitly, this command uses the subnet prefix /32.

Examples:
n For a host:
192.168.20.30
192.168.20.30/32
n For a network:
192.168.20.0/24

CLI R80.40 Reference Guide      |      1348


fwaccel synatk whitelist

Parameter Description

-a <IPv6 Address> Adds the specified IPv6 address to the Accelerated SYN Defender
[/<Subnet Prefix>] whitelist.
n <IPv6 Address> - Can be an IPv6 address of a network or a
host.
n <Subnet Prefix> - Must specify the length of the subnet mask
in the format /<bits>.
Optional for a host IPv6 address.
Mandatory for a network IPv6 address.
Range - from /1 to /128.

Important - If you do not specify the subnet prefix


explicitly, this command uses the subnet prefix /128.

Examples:
n For a host:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
2001:0db8:85a3:0000:0000:8a2e:0370:7334/128
n For a network:
2001:cdba:9abc:5678::/64

-d <IPv4 Address> Removes the specified IPv4 address from the Accelerated SYN
[/<Subnet Prefix>] Defender whitelist.
n <IPv4 Address> - Can be an IPv4 address of a network or a
host.
n <Subnet Prefix> - Optional. Must specify the length of the
subnet mask in the format /<bits>.
Optional for a host IPv4 address.
Mandatory for a network IPv4 address.
Range - from /1 to /32.

Important - If you do not specify the subnet prefix


explicitly, this command uses the subnet prefix /32.

CLI R80.40 Reference Guide      |      1349


fwaccel synatk whitelist

Parameter Description

-d <IPv6 Address> Removes the specified IPv6 address from the Accelerated SYN
[/<Subnet Prefix>] Defender whitelist.
n <IPv6 Address> - Can be an IPv6 address of a network or a
host.
n <Subnet Prefix> - Optional. Must specify the length of the
subnet mask in the format /<bits>.
Optional for a host IPv6 address.
Mandatory for a network IPv6 address.
Range - from /1 to /128.

Important - If you do not specify the subnet prefix


explicitly, this command uses the subnet prefix /128.

-F Removes (flushes) all entries from the Accelerated SYN Defender


whitelist.

-l /<Path>/<Name of File>
    Loads the Accelerated SYN Defender whitelist entries from the specified plain-text file.
    Note - To replace the current whitelist with the contents of a new file, use both the -F and -l parameters on the same command line.
    Important:
    - You must manually create and configure this file with the touch or vi command.
    - You must assign at least the read permission to this file with the chmod +x command.
    - Each entry in this file must be on a separate line.
    - Each entry in this file must be in this format:
      <IPv4 Address>[/<Subnet Prefix>]
    - SecureXL ignores empty lines and lines that start with the # character in this file.

-L
    Loads the Accelerated SYN Defender whitelist entries from the plain-text file with a predefined name:
    $FWDIR/conf/synatk-whitelist-v4.conf
    Security Gateway automatically runs these commands {fwaccel | fwaccel6} synatk whitelist -L during each boot.
    Note - To replace the current whitelist with the contents of a new file, use both the -F and -L parameters on the same command line.
    Important:
    - This file does not exist by default.
    - You must manually create and configure this file with the touch or vi command.
    - You must assign at least the read permission to this file with the chmod +x command.
    - Each entry in this file must be on a separate line.
    - Each entry in this file must be in this format:
      <IPv4 Address>[/<Subnet Prefix>]
    - SecureXL ignores empty lines and lines that start with the # character in this file.

-s Shows the current Accelerated SYN Defender whitelist entries.

Example

[Expert@MyGW:0]# fwaccel synatk whitelist -a 192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk whitelist -s
192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk whitelist -d 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk whitelist -a 192.168.40.55
[Expert@MyGW:0]# fwaccel synatk whitelist -s
192.168.40.55/32
[Expert@MyGW:0]# fwaccel synatk whitelist -d 192.168.40.55
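The file rules for the -l and -L parameters above are easy to get wrong by hand, so this added Python checker (not part of the guide and not Check Point's code) validates a whitelist file before it is loaded and prints each entry as the -s output would show it. It assumes that the fwaccel6 file follows the same layout with the /1 to /128 range and implicit /128 given for the -a and -d parameters, and it treats an address with host bits set under an explicit prefix as an error, which is this checker's own strictness.

```python
"""Check an Accelerated SYN Defender whitelist file before loading it.

Added example, not Check Point's code. It applies the entry rules the guide
gives for the file read by 'fwaccel synatk whitelist -l <file>' and for
$FWDIR/conf/synatk-whitelist-v4.conf (-L): one entry per line, each in the
form <IP Address>[/<Subnet Prefix>], empty lines and lines starting with '#'
ignored, prefix range /1 to /32, implicit /32 when the prefix is omitted.
Assumptions: the fwaccel6 file has the same layout with /1 to /128 and an
implicit /128 (taken from the -a/-d descriptions), and an address with host
bits set under an explicit prefix is reported as an error by this checker.
"""
import ipaddress
import sys
from typing import List, Tuple


def normalize_entry(entry: str, ipv6: bool = False) -> str:
    """Return the entry as the whitelist reports it (-s output), or raise ValueError."""
    addr_part, slash, prefix_part = entry.partition("/")
    addr = ipaddress.ip_address(addr_part)          # ValueError on anything that is not an IP
    expected = 6 if ipv6 else 4
    if addr.version != expected:
        raise ValueError(f"IPv{addr.version} entry in an IPv{expected} whitelist file")
    max_bits = addr.max_prefixlen                   # 32 for IPv4, 128 for IPv6
    if not slash:
        prefix = max_bits                           # host entry: implicit /32 or /128
    else:
        if not prefix_part.isdigit():
            raise ValueError(f"subnet prefix must be /<bits>, got '/{prefix_part}'")
        prefix = int(prefix_part)
        if not 1 <= prefix <= max_bits:
            raise ValueError(f"subnet prefix /{prefix} outside /1 to /{max_bits}")
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if net.network_address != addr:
        # Checker assumption: a network entry must name the network address itself.
        raise ValueError(f"{entry} has host bits set; network address is {net.network_address}")
    return f"{net.network_address}/{prefix}"


def validate_whitelist(text: str, ipv6: bool = False) -> Tuple[List[str], List[str]]:
    """Parse whitelist file contents; return (normalized entries, error messages)."""
    entries: List[str] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                # SecureXL ignores these lines
        if any(ch.isspace() for ch in line):
            errors.append(f"line {lineno}: one entry per line expected, got {line!r}")
            continue
        try:
            entries.append(normalize_entry(line, ipv6))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return entries, errors


# Constructed sample file. Note that the bare "10.0.0.0" on line 5 is accepted
# as the host 10.0.0.0/32: the guide requires an explicit prefix for a network,
# so a missing prefix silently whitelists one address, not the whole network.
# Lines 6 to 9 are deliberately bad: prefix out of range, IPv6 address in the
# IPv4 file, host bits set under /24, and two entries on one line.
SAMPLE_V4 = """\
# constructed sample, not a real gateway file
192.168.20.0/24
192.168.40.55

10.0.0.0
172.16.0.0/33
2001:db8::1
192.168.50.7/24
10.1.1.1 10.1.1.2
"""

if __name__ == "__main__":
    # Usage: python check_synatk_whitelist.py [file]; without a file the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_V4
    good, bad = validate_whitelist(text)
    print("\n".join(good))
    for err in bad:
        print("ERROR:", err, file=sys.stderr)
    sys.exit(1 if bad else 0)
```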

fwaccel tab
Description
The fwaccel tab and fwaccel6 tab commands show the contents of the specified SecureXL kernel table.

Notes:
- Dynamic tables, such as the connections table, can change while this command prints their contents. This may cause some values to be missed or reported twice.
- For some tables, the command prints their contents on the screen.
- For some tables, the command prints their contents to the /var/log/messages file.
- Also, see the "fw tab" on page 1093 command.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] tab [-f] [-m <Number of Rows>] -t <Name of Kernel Table>

fwaccel [-i <SecureXL ID>] tab -s -t <Name of Kernel Table>

Syntax for IPv6

fwaccel6 tab [-f] [-m <Number of Rows>] -t <Name of Kernel Table>

fwaccel6 tab -s -t <Name of Kernel Table>

Parameters

Parameter Description

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

No Parameters
    Shows the applicable built-in usage.

-f
    Formats the output.
    We recommend that you always use this parameter.

-m <Number of Rows>
    Specifies how many rows to show from the kernel table.
    Note - The command counts from the top of the table.
    Default: 1000

-s
    Shows summary information only.

-t <Name of Kernel Table>
    Specifies the kernel table.
    This command supports only these kernel tables:
    - connections
    - dos_ip_blacklists
    - dos_pbox
    - dos_pbox_violating_ips
    - dos_rate_matches
    - dos_rate_track_src
    - dos_rate_track_src_svc
    - drop_templates
    - frag_table
    - gtp_apns
    - gtp_tunnels
    - if_by_name
    - inbound_SAs
    - invalid_replay_counter
    - ipsec_mtu_icmp
    - mcast_drop_conns
    - outbound_SAs
    - PMTU_table
    - <Profile>
    - reset_table
    - vpn_link_selection
    - vpn_trusted_ifs

Examples

[Expert@MyGW:0]# fwaccel tab -f -m 200 -t connections
Table connections is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t inbound_SAs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t outbound_SAs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t vpn_link_selection
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t drop_templates
Table drop_templates is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t vpn_trusted_ifs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t profile
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t mcast_drop_conns
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t invalid_replay_counter
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t ipsec_mtu_icmp
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t gtp_tunnels
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t gtp_apns
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t if_by_name
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t PMTU_table
Table PMTU_table is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t frag_table
Table frag_table is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t reset_table
Table reset_table is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_ip_blacklists
Table dos_ip_blacklists is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_pbox
Table dos_pbox is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_rate_matches
Table dos_rate_matches is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_rate_track_src
Table dos_rate_track_src is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_rate_track_src_svc
Table dos_rate_track_src_svc is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_pbox_violating_ips
Table dos_pbox_violating_ips is not active for SecureXL device 0.
[Expert@MyGW:0]#

fwaccel templates
Description
The fwaccel templates and fwaccel6 templates commands show the contents of the SecureXL templates tables:
- Accept Templates
- Drop Templates

Important - Depending on the number of current templates, these commands can consume a very large amount of memory.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] templates
      [-h]
      [-d]
      [-m <Number of Rows>]
      [-s]
      [-S]

Syntax for IPv6

fwaccel6 templates
      [-h]
      [-d]
      [-m <Number of Rows>]
      [-s]
      [-S]

Parameters

Parameter Description

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

No Parameters
    Shows the contents of the SecureXL Accept Templates table (Table Name - cphwd_tmpl, Table ID - 8111).

-h
    Shows the applicable built-in usage.

-d
    Shows the contents of the SecureXL Drop Templates table.

-m <Number of Rows>
    Specifies how many rows to show from the templates table.
    Note - The command counts from the top of the table.
    Default: 1000

-s
    Shows the summary of SecureXL Connections Templates (number of templates).

-S
    Shows statistics for the SecureXL Connections Templates.

Accept Templates flags

One or more of these flags appears in the output:

Flag Description

A Connection is accounted (SecureXL counts the number of packets and bytes).

B Connection is created for a rule that contains an Identity Awareness object, or for a rule below that rule.

D Connection is created for a rule that contains a Domain object, or for a rule below that rule.

I Identity Awareness (NAC) is enabled for this connection.

N Connection is NATed.

O Connection is created for a rule that contains a Dynamic object, or for a rule below that rule.

Q QoS is enabled for this connection.

R Connection is created for a rule that contains a Traceroute object, or for a rule below that rule.

S PXL (combination of SecureXL and PSL (Passive Streaming Library)) is enabled for this connection.

T Connection is created for a rule that contains a Time object, or for a rule below that rule.

U Connection is unidirectional.

Z Connection is created for a rule that contains a Security Zone object, or for a rule below that rule.

Drop Templates flags

One or more of these flags appears in the output:

Flag Description

D Drop template exists for this connection.

L Log and Drop action for this connection.

Examples

Example 1 - Default output

[Expert@MyGW:0]# fwaccel templates
Source SPort Destination DPort PR Flags LCT DLY C2S i/f S2C i/f
--------------- ----- --------------- ----- -- ------------ ---- --- ------- -------
192.168.10.20 * 192.168.10.50 80 6 0 0 0 eth5/eth1 eth1/eth5
[Expert@MyGW:0]#

Example 2 - Drop Templates

[Expert@MyGW:0]# fwaccel templates -d
The SecureXL drop templates table is empty
[Expert@MyGW:0]#

Example 3 - Summary of SecureXL Connections Templates

[Expert@MyGW:0]# fwaccel templates -s
Total number of templates: 1
[Expert@MyGW:0]#

Example 4 - Templates statistics

[Expert@MyGW:0]# fwaccel templates -S

Templates stats:

Name Value Name Value
-------------------- ------------ -------------------- ------------
C templates 0 conns from templates 0
nat templates 0 conns from nat tmpl 0
C CPASXL templates 0 C PSLXL templates 0
C used templates 0 cpasxl tmpl conns 0
pslxl tmpl conns 0 C conns from tmpl 0

[Expert@MyGW:0]#

fwaccel ver
Description
Shows this information:
- Firewall Version and Build
- Accelerator Version
- Firewall API version
- Accelerator API version

Syntax

fwaccel ver

Example

[Expert@MyGW:0]# fwaccel ver
Firewall version: R80.40 - Build 123
Acceleration Device: Performance Pack
Accelerator Version 2.1
Firewall API version: 3.0NG (19/11/2015)
Accelerator API version: 3.0NG (19/11/2015)
[Expert@MyGW:0]#

'sim' and 'sim6'
Description
The sim command controls the SecureXL device (infrastructure) for IPv4 traffic while a Security Gateway
is running.
The sim6 command controls the SecureXL device (infrastructure) for IPv6 traffic while a Security Gateway
is running.

Syntax for IPv4

sim [-i <SecureXL ID>]
      affinity <options>
      affinityload
      ctl get <options>
      ctl set <options>
      enable_aesni
      if
      nonaccel <options>
      ver <options>

Syntax for IPv6

sim6
      affinity <options>
      affinityload
      ctl get <options>
      ctl set <options>
      enable_aesni
      if
      nonaccel <options>
      ver <options>

Parameters

Parameter Description

No Parameters
help
    Shows the built-in usage.

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

affinity <options>
    Controls the affinity settings of network interfaces to CPU cores.
    See "sim affinity" on page 1363.

affinityload
    Applies the SecureXL SIM Affinity in the 'Automatic' mode.
    See "sim affinityload" on page 1366.

ctl get <options>
    To get a value of a kernel parameter, follow "Working with Kernel Parameters on Security Gateway" on page 1769.

ctl set <options>
    To set a value of a kernel parameter, follow "Working with Kernel Parameters on Security Gateway" on page 1769.

enable_aesni
    Enables AES-NI (if this computer supports this feature).
    See "sim enable_aesni" on page 1367.

if
    Shows the list of interfaces that SecureXL uses.
    See "sim if" on page 1368.

nonaccel <options>
    Sets the specified interface(s) as non-accelerated.
    Clears the specified interface(s) from non-accelerated state.
    See "sim nonaccel" on page 1372.

ver <options>
    Shows this information:
    - SecureXL (Performance Pack) version
    - Kernel version
    See "sim ver" on page 1374.

sim affinity
Description
Controls the SecureXL affinity settings of network interfaces to CPU cores.

Important - SecureXL can affine network interfaces only to CPU cores that run as CoreXL SND. For more information, see sk98737 - ATRG: CoreXL.

Syntax for IPv4

sim [-i <SecureXL ID>] affinity
      -a
      -h
      -l
      -s

Syntax for IPv6

sim6 affinity
      -a
      -h
      -l
      -s

Parameters

Parameter Description

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

-a
    Configures the affinity in 'Automatic' mode.
    SecureXL periodically examines the load on the CPU cores and the amount of traffic on the interfaces. Based on the results, SecureXL can reassign interfaces to other CPU cores to distribute their load better.

-h
    Shows the applicable built-in usage.

-l
    Shows the current affinity settings.

-s
    Configures the affinity in 'Static' ('Manual') mode.
    SecureXL does not reassign interfaces to other CPU cores to distribute their load better.

Example 1 - Default output

[Expert@MyGW:0]# sim affinity
Usage: sim affinity <options>

Options:
-l -
-s - set affinity settings manually
-a - set affinity settings automatically
-h - this help message

[Expert@MyGW:0]#

Example 2 - SIM Affinity is in Automatic mode

[Expert@MyGW:0]# cat /proc/cpuinfo | grep processor
processor : 0
processor : 1
processor : 2
processor : 3
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 3 | 21
1 | Yes | 2 | 6 | 13
2 | Yes | 1 | 5 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# sim affinity -l
eth6 : 0
eth0 : 0
eth3 : 0
eth1 : 0
eth4 : 0
eth2 : 0
eth5 : 0
[Expert@MyGW:0]#

sim affinityload
Description
Configures the SecureXL affinity settings of network interfaces to CPU cores in 'Automatic' mode.
This command is the same as the "sim affinity" on page 1363 command.

Syntax for IPv4

sim [-i <SecureXL ID>] affinityload

Syntax for IPv6

sim6 affinityload

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

Example

[Expert@MyGW:0]# sim affinityload
[Expert@MyGW:0]#

sim enable_aesni
Description
Enables SecureXL support for AES Instruction Set (AES-NI), if this computer supports it.

Syntax for IPv4

sim [-i <SecureXL ID>] enable_aesni

Syntax for IPv6

sim6 enable_aesni

Possible command outputs

- sim_aesni_enable: Enabled AES-NI, but machine does not have this feature
- sim_aesni_enable: Enabled AES-NI, and the machine supports this feature
- sim_aesni_enable: Failed to enable AES-NI. RC=-1

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

Example

[Expert@MyGW:0]# sim enable_aesni
ioctl 33 to the sim device failed (ppak_id=0, rc=-1, errno=1)
sim_aesni_enable: Failed to enable AES-NI. RC=-1
[Expert@MyGW:0]#

sim if
Description
Shows the list of interfaces that SecureXL uses.

Syntax for IPv4

sim [-i <SecureXL ID>] if

Syntax for IPv6

sim6 if

Parameters

Parameter Description

-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

Example

[Expert@MyGW:0]# sim if
Name | Address | Netmask | CXL Address | CXL Netmask | MTU | F | SIM F | IRQ | IFN:FWN:DVN | Dev
------------------------------------------------------------------------------------------------------------------------------------
eth0 | 192.168.3.242 | 0.0.0.0 | 192.168.3.243 | 255.255.255.0 | 1500 | 039 | 00080 | 67 | 2: 1: 2 | 0x0x3e836000
eth1 | 10.20.30.242 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 029 | 00088 | 75 | 3: 2: 3 | 0x0x3d508000
eth2 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 001 | 00080 | 59 | 4: 3: 4 | 0x0x3d6b4000
eth3 | 192.168.196.18 | 0.0.0.0 | 40.50.60.52 | 0.0.0.0 | 1500 | 029 | 00080 | 67 | 5: 4: 5 | 0x0x3dbc1000
eth4 | 192.168.196.18 | 0.0.0.0 | 100.100.100.53 | 0.0.0.0 | 1500 | 029 | 00080 | 83 | 6: 5: 6 | 0x0x3d678000
eth5 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 001 | 00080 | 75 | 7: 6: 7 | 0x0x3c6ba000
eth6 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 001 | 00080 | 59 | 8: 7: 8 | 0x0x3e370000
eth2.53 | 192.168.196.2 | 0.0.0.0 | 200.200.200.53 | 0.0.0.0 | 1500 | 029 | 00580 | 0 | 11: 10: 11 | 0x0x2ca90000
eth2.52 | 192.168.196.2 | 0.0.0.0 | 70.80.90.52 | 0.0.0.0 | 1500 | 029 | 00580 | 0 | 12: 11: 12 | 0x0x2c980000
[Expert@MyGW:0]#

Explanation about the configuration flags in the "F" and "SIM F" columns
The "F" column shows the internal configuration flags that Firewall set on these interfaces.
The "SIM F" column shows the internal configuration flags that SecureXL set on these interfaces.

Flag Description

0x001
    If this flag is set, SecureXL drops the packet at the end of the inbound inspection, if the packet is a "cut-through" packet. In outbound, SecureXL forwards all the packets to the network.

0x002
    If this flag is set, SecureXL sends an appropriate notification whenever a TCP state change occurs (connection is established / torn down).

0x004
    If this flag is set, SecureXL sets the UDP header's checksum field correctly when SecureXL encapsulates an encrypted packet (UDP encapsulation).
    If this flag is not set, SecureXL sets the UDP header's checksum field to zero. It is safe to ignore this flag, if it is set to 0 (SecureXL still calculates the UDP packet's checksum).

0x008
    If this flag is set, SecureXL does not create new connections that match a template, and SecureXL drops the packet that matches the template, when the Connections Table reaches the specified limit.
    If this flag is not set, SecureXL forwards the packet to the Firewall.

0x010
    If this flag is set, SecureXL forwards fragments to the Firewall.

0x020
    If this flag is set, SecureXL no longer creates connections from TCP templates. The Firewall can still offload connections to SecureXL.
    This flag disables only the creation of TCP templates.

0x040
    If this flag is set, SecureXL periodically notifies the Firewall, so it refreshes the accelerated connections in the Firewall kernel tables.

0x080
    If this flag is set, SecureXL no longer creates connections from non-TCP templates. The Firewall can still offload connections to SecureXL.
    This flag disables only the creation of non-TCP templates.

0x100
    If this flag is set, SecureXL allows sequence verification violations for connections that did not complete the TCP 3-way handshake process (otherwise, SecureXL must forward the violating packets to the Firewall).

0x200
    If this flag is set, SecureXL allows sequence verification violations for connections that completed the TCP 3-way handshake process (otherwise, SecureXL must forward the violating packets to the Firewall).

0x400
    If this flag is set, SecureXL forwards TCP [RST] packets to the Firewall.

0x0001
    If this flag is set, SecureXL notifies the Firewall about HitCount data.

0x0002
    If this flag is set, the VSX Virtual System acts as a junction, rather than a normal Virtual System (only the local Virtual System flag is applicable).

0x0004
    If this flag is set, SecureXL disables the replay counter of inbound encrypted traffic.
    This makes the SecureXL kernel module act in the same way as the VPN kernel module does.

0x0008
    If this flag is set, SecureXL enables the MSS Clamping.
    Refer to the kernel parameters 'fw_clamp_tcp_mss' and 'fw_clamp_vpn_mss' in sk101219.

0x0010
    If this flag is set, SecureXL disables the "No Match Ranges" (NMR) Templates (see sk117755).

0x0020
    If this flag is set, SecureXL disables the "No Match Time" (NMT) Templates (see sk117755).

0x0040
    If this flag is set, SecureXL does not send Drop Templates notifications (about dropped packets) to the Firewall (to maintain the drop counters).
    For example, if you set the value of the kernel parameter 'activate_optimize_drops_support_now' to 1, it disables the Drop Templates notifications.

0x0080
    If this flag is set, SecureXL enables the MultiCore support for IPsec VPN (see sk118097).

0x0100
    If this flag is set, SecureXL enables the support for CoreXL Dynamic Dispatcher (see sk105261).

0x0800
    If this flag is set, SecureXL does not enforce the Path MTU Discovery for IP multicast packets.

0x1000
    If this flag is set, SecureXL disables the SIM "drop_templates" feature.

0x2000
    If this flag is set, it indicates that an administrator enabled the Link Selection Load Sharing feature.

0x4000
    If this flag is set, SecureXL disables the asynchronous notification feature.

0x8000
    If this flag is set, it indicates that the Firewall Connections Table capacity is unlimited.

Examples:

Value Description

0x039
    Means the sum of these flags:
    - 0x001
    - 0x008
    - 0x010
    - 0x020

0x00008a16
    Means the sum of these flags:
    - 0x0002
    - 0x0004
    - 0x0010
    - 0x0200
    - 0x0800
    - 0x8000

0x00009a16
    Means the sum of these flags:
    - 0x0002
    - 0x0004
    - 0x0010
    - 0x0200
    - 0x0800
    - 0x1000
    - 0x8000

sim nonaccel
Description
- Sets the specified interfaces as non-accelerated.
- Clears the specified interfaces from non-accelerated state.

Syntax for IPv4

sim [-i <SecureXL ID>] nonaccel
      -c <Name of Interface 1> [<Name of Interface 2> ... <Name of Interface N>]
      -s <Name of Interface 1> [<Name of Interface 2> ... <Name of Interface N>]

Syntax for IPv6

sim6 nonaccel
      -c <Name of Interface 1> [<Name of Interface 2> ... <Name of Interface N>]
      -s <Name of Interface 1> [<Name of Interface 2> ... <Name of Interface N>]

Parameters

Parameter Description

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

-c
    Sets the specified interfaces as non-accelerated.

-s
    Clears the specified interfaces from non-accelerated state.

<Name of Interface>
    Specifies the interface.

Example

[Expert@MyGW:0]# sim nonaccel -s eth0
Interface eth0 set as non-accelerated.

Note: Changes will not take affect until the next time acceleration
is started or the relevant interface(s) are restarted.
[Expert@MyGW:0]#

[Expert@MyGW:0]# sim nonaccel -c eth0
Interface eth0 set as accelerated.

Note: Changes will not take affect until the next time acceleration
is started or the relevant interface(s) are restarted.
[Expert@MyGW:0]#

sim ver
Description
Shows this information:
- SecureXL (Performance Pack) version
- Kernel version

Syntax for IPv4

sim ver [-k]

Syntax for IPv6

sim6 ver [-k]

Parameters

Parameter Description

No Parameter
    Shows only the SecureXL (Performance Pack) version.

-k
    Shows this information:
    - SecureXL (Performance Pack) version
    - Kernel version

Example

[Expert@MyGW:0]# sim ver
This is Check Point Performance Pack version: R80.40 - Build 123
Kernel version: R80.40 - Build 456
[Expert@MyGW:0]#
[Expert@MyGW:0]# sim ver -k
This is Check Point Performance Pack version: R80.40 - Build 123
Kernel version: R80.40 - Build 456
[Expert@MyGW:0]#

fw sam_policy
Description
Manages the Suspicious Activity Policy editor that lets you work with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 271
- "sam_alert" on page 370
Notes:
- You can run these commands interchangeably: 'fw sam_policy' and 'fw samp'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Syntax for IPv6

fw6 [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw6 [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 282.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 295.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 297.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 300.

fw sam_policy add
Description
The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy add' and 'fw samp add'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined.
    Default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log

-t <Timeout>
    Optional.
    Specifies the time period (in seconds) during which the rule is enforced.
    Default timeout is indefinite.

-f <Target>
    Optional.
    Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
    <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):
    [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
    See the explanations below.

CLI R80.40 Reference Guide      |      1381


fw sam_policy add

Parameter Description

quota Mandatory (use this quota parameter, or the ip parameter).


<Quota
Filter Configures the Rate Limiting rule.
Arguments> Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations
below):
n [flush true]
n [source-negated {true | false}] source <Source>
n [destination-negated {true | false}] destination
<Destination>
n [service-negated {true | false}] service <Protocol
and Port numbers>
n [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2
Value>] ...[<LimitN Name> <LimitN Value>]
n [track <Track>]

Important:
n The Quota rules are not applied immediately to the Security
Gateway. They are only registered in the Suspicious Activity
Monitoring (SAM) policy database. To apply all the rules from the
SAM policy database immediately, add "flush true" in the fw
samp add command syntax.
n Explanation:
For new connections rate (and for any rate limiting in general), when
a rule's limit is violated, the Security Gateway also drops all packets
that match the rule.
The Security Gateway computes new connection rates on a per-
second basis.
At the start of the 1-second timer, the Security Gateway allows all
packets, including packets for existing connections.
If, at some point, during that 1 second period, there are too many
new connections, then the Security Gateway blocks all remaining
packets for the remainder of that 1-second interval.
At the start of the next 1-second interval, the counters are reset, and
the process starts over - the Security Gateway allows packets to
pass again up to the point, where the rule’s limit is violated.
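The per-second enforcement described above, as an added Python model that is not part of the guide: it replays a constructed packet trace through a new-conn-rate quota and shows the window reset, the block for the rest of the interval, and that packets of existing connections are dropped too. The exact boundary (the connection that exceeds the limit is the first packet dropped) is an assumption.

```python
"""Model of the per-second new-connection quota enforcement described above.

Added example, not Check Point code. It follows the documented behaviour:
the counters reset at the start of every 1-second interval; once the
new-conn-rate limit is violated inside an interval, every remaining packet
that matches the rule, including packets of existing connections, is dropped
until the next interval starts. Assumption: the new connection that exceeds
the limit is the first packet dropped.
"""
from dataclasses import dataclass, field


@dataclass
class NewConnRateQuota:
    """A rule with 'new-conn-rate <limit>' (new connections per second)."""
    limit: int
    window: int = 0            # whole second the current 1-second interval covers
    new_conns: int = 0         # new connections accepted in the current interval
    blocked: bool = False      # limit already violated in the current interval
    violations: list = field(default_factory=list)

    def _roll_window(self, now: float) -> None:
        second = int(now)
        if second != self.window:
            # A new 1-second interval: reset counters, let traffic through again.
            self.window = second
            self.new_conns = 0
            self.blocked = False

    def handle(self, now: float, new_connection: bool) -> str:
        """Verdict ('accept' or 'drop') for one matching packet seen at `now`."""
        self._roll_window(now)
        if self.blocked:
            return "drop"          # remainder of the interval is blocked
        if new_connection:
            self.new_conns += 1
            if self.new_conns > self.limit:
                self.blocked = True
                self.violations.append(now)
                return "drop"
        return "accept"


def simulate(limit: int, trace):
    """Run a trace of (time, is_new_connection) packets through one quota rule."""
    quota = NewConnRateQuota(limit)
    return [quota.handle(t, is_new) for t, is_new in trace]


# Constructed trace for 'new-conn-rate 5': five new connections in the first
# second, then a sixth one, a packet of an existing connection, and two
# packets after the interval rolls over.
SAMPLE_TRACE = [
    (0.10, True), (0.20, True), (0.30, True), (0.40, True), (0.50, True),
    (0.55, False), (0.60, True), (0.70, False), (1.00, False), (1.10, True),
]


def demo():
    # → ['accept'] * 6 + ['drop', 'drop', 'accept', 'accept']
    return simulate(5, SAMPLE_TRACE)


if __name__ == "__main__":
    for (t, is_new), verdict in zip(SAMPLE_TRACE, demo()):
        print(f"t={t:.2f} new={is_new!s:5} -> {verdict}")
```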

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

-C
    Specifies that open connections should be closed.

-s <Source IP>
    Specifies the Source IP address.

-m <Source Mask>
    Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>
    Specifies the Destination IP address.

-M <Destination Mask>
    Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>
    Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>
    Specifies the protocol number (see IANA Protocol Numbers).

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

flush true
    Specifies to compile and load the quota rule to the SecureXL immediately.

[source-negated {true | false}] source <Source>
    Specifies the source type and its value:
    - any
      The rule is applied to packets sent from all sources.
    - range:<IP Address> or range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent from:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent from:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    - Default is: source-negated false
    - The source-negated true processes all source types, except the specified type.

[destination-negated {true | false}] destination <Destination>
    Specifies the destination type and its value:
    - any
      The rule is applied to packets sent to all destinations.
    - range:<IP Address> or range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent to:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent to:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    - Default is: destination-negated false
    - The destination-negated true will process all destination types except the specified type.

[service-negated {true | false}] service <Protocol and Port numbers>
    Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):
    - <Protocol>
      IP protocol number in the range 1-255
    - <Protocol Start>-<Protocol End>
      Range of IP protocol numbers
    - <Protocol>/<Port>
      IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535
    - <Protocol>/<Port Start>-<Port End>
      IP protocol number and range of TCP/UDP port numbers from 1 to 65535
    Notes:
    - Default is: service-negated false
    - The service-negated true will process all traffic except the traffic with the specified protocols and ports.

[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
    Specifies quota limits and their values.
    Note - Separate multiple quota limits with spaces.
    - concurrent-conns <Value>
      Specifies the maximal number of concurrent active connections that match this rule.
    - concurrent-conns-ratio <Value>
      Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - pkt-rate <Value>
      Specifies the maximum number of packets per second that match this rule.
    - pkt-rate-ratio <Value>
      Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - byte-rate <Value>
      Specifies the maximal total number of bytes per second in packets that match this rule.
    - byte-rate-ratio <Value>
      Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - new-conn-rate <Value>
      Specifies the maximal number of connections per second that match the rule.
    - new-conn-rate-ratio <Value>
      Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

[track <Track>]
    Specifies the tracking option:
    - source
      Counts connections, packets, and bytes for specific source IP address, and not cumulatively for this rule.
    - source-service
      Counts connections, packets, and bytes for specific source IP address, and for specific IP protocol and destination port, and not cumulatively for this rule.

Examples

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
- This rule drops packets for all connections (-a d) that exceed the quota set by this rule, including packets for existing connections.
- This rule logs packets (-l r) that exceed the quota set by this rule.
- This rule will expire in 3600 seconds (-t 3600).
- This rule limits the rate of creation of new connections to 5 connections per second (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
  Note - The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
- This rule will be compiled and loaded on the SecureXL, together with other rules in the Suspicious Activity Monitoring (SAM) policy database immediately, because this rule includes the "flush true" parameter.

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.
Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:
- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l r parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536=~1% (concurrent-conns-ratio 655) for any traffic (service any) except (source-negated true) the connections from the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule counts connections, packets, and bytes for traffic only from sources that match this rule, and not cumulatively for this rule.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

fw sam_policy batch
Description
The 'fw sam_policy batch' and 'fw6 sam_policy batch' commands let you:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy batch' and 'fw samp batch'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all of the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
Procedure

1. Start the batch mode
   - For IPv4, run:

     fw sam_policy batch << EOF

   - For IPv6, run:

     fw6 sam_policy batch << EOF

2. Enter the applicable commands
   - Enter one "add" or "del" command on each line, on as many lines as necessary. Start each line with only the "add" or "del" parameter (not with "fw samp").
   - Use the same set of parameters and values as described in these commands:
     - fw sam_policy add
     - fw sam_policy del
   - Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

3. End the batch mode
   Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
[Expert@HostName]#
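A generator for the batch input, as an added Python example that is not part of the guide: it applies the backslash escaping the -n, -c and -o strings require and wraps the add and del lines in the heredoc shown above. Action letters, limit names and the sample rules are taken from the examples in this guide; the function names are mine, and the choice to check the 128-character limit on the escaped string is an assumption.

```python
"""Generate input for 'fw samp batch' from structured rule definitions.

Added example, not part of the Check Point guide. It applies the escaping
rule for the -n/-c/-o strings (a backslash before every space and every
backslash, inside double quotes), emits one 'add' or 'del' line per rule
and wraps the lines in the heredoc the procedure above uses. The rule
definitions in build_sample_batch() are constructed sample data.
"""

# Rule actions used in the guide's examples: d = drop, n = notify, b = bypass.
ACTIONS = {"d", "n", "b"}
# Quota limit names documented for 'fw sam_policy add'.
LIMIT_NAMES = {
    "concurrent-conns", "concurrent-conns-ratio", "pkt-rate", "pkt-rate-ratio",
    "byte-rate", "byte-rate-ratio", "new-conn-rate", "new-conn-rate-ratio",
}


def escape_label(text: str) -> str:
    """Escape a rule name, comment or originator string and quote it.

    Backslashes are escaped first so that the backslashes added for spaces
    are not doubled afterwards. The 128-character limit is checked on the
    escaped string (assumption: the limit applies to what is typed).
    """
    escaped = text.replace("\\", "\\\\").replace(" ", "\\ ")
    if len(escaped) > 128:
        raise ValueError("label exceeds 128 characters after escaping")
    return '"' + escaped + '"'


def quota_add_line(action, source, service, limits, *, log=False, timeout=None,
                   name=None, comment=None, originator=None,
                   source_negated=False, service_negated=False, flush=False):
    """Build one 'add ... quota ...' line for the batch input."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    unknown = set(limits) - LIMIT_NAMES
    if unknown:
        raise ValueError(f"unknown quota limits: {sorted(unknown)}")
    parts = ["add", "-a", action]
    if log:
        parts += ["-l", "r"]
    if timeout is not None:
        parts += ["-t", str(int(timeout))]
    for flag, label in (("-n", name), ("-c", comment), ("-o", originator)):
        if label:
            parts += [flag, escape_label(label)]
    parts.append("quota")
    if flush:
        parts += ["flush", "true"]
    if source_negated:
        parts += ["source-negated", "true"]
    parts += ["source", source]
    if service_negated:
        parts += ["service-negated", "true"]
    parts += ["service", service]
    for limit_name, value in limits.items():
        parts += [limit_name, str(value)]
    return " ".join(parts)


def del_line(rule_uid: str) -> str:
    """Build one 'del <uid>' line; the UID is the one 'fw samp get' prints."""
    if not (rule_uid.startswith("<") and rule_uid.endswith(">")):
        raise ValueError("rule UID must be written as <v1,v2,v3,v4>")
    return f"del {rule_uid}"


def batch_script(lines, ipv6=False) -> str:
    """Wrap the lines in the heredoc form used in the procedure above."""
    command = "fw6 samp batch" if ipv6 else "fw samp batch"
    return command + " <<EOF\n" + "\n".join(lines) + "\nEOF\n"


def build_sample_batch() -> str:
    """Constructed sample: one time-limited rate limit, one delete, one whitelist."""
    lines = [
        quota_add_line("d", "range:172.16.7.13-172.16.7.13", "any",
                       {"new-conn-rate": 5}, log=True, timeout=3600,
                       comment="Limit conn rate to 5 conn/sec from these sources"),
        del_line("<501f6ef0,00000000,cb38a8c0,0a0afffe>"),
        quota_add_line("b", "range:172.16.8.17-172.16.9.121", "6/80", {}),
    ]
    return batch_script(lines)


if __name__ == "__main__":
    print(build_sample_batch(), end="")
```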

fw sam_policy del
Description
The 'fw sam_policy del' and 'fw6 sam_policy del' commands let you:
- Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
- Delete one configured Rate Limiting rule at a time.

Notes:
- You can run these commands interchangeably: 'fw sam_policy del' and 'fw samp del'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'
    Specifies the UID of the rule you wish to delete.
    Important:
    - The quote marks and angle brackets ('<...>') are mandatory.
    - To see the Rule UID, run the "fw sam_policy get" command.

Procedure

1. List all the existing rules in the Suspicious Activity Monitoring policy database
   - For IPv4, run:

     fw sam_policy get

   - For IPv6, run:

     fw6 sam_policy get

   The rules show in this format:

   operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log=... name=... comment=... originator=... src_ip_addr=... req_tpe=...

   Example for IPv4:

   operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

2. Delete a rule from the list by its UID
   - For IPv4, run:

     fw [-d] sam_policy del '<Rule UID>'

   - For IPv6, run:

     fw6 [-d] sam_policy del '<Rule UID>'

   Example for IPv4:

   fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule
   - For IPv4, run:

     fw samp add -t 2 quota flush true

   - For IPv6, run:

     fw6 samp add -t 2 quota flush true

   Explanation:
   The fw samp del and fw6 samp del commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compile and load a policy. To force the rule deletion immediately, you must enter a flush-only add rule right after the fw samp del or fw6 samp del command. This flush-only add rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

   Best Practice - Specify a short timeout period for the flush-only rules. This prevents accumulation of rules that are obsolete in the database.

fw sam_policy get
Description
The 'fw sam_policy get' and 'fw6 sam_policy get' commands let you:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- You can run these commands interchangeably: 'fw sam_policy get' and 'fw samp get'.
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The SAM Policy management file is $FWDIR/database/sam_policy.mng.

Important:
- Configuration you make with these commands survives reboot.
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- On VSX Gateway, you must run these commands from the context of an applicable Virtual System:
  - In Gaia Clish, run: set virtual-system <VSID>
  - In Expert mode, run: vsenv <VSID>
- In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l
    Controls how to print the rules:
    - In the default format (without "-l"), the output shows each rule on a separate line.
    - In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
    - See the "fw sam_policy add" command.

-u '<Rule UID>'
    Prints the rule specified by its Rule UID or its zero-based rule index.
    The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'
    Prints the rules with the specified predicate key.
    The quote marks are mandatory.

-t <Type>
    Prints the rules with the specified predicate type.
    For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}
    Prints the rules with the specified predicate values.
    The quote marks are mandatory.

-n
    Negates the condition specified by these predicate parameters:
    - -k
    - -t
    - +-v

Examples

Example 1 - Output in the default format

[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 2 - Output in the list format


[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID

[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
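A parser for this default-format output plus an audit against the Best Practice above, as an added Python example that is not part of the guide. It handles the backslash-escaped spaces in name, comment and originator values, emulates the -k / -t in / -v / -n filter on the parsed rules, and flags rules without an expiration and bypass rules; the embedded sample output is constructed from the examples above, and the function names are mine.

```python
r"""Parse the default-format output of 'fw samp get' and audit the rules.

Added example, not Check Point code. Each output line is a run of key=value
tokens separated by spaces, and a space inside a value is escaped with a
backslash (name=Test\ Rule), so a plain split() would cut such values.
The sample output below is constructed from the examples in this guide.
"""
import re

# Constructed sample: three quota rules and one SAM (ip) rule, as printed by
# 'fw samp get' without -l.
SAMPLE_OUTPUT = r"""
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip
"""

# One token: a run of characters in which a backslash always takes the next
# character with it, so "Test\ Rule" stays a single token.
TOKEN = re.compile(r"(?:\\.|\S)+")


def parse_rule_line(line: str) -> dict:
    """Turn one 'operation=add uid=... ' line into a dict of unescaped values."""
    rule = {}
    for token in TOKEN.findall(line):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        rule[key] = re.sub(r"\\(.)", r"\1", value)   # drop the escaping backslashes
    return rule


def parse_samp_get(text: str) -> list:
    """Parse every rule line; prompts and 'no corresponding ...' lines are skipped."""
    return [parse_rule_line(line) for line in text.splitlines()
            if line.startswith("operation=")]


def select(rules, key, value, negate=False):
    """Emulate 'fw samp get -k <key> -t in -v <value> [-n]' on parsed rules."""
    return [r for r in rules if (r.get(key) == value) != negate]


def audit(rules):
    """Findings that follow the Best Practice above: rules should expire,
    and bypass rules (whitelists) deserve a periodic second look."""
    findings = []
    for r in rules:
        if r.get("timeout") == "indefinite":
            findings.append((r["uid"], "no expiration: set -t so the rule cannot outlive the investigation"))
        if r.get("action") == "bypass":
            findings.append((r["uid"], "bypass rule: confirm the whitelist is still required"))
    return findings


if __name__ == "__main__":
    parsed = parse_samp_get(SAMPLE_OUTPUT)
    for uid, message in audit(parsed):
        print(uid, message)
```

On a live gateway, feed the captured output of fw samp get (or fw6 samp get) to parse_samp_get instead of the sample.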

The /proc/ppk/ and /proc/ppk6/ entries


Description
SecureXL supports Linux /proc entries. The read-only entries in the /proc/ppk/ and /proc/ppk6/ directories contain various data about SecureXL.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/<Name of File>

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/<Name of File>

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/<Name of File>

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/<Name of File>

Files

affinity
    Contains status and the thresholds for SecureXL New Affinity mechanism.
    See "/proc/ppk/affinity" on page 1402.

conf
    Contains the SecureXL configuration and basic statistics.
    See "/proc/ppk/conf" on page 1403.

conns
    Contains the list of the SecureXL connections.
    See "/proc/ppk/conns" on page 1404.

cpls
    Contains SecureXL configuration for ClusterXL Load Sharing (CPLS).
    See "/proc/ppk/cpls" on page 1405.

cqstats
    Contains statistics for SecureXL connections queue.
    See "/proc/ppk/cqstats" on page 1406.

drop_statistics
    Contains SecureXL statistics for dropped packets.
    See "/proc/ppk/drop_statistics" on page 1407.

ifs
    Contains the list of interfaces that SecureXL uses.
    See "/proc/ppk/ifs" on page 1408.

mcast_statistics
    Contains SecureXL statistics for multicast traffic.
    See "/proc/ppk/mcast_statistics" on page 1412.

nac
    Contains SecureXL statistics for Identity Awareness Network Access Control (NAC) traffic.
    See "/proc/ppk/nac" on page 1413.

notify_statistics
    Contains SecureXL statistics for notifications SecureXL sent to Firewall about accelerated connections.
    See "/proc/ppk/notify_statistics" on page 1414.

profile_cpu_stat
    Contains IDs of the CPU cores and status of Traffic Profiling.
    See "/proc/ppk/profile_cpu_stat" on page 1415.

rlc
    Contains SecureXL statistics for drops due to Rate Limiting for DoS Mitigation.
    See "/proc/ppk/rlc" on page 1416.

statistics
    Contains SecureXL overall statistics.
    See "/proc/ppk/statistics" on page 1417.

stats
    Contains the IRQ numbers and names of interfaces the SecureXL uses.
    See "/proc/ppk/stats" on page 1419.

viol_statistics
    Contains SecureXL statistics for violations - packets SecureXL forwarded (F2F) to the Firewall.
    See "/proc/ppk/viol_statistics" on page 1420.

/proc/ppk/affinity
Description
Contains the number of accelerated packets per second and rate of encrypted bytes.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/affinity

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/affinity

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/affinity


Current accelerated PPS : 0
Current enc. bytes rate : 0
[Expert@MyGW:0]#

/proc/ppk/conf
Description
Contains the SecureXL configuration and basic statistics.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/conf

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/conf

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/conf

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/conf

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/conf


Flags : 0x00000592
Accounting Update Interval : 3600
Conn Refresh Interval : 512
SA Sync Notification Interval : 200000
UDP Encapsulation Port : 2746
Min TCP MSS : 0
TCP End Timeout : 5
Connection Limit : 18446744073709551615

Total Number of conns : 0
Number of Crypt conns : 0
Number of TCP conns : 0
Number of Non-TCP conns : 0
Total Number of corrs : 0

Debug flags :
0 : 0x1
1 : 0x1
2 : 0x1
3 : 0x1
4 : 0x1
5 : 0x1
6 : 0x1
7 : 0x1
8 : 0x100
9 : 0x8
10 : 0x1
11 : 0x10
[Expert@MyGW:0]#

/proc/ppk/conns
Description
Contains the list of the SecureXL connections.

Important - This file is for future use. Refer to the "fwaccel conns" on page 1247 command.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/conns

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/conns

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/conns

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/conns

/proc/ppk/cpls
Description
Contains SecureXL configuration for ClusterXL Load Sharing (CPLS).

Important - This file is for future use. Refer to the "fwaccel cfg -h" command (see
"fwaccel cfg" on page 1244).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/cpls

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/cpls

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/cpls


fwha_conf_flags: 638
fwha_df_type: 0
fwha_member_id: 0
fwha_port: 8116
FWHAP MAC magic: 0
Forwarding MAC magic: 0
My state: ACTIVE
udp_enc_port: 0
selection table size: 0
[Expert@MyGW:0]#



/proc/ppk/cqstats
Description
Contains statistics for SecureXL connections queue.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/cqstats

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/cqstats

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/cqstats

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/cqstats

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/cqstats


Name Value Name Value
-------------------- --------------- -------------------- ---------------
Queued pkts 0 Queue fail 0
Dequeue & f2f 0 Dequeue & drop 0
Dequeue & resume 0 Async index req 0
Err Async index req 0 Async index cb 0
Err Async index cb 0 Queue alloc fail 0
Queue empty err 0
[Expert@MyGW:0]#



/proc/ppk/drop_statistics
Description
Contains SecureXL statistics for dropped packets.

Note - This is the same information that the "fwaccel stats -d" command shows
(see "fwaccel stats" on page 1304).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/drop_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/drop_statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/drop_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/drop_statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/drop_statistics


Reason Packets Reason Packets
-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
PSLXL decision 0 clr pkt on vpn 0
encrypt failed 0 drop template 0
decrypt failed 0 interface down 0
cluster error 0 XMT error 0
anti spoofing 0 local spoofing 0
sanity error 0 monitored spoofed 0
QOS decision 0 C2S violation 0
S2C violation 0 Loop prevention 0
DOS Fragments 0 DOS IP Options 0
DOS Blacklists 0 DOS Penalty Box 0
DOS Rate Limiting 0 Syn Attack 0
Reorder 0 Defrag timeout 0
[Expert@MyGW:0]#



/proc/ppk/ifs
Description
Contains the list of interfaces that SecureXL uses.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/ifs

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/ifs

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/ifs


No | Interface | Address | IRQ | F | SIM F | Dev | Output Func | Features
-------------------------------------------------------------------------------------------------------------
2 | eth0 | 192.168.3.52 | 67 | 1 | 480 | 0xffff81023e5df000 | 0x000013a0
3 | eth1 | 10.20.30.52 | 83 | 1 | 488 | 0xffff81023dd0c000 | 0x000013a0
4 | eth2 | 40.50.60.52 | 59 | 1 | 480 | 0xffff810237f88000 | 0x000013a0
5 | eth3 | 0.0.0.0 | 67 | 1 | 80 | 0xffff810239b3d000 | 0x000013a0
6 | eth4 | 0.0.0.0 | 91 | 1 | 80 | 0xffff81023841f000 | 0x000013a0
7 | eth5 | 0.0.0.0 | 83 | 1 | 480 | 0xffff8102396fe000 | 0x000013a0
8 | eth6 | 0.0.0.0 | 59 | 1 | 480 | 0xffff810239a4d000 | 0x000013a0
10 | bond0 | 70.80.90.52 | 0 | 1 | 280 | 0xffff8101f1a0e000 | 0x000013a0
[Expert@MyGW:0]#

Example for IPv6

[Expert@MyGW:0]# cat /proc/ppk6/ifs


No | Interface | Address | IRQ | F | SIM F | Dev | Output Func | Features
-------------------------------------------------------------------------------------------------------------
2 | eth0 | fe80:0:0:0:250:56ff:fea3:1807 | 67 | 1 | 480 | 0xffff81023e5df000 | 0x000013a0
3 | eth1 | fe80:0:0:0:250:56ff:fea3:15a4 | 83 | 1 | 480 | 0xffff81023dd0c000 | 0x000013a0
4 | eth2 | fe80:0:0:0:250:56ff:fea3:2f50 | 59 | 1 | 480 | 0xffff810237f88000 | 0x000013a0
5 | eth3 | 0:0:0:0:0:0:0:0 | 67 | 1 | 80 | 0xffff810239b3d000 | 0x000013a0
6 | eth4 | 0:0:0:0:0:0:0:0 | 91 | 1 | 80 | 0xffff81023841f000 | 0x000013a0
7 | eth5 | fe80:0:0:0:250:56ff:fea3:75a9 | 83 | 1 | 480 | 0xffff8102396fe000 | 0x000013a0
8 | eth6 | fe80:0:0:0:250:56ff:fea3:5d4c | 59 | 1 | 480 | 0xffff810239a4d000 | 0x000013a0
10 | bond0 | fe80:0:0:0:250:56ff:fea3:287b | 0 | 1 | 280 | 0xffff8101f1a0e000 | 0x000013a0
[Expert@MyGW:0]#


Explanation of the configuration flags in the "F" and "SIM F" columns
The "F" column shows the internal configuration flags that the Firewall sets on these interfaces.
The "SIM F" column shows the internal configuration flags that SecureXL sets on these interfaces.

Flag Description

0x001 If this flag is set, the SecureXL drops the packet at the end of the inbound inspection, if the
packet is a "cut-through" packet. In outbound, SecureXL forwards all the packets to the
network.

0x002 If this flag is set, the SecureXL sends an appropriate notification whenever a TCP state
change occurs (connection is established / torn down).

0x004 If this flag is set, SecureXL sets the UDP header's checksum field correctly when it
encapsulates an encrypted packet (UDP encapsulation).
If this flag is not set, SecureXL sets the UDP header's checksum field to zero. It is safe to
ignore this flag if it is 0 (SecureXL still calculates the UDP packet's checksum).

0x008 If this flag is set, the SecureXL does not create new connections that match a template, and
SecureXL drops the packet that matches the template, when the Connections Table reaches
the specified limit.
If this flag is not set, the SecureXL forwards the packet to the Firewall.

0x010 If this flag is set, the SecureXL forwards fragments to the Firewall.

0x020 If this flag is set, SecureXL no longer creates connections from TCP templates.
The Firewall can still offload connections to SecureXL.
This flag disables only the creation of TCP templates.

0x040 If this flag is set, the SecureXL periodically notifies the Firewall, so it refreshes the
accelerated connections in the Firewall kernel tables.

0x080 If this flag is set, SecureXL no longer creates connections from non-TCP templates.
The Firewall can still offload connections to SecureXL.
This flag disables only the creation of non-TCP templates.

0x100 If this flag is set, the SecureXL allows sequence verification violations for connections that did
not complete the TCP 3-way handshake process (otherwise, SecureXL must forward the
violating packets to the Firewall).

0x200 If this flag is set, the SecureXL allows sequence verification violations for connections that
completed the TCP 3-way handshake process (otherwise, SecureXL must forward the
violating packets to the Firewall).

0x400 If this flag is set, the SecureXL forwards TCP [RST] packets to the Firewall.

0x0001 If this flag is set, the SecureXL notifies the Firewall about HitCount data.


0x0002 If this flag is set, the VSX Virtual System acts as a junction, rather than a normal Virtual
System (only the local Virtual System flag is applicable).

0x0004 If this flag is set, the SecureXL disables the reply counter of inbound encrypted traffic.
This makes SecureXL kernel module act in the same way as the VPN kernel module does.

0x0008 If this flag is set, the SecureXL enables the MSS Clamping.
Refer to the kernel parameters 'fw_clamp_tcp_mss' and 'fw_clamp_vpn_mss' in
sk101219.

0x0010 If this flag is set, the SecureXL disables the "No Match Ranges" (NMR) Templates (see
sk117755).

0x0020 If this flag is set, the SecureXL disables the "No Match Time" (NMT) Templates (see
sk117755).

0x0040 If this flag is set, the SecureXL does not send Drop Templates notifications (about dropped
packets) to the Firewall (to maintain the drop counters).
For example, if you set the value of the kernel parameter 'activate_optimize_drops_support_now'
to 1, it disables the Drop Templates notifications.

0x0080 If this flag is set, the SecureXL enables the MultiCore support for IPsec VPN (see sk118097).

0x0100 If this flag is set, the SecureXL enables the support for CoreXL Dynamic Dispatcher (see
sk105261).

0x0800 If this flag is set, the SecureXL does not enforce the Path MTU Discovery for IP multicast
packets.

0x1000 If this flag is set, the SecureXL disables the SIM "drop_templates" feature.

0x2000 If this flag is set, it indicates that an administrator enabled the Link Selection Load Sharing
feature.

0x4000 If this flag is set, the SecureXL disables the asynchronous notification feature.

0x8000 If this flag is set, it indicates that the Firewall Connections Table capacity is unlimited.


Examples:

Value Description

0x039 Means the sum of these flags:
- 0x001
- 0x008
- 0x010
- 0x020

0x00008a16 Means the sum of these flags:
- 0x0002
- 0x0004
- 0x0010
- 0x0200
- 0x0800
- 0x8000

0x00009a16 Means the sum of these flags:
- 0x0002
- 0x0004
- 0x0010
- 0x0200
- 0x0800
- 0x1000
- 0x8000

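The flag values above combine as a bitmask, so a value from the "F" or "SIM F" column is decoded by testing each documented bit. The Python script below is an added example, not Check Point code: it parses the data rows of /proc/ppk/ifs and decodes a mask against either of the two tables above. The flag labels are abbreviations of the descriptions in those tables. Two assumptions are made: the column values are hexadecimal printed without a 0x prefix (the page's own worked values are written as 0x039 and 0x00008a16), and the three-digit column values (480, 80, 280) belong to the first table, since 0x400, which is set in 480, is documented only there.

```python
"""Decode the "F" / "SIM F" configuration bitmasks of /proc/ppk/ifs.

Added example, not Check Point code.  Flag labels are abbreviations of
the descriptions on the page; the bit values are the documented ones.
Assumptions: the F / SIM F column values are hexadecimal printed without
a 0x prefix, and three-digit values belong to the first table (0x400,
set in the sample value 480, is documented only there).
"""

FLAGS_SET1 = {  # first table on the page, 0x001 .. 0x400
    0x001: "drop cut-through packets at end of inbound inspection",
    0x002: "notify Firewall on TCP state change",
    0x004: "set UDP checksum on UDP-encapsulated encrypted packets",
    0x008: "drop template matches when Connections Table reaches its limit",
    0x010: "forward fragments to Firewall",
    0x020: "no new connections from TCP templates",
    0x040: "periodic refresh notifications to Firewall",
    0x080: "no new connections from non-TCP templates",
    0x100: "allow seq-verification violations before 3-way handshake",
    0x200: "allow seq-verification violations after 3-way handshake",
    0x400: "forward TCP RST to Firewall",
}

FLAGS_SET2 = {  # second table on the page, 0x0001 .. 0x8000
    0x0001: "HitCount notifications",
    0x0002: "VSX Virtual System acts as a junction",
    0x0004: "reply counter of inbound encrypted traffic disabled",
    0x0008: "MSS clamping enabled",
    0x0010: "NMR templates disabled",
    0x0020: "NMT templates disabled",
    0x0040: "Drop Templates notifications disabled",
    0x0080: "MultiCore IPsec VPN enabled",
    0x0100: "CoreXL Dynamic Dispatcher support",
    0x0800: "no PMTU Discovery enforcement for IP multicast",
    0x1000: "SIM drop_templates disabled",
    0x2000: "Link Selection Load Sharing enabled",
    0x4000: "asynchronous notifications disabled",
    0x8000: "Firewall Connections Table capacity unlimited",
}


def decode_flags(value, table):
    """(bit, label) for every bit set in value, lowest bit first.

    A set bit that the table does not document is returned with the label
    "undocumented" rather than being dropped.
    """
    out, bit = [], 1
    while bit <= value:
        if value & bit:
            out.append((bit, table.get(bit, "undocumented")))
        bit <<= 1
    return out


def parse_ifs_row(line):
    """One data row of /proc/ppk/ifs -> dict, or None for header/separator.

    Only the first six columns are used (No, Interface, Address, IRQ, F,
    SIM F); their positions are unambiguous in the page's example output.
    """
    cells = [c.strip() for c in line.split("|")]
    if len(cells) < 6 or not cells[0].isdigit():
        return None
    return {
        "no": int(cells[0]),
        "interface": cells[1],
        "address": cells[2],
        "irq": int(cells[3]),
        "f": int(cells[4], 16),       # assumption: hex without 0x
        "sim_f": int(cells[5], 16),   # assumption: hex without 0x
    }


def parse_ifs(text):
    return [r for r in map(parse_ifs_row, text.splitlines()) if r]


# Sample constructed from three rows of the page's IPv4 example.
SAMPLE_IFS = """\
No | Interface | Address | IRQ | F | SIM F | Dev | Output Func | Features
---------------------------------------------------------------------------
2 | eth0 | 192.168.3.52 | 67 | 1 | 480 | 0xffff81023e5df000 | 0x000013a0
5 | eth3 | 0.0.0.0 | 67 | 1 | 80 | 0xffff810239b3d000 | 0x000013a0
10 | bond0 | 70.80.90.52 | 0 | 1 | 280 | 0xffff8101f1a0e000 | 0x000013a0
"""

if __name__ == "__main__":
    for row in parse_ifs(SAMPLE_IFS):
        print("%s  SIM F=0x%03x" % (row["interface"], row["sim_f"]))
        for bit, label in decode_flags(row["sim_f"], FLAGS_SET1):
            print("    0x%03x  %s" % (bit, label))
```

On a gateway, replace SAMPLE_IFS with the contents of /proc/ppk/ifs. Note that the second table above has no row for 0x0200 even though the 0x00008a16 example includes that bit; the decoder therefore reports bits it has no label for as "undocumented" instead of silently dropping them, which is what you want when comparing the flags of two gateways or two cluster members.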


/proc/ppk/mcast_statistics
Description
Contains SecureXL statistics for multicast traffic.

Note - This is the same information that the "fwaccel stats -m" command shows
(see "fwaccel stats" on page 1304).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/mcast_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/mcast_statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/mcast_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/mcast_statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/mcast_statistics


Name Value Name Value
-------------------- --------------- -------------------- ---------------
in packets 10100 out packets 0
if restricted 0 conns with down if 0
f2f packets 0 f2f bytes 0
dropped packets 0 dropped bytes 0
accel packets 0 accel bytes 0
mcast conns 0
[Expert@MyGW:0]#



/proc/ppk/nac
Description
Contains SecureXL statistics for Identity Awareness Network Access Control (NAC) traffic.

Note - This is the same information that the "fwaccel stats -n" command shows
(see "fwaccel stats" on page 1304).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/nac

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/nac

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/nac

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/nac

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/nac


Name Value Name Value
-------------------- --------------- -------------------- ---------------
NAC packets 0 NAC bytes 0
NAC connections 0 complience failure 0
[Expert@MyGW:0]#



/proc/ppk/notify_statistics
Description
Contains SecureXL statistics for notifications SecureXL sent to Firewall about accelerated connections.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/notify_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/notify_statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/notify_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/notify_statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/notify_statistics


Notification Packets Notification Packets
--------------------- -------------- --------------------- --------------
ntSAAboutToExpire 0 ntSAExpired 0
ntMSPIError 0 ntNoInboundSA 0
ntNoOutboundSA 0 ntDataIntegrityFailed 0
ntPossibleReplay 0 ntReplay 0
ntNextProtocolError 0 ntCPIError 0
ntClearTextPacket 0 ntFragmentation 0
ntUpdateUdpEncTable 0 ntSASync 0
ntReplayOutOfWindow 0 ntVPNTrafficReport 0
ntConnDeleted 0 ntConnUpdate 0
ntPacketDropped 0 ntSendLog 0
ntRefreshGTPTunnel 0 ntMcastDrop 0
ntAccounting 0 ntAsyncIndex 0
ntACkReordering 0 ntAccelAckInfo 0
ntMonitorPacket 0 ntPacketCapture 0
ntCpasPacketCapture 0 ntPSLGlueUpdateReject 0
ntSeqVerifyDrop 0 ntPacketForwardBefore 0
ntICMPMessage 0 ntQoSReclassifyPacket 0
ntQoSResumePacket 0 ntVPNEncHaLinkFailure 0
ntVPNEncLsLinkFailure 0 ntVPNEncRouteChange 0
ntVPNDecVerRouteChang 0 ntVPNDecRouteChange 0
ntMuxSimToFw 0 ntPSLEventLog 0
ntSendCPHWDStats 39375 ntPacketTaggingViolat 0
ntDosNotify 0 ntSynatkNotify 0
ntSynatkStats 0 ntQoSEventLog 0
ntPrintGetParam 0
[Expert@MyGW:0]#



/proc/ppk/profile_cpu_stat
Description
This file is for Check Point use only.
Contains IDs of the CPU cores and status of Traffic Profiling:
- The first column shows the IDs of the CPU cores.
- The second column shows the status of Traffic Profiling for the applicable CPU core.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/profile_cpu_stat

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/profile_cpu_stat

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/profile_cpu_stat

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/profile_cpu_stat

Example for IPv4 from a Security Gateway with 4 CPU cores

[Expert@MyGW:0]# cat /proc/ppk/profile_cpu_stat


0 0
1 0
2 0
3 0
[Expert@MyGW:0]#



/proc/ppk/rlc
Description
Contains SecureXL statistics for drops due to Rate Limiting for DoS Mitigation.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/rlc

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/rlc

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/rlc


Total drop packets : 0
Total drop bytes : 0
[Expert@MyGW:0]#



/proc/ppk/statistics
Description
Contains SecureXL overall statistics.
For a more readable presentation of these statistics, run the "fwaccel stats" command (see page 1304).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/statistics


Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/statistics


Name Value Name Value
-------------------- --------------- -------------------- ---------------
accel packets 0 accel bytes 0
outbound packets 0 outbound bytes 0
conns created 0 conns deleted 0
current total conns 0 TCP conns 0
non TCP conns 0 nat conns 0
dropped packets 728 dropped bytes 107978
fragments received 0 fragments transmit 0
fragments dropped 0 fragments expired 0
IP options stripped 0 IP options restored 0
IP options dropped 0 corrs created 0
corrs deleted 0 C corrections 0
corrected packets 0 corrected bytes 0
crypt conns 0 enc bytes 0
dec bytes 0 ESP enc pkts 0
ESP enc err 0 ESP dec pkts 0
ESP dec err 0 ESP other err 0
espudp enc pkts 0 espudp enc err 0
espudp dec pkts 0 espudp dec err 0
espudp other err 0 acct update interval 3600
CPASXL packets 0 PSLXL packets 0
CPASXL async packets 0 PSLXL async packets 0
CPASXL bytes 0 PSLXL bytes 0
CPASXL conns 0 PSLXL conns 0
CPASXL conns created 0 PSLXL conns created 0
PXL FF conns 0 PXL FF packets 0
PXL FF bytes 0 PXL FF acks 0
PXL no conn drops 0 PSL Inline packets 0
PSL Inline bytes 0 CPAS Inline packets 0
CPAS Inline bytes 0 Total QoS conns 0
CLASSIFY 0 CLASSIFY_FLOW 0
RECLASSIFY_POLICY 0 Enq-IN FW pkts 0
Enq-OUT FW pkts 0 Deq-IN FW pkts 0
Deq-OUT FW pkts 0 Enq-IN FW bytes 0
Enq-OUT FW bytes 0 Deq-IN FW bytes 0
Deq-OUT FW bytes 0 Enq-IN AXL pkts 0
Enq-OUT AXL pkts 0 Deq-IN AXL pkts 0
Deq-OUT AXL pkts 0 Enq-IN AXL bytes 0
Enq-OUT AXL bytes 0 Deq-IN AXL bytes 0
Deq-OUT AXL bytes 0 F2F packets 0
F2F bytes 0 TCP violations 0
F2V conn match pkts 0 F2V packets 0
F2V bytes 0 gtp tunnels created 0
gtp tunnels 0 gtp accel pkts 0
gtp f2f pkts 0 gtp spoofed pkts 0
gtp in gtp pkts 0 gtp signaling pkts 0
gtp tcpopt pkts 0 gtp apn err pkts 0
memory used 38799384 C tcp handshake conn 0
C tcp estab. conns 0 C tcp closed conns 0
C tcp pxl hnshk conn 0 C tcp pxl est. conn 0
C tcp pxl closed 0 ob cpasxl packets 0
ob pslxl packets 0 ob cpasxl bytes 0
ob pslxl bytes 0 DNS DoR stats 0
trimmed pkts
[Expert@MyGW:0]#



/proc/ppk/stats
Description
Contains the IRQ numbers and names of interfaces the SecureXL uses.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/stats

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/stats

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/stats


IRQ | Interface
---------------------------
18 eth0
16 eth1
17 eth2
18 eth3
19 eth4
[Expert@MyGW:0]#



/proc/ppk/viol_statistics
Description
Contains SecureXL statistics for violations - packets SecureXL forwarded (F2F) to the Firewall.

Note - This is the same information that the "fwaccel stats -p" command shows
(see "fwaccel stats" on page 1304).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/viol_statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/viol_statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/viol_statistics


Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 4
TCP-SYN miss conn 356 TCP-other miss conn 1386954
UDP miss conn 943355 other miss conn 0
VPN returned F2F 0 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
out if not def/accl 0 bridge, src=dst 0
routing decision err 0 sanity checks failed 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 250859051 cluster forward 0
chain forwarding 0 F2V conn match pkts 0
general reason 0 route changes 0

[Expert@MyGW:0]#

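The statistics files above (cqstats, drop_statistics, mcast_statistics, nac, notify_statistics, statistics and viol_statistics) all share one layout: a header line, a dashed separator, then one or two "<name> <value>" pairs per line, where names may contain spaces and values are integers. The Python script below is an added example, not Check Point code. It parses that layout into a dictionary and reports which counters grew between two reads, which is how you would watch "anti spoofing" or "Syn Attack" in drop_statistics, or "TCP-other miss conn" in viol_statistics, while traffic passes. The sample tables are constructed from the page's drop_statistics example; the non-zero values in the second snapshot are invented for the demonstration.

```python
"""Parse the "<name> <value>" counter tables under /proc/ppk/ and report
which counters grew between two reads.

Added example, not Check Point code.  The layout is the one shared by
cqstats, drop_statistics, mcast_statistics, nac, notify_statistics,
statistics and viol_statistics: a header line, a dashed separator, then
one or two pairs per line; names may contain spaces, values are
integers.  The sample tables are constructed from the page's
drop_statistics example; the non-zero values in the second snapshot are
invented for the demonstration.
"""
import re

SEPARATOR = re.compile(r"^[-\s]+$")


def parse_counters(text):
    """{name: value} for one counter table.

    Tokens are walked left to right: an integer token closes the pair
    whose name is the run of non-integer tokens before it.  The column
    header (the line right above the dashed separator) and shell prompts
    are skipped.  A trailing name with no value, like "trimmed pkts" in
    the page's statistics example, is kept with value None so it is not
    lost silently.
    """
    lines = text.splitlines()
    counters = {}
    for i, line in enumerate(lines):
        if not line.strip() or SEPARATOR.match(line) or line.lstrip().startswith("["):
            continue
        if i + 1 < len(lines) and SEPARATOR.match(lines[i + 1]):
            continue  # column header
        name = []
        for tok in line.split():
            if tok.isdigit():
                if name:
                    counters[" ".join(name)] = int(tok)
                name = []
            else:
                name.append(tok)
        if name:
            counters[" ".join(name)] = None
    return counters


def nonzero(counters):
    """Counters whose value is neither 0 nor None."""
    return {k: v for k, v in counters.items() if v}


def delta(before, after):
    """Counters that grew from one read to the next, and by how much.

    A counter absent from the first read counts from zero; a counter that
    went down (statistics reset, SecureXL restarted) is not reported.
    """
    out = {}
    for name, value in after.items():
        if value is None:
            continue
        grown = value - (before.get(name) or 0)
        if grown > 0:
            out[name] = grown
    return out


DROP_T0 = """\
Reason               Packets         Reason               Packets
-------------------- --------------- -------------------- ---------------
general reason       0               CPASXL decision      0
PSLXL decision       0               clr pkt on vpn       0
anti spoofing        0               local spoofing       0
DOS Rate Limiting    0               Syn Attack           0
Reorder              0               Defrag timeout       0
"""

DROP_T1 = """\
Reason               Packets         Reason               Packets
-------------------- --------------- -------------------- ---------------
general reason       0               CPASXL decision      0
PSLXL decision       3               clr pkt on vpn       0
anti spoofing        1532            local spoofing       0
DOS Rate Limiting    0               Syn Attack           2200
Reorder              0               Defrag timeout       0
"""

if __name__ == "__main__":
    grew = delta(parse_counters(DROP_T0), parse_counters(DROP_T1))
    for name, n in sorted(grew.items(), key=lambda kv: -kv[1]):
        print("%-20s +%d" % (name, n))
```

On a gateway, read /proc/ppk/drop_statistics (or viol_statistics) into the first snapshot, generate or wait for the traffic of interest, read it again into the second, and look at delta(). A growing "anti spoofing" or "Syn Attack" drop counter during a test tells you SecureXL itself is enforcing, while a growing "TCP-other miss conn" or "cluster message" violation counter tells you which traffic is leaving the accelerated path.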


SecureXL Debug
To understand how SecureXL processes the traffic, enable the SecureXL debug while the traffic passes
through the Security Gateway.

Warning - Debug increases the load on the Security Gateway's CPU. We recommend that you
schedule a maintenance window to debug SecureXL.



fwaccel dbg
Description
The fwaccel dbg command controls the SecureXL debug. See "SecureXL Debug" on page 1421.

Important - In a cluster, you must configure all the Cluster Members in the same way.

Syntax

fwaccel dbg
      -h
      -m <Name of SecureXL Debug Module>
      all
      + <Debug Flags>
      - <Debug Flags>
      reset
      -f {"<5-Tuple Debug Filter>" | reset}
      list
      resetall

Parameters

Parameter Description

-h Shows the applicable built-in help.

-m <Name of SecureXL Debug Module> Specifies the name of the SecureXL debug module.
To see the list of available debug modules, run:

fwaccel dbg

all Enables all debug flags for the specified debug module.


+ <Debug Flags> Enables the specified debug flags for the specified debug module:
Syntax:

+ Flag1 [Flag2 Flag3 ... FlagN]

Note - You must press the space bar key after the plus
(+) character.

- <Debug Flags> Disables the specified debug flags for the specified debug module.
Syntax:

- Flag1 [Flag2 Flag3 ... FlagN]

Note - You must press the space bar key after the minus
(-) character.

reset Resets all debug flags for the specified debug module to their
default state.

-f "<5-Tuple Debug Filter>" Configures the debug filter to show only debug messages that
contain the specified connection.
The filter is a string of five numbers separated with commas:

"<Source IP Address>,<Source
Port>,<Destination IP Address>,<Destination
Port>,<Protocol Number>"

Notes:
- You can configure only one debug filter at a time.
- You can use the asterisk "*" as a wildcard for an IP Address, Port number, or Protocol number.
- Enclose the filter in double quotes, as in the syntax above, so that the shell does not expand the asterisk as a file name pattern.
- For more information, see the IANA Service Name and Port Number Registry and IANA Protocol Numbers.

-f reset Resets the current debug filter.

list Shows all enabled debug flags in all debug modules.

resetall Resets all debug flags for all debug modules to their default state.


Example 1 - Default output

[Expert@MyGW:0]# fwaccel dbg


Usage: fwaccel dbg [-m <...>] [resetall | reset | list | all | +/- <flags>]
-m <module> - module of debugging
-h - this help message
resetall - reset all debug flags for all modules
reset - reset all debug flags for module
all - set all debug flags for module
list - list all debug flags for all modules
-f reset | "<5-tuple>" - filter debug messages
+ <flags> - set the given debug flags
- <flags> - unset the given debug flags

List of available modules and flags:

Module: default (default)


err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf stat
queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

Module: db
err get save del tmpl tmo init ant profile nmr nmt

Module: api
err init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf upd_if_inf
add_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_ver del_all_tmpl get_state
upd_link_sel

Module: pkt
err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user deliver vlan pkt
nat wrp corr caf

Module: infras
err reorder pm

Module: tmpl
err dtmpl_get dtmpl_notif tmpl

Module: vpn
err vpnpkt linksel routing vpn

Module: nac
err db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaq
init client server exp cbuf opreg transport transport_utils error

Module: synatk
init conf conn err log pkt proxy state msg

Module: adp
err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#


Example 2 - Enabling and disabling of debug flags


[Expert@MyGW:0]# fwaccel dbg -m default + err conn


Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)


err conn

Module: db (1)
err

Module: api (1)


err

Module: pkt (1)


err

Module: infras (1)


err

Module: tmpl (1)


err

Module: vpn (1)


err

Module: nac (1)


err

Module: cpaq (100)


error

Module: synatk (0)

Module: adp (1)


err

Module: dos (10)


err

Debug filter not set.


[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default - conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)


err

Module: db (1)
err

Module: api (1)


err

Module: pkt (1)


err

Module: infras (1)


err

Module: tmpl (1)


err


Module: vpn (1)


err

Module: nac (1)


err

Module: cpaq (100)


error

Module: synatk (0)

Module: adp (1)


err

Module: dos (10)


err

Debug filter not set.


[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default reset
Debug flags updated.
[Expert@MyGW:0]#

Example 3 - Resetting all debug flags in all debug modules

[Expert@MyGW:0]# fwaccel dbg resetall


Debug state was reset to default.
[Expert@MyGW:0]#

Example 4 - Configuring debug filter for an SSH connection from 192.168.20.30 to 172.16.40.50

[Expert@MyGW:0]# fwaccel dbg -f "192.168.20.30,*,172.16.40.50,22,6"


Debug filter was set.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: "<*,*,*,*,*>"


[Expert@MyGW:0]#

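The hexadecimal number after each module name in the "fwaccel dbg list" output is the module's flag mask. For every value shown in the examples above, bit i of the mask is the i-th flag in that module's list from the "fwaccel dbg" help output: default (2001) is bit 0 "err" plus bit 13 "conn", cpaq (100) is bit 8 "error", dos (10) is bit 4 "err". The "Debug flags" block of /proc/ppk/conf is consistent with the same masks indexed by module position in the help-output order (8 : 0x100 is cpaq "error", 9 : 0x8 is synatk "err"). The Python script below is an added example, not Check Point code. It parses both outputs, decodes masks to flag names, and reports modules that are not at their default state, which is the check the SecureXL Debug Procedure that follows asks for before and after collecting a debug. The sample outputs are constructed from Examples 1 and 2 above, cut down to a few modules; the assumption that "default state" means only the error flag is taken from the Example 2 listing after "reset".

```python
"""Decode the per-module masks printed by "fwaccel dbg list" and by the
"Debug flags" block of /proc/ppk/conf back into flag names.

Added example, not Check Point code.  It relies on one observation that
holds for every value on this page: bit i of a module's mask is the i-th
flag in that module's list from the "fwaccel dbg" help output, and the
/proc/ppk/conf block indexes the modules in that same order.  Samples are
constructed from the page's Examples 1 and 2, cut down to a few modules.
"""
import re

MODULE_RE = re.compile(r"^Module:\s+(\S+)\s*(?:\((\w+)\))?")
# Module order of the "fwaccel dbg" help output on the page; used to map
# the numeric indexes of /proc/ppk/conf to module names.
MODULE_ORDER = ("default db api pkt infras tmpl vpn nac "
                "cpaq synatk adp dos").split()


def parse_help(text):
    """{module: [flag, ...]} in printed order, from "fwaccel dbg" help output."""
    modules, current = {}, None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group(1)
            modules[current] = []
        elif current and line.strip():
            modules[current].extend(line.split())  # long flag lists wrap
    return modules


def parse_list(text):
    """({module: mask}, debug filter line) from "fwaccel dbg list" output."""
    masks, debug_filter = {}, None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(2) or "0", 16)
        elif line.startswith("Debug filter"):
            debug_filter = line.strip()
    return masks, debug_filter


def decode_mask(mask, flag_names):
    """Flag names for the bits set in mask; a bit beyond the known list is
    kept as "bit<i>" rather than dropped."""
    return [flag_names[i] if i < len(flag_names) else "bit%d" % i
            for i in range(mask.bit_length()) if mask >> i & 1]


def non_default(masks, help_modules):
    """Modules with anything enabled beyond their error flag.

    Assumption, taken from Example 2's listing after "reset": the default
    state of every module is its error flag only ("err", or "error" for
    cpaq) or nothing at all (synatk).
    """
    out = {}
    for mod, mask in masks.items():
        extra = [f for f in decode_mask(mask, help_modules.get(mod, []))
                 if f not in ("err", "error")]
        if extra:
            out[mod] = extra
    return out


def decode_conf(text, help_modules, order=MODULE_ORDER):
    """Decode the "<index> : 0x<mask>" lines of /proc/ppk/conf."""
    out = {}
    for m in re.finditer(r"^\s*(\d+)\s*:\s*0x([0-9a-f]+)\s*$", text, re.M | re.I):
        idx, mask = int(m.group(1)), int(m.group(2), 16)
        if idx < len(order):
            name = order[idx]
            out[name] = decode_mask(mask, help_modules.get(name, []))
    return out


HELP = """\
Module: default (default)
err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf stat
queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat
Module: db
err get save del tmpl tmo init ant profile nmr nmt
Module: cpaq
init client server exp cbuf opreg transport transport_utils error
Module: synatk
init conf conn err log pkt proxy state msg
Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop
"""

LIST = """\
Module: default (2001)
err conn
Module: db (1)
err
Module: cpaq (100)
error
Module: synatk (0)
Module: dos (10)
err
Debug filter not set.
"""

if __name__ == "__main__":
    mods = parse_help(HELP)
    masks, flt = parse_list(LIST)
    print("not at default:", non_default(masks, mods), "|", flt)
```

On a gateway, capture "fwaccel dbg" once (the flag lists) and "fwaccel dbg list" before and after a debug session; an empty non_default() result together with "Debug filter not set." is what you expect after "fwaccel dbg resetall". The same decode applies to the "Debug flags" block of /proc/ppk/conf, which is useful when you only have a saved copy of that file.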

SecureXL Debug Procedure


By default, SecureXL writes the output debug information to the /var/log/messages file.
To collect the applicable SecureXL debug and to make its analysis easier, perform the steps below.

Note - For more information, see the R80.40 Next Generation Security Gateway
Guide - Chapter Kernel Debug on Security Gateway.

Important:
- We strongly recommend that you schedule a full maintenance window to minimize the
impact on your production traffic.
- We strongly recommend that you connect to your Security Gateway over a serial console,
so that you can still work with the CLI if the debug drives the CPU load high.
- In a cluster, you must collect this debug from all Cluster Members in the same way.
- Debug a specific SecureXL instance only when you are sure that only that SecureXL
instance processes the traffic.

Procedure

1. Connect to the command line on your Security Gateway

Use an SSH or a console connection.

Best Practice - Use a console connection.

2. Log in to the Expert mode

If the default shell is Gaia Clish, then run:

expert

3. Reset all kernel debug flags in all kernel debug modules

Run:

fw ctl debug 0

4. Reset all the SecureXL debug flags in all SecureXL debug modules

- For all SecureXL instances, run:

fwaccel dbg resetall


- For a specific SecureXL instance, run:

fwaccel -i <SecureXL ID> dbg resetall

5. Allocate the kernel debug buffer

Run:

fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}]

Note - The optional part "-v {"<List of VSIDs>" | all}" specifies the applicable
Virtual Systems on a VSX Gateway or VSX Cluster Member.

6. Make sure the Security Gateway allocated the kernel debug buffer

Run:

fw ctl debug | grep buffer

7. Configure the applicable kernel debug modules and kernel debug flags

Run:

fw ctl debug -m <Name of Kernel Debug Module> {all | + <Kernel Debug Flags>}

8. Configure the applicable SecureXL debug modules and SecureXL debug flags

- For all SecureXL instances, run:

fwaccel dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}

- For a specific SecureXL instance, run:

fwaccel -i <SecureXL ID> dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}

See "SecureXL Debug Modules and Debug Flags" on page 1432.

9. Examine the kernel debug configuration for kernel debug modules

Run:

fw ctl debug

10. Examine the SecureXL debug configuration for SecureXL debug modules

- For all SecureXL instances, run:

fwaccel dbg list


- For a specific SecureXL instance, run:

fwaccel -i <SecureXL ID> dbg list

11. Remove all entries from both the Firewall Connections table and SecureXL
Connections table

Run:

fw tab -t connections -x -y

Important:
- This step makes sure that the debug you collect reflects the real issue and is not
affected by existing connections.
- This command deletes all existing connections. This interrupts all connections,
including your SSH session. Run this command only if you are connected to your
Security Gateway over a serial console.

12. Remove all entries from the Firewall Templates table

Run:

fw tab -t cphwd_tmpl -x -y

Note - This command does not interrupt the existing connections. This step
makes sure that you collect the debug of the real issue that is not affected by
the existing connection templates.

13. Start the kernel debug

Run:

fw ctl kdebug -T -f > /var/log/kernel_debug.txt

14. Replicate the issue, or wait for the issue to occur

Perform the steps that cause the issue to occur, or wait for it to occur.

15. Stop the kernel debug

Press CTRL+C.

16. Reset all kernel debug flags in all kernel debug modules

Run:

fw ctl debug 0

17. Reset all the SecureXL debug flags in all SecureXL debug modules


- For all SecureXL instances, run:

fwaccel dbg resetall

- For a specific SecureXL instance, run:

fwaccel -i <SecureXL ID> dbg resetall

18. Examine the kernel debug configuration to make sure it returned to the default

Run:

fw ctl debug

19. Examine the SecureXL debug configuration to make sure it returned to the default

- For all SecureXL instances, run:

fwaccel dbg list

- For a specific SecureXL instance, run:

fwaccel -i <SecureXL ID> dbg list

20. Collect and analyze the debug output file

Path to the debug output file:

/var/log/kernel_debug.txt

Best Practice - Compress this file with the tar -zcvf command (-c creates the archive;
-x would try to extract one) and transfer it from the Security Gateway to your computer.
If you transfer it to an FTP server, use binary mode.

SecureXL Debug Modules and Debug Flags


To see the available SecureXL debug modules and their debug flags, run the "fwaccel dbg" on page 1422
command.

Module "default"

Flag Description

acct Connection accounting information

ant Anticipated connections

conf Configuration of the SecureXL (for example, interfaces)

conn Processing of connections

conn_app Processing of connections

corr Correction layer

cpdrv Currently not in use

del Deletion of connections

drv Driver information

err General errors

gtp Processing of GTP tunnel connections

gtp_pkt Processing of GTP tunnel packets

htab Hash table

infra_ids Allocating IDs for a given range in Identity Awareness

init Initialization

ioctl Changes in the configuration, which were initiated from the user space

iter Connection table iterator

kdrv Driver information

lock Lock initializing and finalizing

nat Processing of NAT connections

offload Offloading of connections from the Firewall to the SecureXL

queue Connections queue


relations Related connections (such as FTP data connections)

rngs Handling of SecureXL ranges

rngs_print Printing of SecureXL ranges

routing Handling of SecureXL routing

stat Handling of SecureXL statistics

svm Registering templates or connections for System Counters in the Security Gateway
object in SmartConsole

tag Tags that were added to the packets by the SecureXL before forwarding them to the
Firewall

tcp_sv Verification of sequence in TCP packets

update Updates of connections

util Utilization

Module "pkt" (Packet)

Flag Description

acct Connection accounting information

caf Mirror and Decrypt feature - Mirror only of all traffic

corr Correction layer

cpls ClusterXL Load Sharing

deliver Packet delivery

drop Packets dropped by SecureXL

err General errors

f2f Reason for forwarding a packet to the Firewall

frag Processing of fragments

nat Processing of NAT connections

notif Notifications sent to the Firewall

pkt Processing of packets


pxl PXL (PacketXL) handling - API between the SecureXL and PSL (Packet Streaming Layer),
which is a TCP Streaming engine that parses TCP streams

qos QoS acceleration

routing Handling of SecureXL routing

spoof Handling of SecureXL Anti-Spoofing

sv Validation of sequence in TCP packets

tcp_state Validation of TCP state in TCP packets

tcp_state_pkt Validation of TCP packets

user Currently not in use

vlan Handling of VLAN tags

wrp Handling of WRP interfaces in VSX

Module "db" (Database)

Flag Description

ant Anticipated connections

del Deleting of data from the SecureXL database

err General errors

get Retrieving of data from the SecureXL database

init Initializing and finalizing of SecureXL database

nmr "No Match Ranges" templates, which allow SecureXL Accept Templates for rules that contain Dynamic objects or Domain objects (or for rules located below such rules)

nmt "No Match Time" templates, which allow SecureXL Accept Templates for rules that contain Time objects (or for rules located below such rules)

profile Operations on profile table

save Saving of data to the SecureXL database

tmo Handling of timeouts for SecureXL database entries

tmpl Handling of SecureXL templates database

Module "api" (Application Programmable Interface)

Flag Description

acct Connection accounting information

add Adding of connections

add_sa Offloading of VPN SA to SecureXL

conf Configuration of the SecureXL (for example, interfaces)

del Deletion of connections

del_all_sas Deletion of all VPN SAs from SecureXL

del_all_tmpl Deletion of the SecureXL Templates

del_sa Deletion of VPN SA from SecureXL

err General errors

get_features Getting features buffer (in SecureXL initialization)

get_stat Retrieving of SecureXL statistics

get_state Getting the connection state from SecureXL

get_tab Some extra printouts when processing SecureXL tables

gtp Processing of GTP tunnel connections

infra SecureXL infrastructure

init Enabling and disabling of SecureXL

long_ver Prints additional verbose information about connections

misc Prints additional information about SecureXL internals

notif Notifications sent to the Firewall

pxl PXL (PacketXL) handling - API between the SecureXL and PSL (Packet Streaming Layer), which is a TCP Streaming engine that parses TCP streams

qos QoS acceleration

reset_stat Prints statistics IDs that are reset

stat Handling of SecureXL statistics

sv Validation of sequence in TCP packets

tag Tags that were added to the packets by the SecureXL before forwarding them to the Firewall

tmpl Handling of SecureXL Templates

tmpl_info Information about SecureXL Templates

upd_conf Update of SecureXL in ClusterXL Load Sharing

upd_if_inf Prints some text that shows if SecureXL updated information about interfaces

upd_link_sel Updates of VPN Link Selection

update Updates of connections

vpn Processing of VPN connection

Module "adp"

Reserved for future use.

Module "infras" (Identity Awareness - Identities Infrastructure)

Flag Description

err General errors

pm Pattern Matcher

reorder Reordering of packets in queue

Module "nac" (Identity Awareness - Network Access Control)

Flag Description

db Updating, adding, deleting of identities

db_get Updating, fetching, searching of identities

err General errors

idnt Identity Tags

ioctl Changes in the configuration, which were initiated from the user space

nac Network Access Control

offload Offloading of connections from the Firewall to the SecureXL

pkt Forwarding of connections to Firewall (when identity is not found or revoked, or NAC packet tagging verification failed)

pkt_ex NAC packet-tagging verification

signature Signing of packets

Module "vpn" (VPN)

Flag Description

err General errors

linksel VPN Link Selection

routing VPN Encryption routing information

vpn Processing of VPN connections

vpnpkt Processing of VPN packets

Module "cpaq" (Internal Asynchronous Queue)

Flag Description

cbuf Information about queue buffers

client Information about queue clients

error General errors

exp Information about expiration of queue items

init Initializing of queue

opreg Currently not in use

server Information about queue servers

transport Information about sending messages in queue

transport_utils Additional information about sending messages in queue

Module "dos" (Denial of Service Defender)

Flag Description

detailed Detailed tracing of DoS Rate Limiting logic in the packet flow.
Important - This debug flag is not suitable for large traffic volumes because it prints a large number of messages. This causes high load on the CPU.

drop Dropped packets

err General errors

fw1-cfg Information about DoS Rate Limiting configuration in the Firewall kernel module

fw1-pkt Information about DoS Rate Limiting packet flow in the Firewall kernel module

sim-cfg Information about DoS Rate Limiting configuration in the SecureXL kernel module

sim-pkt Information about DoS Rate Limiting packet flow in the SecureXL kernel module

Module "synatk" (Accelerated SYN Defender)

Flag Description

conf Receiving and updating of Accelerated SYN Defender module's configuration

conn Handling of TCP connections

err General errors

init Initializing of the Accelerated SYN Defender module

log Prints time of the last sent monitor log and interval between the monitor logs

msg Information about internal messages in the Accelerated SYN Defender module

pkt Handling of TCP packets

proxy Currently not in use

state Information about states of the Accelerated SYN Defender module


Module "tmpl" (Drop Templates)

Flag Description

err General errors

dtmpl_get Getting of Drop Templates

dtmpl_notif Notifications about Drop Templates

tmpl Information about Drop Templates

CoreXL Commands
For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide - Chapter CoreXL.

cp_conf corexl
Description
Enables or disables CoreXL.
For more information, see the R80.40 Performance Tuning Administration Guide.

Important:
- This command is for Check Point use only. To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on page 892 menu.
- After all changes in CoreXL configuration on the Security Gateway, you must reboot it.
- In Cluster, you must configure all the Cluster Members in the same way.

Syntax
- To enable CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall instances:

cp_conf corexl [-v] enable [n] [-6 k]

- To disable CoreXL:

cp_conf corexl [-v] disable

The related command is "fwboot corexl" on page 1116.

Parameters

Parameter Description

-v Leaves the high memory (vmalloc) unchanged.

n Denotes the number of IPv4 CoreXL Firewall instances.

k Denotes the number of IPv6 CoreXL Firewall instances.

Example
Currently, the Security Gateway runs two IPv4 CoreXL Firewall instances (KERN_INSTANCE_NUM = 2).
We change the number of IPv4 CoreXL Firewall instances to three.

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 2
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# cp_conf corexl -v enable 3
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# reboot
.. ... ...
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10
[Expert@MyGW:0]#
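The example above changes KERN_INSTANCE_NUM and then confirms the new instance count with "fw ctl multik stat" after the reboot. The following script is an added example (not code from the Check Point guide) that automates that confirmation: it counts the active instance rows in the "fw ctl multik stat" output, reads KERN_INSTANCE_NUM from the boot.conf text, and reports whether the two agree. Both inputs are passed as text so the check runs offline; the sample inputs are constructed copies of the example output above, and the function and variable names are this example's own.

```shell
# Added example: check that the running CoreXL Firewall instance count matches
# KERN_INSTANCE_NUM in /etc/fw.boot/boot.conf. Inputs are plain text, so on a
# live gateway call: corexl_check "$(fw ctl multik stat)" "$(cat /etc/fw.boot/boot.conf)"

# Count instance rows in "fw ctl multik stat" output. A row starts with a numeric
# instance ID in the first "|"-separated column; the header and dashed line do not.
multik_stat_instance_count() {
    printf '%s\n' "$1" | awk -F'|' '
        $1 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ { n++ }
        END { print n + 0 }'
}

# Count only the instance rows whose Active column reads "Yes".
multik_stat_active_count() {
    printf '%s\n' "$1" | awk -F'|' '
        $1 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ && $2 ~ /Yes/ { n++ }
        END { print n + 0 }'
}

# Read the KERN_INSTANCE_NUM value from boot.conf text; -1 if the key is absent.
boot_conf_instances() {
    printf '%s\n' "$1" | awk '
        $1 == "KERN_INSTANCE_NUM" { print $2; found = 1 }
        END { if (!found) print "-1" }'
}

# Compare configured and active counts. Exit status 0 on match, 1 on mismatch.
corexl_check() {
    stat_out="$1"; boot_conf="$2"
    running=$(multik_stat_active_count "$stat_out")
    configured=$(boot_conf_instances "$boot_conf")
    if [ "$running" -eq "$configured" ]; then
        echo "ok: $running CoreXL Firewall instances active, boot.conf configures $configured"
        return 0
    fi
    echo "mismatch: $running active instances, boot.conf configures $configured (reboot pending?)"
    return 1
}

# Constructed sample inputs modelled on the example above: boot.conf already
# updated to 3 instances, "stat" output from before and after the reboot.
SAMPLE_BOOT_CONF='CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4'
SAMPLE_STAT_BEFORE='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11'
SAMPLE_STAT_AFTER='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10'

corexl_check "$SAMPLE_STAT_BEFORE" "$SAMPLE_BOOT_CONF" || true   # mismatch until reboot
corexl_check "$SAMPLE_STAT_AFTER" "$SAMPLE_BOOT_CONF"             # ok after reboot
```

A mismatch is the expected state between "cp_conf corexl" and the reboot; seeing it afterwards means the boot configuration did not take effect and is worth investigating before relying on the new instance count. In a Cluster, run the same check on every Cluster Member, since the guide requires identical configuration on all of them.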

dynamic_split
Description
On Check Point Appliances, R80.40 added the ability to change the number of CoreXL Firewall and SND
instances without reboot (Dynamic Split).

Important:
- By default, this feature is disabled.
- We do not recommend manual configuration of CoreXL Firewall and SND instances, because such configuration disables the CoreXL Dynamic Split. To enable the CoreXL Dynamic Split again, you must disable it and enable it.
- CoreXL Dynamic Split does not support:
  - Check Point Appliances with fewer than 8 CPU cores.
  - Check Point Appliances that run in VSX mode (regardless of the number of CPU cores).
  - Open Servers or Virtual Machines.

The dynamic_split command controls the Dynamic Split of CoreXL Firewall and SND instances on the local
Security Gateway, or Cluster Member.
For more information, see R80.40 Performance Tuning Administration Guide - Chapter CoreXL.

Syntax

dynamic_split
      -o disable
      -o enable
      -o start
      -o stop

Important:
- You must run these commands in the Expert mode.
- In Cluster, you must configure all the Cluster Members in the same way.

Parameters

Parameter Description

No Parameters Shows the applicable built-in help.

-o disable Disables the CoreXL Dynamic Split.
Important:
- When you disable this feature, the CoreXL configuration returns to the default.
- After you disable this feature, the Security Gateway requires a reboot. The command shows the applicable message.

-o enable Enables the CoreXL Dynamic Split.
Important:
- After you enable this feature, the Security Gateway requires a reboot. The command shows the applicable message.
- After the boot, you can stop and start this feature without reboot.

-o start Starts the CoreXL Dynamic Split after it was stopped.
Important:
- When you start this feature, the Security Gateway continues to change the CoreXL split configuration automatically based on the CPU utilization.
- This change survives the reboot.

-o stop Stops the CoreXL Dynamic Split.
Important:
- When you stop this feature, the Security Gateway uses the last CoreXL split configuration.
- This change does not survive the reboot.

fw ctl multik
Description
The fw ctl multik and fw6 ctl multik commands control CoreXL for IPv4 and IPv6, respectively.

Syntax for IPv4

fw ctl multik
      add_bypass_port <options>
      del_bypass_port <options>
      dynamic_dispatching <options>
      gconn <options>
      get_instance <options>
      print_heavy_conn
      prioq <options>
      show_bypass_ports
      stat
      start
      stop
      utilize

Syntax for IPv6

fw6 ctl multik
      add_bypass_port <options>
      del_bypass_port <options>
      dynamic_dispatching <options>
      gconn <options>
      get_instance <options>
      print_heavy_conn
      prioq <options>
      show_bypass_ports
      stat
      start
      stop
      utilize

Parameters

Parameter Description

add_bypass_port <options> Adds the specified TCP and UDP ports to the CoreXL Dynamic Dispatcher bypass list.
See "fw ctl multik add_bypass_port" on page 1448.

del_bypass_port <options> Removes the specified TCP and UDP ports from the CoreXL Dynamic Dispatcher bypass list.
See "fw ctl multik del_bypass_port" on page 1450.

dynamic_dispatching <options> Shows and controls CoreXL Dynamic Dispatcher (see sk105261).
See "fw ctl multik dynamic_dispatching" on page 1452.

gconn <options> Shows statistics about CoreXL Global Connections.
See "fw ctl multik gconn" on page 1453.

get_instance <options> Shows CoreXL Firewall instance that processes the specified IPv4 connection.
See "fw ctl multik get_instance" on page 1458.

print_heavy_conn Shows the table with Heavy Connections (that consume the most CPU resources) in the CoreXL Dynamic Dispatcher.
See "fw ctl multik print_heavy_conn" on page 1460.

prioq <options> Configures the CoreXL Firewall Priority Queues (see sk105762).
See "fw ctl multik prioq" on page 1462.

show_bypass_ports Shows the TCP and UDP ports configured in the bypass port list of the CoreXL Dynamic Dispatcher.
See "fw ctl multik show_bypass_ports" on page 1463.

stat Shows the CoreXL status.
See "fw ctl multik stat" on page 1464.

start Starts all CoreXL Firewall instances on-the-fly.
See "fw ctl multik start".

stop Stops all CoreXL Firewall instances temporarily.
See "fw ctl multik stop" on page 1467.

utilize Shows the CoreXL queue utilization for each CoreXL Firewall instance.
See "fw ctl multik utilize" on page 1468.

fw ctl multik add_bypass_port
Description
Adds the specified TCP and UDP ports to the bypass port list of the CoreXL Dynamic Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261.

Important - This command saves the configuration in the $FWDIR/conf/dispatcher_bypass.conf file. You must not edit this file manually.

Syntax

fw ctl multik add_bypass_port <Port Number 1>,<Port Number 2>,...,<Port Number N>

Parameters

Parameter Description

<Port Number> Specifies the numbers of TCP and UDP ports to add to the list.

Important - You can add 10 ports maximum.


Example

[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]
[Expert@MyGW:0]# fw ctl multik add_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888,9999)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999
[Expert@MyGW:0]
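The command writes $FWDIR/conf/dispatcher_bypass.conf, which you must not edit by hand, and accepts at most 10 ports. The following script is an added example (not code from the Check Point guide) that validates a candidate port list against the current file contents before the real command is run: every port must be an integer in 1-65535, must not already be in the list, and the merged list must stay within the 10-port limit. The file format it parses is the one shown in the example above; the sample file contents are constructed, and the function names and the "bypass_add_checked" wrapper are this example's own.

```shell
# Added example: pre-flight validation for "fw ctl multik add_bypass_port".
# The current bypass list is passed as the text of dispatcher_bypass.conf, so the
# functions can be exercised offline with constructed input.

# Extract the current port table ("a,b,c", possibly empty) from the conf text.
bypass_current_ports() {
    printf '%s\n' "$1" | sed -n 's/^dynamic_dispatcher_bypass_port_table[[:space:]]*=[[:space:]]*//p'
}

# Usage: bypass_validate "<conf text>" "<new ports, comma-separated>"
# Prints the merged list and returns 0 on success; prints an error and returns 1
# on the first problem found.
bypass_validate() {
    conf="$1"; new="$2"
    current=$(bypass_current_ports "$conf")
    merged="$current"
    old_ifs="$IFS"; IFS=','
    for p in $new; do
        case "$p" in
            ''|*[!0-9]*) IFS="$old_ifs"; echo "error: '$p' is not a port number"; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS="$old_ifs"; echo "error: port $p out of range 1-65535"; return 1
        fi
        case ",$merged," in
            *",$p,"*) IFS="$old_ifs"; echo "error: port $p already in bypass list"; return 1 ;;
        esac
        merged="${merged:+$merged,}$p"
    done
    IFS="$old_ifs"
    # Count entries in the merged list; an empty list has zero entries.
    count=$(printf '%s\n' "$merged" | awk -F',' '{ print ($0 == "") ? 0 : NF }')
    if [ "$count" -gt 10 ]; then
        echo "error: $count ports would exceed the 10-port limit"; return 1
    fi
    echo "$merged"
}

# Live-gateway wrapper (hypothetical, not a Check Point command): validate against
# the real file, then run the documented command with the original port argument.
bypass_add_checked() {
    msg=$(bypass_validate "$(cat "$FWDIR/conf/dispatcher_bypass.conf")" "$1") \
        || { echo "$msg" >&2; return 1; }
    fw ctl multik add_bypass_port "$1"
}

# Constructed sample file contents, matching the format shown in the example above.
SAMPLE_CONF='dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999'
SAMPLE_EMPTY_CONF='dynamic_dispatcher_bypass_ports_number = 0'

bypass_validate "$SAMPLE_CONF" "7777"            # prints 8888,9999,7777
bypass_validate "$SAMPLE_CONF" "9999" || true    # error: already in list
bypass_validate "$SAMPLE_CONF" "1,2,3,4,5,6,7,8,9" || true   # error: 11 ports
```

Validating before the call matters because the command itself rewrites the configuration file; catching a duplicate or an over-limit list beforehand avoids having to repair the list with "fw ctl multik del_bypass_port" afterwards.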

fw ctl multik del_bypass_port
Description
Removes the specified TCP and UDP ports from the bypass port list of the CoreXL Dynamic Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261.

Important - This command saves the configuration in the $FWDIR/conf/dispatcher_bypass.conf file. You must not edit this file manually.

Syntax

fw ctl multik del_bypass_port <Port Number 1>,<Port Number 2>,...,<Port Number N>

Parameters

Parameter Description

<Port Number> Specifies the numbers of TCP and UDP ports to remove from the list.


Example

[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]
[Expert@MyGW:0]# fw ctl multik add_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888,9999)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999
[Expert@MyGW:0]
[Expert@MyGW:0]# fw ctl multik del_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]

fw ctl multik dynamic_dispatching
Description
Shows and controls the CoreXL Dynamic Dispatcher, which dynamically assigns new connections to CoreXL Firewall instances based on the utilization of CPU cores.
For more information, see sk105261.

Syntax for IPv4

fw ctl multik dynamic_dispatching
      get_mode
      off
      on

Syntax for IPv6

fw6 ctl multik dynamic_dispatching
      get_mode
      off
      on

Parameters

Parameter Description

get_mode Shows the current state of the CoreXL Dynamic Dispatcher.

off Disables the CoreXL Dynamic Dispatcher.

on Enables the CoreXL Dynamic Dispatcher.

Example

[Expert@MyGW:0]# fw ctl multik dynamic_dispatching get_mode
Current mode is Off
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik dynamic_dispatching on
New mode is: On
Please reboot the system
[Expert@MyGW:0]#

fw ctl multik gconn
Description
Shows statistics about CoreXL Global Connections that Security Gateway stores in the kernel table fw_multik_ld_gconn_table.
The CoreXL Global Connections table contains information about which CoreXL Firewall instance owns
which connections.

Notes:
- This command does not support VSX.
- This command does not support IPv6.

Syntax

fw [-d] ctl multik gconn
      -h
      -p
      -s
      -sec
      -seg <Number>

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

none Shows the default information about the CoreXL Global Connections (see Example 1 below).

-h Shows the built-in help.

-p Shows the additional information about each CoreXL Firewall instance, including the information about Firewall Priority Queues:
- I/O (In or Out)
- Inst. ID (CoreXL Firewall instance ID)
- Flags
- Seq (Sequence)
- Hold_ref (Hold reference)
- Prio (Firewall Priority Queues mode)
- last_enq_jiff (Jiffies since last enqueue)
- queue_indx (Queue index number)
- conn_tokens (Connection Tokens)

-s Shows the total number of global connections.

-sec Shows the additional information about each CoreXL Firewall instance:
- I/O (In or Out)
- Inst. ID (CoreXL Firewall instance ID)
- Flags
- Seq (Sequence)
- Hold_ref (Hold reference)

-seg <Number> Shows the default information about the specified Global Connections Segment.


Example 1 - Default information

[Expert@MyGW:0]# fw ctl multik gconn
Default:

==========================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|
==========================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.52 | 54216 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 54216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
==========================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament.
[Expert@MyGW:0]#

Example 2 - Summary information only

[Expert@MyGW:0]# fw ctl multik gconn -s
Summary:
Total number of global connections: 12
[Expert@MyGW:0]#


Example 3 - Additional information about each CoreXL Firewall instance, including the information about Firewall Priority Queues

[Expert@MyGW:0]# fw ctl multik gconn -p
Instance section prio info:

===================================================================================================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|Inst. Section: I/O|Inst. ID|Flags| Seq | Hold_ref |Prio:|last_enq_jiff|queue_indx|conn_tokens
===================================================================================================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 35883 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 494 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.52 | 35883 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 280 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 219 | 0 |Prio:| 0 | -1 | 0 |
===================================================================================================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament. In - inbound. Out - outbound.
[Expert@MyGW:0]#


Example 4 - Additional information about each CoreXL Firewall instance

[Expert@MyGW:0]# fw ctl multik gconn -sec
Instance section:

==================================================================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|Inst. Section: I/O|Inst. ID|Flags| Seq | Hold_ref |
==================================================================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.52 | 52864 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 2 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 2 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 60186 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 76 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 479 | 0 |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 52864 | 6 |FP .. ..| No | 0/0 | 2 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 2 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 257 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 219 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.53 | 60186 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
==================================================================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament. In - inbound. Out - outbound.
[Expert@MyGW:0]#

fw ctl multik get_instance
Description
Shows CoreXL Firewall instance that processes the specified IPv4 connection.

Important - This command works only if the CoreXL Dynamic Dispatcher is disabled (see sk105261).

Syntax
- To show the CoreXL Firewall instance that processes the specified IPv4 connection:

fw ctl multik get_instance sip=<Source IPv4 Address> dip=<Destination IPv4 Address> proto=<Protocol Number>

- To show the CoreXL Firewall instance that processes the specified range of IPv4 connections:

fw ctl multik get_instance sip=<Source IPv4 Address Start>-<Source IPv4 Address End> dip=<Destination IPv4 Address Start>-<Destination IPv4 Address End> proto=<Protocol Number>

Parameters

Parameter Description

<Source IPv4 Address> Source IPv4 address of the specified connection

<Source IPv4 Address Start> First source IPv4 address of the specified range of IPv4 addresses

<Source IPv4 Address End> Last source IPv4 address of the specified range of IPv4 addresses

<Destination IPv4 Address> Destination IPv4 address of the specified connection

<Destination IPv4 Address Start> First destination IPv4 address of the specified range of IPv4 addresses

<Destination IPv4 Address End> Last destination IPv4 address of the specified range of IPv4 addresses

<Protocol Number> See IANA Protocol Numbers. For example:
- 1 = ICMP
- 6 = TCP
- 17 = UDP


Example for specified IPv4 connection:

[Expert@MyGW:0]# fw ctl multik get_instance sip=192.168.2.3 dip=172.30.241.66 proto=6
protocol: 6
192.168.2.3 -> 172.30.241.66 => 3
[Expert@MyGW:0]#

Example for specified range of IPv4 connections:

[Expert@MyGW:0]# fw ctl multik get_instance sip=192.168.2.3-192.168.2.8 dip=172.30.241.66 proto=6
protocol: 6
192.168.2.3 -> 172.30.241.66 => 3
192.168.2.4 -> 172.30.241.66 => 0
192.168.2.5 -> 172.30.241.66 => 3
192.168.2.6 -> 172.30.241.66 => 5
192.168.2.7 -> 172.30.241.66 => 4
192.168.2.8 -> 172.30.241.66 => 5
[Expert@MyGW:0]#

fw ctl multik print_heavy_conn
Description
Shows the table with Heavy Connections (that consume the most CPU resources) in the CoreXL Dynamic
Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261.
CoreXL suspects that a connection is "heavy" if it meets these conditions:
- Security Gateway detected the suspected connection during the last 24 hours
- The suspected connection lasts more than 10 seconds
- CoreXL Firewall instance that processes this connection causes a CPU load of over 60%
- The suspected connection utilizes more than 50% of the total work the applicable CoreXL Firewall instance does
The output table shows this information about the Heavy Connections:
- Source IP address
- Source Port
- Destination IP address
- Destination Port
- Protocol Number
- CoreXL Firewall instance ID that processes this connection
- CoreXL Firewall instance load on the CPU
- Connection's relative load on the CoreXL Firewall instance

Notes:
- This command shows the suspected heavy connections even if they are already closed.
- In the "cpview" on page 921 utility, go to CPU > Top-Connections > InstancesX-Y > InstanceZ. Refer to the Top Connections section.

Syntax

fw [-d] ctl multik print_heavy_conn

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl multik print_heavy_conn
Source: 192.168.20.31; SPort: 51006; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50994; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50992; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
[Expert@MyGW:0]#
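Each output record above carries the eight fields the description lists (source, source port, destination, destination port, protocol, instance, instance load, connection load). When several heavy connections hit the same server and port, as in the example, a per-destination summary is easier to act on than the raw list. The following script is an added example (not code from the Check Point guide) that parses these records, filters them by connection load, and aggregates them by destination, port and protocol. The sample records are constructed: three are copies of the example output above and a fourth was added so that the aggregation has more than one group. The function names are this example's own.

```shell
# Added example: parse and summarise "fw ctl multik print_heavy_conn" output.
# On a live gateway pass "$(fw ctl multik print_heavy_conn)" as the argument.

# Turn each "Source: ...; SPort: ...; ..." record into one tab-separated line:
# src  sport  dst  dport  proto  instance  instance_load  conn_load  (loads in %)
heavy_conn_parse() {
    printf '%s\n' "$1" | awk -F'; ' '
        /^Source:/ {
            src = sport = dst = dport = proto = inst = iload = cload = ""
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f ~ /^Source: /)                { sub(/^Source: /, "", f); src = f }
                else if (f ~ /^SPort: /)            { sub(/^SPort: /, "", f); sport = f }
                else if (f ~ /^Dest: /)             { sub(/^Dest: /, "", f); dst = f }
                else if (f ~ /^DPort: /)            { sub(/^DPort: /, "", f); dport = f }
                else if (f ~ /^IPP: /)              { sub(/^IPP: /, "", f); proto = f }
                else if (f ~ /^Instance Load /)     { sub(/^Instance Load /, "", f); sub(/%$/, "", f); iload = f }
                else if (f ~ /^Instance /)          { sub(/^Instance /, "", f); inst = f }
                else if (f ~ /^Connection instance load /) {
                    sub(/^Connection instance load /, "", f); sub(/%$/, "", f); cload = f
                }
            }
            printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", src, sport, dst, dport, proto, inst, iload, cload
        }'
}

# Number of heavy-connection records in the output.
heavy_conn_count() {
    heavy_conn_parse "$1" | awk 'END { print NR }'
}

# Records whose connection instance load is at or above a percentage threshold.
heavy_conn_above() {
    heavy_conn_parse "$1" | awk -F'\t' -v t="$2" '$8 + 0 >= t + 0'
}

# Aggregate by destination IP, port and protocol: record count, highest connection
# load seen, and the set of CoreXL Firewall instances that carried the connections.
heavy_conn_summary() {
    heavy_conn_parse "$1" | awk -F'\t' '
        {
            key = $3 ":" $4 "/" $5
            count[key]++
            if ($8 + 0 > maxload[key] + 0) maxload[key] = $8
            if (!((key, $6) in seen)) {
                seen[key, $6] = 1
                insts[key] = (insts[key] == "" ? "" : insts[key] ",") $6
            }
        }
        END {
            for (k in count)
                printf "%s count=%d max_conn_load=%s%% instances=%s\n", k, count[k], maxload[k], insts[k]
        }' | sort
}

# Constructed sample: the three records from the example above plus one extra
# record (10.0.0.7 -> 172.30.40.60:443) invented for this example.
SAMPLE_HEAVY='Source: 192.168.20.31; SPort: 51006; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50994; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50992; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 10.0.0.7; SPort: 40212; Dest: 172.30.40.60; DPort: 443; IPP: 6; Instance 0; Instance Load 75%; Connection instance load 58%'

heavy_conn_summary "$SAMPLE_HEAVY"
# 172.30.40.55:80/6 count=3 max_conn_load=100% instances=1
# 172.30.40.60:443/6 count=1 max_conn_load=58% instances=0
```

The summary makes the pattern in the example visible at a glance: one client opening several connections to the same web server, all pinned to instance 1 at 100% of that instance's work. Because the command also lists connections that have already closed, the per-destination count is a better indicator of a persistent hotspot than any single record.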

fw ctl multik prioq
Description
Configures the CoreXL Firewall Priority Queues. For more information, see sk105762.

Important - This command saves the configuration in the


$FWDIR/conf/dispatcher_bypass.conf file. You must not edit this file
manually.

Syntax for IPv4

fw ctl multik prioq [{0 | 1 | 2}]

Syntax for IPv6

fw6 ctl multik prioq [{0 | 1 | 2}]

Parameters

Parameter       Description
No Parameters   Shows the interactive menu for configuration of the CoreXL Firewall Priority Queues.
0               Disables the CoreXL Firewall Priority Queues.
1               Enables the CoreXL Firewall Priority Queues.
2               Enables the CoreXL Firewall Priority Queues in the Eviluator-only mode (evaluation of "evil" connections).

Example

[Expert@MyGW:0]# fw ctl multik prioq


Current mode is Off

Available modes:
0. Off
1. Eviluator-only
2. On

Choose the desired mode number: (or 3 to Quit)


[Expert@MyGW:0]#


fw ctl multik show_bypass_ports


Description
Shows the TCP and UDP ports configured in the bypass port list of the CoreXL Dynamic Dispatcher with the "fw ctl multik add_bypass_port" on page 1448 command.
For more information about the CoreXL Dynamic Dispatcher, see sk105261.

Important - This command reads the configuration from the $FWDIR/conf/dispatcher_bypass.conf file. You must not edit this file manually.

Syntax

fw ctl multik show_bypass_ports

Example

[Expert@MyGW:0]# fw ctl multik show_bypass_ports


dynamic dispatcher bypass port list:
(9999,8888)
[Expert@MyGW:0]#


fw ctl multik stat


Description
Shows information for each CoreXL Firewall instance.

Syntax for IPv4

fw [-d] ctl multik stat

Syntax for IPv6

fw6 [-d] ctl multik stat

Information in the output
- The ID number of each CoreXL Firewall instance (numbers start from zero).
- The state of each CoreXL Firewall instance.
- The ID number of the CPU core on which the CoreXL Firewall instance runs (numbers start from the highest available CPU ID).
- The number of concurrent connections the CoreXL Firewall instance currently handles.
- The peak number of concurrent connections the CoreXL Firewall instance handled from the time it started.

Parameters

Parameter    Description
-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.


Example

[Expert@MyGW:0]# fw ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 5 | 21
1 | Yes | 6 | 3 | 23
2 | Yes | 5 | 5 | 25
3 | Yes | 4 | 4 | 21
4 | Yes | 3 | 5 | 21
5 | Yes | 2 | 5 | 20
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw6 ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 0 | 4
1 | Yes | 6 | 0 | 4
[Expert@MyGW:0]#


fw ctl multik start


Description
Starts all CoreXL FW instances on-the-fly, if they were stopped with the "fw ctl multik stop" on page 1467 command.

Syntax for IPv4

fw ctl multik start

Syntax for IPv6

fw6 ctl multik start

Example

[Expert@MyGW:0]# fw ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | No | - | 6 | 13
1 | No | - | 3 | 11
2 | No | - | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
Instance 1 started (2 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
Instance 2 started (3 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
All instances are already active
[Expert@MyGW:0]#


fw ctl multik stop


Description
Stops all CoreXL Firewall instances on-the-fly.

Important - To start all CoreXL Firewall instances on-the-fly, run the "fw ctl multik start" on page 1466 command.

Syntax for IPv4

fw ctl multik stop

Syntax for IPv6

fw6 ctl multik stop

Example

[Expert@MyGW:0]# fw ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
Instance 2 stopped (2 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
Instance 1 stopped (1 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 4 | 13
1 | No | - | 3 | 11
2 | No | - | 7 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
All instances are already inactive
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | No | - | 6 | 13
1 | No | - | 3 | 11
2 | No | - | 4 | 13
[Expert@MyGW:0]#


fw ctl multik utilize


Description
Shows the CoreXL queue utilization for each CoreXL FW instance.

Note - This command does not support VSX.

Syntax for IPv4

fw ctl multik utilize

Syntax for IPv6

fw6 ctl multik utilize

Example

[Expert@MyGW:0]# fw ctl multik utilize


ID | Utilize(%) | Queue Elements
----------------------------------
0 | 1 | 30
1 | 0 | 10
2 | 0 | 17
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw6 ctl multik utilize
ID | Utilize(%) | Queue Elements
----------------------------------
0 | 0 | 0
1 | 0 | 0
[Expert@MyGW:0]#


fw ctl affinity
The fw ctl affinity command shows and configures the CoreXL affinity settings for:
- Interfaces
- User-space processes
- CoreXL FW instances


Running the 'fw ctl affinity -l' command in Gateway Mode


Description
The fw ctl affinity -l command shows the current CoreXL affinity settings on a Security Gateway for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Syntax
- To see the built-in help:

fw ctl affinity

- To show all the existing affinities:

fw ctl affinity -l [-a] [-v] [-r] [-q]

- To show the affinity for a specified interface:

fw ctl affinity -l -i <Interface Name>

- To show the affinity for a specified CoreXL Firewall instance:

fw ctl affinity -l -k <CoreXL Firewall instance ID>

- To show the affinity for a specified user-space process by its PID:

fw ctl affinity -l -p <Process ID>

- To show the affinity for a specified user-space process by its name:

fw ctl affinity -l -n <Process Name>

- To show the number of system CPU cores allowed by the installed CoreXL license:

fw -d ctl affinity -corelicnum


Parameters

Parameter                          Description
-i <Interface Name>                Shows the affinity for the specified interface.
-k <CoreXL Firewall instance ID>   Shows the affinity for the specified CoreXL Firewall instance.
-p <Process ID>                    Shows the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its PID.
-n <Process Name>                  Shows the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its name.
all                                Shows the affinity for all CPU cores (numbers start from zero).
<CPU ID0> ... <CPU IDn>            Shows the affinity for the specified CPU cores (numbers start from zero).
-a                                 Shows all current CoreXL affinities.
-v                                 Shows verbose output with IRQ numbers of interfaces.
-r                                 Shows the CoreXL affinities in reverse order.
-q                                 Suppresses the errors in the output.

Example 1

[Expert@MyGW:0]# fw ctl affinity -l


eth0: CPU 0
eth1: CPU 0
eth2: CPU 0
eth3: CPU 0
fw_0: CPU 7
fw_1: CPU 6
fw_2: CPU 5
fw_3: CPU 4
fw_4: CPU 3
fw_5: CPU 2
fwd: CPU 2 3 4 5 6 7
fgd50: CPU 2 3 4 5 6 7
status_proxy: CPU 2 3 4 5 6 7
rad: CPU 2 3 4 5 6 7
cpstat_monitor: CPU 2 3 4 5 6 7
mpdaemon: CPU 2 3 4 5 6 7
cpsead: CPU 2 3 4 5 6 7
cserver: CPU 2 3 4 5 6 7
rtmd: CPU 2 3 4 5 6 7
fwm: CPU 2 3 4 5 6 7
cpsemd: CPU 2 3 4 5 6 7
cpca: CPU 2 3 4 5 6 7
cprid: CPU 2 3 4 5 6 7
cpd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#


Example 2

[Expert@MyGW:0]# fw ctl affinity -l -a -v


Interface eth0 (irq 67): CPU 0
Interface eth1 (irq 75): CPU 0
Interface eth2 (irq 83): CPU 0
Interface eth3 (irq 59): CPU 0
fw_0: CPU 7
fw_1: CPU 6
fw_2: CPU 5
fw_3: CPU 4
fw_4: CPU 3
fw_5: CPU 2
fwd: CPU 2 3 4 5 6 7
fgd50: CPU 2 3 4 5 6 7
status_proxy: CPU 2 3 4 5 6 7
rad: CPU 2 3 4 5 6 7
cpstat_monitor: CPU 2 3 4 5 6 7
mpdaemon: CPU 2 3 4 5 6 7
cpsead: CPU 2 3 4 5 6 7
cserver: CPU 2 3 4 5 6 7
rtmd: CPU 2 3 4 5 6 7
fwm: CPU 2 3 4 5 6 7
cpsemd: CPU 2 3 4 5 6 7
cpca: CPU 2 3 4 5 6 7
cprid: CPU 2 3 4 5 6 7
cpd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

Example 3

[Expert@MyGW:0]# fw ctl affinity -l -a -v -r


CPU 0: eth0 (irq 67) eth1 (irq 75) eth2 (irq 83) eth3 (irq 59)
CPU 1:
CPU 2: fw_5
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 3: fw_4
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 4: fw_3
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 5: fw_2
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 6: fw_1
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 7: fw_0
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
All:
[Expert@MyGW:0]#

Example 4
[Expert@MyGW:0]# fw ctl affinity -l -i eth0

eth0: CPU 0

[Expert@MyGW:0]#


Example 5

[Expert@MyGW:0]# ps -ef | grep -v grep | egrep "PID|fwd"


UID PID PPID C STIME TTY TIME CMD
admin 26641 26452 0 Mar27 ? 00:06:56 fwd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -l -p 26641
Process 26641: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -l -n fwd
fwd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

Example 6

[Expert@MyGW:0]# fw ctl affinity -l -k 1


fw_1: CPU 6
[Expert@MyGW:0]#

Example 7

[Expert@MyGW:0]# fw -d ctl affinity -corelicnum


[5363 4134733584]@MyGW[4 Apr 18:11:03] Number of system CPUs 8
[5363 4134733584]@MyGW[4 Apr 18:11:03] cplic_get_navailable_cpus: fw_get_allowed_cpus_num returned invalid
value (100000) - all cpus considered as allowed!!!
4
[5363 4134733584]@MyGW[4 Apr 18:11:03] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MyGW:0]#
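As an added example that is not part of the guide, the following script groups the output of fw ctl affinity -l by CPU core and flags a core that serves both interface IRQs and a CoreXL Firewall instance (the layout the examples above keep apart); the interface-name pattern and the sample input are assumptions constructed from those examples.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: a layout check over the
# output of "fw ctl affinity -l" (with or without -a -v). It groups the
# interface, CoreXL Firewall instance and process affinities by CPU core,
# warns when one core carries both interface IRQs and a Firewall instance,
# and notes cores with nothing pinned to them. Which names are interfaces
# is an assumption of this script: the "-v" form is recognised by its
# "Interface" prefix and the plain form by the name pattern below.
#
# Usage on a gateway:  fw ctl affinity -l -a -v | affinity_by_cpu

affinity_by_cpu() {
    awk -F': CPU ' '
    function trim(s) { sub(/^ +/, "", s); return s }
    BEGIN { maxcpu = 0 }
    # every line of interest looks like "<name>: CPU <id> [<id> ...]"
    NF == 2 {
        name = $1
        if (name ~ /^Interface /) {
            # "-v" form: "Interface eth0 (irq 67)"
            kind = "if"
            sub(/^Interface /, "", name)
            sub(/ \(irq [0-9]+\)$/, "", name)
        } else if (name ~ /^fw_[0-9]+$/) {
            kind = "fw"
        } else if (name ~ /^(eth|bond|Mgmt|Sync)/) {
            kind = "if"                      # assumed interface naming
        } else {
            kind = "proc"
        }
        n = split($2, cpus, " ")
        for (i = 1; i <= n; i++) {
            c = cpus[i] + 0
            if (c > maxcpu) maxcpu = c
            seen[c] = 1
            member[kind, c] = member[kind, c] " " name
        }
    }
    END {
        # cores above the highest pinned one are not visible in this output
        for (c = 0; c <= maxcpu; c++) {
            ifs = trim(member["if", c])
            fws = trim(member["fw", c])
            nproc = split(member["proc", c], tmp, " ")
            printf "CPU %d: interfaces[%s] instances[%s] processes[%d]\n", c, ifs, fws, nproc
            if (ifs != "" && fws != "")
                printf "WARN: CPU %d handles interface IRQs and a Firewall instance\n", c
            if (!(c in seen))
                printf "NOTE: CPU %d has no affinity assigned\n", c
        }
    }'
}

# Constructed sample in the format of the guide's Example 2 (not captured
# from a real gateway); CPU 1 is deliberately left unused.
sample_affinity_output() {
    cat <<'EOF'
Interface eth0 (irq 67): CPU 0
Interface eth1 (irq 75): CPU 0
fw_0: CPU 3
fw_1: CPU 2
fwd: CPU 2 3
cpd: CPU 2 3
EOF
}

sample_affinity_output | affinity_by_cpu
```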


Running the 'fw ctl affinity -l' command in VSX Mode


Description
The fw ctl affinity -l command shows the CoreXL affinity settings on a VSX Gateway for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Note - Before running the fw ctl affinity -l -x commands, you must go to the context of the applicable Virtual System or Virtual Router with the Gaia Clish command set virtual-system <VSID>.

Syntax
- To show the affinities in VSX mode (you can combine the optional parameters):

fw ctl affinity -l -x
      [-vsid <VSID ranges>]
      [-cpu <CPU ID ranges>]
      [-flags {e | k | t | n | h | o}]

- To show the number of system CPU cores allowed by the installed CoreXL license:

fw -d ctl affinity -corelicnum


Parameters

Parameter                        Description
-vsid <VSID ranges>              Shows the affinity for:
                                 - The specified single Virtual System (for example, -vsid 7)
                                 - The specified several Virtual Systems (for example, -vsid 0-2 4)
                                 Important - If you omit the -vsid parameter, the command runs in the current virtual context.
-cpu <CPU ID ranges>             Shows the affinity for:
                                 - The specified single CPU (for example, -cpu 7)
                                 - The specified several CPU cores (for example, -cpu 0-2 4)
-flags {e | k | t | n | h | o}   The -flags parameter requires at least one of these arguments:
                                 - e - Do not print the exception processes
                                 - k - Do not print the kernel threads
                                 - t - Print all process threads
                                 - n - Print the process name instead of the /proc/<PID>/cmdline
                                 - h - Print the CPU mask in Hex format
                                 - o - Print the output into the file called /tmp/affinity_list_output
                                 Important - You must specify multiple arguments together. For example: -flags tn


Example 1

[Expert@VSX_GW:0]# fw ctl affinity -l -x -cpu 0


---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 2 | 0 | 0 | | | K | |
| 3 | 0 | 0 | | | K | |
| 4 | 0 | 0 | | | K | |
| 14 | 0 | 0 | | | K | |
| 99 | 0 | 0 | | | K | |
| 278 | 0 | 0 | | | K | |
| 382 | 0 | 0 | | | K | |
| 674 | 0 | 0 | | | K | |
| 2195 | 0 | 0 | | | K | |
| 6348 | 0 | 0 | | | K | |
| 6378 | 0 | 0 | | | K | |
---------------------------------------------------------------------
PID - represents the pid of the process
VSID - represents the virtual device id
CPU - represents the CPUs assigned to the specific process
SRC - represents the source configuration file of the process - (V)SID / (I)nstance / (P)rocess
V - represents validity,star means that the actual affinity is different than the configured affinity
KT - represents whether the process is a kernel thread
EXC - represents whether the process belongs to the process exception list (vsaffinity_exception.conf)
[Expert@VSX_GW:0]#

Example 2

[Expert@VSX_GW:0]# fw ctl affinity -l -x -vsid 1


---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 3593 | 1 | 1 2 3 | | | | | httpd
| 10997 | 1 | 1 2 3 | | | | | cvpn_rotatelogs
| 11005 | 1 | 1 2 3 | | | | | httpd
| 22294 | 1 | 1 2 3 | | | | | routed
| 22328 | 1 | 1 2 3 | | | | | fwk_wd
| 22333 | 1 | 1 2 3 | P | | | | fwk
| 22488 | 1 | 1 2 3 | | | | | cpd
| 22492 | 1 | 1 2 3 | | | | | fwd
| 22504 | 1 | 1 2 3 | | | | | cpviewd
| 22525 | 1 | 1 2 3 | | | | | mpdaemon
| 22527 | 1 | 1 2 3 | | | | | ci_http_server
| 30629 | 1 | 1 2 3 | | | | | vpnd
| 30631 | 1 | 1 2 3 | | | | | pdpd
| 30632 | 1 | 1 2 3 | | | | | pepd
| 30635 | 1 | 1 2 3 | | | | | fwpushd
| 30743 | 1 | 1 2 3 | | | | | dbwriter
| 30748 | 1 | 1 2 3 | | | | | cvpnproc
| 30752 | 1 | 1 2 3 | | | | | MoveFileServer
| 30756 | 1 | 1 2 3 | | | | | CvpnUMD
| 30760 | 1 | 1 2 3 | | | | | Pinger
| 30764 | 1 | 1 2 3 | | | | | IdlePinger
| 30770 | 1 | 1 2 3 | | | | | cvpnd
---------------------------------------------------------------------
[Expert@VSX_GW:0]#


Running the 'fw ctl affinity -s' command in Gateway Mode


Description
The fw ctl affinity -s command configures the CoreXL affinity settings on a Security Gateway for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Notes:
- Changes you make with this command do not survive the Security Gateway reboot.
  If you want the settings to survive reboot, do one of these:
  - Manually edit the $FWDIR/conf/fwaffinity.conf configuration file.
  - Run the sim affinity -s command (configures the affinity for interfaces only).
- The fw ctl affinity -s command cannot configure affinity for interfaces, if you already configured affinity for interfaces with the SecureXL sim affinity command (in Automatic or Static mode).


Syntax
- To see the built-in help:

fw ctl affinity

- To configure the affinity for a specified interface by its name:

fw ctl affinity -s -i <Interface Name>
      all
      <CPU ID0> [ <CPU ID1> ... <CPU IDn> ]

- To configure the affinity for a specified CoreXL Firewall instance:

fw ctl affinity -s -k <CoreXL Firewall instance ID>
      all
      <CPU ID0> [ <CPU ID1> ... <CPU IDn> ]

- To configure the affinity for a specified user-space process by its PID:

fw ctl affinity -s -p <Process ID>
      all
      <CPU ID0> [ <CPU ID1> ... <CPU IDn> ]

- To configure the affinity for a specified user-space process by its name:

fw ctl affinity -s -n <Process Name>
      all
      <CPU ID0> [ <CPU ID1> ... <CPU IDn> ]


Parameters

Parameter                          Description
-i <Interface Name>                Configures the affinity for the specified interface.
-k <CoreXL Firewall instance ID>   Configures the affinity for the specified CoreXL Firewall instance.
-p <Process ID>                    Configures the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its PID.
-n <Process Name>                  Configures the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its name.
                                   Important - The process name is case-sensitive.
all                                Configures the affinity for all CPU cores (numbers start from zero).
<CPU ID0> ... <CPU IDn>            Configures the affinity for the specified CPU cores (numbers start from zero).

Example 1 - Affine the interface eth1 to the CPU core #1

[Expert@MyGW:0]# fw ctl affinity -s -i eth1 1


eth1: CPU 1 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 2 - Affine the CoreXL Firewall instance #1 to the CPU core #2

[Expert@MyGW:0]# fw ctl affinity -s -k 1 2


fw_1: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 3 - Affine the process CPD by its PID to the CPU core #2

[Expert@MyGW:0]# cpwd_admin list | egrep "PID|cpd"


APP PID STAT #START START_TIME MON COMMAND
CPD 6080 E 1 [13:46:27] 17/9/2018 Y cpd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -s -p 6080 2
Process 6080: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#


Example 4 - Affine the process CPD by its name to the CPU core #2

[Expert@MyGW:0]# fw ctl affinity -s -n cpd 2


cpd: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#


Running the 'fw ctl affinity -s' command in VSX Mode


Description
The fw ctl affinity -s command configures the CoreXL affinity settings on a VSX Gateway for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Syntax
- To see the built-in help:

fw ctl affinity

- To configure the affinities of Virtual Systems:

fw ctl affinity -s -d [-vsid <VSID ranges>] -cpu <CPU ID ranges>

- To configure the affinities of a specified user-space process:

fw ctl affinity -s -d -pname <Process Name> [-vsid <VSID ranges>]
      -cpu all
      -cpu <CPU ID ranges>

- To configure the affinities of specified FWK daemon instances (user-space Firewall):

fw ctl affinity -s -d -inst <Instances Ranges> -cpu <CPU ID ranges>

- To configure the affinities of all FWK instances (user-space Firewalls):

fw ctl affinity -s -d -fwkall <Number of CPUs>

- To reset the affinities to defaults:

fw ctl affinity
      -vsx_factory_defaults
      -vsx_factory_defaults_no_prompt


Important
- These settings do not survive a reboot of the VSX Gateway. To make these settings permanent, manually edit the $FWDIR/conf/fwaffinity.conf configuration file.
- When you configure affinity of an interface, it automatically configures the affinities of all other interfaces that share the same IRQ to the same CPU core.

Parameters

Parameter               Description
-vsid <VSID ranges>     Configures the affinity for:
                        - One specified Virtual System. For example: -vsid 7
                        - Several specified Virtual Systems. For example: -vsid 0-2 4
                        Note - If you omit the -vsid parameter, the command uses the current virtual context.
-cpu <CPU ID ranges>    Configures the affinity to:
                        - One specified CPU core. For example: -cpu 7
                        - Several specified CPU cores. For example: -cpu 0-2 4
                        Important - Numbers of CPU cores start from zero.
-pname <Process Name>   Configures the affinity for the Check Point daemon specified by its name (for example: fwd, vpnd).
                        Important - The process name is case-sensitive.


-inst <Instances Ranges>          Configures the affinity for:
                                  - One specified FWK daemon instance. For example: -inst 7
                                  - Several specified FWK daemon instances. For example: -inst 0 2 4
-fwkall <Number of CPUs>          Configures the affinity for all running FWK daemon instances to the specified number of CPU cores.
                                  If you need to affine all running FWK daemon instances to all CPU cores, enter the number of all available CPU cores.
-vsx_factory_defaults             Deletes all existing affinity settings and creates the default affinity settings during the next reboot.
                                  Important - Before this operation, the command prompts the user whether to proceed. You must reboot to complete the operation.
-vsx_factory_defaults_no_prompt   Deletes all current affinity settings and creates the default affinity settings during the next reboot.
                                  Important - Before this operation, the command does not prompt the user whether to proceed. You must reboot to complete the operation.

Example 1 - Affine the Virtual Devices #0,1,2,4,7,8 to the CPU cores #0,1,2,4

[Expert@MyGW:0]# fw ctl affinity -s -d -vsid 0-2 4 6-8 -cpu 0-2 4


VDevice 0-2 4 6-8 : CPU 0 1 2 4 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 2 - Affine the process CPD by its name for Virtual Devices #0-12 to the CPU core #7

[Expert@MyGW:0]# fw ctl affinity -s -d -pname cpd -vsid 0-12 -cpu 7


VDevice 0-12 : CPU 7 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
Warning: some of the VSIDs did not exist
[Expert@MyGW:0]#

Example 3 - Affine the FWK daemon instances #0,2,4 to the CPU core #5

[Expert@MyGW:0]# fw ctl affinity -s -d -inst 0 2 4 -cpu 5


VDevice 0 2 4: CPU 5 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#


Example 4 - Affine all FWK daemon instances to the last two CPU cores

[Expert@MyGW:0]# fw ctl affinity -s -d -fwkall 2


VDevice 0-2 : CPU 2 3 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 5 - Affine all FWK daemon instances to all CPU cores

[Expert@MyGW:0]# fw ctl affinity -s -d -fwkall 4


There are configured processes/FWK instances
(y) will override all currently configured affinity and erase the configuration files
(n) will set affinity only for unconfigured processes/threads
Do you want to override existing configurations (y/n) ? y
VDevice 0-2 : CPU all - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#


fw -i
Description
By default, the "fw" on page 954 commands apply to the entire Security Gateway.
The fw commands show aggregated information for all CoreXL Firewall instances.
The fw -i commands apply to the specified CoreXL Firewall instance.

Syntax

fw -i <ID of CoreXL Firewall instance> <Command>

Parameters

Parameter                          Description
<ID of CoreXL Firewall instance>   Specifies the ID of the CoreXL Firewall instance.
                                   To see the available IDs, run the "fw ctl multik stat" on page 1464 command.
<Command>                          Only these commands support the fw -i syntax:
                                   - fw -i <ID> conntab ...
                                   - fw -i <ID> ctl get ...
                                   - fw -i <ID> ctl leak ...
                                   - fw -i <ID> ctl pstat ...
                                   - fw -i <ID> ctl set ...
                                   - fw -i <ID> monitor ...
                                   - fw -i <ID> tab ...
                                   For details and additional parameters for any of these commands, refer to the corresponding entry for each command.

Example 1 - Show the Connections table for CoreXL Firewall instance #1


fw -i 1 tab -t connections

Example 2 - Show various internal statistics for CoreXL Firewall instance #1


fw -i 1 ctl pstat


fwboot bootconf
Description
Configures boot security options.

Notes:
- You must run this command from the Expert mode.
- The settings are saved in the $FWDIR/boot/boot.conf file.
  Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only with this command.
- Refer to these related commands:
  - "fwboot corexl" on page 1116
  - "control_bootsec" on page 874

Syntax to show the current boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf


      get_corexl
      get_core_override
      get_def
      get_ipf
      get_ipv6
      get_kernnum
      get_kern6num


Syntax to configure the boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf


      set_corexl {0 | 1}
      set_core_override <number>
      set_def [</path/filename>]
      set_ipf {0 | 1}
      set_ipv6 {0 | 1}
      set_kernnum <number>
      set_kern6num <number>

Parameters

Parameter           Description
No Parameters       Shows the built-in help with available parameters.
get_corexl          Shows if the CoreXL is enabled or disabled:
                    - 0 - disabled
                    - 1 - enabled
                    Note - In the $FWDIR/boot/boot.conf file, refer to the value of the COREXL_INSTALLED.
get_core_override   Shows the number of overriding CPU cores.
                    The SMT (HyperThreading) feature (sk93000) uses this configuration to set the number of CPU cores after reboot.
                    Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CORE_OVERRIDE.
get_def             Shows the configured path and the name of the Default Filter policy file (default is $FWDIR/boot/default.bin).
                    Note - In the $FWDIR/boot/boot.conf file, refer to the value of the DEFAULT_FILTER_PATH.


get_ipf             Shows if the IP Forwarding during boot is enabled or disabled:
                    - 0 - disabled (Security Gateway does not forward traffic between its interfaces during boot)
                    - 1 - enabled
                    Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CTL_IPFORWARDING.
get_ipv6            Shows if the IPv6 support is enabled or disabled:
                    - 0 - disabled
                    - 1 - enabled
                    Note - In the $FWDIR/boot/boot.conf file, refer to the value of the IPV6_INSTALLED.
get_kernnum         Shows the configured number of IPv4 CoreXL Firewall instances.
                    Note - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN_INSTANCE_NUM.
get_kern6num        Shows the configured number of IPv6 CoreXL Firewall instances.
                    Note - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN6_INSTANCE_NUM.
set_corexl {0 | 1}  Enables or disables CoreXL:
                    - 0 - disables
                    - 1 - enables
                    Notes:
                    - In the $FWDIR/boot/boot.conf file, refer to the value of the COREXL_INSTALLED.
                    - To configure CoreXL, use the "cpconfig" on page 892 menu.


set_core_override <number>   Configures the number of overriding CPU cores.
                             The SMT (HyperThreading) feature (sk93000) uses this configuration to set the number of CPU cores after reboot.
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CORE_OVERRIDE.
set_def [</path/filename>]   Configures the path and the name of the Default Filter policy file (default is $FWDIR/boot/default.bin).
                             Notes:
                             - In the $FWDIR/boot/boot.conf file, refer to the value of the DEFAULT_FILTER_PATH.
                             - If you do not specify the path and the name explicitly, then the value of the DEFAULT_FILTER_PATH is set to 0. As a result, Security Gateway does not load a Default Filter during boot.
                             Best Practice - The best location for this file is the $FWDIR/boot/ directory.
set_ipf {0 | 1}              Configures the IP forwarding during boot:
                             - 0 - disables (forbids the Security Gateway to forward traffic between its interfaces during boot)
                             - 1 - enables
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CTL_IPFORWARDING.
set_ipv6 {0 | 1}             Enables or disables the IPv6 Support:
                             - 0 - disables
                             - 1 - enables
                             Notes:
                             - In the $FWDIR/boot/boot.conf file, refer to the value of the IPV6_INSTALLED.
                             - Configure the IPv6 Support in Gaia Portal, or Gaia Clish. See the R80.40 Gaia Administration Guide.


set_kernnum <number>    Configures the number of IPv4 CoreXL Firewall instances.
                        Notes:
                        - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN_INSTANCE_NUM.
                        - To configure CoreXL, use the "cpconfig" on page 892 menu.
set_kern6num <number>   Configures the number of IPv6 CoreXL Firewall instances.
                        Notes:
                        - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN6_INSTANCE_NUM.
                        - To configure CoreXL, use the "cpconfig" on page 892 menu.


fwboot corexl
Description
Configures and monitors the CoreXL.

Note - The settings are saved in the $FWDIR/boot/boot.conf file.

Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only with this command.

Syntax to show CoreXL configuration

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl


      core_count
      curr_instance4_count
      curr_instance6_count
      def_instance4_count
      def_instance6_count
      eligible
      installed
      max_instance4_count
      max_instances4_32bit
      max_instances4_64bit
      max_instance6_count
      max_instances_count
      max_instances_32bit
      max_instances_64bit
      min_instance_count
      unsupported_features
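
Because these query keywords return their value in the exit status (the examples in the parameter table read them with echo $?), scripting them needs a small wrapper; the following is an added example, not from the guide, and the FWBOOT_BIN variable is an assumption of the example for offline testing.

```shell
#!/bin/bash
# Added example, not from the Check Point guide. The query keywords of
# "$FWDIR/boot/fwboot corexl" (core_count, curr_instance4_count, installed,
# ...) report their value in the exit status, which is why this section's
# examples read them with "echo $?". A script must therefore treat the
# status as data and must not let "set -e" or a trailing "|| ..." take a
# value such as 4 for a failure. FWBOOT_BIN is an assumption of this script:
# it lets the wrapper be pointed at a stand-in for offline testing; on a
# gateway leave it unset so that $FWDIR/boot/fwboot is used.

# Print the value that a fwboot corexl query keyword returns in its exit status.
fwboot_query() {
    # running the command as an "if" condition keeps "set -e" from firing on
    # a non-zero value; in the else branch $? is that value
    if "${FWBOOT_BIN:-$FWDIR/boot/fwboot}" corexl "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Report the CoreXL state and flag configurations worth a second look.
corexl_report() {
    local cores installed eligible cur4 def4 cur6
    cores=$(fwboot_query core_count)
    eligible=$(fwboot_query eligible)
    installed=$(fwboot_query installed)
    cur4=$(fwboot_query curr_instance4_count)
    def4=$(fwboot_query def_instance4_count)
    cur6=$(fwboot_query curr_instance6_count)
    printf 'cores=%s eligible=%s installed=%s ipv4_instances=%s (default %s) ipv6_instances=%s\n' \
        "$cores" "$eligible" "$installed" "$cur4" "$def4" "$cur6"
    [ "$installed" -eq 1 ] || echo "NOTE: CoreXL is not enabled on this gateway"
    [ "$cur4" -le "$cores" ] || echo "WARN: more IPv4 instances ($cur4) than CPU cores ($cores)"
    [ "$cur4" -eq "$def4" ] || echo "NOTE: IPv4 instance count ($cur4) differs from the default ($def4)"
    return 0
}

# Run the report only where a fwboot binary (or a stand-in) is available.
if [ -x "${FWBOOT_BIN:-$FWDIR/boot/fwboot}" ]; then
    corexl_report
fi
```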


Syntax to configure CoreXL

Important:
- The configuration commands are for Check Point use only. To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on page 892 menu.
- After all changes in CoreXL configuration on the Security Gateway, you must reboot it.
- In Cluster, you must configure all the Cluster Members in the same way.

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl


      def_by_allowed [n]
      default
      [-v] disable
      [-v] enable [n] [-6 k]
      vmalloc_recalculate

Parameters

Parameter        Description
No Parameters    Shows the built-in help with available parameters.
core_count       Returns the number of CPU cores on this computer.
                 Example
                 [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl core_count
                 [Expert@MyGW:0]# echo $?
                 4
                 [Expert@MyGW:0]#
                 [Expert@MyGW:0]# cat /proc/cpuinfo | grep processor
                 processor : 0
                 processor : 1
                 processor : 2
                 processor : 3
                 [Expert@MyGW:0]#


Parameter Description

curr_ Returns the current configured number of IPv4 CoreXL Firewall instances.
instance4_
count Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_
instance4_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

curr_instance6_count  Returns the current configured number of IPv6 CoreXL Firewall instances.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance6_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw6 ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
[Expert@MyGW:0]#

def_by_allowed [n]  Sets the default configuration for CoreXL according to the specified allowed number
of CPU cores.

default Sets the default configuration for CoreXL.

def_instance4_count  Returns the default number of IPv4 CoreXL Firewall instances for this Security
Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance4_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#


def_instance6_count  Returns the default number of IPv6 CoreXL Firewall instances for this Security
Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance6_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#

[-v] disable  Disables CoreXL.
- -v - Leaves the high memory (vmalloc) unchanged.

See the "cp_conf corexl" on page 883 command.

eligible  Returns whether CoreXL can be enabled on this Security Gateway.
- 0 - CoreXL cannot be enabled
- 1 - CoreXL can be enabled

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl eligible
[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#

[-v] enable [n] [-6 k]  Enables CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall
instances.
- -v - Leaves the high memory (vmalloc) unchanged.
- n - Denotes the number of IPv4 CoreXL Firewall instances.
- k - Denotes the number of IPv6 CoreXL Firewall instances.

See the "cp_conf corexl" on page 883 command.

installed  Returns whether CoreXL is installed (enabled) on this Security Gateway.
- 0 - CoreXL is not enabled
- 1 - CoreXL is enabled

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl installed
[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#


max_instance4_count  Returns the maximal allowed number of IPv4 CoreXL Firewall instances for this
Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance4_count
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#

max_instances4_32bit  Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a
Security Gateway that runs Gaia with 32-bit kernel.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_32bit
[Expert@MyGW:0]# echo $?
14
[Expert@MyGW:0]#

max_instances4_64bit  Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a
Security Gateway that runs Gaia with 64-bit kernel.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_64bit
[Expert@MyGW:0]# echo $?
38
[Expert@MyGW:0]#

max_instance6_count  Returns the maximal allowed number of IPv6 CoreXL Firewall instances for this
Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance6_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#


max_instances_count  Returns the total maximal allowed number of CoreXL Firewall instances (IPv4 and
IPv6) for this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_count
[Expert@MyGW:0]# echo $?
40
[Expert@MyGW:0]#

max_instances_32bit  Returns the total maximal allowed number of CoreXL Firewall instances for a Security
Gateway that runs Gaia with 32-bit kernel.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_32bit
[Expert@MyGW:0]# echo $?
16
[Expert@MyGW:0]#

max_instances_64bit  Returns the total maximal allowed number of CoreXL Firewall instances for a Security
Gateway that runs Gaia with 64-bit kernel.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_64bit
[Expert@MyGW:0]# echo $?
40
[Expert@MyGW:0]#

min_instance_count  Returns the minimal allowed number of IPv4 CoreXL Firewall instances.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl min_instance_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#

vmalloc_recalculate  Updates the value of the vmalloc parameter in the /boot/grub/grub.conf
file.


unsupported_features  Returns 1 if at least one configured feature is not supported by CoreXL.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl unsupported_features
corexl unsupported feature: QoS is configured.
[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#

fwboot cpuid
Description
Shows the number of available CPUs and CPU cores on this Security Gateway.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot cpuid


      {-h | -help | --help}
      -c
      --full
      ht_aware
      -n
      --possible

Parameters

Parameter Description

No Parameters Shows the IDs of the available CPU cores on this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid
3 2 1 0
[Expert@MyGW:0]#

-c  Counts the number of available CPU cores on this Security Gateway.
The command stores the returned number as its exit code.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -c
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#


--full Shows a full map of the available CPUs and CPU cores on this Security Gateway.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --full
cpuid phys_id core_id thread_id
0 0 0 0
1 2 0 0
2 4 0 0
3 6 0 0
[Expert@MyGW:0]#

ht_aware Shows the CPU cores in the order of their awareness of Hyper-Threading.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid ht_aware
3 2 1 0
[Expert@MyGW:0]#

-n  Counts the number of available CPUs on this Security Gateway.
The command stores the returned number as its exit code.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -n
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#

--possible  Counts the number of possible CPU cores.
The command stores the returned number as its exit code.

Example
[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --possible
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#
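The curr_instance4_count value returned by fwboot corexl is only meaningful when it agrees with the instance-to-CPU map that fw ctl multik stat prints and with the CPU IDs that fwboot cpuid --full reports. The script below is an added example; it is not part of this guide or of the fwboot tooling. It parses both outputs, which are embedded here as constructed samples copied from the examples in this chapter so that the script runs offline, counts the active instances, and flags any instance bound to a CPU ID the host does not list. The commented lines at the end show the assumed invocation on a gateway with the live command output.

```shell
#!/bin/sh
# Added example (not Check Point code): cross-check the CoreXL instance map
# from "fw ctl multik stat" against the CPU IDs listed by "fwboot cpuid --full".

# Constructed sample of "fwboot cpuid --full" output (columns: cpuid phys_id core_id thread_id)
CPUID_FULL='cpuid phys_id core_id thread_id
0 0 0 0
1 2 0 0
2 4 0 0
3 6 0 0'

# Constructed sample of "fw ctl multik stat" output
MULTIK_STAT='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18'

# cpu_ids MAP: print the CPU IDs from a "fwboot cpuid --full" map, space separated.
cpu_ids() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /^[0-9]+$/ {
        ids = ids (ids == "" ? "" : " ") $1
    } END { print ids }'
}

# instance_cpus STAT: print "instance:cpu" pairs for the active rows of a multik stat table.
instance_cpus() {
    printf '%s\n' "$1" | awk -F'|' '
        $1 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ && $2 ~ /Yes/ {
            gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $3)
            out = out (out == "" ? "" : " ") $1 ":" $3
        }
        END { print out }'
}

# active_count STAT: number of active instances (what curr_instance4_count should equal).
active_count() {
    set -- $(instance_cpus "$1")
    echo $#
}

# instances_match N STAT: "match" if N (the curr_instance4_count exit code) equals the
# active instance count in STAT, otherwise "mismatch".
instances_match() {
    if [ "$(active_count "$2")" -eq "$1" ]; then echo match; else echo mismatch; fi
}

# unknown_cpus STAT MAP: instances whose CPU ID is not in the cpuid map, or "none".
unknown_cpus() {
    known=$(cpu_ids "$2")
    bad=""
    for pair in $(instance_cpus "$1"); do
        cpu=${pair#*:}
        found=0
        for c in $known; do
            if [ "$c" = "$cpu" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then bad="$bad${bad:+ }$pair"; fi
    done
    echo "${bad:-none}"
}

# Run against the constructed samples (3 was the curr_instance4_count result above).
echo "active instances: $(active_count "$MULTIK_STAT")"
echo "curr_instance4_count agrees: $(instances_match 3 "$MULTIK_STAT")"
echo "instances on unknown CPUs: $(unknown_cpus "$MULTIK_STAT" "$CPUID_FULL")"
# On a Security Gateway (assumed invocation; these commands exist only on Gaia):
#   $FWDIR/boot/fwboot corexl curr_instance4_count; n=$?
#   instances_match "$n" "$(fw ctl multik stat)"
#   unknown_cpus "$(fw ctl multik stat)" "$($FWDIR/boot/fwboot cpuid --full)"
```

An instance reported on a CPU that is absent from the cpuid map, or a curr_instance4_count that disagrees with the number of active rows, is the kind of inconsistency to resolve (and reboot, as the Important note above requires) before trusting the CoreXL configuration.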

fwboot ht
Description
Shows and configures the boot options for the SMT (HyperThreading) feature (sk93000).

Important - This command is for Check Point use only. To configure the SMT
(HyperThreading) feature, follow sk93000.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot ht
      --core_override [<number>]
      --disable
      --eligible
      --enable
      --enabled
      --supported

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

--core_override [<number>]  Shows or configures the number of overriding CPU cores.
The SMT feature uses this configuration to set the number of CPU
cores after reboot.

--disable Disables the SMT feature.


--eligible  Returns a number that shows if this system is eligible for the SMT
feature. Run:

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --eligible
[Expert@MyGW:0]# echo $?

- If you get 1 - The system is eligible for the SMT.
- If you get 0 - The system is not eligible for the SMT.
  The possible causes are:
  - The system is not a Check Point appliance.
  - The system does not support the SMT.
  - The system does not run Gaia OS.
  - The appliance runs Gaia OS with 32-bit kernel and has
  more than 4 CPU cores.

--enable Enables the SMT feature.

--enabled  Returns a number that shows if the SMT feature is enabled on this
system. Run:

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --enabled
[Expert@MyGW:0]# echo $?

- If you get 1 - The SMT is enabled.
- If you get 0 - The SMT is disabled.
  The possible causes are:
  - The system does not run Gaia OS.
  - The SMT is disabled in software.


--supported  Returns a number that shows if this system supports the SMT feature.
Run:

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --supported
[Expert@MyGW:0]# echo $?

- If you get 1 - The system supports the SMT.
- If you get 0 - The system does not support the SMT.
  The possible causes are:
  - The system's CPU does not support the SMT.
  - The SMT is disabled in the system's BIOS.
  - The SMT is disabled in software.

fwboot multik_reg
Description
Shows the internal memory address of the registration function for the specified CoreXL Firewall instance.

Important - This command is for Check Point use only.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot multik_reg <Number of CoreXL Firewall instance> {ipv4 | ipv6} [-d]

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

<Number of CoreXL Firewall instance>  Specifies the ID number of the CoreXL Firewall instance.

ipv4  Specifies to work with IPv4 CoreXL Firewall instances.

ipv6  Specifies to work with IPv6 CoreXL Firewall instances.

-d  Shows the decimal 64-bit address of the hook function.


Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 0 ipv4
0
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 1 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 2 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#

fwboot post_drv
Description
Loads the Firewall driver for CoreXL during boot.

Important:
- This command is for Check Point use only.
- If you run this command, the Security Gateway can block all traffic. In such a case, you
must connect to the Security Gateway over a console and restart Check Point
services with the "cpstop" on page 920 and "cpstart" on page 911 commands.
Alternatively, you can reboot the Security Gateway.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot post_drv {ipv4 | ipv6}

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

ipv4 Loads the IPv4 Firewall driver for CoreXL.

ipv6 Loads the IPv6 Firewall driver for CoreXL.

Multi-Queue Commands
For more information about Multi-Queue, see the R80.40 Performance Tuning Administration Guide -
Chapter Multi-Queue.

mq_mng
Description
The mq_mng utility shows and configures Multi-Queue on supported interfaces.
Multi-Queue only supports interfaces that use these drivers:
- igb
- ixgbe
- i40e
- mlx5_core

Syntax
- To see the built-in help:

mq_mng {-h | --help}

- To show the existing Multi-Queue configuration:

mq_mng {-o | --show} [{-v | -vv}] [-a]

- To configure the Multi-Queue for the specified driver:

Important - You must reboot the Security Gateway after all changes in the Multi-Queue
configuration.

mq_mng {-s | --set-mode}
      auto
      manual
            {-i | --interface} <Names of Interfaces>
            {-c | --core} <IDs of CPU Cores that run CoreXL SND Instances>
      off
            [{-i | --interface} <Names of Interfaces>]

- To apply the existing Multi-Queue policy:

mq_mng {-r | --reconf}

Parameters

Parameter Description

-h | --help  Shows built-in help.

-o | --show  Shows the existing Multi-Queue configuration.

-v | -vv  Verbose output.

-a Shows all interfaces in the output.

-s | --set-mode  Configures the Multi-Queue mode:
- auto - Automatic mode (this is the default). Multi-Queue automatically configures
the affinity of all supported interfaces to CPU cores that run CoreXL SND Instances.
- manual - Manual mode. The administrator configures the affinity of interfaces to
CPU cores that run CoreXL SND Instances. In this mode, you can specify
interfaces, CPU cores, or both.
- off - Disables the Multi-Queue on all or specified supported interfaces.

Important - A change in the Multi-Queue mode may cause short packet loss.


Notes:
- To specify interfaces:
  - Use this syntax:
    {-i | --interface} <Names of Interfaces>
  - If you do not specify interfaces, then the configuration applies to all
  supported interfaces.
  - To specify a specific interface, enter its name (for example: -i eth2).
  - To specify several interfaces, enter their names separated with
  spaces (for example: -i eth2 eth4).
- To specify CPU cores:
  - Use this syntax:
    {-c | --core} <IDs of CPU Cores that run CoreXL SND Instances>
  - To specify a specific CPU core, enter its ID number (for example: -c 1).
  - To specify several nonconsecutive CPU cores, enter their
  ID numbers separated with spaces (for example: -c 1 3) or
  commas (for example: -c 1,3).
  - To specify several consecutive CPU cores, enter their first and last
  ID numbers separated with a hyphen (for example: -c 3-6).

- To see the current CoreXL affinity configuration, run the "fw ctl affinity" on
page 1469 command (with applicable parameters).
- To see the CoreXL Firewall Instances and which CPU cores they use, run
the "fw ctl multik stat" on page 1464 command.
- To see all available CPU cores, run:

cat /proc/cpuinfo | grep processor

-r | --reconf  Applies the existing Multi-Queue policy.
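The core notation that mq_mng -s manual -c accepts (IDs separated by spaces or commas, and first-last ranges) is easy to get wrong, and a core ID that does not exist on the host is the most common slip. The shell functions below are an added example, not part of mq_mng or of this guide: they expand a core specification into a plain list and check it against the host's core IDs, which are assumed to be passed in as the list printed by $FWDIR/boot/fwboot cpuid (for example "3 2 1 0", as in the fwboot cpuid example earlier in this chapter).

```shell
#!/bin/sh
# Added example, not part of mq_mng: expand the CPU-core notation that
# "mq_mng -s manual -c ..." accepts and check it against the host's core IDs.

# expand_cores SPEC
# SPEC items are separated by spaces or commas; each item is a single ID (N)
# or an inclusive range (A-B). Prints the IDs ascending and de-duplicated,
# space separated. Returns 1 (prints nothing) if an item is malformed.
expand_cores() {
    spec=$(printf '%s' "$1" | tr ',' ' ')
    result=""
    for item in $spec; do
        case "$item" in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item;       hi=$item ;;
        esac
        # Both ends must be non-empty decimal integers with lo <= hi
        case "$lo" in ''|*[!0-9]*) return 1 ;; esac
        case "$hi" in ''|*[!0-9]*) return 1 ;; esac
        if [ "$lo" -gt "$hi" ]; then return 1; fi
        i=$lo
        while [ "$i" -le "$hi" ]; do
            result="$result $i"
            i=$((i + 1))
        done
    done
    # Sort numerically and drop duplicates (e.g. "0,2-3,2" -> "0 2 3")
    printf '%s\n' $result | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# check_cores SPEC AVAILABLE
# AVAILABLE is the ID list printed by "$FWDIR/boot/fwboot cpuid" (e.g. "3 2 1 0").
# Prints the requested IDs that the host does not have, or "ok".
check_cores() {
    wanted=$(expand_cores "$1") || { echo "bad spec: $1"; return 1; }
    missing=""
    for w in $wanted; do
        hit=0
        for a in $2; do
            if [ "$a" = "$w" ]; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then missing="$missing${missing:+ }$w"; fi
    done
    echo "${missing:-ok}"
}

# Demonstration with a constructed four-core host ("3 2 1 0" is the cpuid output above)
echo "1,3  -> $(expand_cores '1,3')"
echo "3-6  -> $(expand_cores '3-6')"
echo "check 1,3 on 3 2 1 0: $(check_cores '1,3' '3 2 1 0')"
echo "check 3-6 on 3 2 1 0: $(check_cores '3-6' '3 2 1 0')"
# On a Security Gateway (assumed invocation; fwboot exists only on Gaia):
#   check_cores "1,3" "$($FWDIR/boot/fwboot cpuid)"
```

Run the check before mq_mng -s manual -c and only pass the specification on when it prints "ok"; the Important note above still applies, so plan the reboot that follows any Multi-Queue change.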

Identity Awareness Commands


For more information about Identity Awareness, see the R80.40 Identity Awareness Administration Guide.
These terms are used in the CLI commands:

Term Description

PDP  Identity Awareness Policy Decision Point.
This is an Identity Awareness Security Gateway, which is responsible for collecting and sharing
identities.

PEP  Identity Awareness Policy Enforcement Point.
This is an Identity Awareness Security Gateway, which is responsible for enforcing network
access restrictions.
It makes its decisions based on identity data it collected from the PDP.

ADLOG  The module responsible for the acquisition of identities of entities (users or computers) from
the Active Directory.
The adlog runs on:
- An Identity Awareness Security Gateway, for which you enabled the AD Query.
  The AD Query serves the Identity Awareness Software Blade, which enforces the
  policy and logs identities.
- A Log Server. The adlog logs identities.

The adlog is the command line process used to control and monitor the ADLOG feature.

The command line tool helps control users' statuses, as well as troubleshoot and monitor
the system.

The PEP and PDP processes are key components of the system. Through them, administrators control
user access and network protection.

adlog
Description
Provides commands to control and monitor the AD Query process.

Syntax
- When the adlog runs on a Security Gateway, the AD Query serves the Identity Awareness
Software Blade, which enforces policy and logs identities.
In this case, the command syntax is:

adlog a <parameter> [<option>]

- When the adlog runs on a Log Server, it logs identities.
In this case, the command syntax is:

adlog l <parameter> [<option>]

Note - Parameters for the "adlog a" and "adlog l" commands are identical.

Parameters

Parameter Description

No Parameters Displays available options for this command and exits.

a or l  Sets the working mode:
- adlog a - If you use the AD Query for Identity Awareness.
- adlog l - If you use a Log Server (Identity Logging).

control <parameter> <option>  Sends control commands to the AD Query.
See "adlog control" on page 1513.

dc  Shows the status of a connection to the AD domain controller.
See "adlog dc" on page 1515.

debug <parameter>  Enables and disables the adlog debug output.
See "adlog debug" on page 1516.

query <parameter> <option>  Shows the database of identities acquired by the AD Query,
according to the specified filter.
See "adlog query" on page 1517.


statistics Shows statistics about NT Event logs received by adlog, for each IP
address and total.
Also shows the number of identified IP addresses.
See "adlog statistics" on page 1518.

adlog control
Description
Sends control commands to the AD Query.

Syntax

adlog {a | l} control
      muh <options>
      reconf
      srv_accounts <options>
      stop

Parameters

Parameter Description

muh <options>  Manages the list of Multi-User Hosts.
The available <options> are:
- Show all known Multi-User Hosts:

adlog {a | l} control muh show

- Add an IP address as a Multi-User Host:

adlog {a | l} control muh mark

- Remove an IP address from the list of Multi-User Hosts:

adlog {a | l} control muh unmark

reconf  Sends a reconfiguration command to the AD Query.
Resets the policy configuration to the one defined in SmartConsole.


srv_accounts <options>  Manages service accounts.
Service accounts are accounts that do not belong to actual users; rather, they belong to
services that run on a computer. An account is suspected to be a service account if it is logged in
more than a certain number of times.
The available <options> are:

- Show all known service accounts:

adlog {a | l} control srv_accounts show

- Clear all the accounts from the list of service accounts:

adlog {a | l} control srv_accounts clear

- Manually update the list of service accounts:

adlog {a | l} control srv_accounts find

- Remove an account name from the list of service accounts:

adlog {a | l} control srv_accounts unmark

stop  Stops the AD Query.
The Security Gateway no longer acquires new identities with the AD Query.

adlog dc
Description
Shows the status of a connection to the AD domain controller.

Syntax

adlog a dc

adlog l dc

adlog debug
Description
Enables and disables the adlog debug output.

Feature Output Debug File

Identity Awareness on a Security Gateway $FWDIR/log/pdpd.elg

Identity Logging on a Log Server $FWDIR/log/fwd.elg

Syntax

adlog {a | l} debug
      extended
      mode
      off
      on

Parameters

Parameter Description

extended Turns on the debug and adds extended debug topics.

mode Shows the debug status ("on", or "off").

off Turns off the debug.

on Turns on the debug.

adlog query
Description
Shows the database of identities acquired by the AD Query, according to the specified filter.

Syntax

adlog {a | l} query
      all
      ip <IP Address>
      machine <Computer Name>
      string <String>
      user <Username>

Parameters

Parameter Description

all No filter. Shows the entire identity database.

ip <IP Address> Filters identities that relate to the specified IP address.

machine <Computer Name> Filters identity mappings based on the specified computer name.

string <String> Filters identity mappings based on the specified text string.

user <Username> Filters identity mappings based on the specified user.

Example - Show the entry that contains the string "jo" in the user name

adlog a query user jo

adlog statistics
Description
Shows statistics about NT Event logs received by adlog, for each IP address and total.
Also shows the number of identified IP addresses.

Syntax

adlog a statistics

adlog l statistics

pdp
Description
These commands control and monitor the pdpd process.

Syntax

pdp <command> [<parameter> [<option>]]

Commands

Parameter Description

No Parameters Shows available options for this command and exits.

ad <parameter> <option>  For the AD Query, adds (or removes) an identity to the Identity
Awareness database on the Security Gateway.
See "pdp ad" on page 1521.

auth <parameter> <option>  Shows authentication or authorization options.
See "pdp auth" on page 1523.

broker <parameter> <option>  Controls the PDP Identity Broker.
See "pdp broker" on page 1527.

conciliation <parameter> <option>  Controls the session conciliation mechanism.
See "pdp conciliation" on page 1531.

connections <parameter>  Shows the PDP connections with the PEP gateways, Terminal
Servers, and Identity Collectors.
See "pdp connections" on page 1533.

control <parameter> <option>  Controls the PDP parameters.
See "pdp control" on page 1534.

debug <parameter> <option>  Controls the PDP debug.
See "pdp debug" on page 1535.

idc <parameter> <option>  Operations related to Identity Collector.
See "pdp idc" on page 1538.

idp <parameter> <option>  Operations related to SAML-based authentication.
See "pdp idp" on page 1540.


ifmap <parameter> <option>  Controls the Interface to Metadata Access Points (IF-MAP) sessions.
See "pdp ifmap" on page 1541.

monitor <parameter> <option>  Monitors the status of connected PDP sessions.
See "pdp monitor" on page 1543.

muh <parameter> <option>  Shows Multi-User Hosts (MUHs).
See "pdp muh" on page 1545.

nested_groups <parameter>  Shows LDAP Nested groups configuration.
See "pdp nested_groups" on page 1546.

network <parameter>  Shows information about network related features.
See "pdp network" on page 1547.

radius <parameter> <option>  Shows and configures the RADIUS accounting options.
See "pdp radius" on page 1548.

status <parameter>  Shows PDP status information, such as start time or configuration
time.
See "pdp status" on page 1552.

tasks_manager <parameter>  Shows the status of the PDP tasks.
See "pdp tasks_manager" on page 1553.

timers <parameter>  Shows PDP timers information for each session.
See "pdp timers" on page 1554.

topology_map  Shows topology of all PDP and PEP addresses.
See "pdp topology_map" on page 1555.

tracker <parameter>  Adds the TRACKER topic to the PDP logs.
See "pdp tracker" on page 1556.

update <parameter>  Recalculates users and computers group membership.
See "pdp update" on page 1557.

vpn <parameter>  Shows connected VPN gateways that send identity data from VPN
Remote Access Clients.
See "pdp vpn" on page 1558.

pdp ad
General Syntax

pdp ad
      associate <options>
      disassociate <options>

The 'pdp ad associate' command

Description
For the AD Query, adds an identity to the Identity Awareness database on the Security Gateway.
The group data must be in the AD.

Syntax

pdp ad associate ip <IP Address> u <Username> d <Domain> [m <Computer Name>] [t <Timeout>] [s]

Parameters

Parameter Description

ip <IP Address> Specifies the IP address for the identity.

u <Username> Specifies the username for the identity.

m <Computer Name>  Specifies the computer that is defined for the identity.

d <Domain>  Specifies the Domain of the ID server.

t <Timeout>  Specifies the timeout for the AD Query.
Default timeout is 5 hours.

s  Associates the "u <Username>" and the "m <Computer>" parameters
sequentially.
First, adds the "<Computer>" and then adds the "<Username>" to the
database.

The 'pdp ad disassociate' command

Description
For the AD Query, removes the identity from the Identity Awareness database on the Security Gateway.
Identity Awareness does not authenticate a user that is removed.

Syntax

pdp ad disassociate ip <IP Address> {u <Username> | m <Computer Name>} [r {override | probed | timeout}]

Parameters

Parameter Description

ip <IP Address> Specifies the IP address for the identity.

u <Username> Specifies the username for the identity.

m <Computer Name> Specifies the computer that is defined for the identity.

r {override | probed | timeout}  Specifies the reason to show in SmartConsole on the Logs & Monitor > Logs tab.

pdp auth
Description
Configures authentication/authorization options for PDP.

Syntax

pdp auth
      allow_empty_result <options>
      count_in_non_ldap_group <options>
      fetch_by_sid <options>
      force_domain <options>
      kerberos_any_domain <options>
      kerberos_encryption <options>
      reauth_agents_after_policy <options>
      recovery_interval <options>
      username_password <options>

Parameters

Parameter Description

allow_empty_result <options>  Shows and configures whether the fetching of local groups from the AD
server based on SID succeeds even if all SIDs are foreign.
The available <options> are:

- Disable the fetching of local groups:

pdp auth allow_empty_result disable

- Enable the fetching of local groups:

pdp auth allow_empty_result enable

- Show the current configuration:

pdp auth allow_empty_result status


count_in_non_ldap_group <options>  Shows and configures the identification of membership to individual users
that are selected in the user picker and LDAP branch groups in
SmartConsole.
The available <options> are:

- Disable the identification of membership:

pdp auth count_in_non_ldap_group disable

- Enable the identification of membership:

pdp auth count_in_non_ldap_group enable

- Show the current configuration:

pdp auth count_in_non_ldap_group status

fetch_by_sid <options>  Shows and configures the fetching of local groups from the AD server
based on SID.
The available <options> are:

- Disable the fetching of local groups:

pdp auth fetch_by_sid disable

- Enable the fetching of local groups:

pdp auth fetch_by_sid enable

- Show the current configuration:

pdp auth fetch_by_sid status

force_domain <options>  Shows and configures the PDP to match the identity's source, based on the
reported domain and authorization domain.
The available <options> are:

- Disable matching the identity's source:

pdp auth force_domain disable

- Enable matching the identity's source:

pdp auth force_domain enable

- Show the current configuration:

pdp auth force_domain status


kerberos_any_domain <options>  Shows and configures the use of all available Kerberos principals.
The available <options> are:

- Disable the use of all available Kerberos principals:

pdp auth kerberos_any_domain disable

- Enable the use of all available Kerberos principals:

pdp auth kerberos_any_domain enable

- Show the current configuration:

pdp auth kerberos_any_domain status

kerberos_encryption <options>  Shows and configures the Kerberos encryption type.

Note - In SmartConsole, go to Objects menu > Object Explorer
> Servers > open the LDAP Account Unit object > go to General
tab > click Active Directory SSO Configuration.

The available <options> are:

- Configure the Kerberos encryption type:

pdp auth kerberos_encryption set

- Show the current configuration:

pdp auth kerberos_encryption get

reauth_agents_after_policy <options>  Shows and configures the automatic reauthentication of Identity Agents
after policy installation.
The available <options> are:

- Disable the automatic reauthentication:

pdp auth reauth_agents_after_policy disable

- Enable the automatic reauthentication:

pdp auth reauth_agents_after_policy enable

- Show the current configuration:

pdp auth reauth_agents_after_policy status


recovery_interval <options>  Shows and configures the frequency of attempts to connect back to the
higher-priority PDP gateway.
The available <options> are:

- Disable the reconnect attempts:

pdp auth recovery_interval disable

- Enable the reconnect attempts:

pdp auth recovery_interval enable

- Configure the frequency of reconnect attempts:

pdp auth recovery_interval set <Number of Seconds>

- Show the current configuration:

pdp auth recovery_interval show

username_password <options>  Shows and configures the username and password authentication.
The available <options> are:

- Disable the username and password authentication:

pdp auth username_password disable

- Enable the username and password authentication:

pdp auth username_password enable

- Show the current configuration:

pdp auth username_password status

pdp broker
Description
These commands control the PDP Identity Broker.

Syntax

pdp broker
      debug {set | unset} <options>
      discard <options>
      reconnect <options>
      status [-e]
      sync <options>

Parameters

Parameter Description

debug set <options>
debug unset <options>  Controls the debug of the PDP Identity Broker.
The available <options> are:

- Print the logs related to remote Publisher PDPs:

pdp broker debug set pub <IP Address of Publisher PDP>

- Disable the logs related to remote Publisher PDPs:

pdp broker debug unset pub <IP Address of Publisher PDP>

- Print the extended logs related to remote Publisher PDPs:

pdp broker debug set pub_ext <IP Address of Publisher PDP>

- Disable the extended logs related to remote Publisher PDPs:

pdp broker debug unset pub_ext <IP Address of Publisher PDP>


- Print the logs related to communication with remote Publisher
PDPs:

pdp broker debug set pub_transport <IP Address of Publisher PDP>

Enable this debug on the Subscriber PDP side to observe the
Publisher PDP's JSON requests in these cases:
  - To monitor networking issues in case the message was not
  received.
  - To monitor the JSON requests from the Publisher PDPs and
  related message-parsing issues.
  - To monitor if the content of the JSON does not meet the
  requirements (for example: Sharing ID).
- Disable the logs related to communication with remote Publisher
PDPs:

pdp broker debug unset pub_transport <IP Address of Publisher PDP>

- Print the logs related to remote Subscriber PDPs:

pdp broker debug set sub <IP Address of Subscriber PDP>

- Disable the logs related to remote Subscriber PDPs:

pdp broker debug unset sub <IP Address of Subscriber PDP>

- Print the extended logs related to remote Subscriber PDPs:

pdp broker debug set sub_ext <IP Address of Subscriber PDP>

- Disable the extended logs related to remote Subscriber PDPs:

pdp broker debug unset sub_ext <IP Address of Subscriber PDP>


- Print the logs related to communication with remote Subscriber
PDPs:

pdp broker debug set sub_transport <IP Address of Subscriber PDP>

- Disable the logs related to communication with remote Subscriber
PDPs:

pdp broker debug unset sub_transport <IP Address of Subscriber PDP>

Notes:
- For more information about the debug, see "pdp debug"
on page 1535.
- To see the HTTP related issues, run this command to
enable the debug on the Publisher PDP side:

pdp debug set HttpClient all

To see more information for some errors, run this
command:

pdp broker status [-e]

discard <options>  Controls the timeout for discarding sessions received from the specified
Publisher PDP during a disconnection.
The available <options> are:

- Show the current timeout:

pdp broker discard show_timeout <IP Address of Publisher PDP>

- Configure the new timeout (in seconds):

pdp broker discard set_timeout <IP Address of Publisher PDP> <Timeout>

reconnect <IP Address of Subscriber PDP>  Forces the reconnection to the specified Subscriber PDP immediately.
If you run this command, the PDP ignores the keep-alive intervals and
exponential backoff timeouts, and sends the handshake / keep-alive
immediately.

Best Practice - You can use this command when a long time
passed since the PDP disconnected, and you need to establish
the connection again immediately.

CLI R80.40 Reference Guide      |      1529


pdp broker

Parameter Description

status [-e] Shows the status of remote Publisher PDPs and Subscriber PDPs.
The option "-e" flag adds more information (Subscriber PDP port and the
last error time and description).

sync <option> Synchronizes identities with the specified Publisher PDPs or Subscriber
PDPs.
The available <options> are:

n Send the synchronization request (in the next broker message) to


the specified remote Publisher PDP:

pdp broker sync pub <IP Address of


Publisher PDP>

n Send the synchronization request (in the next broker message) to


all remote Publisher PDPs:

pdp broker sync pub all

n Control the schedule for synchronization with remote Publisher


PDPs:

pdp broker sync schedule {add <option> |


remove <option>| show <option>}

l To add new synchronization time:

pdp broker sync schedule add <IP


Address of Publisher PDP> "<HH:MM>"

l To remove the current schedule:

pdp broker sync schedule remove <IP


Address of Publisher PDP> "<HH:MM>"

l To show the current schedule:

pdp broker sync schedule show [<IP


Address of Publisher PDP>]

n Initiate the synchronization with the specified remote Subscriber


PDP:

pdp broker sync sub <IP Address of


Subscriber PDP>

n Initiate the synchronization with all remote Subscriber PDPs:

pdp broker sync sub all

pdp conciliation

Description
Controls the session conciliation mechanism.

Syntax

pdp conciliation
      adq_single_user <option>
      api_multiple_users <option>
      idc_multiple_users <option>
      rad_multiple_users <option>

Parameters

adq_single_user <option>
    Shows and controls the assumption that a single AD Query user is connected on each computer.
    The available <options> are:
    - Disable this behavior:
          pdp conciliation adq_single_user disable
    - Enable this behavior:
          pdp conciliation adq_single_user enable
    - Show the current status (enabled or disabled):
          pdp conciliation adq_single_user stat

api_multiple_users <option>
    Shows and controls the assumption that multiple Web-API users are connected on each computer.
    The available <options> are:
    - Disable this behavior:
          pdp conciliation api_multiple_users disable
    - Enable this behavior:
          pdp conciliation api_multiple_users enable
    - Show the current status (enabled or disabled):
          pdp conciliation api_multiple_users stat

idc_multiple_users <option>
    Shows and controls the assumption that multiple Identity Collector users are connected on each computer.
    The available <options> are:
    - Disable this behavior:
          pdp conciliation idc_multiple_users disable
    - Enable this behavior:
          pdp conciliation idc_multiple_users enable
    - Show the current status (enabled or disabled):
          pdp conciliation idc_multiple_users stat

rad_multiple_users <option>
    Shows and controls the assumption that multiple RADIUS users are connected on each computer.
    The available <options> are:
    - Disable this behavior:
          pdp conciliation rad_multiple_users disable
    - Enable this behavior:
          pdp conciliation rad_multiple_users enable
    - Show the current status (enabled or disabled):
          pdp conciliation rad_multiple_users stat

pdp connections

Description
Shows the PDP connections with PEP gateways, Terminal Servers, and Identity Collectors.

Syntax

pdp connections
      idc
      pep
      ts

Parameters

idc
    Shows a list of connected Identity Collectors.

pep
    Shows the connection status of all the PEPs that the current PDP should update.

ts
    Shows a list of all connected Terminal Servers.

pdp control

Description
Provides commands to control the PDP.

Syntax

pdp control
      revoke_ip <IP address>
      sync

Parameters

revoke_ip <IP address>
    Logs out the session that is related to the specified IP address.

sync
    Forces an initiated synchronization operation between the PDPs and the PEPs.
    When you run this command, the PDP informs its related PEPs of the up-to-date information of all connected sessions.
    At the end of this operation, the PDP and the PEPs contain the same and latest session information.

pdp debug

Description
Controls the debug of the PDP.

Syntax

pdp debug
      async1
      ccc {off | on}
      memory
      off
      on
      reset
      rotate
      set <Topic Name> <Severity>
      spaces [<0 - 5>]
      stat
      unset <Topic Name>

Parameters

async1
    Tests the async command line with the echo command for 30 seconds.

ccc {off | on}
    Configures whether to write the CCC debug logs into the PDP log file $FWDIR/log/pdpd.elg:
    - on - Writes the CCC debug logs
    - off - Does not write the CCC debug logs

memory
    Shows the memory consumption of the pdpd daemon.

off
    Disables the PDP debug.

on
    Enables the PDP debug.
    Important - After you run the command "pdp debug on", you must run the command "pdp debug set ..." to configure the required filter.

reset
    Resets the PDP debug options for Debug Topic and Severity.
    Important - After you run the command "pdp debug reset", you must run the command "pdp debug off" to turn off the debug.

rotate
    Rotates the PDP log files - increases the index of each log file:
    1. $FWDIR/log/pdpd.elg becomes $FWDIR/log/pdpd.elg.0
    2. $FWDIR/log/pdpd.elg.0 becomes $FWDIR/log/pdpd.elg.1
    3. And so on.

set <Topic Name> <Severity>
    Filters which debug logs the PDP writes to the log file, based on the specified Debug Topics and Severity.
    The available Debug Topics are:
    - all
    - Check Point Support provides more specific topics, based on the reported issue
    The available Severities are:
    - all
    - critical
    - events
    - important
    - surprise
    Best Practice - We recommend that you enable all Topics and all Severities. Run:
          pdp debug set all all

spaces [<0 - 5>]
    Shows and configures the number of indentation spaces in the $FWDIR/log/pdpd.elg file.
    You can specify the number of spaces: 0 (this is the default), 1, 2, 3, 4, or 5.

stat
    Shows the current PDP debug status.

unset <Topic Name>
    Unsets the specified Debug Topic(s).

Important - When you enable the debug, it affects the performance of the pdpd daemon. Make sure to disable the debug after you complete your troubleshooting.

pdp idc

Description
Operations related to Identity Collector.

Syntax

pdp idc
      groups_consolidation <options>
      muh <options>
      service_accounts
      status

Parameters

groups_consolidation <options>
    Shows and configures the consolidation of external groups with fetched groups.
    The available <options> are:
    - Enable the consolidation (this is the default):
          pdp idc groups_consolidation enable
    - Disable the consolidation:
          pdp idc groups_consolidation disable
    - Show the current status:
          pdp idc groups_consolidation status

muh <options>
    Shows and configures the Multi-User Host detection.
    The available <options> are:
    - Mark an IP address as a Multi-User Host:
          pdp idc muh mark
    - Show known Multi-User Host machines:
          pdp idc muh show
    - Unmark an IP address as a Multi-User Host:
          pdp idc muh unmark

service_accounts
    Shows the suspected service accounts.

status
    Shows the status of configured identity sources (Identity Collectors).

pdp idp

Description
Operations related to SAML-based authentication.

Syntax

pdp idp groups <options>

Parameters

groups <options>
    Shows and configures the consolidation of external groups with the fetched groups.
    The available <options> are:
    - Configure the authorization behavior for user groups:
          pdp idp groups set {only | prefer | union | ignore}
        - only - Considers only groups the Identity Provider sends. Ignores groups received from configured User Directories.
        - prefer - Prefers groups the Identity Provider sends. Considers groups received from configured User Directories only if the Identity Provider sends no group. This is the default.
        - union - Considers both groups received from configured User Directories and groups the Identity Provider sends.
        - ignore - Considers only groups received from configured User Directories. Ignores groups the Identity Provider sends.
    - Show the configured behavior:
          pdp idp groups status

pdp ifmap

Description
Controls the Interface to Metadata Access Points (IF-MAP) sessions.

Syntax

pdp ifmap
      connect <options>
      disconnect <options>
      revoke <options>
      status <options>

Parameters

connect <options>
    Initiates connections to disconnected IF-MAP sessions.
    The available <options> are:
    - Initiate connections to all disconnected IF-MAP sessions:
          pdp ifmap connect all
    - Initiate a connection to the specified disconnected IF-MAP session:
          pdp ifmap connect <Session Number>

disconnect <options>
    Disconnects an IF-MAP session.
    The available <options> are:
    - Disconnect all IF-MAP sessions:
          pdp ifmap disconnect all
    - Disconnect the specified IF-MAP session:
          pdp ifmap disconnect <Session Number>

revoke <options>
    Revokes IP addresses of an IF-MAP session.
    The available <options> are:
    - Revoke IP addresses of all IF-MAP sessions:
          pdp ifmap revoke all
    - Revoke IP addresses of the specified IF-MAP session:
          pdp ifmap revoke <Session Number>

status <options>
    Shows the current IF-MAP status.
    The available <options> are:
    - Show detailed information for the specified session:
          pdp ifmap status <Session Number>

pdp monitor

Description
Monitors the status of connected PDP sessions.
You can run different queries with the commands below to get the output you are interested in.

Syntax

pdp monitor
      all
      client_type <Client Type>
      cv_ge <Version>
      cv_le <Version>
      groups <Group Name>
      ip <IP address>
      machine <Computer Name>
      machine_exact
      mad
      network
      s_port
      summary
      user <Username>
      user_exact

Parameters

all
    Shows information for all connected sessions.

client_type <Client Type>
    Shows all sessions that connect through the specified client type.
    Possible client types are:
    - "AD Query" - User was identified by the AD Query.
    - "Identity Agent" - User or computer was identified by an Identity Awareness Agent.
    - portal - User was identified by the Captive Portal.
    - unknown - User was identified by an unknown source.

cv_ge <Version>
    Shows all sessions that are connected with a client version that is higher than (or equal to) the specified version.

cv_le <Version>
    Shows all sessions that are connected with a client version that is lower than (or equal to) the specified version.

groups <Group Name>
    Shows all sessions of users or computers that are members of the specified group.

ip <IP address>
    Shows session information for the specified IP address.

machine <Computer Name>
    Shows session information for the specified computer name.

machine_exact
    Shows sessions filtered by the exact computer name.

mad
    Shows all sessions that relate to a managed asset.
    For example, all sessions that successfully performed computer authentication.

network
    Shows sessions filtered by a network wildcard.
    For example: 192.168.72.*

s_port
    Shows sessions filtered by the assigned source port (MUH sessions only).

summary
    Shows the summary monitoring data.

user <Username>
    Shows session information for the specified user name.

user_exact
    Shows sessions filtered by the exact user name.

Example - Show the connected user behind the IP address 192.0.2.1

pdp monitor ip 192.0.2.1

Note - The last field "Published" indicates whether the session information was already published to the Gateway PEPs, whose IP addresses are listed.

pdp muh

Description
Shows Multi-User Hosts (MUHs).

Syntax

pdp muh status

pdp nested_groups

Description
Defines and shows the LDAP Nested Groups configuration.

Syntax

pdp nested_groups
      clear
      depth <options>
      disable
      enable
      show
      status
      __set_state <options>

Parameters

clear
    Clears the list of users for which the depth was not enough.

depth <1 - 40>
    Sets the nested groups depth (between 1 and 40).

disable
    Disables the nested groups.

enable
    Enables the nested groups.

show
    Shows the list of users for which the depth was not enough.

status
    Shows the configuration status of nested groups.

__set_state {1 | 2 | 3}
    Sets the nested groups state:
    - 1 - Recursive (as in R77.X versions)
    - 2 - Per-user
    - 3 - Multi per-group

pdp network

Description
Shows information about network related features.

Syntax

pdp network {info | registered}

Parameters

info
    Shows a list of networks known by the PDP.

registered
    Shows the mapping of a network address to the registered gateways (PEP module).

pdp radius

Description
Shows and configures the RADIUS accounting options.

Syntax

pdp radius
      ip
            reset
            set <options>
      groups
            fetch <options>
            reset
            set <options>
      parser
            reset
            set <options>
      roles
            fetch <options>
            reset
            set <options>
      status

Parameters

ip <options>
    Configures the secondary IP options.
    The available <options> are:
    - Set the secondary IP index:
          pdp radius ip set <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>]
    - Reset the secondary IP settings:
          pdp radius ip reset

groups <options>
    Configures the options for user groups.
    The available <options> are:
    - Control whether to fetch groups from RADIUS messages:
          pdp radius groups fetch {off | on}
        - off - Do not fetch.
        - on - Fetch.
    - Reset the user groups options:
          pdp radius groups reset
    - Set the group index:
          pdp radius groups set <options>
        - To set the group index for machines:
              pdp radius groups set -m <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>] [-d <delimiter>]
        - To set the group index for users:
              pdp radius groups set -u <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>] [-d <delimiter>]

parser <options>
    Configures the parsing options.
    The available <options> are:
    - Reset the parsing options:
          pdp radius parser reset
    - Set the parsing options for attributes:
          pdp radius parser set <attribute index> [-c <vendor code> -a <vendor specific attribute index>] -p <prefix> -s <suffix>

roles <options>
    Configures how to obtain roles from RADIUS messages.
    The available <options> are:
    - Control whether to fetch roles from RADIUS messages:
          pdp radius roles fetch {off | on}
        - off - Do not fetch.
        - on - Fetch.
    - Reset the role fetch options:
          pdp radius roles reset
    - Set the role index:
          pdp radius roles set <options>
        - To set the role index for machines:
              pdp radius roles set -m <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>] [-d <delimiter>]
        - To set the role index for users:
              pdp radius roles set -u <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>] [-d <delimiter>]

status
    Shows the current status.

pdp status

Description
Shows PDP status information, such as start time or configuration time.

Syntax

pdp status show

Parameters

show
    Shows PDP information.

pdp tasks_manager

Description
Shows the status of the PDP tasks (current running, previous, and pending tasks).

Syntax

pdp tasks_manager status

Parameters

status
    Shows the status of the PDP tasks.

pdp timers

Description
Shows PDP timers information for each PDP session.

Syntax

pdp timers show

Parameters

show
    Shows PDP timers information for each PDP session:
    - User Auth Timer
    - Machine Auth Timer
    - Pep Cache Timer
    - Compliance Timer
    - Keep Alive Timer
    - Ldap Fetch Timer

pdp topology_map

Description
Shows the topology of all PDP and PEP addresses.

Syntax

pdp topology_map

pdp tracker

Description
During the PDP debug, adds the TRACKER debug topic to the PDP logs (this is enabled by default).
This is very useful when you monitor the PDP-to-PEP identity sharing and other communication in distributed environments.
You can set this manually if you add the TRACKER topic to the PDP debug.

Syntax

pdp tracker {off | on}

Parameters

off
    Disables the logging of TRACKER events in the PDP log.

on
    Enables the logging of TRACKER events in the PDP log.

pdp update

Description
Initiates a recalculation of group membership for all users and computers.

Important - This command does not update deleted accounts.

Syntax

pdp update {all | specific}

Parameters

all
    Recalculates group membership for all users and computers.

specific
    Recalculates group membership for a specified user or computer.

pdp vpn

Description
Shows the connected VPN gateways that send VPN Remote Access Client identity data.

Syntax

pdp vpn
      show

Parameters

show
    Shows the connected VPN gateways.

pep

Description
Provides commands to control and monitor the PEPD process (see below for options).

Syntax

pep <command> [<parameter> [<option>]]

Commands

control <parameter> <option>
    Controls the PEP parameters.
    See "pep control" on page 1560.

debug <parameter> <option>
    Controls the PEP debug.
    See "pep debug" on page 1561.

show <parameter> <option>
    Shows PEP information.
    See "pep show" on page 1563.

tracker <parameter>
    During the PEP debug, adds the TRACKER debug topic to the PEP logs.
    See "pep tracker" on page 1566.

pep control

Description
Provides commands to control the PEP.

Syntax

pep control
      extended_info_storage <options>
      portal_dual_stack <options>
      tasks_manager status <options>

Parameters

extended_info_storage <options>
    Controls whether the PEP stores the extended identities information for debug.
    The available <options> are:
    - disable - The PEP does not store the information.
    - enable - The PEP stores the information.

portal_dual_stack <options>
    Controls the support for portal dual stack (IPv4 and IPv6).
    The available <options> are:
    - disable - Disables the support.
    - enable - Enables the support.

tasks_manager <options>
    Shows the status of the PEP tasks (current running, previous, and pending tasks).
    The available <options> are:
    - status - Shows the status.

pep debug

Description
Controls the debug of the PEP.

Syntax

pep debug
      memory
      off
      on
      reset
      rotate
      set <options>
      spaces [<options>]
      stat
      unset <options>

Parameters

memory
    Displays the memory consumption of the pepd daemon.

off
    Disables the PEP debug.

on
    Enables the PEP debug.
    Important - After you run the command "pep debug on", you must run the command "pep debug set ..." to configure the required filter.

reset
    Resets the PEP debug options for Debug Topics and Severities.
    Important - After you run the command "pep debug reset ...", you must run the command "pep debug off" to turn off the debug.

rotate
    Rotates the PEP log files - increases the index of each log file:
    - $FWDIR/log/pepd.elg becomes $FWDIR/log/pepd.elg.0
    - $FWDIR/log/pepd.elg.0 becomes $FWDIR/log/pepd.elg.1
    - And so on.

set <Topic Name> <Severity>
    Filters which debug logs the PEP writes to the log file, based on the specified Debug Topics and Severity.
    The available Debug Topics are:
    - all
    - Check Point Support provides more specific topics, based on the reported issue
    The available Severities are:
    - all
    - critical
    - events
    - important
    - surprise
    Best Practice - We recommend that you enable all Topics and all Severities. Run:
          pep debug set all all

spaces [0 | 1 | 2 | 3 | 4 | 5]
    Displays and sets the number of indentation spaces in the $FWDIR/log/pepd.elg file.
    The default is 0 spaces.

stat
    Shows the current PEP debug status.

unset <Topic Name>
    Unsets the specified Debug Topic(s).

Important - When you enable the debug, it affects the performance of the pepd daemon. Make sure to turn off the debug after you complete your troubleshooting.
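
The "pdp debug" and "pep debug" tables above both describe the same capture sequence: rotate the log, turn the debug on, set a topic and severity filter, and, when done, run "debug reset" followed by "debug off" because the debug costs daemon performance. The following wrapper is an added example for the Expert shell and is not part of this guide or of Check Point's tooling. It assumes that "pdp" and "pep" are on the PATH and that $FWDIR is set, as they are in Expert mode on a gateway; the IDA_DEBUG_CMD hook, the function names, and the default "all all" filter are choices of this example.

```shell
# Added example, not from the guide: run a time-bounded pdp/pep debug capture
# and make sure the debug is switched off again afterwards (reset, then off),
# including when the capture is interrupted.
# Assumptions: Expert shell on the gateway ($FWDIR set, "pdp"/"pep" on PATH).
# IDA_DEBUG_CMD is this example's hook: when set, every "<daemon> debug ..."
# call is passed to that program instead of the real CLI (for dry runs/tests).

ida_run() {
    # Run "<daemon> debug ..." through the real CLI or through the hook.
    if [ -n "${IDA_DEBUG_CMD:-}" ]; then
        "$IDA_DEBUG_CMD" "$@"
    else
        "$@"
    fi
}

ida_debug_stop() {
    # Documented order: "debug reset" clears Topic/Severity, then "debug off".
    ida_run "$1" debug reset
    ida_run "$1" debug off
}

ida_debug_capture() {
    # usage: ida_debug_capture {pdp|pep} <seconds> [<topic> <severity>]
    # Prints the path of the .elg file that holds the capture.
    daemon=$1
    seconds=$2
    topic=${3:-all}
    severity=${4:-all}
    case "$daemon" in
        pdp|pep) ;;
        *) echo "ida_debug_capture: daemon must be pdp or pep" >&2; return 2 ;;
    esac
    # Rotate first so the capture starts in a fresh $FWDIR/log/<daemon>d.elg.
    ida_run "$daemon" debug rotate
    ida_run "$daemon" debug on
    # If the capture is interrupted, still run reset + off before exiting.
    trap 'ida_debug_stop "$daemon"; exit 130' INT TERM
    # The guide requires "debug set" after "debug on" to configure the filter.
    ida_run "$daemon" debug set "$topic" "$severity"
    sleep "$seconds"
    ida_debug_stop "$daemon"
    trap - INT TERM
    echo "$FWDIR/log/${daemon}d.elg"
}
```

Usage on a gateway: `ida_debug_capture pdp 60` captures sixty seconds of PDP debug with the "all all" filter the guide recommends and prints the path of $FWDIR/log/pdpd.elg; `ida_debug_capture pep 60 all critical` does the same for the PEP with only critical severity. The point of the trap is that a Ctrl-C during the sleep still leaves the daemon with debug turned off.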

pep show

Description
Shows information about the PEP.

Syntax

pep show
    conciliation_clashes
        all
        clear
        ip <Session IP Address>
    network
        pdp
        registration
    pdp
        all
        id <ID of PDP>
    stat
    topology_map
    user
        all
        query
                cid <IP[,ID]>
                cmp <Compliance>
                mchn <Computer Name>
                mgrp <Group>
                pdp <IP[,ID]>
                role <Identity Role>
                ugrp <Group>
                uid <UID String>
                usr <Username>

Parameters

conciliation_clashes <options>
    Shows session conciliation clashes.
    The available <options> are:
    - all - Shows all conciliation clashes.
    - clear - Clears all session clashes.
    - ip <Session IP Address> - Shows all conciliation clashes filtered by the specified session IP address.

network <options>
    Shows network related information.
    The available <options> are:
    - pdp - Shows the Network-to-PDP mapping table.
    - registration - Shows the networks registration table.

pdp <options>
    Shows the communication channel between the PEP and the PDP.
    The available <options> are:
    - all - Shows all connected PDPs.
    - id <ID of PDP> - Shows the information for the specified PDP.

stat
    Shows the last time the pepd daemon was started and the last time a policy was received.
    Important - Each time the pepd daemon starts, it loads the policy, so these two times (daemon start and policy fetch) are very close to each other.

topology_map
    Shows the topology of all PDP and PEP addresses.

user <options>
    Shows the status of the sessions that the PEP knows.
    You can perform various queries to get the applicable output (see below).
    The available <options> are:
    - all - Shows the list of all clients.
    - query - Queries the list of users based on the specified filters:
        - cid <IP[,ID]> - Matches entries of clients with the specified Client ID.
        - cmp <Compliance> - Matches entries with the specified compliance.
        - mchn <Computer Name> - Matches entries with the specified computer name.
        - mgrp <Group> - Matches entries with the specified machine group.
        - pdp <IP[,ID]> - Matches entries that the specified PDP updated.
        - role <Identity Role> - Matches entries with the specified identity role.
        - ugrp <Group> - Matches entries with the specified user group.
        - uid <UID String> - Matches entries with the specified full or partial UID.
        - usr <Username> - Matches entries with the specified username.

    Note - You can use multiple query filters at the same time to create a logical AND correlation between them.
    For example, to show all users whose name contains the sub-string "jo" AND who are members of the user group "Employees", use this query:
          # pep show user query usr jo ugrp Employees

pep tracker

Description
During the PEP debug, adds the TRACKER debug topic to the PEP logs (this is enabled by default).
This is very useful when you monitor the PDP-to-PEP identity sharing and other communication in distributed environments.
You can set this manually if you add the TRACKER topic to the PEP debug.

Syntax

pep tracker {off | on}

Parameters

off
    Disables the logging of TRACKER events in the PEP log.

on
    Enables the logging of TRACKER events in the PEP log.

test_ad_connectivity

Description
This utility runs connectivity tests from the Security Gateway to an AD domain controller.
You can define the parameters for this utility in one of these ways:
- In the command line as specified below
- In the $FWDIR/conf/test_ad_connectivity.conf configuration file.
  Parameters you define in the $FWDIR/conf/test_ad_connectivity.conf file cannot contain white spaces and cannot be within quotation marks.

Important:
- Parameters you define in the command line override the parameters you define in the configuration file.
- This utility saves its output in the file you specify with the -o parameter.
  In addition, examine the $FWDIR/log/test_ad_connectivity.elg file.

Syntax

[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity -h

[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity <Parameter_1 Value_1> <Parameter_2 Value_2> ... <Parameter_N Value_N> ... <Parameters And Options>

Parameters

-h (Optional)
    Shows the built-in help.

-a (Mandatory)
    Prompts the user for the password on the screen.
    Use only one of these options: -a, -c, -p.

-b <LDAP Search Base String> (Optional)
    Specifies the LDAP Search Base String.

-c <Password in Clear Text> (Mandatory)
    Specifies the user's password in clear text.
    Use only one of these options: -a, -c, -p.

-d <Domain Name> (Mandatory)
    Specifies the domain name of the AD (for example, ad.mycompany.com).

-D <User DN> (Mandatory)
    Overrides the LDAP user DN (the utility does not try to figure out the DN automatically).

-f <AD Fingerprint for LDAPS> (Optional)
    Specifies the AD fingerprint for LDAPS.

-i <IPv4 address of DC> (Mandatory)
    Specifies the IPv4 address of the AD domain controller to test.

-I <IPv6 address of DC> (Mandatory)
    Specifies the IPv6 address of the AD domain controller to test.

-o <File Name> (Mandatory)
    Specifies the name of the output file.
    This utility always saves the output file in the $FWDIR/tmp/ directory.

-p <Obfuscated Password> (Mandatory)
    Specifies the user's password in obfuscated text.
    Use only one of these options: -a, -c, -p.

-l (Optional)
    Runs the LDAP connectivity test only (no WMI test).

-L <Timeout> (Optional)
    Specifies the timeout (in milliseconds) for the LDAP test only.
    If this timeout expires and the LDAP test is still running, both the LDAP connectivity and WMI connectivity tests fail.

-M (Optional)
    Runs the utility in demo mode.

-r <Port Number> (Optional)
    Specifies the LDAP or LDAPS connection port number.
    The default ports are:
    - LDAP - 389
    - LDAPS - 636

-s (Optional)
    Specifies that the LDAP connection must be over SSL.

-t <Timeout> (Optional)
    Specifies the total timeout (in milliseconds) for both the LDAP connectivity and WMI connectivity tests.

-u <Username> (Mandatory)
    Specifies the administrator user name on the AD.

-v (Optional)
    Prints the full path to the specified output file.

-x <Domain Name> (Mandatory)
    Specifies the domain name of the AD (for example, ad.mycompany.com).
    The utility prompts the user for the password.

-w (Optional)
    Runs the WMI connectivity test only (no LDAP test).

Example

IPv4 of AD DC: 192.168.230.240
Domain: mydc.local
Username: Administrator
Password: aaaa

Syntax:

[Expert@GW:0]# $FWDIR/bin/test_ad_connectivity -u "Administrator" -c "aaaa" -D "CN=Administrator,CN=Users,DC=mydc,DC=local" -d mydc.local -i 192.168.230.240 -b "DC=mydc,DC=local" -o test.txt
[Expert@GW:0]#

Output:

[Expert@GW:0]# cat $FWDIR/tmp/test.txt
(
:status (SUCCESS_LDAP_WMI)
:err_msg ("WMI_SUCCESS;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (WMI_SUCCESS)
:timestamp ("Mon Feb 26 10:17:41 2018")
)
[Expert@GW:0]#

Note - To verify that the output is from the current run, check that the timestamp matches the local time.
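
The result file shown in the Example above has a simple shape: an opening "(" line, one ":key (value)" line per field, and a closing ")" line, and the Note says to compare its timestamp with the local time before trusting it. The following functions are an added example for the Expert shell, not part of this guide or of the utility itself: they read that file, turn the ":status" field into an exit code, and check that the timestamp is recent enough to belong to the current run rather than to a leftover file in $FWDIR/tmp. They assume exactly the field layout of the Example and GNU "date -d" for parsing the timestamp; the function names and the constructed sample file are this example's own. On a gateway, pass the file as "$FWDIR/tmp/<name>" (the name given with -o), and prefer -a or -p over -c so the password is not left in the shell history.

```shell
# Added example, not from the guide: parse the test_ad_connectivity result
# file and check that it is both successful and fresh.
# Assumes the "(" / ":key (value)" / ")" layout from the guide's example and
# GNU date for "date -d". Function names are this example's own.

# Print the value of one ":key (value)" field, without surrounding quotes.
ad_result_field() {
    # usage: ad_result_field <file> <key>
    sed -n "s/^[[:space:]]*:$2[[:space:]]*(\(.*\))[[:space:]]*\$/\1/p" "$1" \
        | sed 's/^"\(.*\)"$/\1/'
}

# Exit 0 when both the LDAP and WMI tests passed, 1 when either failed,
# 2 when the file has no ":status" field (missing or not a result file).
ad_result_check() {
    status=$(ad_result_field "$1" status)
    [ -n "$status" ] || return 2
    case "$status" in
        SUCCESS_LDAP_WMI)
            return 0 ;;
        *)
            echo "status=$status ldap=$(ad_result_field "$1" ldap_status)" \
                 "wmi=$(ad_result_field "$1" wmi_status)" \
                 "err=$(ad_result_field "$1" err_msg)" >&2
            return 1 ;;
    esac
}

# Exit 0 when ":timestamp" is at most <max_age> seconds old, 1 when it is
# older (a stale file from an earlier run), 2 when it cannot be parsed.
ad_result_is_fresh() {
    # usage: ad_result_is_fresh <file> <max_age_seconds>
    ts=$(ad_result_field "$1" timestamp)
    [ -n "$ts" ] || return 2
    stamp=$(LC_ALL=C date -d "$ts" +%s 2>/dev/null) || return 2
    now=$(date +%s)
    age=$((now - stamp))
    if [ "$age" -ge 0 ] && [ "$age" -le "$2" ]; then return 0; else return 1; fi
}

# Constructed sample: the result file from the guide's example run, written
# to a temporary file; prints the file name.
ad_sample_result() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
(
:status (SUCCESS_LDAP_WMI)
:err_msg ("WMI_SUCCESS;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (WMI_SUCCESS)
:timestamp ("Mon Feb 26 10:17:41 2018")
)
EOF
    echo "$f"
}
```

Typical use right after a run: `f="$FWDIR/tmp/test.txt"; ad_result_is_fresh "$f" 300 && ad_result_check "$f"`. With the guide's 2018 sample, the freshness check fails even though the status is a success, which is exactly the stale-output case the Note warns about.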

VPN Commands

VPN commands generate status information regarding VPN processes, or are used to stop and start specific VPN services.
All VPN commands are executed on the Security Gateway and Cluster Members.
For more information about VPN, see the:
- R80.40 Site to Site VPN Administration Guide.
- R80.40 Remote Access VPN Administration Guide.

CLI R80.40 Reference Guide      |      1571


vpn

vpn
Description
Configures VPN settings.
Shows VPN information.

CLI R80.40 Reference Guide      |      1572


vpn

Syntax

vpn
      check_ttm
      compreset
      compstat
      crl_zap
      crlview
      debug
      dll
      drv
      dump_psk
      ipafile_check
      ipafile_users_capacity
      macutil
      mep_refresh
      neo_proto
      nssm_topology
      overlap_encdom
      rim_cleanup
      rll
      set_slim_server
      set_snx_encdom_groups
      set_trac
      shell
      show_tcpt
      sw_topology
{tunnelutil | tu}
      ver

Parameters

Parameter               Description

check_ttm               Makes sure the specified TTM file is valid.
                        See "vpn check_ttm" on page 1576.

compreset               Resets compression and decompression statistics counters.
                        See "vpn compreset" on page 1577.

compstat                Shows compression and decompression statistics counters.
                        See "vpn compstat" on page 1578.

crl_zap                 Erases all Certificate Revocation Lists (CRLs) from the cache.
                        See "vpn crl_zap" on page 1579.

crlview                 Retrieves the Certificate Revocation List (CRL) from various distribution
                        points and shows it to the user.
                        See "vpn crlview" on page 1580.

debug                   Controls the debug of the vpnd daemon and IKE.
                        See "vpn debug" on page 1582.

dll                     Works with the DNS Lookup Layer.
                        See "vpn dll" on page 1586.

drv                     Controls the VPN kernel module.
                        See "vpn drv" on page 1587.

dump_psk                Shows the hash (SHA256) of peers' pre-shared keys.
                        See "vpn dump_psk" on page 1588.

ipafile_check           Verifies a candidate for the $FWDIR/conf/ipassignment.conf file.
                        See "vpn ipafile_check" on page 1589.

ipafile_users_capacity  Shows and configures the capacity in the
                        $FWDIR/conf/ipassignment.conf file.
                        See "vpn ipafile_users_capacity" on page 1590.

macutil                 Shows a generated MAC address for each user name when you use Remote
                        Access VPN with Office Mode.
                        See "vpn macutil" on page 1591.

mep_refresh             Initiates MEP re-decision.
                        See "vpn mep_refresh" on page 1592.

neo_proto               Controls the NEO client protocol.
                        See "vpn neo_proto" on page 1593.

nssm_topology           Generates and uploads a topology in NSSM format to an NSSM server.
                        See "vpn nssm_topology" on page 1594.

overlap_encdom          Shows all overlapping VPN domains.
                        See "vpn overlap_encdom" on page 1595.

rim_cleanup             Cleans RIM routes.
                        See "vpn rim_cleanup" on page 1596.

rll                     Works with the Route Lookup Layer.
                        See "vpn rll" on page 1597.

set_slim_server         Deprecated.
                        See "vpn set_slim_server" on page 1598.

set_snx_encdom_groups   Controls the encryption domain per usergroup feature for SSL Network
                        Extender.
                        See "vpn set_snx_encdom_groups" on page 1599.

set_trac                Controls the TRAC server.
                        See "vpn set_trac" on page 1600.

shell                   VPN Command Line Interface.
                        See "vpn shell" on page 1601.

show_tcpt               Shows Visitor Mode users.
                        See "vpn show_tcpt" on page 1608.

sw_topology             Downloads the topology for a UTM-1 Edge or Safe@Office device.
                        Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
                        information about this command is provided only to describe the existing
                        syntax option until it is removed completely.
                        See "vpn sw_topology" on page 1609.

tunnelutil | tu         Launches the TunnelUtil tool, which is used to control VPN tunnels.
                        See "vpn tu" on page 1610.

ver                     Shows the major version number and build number of the VPN kernel module.
                        See "vpn ver" on page 1620.

vpn check_ttm
Description
Makes sure the specified TTM file contains valid syntax.

Syntax

vpn check_ttm <Path to TTM file>

Parameters

Parameter            Description

<Path to TTM file>   Specifies the full path and name of the TTM file.

Example

[Expert@MyGW:0]# find / -name \*.ttm -type f
find: /proc/64899: No such file or directory
/var/opt/CPsuite-R80.40/fw1/conf/fw_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/nemo_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/neo_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/iphone_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/topology_trans_tmpl.ttm
/var/opt/CPsuite-R80.40/fw1/conf/vpn_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/trac_client_1.ttm
... ... ...
[Expert@MyGW:0]#
[Expert@MyGW:0]# vpn check_ttm /var/opt/CPsuite-R80.40/fw1/conf/trac_client_1.ttm

Summary for the file: trac_client_1.ttm
result: the file passed the check without any problems

[Expert@MyGW:0]#

vpn compreset
Description
Resets compression and decompression statistics counters.

Syntax

vpn compreset

Example

[Expert@MyGW:0]# vpn compreset
Compression statistics were reset.
[Expert@MyGW:0]#

vpn compstat
Description
Shows compression and decompression statistics counters.

Syntax

vpn compstat

Example

[Expert@MyGW:0]# vpn compstat

Compression: sum of all instances :

Compression:
============
Bytes before compression : 0
Bytes after compression : 0
Compression overhead (bytes) : 0
Bytes that were not compressed : 0
Compressed packets : 0
Packets that were not compressed : 0
Compression errors : 0

Pure compression ratio : 0.000000
Effective compression ratio : 0.000000

Decompression:
==============
Bytes before decompression : 0
Bytes after decompression : 0
Decompression overhead (bytes) : 0
Decompressed packets : 0
Decompression errors : 0
Pure decompression ratio : 0.000000
[Expert@MyGW:0]#

vpn crl_zap
Description
Erases all Certificate Revocation Lists (CRLs) from the cache.

Syntax

vpn crl_zap

Return Values
- 0 (zero) for success
- any other value for failure

vpn crlview
Description
Retrieves the Certificate Revocation List (CRL) from various distribution points and shows it for the user.

Syntax

vpn crlview [-d]
      -obj <Network Object Name> -cert <Certificate Object Name>
      -f <Certificate File>
      -view

Parameters

Parameter                          Description

-d                                 Runs the command in debug mode.
                                   Use only if you troubleshoot the command itself.
                                   Best Practice - If you use this parameter, then redirect the
                                   output to a file, or use the script command to save the entire
                                   CLI session.

-obj <Network Object Name>         Specifies the name of the CA network object.

-cert <Certificate Object Name>    Specifies the name of the certificate object.

-f <Certificate File>              Specifies the path and the name of the certificate file.

-view                              Shows the CRL.

Return Values
- 0 (zero) for success
- any other value for failure

Example 1
vpn crlview -obj <MyCA> -cert <MyCert>

1. The VPN daemon contacts the Certificate Authority called MyCA and locates the certificate called
MyCert.
2. The VPN daemon extracts the certificate distribution point from the certificate.
3. The VPN daemon goes to the distribution point and retrieves the CRL. The distribution point can be
an LDAP or HTTP server.
4. The VPN daemon shows it to the standard output.

Example 2
vpn crlview -f /var/log/MyCert

1. The VPN daemon extracts the certificate distribution point from the certificate file called MyCert.
2. The VPN daemon goes to the distribution point and retrieves the CRL. The distribution point can be
an LDAP or HTTP server.
3. The VPN daemon shows the CRL to the standard output.

Example 3
vpn crlview -view <Latest CRL>

If the CRL was retrieved in the past, this command instructs the VPN daemon to show the contents to the
standard output.

vpn debug
Description
Instructs the VPN daemon vpnd to write debug messages to the $FWDIR/log/vpnd.elg* and
$FWDIR/log/ike.elg* log files.
Debugging of the VPN daemon takes place according to Debug Topics and Debug Levels:
- A Debug Topic is a specific area on which to perform debugging. For example, if the Debug Topic is
  LDAP, all traffic between the VPN daemon and the LDAP server is written to the log file.
  We recommend that you debug all available topics (use TDERROR_ALL_ALL).
  Check Point Support provides the specific Debug Topics when needed.
- Debug Levels range from 1 (least informative) to 5 (most informative - write all debug messages).
For more information, see sk89940: How to debug VPND daemon.

Syntax

vpn debug
      on [<Debug_Topic>=<Debug_Level>]
      off
      ikeon [-s <Size_in_MB>]
      ikeoff
      trunc [<Debug_Topic>=<Debug_Level>]
      truncon [<Debug_Topic>=<Debug_Level>]
      truncoff
      timeon [<Seconds>]
      timeoff
      ikefail [-s <Size_in_MB>]
      mon
      moff
      say ["String"]
      tunnel [<Level>]

Parameters

Parameter                    Description

No Parameters                Shows the built-in usage.

on                           Turns on high level VPN debug.
                             Information is written in the $FWDIR/log/vpnd.elg* files.

<Debug_Topic>=<Debug_Level>  Specifies the Debug Topic and the Debug Level.
                             Check Point Support provides these.
                             Best Practice - Run this command to start the debug:
                             vpn debug trunc ALL=5

off                          Turns off all VPN debug.
                             Best Practice - Run one of these commands to stop the VPND debug:
                             vpn debug off
                             vpn debug truncoff

ikeon [-s <Size_in_MB>]      Turns on the IKE debug.
                             Information is written in the $FWDIR/log/ike.elg* files.
                             You can specify the size of the $FWDIR/log/ike.elg file at which to
                             perform the log rotation (close the current active file, rename it,
                             open a new active file).

ikeoff                       Turns off the IKE debug.
                             Run this command to stop the IKE debug:
                             vpn debug ikeoff

trunc                        This command:
or                           1. Rotates the $FWDIR/log/vpnd.elg file
truncon                      2. Truncates the $FWDIR/log/ike.elg file
                             3. Starts the VPND daemon debug
                             4. Starts the IKE debug
                             Run this command to start the debug:
                             vpn debug trunc ALL=5

truncoff                     Stops the VPND daemon debug.
                             Run one of these commands to stop the VPND debug:
                             vpn debug truncoff
                             vpn debug off

timeon [<Seconds>]           Enables the timestamp in the log files.
                             Prints one timestamp after the specified number of seconds.
                             By default, prints the timestamp every 10 seconds.

timeoff                      Disables the periodic timestamp in the log files.

ikefail [-s <Size_in_MB>]    Logs failed IKE negotiations.
                             You can specify the size of the $FWDIR/log/ike.elg file at which to
                             perform the log rotation (close the current active file, rename it,
                             open a new active file).

mon                          Enables the IKE Monitor.
                             Saves the IKE packets in the $FWDIR/log/ikemonitor.snoop file.
                             Warning - The output file may contain user X-Auth passwords. Make
                             sure the file is protected.

moff                         Disables the IKE Monitor.

say "String"                 Saves the specified text string in the $FWDIR/log/vpnd.elg file.
                             For example, run: vpn debug say "BEGIN TEST"
                             Notes:
                             - Run this command after you start the VPN debug (with one of
                               these commands: "vpn debug on", "vpn debug trunc",
                               or "vpn debug truncon").
                             - The length of the string is limited to 255 characters.

tunnel [<Debug_Level>]       This command:
                             1. Rotates the $FWDIR/log/vpnd.elg file
                             2. Truncates the $FWDIR/log/ike.elg file
                             3. Starts the VPND daemon debug with these two Debug Topics:
                                tunnel
                                ikev2
                                If the <Debug_Level> is 2, 3, 4 or 5, then also enables this
                                Debug Topic:
                                CRLCache
                             4. Starts the IKE debug

Return Values
- 0 (zero) for success
- any other value for failure (typically, -1 or 1)

vpn dll
Description
Works with the VPN DNS Lookup Layer:
- Saves the DNS Lookup Layer information to the specified file.
- Resolves the specified hostname.

Syntax

vpn dll
      dump <File>
      resolve <HostName>

Parameters

Parameter           Description

dump <File>         Saves the DNS Lookup Layer information (DNS Names and IP Addresses) to
                    the specified file.

resolve <HostName>  Resolves the specified hostname.
                    The command saves the last specified hostname in this file:
                    $FWDIR/tmp/vpnd_cmd.tmp

vpn drv
Description
Controls the VPN kernel module.

Syntax

vpn drv {off | on | stat}

Parameters

Parameter   Description

off         Stops the VPN kernel module.

on          Starts the VPN kernel module.

stat        Shows the current status of the VPN kernel module.

Example

[Expert@MyGW:0]# vpn drv stat
VPN-1 module active
[Expert@MyGW:0]#

vpn dump_psk
Description
Shows hash (SHA256) of peers' pre-shared-keys.

Syntax

vpn dump_psk

vpn ipafile_check
Description
Verifies a candidate for the $FWDIR/conf/ipassignment.conf file.

Syntax

vpn ipafile_check <File> [{err | warn | detail}] [verify_group_names]

Parameters

Parameter              Description

<File>                 Specifies the full path and name of the candidate file.

{err | warn | detail}  Specifies how much information to show about the candidate file:
                       - err - Only errors
                       - warn - Only warnings
                       - detail - All details

verify_group_names     Examines the group names.

vpn ipafile_users_capacity
Description
- Shows the current capacity in the $FWDIR/conf/ipassignment.conf file.
- Configures the new capacity in the $FWDIR/conf/ipassignment.conf file.

Syntax

vpn ipafile_users_capacity get

vpn ipafile_users_capacity set <128-32768>

Parameters

Parameter        Description

get              Shows the current capacity.

set <128-32768>  Configures the new capacity to the specified number of users.
                 Notes:
                 - The default is 1024 entries.
                 - This command configures the amount of memory reserved to store usernames.

Example

[Expert@MyGW:0]# vpn ipafile_users_capacity get
The gateway can currently read 1024 users from the ipassignment.conf file
[Expert@MyGW:0]#

vpn macutil
Description
Shows a generated MAC address for each user name when you use Remote Access VPN with Office
Mode.
This command is applicable only when allocating IP addresses through DHCP.
Remote Access VPN users in Office Mode receive an IP address, which is mapped to a hardware or MAC
address.

Syntax

vpn macutil <username>

Example
# vpn macutil John
20-0C-EB-26-80-7D, "John"

vpn mep_refresh
Description
Initiates MEP re-decision.
Used in "backup stickiness" configuration to initiate MEP re-decision (fail back to primary Security
Gateway, if possible).

Syntax

vpn mep_refresh

vpn neo_proto
Description
Controls the NEO client protocol.

Important - This command is for Check Point use only.

Syntax

vpn neo_proto {off | on}

Parameters

Parameter   Description

off         Disables the NEO client protocol.

on          Enables the NEO client protocol.

vpn nssm_topology
Description
Generates and uploads a topology in NSSM format to an NSSM server.

Syntax

vpn nssm_topology -url <"url"> -dn <"dn"> -name <"name"> -pass <"password">
      [-action {bypass | drop}] [-print_xml]

Parameters

Parameter                 Description

-url <"url">              URL of the NSSM server.

-dn <"dn">                Distinguished Name of the NSSM server (needed to establish an SSL
                          connection).

-name <"name">            Valid login name for the NSSM server.

-pass <"password">        Valid password for the NSSM server.

-action {bypass | drop}   Specifies the action that the Symbian client should take, if the packet
                          is not destined for an IP address in the VPN domain.
                          Bypass is the default.

-print_xml                Writes the topology to a file in XML format.

vpn overlap_encdom
Description
Shows all overlapping VPN domains.
Some IP addresses might belong to two or more VPN domains.
The command alerts for overlapping encryption domains if one or both of the following conditions exist:
- The same VPN domain is defined for both Security Gateways.
- The Security Gateway has multiple interfaces, and one or more of the interfaces has the same IP
  address and netmask.

Syntax

vpn overlap_encdom [communities | traditional]

Parameters

Parameter     Description

communities   Shows all pairs of objects with overlapping VPN domains, only if the objects (that
              represent VPN sites) are included in the same VPN community.
              This parameter is also used if the same destination IP can be reached through more
              than one VPN community.

traditional   Default parameter.
              Shows all pairs of objects with overlapping VPN domains.

Example

# vpn overlap_encdom communities

The objects Paris and London have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
10.10.8.0 - 10.10.9.255
- This overlapping encryption domain generates a multiple entry points configuration in MyIntranet and
RemoteAccess communities.
- Same destination address can be reached in more than one community (Meshed, Star). This configuration is
not supported.

The objects Paris and Chicago have overlapping encryption domains. The overlapping domain is:
10.8.8.1 - 10.8.8.1
- Same destination address can be reached in more than one community (MyIntranet, NewStar). This
configuration is not supported.

The objects Washington and Tokyo have overlapping encryption domains.
The overlapping domain is:
10.12.10.68 - 10.12.10.68
10.12.12.0 - 10.12.12.127
10.12.14.0 - 10.12.14.255
- This overlapping encryption domain generates a multiple entry points configuration in Meshed, Star and
NewStar communities.
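The check that vpn overlap_encdom performs, as an added example that is not Check Point code: each Security Gateway's VPN domain is given as a list of networks, the ranges are merged, and every pair of gateways whose domains share addresses is reported in the same "first - last" form as the output above. The gateway names and networks below are constructed sample data (chosen so that Paris/London and Paris/Chicago overlap as the command reported), and the domains are assumed to be IPv4 only.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: VPN (encryption) domain per Security Gateway object.
# The names mirror the output above; the networks are made up so that the
# Paris/London and Paris/Chicago overlaps match what the command printed.
SAMPLE_DOMAINS = {
    "Paris":   ["10.8.8.0/24", "10.10.8.0/22", "10.1.0.0/16"],
    "London":  ["10.8.8.1/32", "10.10.8.0/23", "10.2.0.0/16"],
    "Chicago": ["10.8.8.1/32", "10.3.0.0/16"],
}


def to_ranges(networks):
    """Turn CIDRs and 'first - last' strings into a sorted, merged list of (first, last) ints."""
    spans = []
    for item in networks:
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            spans.append((int(lo), int(hi)))
        else:
            net = ipaddress.ip_network(item, strict=False)
            spans.append((int(net.network_address), int(net.broadcast_address)))
    spans.sort()
    merged = []
    for lo, hi in spans:
        # Merge adjacent or overlapping spans so each domain is a disjoint range list.
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def intersect(a, b):
    """Intersect two merged range lists with a two-pointer sweep."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        lo, hi = max(a[i][0], b[j][0]), min(a[i][1], b[j][1])
        if lo <= hi:
            out.append((lo, hi))
        # Advance whichever span ends first.
        if a[i][1] < b[j][1]:
            i += 1
        else:
            j += 1
    return out


def fmt_range(span):
    """Render a span the way vpn overlap_encdom prints it: 'first - last'."""
    return f"{ipaddress.ip_address(span[0])} - {ipaddress.ip_address(span[1])}"


def find_overlaps(domains):
    """Return {(gw1, gw2): ['first - last', ...]} for every pair of gateways whose
    VPN domains share at least one address. An empty dict means no overlap."""
    merged = {gw: to_ranges(nets) for gw, nets in domains.items()}
    overlaps = {}
    for g1, g2 in combinations(merged, 2):
        common = intersect(merged[g1], merged[g2])
        if common:
            overlaps[(g1, g2)] = [fmt_range(s) for s in common]
    return overlaps


def report(domains):
    """Print a report in the style of the command output."""
    for (g1, g2), ranges in find_overlaps(domains).items():
        print(f"The objects {g1} and {g2} have overlapping encryption domains.")
        print("The overlapping domain is:")
        for r in ranges:
            print(r)
        print()


if __name__ == "__main__":
    report(SAMPLE_DOMAINS)
```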

vpn rim_cleanup
Description
Cleans RIM routes.

Syntax

vpn rim_cleanup

vpn rll
Description
Controls the VPN Route Lookup Layer:
- Saves the Route Lookup Layer information to the specified file.
- Synchronizes the routing table.

Syntax

vpn rll
      dump <File>
      sync

Parameters

Parameter    Description

dump <File>  Saves the Route Lookup Layer information to the specified file:
             - ISP Redundancy Default Routes (Next Hop, Interface, Metric)
             - Route Shadow (Interface and Metric, IP/Mask, Next Hop)
             - Monitored IP Addresses (Data, IP/Mask)

sync         Synchronizes the routing table.

vpn set_slim_server
Description
This command is deprecated.
Delete the $FWDIR/conf/slim.conf file and use the Management Server to configure SSL Network
Extender.
As long as the $FWDIR/conf/slim.conf file exists, it overrides the settings you configure on the
Management Server.

vpn set_snx_encdom_groups
Description
Controls the encryption domain per usergroup feature for SSL Network Extender.

Syntax

vpn set_snx_encdom_groups
      off
      on

Parameters

Parameter   Description

off         Disables the encryption domain per usergroup feature.

on          Enables the encryption domain per usergroup feature.

vpn set_trac
Description
Controls the TRAC server.

Syntax

vpn set_trac
      disable
      enable

Parameters

Parameter   Description

disable     Disables the TRAC server.

enable      Enables the TRAC server.

Example

[Expert@MyGW:0]# vpn set_trac enable
Trac client enabled, Install Policy for this change to take effect
[Expert@MyGW:0]#

[Expert@MyGW:0]# vpn set_trac disable
Trac client disabled, Install Policy for this change to take effect
[Expert@MyGW:0]#

vpn shell
Description
VPN Command Line Interface.

Syntax for IPv4

vpn shell

Syntax for IPv6

vpn6 shell

Menu Options

[Expert@MyGW:0]# vpn shell

? - This help
.. - Go up one level
quit - Quit
[interface ] - Manipulate tunnel interfaces
[show ] - Show internal data
[tunnels ] - Manipulate tunnel data
[license ] - Display SCM licenses
VPN shell:[/] >

Menu Sub-Options

interface
    add
    modify
    delete
    show
show
    interface
    tunnels
        IKE
            all
            peer <Internal Peer IP>
        IPsec
            all
            peer <Internal Peer IP>
tunnels
    show
        IKE
            all
            peer <Internal Peer IP>
        IPsec
            all
            peer <Internal Peer IP>
    delete
        IKE
            peer <Security Gateway>
            user <Username>
            all
        IPsec
            peer <Security Gateway>
            user <Username>
            all
        all
            IKE
            IPsec
license
    scm
        status
        list

Description of Options and Sub-Options

Option     Description

?          Shows the available advanced commands in the current menu level.

..         Goes up one level in the menu.

quit       Quits the VPN shell (available only in the main level).

interface  These commands are deprecated on Gaia OS.
           Use the applicable options in Gaia Portal or the applicable commands in Gaia Clish.
           See the R80.40 Gaia Administration Guide.

show       Shows internal data.
           The available options are:
           - Show and configure tunnel interfaces:
             show > interface
             These commands are deprecated on Gaia OS.
             Use the applicable options in Gaia Portal or the applicable commands in Gaia Clish.
             See the R80.40 Gaia Administration Guide.
           - Show Security Associations (SAs):
             show > tunnels
             The available sub-options are:
             - Show all IKE SAs:
               show > tunnels > IKE > all
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (1) List all IKE SAs.
               - The "vpn tu [-w] list ike" command (see "vpn tu list" on page 1615).
             - Show all IKE SAs for a specified VPN peer:
               show > tunnels > IKE > peer <Internal Peer IP>
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (3) List all IKE SAs for
                 a given peer (GW).
               - The "vpn tu [-w] list peer_ike <IP Address>" command (see "vpn tu list"
                 on page 1615).
             - Show all IPsec SAs:
               show > tunnels > IPsec > all
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (2) List all IPsec SAs.
               - The "vpn tu [-w] list ipsec" command (see "vpn tu list" on page 1615).
             - Show all IPsec SAs for a specified VPN peer:
               show > tunnels > IPsec > peer <Internal Peer IP>
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (4) List all IPsec SAs for
                 a given peer (GW).
               - The "vpn tu [-w] list peer_ipsec <IP Address>" command (see "vpn tu list"
                 on page 1615).

tunnels    Shows and deletes Security Associations (SAs).
           The available options are:
           - Show Security Associations (SAs):
             tunnels > show
             The available sub-options are:
             - Show all IKE SAs:
               tunnels > show > IKE > all
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (1) List all IKE SAs.
               - The "vpn tu [-w] list ike" command (see "vpn tu list" on page 1615).
             - Show all IKE SAs for a specified VPN peer:
               tunnels > show > IKE > peer <Internal Peer IP>
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (3) List all IKE SAs for
                 a given peer (GW).
               - The "vpn tu [-w] list peer_ike <IP Address>" command (see "vpn tu list"
                 on page 1615).
             - Show all IPsec SAs:
               tunnels > show > IPsec > all
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (2) List all IPsec SAs.
               - The "vpn tu [-w] list ipsec" command (see "vpn tu list" on page 1615).
             - Show all IPsec SAs for a specified VPN peer:
               tunnels > show > IPsec > peer <Internal Peer IP>
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (4) List all IPsec SAs for
                 a given peer (GW).
               - The "vpn tu [-w] list peer_ipsec <IP Address>" command (see "vpn tu list"
                 on page 1615).
           - Delete Security Associations (SAs):
             tunnels > delete
             The available sub-options are:
             - Delete all IKE SAs for a specified VPN peer:
               tunnels > delete > IKE > peer <Internal Peer IP>
             - Delete all IKE SAs for a specified user:
               tunnels > delete > IKE > user <Username>
             - Delete all IKE SAs for all VPN peers and users:
               tunnels > delete > IKE > all
               tunnels > delete > all > IKE
             - Delete all IPsec SAs for a specified VPN peer:
               tunnels > delete > IPsec > peer <Internal Peer IP>
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (5) Delete all IPsec SAs
                 for a given peer (GW).
               - The "vpn tu [-w] del ipsec <IP Address>" command (see "vpn tu del" on
                 page 1612).
             - Delete all IPsec SAs for a specified user:
               tunnels > delete > IPsec > user <Username>
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (6) Delete all IPsec SAs
                 for a given User (Client).
               - The "vpn tu [-w] del ipsec <IP Address> <Username>" command (see "vpn tu del"
                 on page 1612).
             - Delete all IPsec SAs for all VPN peers and users:
               tunnels > delete > IPsec > all
               tunnels > delete > all > IPsec
               Note - This sub-option is the same as:
               - In the main "vpn tu" on page 1610 menu, the option (9) Delete all IPsec SAs
                 for ALL peers and users.
               - The "vpn tu [-w] del ipsec all" command (see "vpn tu del" on page 1612).

license    Shows the SecureClient Mobile (SCM) licenses.
           The available sub-options are:
           - Show the current status of SCM licenses:
             license > scm > status
           - Show the list of SCM licensed devices:
             license > scm > list

vpn show_tcpt
Description
Shows users connected in Visitor Mode.

Syntax

vpn show_tcpt

vpn sw_topology
Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax option
until it is removed completely.

Description
Downloads the topology for a UTM-1 Edge or Safe@Office device.

Syntax

vpn [-d] sw_topology -dir <directory> -name <name> -profile <profile>
      [-filename <filename>]

Parameters

Parameter              Description

-d                     Runs the command in debug mode.
                       Use only if you troubleshoot the command itself.
                       Best Practice - If you use this parameter, then redirect the output to a
                       file, or use the script command to save the entire CLI session.

-dir <directory>       Output directory for the file.

-name <name>           Nickname of the site, which appears in the remote client.

-profile <profile>     Name of the UTM-1 Edge or Safe@Office profile for which the topology is
                       created.

-filename <filename>   Name of the output file.

vpn tu
Description
Launches the TunnelUtil tool, which is used to control VPN tunnels.

General Syntax

vpn tu

vpn tunnelutil

Menu Options

[Expert@MyGW:0]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW)
(4) * List all IPsec SAs for a given peer (GW)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers
(0) Delete all IPsec+IKE SAs for ALL peers

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

(Q) Quit

*******************************************

Note - When you view Security Associations for a specific VPN peer, you must specify
the IP address in dotted decimal notation.

Advanced Syntax

vpn tu
      help
      del <options>
      list <options>
      mstats
      tlist <options>

Parameters

Parameter        Description

help             Shows the available advanced commands.

del <options>    Deletes IPsec and IKE SAs.
                 See "vpn tu del" on page 1612.

list <options>   Shows IPsec and IKE SAs.
                 See "vpn tu list" on page 1615.

mstats           Shows distribution of VPN tunnels (SPIs) between CoreXL Firewall instances.
                 See "vpn tu mstats" on page 1617.

tlist <options>  Shows information about VPN tunnels.
                 See "vpn tu tlist" on page 1618.

vpn tu del

Description
Deletes IPsec Security Associations (SAs) and IKE Security Associations (SAs).

Syntax for IPv4

vpn tu [-w] del
      all
      ipsec
            all
            <IPv4 Address>
            <IPv4 Address> <Username>
      <IPv4 Address>
      <IPv4 Address> <Username>

Syntax for IPv6

vpn tu [-w] del
      all
      ipsec
            all
            <IPv6 Address>
      <IPv6 Address>
      <IPv6 Address> <Username>

Parameters

Parameter                Description

-w                       Shows various warnings on the screen.

all                      Deletes all IPsec SAs and IKE SAs for all VPN peers and users.
                         Note - This command is the same as:
                         - In the main "vpn tu" on page 1610 menu, the option (0) Delete all
                           IPsec+IKE SAs for ALL peers and users.
                         - In the "vpn shell" on page 1601 menu, the option tunnels > delete >
                           all > IKE and the option tunnels > delete > all > IPsec.

ipsec <options>          Deletes the specified IPsec SAs.
                         The available <options> are:
                         - Delete all IPsec SAs for all peers and users:
                           vpn tu [-w] del ipsec all
                           Note - This command is the same as:
                           - In the main "vpn tu" on page 1610 menu, the option (9) Delete all
                             IPsec SAs for ALL peers and users.
                           - In the "vpn shell" on page 1601 menu, the option tunnels > delete >
                             all > IPsec.
                         - Delete all IPsec SAs for the specified VPN peer:
                           vpn tu [-w] del ipsec <IP Address>
                           Note - This command is the same as:
                           - In the main "vpn tu" on page 1610 menu, the option (5) Delete all
                             IPsec SAs for a given peer (GW).
                           - In the "vpn shell" on page 1601 menu, the option tunnels > delete >
                             IPsec > peer <Internal Peer IP>.
                         - Delete all IPsec SAs for the specified VPN peer and the specified user:
                           vpn tu [-w] del ipsec <IPv4 Address> <Username>
                           Notes:
                           - This command is the same as:
                             - In the main "vpn tu" on page 1610 menu, the option (6) Delete all
                               IPsec SAs for a given User (Client).
                             - In the "vpn shell" on page 1601 menu, the option tunnels > delete >
                               IPsec > user <Username>.
                           - This command does not support IPv6 addresses.

<IP Address>             Deletes all IPsec SAs and IKE SAs for the specified VPN peer.
                         Note - This command is the same as the option (7) Delete all IPsec+IKE
                         SAs for a given peer (GW) in the main "vpn tu" on page 1610 menu.

<IP Address> <Username>  Deletes all IPsec SAs and IKE SAs for the specified VPN peer and the
                         specified user.
                         Note - This command is the same as the option (8) Delete all IPsec+IKE
                         SAs for a given User (Client) in the main "vpn tu" on page 1610 menu.

vpn tu list

Description
Shows IPsec SAs and IKE SAs.

Syntax for IPv4 and IPv6

vpn tu [-w] list
      ike
      ipsec
      peer_ike <IP Address>
      peer_ipsec <IP Address>
      tunnels

Parameters

Parameter                Description

-w                       Shows various warnings on the screen.

ike                      Shows all IKE SAs.
                         Note - This command is the same as:
                         - In the main "vpn tu" on page 1610 menu, the option (1) List all IKE SAs.
                         - In the "vpn shell" on page 1601 menu, the option show > tunnels > IKE >
                           all or the option tunnels > show > IKE > all.

ipsec                    Shows all IPsec SAs.
                         Note - This command is the same as:
                         - In the main "vpn tu" on page 1610 menu, the option (2) List all IPsec SAs.
                         - In the "vpn shell" on page 1601 menu, the option show > tunnels > IPsec >
                           all or the option tunnels > show > IPsec > all.

peer_ike <IP Address>    Shows all IKE SAs for the specified VPN peer.
                         Note - This command is the same as:
                         - In the main "vpn tu" on page 1610 menu, the option (3) List all IKE SAs
                           for a given peer (GW).
                         - In the "vpn shell" on page 1601 menu, the option show > tunnels > IKE >
                           peer <Internal Peer IP> or the option tunnels > show > IKE > peer
                           <Internal Peer IP>.

peer_ipsec <IP Address>  Shows all IPsec SAs for the specified VPN peer.
                         Note - This command is the same as:
                         - In the main "vpn tu" on page 1610 menu, the option (4) List all IPsec SAs
                           for a given peer (GW).
                         - In the "vpn shell" on page 1601 menu, the option show > tunnels > IPsec >
                           peer <Internal Peer IP> or the option tunnels > show > IPsec > peer
                           <Internal Peer IP>.

tunnels                  Shows information about VPN tunnels.
                         In addition, see the "vpn tu tlist" on page 1618 command.

vpn tu mstats

Description
Shows the distribution of VPN traffic between CoreXL Firewall instances.
For more information, see sk118097 - MultiCore Support for IPsec VPN in R80.10 and above.

Syntax for IPv4

vpn tu [-w] mstats

Syntax for IPv6

vpn6 tu [-w] mstats

Parameters

Item   Description

-w     Shows various warnings on the screen.

Example for IPv4

[Expert@MyGW:0]# vpn tu mstats

Instance#    # of inSPIs    # of outSPIs
0            182            170
1            184            176
2            191            174
3            215            197
4            237            227
5            191            176
6            180            170
7            190            166
8            171            160
9            199            187
-----------------------------------------
Summary:     1940           1803

[Expert@MyGW:0]#

Example for IPv6

[Expert@MyGW:0]# vpn6 tu mstats

Instance# # of inSPIs # of outSPIs


0 238 228
1 224 214
-----------------------------------------
Summary: 462 442

[Expert@MyGW:0]#
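The per-instance layout above can be checked automatically. The following shell function is an added example, not part of the Check Point guide: it reads vpn tu mstats output from stdin, recomputes the totals against the Summary row, and flags any CoreXL Firewall instance whose inbound-SPI count deviates from the mean by more than a threshold. The 25% threshold (MAX_DEV_PCT) and the embedded sample are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: parse "vpn tu mstats"
# output (read from stdin) and report how evenly IPsec SAs are spread
# across the CoreXL Firewall instances.
# MAX_DEV_PCT is a constructed threshold: the allowed deviation, in percent,
# of an instance's inbound-SPI count from the mean over all instances.
MAX_DEV_PCT="${MAX_DEV_PCT:-25}"

# mstats_balance: prints one line per instance and a totals line.
# Exit status: 0 = every instance within the threshold, 1 = at least one
# instance outside it, 2 = no instance rows found in the input.
mstats_balance() {
    awk -v maxdev="$MAX_DEV_PCT" '
        BEGIN { n = 0; sum_in = 0; sum_out = 0 }
        # Data rows: "<instance#> <inSPIs> <outSPIs>"
        /^[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]*$/ {
            order[n] = $1; inspi[$1] = $2; outspi[$1] = $3; n++
            sum_in += $2; sum_out += $3
            next
        }
        # "Summary: <inSPIs> <outSPIs>" lets us cross-check our own sums.
        /^Summary:/ { rep_in = $2; rep_out = $3 }
        END {
            if (n == 0) { print "no instance rows found"; exit 2 }
            if (rep_in != "" && (rep_in != sum_in || rep_out != sum_out))
                printf "WARNING: parsed totals %d/%d differ from Summary %d/%d\n",
                       sum_in, sum_out, rep_in, rep_out
            rc = 0
            mean = sum_in / n
            for (k = 0; k < n; k++) {
                i = order[k]
                dev = (mean > 0) ? (inspi[i] - mean) / mean * 100 : 0
                flag = ""
                if (dev > maxdev || dev < -maxdev) { flag = "  <-- outside threshold"; rc = 1 }
                printf "instance %s: in=%d out=%d (%+.1f%% vs mean %.1f)%s\n",
                       i, inspi[i], outspi[i], dev, mean, flag
            }
            printf "instances=%d total_in=%d total_out=%d threshold=%d%%\n",
                   n, sum_in, sum_out, maxdev
            exit rc
        }'
}

# Constructed sample in the layout the guide shows (not real gateway output).
SAMPLE_MSTATS='Instance# # of inSPIs # of outSPIs
0 182 170
1 184 176
2 191 174
3 215 197
4 237 227
5 191 176
6 180 170
7 190 166
8 171 160
9 199 187
-----------------------------------------
Summary: 1940 1803'

# Stand-alone run on the sample; on a gateway use:  vpn tu mstats | mstats_balance
printf '%s\n' "$SAMPLE_MSTATS" | mstats_balance
```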

vpn tu tlist

Description
Shows information about VPN tunnels.

Syntax for IPv4

vpn tu [-w] tlist
      {-h | -help}
      [clear]
      [start]
      [state]
      [stop]
      [<Sort Options>]

Syntax for IPv6

vpn6 tu [-w] tlist
      {-h | -help}
      [clear]
      [start]
      [state]
      [stop]
      [<Sort Options>]

Parameters

Parameter Description

-w Shows various warnings on the screen.

-h | -help  Shows the built-in usage.

clear Clears the Tunnel List volume statistics.

start Turns on the Tunnel List volume statistics.

state Shows the current Tunnel List volume statistics state.

stop Turns off the Tunnel List volume statistics.

<Sort Options>  The available sort options are:
- -b - Sorts by total (encrypted + decrypted) bytes.
- -d - Sorts by inbound (decrypted) bytes.
- -e - Sorts by outbound (encrypted) bytes.
- -i - Combines list rows for each CoreXL Firewall instance with accumulated traffic. Default order is descending by total bytes.
- -m - Sorts by MSPI.
- -n - Sorts by VPN peer name.
- -p <IP Address> - Shows tunnels only for a VPN peer with the specified IP address.
- -r - Sorts in reverse order.
- -s - Sorts by SPI.
- -t - Combines list rows for each VPN peer with accumulated traffic. Default order is descending by total bytes.
- -v - Verbose mode, prints a header message for each option.

If you specify more than one sort option, you can:
- Separate the options with spaces: ... -<option1> -<option2> -<option3>
  For example: -v -t -b -r
- Write the options together: ... -<option1><option2><option3>
  For example: -vtbr

Example for IPv4

[Expert@MyGW:0]# vpn tu tlist


+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.29.7.134 (b61cef72a222a909) | MSA: ffffc20020e34530 | i: 2 ref: 11 |
| Methods: ESP Tunnel AES-128 SHA1 | | i: 5 ref: 2 |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 172.29.7.134 | | |
| User: user3 | | |
| MSPI: b7 (i: 5) | Out SPI: c95d172c | |
+-----------------------------------------+-----------------------+---------------------+
[Expert@MyGW:0]#

vpn ver
Description
Shows the major version number and build number of the VPN kernel module.

Syntax

vpn ver [-k] [-f <filename>]

Parameters

Parameter Description

-k Shows the version name and build number and the kernel build number.

-f Saves the information to the specified text file.

Example

[Expert@MyGW:0]# vpn ver -k


This is Check Point VPN-1(TM) R80.40 - Build 123
kernel: R80.40 - Build 456
[Expert@MyGW:0]#

mcc
Description
The VPN Multi-Certificate CA (MCC) commands let you manage certificates and Certificate Authorities on
a Security Management Server or Domain Management Server:
- Shows Certificate Authorities
- Shows certificates
- Adds certificates
- Deletes certificates

Important:
- Before you run this command, you must close all SmartConsole clients, GuiDBedit Tool clients (see sk13009), and "dbedit" clients (see sk13301) to prevent a lock of the management database. The only exceptions are the "mcc lca" and "mcc show" commands.
- The mcc commands require the cpca process to be up and running. Run this command:

ps auxw | egrep "cpca|COMMAND"

- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

mcc
      -h
      add <options>
      add2main <options>
      del <options>
      lca
      main2add <options>
      show <options>

Parameters

Parameter Description

-h Shows the built-in usage.

add <options>  Adds certificates. See "mcc add" on page 1623.

add2main <options>  Promotes an additional certificate to be the main certificate. See "mcc add2main" on page 1624.

del <options>  Deletes certificates. See "mcc del" on page 1625.

lca  Shows Certificate Authorities. See "mcc lca" on page 1626.

main2add <options>  Adds the main certificate to the additional certificates. See "mcc main2add" on page 1627.

show <options>  Shows certificates. See "mcc show" on page 1628.

mcc add
Description
Adds a certificate stored in DER format in a specified file, as an additional certificate to the specified CA.
The new certificate receives an index number higher by one than the highest existing certificate index
number.

Syntax

mcc add <CA Name> <Certificate File>

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Important - Before you run this command, you must close all SmartConsole clients, GuiDBedit Tool clients (see sk13009), and "dbedit" clients (see sk13301) to prevent a lock of the management database.

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management Server
database.

<Certificate File>  Specifies the path and the name of the certificate file.
To show the main certificate of a CA, omit this parameter.

Example - Add the certificate stored in the /var/log/Mycert.cer file to the CA called "MyCA"

mcc add MyCA /var/log/Mycert.cer

mcc add2main
Description
Copies the additional certificate of the specified index number of the specified CA to the main position and
overwrites the previous main certificate.

Syntax

mcc add2main <CA Name> <Certificate Index Number>

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Important - Before you run this command, you must close all SmartConsole clients, GuiDBedit Tool clients (see sk13009), and "dbedit" clients (see sk13301) to prevent a lock of the management database.

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management Server
database.

<Certificate Index Number>  Specifies the certificate index number.

Example - Copy certificate #1 of a CA called "MyCA" to the main position

mcc add2main MyCA 1

mcc del
Description
Removes the additional certificate of the specified index number from the specified CA.
Greater index numbers (of other additional certificates) are reduced by one.

Syntax

mcc del <CA Name> <Certificate Index Number>

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Important - Before you run this command, you must close all SmartConsole clients, GuiDBedit Tool clients (see sk13009), and "dbedit" clients (see sk13301) to prevent a lock of the management database.

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management Server
database.

<Certificate Index Number>  Specifies the certificate index number.

Example - Remove certificate #1 of a CA called "MyCA"

mcc del MyCA 1

mcc lca
Description
Shows all Certificate Authorities (CAs) defined in the Management Server database, with the number of
additional CA certificates for each CA.

Syntax

mcc lca

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Example

[Expert@MGMT:0]# mcc lca


MCC: Here is a list of the CAs, with the number of additional CA certificates
1. internal_ca (0)
[Expert@MGMT:0]#

mcc main2add
Description
Copies the main certificate of the specified CA to an additional position.
The copied certificate receives an index number higher by one than the highest existing certificate index
number.

Syntax

mcc main2add <CA Name>

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Important - Before you run this command, you must close all SmartConsole clients, GuiDBedit Tool clients (see sk13009), and "dbedit" clients (see sk13301) to prevent a lock of the management database.

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management Server database.

Example
The CA called "MyCA" has a main certificate and one additional certificate.
If you run this command, then the CA will have two additional certificates, and additional certificate #2 will
be identical to the main certificate:
mcc main2add MyCA

mcc show
Description
Shows details for a specified certificate of a specified CA.

Syntax

mcc show <CA Name> [<Certificate Index Number>]

Note
On a Multi-Domain Server, you must run this command in the context of the applicable
Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management Server
database.

<Certificate Index Number>  Optional. Specifies the certificate index number. To show the main certificate of a CA, omit this parameter.

Example 1 - Show certificate #1 of a CA called MyCA

mcc show MyCA 1

Example 2 - Show certificate of a CA called "internal_ca"

[Expert@MGMT:0]# mcc lca


MCC: Here is a list of the CAs, with the number of additional CA certificates
1. internal_ca (0)
[Expert@MGMT:0]#

[Expert@MGMT:0]# mcc show internal_ca


PubKey:
Modulus:
ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45 f1 00 04 bc
3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be db 75 cc c8
... ... ...
a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50 01 0f 86 9d
55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
Exponent: 65537 (0x10001)

X509 Certificate Version 3


refCount: 1
Serial Number: 1
Issuer: O=MyServer.checkpoint.com.s6t98x
Subject: O=MyServer.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[Expert@MGMT:0]#
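The fields in this output can be checked by script. The following is an added example, not part of the Check Point guide: cert_check reads mcc show output from stdin and reports a certificate that expires within WARN_DAYS, is signed with SHA-1 or MD5, uses an RSA key shorter than 2048 bits, or is marked "is CA" without the keyCertSign key usage. The 90-day threshold, the optional clock-override argument and the embedded sample are constructed assumptions; the parser assumes the "Not valid after" line keeps the layout shown above.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: sanity-check the
# certificate printed by "mcc show <CA Name> [<Certificate Index Number>]"
# (read from stdin). WARN_DAYS is a constructed threshold.
WARN_DAYS="${WARN_DAYS:-90}"

# cert_check [now_epoch]: prints one finding per line. The optional argument
# overrides the current time (seconds since 1970), which keeps tests
# deterministic. Exit status 0 = no findings, 1 = at least one finding.
cert_check() {
    now="${1:-$(date +%s)}"
    awk -v now="$now" -v warn_days="$WARN_DAYS" '
        # Days since 1970-01-01 for a Gregorian date; avoids depending on
        # the date(1) flavour installed on the box.
        function days_from_civil(y, m, d,    era, yoe, doy, doe) {
            y += 0; m += 0; d += 0
            if (m <= 2) y--
            era = int((y >= 0 ? y : y - 399) / 400)
            yoe = y - era * 400
            doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468
        }
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
            for (i = 1; i <= 12; i++) mon[mn[i]] = i
            findings = 0; in_ku = 0; is_ca = 0; ku = ""
        }
        # "Not valid after: Fri Jan 1 05:14:07 2038 Local Time"
        #  $1  $2    $3     $4  $5  $6 $7       $8
        /^Not valid after:/ {
            left = days_from_civil($8, mon[$5], $6) - int(now / 86400)
            if (left < 0) { printf "EXPIRED %d days ago\n", -left; findings++ }
            else if (left < warn_days) { printf "expires in %d days (below %d)\n", left, warn_days; findings++ }
            else printf "expires in %d days\n", left
        }
        # "Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)"
        /^Signature Algorithm:/ {
            if ($0 ~ /SHA-?1[^0-9]/ || $0 ~ /SHA-?1$/ || $0 ~ /MD5/) {
                print "weak signature hash: " $0; findings++
            }
            if (match($0, /\([0-9]+ bits\)/)) {
                bits = substr($0, RSTART + 1, RLENGTH - 7) + 0
                if (bits < 2048) { printf "RSA key too small: %d bits\n", bits; findings++ }
            }
        }
        # Key Usage values follow "Key Usage:" until the next "<label>:" line.
        /^[ \t]*Key Usage:/ { in_ku = 1; next }
        in_ku && /:/ { in_ku = 0 }
        in_ku { ku = ku " " $1; next }
        /^[ \t]*is CA/ { is_ca = 1 }
        END {
            if (is_ca && ku !~ /keyCertSign/) {
                print "CA certificate without keyCertSign key usage"; findings++
            }
            printf "key usage:%s; CA=%d; findings=%d\n", ku, is_ca, findings
            exit (findings > 0 ? 1 : 0)
        }'
}

# Constructed sample in the layout "mcc show" prints (values are not real).
SAMPLE_CERT='X509 Certificate Version 3
refCount: 1
Serial Number: 1
Issuer: O=MyServer.checkpoint.com.s6t98x
Subject: O=MyServer.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA'

# Stand-alone run on the sample; on a Management Server use:
#   mcc show internal_ca | cert_check
printf '%s\n' "$SAMPLE_CERT" | cert_check
```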

Mobile Access Commands


For more information about Mobile Access, see the R80.40 Mobile Access Administration Guide.

admin_wizard
Description
Runs the administration client wizard to test connectivity to websites, Exchange server services, or
LDAP server.

Note - This wizard saves its log messages in these files:


- $CVPNDIR/log/AdminWizardLog.elg
- $CVPNDIR/log/wizard.elg
- $CVPNDIR/log/wizardDns
- $CVPNDIR/log/wizardEstimation
- $CVPNDIR/log/wizardLdap
- $CVPNDIR/log/wizardProxy

Syntax

admin_wizard
      cancel
      estimation
      exchange_wizard <Exchange Server Address> <User Name> <Password> [<Options>]
      ldap <LDAP server>
      wizard <Web Site Address>

Parameters

Parameter Description

No Parameters Shows the built-in help.

cancel  Kills the administration client wizard that is already running.

estimation Estimates how many seconds the wizard will run.

exchange_wizard <Exchange Server Address> <User Name> <Password> [<Options>]  Tests the response from an Exchange server:
- Finds the address protocol (HTTP or HTTPS) and authentication method (Basic or NTLM) of the Exchange server services.
- Checks accessibility of Mobile Access ActiveSync and EWS services for users.
- For the Web command, checks access to the URL.
- For the OWA command, returns the URL to the Outlook Web Access.

The parameters are:
- <Exchange Server Address> - Specifies the Exchange server by its IP address or hostname.
- <User Name> - Specifies the user name on the Exchange Server.
- <Password> - Specifies the password on the Exchange Server.
- <Options> - Specifies the test options.

The available test options are:
- -t {as | ews | owa | all} - Specifies the services to test on the Exchange server:
  Note - To specify more than one service, separate them with a comma. For example: as,ews
  - all - Tests all of the services (default)
  - as - Tests ActiveSync
  - ews - Tests Exchange Web Services
  - owa - Searches for the Outlook Web Application (OWA) address of the Exchange server
- -d <DNS Servers> - Specifies the DNS servers.
- -x <Proxy Servers> - Specifies the Proxy servers.
- -c <Username>:<Password> - Specifies the user name and password for Proxy server authentication.
- -n - Allows only NTLM authentication instead of Basic and NTLM.
- -m <Domain Name> - Specifies the user domain name.
- -s <ActiveSync Path> - Tests a specified ActiveSync service path (Default: /Microsoft-Server-ActiveSync).
- -e <EWS Path> - Tests a specified Exchange Web Services service path (Default: /EWS/Exchange.asmx).
- -f <File Name> - Writes the test results to the specified file.
- -r - Sends a request with the configured Proxy, DNS, HTTP protocol, and authentication method.
  - If you also specify the "-n" option, then the NTLM authentication method is used.
  - If you do not specify the "-n" option, then only the Basic authentication method is used.

- -v - Makes the HTTP requests verbose. The verbose result files are saved in the $CVPNDIR/log/trace_log/ directory.
- -p - Validates the SSL certificate of the web server.

ldap <LDAP server>  Tests connectivity to the specified LDAP server. You can specify the LDAP server by its IP address or hostname.

wizard <Web Site Address> Tests connectivity to the specified URL.

Example 1 - Check URL accessibility of 'www.checkpoint.com'

admin_wizard wizard www.checkpoint.com

Example 2 - Check accessibility to the LDAP server 192.168.0.55

admin_wizard ldap 192.168.0.55

Example 3 - Check accessibility for username 'user1' to ActiveSync and EWS on the Exchange server
'exchange.example.com'

admin_wizard exchange_wizard exchange.example.com username user1 -t as,ews

cvpnd_admin
Description
Changes the behavior of the Mobile Access cvpnd process.

Syntax

cvpnd_admin
      appMonitor status
      clear_kernel_tables
      clear_portal_cache
      debug <options>
      ics_update
      isEnabled
      license <options>
      policy [{graceful | hard}]
      revoke <Certificate Serial Number>

Parameters

Parameter Description

appMonitor <options>  Controls the Application Monitor.
The Application Monitor is a software component that monitors internal servers to track their up time. If problems are found, a system alert log is created.
The available <options> are:
- restart - Restarts the Application Monitor.
- start - Starts the Application Monitor.
- status - Shows the status of the Application Monitor feature, the applications monitored by the Application Monitor and their status.
- stop - Stops the Application Monitor.

clear_kernel_tables  Clears all Mobile Access kernel tables.

clear_portal_cache Clears the cache for the applications presented in the Mobile Access
Portal for all open sessions.

debug set TDERROR_ALL_ALL=5  Enables all cvpnd debug output for the running cvpnd process. The output is in the $CVPNDIR/log/cvpnd.elg file.
Note - When you enable all debug topics, it might impact the performance. Debug topics are provided by Check Point Support.

debug off Disables all cvpnd debug output.

debug trace on
debug trace users=<Username>  The TraceLogger feature generates full captures of incoming and outgoing authenticated Mobile Access traffic. The output is saved in the $CVPNDIR/log/trace_log/ directory.
- debug trace on - Enables the TraceLogger feature for all users.
- debug trace users=<Username> - Enables the TraceLogger feature for a specified username.

Important:
- The TraceLogger feature has a major effect on performance, because all traffic is saved as files.
- The TraceLogger feature uses a lot of disk space, because all traffic is saved as files. After a maximum number of files is saved, the oldest files are removed from the disk, which also has a performance cost.
- The TraceLogger feature creates a security concern: end-user passwords that are sent to internal resources might appear in the capture files.

ics_update Updates the Mobile Access services after you published a new ICS
update.

isEnabled Checks if Mobile Access is enabled by policy.

license <options>  Shows Mobile Access license count and status:
- all - Shows information about the MOB and MOBMAIL licenses.
- mob - Shows information about the MOB license.
- mobmail - Shows information about the MOBMAIL license.

policy [{graceful | hard}]  Updates the Mobile Access services according to the current policy:
- policy - For Apache services, each httpd process waits until its current request is finished, then exits.
- policy graceful - For Apache services, each httpd process waits until its current request is finished, then exits.
- policy hard - For Apache services, all httpd processes exit immediately, terminating all current http requests.

revoke <Certificate Serial Number>  Notifies about revocation of a certificate with a given serial number.

cvpnd_settings
Description
Changes the Mobile Access Gateway local configuration file $CVPNDIR/conf/cvpnd.C.
The cvpnd_settings commands let you get or set attribute values to configure the cvpnd process.

Important - Changes made with the cvpnd_settings command are not preserved during a Mobile Access Gateway upgrade. Keep a backup of your $CVPNDIR/conf/cvpnd.C file after you make manual changes.

Warning - The cvpnd process may not start if you make a mistake in the syntax (attribute names or their values).

General Syntax

cvpnd_settings [<Configuration File>] {get | set | add | listAdd | listRemove | internal} <Attribute-Name> [<Attribute-Value>]

Syntax for DynamicID Resend

cvpnd_settings [<Configuration File>] {set | get} smsMaxResendRetries [<Number>]

Syntax for Kerberos Authentication

cvpnd_settings [<Configuration File>] {set | get} useKerberos {true | false}

cvpnd_settings [<Configuration File>] {listAdd | listRemove} kerberosRealms [<Your AD Name>]

Parameters
Run this command to see the full explanation of the parameters: cvpnd_settings -h

Parameter Description

-h Shows built-in help with full explanation of the parameters.

<Configuration File>  Specifies the path and the name of the configuration file to change.

get Gets the value of an existing attribute, or values of a list.

set  Sets the value of an attribute. If the specified attribute does not exist in the configuration file, then the command adds it.

add  Adds a new attribute. If the specified attribute already exists in the configuration file, then the command does not change it.

listAdd  Adds the specified attribute to a list.

listRemove  Removes the specified attribute from a list.

internal  Specifies that the command must change the $CVPNDIR/conf/cvpnd_internal_settings.C file instead of the $CVPNDIR/conf/cvpnd.C file.

<Attribute-Name>  Specifies the attribute name.

<Attribute-Value>  Specifies the attribute value.

<Number>  Specifies the number of SMS resend attempts.

<Your AD Name>  Specifies the Active Directory name.

Example 1 - Set the value of the attribute 'myFlag' to 1

cvpnd_settings set myFlag 1

Example 2 - See the current value of the attribute 'myFlag'

cvpnd_settings get myFlag

Example 3 - Empty the value of the attribute 'myFlag', or create a new attribute/list 'myFlag'

cvpnd_settings set myFlag

Example 4 - Add the attribute 'myFlag' with the value 'a.example.com' to a list

cvpnd_settings listAdd myFlag a.example.com

cvpn_ver
Description
Shows the version of the Mobile Access Software Blade.

Best Practice - Run the "fw ver -k" command to get all version details (see "fw
ver" on page 1107).

Syntax

cvpn_ver

Example

[Expert@MyGW:0]# cvpn_ver
This is Check Point Mobile Access R80.40 - Build 123
[Expert@MyGW:0]#

cvpnrestart
Description
Restarts all Mobile Access blade services.

Warning - While this command does not terminate sessions, it closes all TCP
connections. End-users might lose their work.

Syntax

cvpnrestart [--with-pinger]

Parameters

Parameter Description

--with-pinger  Restarts the Pinger service, responsible for ActiveSync and Outlook Web Access push mail notifications.

cvpnstart
Description
Starts all Mobile Access blade services, after you stopped them with the "cvpnstop" on page 1643
command.

Syntax

cvpnstart

cvpnstop
Description
Stops all Mobile Access blade services.

Warning - While this command does not terminate sessions, it closes all TCP
connections. End-users might lose their work.

Syntax

cvpnstop

deleteUserSettings
Description
Deletes all persistent settings (favorites, cookies, credentials) of one or more end-users.

Syntax

deleteUserSettings [-s] <Username1> [<Username2> ...]

Parameters

Parameter Description

-s Runs in silent mode with no output to the end-user's screen.

<Username> Specifies the user name, whose settings to delete.

Notes:
- When you refer to an internal user, use its username.
- When you refer to an LDAP user, use the full DN according to your LDAP settings.

Example 1 - Delete an internal user named 'user1'

deleteUserSettings [-s] user1

Example 2 - Delete an LDAP user named 'user1', whose DN is 'CN=user1,OU=users,DC=example,DC=com'

deleteUserSettings [-s] CN=user1,OU=users,DC=example,DC=com

fwpush
Description
Sends command interrupts to the fwpushd process on the Mobile Access Gateway.

Note - Users get the push notifications only while they are logged in.

Syntax

fwpush
      debug <options>
      del <options>
      info
      print
      send <options>
      unsub <options>

Parameters

Parameter Description

debug {off | on | reset | set all all | stat}  Controls the debug of the Mobile Access Push Notifications daemon. For more information, see sk109039.

del {-token <Token> | -uid <User-UID>}  Deletes a specified token, or all tokens for a specified user.
The available options are:
- Delete the specified token for all users:

fwpush del -token <Token>

- Delete all tokens for a specified user:

fwpush del -uid <User-UID>

info  Gets data on notifications in the push queue:
- Number of items in queues
- Number of seconds the oldest item is in the queue
- Number of seconds the newest item is in the queue
- Number of seconds a batch waits in the queue
- Number of seconds to the sending of the next batch
- Number of batch errors and authentication request timeouts

print  Shows the push notifications queue and the pending batches.

send -token <Token> -os {iPhone | Android} -msg "<Notification Message>"
send {-user <Username> | -uid <User-UID>} -msg "<Notification Message>"  Sends an on-demand push notification message from a command line.
Important - Before you use the "fwpush send" command, make sure the user is: (A) registered on the Exchange Server, (B) connected.

unsub {<Token> | -user <Username> | -uid <User-UID> | -all}  Unsubscribes a user from push notifications.
The available options are:
- Unsubscribe all users from the specified token:

fwpush unsub <Token>

- Unsubscribe the specified user from all tokens:

fwpush unsub -user <Username>

or

fwpush unsub -uid <User-UID>

- Unsubscribe all users from all tokens:

fwpush unsub -all

Viewing the details of connected users

UserSettingsUtil show_exchange_registered_users

Example output:

[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users


User Name: CN=JohnD,OU=USERS,OU=RND,OU=PO,OU=USA,DC=AD,DC=CHECKPOINT,DC=COM User Settings id:
c4b6c6fbb0c4xxxxxxxx265e93e0e372
Push Token: xxxxxxxxxxxxx65b48e424023ebxxxxxxxxca22ea788cfb3cxxxxxxxxxx Device id:
46c5XXXXcc1d10b4e18cf5a1xxxxxxxx
[Expert@MyGW:0]#

Notes:
- To use the "<Token>" parameter in the "fwpush" commands, use the value of the Push Token attribute. In the above example: xxxxxxxxxxxxx65b48e424023ebxxxxxxxxca22ea788cfb3cxxxxxxxxxx
- To use the "<Username>" parameter in the "fwpush" commands, use the value of the CN attribute. In the above example: JohnD
- To use the "<User-UID>" parameter in the "fwpush" commands, use the value of the User Settings id attribute. In the above example: c4b6c6fbb0c4xxxxxxxx265e93e0e372

Example
[Expert@MyGW:0]# fwpush send -uid JohnD -msg "Hello - push"

ics_updates_script
Description
Manually starts an Endpoint Security on Demand (ESOD) update on the Mobile Access Gateway.
For more information, see the contents of the $CVPNDIR/bin/ics_updates_script file.

Syntax

$CVPNDIR/bin/ics_updates_script <Path to ICS Updates Package>

Parameters

Parameter Description

<Path to ICS Updates Package> Specifies the full path of the ICS Updates package.
Do not specify the name of the ICS Updates package.

Notes
- Usually, it is not necessary to run this command, and you start the ESOD updates from SmartConsole:
  1. In SmartConsole, from the left navigation panel, click Manage & Settings.
  2. In the Mobile Access section, click Configure in SmartDashboard.
  3. The SmartDashboard opens on the Mobile Access tab.
  4. From the left tree, click Endpoint Security on Demand > Endpoint Compliance Updates.
  5. Click Update Database Now.
  6. Enter the applicable User Center credentials.
  7. Click Next.
  8. Select the applicable Mobile Access Gateways.
  9. Click Finish.
  10. Close the SmartDashboard.
- Make sure to run only one instance of this command at a time.

listusers
Description
Shows a list of end-users connected to the Mobile Access Gateway, along with their source IP addresses.

Syntax

listusers

Example

[Expert@MyGW:0]# listusers
------------------------------
UserName | IP
------------------------------
Tom , 192.168.0.51
John , 192.168.0.130
Jane , 192.168.0.7
[Expert@MyGW:0]#

rehash_ca_bundle
Description
Imports all of the Certificate Authority (CA) files from the $CVPNDIR/var/ssl/ca-bundle/ directory
into the Mobile Access trusted CA bundle.
The trusted CA bundle is used when the Mobile Access Gateway accesses an internal server (such as
OWA) through HTTPS.
If the SSL server certificate of the internal server is not trusted by the Mobile Access Gateway, the Mobile
Access Gateway responds based on the settings for the Internal Web Server Verification feature. The
default setting is Monitor.
To accept certificates from a specified server, add its server certificate CA to the CA bundle.

Syntax

rehash_ca_bundle

Example

[Expert@MyGW:0]# rehash_ca_bundle
Doing /opt/CPcvpn-R80.40/var/ssl/ca-bundle/
AC_Ra__z_Certic__mara_S.A..pem => 6f2c1157.0
AOL_Time_Warner_Root_Certification_Authority_1.pem => ed9bb25c.0
... ... ...
beTRUSTed_Root_CA_-_RSA_Implementation.pem => 16b3fe3c.0
thawte_Primary_Root_CA.pem => 2e4eed3c.0
[Expert@MyGW:0]#

UserSettingsUtil
Description
Shows details of users connected to the Mobile Access Gateway.

Syntax

UserSettingsUtil show_exchange_registered_users [<Username>]

Parameters

Parameter Description

<Username> Specifies the user name.

Notes:
- When you refer to an internal user, use its username.
- When you refer to an LDAP user, use the full DN according to your LDAP settings.

Example 1 - To show all users

[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users


User Name: CN=JohnD,OU=USERS,OU=RND,OU=PO,OU=USA,DC=AD,DC=CHECKPOINT,DC=COM User Settings id:
c4b6c6fbb0c4xxxxxxxx265e93e0e372
Push Token: xxxxxxxxxxxxx65b48e424023ebxxxxxxxxca22ea788cfb3cxxxxxxxxxx Device id:
46c5XXXXcc1d10b4e18cf5a1xxxxxxxx
[Expert@MyGW:0]#

Example 2 - To show an internal user named 'user1'


[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users user1

Example 3 - To show an LDAP user named 'user1', whose DN is 'CN=user1,OU=users,DC=example,DC=com'

[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users CN=user1,OU=users,DC=example,DC=com
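As the Notes under fwpush explain, the <Username>, <User-UID> and <Token> values for the fwpush commands come from the CN, User Settings id and Push Token fields of this output. The following is an added example, not part of the Check Point guide: push_identities reads UserSettingsUtil show_exchange_registered_users output from stdin and prints those values tab-separated, one user per line, and token_of returns the Push Token for one user. The assumed record layout and the embedded sample are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: turn the output of
# "UserSettingsUtil show_exchange_registered_users" (read from stdin) into
# one tab-separated line per user holding the three values the fwpush
# commands take: <Username> (the CN), <User-UID> (User Settings id) and
# <Token> (Push Token), plus the Device id.
# Assumption: every record starts with "User Name:" and the labels
# "User Settings id:", "Push Token:" and "Device id:" follow in that order;
# line wrapping between them does not matter.
push_identities() {
    awk '
        # Text in s between label a and label b, trimmed; "" when a is absent.
        function between(s, a, b,    i, j, r) {
            i = index(s, a)
            if (i == 0) return ""
            r = substr(s, i + length(a))
            j = index(r, b)
            if (j > 0) r = substr(r, 1, j - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", r)
            return r
        }
        { buf = buf " " $0 }     # flatten wrapped lines into one string
        END {
            count = 0
            while ((i = index(buf, "User Name:")) > 0) {
                buf = substr(buf, i)                       # record starts at its label
                j = index(substr(buf, 11), "User Name:")   # offset of the next record
                rec = (j > 0) ? substr(buf, 1, j + 9) : buf
                buf = (j > 0) ? substr(buf, j + 10) : ""
                dn     = between(rec, "User Name:", "User Settings id:")
                uid    = between(rec, "User Settings id:", "Push Token:")
                token  = between(rec, "Push Token:", "Device id:")
                device = between(rec, "Device id:", "User Name:")
                # LDAP users are listed by full DN; fwpush wants the CN value.
                # Internal users are listed by plain username and kept as is.
                cn = dn
                if (cn ~ /^CN=/) { sub(/^CN=/, "", cn); sub(/,.*/, "", cn) }
                printf "%s\t%s\t%s\t%s\n", cn, uid, token, device
                count++
            }
            exit (count > 0 ? 0 : 1)
        }'
}

# token_of <Username>: the Push Token of one user, e.g. for "fwpush unsub <Token>".
token_of() {
    push_identities | awk -F'\t' -v u="$1" '$1 == u { print $3 }'
}

# Constructed sample in the layout the guide shows (placeholder values).
SAMPLE_USERS='User Name: CN=JohnD,OU=USERS,OU=RND,OU=PO,OU=USA,DC=AD,DC=CHECKPOINT,DC=COM User Settings id:
c4b6c6fbb0c4xxxxxxxx265e93e0e372
Push Token: xxxxxxxxxxxxx65b48e424023ebxxxxxxxxca22ea788cfb3cxxxxxxxxxx Device id:
46c5XXXXcc1d10b4e18cf5a1xxxxxxxx
User Name: user1 User Settings id: 0123456789abcdef0123456789abcdef Push Token: tokentokentoken Device id: deviceid'

# Stand-alone run on the sample; on a gateway use:
#   UserSettingsUtil show_exchange_registered_users | push_identities
printf '%s\n' "$SAMPLE_USERS" | push_identities
```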

Data Loss Prevention Commands


For more information about Data Loss Prevention, see the R80.40 Data Loss Prevention Administration Guide.

dlpcmd
Description
Controls the Data Loss Prevention Engine on a Security Gateway.

Syntax on a Security Gateway

dlpcmd [-s]
      action_by_admin <options>
      getquarantined
      getquarantinedcount
      getquarantinedsize
      ramdisk <options>

Parameters

Parameter Description

-s Silent mode - does not print failure messages on the screen.

action_by_admin <options>  Sends or deletes the specified quarantined email by its public GUID from quarantine.
The available options are:
- Send (Release) the specified quarantined email:

dlpcmd action_by_admin 1 {Public GUID of the Quarantined Email} ["Justification for Sending or Deleting"] ["Administrator Name"]

- Delete (Discard) the specified quarantined email:

dlpcmd action_by_admin 2 {Public GUID of the Quarantined Email} ["Justification for Sending or Deleting"] ["Administrator Name"]

Notes:
- You must enclose the email ID in curly brackets {}.
- You can see this action in Audit Logs in SmartConsole. For example, see sk117753.

getquarantined Shows the list of all quarantined emails.

getquarantinedcount Shows the number of all quarantined emails.

getquarantinedsize Shows the total size of all emails in quarantine.

ramdisk <options>  Shows and controls the DLP RAM Disk.
The available options are:
- off - Disables the DLP RAM Disk
- on - Enables the DLP RAM Disk
- size <Size in MBytes> - Configures the size of the DLP RAM Disk
- status - Shows the DLP RAM Disk information

Important - All operations except "status" require a restart of all services ("cpstop" on page 920 and "cpstart" on page 911).

Example

[Expert@MyGW:0]# dlpcmd getquarantined
Printing quarantined mails:
Mail GUID: {8698E6EC-340C-9115-0AB6-F6CA9986147F}; Arrival date: Sun Dec 1 13:38:32 2019; exp date: Sun Dec 8 13:38:32 2019; sender: dataowner-JOHNDOE;
... ... ...
[Expert@MyGW:0]#
[Expert@MyGW:0]# dlpcmd action_by_admin 1 {8698E6EC-340C-9115-0AB6-F6CA9986147F} "Released an Email" "Main Admin"
[Expert@MyGW:0]#
[Expert@MyGW:0]# dlpcmd getquarantined
No quarantined mails
[Expert@MyGW:0]#
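The quarantine listing above is what an administrator reviews before releasing or discarding mail. The following shell script is an added example and not part of the Check Point guide: it parses a constructed sample of "dlpcmd getquarantined" output, keeps only entries whose GUID is well-formed and enclosed in curly brackets (as action_by_admin requires), and drafts the matching "dlpcmd action_by_admin 1 ..." release commands with the justification and administrator name quoted, so the release can be reviewed first and later traced in the Audit Logs under that justification. The first GUID is the one shown in the guide; the second entry, the malformed entry and the sender names are constructed.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: audit the DLP quarantine
# listing and draft the "dlpcmd action_by_admin 1" release commands for review.
# Input is a constructed sample in the format "dlpcmd getquarantined" prints;
# on a gateway you would capture it with: dlpcmd getquarantined

# Constructed sample (first GUID is the one shown in the guide; the rest is made up).
SAMPLE_QUARANTINE='Printing quarantined mails:
Mail GUID: {8698E6EC-340C-9115-0AB6-F6CA9986147F}; Arrival date: Sun Dec 1 13:38:32 2019; exp date: Sun Dec 8 13:38:32 2019; sender: dataowner-JOHNDOE;
Mail GUID: {0D1F3B2A-7C44-4E1B-9A55-1B2C3D4E5F60}; Arrival date: Mon Dec 2 09:15:00 2019; exp date: Mon Dec 9 09:15:00 2019; sender: dataowner-JANEROE;
Mail GUID: not-a-guid; Arrival date: Mon Dec 2 10:00:00 2019; exp date: Mon Dec 9 10:00:00 2019; sender: dataowner-BROKEN;'

# Print one tab-separated line per quarantined mail: GUID, sender, expiry date.
# Only GUIDs made of upper-case hex digits and dashes inside curly brackets pass;
# anything else is dropped, because action_by_admin requires the ID in {}.
list_quarantined() {
    printf '%s\n' "$1" | awk '
        /^Mail GUID: [{][0-9A-F-]+[}];/ {
            guid = $3; sub(/;$/, "", guid)
            match($0, /sender: [^;]+/)
            sender = substr($0, RSTART + 8, RLENGTH - 8)
            match($0, /exp date: [^;]+/)
            expiry = substr($0, RSTART + 10, RLENGTH - 10)
            printf "%s\t%s\t%s\n", guid, sender, expiry
        }'
}

# Number of well-formed quarantined mails in the listing.
count_quarantined() {
    list_quarantined "$1" | wc -l | tr -d ' '
}

# Draft (print, do not run) one release command per mail, with the justification
# and administrator name quoted as the syntax requires. Arguments:
#   $1 listing text, $2 justification, $3 administrator name
draft_release_commands() {
    justification=$2
    admin=$3
    list_quarantined "$1" | while IFS="$(printf '\t')" read -r guid sender expiry; do
        printf 'dlpcmd action_by_admin 1 %s "%s" "%s"\n' "$guid" "$justification" "$admin"
    done
}

# Stand-alone run: show the parsed listing, then the drafted commands.
list_quarantined "$SAMPLE_QUARANTINE"
draft_release_commands "$SAMPLE_QUARANTINE" "Released after review" "Main Admin"
```

The drafted lines are printed rather than executed on purpose: the justification and administrator name end up in the Audit Log entry, so they should be reviewed before a release is run.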

VSX Commands
For more information about VSX, see the R80.40 VSX Administration Guide.

cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool lets you configure specific settings for the installed Check Point products.

Important - In Cluster, you must configure all the Cluster Members in the same way.

Syntax

cpconfig

Menu Options

Note - The options shown depend on the configuration and installed products.

Menu Option Description

Licenses and contracts Manages Check Point licenses and contracts on this Security Gateway or Cluster Member.

SNMP Extension Obsolete. Do not use this option anymore.
To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System Management - Section SNMP.

PKCS#11 Token Register a cryptographic token, for use by Gaia Operating System.
See details of the token, and test its functionality.

Random Pool Configures the RSA keys, to be used by Gaia Operating System.

Secure Internal Communication Manages SIC on the Security Gateway or Cluster Member.
This change requires a restart of Check Point services on the Security Gateway or Cluster Member.
For more information, see:
- The R80.40 Security Management Administration Guide.
- sk65764: How to reset SIC.

Enable cluster membership for this gateway Enables the cluster membership on the Security Gateway.
This change requires a reboot of the Security Gateway.
For more information, see the:
- R80.40 Installation and Upgrade Guide.
- R80.40 ClusterXL Administration Guide.

Disable cluster membership for this gateway Disables the cluster membership on the Security Gateway.
This change requires a reboot of the Security Gateway.
For more information, see the:
- R80.40 Installation and Upgrade Guide.
- R80.40 ClusterXL Administration Guide.

Enable Check Point Per Virtual System State Enables Virtual System Load Sharing on the VSX Cluster Member.
For more information, see the R80.40 VSX Administration Guide.

Disable Check Point Per Virtual System State Disables Virtual System Load Sharing on the VSX Cluster Member.
For more information, see the R80.40 VSX Administration Guide.

Enable Check Point ClusterXL for Bridge Active/Standby Enables Check Point ClusterXL for Bridge mode.
This change requires a reboot of the Cluster Member.
For more information, see the:
- R80.40 Installation and Upgrade Guide.
- R80.40 ClusterXL Administration Guide.

Disable Check Point ClusterXL for Bridge Active/Standby Disables Check Point ClusterXL for Bridge mode.
This change requires a reboot of the Cluster Member.
For more information, see the:
- R80.40 Installation and Upgrade Guide.
- R80.40 ClusterXL Administration Guide.

Check Point CoreXL Manages CoreXL on the Security Gateway or Cluster Member.
After all changes in CoreXL configuration, you must reboot the Security Gateway or Cluster Member.
For more information, see the R80.40 Performance Tuning Administration Guide.

Automatic start of Check Point Products Shows and controls which of the installed Check Point products start automatically during boot.

Exit Exits from the Check Point Configuration Tool.

Example 1 - Menu on a single Security Gateway

[Expert@MySingleGW:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Check Point CoreXL
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

Example 2 - Menu on a Cluster Member

[Expert@MyClusterMember:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :

vsenv
Description
Changes the shell's current context to the specified Virtual Device.

Syntax

vsenv [{<VSID> | <Name of Virtual Device>}]

Parameters

Parameter Description

No Parameters Changes the context to the default Virtual Device 0.

<VSID> Specifies the Virtual Device by its ID.

<Name of Virtual Device> Specifies the Virtual Device by its Name.

Note - To see the configured Virtual Devices, run the "vsx stat -v" command.

Example 1 - Changing the context to the default Virtual Device 0

[Expert@MyVsxGW:0]# vsenv
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVsxGW:0]#

Example 2 - Changing the context to the specific Virtual Device

[Expert@MyVsxGW:0]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVsxGW:2]#

vsx
Description
- Shows VSX configuration.
- Fetches VSX configuration.
- Shows and configures CPU Resource Control.
- Shows and configures Memory Resource Control.

Syntax

vsx
      fetch <options>
      fetch_all_cluster_policies
      fetchvs <options>
      get
      initmsg <options>
      mstat <options>
      resctrl <options>
      showncs <options>
      sicreset
      stat <options>
      unloadall
      vspurge

Note - The fw6 vsx commands are not supported.

Parameters

Parameter Description

fetch <options> Fetches configuration for VSX Gateway.
See "vsx fetch" on page 1665.

fetch_all_cluster_policies Fetches security policy for all Virtual Systems and Virtual Routers from cluster peers.
See "vsx fetch_all_cluster_policies" on page 1667.

fetchvs <options> Fetches configuration for a Virtual System.
See "vsx fetchvs" on page 1668.

get Shows the information about the current VSX context.
See "vsx get" on page 1669.

initmsg <options> Sends VSX initialization message.
See "vsx initmsg" on page 1670.

mstat <options> Shows and configures Memory Resource Control.
See "vsx mstat" on page 1671.

resctrl <options> Shows and configures CPU Resource Control.
See "vsx resctrl" on page 1675.

showncs <options> Shows Check Point Network Configuration Script (NCS) for Virtual Device.
See "vsx showncs" on page 1678.

sicreset Resets SIC for Virtual System or Virtual Router in the current VSX context.
See "vsx sicreset" on page 1679.

stat <options> Shows status information for VSX Gateway.
See "vsx stat" on page 1680.

unloadall Unloads security policy for all Virtual Systems and Virtual Routers.
See "vsx unloadall" on page 1682.

vspurge Cleans unused entries for Virtual Devices.
Fetches configuration file for Virtual Devices.
See "vsx vspurge" on page 1683.

vsx fetch
Description
Fetches the most current configuration files from the Security Management Server or Main Domain Management Server, and applies them to the VSX Gateway.

Syntax

vsx fetch [-v] [-q] [-s] local

vsx fetch [-v | -q | -s] [-f <Configuration File>]

vsx fetch [-v | -q] -C "NCS Command"

vsx fetch [-v | -q | -c | -n | -s] [<Management Server>]

Parameters

Parameter Description

-c Specifies that this is a VSX Cluster.

-n Specifies not to apply the local.vsall if the VSX configuration fetched from the Management Server is already up-to-date.

-q Specifies to run in quiet mode - shows only summary information.

-s Specifies to fetch concurrently for multi-processor environment.

-v Specifies to run in verbose mode - shows detailed information.

local Reads the configuration file $FWDIR/state/local/VSX/local.vsall and executes the Network Configuration Script (NCS).

-f <Configuration File> Fetches the specified configuration file with NCS commands instead of the default local.vsall file.

-C "NCS Command" Executes the specified NCS command.

<Management Server> Fetches the local.vsall from the specified Management Server (by resolvable hostname, or IP address), replaces and runs it.
Note - If you do not specify the Management Server explicitly, the command takes it from the $FWDIR/conf/masters file on the VSX Gateway.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

Example

[Expert@MyVsxGW:0]# vsx fetch
Fetching VSX Configuration From: 192.168.30.40
Local VSX Configuration is Up-To-Date.
Cleaning un-used Virtual Systems entries (local.vskeep).
Purge operation succeeded.
Fetching Virtual Systems configuration file (local.vsall).
SecureXL device has been enabled for vsid 1
SecureXL device has been enabled for vsid 2
SecureXL device has been enabled for vsid 3
Virtual Systems configuration file installed successfully
[Expert@MyVsxGW:0]#

vsx fetch_all_cluster_policies
Description
Fetches security policy for all Virtual Systems and Virtual Routers from cluster peers.

Syntax

vsx fetch_all_cluster_policies [-v]

Parameters

Parameter Description

-v Specifies to run in verbose mode - shows detailed information.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

vsx fetchvs
Description
Fetches configuration file for the specified Virtual Device based on information stored locally on the VSX
Gateway.

Syntax

vsx fetchvs [-v | -q] [{<VSID> | <Name of Virtual Device>}]

Parameters

Parameter Description

-q Specifies to run in quiet mode - shows only summary information.

-v Specifies to run in verbose mode - shows detailed information.

<Name of Virtual Device> Specifies the name of the Virtual Device.

<VSID> Specifies the ID of the Virtual Device.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

Example
[Expert@MyVsxGW:0]# vsx fetchvs 2

vsx get
Description
Shows the information about the current VSX context.

Syntax

vsx get

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

Example

[Expert@MyVsxGW:0]# vsx get
Current context is VSX Gateway MyVsxGW (ID 2).
[Expert@MyVsxGW:0]#

vsx initmsg
Description
Sends VSX initialization message - to initialize the CPD messaging in Virtual Systems.

Syntax

vsx initmsg [-q | -v]

Parameters

Parameter Description

-q Specifies to run in quiet mode - shows only summary information.

-v Specifies to run in verbose mode - shows detailed information.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

Example

[Expert@MyVsxGW:2]# vsx initmsg -v
Sending VSX initialization message.
VSX initialization operation succeeded.
[Expert@MyVsxGW:2]#

vsx mstat
Description
Shows and configures Memory Resource Control.
Output shows these global memory resources:

Resource Description

Memory Total Total physical memory on the VSX Gateway.

Memory Free Available physical memory.

Swap Total Total of swap memory.

Swap Free Available swap memory.

Swap-in rate Total memory swaps per second.

Syntax

vsx mstat help

vsx mstat
[-vs <VSID>] [unit <Unit>] [sort {<Number> | all}]
      debug
      disable
      enable
      status
      swap <Minutes>

Parameters

Parameter Description

help Shows the built-in usage.

No Parameters Shows the total memory consumption for each Virtual System.

-vs <VSID> Specifies the Virtual Systems by their IDs.
You can specify:
- One Virtual System. Example: -vs 1
- Many individual Virtual Systems (separate their IDs with spaces). Example: -vs 2 3
- A range of Virtual Systems. Example: -vs 4-6
Note - You can combine all the available options (separate them with spaces). Example: -vs 1 4-6

unit <Unit> Specifies the memory measurement unit shown in the command output:
- B - bytes
- K - kilobytes
- M - megabytes (default)
- G - gigabytes

sort {<Number> | all} Sorts the Virtual Systems in the output by their memory size.
Specifies the number of Virtual Systems shown in the command output.
Use all to show all Virtual Systems.
If you do not specify this flag, the Virtual Systems in the output are sorted by their VSID.

debug Shows memory consumption debug information for each Virtual System by fields, which are defined in the configuration file.

disable Disables the Memory Resource Control.
Note - This change applies immediately and does not require a reboot.

enable Enables the Memory Resource Control.
Note - This change requires a reboot.

status Shows the current Memory Resource Control status.

swap <Minutes> Specifies the swap-in sample rate in minutes.
Enter the number of minutes that the system measures memory swaps to determine the swap-in rate.
Only integers are valid values.
The default swap-in sample rate is 10.
Notes:
- Swap-in sample rate is a system-wide Linux setting. When you change the value for memory monitoring, all the swap-in rates are calculated according to the new value.
- When you enable the monitoring memory resources feature, the swap-in rate setting is saved. When you disable the feature, the system restores the saved setting.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

Example 1

[Expert@MyVsxGW:0]# vsx mstat unit M sort all

VSX Memory Status
=================
Memory Total: 7753.95 MB
Memory Free: 7168.71 MB
Swap Total: 3992.71 MB
Swap Free: 3992.71 MB
Swap-in rate: 8796093022208.00 MB

VSID | Memory Consumption
======+====================
0 | 260.79 MB
1 | 0.00 MB

[Expert@MyVsxGW:0]#

Example 2

[Expert@MyVsxGW:0]# vsx mstat -vs 0 unit G

VSX Memory Status
=================
Memory Total: 7.572 GB
Memory Free: 7.001 GB
Swap Total: 3.899 GB
Swap Free: 3.899 GB
Swap-in rate: 8589934592.000 GB

VSID | Memory Consumption
======+====================
0 | 0.255 GB

[Expert@MyVsxGW:0]#

Example 3

[Expert@MyVsxGW:0]# vsx mstat debug

VSX Memory Status
=================
Memory Total: 7940048.00 KB
Memory Free: 7339864.00 KB
Swap Total: 4088532.00 KB
Swap Free: 4088532.00 KB
Swap-in rate: 9007199254740992.00 KB

VSID | Private_Clean | Private_Dirty | DispatcherGConn | DispatcherHTab | SecureXL | DispatcherGConn6 | DispatcherHTab6 | SecureXL6
======+===============+===============+=================+================+=============+==================+=================+===========
0 | 34456.00 KB | 182104.00 KB | 6.09 KB | 0.00 KB | 51071.91 KB | 0.00 KB | 0.00 KB | 0.00 KB
1 | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB

Note: To add a field to memory table please uncomment the required field (delete the leading '#')
To remove a field from memory table please comment out the required field (add a leading '#')
Configuration is done in the file /opt/CPsuite-R80.30/fw1/conf/memoryinfo.conf

[Expert@MyVsxGW:0]#
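Memory Resource Control output like the examples above is most useful when something reads it regularly. The following shell script is an added example and not from the Check Point guide: it parses a constructed sample of "vsx mstat" output, normalises each Virtual System's consumption to megabytes whichever unit the command was run with (the B, KB, MB and GB labels seen in the examples), lists the Virtual Systems above a threshold, and reports the share of Memory Total that all Virtual Systems consume together. The sample values are constructed; on a gateway the input would be the output of "vsx mstat unit M sort all".

```shell
#!/bin/sh
# Added example, not from the Check Point guide: turn "vsx mstat" output into
# per-Virtual-System memory figures and threshold findings.
# Input is constructed sample output in the format of "vsx mstat unit M sort all";
# on a gateway you would capture it with that command.

# Constructed sample (values made up, layout as the command prints it).
SAMPLE_MSTAT='VSX Memory Status
=================
Memory Total: 7753.95 MB
Memory Free: 5368.21 MB
Swap Total: 3992.71 MB
Swap Free: 3992.71 MB
Swap-in rate: 0.00 MB

VSID | Memory Consumption
======+====================
0 | 260.79 MB
1 | 0.00 MB
2 | 1536.50 MB'

# awk helper shared by the functions below: convert a value in the unit the
# command printed (B, KB, MB, GB) to megabytes.
TO_MB_AWK='function to_mb(v, u) {
    if (u == "B")  return v / 1048576
    if (u == "KB") return v / 1024
    if (u == "GB") return v * 1024
    return v
}'

# Print "VSID<TAB>MB" for every Virtual System row ("<id> | <value> <unit>"),
# in the order the command listed them.
vs_memory_mb() {
    printf '%s\n' "$1" | awk "$TO_MB_AWK"'
        $2 == "|" && $1 ~ /^[0-9]+$/ { printf "%s\t%.2f\n", $1, to_mb($3, $4) }'
}

# Print the VSIDs whose consumption exceeds the threshold given in MB ($2).
vs_memory_over() {
    vs_memory_mb "$1" | awk -F '\t' -v limit="$2" '$2 > limit { print $1 }'
}

# Whole-number percentage of "Memory Total" consumed by all Virtual Systems together.
vs_memory_pct_of_total() {
    printf '%s\n' "$1" | awk "$TO_MB_AWK"'
        /^Memory Total:/ { total = to_mb($3, $4) }
        $2 == "|" && $1 ~ /^[0-9]+$/ { used += to_mb($3, $4) }
        END { if (total > 0) printf "%d\n", used * 100 / total }'
}

# Stand-alone run: list consumption, then flag Virtual Systems above 1000 MB.
vs_memory_mb "$SAMPLE_MSTAT"
printf 'Virtual Systems above 1000 MB: %s\n' "$(vs_memory_over "$SAMPLE_MSTAT" 1000 | tr '\n' ' ')"
printf 'Virtual Systems use %s%% of Memory Total\n' "$(vs_memory_pct_of_total "$SAMPLE_MSTAT")"
```

The unit conversion is kept in one awk function that both report functions share, so a threshold expressed in MB gives the same result whether the operator ran the command with "unit K", "unit M" or "unit G".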

vsx resctrl
Description
Shows and configures the CPU Resource Control.

Note - You must enable VSX Resource Control Monitoring (vsx resctrl
monitor enable) to see data about CPU usage for each Virtual System over
SNMP.

Syntax

vsx resctrl --help

vsx resctrl
      -d stat
      -d -q stat
      -u stat
      load_configuration
      monitor <options>
      reset
      stop

Parameters

Parameter Description

--help Shows the built-in usage.

-d stat Shows CPU consumption for each Virtual Device - raw information including CPU ticks (but only after 24 hours of active monitoring).

-d -q stat Shows CPU consumption for each Virtual Device - raw information without header line (but only after 24 hours of active monitoring).

-u stat Shows CPU consumption for each Virtual Device - for each CPU core.

load_configuration Initializes Resource Control from the $FWDIR/conf/resctrl file.

monitor <options> Manages the Resource Control Monitor.
The available options are:
- disable - Disables the Resource Control Monitor.
- enable - Enables the Resource Control Monitor.
- show - Shows the current Resource Control Monitor status.

reset Resets the Resource Control Monitor statistics.

stop Stops the Resource Control Monitor.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

Notes
- For systems with more than one CPU, time is an average for all CPUs.
To see the usage for each Virtual Device per CPU, run the "vsx resctrl -u stat" command.
- Total Virtual System CPU Usage includes the total for all Virtual Devices: Virtual Routers, Virtual Switches, Virtual Systems, and the VSX Gateway.

Example 1

[Expert@MyVsxGW:0]# vsx resctrl -d stat
This option will be active only after 24 hours of monitoring
Monitoring active time: 2 minutes 11 seconds
[Expert@MyVsxGW:0]#

Example 2

[Expert@MyVsxGW:0]# vsx resctrl -u stat

Virtual Systems CPU Usage Statistics [%]
========================================

Number of CPUs: 4
Monitoring active time: 2m 32s

ID Name | CPU | 1sec 10sec 1min 1hr* 24hr*
=============================+======+==========================
0 VSX1 | 0 | 4.90 1.82 1.43 0.00 0.00
| 1 | 0.00 0.19 1.44 0.00 0.00
| 2 | 0.00 0.06 0.13 0.00 0.00
| 3 | 4.50 0.74 0.55 0.00 0.00
| Avg. | 2.35 0.70 0.89 0.00 0.00
-----------------------------+------+--------------------------
1 VS1 | 0 | 0.00 0.02 0.01 0.00 0.00
| 1 | 0.00 0.14 0.08 0.00 0.00
| 2 | 0.00 0.03 0.10 0.00 0.00
| 3 | 0.00 0.01 0.03 0.00 0.00
| Avg. | 0.00 0.05 0.06 0.00 0.00
=============================+======+==========================
Total Virtual Devices CPU Use| 0 | 4.90 1.84 1.44 0.00 0.00
| 1 | 0.00 0.33 1.52 0.00 0.00
| 2 | 0.00 0.09 0.23 0.00 0.00
| 3 | 4.50 0.75 0.58 0.00 0.00
| Avg. | 2.35 0.75 0.94 0.00 0.00
=============================+======+==========================

Notes: - Monitoring has been active for less than 1 hour.
Statistics are calculated only for monitoring active time.

[Expert@MyVsxGW:0]#

vsx showncs
Description
Shows Check Point Network Configuration Script (NCS) for a Virtual Device.

Syntax

vsx showncs {<VSID> | <Name of Virtual Device>}

Parameters

Parameter Description

<Name of Virtual Device> Specifies the name of the Virtual Device.

<VSID> Specifies the ID of the Virtual Device.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

vsx sicreset
Description
Resets SIC for Virtual System or Virtual Router in the current VSX context.

Notes:
- This operation is not supported for the context of VSX Gateway itself (VS0).
- On the Management Server, run the cpca_client revoke_cert command to cancel the old certificate.
- In SmartConsole, open the Virtual System object and immediately click OK. This action creates a new certificate, and transfers the certificate to the VSX Gateway.

Syntax

vsenv {<VSID> | <Name of Virtual Device>}

vsx sicreset {<VSID> | <Name of Virtual Device>}

Parameters

Parameter Description

<Name of Virtual Device> Specifies the name of the Virtual Device.

<VSID> Specifies the ID of the Virtual Device.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

vsx stat
Description
Shows status information for VSX Gateway.

Syntax

vsx stat [-l] [-v] [<VSID>]

Parameters

Parameter Description

-l Shows a list of all Virtual Devices and their applicable information.

-v Shows a summary table with all Virtual Devices.

<VSID> Specifies a Virtual Device by its ID.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

Example 1 - Show a summary table with all Virtual Devices.

[Expert@MyVsxGW:2]# vsx stat -v

VSX Gateway Status
==================
Name: VSX1_192.168.3.241
Access Control Policy: VSX_Cluster_VSX
Installed at: 20Sep2019 22:06:33
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 5 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+-------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS_Policy | 20Sep2019 22:07 | <No Policy> | Trust
2 | S VS2 | VS_Policy | 20Sep2019 22:07 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode, R - Virtual Router, W - Virtual Switch.

[Expert@MyVsxGW:2]#

Example 2 - Show a list of all Virtual Devices and their applicable information.

[Expert@MyVsxGW:2]# vsx stat -l

VSID: 0
VRID: 0
Type: VSX Gateway
Name: VSX1_192.168.3.241
Security Policy: VSX_Cluster_VSX
Installed at: 20Sep2019 22:06:33
SIC Status: Trust
Connections number: 5
Connections peak: 43
Connections limit: 14900

VSID: 1
VRID: 1
Type: Virtual System
Name: VS1
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:03
SIC Status: Trust
Connections number: 0
Connections peak: 3
Connections limit: 14900

VSID: 2
VRID: 2
Type: Virtual System
Name: VS2
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:01
SIC Status: Trust
Connections number: 0
Connections peak: 2
Connections limit: 14900
[Expert@MyVsxGW:2]#

Example 3 - Shows the information for the specified Virtual Device

[Expert@MyVsxGW:2]# vsx stat 2

VSID: 2
VRID: 2
Type: Virtual System
Name: VS2
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:01
SIC Status: Trust
Connections number: 0
Connections peak: 2
Connections limit: 14900
[Expert@MyVsxGW:2]#
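The per-device records from "vsx stat -l" are a natural input for a health check run from Expert mode. The following shell script is an added example and not from the Check Point guide: it parses a constructed sample in the record format shown above (one "Key: Value" line per attribute, a blank line between Virtual Devices) into one tab-separated line per device, and reports devices whose SIC Status is anything other than Trust, or whose current connections are at or above a given percentage of their connection limit. The first two records reuse values from the guide's example; the third record and its "SIC Status: Unknown" value are constructed to exercise the checks and are not a documented status string.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: health check over "vsx stat -l"
# records. Input is a constructed sample; on a gateway you would capture it with:
#   vsx stat -l

# Constructed sample. VSID 0 and 1 reuse the guide's values; VSID 2 is made up
# (the "Unknown" SIC status is a placeholder, not a documented status string).
SAMPLE_VSX_STAT='VSID: 0
VRID: 0
Type: VSX Gateway
Name: VSX1_192.168.3.241
Security Policy: VSX_Cluster_VSX
Installed at: 20Sep2019 22:06:33
SIC Status: Trust
Connections number: 5
Connections peak: 43
Connections limit: 14900

VSID: 1
VRID: 1
Type: Virtual System
Name: VS1
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:03
SIC Status: Trust
Connections number: 0
Connections peak: 3
Connections limit: 14900

VSID: 2
VRID: 2
Type: Virtual System
Name: VS2
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:01
SIC Status: Unknown
Connections number: 13410
Connections peak: 13902
Connections limit: 14900'

# One tab-separated line per Virtual Device:
# VSID, Name, SIC Status, Security Policy, Connections number, Connections limit.
# "Connections limit" is the last attribute of a record, so the line is emitted there.
vsx_stat_records() {
    printf '%s\n' "$1" | awk -F ': ' '
        $1 == "VSID"               { vsid = $2 }
        $1 == "Name"               { name = $2 }
        $1 == "Security Policy"    { policy = $2 }
        $1 == "SIC Status"         { sic = $2 }
        $1 == "Connections number" { conn = $2 }
        $1 == "Connections limit"  {
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", vsid, name, sic, policy, conn, $2
        }'
}

# Findings, one per line. $1 is the "vsx stat -l" text, $2 the percentage of the
# connection limit at which a device is reported.
vsx_stat_findings() {
    vsx_stat_records "$1" | awk -F '\t' -v pct="$2" '
        $3 != "Trust" {
            printf "VSID %s (%s): SIC status is %s, not Trust\n", $1, $2, $3
        }
        $6 > 0 && $5 * 100 / $6 >= pct {
            printf "VSID %s (%s): %d%% of the connection limit in use (%s of %s)\n", $1, $2, $5 * 100 / $6, $5, $6
        }'
}

# Number of findings, for use as a check result.
vsx_stat_finding_count() {
    vsx_stat_findings "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: report at 85% of the connection limit.
vsx_stat_findings "$SAMPLE_VSX_STAT" 85
```

A device whose SIC status is not Trust cannot receive policy from the Management Server, and a device near its connection limit is about to drop new connections; both are worth surfacing before they turn into an outage, which is why the check reports them rather than only the raw numbers.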

vsx unloadall
Description
Unloads security policy for all Virtual Systems and Virtual Routers.
See sk33065: Unloading policy from a VSX Security Gateway.

Syntax

vsx unloadall

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

vsx vspurge
Description
Removes Virtual Devices that are no longer defined in the management database, but were not removed
from the VSX Gateway, because the VSX Gateway was down or disconnected when the management
server pushed the updated VSX configuration.
This command cleans all unused Virtual Devices entries (from the NCS local.vskeep) and fetches the
VSX configuration file (NCS local.vskeep) again.

Syntax

vsx vspurge [-q | -v] [-f <purge_file>]

Parameters

Parameter Description

-q Specifies to run in quiet mode - shows only summary information.

-v Specifies to run in verbose mode - shows detailed information.

-f <purge_file> Specifies the path and the name of the file, in which the command saves the purged information.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

vsx_util
Description
Performs various VSX maintenance tasks.
You run this command from the Expert mode on the Management Server (Security Management Server,
or a Main Domain Management Server on Multi-Domain Server).

Important - Before you run the vsx_util commands:
- Back up the VSX environment. See sk100395: How to backup and restore VSX gateway.
- You must close all SmartConsole clients. Failure to do so may result in a database lock error.

Syntax

vsx_util -h

vsx_util <Command> [-s <Mgmt Server>] [-u <UserName>] [-c <Name of VSX Object>] [-m <Name of VSX Cluster Member>]

Parameters

Parameter Description

-h Shows the built-in usage.

<Command> Specifies the vsx_util sub-command. See the table below.

-s <Mgmt Server> Specifies the IP address or resolvable hostname of the Security Management Server, or Main Domain Management Server.

-u <UserName> Specifies the administrator username.

-c <Name of VSX Object> Specifies the name of the VSX Gateway or VSX Cluster object.

-m <Name of VSX Cluster Member> Specifies the name of the VSX Gateway or VSX Cluster Member object.

Important - The vsx_util command requires you to enter this information:
- IP address or Hostname of the Security Management Server, or Main Domain Management Server.
- Management Server Administrator user name and password.
- The applicable VSX object, on which the command operates.
- Most of the vsx_util sub-commands are interactive and require additional user input.

The 'vsx_util' sub-commands

Sub-command Description

vsx_util add_member Adds a new Cluster Member to a VSX Cluster and pushes the VSX Cluster configuration to the new VSX Cluster Member.
See "vsx_util add_member" on page 1687.

vsx_util change_interfaces Automatically replaces designated existing interfaces with new interfaces on all Virtual Devices, to which the existing interfaces connect.
See "vsx_util change_interfaces" on page 1689.

vsx_util change_mgmt_ip Changes the VSX Management IP address (within the same subnet) of a VSX Gateway or VSX Cluster Member.
See "vsx_util change_mgmt_ip" on page 1692.

vsx_util change_mgmt_subnet Changes (or adds) the VSX Management IP address of a VSX Gateway or VSX Cluster Member to a new subnet.
See "vsx_util change_mgmt_subnet" on page 1693.

vsx_util change_private_net Changes the IP address of the Internal Communication Network in a VSX Cluster.
See "vsx_util change_private_net" on page 1694.

vsx_util convert_cluster Converts the VSX Cluster mode between High Availability (default) and Virtual System Load Sharing.
See "vsx_util convert_cluster" on page 1695.

vsx_util reconfigure Restores VSX configuration on a VSX Gateway or VSX Cluster Member.
See "vsx_util reconfigure" on page 1696.

vsx_util remove_member Removes a Cluster Member from a VSX Cluster.
See "vsx_util remove_member" on page 1701.

vsx_util show_interfaces Shows configuration of selected interfaces - interface types, connections to Virtual Devices, and IP addresses.
See "vsx_util show_interfaces" on page 1702.

vsx_util upgrade Upgrades the version of a VSX Gateway or VSX Cluster in the management database.
See "vsx_util upgrade" on page 1704.

vsx_util view_vs_conf Shows configuration of a Virtual Device on the Management Server versus the VSX Gateway or VSX Cluster.
See "vsx_util view_vs_conf" on page 1705.

vsx_util vsls Shows the configuration menu for Virtual System Load Sharing - see status,
redistribute, export and import configuration.
See "vsx_util vsls" on page 1708.

Notes
- This command writes its messages to the vsx_util_YYYYMMDD_HH_MM.log file on the Management Server:
  - On a Security Management Server:

$FWDIR/log/vsx_util_YYYYMMDD_HH_MM.log

  - On a Multi-Domain Server, if you executed the command in the MDS context:

/opt/CPsuite-R80.40/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

  - On a Multi-Domain Server, if you executed the command in the context of a Domain Management Server:

/opt/CPmds-R80.40/customers/<Name of Domain Management Server>/CPsuite-R80.40/fw1/log/vsx_util_YYYYMMDD_HH_MM.log

- If you need to exit from the vsx_util command's menu, press the CTRL C keys.

Important - Do not press these keys if this command already started to perform a change. If you press these keys during the operation, the command does not save its log file.

vsx_util add_member
Description
Adds a new Cluster Member to a VSX Cluster and pushes the VSX Cluster configuration to the new VSX
Cluster Member.

Syntax

vsx_util add_member

Required Input
- The applicable VSX Cluster object.
- Name of the new VSX Cluster Member.
- IP address for the management interface.
- IP address for the synchronization interface.
- The one-time Activation Key (SIC activation key).

Comments
- Execute the command and follow the instructions on the screen.
- After the command adds a new Cluster Member to the management database, the command prompts you to reconfigure the new VSX Cluster Member (to push the VSX Cluster configuration to it).
  - If you enter "y" to reconfigure the new VSX Cluster Member at this time, then the "vsx_util reconfigure" on page 1696 operation starts automatically on the new VSX Cluster Member.

Important - You must reboot the new VSX Cluster Member after the reconfigure operation finishes.

  - If you enter "n" to cancel the reconfigure operation on the new VSX Cluster Member at this time, then later you must manually run the "vsx_util reconfigure" on page 1696 command for the new VSX Cluster Member.

vsx_util change_interfaces
Description
Automatically replaces designated existing interfaces with new interfaces on all Virtual Devices, to which
the existing interfaces connect.
This command is useful when converting a deployment to use Link Aggregation, especially where VLANs
connect to many Virtual Devices.

Syntax

vsx_util change_interfaces

Required Input
- The applicable VSX Gateway or VSX Cluster object.
- Where to apply the change (Management Server only, or Management Server and VSX Gateway / VSX Cluster Members).
- Name of the interface to be replaced.
- Name of the new (replacement) interface.

Comments
- Execute the command and follow the instructions on the screen.
- This command supports the resume feature.
- You can use this command to migrate a VSX deployment from an Open Server to a Check Point appliance by using the Management Only mode.
- Refer to the Notes section below for additional information.

Procedure

Step Description

1 Close all SmartConsole clients that are connected to the Security Management Server or
Domain Management Servers.

2 Connect to the command line on the Management Server.

3 Log in to the Expert mode.

4 On Multi-Domain Server, go to the context of the Main Domain Management Server that
manages the applicable VSX Gateway (VSX Cluster) object:

mdsenv <IP address or Name of Domain Management Server>

5 Run:

vsx_util change_interfaces

6 Enter the IP address of the Security Management Server or Main Domain Management Server.

7 Enter the Management Server administrator username and password.

8 Select the VSX Gateway (VSX Cluster) object.

9 When prompted, select one of the following options:


n Apply changes to the management database and to the VSX Gateway/Cluster
members immediately
Changes the interface on the Management Server and on the VSX Gateway (each VSX
Cluster Member).
n Apply changes to the management database only
Changes the interface on the Management Server only.
You must run the "vsx_util reconfigure" on page 1696 command to push the updated VSX
configuration to VSX Gateways (each VSX Cluster Member).

10 Select the interface to be replaced.

11 Select the new (replacement) interface.

a. You can optionally add a new interface, if you select the A new interface name option.
This interface must physically exist on the VSX Gateway (all VSX Cluster Members).
Otherwise, the operation fails.
b. At the prompt, enter the new interface name.
If the new interface is a Bond interface, the interface name must match the name of the
configured Bond interface exactly.

12 The command prompts you:

Would you like to change another interface? (y|n) [n]:

n To replace additional interfaces, enter y .


n To complete the process, enter n.

13 If you selected the option Apply changes to the management database only , you can remove
the old (replaced) interfaces from the management database.
When prompted, enter y :

Would you like to remove the old interfaces from the database?
(y|n) [n]: y

CLI R80.40 Reference Guide      |      1690


vsx_util change_interfaces

Step Description

14 Reboot the VSX Gateway (all VSX Cluster Members).

Notes
n The option "Apply changes to the management database and to the VSX Gateway/Cluster
members immediately" verifies connectivity between the Management Server and the VSX
Gateway or VSX Cluster Members. In the event of a connectivity failure, one of the following occurs:
1. If all of the newly changed interfaces fail to establish connectivity, the process terminates
unsuccessfully.
2. If one or more interfaces successfully establish connectivity, while one or more other
interfaces fail, you may optionally continue the process.
In this case, the interfaces for which connectivity was established successfully are changed.
For the interfaces that failed, you must resolve the issue and then run the "vsx_util
reconfigure" on page 1696 command to complete the process.
n If you select the option "Apply changes to the management database only", you can select one of
these:
l Another interface from the list (if any are available).
l The option to add a new interface.


vsx_util change_mgmt_ip
Description
Changes the VSX Management IP address of a VSX Gateway or VSX Cluster Member.
This command changes the Management IP address within the same subnet.
For more information, see sk92425.

Syntax

vsx_util change_mgmt_ip

Required Input
n The applicable VSX Cluster object.
n The applicable VSX Cluster Member object.
n New management IP address.

Comments
n Execute the command and follow the instructions on the screen.


vsx_util change_mgmt_subnet
Description
Changes the VSX Management IP address of a VSX Gateway or VSX Cluster Member.
This command changes the Management IP address from the current subnet to a different subnet.
For more information, see sk92425.

Syntax

vsx_util change_mgmt_subnet

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n New management IPv4 address.
n New management IPv4 netmask.
n New management IPv6 address.
n New management IPv6 prefix.
n New IPv4 default gateway.
n New IPv6 default gateway.

Comments
n Execute the command and follow the instructions on the screen.
n This command updates only the routes that were generated automatically.
You must remove and/or change all manually created routes that use the previous management
subnet.
n You must reboot the VSX Gateway (all VSX Cluster Members) after the command finishes.


vsx_util change_private_net
Description
Changes the IP address of the Internal Communication Network in a VSX Cluster (cluster private network).

Syntax

vsx_util change_private_net

Required Input
n The applicable VSX Cluster object.
n New IPv4 address for the cluster private network.
n New IPv4 netmask for the cluster private network.
n New IPv6 address and prefix for the cluster private network.

Comments
n Run the command and follow the instructions on the screen.
n The IP address of the Internal Communication Network must be unique.
This IP address must not be used anywhere in your environment, including the Virtual Devices on
this VSX Cluster.
n The illegal IPv4 addresses are: 0.0.0.0, 127.0.0.0, and 255.255.255.255
n For IPv4 address, the network mask must be one of these:
l 255.255.224.0, or /20
l 255.255.240.0, or /21
l 255.255.252.0, or /22 (this is the default)
n For IPv6 address, the new prefix must be /80.


vsx_util convert_cluster
Description
Converts the VSX Cluster mode between High Availability (default) and Virtual System Load Sharing.

Syntax

vsx_util convert_cluster

Required Input
n The applicable VSX Cluster object.
n The ClusterXL mode (case sensitive).

Comments
n Execute the command and follow the instructions on the screen.
n When you convert from Virtual System Load Sharing to High Availability:
l All Virtual Systems are Active on the same VSX Cluster Member by default.
l Peer Virtual Systems are Standby on other VSX Cluster Members.
n When you convert from High Availability to Virtual System Load Sharing:
l All VSX Cluster Members must be in the Check Point Per Virtual System State:
a. Run the "cpconfig" on page 1659 command.
b. Select the option Enable Check Point Per Virtual System State.


vsx_util reconfigure
Description
Restores the VSX configuration on a VSX Gateway or VSX Cluster Member (for example, after you perform
a clean install following a system failure).

Syntax

vsx_util reconfigure

Important - Before you run this command on the Management Server, you must
configure specific settings on the cleanly installed VSX Gateway or VSX Cluster
Member as they were:
n IP address of Gaia management interface
n Enable IPv6 support in Gaia
n Configure the applicable interfaces (Bond, VLAN, and so on)
n Configure kernel parameters and their values:
l $FWDIR/boot/modules/fwkern.conf
l $FWDIR/boot/modules/vpnkern.conf
l $PPKDIR/conf/simkern.conf
n Configure CoreXL:
l Number of CoreXL Firewall instances (for IPv4 and IPv6) in the context of
VS0 (run the cpconfig command and select the option Check Point
CoreXL)
l $FWDIR/conf/fwaffinity.conf

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n The one-time Activation Key (SIC activation key).


Comments
n Execute the command and follow the instructions on the screen.
n The new VSX Gateway or VSX Cluster Member:
l Must be a new installation.
You cannot use a VSX Gateway or VSX Cluster Member with a previous VSX configuration.
l Must have the same hardware specifications as the original.
Most importantly, it must have at least the same number of interfaces.
l Must have the same Gaia OS configuration as the original.
Most importantly, it must have the same VSX Management IP address.


Limitations
The reconfigure process does not restore the local configuration that was performed on the VSX Gateway or
VSX Cluster Member itself (because this configuration is not stored on the Management Server).

Important - After the reconfigure process is complete and you have rebooted the VSX Gateway
or VSX Cluster Member, you must manually configure these settings from scratch or
from backed up files.

These settings and files are not restored during the reconfigure process and you must manually configure
them again:
n Any OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).
n Backup files and Gaia snapshots saved in the past on the VSX Gateway or VSX cluster member.
n Any settings manually defined in various configuration files on the VSX Gateway or VSX cluster
member.
n Any Check Point configuration files.

Note - Some of these files do not exist by default. Some files are configured on
each VSX Gateway and VSX cluster member, and some files are configured for
each Virtual System.

List of the most important files


l $FWDIR/boot/modules/fwkern.conf
l $FWDIR/boot/modules/vpnkern.conf
l $FWDIR/conf/fwaffinity.conf
l $FWDIR/conf/fwauthd.conf
l $FWDIR/conf/local.arp
l $FWDIR/conf/discntd.if
l $FWDIR/conf/cpha_bond_ls_config.conf
l $FWDIR/conf/resctrl
l $FWDIR/conf/vsaffinity_exception.conf
l $FWDIR/database/qos_policy.C
l simkern.conf:
o In R80.20 and higher: $PPKDIR/conf/simkern.conf
o In R80.10 and lower: $PPKDIR/boot/modules/simkern.conf

l sim_aff.conf:
o In R80.20 and higher: $PPKDIR/conf/sim_aff.conf
o In R80.10 and lower: $PPKDIR/boot/modules/sim_aff.conf
l /var/ace/sdconf.rec
l /var/ace/sdopts.rec
l /var/ace/sdstatus.12
l /var/ace/securid


Example

This example shows how the VSX configuration is restored on a VSX Cluster Member.

[Expert@MDS:0]# vsx_util reconfigure

******************************************************************************************
* Note: the operation you are about to perform changes the information in the management *
* database. Back up the database before continuing. *
******************************************************************************************

Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):
192.168.3.240
Enter Administrator Name: ******
Enter Administrator Password: ******
Select VSX gateway/cluster object name:
1) VSX_Cluster
Select: 1

Select VSX member name to reconfigure:
1) VSX1_192.168.3.241
2) VSX2_192.168.3.242
Select: 1
You are about to perform reconfigure on VSX gateway/cluster, please read sk97552.
Are you sure you want to continue [y/n]? y
Enter Activation Key:
Retype Activation Key:

1/10 : Certificate Revocation [#######################################] 100% 00:00:01
2/10 : Certificate Replacement [#######################################] 100% 00:00:06
3/10 : Connectivity Check [#######################################] 100% 00:00:05
4/10 : Fetching Configuration [#######################################] 100% 00:00:02
5/10 : Verifying Configuration [#######################################] 100% 00:00:00
6/10 : Installing policy on: VSX_Cluster [#######################################] 100% 00:00:21
7/10 : Converting Gateway to VSX [#######################################] 100% 00:02:13
8/10 : Generating Activation Keys [#######################################] 100% 00:00:00
9/10 : Reconfiguring [#######################################] 100% 00:00:03
10/10 : Pushing Configuration [#######################################] 100% 00:00:44

Database saved successfully.

===================== SUMMARY =====================

---- Reconfigure gateway operation completed successfully

************************************************************
IMPORTANT:
When you are managing a VSX cluster,
make sure that the new reconfigured member has the same number of
IPv4, and IPv6 firewall instances as the other VSX cluster members.
Run cpconfig command to show and edit CoreXL settings.
NOTE:
In case of adding a new cluster member to a VSX Cluster,
while using 'ClusterXL Virtual System Load Sharing'
make sure to run 'vsx_util vsls' after rebooting the
gateway in order for the Virtual Systems to become active
on the newly added VSX cluster member.

IMPORTANT: Please reboot the gateway

************************************************************

Logging details are available at /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/log/vsx_util_20190917_13_16.log

[Expert@MDS:0]#


vsx_util remove_member
Description
Removes a Cluster Member from a VSX Cluster.

Syntax

vsx_util remove_member

Required Input
n The applicable VSX Cluster object.
n The applicable VSX Cluster Member object.

Comments
n Before you run this command:
l Make sure to remove (detach) the license from the VSX Cluster Member.
l Make sure to run the cphastop command to avoid unexpected failover from the VSX Cluster
Member.
l Make sure to disconnect the VSX Cluster Member from all networks, except from the
Management Server.
n Execute the command and follow the instructions on the screen.


vsx_util show_interfaces
Description
Shows configuration of selected interfaces - interface types, connections to Virtual Devices, and IP
addresses.
The command shows the information on the screen and also saves it to the interfacesconfig.csv
file in the current working directory.

Syntax

vsx_util show_interfaces

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n Which interfaces to show (menu option - description):
1) All Interfaces - Shows all interfaces (Physical and Warp).
2) All Physical Interfaces - Shows only Physical interfaces.
3) All Warp Interfaces - Shows only Warp interfaces.
4) A Specific Interface - Prompts you to enter the name of the specific interface to show.
Note - You cannot specify a VLAN tag as a parameter. You can, however, specify an interface
used as a VLAN (without the tag) to see all VLAN tags associated with that interface. See the example
below.

Example
[Expert@MGMT:0]# vsx_util show_interfaces
Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):
172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:


1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW_1
4) VSX_GW_2
Select: 1

Which interface would you like to display?


1) All Interfaces
2) All Physical Interfaces
3) All Warp Interfaces
4) A Specific Interface
Enter your choice: 1

+-------------------+---------------------+----+-----------------------------------------------------+
| Type & Interface | Virtual Device Name |VSID| IP / Mask length |
+-------------------+---------------------+----+-----------------------------------------------------+
|M eth0 |VSX_Cluster_1 |0 |v4 172.16.16.98/24 v6 2001:0DB8::98/64 |
+-------------------+---------------------+----+-----------------------------------------------------+
|S eth1 |VSX_Cluster_1 |0 |v4 10.0.0.0/24 |
+-------------------+---------------------+----+-----------------------------------------------------+
|U eth2 |VS1 |1 |v4 192.0.2.2/24 v6 2001:0DB8:c::1/64 |
+-------------------+---------------------+----+-----------------------------------------------------+
|U eth3 |VS1 |1 |v4 192.168.3.3/24 v6 2001:0DB8:b::1/64 |
+-------------------+---------------------+----+-----------------------------------------------------+
|A eth4 | | | |
+-------------------+---------------------+----+-----------------------------------------------------+
|U eth5 |VS2 |2 |v4 10.10.10.10/24 v6 2001:0DB8:a::1/64 |
+-------------------+---------------------+----+-----------------------------------------------------+
|A eth6 | | | |
+-------------------+---------------------+----+-----------------------------------------------------+

#Type: M - Management Interface S - Synchronization Interface
# V - VLAN Interface W - Warp Interface
# U - Used Interface A - Available Interface
# X - Unknown Interface E - Error in Interface Properties

Logging details are available at /opt/CPsuite-R80.40/fw1/log/vsx_util_20191025_17_45.log

[Expert@MGMT:0]#
[Expert@MGMT:0]# cat interfacesconfig.csv
Interface Name , Type ,Virtual Device Name , VSID , IPv4 Address , IPv4 mask length, IPv6 Address, IPv6 mask length
eth0,M,VSX_Cluster_1,0,172.16.16.98,24,2001:0DB8::98,64
eth1,S,VSX_Cluster_1,0,10.0.0.0,24,,
eth2,U,VS1,192.0.2.2,24,2001:0DB8:c::1,64
eth3,U,VS1,192.168.3.3,24,2001:0DB8:b::1,64
eth4,A
eth5,U,VS2,10.10.10.10,24,2001:0DB8:a::1,64
eth6,A

#Type: M - Management Interface S - Synchronization Interface
# V - VLAN Interface W - Warp Interface
# U - Used Interface A - Available Interface
# X - Unknown Interface E - Error in Interface Properties

[Expert@MGMT:0]#


vsx_util upgrade
Description
Upgrades the version of a VSX Gateway or VSX Cluster in the management database.

Syntax

vsx_util upgrade

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n The applicable Check Point version.

Comments
n Execute the command and follow the instructions on the screen.
n After the command finishes, you must run the "vsx_util reconfigure" on page 1696 command.


vsx_util view_vs_conf
Description
Compares the configuration of all Virtual Devices on the Management Server and the actual configuration
on the VSX Gateway or VSX Cluster Members.

Syntax

vsx_util view_vs_conf

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n The applicable Virtual Device object.


Example
[Expert@MGMT:0]# vsx_util view_vs_conf
Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):
172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:


1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW
4) VSX_GW_2
Select: 1

Select Virtual Device object name:


1) VS1
2) VS2
3) VS3
4) VSX_Cluster
Select: 1

Type: Virtual System

Interfaces configuration table:

+---------------------------------------------------+-----+-------------------+
|Interfaces |Mgmt |VSX GW(s) |
+----------+----------------------------------------+-----+---------+---------+
|Name |IP / Mask length | |mem 1 |mem2 |
+----------+----------------------------------------+-----+---------+---------+
|eth2 |v4 10.0.0.0/24 v6 2001:db8::abc::1/64 | V | V | V |
|eth3 |v4 10.10.10.10/24 v6 2001:db8::3121/64 | V | V | V |
+----------+----------------------------------------+-----+---------+---------+

Interfaces Table Legend:

V - Interface exists on the gateway and matches management information (if defined on the management).
- - Interface does not exist on the gateway.
N/A - Fetching Virtual Device configuration from the gateway failed.
!IP - Interface exists on the gateway, but there is an IP address mismatch.
!MASK - Interface exists on the gateway, but there is a Net Mask mismatch.

Routing table:

+----------------------------------------------------------+-----+-------------+
|Ipv4 Routes |Mgmt |VSX GW(s) |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway |Interface | |mem1 |mem2 |
+--------------------------+--------------------+----------+-----+------+------+
|2.2.2.0/24 | |eth2 | V | V | V |
|3.3.3.0/24 | |eth3 | V | V | V |
+--------------------------+--------------------+----------+-----+------+------+

+----------------------------------------------------------+-----+-------------+
|Ipv6 Routes |Mgmt |VSX GW(s) |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway |Interface | |mem1 |mem2 |
+--------------------------+--------------------+----------+-----+------+------+
|2001:db8::abc::/64 | |eth2 | V | !NH | !NH |
|2001:db8:0a::/64 | |eth3 | V | !NH | !NH |
+--------------------------+--------------------+----------+-----+------+------+
|2001:db8::1ffe:0:0:0/112 | |eth2 | - | V | V |
|2001:db8::fd9a:0:1:0/112 | |eth3 | - | V | V |
+--------------------------+--------------------+----------+-----+------+------+

Routing Table Legend:

V - Route exists on the gateway and matches management information (if defined on the management).
- - Route does not exist on the gateway.
N/A - Fetching Virtual Device configuration from the gateway failed.
!NH - Route exists on the gateway, but there is a Next Hop mismatch.

Note: Routes can be created automatically on the gateways by the Operating System.
Therefore, routes that appear on all gateways, but are not defined on the management,
do not necessarily indicate a problem.

Logging details are available at /opt/CPsuite-R80.40/fw1/log/vsx_util_20191025_18_11.log

[Expert@MGMT:0]#
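The legends above define the codes (V, -, N/A, !IP, !MASK, !NH) that vsx_util view_vs_conf prints for the management object and for each cluster member. The following Python script is an added example, not part of this guide or of the vsx_util tool: it parses saved view_vs_conf output and reports every interface or route whose member status is not V, and lists separately the rows that exist on all members but not on the management, which the command's own note says are not necessarily a problem. The embedded sample output is constructed to resemble the example above.

```python
"""Report configuration drift from saved 'vsx_util view_vs_conf' output.

Added example, not part of the Check Point guide or of vsx_util. It parses the
ASCII tables the command prints (interfaces, IPv4 and IPv6 routes) and reports
every row whose VSX Cluster Member columns are not 'V', using the command's
legend codes. SAMPLE_OUTPUT is a constructed excerpt modelled on the page.
"""

SAMPLE_OUTPUT = """\
Interfaces configuration table:
+---------------------------------------------------+-----+-------------------+
|Interfaces                                         |Mgmt |VSX GW(s)          |
+----------+----------------------------------------+-----+---------+---------+
|Name      |IP / Mask length                        |     |mem 1    |mem2     |
+----------+----------------------------------------+-----+---------+---------+
|eth2      |v4 10.0.0.0/24 v6 2001:db8:abc::1/64    |  V  |   V     |   V     |
|eth3      |v4 10.10.10.10/24 v6 2001:db8::3121/64  |  V  |  !IP    |   V     |
+----------+----------------------------------------+-----+---------+---------+
Routing table:
+----------------------------------------------------------+-----+-------------+
|Ipv4 Routes                                               |Mgmt |VSX GW(s)    |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway             |Interface |     |mem1  |mem2  |
+--------------------------+--------------------+----------+-----+------+------+
|2.2.2.0/24                |                    |eth2      |  V  |  V   |  V   |
|3.3.3.0/24                |                    |eth3      |  V  |  -   |  V   |
+--------------------------+--------------------+----------+-----+------+------+
+----------------------------------------------------------+-----+-------------+
|Ipv6 Routes                                               |Mgmt |VSX GW(s)    |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway             |Interface |     |mem1  |mem2  |
+--------------------------+--------------------+----------+-----+------+------+
|2001:db8:a::/64           |                    |eth3      |  V  | !NH  | !NH  |
|2001:db8::fd9a:0:1:0/112  |                    |eth3      |  -  |  V   |  V   |
+--------------------------+--------------------+----------+-----+------+------+
"""

# Status codes from the legends the command prints.
LEGEND = {
    "V": "matches management",
    "-": "does not exist",
    "N/A": "fetching configuration from the gateway failed",
    "!IP": "IP address mismatch",
    "!MASK": "netmask mismatch",
    "!NH": "next hop mismatch",
}
TABLE_TITLES = ("Interfaces", "Ipv4 Routes", "Ipv6 Routes")
SUBHEADER_KEYS = ("Name", "Destination / Mask Length")


def parse_tables(text):
    """Yield (table, key, mgmt_status, {member: status}) per data row.

    Member names come from the sub-header row ('mem 1', 'mem2', ...); the
    status cells are the last len(members)+1 cells (Mgmt, then one per member).
    """
    table, members = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # borders and prose
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        first = cells[0]
        if first in TABLE_TITLES:
            table, members = first, []
        elif first in SUBHEADER_KEYS:
            members = [c for c in cells if c.lower().startswith("mem")]
        elif table and members:
            statuses = cells[-(len(members) + 1):]
            yield table, first, statuses[0], dict(zip(members, statuses[1:]))


def find_drift(text):
    """Return (drift, unmanaged).

    drift: [(table, key, member, code, meaning)] for every member cell != 'V'.
    unmanaged: [(table, key)] for rows absent on the management ('-') but 'V'
    on every member; the command's note says the OS may create such routes,
    so they are reported separately rather than as drift.
    """
    drift, unmanaged = [], []
    for table, key, mgmt, per_member in parse_tables(text):
        bad = {m: s for m, s in per_member.items() if s != "V"}
        if mgmt == "-" and not bad:
            unmanaged.append((table, key))
            continue
        for member, code in bad.items():
            drift.append((table, key, member, code, LEGEND.get(code, "unknown code")))
    return drift, unmanaged


if __name__ == "__main__":
    # Real use: find_drift(open("view_vs_conf.txt").read()) on captured output.
    drift, unmanaged = find_drift(SAMPLE_OUTPUT)
    for table, key, member, code, meaning in drift:
        print(f"DRIFT {table:<11} {key:<26} {member:<6} {code:<5} {meaning}")
    for table, key in unmanaged:
        print(f"INFO  {table:<11} {key:<26} on all members, not on management")
```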


vsx_util vsls
Description
Shows the configuration menu for Virtual System Load Sharing - status, redistribute, export, and import of
configuration.

Syntax

vsx_util vsls

Required Input
n The applicable VSX Cluster object.
n The applicable redistribution option.

Comments
n Execute the command and follow the instructions on the screen.
n If the command output shows "Operation not allowed. Object is not a Virtual
System Load Sharing cluster.", then run the "vsx_util convert_cluster" on page 1695
command.

Example

[Expert@MGMT:0]# vsx_util vsls
Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):
172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:


1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW_1
4) VSX_GW_2
Select: 1

VS Load Sharing - Menu
________________________________
1. Display current VS Load sharing configuration
2. Distribute all Virtual Systems so that each cluster member is equally loaded
3. Set all VSes active on one member
4. Manually set priority and weight
5. Import configuration from a file
6. Export configuration to a file
7. Exit

Enter redistribution option (1-7) [1]:


vsx_provisioning_tool
This section describes the VSX Provisioning Tool (the vsx_provisioning_tool command).

Description
This tool allows the VSX administrator to add and remove Virtual Devices (Virtual Systems, Virtual Routers,
Virtual Switches), interfaces and routes from the command line of a Security Management Server or
Domain Management Server.
This allows the automation of the required VSX Provisioning operations in the environment.

Syntax

vsx_provisioning_tool -h

vsx_provisioning_tool [-s <Mgmt Server>] {-u <Username> | -c <Certificate>} -p <Password>
      -o <Commands> [-a] -L
      -f <Input File> [-l <Line>] [-a] -L

Parameters

-h
Shows the built-in usage.

-s <Mgmt Server>
Specifies the Security Management Server or the applicable Domain Management Server.
Enter the IPv4 or IPv6 address, or the resolvable hostname.
This parameter is mandatory when you run the utility:
n From a SmartConsole computer
n On a Multi-Domain Server.

-u <Username>
Specifies the Management Server administrator's user name.

-c <Certificate>
Specifies the path and the name for the Management Server administrator's certificate file.

-p <Password>
Specifies the password of the:
n Management Server administrator
n Certificate file

-o <Commands>
Executes the commands you enter on the command line.

-f <Input File>
Specifies the path and the name for the file with the commands to execute.
The utility treats all text that begins with a hash sign (#) as a comment and ignores it.
This lets you add comments on separate lines, or in-line.

-l <Line>
Specifies the line number in <Input File> from which to start executing the commands.
You can use this "-l" parameter only together with the "-f" parameter.

-a
Specifies that before the utility executes the specified commands, it must make sure it can connect to all VSX Gateways.
Note - This does not guarantee that a VSX Gateway can successfully apply all the specified commands.

-L
Specifies local authentication mode.

Exit Codes

Exit Code 0 - The utility successfully applied all changes, on all VSX Cluster Members.

Exit Code 1 - The utility successfully applied all changes to the management database, but not to all VSX Cluster Members.

Exit Code 2 - The utility successfully applied all changes, but SIC communication failed to establish with at least one VSX Cluster Member.

Exit Code 3 - Connectivity test failed with at least one VSX Cluster Member (if you used the "-a" parameter).
The utility did not apply changes to the management database, or to the VSX Cluster Member.

Exit Code 4 - The utility failed to apply changes (due to internal error, syntax error, or another reason).

Note - If commands are executed from a file with multiple transactions, the exit code
refers to the last transaction processed.


Example 1
Run the utility on the Security Management Server.
Execute the commands from the text file /var/log/vsx.txt.

vsx_provisioning_tool -s localhost -u admin -p mypassword -f /var/log/vsx.txt

Example 2
Run the utility on the Multi-Domain Server in the context of the Domain Management Server called
MyDomain.
Create a new Virtual System object called VS1 on the VSX Cluster object called VSXCluster1.
In the new Virtual System object, on the interface eth4, add a VLAN interface with VLAN ID 100 and IPv4
address 1.1.1.1/24.

mdsenv MyDomain
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vd name VS1 vsx VSXCluster1, add interface name eth4.100 ip 1.1.1.1/24


Transactions
Notes:
n A transaction is a set of operations performed on one Virtual Device.
n The utility commits all operations to the management database together when
the transaction ends.
If the transaction fails, the utility discards all its commands.
n You must specify the name of the Virtual Device with a parameter in the first
command.
You do not need to specify this name again in other commands of the same
transaction.
n You cannot send operations to different Virtual Devices in one transaction.
n You cannot start a new transaction until you exit the one before.
n When you send commands with the "-o" parameter, you can enter multiple
commands (for example: add a Virtual System and then add interfaces and
routes to it).
Separate the commands with a comma ( , ).
All the commands are one transaction.
The "-o" parameter does not support explicit transaction commands.
n When you send commands with the "-f" parameter, you can use explicit
transaction commands (see "vsx_provisioning_tool Commands" on page 1713).
n Commands from a file can be one or more transactions:
l If not inside a transaction, the current line is one transaction, which the
utility automatically commits.
You can write multiple commands in one line (as one transaction),
separated with a comma ( , ).
l If currently inside a transaction, the utility processes the lines, but does
not take action until the transaction ends.
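As an added example (not Check Point's code), the Python helper below applies the transaction rules in this section together with the exit code table above: it renders an input file for the "-f" parameter as one explicit transaction per Virtual Device, lints the file for nested or unterminated transactions before anything is submitted, and maps exit codes 0 to 4 to whether the management database already holds the change. The object names, interfaces and addresses are constructed, and the VSX_ADMIN_PASSWORD environment variable is an assumed name.

```python
"""Provisioning helper for vsx_provisioning_tool (added example, not Check
Point's code). It renders an input file of explicit transactions, lints it
against the transaction rules this section states, and maps the documented
exit codes 0-4 to an operator decision. Names, interfaces and addresses are
constructed; the VSX_ADMIN_PASSWORD environment variable is an assumption."""
import os
import shutil
import subprocess
import tempfile

# Exit codes as documented for vsx_provisioning_tool.
EXIT_MEANING = {
    0: "all changes applied on all VSX Cluster Members",
    1: "applied to the management database, but not to all VSX Cluster Members",
    2: "applied, but SIC failed with at least one VSX Cluster Member",
    3: "connectivity test (-a) failed; nothing applied",
    4: "failed to apply changes (internal error, syntax error, or another reason)",
}


def render_transaction(vd_name, vsx_name, interfaces):
    """One explicit transaction that adds a Virtual System and its interfaces.
    `interfaces` is a list of (name, ip/prefix). The Virtual Device is named
    only in the first command, as the transaction rules require."""
    lines = [f"# {vd_name} on {vsx_name} (generated)", "transaction begin",
             f"add vd name {vd_name} vsx {vsx_name}"]
    lines += [f"add interface name {name} ip {ip}" for name, ip in interfaces]
    lines.append("transaction end")
    return "\n".join(lines) + "\n"


def lint_input_file(text):
    """Check the rules stated for -f files: no 'transaction begin' while one
    is open, no end/cancel outside a transaction, no unterminated transaction.
    Text after '#' is a comment. Returns [(line_no, problem)]."""
    problems, opened_at = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        cmd = raw.split("#", 1)[0].strip()
        if not cmd:
            continue
        if cmd == "transaction begin":
            if opened_at is not None:
                problems.append((no, f"nested begin; transaction from line {opened_at} still open"))
            opened_at = no
        elif cmd in ("transaction end", "transaction cancel"):
            if opened_at is None:
                problems.append((no, f"'{cmd}' outside a transaction"))
            opened_at = None
    if opened_at is not None:
        problems.append((opened_at, "transaction never ended"))
    return problems


def classify_exit(code):
    """Map an exit code to (meaning, db_changed, safe_to_rerun).
    With 0-2 the management database already holds the objects, so rerunning
    the same file would try to add them again; with 3-4 nothing was committed."""
    meaning = EXIT_MEANING.get(code, f"undocumented exit code {code}")
    return meaning, code in (0, 1, 2), code in (3, 4)


def run_provisioning(file_text, server="localhost", user="admin",
                     tool="vsx_provisioning_tool"):
    """Write file_text to a temporary file and run the tool with -f and -a.
    Returns (exit_code, stdout); raises FileNotFoundError if the tool is not
    on PATH (for example off-box). The password comes from VSX_ADMIN_PASSWORD
    (assumed name) but is still passed with -p, so it is visible in the
    process list while the tool runs."""
    if shutil.which(tool) is None:
        raise FileNotFoundError(tool)
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(file_text)
        path = fh.name
    try:
        proc = subprocess.run(
            [tool, "-s", server, "-u", user, "-p", os.environ["VSX_ADMIN_PASSWORD"],
             "-f", path, "-a"], capture_output=True, text=True)
    finally:
        os.unlink(path)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    text = render_transaction("VS1", "VSXCluster1",
                              [("eth4.100", "1.1.1.1/24"), ("eth5", "10.0.1.1/24")])
    print(text)
    print("lint:", lint_input_file(text) or "ok")
    try:
        code, out = run_provisioning(text)
        print(out)
        print(code, classify_exit(code))
    except FileNotFoundError:
        print("vsx_provisioning_tool not found; run this on the Management Server")
```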


vsx_provisioning_tool Commands
All vsx_provisioning_tool commands are pairs of a key and a value.
The first two words in each command must appear in the correct order.
Other pairs can be written in any order.


Explicit Transaction Commands

Operation - Command Syntax

Begin a new transaction - transaction begin

End a transaction - transaction end

Cancel a transaction - transaction cancel

Note - SIC with the Virtual System is established automatically. If it fails, operations
continue, and the transaction returns error code 2.


Adding a VSX Gateway

Description
This command lets you add a new VSX Gateway object.

Syntax

add vsx type gateway name <Object Name> version <Version> main_ip <Main IPv4 Address> main_ip6 <Main IPv6 Address> sic_otp <Activation Key> [rule_snmp {enable|disable}] [rule_ssh {enable|disable}] [rule_ping {enable|disable}] [rule_ping6 {enable|disable}] [rule_https {enable|disable}] [rule_drop {enable|disable}]

Note - In this transaction, you can only add the set physical interface command.

Parameters

type gateway
Value: gateway
You must use the value "gateway" to add a new VSX Gateway object.

name <Object Name>
Value: Object name
Specifies the name of the VSX Gateway object.
You cannot use spaces or Check Point reserved words.

version <Version>
Value: Check Point version
Specifies the Check Point version of the VSX Gateway object.
You must enter the exact version as it appears in SmartConsole (case-sensitive).

main_ip <Main IPv4 Address>
Value: IPv4 Address
Specifies the main IPv4 Address of the VSX Gateway object.

main_ip6 <Main IPv6 Address>
Value: IPv6 Address
Specifies the main IPv6 Address of the VSX Gateway object.

sic_otp <Activation Key>
Value: SIC password
You must enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Gateway.

rule_snmp {enable | disable}
Controls how to process all SNMP packets sent to the VSX Gateway:
n enable - Allows all SNMP packets
n disable - Drops all SNMP packets (default)

rule_ssh {enable | disable}
Controls how to process all SSH packets sent to the VSX Gateway:
n enable - Allows all SSH packets
n disable - Drops all SSH packets (default)

rule_ping {enable | disable}
Controls how to process all ICMP Echo Request (ping) packets sent to the VSX Gateway:
n enable - Allows all IPv4 ping packets
n disable - Drops all IPv4 ping packets (default)

rule_ping6 {enable | disable}
Controls how to process all ICMPv6 Echo Request (ping) packets sent to the VSX Gateway:
n enable - Allows all IPv6 ping packets
n disable - Drops all IPv6 ping packets (default)

rule_https {enable | disable}
Controls how to process all HTTPS packets sent to the VSX Gateway:
n enable - Allows all HTTPS packets
n disable - Drops all HTTPS packets (default)

rule_drop {enable | disable}
Controls how to process all packets (other than SNMP, SSH, ICMP, ICMPv6, HTTPS) sent to the VSX Gateway:
n enable - Drops all other packets (default)
n disable - Allows all other packets

Example
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vsx name VSX_GW1 type gateway main_ip 192.168.20.1 version R80.40 sic_otp ABCDEFG rule_ssh enable rule_ping enable


Adding a VSX Cluster

Description
This command lets you add a new VSX Cluster object.

Syntax

add vsx type cluster name <Object Name> version <Version> main_ip <Main Virtual IPv4 Address> main_ip6 <Main Virtual IPv6 Address> cluster_type {vsls|ha|crbm} sync_if_name <Sync Interface Name> sync_netmask <Sync Interface Netmask> [rule_snmp {enable|disable}] [rule_ssh {enable|disable}] [rule_ping {enable|disable}] [rule_ping6 {enable|disable}] [rule_https {enable|disable}] [rule_drop {enable|disable}]

Important - You must run the "add vsx_member" command for each VSX Cluster
Member in the same transaction as the "add vsx" command.

Parameters

type cluster
    Value: cluster
    You must use the value "cluster" to add a new cluster object.

name <Object Name>
    Value: Object name
    Specifies the name of the VSX Cluster object.
    You cannot use spaces or Check Point reserved words.

version <Version>
    Value: Check Point version
    Specifies the Check Point version of the VSX Cluster object.
    You must enter the exact version as it appears in SmartConsole (case-sensitive).

main_ip <Main Virtual IPv4 Address>
    Value: IPv4 Address
    Specifies the main IPv4 Virtual Address of the VSX Cluster object.

main_ip6 <Main Virtual IPv6 Address>
    Value: IPv6 Address
    Specifies the main IPv6 Virtual Address of the VSX Cluster object.

cluster_type {vsls | ha | crbm}
    Value: Cluster type
    Specifies the cluster type. Enter one of these:
    • vsls - Virtual System Load Sharing mode
    • ha - High Availability mode
    • crbm - X-Series appliances (former BlueCoat / Crossbeam)

sync_if_name <Sync Interface Name>
    Value: Sync interface name
    Specifies the name of the Cluster Synchronization interface.

sync_netmask <Sync Interface Netmask>
    Value: IPv4 Network mask
    Specifies an IPv4 Netmask for the Cluster Synchronization interface (in a dot-quad format X.X.X.X).

rule_snmp {enable | disable}
    Value: enable or disable
    Controls how to process all SNMP packets sent to the VSX Cluster Members:
    • enable - Allows all SNMP packets
    • disable - Drops all SNMP packets (default)

rule_ssh {enable | disable}
    Value: enable or disable
    Controls how to process all SSH packets sent to the VSX Cluster Members:
    • enable - Allows all SSH packets
    • disable - Drops all SSH packets (default)

rule_ping {enable | disable}
    Value: enable or disable
    Controls how to process all ICMP Echo Request (ping) packets sent to the VSX Cluster Members:
    • enable - Allows all IPv4 ping packets
    • disable - Drops all IPv4 ping packets (default)

rule_ping6 {enable | disable}
    Value: enable or disable
    Controls how to process all ICMPv6 Echo Request (ping) packets sent to the VSX Cluster Members:
    • enable - Allows all IPv6 ping packets
    • disable - Drops all IPv6 ping packets (default)

rule_https {enable | disable}
    Value: enable or disable
    Controls how to process all HTTPS packets sent to the VSX Cluster Members:
    • enable - Allows all HTTPS packets
    • disable - Drops all HTTPS packets (default)

rule_drop {enable | disable}
    Value: enable or disable
    Controls how to process all packets (other than SNMP, SSH, ICMP, ICMPv6, HTTPS) sent to the VSX Cluster Members:
    • enable - Drops all other packets (default)
    • disable - Allows all other packets

Example
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vsx name VSX1 type cluster cluster_type vsls main_ip 192.168.1.1 version R80.40 sync_if_name eth3 sync_netmask 255.255.255.0 rule_ssh enable rule_ping enable


Adding a Virtual Device

Description
This command lets you add a new Virtual Device object:
• Virtual System
• Virtual System in Bridge Mode
• Virtual Switch
• Virtual Router

Syntax

add vd name <Device Object Name> vsx <VSX GW or Cluster Object Name> [type {vs|vsbm|vsw|vr}]
    [vs_mtu <MTU>] [instances <Number of IPv4 CoreXL Firewall instances>]
    [instances6 <Number of IPv6 CoreXL Firewall instances>]
    [main_ip <Main IPv4 Address>] [main_ip6 <Main IPv6 Address>] [calc_topo_auto {true | false}]

Parameters

name <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

vsx <VSX GW or Cluster Object Name>
    Value: Parent object name
    Specifies the name of the applicable VSX Gateway or VSX Cluster object, in which you create this Virtual Device.
    You cannot use spaces or Check Point reserved words.
    Mandatory parameter.

type {vs | vsbm | vsw | vr}
    Value: Type of Virtual Device
    Specifies the type of the Virtual Device:
    • vs - Virtual System (default)
    • vsbm - Virtual System in Bridge Mode
    • vsw - Virtual Switch
    • vr - Virtual Router

vs_mtu <MTU>
    Value: Integer
    Specifies the Global MTU value for all interfaces.
    This parameter is applicable only for a:
    • Virtual System in Bridge Mode (type vsbm)
    • Virtual Switch (type vsw)
    Default is 1500 bytes.
    Note - For a Virtual Switch, if you do not add a VLAN or physical interface in the same transaction, the utility ignores this value.

instances <Number of IPv4 CoreXL Firewall instances>
    Value: Integer
    Specifies the number of IPv4 CoreXL Firewall instances.
    This parameter is applicable only for a:
    • Virtual System (type vs)
    • Virtual System in Bridge Mode (type vsbm)
    Default is 1.
    For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide.

instances6 <Number of IPv6 CoreXL Firewall instances>
    Value: Integer
    Specifies the number of IPv6 CoreXL Firewall instances.
    This parameter is applicable only for a:
    • Virtual System (type vs)
    • Virtual System in Bridge Mode (type vsbm)
    Default is 1.
    For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide.

main_ip <Main IPv4 Address>
    Value: IPv4 Address
    Specifies the main IPv4 Address of the Virtual Device object.
    This parameter is applicable only for a:
    • Virtual System (type vs)
    • Virtual Router (type vr)
    Note - If you do not specify this value explicitly, the utility uses the IPv4 address of the first interface added to the new device.

main_ip6 <Main IPv6 Address>
    Value: IPv6 Address
    Specifies the main IPv6 Address of the Virtual Device object.
    This parameter is applicable only for a:
    • Virtual System (type vs)
    • Virtual Router (type vr)
    Note - If you do not specify this value explicitly, the utility uses the IPv6 address of the first interface added to the new device.

calc_topo_auto {true | false}
    Value: true or false
    Specifies how to calculate topology based on routes:
    • true - Automatically calculate topology based on routes (default)
    • false - Does not calculate topology based on routes
    This parameter is applicable only for a:
    • Virtual System (type vs)
    • Virtual Router (type vr)

Example
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vd name VirtSwitch1 vsx VSX_GW1 type vsw


Deleting a Virtual Device

Description
This command lets you delete a Virtual Device object:
• Virtual System
• Virtual System in Bridge Mode
• Virtual Switch
• Virtual Router
You cannot delete a Virtual Device if:
• It is referenced by a policy rule.
• It is referen
ced by other objects.
• It is enabled for global use in a Multi-Domain Security Management environment.

Important - After you delete a Virtual Device, you cannot have more commands in the
same transaction.

Syntax

remove vd name <Device Object Name>

Parameters

name <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

Example
vsx_provisioning_tool -s localhost -u admin -p mypassword -o remove vd name VirtSwitch1


Modifying Settings of a Virtual Device

Description
This command lets you modify settings of an existing Virtual Device object:
• Virtual System
• Virtual System in Bridge Mode
• Virtual Switch
• Virtual Router

Syntax

set vd name <Device Object Name> [vs_mtu <MTU>]
    [instances <Number of IPv4 CoreXL Firewall instances>] [instances6 <Number of IPv6 CoreXL Firewall instances>]
    [main_ip <Main IPv4 Address>] [main_ip6 <Main IPv6 Address>] [calc_topo_auto {true | false}]

Parameters

name <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

vs_mtu <MTU>
    Value: Integer
    Specifies the Global MTU value for all interfaces.
    This parameter is applicable only for a:
    • Virtual System in Bridge Mode
    • Virtual Switch
    Default is 1500 bytes.

instances <Number of IPv4 CoreXL Firewall instances>
    Value: Integer
    Specifies the number of IPv4 CoreXL Firewall instances.
    This parameter is applicable only for a:
    • Virtual System
    • Virtual System in Bridge Mode
    Default is 1.
    For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide.

instances6 <Number of IPv6 CoreXL Firewall instances>
    Value: Integer
    Specifies the number of IPv6 CoreXL Firewall instances.
    This parameter is applicable only for a:
    • Virtual System
    • Virtual System in Bridge Mode
    Default is 1.
    For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide.

main_ip <Main IPv4 Address>
    Value: IPv4 Address
    Specifies the main IPv4 Address of the Virtual Device object.
    This parameter is applicable only for a:
    • Virtual System
    • Virtual Router
    Note - To remove the current IPv4 address, set the value to "empty". For example: set vd name VS1 main_ip empty

main_ip6 <Main IPv6 Address>
    Value: IPv6 Address
    Specifies the main IPv6 Address of the Virtual Device object.
    This parameter is applicable only for a:
    • Virtual System
    • Virtual Router
    Note - To remove the current IPv6 address, set the value to "empty". For example: set vd name VS1 main_ip6 empty

calc_topo_auto {true | false}
    Value: true or false
    Specifies how to calculate topology based on routes:
    • true - Automatically calculate topology based on routes (default)
    • false - Does not calculate topology based on routes
    This parameter is applicable only for a:
    • Virtual System
    • Virtual Router


Example
vsx_provisioning_tool -s localhost -u admin -p mypassword -o set vd name VS1 instances 8 main_ip 192.0.2.6 calc_topo_auto false


Adding an Interface to a Virtual Device

Description
This command lets you add an interface to an existing Virtual Device object:
• Virtual System
• Virtual System in Bridge Mode
• Virtual Switch
• Virtual Router

Syntax

add interface vd <Device Object Name> {name <Interface> | leads_to <VSW or VR Object Name>}
    [ip <IPv4 Address>{/<IPv4 Prefix Length> | netmask <IPv4 Netmask> | prefix <IPv4 Prefix>}]
    [ip6 <IPv6 Address>{/<IPv6 Prefix Length> | netmask6 <IPv6 Netmask> | prefix6 <IPv6 Prefix>}]
    [propagate {true | false}] [propagate6 {true | false}]
    [topology {external | internal_undefined | internal_this_network | internal_specific [specific_group <Network Group Object Name>]}]
    [mtu <MTU>]

Parameters

vd <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

name <Interface>
    Value: Interface name
    Specifies the name of the physical or VLAN interface.
    Note - You must use the "name" or "leads_to" parameter, but not both.

leads_to <VSW or VR Object Name>
    Value: Object name
    Specifies the name of the Virtual Switch or Virtual Router object, to which this interface connects.
    This parameter is applicable only for a Virtual System.
    Note - You must use the "name" or "leads_to" parameter, but not both.

ip <IPv4 Address>{/<IPv4 Prefix> | netmask <IPv4 Netmask> | prefix <IPv4 Prefix>}
    Value: IPv4 configuration
    Specifies the IPv4 settings:
    • <IPv4 Address> - IPv4 address
    • <IPv4 Prefix> - Integer between 1 and 32
    • <IPv4 Netmask> - Number in a format X.X.X.X
    This parameter is applicable only for a:
    • Virtual System
    • Virtual Router
    For interfaces on a Virtual System that connect to a Virtual Router, you must use the maximum prefix length of the IPv4 address family (a single host address):
    • Netmask 255.255.255.255
    • Prefix 32

ip6 <IPv6 Address>{/<IPv6 Prefix> | netmask6 <IPv6 Netmask> | prefix6 <IPv6 Prefix>}
    Value: IPv6 configuration
    Specifies the IPv6 settings:
    • <IPv6 Address> - IPv6 address
    • <IPv6 Prefix> - Integer between 64 and 128
    • <IPv6 Netmask> - Number in a format XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
    This parameter is applicable only for a:
    • Virtual System
    • Virtual Router
    For interfaces on a Virtual System that connect to a Virtual Router, you must use the maximum prefix length of the IPv6 address family (a single host address):
    • Netmask FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
    • Prefix 128

propagate {true | false}
    Value: true or false
    Controls how to propagate the IPv4 routes to adjacent Virtual Devices:
    • true - Propagate the IPv4 routes
    • false - Do not propagate the IPv4 routes (default)
    Note - This parameter is applicable only for a Virtual System with VLAN or physical interfaces.

propagate6 {true | false}
    Value: true or false
    Controls how to propagate the IPv6 routes to adjacent Virtual Devices:
    • true - Propagate the IPv6 routes
    • false - Do not propagate the IPv6 routes (default)
    Note - This parameter is applicable only for a Virtual System with VLAN or physical interfaces.

topology {external | internal_undefined | internal_this_network | internal_specific}
    Value: external, internal_undefined, internal_this_network, or internal_specific
    Specifies the Topology configuration of the interface:
    • external - External interface.
    • internal_undefined - Internal interface with undefined topology. This is the default for a Virtual System in Bridge Mode.
    • internal_this_network - Internal interface. This is the default for a Virtual System and a Virtual Router. A Virtual System in Bridge Mode does not support this topology.
    • internal_specific - Internal interface with topology defined by the specified Network Group object.
    This parameter is applicable only for a:
    • Virtual System
    • Virtual System in Bridge Mode
    • Virtual Router

specific_group <Network Group Object Name>
    Value: Name of Network Group Object
    If you specified the "topology internal_specific" parameter, then specify the name of the Network Group object that contains the applicable Network objects.
    This parameter is applicable only if you disable the automatic topology calculation.

mtu <MTU>
    Value: Integer
    Specifies the MTU value for this interface.
    Default is 1500 bytes.
    This parameter is applicable only for a:
    • Virtual System
    • Virtual Router


Example - Add VLAN interface eth4.100 with IPv4 1.1.1.1/24 to the Virtual System 'VirtSystem1'
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add interface vd VirtSystem1 name eth4.100 ip 1.1.1.1/24


Removing an Interface from a Virtual Device

Description
This command lets you remove an interface from an existing Virtual Device object:
• Virtual System
• Virtual System in Bridge Mode
• Virtual Switch
• Virtual Router

Important - If the interface you remove leads to a Virtual Router, all routes through that
interface are removed automatically.

Note - If there are routes that have a next-hop IP address, which would become
inaccessible without this interface, the transaction fails.

Syntax

remove interface vd <Device Object Name> {name <Interface> | leads_to <VSW or VR Object Name>}


Parameters

vd <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

name <Interface>
    Value: Interface name
    Specifies the name of the physical or VLAN interface.
    Note - You must use the "name" or "leads_to" parameter, but not both.

leads_to <VSW or VR Object Name>
    Value: Object name
    Specifies the name of the Virtual Switch or Virtual Router object, to which this interface connects.
    This parameter is applicable only for a Virtual System.
    Note - You must use the "name" or "leads_to" parameter, but not both.

Example
vsx_provisioning_tool -s localhost -u admin -p mypassword -o remove interface vd VS1 name eth4.100


Modifying Settings of an Interface

Description
This command lets you modify the settings of an interface that belongs to an existing Virtual Device object:
• Virtual System
• Virtual System in Bridge Mode
• Virtual Switch
• Virtual Router

Note - You cannot change or remove the IP address or netmask of an existing interface with this command. You can remove the interface and add a new interface with a different IP address, but not all the previous interface settings are kept.

Syntax

set interface vd <Device Object Name> {name <Interface> [new_name <Interface>] | leads_to <VSW or VR Object Name> [new_leads_to <VSW or VR Object Name>]}
    [propagate {true|false}] [propagate6 {true|false}]
    [topology {external | internal_undefined | internal_this_network | internal_specific [specific_group <Network Group Object Name>]}]
    [mtu <MTU>]

Parameters

vd <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

name <Interface>
    Value: Interface name
    Specifies the name of the physical or VLAN interface.
    Note - You must use the "name" or "leads_to" parameter, but not both.

new_name <Interface>
    Value: Interface name
    You can change the name, but not the type of interface.
    Note - You can change a VLAN or physical interface only to a VLAN or physical interface.

leads_to <VSW or VR Object Name>
    Value: Object name
    Specifies the name of the Virtual Switch or Virtual Router object, to which this interface connects.
    This parameter is applicable only for a Virtual System.
    Note - You must use the "name" or "leads_to" parameter, but not both.

new_leads_to <VSW or VR Object Name>
    Value: Object name
    You can change where the interface leads:
    • You can change an interface that leads to a Virtual Switch only to lead to a different Virtual Switch.
    • You can change an interface that leads to a Virtual Router only to lead to a different Virtual Router.

propagate {true | false}
    Value: true or false
    Controls how to propagate the IPv4 routes to adjacent Virtual Devices:
    • true - Propagate the IPv4 routes
    • false - Do not propagate the IPv4 routes (default)
    Note - This parameter is applicable only for a Virtual System with VLAN or physical interfaces.

propagate6 {true | false}
    Value: true or false
    Controls how to propagate the IPv6 routes to adjacent Virtual Devices:
    • true - Propagate the IPv6 routes
    • false - Do not propagate the IPv6 routes (default)
    Note - This parameter is applicable only for a Virtual System with VLAN or physical interfaces.

topology {external | internal_undefined | internal_this_network | internal_specific}
    Value: external, internal_undefined, internal_this_network, or internal_specific
    Specifies the Topology configuration of the interface:
    • external - External interface.
    • internal_undefined - Internal interface with undefined topology. This is the default for a Virtual System in Bridge Mode.
    • internal_this_network - Internal interface. This is the default for a Virtual System and a Virtual Router. A Virtual System in Bridge Mode does not support this topology.
    • internal_specific - Internal interface with topology defined by the specified Network Group object.
    This parameter is applicable only for a:
    • Virtual System
    • Virtual System in Bridge Mode
    • Virtual Router

specific_group <Network Group Object Name>
    Value: Name of Network Group Object
    If you specified the "topology internal_specific" parameter, then specify the name of the Network Group object that contains the applicable Network objects.
    This parameter is applicable only if you disable the automatic topology calculation.

mtu <MTU>
    Value: Integer
    Specifies the MTU value for this interface.
    Default is 1500 bytes.
    This parameter is applicable only for a:
    • Virtual System
    • Virtual Router

Example - On a Virtual System VS1, change the VLAN interface eth4.100 to the physical interface eth5, enable route propagation and set a specific topology
vsx_provisioning_tool -s localhost -u admin -p mypassword -o set interface vd VS1 name eth4.100 new_name eth5 propagate true topology internal_specific specific_group NYGWs


Adding a Route

Description
This command lets you add an IPv4 or IPv6 route to an existing Virtual System or Virtual Router object.

Note - This command detects IPv4 and IPv6 automatically.

Syntax

add route vd <Device Object Name> destination {<IP Address>[/<IP Prefix>] | default | default6}
    [{netmask <IP Netmask> | prefix <IP Prefix>}]
    {next_hop <Next Hop IP Address> | leads_to <VS or VR Object Name>}
    [propagate {true | false}]

Parameters

vd <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual System or Virtual Router object.
    Mandatory parameter, if this is the first command in a transaction.

destination {<IP Address>[/<IP Prefix>] | default | default6}
    Specifies the route destination settings:
    • <IP Address> - IPv4 or IPv6 address
    • <IP Prefix> -
      ◦ For IPv4 - Integer between 1 and 32
      ◦ For IPv6 - Integer between 64 and 128
    • default - Use the default IPv4 route
    • default6 - Use the default IPv6 route

netmask <IP Netmask>
    Value: Number
    Specifies an IP Netmask:
    • For IPv4 - Number in a format X.X.X.X
    • For IPv6 - Number in a format XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

prefix <IP Prefix>
    Value: Integer
    Specifies the IP address prefix length:
    • For IPv4 - Integer between 1 and 32
    • For IPv6 - Integer between 64 and 128

next_hop <Next Hop IP Address>
    Value: IP Address
    Specifies the IP address of the next hop of the route.
    Notes:
    • This IP address must be on a subnet of an existing interface.
    • You must use the "next_hop" or "leads_to" parameter, but not both.

leads_to <VS or VR Object Name>
    Value: Object name
    Specifies the name of the Virtual System or Virtual Router object, which is the next hop for the configured route.
    Note - You must use the "next_hop" or "leads_to" parameter, but not both.

propagate {true | false}
    Value: true or false
    Controls how to propagate the IP routes to adjacent Virtual Devices:
    • true - Propagate the IP routes
    • false - Do not propagate the IP routes (default)
    Note - The "propagate" parameter is applicable only if you specified the "next_hop" parameter.

Example - Add a route on a Virtual System VS1 that uses the default IPv4 route as a destination and Virtual Router VR3 as a next hop
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add route vd VS1 destination default leads_to VR3


Removing a Route

Description
This command lets you remove an IPv4 or IPv6 route from an existing Virtual System or Virtual Router
object.

Note - This command detects IPv4 and IPv6 automatically.

Syntax

remove route vd <Device Object Name> destination {<IP Address>[/<IP Prefix>] | default | default6}
    [{netmask <IP Netmask> | prefix <IP Prefix>}]

Parameters

vd <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual System or Virtual Router object.
    Mandatory parameter, if this is the first command in a transaction.

destination {<IP Address>[/<IP Prefix>] | default | default6}
    Specifies the route destination settings:
    • <IP Address> - IPv4 or IPv6 address
    • <IP Prefix> -
      ◦ For IPv4 - Integer between 1 and 32
      ◦ For IPv6 - Integer between 64 and 128
    • default - Use the default IPv4 route
    • default6 - Use the default IPv6 route

netmask <IP Netmask>
    Value: Number
    Specifies an IP Netmask:
    • For IPv4 - Number in a format X.X.X.X
    • For IPv6 - Number in a format XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

prefix <IP Prefix>
    Value: Integer
    Specifies the IP address prefix length:
    • For IPv4 - Integer between 1 and 32
    • For IPv6 - Integer between 64 and 128


Example - Remove a route from a Virtual System VS1 that uses the default IPv6 route as a destination
vsx_provisioning_tool -s localhost -u admin -p mypassword -o remove route vd VS1 destination default6


Showing Virtual Device Data

Description
This command lets you show the information about an existing Virtual Device object.

Syntax

show vd <Device Object Name>

Parameters

vd <Device Object Name>
    Value: Name of the Virtual Device
    Specifies the name of the Virtual Device object.
    Mandatory parameter.

Comments
• The command shows only non-automatic routes.
• The command does not show routes that are created automatically with route propagation.
• For a Virtual Router and Virtual Switch: The command does not show the wrpj interfaces (created automatically) that connect to Virtual Systems.


Script Examples
Example 1
Create a Virtual System connected to a Virtual Router.
Add a default route on the Virtual System that routes the traffic to the Virtual Router.
Add applicable routes on the Virtual Router to route the traffic to the Virtual System.

transaction begin
add vd name VR1 vsx VSX1 type vr
add interface name eth3.100 ip 10.0.0.1/24
transaction end
transaction begin
add vd name VR2 vsx VSX2 type vr
add interface name eth3.200 ip 20.0.0.1/24
transaction end
transaction begin
add vd name VS1 vsx VSX1
add interface leads_to VR1 ip 192.168.1.1/32
add interface name eth4.20 ip 192.168.20.1/24 propagate true
add route destination default leads_to VR1
add route destination 192.168.40.0/25 next_hop 192.168.20.254
transaction end

Example 2
Create a Virtual System connected to a Virtual Switch, with manual topology.

transaction begin
add vd name VSW1 vsx VSX1 type vsw vs_mtu 1400
add interface name eth3.100
transaction end
transaction begin
add vd name VS1 vsx VSX1 calc_topo_auto false
add interface leads_to VSW1 ip 10.0.0.1/24 ip6 2001::1/64 topology external
add interface name eth4.20 ip 192.168.20.1/25 ip6 2020::1/64 topology internal_this_network
add route destination default next_hop 10.0.0.254
add route destination default6 next_hop 2001::254
transaction end

Example 3
Add CoreXL Firewall instances to the Virtual System made in the last example.
Turn on automatic calculation of topology.
Change the name of the internal interface, and decrease its MTU.

transaction begin
set vd name VS1 instances 4 instances6 2 calc_topo_auto true
set interface name eth4.20 new_name eth4.21 mtu 1400
transaction end
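Several rules spread over the parameter notes above can be checked in a script file before it reaches the tool: a transaction must be opened and closed as a unit, a Virtual System interface that leads to a Virtual Router must use /32, a route's next_hop must lie on a subnet of an interface of the same device, and the rule_ssh/rule_https/rule_snmp/rule_drop switches on "add vsx" decide what the VSX Gateway itself accepts before a policy is installed. The following POSIX shell linter is an added example and is not part of the Check Point guide or of vsx_provisioning_tool. It assumes the file is afterwards run with "vsx_provisioning_tool -f <file>" (an option not shown in this excerpt), handles only the "ip A/N" and "ip A prefix N" forms, and learns which objects are Virtual Routers from "add vd ... type vr" lines in the same file. The two sample scripts are constructed here; the first mirrors Example 1 above, the second is deliberately broken.

```shell
# Added example, not part of the Check Point guide: an offline pre-flight linter for a
# vsx_provisioning_tool script file, run before anything is sent to the Management Server.
# Assumed, not in the guide excerpt: the file is later run with "vsx_provisioning_tool -f
# <file>"; interfaces use "ip A/N" or "ip A prefix N" (netmask form skipped); IPv6 skipped.

ip4_to_int() {   # ip4_to_int 10.0.0.1 -> 167772161
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

in_subnet() {    # in_subnet <ipv4> <ipv4/prefix>: succeed if the address is inside the prefix
    p=${2#*/}; mask=$(( 4294967295 - ((1 << (32 - p)) - 1) ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

kv() {           # kv <key> <tokens...>: print the token after <key>, or nothing
    k=$1; shift
    while [ $# -gt 1 ]; do
        if [ "$1" = "$k" ]; then echo "$2"; return 0; fi
        shift
    done
    echo ""
}

report() {       # report <message>: print a finding for the current line and count it
    echo "line $lineno: $*"; findings=$((findings + 1))
}
# lint_vsx_script <file>: one line per finding; returns the number of findings. Checks:
# balanced transactions; rule_*/rule_drop switches on "add vsx" that widen what the gateway
# itself accepts; /32 on a VS interface leading to a VR (VRs learned from "add vd ... type vr"
# in the file); next_hop on an interface subnet of the same device.
lint_vsx_script() {
    file=$1; findings=0; depth=0; cur_vd=""; subnets=""; vrs=" "; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1)); set -- $line
        [ $# -eq 0 ] && continue
        case "$1 $2" in
        "transaction begin")
            [ $depth -ne 0 ] && report "transaction begin inside an open transaction"
            depth=1 ;;
        "transaction end")
            [ $depth -ne 1 ] && report "transaction end without begin"
            depth=0 ;;
        "add vsx")
            for r in rule_ssh=enable rule_https=enable rule_snmp=enable rule_drop=disable; do
                [ "$(kv "${r%=*}" "$@")" = "${r#*=}" ] &&
                    report "${r%=*} ${r#*=} widens the traffic $(kv name "$@") itself accepts; confirm it is intended"
            done ;;
        "add vd")
            cur_vd=$(kv name "$@")
            [ "$(kv type "$@")" = vr ] && vrs="$vrs$cur_vd " ;;
        "add interface")
            v=$(kv vd "$@"); [ -n "$v" ] && cur_vd=$v
            ip=$(kv ip "$@"); lt=$(kv leads_to "$@"); pf=$(kv prefix "$@")
            [ -n "$ip" ] && [ "${ip#*/}" = "$ip" ] && ip=${pf:+$ip/$pf}
            case "$vrs" in *" $lt "*) [ -n "$ip" ] && [ "${ip#*/}" != 32 ] &&
                report "interface of $cur_vd leading to Virtual Router $lt must be /32, got $ip" ;;
            esac
            [ -n "$ip" ] && subnets="$subnets $cur_vd=$ip" ;;
        "add route")
            v=$(kv vd "$@"); [ -n "$v" ] && cur_vd=$v
            nh=$(kv next_hop "$@"); ok=0
            case "$nh" in ""|*:*) continue ;; esac
            for tok in $subnets; do
                [ "${tok%%=*}" = "$cur_vd" ] && in_subnet "$nh" "${tok#*=}" && ok=1
            done
            [ $ok -eq 0 ] && report "next_hop $nh is not on an interface subnet declared for $cur_vd in this file" ;;
        esac
    done < "$file"
    [ $depth -ne 0 ] && report "end of file reached with a transaction still open"
    return $findings
}

# Constructed samples: GOOD mirrors the guide's Example 1, BAD is deliberately broken.
GOOD_SCRIPT=${TMPDIR:-/tmp}/vsx_lint_good.$$; BAD_SCRIPT=${TMPDIR:-/tmp}/vsx_lint_bad.$$
cat > "$GOOD_SCRIPT" <<'EOF'
transaction begin
add vd name VR1 vsx VSX1 type vr
add interface name eth3.100 ip 10.0.0.1/24
transaction end
transaction begin
add vd name VS1 vsx VSX1
add interface leads_to VR1 ip 192.168.1.1/32
add interface name eth4.20 ip 192.168.20.1/24 propagate true
add route destination default leads_to VR1
add route destination 192.168.40.0/25 next_hop 192.168.20.254
transaction end
EOF
cat > "$BAD_SCRIPT" <<'EOF'
transaction begin
add vsx name VSX_GW1 type gateway main_ip 192.168.20.1 version R80.40 sic_otp ABCDEFG rule_ssh enable rule_drop disable
add vd name VR1 vsx VSX_GW1 type vr
add vd name VS1 vsx VSX_GW1
add interface leads_to VR1 ip 192.168.1.1/24
add route destination default next_hop 10.0.0.254
transaction begin
EOF
lint_vsx_script "$GOOD_SCRIPT" && echo "good script: no findings"
lint_vsx_script "$BAD_SCRIPT" || echo "bad script: $? findings"
```

The good script passes; the broken one produces six findings (the two widening rule_* switches, the /24 on an interface that leads to a Virtual Router, a next_hop outside every subnet declared for VS1, a nested "transaction begin" and the transaction left open at end of file), which is what the tool would otherwise reject or, in the case of the rule_* switches, silently accept. Note that both the guide's examples and these samples carry the management password (-p) and the SIC one-time password (sic_otp) in clear text on the command line or in the file, where shell history, process listings and backups can expose them: keep the file's permissions tight and delete it once the transaction has been applied.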


QoS Commands
For more information about QoS, see the R80.40 QoS Administration Guide.


etmstart
Description
Starts the QoS Software Blade on the Security Gateway - starts the QoS daemon fgd50, and fetches the
QoS policy from the Management Servers configured in the $FWDIR/conf/masters file on the Security
Gateway.
For more information, see:
• R80.40 QoS Administration Guide
• sk41585: How to control and debug FloodGate-1 (QoS)

Syntax

etmstart

Example

[Expert@MyGW:0]# etmstart
FloodGate-1: Starting fgd50
FloodGate-1: Fetching QoS Policy from masters
Fetching QoS Software Blade Policy:
Received Policy. Downloading...
eth0(inbound), eth0(outbound).
Download OK.
Done.
FloodGate-1 started
[Expert@MyGW:0]#


etmstop
Description
Stops the QoS Software Blade on the Security Gateway - kills the QoS daemon fgd50 and then unloads
the QoS policy.
For more information, see:
• R80.40 QoS Administration Guide
• sk41585: How to control and debug FloodGate-1 (QoS)

Syntax

etmstop

Example

[Expert@CXL1_192.168.3.52:0]# etmstop
Unloading QoS Policy:
Target(s): CXL1_192.168.3.52
CXL1_192.168.3.52: QoS policy unloaded successfully.
Done.
FloodGate-1 stopped
[Expert@CXL1_192.168.3.52:0]#


fgate
This section describes:
• The 'fgate' command on Management Server
• The 'fgate' command on Security Gateway

The 'fgate' command on Management Server

Description
Installs and uninstalls the QoS policy on the managed Security Gateways.
Shows the status of the QoS Software Blade on the managed Security Gateways.
For more information, see:
• R80.40 QoS Administration Guide
• sk41585: How to control and debug FloodGate-1 (QoS)

Syntax

fgate [-d]
      load <Name of QoS Policy>.F <GW1> <GW2> ... <GWN>
      stat
            -h
            <GW1> <GW2> ... <GWN>
      unload <GW1> <GW2> ... <GWN>
      ver

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

load <Name of QoS Policy>.F <GW1> <GW2> ... <GWN>
    Runs a verifier on the QoS policy <Name of QoS Policy>.
    If the QoS policy is valid, the Management Server compiles and installs the QoS Policy on the specified Security Gateways <GW1> <GW2> ... <GWN>.
    Notes:
    • The maximum supported length of the <Name of QoS Policy> string is 32 characters.
    • To specify a Security Gateway, enter the main IP address or the name of its object as configured in SmartConsole. You can specify several Security Gateways or cluster members in the same command.

stat -h
    Shows the built-in usage for the "stat" parameter.

stat <GW1> <GW2> ... <GWN>
    Shows the status of the QoS Software Blade and policy on the managed Security Gateways.
    Note - To specify a Security Gateway, enter the main IP address or the name of its object as configured in SmartConsole. You can specify several Security Gateways or cluster members in the same command.
    Important - This command is outdated and exists only for backward compatibility with very old versions. Use the "cpstat" command (see page 912).

unload <GW1> <GW2> ... <GWN>
    Uninstalls the QoS Policy from the specified Security Gateways <GW1> <GW2> ... <GWN>.
    Note - To specify a Security Gateway, enter the main IP address or the name of its object as configured in SmartConsole. You can specify several Security Gateways or cluster members in the same command.

ver
    Shows the QoS Software Blade version on the Management Server.


Examples

Example 1 - Installing the QoS policy on one Security Gateway specified by its IP address
[Expert@MGMT:0]# fgate load MyPolicy.F 192.168.3.52
QoS rules verified OK!
Downloading QoS Policy: MyPolicy.F...
Target(s): MyGW
MyGW: QoS policy transferred to module: MyGW.
MyGW: QoS policy installed succesfully.
Done.
[Expert@MGMT:0]#

Example 2 - Installing the QoS policy on two cluster members specified by their object names
[Expert@MGMT:0]# fgate load MyPolicy.F MyClusterMember1 MyClusterMember2
QoS rules verified OK!
Downloading QoS Policy: MyPolicy.F...
MyClusterMember1: QoS policy transferred to module: MyClusterMember1.
MyClusterMember1: QoS policy installed succesfully.
MyClusterMember2: QoS policy transferred to module: MyClusterMember2.
MyClusterMember2: QoS policy installed succesfully.
Done.
[Expert@MGMT:0]#

Example 3 - Viewing the QoS status on one Security Gateway specified by its object name
[Expert@MGMT:0]# fgate stat MyGW

Module name: MyGW
=======================
Product: QoS Software Blade
Version: R80.40
Kernel Build: 456
Policy Name: MyPolicy
Install time: Wed Dec 4 19:53:48 2019
Interfaces Num: 1

Interface table
----------------------------------------------------------------
|Name|Dir|Limit (Bps)|Avg Rate (Bps)|Conns|Pend pkts|Pend bytes|
----------------------------------------------------------------
|eth0|in | 1250000000| 0| 0| 0| 0|
|eth0|out| 1250000000| 0| 0| 0| 0|
----------------------------------------------------------------

[Expert@MGMT:0]#

Example 4 - Viewing the QoS Software Blade version
[Expert@MGMT:0]# fgate ver
This is Check Point QoS Software Blade R80.40 - Build 123
[Expert@MGMT:0]#


The 'fgate' command on Security Gateway

Description
Installs and uninstalls the QoS policy on the managed Security Gateways.
Shows the status of the QoS Software Blade on the managed Security Gateways.
Controls the QoS debug.
For more information, see:
- R80.40 QoS Administration Guide
- sk41585: How to control and debug FloodGate-1 (QoS)

Syntax

fgate [-d]
      ctl
            -h
            <QoS Module> {on | off}
      debug
            on
            off
      fetch
            -f
            <Management Server>
      kill [-t <Signal Number>] <Name of QoS Process>
      load
      log
            on
            off
            stat
      stat [-h]
      ver [-k]
      unload


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.

    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

ctl -h
    Shows the expected syntax and the list of the available QoS modules.

ctl <QoS Module> {on | off}
    Controls the specified QoS module:
    - on - Enables the module (default)
    - off - Disables the module

    Note - In R80.40, the only available QoS module is etmreg.

debug {on | off}
    Controls the debug mode of the QoS user space daemon fgd50 (see sk41585):
    - on - Enables the debug
    - off - Disables the debug (default)
    This sends additional debugging information to the fgd50 daemon's log file $FGDIR/log/fgd.elg.

fetch -f
    Fetches and installs the QoS Policy from all the Management Servers configured in the $FWDIR/conf/masters file.

fetch <Management Server>
    Fetches and installs the QoS Policy from the specified Management Server.
    Enter the main IP address or the name of the Management Server object as configured in SmartConsole.

kill [-t <Signal Number>] <Name of QoS Process>
    Sends the specified signal to the specified QoS user space process.

    Notes:
    - In R80.40, the only available QoS user space process is fgd50.
    - The QoS fgd50 daemon, upon its startup, writes the PIDs of the applicable QoS user space processes to the $FWDIR/tmp/<Name of QoS Process>.pid files. For example: $FWDIR/tmp/fgd50.pid
    - If the file $FWDIR/tmp/<Name of QoS Process>.pid exists, then this command sends the specified Signal Number to the PID in that file.
    - If you do not specify the signal explicitly, the command sends Signal 15 (SIGTERM).
    - For the list of available signals and their numbers, run the kill -l command. For information about the signals, see the manual pages for kill and signal.
    - To restart the QoS fgd50 daemon manually, run the "etmstop" on page 1745 and then "etmstart" on page 1744 commands.

load
    Installs the local QoS Policy on the Security Gateway.
    If this command fails, run the "etmstop" on page 1745 and then "etmstart" on page 1744 commands.

log {on | off | stat}
    Controls the state of QoS logging in the Security Gateway kernel:
    - on - Enables the QoS logging (default)
    - off - Disables the QoS logging
    - stat - Shows the current QoS logging status
    You can disable the QoS logging to save resources without reinstalling the QoS policy.

stat [-h]
    Shows the status of the QoS Software Blade and policy on the Security Gateway.
    The -h parameter shows the built-in usage for the "stat" parameter.

    Important - This command is outdated and exists only for backward compatibility with very old versions. Use the "cpstat" on page 912 command.

unload
    Uninstalls the QoS Policy from the Security Gateway.

ver [-k]
    Shows the QoS Software Blade version.
    If you specify the "-k" parameter, the output also shows the kernel version.
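The kill parameter above signals whatever PID is stored in $FWDIR/tmp/<Name of QoS Process>.pid. The shell function below is an added example, not Check Point code: it does the same job defensively, refusing an empty or non-numeric PID file and probing with signal 0 before sending anything, so a stale .pid file left behind by a daemon that died does not result in a signal being delivered to an unrelated process that has since reused the number. The default signal (SIGTERM, as for fgate kill), the return codes and the qos_kill wrapper are my own choices; the self-test signals only the running shell.

```shell
# Added example, not Check Point code. Sends a signal to the process whose
# PID is recorded in a PID file, with the checks "fgate kill" leaves implicit.
# Assumptions: the file holds one decimal PID; the signal is given as a name
# (TERM, HUP) or a number (15); the default is SIGTERM, as for "fgate kill".
#
# Usage: signal_pidfile <pid file> [signal]
# Return codes: 0 signal delivered, 1 no PID file, 2 file content is not a
# PID, 3 no live process with that PID (stale file) or no permission for it.
signal_pidfile() {
    pidfile=$1
    sig=${2:-TERM}
    [ -f "$pidfile" ] || { echo "no PID file: $pidfile" >&2; return 1; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "$pidfile does not contain a PID: '$pid'" >&2; return 2 ;;
    esac
    # Signal 0 delivers nothing; it only reports whether the PID is live and
    # signalable, which is exactly the stale-PID-file check we want.
    kill -0 "$pid" 2>/dev/null \
        || { echo "no live process with PID $pid (stale $pidfile?)" >&2; return 3; }
    case $sig in
        *[!0-9]*) kill -s "$sig" "$pid" ;;   # signal given by name, e.g. TERM
        *)        kill "-$sig" "$pid" ;;     # signal given by number, e.g. 15
    esac
}

# Wrapper mirroring "fgate kill [-t <Signal Number>] <Name of QoS Process>":
# the process name selects $FWDIR/tmp/<name>.pid (FWDIR is set by CP.sh).
# Usage: qos_kill fgd50 [signal]   (not exercised by the self-test)
qos_kill() {
    name=$1
    sig=${2:-15}
    signal_pidfile "${FWDIR:?FWDIR is not set; source /etc/profile.d/CP.sh}/tmp/$name.pid" "$sig"
}
```

Return code 3 is the interesting one operationally: a .pid file whose process is gone usually means fgd50 exited without cleaning up, which is the case where the guide tells you to run etmstop and etmstart rather than signal anything.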


Examples

Example 1 - Fetching the QoS policy based on the $FWDIR/conf/masters file

[Expert@MyGW]# fgate fetch -f
Fetching QoS Software Blade Policy:
Received Policy. Downloading...
eth0(inbound), eth0(outbound).
Download OK.
Done.
[Expert@MyGW]#

Example 2 - Fetching the QoS policy from the Management Server specified by its IP address

[Expert@MyGW]# fgate fetch 192.168.3.240
Fetching QoS Software Blade Policy:
Received Policy. Downloading...
eth0(inbound), eth0(outbound).
Download OK.
Done.
[Expert@MyGW]#

Example 3 - Viewing the QoS status

[Expert@MyGW]# fgate stat
Product: QoS Software Blade
Version: R80.40
Kernel Build: 456
Policy Name: MyPolicy
Install time: Wed Dec 4 19:53:48 2019
Interfaces Num: 1

Interface table
----------------------------------------------------------------
|Name|Dir|Limit (Bps)|Avg Rate (Bps)|Conns|Pend pkts|Pend bytes|
----------------------------------------------------------------
|eth0|in | 1250000000| 0| 0| 0| 0|
|eth0|out| 1250000000| 0| 0| 0| 0|
----------------------------------------------------------------
[Expert@MyGW]#

Example 4 - Viewing the QoS Software Blade version

[Expert@MyGW:0]# fgate ver
This is Check Point QoS Software Blade R80.40 - Build 123
[Expert@MyGW:0]#
[Expert@MyGW:0]# fgate ver -k
This is Check Point QoS Software Blade R80.40 - Build 123
kernel: R80.40 - Build 456
[Expert@MyGW:0]#

IPS Commands
For more information about IPS, see the R80.40 Threat Prevention Administration Guide.
IPS commands let you configure and show the IPS on the Security Gateway without installing a new policy.
Important - Changes in the IPS configuration made with these commands are not persistent. If you install a
policy or restart the Security Gateway, the changes are deleted.

ips
Description
Shows various information about the IPS Software Blade.
Controls the IPS Software Blade.

Syntax

ips
      bypass <options>
      debug <options>
      off
      on
      pmstats <options>
      refreshcap
      stat
      stats <options>

Parameters

No Parameters
    Shows the built-in usage.

bypass <options>
    Controls the IPS Bypass mode.
    See "ips bypass" on page 1757.

debug <options>
    Collects the IPS debug.
    See "ips debug" on page 1759.

off
    Disables the IPS Software Blade on-the-fly.
    See "ips off" on page 1760.

on
    Enables the IPS Software Blade on-the-fly.
    See "ips on" on page 1761.

pmstats <options>
    Collects statistics about the IPS Pattern Matcher.
    See "ips pmstats" on page 1762.

refreshcap
    Refreshes the IPS sample capture repository.
    See "ips refreshcap" on page 1763.

stat
    Shows the IPS status.
    See "ips stat" on page 1764.

stats <options>
    Shows statistics for the IPS performance and Pattern Matcher.
    See "ips stats" on page 1765.

ips bypass
Description
Controls the IPS Bypass mode:
- When CPU and/or Memory utilization reaches the configured higher threshold, the IPS Software Blade disables itself.
- When CPU and/or Memory utilization goes down to the configured lower threshold, the IPS Software Blade enables itself.

Syntax

ips bypass
      off
      on
      set <options>
      stat

Parameters

No Parameters
    Shows the applicable built-in usage.

off
    Disables the IPS Bypass mode.

on
    Enables the IPS Bypass mode.

set <options>
    Configures the utilization thresholds (in per cent) at which to engage (higher threshold) or disengage (lower threshold) the IPS Bypass mode.
    The available options are:
    - Configure the lower CPU threshold:
        ips bypass set cpu low <0-100>
    - Configure the higher CPU threshold:
        ips bypass set cpu high <0-100>
    - Configure the lower Memory threshold:
        ips bypass set mem low <0-100>
    - Configure the higher Memory threshold:
        ips bypass set mem high <0-100>
    Example:
        ips bypass set cpu low 80

stat
    Shows the status of the IPS Bypass Under Load:
    - IPS bypass mode
    - CPU thresholds
    - Memory thresholds
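Each set option above accepts any value from 0 to 100 on its own, so nothing stops an operator from entering a lower threshold that is at or above the higher one. The helper below is an added example, not Check Point code: it validates a pair of thresholds for one resource and emits the two ips bypass set commands only when the pair makes sense. The rule that low must be strictly below high is my own sanity check, derived from the description of how the mode engages and disengages; the function and return-code names are mine.

```shell
# Added example, not Check Point code. Builds the "ips bypass set" commands
# for one resource after checking the thresholds. The rule "low < high" is my
# own sanity check: the guide says bypass engages at the higher threshold and
# disengages at the lower one, which only works if the two are ordered.
#
# Usage: bypass_cmds <cpu|mem> <low> <high>
# Prints the two commands and returns 0, or returns 1 without printing.
bypass_cmds() {
    res=$1; low=$2; high=$3
    case $res in
        cpu|mem) ;;
        *) echo "resource must be cpu or mem, got '$res'" >&2; return 1 ;;
    esac
    for v in "$low" "$high"; do
        case $v in
            ''|*[!0-9]*) echo "threshold must be an integer 0-100, got '$v'" >&2; return 1 ;;
        esac
        [ "$v" -le 100 ] || { echo "threshold above 100: $v" >&2; return 1; }
    done
    [ "$low" -lt "$high" ] \
        || { echo "lower threshold ($low) must be below higher threshold ($high)" >&2; return 1; }
    printf 'ips bypass set %s low %s\n' "$res" "$low"
    printf 'ips bypass set %s high %s\n' "$res" "$high"
}

# apply_bypass <cpu|mem> <low> <high>: run the generated commands. Only call
# this on the Security Gateway itself; the self-test never does.
apply_bypass() {
    cmds=$(bypass_cmds "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r c; do
        $c    # each line is one complete "ips bypass set ..." command
    done
}
```

As the chapter introduction notes, settings applied with the ips commands do not survive a policy install or a reboot, so a wrapper like apply_bypass is also the natural place to re-apply the thresholds after those events.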

ips debug
Description
Collects the IPS debug information.

Note - For information about the kernel debug, see the R80.40 Next Generation
Security Gateway Guide - Chapter Kernel Debug on Security Gateway.

Syntax

ips debug [-e <Filter>] -o <Output File>

Parameters

-e <Filter>
    Specifies the INSPECT filter to capture packets.
    For more information, see the explanation for the "fw monitor" on page 1026 command in sk30583: What is FW Monitor?

-o <Output File>
    Specifies the path and the name of the output debug file.

Example

ips debug -o /var/log/IPS_debug.txt

ips off
Description
Disables the IPS Software Blade on-the-fly.

Note - To enable, run the "ips on" on page 1761 command.

Syntax

ips off [-n]

Example 1

[Expert@MyGW:0]# ips off
IPS is disabled
Please note that for the configuration to apply for connections from existing templates, you have to run this command with -n flag which deletes existing templates.
Without '-n', it will fully take effect in a few minutes.
[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# ips off -n
IPS is disabled
Deleting templates
Clearing table cphwd_tmpl
[Expert@MyGW:0]#

ips on
Description
Enables the IPS Software Blade on-the-fly, if it was disabled with the "ips off" on page 1760 command.

Syntax

ips on [-n]

Example 1

[Expert@MyGW:0]# ips on
IPS is enabled
Please note that for the configuration to apply for connections from existing templates, you have to run this command with -n flag which deletes existing templates.
Without '-n', it will fully take effect in a few minutes.
[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# ips on -n
IPS is enabled
Deleting templates
Clearing table cphwd_tmpl
[Expert@MyGW:0]#

ips pmstats
Description
Collects statistics about the IPS Pattern Matcher.

Syntax

ips pmstats
      -o <Output File>
      reset

Parameters

No Parameters
    Shows the applicable built-in usage.

-o <Output File>
    Specifies the path and the name of the output file.

reset
    Resets the statistics counters.

Example

[Expert@MyGW:0]# ips pmstats -o /var/log/IPS_pmstats.txt
Set operation succeeded
Generating PM statistics report into /var/log/IPS_pmstats.txt...
Set operation succeeded
Set operation succeeded
Set operation succeeded
Done
Set operation succeeded
Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# wc -l /var/log/IPS_pmstats.txt
707 /var/log/IPS_pmstats.txt
[Expert@MyGW:0]#
[Expert@MyGW:0]# ips pmstats reset
Set operation succeeded
Set operation succeeded
Resetted PM statistics
Set operation succeeded
Set operation succeeded
[Expert@MyGW:0]#

ips refreshcap
Description
After you install a new policy, the IPS Software Blade captures the first packet for each IPS protection and
saves it in the packet capture repository.
This command refreshes the packet capture repository.
The IPS designates the next packet of each IPS protection as the first packet.
The new first packet replaces the previous one in the packet capture repository.

Syntax

ips refreshcap

Example

[Expert@MyGW:0]# ips refreshcap
Refreshed IPS sample capture
- A single new packet capture will be issued upon the next detection of each attack. You can see the packet capture attached to the log or in the Packet Capture Repository.
[Expert@MyGW:0]#

ips stat
Description
Shows this information:
- IPS Status (Enabled or Disabled)
- IPS Update Version
- Global Detect (On or Off)
- Bypass Under Load (On or Off)

Syntax

ips stat

Example

[Expert@MyGW:0]# ips stat
IPS Status: Enabled
IPS Update Version: 635158746
Global Detect: Off
Bypass Under Load: Off
[Expert@MyGW:0]#
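Because ips off and ips bypass take effect on the fly and, as the chapter introduction says, do not persist, an operator usually wants a periodic check that the blade is still in the expected state. The following is an added example, not Check Point code: it parses ips stat output in the form shown above (SAMPLE_IPS_STAT is constructed from that example; on a gateway you would pass "$(ips stat)") and returns a distinct code for each unhealthy condition so a cron job or monitoring agent can alert on it. Treating Global Detect On as a warning is my assumption, since in that mode protections detect rather than prevent; the page lists the field without explaining it.

```shell
# Added example, not Check Point code. Checks the state reported by "ips stat".
# SAMPLE_IPS_STAT is constructed to match the example output on this page.
SAMPLE_IPS_STAT='IPS Status: Enabled
IPS Update Version: 635158746
Global Detect: Off
Bypass Under Load: Off'

# ips_stat_field <ips stat output> <field name>: prints the value after the
# colon for that field, or nothing if the field is absent.
ips_stat_field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2; exit }'
}

# ips_stat_check <ips stat output>
# Return codes: 0 healthy, 1 IPS disabled, 2 Bypass Under Load engaged,
# 3 Global Detect on (assumption: protections detect but do not prevent),
# 4 output not recognised (blade missing, command failed, format changed).
ips_stat_check() {
    status=$(ips_stat_field "$1" "IPS Status")
    bypass=$(ips_stat_field "$1" "Bypass Under Load")
    detect=$(ips_stat_field "$1" "Global Detect")
    [ -n "$status" ] && [ -n "$bypass" ] && [ -n "$detect" ] || return 4
    [ "$status" = "Enabled" ] || return 1
    [ "$bypass" = "Off" ] || return 2
    [ "$detect" = "Off" ] || return 3
    return 0
}

# ips_stat_report <ips stat output>: one line suitable for a monitoring log,
# exit status as for ips_stat_check.
ips_stat_report() {
    rc=0
    ips_stat_check "$1" || rc=$?
    case $rc in
        0) msg="OK: IPS enabled, no bypass, update $(ips_stat_field "$1" "IPS Update Version")" ;;
        1) msg="CRITICAL: IPS Software Blade is disabled" ;;
        2) msg="WARNING: IPS Bypass Under Load is engaged" ;;
        3) msg="WARNING: Global Detect is on" ;;
        *) msg="UNKNOWN: could not parse ips stat output" ;;
    esac
    printf '%s\n' "$msg"
    return $rc
}
```

Run from cron as ips_stat_report "$(ips stat)", the non-zero exit status is what a monitoring agent keys on; the message is there for humans reading the log.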

ips stats
Description
This tool generates a report that includes both IPS and Pattern Matcher statistics.
The report can help administrators and protection writers analyze which IPS protections or IPS components cause performance issues.
The output files are located in the $FWDIR/ips/statistics_results/ directory.
On a Standalone, the tool creates a directory for each specified IP address.
The output files are:

ips.dbg
    Contains the raw report, which contains all the information.

ips_stat_output_file.csv
    Contains the report with the IPS statistics.

pm_output_file.csv
    Contains the statistics for the Pattern Matcher.

tier1_output_file.csv
    Contains the statistics for the Pattern Matcher first tier.

tier2_output_file.csv
    Contains the statistics for the Pattern Matcher second tier.

Syntax

ips stats -h

ips stats

ips stats <Seconds>

ips stats -g <Seconds>

ips stats <IP Address of Gateway>

ips stats <IP Address of Gateway> <Seconds>

ips stats <IP Address of Gateway> -m

Important - To generate a report on a VSX Gateway, you must use the Manual Mode.

Parameters

ips stats -h
    Shows the applicable built-in usage.

ips stats
    Available only in Standalone configurations.
    Collects the IPS and Pattern Matcher statistics on the Standalone computer during 20 seconds.

ips stats <Seconds>
    Available only in Standalone configurations.
    Collects the IPS and Pattern Matcher statistics on the Standalone computer during the specified number of seconds.

ips stats -g <Seconds>
    Manual Mode on the current Security Gateway.

    Important - You must use this command on a VSX Gateway.

    Collects the IPS and Pattern Matcher statistics during the specified number of seconds.
    The output file is /ips_tar.tgz (in the root partition).
    For analysis, you must copy this file to the root partition on the Management Server.

ips stats <IP Address of Gateway>
    Collects the IPS and Pattern Matcher statistics for the Security Gateway with the specified main IP address during 20 seconds.

ips stats <IP Address of Gateway> <Seconds>
    Collects the IPS and Pattern Matcher statistics for the Security Gateway with the specified main IP address during the specified number of seconds.

ips stats <IP Address of Gateway> -m
    Available only on the Management Server.
    Runs an analysis on the output file /ips_tar.tgz that you collected from the Security Gateway with the specified main IP address.

Related SK article
sk43733: How to measure CPU time consumed by IPS protections.

Example 1 - Collect the statistics on the Security Gateway with IP address 192.168.20.14 during 40 seconds

ips_stats 192.168.20.14 40

Example 2 - Collect the statistics on the current Security Gateway during 30 seconds

ips_stats -g 30

Example 3 - Analyze the statistics you collected from the Security Gateway with IP address 192.168.20.14

ips_stats 192.168.20.14 -m

Running Check Point Commands in Shell Scripts
To run Check Point commands in shell scripts, you need to add the call for Check Point shell script
/etc/profile.d/CP.sh to your shell script.
Add this call right under the sha-bang line.

#!/bin/bash
source /etc/profile.d/CP.sh
<Check Point commands>
[mandatory last new line]
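A script that skips the CP.sh line fails in a confusing way when run from cron or ssh, because $FWDIR and the Check Point binaries are not on its path. The pair of functions below is an added example, not Check Point code: write_cp_script produces a script in exactly the layout shown above, and check_cp_script verifies an existing script against it (sha-bang on line 1, the CP.sh source on line 2, a terminating newline) before you schedule it. Accepting the POSIX ". /etc/profile.d/CP.sh" spelling and the 0700 mode are my choices; the commands the self-test writes into its temporary script are never executed.

```shell
# Added example, not Check Point code. Writes and checks scripts in the
# layout this chapter requires: line 1 is the sha-bang, line 2 sources
# /etc/profile.d/CP.sh, and the file ends with a newline.

# write_cp_script <file> <command>...: create the script, one command per line.
write_cp_script() {
    out=$1; shift
    {
        printf '#!/bin/bash\n'
        printf 'source /etc/profile.d/CP.sh\n'
        printf '%s\n' "$@"        # printf repeats the format: one line per command
    } > "$out"
    chmod 0700 "$out"             # owner-only: the script will run with Expert rights
}

# check_cp_script <file>: 0 if the layout is correct, otherwise 1 with the
# first problem found on stderr. Accepting the POSIX "." form is my choice.
check_cp_script() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    line1=$(sed -n '1p' "$f")
    line2=$(sed -n '2p' "$f")
    case $line1 in
        '#!'*) ;;
        *) echo "$f: line 1 is not a sha-bang line" >&2; return 1 ;;
    esac
    case $line2 in
        'source /etc/profile.d/CP.sh'|'. /etc/profile.d/CP.sh') ;;
        *) echo "$f: line 2 must be 'source /etc/profile.d/CP.sh'" >&2; return 1 ;;
    esac
    # tail -c 1 prints the last byte; command substitution strips a trailing
    # newline, so an empty result means the file ends with one.
    [ -z "$(tail -c 1 "$f")" ] || { echo "$f: missing mandatory final newline" >&2; return 1; }
    return 0
}
```

The final-newline check matters more than it looks: a last command with no newline after it may be silently ignored by the shell, so the script appears to succeed while its last step never ran.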

Working with Kernel Parameters on Security Gateway
See the R80.40 Next Generation Security Gateway Guide.

Introduction to Kernel Parameters

Kernel parameters let you change the advanced behavior of your Security Gateway.
These are the supported types of kernel parameters:

Integer
    Accepts only one integer value.

String
    Accepts only a plain-text string.

Important:
- In Cluster, you must see and configure the same value for the same kernel parameter on each Cluster Member.
- In VSX Gateway, the configured values of kernel parameters apply to all existing Virtual Systems and Virtual Routers.

Security Gateway gets the names and the default values of the kernel parameters from these kernel module files:
- $FWDIR/modules/fw_kern_64.o
- $FWDIR/modules/fw_kern_64_v6.o
- $PPKDIR/modules/sim_kern_64.o
- $PPKDIR/modules/sim_kern_64_v6.o

Firewall Kernel Parameters

To change the internal default behavior of Firewall or to configure special advanced settings for Firewall, you can use Firewall kernel parameters.
The names of applicable Firewall kernel parameters and their values appear in various SK articles in Check Point Support Center, and are provided by Check Point Support.

Important:
- The names of Firewall kernel parameters are case-sensitive.
- You can configure most of the Firewall kernel parameters on-the-fly with the "fw ctl set" command. This change does not survive a reboot.
- You can configure some of the Firewall kernel parameters only permanently in the special configuration files - $FWDIR/boot/modules/fwkern.conf or $FWDIR/boot/modules/vpnkern.conf. This requires a maintenance window, because the new values of the kernel parameters take effect only after a reboot.
- In Cluster, you must configure all the Cluster Members in the same way.

Examples of Firewall kernel parameters

Integer:
    fw_allow_simultaneous_ping
    fw_kdprintf_limit
    fw_log_bufsize
    send_buf_limit

String:
    simple_debug_filter_addr_1
    simple_debug_filter_daddr_1
    simple_debug_filter_vpn_1
    ws_debug_ip_str
    fw_lsp_pair1
Working with Integer Kernel Parameters

Viewing the list of the available Firewall integer kernel parameters and their values

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. Get the list of the available integer kernel parameters and their values:

   modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_integer_kernel_parameters.txt 2>> /var/log/fw_integer_kernel_parameters.txt

4. Analyze the output file:

   /var/log/fw_integer_kernel_parameters.txt

Viewing the current value of a Firewall integer kernel parameter

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Check the current value of an integer kernel parameter:

   fw ctl get int <Name of Integer Kernel Parameter> [-a]

   Example:

   [Expert@MyGW:0]# fw ctl get int send_buf_limit
   send_buf_limit = 80
   [Expert@MyGW:0]#

Configuring a value for a Firewall integer kernel parameter temporarily

Important - This change does not survive reboot.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Set the new value for an integer kernel parameter:

   fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>

   Example:

   [Expert@MyGW:0]# fw ctl set int send_buf_limit 100
   Set operation succeeded
   [Expert@MyGW:0]#

4. Make sure the new value is set:

   fw ctl get int <Name of Integer Kernel Parameter>

   Example:

   [Expert@MyGW:0]# fw ctl get int send_buf_limit
   send_buf_limit = 100
   [Expert@MyGW:0]#

Configuring a value for a Firewall integer kernel parameter permanently

To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the applicable configuration files:
- For Firewall kernel parameters: $FWDIR/boot/modules/fwkern.conf
- For VPN kernel parameters: $FWDIR/boot/modules/vpnkern.conf
The exact instructions are provided in various SK articles in Check Point Support Center, and by Check Point Support.
For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. See if the configuration file already exists.
   - For Firewall kernel parameters:
     ls -l $FWDIR/boot/modules/fwkern.conf
   - For VPN kernel parameters:
     ls -l $FWDIR/boot/modules/vpnkern.conf
4. If this file already exists, skip to Step 5.
   If this file does not exist, then create it manually and then skip to Step 6.
   - For Firewall kernel parameters:
     touch $FWDIR/boot/modules/fwkern.conf
   - For VPN kernel parameters:
     touch $FWDIR/boot/modules/vpnkern.conf
5. Back up the current configuration file.
   - For Firewall kernel parameters:
     cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
   - For VPN kernel parameters:
     cp -v $FWDIR/boot/modules/vpnkern.conf{,_BKP}
6. Edit the current configuration file.
   - For Firewall kernel parameters:
     vi $FWDIR/boot/modules/fwkern.conf
   - For VPN kernel parameters:
     vi $FWDIR/boot/modules/vpnkern.conf
7. Add the required Firewall kernel parameter with the assigned value in the exact format specified below.

   Important - These configuration files do not support space characters, tabulation characters, and comments (lines that contain the # character).

   - To add an integer kernel parameter:
     <Name_of_Integer_Kernel_Parameter>=<Integer_Value>
   - To add a string kernel parameter:
     Note - You must write the value in single quotes, or double-quotes.
     <Name_of_String_Kernel_Parameter>='<String_Text>'
     or
     <Name_of_String_Kernel_Parameter>="<String_Text>"
8. Save the changes in the file and exit the Vi editor.
9. Reboot the Security Gateway or Cluster Member.

   Important - In cluster, this can cause a failover.

10. Connect to the command line on your Security Gateway or Cluster Member.
11. Log in to Gaia Clish or the Expert mode.
12. Make sure the new value of the kernel parameter is set:
    - For an integer kernel parameter, run:
      fw ctl get int <Name of Integer Kernel Parameter> [-a]
    - For a string kernel parameter, run:
      fw ctl get str <Name of String Kernel Parameter> [-a]

Working with String Kernel Parameters

Viewing the list of the available Firewall string kernel parameters and their values

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. Get the list of the available string kernel parameters and their values:

   modinfo -p $FWDIR/boot/modules/fw_kern*.o | sort -u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/fw_string_kernel_parameters.txt 2>> /var/log/fw_string_kernel_parameters.txt

4. Analyze the output file:

   /var/log/fw_string_kernel_parameters.txt

Viewing the current value of a Firewall string kernel parameter

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Check the current value of a string kernel parameter:

   fw ctl get str <Name of String Kernel Parameter> [-a]

   Example:

   [Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset
   fileapp_default_encoding_charset = 'UTF-8'
   [Expert@MyGW:0]#

Configuring a value for a Firewall string kernel parameter temporarily

Important - This change does not survive reboot.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Set the new value for a string kernel parameter:

   Note - You must write the value in single quotes, or double-quotes.

   fw ctl set str <Name of String Kernel Parameter> '<String Text>'

   or

   fw ctl set str <Name of String Kernel Parameter> "<String Text>"

   Example:

   [Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip '1.1.1.1'
   Set operation succeeded
   [Expert@MyGW:0]#

4. Make sure the new value is set:

   fw ctl get str <Name of String Kernel Parameter>

   Example:

   [Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip
   debug_filter_saddr_ip = '1.1.1.1'
   [Expert@MyGW:0]#

Removing the current value from a Firewall string kernel parameter temporarily

Important - This change does not survive reboot.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to Gaia Clish or the Expert mode.
3. Clear the current value from a string kernel parameter:

   Note - You must set an empty value in single quotes, or double-quotes.

   fw ctl set str <Name of String Kernel Parameter> ''

   or

   fw ctl set str <Name of String Kernel Parameter> ""

   Example:

   [Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip ''
   Set operation succeeded
   [Expert@MyGW:0]#

4. Make sure the value is cleared (the new value is empty):

   fw ctl get str <Name of String Kernel Parameter>

   Example:

   [Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip
   debug_filter_saddr_ip = ''
   [Expert@MyGW:0]#

SecureXL Kernel Parameters

To change the internal default behavior of SecureXL or to configure special advanced settings for SecureXL, you can use SecureXL kernel parameters.
The names of applicable SecureXL kernel parameters and their values appear in various SK articles in Check Point Support Center, and are provided by Check Point Support.

Important:
- The names of SecureXL kernel parameters are case-sensitive.
- You cannot configure SecureXL kernel parameters on-the-fly with the "fw ctl set" command. You must configure them only permanently in the special configuration file $PPKDIR/conf/simkern.conf. Schedule a maintenance window, because this procedure requires a reboot.
- For some SecureXL kernel parameters, you cannot get their current value on-the-fly with the "fw ctl get" command (see sk43387).
- In Cluster, you must configure all the Cluster Members in the same way.

Examples of SecureXL kernel parameters

Integer:
    num_of_sxl_devices
    sim_ipsec_dont_fragment
    tcp_always_keepalive
    sim_log_all_frags
    simple_debug_filter_dport_1
    simple_debug_filter_proto_1

String:
    simple_debug_filter_addr_1
    simple_debug_filter_daddr_2
    simlinux_excluded_ifs_list
Viewing the list of the available SecureXL integer kernel parameters and their values

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. Get the list of the available integer kernel parameters and their values:

   modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/sxl_integer_kernel_parameters.txt 2>> /var/log/sxl_integer_kernel_parameters.txt

4. Analyze the output file:

   /var/log/sxl_integer_kernel_parameters.txt

Viewing the list of the available SecureXL string kernel parameters and their values

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. Get the list of the available string kernel parameters and their values:

   modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/sxl_string_kernel_parameters.txt 2>> /var/log/sxl_string_kernel_parameters.txt

4. Analyze the output file:

   /var/log/sxl_string_kernel_parameters.txt

Configuring a value for a SecureXL kernel parameter permanently

For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway.

1. Connect to the command line on your Security Gateway or Cluster Member.
2. Log in to the Expert mode.
3. See if the configuration file already exists:
   ls -l $PPKDIR/conf/simkern.conf
4. If this file already exists, skip to Step 5.
   If this file does not exist, then create it manually and then skip to Step 6:
   touch $PPKDIR/conf/simkern.conf
5. Back up the current configuration file:
   cp -v $PPKDIR/conf/simkern.conf{,_BKP}
6. Edit the current configuration file:
   vi $PPKDIR/conf/simkern.conf
7. Add the required SecureXL kernel parameter with the assigned value in the exact format specified below.

   Important - This configuration file does not support space characters, tabulation characters, and comments (lines that contain the # character).

   - To add an integer kernel parameter:
     <Name_of_SecureXL_Integer_Kernel_Parameter>=<Integer_Value>
   - To add a string kernel parameter:
     Note - You must write the value in single quotes, or double-quotes.
     <Name_of_SecureXL_String_Kernel_Parameter>='<String_Text>'
     or
     <Name_of_SecureXL_String_Kernel_Parameter>="<String_Text>"
8. Save the changes in the file and exit the Vi editor.
9. Reboot the Security Gateway or Cluster Member.

   Important - In cluster, this can cause a failover.

10. Connect to the command line on your Security Gateway or Cluster Member.
11. Log in to Gaia Clish or the Expert mode.
12. Make sure the new value of the kernel parameter is set:
    - For an integer kernel parameter, run:
      fw ctl get int <Name of Integer Kernel Parameter> [-a]
    - For a string kernel parameter, run:
      fw ctl get str <Name of String Kernel Parameter> [-a]
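The permanent-configuration procedures for Firewall and VPN kernel parameters (fwkern.conf, vpnkern.conf) and for SecureXL (simkern.conf) share one file format, and the guide's own warning is that a stray space, tab or comment line breaks it, after which the mistake only surfaces on the next reboot. The functions below are an added example, not Check Point code, serving both procedures: kern_conf_check validates a file line by line against that format, and kern_conf_set makes the backup of step 5, then adds or replaces one parameter and re-validates, refusing any entry that would not parse. Rejecting empty lines is my own stricter choice, which the guide does not mention; the self-test edits a constructed temporary file using parameter names from this page with made-up values, not a real gateway file.

```shell
# Added example, not Check Point code. Validates and edits files in the format
# the procedures above require for fwkern.conf, vpnkern.conf and simkern.conf:
# one NAME=VALUE per line, integers bare, strings in single or double quotes,
# no spaces, tabs or # comments. Rejecting empty lines is my own stricter
# choice; the guide does not mention them.

q="'"
KERN_LINE_RE="^[A-Za-z0-9_]+=(-?[0-9]+|${q}[^${q}]*${q}|\"[^\"]*\")\$"
TAB=$(printf '\t')

# kern_conf_check <file>: 0 if every line is well-formed, else 1 with each
# offending line reported on stderr.
kern_conf_check() {
    f=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *' '*|*"$TAB"*|*'#'*)
                echo "$f:$n: spaces, tabs and # are not allowed: $line" >&2; rc=1; continue ;;
        esac
        printf '%s\n' "$line" | grep -q -E "$KERN_LINE_RE" \
            || { echo "$f:$n: malformed entry: $line" >&2; rc=1; }
    done < "$f"
    return $rc
}

# kern_conf_get <file> <name>: print the configured value (quotes included).
kern_conf_get() {
    sed -n "s/^$2=//p" "$1"
}

# kern_conf_set <file> <name> <value>: back up to <file>_BKP as step 5 does,
# then replace an existing definition of NAME or append one. Pass string
# values already quoted, e.g. "'UTF-8'"; the entry is validated first, which
# also guarantees NAME is plain [A-Za-z0-9_] before it is used in a regex.
kern_conf_set() {
    f=$1; name=$2; value=$3
    entry="$name=$value"
    printf '%s\n' "$entry" | grep -q -E "$KERN_LINE_RE" \
        || { echo "refusing malformed entry: $entry" >&2; return 1; }
    [ -f "$f" ] || : > "$f"
    cp "$f" "${f}_BKP"
    tmp=$(mktemp)
    grep -v -E "^$name=" "$f" > "$tmp" || true   # grep exits 1 when nothing is left
    printf '%s\n' "$entry" >> "$tmp"
    mv "$tmp" "$f"
    kern_conf_check "$f"
}
```

Usage on a gateway would be kern_conf_set "$FWDIR/boot/modules/fwkern.conf" fw_log_bufsize <value> (or "$PPKDIR/conf/simkern.conf" for SecureXL), followed by the reboot and the fw ctl get int / fw ctl get str verification from step 12; the file edit alone changes nothing until then.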
