Useful CLI Commands Check Point
Cheatsheets
Check Point CLI Reference Card (https://www.roesen.org/files/cp_cli_ref_card.pdf)
FW Monitor (https://www.roesen.org/files/fw_monitor.pdf)
R80 Cheat Sheet FW-Monitor (https://www.ankenbrand24.de/index.php/articles/check-point-articel/cheat-sheets/r80-cheat-sheet-fw-monitor/)
ClusterXL Cheat Sheet (https://www.ankenbrand24.de/index.php/articles/check-point-articel/cheat-sheets/r80-cheat-sheet-clusterxl/)
CLISH Commands
To start a transaction in CLISH use start transaction. Transaction mode is ended with either commit or rollback: all changes made while in transaction mode are applied together on commit, and none of them are applied on rollback. Note that commit only applies the changes to the running configuration; run save config afterwards so they survive a reboot.
Show Commands
show commands                        shows all commands
show allowed-client all              shows the allowed clients
show arp dynamic all                 shows the dynamic ARP entries
show arp proxy all                   shows the proxy ARP entries
show arp static all                  shows all static ARP entries
show as                              shows the autonomous system number
show assets all                      shows hardware information
show bgp stats                       shows BGP statistics
show bgp summary                     shows summary information about BGP
show bootp stats                     shows BOOTP/DHCP relay statistics
show bootp interface                 shows all BOOTP/DHCP relay interfaces
show bonding groups                  shows all bonding groups
show bridging groups                 shows all bridging groups
show backups                         shows a list of local backups
show backup status                   shows the status of a backup or restore operation in progress
show backup last-successful          shows the latest successful backup
show backup logs                     shows the logs of the recent backups/restores
show clock                           shows the current clock
show configuration                   shows the configuration
show config-state                    shows whether the configuration is saved or unsaved
show date                            shows the date
show dns primary                     shows the primary DNS server
show dns secondary                   shows the secondary DNS server
show extended commands               shows all extended commands
show groups                          shows all user groups
show hostname                        shows the host name
show inactivity-timeout              shows the inactivity-timeout setting
show interfaces                      lists all interfaces
show interfaces all                  shows detailed information about all interfaces
show interface ethX                  shows the settings of interface ethX
show ipv6-state                      shows whether IPv6 is enabled or disabled
show management interface            shows the management interface configuration
show ntp active                      shows whether NTP is enabled or disabled
show ntp servers                     shows the NTP servers
show ospf database                   shows OSPF database information
show ospf neighbors                  shows OSPF neighbor information
show ospf summary                    shows OSPF summary information
show pbr rules                       shows policy based routing rules
show pbr summary                     shows policy based routing summary information
show pbr tables                      shows the PBR tables
show route                           shows the routing table
show routed version                  shows the routed version
show snapshots                       shows a list of local snapshots
show snmp agent-version              shows whether the SNMP agent version is v1/v2/v3
show snmp interfaces                 shows the SNMP agent interfaces
show snmp traps receivers            shows the SNMP trap receivers
show time                            shows the local machine time
show timezone                        shows the configured timezone
show uptime                          shows the system uptime
show users                           shows the configured users with their homedir, uid/gid and shell
show user <username>                 shows the settings of a particular user
show version all                     shows OS edition, kernel version, product version etc.
show virtual-system all              shows the configured virtual systems
show vpn tunnels                     shows the VPN tunnels
show vrrp interfaces                 shows the VRRP-enabled interfaces
show vrrp stats                      shows VRRP statistics
Set Commands
add allowed-client host any-host                            adds any host to the allowed clients list
add allowed-client host <ip address>                        adds an allowed client by IPv4 address
add backup local                                            creates and stores a backup file in /var/CPbackup/backups/ (open servers) or /var/log/CPbackup/backups/ (Check Point appliances)
add backup scp ip <value> path <value> username <value>     creates a backup on an SCP server
add backup tftp ip <value> [interactive]                    creates a backup on a TFTP server
add snapshot                                                creates a snapshot, which backs up everything (OS configuration, Check Point configuration, versions, patch level), including the drivers
add syslog log-remote-address <ip address> level <emerg/alert/crit/err/warning/notice/info/debug/all>   sets the remote syslog parameters
add user <username> uid <user-id-value> homedir <path>      creates a user
expert                                                      enters the system shell (expert mode)
halt                                                        halts the system
history                                                     shows the command history
lock database override                                      overrides the config-lock (takes the lock from another session)
quit                                                        exits the shell
reboot                                                      reboots the system
restore backup local [value]                                restores a local backup interactively
rollback                                                    ends transaction mode by reverting the changes made during the transaction
save config                                                 saves the current configuration
set backup restore local <filename>                         restores a local backup
set cluster member admin {down | up}                        initiates a manual cluster failover (admin down) or reverts it (admin up)
set core-dump <enable/disable>                              enables/disables core dumps
set date yyyy-mm-dd                                         sets the system date
set dhcp server enable                                      enables the DHCP server
set dns primary <x.x.x.x>                                   sets the primary DNS server address
set dns secondary <x.x.x.x>                                 sets the secondary DNS server address
set expert-password                                         sets or changes the password for entering expert mode
set edition default <value>                                 sets the default edition to 32-bit or 64-bit
set hostname <value>                                        sets the system hostname
set inactivity-timeout <value>                              sets the inactivity timeout
set interface ethX ipv4-address x.x.x.x mask-length 24      assigns an IP address to an interface
set ipv6-state on/off                                       turns IPv6 on or off
set kernel-routes on/off                                    turns kernel routes on or off
set management interface <interface name>                   sets an interface as the management interface
set message motd <value>                                    sets the message of the day
set ntp active on/off                                       activates or deactivates NTP
set ntp server primary x.x.x.x version <1/2/3/4>            sets the primary NTP server
set ntp server secondary x.x.x.x version <1/2/3/4>          sets the secondary NTP server
set snapshot revert <filename>                              reverts the machine to the selected snapshot
set snmp agent on/off                                       turns the SNMP agent daemon on or off
set snmp agent-version <value>                              sets the SNMP agent version
set snmp community <value> read-only                        sets the SNMP read-only community string
add snmp interface <interface name>                         sets an SNMP agent interface
set snmp traps receiver <ip address> version v1 community <value>   sets a trap receiver
set snmp traps trap <value>                                 sets SNMP traps
set static-route x.x.x.x/xx nexthop gateway address x.x.x.x on     adds a specific static route
set static-route x.x.x.x/xx comment "{comment}"             adds a comment to a static route
set static-route NETWORK_ADDRESS/MASK_LENGTH nexthop gateway address GATEWAY_IP_ADDRESS off   deletes a next hop from a static route
set static-route <Destination IP address> off               deletes a static route
set static-route default nexthop gateway address GATEWAY_IP_ADDRESS off   deletes the default route's next hop
set time <value>                                            sets the system time
set timezone <time-zone>                                    sets the time zone
set vsx on                                                  turns VSX mode on
set vsx off                                                 turns VSX mode off
set user <username> password                                sets a user's password
set web session-timeout <value>                             sets the web configuration session time-out in minutes
set web ssl-port <value>                                    sets the web SSL port of the system
Note on SNMP: v1/v2c community strings are sent in cleartext and are the only credential. Where the poller supports it, prefer set snmp agent-version v3-Only with an SNMPv3 user (authentication and privacy) over exposing a v2c community on the network.
Generic Commands
The commands below have to be used in expert mode and NOT in clish.
Entries are listed as Action (Use on), followed by the command(s).
SIC Reset (GW / MGMT):
    On the gateway: cpconfig -> Secure Internal Communication -> re-initialize communication -> enter the activation key.
    On the MGMT: go to the gateway object -> General Properties -> Communication and re-initialize SIC with the same activation key.
    More information: How to reset SIC; How to troubleshoot SIC; How to reset SIC on a VSX Gateway for a specific Virtual System.
Show licenses (MGMT / GW):
    cplic print -x      (-x prints the signatures)
Remove Evaluation License (GW):
    cplic eval_disable
    Output: "You have disabled Check Point evaluation period. For activation you need to restart ALL Check Point modules (performing cpstop & cpstart)"
Get licenses from the management server on the gateway (GW):
    contract_util mgmt
Show enabled blades (GW):
    enabled_blades
    Example:
    # enabled_blades
    fw ips ThreatEmulation Scrub
ClusterXL switch over, i.e. disable the ClusterXL state of this member (GW):
    clusterXL_admin down [-p]
    The -p flag is optional (stands for "permanent"): the Critical Device "admin_down" is added to the $FWDIR/conf/cphaprob.conf file, so the admin-down state survives a reboot. Undo with clusterXL_admin up [-p].
Show cluster status (GW):
    cphaprob stat
Show virtual cluster interfaces (GW):
    cphaprob -a if
Debug to see all dropped connections (GW):
    fw ctl zdebug drop
    fw ctl zdebug -h      (help)
Debug to see all NAT information (GW):
    fw ctl zdebug + xlat
Debug to get a fast packet trace (GW):
    fw ctl zdebug + packet | grep -B 1 TCP | grep -B 1 "(SYN)"
    Caution: fw ctl zdebug turns on kernel debug with a small buffer and prints to the terminal; on a busy gateway it costs CPU and can flood the console. Narrow it with grep where possible (e.g. fw ctl zdebug drop | grep <ip>) and stop it with Ctrl-C.
See stats of the number of connections (GW):
    cpstat fw
Connections load on the firewall (GW):
    fw tab -s -t connections
Clear ALL connections on the firewall from the table (GW, CAUTION: every established session is dropped):
    fw tab -t connections -x
ClusterXL sync statistics up to R80.10 (sk34476) (GW):
    fw ctl pstat
    CLISH: show cluster statistics sync
ClusterXL sync statistics for R80.20 and higher (sk34475) (GW):
    Expert: cphaprob syncstat
Show connected SmartConsole clients (MGMT):
    cpstat mg
Manage the GUI clients that can use SmartConsole to connect to the Security Management Server (MGMT):
    cp_conf client get                                            # get the GUI clients list
    cp_conf client add <GUI client>                               # add one GUI client
    cp_conf client del <GUI client 1> <GUI client 2>...           # delete GUI clients
    cp_conf client createlist <GUI client 1> <GUI client 2>...    # create a new list
Show sync details (GW):
    fw ha -f all
Show packets accepted, dropped, peak connections, and top rule hits (GW):
    cpstat blades
Use CLI commands over SIC from the MGMT without a password (MGMT):
    cprid_util (--help)
    cprid_util runs commands on a gateway as root through the SIC trust that the management holds, so it serves as a "last chance" channel for configuration. Example: reset the admin password without access to the gateway:
    /sbin/grub-md5-crypt                                                                              # generate the password hash (MD5-crypt, $1$)
    cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set config-lock on override'                       # ensure the clish database is unlocked
    cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set user admin password-hash <Password_Hash_from_above>'   # set the admin user's password hash
    cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set expert-password-hash <Password_Hash_from_above>'        # change the expert password hash
    Because this needs no gateway credential at all, anyone with expert access on the management server effectively has root on every managed gateway; protect management-server access accordingly.
Show interfaces, IP addresses and subnet masks, a very good interface overview (MGMT / GW):
    fw getifs
Show installed hotfixes and releases (GW):
    cpinfo -y all
Create a cpinfo file for sending to support (MGMT / GW):
    cpinfo -Ddlzk -o /var/tmp/$HOSTNAME
    Included are log files and a fw table dump. The resulting file is compressed. It contains configuration, state tables and logs, so handle it as sensitive data.
Show statistics about accelerated traffic (GW):
    fwaccel stats -s
List which interface is connected to which IRQ and which core (GW):
    fw ctl affinity -l -v -r
    fw ctl affinity -s will subsequently allow you to set the values.
Show state and timeline of ClusterXL events in CLISH (GW, **UNDOCUMENTED**):
    CLISH: show routed cluster-state detailed
Top 10 source IPs in the connection table (GW):
    fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10
    The addresses are printed as hex; convert them manually to dotted notation, e.g. 0a1f0af2 = 10.31.10.242.
    For the top 10 destinations, substitute $4 for $2 in the awk command.
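The hex conversion step above is the tedious part. The following script is an added example (not from the original page or from Check Point) that does the same ranking for sources and destinations and converts the hex words itself. It assumes, as the awk one-liner does, that each record of fw tab -u -t connections begins with <dir, src, sport, dst, dport, proto; ...> in 8-digit hex; the sample output embedded in it is constructed for offline use.

```python
import re
import sys
from collections import Counter
from typing import Iterable, Iterator

# Added example: rank source/destination addresses in "fw tab -u -t connections"
# output. Assumption (same column layout the awk one-liner relies on): a record
# starts with "<dir, src, sport, dst, dport, proto; ...>" as 8-digit hex words.
RECORD = re.compile(
    r"^<([0-9a-f]{8}), ([0-9a-f]{8}), ([0-9a-f]{8}), ([0-9a-f]{8}), ([0-9a-f]{8}), ([0-9a-f]{8})[;,>]"
)

# Constructed sample output for offline use; the two header lines are placeholders.
SAMPLE_OUTPUT = """\
localhost:
-------- connections --------
<00000000, 0a1f0af2, 0000c0e6, 0a1f0a01, 00000050, 00000006; 00010001, 00000000; 3593/3600>
<00000000, 0a1f0af2, 0000c0e7, 0a1f0a01, 000001bb, 00000006; 00010001, 00000000; 3590/3600>
<00000000, 0a1f0a33, 0000d21c, 0a1f0a01, 00000035, 00000011; 00010001, 00000000; 39/40>
<00000000, c0a80105, 0000e8a0, 0a1f0af2, 00000016, 00000006; 00010001, 00000000; 3599/3600>
"""


def hex_to_ip(word: str) -> str:
    """'0a1f0af2' -> '10.31.10.242' (IPv4 printed big-endian, as fw tab does)."""
    return ".".join(str(int(word[i:i + 2], 16)) for i in (0, 2, 4, 6))


def parse_connections(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per connection record; header and other lines are skipped."""
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        _direction, src, sport, dst, dport, proto = m.groups()
        yield {
            "src": hex_to_ip(src), "sport": int(sport, 16),
            "dst": hex_to_ip(dst), "dport": int(dport, 16),
            "proto": int(proto, 16),
        }


def top_talkers(lines: Iterable[str], field: str = "src", n: int = 10) -> list:
    """Top-n (address, count) pairs for field 'src' or 'dst'."""
    counts = Counter(conn[field] for conn in parse_connections(lines))
    return counts.most_common(n)


if __name__ == "__main__":
    # Usage on the gateway, or on a workstation with captured output:
    #   fw tab -u -t connections | python3 conn_top.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines()
    lines = list(source)
    for field in ("src", "dst"):
        print(f"Top {field}:")
        for ip, count in top_talkers(lines, field):
            print(f"{count:8d}  {ip}")
```

With no piped input the script ranks the embedded sample; piped fw tab output replaces it. Because records are parsed into fields, filtering by port or protocol before counting is a one-line change.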
Log Diagnostic Report (LOG):
    $RTDIR/scripts/doctor_log.sh
    It analyzes the logs and gives a brief output of your current logging and daily average logging rates. It also produces a detailed output at /tmp/sme-diag/results/detailed_diag_report.txt
    https://community.checkpoint.com/t5/Logging-and-Reporting/R80-xx-equivalent-of-CPLogInvestigator-for-Log-Volume-and/td-p/46792
VPN Commands
The commands below have to be used in expert mode and NOT in clish.
To view information about VPN tunnels in R80+:
Open SmartConsole > Logs & Monitor, open the catalog (new tab) and click Tunnel & User Monitoring.
See also: Logging and Monitoring R80.10 (Part of Check Point Infinity)
Entries are listed as Action (Use on), followed by the command(s).
VPN statistics (GW):
    cpstat -f all vpn
VPN tunnel manipulation (GW):
    vpn tu
    Interactive usage (better): vpn shell
VPN Remote Access specific (GW):
    pep show user all
Check the VPN-1 major and minor version as well as build number and latest hotfix (GW):
    vpn ver [-k]      (-k shows the kernel version)
Show overlapping VPN domains, if any (GW):
    vpn overlap_encdom
VPN IKE debugging, Phase 1 and Phase 2 communication (GW):
    vpn debug ikeon       (enable IKE debug)
    vpn debug ikeoff      (disable IKE debug)
    The resulting $FWDIR/log/ike.elg and/or $FWDIR/log/ikev2.xml can be opened in Check Point's "IKEView" utility, see sk30994. Run vpn debug ikeoff when done: the debug files grow with every negotiation and contain peer identities and proposal details.
VSX specific
The commands below have to be used in expert mode and NOT in clish.
Entries are listed as Action (Use on), followed by the command(s).
Show VSX status (VSX / VS):
    vsx stat [-v] [-l] [id]
    Verbose with -v, interface list with -l, or status of a single VS with VS ID <id>.
Show connection stats (VSX):
    vsx stat -v -l
    Example:
    # vsx stat -v -l
    VSID:               0
    VRID:               0
    Type:               VSX Gateway
    Name:               fwvsx01
    Security Policy:    fwvsx01_VSX
    Installed at:       21Nov2019 10:30:11
    SIC Status:         Trust
    Connections number: 66
    Connections peak:   765
    Connections limit:  14900

    VSID:               1
    VRID:               1
    Type:               Virtual System
    Name:               fw01p
    Security Policy:    FW_01
    Installed at:       25Nov2019 11:30:39
    SIC Status:         Trust
    Connections number: 30628
    Connections peak:   90464
    Connections limit:  119900
View the current shell context (VSX):
    vsenv
Set the context to VS ID <id> (VSX):
    vsenv <id>
Reset SIC for a VS (VSX):
    vsenv <id>; fw vsx sicreset
View state tables for virtual system <id> (VSX):
    vsenv <id>; fw tab -t <table>
View traffic for the virtual system with ID <id> (VSX):
    fw monitor -v <id> -e 'accept;'
    Attention: with fw monitor use -v instead of -vs.
View the HA state of all configured Virtual Systems (VSX):
    cphaprob state
View the HA state for Virtual System ID <id> (VSX):
    cphaprob -vs <id> state
Show all bond interfaces and cluster state (VSX):
    cphaprob show_bond -a
Check the VS bit state (VSX):
    vs_bits -stat
    All VSs are at 64 bits (R80.20 default, R80.10 needs an upgrade).
Show virtual devices memory usage (VSX):
    cpstat -f memory vsx
Traffic statistics per virtual system, see sk90860 (VSX). More information: Check Point Useful SNMP OIDs (VSX).
    snmpwalk -v 2c -c community 127.0.0.1 .1.3.6.1.4.1.2620.1.16.22.3      (vsxStatusMemoryUsage)
    Example output:
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.1.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.2.0 = INTEGER: 1
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.3.0 = INTEGER: 2
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.4.0 = INTEGER: 3
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.1.0 = STRING: "vs0"
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.2.0 = STRING: "vs1"
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.3.0 = STRING: "vs2"
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.4.0 = STRING: "vs3"
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.1.0 = Gauge32: 0
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.2.0 = Gauge32: 0
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.3.0 = Gauge32: 0
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.4.0 = Gauge32: 0
    The walk above queries the local agent with a v2c community. Community strings travel in cleartext, so for remote polling use SNMPv3 (set snmp agent-version v3-Only plus an SNMPv3 user) instead of exposing a v2c community on the network.
To enable monitoring CPU per VS with OID .1.3.6.1.4.1.2620.1.16.22.4 (VSX):
    fw vsx resctrl monitor enable
To enable monitoring memory per VS with OID .1.3.6.1.4.1.2620.1.16.22.3 (VSX):
    vsx mstat enable
    Needs a reboot!
API specific (mgmt_cli)
API Manual: https://sc1.checkpoint.com/documents/latest/APIs/index.html
The mgmt_cli tool is installed as part of Gaia on all R80 gateways and management servers and can be used in scripts running in expert mode.
The mgmt_cli.exe tool is installed as part of the R80 SmartConsole installation (typically under C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\) and can be copied to run on any Windows machine.
On Windows you cannot log in with a certificate, since mgmt_cli_login is missing; log in with user/password or use the mgmt_cli tool on the management server.
When running on the management server itself, the root flag logs you in as a super-user administrator from your SSH session without asking for credentials:
mgmt_cli -r true
This works only locally on the management server, which is also why expert access there must be treated as full administrative access to the management database.
If your management server's API listens on another port (e.g. 8443), use:
mgmt_cli --port 8443
Show api-settings
Check whether clients are allowed to connect to the API and review all API settings:
mgmt_cli -r true --domain 'System Data' show api-settings
...
accepted-api-calls-from: "all ip addresses"
...
"all ip addresses" means every host that can reach the API port may attempt to log in. Where possible restrict it to the management server only or to the GUI clients list (SmartConsole > Manage & Settings > Blades > Management API > Advanced Settings).
API Status
To confirm that the API is usable and available remotely, run api status. If Accessibility shows "Require all granted", any system can access the API (on R80 this shows "Allow all").
[Expert@awsmgmt:0]# api status
API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 14472
CPM Started 14350 Check Point Security Management Server is running and ready
FWM Started 13807
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
API Status Troubleshooting data
To create a <comment>.tgz file with troubleshooting data start
api status -s <comment>
API restart
To restart the api process use the following
api restart
2024-Jun-21 11:59:04 - Stopping API ...
2024-Jun-21 11:59:06 - API stopped successfully.
2024-Jun-21 11:59:06 - Starting API ...
2024-Jun-21 11:59:08 - API started successfully.
Logging in
First create a session, store its ID in a file and reuse the file:
mgmt_cli login user admin > id.txt
With read-only access:
mgmt_cli login user admin read-only true > id.txt
The file holds a bearer session ID that is valid until it expires or you log out, so create it with restrictive permissions (e.g. umask 077 first) and finish with mgmt_cli logout -s id.txt, after mgmt_cli publish -s id.txt if you made changes.
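For scripts that should not scatter id.txt files around, the same login/session/logout exchange can be done directly against the Management Web API that mgmt_cli wraps. The client below is an added example, not the page's or Check Point's code: every call is an HTTPS POST of a JSON body to /web_api/<command>, login returns a sid, and later calls carry it in the X-chkp-sid header. The transport is injectable, and the fake_transport function is a constructed stand-in for a management server (hypothetical host web01) so the flow runs offline; the hosts_containing_ip helper mirrors the show objects ... ip-only true query used further down.

```python
import json
from typing import Callable, Optional
from urllib import request

# Added example: Management Web API login -> call -> logout, mirroring what
# "mgmt_cli login ... > id.txt" and "mgmt_cli -s id.txt ..." do.
Transport = Callable[[str, dict, Optional[str]], dict]


def urllib_transport(url: str, payload: dict, sid: Optional[str]) -> dict:
    """Real transport: one JSON POST, TLS verified against the system CA store."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = request.Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class MgmtApiSession:
    """Keeps the session id in memory rather than in an id.txt file on disk."""

    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/") + "/web_api/"
        self.transport = transport
        self.sid: Optional[str] = None

    def call(self, command: str, payload: Optional[dict] = None) -> dict:
        return self.transport(self.base + command, payload or {}, self.sid)

    def login(self, user: str, password: str, read_only: bool = False) -> str:
        resp = self.call("login", {"user": user, "password": password, "read-only": read_only})
        if "sid" not in resp:
            raise RuntimeError(f"login failed: {resp.get('message', resp)}")
        self.sid = resp["sid"]
        return self.sid

    def logout(self) -> None:
        if self.sid:
            self.call("logout")
            self.sid = None

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.logout()


def hosts_containing_ip(session: MgmtApiSession, ip: str) -> list:
    """Equivalent of: mgmt_cli -s id.txt show objects filter <ip> ip-only true"""
    resp = session.call("show-objects", {"filter": ip, "ip-only": True})
    return [obj["name"] for obj in resp["objects"]]


def fake_transport() -> Transport:
    """Constructed stand-in for a management server; data is hypothetical."""
    state = {"sid": None}

    def transport(url: str, payload: dict, sid: Optional[str]) -> dict:
        command = url.rsplit("/", 1)[-1]
        if command == "login":
            if payload.get("password") != "s3cret":
                return {"code": "err_login_failed", "message": "Authentication to server failed."}
            state["sid"] = "FAKE-SID-0001"
            return {"sid": state["sid"], "read-only": payload.get("read-only", False)}
        if sid is None or sid != state["sid"]:
            raise PermissionError("missing or expired X-chkp-sid")
        if command == "show-objects":
            return {"objects": [{"name": "web01", "type": "host", "ipv4-address": "192.168.1.1"}], "total": 1}
        if command == "logout":
            state["sid"] = None
            return {"message": "OK"}
        raise ValueError(f"unhandled command {command}")

    return transport


if __name__ == "__main__":
    # Swap fake_transport() for the default urllib_transport to talk to a real server.
    with MgmtApiSession("https://mgmt.example.invalid", fake_transport()) as s:
        s.login("admin", "s3cret", read_only=True)
        print(hosts_containing_ip(s, "192.168.1.1"))
```

The context manager guarantees the logout call, so a crash mid-script does not leave a live session behind; with id.txt on disk the equivalent is the explicit mgmt_cli logout.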
Search objects in the database
Search objects by IP; this returns all objects that contain the IP explicitly or within a network address space/range:
mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'
Show Hosts
mgmt_cli -s id.txt show hosts --format json
Show access layers
mgmt_cli show access-layers limit 500 -s id.txt --format json | jq '."access-layers"[].name'
Output:
"Layer1"
"Layer2"
...
Show the number of rules in a policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'
Show the access rule base
mgmt_cli show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2020-01-01" hits-settings.to-date "2020-12-31T23:59" hits-settings.target "corporate-gw" --format json
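The show-hits output is what a rule-base cleanup works from. The script below is an added example (not from the original page or from Check Point) that reviews such a JSON dump: it flattens sections, resolves object UIDs through the objects-dictionary, lists enabled rules with zero hits in the queried window, flags any-to-any accept rules, and pages through offset/limit until "to" reaches "total" (the counters shown in the output further down). The layout it assumes (access-rule and access-section entries, UID references, hits.value) follows the show access-rulebase response as I understand it; the embedded rulebase is constructed, with hypothetical object names.

```python
import json
from typing import Callable, Iterable, Iterator

# Added example: review "show access-rulebase ... use-object-dictionary true
# show-hits true" JSON. Assumed layout: "rulebase" holds access-rule entries and
# access-section entries that nest their own "rulebase"; source/destination/action
# are UIDs resolved via "objects-dictionary"; "hits.value" covers the hits-settings window.
SAMPLE_RULEBASE = json.loads("""
{
  "name": "Network",
  "rulebase": [
    {"type": "access-rule", "rule-number": 1, "name": "Mgmt access", "enabled": true,
     "source": ["u-mgmt"], "destination": ["u-gw"], "action": "u-accept",
     "hits": {"value": 12034, "level": "high"}},
    {"type": "access-section", "name": "Legacy", "rulebase": [
      {"type": "access-rule", "rule-number": 2, "name": "Old app", "enabled": true,
       "source": ["u-any"], "destination": ["u-oldsrv"], "action": "u-accept",
       "hits": {"value": 0, "level": "zero"}},
      {"type": "access-rule", "rule-number": 3, "name": "Disabled", "enabled": false,
       "source": ["u-any"], "destination": ["u-any"], "action": "u-drop",
       "hits": {"value": 0, "level": "zero"}}
    ]},
    {"type": "access-rule", "rule-number": 4, "name": "Temp allow", "enabled": true,
     "source": ["u-any"], "destination": ["u-any"], "action": "u-accept",
     "hits": {"value": 5, "level": "low"}},
    {"type": "access-rule", "rule-number": 5, "name": "Cleanup", "enabled": true,
     "source": ["u-any"], "destination": ["u-any"], "action": "u-drop",
     "hits": {"value": 88, "level": "low"}}
  ],
  "objects-dictionary": [
    {"uid": "u-mgmt", "name": "mgmt-net", "type": "network"},
    {"uid": "u-gw", "name": "corporate-gw", "type": "simple-gateway"},
    {"uid": "u-any", "name": "Any", "type": "CpmiAnyObject"},
    {"uid": "u-oldsrv", "name": "old-app-srv", "type": "host"},
    {"uid": "u-accept", "name": "Accept", "type": "RulebaseAction"},
    {"uid": "u-drop", "name": "Drop", "type": "RulebaseAction"}
  ],
  "from": 1, "to": 5, "total": 5
}
""")


def iter_rules(entries: Iterable[dict]) -> Iterator[dict]:
    """Flatten the rulebase, descending into sections."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry


def describe(rule: dict, names: dict) -> dict:
    """Resolve UIDs to names for the fields a reviewer reads."""
    def resolve(uids):
        return [names.get(u, u) for u in uids]
    return {"rule-number": rule["rule-number"], "name": rule.get("name", ""),
            "source": resolve(rule["source"]), "destination": resolve(rule["destination"]),
            "action": names.get(rule["action"], rule["action"])}


def zero_hit_rules(data: dict, include_disabled: bool = False) -> list:
    """Rules with no hits in the queried window: removal candidates."""
    names = {o["uid"]: o["name"] for o in data.get("objects-dictionary", [])}
    return [describe(r, names) for r in iter_rules(data["rulebase"])
            if r.get("hits", {}).get("value", 0) == 0
            and (include_disabled or r.get("enabled", True))]


def any_any_accept_rules(data: dict) -> list:
    """Enabled rules accepting Any -> Any: review regardless of hit count."""
    names = {o["uid"]: o["name"] for o in data.get("objects-dictionary", [])}
    found = []
    for r in iter_rules(data["rulebase"]):
        d = describe(r, names)
        if r.get("enabled", True) and d["source"] == ["Any"] and d["destination"] == ["Any"] \
                and d["action"] == "Accept":
            found.append(d)
    return found


def fetch_all(fetch_page: Callable[[int, int], dict], page_size: int = 500) -> dict:
    """Page with offset/limit until 'to' reaches 'total'; merge entries and dictionary."""
    entries, dictionary, offset = [], [], 0
    while True:
        page = fetch_page(offset, page_size)
        entries.extend(page["rulebase"])
        dictionary.extend(page.get("objects-dictionary", []))
        if page["to"] >= page["total"]:
            return {"rulebase": entries, "objects-dictionary": dictionary}
        offset = page["to"]


if __name__ == "__main__":
    # Usage: mgmt_cli -s id.txt show access-rulebase name "Network" use-object-dictionary true \
    #   show-hits true --format json > rulebase.json, then json.load() it in place of the sample.
    for r in zero_hit_rules(SAMPLE_RULEBASE):
        print("no hits:", r)
    for r in any_any_accept_rules(SAMPLE_RULEBASE):
        print("any/any accept:", r)
```

Disabled rules are excluded from the zero-hit list by default because a disabled rule always shows zero hits; pass include_disabled=True to list them for deletion as well. A zero-hit result is only as good as the hits-settings window and target, so query a period that covers the application's real usage cycle before removing anything.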
Display a rule by its UID
mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
Show unused objects in the objects database
mgmt_cli show unused-objects offset 0 limit 50 details-level "standard" -s id.txt --format json
Show changes in the objects database (who and when)
mgmt_cli show changes from-date "2019-04-11T08:20:50" to-date "2019-04-15" -s id.txt --format json
Run a script on a firewall
https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/run-script~v1.6
mgmt_cli run-script script-name "ifconfig" script "ifconfig" targets.1 "corporate-gateway" -s id.txt --format json
run-script executes the script as root on the target gateway through the management's SIC trust, so any administrator whose permission profile includes it has root on all targets; scope API permission profiles accordingly.
Show application-site URLs
mgmt_cli show application-site name "HTTPS Pass Through Global" details-level "standard" -s id.txt --version 1.2 --format json
Show VPN communities
mgmt_cli -r true show vpn-communities-star details-level full -s id.txt --format json
mgmt_cli -r true show vpn-communities-meshed details-level full -s id.txt --format json
Count and show access layers (inline layers)
mgmt_cli show access-layers limit 500 --format json
Output (tail):
  } ],
  "from" : 1,
  "to" : 260,
  "total" : 260
Links
http://sicuriconnoi.blogspot.com/2017/11/top-checkpoint-cli-commands.html
Check Point stattest Utility for OID Troubleshooting on GW:
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_CLI_ReferenceGuide/Content/Topics-CLIG/FWG/stattest.htm
Revision #35
Created 20 October 2020 13:40:45
Updated 21 June 2024 09:59:46 by Peter Baumann