Checkpoint commands generally come under,
- cp – general
- fw – firewall
- fwm – management
CP, FW & FWM Commands
| cphaprob stat | List cluster status |
| cphaprob -a if | List status of interfaces |
| cphaprob syncstat | shows the sync status |
| cphaprob list | Shows a status in list form |
| cphastart/stop | Stops clustering on the specfic node |
| cp_conf sic | SIC stuff |
| cpconfig | config util |
| cplic print | prints the license |
| cprestart | Restarts all Checkpoint Services |
| cpstart | Starts all Checkpoint Services |
| cpstop | Stops all Checkpoint Services |
| cpstop -fwflag -proc | Stops all checkpoint Services but keeps policy active in kernel |
| cpwd_admin list | List checkpoint processes |
| cplic print | Print all the licensing information. |
| cpstat -f all polsrv | Show VPN Policy Server Stats |
| cpstat | Shows the status of the firewall |
| fw tab -t sam_blocked_ips | Block IPS via SmartTracker |
| fw tab -t connections -s | Show connection stats |
| fw tab -t connections -f | Show connections with IP instead of HEX |
| fw tab -t fwx_alloc -f | Show fwx_alloc with IP instead of HEX |
| fw tab -t peers_count -s | Shows VPN stats |
| fw tab -t userc_users -s | Shows VPN stats |
| fw checklic | Check license details |
| fw ctl get int [global kernel parameter] | Shows the current value of a global kernel parameter |
| fw ctl set int [global kernel parameter] [value] | Sets the current value of a global keneral parameter. Only Temp ; Cleared after reboot. |
| fw ctl arp | Shows arp table |
| fw ctl install | Install hosts internal interfaces |
| fw ctl ip_forwarding | Control IP forwarding |
| fw ctl pstat | System Resource stats |
| fw ctl uninstall | Uninstall hosts internal interfaces |
| fw exportlog .o | Export current log file to ascii file |
| fw fetch | Fetch security policy and install |
| fw fetch localhost | Installs (on gateway) the last installed policy. |
| fw hastat | Shows Cluster statistics |
| fw lichosts | Display protected hosts |
| fw log -f | Tail the current log file |
| fw log -s -e | Retrieve logs between times |
| fw logswitch | Rotate current log file |
| fw lslogs | Display remote machine log-file list |
| fw monitor | Packet sniffer |
| fw printlic -p | Print current Firewall modules |
| fw printlic | Print current license details |
| fw putkey | Install authenication key onto host |
| fw stat -l | Long stat list, shows which policies are installed |
| fw stat -s | Short stat list, shows which policies are installed |
| fw unloadlocal | Unload policy |
| fw ver -k | Returns version, patch info and Kernal info |
| fwstart | Starts the firewall |
| fwstop | Stop the firewall |
| fwm lock_admin -v | View locked admin accounts |
| fwm dbexport -f user.txt | used to export users , can also use dbimport |
| fwm_start | starts the management processes |
| fwm -p | Print a list of Admin users |
| fwm -a | Adds an Admin |
| fwm -r | Delete an administrator |
Provider 1
| mdsenv [cma name] | Sets the mds environment |
| mcd | Changes your directory to that of the environment. |
| mds_setup | To setup MDS Servers |
| mdsconfig | Alternative to cpconfig for MDS servers |
| mdsstat | To see the processes status |
| mdsstart_customer [cma name] | To start cma |
| mdsstop_customer [cma name] | To stop cma |
| cma_migrate | To migrate an Smart center server to CMA |
| cmamigrate_assist | If you dont want to go through the pain of tar/zip/ftp and if you wish to enable FTP on Smart center server |
VPN
| vpn tu | VPN utility, allows you to rekey vpn |
| vpn ipafile_check ipassignment.conf detail | Verifies the ipassignment.conf file |
| dtps lic | show desktop policy license status |
| cpstat -f all polsrv | show status of the dtps |
| vpn shell /tunnels/delete/IKE/peer/[peer ip] | delete IKE SA |
| vpn shell /tunnels/delete/IPsec/peer/[peer ip] | delete Phase 2 SA |
| vpn shell /show/tunnels/ike/peer/[peer ip] | show IKE SA |
| vpn shell /show/tunnels/ipsec/peer/[peer ip] | show Phase 2 SA |
| vpn shell show interface detailed [VTI name] | show VTI detail |
Debugging
| fw ctl zdebug drop | shows dropped packets in realtime / gives reason for drop |
SPLAT Only
| router | Enters router mode for use on Secure Platform Pro for advanced routing options |
| patch add cd | Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only) |
| backup | Allows you to preform a system operating system backup |
| restore | Allows you to restore your backup |
| snapshot | Performs a system backup which includes all Checkpoint binaries. Note : This issues a cpstop. |
VSX
| vsx get [vsys name/id] | get the current context |
| vsx set [vsys name/id] | set your context |
| fw -vs [vsys id] getifs | show the interfaces for a virtual device |
| fw vsx stat -l | shows a list of the virtual devices and installed policies |
| fw vsx stat -v | shows a list of the virtual devices and installed policies (verbose) |
| reset_gw | resets the gateway, clearing all previous virtual devices and settings. |
Comments:
For IPSO (depreciating, thanks to the new Gaia OS) and Gaia commands, they have a command line utility called “CLISH” (or CLI shell) that is an open-source linux utility for mapping linux commands to a cisco-esque CLI. It is a very robust shells so below is just a sample:
Gaia:
ver — Show GAiA Version.
show configuration — Show running configuration.
save config — Save running configuration.
history — Show command history.
show commands — Show all commands you are allowed to run.
lock database override — Acquire read/write access to the database.
start transaction — Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit or discarded if you exit with rollback.
show version os edition — Show which OS edition (32 or 64-bit) is running.
set edition default 32-bit|64-bit — Switch between 32 and 64-bit kernel. 64-bit needs at least 6GB of RAM (or 1GB running in a VM).
expert — Switch to bash and expert mode.
show extended commands — Show all defined extended (OS level) commands
add command df path /bin/df description “list free hdd space” — Add f.i. Linux command df to the list of extended commands. You can also use all options of an ext. command from within clish: clish> df -h
IPSO clish (Better go and read the documentation. Clish is mighty 😉 You can enter clish commands either in the clish itself (command ‘clish’) or from the shell using clish [-s] -c “<command>”. The -s option runs save config afterwards.
show summary — Show system configuration summary.
show asset hardware — Show hardware information. See also output of ipsctl -a and cat /var/etc/.nvram .
show images — Show available IPSO images.
show image current — Show current IPSO image.
show package all|active — Show all available/active packages.
show interfaces — Show all interfaces and their configuration.
set package name <name> <on|off> — Activate or deactivate a package.
set ssh server log-level <level> — Set sshd log verbosity to quiet, fatal, error, info (default), verbose or debug.
show vrrp [interfaces] — View VRRP (interface) status.
reboot image <img> save — Reboot into <img> and run save before booting.
rm /config/active — Kind of factory default reset. Reboot afterwards.
set voyager daemonenable <1|0> ssl-port 8443 ssl-level 168 — Enable (or disable) Voyager on SSL port 8443 using 3DES crypto. Also works with true, false, on or off. save config afterwards.
Leave A Comment?
You must be logged in to post a comment.