Checkpoint commands generally fall under one of three prefixes:
- cp – general
- fw – firewall
- fwm – management
CP, FW & FWM Commands
| Command | Description |
| --- | --- |
| cphaprob stat | List cluster status |
| cphaprob -a if | List status of interfaces |
| cphaprob syncstat | Show the sync status |
| cphaprob list | Show status in list form |
| cphastart / cphastop | Start / stop clustering on the specific node |
| cp_conf sic | SIC (Secure Internal Communication) configuration |
| cpconfig | Configuration utility |
| cplic print | Print all licensing information |
| cprestart | Restart all Checkpoint services |
| cpstart | Start all Checkpoint services |
| cpstop | Stop all Checkpoint services |
| cpstop -fwflag -proc | Stop all Checkpoint services but keep the policy active in the kernel |
| cpwd_admin list | List Checkpoint processes |
| cpstat -f all polsrv | Show VPN Policy Server stats |
| cpstat | Show the status of the firewall |
| fw tab -t sam_blocked_ips | Show IPs blocked via SAM (SmartView Tracker) |
| fw tab -t connections -s | Show connection stats |
| fw tab -t connections -f | Show connections with IP addresses instead of hex |
| fw tab -t fwx_alloc -f | Show fwx_alloc with IP addresses instead of hex |
| fw tab -t peers_count -s | Show VPN stats (peer count) |
| fw tab -t userc_users -s | Show VPN stats (SecureClient users) |
| fw checklic | Check license details |
| fw ctl get int [global kernel parameter] | Show the current value of a global kernel parameter |
| fw ctl set int [global kernel parameter] [value] | Set the value of a global kernel parameter. Temporary only; cleared after reboot. |
| fw ctl arp | Show ARP table |
| fw ctl install | Install host's internal interfaces |
| fw ctl ip_forwarding | Control IP forwarding |
| fw ctl pstat | System resource stats |
| fw ctl uninstall | Uninstall host's internal interfaces |
| fw logexport -o | Export current log file to an ASCII file |
| fw fetch | Fetch security policy and install |
| fw fetch localhost | Install (on the gateway) the last installed policy |
| fw hastat | Show cluster statistics |
| fw lichosts | Display protected hosts |
| fw log -f | Tail the current log file |
| fw log -s -e | Retrieve logs between start and end times |
| fw logswitch | Rotate current log file |
| fw lslogs | Display the remote machine's log-file list |
| fw monitor | Packet sniffer |
| fw printlic -p | Print current firewall modules |
| fw printlic | Print current license details |
| fw putkey | Install authentication key onto host |
| fw stat -l | Long stat list, shows which policies are installed |
| fw stat -s | Short stat list, shows which policies are installed |
| fw unloadlocal | Unload policy |
| fw ver -k | Return version, patch info and kernel info |
| fwstart | Start the firewall |
| fwstop | Stop the firewall |
| fwm lock_admin -v | View locked admin accounts |
| fwm dbexport -f user.txt | Export users to a file; fwm dbimport imports them |
| fwm_start | Start the management processes |
| fwm -p | Print a list of admin users |
| fwm -a | Add an admin |
| fwm -r | Delete an administrator |
Provider-1
| Command | Description |
| --- | --- |
| mdsenv [cma name] | Set the MDS environment |
| mcd | Change your directory to that of the environment |
| mds_setup | Set up MDS servers |
| mdsconfig | Alternative to cpconfig for MDS servers |
| mdsstat | See the process status |
| mdsstart_customer [cma name] | Start a CMA |
| mdsstop_customer [cma name] | Stop a CMA |
| cma_migrate | Migrate a SmartCenter server to a CMA |
| cmamigrate_assist | Assists the migration if you don't want to go through the pain of tar/zip/ftp and wish to enable FTP on the SmartCenter server |
VPN
| Command | Description |
| --- | --- |
| vpn tu | VPN utility, allows you to rekey VPN tunnels |
| vpn ipafile_check ipassignment.conf detail | Verify the ipassignment.conf file |
| dtps lic | Show desktop policy license status |
| cpstat -f all polsrv | Show status of the DTPS |
| vpn shell /tunnels/delete/IKE/peer/[peer ip] | Delete IKE SA |
| vpn shell /tunnels/delete/IPsec/peer/[peer ip] | Delete Phase 2 SA |
| vpn shell /show/tunnels/ike/peer/[peer ip] | Show IKE SA |
| vpn shell /show/tunnels/ipsec/peer/[peer ip] | Show Phase 2 SA |
| vpn shell show interface detailed [VTI name] | Show VTI detail |
Debugging
| Command | Description |
| --- | --- |
| fw ctl zdebug drop | Show dropped packets in real time, with the reason for each drop |
SPLAT Only
| Command | Description |
| --- | --- |
| router | Enter router mode on SecurePlatform Pro for advanced routing options |
| patch add cd | Mount an ISO and upgrade your Checkpoint software (SPLAT only) |
| backup | Perform a system operating-system backup |
| restore | Restore your backup |
| snapshot | Perform a system backup that includes all Checkpoint binaries. Note: this issues a cpstop. |
VSX
| Command | Description |
| --- | --- |
| vsx get [vsys name/id] | Get the current context |
| vsx set [vsys name/id] | Set your context |
| fw -vs [vsys id] getifs | Show the interfaces for a virtual device |
| fw vsx stat -l | List the virtual devices and installed policies |
| fw vsx stat -v | List the virtual devices and installed policies (verbose) |
| reset_gw | Reset the gateway, clearing all previous virtual devices and settings |
Comments:
For IPSO (being deprecated in favour of the new Gaia OS) and Gaia, commands are entered through a command-line utility called "CLISH" (CLI shell), an open-source Linux utility that maps Linux commands onto a Cisco-style CLI. It is a very robust shell, so below is just a sample:
Gaia:
ver — Show Gaia version.
show configuration — Show running configuration.
save config — Save running configuration.
history — Show command history.
show commands — Show all commands you are allowed to run.
lock database override — Acquire read/write access to the database.
start transaction — Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit, or discarded if you exit with rollback.
show version os edition — Show which OS edition (32- or 64-bit) is running.
set edition default 32-bit|64-bit — Switch between the 32- and 64-bit kernel. 64-bit needs at least 6GB of RAM (or 1GB when running in a VM).
expert — Switch to bash and expert mode.
show extended commands — Show all defined extended (OS-level) commands.
add command df path /bin/df description "list free hdd space" — Add the Linux command df, for example, to the list of extended commands. You can also use all options of an extended command from within clish: clish> df -h
IPSO clish (better go and read the documentation; clish is mighty 😉). You can enter clish commands either in clish itself (command 'clish') or from the shell using clish [-s] -c "<command>". The -s option runs save config afterwards.
show summary — Show system configuration summary.
show asset hardware — Show hardware information. See also the output of ipsctl -a and cat /var/etc/.nvram.
show images — Show available IPSO images.
show image current — Show current IPSO image.
show package all|active — Show all available/active packages.
show interfaces — Show all interfaces and their configuration.
set package name <name> <on|off> — Activate or deactivate a package.
set ssh server log-level <level> — Set sshd log verbosity to quiet, fatal, error, info (default), verbose or debug.
show vrrp [interfaces] — View VRRP (interface) status.
reboot image <img> save — Reboot into <img> and run save before booting.
rm /config/active — A kind of factory-default reset. Reboot afterwards.
set voyager daemonenable <1|0> ssl-port 8443 ssl-level 168 — Enable (or disable) Voyager on SSL port 8443 using 3DES crypto. Also works with true, false, on or off. Run save config afterwards.