Checkpoint Command Line Cheat Sheet

Checkpoint commands generally come under,

  •    cp     –  general
  •    fw     –  firewall
  •    fwm  –  management

CP, FW & FWM Commands

cphaprob stat List cluster status
cphaprob -a if List status of interfaces
cphaprob syncstat shows the sync status
cphaprob list Shows a status in list form
cphastart/stop Stops clustering on the specfic node
cp_conf sic SIC stuff
cpconfig config util
cplic print prints the license
cprestart Restarts all Checkpoint Services
cpstart Starts all Checkpoint Services
cpstop Stops all Checkpoint Services
cpstop -fwflag -proc Stops all checkpoint Services but keeps policy active in kernel
cpwd_admin list List checkpoint processes
cplic print Print all the licensing information.
cpstat -f all polsrv Show VPN Policy Server Stats
cpstat Shows the status of the firewall
fw tab  -t sam_blocked_ips Block IPS via SmartTracker
fw tab -t connections -s Show connection stats
fw tab -t connections -f Show connections with IP instead of HEX
fw tab -t fwx_alloc -f Show fwx_alloc with IP instead of HEX
fw tab -t peers_count -s Shows VPN stats
fw tab -t userc_users -s Shows VPN stats
fw checklic Check license details
fw ctl get int [global kernel parameter] Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter]  [value] Sets the current value of a global keneral parameter. Only Temp ; Cleared after reboot.
fw ctl arp Shows arp table
fw ctl install Install hosts internal interfaces
fw ctl ip_forwarding Control IP forwarding
fw ctl pstat System Resource stats
fw ctl uninstall Uninstall hosts internal interfaces
fw exportlog .o Export current log file to ascii file
fw fetch Fetch security policy and install
fw fetch localhost Installs (on gateway) the last installed policy.
fw hastat Shows Cluster statistics
fw lichosts Display protected hosts
fw log -f Tail the current log file
fw log -s -e Retrieve logs between times
fw logswitch Rotate current log file
fw lslogs Display remote machine log-file list
fw monitor Packet sniffer
fw printlic -p Print current Firewall modules
fw printlic Print current license details
fw putkey Install authenication key onto host
fw stat -l Long stat list, shows which policies are installed
fw stat -s Short stat list, shows which policies are installed
fw unloadlocal Unload policy
fw ver -k Returns version, patch info and Kernal info
fwstart Starts the firewall
fwstop Stop the firewall
fwm lock_admin -v View locked admin accounts
fwm dbexport -f user.txt used to export users , can also use dbimport
fwm_start starts the management processes
fwm -p Print a list of Admin users
fwm -a Adds an Admin
fwm -r Delete an administrator


Provider 1

mdsenv [cma name] Sets the mds environment
mcd Changes your directory to that of the environment.
mds_setup To setup MDS Servers
mdsconfig Alternative to cpconfig for MDS servers
mdsstat To see the processes status
mdsstart_customer [cma name] To start cma
mdsstop_customer [cma name] To stop cma
cma_migrate To migrate an Smart center server to CMA
cmamigrate_assist If you dont want to go through the pain of tar/zip/ftp and if you wish to enable FTP on Smart center server


vpn tu VPN utility, allows you to rekey vpn
vpn ipafile_check ipassignment.conf detail‏ Verifies the ipassignment.conf file
dtps lic show desktop policy license status
cpstat -f all polsrv show status of the dtps
vpn shell /tunnels/delete/IKE/peer/[peer ip] delete IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip] delete Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip] show IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip] show Phase 2 SA
vpn shell show interface detailed [VTI name] show VTI detail



fw ctl zdebug drop shows dropped packets in realtime / gives reason for drop


router Enters router mode for use on Secure Platform Pro for advanced routing options
patch add cd Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only)
backup Allows you to preform a system operating system backup
restore Allows you to restore your backup
snapshot Performs a system backup which includes all Checkpoint binaries. Note : This issues a cpstop.


vsx get [vsys name/id] get the current context
vsx set [vsys name/id] set your context
fw -vs [vsys id] getifs show the interfaces for a virtual device
fw vsx stat -l shows a list of the virtual devices and installed policies
fw vsx stat -v shows a list of the virtual devices and installed policies (verbose)
reset_gw resets the gateway, clearing all previous virtual devices and settings.


For IPSO (depreciating, thanks to the new Gaia OS) and Gaia commands, they have a command line utility called “CLISH” (or CLI shell) that is an open-source linux utility for mapping linux commands to a cisco-esque CLI. It is a very robust shells so below is just a sample:


ver — Show GAiA Version.
show configuration — Show running configuration.
save config — Save running configuration.
history — Show command history.
show commands — Show all commands you are allowed to run.
lock database override — Acquire read/write access to the database.
start transaction  — Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit or discarded if you exit with rollback.

show version os edition — Show which OS edition (32 or 64-bit) is running.
set edition default 32-bit|64-bit — Switch between 32 and 64-bit kernel. 64-bit needs at least  6GB of RAM (or 1GB running in a VM).

expert — Switch to bash and expert mode.
show extended commands — Show all defined extended (OS level) commands
add command df path /bin/df description “list free hdd space” — Add f.i. Linux command df to the list of extended commands. You can also use all options of an ext. command from within clish: clish> df -h

IPSO clish (Better go and read the documentation. Clish is mighty 😉 You can enter clish commands either in the clish itself (command ‘clish’) or from the shell using clish [-s] -c “<command>”. The -s option runs save config afterwards.

show summary — Show system configuration summary.
show asset hardware — Show hardware information. See also output of ipsctl -a and  cat /var/etc/.nvram .
show images — Show available IPSO images.
show image current — Show current  IPSO image.
show package all|active — Show all available/active packages.
show interfaces — Show all interfaces and their configuration.
set package name <name> <on|off> — Activate or deactivate a package.
set ssh server log-level <level> — Set sshd log verbosity to quiet, fatal, error, info (default), verbose or debug.

show vrrp [interfaces] — View VRRP (interface) status.
reboot image <img> save — Reboot into <img> and run save before booting.
rm /config/active — Kind of factory default reset. Reboot afterwards.
set voyager daemonenable <1|0> ssl-port 8443 ssl-level 168 — Enable (or disable) Voyager on SSL port 8443 using 3DES crypto. Also works with true, false, on or off. save config afterwards.





Was this article helpful?

Related Articles

Leave A Comment?

You must be logged in to post a comment.