Check Point CLI Reference Card & Cheat Sheet– v 1.

2 Basic firewall information gathering View and manage logfiles

by Jens Roesen – email – www - twitter fw ctl arp [-n] Display proxy arp table. -n disables name resolution. Without the -t switch it starts from the beginning.
fw ctl pstat Display internal statistics including information about fw log -b <starttime> View today's log entries between <starttime>
Preface and small warning
memory, inspect, connections and NAT. <endtime> and <endtime> with time format being
This small cheat sheet is intended as a brief reference with some practical HH:MM:SS. Example: fw log -b 09:00:00
examples for your daily work. Although most of the commands mentioned are fw ctl chain Displays in and out chain of CP Modules. Useful for
placing fw monitor into the chain with the -p option. 09:15:00.
meant for information gathering purposes or troubleshooting rather than
configuration issues you should be careful and know what you are doing. A full fw ctl zdebug drop Real time listing of dropped packets. fw log -c <action> Show only records with action <action>, e.g.
reference to the Check Point CLI can be found at the Check Point Support Center: cpstat <app_flag> Display status of the CP applications. Command has to accept, drop, reject etc. Starts from the top of
http://www.checkpoint.com/support/technical/documents [-f flavour] be used with a application flag app_flag and an the log, use -t to start a tail at the end.
I've sorted the commands and examples mostly by purpose and not by product or
optional flavour. Issue cpstat without any options to fwm logexport -i Export logfile in.log to file out.csv, use ,
alphabetically. Some may reoccur. in.log -o out.csv -d
see all possible application flags and corresponding (comma) as delimiter (CSV) and do not resolve
Environment variables flavours. Examples: ',' -p -n services or hostnames.
cpstat fw -f policy – verbose policy info
It's useful to know some of the environment variables set and needed by FW-1.
cpstat fw -f sync – Synchronisation statistics Display and manage licenses
Below are some of the most commonly used. Depending on your installation there
will be more. Check the env output for more information. cpstat os -f cpu – CPU utilization statistics cp_conf lic get View licenses. Same info as cplic db_print
cpstat os -f memory – Memory usage info -all -x.
$FWDIR FW-1 installation directory, with f.i. the conf, log, lib, bin cpstat os -f ifconfig – Interface table
and spool directories. You will mostly work in this tree. cplic print Display more detailed license information.
cp_conf sic state Display current SIC trust state.
$CPDIR SVN Foundation / cpshared tree. fw lichosts List protected hosts with limited hosts licenses.
cp_conf lic get View licenses.
$CPMDIR Management server installation directory. dtps lic SecureClient Policy Server license summary.
cp_conf finger get Display fingerprint on the management module.
$FGDIR FloodGate-1 installation directory. cplic del <sig> Delete CP license with signature sig from object
cp_conf client get Display GUI clients list. <obj> obj.
$MDSDIR MDS installation directory. Same as $FWDIR on MDS level.
fwm -p List administrator accounts. cplic get <ip host|-
$FW_BOOT_DIR Directory with files needed at boot time. Retrieve all licenses from a certain gateway or all
cp_conf admin get Display admin accounts and permissions. all> gateways in order to synchronize license repository
Basic starting and stopping cp_conf auto get Display auto state of all products. Also works with fw1, on the SmartCenter server with the gateway(s).
cpstop Stop all Check Point services except cprid. You can also all fg1 and rm instead of all. cplic put <-l file> Install local license from file to an local machine.
stop specific services by issuing an option with cpstop. cpinfo -z -o <file> Create a compressed cpinfo file to open with the cplic put <obj> <-l Attach one or more central or local licenses from
For instance cpstop FW1 stops FW-1/VPN-1 or use InfoView utility or to send to Check Point support. file> file remotely to obj.
cpstop WebAccess to stop WebAccess. fw hastat View HA state of local machine. cprlic Remote license management tool.
cpstart Start all Check Point services except cprid. cpstart cphaprob state View HA state of all cluster members.
works with the same options as cpstop. Basic configuration tasks, Admins, Users, SIC
vpn overlap_encdom Show, if any, overlapping VPN domains.
cprestart cpconfig Menu based configuration tool for the most
Combined cpstop and cpstart. Complete restart. fw tab –t <tbl> View kernel table contents. Make output short with -s common tasks like adding/removing admin
cpridstop Stop cprid, the Check Point Remote installation Daemon. [–s] switch. List all available tables with fw tab -s. E.g. accounts or GUI clients, managing licenses,
cpridstart Start cprid, the Check Point Remote installation fw tab -t connections -s – Connections table. SIC and so on. Options depend on the installed
Daemon. avsu_client [-app Get local signature version and status of content products and packages.
cpridrestart Combined cpridstop and cpridstart. <app>] get_version security <app> where <app> can be “Edge AV”, cp_conf -h Display cp_conf help. Options depend on the
“URL Filtering” and “ICS”. Without the -app installed products and packages.
fw kill [-t sig] Kill a Firewall process. PID file in $FWDIR/tmp/ must be
proc_name <app> option “Anti Virus” is used by default. cp_conf admin add <user> Add admin user with password pass and
present. Per default sends signal 15 (SIGTERM).
avsu_client [-app Check if signature for <app> is up-to-date. See <pass> <perm> permissions perm where w is read/write access
Example: fw kill -t 9 fwm
<app>] fetch_remote previous command for the possible values of <app>. and r is read only. Note: permission w does not
fw unloadlocal Uninstall local security policy. -fi allow administration of admin accounts.
Basic firewall information gathering show asset hardware View hw info like serial numbers in Nokia clish. See cp_admin_convert Export admin definitions created in cpconfig
fw ver Check FW-1/VPN-1 major and minor version as well as also ipsctl -a and cat /var/etc/.nvram. to SmartDashboard.
build number and latest installed hotfix. info device View Edge Appliance information (hw, fwl, license..) cp_conf admin del <user> Delete the admin account user.
fwm ver Check management module major and minor version info computers List active devices behind Edge Appliance. fwm expdate <dd-mmm-yyy> Set new expiration date for all users or with -f
as well as build number and latest installed hotfix. [-f <dd-mmm-yyyy>] for all users matching the expiration date filter:
vpn ver View and manage logfiles fwm expdate 31-Dec-2020 -f 31-Dec-2010.
Check VPN-1 major and minor version as well as build
number and latest installed hotfix. Use the switch -k fw lslogs View a list of available fw logfiles and their size. cp_conf client get Display GUI clients list.
for additional kernel version. fwm logexport Export/display current fw.log to stdout. cp_conf client add <ip> Add GUI client with IP ip.
cpshared_ver Show the version of the SVN Foundation. fw logswitch [-audit] Write the current (audit) logfile to YY-MM-DD- cp_conf client del <ip> Delete the GUI client with IP ip. You can delete
fw stat Show the name of the currently installed policy as well HHMMSS.log and start a new fw.log. multiple clients at once.
as a brief interface list. Can be used with the -long or fw fetchlogs -f file Fetch a logfile from a remote CP module. cp_conf sic state Display current SIC trust state.
-short switch for more information. module NOTICE: The log will be moved, hence deleted cp_conf sic reset Reset SIC.
cpwd_admin list Display process information about CP processes from the remote module. Does not work with
monitored by the CP WatchDog. current fw.log. cp_conf sic init <key> Initialize SIC.
fw ctl iflist Display interface list. fw log -f -t Tail the actual log file from the end of the log.

The latest version of this PDF is available at http://bit.ly/fw1cli. Licensed under Creative Commons BY – NC – SA License. SecurePlatform, SofaWare, SmartCenter, ClusterXL, Provider-1, VSX, IPSO and VPN-1/UTM-1 Edge are a registered trademarks of Check Point Software Technologies, Ltd.
fw monitor SecurePlatform Provider-1
fw monitor, Check Points packet sniffing tool, is part of every FW-1 installation, sysconfig Menu based SecurePlatform OS configuration tool. mds_backup Backup binaries and data to current directory.
independent from the underlying platform. Also the syntax is the same for all webui <enable| Enable the WebUI on HTTPS port 443 or port [port] or You can exclude files by specifying them in
available platforms. Read the Check Point guide (http://bit.ly/fwmonref) or see my disable> [port] disable the WebUI. $MDSDIR/conf/mds_exclude.dat.
fw monitor cheat sheet (http://bit.ly/cpfwmon) for detailed info on this topic. mds_restore <file> Restore MDS backup from file.
showusers Display a list of configured SecurePlatform administrators.
fw monitor Examples: Notice: you may need to copy mds_backup
adduser <user> Add an admin account. Delete with deluser <user>.
from $MDSDIR/scripts/ as well as gtar and
# packets with IP 192.168.1.12 as SRC or DST
fw monitor -e 'accept host(192.168.1.12);'
backup Backup system config to /var/CPbackup/backups file gzip from $MDS_SYSTEM/shared/ to the
backup_host.domain_DD_MM_YYYY_hh_mm.tgz. directory with the backup file. Normally,
# all packets from 192.168.1.12 to 192.168.3.3 backup also works with the following switches: mds_backup does this during backup.
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;' --scp <ip> <user> <pass> -path <path> <file>
--tftp <ip> -path <tftpboot/subdir> file VPN & VPN Debugging
# UDP port 53 (DNS) packets, pre-in position is before 'ippot_strip'
fw monitor -pi ipopt_strip -e 'accept udpport(53);' --ftp <ip> <user> <pass> -path <path> <file> vpn ver [-k] Check VPN-1 major and minor version as well as build
If you do not specify file or path the default naming number and latest hotfix. Use -k for kernel version.
# UPD traffic from or to unprivileged ports, only show post-out scheme and/or the homedir of the account will be used. A
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);' vpn tu Start a menu based VPN TunnelUtil program where you
relative path results in a backup to a subdirectory of home.
can list and delete Security Associations (SAs) for peers.
# Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12 restore <file> Restores a backup from file <file>. Pretty much works with
fw monitor -e 'accept host(192.168.1.12) and tracert;' vpn shell Start the VPN shell.
the same switches as backup.
vpn debug ikeon| Debug IKE into $FWDIR/log/ike.elg.
# Capture web traffic for VSX virtual system ID 23 snapshot Take a snapshot of the entire system. Without options it's ikeoff
fw monitor -vs 23 -e 'accept tcpport(80);' menu based. Note: cpstop is issued! Examples:
snapshot --file <file> vpn debug on|off Debug VPN into $FWDIR/log/vpnd.elg.
# Capture traffic on a SecuRemote/SecureClient client into a file.
# srfw.exe in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)
snapshot --tfpt <ip> <file> vpn debug trunc Truncate and stamp logs, enable IKE & VPN debug.
srfw monitor -o output_file.cap snapshot --scp <ip> <user> <pass> <file>
vpn drv stat Show status of VPN-1 kernel module.
snapshot --ftp <ip> <user> <pass> <file>
vpn overlap_encdom Show, if any, overlapping VPN domains.
VSX revert Reboot system from a snapshot file. Same switches as
snapshot. vpn macutil <user> Show MAC for Secure Remote user <user>.
vsx stat [-v] [-l] [id] Display VSX status. Verbose output with -v,
interface list with -l or status of single system patch add cd Install the patch <patch> from CD. IPSO clish (Better go and read the docu. Clish is mighty ;)
with VS ID <id>. <patch>
You can enter clish commands either in the clish itself or from the shell using
vsx get View current shell context. cd_ver or ver View SecurePlatform build number. clish [-s] -c "<command>". The -s option runs save config afterwards.
vsx set <id> Set context to VS with the ID <id>. addarp <ip> Add a static ARP entry for ip. Survives a reboot. Use show summary Show system configuration summary.
<MAC> delarp with the same syntax to delete a ARP entry.
vsx sic reset <id> Reset SIC for VS ID <id>. show asset hardware Show hardware information. See also output of
fw -vs <id> getifs dns [add|del View DNS server setting or add/delete DNS servers. ipsctl -a and cat /var/etc/.nvram .
View driver interface list for a VS. You can also
<ip>]
use the VS name instead of -vs <id>. show images Show available IPSO images.
log list Show index of available system and error log files.
fw tab -vs <id> -t View state tables for virtual system <id>. show image current Show current IPSO image.
<table> log show <nr> View log file number <nr> from the log list index.
show package all|active Show all available/active packages.
fw monitor -vs <id> -e View traffic for virtual system with ID <id>. passwd Change login password. In expert mode it changes the
set package name <name> Activate or deactivate a package.
'accept;' expert pass, in standard mode it changes the admin pass.
<on|off>
In general, a lot of Check Point's commands do understand the -vs <id> switch. Use /usr/bin/passwd <user> in expert mode.
set ssh server log-level Set sshd log verbosity to quiet, fatal, error,
Provider-1 <level> info (default), verbose or debug.
ClusterXL
cp_conf ha enable| mdsenv [cma_name] Set the environment variables for MDS oder show vrrp [interfaces] View VRRP (interface) status.
Enable or disable HA.
disable [norestart] CMA level. reboot image <img> save Reboot into <img> and run save before booting.
cphastop mdsstart [-m|-s] Starts the MDS and all CMAs (10 at a time).
Disable ClusterXL on the cluster member. Issued on rm /config/active Kind of factory default reset. Reboot afterwards.
a cluster member running in HA Legacy Mode Start only the MDS with -m or the CMAs
subsequently with -s. set voyager daemon- Enable (or disable) Voyager on SSL port 8443
cphastop might stop the entire cluster. enable <1|0> ssl-port using 3DES crypto. Also works with true,
cphastart Activate ClusterXL on this cluster member. mdsstop [-m] Stop MDS and all CMAs or with -m just the 8443 ssl-level 168 false, on or off. save config afterwards.
MDS.
fw hastat View HA state of local machine.
mdsstat [cma_name]|[-m] Show status of the MDS and all CMAs or a Edge Appliances CLI and Sofaware SmartCenter Commands*
cphaprob state View HA state of all cluster members.
certain customer's CMA. Use -m for only MDS help [command] Show help topics. Also works with all commands.
cphaprob -a if View interface status. status.
info fw [rules] Show firewall statistics (in/out packets) or policy.
cphaprob -ia list View list and state of critical cluster devices. cpinfo -c <cma> Create a cpinfo for the customer cma <cma>.
info nat Display active nat policy.
cphaprob syncstat View sync transport layer statistics. Reset with Remember to run mdsenv <cma> in advance.
-reset. info device Show hardware information.
mcd <directory> Quick cd to $FWDIR/<directory> of the
cphaconf set_ccp Configure Cluster Control Protocol (CCP) to use current CMA. show net wan Show configuration of wan device.
<broadcast| unicast or multicast messages. By default set to mdsstop_customer <cma> Stop CMA. Run mdsenv <cma> in advance. export Export complete system configuration.
multicast> multicast. Setting survives reboot.
mdsstart_customer <cma> Start CMA. Run mdsenv <cma> in advance. swcmd Reboot <edge> Reboot <edge> from SmartCenter Console.*
Note: DO NOT run any cphaconf commands other than set_ccp. smsstart and smsstop
mdsconfig MDS replacement for cpconfig. Start/stop the Sofaware Management Server.*

The latest version of this PDF is available at http://bit.ly/fw1cli. Licensed under Creative Commons BY – NC – SA License. SecurePlatform, SofaWare, SmartCenter, ClusterXL, Provider-1, VSX, IPSO and VPN-1/UTM-1 Edge are a registered trademarks of Check Point Software Technologies, Ltd.