Check Point CLI Reference Card & Cheat Sheet – v 1.2
by Jens Roesen

Preface and small warning

This small cheat sheet is intended as a brief reference with some practical examples for your daily work. Although most of the commands mentioned are meant for information gathering or troubleshooting rather than configuration, you should be careful and know what you are doing. A full reference to the Check Point CLI can be found at the Check Point Support Center: http://www.checkpoint.com/support/technical/documents

I've sorted the commands and examples mostly by purpose and not by product or alphabetically. Some may reoccur.

Environment variables

It's useful to know some of the environment variables set and needed by FW-1. Below are some of the most commonly used. Depending on your installation there will be more. Check the env output for more information.

$FWDIR: FW-1 installation directory, with e.g. the conf, log, lib, bin and spool directories. You will mostly work in this tree.
$CPDIR: SVN Foundation / cpshared tree.
$CPMDIR: Management server installation directory.
$FGDIR: FloodGate-1 installation directory.
$MDSDIR: MDS installation directory. Same as $FWDIR on MDS level.
$FW_BOOT_DIR: Directory with files needed at boot time.

Basic starting and stopping

cpstop: Stop all Check Point services except cprid. You can also stop specific services by issuing an option with cpstop. For instance cpstop FW1 stops FW-1/VPN-1 or use cpstop WebAccess to stop WebAccess.
cpstart: Start all Check Point services except cprid. cpstart works with the same options as cpstop.
cprestart: Combined cpstop and cpstart. Complete restart.
cpridstop: Stop cprid, the Check Point Remote installation Daemon.
cpridstart: Start cprid, the Check Point Remote installation Daemon.
cpridrestart: Combined cpridstop and cpridstart.
fw kill [-t sig] proc_name: Kill a Firewall process. PID file in $FWDIR/tmp/ must be present. By default sends signal 15 (SIGTERM). Example: fw kill -t 9 fwm
fw unloadlocal: Uninstall local security policy.

Basic firewall information gathering

fw ver: Check FW-1/VPN-1 major and minor version as well as build number and latest installed hotfix.
fwm ver: Check management module major and minor version as well as build number and latest installed hotfix.
vpn ver: Check VPN-1 major and minor version as well as build number and latest installed hotfix. Use the switch -k for additional kernel version.
cpshared_ver: Show the version of the SVN Foundation.
fw stat: Show the name of the currently installed policy as well as a brief interface list. Can be used with the -long or -short switch for more information.
cpwd_admin list: Display process information about CP processes monitored by the CP WatchDog.
fw ctl iflist: Display interface list.
fw ctl arp [-n]: Display proxy arp table. -n disables name resolution.
fw ctl pstat: Display internal statistics including information about memory, inspect, connections and NAT.
fw ctl chain: Displays in and out chain of CP Modules. Useful for placing fw monitor into the chain with the -p option.
fw ctl zdebug drop: Real time listing of dropped packets.
cpstat <app_flag> [-f flavour]: Display status of the CP applications. Command has to be used with an application flag app_flag and an optional flavour. Issue cpstat without any options to see all possible application flags and corresponding flavours. Examples:
  cpstat fw -f policy: verbose policy info
  cpstat fw -f sync: Synchronisation statistics
  cpstat os -f cpu: CPU utilization statistics
  cpstat os -f memory: Memory usage info
  cpstat os -f ifconfig: Interface table
cp_conf sic state: Display current SIC trust state.
cp_conf lic get: View licenses.
cp_conf finger get: Display fingerprint on the management module.
cp_conf client get: Display GUI clients list.
fwm -p: List administrator accounts.
cp_conf admin get: Display admin accounts and permissions.
cp_conf auto get all: Display auto state of all products. Also works with fw1, fg1 and rm instead of all.
cpinfo -z -o <file>: Create a compressed cpinfo file to open with the InfoView utility or to send to Check Point support.
fw hastat: View HA state of local machine.
cphaprob state: View HA state of all cluster members.
vpn overlap_encdom: Show, if any, overlapping VPN domains.
fw tab -t <tbl> [-s]: View kernel table contents. Make output short with -s switch. List all available tables with fw tab -s. E.g. fw tab -t connections -s (connections table).
avsu_client [-app <app>] get_version: Get local signature version and status of content security <app> where <app> can be “Edge AV”, “URL Filtering” and “ICS”. Without the -app <app> option “Anti Virus” is used by default.
avsu_client [-app <app>] fetch_remote -fi: Check if signature for <app> is up-to-date. See previous command for the possible values of <app>.
show asset hardware: View hw info like serial numbers in Nokia clish. See also ipsctl -a and cat /var/etc/.nvram.
info device: View Edge Appliance information (hw, fwl, license..)
info computers: List active devices behind Edge Appliance.

View and manage logfiles

fw lslogs: View a list of available fw logfiles and their size.
fwm logexport: Export/display current fw.log to stdout.
fw logswitch [-audit]: Write the current (audit) logfile to YY-MM-DDHHMMSS.log and start a new fw.log.
fw fetchlogs -f file module: Fetch a logfile from a remote CP module. NOTICE: The log will be moved, hence deleted from the remote module. Does not work with current fw.log.
fw log -f -t: Tail the current log file from the end of the log. Without the -t switch it starts from the beginning.
fw log -b <starttime> <endtime>: View today's log entries between <starttime> and <endtime> with time format being HH:MM:SS. Example: fw log -b 09:00:00 09:15:00.
fw log -c <action>: Show only records with action <action>, e.g. accept, drop, reject etc. Starts from the top of the log, use -t to start a tail at the end.
fwm logexport -i in.log -o out.csv -d ',' -p -n: Export logfile in.log to file out.csv, use , (comma) as delimiter (CSV) and do not resolve services or hostnames.

Display and manage licenses

cp_conf lic get: View licenses. Same info as cplic db_print -all -x.
cplic print: Display more detailed license information.
fw lichosts: List protected hosts with limited hosts licenses.
dtps lic: SecureClient Policy Server license summary.
cplic del <sig> <obj>: Delete CP license with signature sig from object obj.
cplic get <ip host|all>: Retrieve all licenses from a certain gateway or all gateways in order to synchronize license repository on the SmartCenter server with the gateway(s).
cplic put <-l file>: Install local license from file to a local machine.
cplic put <obj> <-l file>: Attach one or more central or local licenses from file remotely to obj.
cprlic: Remote license management tool.

Basic configuration tasks, Admins, Users, SIC

cpconfig: Menu based configuration tool for the most common tasks like adding/removing admin accounts or GUI clients, managing licenses, SIC and so on. Options depend on the installed products and packages.
cp_conf -h: Display cp_conf help. Options depend on the installed products and packages.
cp_conf admin add <user> <pass> <perm>: Add admin user with password pass and permissions perm where w is read/write access and r is read only. Note: permission w does not allow administration of admin accounts.
cp_admin_convert: Export admin definitions created in cpconfig to SmartDashboard.
cp_conf admin del <user>: Delete the admin account user.
fwm expdate <dd-mmm-yyyy> [-f <dd-mmm-yyyy>]: Set new expiration date for all users or with -f for all users matching the expiration date filter: fwm expdate 31-Dec-2020 -f 31-Dec-2010.
cp_conf client get: Display GUI clients list.
cp_conf client add <ip>: Add GUI client with IP ip.
cp_conf client del <ip>: Delete the GUI client with IP ip. You can delete multiple clients at once.
cp_conf sic state: Display current SIC trust state.
cp_conf sic reset: Reset SIC.
cp_conf sic init <key>: Initialize SIC.

The latest version of this PDF is available at http://bit.ly/fw1cli. Licensed under Creative Commons BY – NC – SA License. SecurePlatform, SofaWare, SmartCenter, ClusterXL, Provider-1, VSX, IPSO and VPN-1/UTM-1 Edge are registered trademarks of Check Point Software Technologies, Ltd.

fw monitor

fw monitor, Check Point's packet sniffing tool, is part of every FW-1 installation, independent from the underlying platform. Also the syntax is the same for all available platforms. Read the Check Point guide (http://bit.ly/fwmonref) or see my fw monitor cheat sheet (http://bit.ly/cpfwmon) for detailed info on this topic.

fw monitor Examples:

# packets with IP 192.168.1.12 as SRC or DST
fw monitor -e 'accept host(192.168.1.12);'
# all packets from 192.168.1.12 to 192.168.3.3
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'
# UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip'
fw monitor -pi ipopt_strip -e 'accept udpport(53);'
# UDP traffic from or to unprivileged ports, only show post-out
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'
# Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12
fw monitor -e 'accept host(192.168.1.12) and tracert;'
# Capture web traffic for VSX virtual system ID 23
fw monitor -vs 23 -e 'accept tcpport(80);'
# Capture traffic on a SecuRemote/SecureClient client into a file.
# srfw.exe in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)
srfw monitor -o output_file.cap

VPN & VPN Debugging

vpn ver [-k]: Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for kernel version.
vpn tu: Start a menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.
vpn shell: Start the VPN shell.
vpn debug ikeon|ikeoff: Debug IKE into $FWDIR/log/ike.elg.
vpn debug on|off: Debug VPN into $FWDIR/log/vpnd.elg.
vpn debug trunc: Truncate and stamp logs, enable IKE & VPN debug.
vpn drv stat: Show status of VPN-1 kernel module.
vpn overlap_encdom: Show, if any, overlapping VPN domains.
vpn macutil <user>: Show MAC for Secure Remote user <user>.

ClusterXL

cp_conf ha enable|disable [norestart]: Enable or disable HA.
cphastop: Disable ClusterXL on the cluster member. Issued on a cluster member running in HA Legacy Mode cphastop might stop the entire cluster.
cphastart: Activate ClusterXL on this cluster member.
fw hastat: View HA state of local machine.
cphaprob state: View HA state of all cluster members.
cphaprob -a if: View interface status.
cphaprob -ia list: View list and state of critical cluster devices.
cphaprob syncstat: View sync transport layer statistics. Reset with -reset.
cphaconf set_ccp <broadcast|multicast>: Configure Cluster Control Protocol (CCP) to use unicast or multicast messages. By default set to multicast. Setting survives reboot.

Note: DO NOT run any cphaconf commands other than set_ccp.

SecurePlatform

sysconfig: Menu based SecurePlatform OS configuration tool.
webui <enable|disable> [port]: Enable the WebUI on HTTPS port 443 or port [port] or disable the WebUI.
cd_ver or ver: View SecurePlatform build number.
patch add cd <patch>: Install the patch <patch> from CD.
backup: Backup system config to /var/CPbackup/backups file backup_host.domain_DD_MM_YYYY_hh_mm.tgz. backup also works with the following switches:
  --scp <ip> <user> <pass> -path <path> <file>
  --tftp <ip> -path <tftpboot/subdir> file
  --ftp <ip> <user> <pass> -path <path> <file>
  If you do not specify file or path the default naming scheme and/or the homedir of the account will be used. A relative path results in a backup to a subdirectory of home.
restore <file>: Restores a backup from file <file>. Pretty much works with the same switches as backup.
snapshot: Take a snapshot of the entire system. Without options it's menu based. Note: cpstop is issued! Examples:
  snapshot --file <file>
  snapshot --tftp <ip> <file>
  snapshot --scp <ip> <user> <pass> <file>
  snapshot --ftp <ip> <user> <pass> <file>
revert: Reboot system from a snapshot file. Same switches as snapshot.
adduser <user>: Add an admin account. Delete with deluser <user>.
showusers: Display a list of configured SecurePlatform administrators.
passwd: Change login password. In expert mode it changes the expert pass, in standard mode it changes the admin pass. Use /usr/bin/passwd <user> in expert mode.
addarp <ip> <MAC>: Add a static ARP entry for ip. Survives a reboot. Use delarp with the same syntax to delete an ARP entry.
dns [add|del <ip>]: View DNS server setting or add/delete DNS servers.
log list: Show index of available system and error log files.
log show <nr>: View log file number <nr> from the log list index.

IPSO clish (Better go and read the documentation. Clish is mighty.)

You can enter clish commands either in the clish itself or from the shell using clish [-s] -c "<command>". The -s option runs save config afterwards.

show summary: Show system configuration summary.
show asset hardware: Show hardware information. See also output of ipsctl -a and cat /var/etc/.nvram.
show images: Show available IPSO images.
show image current: Show current IPSO image.
show package all|active: Show all available/active packages.
set package name <name> <on|off>: Activate or deactivate a package.
show vrrp [interfaces]: View VRRP (interface) status.
reboot image <img> save: Reboot into <img> and run save before booting.
rm /config/active: Kind of factory default reset. Reboot afterwards.
set voyager daemonenable <1|0> ssl-port 8443 ssl-level 168: Enable (or disable) Voyager on SSL port 8443 using 3DES crypto, save config afterwards. Also works with true, false, on or off.
set ssh server log-level <level>: Set sshd log verbosity to quiet, fatal, error, info (default), verbose or debug.

VSX

vsx stat [-v] [-l] [id]: Display VSX status. Verbose output with -v, interface list with -l or status of single system with VS ID <id>.
vsx get: View current shell context.
vsx set <id>: Set context to VS with the ID <id>.
vsx sic reset <id>: Reset SIC for VS ID <id>.
fw -vs <id> getifs: View driver interface list for a VS.
fw tab -vs <id> -t <table>: View state tables for virtual system <id>.
fw monitor -vs <id> -e 'accept;': View traffic for virtual system with ID <id>.

In general, a lot of Check Point's commands do understand the -vs <id> switch. You can also use the VS name instead of -vs <id>.

Provider-1

mdsenv [cma_name]: Set the environment variables for MDS or CMA level.
mdsstart [-m|-s]: Starts the MDS and all CMAs (10 at a time). Start only the MDS with -m or the CMAs subsequently with -s.
mdsstop [-m]: Stop MDS and all CMAs or with -m just the MDS.
mdsstat [cma_name]|[-m]: Show status of the MDS and all CMAs or a certain customer's CMA. Use -m for only MDS status.
cpinfo -c <cma>: Create a cpinfo for the customer cma <cma>. Remember to run mdsenv <cma> in advance.
mcd <directory>: Quick cd to $FWDIR/<directory> of the current CMA.
mdsstop_customer <cma>: Stop CMA. Run mdsenv <cma> in advance.
mdsstart_customer <cma>: Start CMA. Run mdsenv <cma> in advance.
mdsconfig: MDS replacement for cpconfig.
mds_backup: Backup binaries and data to current directory. You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat.
mds_restore <file>: Restore MDS backup from file. Notice: you may need to copy mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the directory with the backup file. Normally, mds_backup does this during backup.

Edge Appliances CLI and Sofaware SmartCenter Commands*

help [command]: Show help topics. Also works with all commands.
info fw [rules]: Show firewall statistics (in/out packets) or policy.
info nat: Display active nat policy.
info device: Show hardware information.
show net wan: Show configuration of wan device.
export: Export complete system configuration.
swcmd Reboot <edge>: Reboot <edge> from SmartCenter Console.*
smsstart and smsstop: Start/stop the Sofaware Management Server.*