Checkpoint - Commands

Firewalls - Checkpoint

Checkpoint commands generally come under the following prefixes:

  •  cp   -  general
  •  fw   -  firewall
  •  fwm  -  management

CP, FW & FWM Commands

cphaprob stat           Lists cluster status
cphaprob -a if          Lists status of interfaces
cphaprob syncstat       Shows the sync status
cphaprob list           Shows a status in list form
cphastart / cphastop    Starts/stops clustering on the specific node
cp_conf sic             SIC (Secure Internal Communication) configuration
cpconfig                Configuration utility
cplic print             Prints all the licensing information
cprestart               Restarts all Checkpoint services
cpstart                 Starts all Checkpoint services
cpstop                  Stops all Checkpoint services
cpstop -fwflag -proc    Stops all Checkpoint services but keeps policy active in kernel
cpwd_admin list         Lists Checkpoint processes
cpstat -f all polsrv    Shows VPN Policy Server stats
cpstat                  Shows the status of the firewall
  
fw tab -t sam_blocked_ips                           IPs blocked via SmartTracker
fw tab -t connections -s                            Shows connection stats
fw tab -t connections -f                            Shows connections with IP instead of hex
fw tab -t fwx_alloc -f                              Shows fwx_alloc with IP instead of hex
fw tab -t peers_count -s                            Shows VPN stats
fw tab -t userc_users -s                            Shows VPN stats
fw checklic                                         Checks license details
fw ctl get int [global kernel parameter]            Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value]    Sets the current value of a global kernel parameter. Temporary only; cleared after reboot.
fw ctl arp                                          Shows ARP table
fw ctl install                                      Install hosts internal interfaces
fw ctl ip_forwarding                                Controls IP forwarding
fw ctl pstat                                        System resource stats
fw ctl uninstall                                    Uninstall hosts internal interfaces
fw exportlog .o                                     Exports current log file to ASCII file
fw fetch                                            Fetches security policy and installs it
fw fetch localhost                                  Installs (on gateway) the last installed policy
fw hastat                                           Shows cluster statistics
fw lichosts                                         Displays protected hosts
fw log -f                                           Tails the current log file
fw log -s -e                                        Retrieves logs between times
fw logswitch                                        Rotates current log file
fw lslogs                                           Displays remote machine log-file list
fw monitor                                          Packet sniffer
fw printlic -p                                      Prints current firewall modules
fw printlic                                         Prints current license details
fw putkey                                           Installs authentication key onto host
fw stat -l                                          Long stat list, shows which policies are installed
fw stat -s                                          Short stat list, shows which policies are installed
fw unloadlocal                                      Unloads policy
fw ver -k                                           Returns version, patch info and kernel info
fwstart                                             Starts the firewall
fwstop                                              Stops the firewall
  
fwm lock_admin -v           Views locked admin accounts
fwm dbexport -f user.txt    Used to export users; can also use dbimport
fwm_start                   Starts the management processes
fwm -p                      Prints a list of admin users
fwm -a                      Adds an admin
fwm -r                      Deletes an administrator

Provider 1

mdsenv [cma name]               Sets the MDS environment
mcd                             Changes your directory to that of the environment
mds_setup                       To set up MDS servers
mdsconfig                       Alternative to cpconfig for MDS servers
mdsstat                         To see the process status
mdsstart_customer [cma name]    To start CMA
mdsstop_customer [cma name]     To stop CMA
cma_migrate                     To migrate a Smart Center server to CMA
cmamigrate_assist               If you don't want to go through the pain of tar/zip/ftp and if you wish to enable FTP on the Smart Center server

VPN 

vpn tu                                            VPN utility; allows you to rekey VPN
vpn ipafile_check ipassignment.conf detail        Verifies the ipassignment.conf file
dtps lic                                          Shows desktop policy license status
cpstat -f all polsrv                              Shows status of the dtps
vpn shell /tunnels/delete/IKE/peer/[peer ip]      Deletes IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip]    Deletes Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip]        Shows IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip]      Shows Phase 2 SA
vpn shell show interface detailed [VTI name]      Shows VTI detail

Debugging

fw ctl zdebug drop    Shows dropped packets in real time / gives reason for drop

SPLAT Only

router          Enters router mode for use on Secure Platform Pro for advanced routing options
patch add cd    Allows you to mount an ISO and upgrade your Checkpoint software (SPLAT only)
backup          Allows you to perform a system operating system backup
restore         Allows you to restore your backup
snapshot        Performs a system backup which includes all Checkpoint binaries. Note: this issues a cpstop.

VSX

vsx get [vsys name/id]     Gets the current context
vsx set [vsys name/id]     Sets your context
fw -vs [vsys id] getifs    Shows the interfaces for a virtual device
fw vsx stat -l             Shows a list of the virtual devices and installed policies
fw vsx stat -v             Shows a list of the virtual devices and installed policies (verbose)
reset_gw                   Resets the gateway, clearing all previous virtual devices and settings
