
CheckPoint CLI troubleshooting & management commands (often used)

10 June 2016

CheckPoint Firewall (basic troubleshooting commands incl. clustering)

| Command | Description |
| --- | --- |
| `cphaprob stat` | List cluster status |
| `cphaprob -a if` | List status of interfaces |
| `cphaprob syncstat` | Shows the sync status |
| `cphaprob list` | Shows a status in list form |
| `cphastart` / `cphastop` | Starts/stops clustering on the specific node |
| `cp_conf sic` | SIC (Secure Internal Communication) settings |
| `cpconfig` | Configuration utility |
| `cplic print` | Prints all the licensing information |
| `cprestart` | Restarts all Check Point services |
| `cpstart` | Starts all Check Point services |
| `cpstop` | Stops all Check Point services |
| `cpstop -fwflag -proc` | Stops all Check Point services but keeps the policy active in the kernel |
| `cpwd_admin list` | List Check Point processes |
| `cpstat -f all polsrv` | Show VPN Policy Server stats |
| `cpstat` | Shows the status of the firewall |
| `fw tab -t sam_blocked_ips` | IPs blocked via SmartTracker |
| `fw tab -t connections -s` | Show connection stats |
| `fw tab -t connections -f` | Show connections with IP instead of hex |
| `fw tab -t fwx_alloc -f` | Show fwx_alloc with IP instead of hex |
| `fw tab -t peers_count -s` | Shows VPN stats |
| `fw tab -t userc_users -s` | Shows VPN stats |
| `fw checklic` | Check license details |
| `fw ctl get int [global kernel parameter]` | Shows the current value of a global kernel parameter |
| `fw ctl set int [global kernel parameter] [value]` | Sets the current value of a global kernel parameter. Temporary only; cleared after reboot. |
| `fw ctl arp` | Shows ARP table |
| `fw ctl install` | Install hosts internal interfaces |
| `fw ctl ip_forwarding` | Control IP forwarding |
| `fw ctl pstat` | System resource stats |
| `fw ctl uninstall` | Uninstall hosts internal interfaces |
| `fw exportlog .o` | Export current log file to ASCII file |
| `fw fetch` | Fetch security policy and install |
| `fw fetch localhost` | Installs (on gateway) the last installed policy |
| `fw hastat` | Shows cluster statistics |
| `fw lichosts` | Display protected hosts |
| `fw log -f` | Tail the current log file |
| `fw log -s -e` | Retrieve logs between times |
| `fw logswitch` | Rotate current log file |
| `fw lslogs` | Display remote machine log-file list |
| `fw monitor` | Packet sniffer |
| `fw printlic -p` | Print current firewall modules |
| `fw printlic` | Print current license details |
| `fw putkey` | Install authentication key onto host |
| `fw stat -l` | Long stat list, shows which policies are installed |
| `fw stat -s` | Short stat list, shows which policies are installed |
| `fw unloadlocal` | Unload policy |
| `fw ver -k` | Returns version, patch info and kernel info |
| `fwstart` | Starts the firewall |
| `fwstop` | Stops the firewall |
| `fwm lock_admin -v` | View locked admin accounts |
| `fwm dbexport -f user.txt` | Used to export users; can also use dbimport |
| `fwm_start` | Starts the management processes |
| `fwm -p` | Print a list of admin users |
| `fwm -a` | Adds an admin |
| `fwm -r` | Deletes an administrator |

PROVIDER 1 Management

| Command | Description |
| --- | --- |
| `mdsenv [cma name]` | Sets the MDS environment |
| `mcd` | Changes your directory to that of the environment |
| `mds_setup` | To set up MDS servers |
| `mdsconfig` | Alternative to cpconfig for MDS servers |
| `mdsstat` | To see the status of the processes |
| `mdsstart_customer [cma name]` | To start a CMA |
| `mdsstop_customer [cma name]` | To stop a CMA |
| `cma_migrate` | To migrate a SmartCenter server to a CMA |
| `cmamigrate_assist` | If you don't want to go through the pain of tar/zip/ftp and if you wish to enable FTP on the SmartCenter server |

VPN Troubleshooting

| Command | Description |
| --- | --- |
| `vpn tu` | VPN utility, allows you to rekey VPN |
| `vpn ipafile_check ipassignment.conf detail` | Verifies the ipassignment.conf file |
| `dtps lic` | Show desktop policy license status |
| `cpstat -f all polsrv` | Show status of the dtps |
| `vpn shell /tunnels/delete/IKE/peer/[peer ip]` | Delete IKE SA |
| `vpn shell /tunnels/delete/IPsec/peer/[peer ip]` | Delete Phase 2 SA |
| `vpn shell /show/tunnels/ike/peer/[peer ip]` | Show IKE SA |
| `vpn shell /show/tunnels/ipsec/peer/[peer ip]` | Show Phase 2 SA |
| `vpn shell show interface detailed [VTI name]` | Show VTI detail |

DEBUGGING PACKETFLOW

| Command | Description |
| --- | --- |
| `fw ctl zdebug drop` | Shows dropped packets in real time and gives the reason for each drop |

CHECKPOINT GAIA CLISH COMMANDS

show commands

| Command | Description |
| --- | --- |
| `save config` | Save the current configuration |
| `show commands` | Shows all commands |
| `show allowed-client all` | Show allowed clients |
| `show arp dynamic all` | Displays the dynamic ARP entries |
| `show arp proxy all` | Shows proxy ARP |
| `show arp static all` | Displays all the static ARP entries |
| `show as` | Displays autonomous system number |
| `show assets all` | Display hardware information |
| `show bgp stats` | Shows BGP statistics |
| `show bgp summary` | Shows summary information about BGP |
| `show vrrp stats` | Show VRRP statistics |
| `show bootp stats` | Shows BOOTP/DHCP relay statistics |
| `show bootp interface` | Show all BOOTP/DHCP relay interfaces |
| `show bonding group` | Show all bonding groups |
| `show bridging groups` | Show all bridging groups |
| `show backups` | Shows a list of local backups |
| `show backup status` | Show the status of a backup or restore operation being performed |
| `show backup last-successful` | Show the latest successful backup |
| `show backup logs` | Show the logs of the recent backups/restores performed |
| `show clock` | Show current clock |
| `show configuration` | Show configuration |
| `show config-state` | Shows the state of the configuration, either saved or unsaved |
| `show date` | Shows date |
| `show dns primary` | Shows primary DNS server |
| `show dns secondary` | Shows secondary DNS server |
| `show extended commands` | Shows all extended commands |
| `show groups` | Shows all user groups |
| `show hostname` | Show host name |
| `show inactivity-timeout` | Shows inactivity-timeout settings |
| `show interfaces` | Shows all interfaces |
| `show interfaces ethx` | Shows settings related to an interface "x" |
| `show interfaces all` | Show detailed information about all interfaces |
| `show ipv6-state` | Shows IPv6 status as enabled or disabled |
| `show management interface` | Shows management interface configuration |
| `show ntp active` | Shows NTP status as enabled or disabled |
| `show ntp servers` | Shows NTP servers |
| `show ospf database` | Shows OSPF database information |
| `show ospf neighbors` | Shows OSPF neighbors information |
| `show ospf summary` | Shows OSPF summary information |
| `show pbr rules` | Shows policy-based routing rules |
| `show pbr summary` | Shows policy-based routing summary information |
| `show pbr tables` | Show PBR tables |
| `show route` | Shows routing table |
| `show routed version` | Shows information about routed version |
| `show snapshots` | Shows a list of local snapshots |
| `show snmp agent-version` | Shows whether the version is v1/v2/v3 |
| `show snmp interfaces` | Shows SNMP agent interface |
| `show snmp traps receivers` | Shows SNMP trap receivers |
| `show time` | Shows local machine time |
| `show timezone` | Show configured timezone |
| `show uptime` | Show system uptime |
| `show users` | Show configured users and their homedir, uid/gid and shell |
| `show user <username>` | Shows settings related to a particular user |
| `show version all` | Shows version information: OS edition, kernel version, product version etc. |
| `show virtual-system all` | Show virtual systems configured |
| `show vpn tunnels` | Used to show the VPN tunnels |
| `show vrrp stats` | Shows VRRP status |
| `show vrrp interfaces` | Shows VRRP-enabled interfaces |

set commands

| Command | Description |
| --- | --- |
| `add allowed-client host any-host` | Add any host to the allowed clients list |
| `add allowed-client host <ip address>` | Add allowed client by IPv4 address |
| `add backup local` | Create and store a backup file in /var/cpbackups/backups/ (on open servers) or /var/log/cpbackup/backups/ (on Check Point appliances) |
| `add backup scp ip value path value username value` | Adds backup to SCP server |
| `add backup tftp ip value [ interactive ]` | Adds backup to TFTP server |
| `add snapshot` | Creates a snapshot that backs up everything (OS configuration, Check Point configuration, versions, patch level), including the drivers |
| `add syslog log-remote-address <ip address> level <emerg/alert/crit/err/warning/notice/info/debug/all>` | Specifies syslog parameters |
| `add user <username> uid <user-id-value> homedir` | Creates a user |
| `expert` | Executes system shell |
| `halt` | Put system to halt |
| `history` | Shows command history |
| `lock database override` | Overrides the config-lock settings |
| `quit` | Exits out of a shell |
| `reboot` | Reboots a system |
| `restore backup local [value]` | Restores local backup interactively |
| `rollback` | Ends the transaction mode by reverting the changes made during the transaction |
| `save config` | Save the current configuration |
| `set backup restore local <filename>` | Restores a local backup |
| `set core-dump <enable/disable>` | Enable/disable core dumps |
| `set date yyyy-mm-dd` | Sets system date |
| `set dhcp server enable` | Enable DHCP server |
| `set dns primary <x.x.x.x>` | Sets primary DNS IP address |
| `set dns secondary <x.x.x.x>` | Sets secondary DNS IP address |
| `set expert-password` | Set or change password for entering expert mode |
| `set edition default <value>` | Set the default edition to 32-bit or 64-bit |
| `set hostname <value>` | Sets system hostname |
| `set inactivity-timeout <value>` | Sets the inactivity timeout |
| `set interface ethx ipv4-address x.x.x.x mask-length 24` | Adds IP address to an interface |
| `set ipv6-state on/off` | Sets IPv6 status as on or off |
| `set kernel-routes on/off` | Sets kernel routes to on/off state |
| `set management interface <interface name>` | Sets an interface as management interface |
| `set message motd value` | Sets message of the day |
| `set ntp active on/off` | Activates NTP on/off |
| `set ntp server primary x.x.x.x version <1/2/3/4>` | Sets primary NTP server |
| `set ntp server secondary x.x.x.x version <1/2/3/4>` | Sets secondary NTP server |
| `set snapshot revert <filename>` | Revert the machine to the selected snapshot |
| `set snmp agent on/off` | Sets the SNMP agent daemon on/off |
| `set snmp agent-version <value>` | Sets SNMP agent version |
| `set snmp community <value> read-only` | Sets SNMP read-only community string |
| `add snmp interface <interface name>` | Sets SNMP agent interface |
| `set snmp traps receiver <ip address> version v1 community value` | Specifies trap receiver |
| `set snmp traps trap <value>` | Set SNMP traps |
| `set static-route x.x.x.x/24 nexthop gateway address x.x.x.x on` | Adds specific static route |
| `set time <value>` | Sets system time |
| `set time zone <time-zone>` | Sets the time zone |
| `set vsx off` | Sets VSX mode off |
| `set vsx on` | Sets VSX mode on |
| `set user <username> password` | Sets user's password |
| `set web session-timeout <value>` | Sets web configuration session time-out in minutes |
| `set web ssl-port <value>` | Sets the web SSL port for the system |
