Check Point CLI Reference Card - 20120724
by Jens Roesen

Check Point environment variables (most common ones)

$FWDIR
    FW-1 installation directory, with f.i. the conf, log, lib, bin and spool directories.
$CPDIR
    SVN Foundation / cpshared tree.
$CPMDIR
    Management server installation directory.
$FGDIR
    FloodGate-1 installation directory.
$MDSDIR
    MDS installation directory. Same as $FWDIR on MDS level.
$FW_BOOT_DIR
    Directory with files needed at boot time.

Basic firewall information gathering

fw ver [-k], fwm ver, vpn ver [-k], fgate ver
    Show major and minor version as well as build number and latest installed hotfix of a Check Point module. Show additional kernel version information with the -k switch.
cpshared_ver
    Show the version of the SVN Foundation.
fw stat
    Show the name of the currently installed policy as well as a brief interface list. Can be used with the -long or -short switch for more information.
cpstat <app_flag> [-f flavour]
    Display status of the CP applications. The command has to be used with an application flag app_flag and an optional flavour. Issue cpstat without any options to see all possible application flags and corresponding flavours. Examples:
    cpstat fw -f policy       Verbose policy info
    cpstat fw -f sync         Synchronisation statistics
    cpstat os -f cpu          CPU utilization statistics
    cpstat os -f memory       Memory usage info
    cpstat os -f ifconfig     Interface table
cpwd_admin list
    Display process information about CP processes monitored by the CP WatchDog.
cpca_client lscert
    Display all ICA certificates.
fw ctl iflist
    Display interface list.
fw ctl arp [-n]
    Display proxy arp table. -n disables name resolution.
fw ctl pstat
    Display internal statistics including information about memory, inspect, connections and NAT.
fw ctl chain
    Display the in and out chain of CP modules. Useful for placing fw monitor into the chain with the -p option.
fw ctl zdebug drop
    Real time listing of dropped packets.
cp_conf sic state
    Display current SIC trust state.
cp_conf finger get
    Display fingerprint on the management module.
cp_conf admin get
    Display admin accounts and permissions. Also fwm -p.
cp_conf auto get <fw1|fg1|rm|all>
    Display autostart state of Check Point modules.
fgate stat
    Status and statistics of FloodGate-1.
fwaccel <stat|stats|conns>
    Status, statistics or connection table of SecureXL.
cpinfo -z -o <file>
    Create a compressed cpinfo file to open with the InfoView utility or to send to Check Point support.
fw hastat
    View HA state of the local machine.
cphaprob state
    View HA state of all cluster members.
vpn overlap_encdom
    Show, if any, overlapping VPN domains.
fw tab [-t <tbl>] [-s]
    View kernel table contents. Make output short with the -s switch. List all available tables with fw tab -s. E.g. fw tab -t connections -s: connections table.
avsu_client [-app <app>] get_version
    Get local signature version and status of content security <app>, where <app> can be 'Edge AV', 'URL Filtering' and 'ICS'. Without the -app <app> option 'Anti Virus' is used by default.
avsu_client [-app <app>] fetch_remote
    Check if the signature for <app> is up-to-date. See the previous command for the possible values of <app>.
info device
    View Edge Appliance information (hw, fwl, license..).
info computers
    List active devices behind the Edge Appliance.

Display and manage licenses

cp_conf lic get
    View licenses.
cplic print
    Display more detailed license information.
fw lichosts
    List protected hosts with limited hosts licenses.
dtps lic
    SecureClient Policy Server license summary.
cplic get <ip|host|-all>
    Retrieve all licenses from a certain gateway or all gateways in order to synchronize the license repository on the SmartCenter server with the gateway(s).
cplic put <-l file>
    Install a local license from file to the local machine.
cplic put <obj> <-l file>
    Attach one or more central or local licenses from file remotely to obj.
cprlic
    Remote license management tool.
contract_util mgmt
    Get contracts from the Management Server.

Basic starting and stopping

cpstop
    Stop all Check Point services except cprid. You can also stop specific services by issuing an option with cpstop. For instance cpstop FW1 stops FW-1/VPN-1, or use cpstop WebAccess to stop WebAccess.
cpstart
    Start all Check Point services except cprid. cpstart works with the same options as cpstop.
cprestart
    Combined cpstop and cpstart. Complete restart.
cpridstop
    Stop cprid, the Check Point Remote installation Daemon.
cpridstart
    Start cprid, the Check Point Remote installation Daemon.
cpridrestart
    Combined cpridstop and cpridstart.
fw kill [-t sig] proc_name
    Kill a firewall process. The PID file in $FWDIR/tmp/ must be present. Per default sends signal 15 (SIGTERM). Example: fw kill -t 9 fwm
fw unloadlocal
    Uninstall the local security policy and disable IP forwarding.

Basic configuration tasks (Administrators, Users, SIC, ICA)

cpconfig
    Menu based configuration tool for the most common tasks. Options depend on the installed products and modules.
cp_conf
    Display cp_conf help. Options depend on the installed products and packages.
cp_conf admin add <user> <pass> <perm>
    Add admin user with password pass and permissions perm, where w is read/write access and r is read only. Note: permission w does not allow administration of admin accounts.
cp_admin_convert
    Export admin definitions created in cpconfig to SmartDashboard.
fwm lock_admin -v
    View list of locked administrators.
fwm lock_admin -u <user>
    Unlock admin user. Unlock all with -ua.
cp_conf admin del <user>
    Delete the admin account user.
fwm expdate <dd-mmm-yyyy> [-f <dd-mmm-yyyy>]
    Set a new expiration date for all users or, with -f, for all users matching the expiration date filter: fwm expdate 31-Dec-2020 -f 31-Dec-2010
cp_conf client get
    Display GUI clients list.
cp_conf client <add|del> <ip>
    Add/delete GUI client with IP ip. You can delete multiple clients at once.
fwm sic_reset
    Reset the internal Certificate Authority (ICA) and delete certificates. Initialize the ICA afterwards with cpconfig or cp_conf ca init.
cp_conf sic init <key>
    (Re)initialize SIC.
cpca_client
    Manage parts of the ICA. View, create and revoke certificates, start and stop the ICA Web Management Tool.

View and manage logfiles

fw lslogs
    View a list of available fw logfiles and their size.
fwm logexport
    Export/display the current fw.log to stdout.
fw logswitch [-audit]
    Write the current (audit) logfile to YY-MM-DD-HHMMSS.log and start a new fw.log.
fw log -c <action>
    Show only records with action <action>, e.g. accept, drop, reject etc. Starts from the top of the log, use -t to start a tail at the end.
fw log -f -t
    Tail the actual log file from the end of the log. Without the -t switch it starts from the beginning.
fw log -b <starttime> <endtime>
    View today's log entries between <starttime> and <endtime>. Example: fw log -b 09:00:00 09:15:00
fw fetchlogs -f <file> module
    Fetch a logfile from a remote CP module. NOTICE: The log will be deleted from the remote module. Does not work with the current fw.log.
fwm logexport -i in.log -o out.csv -d "," -p -n
    Export logfile in.log to file out.csv, use "," (comma) as delimiter (CSV) and do not resolve services or hostnames.

fw monitor Examples

The fw monitor packet sniffing tool is part of every FW-1 installation. For more info on this topic see the Check Point guide (http://bit.ly/fwmonref) or see my fw monitor cheat sheet (http://bit.ly/cpfwmon). fw monitor works with Gaia as well.

Display traffic with 192.168.1.12 as SRC or DST on interface ID 2 (list interfaces and corresponding IDs with fw ctl iflist):
    fw monitor -e "accept host(192.168.1.12) and ifid=2;"
Display all packets from 192.168.1.12 to 192.168.3.3:
    fw monitor -e "accept src=192.168.1.12 and dst=192.168.3.3;"
UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip':
    fw monitor -pi ipopt_strip -e "accept udpport(53);"
UDP traffic from or to unprivileged ports, only show post-out:
    fw monitor -m O -e "accept udp and (sport>1023 or dport>1023);"
Display Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12:
    fw monitor -e "accept host(192.168.1.12) and tracert;"
Capture web traffic for VSX virtual system ID 23:
    fw monitor -v 23 -e "accept tcpport(80);"
Capture traffic on a SecuRemote/SecureClient client into a file. srfw.exe is in $SRDIR\bin (C:\Program Files\CheckPoint\SecuRemote\bin):
    srfw monitor -o output_file.cap
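As an added example (not part of the reference card), the filtering that fw log -c <action> and fw log -b <starttime> <endtime> perform on the box, reproduced offline in Python over a constructed fwm logexport -d "," -p -n output. The field names in the header line are an assumption about the export format; the records are made up.

```python
import csv
from collections import Counter

# Constructed sample of what 'fwm logexport -i in.log -o out.csv -d "," -p -n' emits:
# a header line naming the fields, then one record per line, "," delimited, with
# services and hosts left numeric because of -p and -n. The field set is an assumption.
SAMPLE_EXPORT = """\
num,date,time,orig,type,action,i/f_name,i/f_dir,proto,src,dst,service,s_port,rule
1,24Jul2012,09:00:01,192.168.1.1,log,accept,eth0,inbound,tcp,192.168.1.12,192.168.3.3,80,51234,5
2,24Jul2012,09:00:02,192.168.1.1,log,drop,eth0,inbound,udp,10.0.0.7,192.168.3.3,53,41000,20
3,24Jul2012,09:01:10,192.168.1.1,log,drop,eth0,inbound,udp,10.0.0.7,192.168.3.3,53,41001,20
4,24Jul2012,09:05:00,192.168.1.1,log,reject,eth1,inbound,tcp,192.168.1.12,10.0.0.7,22,51300,12
5,24Jul2012,09:14:59,192.168.1.1,log,drop,eth0,inbound,tcp,172.16.5.5,192.168.3.3,445,3401,20
6,24Jul2012,09:15:00,192.168.1.1,log,accept,eth1,outbound,udp,192.168.1.12,192.168.1.1,53,5353,3
"""


def parse_export(text, delimiter=","):
    """Read the export into a list of dicts keyed by the header's field names."""
    return list(csv.DictReader(text.splitlines(), delimiter=delimiter))


def records_with_action(records, action):
    """Offline equivalent of 'fw log -c <action>': keep only records with that action."""
    return [r for r in records if r["action"] == action]


def records_between(records, start, end):
    """Offline equivalent of 'fw log -b <starttime> <endtime>' for HH:MM:SS times
    (both ends inclusive). Zero-padded time strings compare correctly as text."""
    return [r for r in records if start <= r["time"] <= end]


def top_sources(records, action="drop", limit=3):
    """Sources with the most records of one action, e.g. who gets dropped most often."""
    hits = Counter(r["src"] for r in records_with_action(records, action))
    return hits.most_common(limit)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print(f"{len(records_with_action(recs, 'drop'))} drops of {len(recs)} records")
    for src, n in top_sources(recs):
        print(f"{n:4d} drops from {src}")
```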

Licensed under Creative Commons BY-NC-SA. SecurePlatform, SofaWare, SmartCenter, ClusterXL, SecureXL, FloodGate-1, Provider-1, VSX, IPSO, VPN-1 UTM-1 Edge and Gaia are all registered trademarks of Check Point Software Technologies, Ltd.

Gaia clish

ver
    Show Gaia version.
show configuration
    Show running configuration.
save config
    Save running configuration.
history
    Show command history.
show commands
    Show all commands you are allowed to run.
lock database override
    Acquire read/write access to the database.
start transaction
    Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit, or discarded if you exit with rollback.
show version os edition
    Show which OS edition (32 or 64-bit) is running.
set edition default 32-bit|64-bit
    Switch between 32 and 64-bit kernel. 64-bit needs at least 6GB of RAM (or 1GB running in a VM).
expert
    Switch to bash and expert mode.
show extended commands
    Show all defined extended (OS level) commands.
add command df path /bin/df description "list free hdd space"
    Add f.i. the Linux command df to the list of extended commands. You can also use all options of an extended command from within clish: clish> df -h

Provider-1

mdsconfig
    MDS replacement for cpconfig.
p1shell
    Start the P1Shell if it's not the default shell.
mdsenv [dms_name]
    Set the environment variables for MDS or DMS level.
mdsstart [-m|-s]
    Start the MDS and all DMS (10 at a time). Start only the MDS with -m, or the DMS subsequently with -s.
mdsstop [-m]
    Stop the MDS and all DMS, or with -m just the MDS.
mdsstat [dms_name]|[-m]
    Show status of the MDS and all DMS or of a certain customer's DMS. Use -m for MDS status only.
cpinfo -c <dms>
    Create a cpinfo for the customer DMS <dms>. Remember to run mdsenv <dms> in advance.
mcd <dir>
    Quick cd to $FWDIR/<dir> of the current DMS.
mdsstart_customer <dms>
    Start DMS dms.
mdsstop_customer <dms>
    Stop DMS dms.
mds_backup [-l] [-d directory]
    Backup binaries and data to the current directory. Change the output directory with -d, exclude logs with -l. You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat.
./mds_restore <file>
    Restore an MDS backup from file. Notice: you may need to copy mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the directory with the backup file. Normally, mds_backup does this during backup.
mdscmd <subcmds> [-m mds -u user -p pass]
    Connect to a (remote) MDS as CPMI client and configure or manage it. See mdscmd help.
vsx_util <subcommand>
    Perform VSX maintenance from the main DMS. See vsx_util -h for subcommands.

SecurePlatform cpshell

cd_ver or ver
    View SecurePlatform build number.
sysconfig
    SPLAT OS configuration and CP software installation tool.
webui <enable [port]|disable>
    Enable the WebUI on HTTPS port 443 or port [port], or disable the WebUI.
showusers
    Display a list of configured SecurePlatform administrators.
adduser <user>
    Add an admin account. Delete with deluser <user>.
backup
    Backup the system config to /var/CPbackup/backups/, file backup_host.domain_DD_MM_YYYY_hh_mm.tgz. backup works with the following switches:
    --scp <ip> <user> <pass> -path <path> <file>
    --tftp <ip> -path </tftpboot/subdir> <file>
    --ftp <ip> <user> <pass> -path <path> <file>
    If you do not specify file or path, the default naming scheme and/or the homedir of the account will be used. A relative path results in a backup to a subdirectory of home.
restore <file>
    Restores a backup from file <file>. Pretty much works with the same switches as backup.
snapshot
    Take a snapshot of the entire system. Without options it's menu based. Note: cpstop is issued! Examples:
    snapshot --file <file>
    snapshot --tftp <ip> <file>
    snapshot --scp <ip> <user> <pass> <file>
    snapshot --ftp <ip> <user> <pass> <file>
revert
    Reboot the system from a snapshot. Same switches as snapshot.
patch add cd <patch>
    Install the patch <patch> from CD.
addarp <ip> <MAC>
    Add a static ARP entry for ip. Survives a reboot. Use delarp with the same syntax to delete an ARP entry.
dns [add|del <ip>]
    View DNS server settings or add/delete DNS servers.
log list
    Show index of available system and error log files.
log show <nr>
    View log file number <nr> from the log list index.
passwd
    Change password. In standard mode (cpshell) it changes the admin password; in expert mode passwd is an alias for /bin/expert_passwd and changes only the expert password. As expert use /usr/bin/passwd <user> for other users.
chsh -s /bin/bash admin
    Change the login shell for the user admin so that it is always in expert mode after login.

IPSO clish

(Better go and read the documentation. Clish is mighty ;) You can enter clish commands either in the clish itself or from the shell using clish [-s] -c "<command>". The -s option runs save config afterwards.

show summary
    Show system configuration summary.
show asset hardware
    Show hardware information. See also the output of ipsctl -a and cat /var/etc/.nvram.
show images
    Show available IPSO images.
show image current
    Show the current IPSO image.
show package all|active
    Show all available/active packages.
show interfaces
    Show all interfaces and their configuration.
set package name <name> <on|off>
    Activate or deactivate a package.
set ssh server log-level <level>
    Set sshd log verbosity to quiet, fatal, error, info (default), verbose or debug.
show vrrp [interfaces]
    View VRRP (interface) status.
reboot image <img> save
    Reboot into <img> and run save before booting.
rm /config/active
    Kind of a factory default reset. Reboot afterwards.
set voyager daemon-enable <1|0> ssl-port 8443 ssl-level 168
    Enable (or disable) Voyager on SSL port 8443 using 3DES crypto. Also works with true, false, on or off. save config afterwards.

ClusterXL

cp_conf ha enable|disable [norestart]
    Enable or disable HA.
cphastart / cphastop
    Enable/disable ClusterXL on the cluster member. Issued on a cluster member running in HA Legacy Mode, cphastop might stop the entire cluster.
fw hastat
    View HA state of the local machine.
cphaprob state
    View HA state of all cluster members.
cphaprob -a if
    View interface status.
cphaprob -ia list
    View list and state of critical cluster devices.
cphaprob syncstat
    View sync transport layer statistics. Reset with -reset.
cphaconf set_ccp <broadcast|multicast>
    Configure the Cluster Control Protocol (CCP) to use broadcast or multicast messages. By default set to multicast. The setting survives a reboot.
clusterXL_admin [-p] <up|down>
    Perform a graceful manual failover by registering a faildevice. Survives a reboot with the -p switch set.
Note: DO NOT run any cphaconf commands other than cphaconf set_ccp.

VSX R67 (the R75.40VS Expert Mode equivalent follows the slash)

vsx stat [-v] [-l] [id]
    Show VSX status. Verbose with -v, interface list with -l, or status of a single VS with VS ID <id>.
vsx get / vsenv
    View the current shell context.
vsx set <id> / vsenv <id>
    Set the context to the VS with ID <id>.
vsx sic reset <id> / vsx sicreset
    Reset SIC for VS <id>. For details see sk34098. In R75.40VS, reset SIC in the current context.
cpinfo -x <vs>
    Start cpinfo collecting data for VS ID <vs>.
vpn -vs <id> debug trunc
    Empty & stamp logs, enable IKE & VPN debug.
fw -vs <id> getifs
    View the driver interface list for a VS. You can also use the VS name instead of -vs <id>.
fw tab -vs <id> -t <table>
    View state tables for virtual system <id>.
fw monitor -v <id> -e "accept;"
    View traffic for the virtual system with ID <id>. Attn: with fw monitor use -v instead of -vs.
cphaprob -vs <id> state
    View HA state for virtual system id when "Per Virtual System HA" mode is configured.
cphaprob -vs <id> register
    Register a faildevice and switch VS <id> to the next cluster member (only in Per VS HA/VSLS).
<linux_command> -z <id>, traceroute -Z <id>
    In R67 set the context for ifconfig, ip, arp, ping or netstat. Uppercase "Z" for traceroute.
In general, a lot of Check Point's commands do understand the -vs <id> switch.

VPN / VPN Debugging

vpn ver [-k]
    Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for the kernel version.
vpn tu
    Start the menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.
vpn shell
    Start the VPN shell.
vpn debug ikeon|ikeoff
    Debug IKE into $FWDIR/log/ike.elg.
vpn debug on|off
    Debug VPN into $FWDIR/log/vpnd.elg.
vpn debug trunc
    Truncate and stamp logs, enable IKE & VPN debug.
vpn drv stat
    Show status of the VPN-1 kernel module.
vpn overlap_encdom
    Show, if any, overlapping VPN domains.
vpn macutil <user>
    Show the MAC for SecuRemote user <user>.
You can analyze the generated files ike.elg and vpnd.elg with the IKEView tool provided by Check Point.