
Check Point CLI Reference Card & Cheat Sheet – v 0.5

by Jens Roesen

Preface and little warning

This small cheat sheet is intended as a brief reference with some practical examples for your daily work. Although most of the commands mentioned are meant for information gathering purposes or debugging rather than configuration issues, you should be careful and know what you are doing. A full reference to the Check Point CLI can be found at the Check Point Support Center: http://www.checkpoint.com/support/technical/documents

I've sorted the commands and examples mostly by purpose and not by product or alphabetically. Some may reoccur.

Environment variables

It's useful to know some of the environment variables set and needed by FW-1. Below are some of the most commonly used. Depending on your installation there will be more. Check the env output for more information.

$FWDIR
  FW-1 installation directory, with for instance the conf, log, lib, bin and spool directories. You will mostly work in this tree.
$CPDIR
  SVN Foundation / cpshared tree.
$CPMDIR
  Management server installation directory.
$FGDIR
  FloodGate-1 installation directory.
$MDSDIR
  MDS installation directory. Same as $FWDIR on MDS level.
$FW_BOOT_DIR
  Directory with files needed at boot time.

Basic starting and stopping

cpstop
  Stop all Check Point services except cprid. You can also stop specific services by issuing an option with cpstop. For instance cpstop FW1 stops FW-1/VPN-1 or use cpstop WebAccess to stop WebAccess.
cpstart
  Start all Check Point services except cprid. cpstart works with the same options as cpstop.
cprestart
  Combined cpstop and cpstart. Complete restart.
fwstop
  Stop only FW-1/VPN-1, Management daemon fwm if installed with running daemons and auth servers.
fwstart
  Start only FW-1/VPN-1 fwd, Management daemon fwm if installed, required daemons and auth servers.
cpridstop
  Stop cprid, the Check Point Remote installation Daemon.
cpridstart
  Start cprid, the Check Point Remote installation Daemon.
cpridrestart
  Combined cpridstop and cpridstart.
fw unloadlocal
  Uninstall local security policy.

Basic firewall information gathering

fw ver
  Check FW-1/VPN-1 major and minor version as well as build number and latest installed hotfix.
fwm ver
  Check management module major and minor version as well as build number and latest installed hotfix.
vpn ver
  Check VPN-1 major and minor version as well as build number and latest installed hotfix. Use the switch -k for additional kernel version.
cpshared_ver
  Show the version of the SVN Foundation module.
fw stat
  Show the name of the currently installed policy as well as a brief interface list. Can be used with the -long or -short switch for more information.
fwm -p
  List administrator accounts.
cpwd_admin list
  Display process information about CP processes monitored by the CP WatchDog.
fw ctl iflist
  Display interface list.
fw ctl arp
  Display proxy arp table.
fw ctl pstat
  Display internal statistics including information about memory, inspect, connections and NAT.
fw ctl chain
  Displays in and out chain of CP Modules. Useful for placing fw monitor into the chain with the -p option.
fw ctl zdebug drop
  Real time listing of dropped packets.
cpstat <app_flag> [-f flavour]
  Display status of the CP applications. Command has to be used with an application flag app_flag and an optional flavour. Issue cpstat without any options to see all possible application flags and corresponding flavours. Examples:
  cpstat fw -f policy: policy information with dropped, rejected and accepted packets information
  cpstat fw -f sync: Synchronisation statistics
  cpstat os -f cpu: CPU utilization statistics
  cpstat os -f memory: Memory usage info
cp_conf sic state
  Display current SIC trust state.
cp_conf lic get
  View licenses.
cp_conf finger get
  Display fingerprint. Only works on the management module.
cp_conf client get
  Display GUI clients list.
cp_conf admin get
  Display admin accounts and permissions.
cp_conf auto get all
  Display auto state of all products. Also works with fw1, fg1 and rm instead of all.
cpinfo -z -o <file>
  Create a compressed cpinfo file to open with InfoView utility or to send to Check Point support.
fw hastat
  View HA state of local machine.
cphaprob state
  View HA state of all cluster members.
vpn overlap_encdom
  Show, if any, overlapping VPN domains.
fw tab -t <tbl> [-s]
  View kernel table contents. Make output short with -s switch. List all available tables with fw tab -s. E.g. fw tab -t connections -s for the connections table.
avsu_client [-app <app>] get_version
  Get local signature version and status of content security <app> where <app> can be "Edge AV", "URL Filtering" and "ICS". Without the -app <app> option the default app "Anti Virus" is used.
avsu_client [-app <app>] fetch_remote -fi
  Check if signature for <app> is up-to-date.

View and manage logfiles

fw lslogs
  View a list of available logfiles and sizes.
fw logswitch
  Write the current logfile to YY-MM-DD-HHMMSS.log and start a new fw.log.
fw fetchlogs -f file
  Fetch a logfile from a remote CP module. NOTICE: The log will be moved, hence deleted from the remote module. Does not work with current fw.log.
fw log -f -t
  Tail the current log file from the end of the log. Without the -t switch it starts from the beginning.
fw log -b <starttime> <endtime>
  View today's log entries between <starttime> and <endtime> with time format being HH:MM:SS. Example: fw log -b 09:00:00 09:15:00
fw log -c <action>
  Show only records with action <action>, e.g. accept, drop, reject etc. Starts from the top of the log, use -t to start a tail at the end.
fwm logexport
  Export/display current fw.log to stdout.
fwm logexport -i in.log -o out.csv -d ',' -p -n
  Export logfile in.log to file out.csv, use , (comma) as delimiter (CSV) and do not resolve services or hosts.

Display and manage licenses

cp_conf lic get
  View licenses. Same info as cplic db_print -all -x
cplic print
  Display more detailed license information.
fw lichosts
  List protected hosts with limited hosts licenses.
dtps lic
  SecureClient Policy Server license summary.
cplic del <sig> <obj>
  Delete CP license with signature sig from object obj.
cplic get <ip host|-all>
  Retrieve all licenses from a certain gateway or all gateways in order to synchronize license repository on the SmartCenter server with the gateway(s).
cplic put <-l file>
  Install local license from file to a local machine.
cplic put <obj> <-l file>
  Attach one or more central or local licenses from file remotely to obj.
cprlic
  Remote license management tool.

Basic configuration tasks

cpconfig
  Menu based configuration tool for the most common tasks like adding/removing admin accounts or GUI clients, managing licenses, SIC and so on. Options depend on the installed products and packages.
cp_conf -h
  Display cp_conf help. Options depend on the installed products and packages.
cp_conf admin add <user> <pass> <perm>
  Add admin user with password pass and permissions perm where w is read/write access and r is read only. Note: permission w does not allow administration of admin accounts.
cp_admin_convert
  Export admin definitions created in cpconfig to SmartDashboard.
cp_conf admin del <user>
  Delete the admin account user.
cp_conf client get
  Display GUI clients list.
cp_conf client add <ip>
  Add GUI client with IP ip.
cp_conf client del <ip>
  Delete the GUI client with IP ip. You can delete multiple clients at once.
cp_conf sic state
  Display current SIC trust state.
cp_conf sic reset
  Reset SIC.
cp_conf sic init <key>
  Initialize SIC.
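
As an added example (not part of the original cheat sheet), the following Python script summarises a CSV written by fwm logexport -i in.log -o out.csv -d ',' -p -n from the logfile commands above: it counts dropped and rejected records per source and flags sources blocked on several distinct destination/service pairs. The header names (action, src, dst, service), the function name and the sample rows are assumptions constructed for illustration; check them against the header row of your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample shaped like `fwm logexport -d ',' -p -n` output.
# Assumption: row 1 is a header that names the columns used below.
SAMPLE_EXPORT = """\
num,date,time,orig,action,src,dst,proto,service
1,12Mar2010,09:00:01,fw1,accept,192.168.1.12,192.168.3.3,tcp,80
2,12Mar2010,09:00:02,fw1,drop,192.168.1.50,192.168.3.3,tcp,445
3,12Mar2010,09:00:02,fw1,drop,192.168.1.50,192.168.3.3,tcp,139
4,12Mar2010,09:00:03,fw1,drop,192.168.1.50,192.168.3.4,tcp,3389
5,12Mar2010,09:00:04,fw1,reject,192.168.1.77,192.168.3.3,udp,53
6,12Mar2010,09:00:05,fw1,drop,192.168.1.77,192.168.3.3,udp,53
"""

REQUIRED = ("action", "src", "dst", "service")


def summarize_blocked(export_text, actions=("drop", "reject"), target_threshold=3):
    """Count blocked records per source and flag sources hitting many targets."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter=",")
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("export lacks column(s): " + ", ".join(missing))

    per_source = Counter()
    targets = defaultdict(set)  # src -> {(dst, service)} seen in blocked records
    for row in reader:
        # Short rows yield None for absent fields, hence the `or ""` guards.
        if (row["action"] or "").strip().lower() not in actions:
            continue
        src = (row["src"] or "").strip()
        per_source[src] += 1
        targets[src].add(((row["dst"] or "").strip(), (row["service"] or "").strip()))

    # Many distinct dst/service pairs from one source looks like a sweep;
    # repeated hits on a single pair is more often a misconfigured client.
    sweeps = sorted(s for s, t in targets.items() if len(t) >= target_threshold)
    return per_source.most_common(), sweeps


if __name__ == "__main__":
    counts, sweeps = summarize_blocked(SAMPLE_EXPORT)
    for src, n in counts:
        note = "  <- many distinct targets" if src in sweeps else ""
        print(f"{src:15} {n} blocked{note}")
```
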

Check Point CLI Cheat Sheet/Reference Card, Current version available at http://bit.ly/fw1cli. Licensed under Creative Commons BY – NC – SA License. FireWall-1, Provider-1 and VSX are a registered trademarks of Check Point Software Technologies, Ltd.
Cluster XL

cp_conf ha enable|disable [norestart]
  Enable or disable HA.
cphastop
  Disable ClusterXL on the cluster member. Issued on a cluster member running in HA Legacy Mode cphastop might stop the entire cluster.
cphastart
  Activate ClusterXL on this cluster member.
fw hastat
  View HA state of local machine.
cphaprob state
  View HA state of all cluster members.
cphaprob -a if
  View interface status.
cphaprob -ia list
  View list and state of critical cluster devices.
cphaprob syncstat
  View sync transport layer statistics. Reset with -reset.
cphaconf set_ccp <broadcast|multicast>
  Configure Cluster Control Protocol (CCP) to use unicast or multicast messages. By default set to multicast. Setting survives reboot.

Note: DO NOT run any other cphaconf commands other than set_ccp.

Secure Platform

webui enable [port]
webui disable
  Enable the WebUI on HTTPS port 443 or port [port] or disable the WebUI.
backup
  Backup system config to /var/CPbackup/backups file backup_host.domain_DD_MM_YYYY_hh_mm.tgz. Also backup works with the following switches:
  --scp ip user pass --path /remote/path file
  --tftp ip --path tftpboot/subdir file
  --ftp ip user pass
  If you do not specify file or path the default naming scheme and/or homedir of the account will be used. A relative path results in a backup to a subdir of home.
restore <file>
  Restores a backup from file file. Pretty much works with the same switches as backup.
snapshot
  Take a snapshot of the entire system. Examples:
  snapshot --file file
  snapshot --tftp ip file
  snapshot --scp user pass file
  snapshot --ftp user pass file
revert
  Reboot system from a snapshot file. Same switches as snapshot.
patch add cd <patch>
  Install the patch <patch> from CD.
cd_ver or ver
  View Secure Platform build number.
sysconfig
  Configure Secure Platform OS like hostname, DNS, interfaces and routing, NTP.
addarp <ip> <MAC>
  Add a static ARP entry for ip. Survives a reboot.
delarp <ip> <MAC>
  Delete the static ARP entry for ip.
log list
  Show index of available log files.
log show <nr>
  View log file number <nr> from the index.
passwd
  Change login password. In expert mode it changes expert pass, in standard mode this will change the admin pass. Use /usr/bin/passwd <user> in expert mode.

VSX

fw -vs <id> getifs
  View driver interface list for a VS. You can also use the VS name instead of -vs <id>.
vsx stat [-v] [-l] [id]
  Display VSX status. Verbose output with -v, interface list with -l or status of single system with VS ID <id>.
vsx get
  View current shell context.
vsx set <id>
  Set context to VS with the ID <id>.
vsx sic reset <id>
  Reset SIC for VS ID <id>.
fw tab -vs <id> -t <table>
  View state tables for virtual system <id>.
fw monitor -vs <id> -e 'accept;'
  View traffic for virtual system with ID <id>.

In general, a lot of Check Point's commands do understand the -vs <id> switch.

VPN & VPN Debugging

vpn ver
  Check VPN-1 major and minor version as well as build number and latest installed hotfix. Use the switch -k for additional kernel version.
vpn tu
  Start menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.
vpn shell
  Start the VPN shell.
vpn debug ikeon|ikeoff
  Debug IKE into $FWDIR/log/ike.elg
vpn debug on|off
  Debug VPN into $FWDIR/log/vpnd.elg
vpn debug trunc
  Truncate and stamp logs, enable IKE & VPN debug.
vpn drv stat
  Show status of VPN-1 kernel module.
vpn overlap_encdom
  Show, if any, overlapping VPN domains.
vpn macutil <user>
  Show MAC for Secure Remote user <user>.

fw monitor

fw monitor, Check Point's packet sniffing tool, is part of every FW-1 installation, independent from the underlying platform. Also the syntax is the same for all available platforms. See my fw monitor cheat sheet (http://bit.ly/cpfwmon) or read the Check Point guide (http://bit.ly/fwmonref) for detailed info on this topic.

fw monitor Examples:

# packets with IP 192.168.1.12 as SRC or DST
fw monitor -e 'accept host(192.168.1.12);'

# all packets from 192.168.1.12 to 192.168.3.3
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'

# UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip'
fw monitor -pi ipopt_strip -e 'accept udpport(53);'

# UDP traffic from or to unprivileged ports, only show post-out
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'

# Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12
fw monitor -e 'accept host(192.168.1.12) and tracert;'

# Capture web traffic for VSX virtual system ID 23
fw monitor -vs 23 -e 'accept tcpport(80);'

# Capture traffic on a SecuRemote/SecureClient client into a file.
# srfw.exe in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)
srfw monitor -o output_file.cap

Provider-1

mdsenv [cma_name]
  Set the environment variables for MDS or CMA level.
mdsstart [-m|-s]
  Starts the MDS and all CMAs (10 at a time). Start only the MDS with -m or the CMAs subsequently with -s.
mdsstop [-m]
  Stop MDS and all CMAs or with -m just the MDS.
mdsstat [cma_name]|[-m]
  Show status of the MDS and all CMAs or a certain customer's CMA. Use -m for only MDS status.
mcd <directory>
  Quick cd to $FWDIR/<directory> of the current CMA.
mds_backup
  Backup binaries and data to current directory. You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat.
mds_restore <file>
  Restore MDS backup from file. Notice: you may need to copy mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the directory with the backup file. Normally, mds_backup does this during backup.
mdsstop_customer <cma>
  Stop CMA. Run mdsenv <cma> before.
mdsstart_customer <cma>
  Start CMA. Run mdsenv <cma> before.
mdsconfig
  MDS replacement for cpconfig.
cpinfo -c <cma>
  Create a cpinfo for the customer cma <cma>. Remember to run mdsenv <cma> in advance.

Notes (will most probably be replaced by FW Debugging and/or SAM)
