Check Point CLI Cheat Sheet/Reference Card, Current version available at http://bit.ly/fw1cli. Licensed under Creative Commons BY – NC – SA License. FireWall-1, Provider-1 and VSX are a registered trademarks of Check Point Software Technologies, Ltd.
ClusterXL

cp_conf ha enable|disable [norestart]
    Enable or disable HA.
cphastop
    Disable ClusterXL on the cluster member. Issued on a cluster member running in HA Legacy Mode, cphastop might stop the entire cluster.
cphastart
    Activate ClusterXL on this cluster member.
fw hastat
    View HA state of local machine.
cphaprob state
    View HA state of all cluster members.
cphaprob -a if
    View interface status.
cphaprob -ia list
    View list and state of critical cluster devices.
cphaprob syncstat
    View sync transport layer statistics. Reset with -reset.
cphaconf set_ccp <broadcast|multicast>
    Configure Cluster Control Protocol (CCP) to use unicast or multicast messages. By default set to multicast. Setting survives reboot.
    Note: DO NOT run any other cphaconf commands other than set_ccp.

VSX

fw -vs <id> getifs
    View driver interface list for a VS. You can also use the VS name instead of -vs <id>.
vsx stat [-v] [-l] [id]
    Display VSX status. Verbose output with -v, interface list with -l, or status of a single system with VS ID <id>.
vsx get
    View current shell context.
vsx set <id>
    Set context to VS with the ID <id>.
vsx sic reset <id>
    Reset SIC for VS ID <id>.
fw tab -vs <id> -t <table>
    View state tables for virtual system <id>.
fw monitor -vs <id> -e 'accept;'
    View traffic for virtual system with ID <id>.
In general, a lot of Check Point's commands do understand the -vs <id> switch.

Provider-1

mdsenv [cma_name]
    Set the environment variables for MDS or CMA level.
mdsstart [-m|-s]
    Starts the MDS and all CMAs (10 at a time). Start only the MDS with -m or the CMAs subsequently with -s.
mdsstop [-m]
    Stop MDS and all CMAs, or with -m just the MDS.
mdsstat [cma_name]|[-m]
    Show status of the MDS and all CMAs or a certain customer's CMA. Use -m for only MDS status.
mcd <directory>
    Quick cd to $FWDIR/<directory> of the current CMA.
mds_backup
    Backup binaries and data to current directory. You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat.
mds_restore <file>
    Restore MDS backup from file. Notice: you may need to copy mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the directory with the backup file. Normally, mds_backup does this during backup.
mdsstop_customer <cma>
    Stop CMA. Run mdsenv <cma> before.
mdsstart_customer <cma>
    Start CMA. Run mdsenv <cma> before.
mdsconfig
    MDS replacement for cpconfig.
cpinfo -c <cma>
    Create a cpinfo for the customer CMA <cma>. Remember to run mdsenv <cma> in advance.

VPN & VPN Debugging

vpn ver
    Check VPN-1 major and minor version as well as build number and latest installed hotfix. Use the switch -k for additional kernel version.
vpn tu
    Start menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.
vpn shell
    Start the VPN shell.
vpn debug ikeon|ikeoff
    Debug IKE into $FWDIR/log/ike.elg.
vpn debug on|off
    Debug VPN into $FWDIR/log/vpnd.elg.
vpn debug trunc
    Truncate and stamp logs, enable IKE & VPN debug.
vpn drv stat
    Show status of VPN-1 kernel module.
vpn overlap_encdom
    Show, if any, overlapping VPN domains.
vpn macutil <user>
    Show MAC for SecuRemote user <user>.

Secure Platform

webui enable [port]
webui disable
    Enable the WebUI on HTTPS port 443 or port [port], or disable the WebUI.
backup
    Backup system config to /var/CPbackup/backups file backup_host.domain_DD_MM_YYYY_hh_mm.tgz. Also backup works with the following switches:
        --scp ip user pass --path /remote/path file
        --tftp ip --path tftpboot/subdir file
        --ftp ip user pass
    If you do not specify file or path, the default naming scheme and/or homedir of the account will be used. A relative path results in a backup to a subdir of home.
restore <file>
    Restores a backup from file <file>. Pretty much works with the same switches as backup.
snapshot
    Take a snapshot of the entire system. Examples:
        snapshot --file file
        snapshot --tftp ip file
        snapshot --scp user pass file
        snapshot --ftp user pass file
revert
    Reboot system from a snapshot file. Same switches as snapshot.
patch add cd <patch>
    Install the patch <patch> from CD.
cd_ver or ver
    View Secure Platform build number.
sysconfig
    Configure Secure Platform OS like hostname, DNS, interfaces and routing, NTP.
addarp <ip> <MAC>
    Add a static ARP entry for ip. Survives a reboot.
delarp <ip> <MAC>
    Delete the static ARP entry for ip.
log list
    Show index of available log files.
log show <nr>
    View log file number <nr> from the index.
passwd
    Change login password. In expert mode it changes the expert pass; in standard mode this will change the admin pass. Use /usr/bin/passwd <user> in expert mode.

Notes (will most probably be replaced by FW Debugging and/or SAM)

fw monitor

fw monitor, Check Point's packet sniffing tool, is part of every FW-1 installation, independent from the underlying platform. Also the syntax is the same for all available platforms. See my fw monitor cheat sheet (http://bit.ly/cpfwmon) or read the Check Point guide (http://bit.ly/fwmonref) for detailed info on this topic.

fw monitor Examples:

# packets with IP 192.168.1.12 as SRC or DST
fw monitor -e 'accept host(192.168.1.12);'

# all packets from 192.168.1.12 to 192.168.3.3
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'

# UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip'
fw monitor -pi ipopt_strip -e 'accept udpport(53);'

# UDP traffic from or to unprivileged ports, only show post-out
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'

# Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12
fw monitor -e 'accept host(192.168.1.12) and tracert;'

# Capture web traffic for VSX virtual system ID 23
fw monitor -vs 23 -e 'accept tcpport(80);'

# Capture traffic on a SecuRemote/SecureClient client into a file.
# srfw.exe in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)
srfw monitor -o output_file.cap