cp_conf snmp

Description Activate or deactivate SNMP.

Syntax

> cp_conf snmp get # Get SNMP Extension status.
> cp_conf snmp {activate|deactivate} [norestart] # Deactivate SNMP Extension.

cp_conf auto

Description Configure the Security Gateway and Security Management Server products that start automatically when the appliance or server reboots.

Syntax

> cp_conf auto get [fw1] [fg1] [rm] [all]
> cp_conf auto {enable|disable} <product1> <product2>...

cp_conf sxl

Description Enable or disable SecureXL acceleration.

Syntax

> cp_conf sxl {enable|disable}

cpconfig

Description Run a command line version of the Check Point Configuration Tool. This tool is used to configure an installed Check Point product. The options shown depend on the installed configuration and products. Amongst others, these options include:

• Licenses and contracts - Modify the necessary Check Point licenses and contracts.
• Administrator - Modify the administrator authorized to connect to the Security Management server.
• GUI Clients - Modify the list of SmartConsole Client machines from which the administrators are authorized to connect to a Security Management server.
• SNMP Extension - Configure the SNMP daemon. The SNMP daemon enables SecurePlatform to export its status to external network management tools.
• PKCS #11 Token - Register a cryptographic token, for use by SecurePlatform; see details of the token, and test its functionality.
• Random Pool - Configure the RSA keys, to be used by SecurePlatform.
• Certificate Authority - Install the Certificate Authority on the Security Management server in a first-time installation.
• Secure Internal Communication - Set up trust between the gateway on which this command is being run and the Security Management server.
• Certificate's Fingerprint - Display the fingerprint which will be used on first-time launch to verify the identity of the Security Management server being accessed by the SmartConsole. This fingerprint is a text string derived from the Security Management server's certificate.
• Automatic Start of Check Point Products - Specify whether Check Point Security Gateways will start automatically at boot time.

Syntax `

> cpconfig

Further Info. See the R76 Installation and Upgrade Guide.

cpinfo

Description - CPinfo is a utility that collects data on a machine at the time of execution. The CPinfo output file enables Check Point's support engineers to analyze setups from a remote location. Engineers can open the CPinfo file in demo mode, while viewing real Security Policies and objects. This allows for in-depth analysis of all of configuration options and environment settings.

Syntax

> cpinfo [-v] [-l] [-n] [-o ] [-r | -t [tablename]] [-c <domain> ... | -x <vs>]

Further Info. SecureKnowledge solution sk30567.

cplic

The cplic command and all its derivatives relate to Check Point license management.

All cplic commands are located in $CPDIR/bin. License Management is divided into three types of commands:

• Local licensing commands are executed on local machines.
• Remote licensing commands are commands which affect remote machines are executed on the Security Management Server.
• License repository commands are executed on the Security Management Server.

cplic check

Description Check whether the license on the local machine will allow a given feature to be used.

Syntax

> cplic check [-p <product>] [-v <version>] [-c count] [-t <date>] [-r routers] [-S SRusers] <feature>

cplic db_add

Description Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, central licenses need to undergo the attachment process.

This command is a license repository command, it can only be executed on the Security Management server.

Syntax

> cplic db_add -l <license-file> [<host>] [<expiration-date>] [<signature>] [<SKU/features >]

Example If the file 192.0.2.11.lic contains one or more licenses, the command: cplic db_add -l 192.0.2.11.lic will produce output similar to the following:

cplic db_print

Description Displays the details of Check Point licenses stored in the license repository on the Security Management Server.

Syntax

> cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached]

Comments This command is a license repository command, it can only be executed on the Security Management server.

cplic db_rm

Description The cplic db_rm command removes a license from the license repository on the Security Management server. It can be executed ONLY after the license was detached using the cplic del command. Once the license has been removed from the repository, it can no longer be used.

Syntax

> cplic db_rm <signature>

Example cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

Comments This command is a license repository command, it can only be executed on the Security Management server.

cplic del

Description Delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. Used for both local and remote machines

Syntax

> cplic del [-F <output file>] <signature> <object name>

cplic del <object name>

Description Detach a Central license from a Check Point Security Gateway. When this command is executed, the license repository is automatically updated. The Central license remains in the repository as an unattached license. This command can be executed only on a Security Management server.

Syntax

> cplic del <object name> [-F <outputfile>] [-ip <dynamic ip>] <signature>

Comments This is a Remote Licensing command which affects remote machines that is executed on the Security Management server.

cplic get

Description The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. This command helps you to synchronize the repository with the Check Point Security Gateways. When the command is run, all local changes are updated.

Syntax

> cplic get {<ipaddr>|<hostname>|-all} [-v41]

Example If the Check Point Security Gateway with the object name caruso contains four Local licenses, and the license repository contains two other Local licenses, the command: cplic get caruso produces output similar to the following:

Get retrieved 4 licenses.
Get removed 2 licenses.

Comments This is a Remote Licensing Command which affects remote machines that is executed on the Security Management Server.

cplic put

Description Install one or more Local licenses on a local machine.

Syntax

> cplic put [-o|-overwrite] [-c|-check-only] [-s|-select] [-F <output file>] [-P|-Pre-boot] [-k|-kernel-only] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature>]

Comments Copy and paste the following parameters from the license received from the User Center.

• host - One of the following:

All platforms - The IP address of the external interface (in dot notation); last part cannot be 0 or 255.

Solaris2 - The response to the hostid command (beginning with 0x).

• expiration date - The license expiration date. Can be never.
• signature -The License signature string. For example:

  aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional.)

• SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab

Example cplic put -l 215.153.142.130.lic produces output similar to the following:

Host             Expiration SKU

215.153.142.130  26Dec2001  CPMP-EVAL-1-3DES-NG CK0123456789ab

cplic put <object name> ...

Description Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated.

Syntax

> cplic put <object name> [-ip dynamic ip] [-F <output file>]
-l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature>

Comments This is a Remote Licensing Command which affects remote machines that is executed on the Security Management server.

Copy and paste the following parameters from the license received from the User Center. More than one license can be attached.

• host - the target hostname or IP address.
• expiration date - The license expiration date. Can be never.
• signature -The License signature string. For example:

  aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)

• SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab

cplic print

Description The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine.

Syntax

> cplic print [-n|-noheader][-x prints signatures][-t type][-F <outputfile>] [‑p preatures]

Comments On a Check Point gateway, this command will print all licenses that are installed on the local machine — both Local and Central licenses.

cplic upgrade

Description Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.

Usage cplic upgrade <–l inputfile>

Syntax

Example The following example explains the procedure which needs to take place in order to upgrade the licenses in the license repository.

• Upgrade the Security Management Server to the latest version.

  Ensure that there is connectivity between the Security Management Server and the Security Gateways with the previous version products.

• Import all licenses into the license repository. This can also be done after upgrading the products on the remote gateways.
• Run the command: cplic get –all. For example:

Getting licenses from all modules ...

count:root(su) [~] # cplic get -all

golda:

Retrieved 1 licenses.

Detached  0 licenses.

Removed  0 licenses.

count:

Retrieved 1 licenses.

Detached  0 licenses.

Removed   0 licenses.

• To see all the licenses in the repository, run the command cplic db_print -all –a

count:root(su) [~] # cplic db_print -all -a 

Retrieving license information from database ...

The following licenses appear in the database:

==================================================

Host        Expiration Features

192.0.2.11  Never      CPFW-FIG-25-53        CK-49C3A3CC7121 golda

192.0.2.11  26Nov2012  CPSUITE-EVAL-3DES-NGX CK-1234567890   count

• In the User Center, view the licenses for the products that were upgraded from version NGX to a Software Blades license and create new upgraded licenses.
• Download a file containing the upgraded licenses. Only download licenses for the products that were upgraded from version NGX to Software Blades.
• If you did not import the version NGX licenses into the repository, import the version NGX licenses now using the command cplic get -all
• Run the license upgrade command: cplic upgrade –l <inputfile>

  - The licenses in the downloaded license file and in the license repository are compared.

  - If the certificate keys and features match, the old licenses in the repository and in the remote Security Gateways are updated with the new licenses.

  - A report of the results of the license upgrade is printed.

• In the example, there are two Software Blades licenses in the file. One does not match any license on a remote Security Gateway, the other matches a version NGX license on a Security Gateway that should be upgraded:

Comments This is a Remote Licensing Command which affects remote Security Gateways, that is executed on the Security Management Server.

Further Info. See the SmartUpdate chapter of the R76 Installation and Upgrade Guide.

cp_merge

Description The cp_merge utility has two main functionalities

• Export and import of policy packages.
• Merge of objects from a given file into the Security Management server database.

Syntax

> cp_merge help

cp_merge delete_policy

Description Provides the options of deleting an existing policy package. Note that the default policy can be deleted by delete action.

Syntax

> cp_merge delete_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -n <package name>

Comments Further considerations:

1. Either use certificate file or user and password
2. Optional

Example Delete the policy package called standard.

> cp_merge delete_policy -n Standard

cp_merge export_policy

Description Provides the options of leaving the policy package in the active repository, or deleting it as part of the export process. The default policy cannot be deleted during the export action.

Syntax

> cp_merge export_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <policy package name> | -l <policy name>] [-d <output directory>] [-f <outputfile>] [-r]

-s <db server>

-u <user>

-c <certificate file>

-p <password>

-n <policy package name>

-l <policy name>

-d <output directory>

-f <outputfile>

-r

Comments Further considerations:

1. Either use certificate file or user and password.

2. Optional.

3. If both -n and -l are omitted all policy packages are exported.

4. If both -n and -l are present -l is ignored.

Example Export policy package Standard to file:

> cp_merge export_policy -n Standard -f StandardPolicyPackageBackup.pol -d C:\bak

cp_merge import_policy and cp_merge restore_policy

Description Provides the options to overwrite an existing policy package with the same name, or preventing overwriting when the same policy name already exists.

Syntax

> cp_merge import_policy|restore_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> [-v]

Comments Further considerations

1. Either use certificate file or user and password

2. Optional

The cp_mergerestore_policy works only locally on the Security Management server and it will not work from remote machines.

Caution: A Security policy from <policy>.W file can be restored using this utility; however, important information may be lost when the policy is translated into .W format. This restoration should be used only if there is no other backup of the policy.

Example Import the policy package saved in file Standard.pol into the repository and rename it to StandardCopy.

> cp_merge import_policy -f Standard.pol -n StandardCopy

cp_merge list_policy

Syntax

> cp_merge list_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>]

Comments Further considerations:

1. Either use certificate file or user and password.
2. Optional.

Example List all policy packages which reside in the specified repository:

cp_merge list -s localhost

cppkg

Description Manage the product repository. It is always executed on the Security Management server.

cppkg add

Description Add a product package to the product repository. Only SmartUpdate packages can be added to the product repository.

Products can be added to the Repository as described in the following procedures, by importing a file downloaded from the Download Center. The package file can be added to the Repository directly from the DVD or from a local or network drive.

Syntax

> cppkg add {<package-full-path>|<CD drive> [product]}

Comments cppkg add does not overwrite existing packages. To overwrite existing packages, you must first delete existing packages.

Example

[d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-R76\

Enter package name:

----------------------

(1) SVNfoundation

(2) firewall

(3) floodgate

(4) rtm

(e) Exit

Enter your choice : 1

Enter package OS :

----------------------

(1) win32

(2) linux

(3) ipso

(e) Exit

Enter your choice : 1

You choose to add 'SVNfoundation' for 'win32' OS. Is this correct? [y/n] : y

cppkg delete

Description Delete a product package from the repository. To delete a product package you must specify a number of options. To see the format of the options and to view the contents of the product repository, use the cppkg print command.

Syntax

> cppkg delete <vendor> <product> <version> <os> [sp]

Comments It is not possible to undo the cppkg del command.

cppkg get

Description Synchronizes the Package Repository database with the content of the actual package repository under $SUROOT.

Syntax

> cppkg get

cppkg getroot

Description Find out the location of the product repository. The default product repository location on Windows machines is C:\SUroot. On UNIX it is /var/SUroot.

Syntax

> cppkg getroot

Example

> cppkg getroot

Current repository root is set to : /var/suroot/

cppkg print

Description List the contents of the product repository.

Use cppkg print to see the product and OS strings required to install a product package using the cprinstall command, or to delete a package using the cppkg delete command.

Syntax

> cppkg print

cppkg setroot

Description Create a new repository root directory location, and to move existing product packages into the new repository.

The default product repository location is created when the Security Management server is installed. On Windows machines the default location is C:\SUroot and on UNIX it is /var/SUroot. Use this command to change the default location.

When changing repository root directory:

• The contents of the old repository is copied into the new repository.
• The $SUROOT environment variable gets the value of the new root path.
• A product package in the new location will be overwritten by a package in the old location, if the packages are the same (that is, they have the same ID strings).

The repository root directory should have at least 200 Mbyte of free disk space.

Syntax

> cppkg setroot <repository>

Comments It is important to reboot the Security Management server after performing this command, in order to set the new $SUROOT environment variable.

Example

cppkg setroot /var/new_suroot 

Repository root is set to : /var/new_suroot/

Note: When changing repository root directory :

1. Old repository content will be copied into the new repository.

2. A package in the new location will be overwritten by a package in the old 
location, if the packages have the same name.

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/new_suroot

Notice : To complete the setting of your directory, reboot the machine!

cpridrestart

Description Stops and starts the Check Point Remote Installation Daemon (cprid). This is the daemon that is used for remote upgrade and installation of products. In Windows it is a service.

cpridstart

Description Start the Check Point Remote Installation Daemon (cprid). This is the service that allows for the remote upgrade and installation of products. In Windows it is a service.

Syntax

> cpridstart

cpridstop

Description Stop the Check Point Remote installation Daemon (cprid). This is the service that allows for the remote upgrade and installation of products. In Windows it is a service.

Syntax

> cpridstop

cprinstall

Description Use cprinstall commands to perform remote installation of product packages, and associated operations.

On the Security Management server, cprinstall commands require licenses for SmartUpdate

On the remote Check Point gateways the following are required:

• Trust must be established between the Security Management server and the Check Point gateway.
• cpd must run.
• cprid remote installation daemon must run.

cprinstall boot

Description Boot the remote computer.

Syntax

> cprinstall boot <object name>

Example > cprinstall boot harlin

cprinstall cpstart

Description Enable cpstart to be run remotely.

All products on the Check Point Security Gateway must be of the same version.

Syntax

> cprinstall cpstart <object name>

cprinstall cpstop

Description Enables cpstop to be run remotely.

All products on the Check Point Security Gateway must be of the same version.

Syntax

> cprinstall cpstop {-proc|-nopolicy} <object name>

cprinstall get

Description Obtain details of the products and the operating system installed on the specified Check Point Security Gateway, and to update the database.

Syntax

> cprinstall get <object name>

Example

cprinstall get gw1

Checking cprid connection...

Verified

Operation completed successfully

Updating machine information...

Update successfully completed

'Get Gateway Data' completed successfully

Operating system   Major Version      Minor Version

------------------------------------------------------------------------

SecurePlatform     R75.20             R75.20

Vendor             Product            Major Version       Minor Version

------------------------------------------------------------------------

Check Point        VPN-1 Power/UTM    R75.20              R75.20

Check Point        SecurePlatform     R75.20              R75.20                 

Check Point        SmartPortal        R75.20              R75.20                 

cprinstall install

Description Install Check Point products on remote Check Point Security Gateways. To install a product package you must specify a number of options. Use the cppkg print command and copy the required options.

Syntax

> cprinstall install [-boot] <Object name> <vendor> <product> <version> [sp]

Comments Before transferring any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is compatible with previously installed products.

Example

# cprinstall install -boot fred checkpoint firewall R70

Installing firewall R75.20 on fred...

Info : Testing Check Point Gateway

Info : Test completed successfully.

Info : Transferring Package to Check Point Gateway

Info : Extracting package on Check Point Gateway

Info : Installing package on Check Point Gateway

Info : Product was successfully applied.

Info : Rebooting the Check Point Gateway

Info : Checking boot status

Info : Reboot completed successfully.

Info : Checking Check Point Gateway

Info : Operation completed successfully.

cprinstall uninstall

Description Uninstall products on remote Check Point Security Gateways. To uninstall a product package you must specify a number of options. Use the cppkg print command and copy the required options.

Syntax

> cprinstall uninstall [-boot] <Object name> <vendor> <product> <version> [sp]

Comments Before uninstalling any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is installed.

After uninstalling, retrieve the Check Point Security Gateway data by running cprinstall get.

Example

# cprinstall uninstall fred checkpoint firewall R75.20

Uninstalling firewall R75.20 from fred...

Info : Removing package from Check Point Gateway

Info : Product was successfully applied.

Operation Success. Please get network object data to complete the operation.

cprinstall verify

Description Makes sure these operations were successful:

• If a specific product can be installed on the remote Check Point Security Gateway
• That the operating system and currently installed products are appropriate for the package
• That there is enough disk space to install the product
• That there is a CPRID connection

Syntax

> cprinstall verify <Object name> <vendor> <product> <version> [sp]

Example The following examples show a successful and a failed verify operation:

Verify succeeds:

cprinstall verify harlin checkpoint SVNfoundation R75.20

Verifying installation of SVNfoundation R75.20 on jimmy...

Info : Testing Check Point Gateway.

Info : Test completed successfully.

Info : Installation Verified, The product can be installed.

Verify fails:

cprinstall verify harlin checkpoint SVNfoundation R75.20

Verifying installation of SVNfoundation R75.20 on jimmy...

Info : Testing Check Point Gateway

Info : SVN Foundation R70 is already installed on 192.0.2.134

Operation Success. Product cannot be installed, did not pass dependency check.

cprinstall snapshot

Description Creates a snapshot <filename> on the Check Point Security Gateway.

Syntax

> cprinstall snapshot <object name> <filename>

Comments Supported on SecurePlatform only

cprinstall show

Description Displays all snapshot (backup) files on the Check Point Security Gateway.

Syntax

> cprinstall show <object name>

Comments Supported on SecurePlatform only

Example

# cprinstall show GW1

SU_backup.tzg

cprinstall revert

Description Restores the Check Point Security Gateway from a snapshot.

Syntax

> cprinstall revert <object name> <filename>

Comments Supported on SecurePlatform only.

cprinstall transfer

Description Transfers a package from the repository to a Check Point Security Gateway without installing the package.

Syntax

> cprinstall transfer <object name> <vendor> <product> <version> [sp]

cpstart

Description Start all Check Point processes and applications running on an appliance or server.

Syntax

> cpstart

Comments This command cannot be used to start cprid. cprid is invoked when the machine is booted and it runs independently.

cpstat

Description cpstat displays the status of Check Point applications, either on the local or on another appliance or server, in various formats.

Syntax

> cpstat [-h <host>][-p <port>][-s <SICname>][-f <flavor>][-o <polling>][-c <count>][-e <period>][-d] <application_flag>

The following parameters can be added to the application flags:

• fw — "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect",
"cookies", "chains", "fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin",
"smtp", "pop3", "sync"
• vpn — "default", "product", "IKE", "ipsec", "traffic", "compression", "accelerator",
"nic", "statistics", "watermarks", "all"
• fg — "all"
• ha — "default", "all"
• os — "default", "ifconfig", "routing", "memory", "old_memory", "cpu", "disk", "perf",
"multi_cpu", "multi_disk", "all", "average_cpu", "average_memory", "statistics"
• mg — "default"
• persistency — "product", "Tableconfig", "SourceConfig"
• polsrv — "default", "all"
• uas — "default"
• svr — "default"
• cpsemd — "default"
• cpsead — "default"
• asm — "default", "WS"
• ls — "default"
• ca — "default", "crl", "cert", user", "all"

Example

> cpstat fw

Policy name:  Standard

Install time: Wed Nov  1 15:25:03 2000

Interface table

-----------------------------------------------------------------

|Name|Dir|Total *|Accept**|Deny|Log|

-----------------------------------------------------------------

|hme0|in |739041*|738990**|51 *|7**|

-----------------------------------------------------------------

|hme0|out|463525*|463525**| 0 *|0**|

-----------------------------------------------------------------

*********|1202566|1202515*|51**|7**|

cpstop

Description Terminate all Check Point processes and applications, running on an appliance or server.

Syntax

> cpstop
> cpstop -fwflag {-proc|-default}

Comments This command cannot be used to terminate cprid. cprid is invoked when the appliance or server is booted and it runs independently.

cpwd_admin

Description cpwd (also known as WatchDog) is a process that invokes and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by Watchdog are cpd, fwd, fwm.

fwd does not work in a Security Management Only machine. To work with fwd in a Security Management Only machine add -n (for example, fwd -n).

cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition, monitoring information is written to the console on UNIX platforms, and to the Windows Event Viewer.

The cpwd_admin utility is used to show the status of processes, and to configure cpwd.

Syntax

> cpwd_admin

cpwd_admin start

Description Start a new process by cpwd.

Syntax

> cpwd_admin start -name <process name> -path "<full path>" -command "<executable name>"

Example To start and monitor the fwm process.

> cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"

cpwd_admin stop

Description Stop a process which is being monitored by cpwd.

Syntax

> cpwd_admin stop -name <process name> [-path <"full path">] [-command <"executable name">]

Comments If -path and -command are not stipulated, cpwd will abruptly terminate the process.

Example Stops the FWM process using fw kill

> cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"

cpwd_admin list

Description Print a status of the selected processes being monitored by cpwd.

Syntax

> cpwd_admin list

Output The status report output includes the following information:

• APP — Application. The name of the process.
• PID — Process Identification Number.
• STAT — Whether the process Exists (E) or has been Terminated (T).
• #START —How many times the process has been started since cpwd took control of the process.
• START TIME — The last time the process was run.
• COMMAND — The command that cpwd used to start the process.

For example:

#cpwd_admin list

APP  PID   STAT  #START    START_TIME                COMMAND

CPD  463     E      1      [20:56:10] 21/5/2001      cpd

FWD  440     E      1      [20:56:24] 21/5/2001      fwd

FWM  467     E      1      [20:56:25] 21/5/2001      fwm

cpwd_admin exist

Description Check whether cpwd is alive.

Syntax

> cpwd_admin exist

cpwd_admin kill

Description Terminate cpwd.

Syntax

> cpwd_admin kill

cpwd_admin config

Description Set cpwd configuration parameters. When parameters are changed, these changes do not take effect until cpwd has been stopped and restarted.

Syntax

> cpwd_admin config {-p|-a <value=data value=data...>|-d <value value...>|-r}

These are the descriptions of the <value> parameters:

Example The following example shows two configuration parameters being changed:
timeout to 120 seconds, and no_limit to 10.

C:\>cpwd_admin config -p

WD doesn't have configuration parameters

C:\>cpwd_admin config -a timeout=120 no_limit=12

C:\>cpwd_admin config -p

WD Configuration parameters are:

timeout : 120

no_limit : 12cpwd_admin config -a timeout=120 no_limit=10

config -a and cpwd_adminconfig -d have no effect if cpwd is running. They will affect cpwd the next time it is run.

disconnect_client

SmartDashboard can connect to a Security Management Server using one of these modes:

• Read/Write - Administrators have full permissions to create or change all objects, settings and policies.
• Read Only - Administrators can see all objects, settings and policies, but cannot add, change or delete them.

Only one administrator can use SmartDashboard to connect to a Security Management Server in the read/write mode at one time. When an administrator connects in the Read/Write mode, this prevents other administrators from doing these actions:

• Connecting to the same management in the read/write mode
• Creating or changing objects, settings and policies
• Backing up the management server database
• Installing a Security Policy

You can use a special command line utility to disconnect a different SmartDashboard client that is open in the Read/Write mode.

To remove the database lock, run disconnect_client from the Security Management Server command line.

For more information, see sk65146

dbedit

Description Edit the objects file on the Security Management server. Editing the objects.C file on the gateway is not required or desirable, since it will be overwritten the next time a Policy is installed.

Syntax

> dbedit [-s <server>] [- u <user>|-c <certificate>] [-p <password>] [-f <filename>] [-r <db-open-reason>] [-help]

dbedit commands:

create

[object_type] [object_name]

modify

[table_name] [object_name] [field_name] [value]

update

[table_name] [object_name]

delete

[table_name] [object_name]

addelement

[table_name] [object_name] [field_name] [value]

rmelement

[table_name] [object_name] [field_name] [value]

rename

[table_name][object_name]
[new_object_name]

quit

Example Replace the owned object with a new null object, where NULL is a reserved word specifying a null object:

Example Extended Format

firewall_properties owns the object floodgate_preferences.

floodgate_preferences has a Boolean attribute turn_on_logging, which will be set to true.

comments is a field of the owned object contained in the ordered container. The 0 value indicates the first element in the container (zero based index).

Replace the owned object with a new one with its default values.

dbver

Description The dbver utility is used to export and import different revisions of the database. The properties of the revisions (last time created, administrator responsible for, etc) can be reviewed. The utility can be found in $FWDIR/bin. Run these commands from Expert mode.

Syntax

dbver> export <version_numbers> <delete|keep>
dbver> import <exported_version_in_server>
dbver> create <version_name> <version_comment>
dbver> delete <version_numbers>
dbver> print <version_file_path>
dbver> print_all

dbver create

Description Create a revision from the current state of $fwdir/conf, including current objects, rule bases, and so on.

Syntax

dbver> create <version_name> <version_comment>

dbver export

Description Archive the revision as an archive file in the revisions repository: $fwdir/conf/db_versions/export.

Syntax

dbver> export <version_numbers> <delete|keep>

<version_numbers>

<delete|keep>

dbver import

Description Add an exported revision to the repository a version from $fwdir/conf/db_versions/export. Give filename of revision as input.

Syntax

dbver> import <exported_version_in_server>

dbver print

Description Print the properties of the revision.

Syntax

dbver> print <version_file_path>

Output

dbver> print c:\rwright_2002-04-01_160810.tar.gz

Version Id: 1

Version Date: Mon Apr  1 16:08:10 2009

Version Name: save

Created by Administrator: jbrown

Major Version: R75.20

Minor Version: R75.20

dbver print_all

Description Print the properties of all revisions to be found on the server side: $fwdir/conf/db_versions

Syntax

dbver> print_all

dynamic_objects

Description dynamic_objects specifies an IP address to which the dynamic object will be resolved on this machine. First, define the dynamic object in the SmartDashboard. Then create the same object with the CLI (-n parameter). After the new object is created on the gateway with the CLI, you can use the dynamic_objects command to specify an IP address for the object.

Syntax

# dynamic_objects -o <object_name> [-r <fromIP> <toIP> ...] [-a <fromIP> <toIP> ...] [-d <fromIP> <toIP> ...] [-l] [-n <object_name>] [-c]

Example Create a new dynamic object named "bigserver" and add to it the IP address range 192.0.2.1-192.0.2.40: dynamic_objects -n bigserver -r 192.0.2.1 192.0.2.40 -a

fw

Description The fw commands are used for working with various aspects of the firewall. All fw commands are executed on the Check Point Security Gateway.

Typing fw at the command prompt sends a list of available fw commands to the standard output.

Syntax

> fw

fw on a virtual device

To run commands on a virtual device such as a Virtual System, change the context to a different virtual device and then run the command. By default, the command output is for the VSX Gateway (VS0)

Many CLI commands for VSX are run on each context (virtual device) separately. Change the context to a different virtual device and then run the command.

Use the set virtual-system or vsenv command to change context to a different virtual device.

• set virtual-system - Run from the CLI
• vsenv - Run from Expert mode

Syntax

set virtual-system <vsid>

vsenv <vsid>

vsid

Example

set virtual-system 3

Output

Context is set to vsid 3

fw -i

Description Generally, when Check Point Security gateway commands are executed on a Security gateway they will relate to the gateway as a whole, rather than to an individual kernel instance. For example, the fw tab command will enable viewing or editing of a single table of information aggregated for all kernel instances.

This command specifies that certain commands apply to an individual kernel instance. By adding -i <kern> after fw in the command, where <kern> is the kernel instance's number.

Syntax

> fw -i applies to the following commands:

> fw ctl debug (when used without the -buf parameter)

> fw ctl get
> fw ctl set
> fw ctl leak
> fw ctl pstat
> fw monitor
> fw tab

For details and additional parameters for any of these commands, refer to the command's entry.

Example To view the connections table for kernel instance #1 use the following command:

> fw -i 1 tab -t connections

fw ctl

Description The fw ctl command controls the Firewall kernel module.

Syntax

fw ctl {install|uninstall}

fw ctl debug [-m <module>] [+|-] {options | all | 0}

fw ctl debug -buf [buffer size]

fw ctl kdebug

fw ctl pstat [-h][-k][-s][-n][-l]

fw ctl iflist

fw ctl arp [-n]

fw ctl block {on|off}

fw ctl chain

fw ctl conn

fw ctl debug

Description Generate debug messages to a buffer.

Syntax A number of debug options are available:

fw ctl debug -buf [buffer size]
fw ctl debug [-m <module>] [+ | -] {options|all|0}

fw ctl debug 0

fw ctl debug [-d <comma separated list of strings>]

fw ctl debug [-d <comma separated list of ^strings>]

fw ctl debug [-s <string>]

fw ctl debug -h

fw ctl debug -x

fw ctl affinity

fw ctl affinity -s

Description Sets CoreXL affinities when using multiple processors. For an explanation of kernel, daemon and interface affinities, see the R76 Performance Tuning Administration Guide.

fw ctl affinity -s settings are not persistent through a restart of the Security Gateway. If you want the settings to be persistent, either use:

• sim affinity (a Performance Pack command)
• Or edit the fwaffinity.conf configuration file

To set interface affinities, you should use fw ctl affinity only if Performance Pack is not running. If Performance Pack is running, you should set affinities by using the Performance Pack sim affinity command. These settings will be persistent. If Performance Pack's sim affinity is set to Automatic mode (even if Performance Pack was subsequently disabled), you will not be able to set interface affinities by using fw ctl affinity -s.

Syntax

> fw ctl affinity -s <proc_selection> <cpuid>

<proc_selection> is one of the following parameters:

<cpuid> should be a processing core number or a list of processing core numbers. To have no affinity to any specific processing core, <cpuid> should be: all.

Example To set kernel instance #3 to run on processing core #5, run:

> fw ctl affinity -s -k 3 5

fw ctl affinity -l

Description Lists existing CoreXL affinities when using multiple processors. For an explanation of kernel, daemon and interface affinities, see the R76 Performance Tuning Administration Guide.

Syntax

> fw ctl affinity -l [<proc_selection>] [<listtype>]

If <proc_selection> is omitted, fw ctl affinity -l lists affinities of all Check Point daemons, kernel instances and interfaces. Otherwise, <proc_selection> is one of the following parameters:

If <listtype> is omitted, fw ctl affinity -l lists items with specific affinities, and their affinities. Otherwise, <listtype> is one or more of the following parameters:

Example To list complete affinity information for all Check Point daemons, kernel instances and interfaces, including items without specific affinities, and with additional information, run:

> fw ctl affinity -l -a -v

fw ctl engine

Description Enables the INSPECT2C engine, which dynamically converts INSPECT code to C code.

Run the command on the Check Point Security Gateway.

Syntax

> fw ctl engine {on|off|stat|setdefault}

fw ctl multik stat

Description Displays multi-kernel statistics for each kernel instance. The state and processing core number of each instance is displayed, along with:

• The number of connections currently being handled
• The peak number of concurrent connections the instance has handled since its inception

fw ctl sdstat

Description The IPS performance counters measure the percentage of CPU consumed by each IPS protection. The measurement itself is divided according to the type of protection: Pattern based protections or INSPECT based protections. In addition, the IPS counters measure the percentage of CPU used by each section ("context") of the protocol, and each protocol parser.

Syntax

> fw ctl zdebug >& outputfile
> fw ctl sdstat start
> fw ctl sdstat stop

Example The workflow is as follows:

Run the following commands on the Check Point Security Gateway (version R70 or higher):

On the Check Point Security Gateway:

• Run fw ctl zdebug >& outputfile
• Run fw ctl sdstat start

Let the counters run. However- do not leave the counters on for more than 10 minutes.

• Run fw ctl sdstat stop

It is important to stop the counters explicitly, otherwise there may be performance penalty

This generates the output file outputfile that must be processed on the (SecurePlatform only) Security Management Server.

On the Security Management Server:

• From $FWDIR/script, run the script
  ./sdstat_analyse.csh outputfile

The output of the script is a report in csv format that can be viewed in Microsoft Excel.

If there is a problem in the report, or if more details are needed, a debug flag is available which prints extra information to outputfile.

• Run fw ctl zdebug + spii >& outputfile

Comments

1. A value in the report of "< 1" means that the percentage of CPU used by a protection is less than 1%.
2. The report generated by the sdstat_analyse script may contain a number instead of a protection name. This is because the original output contains a signature id, but the id is missing from the Security Policy on the Gateway.

fw fetch

Description Fetches the Inspection Code from the specified host and installs it to the kernel.

Syntax

> fw fetch [-n] [-f <filename>] [-c] [-i] master1 [master2] ...

fw fetchlogs

Description fw fetchlogs fetches Log Files from a remote machine. You can use the fw fetchlogs command to transfer Log Files to the machine on which the fw fetchlogs command is executed. The Log Files are read from and written to the directory $FWDIR/log.

Usage fw fetchlogs [[-f file name] ... ] module

Syntax

Comments The files transferred by the fw fetchlogs command are MOVED from the source machine to the target machine. This means that they are deleted from the source machine once they have been successfully copied.

Fetching Current Log Data

The active Log File (fw.log) cannot be fetched. If you want to fetch the most recent log data, proceed as follows:

• Run \ to close the currently active Log File and open a new one.
• Run fw lslogs to see the newly-generated file name.
• Run fw fetchlogs -f filename to transfer the file to the machine on which the fw fetchlogs command is executed. The file is now available for viewing in the SmartView Tracker.

After a file has been fetched, it is renamed. The gateway name and the original Log File name are concatenated to create a new file name. The new file name consists of the gateway name and the original file name separated by two (underscore) _ _ characters.

Example The following command:
fw fetchlogs -f 2001-12-31_123414.log module3

fetches the Log File 2001-12-31_123414.log from Module3.

After the file has been fetched, the Log File is renamed:

module3_ _2001-12-31_123414.log

Further Info. See the R76 Security Management Administration Guide.

fw getifs

Description

Shows a driver interface list for a specific Virtual System. By default, the VSX Gateway interface is displayed.

Run vsenv <vsid> to change context and show an interface list for a different Virtual System.

Syntax

fw getifs

Return Value

0 (zero) indicates that the command executed successfully. Any other response indicates an error.

Output

fw getifs

localhost vnd0 0.0.0.0 0.0.0.0

localhost eth0 4.4.6.101 255.255.0.0

localhost eth1 0.0.0.0 0.0.0.0

localhost sdp0 0.0.0.0 0.0.0.0

localhost int 0.0.0.0 0.0.0.0

localhost mgmt 10.18.83.171 255.255.255.0

localhost sync 7.7.7.171 255.255.255.0

localhost wrpj50001 0.0.0.0 0.0.0.0

localhost wrpj50003 0.0.0.0 0.0.0.0

fw hastat

Description The fw hastat command displays information about High Availability machines and their states.

Syntax

> fw hastat [<target>]

fw isp_link

Description Takes down (or up) a redundant ISP link.

Syntax

> fw isp_link [<target>] <link-name> {up|down}

Comments This command can be executed locally on the Check Point Security Gateway or remotely from the Security Management server. In the latter case, the target argument must be supplied. For this command to work, the Check Point Security Gateway should be using the ISP redundancy feature.

fw kill

Description Prompts the kernel to shut down all firewall daemon processes. The command is located in the $FWDIR/bin directory on the Security Management server or gateway machine.

The firewall daemons and Security servers write their pids to files in the $FWDIR/tmp directory upon startup. These files are named $FWDIR/tmp/daemon_name.pid. For example, the file containing the pid of the firewall snmp daemon is: $FWDIR/tmp/snmpd.pid.

Syntax

> fw kill [-t <sig_no>] <proc-name>

Comments In Windows, only the default syntax is supported: fw kill proc_name. If the -t option is used it is ignored.

fw lea_notify

Description Send a LEA_COL_LOGS event to all connected lea clients, see the LEA Specification documentation. It should be used after new log files have been imported (manually or automatically) to the $FWDIR/log directory in order to avoid the scheduled update which takes 30 minutes.

This command should be run from the Security Management server.

Syntax

> fw lea_notify

fw lichosts

Description Print a list of hosts protected by Security Gateway products. The list of hosts is in the file $fwdir/database/fwd.h

Syntax

> fw lichosts [-x] [-l]

fw log

Description fw log displays the content of Log files.

Syntax

> fw log [-f [-t]] [-n] [-l] [-o] [-c <action>] [-h <host>] [-s <starttime>] [-e <endtime>] [-b <starttime> <endtime>] [-u <unification_scheme_file>] [-m {initial|semi|raw}] [-a] [-k {alert_name|all}] [-g] [logfile]

Where the full date and time format is: MMM DD, YYYY HH:MM:SS. For example: May 26, 1999 14:20:00

It is possible to specify date only in the format MMM DD, YYYY, or time only, in the format: HH:MM:SS, where time only is specified, the current date is assumed.

Example

> fw log
> fw log | more
> fw log -c reject
> fw log -s "May 26, 1999"
> fw log -f -s 16:00:00 

Output [<date>] <time> <action> <origin> <interface dir and name> [alert] [field name: field value;] ...

Each output line consists of a single log record, whose fields appear in the format shown above.

Example Output

14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com;
dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access
denied - wrong user name or password  ; scheme: IKE; reject_category:
Authentication error; product: Security Gateway

	14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com;
user: a; rule: 0; reason: Client Encryption: Authenticated by Internal
Password; scheme: IKE; methods: AES-256,IKE,SHA1; product: Security Gateway;

	14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com;
peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.;
CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods:
 AES-256 + SHA1, Internal Password; user: a;  product: Security Gateway; 

fw logswitch

Description fw logswitch creates a new active Log File. The current active Log File is closed and renamed by default $FWDIR/log/<current_time_stamp>.log unless you define an alternative name that is unique. The format of the default name <current_time_stamp>.log is YYYY-MM-DD_HHMMSS.log. For example: 2003-03-26_041200.log

Warning:

• The Logswitch operation fails if a log file is given a pre-existing file name.
• The rename operation fails on Windows if the active log that is being renamed, is open at the same time that the rename operation is taking place; however; the Logswitch will succeed and the file will be given the default name $FWDIR/log/current_time_stamp.log.

The new Log File that is created is given the default name $FWDIR/log/fw.log. Old Log Files are located in the same directory.

A Security Management server can use fw logswitch to change a Log File on a remote machine and transfer the Log File to the Security Management server. This same operation can be performed for a remote machine using fw lslogs and fw fetchlogs.

When a log file is sent to the Security Management server, the data is compressed.

Syntax

> fw logswitch [-audit] [<filename>]
> fw logswitch -h <hostage> [+|-][<filename>]

Comments Files are created in the $FWDIR/log directory on both host and the Security Management server when the + or - parameters are specified. Note that if - is specified, the Log File on the host is deleted rather than renamed.

hostage specified:

• filename specified - On hostage, the old Log File is renamed to old_log. On the Security Management Server, the copied file will have the same name, prefixed by hostages name. For example, the command fw logswitch -h venus +xyz creates a file named venus_xyz.log on the Security Management Server.
• filename not specified - On hostage, the new name is
  the current date, for example: 2003-03-26_041200.log.
  On the Security Management Server, the copied file will have the same name, but prefixed by hostage_. For example, target_2003-03-26_041200.log.

hostage not specified:

• filename specified - On the Security Management Server, the old Log File is renamed to old_log.
• filename not specified - On the Security Management Server, the old Log File is renamed to the current date.

Compression

When log files are transmitted from one machine to another, they are compressed using the zlib package, a standard package used in the Unix gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of LZ77 method.

The compression ratio varies with the content of the log records and is difficult to predict. Binary data are not compressed, but string data such as user names and URLs are compressed.

fw mergefiles

Description Merge several Log Files into a single Log File. The merged file can be sorted according to the creation time of the Log entries, and the times can be "fixed" according to the time zones of the origin Log servers.

Logs entries with the same Unique-ID are unified. If a Log switch was performed before all the segments of a specific log were received, this command will merge the records with the same Unique-ID from two different files, into one fully detailed record.

Syntax

> fw mergefiles [-s] [-t <time_conversion_file>] <log_file_name_1> [... <log_file_name_n>] <output_file>

Comments It is not recommended to merge the current active fw.log file with other Log Files. Instead, run the fw logswitch command and then run fw mergefiles.

fw monitor

Description Inspecting network traffic is an essential part of troubleshooting network deployments. fw monitor is a powerful built-in tool to simplify the task of capturing network packets at multiple capture points within the firewall chain. These packets can be inspected using industry-standard tools later on.

In many deployment and support scenarios capturing network packets is an essential functionality. tcpdump or snoop are tools normally used for this task. fw monitor provides an even better functionality but omits many requirements and risks of these tools.

• No Security Flaws — tcpdump and snoop are normally used with network interface cards in promiscuous mode. Unfortunately the promiscuous mode allows remote attacks against these tools. fw monitor does not use the promiscuous mode to capture packets. In addition most firewall operating systems are hardened. In most cases this hardening includes the removal of tools like tcpdump or snoop because of their security risk.
• Available on all Security Gateway installations — fw monitor is a built-in firewall tool which needs no separate installation in case capturing packets is needed. It is a functionality provided with the installation of the Firewall package.
• Multiple capture positions within the firewall kernel module chain — fw monitor allows you to capture packets at multiple capture positions within the firewall kernel module chain; both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the Firewall.
• Same tool and syntax on all platforms — Another important fact is the availability of fw monitor on different platforms. Tools like snoop or tcpdump are often platform dependent or have specific "enhancements" on certain platforms. fw monitor and all its related functionality and syntax is absolutely identical across all platforms. There is no need to learn any new "tricks" on an unknown platform.

Normally the Check Point kernel modules are used to perform several functions on packets (like filtering, encrypting and decrypting, QoS …). fw monitor adds its own modules to capture packets. Therefore fw monitor can capture all packets which are seen and/or forwarded by the Firewall.

Only one instance of fw monitor can be run at a time.

Use ^C (that is Control + C) to stop fw monitor from capturing packets.

Syntax

> fw monitor [-u|s] [-i] [-d] [-D] [{-e <expr>|{-f <filter-file>|-}}] [-l <len>] [-m <mask>]
[-x <offset>[,<len>]] [-o <file>] [[-pi <pos>] [-pI <pos>] [-po <pos>] [-pO <pos>] | -p all]] [-a]
[-ci <count>] [-co <count>] [-h] -T

Example The easiest way to use fw monitor is to invoke it without any parameter. This will output every packet from every interface that passes (or at least reaches) the Check Point Security Gateway. The same packet appears several times (two times in the example below). This is caused by fw monitor capturing the packets at different capture points.

Output

cpmodule> fw monitor

 monitor: getting filter (from command line)

 monitor: compiling

monitorfilter:

Compiled OK.

 monitor: loading

 monitor: monitoring (control-C to stop)

eth0:i[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

eth0:I[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

eth0:o[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599

TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83

eth0:O[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599

TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83

eth0:o[1500]: 192.0.2.2 -> 192.0.2.133 (TCP) len=1500 id=44600

TCP

^C

: 18190 -> 1050 ....A. seq=941b0659 ack=bf8bca83

monitor: caught sig 2

 monitor: unloading

The first line of the fw monitor output is

This packet was captured on the first network interface (eth0) in inbound direction before the virtual machine (lowercase i). The packet length is 285 bytes (in square parenthesis; repeated at the end of the line. Note that these two values may be different. The packets ID is 1075. The packet was sent from 192.0.2.133 to 192.0.2.2 and carries a TCP header/payload.

The second line of the fw monitor output is

The second line tells us that this is a TCP payload inside the IP packet which was sent from port 1050 to port 18190. The following element displays the TCP flags set (in this case PUSH and ACK). The last two elements are showing the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged sequence number (ack=941b05bc). You will see similar information for UDP packets.

You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or cannot be analyzed because it is encrypted (e.g. ESP or encapsulated (e.g. GRE) the second line is missing.

Further Info. See SecureKnowledge solution sk30583.

fw lslogs

Description Display a list of Log Files residing on a remote or local machine. You must initialize SIC between the Security Management server and the remote machine.

Syntax

> fw lslogs [[-f <filename>] ...] [-e] [-s {<name>|<size>|<stime>|<etime>}] [-r] [<machine>]

Example This example shows the extended file list you see when you use the fw lslogs -e command:

> fw lslogs -e module3

Size  Creation Time       Closing Time         Log file name

99KB  10Jan2002 16:46:27  10Jan2002 18:36:05   2002-01-10_183752.log

16KB  10Jan2002 18:36:05     --                fw.log

fw putkey

Description Install a Check Point authentication password on a host. This password is used to authenticate internal communications between Security Gateways and between a Check Point Security Gateway and its Security Management server. A password is used to authenticate the control channel the first time communication is established. This command is required for backward compatibility scenarios.

Syntax

> fw putkey [-opsec] [-no_opsec] [-ssl] [-no_ssl] [-k <num>] [-n <myname>] [-p <pswd>] <host>...

Comments This command is never used in a script.

fw repairlog

Description fw repairlog rebuilds a Log file's pointer files. The three files: name.logptr, name.loginitial_ptr and name.logaccount_ptr are recreated from data in the specified Log file. The Log file itself is modified only if the -u flag is specified.

Syntax

fw repairlog [-u] <logfile>

fw sam

Description Manage the Suspicious Activity Monitoring (SAM) server. Use the SAM server to block connections to and from IP addresses without the need to change the Security Policy.

SAM commands are logged. Use this command to (also) monitor active SAM requests (see -M option).

To configure the SAM server on the Security Management server or Security Gateway, use SmartDashboard to edit the Advanced > SAM page of the Check Point Security Gateway object.

Syntax

Add/Cancel SAM rule according to criteria:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>][-t <timeout>][-l <log>][-C] -{n|i|I|j|J} <Criteria>

Delete all SAM rules:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -D

Monitor all SAM rules:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -M -{i|j|n} all

Monitor SAM rules according to criteria:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -M -{i|j|n} <Criteria>

Syntax

Usage Criteria are used to match connections, and are composed of various combinations of the following parameters:

<source ip><source netmask><destination ip><destination netmask> <service><protocol>

Possible combinations are:

src <ip>

dst <ip>

any <<ip>

subsrc <ip><netmask>

subdst <ip><netmask>

subany <ip><netmask>

srv <src ip><dest ip><service><protocol>

subsrv <src ip><src netmask><dest ip><dest netmask><service> <protocol>

subsrvs <src ip><src netmask><dest ip><service><protocol>

subsrvd <src ip><dest ip><dest netmask><service><protocol>

dstsrv <dest ip><service><protocol>

subdstsrv <dest ip><dest netmask><service><protocol>

srcpr <ip><protocol>

dstpr <ip><protocol>

subsrcpr <ip><netmask><protocol>

subdstpr <ip><netmask><protocol>

Syntax

Example This command inhibits all connections originating on louvre for 10 minutes. Connections made during this time will be rejected:

> fw sam -t 600 -i src louvre

This command inhibits all FTP connections from the louvre subnet to the eifel subnet. All existing open connections will be closed. New connection will be dropped, a log is kept and an alert is sent:

> fw sam -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

The previous command will be enforced forever - or until canceled by the following command:

> fw sam -C -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

This command monitors all active "inhibit" or "notify SAM" requests for which lourve is the source or destination address:

> fw sam -M -nij any lourve

This command cancels the command in the first example:

> fw sam -C -i src louvre

fw stat

Description Use fw stat to view the policy installed on the gateway, and which interfaces are being protected.

Syntax

> fw stat -l

> fw stat -s

Examples

HOST      POLICY        DATE

localhost Standard      18Apr2012 15:01:51 :  [>eth0] [<eth0]

Two interfaces are being protected. The arrows show the direction of the packets.

After the policy is uninstalled, the output becomes:

HOST      POLICY     DATE

localhost -          -                :   >eth0   <eth0

This shows that there is no policy installed, and the interfaces are not protected.

fw tab

Description The fw tab command shows data from the kernel tables, and lets you change the content of dynamic kernel tables. You cannot change the content of static kernel tables.

Kernel tables (also known as State tables) store data that the Firewall and other modules in the Security Gateway use to inspect packets. These kernel tables are the "memory" of the virtual computer in the kernel and are a critical component of Stateful Inspection. The kernel tables are dynamic hash tables in the kernel memories.

Syntax

fw tab [-t <table>] [-s] [-c] [-f] [-o <filename>] [-r] [-u | -m <maxval>] [{-a|-x} -e <entry>] [-y] [<hostname>]

Example > fw tab -t arp_table -a -e "1,2,3,4,5"
Adds an entry: <00000001,00000002,00000003,00000004,00000005,> to arp_table

fw tab - m 100 -r sample-gw

Comments If a table has the expire attribute, when you use the -a parameter to add entries, the default table timeout is added.

This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands.
The -x flag can be used independently of the -e flag in which case the entire table content is deleted.
This feature should only be used for debug purposes. It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts.

fw ver

Description Display the Security Gateway major and minor version number and build number.

Syntax

> fw ver [-k][-f <filename>]

fwm

Description Perform management operations on the Security Gateway. It controls fwd and all Check Point daemons.

Syntax

> fwm

fwm dbimport

Description Imports users into the Check Point User Database from an external file. You can create this file yourself, or use a file generated by fwm dbexport.

Syntax

> fwm dbimport [-m] [-s] [-v] [-r] [-k <errors>] [-f <file>] [-d <delim>]

Comments The IKE pre shared secret does not work when exporting from one machine and importing to another.

To ensure that there is no dependency on the previous database values, use the‑r flag together with the -m flag.

File Format

The import file must conform to the following Usage:

• The first line in the file is an attribute list.
  • The attribute list can be any partial set of the following attribute set, as long as name is included:

• The attributes must be separated by a delimiter character.
  • The default delimiter is the ; character. However, you can use a different character by specifying the -d option in the command line.
• The rest of the file contains lines specifying the values of the attributes per user. The values are separated by the same delimiter character used for the attribute list. An empty value for an attribute means use the default value.
• For attributes that contain a list of values (for example, days), enclose the values in curly braces, that is,{}. Values in a list must be separated by commas. If there is only one value in a list, the braces may be omitted. A + or - character appended to a value list means to add or delete the values in the list from the current default user values. Otherwise the default action is to replace the existing values.
• Legal values for the days attribute are: MON, TUE, WED, THU, FRI, SAT, SUN.
• Legal values for the authentication method are: Undefined, S/Key, SecurID, Unix Password, VPN‑1 & FireWall‑1 Password, RADIUS, Defender.
• Time format is hh:mm.
• Date format is dd-mmm-yy, where mmm is one of {Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec}.
• If the S/Key authentication method is used, all the other attributes regarding this method must be provided.
• If the Check Point password authentication method is used, a valid Check Point password should be given as well. The password should be encrypted with the C language encrypt function.
• Values regarding authentication methods other than the one specified are ignored.
• The userc field specifies the parameters of the user's SecuRemote connections, and has three parameters, as follows:
  • key encryption method - DES, CLEAR, Any
  • data encryption method - DES, CLEAR, Any
  • integrity method - MD5,[blank] = no data integrity.
  • "Any" means the best method available for the connection. This depends on the encryption methods available to both sides of the connection. For example,

    {DES,CLEAR,} means: key encryption method is DES; no data encryption; no data integrity.

• A line beginning with the ! character is considered a comment.

fwm expdate

Description Modify the expiration date of all users and administrators.

Syntax

> fw expdate dd-mmm-1976

Comments The date can be modified using a filter.

Example fw expdate 02-mar-2003 -f 01-mar-2003

fwm dbexport

Description Export the Check Point User Database to a file. The file may be in one of the following formats:

• The same syntax as the import file for fwm dbimport
• LDIF format, which can be imported into an LDAP server using ldapmodify

Syntax

To export the User Database to a file that can be used with fwm dbimport:

> fwm dbexport [ [-g group | -u user] [-d delim] [-a {attrib1, attrib2, ...} ] [-f file] ]

To export the User Database as an LDIF file:

> fwm dbexport -l -p [-d] -s subtree [-f file] [-k IKE-shared-secret]

Comments Note:

• The IKE pre shared secret does not work when exporting from one machine and importing to another.
• If you use the -a parameter to specify a list of attributes, and then import the created file using fwm dbimport, the attributes not exported will be deleted from the user database.
• fwm dbexport and fwm dbimport (non-LDIF Usage) cannot export and import user groups. To export and import a user database, including groups, proceed as follows:

  * Run fwm dbexport on the source Security Management server.

  * On the destination Security Management server, create the groups manually.

  * Run fwm dbimport on the destination Security Management server.

The users will be added to the groups to which they belonged on the source Security Management server.

• If you wish to import different groups of users into different branches, run fwm dbexport once for each subtree, for example:

Next, import the individual files into the LDAP server one after the other. For information on how to do this, refer to the documentation for your LDAP server.

• The LDIF file is a text file which you may wish to edit before importing it into an LDAP server. For example, in the Check Point user database, user names may be what are in effect login names (such as "maryj") while in the LDAP server, the DN should be the user's full name ("Mary Jones") and "maryj" should be the login name.

Example Suppose the User Database contains two users, "maryj" and "ben".

creates a LDIF file consisting of two entries with the following DNs:

fwm dbload

Description Download the user database and network objects information to selected targets. If no target is specified, then the database is downloaded to localhost.

Syntax

> fwm dbload {-all|-conf <conffile>} [<targets>]

fwm ikecrypt

Description fwm ikecrypt command line encrypts the password of a SecuRemote user using IKE. The resulting string must then be stored in the LDAP database.

Syntax

> fwm ikecrypt <shared-secret> <user-password>

Comments An internal CA must be created before implementing IKE encryption. An Internal CA is created during the initial configuration of the Security Management server, following installation.

fwm getpcap

Description fwm getpcap command line fetches the packet capture.

Syntax > fwm getpcap -g <gw> -u <cap id> [-p <path>] [-c <domain>]

fwm load

Description Compile and install a Security Policy or a specific version of the Security Policy on the target's Security Gateways. This is done in one of two ways:

• fwm load compiles and installs an Inspection Script (*.pf) file on the designated Security Gateways.
• fwm load converts a Rule Base (*.W) file created by the GUI into an Inspection Script (*.pf) file then installs it to the designated Security Gateways.

Versions of the Security Policy and databases are maintained in a version repository on the Security Management server. Using this command specific versions of the Security Policy can be installed on a gateway (local or remote) without changing the definition of the current active database version on the Security Management server.

To protect a target, you must load a Policy that contains rules whose scope matches the target. If none of the rules are enforced on the target, then all traffic through the target is blocked.

Syntax > fwm load [-p <plug-in>] [-S] <rulebase> <targets>

Example The following command installs the Security Policy standard in the target gateway johnny.

fwm load Standard johnny

fwm lock_admin

Description View and unlock locked administrators.

Syntax >fwm lock_admin [-v][-u <administrator>][-ua]

fwm logexport

Description fwm logexport exports the Log file to an ASCII file.

Syntax > fwm logexport [-d <delimiter>] [-i <filename>] [-o <outputfile>] [-n] [-p]
[-f] [-m {initial|semi|raw}] [-a]

Comments Controlling the Output of fwm logexport using logexport.ini

The output of fwm logexport can be controlled by creating a file called logexport.ini and placing it in the conf directory: $FWDIR/conf. The logexport.ini file should be in the following format:

[Fields_Info]

included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100

excluded_fields = field10,field11

note that:

• the num field will always appear first, and cannot be manipulated using logexport.ini
• <REST_OF_FIELDS> is a reserved token that refers to a list of fields. It is optional. If -f option is set, <REST_OF_FIELDS> is based on a list of fields taken from the file logexport_default.C.
• If -f is not set, <REST_OF_FIELDS> will be based on the given input log file.
• It is not mandatory to specify both included_fields and excluded_fields.

Format:

The fwm logexport output appears in tabular format. The first row lists the names of all fields included in the subsequent records. Each of the subsequent rows consists of a single log record, whose fields are sorted in the same order as the first row. If a record has no information on a specific field, this field remains empty (as indicated by two successive semi-colons).

Example

1; 5Dec2002;9:08:44;jam.checkpoint.com;control; ;;daemon;inbound;VPN-1 & FireWall-1;;
ftp;23456;1.2.3.4;3.4.5.6; 

fwm sic_reset

Description Reset the Internal CA and delete all the certificates from the Internal CA and the Internal CA itself. After running sic_reset, the ICA should be initialized through the cpconfig command. If this command is run all the certified IKE from the Internal CA should be removed (using the SmartConsole).

Syntax > fwm sic_reset

fwm unload <targets>

Description Uninstall the currently loaded Inspection Code from selected targets.

Syntax > fwm unload <targets> [-all|-c <conffile>]

fwm ver

Description fwm ver shows the build number.

Syntax > fwm ver [-f <filename>]

fwm verify

Description The fwm verify command verifies the specified policy package without installing it.

Syntax > fwm verify <policy>

GeneratorApp

Description Generate a report for SmartReporter. Both command line parameters are required. Run this command from Expert mode.

Syntax # GeneratorApp <Directory> <ReportID>

Example For automatic directory computation use "". In such a case, the directory should be as follows:

<Result location>/<Report Name>/<Generation Date and Time>

inet_alert

Description Notify a company's Internet Service Provider (ISP) when the company's corporate network is under attack. The inet_alert utility forwards log messages generated by the alert daemon to an external Management Station, typically located at the ISP site. The ISP can then analyze the alert and decide how to react.

inet_alert uses the ELA Protocol to send the alert. The Management Station receiving the alert must be running the ELA Proxy.

If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must be performed between the Management Station running the ELA Proxy and the Security Gateway generating the alert.

To use this utility, enter it into a script. From Global Properties > Logs and alert > alert commands > early versions compatibility > run 4.x alert script, and enter the name of the script.

Syntax

# inet_alert -s <ipaddr> [-o] [-a <auth_type>] [-p <port>] [-f <token value>] [-m <alerttype>]

Return Value

Example

# inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies that in the event of an attack, inet_alert should take the following actions:

• Establish a clear connection with the ELA Proxy located at IP address 10.0.2.4.
• Send a log message to the specified ELA Proxy. The product field of this log message should be set to "cads". This means that "cads" will be displayed in the product column of SmartView Tracker.
• Trigger the OS command specified in the Popup Alert Command field of the Log and Alert tab of the Properties Setup window in the SmartDashboard.

ldapcmd

Description ldapcmd is used to manage processes running on the Security Gateway collectively or individually. It includes:

Cache

Cache operations, such as emptying the cache, as well as providing debug information.

Statistics

Lookup statistics such as:

• All user search
• Pending lookups (when two or more lookups are identical)
• Total lookup time (the total search time for a specific lookup)
• Cache statistics such as hits and misses

Logging

View the alert and warning log regarding debug.

Syntax

# ldapcmd -p {<process_name>|all} <command> [-d debug_level] [command_arg]

ldapcompare

Description ldapcompare is used to perform compare queries that prints a message whether the result returned a match or not. ldapcompare opens a connection to an LDAP directory server, binds, and performs the comparison specified on the command line or from a specified file.

Syntax

# ldapcompare -d [<options>] dn <attribute> <value>

The ldapcompare options are as follows:

• -u - Include user-friendly entry names in the output.
• -d <level> - Set LDAP debugging level to "level".
• -F sep -Print "sep" instead of "=" between attribute names and values.
• -f <file> - Perform sequence of compares listed in "file".
• -D <binddn> - Bind DN.
• -w <passwd> - Bind password (for simple authentication).
• -h <host> - LDAP server.
• -p <port> - Port on the LDAP server.
• -T <timeout> - Client side timeout for all operations (in milliseconds).
• -l <time limit> - Server Side time limit (in seconds) for compare.
• -z <size limit> - Server Side size limit (in entries) for compare.

ldapconvert

Description ldapconvert is a utility program to port from Member mode to MemberOf mode. This is done by searching all specified group/template entries and fetching their Member attribute values.

Each value is the DN of a member entry. The entry identified by this DN will be added the MemberOf attribute value of the group/template DN at hand. In addition, those Member attribute values will be deleted from the group/template unless Both mode is specified.

While running the program, a log file, named ldapconvert.log, is generated in the current directory, logging all modifications done and errors encountered.

Syntax

> ldapconvert -d -h <host> -p <port> -D user_DN -w <secret> [-g group_DN | -f <file>]
-m mem_attr -o memberof_attr –c memberobjectclass[<extra options>]

The ldapcomvert extra options are as follows:

• -M -Maximum number of member LDAP updated simultaneously (default is 20).
• -B -Convert to Both mode.
• -p <port> -LDAP port (default is 389).
• -T <timeout> -Client side timeout for LDAP operations, in milliseconds: default is "never".
• -l <time limit> -Server side time limit for LDAP operations, in seconds: default is "never".
• -s -Server side size limit for LDAP operations (in entries) (default is "none").
• -z -Use SSL.

Comments It is recommended to make a backup of the LDAP server before running the conversion program in case unrecoverable errors are encountered.

There are two GroupMembership modes: template-to-groups and user-to-groups. It is imperative to keep these modes consistent. For instance, if you apply conversion on LDAP users to include 'MemberOf' attributes for their groups, then this conversion should also be applied on LDAP defined templates for their groups.

Why does a command run with the option –M fail?

The program terminates with an error message stating the connection terminated unexpectedly.

This means that the LDAP server could not handle so many LDAP requests simultaneously and closed the connection. The solution is to run the program again with a lower value for the –M option (the default value should be adequate but could also cause a connection failure in extreme situation). Continue to reduce the value until the program exits normally. Each time you run the program with the same set of groups the program will pick up where it left off.

Example A group is defined with the DN: cn=cpGroup,ou=groups, ou=cp, c=il and the following attributes:

...

cn=cpGroup

uniquemember="cn=member1,ou=people, ou=cp,c=il"

uniquemember=" cn=member2, ou=people, ou=cp,c=il"

...

For the 2 member entries:

...

cn=member1

objectclass=fw1Person

...

and:

...

cn=member2

objectclass=fw1Person

...

Run ldapconvert with the following arguments:

ldapconvert -g cn=cpGroup,ou=groups, ou=cp, c=il -h myhost  -d cn=admin -w secret 
\ –m uniquemember -o memberof -c fw1Person

The result for the group DN will be as follows:

...

cn=cpGroup

...

The result for the 2 member entries will be as follows:

...

cn=member1

objectclass=fw1Person

memberof="cn=cpGroup,ou=groups, ou=cp, c=il"

...

and

...

cn=member2

objectclass=fw1Person

memberof=" cn=cpGroup,ou=groups, ou=cp, c=il"

...

Running the same command with the –B options, will produce the same result but the group entry will not be modified.

If there is another member attribute value for the same group entry:

uniquemember="cn=template1,ou=people, ou=cp,c=il"

and the template is: