

Security Management Server and Firewall Commands

In This Chapter

comp_init_policy

cp_admin_convert

cpca_client

cp_conf

cpconfig

cpinfo

cplic

cp_merge

cppkg

cpridrestart

cpridstart

cpridstop

cprinstall

cpstart

cpstat

cpstop

cpwd_admin

disconnect_client

dbedit

dbver

dynamic_objects

fw

fwm

GeneratorApp

inet_alert

ldapcmd

ldapcompare

ldapconvert

ldapmodify

ldapsearch

log_export

queryDB_util

rs_db_tool

sam_alert

svr_webupload_config

comp_init_policy

Description Use the comp_init_policy command to generate and load, or to remove, the Initial Policy.

The Initial Policy offers protection to the gateway before the administrator has installed a Policy on the gateway.

Syntax

> $FWDIR/bin/comp_init_policy [-u] [-g]

Parameter

Description

-u

Removes the current Initial Policy, and ensures that it will not be generated in future when cpconfig is run.

-g

Can be used only if there is no Initial Policy. If there is one, remove it first (comp_init_policy -u) and then delete the $FWDIR/state/local/FW1/ folder before running -g.

Generates the Initial Policy and ensures that it will be loaded the next time a policy is fetched (at cpstart, or at next boot, or via the fw fetch localhost command). After running this command, cpconfig will add an Initial Policy when needed.

The comp_init_policy -g command only takes effect if no previously installed Policy exists on the gateway. If a Policy is already installed, each of these sequences still loads the original Policy rather than the Initial Policy:

  • comp_init_policy -g followed by fw fetch localhost
  • comp_init_policy -g followed by cpstart
  • comp_init_policy -g followed by reboot
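Example (added here; this script is not part of Check Point's documentation or software). It wraps the regeneration sequence the -u and -g descriptions imply: remove the existing Initial Policy, delete the $FWDIR/state/local/FW1 folder, generate a new Initial Policy and fetch it. It assumes Expert mode on the gateway with $FWDIR set; the exact ordering (delete the folder between -u and -g) is an assumption drawn from the parameter descriptions above.

```shell
#!/bin/sh
# Added example (not Check Point code): regenerate the Initial Policy on a
# gateway that already has one, so that "comp_init_policy -g" takes effect.
# Assumes Expert mode with $FWDIR set. The order -u, delete state folder, -g,
# fetch is an assumption based on the comp_init_policy parameter descriptions.

# regen_initial_policy: remove the current Initial Policy, clear the cached
# state under $FWDIR/state/local/FW1, generate a new Initial Policy and load it.
regen_initial_policy() {
    if [ -z "${FWDIR:-}" ] || [ ! -d "$FWDIR" ]; then
        echo "FWDIR is not set or is not a directory; run from Expert mode" >&2
        return 1
    fi
    state_dir="$FWDIR/state/local/FW1"

    comp_init_policy -u || return 1          # remove the existing Initial Policy
    if [ -d "$state_dir" ]; then
        rm -rf -- "$state_dir"                 # otherwise -g does not take effect
    fi
    comp_init_policy -g || return 1          # generate a fresh Initial Policy
    fw fetch localhost                       # load it now, instead of at cpstart or reboot
}
```

Run regen_initial_policy from Expert mode and confirm the result with fw stat, which shows the name of the policy currently loaded on the gateway.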

cp_admin_convert

Description Automatically export administrator definitions that were created in cpconfig to SmartDashboard.

Syntax

> cp_admin_convert

cpca_client

Description These commands execute operations on the ICA (Internal Certificate Authority).

Syntax

> cpca_client

cpca_client create_cert

Description Prompt the ICA to issue a SIC certificate for the Security Management server.

Syntax

> cpca_client [-d] create_cert [-p <ca_port>] -n "CN=<common name>" -f <PKCS12>

Parameter

Description

-d

Runs the command in debug mode

-p <ca_port>

Specifies the port used to connect to the CA (if the CA was not run from the default port 18209)

-n "CN=<common name>"

Sets the CN to <common name>

-f <PKCS12>

Specifies the file name, <PKCS12>, that stores the certificate and keys.

cpca_client revoke_cert

Description Revoke a certificate issued by the ICA.

Syntax

> cpca_client [-d] revoke_cert [-p <ca_port>] -n "CN=<common name>"

Parameter

Description

-d

Runs the command in debug mode

-p <ca_port>

Specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209)

-n "CN=<common name>"

Sets the CN to <common name>

cpca_client lscert

Description Show all certificates issued by the ICA.

Syntax

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}] [-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

Parameter

Description

-d

Runs the command in debug mode

-dn <substring>

Filters results to those with a DN that matches this <substring>

-stat

Filters results to the specified certificate status: Pending, Valid, Revoked, Expired, or Renewed

-kind

Filters results for specified kind: SIC, IKE, User, or LDAP

-ser <serial>

Filters results for this serial number

-dp <dp>

Filters results from this CDP (certificate distribution point)

cpca_client set_mgmt_tool

Description Starts or stops the ICA Management Tool.

Syntax

> cpca_client [-d] set_mgmt_tool {on|off|add|remove|clean|print} [-p <ca_port>] [-no_ssl] {-a <administrator DN>, -u <user DN>, -c <custom user DN>, ...}

Parameter

Description

-d

Runs the command in debug mode.

set_mgmt_tool {on|off|add|remove|clean|print}

  • on - Starts ICA Management Tool
  • off - Stops ICA Management Tool
  • add - Adds an administrator, user, or custom user
  • remove - Removes an administrator, user, or custom user
  • clean - Removes all the administrators, users, or custom users
  • print - Shows the administrators, users, or custom users

-p <ca_port>

Specifies the port which is used to connect to the CA. The default port is 18265.

-no_ssl

Configures the server to use HTTP instead of HTTPS.

-a <administrator DN>

Sets the DNs of the administrators that are permitted to use the ICA Management Tool.

-u <user DN>

Sets the DNs of the users that are permitted to use the ICA Management Tool.

-c <custom user DN>

Sets the DN for custom users that can use the ICA Management Tool.

Comments

  1. If the command is run without -a or -u the list of the permitted users and administrators isn't changed. The server can be stopped or started with the previously defined permitted users and administrators.
  2. If two consecutive start operations are initiated, the ICA Management Tool will not respond, unless you change the SSL mode. After the SSL mode has been modified, the server can be stopped and restarted.

cpca_client search

Description Searches for certificates in the ICA (Internal Certificate Authority).

Syntax

> cpca_client search <string> [-where {dn|comment|serial}] [-kind [SIC|IKE|User|LDAP]] [-stat [Pending|Valid|Revoked|Expired|Renewed]] [-max <max results>] [-showfp {y|n}]

Parameter

Description

-where {dn|comment|serial}

Where to search for the string, in the dn, serial number, or comment field.

The default is all locations.

-kind [SIC|IKE|User|LDAP]

The type of certificate. You can enter multiple values in this format: -kind value1 value2 value3. The default is all values.

-stat [Pending|Valid|Revoked|Expired|Renewed]

Filters according to the status of the certificate. You can enter multiple values in this format: -stat value1 value2 value3. The default is all values.

-max <max results>

Enter the maximum number of results to show. The default setting is 200.

-showfp {y|n}

Show the certificate's fingerprint: yes or no. The default is yes.

Example > cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

cpca_client init_certs

Description Imports a list of DNs for users and creates a file with registration keys for each user.

Syntax

> cpca_client init_certs [-p <ca_port>] -i <input_file> -o <output_file>

Parameter

Description

-p <ca_port>

Specifies the port which is used to connect to the CA. The default port is 18265.

-i <input_file>

Imports the specified file. Make sure to use the full path.

Make sure that there is an empty line between each DN in the file:

CN=test1,OU=users

<empty line>

CN=test2,OU=users

-o <output_file>

Saves the registration keys to the specified file.
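Example (added here; not Check Point's code). The script builds the input file in the format init_certs expects (one DN per entry, an empty line between entries) from a plain list of DNs, then runs init_certs with full paths and locks down the resulting key file, since a registration key lets its holder enrol a certificate. The DN list, file names and the port 18265 used in the usage line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): build the input file that
# "cpca_client init_certs -i" expects (one DN per entry, entries separated by
# an empty line) from a plain list of DNs, then run init_certs with full paths.
# The DN list, file names and port are constructed for illustration.

# write_init_certs_input <dn_list_file> <init_certs_input_file>
# Reads DNs one per line (blank lines ignored), keeps only entries that look
# like a DN starting with CN=, and writes them separated by one empty line each.
write_init_certs_input() {
    list_file="$1"
    out_file="$2"
    [ -f "$list_file" ] || { echo "no such file: $list_file" >&2; return 1; }
    : > "$out_file"
    first=1
    while IFS= read -r dn || [ -n "$dn" ]; do
        [ -z "$dn" ] && continue
        case "$dn" in
            CN=*) ;;
            *) echo "skipping malformed DN: $dn" >&2; continue ;;
        esac
        [ "$first" -eq 1 ] || printf '\n' >> "$out_file"   # empty-line separator
        printf '%s\n' "$dn" >> "$out_file"
        first=0
    done < "$list_file"
}

# count_dns <init_certs_input_file>: number of DN entries in a generated file.
count_dns() {
    grep -c '^CN=' "$1"
}

# issue_registration_keys <init_certs_input_file> <registration_key_file> [ca_port]
# Runs init_certs with absolute paths, as the command requires, and restricts
# the key file to its owner.
issue_registration_keys() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    [ -d "$(dirname "$2")" ] || { echo "no such directory for: $2" >&2; return 1; }
    in_path="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    out_path="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    port="${3:-}"
    if [ -n "$port" ]; then
        set -- -p "$port"
    else
        set --
    fi
    cpca_client init_certs "$@" -i "$in_path" -o "$out_path" || return 1
    chmod 600 "$out_path"
}

# Usage: sh init_certs_input.sh users.txt /var/tmp/init_certs.in /var/tmp/regkeys.out [18265]
if [ "$#" -ge 3 ]; then
    write_init_certs_input "$1" "$2" && issue_registration_keys "$2" "$3" "${4:-}"
fi
```

The generator deliberately writes exactly one empty line between entries: a list without the separators, or with several blank lines in a row, is the usual reason init_certs does not produce a key for every user.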

cp_conf

Description Configure or reconfigure a Security Gateway installation. The configuration options available on a machine depend on the installed configuration and products.

Syntax

> cp_conf

cp_conf on a virtual device

To run cp_conf on a virtual device such as a Virtual System, change the context to that virtual device and then run the command. By default, the command output is for the VSX Gateway itself (VS0).

Many CLI commands for VSX work in the same way: they run on each context (virtual device) separately, so change the context before running them.

Use the set virtual-system or vsenv command to change context to a different virtual device.

  • set virtual-system - Run from the CLI
  • vsenv - Run from Expert mode

Syntax

set virtual-system <vsid>
vsenv <vsid>

Parameter

Description

vsid

ID of the virtual device.

Example

set virtual-system 3

Output

Context is set to vsid 3

cp_conf sic

Description Use the cp_conf sic commands to manage SIC on the Security Management Server.

Syntax

> cp_conf sic state
> cp_conf sic init <key> [norestart]
> cp_conf sic cert_pull <management> <object>

Parameter

Description

state

Shows the SIC trust state.

init <key>

Restarts SIC with the Activation Key <key>.

[norestart]

By default, the Security Gateway runs cpstop and cpstart when you restart SIC. Use the norestart parameter to restart SIC and to not run cpstop and cpstart.

cert_pull <management> <object>

For Security Gateways with a Dynamically Assigned IP address (DAIP), pulls a certificate for the gateway object <object> from the Security Management Server.

<management>

Name or IP address of the Security Management Server

<object>

Name of the Security Gateway object, as defined on the Security Management Server

cp_conf admin

Description Manage Check Point system administrators for the Security Management Server

Syntax

> cp_conf admin get # Get the list of administrators.
> cp_conf admin add <user> <pass> {a|w|r}
> cp_conf admin del <admin1> <admin2>...

Parameter

Description

get

Shows a list of the administrators

add <user> <pass>

Adds a new administrator <user> with password <pass>. The password is passed as a command line argument, so it is visible in the shell history and, while the command runs, in the process list.

{a|w|r}

Sets the permissions for the new administrator:

a - Read, write and manage administrators

w - Read and write

r - Read only

del <admin1>

Deletes one or more administrators <admin1>, <admin2>, and so on

cp_conf ca

Description Initialize the Internal Certificate Authority (ICA) and set its FQDN.

Syntax

> cp_conf ca init
> cp_conf ca fqdn <name>

Parameter

Description

init

Initializes the internal CA

fqdn <name>

Sets the FQDN of the internal CA to <name>

cp_conf finger

Description Displays the fingerprint which is used on first-time launch to verify the identity of the Security Management server being accessed by the SmartConsole. This fingerprint is a text string derived from the Security Management server's certificate.

Syntax

> cp_conf finger get

cp_conf lic

Description Shows the installed licenses and lets you manually add new ones.

Syntax

> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>

Parameter

Description

get

Shows the installed licenses

add -f <file>

Adds the license from <file>

add -m <Host> <Date> <Key> <SKU>

Manually adds a license with these parameters:

<Host> - Name of the Security Management Server

<Date> - Date of the license

<Key> - License key

<SKU> - License SKU

del <Signature Key>

Deletes the license identified by <Signature Key>

cp_conf client

Description Manage the GUI clients that can use SmartConsoles to connect to the Security Management Server.

Syntax

> cp_conf client get # Get the GUI clients list
> cp_conf client add <GUI client> # Add one GUI Client
> cp_conf client del <GUI client 1> <GUI client 2>... # Delete GUI Clients
> cp_conf client createlist <GUI client 1> <GUI client 2>... # Create new list.

Parameter

Description

get

Shows the IP addresses of the allowed GUI clients.

add <GUI client>

Adds the <GUI client> IP address to the list of allowed GUI clients.

del <GUI client 1> <GUI client 2>...

Deletes one or more IP addresses from the list of allowed GUI clients.

createlist <GUI client 1> <GUI client 2>...

Deletes all allowed GUI clients and creates a new list. The new list allows <GUI client 1>, <GUI client 2>, and so on.
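Example (added here; not Check Point's code). Because createlist replaces the whole list in one step, a malformed entry or an empty file is the easy way to lock administrators out or let the wrong host in. The script below reads an allowlist file (one address per line, "#" comments; the file format is this example's own convention), accepts only plain IPv4 addresses, validates the whole file before touching the list, and refuses to install an empty list.

```shell
#!/bin/sh
# Added example (not Check Point code): rebuild the allowed GUI client list
# from an allowlist file, letting only plain IPv4 addresses through to
# "cp_conf client createlist". The allowlist format (one address per line,
# "#" comments) is this example's own convention.

# is_ipv4 <string>: succeeds if <string> is four dotted decimal octets, each 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ "$#" -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
        exit 0
    )
}

# build_gui_client_list <allowlist_file>
# Prints one validated address per line; fails if any non-empty entry is
# rejected, so a typo cannot silently shrink the list.
build_gui_client_list() {
    file="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                               # drop trailing comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')       # drop blanks
        [ -z "$entry" ] && continue
        if is_ipv4 "$entry"; then
            printf '%s\n' "$entry"
        else
            echo "rejected (not a plain IPv4 address): $entry" >&2
            status=1
        fi
    done < "$file"
    return "$status"
}

# apply_gui_client_list <allowlist_file>
# Validates the whole file first, then replaces the list in one createlist
# call, and refuses to install an empty list (which would remove every client).
apply_gui_client_list() {
    clients=$(build_gui_client_list "$1") || return 1
    if [ -z "$clients" ]; then
        echo "allowlist is empty; refusing to remove all GUI clients" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # intentional word splitting: one argument per address
    cp_conf client createlist $clients
}

# Usage: sh gui_clients.sh /path/to/allowlist.txt
if [ "$#" -gt 0 ]; then
    apply_gui_client_list "$1"
fi
```

Check the result with cp_conf client get. Restricting the list to single IPv4 addresses is a policy choice made here; if you need other forms of entry, extend is_ipv4 rather than bypassing the validation.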

cp_conf ha

Description Enable or disable High Availability on the Security Management Server.

Syntax

> cp_conf ha {enable|disable} [norestart]

Parameter

Description

{enable|disable}

Enables or disables High Availability

norestart

Applies the change without running cpstop and cpstart, as for cp_conf sic init

 
©2014 Check Point Software Technologies Ltd. All rights reserved.