Open Frames Download Complete PDF Send Feedback Print This Page

Previous

Next

cp_conf snmp

Description Activate or deactivate SNMP.

Syntax

> cp_conf snmp get # Get SNMP Extension status.
> cp_conf snmp {activate|deactivate} [norestart] # Deactivate SNMP Extension.

Parameter

Description

get

Shows the SNMP status.

{activate|deactivate}

Enables or disables SNMP.

[no restart]

By default, the Security Gateway runs cpstop and cpstart when you enable or disable SNMP. Use the norestart parameter to configure SNMP and to not run cpstop and cpstart.

cp_conf auto

Description Configure the Security Gateway and Security Management Server products that start automatically when the appliance or server reboots.

Syntax

> cp_conf auto get [fw1] [fg1] [rm] [all]
> cp_conf auto {enable|disable} <product1> <product2>...

Parameter

Description

get

Shows which products start automatically

{enable|disable} <product1> <product2>

Enables or disables the one or more products that start automatically

cp_conf sxl

Description Enable or disable SecureXL acceleration.

Syntax

> cp_conf sxl {enable|disable}

cpconfig

Description Run a command line version of the Check Point Configuration Tool. This tool is used to configure an installed Check Point product. The options shown depend on the installed configuration and products. Amongst others, these options include:

  • Licenses and contracts - Modify the necessary Check Point licenses and contracts.
  • Administrator - Modify the administrator authorized to connect to the Security Management server.
  • GUI Clients - Modify the list of SmartConsole Client machines from which the administrators are authorized to connect to a Security Management server.
  • SNMP Extension - Configure the SNMP daemon. The SNMP daemon enables SecurePlatform to export its status to external network management tools.
  • PKCS #11 Token - Register a cryptographic token, for use by SecurePlatform; see details of the token, and test its functionality.
  • Random Pool - Configure the RSA keys, to be used by SecurePlatform.
  • Certificate Authority - Install the Certificate Authority on the Security Management server in a first-time installation.
  • Secure Internal Communication - Set up trust between the gateway on which this command is being run and the Security Management server.
  • Certificate's Fingerprint - Display the fingerprint which will be used on first-time launch to verify the identity of the Security Management server being accessed by the SmartConsole. This fingerprint is a text string derived from the Security Management server's certificate.
  • Automatic Start of Check Point Products - Specify whether Check Point Security Gateways will start automatically at boot time.

Syntax `

> cpconfig

Further Info. See the R76 Installation and Upgrade Guide.

cpinfo

Description - CPinfo is a utility that collects data on a machine at the time of execution. The CPinfo output file enables Check Point's support engineers to analyze setups from a remote location. Engineers can open the CPinfo file in demo mode, while viewing real Security Policies and objects. This allows for in-depth analysis of all of configuration options and environment settings.

Syntax

> cpinfo [-v] [-l] [-n] [-o ] [-r | -t [tablename]] [-c <domain> ... | -x <vs>]

Parameter

Description

-z

Output gzipped (effective with -o option)

-r

Includes the registry (for Windows servers - shows a large output)

-v

Prints version information

-l

Embeds log records (very large output)

-n

Does not resolve network addresses (faster)

-o

Output to a file and to the screen

-t

Output consists of tables only (SR only)

-c <domain>

Get information about the specified <domain> Domain Management Server (Multi-Domain Security Management)

-x <vs>

Get information about the specified <vs> Virtual System (VSX)

Further Info. SecureKnowledge solution sk30567.

cpstart

Description Start all Check Point processes and applications running on an appliance or server.

Syntax

> cpstart

Comments This command cannot be used to start cprid. cprid is invoked when the machine is booted and it runs independently.

cpstat

Description cpstat displays the status of Check Point applications, either on the local or on another appliance or server, in various formats.

Syntax

> cpstat [-h <host>][-p <port>][-s <SICname>][-f <flavor>][-o <polling>][-c <count>][-e <period>][-d] <application_flag>

Parameter

Description

-h <host>

A resolvable hostname, a dot-notation address (for example: 192.0.2.23), or a DAIP object name. The default is localhost.

-p <port>

Port number of the AMON server. The default is the standard AMON port (18192).

-s <SICname>

Secure Internal Communication (SIC) name of the AMON server.

-f <flavor>

The flavor of the output (as it appears in the configuration file). The default is the first flavor found in the configuration file.

-o <polling>

Polling interval (seconds) specifies the pace of the results.

The default is 0, meaning the results are shown only once.

-c <count>

Specifies how many times the results are shown. The default is 0, meaning the results are repeatedly shown.

-e <period>

Specifies the interval (seconds) over which 'statistical' olds are computed. Ignored for regular olds.

-d

Debug mode.

<application_flag>

One of the following:

  • fw — Firewall component of the Security Gateway
  • vpn — VPN component of the Security Gateway
  • fg — QoS (formerly FloodGate-1)
  • ha — ClusterXL (High Availability)
  • os — OS Status
  • mg — for the Security Management server
  • persistency - for historical status values
  • polsrv
  • uas
  • svr
  • cpsemd
  • cpsead
  • asm
  • ls
  • ca

The following parameters can be added to the application flags:

  • fw "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect",
    "cookies", "chains", "fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin",
    "smtp", "pop3", "sync"
  • vpn — "default", "product", "IKE", "ipsec", "traffic", "compression", "accelerator",
    "nic", "statistics", "watermarks", "all"
  • fg"all"
  • ha"default", "all"
  • os"default", "ifconfig", "routing", "memory", "old_memory", "cpu", "disk", "perf",
    "multi_cpu", "multi_disk", "all", "average_cpu", "average_memory", "statistics"
  • mg"default"
  • persistency "product", "Tableconfig", "SourceConfig"
  • polsrv "default", "all"
  • uas "default"
  • svr "default"
  • cpsemd "default"
  • cpsead "default"
  • asm "default", "WS"
  • ls "default"
  • ca "default", "crl", "cert", user", "all"

Example

> cpstat fw
 
Policy name:  Standard
Install time: Wed Nov  1 15:25:03 2000
 
Interface table
-----------------------------------------------------------------
|Name|Dir|Total *|Accept**|Deny|Log|
-----------------------------------------------------------------
|hme0|in |739041*|738990**|51 *|7**|
-----------------------------------------------------------------
|hme0|out|463525*|463525**| 0 *|0**|
-----------------------------------------------------------------
*********|1202566|1202515*|51**|7**|

cpstop

Description Terminate all Check Point processes and applications, running on an appliance or server.

Syntax

> cpstop
> cpstop -fwflag {-proc|-default}

Parameter

Description

-fwflag -proc

Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.

-fwflag -default

Kills Check Point daemons and Security servers. The active Security Policy running in the kernel is replaced with the default filter.

Comments This command cannot be used to terminate cprid. cprid is invoked when the appliance or server is booted and it runs independently.

fw

Description The fw commands are used for working with various aspects of the firewall. All fw commands are executed on the Check Point Security Gateway.

Typing fw at the command prompt sends a list of available fw commands to the standard output.

Syntax

> fw

fw -i

Description Generally, when Check Point Security gateway commands are executed on a Security gateway they will relate to the gateway as a whole, rather than to an individual kernel instance. For example, the fw tab command will enable viewing or editing of a single table of information aggregated for all kernel instances.

This command specifies that certain commands apply to an individual kernel instance. By adding -i <kern> after fw in the command, where <kern> is the kernel instance's number.

Syntax

> fw -i applies to the following commands:

> fw ctl debug (when used without the -buf parameter)

> fw ctl get
> fw ctl set
> fw ctl leak
> fw ctl pstat
> fw monitor
> fw tab

For details and additional parameters for any of these commands, refer to the command's entry.

Example To view the connections table for kernel instance #1 use the following command:

> fw -i 1 tab -t connections

fw ctl

Description The fw ctl command controls the Firewall kernel module.

Syntax

fw ctl {install|uninstall}
fw ctl debug [-m <module>] [+|-] {options | all | 0}
fw ctl debug -buf [buffer size]
fw ctl kdebug
fw ctl pstat [-h][-k][-s][-n][-l]
fw ctl iflist
fw ctl arp [-n]
fw ctl block {on|off}
fw ctl chain
fw ctl conn

Parameter

Description

{Install| Uninstall}

  • Uninstall — tells the operating system to stop passing packets to the Security Gateway, and unloads the Security Policy. The networks behind it become unprotected.
  • Install — tells the operating system to start passing packets to the Security Gateway. The command fw ctl install runs automatically when cpstart is performed.

    Note - If you run fw ctl uninstall followed by fw ctl install, the Security Policy is not restored.

debug

Generate debug messages to a buffer. See fw ctl debug.

kdebug

Reads the debug buffer and obtains the debug messages. If there is no debug buffer, the command will fail.

  • [-f] read the buffer every second and print the messages, until Ctrl-C is pressed. Otherwise, read the current buffer contents and end.
  • [-t/-T] print the time field (seconds/microseconds)
  • [-p] to print specific fields all|proc|pid|date|mid|type|freq|topic|time|ticks|tid|text|err|host|vsid|cpu
  • [-m] - number of cyclic files, [-s] - size of each

pstat [-h]
[-k][-s]
[-n][-l]

Displays Security Gateway internal statistics:

-h — Generates additional hmem details.

-k — Generates additional kmem details.

-s — Generates additional smem details.

-n — Generates NDIS information (Windows only).

-l — Generates general Security Gateway statistics.

iflist

Displays the IP interfaces known to the kernel, by name and internal number.

arp [-n]

Displays ARP proxy table.

-n — Do not perform name resolution.

block {on|off}

on — Blocks all traffic.

off — Restores traffic and the Security Policy.

chain

Prints the names of internal Security Gateways that deal with packets. Use to ensure that a gateway is loaded. The names of these gateways can be used in the fw monitor -p command.

conn

Prints the names of the connection modules.

fw ctl debug

Description Generate debug messages to a buffer.

Syntax A number of debug options are available:

fw ctl debug -buf [buffer size]
fw ctl debug [-m <module>] [+ | -] {options|all|0}
fw ctl debug 0
fw ctl debug [-d <comma separated list of strings>]
fw ctl debug [-d <comma separated list of ^strings>]
fw ctl debug [-s <string>]
fw ctl debug -h
fw ctl debug -x

Parameter

Description

-buf [buffer size]

Allocates a buffer of size kilobytes (default 128) and starts collecting messages there. If the -buf argument is not set, the debug messages are printed to the console.

-m <module>

Specify the Security Gateway module you wish to debug. The default module is fw.

For example: fw ctl debug –m VPN all

[+ | -] <options|all|0>

Sets or resets debug flags for the requested gateway).

  • If + is used, the specified flags are set, and the rest remain as they were.
  • If - is used, the specified flags are reset, and the rest remain as they were.
  • If neither + nor - are used, the specified flags are set and the rest are reset.

-h

Print a list of debug modules and flags.

0

Returns all flags in all gateways to their default values, releases the debug buffer (if there was one).

-d <comma separated list of strings>

Only lines containing these strings are included in the output. (Available in R70 or higher)

-d <comma separated list of ^strings>

Lines containing these strings are omitted from the output (Available in R70 or higher)

For example:

fw ctl debug –d error,failed,^packet

Output shows only lines containing the words "error" or "failed" and not the word "packet"

-s <string>

Stop debug messages when a certain string is issues (Available in R70 or higher)

For example: fw ctl debug –s error

-x

Shuts down the debug.

fw ctl affinity

fw ctl affinity -s

Description Sets CoreXL affinities when using multiple processors. For an explanation of kernel, daemon and interface affinities, see the R76 Performance Tuning Administration Guide.

fw ctl affinity -s settings are not persistent through a restart of the Security Gateway. If you want the settings to be persistent, either use:

  • sim affinity (a Performance Pack command)
  • Or edit the fwaffinity.conf configuration file

To set interface affinities, you should use fw ctl affinity only if Performance Pack is not running. If Performance Pack is running, you should set affinities by using the Performance Pack sim affinity command. These settings will be persistent. If Performance Pack's sim affinity is set to Automatic mode (even if Performance Pack was subsequently disabled), you will not be able to set interface affinities by using fw ctl affinity -s.

Note - The fw ctl affinity command is different for a VSX Gateway and a Security Gateway:

VSX Gateway - Use the -d parameter to save the CoreXL affinity settings after you reboot it

  • Security Gateway - The CoreXL affinity settings are not saved after you reboot it

Syntax

> fw ctl affinity -s <proc_selection> <cpuid>

<proc_selection> is one of the following parameters:

Parameter

Description

-p <pid>

Sets affinity for a particular process, where <pid> is the process ID#.

-n <cpdname>

Sets affinity for a Check Point daemon, where <cpdname> is the Check Point daemon name (for example: fwd).

-k <instance>

Sets affinity for a kernel instance, where <instance> is the instance's number.

-i <interfacename>

Sets affinity for an interface, where <interfacename> is the interface name (for example: eth0).

<cpuid> should be a processing core number or a list of processing core numbers. To have no affinity to any specific processing core, <cpuid> should be: all.

Note - Setting an Interface Affinity will set the affinities of all interfaces sharing the same IRQ to the same processing core. To view the IRQs of all interfaces, run: fw ctl affinity -l -v -a .

Example To set kernel instance #3 to run on processing core #5, run:

> fw ctl affinity -s -k 3 5

fw ctl affinity -l

Description Lists existing CoreXL affinities when using multiple processors. For an explanation of kernel, daemon and interface affinities, see the R76 Performance Tuning Administration Guide.

Syntax

> fw ctl affinity -l [<proc_selection>] [<listtype>]

If <proc_selection> is omitted, fw ctl affinity -l lists affinities of all Check Point daemons, kernel instances and interfaces. Otherwise, <proc_selection> is one of the following parameters:

Parameter

Description

-p <pid>

Displays the affinity of a particular process, where <pid> is the process ID#.

-n <cpdname>

Displays the affinity of a Check Point daemon, where <cpdname> is the Check Point daemon name (for example: fwd).

-k <instance>

Displays the affinity of a kernel instance, where <instance> is the instance's number.

-i <interfacename>

Displays the affinity of an interface, where <interfacename> is the interface name (for example: eth0).

If <listtype> is omitted, fw ctl affinity -l lists items with specific affinities, and their affinities. Otherwise, <listtype> is one or more of the following parameters:

Parameter

Description

-a

All: includes items without specific affinities.

-r

Reverse: lists each processing core and the items that have it as their affinity.

-v

Verbose: list includes additional information.

Example To list complete affinity information for all Check Point daemons, kernel instances and interfaces, including items without specific affinities, and with additional information, run:

> fw ctl affinity -l -a -v

fw ctl engine

Description Enables the INSPECT2C engine, which dynamically converts INSPECT code to C code.

Run the command on the Check Point Security Gateway.

Syntax

> fw ctl engine {on|off|stat|setdefault}

Parameter

Description

on

Compile the engine if necessary, and activate it.

Because the engine may not have been previously compiled, turning the engine ON may not activate it immediately. Instead, the engine is activated in the background after the compilation.

After turning the engine ON, the engine recompiles and reactivates itself every policy installation regardless of the values of inspect2c_compile and inspect2c_activate.

off

Deactivates the engine if active. Subsequent policy installation on the gateway does NOT auto-activate the engine unless the command is used again.

stat

Print the status of the engine. For example: "During compilation", "Before auto-activation", "Deactivated".

setdefault

Restore control to database settings. Security Management server settings are ignored.

At the next policy installation, return the control of the engine to the values of the following gateway database attributes:

  • inspect2c_compile (true/false) - controls whether or not the engine is compiled on the gateway during policy installation. Compilation is performed in the background and may take a few minutes.
  • inspect2c_activate (true/false) - controls whether the engine is automatically activated after it is compiled. When set to true, the engine is compiled regardless of the value of inspect2c_compile.

Use GuiDBEdit to change the values of the attributes.

fw ctl multik stat

Description Displays multi-kernel statistics for each kernel instance. The state and processing core number of each instance is displayed, along with:

  • The number of connections currently being handled
  • The peak number of concurrent connections the instance has handled since its inception

fw ctl sdstat

Description The IPS performance counters measure the percentage of CPU consumed by each IPS protection. The measurement itself is divided according to the type of protection: Pattern based protections or INSPECT based protections. In addition, the IPS counters measure the percentage of CPU used by each section ("context") of the protocol, and each protocol parser.

Syntax

> fw ctl zdebug >& outputfile
> fw ctl sdstat start
> fw ctl sdstat stop

Parameter

Description

fw ctl zdebug >& outputfile

Turn on debug mode and specify an output file.

fw ctl sdstat start

Activate the IPS counters

fw ctl sdstat stop

Print a report and stop the counters.

Example The workflow is as follows:

Run the following commands on the Check Point Security Gateway (version R70 or higher):

On the Check Point Security Gateway:

  • Run fw ctl zdebug >& outputfile
  • Run fw ctl sdstat start

Let the counters run. However- do not leave the counters on for more than 10 minutes.

  • Run fw ctl sdstat stop

It is important to stop the counters explicitly, otherwise there may be performance penalty

This generates the output file outputfile that must be processed on the (SecurePlatform only) Security Management Server.

On the Security Management Server:

  • From $FWDIR/script, run the script
    ./sdstat_analyse.csh outputfile

The output of the script is a report in csv format that can be viewed in Microsoft Excel.

If there is a problem in the report, or if more details are needed, a debug flag is available which prints extra information to outputfile.

  • Run fw ctl zdebug + spii >& outputfile

Example Debug Message

Explanation

sdstat_get_stats_all_instances : Smart Defense report objects are not initalized, hence no report can be done.

User tried to create a report without initializing the counters, or an error occurred during initialization and the user then tried to print a report.

FW-1 - sdstats_print_report: Failed to calculate Smart Defense (total_smart_defense is 0)

The measurement process failed and the total time units for IPS is zero.

Comments

  1. A value in the report of "< 1" means that the percentage of CPU used by a protection is less than 1%.
  2. The report generated by the sdstat_analyse script may contain a number instead of a protection name. This is because the original output contains a signature id, but the id is missing from the Security Policy on the Gateway.

fw fetch

Description Fetches the Inspection Code from the specified host and installs it to the kernel.

Syntax

> fw fetch [-n] [-f <filename>] [-c] [-i] master1 [master2] ...

Parameter

Description

-n

Fetch the Security Policy from the Security Management server to the local state directory, and install the Policy only if the fetched Policy is different from the Policy already installed.

-f <filename>

Fetch the Security Policy from the Security Management server listed in <filename>. If filename is not specified, the list in
conf/masters is used.

-c

Cluster mode, get policy from one of the cluster members, from the Check Point High Availability (CPHA) kernel list.

-i

Ignore SIC information (for example, SIC name) in the database and use the information in conf/masters. This option is used when a Security Policy is fetched for the first time by a DAIP gateway from a Security Management server with a changed SIC name.

master1

Execute command on the designated master.

The IP address of the Security Management Server from which to fetch the Policy. You can specify one or more servers, which will be searched in the order listed.

If no targets is not specified, or if targets is inaccessible, the Policy is fetched from localhost.

fw fetchlogs

Description fw fetchlogs fetches Log Files from a remote machine. You can use the fw fetchlogs command to transfer Log Files to the machine on which the fw fetchlogs command is executed. The Log Files are read from and written to the directory $FWDIR/log.

Usage fw fetchlogs [[-f file name] ... ] module

Syntax

Parameter

Description

-f filename

The Log Files to be transferred. The file name can include wildcards. In Solaris, any file containing wildcards should be enclosed in quotes.

The default parameter is *.log.

Related pointer files will automatically be fetched.

module

The name of the remote machine from where you transfer the Log Files.

Comments The files transferred by the fw fetchlogs command are MOVED from the source machine to the target machine. This means that they are deleted from the source machine once they have been successfully copied.

Fetching Current Log Data

The active Log File (fw.log) cannot be fetched. If you want to fetch the most recent log data, proceed as follows:

  • Run \ to close the currently active Log File and open a new one.
  • Run fw lslogs to see the newly-generated file name.
  • Run fw fetchlogs -f filename to transfer the file to the machine on which the fw fetchlogs command is executed. The file is now available for viewing in the SmartView Tracker.

After a file has been fetched, it is renamed. The gateway name and the original Log File name are concatenated to create a new file name. The new file name consists of the gateway name and the original file name separated by two (underscore) _ _ characters.

Example The following command:
fw fetchlogs -f 2001-12-31_123414.log module3

fetches the Log File 2001-12-31_123414.log from Module3.

After the file has been fetched, the Log File is renamed:

module3_ _2001-12-31_123414.log

Further Info. See the R76 Security Management Administration Guide.

fw hastat

Description The fw hastat command displays information about High Availability machines and their states.

Syntax

> fw hastat [<target>]

Parameter

Description

<target>

A list of machines whose status will be displayed. If target is not specified, the status of the local machine will be displayed.

fw isp_link

Description Takes down (or up) a redundant ISP link.

Syntax

> fw isp_link [<target>] <link-name> {up|down}

Parameter

Description

target

The name of the Check Point Security Gateway.

link-name

The name of the ISP link as defined in the ISP-redundancy tab.

Comments This command can be executed locally on the Check Point Security Gateway or remotely from the Security Management server. In the latter case, the target argument must be supplied. For this command to work, the Check Point Security Gateway should be using the ISP redundancy feature.

fw kill

Description Prompts the kernel to shut down all firewall daemon processes. The command is located in the $FWDIR/bin directory on the Security Management server or gateway machine.

The firewall daemons and Security servers write their pids to files in the $FWDIR/tmp directory upon startup. These files are named $FWDIR/tmp/daemon_name.pid. For example, the file containing the pid of the firewall snmp daemon is: $FWDIR/tmp/snmpd.pid.

Syntax

> fw kill [-t <sig_no>] <proc-name>

Parameter

Description

-t <sig_no>

This Unix only command specifies that if the file $FWDIR/tmp/proc-name.pid exists, send signal sig_no to the pid given in the file.

If no signal is specified, signal 15 (sigterm or the terminate command) is sent.

<proc-name>

Prompt the kernel to shut down specified firewall daemon processes.

Comments In Windows, only the default syntax is supported: fw kill proc_name. If the -t option is used it is ignored.

fw lea_notify

Description Send a LEA_COL_LOGS event to all connected lea clients, see the LEA Specification documentation. It should be used after new log files have been imported (manually or automatically) to the $FWDIR/log directory in order to avoid the scheduled update which takes 30 minutes.

This command should be run from the Security Management server.

Syntax

> fw lea_notify

fw lichosts

Description Print a list of hosts protected by Security Gateway products. The list of hosts is in the file $fwdir/database/fwd.h

Syntax

> fw lichosts [-x] [-l]

Parameter

Description

-x

Use hexadecimal format

-l

Use long format

fw log

Description fw log displays the content of Log files.

Syntax

> fw log [-f [-t]] [-n] [-l] [-o] [-c <action>] [-h <host>] [-s <starttime>] [-e <endtime>] [-b <starttime> <endtime>] [-u <unification_scheme_file>] [-m {initial|semi|raw}] [-a] [-k {alert_name|all}] [-g] [logfile]

Parameter

Description

-f [-t]

After reaching the end of the currently displayed file, do not exit (the default behavior), but continue to monitor the Log file indefinitely and display it while it is being written.

The -t parameter indicates that the display is to begin at the end of the file, in other words, the display will initially be empty and only new records added later will be displayed.

-t must come with a -f flag. These flags are relevant only for active files.

-n

Do not perform DNS resolution of the IP addresses in the Log file (the default behavior). This option significantly speeds up the processing.

-l

Display both the date and the time for each log record (the default is to show the date only once above the relevant records, and then specify the time per log record).

-o

Show detailed log chains (all the log segments a log record consists of).

-c <action>

Display only events whose action is action, that is, accept, drop, reject, authorize, deauthorize, encrypt and decrypt. Control actions are always displayed.

-h <host>

Display only log whose origin is the specified IP address or name.

-s <starttime>

Display only events that were logged after the specified time (see time format below). starttime may be a date, a time, or both. If date is omitted, then today's date is assumed.

-e <endtime>

Display only events that were logged before the specified time (see time format below). endtime may be a date, a time, or both.

-b <starttime> <endtime>

Display only events that were logged between the specified start and end times (see time format below), each of which may be a date, a time, or both. If date is omitted, then today's date is assumed. The start and end times are expected after the flag.

-u <unification_scheme
_file>

Unification scheme file name.

-m

This flag specifies the unification mode.

  • initial - the default mode, specifying complete unification of log records; that is, output one unified record for each id. This is the default.
    When used together with -f, no updates will be displayed, but only entries relating to the start of new connections. To display updates, use the semi parameter.
  • semi - step-by-step unification, that is, for each log record, output a record that unifies this record with all previously-encountered records with the same id.
  • raw - output all records, with no unification.

-a

Output account log records only.

-k {<alert_name>|all}

Display only events that match a specific alert type. The default is all, for any alert type.

-g

Do not use a delimited style. The default is:

  • : after field name
  • ; after field value

logfile

Use logfile instead of the default Log file. The default Log File is $FWDIR/log/fw.log.

Where the full date and time format is: MMM DD, YYYY HH:MM:SS. For example: May 26, 1999 14:20:00

It is possible to specify date only in the format MMM DD, YYYY, or time only, in the format: HH:MM:SS, where time only is specified, the current date is assumed.

Example

> fw log
> fw log | more
> fw log -c reject
> fw log -s "May 26, 1999"
> fw log -f -s 16:00:00

Output [<date>] <time> <action> <origin> <interface dir and name> [alert] [field name: field value;] ...

Each output line consists of a single log record, whose fields appear in the format shown above.

Example Output

14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com;
dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access
denied - wrong user name or password ; scheme: IKE; reject_category:
Authentication error; product: Security Gateway
	14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com;
user: a; rule: 0; reason: Client Encryption: Authenticated by Internal
Password; scheme: IKE; methods: AES-256,IKE,SHA1; product: Security Gateway;
	14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com;
peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.;
CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods:
AES-256 + SHA1, Internal Password; user: a; product: Security Gateway;

fw logswitch

Description fw logswitch creates a new active Log File. The current active Log File is closed and renamed by default $FWDIR/log/<current_time_stamp>.log unless you define an alternative name that is unique. The format of the default name <current_time_stamp>.log is YYYY-MM-DD_HHMMSS.log. For example: 2003-03-26_041200.log

Warning:

  • The Logswitch operation fails if a log file is given a pre-existing file name.
  • The rename operation fails on Windows if the active log that is being renamed, is open at the same time that the rename operation is taking place; however; the Logswitch will succeed and the file will be given the default name $FWDIR/log/current_time_stamp.log.

The new Log File that is created is given the default name $FWDIR/log/fw.log. Old Log Files are located in the same directory.

A Security Management server can use fw logswitch to change a Log File on a remote machine and transfer the Log File to the Security Management server. This same operation can be performed for a remote machine using fw lslogs and fw fetchlogs.

When a log file is sent to the Security Management server, the data is compressed.

Syntax

> fw logswitch [-audit] [<filename>]
> fw logswitch -h <hostage> [+|-][<filename>]

Parameter

Description

-audit

Does logswitch for the Security Management server audit file. This is relevant for local activation.

<filename>

The name of the file to which the log is saved. If no name is specified, a default name is provided.

-h <hostage>

The resolvable name or IP address of the remote machine (running either a Security Gateway or a Security Management server) on which the Log File is located. The Security Management server (on which the fw logswitch command is executed) must be defined as one of host's Security Management servers. In addition, you must initialize SIC between the Security Management server and the host.

+

Change a remote log and copy it to the local machine.

-

Change a remote log and move it to the local machine thereby deleting the log from the remote machine.

Comments Files are created in the $FWDIR/log directory on both host and the Security Management server when the + or - parameters are specified. Note that if - is specified, the Log File on the host is deleted rather than renamed.

hostage specified:

  • filename specified - On hostage, the old Log File is renamed to old_log. On the Security Management Server, the copied file will have the same name, prefixed by hostages name. For example, the command fw logswitch -h venus +xyz creates a file named venus_xyz.log on the Security Management Server.
  • filename not specified - On hostage, the new name is
    the current date, for example: 2003-03-26_041200.log.
    On the Security Management Server, the copied file will have the same name, but prefixed by hostage_. For example, target_2003-03-26_041200.log.

hostage not specified:

  • filename specified - On the Security Management Server, the old Log File is renamed to old_log.
  • filename not specified - On the Security Management Server, the old Log File is renamed to the current date.

Compression

When log files are transmitted from one machine to another, they are compressed using the zlib package, a standard package used in the Unix gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of LZ77 method.

The compression ratio varies with the content of the log records and is difficult to predict. Binary data are not compressed, but string data such as user names and URLs are compressed.

fw mergefiles

Description Merge several Log Files into a single Log File. The merged file can be sorted according to the creation time of the Log entries, and the times can be "fixed" according to the time zones of the origin Log servers.

Logs entries with the same Unique-ID are unified. If a Log switch was performed before all the segments of a specific log were received, this command will merge the records with the same Unique-ID from two different files, into one fully detailed record.

Syntax

> fw mergefiles [-s] [-t <time_conversion_file>] <log_file_name_1> [... <log_file_name_n>] <output_file>

Parameter

Description

-s

Sort merged file by log records time field.

-t <time_conversion_file>

Fix different GMT zone log records time in the event that the log files originated from Log Servers in different time zone.

The time_conversion_file format is as follows:

ip-address signed_date_time_in_seconds

ip-address signed_date_time_in_seconds

<log_file_name_n>

Full pathnames of the Log File(s).

<output_file>

Full pathname of the output Log File.

Comments It is not recommended to merge the current active fw.log file with other Log Files. Instead, run the fw logswitch command and then run fw mergefiles.

fw monitor

Description Inspecting network traffic is an essential part of troubleshooting network deployments. fw monitor is a powerful built-in tool to simplify the task of capturing network packets at multiple capture points within the firewall chain. These packets can be inspected using industry-standard tools later on.

In many deployment and support scenarios capturing network packets is an essential functionality. tcpdump or snoop are tools normally used for this task. fw monitor provides an even better functionality but omits many requirements and risks of these tools.

  • No Security Flawstcpdump and snoop are normally used with network interface cards in promiscuous mode. Unfortunately the promiscuous mode allows remote attacks against these tools. fw monitor does not use the promiscuous mode to capture packets. In addition most firewall operating systems are hardened. In most cases this hardening includes the removal of tools like tcpdump or snoop because of their security risk.
  • Available on all Security Gateway installationsfw monitor is a built-in firewall tool which needs no separate installation in case capturing packets is needed. It is a functionality provided with the installation of the Firewall package.
  • Multiple capture positions within the firewall kernel module chain fw monitor allows you to capture packets at multiple capture positions within the firewall kernel module chain; both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the Firewall.
  • Same tool and syntax on all platforms — Another important fact is the availability of fw monitor on different platforms. Tools like snoop or tcpdump are often platform dependent or have specific "enhancements" on certain platforms. fw monitor and all its related functionality and syntax is absolutely identical across all platforms. There is no need to learn any new "tricks" on an unknown platform.

Normally the Check Point kernel modules are used to perform several functions on packets (like filtering, encrypting and decrypting, QoS …). fw monitor adds its own modules to capture packets. Therefore fw monitor can capture all packets which are seen and/or forwarded by the Firewall.

Only one instance of fw monitor can be run at a time.

Use ^C (that is Control + C) to stop fw monitor from capturing packets.

Syntax

> fw monitor [-u|s] [-i] [-d] [-D] [{-e <expr>|{-f <filter-file>|-}}] [-l <len>] [-m <mask>]
[-x <offset>[,<len>]] [-o <file>] [[-pi <pos>] [-pI <pos>] [-po <pos>] [-pO <pos>] | -p all]] [-a]
[-ci <count>] [-co <count>] [-h] -T

Parameter

Description

-u|s

Printing the UUID or the SUUID: The option –u or –s is used to print UUIDs or SUUIDs for every packet. Please note that it is only possible to print the UUID or the SUUID – not both.

-i

Flushing the standard output: Use to make sure that captured data for each packet is at once written to standard output. This is especially useful if you want to kill a running fw monitor process and want to be sure that all data is written to a file.

[-d] [-D]

Debugging fw monitor: The -d option is used to start fw monitor in debug mode. This will give you an insight into fw monitor's inner workings. This option is only rarely used outside Check Point. It is also possible to use –D to create an even more verbose output.

{-e <expr>|{-f <filter-file>|-}}

Filtering fw monitor packets: fw monitor has the ability to capture only packets in which you are interested. fw monitor filters use a subset of INSPECT to specify the packets to be captured. Set the filter expression:

  • on the command line using the –e switch.
  • by reading it from a file using the -f switch.
  • by reading it from standard input using the -f - switch.

-l <len>

Limiting the packet length: fw monitor lets you limit the packet data which will be read from the kernel with -l. This is especially useful if you have to debug high sensitive communication. It lets you to capture only the headers of a packet (e.g. IP and TCP header) while omitting the actual payload. Therefore you can debug the communication without seeing the actual data transmitted. Another possibility is to keep the amount of data low. If you don't need the actual payload for debugging you can decrease the file site by omitting the payload. It's also very useful to reduce packet loss on high-loaded machines. fw monitor uses a buffer to transfer the packets from kernel to user space. If you reduce the size of a single packet this buffer won't fill up so fast.

-m <mask>

Setting capture masks: By default fw monitor captures packets before and after the virtual machine in both directions. These positions can be changed. This option allows you to specify in which of the four positions you are interested.

-x <offset>[,<len>]

Printing packet/payload data: In addition to the IP and Transport header fw monitor can also print the packets' raw data using the –x option. Optionally it is also possible to send all data that is written only to the screen the data written.

-o <file>

Write output to file: Save the raw packet data to a file in a standard (RFC 1761) format. The file can be examined using by tools like snoop, tcpdump or Ethereal.

Note - The snoop file format is normally used to store Layer 2 frames. For "normal" capture files this means that the frame includes data like a source and a destination MAC address. fw monitor operates in the firewall kernel and therefore has no access to Layer 2 information like MAC addresses. Instead of writing random MAC addresses, fw monitor includes information like interface name, direction and chain position as "MAC addresses".

-T

Print time stamp in microseconds. -T is needed only when -o is not used. When -o is used the exact time is written to the snoop file by default as of Corsica.

[[-pi <pos>] [-pI <pos>] [-po <pos>] [-pO <pos>] | -p all]]

Insert fw monitor chain module at a specific position: In addition to capture masks (which give the ability to look at packets in a specific position) fw monitor has the ability to define where exactly in the firewall chain the packets should be captured. This can be defined using these options.

-a

Use absolute chain positions: If you use fw monitor to output the capture into a file (option –o), one of the fields written down to the capture file is the chain position of the fw monitor chain module. Together with a simultaneous execution of fw ctl chain you can determine where the packet was captured. Especially when using –p all you will find the same packet captured multiples times at different chain positions. The option –a changes the chain ID from a relative value (which only makes sense with the matching fw ctl chain output) to an absolute value. These absolute values are known to CPEthereal and can be displayed by it.

[-ci <count>]
[-co <count>]

Capture a specific number of packets: fw monitor enables you to limit the number of packets being captured. This is especially useful in situations where the firewall is filtering high amounts of traffic. In such situations fw monitor may bind so many resources (for writing to the console or to a file) that recognizing the break sequence (Control-C) might take very long.

-h

Displays the usage.

Example The easiest way to use fw monitor is to invoke it without any parameter. This will output every packet from every interface that passes (or at least reaches) the Check Point Security Gateway. The same packet appears several times (two times in the example below). This is caused by fw monitor capturing the packets at different capture points.

Output

cpmodule> fw monitor
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
eth0:i[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075
TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc
eth0:I[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075
TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc
eth0:o[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599
TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83
eth0:O[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599
TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83
eth0:o[1500]: 192.0.2.2 -> 192.0.2.133 (TCP) len=1500 id=44600
TCP
^C
: 18190 -> 1050 ....A. seq=941b0659 ack=bf8bca83
monitor: caught sig 2
 monitor: unloading

The first line of the fw monitor output is

eth0:i[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

This packet was captured on the first network interface (eth0) in inbound direction before the virtual machine (lowercase i). The packet length is 285 bytes (in square parenthesis; repeated at the end of the line. Note that these two values may be different. The packets ID is 1075. The packet was sent from 192.0.2.133 to 192.0.2.2 and carries a TCP header/payload.

The second line of the fw monitor output is

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

The second line tells us that this is a TCP payload inside the IP packet which was sent from port 1050 to port 18190. The following element displays the TCP flags set (in this case PUSH and ACK). The last two elements are showing the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged sequence number (ack=941b05bc). You will see similar information for UDP packets.

You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or cannot be analyzed because it is encrypted (e.g. ESP or encapsulated (e.g. GRE) the second line is missing.

Further Info. See SecureKnowledge solution sk30583.

fw lslogs

Description Display a list of Log Files residing on a remote or local machine. You must initialize SIC between the Security Management server and the remote machine.

Syntax

> fw lslogs [[-f <filename>] ...] [-e] [-s {<name>|<size>|<stime>|<etime>}] [-r] [<machine>]

Parameter

Description

-f <filename>

The list of files to be displayed. The file name can include wildcards. In Unix, any file containing wildcards should be enclosed in quotes.

The default parameter is *.log.

-e

Display an extended file list. It includes the following data:

  • Size - The size of the file and its related pointer files together.
  • Creation Time - The time the Log File was created.
  • Closing Time - The time the Log File was closed.
  • Log File Name - The file name.

-s

Specify the sort order of the Log Files using one of the following sort options:

  • name - The file name.
  • size - The file size.
  • stime - The time the Log File was created.
  • etime - The time the Log File was closed.

The default is stime.

-r

Reverse the sort order (descending order).

<machine>

The name of the machine on which the files are located. It can be a gateway or a Log Server. The default is localhost.

Example This example shows the extended file list you see when you use the fw lslogs -e command:

> fw lslogs -e module3
Size  Creation Time       Closing Time         Log file name
99KB  10Jan2002 16:46:27  10Jan2002 18:36:05   2002-01-10_183752.log
16KB  10Jan2002 18:36:05     --                fw.log

fw putkey

Description Install a Check Point authentication password on a host. This password is used to authenticate internal communications between Security Gateways and between a Check Point Security Gateway and its Security Management server. A password is used to authenticate the control channel the first time communication is established. This command is required for backward compatibility scenarios.

Syntax

> fw putkey [-opsec] [-no_opsec] [-ssl] [-no_ssl] [-k <num>] [-n <myname>] [-p <pswd>] <host>...

Parameter

Description

-opsec

Only control connections are enabled.

-no_opsec

Only OPSEC control connections are enabled.

-ssl

The key is used for an SSL connection.

-no_ssl

The key is not used for an SSL connection.

-k <num>

The length of the first S/Key password chain for fwa1 authentication (Check Point's proprietary authentication protocol). The default is 7. When fewer than 5 passwords remain, the hosts renegotiate a chain of length 100, based on a long random secret key. The relatively small default value ensures that the first chain, based on a short password entered by the user, is quickly exhausted.

-n <myname>

The IP address (in dot notation) to be used by the Check Point Security Gateway when identifying this host to all other hosts, instead of, for example, the resolution of the hostname command.

-p <psw>

The key (password). If you do not enter the password on the command line, you will be prompted for it.

<host>

The IP address(es) or the resolvable name(s) of the other host(s) on which you are installing the key (password). This should be the IP address of the interface "closest" to the host on which the command is run. If it is not, you will get error messages such as the following:
"./fwd: Authentication with hostname for command sync failed"

Comments This command is never used in a script.

fw repairlog

Description fw repairlog rebuilds a Log file's pointer files. The three files: name.logptr, name.loginitial_ptr and name.logaccount_ptr are recreated from data in the specified Log file. The Log file itself is modified only if the -u flag is specified.

Syntax

fw repairlog [-u] <logfile>

Parameter

Description

-u

Indicates that the unification chains in the Log file should be rebuilt.

<logfile>

The name of the Log file to repair.

fw sam

Description Manage the Suspicious Activity Monitoring (SAM) server. Use the SAM server to block connections to and from IP addresses without the need to change the Security Policy.

SAM commands are logged. Use this command to (also) monitor active SAM requests (see -M option).

To configure the SAM server on the Security Management server or Security Gateway, use SmartDashboard to edit the Advanced > SAM page of the Check Point Security Gateway object.

Syntax

Add/Cancel SAM rule according to criteria:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>][-t <timeout>][-l <log>][-C] -{n|i|I|j|J} <Criteria>

Delete all SAM rules:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -D

Monitor all SAM rules:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -M -{i|j|n} all

Monitor SAM rules according to criteria:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -M -{i|j|n} <Criteria>

Syntax

Parameter

Description

-v

Verbose mode. Writes one message (describing whether the command was successful or not) to stderr for each Security Gateway machine on which the command is enforced.

-s <sam_server>

The IP address (in dot format) or the resolvable name of the FireWalled host that will enforce the command. The default is localhost.

-S <server_sic_name>

The SIC name for the SAM server to be contacted. It is expected that the SAM server will have this SIC name, otherwise the connection will fail. If no server SIC name is supplied the connection will proceed without SIC names comparison. For more information about enabling SIC refer to the OPSEC API Specification.

-f <fw host>

Specify the host, the Security Gateway machine on which to enforce the action.

host can be one of the following (default is All):

  • localhost—Specify the computer running the SAM server to enforce the action on it.
  • The name of the object or group—the action is enforced on this object; if this object is a group, on every object in the group.
  • Gateways—Action enforced on FireWalls defined as gateways and managed by Security Management server where the SAM server runs.
  • All—Enforced on FireWalls managed by Smart- Center server where SAM server runs.

-D

Cancel all inhibit (-i, -j,-I,-J) and notify (-n) commands.
To "uninhibit" inhibited connections, execute fw sam with the -C or -D parameters. It is also possible to use this command for active SAM requests.

-C

Cancel the command to inhibit connections with the specified parameters. These connections will no longer be inhibited (rejected or dropped). The command parameters must match the ones in the original command, except for the -t (timeout) parameter.

-t <timeout>

The time period (in seconds) for which the action will be enforced. The default is forever or until cancelled.

-l <log>

The type of the log for enforced actions can be one of the following: nolog, long_noalert, long_alert. The default is long_alert.

-n

Notify, or generate, a long‑format log entry. Generates an alert when connections that match the specified services or IP addresses pass through the FireWall. This action does not inhibit or close connections.

-i

Inhibit (do not allow) new connections with the specified parameters. Each inhibited connection is logged according to log type. Matching connections will be rejected.

-I

Inhibit new connections with the specified parameters, and close all existing connections with the specified parameters. Each inhibited connection is logged according to the log type. Matching connections will be rejected.

-j

Inhibit new connections with the specified parameters. Each inhibited connection is logged according to the log type. Connections will be dropped.

-J

Inhibit new connections with the specified parameters, and close all existing connections with the specified parameters. Each inhibited connection is logged according to the log type. Connections will be dropped.

-M

Monitor the active SAM requests with the specified actions and criteria.

all

Get all active requests. For monitoring purposes only.

Usage Criteria are used to match connections, and are composed of various combinations of the following parameters:

<source ip><source netmask><destination ip><destination netmask> <service><protocol>

Possible combinations are:

src <ip>
dst <ip>
any <<ip>
subsrc <ip><netmask>
subdst <ip><netmask>
subany <ip><netmask>
srv <src ip><dest ip><service><protocol>
subsrv <src ip><src netmask><dest ip><dest netmask><service> <protocol>
subsrvs <src ip><src netmask><dest ip><service><protocol>
subsrvd <src ip><dest ip><dest netmask><service><protocol>
dstsrv <dest ip><service><protocol>
subdstsrv <dest ip><dest netmask><service><protocol>
srcpr <ip><protocol>
dstpr <ip><protocol>
subsrcpr <ip><netmask><protocol>
subdstpr <ip><netmask><protocol>

Syntax

Criteria Parameters

Description

src <ip>

Match the source IP address of the connection.

dst <ip>

Match the destination IP address of the connection.

any <ip>

Match either the source IP address or the destination IP address of the connection.

subsrc <ip> <netmask>

Match the source IP address of the connections according to the netmask.

subdst <ip> <netmask>

Match the destination IP address of the connections according to the netmask.

subany <ip> <netmask>

Match either the source IP address or destination IP address of connections according to the netmask.

srv <src ip> <dst ip> <service> <protocol>

Match the specific source IP address, destination IP address, service and protocol.

subsrv <src ip> <netmask>

<dst ip> <netmask> <service> <protocol>

Match the specific source IP address, destination IP address, service and protocol. Source and destination IP addresses are assigned according to the netmask.

subsrvs <src ip> <src netmask> <dest ip> <service> <protocol>

Match the specific source IP address, source netmask, destination netmask, service and protocol.

subsrvd <src ip> <dest ip>

<dest netmask> <service> <protocol>

Match specific source IP address, destination IP, destination netmask, service and protocol.

dstsrv <dst ip> <service> <protocol>

Match specific destination IP address, service and protocol.

subdstsrv <dst ip> <netmask> <service> <protocol>

Match specific destination IP address, service and protocol. Destination IP address is assigned according to the netmask.

srcpr <ip> <protocol>

Match the source IP address and protocol.

dstpr <ip> <protocol>

Match the destination IP address and protocol.

subsrcpr <ip> <netmask> <protocol>

Match the source IP address and protocol of connections. Source IP address is assigned according to the netmask.

subdstpr <ip> <netmask> <protocol>

Match the destination IP address and protocol of connections. Destination IP address is assigned according to the netmask.

Example This command inhibits all connections originating on louvre for 10 minutes. Connections made during this time will be rejected:

> fw sam -t 600 -i src louvre

This command inhibits all FTP connections from the louvre subnet to the eifel subnet. All existing open connections will be closed. New connection will be dropped, a log is kept and an alert is sent:

> fw sam -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

The previous command will be enforced forever - or until canceled by the following command:

> fw sam -C -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

This command monitors all active "inhibit" or "notify SAM" requests for which lourve is the source or destination address:

> fw sam -M -nij any lourve

This command cancels the command in the first example:

> fw sam -C -i src louvre

fw stat

Description Use fw stat to view the policy installed on the gateway, and which interfaces are being protected.

Note - The cpstat command is an enhanced version of fw stat

Syntax

> fw stat -l
> fw stat -s

Parameter

Description

-l

Show a long, detailed listing of the installed policies.

-s

Shows a short summary of the installed policies.

Examples

> fw stat

HOST      POLICY        DATE
localhost Standard      18Apr2012 15:01:51 :  [>eth0] [<eth0]

Two interfaces are being protected. The arrows show the direction of the packets.

After the policy is uninstalled, the output becomes:

> fw stat

HOST      POLICY     DATE
localhost -          -                :   >eth0   <eth0
 

This shows that there is no policy installed, and the interfaces are not protected.

fw tab

Description The fw tab command shows data from the kernel tables, and lets you change the content of dynamic kernel tables. You cannot change the content of static kernel tables.

Kernel tables (also known as State tables) store data that the Firewall and other modules in the Security Gateway use to inspect packets. These kernel tables are the "memory" of the virtual computer in the kernel and are a critical component of Stateful Inspection. The kernel tables are dynamic hash tables in the kernel memories.

Syntax

fw tab [-t <table>] [-s] [-c] [-f] [-o <filename>] [-r] [-u | -m <maxval>] [{-a|-x} -e <entry>] [-y] [<hostname>]

Parameter

Description

- t <table>

Specifies a table for the command.

-s

Shows a short summary of the table (s) data.

-c

Shows formatted table information in common format.

-f

Shows a formatted version of the table data. Each table can use a different style.

-o <filename>

Outputs CL formatted file called <filename>.You can open the file with fw log and other commands or processes that can read FW log formats.

-r

Resolves IP addresses in formatted output.

-u

Show unlimited table entries.

-m <maxval>

Sets the maximum table entries that are shown to <maxval>.

-a|-x

Adds (-a) or removes (-x) an entry from the specified table.

Include the -t <table> parameter when you run the fw tab command with the -a and -x parameters. You cannot run these parameters on remote appliances or servers.

Caution - If you use the -a and -x parameters incorrectly, you can cause the appliance or server to become unstable.

-e <entry>

One or more entries that you add or remove from the table.

-y

Do not show a prompt to users before they run commands.

[<hostname>]

One or more target appliances or servers for the fw tab command. If you do not use this parameter, the default setting is localhost.

Example > fw tab -t arp_table -a -e "1,2,3,4,5"
Adds an entry: <00000001,00000002,00000003,00000004,00000005,> to arp_table

fw tab - m 100 -r sample-gw

Comments If a table has the expire attribute, when you use the -a parameter to add entries, the default table timeout is added.

This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands.
The -x flag can be used independently of the -e flag in which case the entire table content is deleted.
This feature should only be used for debug purposes. It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts.

fw ver

Description Display the Security Gateway major and minor version number and build number.

Syntax

> fw ver [-k][-f <filename>]

Parameter

Description

-k

Print the version name and build number of the Kernel module.

-f <filename>

Print the version name and build number to the specified file.

fwm

Description Perform management operations on the Security Gateway. It controls fwd and all Check Point daemons.

Syntax

> fwm

fwm dbimport

Description Imports users into the Check Point User Database from an external file. You can create this file yourself, or use a file generated by fwm dbexport.

Syntax

> fwm dbimport [-m] [-s] [-v] [-r] [-k <errors>] [-f <file>] [-d <delim>]

Parameter

Description

-m

If an existing user is encountered in the import file, the user's default values will be replaced by the values in the template (the default template or the one given in the attribute list for that user in the import file), and the original values will be ignored.

-s

Suppress the warning messages issued when an existing user's values are changed by values in the import file.

-v

verbose mode

-r

fwm dbimport will delete all existing users in the database.

-k <errors>

Continue processing until nerror errors are encountered.
The line count in the error messages starts from 1 including the attributes line and counting empty or commented out lines.

-f <file>

The name of the import file. The default import file is $FWDIR/conf/user_def_file.

-d <delim>

Specifies a delimiter different from the default value (;).

Comments The IKE pre shared secret does not work when exporting from one machine and importing to another.

To ensure that there is no dependency on the previous database values, use the‑r flag together with the -m flag.

File Format

The import file must conform to the following Usage:

  • The first line in the file is an attribute list.
    • The attribute list can be any partial set of the following attribute set, as long as name is included:

{name; groups; destinations; sources; auth_method; fromhour; tohour; expiration_date; color; days; internal_password; SKEY_seed; SKEY_passwd; SKEY_gateway; template; comments; userc}

  • The attributes must be separated by a delimiter character.
    • The default delimiter is the ; character. However, you can use a different character by specifying the -d option in the command line.
  • The rest of the file contains lines specifying the values of the attributes per user. The values are separated by the same delimiter character used for the attribute list. An empty value for an attribute means use the default value.
  • For attributes that contain a list of values (for example, days), enclose the values in curly braces, that is,{}. Values in a list must be separated by commas. If there is only one value in a list, the braces may be omitted. A + or - character appended to a value list means to add or delete the values in the list from the current default user values. Otherwise the default action is to replace the existing values.
  • Legal values for the days attribute are: MON, TUE, WED, THU, FRI, SAT, SUN.
  • Legal values for the authentication method are: Undefined, S/Key, SecurID, Unix Password, VPN‑1 & FireWall‑1 Password, RADIUS, Defender.
  • Time format is hh:mm.
  • Date format is dd-mmm-yy, where mmm is one of {Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec}.
  • If the S/Key authentication method is used, all the other attributes regarding this method must be provided.
  • If the Check Point password authentication method is used, a valid Check Point password should be given as well. The password should be encrypted with the C language encrypt function.
  • Values regarding authentication methods other than the one specified are ignored.
  • The userc field specifies the parameters of the user's SecuRemote connections, and has three parameters, as follows:
    • key encryption method - DES, CLEAR, Any
    • data encryption method - DES, CLEAR, Any
    • integrity method - MD5,[blank] = no data integrity.
    • "Any" means the best method available for the connection. This depends on the encryption methods available to both sides of the connection. For example,

      {DES,CLEAR,} means: key encryption method is DES; no data encryption; no data integrity.

  • A line beginning with the ! character is considered a comment.

fwm expdate

Description Modify the expiration date of all users and administrators.

Syntax

> fw expdate dd-mmm-1976

Comments The date can be modified using a filter.

Example fw expdate 02-mar-2003 -f 01-mar-2003

fwm dbexport

Description Export the Check Point User Database to a file. The file may be in one of the following formats:

  • The same syntax as the import file for fwm dbimport
  • LDIF format, which can be imported into an LDAP server using ldapmodify

Syntax

To export the User Database to a file that can be used with fwm dbimport:

> fwm dbexport [ [-g group | -u user] [-d delim] [-a {attrib1, attrib2, ...} ] [-f file] ]

To export the User Database as an LDIF file:

> fwm dbexport -l -p [-d] -s subtree [-f file] [-k IKE-shared-secret]

Parameter

Description

-g group

Specifies a group (group) to be exported. The users in the group are not exported.

-u user

Specifies that only one user (user) is to be exported.

-d

Debug flag

-a {attrib1,
attrib2, ...}

Specifies the attributes to export, in the form of a comma-separated list, between {} characters, for example,
-a {name,days}. If there is only one attribute, the {} may be omitted.

-f file

 

file specifies the name of the output file. The default output file is $FWDIR/conf/user_def_file.

-l

Create an LDIF format file for importation by an LDAP server.

-p

The profile name.

-s

The branch under which the users are to be added.

-k

This is the Account Unit's IKE shared secret (IKE Key in the Encryption tab of the Account Unit Properties window.)

Comments Note:

  • The IKE pre shared secret does not work when exporting from one machine and importing to another.
  • If you use the -a parameter to specify a list of attributes, and then import the created file using fwm dbimport, the attributes not exported will be deleted from the user database.
  • fwm dbexport and fwm dbimport (non-LDIF Usage) cannot export and import user groups. To export and import a user database, including groups, proceed as follows:

    * Run fwm dbexport on the source Security Management server.

    * On the destination Security Management server, create the groups manually.

    * Run fwm dbimport on the destination Security Management server.

The users will be added to the groups to which they belonged on the source Security Management server.

  • If you wish to import different groups of users into different branches, run fwm dbexport once for each subtree, for example:

fwm dbexport -f f1 -l -s ou=marketing,o=WidgetCorp,c=us

fwm dbexport -f f2 -l -s ou=rnd,o=WidgetCorp,c=uk

Next, import the individual files into the LDAP server one after the other. For information on how to do this, refer to the documentation for your LDAP server.

  • The LDIF file is a text file which you may wish to edit before importing it into an LDAP server. For example, in the Check Point user database, user names may be what are in effect login names (such as "maryj") while in the LDAP server, the DN should be the user's full name ("Mary Jones") and "maryj" should be the login name.

Example Suppose the User Database contains two users, "maryj" and "ben".

fwm dbexport -l -s o=WidgetCorp,c=us

creates a LDIF file consisting of two entries with the following DNs:

cn=ben,o=WidgetCorp,c=us

cn=maryj,o=WidgetCorp,c=us

fwm dbload

Description Download the user database and network objects information to selected targets. If no target is specified, then the database is downloaded to localhost.

Syntax

> fwm dbload {-all|-conf <conffile>} [<targets>]

Parameter

Description

-all

Execute command on all targets specified in the default system configuration file ($FWDIR/conf/sys.conf). This file must be manually created.

-conf <conffile>

Only OPSEC control connections are enabled.

<targets>

Execute command on the designated targets.

fwm ikecrypt

Description fwm ikecrypt command line encrypts the password of a SecuRemote user using IKE. The resulting string must then be stored in the LDAP database.

Syntax

> fwm ikecrypt <shared-secret> <user-password>

Parameter

Description

<shared-secret>

The IKE Key defined in the Encryption tab of the LDAP Account Unit Properties window.

<user-password>

The SecuRemote user's password.

Comments An internal CA must be created before implementing IKE encryption. An Internal CA is created during the initial configuration of the Security Management server, following installation.

fwm getpcap

Description fwm getpcap command line fetches the packet capture.

Syntax > fwm getpcap -g <gw> -u <cap id> [-p <path>] [-c <domain>]

Parameter

Description

-g <gw>

Host name of the gateway

-u <cap id>

Capture UID

-p <path>

Output pathname

-c <domain>

Host name of the Domain Management Server

fwm load

Description Compile and install a Security Policy or a specific version of the Security Policy on the target's Security Gateways. This is done in one of two ways:

  • fwm load compiles and installs an Inspection Script (*.pf) file on the designated Security Gateways.
  • fwm load converts a Rule Base (*.W) file created by the GUI into an Inspection Script (*.pf) file then installs it to the designated Security Gateways.

Versions of the Security Policy and databases are maintained in a version repository on the Security Management server. Using this command specific versions of the Security Policy can be installed on a gateway (local or remote) without changing the definition of the current active database version on the Security Management server.

To protect a target, you must load a Policy that contains rules whose scope matches the target. If none of the rules are enforced on the target, then all traffic through the target is blocked.

Syntax > fwm load [-p <plug-in>] [-S] <rulebase> <targets>

Parameter

Description

-S

The targets are UTM-1 Edge gateways.

-p <plug-in>

Specifies the product name <plug-in> if applicable.

rulebase

A Rule Base created by the GUI. Specify the name of the rulebase, such as Standard (case sensitive).

<targets>

Execute command on the designated target.

Example The following command installs the Security Policy standard in the target gateway johnny.

fwm load Standard johnny

fwm lock_admin

Description View and unlock locked administrators.

Syntax >fwm lock_admin [-v][-u <administrator>][-ua]

Parameter

Description

-v

View the names of all locked administrators.

-u <administrator>

Unlock a single administrator.

-ua

Unlock all locked administrators.

fwm logexport

Description fwm logexport exports the Log file to an ASCII file.

Syntax > fwm logexport [-d <delimiter>] [-i <filename>] [-o <outputfile>] [-n] [-p]
[-f] [-m {initial|semi|raw}] [-a]

Parameter

Description

-d <delimiter>

Set the output delimiter. The default is a semicolon (;).

-i <filename>

The name of the input Log file. The default is the active Log file, fw.log

-o <outputfile>

The name of the output file. The default is printing to the screen.

-n

Do not perform DNS resolution of the IP addresses in the Log file (this option significantly speeds the processing).

-p

Do not perform service resolution. A service port number is displayed.

-f

If this is the active Log file (fw.log), wait for new records and export them to the ASCII output file as they occur.

-m {initial|semi|raw}

This flag specifies the unification mode.

  • initial - the default mode. Complete the unification of log records; that is, output one unified record for each id.
  • semi - step-by-step unification, that is, for each log record, output a record that unifies this record with all previously-encountered records with the same id.
  • raw - output all records, with no unification.

-a

Show account records only (the default is to show all records).

Comments Controlling the Output of fwm logexport using logexport.ini

The output of fwm logexport can be controlled by creating a file called logexport.ini and placing it in the conf directory: $FWDIR/conf. The logexport.ini file should be in the following format:

[Fields_Info]
included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
excluded_fields = field10,field11

note that:

  • the num field will always appear first, and cannot be manipulated using logexport.ini
  • <REST_OF_FIELDS> is a reserved token that refers to a list of fields. It is optional. If -f option is set, <REST_OF_FIELDS> is based on a list of fields taken from the file logexport_default.C.
  • If -f is not set, <REST_OF_FIELDS> will be based on the given input log file.
  • It is not mandatory to specify both included_fields and excluded_fields.

Format:

The fwm logexport output appears in tabular format. The first row lists the names of all fields included in the subsequent records. Each of the subsequent rows consists of a single log record, whose fields are sorted in the same order as the first row. If a record has no information on a specific field, this field remains empty (as indicated by two successive semi-colons).

Example

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;sys_message:;service;s_port;src;dst;

0; 5Dec2002;9:08:44;jam.checkpoint.com;control; ;;daemon;inbound;VPN-1 & FireWall-1;The hme0 interface
is not protected by the anti-spoofing feature. Your network may be at risk;;;;;

1; 5Dec2002;9:08:44;jam.checkpoint.com;control; ;;daemon;inbound;VPN-1 & FireWall-1;;
ftp;23456;1.2.3.4;3.4.5.6;

fwm sic_reset

Description Reset the Internal CA and delete all the certificates from the Internal CA and the Internal CA itself. After running sic_reset, the ICA should be initialized through the cpconfig command. If this command is run all the certified IKE from the Internal CA should be removed (using the SmartConsole).

Syntax > fwm sic_reset

fwm unload <targets>

Description Uninstall the currently loaded Inspection Code from selected targets.

Syntax > fwm unload <targets> [-all|-c <conffile>]

Parameter

Description

<targets>

Execute command on the designated targets.

-all

Execute command on all targets specified in the default system configuration file ($FWDIR/conf/sys.conf). This file must be manually created.

-c conffile

Execute command on targets specified in the conffile.

fwm ver

Description fwm ver shows the build number.

Syntax > fwm ver [-f <filename>]

Parameter

Description

-f <filename>

Exports the build number data to a file

fwm verify

Description The fwm verify command verifies the specified policy package without installing it.

Syntax > fwm verify <policy>

Parameter

Description

<policy>

The name of an available policy package.

 
Top of Page ©2014 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print