
Security Management Server and Firewall Commands

In This Chapter

cpca_client

cp_conf

cpconfig

cpinfo

cpstart

cpstat

cpstop

fw

fwm

cpca_client

Description These commands execute operations on the ICA (Internal Certificate Authority).

Syntax

> cpca_client

cpca_client create_cert

Description Prompt the ICA to issue a SIC certificate for the Security Management server.

Syntax

> cpca_client [-d] create_cert [-p <ca_port>] -n "CN=<common name>" -f <PKCS12>

Parameter

Description

-d

Runs the command in debug mode

-p <ca_port>

Specifies the port used to connect to the CA (if the CA was not run from the default port 18209)

-n "CN=<common name>"

Sets the CN to <common name>

-f <PKCS12>

Specifies the file name, <PKCS12>, that stores the certificate and keys.

cpca_client revoke_cert

Description Revoke a certificate issued by the ICA.

Syntax

> cpca_client [-d] revoke_cert [-p <ca_port>] -n "CN=<common name>"

Parameter

Description

-d

Runs the command in debug mode

-p <ca_port>

Specifies the port used to connect to the CA (if the CA was not run from the default port 18209)

-n "CN=<common name>"

Sets the CN to <common name>

cpca_client lscert

Description Show all certificates issued by the ICA.

Syntax

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}] [-kind {SIC|IKE|User|LDAP}] [-ser <serial>] [-dp <dp>]

Parameter

Description

-d

Runs the command in debug mode

-dn <substring>

Filters results to those with a DN that matches this <substring>

-stat

Filters results to the specified certificate status: Pending, Valid, Revoked, Expired, or Renewed

-kind

Filters results for specified kind: SIC, IKE, User, or LDAP

-ser <serial>

Filters results for this serial number

-dp <dp>

Filters results from this CDP (certificate distribution point)

cpca_client set_mgmt_tool

Description Starts or stops the ICA Management Tool.

Syntax

> cpca_client [-d] set_mgmt_tool {on|off|add|remove|clean|print} [-p <ca_port>] [-no_ssl] {-a <administrator DN>, -u <user DN>, -c <custom user DN>, ...}

Parameter

Description

-d

Runs the command in debug mode.

set_mgmt_tool {on|off|add|remove|clean|print}

  • on - Starts ICA Management Tool
  • off - Stops ICA Management Tool
  • add - Adds an administrator, user, or custom user
  • remove - Removes an administrator, user, or custom user
  • clean - Removes all the administrators, users, or custom users
  • print - Shows the administrators, users, or custom users

-p <ca_port>

Specifies the port used to connect to the CA. The default port is 18265.

-no_ssl

Configures the server to use HTTP instead of HTTPS.

-a <administrator DN>

Sets the DNs of the administrators that are permitted to use the ICA Management Tool.

-u <user DN>

Sets the DNs of the users that are permitted to use the ICA Management Tool.

-c <custom user DN>

Sets the DN for custom users that can use the ICA Management Tool.

Comments

  1. If the command is run without -a or -u, the list of permitted users and administrators is not changed. The server can be stopped or started with the previously defined permitted users and administrators.
  2. If two consecutive start operations are initiated, the ICA Management Tool will not respond, unless you change the SSL mode. After the SSL mode has been modified, the server can be stopped and restarted.

cp_conf

Description Configure or reconfigure a Security Gateway installation. The configuration options available on a machine depend on the installed configuration and products.

Syntax

> cp_conf

cp_conf sic

Description Use the cp_conf sic commands to manage SIC on the Security Management Server.

Syntax

> cp_conf sic state
> cp_conf sic init <key> [norestart]
> cp_conf sic cert_pull <management> <object>

Parameter

Description

state

Shows the SIC trust state.

init <key>

Restarts SIC with the Activation Key <key>.

[norestart]

By default, the Security Gateway runs cpstop and cpstart when you restart SIC. Use the norestart parameter to restart SIC and to not run cpstop and cpstart.

cert_pull

For DAIP Security Gateways, pulls a certificate from the Security Management Server for the <object>.

<management>

Name or IP address of the Security Management Server.

cp_conf admin

Description Manage Check Point system administrators for the Security Management Server.

Syntax

> cp_conf admin get # Get the list of administrators.
> cp_conf admin add <user> <pass> {a|w|r}
> cp_conf admin del <admin1> <admin2>...

Parameter

Description

get

Shows a list of the administrators

add <user> <pass>

Adds a new administrator <user> with password <pass>

{a|w|r}

Sets the permissions for the new administrator:

a - Read, write and manage administrators

w - Read and write

r - Read only

del <admin1> <admin2>...

Deletes one or more administrators <admin1>, <admin2>, and so on

cp_conf ca

Description Initialize the Certificate Authority

Syntax

> cp_conf ca init
> cp_conf ca fqdn <name>

Parameter

Description

init

Initializes the internal CA

fqdn <name>

Sets the FQDN of the internal CA to <name>

cp_conf finger

Description Displays the fingerprint that is used on first-time launch to verify the identity of the Security Management Server that SmartConsole connects to. The fingerprint is a text string derived from the Security Management Server's certificate.

Syntax

> cp_conf finger get

cp_conf lic

Description Shows the installed licenses and lets you manually add new ones.

Syntax

> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>

Parameter

Description

get

Shows the installed licenses

add -f <file>

Adds the license from <file>

add -m

Manually adds a license with these parameters:

<Host> - Name of the Security Management Server

<Date> - Date of the license

<Key> - License key

<SKU> - License SKU

del <Signature Key>

Deletes the license with signature key <Signature Key>

cp_conf client

Description Manage the GUI clients that can use SmartConsoles to connect to the Security Management Server.

Syntax

> cp_conf client get # Get the GUI clients list
> cp_conf client add <GUI client> # Add one GUI Client
> cp_conf client del <GUI client 1> <GUI client 2>... # Delete GUI Clients
> cp_conf client createlist <GUI client 1> <GUI client 2>... # Create new list.

Parameter

Description

get

Shows the IP addresses of the allowed GUI clients.

add <GUI client>

Adds the <GUI client> IP address to the list of allowed GUI clients.

del <GUI client 1> <GUI client 2>...

Deletes one or more IP addresses from the list of allowed GUI clients.

createlist <GUI client 1> <GUI client 2>...

Deletes allowed GUI clients and creates a new list. The new list allows <GUI client 1>, <GUI client 2>, and so on.
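As an added example that is not part of the Check Point documentation, the following POSIX shell script rebuilds the allowed GUI client list from a vetted file and passes it to cp_conf client createlist in a single step, so the old list is replaced whole rather than patched entry by entry with add and del. The input file format (one IPv4 address per line, # comments), the DRY_RUN variable and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code: rebuild the SmartConsole GUI client
# allow-list with "cp_conf client createlist", which replaces the whole list in
# one step instead of patching it with add/del. Assumed (not from the docs):
# one IPv4 per line in the input file, "#" comments, DRY_RUN=1 prints only.
set -eu

# Return 0 only for a plain dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dot
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the validated, deduplicated addresses from file "$1" on one line, or
# fail on the first entry that is not an IPv4 address (a typo is never applied).
build_client_list() {
    list=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # and whitespace
        [ -n "$line" ] || continue
        if ! valid_ipv4 "$line"; then
            echo "rejected entry: $line" >&2
            return 1
        fi
        list="$list $line"
    done < "$1"
    [ -n "$list" ] || { echo "empty allow-list, nothing applied" >&2; return 1; }
    printf '%s\n' $list | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Apply the list. Prints the command instead when DRY_RUN=1 or cp_conf is absent.
apply_client_list() {
    list=$(build_client_list "$1") || return 1
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v cp_conf >/dev/null 2>&1; then
        echo "cp_conf client createlist $list"
    else
        cp_conf client createlist $list
    fi
}
```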

cp_conf ha

Description Enable or disable High Availability.

Syntax

> cp_conf ha {enable|disable} [norestart]

 
Top of Page ©2014 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print