Security Management Server and Firewall Commands

cpca_client

Description These commands execute operations on the ICA (Internal Certificate Authority).

Syntax

> cpca_client

cpca_client create_cert

Description Prompt the ICA to issue a SIC certificate for the Security Management server.

Syntax

> cpca_client [-d] create_cert [-p <ca_port>] -n "CN=<common name>" -f <PKCS12>

cpca_client revoke_cert

Description Revoke a certificate issued by the ICA.

Syntax

> cpca_client [-d] revoke_cert [-p <ca_port>] -n "CN=<common name>"

cpca_client lscert

Description Show all certificates issued by the ICA.

Syntax

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}] [-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

cpca_client set_mgmt_tool

Description Starts or stops the ICA Management Tool.

Syntax

> cpca_client [-d] set_mgmt_tool {on|off|add|remove|clean|print} [-p <ca_port>] [-no_ssl] {-a <administrator DN>, -u <user DN>, -c <custom user DN>, ...}

Comments

1. If the command is run without -a or -u the list of the permitted users and administrators isn't changed. The server can be stopped or started with the previously defined permitted users and administrators.
2. If two consecutive start operations are initiated, the ICA Management Tool will not respond, unless you change the SSL mode. After the SSL mode has been modified, the server can be stopped and restarted.

cp_conf

Description Configure/reconfigure a Security Gateway installation. The configuration available options for any machine depend on the installed configuration and products.

Syntax

> cp_conf

cp_conf sic

Description Use the cp_conf sic commands to manage SIC on the Security Management Server.

Syntax

> cp_conf sic state
> cp_conf sic init <key> [norestart]
> cp_conf sic cert_pull <management> <object>

cp_conf admin

Description Manage Check Point system administrators for the Security Management Server

Syntax

> cp_conf admin get # Get the list of administrators.
> cp_conf admin add <user> <pass> {a|w|r}
> cp_conf admin del <admin1> <admin2>...

cp_conf ca

Description Initialize the Certificate Authority

Syntax

> cp_conf ca init
> cp_conf ca fqdn <name>

cp_conf finger

Description Displays the fingerprint which will be used on first-time launch to verify the identity of the Security Management server being accessed by the SmartConsole. This fingerprint is a text string derived from the Security Management server's certificate

Syntax

> cp_conf finger get

cp_conf lic

Description Shows the installed licenses and lets you manually add new ones.

Syntax

> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>

cp_conf client

Description Manage the GUI clients that can use SmartConsoles to connect to the Security Management Server.

Syntax

> cp_conf client get # Get the GUI clients list
> cp_conf client add <GUI client> # Add one GUI Client
> cp_conf client del < GUI client 1> < GUI client 2>... # Delete GUI Clients
> cp_conf client createlist < GUI client 1> < GUI client 2>... # Create new list.

cp_conf ha

Description Enable or disable High Availability.

Syntax

> cp_conf ha {enable|disable} [norestart]

cp_conf snmp

Description Activate or deactivate SNMP.

Syntax

> cp_conf snmp get # Get SNMP Extension status.
> cp_conf snmp {activate|deactivate} [norestart] # Deactivate SNMP Extension.

cp_conf auto

Description Configure the Security Gateway and Security Management Server products that start automatically when the appliance or server reboots.

Syntax

> cp_conf auto get [fw1] [fg1] [rm] [all]
> cp_conf auto {enable|disable} <product1> <product2>...

cp_conf sxl

Description Enable or disable SecureXL acceleration.

Syntax

> cp_conf sxl {enable|disable}

cpconfig

Description Run a command line version of the Check Point Configuration Tool. This tool is used to configure an installed Check Point product. The options shown depend on the installed configuration and products. Amongst others, these options include:

• Licenses and contracts - Modify the necessary Check Point licenses and contracts.
• Administrator - Modify the administrator authorized to connect to the Security Management server.
• GUI Clients - Modify the list of SmartConsole Client machines from which the administrators are authorized to connect to a Security Management server.
• SNMP Extension - Configure the SNMP daemon. The SNMP daemon enables SecurePlatform to export its status to external network management tools.
• PKCS #11 Token - Register a cryptographic token, for use by SecurePlatform; see details of the token, and test its functionality.
• Random Pool - Configure the RSA keys, to be used by SecurePlatform.
• Certificate Authority - Install the Certificate Authority on the Security Management server in a first-time installation.
• Secure Internal Communication - Set up trust between the gateway on which this command is being run and the Security Management server.
• Certificate's Fingerprint - Display the fingerprint which will be used on first-time launch to verify the identity of the Security Management server being accessed by the SmartConsole. This fingerprint is a text string derived from the Security Management server's certificate.
• Automatic Start of Check Point Products - Specify whether Check Point Security Gateways will start automatically at boot time.

Syntax `

> cpconfig

Further Info. See the R77 Installation and Upgrade Guide.

cpinfo

Description - CPinfo is a utility that collects data on a machine at the time of execution. The CPinfo output file enables Check Point's support engineers to analyze setups from a remote location. Engineers can open the CPinfo file in demo mode, while viewing real Security Policies and objects. This allows for in-depth analysis of all of configuration options and environment settings.

Syntax

> cpinfo [-v] [-l] [-n] [-o ] [-r | -t [tablename]] [-c <domain> ... | -x <vs>]

Further Info: SecureKnowledge solution sk30567.

cpstart

Description Start all Check Point processes and applications running on an appliance or server.

Syntax

> cpstart

Comments This command cannot be used to start cprid. cprid is invoked when the machine is booted and it runs independently.

cpstat

Description cpstat displays the status of Check Point applications, either on the local or on another appliance or server, in various formats.

Syntax

> cpstat [-h <host>][-p <port>][-s <SICname>][-f <flavor>][-o <polling>][-c <count>][-e <period>][-d] <application_flag>

The following parameters can be added to the application flags:

• fw — "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect",
"cookies", "chains", "fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin",
"smtp", "pop3", "sync"
• vpn — "default", "product", "IKE", "ipsec", "traffic", "compression", "accelerator",
"nic", "statistics", "watermarks", "all"
• fg — "all"
• ha — "default", "all"
• os — "default", "ifconfig", "routing", "memory", "old_memory", "cpu", "disk", "perf",
"multi_cpu", "multi_disk", "all", "average_cpu", "average_memory", "statistics"
• mg — "default"
• persistency — "product", "Tableconfig", "SourceConfig"
• polsrv — "default", "all"
• uas — "default"
• svr — "default"
• cpsemd — "default"
• cpsead — "default"
• asm — "default", "WS"
• ls — "default"
• ca — "default", "crl", "cert", user", "all"

Example

> cpstat fw

Policy name:  Standard

Install time: Wed Nov  1 15:25:03 2000

Interface table

-----------------------------------------------------------------

|Name|Dir|Total *|Accept**|Deny|Log|

-----------------------------------------------------------------

|hme0|in |739041*|738990**|51 *|7**|

-----------------------------------------------------------------

|hme0|out|463525*|463525**| 0 *|0**|

-----------------------------------------------------------------

*********|1202566|1202515*|51**|7**|

cpstop

Description Terminate all Check Point processes and applications, running on an appliance or server.

Syntax

> cpstop
> cpstop -fwflag {-proc|-default}

Comments This command cannot be used to terminate cprid. cprid is invoked when the appliance or server is booted and it runs independently.

fw

Description The fw commands are used for working with various aspects of the firewall. All fw commands are executed on the Check Point Security Gateway.

Typing fw at the command prompt sends a list of available fw commands to the standard output.

Syntax

> fw

fw -i

Description Generally, when Check Point Security gateway commands are executed on a Security gateway they will relate to the gateway as a whole, rather than to an individual kernel instance. For example, the fw tab command will enable viewing or editing of a single table of information aggregated for all kernel instances.

This command specifies that certain commands apply to an individual kernel instance. By adding -i <kern> after fw in the command, where <kern> is the kernel instance's number.

Syntax

> fw -i applies to the following commands:

> fw ctl debug (when used without the -buf parameter)

> fw ctl get
> fw ctl set
> fw ctl leak
> fw ctl pstat
> fw monitor
> fw tab

For details and additional parameters for any of these commands, refer to the command's entry.

Example To view the connections table for kernel instance #1 use the following command:

> fw -i 1 tab -t connections

fw ctl

Description The fw ctl command controls the Firewall kernel module.

Syntax

fw ctl {install|uninstall}

fw ctl debug [-m <module>] [+|-] {options | all | 0}

fw ctl debug -buf [buffer size]

fw ctl kdebug

fw ctl pstat [-h][-k][-s][-n][-l]

fw ctl iflist

fw ctl arp [-n]

fw ctl block {on|off}

fw ctl chain

fw ctl conn

fw ctl debug

Description Generate debug messages to a buffer.

Syntax A number of debug options are available:

fw ctl debug -buf [buffer size]
fw ctl debug [-m <module>] [+ | -] {options|all|0}

fw ctl debug 0

fw ctl debug [-d <comma separated list of strings>]

fw ctl debug [-d <comma separated list of ^strings>]

fw ctl debug [-s <string>]

fw ctl debug -h

fw ctl debug -x

fw ctl affinity

fw ctl affinity -s

Description Sets CoreXL affinities when using multiple processors. For an explanation of kernel, daemon and interface affinities, see the R77 Performance Tuning Administration Guide.

fw ctl affinity -s settings are not persistent through a restart of the Security Gateway. If you want the settings to be persistent, either use:

• sim affinity (a Performance Pack command)
• Or edit the fwaffinity.conf configuration file

To set interface affinities, you should use fw ctl affinity only if Performance Pack is not running. If Performance Pack is running, you should set affinities by using the Performance Pack sim affinity command. These settings will be persistent. If Performance Pack's sim affinity is set to Automatic mode (even if Performance Pack was subsequently disabled), you will not be able to set interface affinities by using fw ctl affinity -s.

Syntax

> fw ctl affinity -s <proc_selection> <cpuid>

<proc_selection> is one of the following parameters:

<cpuid> should be a processing core number or a list of processing core numbers. To have no affinity to any specific processing core, <cpuid> should be: all.

Example To set kernel instance #3 to run on processing core #5, run:

> fw ctl affinity -s -k 3 5

fw ctl affinity -l

Description Lists existing CoreXL affinities when using multiple processors. For an explanation of kernel, daemon and interface affinities, see the R77 Performance Tuning Administration Guide.

Syntax

> fw ctl affinity -l [<proc_selection>] [<listtype>]

If <proc_selection> is omitted, fw ctl affinity -l lists affinities of all Check Point daemons, kernel instances and interfaces. Otherwise, <proc_selection> is one of the following parameters:

If <listtype> is omitted, fw ctl affinity -l lists items with specific affinities, and their affinities. Otherwise, <listtype> is one or more of the following parameters:

Example To list complete affinity information for all Check Point daemons, kernel instances and interfaces, including items without specific affinities, and with additional information, run:

> fw ctl affinity -l -a -v

fw ctl engine

Description Enables the INSPECT2C engine, which dynamically converts INSPECT code to C code.

Run the command on the Check Point Security Gateway.

Syntax

> fw ctl engine {on|off|stat|setdefault}

fw ctl multik stat

Description Displays multi-kernel statistics for each kernel instance. The state and processing core number of each instance is displayed, along with:

• The number of connections currently being handled
• The peak number of concurrent connections the instance has handled since its inception

fw ctl sdstat

Description The IPS performance counters measure the percentage of CPU consumed by each IPS protection. The measurement itself is divided according to the type of protection: Pattern based protections or INSPECT based protections. In addition, the IPS counters measure the percentage of CPU used by each section ("context") of the protocol, and each protocol parser.

Syntax

> fw ctl zdebug >& outputfile
> fw ctl sdstat start
> fw ctl sdstat stop

Example The workflow is as follows:

Run the following commands on the Check Point Security Gateway (version R70 or higher):

On the Check Point Security Gateway:

• Run fw ctl zdebug >& outputfile
• Run fw ctl sdstat start

Let the counters run. However- do not leave the counters on for more than 10 minutes.

• Run fw ctl sdstat stop

It is important to stop the counters explicitly, otherwise there may be performance penalty

This generates the output file outputfile that must be processed on the (SecurePlatform only) Security Management Server.

On the Security Management Server:

• From $FWDIR/script, run the script
  ./sdstat_analyse.csh outputfile

The output of the script is a report in csv format that can be viewed in Microsoft Excel.

If there is a problem in the report, or if more details are needed, a debug flag is available which prints extra information to outputfile.

• Run fw ctl zdebug + spii >& outputfile

Comments

1. A value in the report of "< 1" means that the percentage of CPU used by a protection is less than 1%.
2. The report generated by the sdstat_analyse script may contain a number instead of a protection name. This is because the original output contains a signature id, but the id is missing from the Security Policy on the Gateway.

fw fetch

Description Fetches the Inspection Code from the specified host and installs it to the kernel.

Syntax

> fw fetch [-n] [-f <filename>] [-c] [-i] master1 [master2] ...

fw fetchlogs

Description fw fetchlogs fetches Log Files from a remote machine. You can use the fw fetchlogs command to transfer Log Files to the machine on which the fw fetchlogs command is executed. The Log Files are read from and written to the directory $FWDIR/log.

Syntax

> fw fetchlogs [[-f <file name>] ... ] <module>

Comments The files transferred by the fw fetchlogs command are MOVED from the source machine to the target machine. This means that they are deleted from the source machine once they have been successfully copied.

Fetching Current Log Data

The active Log File (fw.log) cannot be fetched. If you want to fetch the most recent log data, proceed as follows:

• Run \ to close the currently active Log File and open a new one.
• Run fw lslogs to see the newly-generated file name.
• Run fw fetchlogs -f filename to transfer the file to the machine on which the fw fetchlogs command is executed. The file is now available for viewing in the SmartView Tracker.

After a file has been fetched, it is renamed. The gateway name and the original Log File name are concatenated to create a new file name. The new file name consists of the gateway name and the original file name separated by two (underscore) _ _ characters.

Example The following command:
> fw fetchlogs -f 2001-12-31_123414.log module3

fetches the Log File 2001-12-31_123414.log from Module3.

After the file has been fetched, the Log File is renamed:

module3_ _2001-12-31_123414.log

fw hastat

Description The fw hastat command displays information about High Availability machines and their states.

Syntax

> fw hastat [<target>]

fw isp_link

Description Takes down (or up) a redundant ISP link.

Syntax

> fw isp_link [<target>] <link-name> {up|down}

Comments This command can be executed locally on the Check Point Security Gateway or remotely from the Security Management server. In the latter case, the target argument must be supplied. For this command to work, the Check Point Security Gateway should be using the ISP redundancy feature.

fw kill

Description Prompts the kernel to shut down all firewall daemon processes. The command is located in the $FWDIR/bin directory on the Security Management server or gateway machine.

The firewall daemons and Security servers write their pids to files in the $FWDIR/tmp directory upon startup. These files are named $FWDIR/tmp/daemon_name.pid. For example, the file containing the pid of the firewall snmp daemon is: $FWDIR/tmp/snmpd.pid.

Syntax

> fw kill [-t <sig_no>] <proc-name>

Comments In Windows, only the default syntax is supported: fw kill proc_name. If the -t option is used it is ignored.

fw lea_notify

Description Send a LEA_COL_LOGS event to all connected lea clients, see the LEA Specification documentation. It should be used after new log files have been imported (manually or automatically) to the $FWDIR/log directory in order to avoid the scheduled update which takes 30 minutes.

This command should be run from the Security Management server.

Syntax

> fw lea_notify

fw lichosts

Description Print a list of hosts protected by Security Gateway products. The list of hosts is in the file $fwdir/database/fwd.h

Syntax

> fw lichosts [-x] [-l]

fw log

Description fw log displays the content of Log files.

Syntax

> fw log [-f [-t]] [-n] [-l] [-o] [-c <action>] [-h <host>] [-s <starttime>] [-e <endtime>] [-b <starttime> <endtime>] [-u <unification_scheme_file>] [-m {initial|semi|raw}] [-a] [-k {alert_name|all}] [-g] [logfile]

Where the full date and time format is: MMM DD, YYYY HH:MM:SS. For example: May 26, 1999 14:20:00

It is possible to specify date only in the format MMM DD, YYYY, or time only, in the format: HH:MM:SS, where time only is specified, the current date is assumed.

Example

> fw log
> fw log | more
> fw log -c reject
> fw log -s "May 26, 1999"
> fw log -f -s 16:00:00 

Output [<date>] <time> <action> <origin> <interface dir and name> [alert] [field name: field value;] ...

Each output line consists of a single log record, whose fields appear in the format shown above.

Example Output

14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com;
dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access
denied - wrong user name or password  ; scheme: IKE; reject_category:
Authentication error; product: Security Gateway

	14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com;
user: a; rule: 0; reason: Client Encryption: Authenticated by Internal
Password; scheme: IKE; methods: AES-256,IKE,SHA1; product: Security Gateway;

	14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com;
peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.;
CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods:
 AES-256 + SHA1, Internal Password; user: a;  product: Security Gateway; 

fw logswitch

Description fw logswitch creates a new active Log File. The current active Log File is closed and renamed by default $FWDIR/log/<current_time_stamp>.log unless you define an alternative name that is unique. The format of the default name <current_time_stamp>.log is YYYY-MM-DD_HHMMSS.log. For example: 2003-03-26_041200.log

Warning:

• The Logswitch operation fails if a log file is given a pre-existing file name.
• The rename operation fails on Windows if the active log that is being renamed, is open at the same time that the rename operation is taking place; however; the Logswitch will succeed and the file will be given the default name $FWDIR/log/current_time_stamp.log.

The new Log File that is created is given the default name $FWDIR/log/fw.log. Old Log Files are located in the same directory.

A Security Management server can use fw logswitch to change a Log File on a remote machine and transfer the Log File to the Security Management server. This same operation can be performed for a remote machine using fw lslogs and fw fetchlogs.

When a log file is sent to the Security Management server, the data is compressed.

Syntax

> fw logswitch [-audit] [<filename>]
> fw logswitch -h <hostage> [+|-][<filename>]

Comments Files are created in the $FWDIR/log directory on both host and the Security Management server when the + or - parameters are specified. Note that if - is specified, the Log File on the host is deleted rather than renamed.

hostage specified:

• filename specified - On hostage, the old Log File is renamed to old_log. On the Security Management Server, the copied file will have the same name, prefixed by hostages name. For example, the command fw logswitch -h venus +xyz creates a file named venus_xyz.log on the Security Management Server.
• filename not specified - On hostage, the new name is
  the current date, for example: 2003-03-26_041200.log.
  On the Security Management Server, the copied file will have the same name, but prefixed by hostage_. For example, target_2003-03-26_041200.log.

hostage not specified:

• filename specified - On the Security Management Server, the old Log File is renamed to old_log.
• filename not specified - On the Security Management Server, the old Log File is renamed to the current date.

Compression

When log files are transmitted from one machine to another, they are compressed using the zlib package, a standard package used in the Unix gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of LZ77 method.

The compression ratio varies with the content of the log records and is difficult to predict. Binary data are not compressed, but string data such as user names and URLs are compressed.

fw mergefiles

Description Merge several Log Files into a single Log File. The merged file can be sorted according to the creation time of the Log entries, and the times can be "fixed" according to the time zones of the origin Log servers.

Logs entries with the same Unique-ID are unified. If a Log switch was performed before all the segments of a specific log were received, this command will merge the records with the same Unique-ID from two different files, into one fully detailed record.

Syntax

> fw mergefiles [-s] [-t <time_conversion_file>] <log_file_name_1> [... <log_file_name_n>] <output_file>

Comments It is not recommended to merge the current active fw.log file with other Log Files. Instead, run the fw logswitch command and then run fw mergefiles.

fw monitor

Description Inspecting network traffic is an essential part of troubleshooting network deployments. fw monitor is a powerful built-in tool to simplify the task of capturing network packets at multiple capture points within the firewall chain. These packets can be inspected using industry-standard tools later on.

In many deployment and support scenarios capturing network packets is an essential functionality. tcpdump or snoop are tools normally used for this task. fw monitor provides an even better functionality but omits many requirements and risks of these tools.

• No Security Flaws — tcpdump and snoop are normally used with network interface cards in promiscuous mode. Unfortunately the promiscuous mode allows remote attacks against these tools. fw monitor does not use the promiscuous mode to capture packets. In addition most firewall operating systems are hardened. In most cases this hardening includes the removal of tools like tcpdump or snoop because of their security risk.
• Available on all Security Gateway installations — fw monitor is a built-in firewall tool which needs no separate installation in case capturing packets is needed. It is a functionality provided with the installation of the Firewall package.
• Multiple capture positions within the firewall kernel module chain — fw monitor allows you to capture packets at multiple capture positions within the firewall kernel module chain; both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the Firewall.
• Same tool and syntax on all platforms — Another important fact is the availability of fw monitor on different platforms. Tools like snoop or tcpdump are often platform dependent or have specific "enhancements" on certain platforms. fw monitor and all its related functionality and syntax is absolutely identical across all platforms. There is no need to learn any new "tricks" on an unknown platform.

Normally the Check Point kernel modules are used to perform several functions on packets (like filtering, encrypting and decrypting, QoS …). fw monitor adds its own modules to capture packets. Therefore fw monitor can capture all packets which are seen and/or forwarded by the Firewall.

Only one instance of fw monitor can be run at a time.

Use ^C (that is Control + C) to stop fw monitor from capturing packets.

Syntax

> fw monitor [-u|s] [-i] [-d] [-D] [{-e <expr>|{-f <filter-file>|-}}] [-l <len>] [-m <mask>]
[-x <offset>[,<len>]] [-o <file>] [[-pi <pos>] [-pI <pos>] [-po <pos>] [-pO <pos>] | -p all]] [-a]
[-ci <count>] [-co <count>] [-h] -T

Example The easiest way to use fw monitor is to invoke it without any parameter. This will output every packet from every interface that passes (or at least reaches) the Check Point Security Gateway. The same packet appears several times (two times in the example below). This is caused by fw monitor capturing the packets at different capture points.

Output

cpmodule> fw monitor

 monitor: getting filter (from command line)

 monitor: compiling

monitorfilter:

Compiled OK.

 monitor: loading

 monitor: monitoring (control-C to stop)

eth0:i[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

eth0:I[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

eth0:o[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599

TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83

eth0:O[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599

TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83

eth0:o[1500]: 192.0.2.2 -> 192.0.2.133 (TCP) len=1500 id=44600

TCP

^C

: 18190 -> 1050 ....A. seq=941b0659 ack=bf8bca83

monitor: caught sig 2

 monitor: unloading

The first line of the fw monitor output is

This packet was captured on the first network interface (eth0) in inbound direction before the virtual machine (lowercase i). The packet length is 285 bytes (in square parenthesis; repeated at the end of the line. Note that these two values may be different. The packets ID is 1075. The packet was sent from 192.0.2.133 to 192.0.2.2 and carries a TCP header/payload.

The second line of the fw monitor output is

The second line tells us that this is a TCP payload inside the IP packet which was sent from port 1050 to port 18190. The following element displays the TCP flags set (in this case PUSH and ACK). The last two elements are showing the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged sequence number (ack=941b05bc). You will see similar information for UDP packets.

You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or cannot be analyzed because it is encrypted (e.g. ESP or encapsulated (e.g. GRE) the second line is missing.

Further Info. See SecureKnowledge solution sk30583.

fw lslogs

Description Display a list of Log Files residing on a remote or local machine. You must initialize SIC between the Security Management server and the remote machine.

Syntax

> fw lslogs [[-f <filename>] ...] [-e] [-s {<name>|<size>|<stime>|<etime>}] [-r] [<machine>]

Example This example shows the extended file list you see when you use the fw lslogs -e command:

> fw lslogs -e module3

Size  Creation Time       Closing Time         Log file name

99KB  10Jan2002 16:46:27  10Jan2002 18:36:05   2002-01-10_183752.log

16KB  10Jan2002 18:36:05     --                fw.log

fw putkey

Description Install a Check Point authentication password on a host. This password is used to authenticate internal communications between Security Gateways and between a Check Point Security Gateway and its Security Management server. A password is used to authenticate the control channel the first time communication is established. This command is required for backward compatibility scenarios.

Syntax

> fw putkey [-opsec] [-no_opsec] [-ssl] [-no_ssl] [-k <num>] [-n <myname>] [-p <pswd>] <host>...

Comments This command is never used in a script.

fw repairlog

Description fw repairlog rebuilds a Log file's pointer files. The three files: name.logptr, name.loginitial_ptr and name.logaccount_ptr are recreated from data in the specified Log file. The Log file itself is modified only if the -u flag is specified.

Syntax

fw repairlog [-u] <logfile>

fw sam

Description Manage the Suspicious Activity Monitoring (SAM) server. Use the SAM server to block connections to and from IP addresses without the need to change the Security Policy.

SAM commands are logged. Use this command to (also) monitor active SAM requests (see -M option).

To configure the SAM server on the Security Management server or Security Gateway, use SmartDashboard to edit the Advanced > SAM page of the Check Point Security Gateway object.

Syntax

Add/Cancel SAM rule according to criteria:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>][-t <timeout>][-l <log>][-C] -{n|i|I|j|J} <Criteria>

Delete all SAM rules:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -D

Monitor all SAM rules:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -M -{i|j|n} all

Monitor SAM rules according to criteria:

> fw sam [-v][-s <sam server>][-S <server sic name>][-f <fw host>] -M -{i|j|n} <Criteria>

Syntax

Usage Criteria are used to match connections, and are composed of various combinations of the following parameters:

<source ip><source netmask><destination ip><destination netmask> <service><protocol>

Possible combinations are:

src <ip>

dst <ip>

any <<ip>

subsrc <ip><netmask>

subdst <ip><netmask>

subany <ip><netmask>

srv <src ip><dest ip><service><protocol>

subsrv <src ip><src netmask><dest ip><dest netmask><service> <protocol>

subsrvs <src ip><src netmask><dest ip><service><protocol>

subsrvd <src ip><dest ip><dest netmask><service><protocol>

dstsrv <dest ip><service><protocol>

subdstsrv <dest ip><dest netmask><service><protocol>

srcpr <ip><protocol>

dstpr <ip><protocol>

subsrcpr <ip><netmask><protocol>

subdstpr <ip><netmask><protocol>

Syntax

Example This command inhibits all connections originating on louvre for 10 minutes. Connections made during this time will be rejected:

> fw sam -t 600 -i src louvre

This command inhibits all FTP connections from the louvre subnet to the eifel subnet. All existing open connections will be closed. New connection will be dropped, a log is kept and an alert is sent:

> fw sam -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

The previous command will be enforced forever - or until canceled by the following command:

> fw sam -C -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

This command monitors all active "inhibit" or "notify SAM" requests for which lourve is the source or destination address:

> fw sam -M -nij any lourve

This command cancels the command in the first example:

> fw sam -C -i src louvre

fw stat

Description Use fw stat to view the policy installed on the gateway, and which interfaces are being protected.

Syntax

> fw stat -l

> fw stat -s

Examples

HOST      POLICY        DATE

localhost Standard      18Apr2012 15:01:51 :  [>eth0] [<eth0]

Two interfaces are being protected. The arrows show the direction of the packets.

After the policy is uninstalled, the output becomes:

HOST      POLICY     DATE

localhost -          -                :   >eth0   <eth0

This shows that there is no policy installed, and the interfaces are not protected.

fw tab

Description The fw tab command shows data from the kernel tables, and lets you change the content of dynamic kernel tables. You cannot change the content of static kernel tables.

Kernel tables (also known as State tables) store data that the Firewall and other modules in the Security Gateway use to inspect packets. These kernel tables are the "memory" of the virtual computer in the kernel and are a critical component of Stateful Inspection. The kernel tables are dynamic hash tables in the kernel memories.

Syntax

fw tab [-t <table>] [-s] [-c] [-f] [-o <filename>] [-r] [-u | -m <maxval>] [{-a|-x} -e <entry>] [-y] [<hostname>]

Example > fw tab -t arp_table -a -e "1,2,3,4,5"
Adds an entry: <00000001,00000002,00000003,00000004,00000005,> to arp_table

fw tab - m 100 -r sample-gw

Comments If a table has the expire attribute, when you use the -a parameter to add entries, the default table timeout is added.

This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands.
The -x flag can be used independently of the -e flag in which case the entire table content is deleted.
This feature should only be used for debug purposes. It is not advisable to arbitrarily change the content of any kernel table since doing so may have unexpected results including unexpected security and connectivity impacts.

fw ver

Description Display the Security Gateway major and minor version number and build number.

Syntax

> fw ver [-k][-f <filename>]

fwm

Description Perform management operations on the Security Gateway. It controls fwd and all Check Point daemons.

Syntax

> fwm

fwm dbimport

Description Imports users into the Check Point User Database from an external file. You can create this file yourself, or use a file generated by fwm dbexport.

Syntax

> fwm dbimport [-m] [-s] [-v] [-r] [-k <errors>] [-f <file>] [-d <delim>]

Comments The IKE pre shared secret does not work when exporting from one machine and importing to another.

To ensure that there is no dependency on the previous database values, use the‑r flag together with the -m flag.

File Format

The import file must conform to the following Usage:

• The first line in the file is an attribute list.
  • The attribute list can be any partial set of the following attribute set, as long as name is included:

• The attributes must be separated by a delimiter character.
  • The default delimiter is the ; character. However, you can use a different character by specifying the -d option in the command line.
• The rest of the file contains lines specifying the values of the attributes per user. The values are separated by the same delimiter character used for the attribute list. An empty value for an attribute means use the default value.
• For attributes that contain a list of values (for example, days), enclose the values in curly braces, that is,{}. Values in a list must be separated by commas. If there is only one value in a list, the braces may be omitted. A + or - character appended to a value list means to add or delete the values in the list from the current default user values. Otherwise the default action is to replace the existing values.
• Legal values for the days attribute are: MON, TUE, WED, THU, FRI, SAT, SUN.
• Legal values for the authentication method are: Undefined, S/Key, SecurID, Unix Password, VPN‑1 & FireWall‑1 Password, RADIUS, Defender.
• Time format is hh:mm.
• Date format is dd-mmm-yy, where mmm is one of {Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec}.
• If the S/Key authentication method is used, all the other attributes regarding this method must be provided.
• If the Check Point password authentication method is used, a valid Check Point password should be given as well. The password should be encrypted with the C language encrypt function.
• Values regarding authentication methods other than the one specified are ignored.
• The userc field specifies the parameters of the user's SecuRemote connections, and has three parameters, as follows:
  • key encryption method - DES, CLEAR, Any
  • data encryption method - DES, CLEAR, Any
  • integrity method - MD5,[blank] = no data integrity.
  • "Any" means the best method available for the connection. This depends on the encryption methods available to both sides of the connection. For example,

    {DES,CLEAR,} means: key encryption method is DES; no data encryption; no data integrity.

• A line beginning with the ! character is considered a comment.

fwm expdate

Description Modify the expiration date of all users and administrators.

Syntax

> fw expdate dd-mmm-1976

Comments The date can be modified using a filter.

Example fw expdate 02-mar-2003 -f 01-mar-2003

fwm dbexport

Description Export the Check Point User Database to a file. The file may be in one of the following formats:

• The same syntax as the import file for fwm dbimport
• LDIF format, which can be imported into an LDAP server using ldapmodify

Syntax

To export the User Database to a file that can be used with fwm dbimport:

> fwm dbexport [ [-g group | -u user] [-d delim] [-a {attrib1, attrib2, ...} ] [-f file] ]

To export the User Database as an LDIF file:

> fwm dbexport -l -p [-d] -s subtree [-f file] [-k IKE-shared-secret]

Comments Note:

• The IKE pre shared secret does not work when exporting from one machine and importing to another.
• If you use the -a parameter to specify a list of attributes, and then import the created file using fwm dbimport, the attributes not exported will be deleted from the user database.
• fwm dbexport and fwm dbimport (non-LDIF Usage) cannot export and import user groups. To export and import a user database, including groups, proceed as follows:

  * Run fwm dbexport on the source Security Management server.

  * On the destination Security Management server, create the groups manually.

  * Run fwm dbimport on the destination Security Management server.

The users will be added to the groups to which they belonged on the source Security Management server.

• If you wish to import different groups of users into different branches, run fwm dbexport once for each subtree, for example:

Next, import the individual files into the LDAP server one after the other. For information on how to do this, refer to the documentation for your LDAP server.

• The LDIF file is a text file which you may wish to edit before importing it into an LDAP server. For example, in the Check Point user database, user names may be what are in effect login names (such as "maryj") while in the LDAP server, the DN should be the user's full name ("Mary Jones") and "maryj" should be the login name.

Example Suppose the User Database contains two users, "maryj" and "ben".

creates a LDIF file consisting of two entries with the following DNs:

fwm dbload

Description Download the user database and network objects information to selected targets. If no target is specified, then the database is downloaded to localhost.

Syntax

gw> fwm dbload [-a|-c <conffile>] [<targets>]

fwm ikecrypt

Description fwm ikecrypt command line encrypts the password of a SecuRemote user using IKE. The resulting string must then be stored in the LDAP database.

Syntax

> fwm ikecrypt <shared-secret> <user-password>

Comments An internal CA must be created before implementing IKE encryption. An Internal CA is created during the initial configuration of the Security Management server, following installation.

fwm getpcap

Description fwm getpcap command line fetches the packet capture.

Syntax > fwm getpcap -g <gw> -u <cap id> [-p <path>] [-c <domain>]

Note - This command only works with IPS packet captures stored on the Gateway in $FWDIR//opt/CPsuite-R77/fw1/log/captures_repository. It does not work with other blades such as Anti-Bot and Anti-Virus that store packet captures in $FWDIR/log/blob.

fwm load

Description Compile and install a Security Policy or a specific version of the Security Policy on the target's Security Gateways. This is done in one of two ways:

• fwm load compiles and installs an Inspection Script (*.pf) file on the designated Security Gateways.
• fwm load converts a Rule Base (*.W) file created by the GUI into an Inspection Script (*.pf) file then installs it to the designated Security Gateways.

Versions of the Security Policy and databases are maintained in a version repository on the Security Management server. Using this command, specific versions of the Security Policy can be installed on a gateway (local or remote) without changing the definition of the current active database version on the Security Management server.

To protect a target, you must load a Policy that contains rules whose scope matches the target. If none of the rules are enforced on the target, then all traffic through the target is blocked.

Syntax > fwm load [-p <plug-in>] [-S] <rulebase> <targets>

Example The following command installs the Security Policy standard in the target gateway johnny.

fwm load Standard johnny

fwm lock_admin

Description View and unlock locked administrators.

Syntax >fwm lock_admin [-v][-u <administrator>][-ua]

fwm logexport

Description fwm logexport exports the Log file to an ASCII file.

Syntax > fwm logexport [-d <delimiter>] [-i <filename>] [-o <outputfile>] [-n] [-p]
[-f] [-m {initial|semi|raw}] [-a]

Comments Controlling the Output of fwm logexport using logexport.ini

The output of fwm logexport can be controlled by creating a file called logexport.ini and placing it in the conf directory: $FWDIR/conf. The logexport.ini file should be in the following format:

[Fields_Info]

included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100

excluded_fields = field10,field11

note that:

• the num field will always appear first, and cannot be manipulated using logexport.ini
• <REST_OF_FIELDS> is a reserved token that refers to a list of fields. It is optional. If -f option is set, <REST_OF_FIELDS> is based on a list of fields taken from the file logexport_default.C.
• If -f is not set, <REST_OF_FIELDS> will be based on the given input log file.
• It is not mandatory to specify both included_fields and excluded_fields.

Format:

The fwm logexport output appears in tabular format. The first row lists the names of all fields included in the subsequent records. Each of the subsequent rows consists of a single log record, whose fields are sorted in the same order as the first row. If a record has no information on a specific field, this field remains empty (as indicated by two successive semi-colons).

Example

1; 5Dec2002;9:08:44;jam.checkpoint.com;control; ;;daemon;inbound;VPN-1 & FireWall-1;;
ftp;23456;1.2.3.4;3.4.5.6; 

fwm sic_reset

Description Reset the Internal CA and delete all the certificates from the Internal CA and the Internal CA itself. After running sic_reset, the ICA should be initialized through the cpconfig command. If this command is run all the certified IKE from the Internal CA should be removed (using the SmartConsole).

Syntax > fwm sic_reset

fwm unload <targets>

Description Uninstall the currently loaded Inspection Code from selected targets.

Syntax > fwm unload <targets> [-all|-c <conffile>]

fwm ver

Description fwm ver shows the build number.

Syntax > fwm ver [-f <filename>]

fwm verify

Description The fwm verify command verifies the specified policy package without installing it.

Syntax > fwm verify <policy>