Mobile Access Commands

In This Section:

cvpn_ver

listusers

cvpnstop

cvpnstart

cvpnrestart

cvpnd_admin

cvpnd_settings

deleteUserSettings

ics_updates_script

rehash_ca_bundle

admin_wizard

fwpush

cvpn_ver

Description Shows the version of the Mobile Access Software Blade. Use with fw ver -k to get all version details.

Usage cvpn_ver

listusers

Description Shows a list of end-users connected to the gateway, along with their source IP addresses.

Usage listusers

cvpnstop

Description Stops all Mobile Access blade services.

Usage cvpnstop

Notes: While this command does not terminate sessions, it closes all TCP connections. End-users might lose their work.

cvpnstart

Description Starts all Mobile Access blade services.

Usage cvpnstart

cvpnrestart

Description Restarts all Mobile Access blade services.

Usage cvpnrestart [--with-pinger]

Parameters

--with-pinger - Restarts the ‘pinger’ service, responsible for ActiveSync and Outlook Web Access push mail notifications.

Notes: While this command does not terminate sessions, it closes all TCP connections. End-users might lose their work.

cvpnd_admin

Description A utility to change the behavior of the Mobile Access cvpnd process.

Usage cvpnd_admin [policy [hard] | debug [off | set… | trace]]

Parameters

policy - Updates the Mobile Access services according to the current policy. For Apache services, each httpd process waits until its current request is finished, then exits.

policy hard - Updates the Mobile Access services according to the current policy. For Apache services, all httpd processes exit immediately, terminating current HTTP requests.

debug set TDERROR_ALL_ALL=5 - Enables all cvpnd debug output for the running cvpnd process. The output is in $CVPNDIR/log/cvpnd.elg.

Note: Enabling all debug topics might have a small effect on performance.

debug off - Disables all cvpnd debug output.

debug trace on, debug trace users=<username> - The TraceLogger feature generates full captures of incoming and outgoing authenticated Mobile Access traffic. The output is in: $CVPNDIR/log/trace_log/.

  • debug trace on - Enables the TraceLogger feature for all users.
  • debug trace users=<username> - Enables the TraceLogger feature for a specified username.

Important Notes:

1. The TraceLogger feature has a major effect on performance, because all traffic is saved as files.

2. The feature uses a lot of disk space. After a maximum number of files is output, the oldest files are removed from the disk, which also has a performance cost.

3. TraceLogger creates a security concern: end-user passwords sent to internal resources might appear in the capture files.

appMonitor status - Shows the status of the Application Monitor feature. The application monitor is a software component that monitors internal servers to track their up time. If problems are found, a system alert log is created. This command lists the applications monitored by the Application Monitor and their status.
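A follow-up check for the TraceLogger notes above, as an added example (not Check Point code): it reports how many capture files remain in the trace directory, how much space they use, and how many are readable by group or others or have been left behind after the troubleshooting session. The names audit_trace_dir and count_files and the age threshold argument are assumptions; every regular file in the directory is treated as a capture and nothing is parsed.

```sh
#!/bin/sh
# Added example (not Check Point code): audit what TraceLogger left behind.
# Every regular file under the directory is treated as a capture; the capture
# format is not parsed. Function names and arguments are hypothetical.

# count_files DIR [find tests...] -> number of matching regular files.
# One printf per match keeps the count right even for unusual file names.
count_files() {
    cf_dir=$1; shift
    echo $(( $(find "$cf_dir" -type f "$@" -exec printf x \; | wc -c) ))
}

# audit_trace_dir DIR [DAYS]
# Prints "total=N exposed=N stale=N kbytes=N". Exit status is 1 if any capture
# is readable by group/others or is older than DAYS whole days (default 0).
audit_trace_dir() {
    dir=$1
    days=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "total=0 exposed=0 stale=0 kbytes=0"
        return 0
    fi
    total=$(count_files "$dir")
    # Captures may hold end-user passwords: flag anything not owner-only.
    exposed=$(count_files "$dir" \( -perm -040 -o -perm -004 \))
    # -mtime +N: the file's age in whole 24-hour periods is greater than N.
    stale=$(count_files "$dir" -mtime +"$days")
    kbytes=$(du -sk "$dir" | awk '{print $1}')
    echo "total=$total exposed=$exposed stale=$stale kbytes=$kbytes"
    # List the offenders on stderr so the summary line stays parseable.
    find "$dir" -type f \( -perm -040 -o -perm -004 -o -mtime +"$days" \) >&2
    [ "$exposed" -eq 0 ] && [ "$stale" -eq 0 ]
}

# On a gateway, CVPNDIR is the variable used in the paths on this page.
if [ -n "${CVPNDIR:-}" ]; then
    audit_trace_dir "$CVPNDIR/log/trace_log" || echo "review the files listed above"
fi
```

A non-zero exit status means captures that may contain passwords still need review before the troubleshooting session is closed.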

cvpnd_settings

Description Changes a Mobile Access gateway's local configuration file, cvpnd.C.

Usage cvpnd_settings <conf_file_path> <get|set|add|listAdd|listRemove> <Attribute-Name> [Attribute-Value]

Parameters Run: cvpnd_settings -h for a full explanation of the parameters.

Important - Changes made by the cvpnd_settings command are not saved in gateway upgrades. Keep a backup of your cvpnd.C file after you make manual changes.

deleteUserSettings

Description Deletes all persistent settings (favorites, cookies, credentials) of one or more end-users.

Usage deleteUserSettings [-s] <username1> [<username2> ...]

Parameters

-s - Runs in silent mode with no output to the end-user's screen.

ics_updates_script

Description Manually starts an Endpoint Security on Demand (ESOD) update on the gateway. Use this script to troubleshoot ESOD updates.

Usage $CVPNDIR/bin/ics_updates_script <ICS_updates_file_path>

Notes:

  • The script requires an ESOD update package on the gateway.
  • Usually this script is not necessary and you start updates from SmartDashboard. Go to Mobile Access tab > Endpoint Security on Demand > Endpoint Compliance Updates > Update Database Now.
  • Be careful not to run other scripts with the name ics_updates_script, for example, the one in $FWDIR/bin/.

rehash_ca_bundle

Description Imports all of the Certificate Authority (CA) files from the $CVPNDIR/var/ssl/ca-bundle/ directory into the Mobile Access trusted CA bundle.

The trusted CA bundle is used when the Mobile Access gateway accesses an internal server (such as OWA) through HTTPS. If the SSL server certificate of the internal server is not trusted by the gateway, the gateway responds based on the settings for the Internal Web Server Verification feature. The default setting is Monitor.

To accept certificates from a specified server, add its server certificate CA to the CA bundle.

Usage rehash_ca_bundle

admin_wizard

Description Tests connectivity to websites and Exchange server services.

  • For websites: It tests connectivity to the website.
  • For Exchange servers: It tests the response from an Exchange server. It also finds the address protocol (HTTP or HTTPS) and authentication method (Basic or NTLM) of the Exchange server services.

Usage

  • For websites: admin_wizard wizard <website address>
  • For Exchange servers: admin_wizard exchange_wizard <Exchange server address> <user name> <password> [<parameters>]

Parameters

To enter more than one item within a parameter, separate items with a comma. For example: as,owa

[-t <as|ews|owa|all>] - Select the services to test on the Exchange server:

  • as - Test ActiveSync
  • ews - Test Exchange Web Services
  • owa - Search for the Outlook Web Application address of the Exchange server
  • all - Test all of the above services (default)

[-d <dns servers>] - Enter DNS servers

[-x <proxy servers>] - Enter proxy servers

[-c <username:password>] - Enter a user name and password for proxy authentication

[-n] - Allow only NTLM authentication instead of Basic and NTLM

[-m <domain name>] - Enter a user domain name

[-s <ActiveSync path>] - Test a specified ActiveSync service path (default: /Microsoft-Server-ActiveSync)

[-e <EWS path>] - Test a specified Exchange Web Services service path (default: /EWS/Exchange.asmx)

[-f <file name>] - Write the results to a file

[-r] - Send a request with the configured proxy, DNS, HTTP protocol, and authentication method. If [-n] is included, then NTLM authentication method is used. If not, only Basic is used.

[-v] - Make the HTTP requests verbose. The verbose result files go to $CVPNDIR/log/trace_log/

[-p] - Validate the SSL certificate of the web server

fwpush

This feature is supported in R77.10 and higher.

Description: Sends command interrupts to fwpushd process.

Usage: fwpush info|send|print|unsub

Switches

info - Get data on notifications in the push queue:

  • Number of items in queues
  • Number of seconds the oldest item is in the queue
  • Number of seconds the newest item is in the queue
  • Number of seconds a batch waits in the queue
  • Number of seconds to the sending of the next batch
  • Number of batch errors and authentication request timeouts

send -token [<token>|<username>] -os <OS> -msg "<notification message>" - Send an on-demand push notification from a command line, using a username or a token.

print - Show the push notifications queue and the pending batches.

unsub [<token>|<username>|<User-UID>] -all - Unsubscribe a user:

  • token - Delete the token from the User-Settings
  • User-Name or User-UID - Unsubscribe the user from all business emails
  • User-Name or User-UID -all - Delete all the user's tokens

Important - Before you use the fwpush command with the send switch, make sure the user is registered on the Exchange Server and is connected.

To see user connection status:

Run: [expert@hostname:0]# UserSettingsUtil show_exchange_registered_users

Example output:

User Name: CN=JohnD,OU=USERS,OU=RND,OU=PO,OU=ISRAEL,DC=AD,DC=CHECKPOINT,DC=COM User Settings id: c4b6c6fbb0c4a4ff4469265e93e0e372
Push Token: xxxxxxxxxxxxx65b48e424023eb7952fbc5ca22ea788cfb3cxxxxxxxxxx Device id: 46c5XXXXcc1d10b4e18cf5a1ff3290f2

Use the value of the CN variable (JohnD in this example) for the username in the fwpush send command:
[expert@hostname:0]# fwpush send -uid JohnD -msg "hello push"

If you use a token, it must be taken from the output of the command:
UserSettingsUtil show_exchange_registered_users

For example:
[Expert@secure-GW]# UserSettingsUtil show_exchange_registered_users

If you use a different token, push notifications cannot work with the gateway.

Note - Users only get push notifications while logged in.

©2015 Check Point Software Technologies Ltd. All rights reserved.