The Security Management Server CLI

comp_init_policy

Description Generates, loads or removes the Initial Policy.

The Initial Policy offers protection to the gateway before the administrator has installed a policy on the gateway.

Syntax :

> $FWDIR/bin/comp_init_policy [-u] [-g]

cp_admin_convert

Description Automatically exports administrator definitions that were created in cpconfig, to SmartConsole.

Syntax:

> cp_admin_convert

cp_conf

Description Configures or reconfigures a Security Gateway installation. The configuration options for each machine depends on the installed configuration and products.

Syntax:

> cp_conf

cp_conf sic

Description Manages SIC on the Security Management Server.

Syntax:

> cp_conf sic state
> cp_conf sic init <key> [norestart]
> cp_conf sic cert_pull <management> <object>

cp_conf admin

Description Manages Check Point system administrators for the Security Management Server

Syntax:

> cp_conf admin get # Get the list of administrators.
> cp_conf admin add <user> <pass> {a|w|r}
> cp_conf admin del <admin1> <admin2>...

cp_conf ca

Description Initializes the Certificate Authority

Syntax:

> cp_conf ca init
> cp_conf ca fqdn <name>

cp_conf finger

Description Displays the fingerprint which will be used on first-time launch. This verifies the identity of the Security Management Server being accessed by SmartConsole. This fingerprint is a text string derived from the Security Management Server certificate.

Syntax:

> cp_conf finger get

cp_conf lic

Description Shows the installed licenses and lets you manually add new ones.

Syntax:

> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>

cp_conf client

Description Manages the GUI clients that can use SmartConsoles to connect to the Security Management Server.

Syntax:

> cp_conf client get # Get the GUI clients list
> cp_conf client add <GUI client> # Add one GUI Client
> cp_conf client del <GUI client 1> <GUI client 2>... # Delete GUI Clients
> cp_conf client createlist <GUI client 1> <GUI client 2>... # Create new list.

cp_conf ha

Description Enables or disables High Availability.

Syntax:

> cp_conf ha {enable|disable} [norestart]

cp_conf snmp

Description Activates or deactivates SNMP.

Syntax:

> cp_conf snmp get # Get SNMP Extension status.
> cp_conf snmp {activate|deactivate} [norestart] # Deactivate SNMP Extension.

cp_conf auto

Description Configures the Security Gateway and Security Management Server products that start automatically when the appliance or server reboots.

Syntax

> cp_conf auto get [fw1] [fg1] [rm] [all]
> cp_conf auto {enable|disable} <product1> <product2>...

cp_conf sxl

Description Enables or disables SecureXL acceleration.

Syntax:

> cp_conf sxl {enable|disable}

cpconfig

Description Run a command line version of the Check Point configuration tool. This tool is used to configure an installed Check Point product. The options shown depend on the installed configuration and products and include:

• Licenses and contracts - Modify the necessary Check Point licenses and contracts.
• Administrator - Modify the administrator authorized to connect to the Security Management Server.
• GUI Clients - Modify the list of SmartConsole client machines from which the administrators are authorized to connect to a Security Management Server.
• SNMP Extension - Configure the SNMP daemon. The SNMP daemon enables SecurePlatform to export its status to external network management tools.
• PKCS #11 Token - Register a cryptographic token, for use by SecurePlatform, see details of the token, and test its functionality.
• Random Pool - Configure the RSA keys, to be used by SecurePlatform.
• Certificate Authority - Install the Certificate Authority on the Security Management Server in a first-time installation.
• Secure Internal Communication - Set up trust between the gateway on which this command is being run and the Security Management Server.
• Certificate's Fingerprint - Display the fingerprint which will be used on first-time launch to verify the identity of the Security Management Server being accessed by the SmartConsole. This fingerprint is a text string derived from the Security Management Server's certificate.
• Automatic Start of Check Point Products - Specify whether Check Point Security Gateways will start automatically at boot time.

Syntax

> cpconfig

cpinfo

Description An auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution, and uploads it to Check Point servers. The CPinfo output file enables Check Point support engineers to analyze setups from a remote location. Engineers can open the CPinfo file in demo mode, while viewing real security policies and objects. This allows for in-depth analysis of all of configuration options and environment settings.

Syntax:

> cpinfo [-v] [-l] [-n] [-o ] [-r | -t [tablename]] [-c <domain> ... | -x <vs>]

For more information, see sk92739.

cplic

Description cplic all its derivatives relate to Check Point license management.

All cplic commands are located in $CPDIR/bin. License Management is divided into three types of commands:

• Local licensing commands are executed on local machines.
• Remote licensing commands are commands which affect remote machines are executed on the Security Management Server.
• License repository commands are executed on the Security Management Server.

cplic check

Description

Confirms that the license includes the feature on the local gateway or Security Management Server.

Syntax

cplic check [-p <product>] [-v <version>] [-c|-count] [-t <date>] [-r|-routers] [-S|-SRusers] <feature>

cplic del

Description

Deletes a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. Used for both local and remote machines

Syntax

cplic del [-F <output file>] <signature> <object name>

cplic get

Description

Retrieves all licenses from Security Gateways into the license repository on the Security Management Server. This command helps to synchronize the repository with the Check Point Security Gateways. When the command is run, all local changes are updated.

Syntax

cplic get {<ipaddr>|<hostname>|-all} [-v41]

Example

If the Check Point Security Gateway with the object name caruso contains four Local licenses, and the license repository contains two other Local licenses, the command cplic get caruso produces output similar to this:

Get retrieved 4 licenses.
Get removed 2 licenses.

Note - This is a Remote Licensing Command, which affects remote machines. It is executed on the Security Management Server.

cplic print

Description

The cplic print command, located in $CPDIR/bin, prints details of Check Point licenses on the local machine.

Syntax

cplic print [-n|-noheader][-x prints signatures][-t type][-F <outputfile>] [‑p preatures]

Note - On a Check Point gateway, this command prints all licenses that are installed on the local machine, both local and central licenses.

cplic put

Description

Installs one or more local licenses on a local machine.

Syntax

cplic put [-o|-overwrite] [-c|-check-only] [-s|-select] [-F <output file>] [-P|-Pre-boot] [-k|-kernel-only] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature>]

Note - Copy and paste the parameters from the license received from the User Center.

• host - One of these:
  • All platforms - The IP address of the external interface (in dot notation). The last part cannot be 0 or 255.
  • Solaris2 - The response to the hostid command (beginning with 0x).
• expiration date - The license expiration date. It can be never
• signature - The license signature string.

  For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional.)

SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license.

For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

cplic put -l License.lic produces output similar to this:

Host             Expiration SKU

192.168.2.3  14Jan2016  CPSB-SWB CPSB-ADNC-M CK0123456789ab

cp_merge

Description cp_merge utility has two main functionalities:

• Export and import of policy packages.
• Merge of objects from a given file into the Security Management Server database.

Syntax :

> cp_merge help

cp_merge delete_policy

Description Gives the option to delete an existing policy package. Note that the default policy can be deleted by delete action.

Syntax :

> cp_merge delete_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -n <package name>

Note - Further considerations:

1. Either use certificate file or user and password
2. Optional

Example: Delete the policy package called standard

> cp_merge delete_policy -n Standard

cp_merge export_policy

Description Gives the option of leaving the policy package in the active repository or delete it as part of the export process. The default policy cannot be deleted during the export action.

Syntax :

> cp_merge export_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <policy package name> | -l <policy name>] [-d <output directory>] [-f <outputfile>] [-r]

-s <db server>

-u <user>

-c <certificate file>

-p <password>

-n <policy package name>

-l <policy name>

-d <output directory>

-f <outputfile>

-r

Note - Further considerations:

1. Either use certificate file or user and password.

2. Optional.

3. If both -n and -l are omitted all policy packages are exported.

4. If both -n and -l are present -l is ignored.

Example: Export policy package standard to file:

> cp_merge export_policy -n Standard -f StandardPolicyPackageBackup.pol -d C:\bak

cp_merge import_policy and cp_merge restore_policy

Description Gives the option to overwrite an existing policy package with the same name, or prevent overwriting when the same policy name already exists.

Syntax :

> cp_merge import_policy|restore_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> [-v]

Note - Further considerations

1. Either use certificate file or user and password.

2. Optional.

The cp_mergerestore_policy works only locally on the Security Management Server and it will not work from remote machines.

Caution: A security policy from <policy>.W file can be restored using this utility; however, important information may be lost when the policy is translated into .W format. This restoration should be used only if there is no other backup of the policy.

Example: Import the policy package saved in file Standard.pol into the repository and rename it to StandardCopy

> cp_merge import_policy -f Standard.pol -n StandardCopy

cp_merge list_policy

Syntax

cp_merge list_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>]

Note - Further considerations:

1. Either use certificate file or user and password.
2. Optional.

Example: List all policy packages which reside in the specified repository:

> cp_merge list_policy -s localhost

disconnect_client

SmartConsole can connect to a Security Management Server using one of these modes:

• Read/Write - Administrators have full permissions to create or change all objects, settings and policies.
• Read Only - Administrators can see all objects, settings and policies, but cannot add, change or delete them.

Only one administrator can use SmartConsole to connect to a Security Management Server in the Read/Write Mode at one time. When an administrator connects in the Read/Write Mode, this prevents other administrators from doing these actions:

• Connecting to the same management in the Read/Write Mode
• Creating or changing objects, settings and policies
• Backing up the management server database
• Installing a Security Policy

You can use a special command line utility to disconnect a different SmartConsole client that is open in the Read/Write Mode.

To remove the database lock, run disconnect_client from the Security Management Server command line.

For more information, see sk65146

dbver

Description The dbver utility is used to export and import different revisions of the database. The properties of the revisions (last time created, administrator responsible for, etc) can be reviewed. The utility can be found in $FWDIR/bin. Run these commands from Expert Mode.

Syntax

dbver> export <version_numbers> <delete|keep>
dbver> import <exported_version_in_server>
dbver> create <version_name> <version_comment>
dbver> delete <version_numbers>
dbver> print <version_file_path>
dbver> print_all

dbver create

Description Creates a revision from the current state of $FWDIR/conf, including current objects, Rule Bases, and so on.

Syntax

dbver> create <version_name> <version_comment>

dbver export

Description Archives the revision as an archive file in the revisions repository: $FWDIR/conf/db_versions/export

Syntax

dbver> export <version_numbers> <delete|keep>

<version_numbers>

<delete|keep>

dbver import

Description Adds an exported revision to the repository a version from $FWDIR/conf/db_versions/export. Gives filename of revision as input.

Syntax

dbver> import <exported_version_in_server>

dbver print

Description Prints the properties of the revision.

Syntax

dbver> print <version_file_path>

Output

dbver> print c:\rwright_2002-04-01_160810.tar.gz

Version Id: 1

Version Date: Mon Apr  1 16:08:10 2009

Version Name: save

Created by Administrator: jbrown

Major Version: R75.20

Minor Version: R75.20

dbver print_all

Description Prints the properties of all revisions to be found on the server side: $FWDIR/conf/db_versions

Syntax

dbver> print_all

fw

Description The fw commands are used for working with various aspects of the firewall. All fw commands are executed on the Check Point Security Gateway.

Typing fw at the command prompt sends a list of available fw commands to the standard output.

Syntax

> fw

fw -i

Description Generally, when Check Point Security Gateway commands are executed on a Security Gateway they will relate to the gateway as a whole, rather than to an individual kernel instance. For example, the fw tab command will enable viewing or editing of a single table of information aggregated for all kernel instances.

This command specifies that certain commands apply to an individual kernel instance. By adding -i <kern> after fw in the command, where <kern> is the CoreXL FW instance's number.

Syntax

> fw -i applies to the following commands:

> fw ctl debug (when used without the -buf parameter)

> fw ctl get
> fw ctl set
> fw ctl leak
> fw ctl pstat
> fw monitor
> fw tab

For details and additional parameters for any of these commands, refer to the command's entry.

Example To view the connections table for kernel instance #1 use the following command:

> fw -i 1 tab -t connections

fw ctl affinity

fw ctl affinity -s

Description Sets CoreXL affinities when using multiple processors. For an explanation of kernel, daemon and interface affinities, see the R80.10 Rerformance Tuning Administration Guide.

fw ctl affinity -s settings are not persistent through a restart of the Security Gateway. If you want the settings to be persistent, use:

• sim affinity (a Performance Pack command)

  OR

• Edit the fwaffinity.conf configuration file

To set interface affinities, you should use fw ctl affinity only if Performance Pack is not running. If Performance Pack is running, you should set affinities by using the Performance Pack sim affinity command. These settings will be persistent. If Performance Pack's sim affinity is set to Automatic mode (even if Performance Pack was subsequently disabled), you will not be able to set interface affinities by using fw ctl affinity -s

Note - The fw ctl affinity command is different for a VSX Gateway and a Security Gateway.

For the VSX Gateway, use the -d parameter to save the CoreXL affinity settings after you reboot

For the Security Gateway, the CoreXL affinity settings are not saved after reboot.

Syntax

> fw ctl affinity -s <proc_selection> <cpuid>

<proc_selection> is one of the following parameters:

<cpuid> should be a processing core number or a list of processing core numbers. To have no affinity to any specific processing core, <cpuid> should be all

Note - Setting an Interface Affinity will set the affinities of all interfaces sharing the same IRQ to the same processing core. To view the IRQs of all interfaces, run: fw ctl affinity -l -v -a

Example To set kernel instance #3 to run on processing core #5, run:

> fw ctl affinity -s -k 3 5

fw ctl affinity -l

Description Lists existing CoreXL affinities when Security Gateway uses multiple CPU processors. For an explanation of kernel, daemon and interface affinities, see the R80.10 Rerformance Tuning Administration Guide.

Syntax

> fw ctl affinity -l [<proc_selection>] [<listtype>]

If <proc_selection> is omitted, fw ctl affinity -l lists affinities of all Check Point daemons, CoreXL FW instances and interfaces. Otherwise, <proc_selection> is one of the following parameters:

If <listtype> is omitted, fw ctl affinity -l lists items with specific affinities, and their affinities. Otherwise, <listtype> is one or more of the following parameters:

Example:

To list complete affinity information for all Check Point daemons, kernel instances and interfaces, including items without specific affinities, and with additional information, run: > fw ctl affinity -l -a -v

fw ctl debug

Description Generates debug messages from Check Point Firewall kernel to a buffer.

Syntax A number of debug options are available:

fw ctl debug -buf [buffer size]
fw ctl debug [-m <module>] [+ | -] {options|all|0}

fw ctl debug 0

fw ctl debug [-d <comma separated list of strings>]

fw ctl debug [-d <comma separated list of ^strings>]

fw ctl debug [-s <string>]

fw ctl debug -h

fw ctl debug -x

For more information, see R80.10 Kernel Debug flags.

fw ctl engine

Description Enables the INSPECT2C engine, which dynamically converts INSPECT code to C code.

Run the command on the Check Point Security Gateway.

Syntax

> fw ctl engine {on | off | stat | setdefault}

fw ctl multik stat

Description Displays multi-kernel statistics for each kernel instance. The state and processing core number of each instance is displayed, along with:

• The number of connections currently being handled
• The peak number of concurrent connections the instance has handled since its inception

fw ctl sdstat

Description The IPS performance counters measure the percentage of CPU consumed by each IPS protection.

The measurement itself is divided according to the type of protection:

• Pattern based protections
• INSPECT based protections

In addition, the IPS counters measure the percentage of CPU used by each section (context) of the protocol, and each protocol parser.

For more information, see sk43733 How to measure CPU time consumed by IPS protections.

Syntax

> fw ctl zdebug >& outputfile
> fw ctl sdstat start
> fw ctl sdstat stop

Example:

The workflow is as follows. Run the following commands on the Check Point Gateway (version R70 or higher):

On the Check Point Security Gateway:

• Run fw ctl zdebug >& outputfile
• Run fw ctl sdstat start

Let the counters run. However, do not leave the counters on for more than 10 minutes. It is important to stop the counters explicitly, otherwise there may be performance penalty.

Run fw ctl sdstat stop

This generates the output file outputfile that must be processed on the (SecurePlatform only) Security Management Server.

On the Security Management Server:

From $FWDIR/script, run the script /sdstat_analyse.csh outputfile

The output of the script is a report in csv format that can be viewed in Microsoft Excel.

If there is a problem in the report, or if more details are needed, a debug flag is available which prints extra information to outputfile

Run fw ctl zdebug + spii >& outputfile

Comments

1. A value in the report of "< 1" means that the percentage of CPU used by a protection is less than 1%.
2. The report generated by the sdstat_analyse script may contain a number instead of a protection name. This is because the original output contains a signature id, but the id is missing from the Security Policy on the gateway.

fw isp_link

Description Takes down (or up) a redundant <tp_isp> link.

Syntax

> fw isp_link [<target>] <link-name> {up|down}

Note - This command can be executed locally on the Check Point Security Gateway or remotely from the Security Management Server. In the latter case, the target argument must be supplied. For this command to work, the Check Point Security Gateway should be using the <tp_isp> redundancy feature.

fw kill

Description Prompts the kernel to shut down all firewall daemon processes. The command is located in the $FWDIR/bin directory on the Security Management Server or gateway machine.

The firewall daemons and Security Servers write their pids to files in the $FWDIR/tmp directory upon startup. These files are named $FWDIR/tmp/daemon_name.pid.

For example, the file containing the pid of the firewall snmp daemon is: s$FWDIR/tmp/snmpd.pid.

Syntax

> fw kill [-t <sig_no>] <proc-name>

Note - In Windows, only the default syntax is supported fw kill proc_name. If the -t option is used it is ignored.

fw logswitch

Description Creates a new active log file. The current active log file is closed and renamed by default $FWDIR/log/<current_time_stamp>.log unless you define an alternative name that is unique. The format of the default name <current_time_stamp>.log is YYYY-MM-DD_HHMMSS.log. For example, 2003-03-26_041200.log

Warning:

• The Logswitch operation fails if a log file is given a pre-existing file name
• The rename operation fails on Windows if the active log that is being renamed, is open at the same time that the rename operation is taking place. However, the Logswitch will succeed and the file will be given the default name $FWDIR/log/current_time_stamp.log

The new log file that is created is given the default name $FWDIR/log/fw.log. Old log files are located in the same directory.

A Security Management Server can use fw logswitch to change a log file on a remote machine and transfer the log file to the Security Management Server. This same operation can be performed for a remote machine using fw lslogs and fw fetchlogs

When a log file is sent to the Security Management Server, the data is compressed.

Syntax

> fw logswitch [-audit] [<filename>]
> fw logswitch -h <hostage> [+|-][<filename>]

Note - Files are created in the $FWDIR/log directory on both the host and the Security Management Server when the + or - parameters are specified. Note that if - is specified, the log file on the host is deleted rather than renamed.

hostage specified:

• filename specified - On hostage, the old log file is renamed to old_log. On the Security Management Server, the copied file will have the same name, prefixed by hostages name. For example, the command fw logswitch -h venus +xyz creates a file named venus_xyz.log on the Security Management Server.

  filename not specified - On hostage, the new name is the current date. For example, 2003-03-26_041200.log.

  On the Security Management Server, the copied file will have the same name, but prefixed by hostage_. For example, target_2003-03-26_041200.log.

hostage not specified:

• filename specified - On the Security Management Server, the old log file is renamed to old_log
• filename not specified - On the Security Management Server, the old log file is renamed to the current date.

Compression

When log files are transmitted from one machine to another, they are compressed using the zlib package, a standard package used in the Unix gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of LZ77 method.

The compression ratio varies with the content of the log records and is difficult to predict. Binary data are not compressed, but string data such as user names and URLs are compressed.

fw lslogs

Description Displays a list of log files residing on a remote or local machine. You must initialize SIC between the Security Management Server and the remote machine.

Syntax

> fw lslogs [[-f <filename>] ...] [-e] [-s {<name>|<size>|<stime>|<etime>}] [-r] [<machine>]

Example:

This example shows the extended file list you see when you use the fw lslogs -e command.

> fw lslogs -e module3

Size  Creation Time       Closing Time         Log file name

99KB  10Jan2002 16:46:27  10Jan2002 18:36:05   2002-01-10_183752.log

16KB  10Jan2002 18:36:05     --                fw.log

fw monitor

Description Inspecting network traffic is an essential part of troubleshooting network deployments. fw monitor is a powerful built-in tool to simplify the task of capturing network packets at multiple capture points within the firewall chain. These packets can be inspected using industry-standard tools later on.

In many deployment and support scenarios capturing network packets is an essential functionality. tcpdump or snoop are tools normally used for this task. Check Point fw monitor provides an even better functionality, but omits many requirements and risks of these tools. For more information, see sk30583.

• No Security Flaws - tcpdump and snoop are normally used with network interface cards in Promiscuous Mode. Unfortunately the Promiscuous Mode allows remote attacks against these tools. fw monitor does not use the Promiscuous Mode to capture packets. In addition most firewall operating systems are hardened. In most cases this hardening includes the removal of tools like tcpdump or snoop because of their security risk.
• Available on all Security Gateway installations - fw monitor is a built-in firewall tool, which does not need separate installation in case you need to capture packets. It is a functionality provided with the installation of the firewall package.
• Multiple capture positions within the firewall kernel module chain - fw monitor allows you to capture packets at multiple capture positions within the firewall kernel module chain, both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the firewall.
• Same tool and syntax on all platforms - Another important fact is the availability of fw monitor on different platforms. Tools like snoop or tcpdump are often platform dependent or have specific enhancements on certain platforms. fw monitor and all its related functionality and syntax is absolutely identical across all platforms. There is no need to learn any new tricks on an unknown platform.

Normally the Check Point kernel modules are used to perform several functions on packets (like filtering, encrypting and decrypting, QoS …). fw monitor adds its own modules to capture packets. Therefore fw monitor can capture all packets which are seen and/or forwarded by the firewall.

Only one instance of fw monitor can be run at a time.

Use CTRL + C to stop fw monitor.

Usage fw monitor [-u|s] [-i] [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all > [-a] [-ci count] [-co count] [-h] -T

Syntax

Example:

The easiest way to use fw monitor is to invoke it without any parameter. This will output every packet from every interface that passes (or at least reaches) the Check Point Security Gateway. The same packet appears several times (two times in the example below). This is caused by fw monitor capturing the packets at different capture points.

Output:

cpmodule]# fw monitor

 monitor: getting filter (from command line)

 monitor: compiling

monitorfilter:

Compiled OK.

 monitor: loading

 monitor: monitoring (control-C to stop)

eth0:i[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

eth0:I[285]: 192.0.2.133 -> 192.0.2.2 (TCP) len=285 id=1075

TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc

eth0:o[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599

TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83

eth0:O[197]: 192.0.2.2 -> 192.0.2.133 (TCP) len=197 id=44599

TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83

eth0:o[1500]: 192.0.2.2 -> 192.0.2.133 (TCP) len=1500 id=44600

TCP

^C

: 18190 -> 1050 ....A. seq=941b0659 ack=bf8bca83

monitor: caught sig 2

 monitor: unloading

The first line of the fw monitor output is:

This packet was captured on the first network interface (eth0) in inbound direction before the virtual machine (lowercase i). The packet length is 285 bytes (in square parenthesis, repeated at the end of the line. Note that these two values may be different. The packets ID is 1075. The packet was sent from 192.0.2.133 to 192.0.2.2 and carries a TCP header/payload.

The second line of the fw monitor output is:

The second line tells us that this is a TCP payload inside the IP packet which was sent from port 1050 to port 18190. The following element displays the TCP flags set (in this case PUSH and ACK). The last two elements are showing the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged sequence number (ack=941b05bc). You will see similar information for UDP packets.

You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or cannot be analyzed because it is encrypted (for example, ESP or encapsulated (GRE)) the second line is missing.

For more information, see sk30583.

fw monitor Filters

Description Use these expressions to help when you are filtering fw monitor

Syntax > fw monitor -e "accept <expression>;"

Expressions for Protocols

Expressions for Services

Expressions for VPN

For more information, see sk52421.

Expressions for ICA (Internal Certificate Authority)

For more information, see sk52421.

Expressions for Security Management Server

Expressions for Common Tasks

Expressions to Exclude Background Traffic

Example: > fwmonitor -e "accept https;"

fw repairlog

Description Rebuilds a log file pointer files. The three files: name.logptr, name.loginitial_ptr and name.logaccount_ptr are recreated from data in the specified log file. The log file itself is modified only if the -u flag is specified.

Syntax

fw repairlog [-u] <logfile>

fw stat

Description Use fw stat to view the policy installed on the gateway, and which interfaces are being protected.

Note - The cpstat command is an enhanced version of fw stat

Syntax

> fw stat -l

> fw stat -s

Examples:

Two interfaces are being protected. The arrows show the direction of the packets.

HOST      POLICY        DATE

localhost Standard      18Apr2012 15:01:51 :  [>eth0] [<eth0]

This shows that there is no policy installed, and the interfaces are not protected. After the policy is uninstalled, the output becomes:

HOST      POLICY     DATE

localhost -          -                :   >eth0   <eth0

fw tab

Description Shows data from the kernel tables, and lets you change the content of dynamic kernel tables. You cannot change the content of static kernel tables.

Kernel tables (also known as State tables) store data that the Firewall and other modules in the Security Gateway use to inspect packets. These kernel tables are the memory of the virtual computer in the kernel and are a critical component of Stateful Inspection. The kernel tables are dynamic hash tables in the kernel memories.

Syntax

fw tab [-t <table>] [-s] [-c] [-f] [-o <filename>] [-r] [-u | -m <maxval>] [{-a|-x} -e <entry>] [-y] [<hostname>]

Example:

> fw tab -t arp_table -a -e "1,2,3,4,5"
Adds an entry: <00000001,00000002,00000003,00000004,00000005,> to arp_table

fw tab - m 100 -r sample-gw

Notes

• If a table has the expire attribute, when you use the -a parameter to add entries, the default table timeout is added. This feature only works on local machine kernel tables and does not work on a remote machine's tables like additional fw tab commands.
• The -x flag can be used independently of the -e flag in which case the entire table content is deleted.
  This feature should only be used for debug purposes.
• We do not advise that you arbitrarily change the content of any kernel table. Doing so may have unexpected results including unexpected security and connectivity impacts.

fw ver

Description Displays the Security Gateway major and minor version number and build number.

Syntax

> fw ver [-k][-f <filename>]

GeneratorApp

Description Generates a report for SmartReporter. Both command line parameters are required. Run this command from Expert Mode.

Syntax # GeneratorApp <Directory> <ReportID>

Example:

For automatic directory computation use "". In this case, the directory should be as follows:

<Result location>/<Report Name>/<Generation Date and Time>

ldap

ldapcmd

Description Manages processes running on the Security Gateway collectively or individually and includes the following:

• Cache

  Cache operations, such as emptying the cache, as well as providing debug information.

• Statistics

  Finds statistics such as:

  • All user searches
  • Pending lookups (when two or more lookups are identical)
  • Total lookup time (the total search time for a specific lookup)
  • Cache statistics such as hits and misses
• Logging

  View the alert and warning log regarding debug.

Syntax

# ldapcmd -p {<process_name>|all} <command> [-d debug_level] [command_arg]

ldapcompare

Description Performs compare queries. Prints a message whether the result returned a match or not. ldapcompare opens a connection to an LDAP directory server, and binds and performs the comparison specified on the command line or from a specified file.

Syntax

# ldapcompare -d [<options>] dn <attribute> <value>

The ldapcompare options:

• -u - Include user-friendly entry names in the output.
• -d <level> - Set LDAP debugging level to level
• -F sep -Print sep instead of = between attribute names and values.
• -f <file> - Perform sequence of compares listed in file
• -D <binddn> - Bind DN.
• -w <passwd> - Bind password (for simple authentication).
• -h <host> - LDAP server.
• -p <port> - Port on the LDAP server.
• -T <timeout> - Client side timeout for all operations (in milliseconds).
• -l <time limit> - Server side time limit (in seconds) for compare.
• -z <size limit> - Server side size limit (in entries) for compare.

ldapconvert

Description A utility program to port from Member Mode to MemberOf Mode. This is done by searching all specified group/template entries and fetching their Member attribute values.

Each value is the DN of a member entry. The entry identified by this DN is added to the MemberOf attribute value of the group/template DN at hand. In addition, those Member attribute values will be deleted from the group/template unless Both Mode is specified.

When your run the program, a log file, ldapconvert.log is generated in the current directory. It logs all modifications done and errors encountered.

Syntax

> ldapconvert -d -h <host> -p <port> -D user_DN -w <secret> [-g group_DN | -f <file>]
-m mem_attr -o memberof_attr –c memberobjectclass[<extra options>]

The ldapconvert extra options are as follows:

• -M - Maximum number of member LDAP updated simultaneously. Default is 20.
• -B - Convert to Both Mode.
• -p <port> -LDAP port. Default is 389.
• -T <timeout> -Client side timeout for LDAP operations, in milliseconds. Default is never
• -l <time limit> -Server side time limit for LDAP operations, in seconds. Default is never
• -s -Server side size limit for LDAP operations in entries. Default is none
• -z -Use SSL.

Note - We recommend you make a backup of the LDAP server before running the conversion program in case unrecoverable errors are encountered.

There are two GroupMembership modes. You must keep these modes consistent.

• template-to-groups
• user-to-groups

For example, if you apply conversion on LDAP users to include MemberOf attributes for their groups, then this conversion has to be applied on LDAP defined templates for their groups.

Symptom:

A command runs with the option –M fail. The program stops with an error message stating the connection stopped unexpectedly.

Solution:

The LDAP server could not handle that many LDAP requests simultaneously and closed the connection.

Run the program again with a lower value for the –M option. The default value should be adequate but can also cause a connection failure in extreme situations. Continue to reduce the value until the program exits normally. Each time you run the program with the same set of groups the program will pick up where it left off.

Example 1:

A group is defined with the DN: cn=cpGroup,ou=groups, ou=cp, c=il and the following attributes:

...

cn=cpGroup

uniquemember="cn=member1,ou=people, ou=cp,c=il"

uniquemember=" cn=member2, ou=people, ou=cp,c=il"

...

For the two member entries:

...

cn=member1

objectclass=fw1Person

...

and:

...

cn=member2

objectclass=fw1Person

...

Run: ldapconvert with the following arguments:

ldapconvert -g cn=cpGroup,ou=groups, ou=cp, c=il -h myhost -d cn=admin -w secret 
\ –m uniquemember -o memberof -c fw1Person

The result for the group DN will be as follows:

...

cn=cpGroup

...

The result for the two member entries will be as follows:

...

cn=member1

objectclass=fw1Person

memberof="cn=cpGroup,ou=groups, ou=cp, c=il"

...

and:

...

cn=member2

objectclass=fw1Person

memberof=" cn=cpGroup,ou=groups, ou=cp, c=il"

...

If you run the same command with the –B options, it will produce the same result but the group entry will not be modified.

Example 2:

If there is another member attribute value for the same group entry:

uniquemember="cn=template1,ou=people, ou=cp,c=il"

and the template is:

cn=member1

objectclass=fw1Template

After running the same command line the template entry will stay intact because the command line specified the option –c fw1Person, but the object class of template1 is fw1Template

ldapmodify

Description Imports users to an LDAP server. The input file must be in the LDIF format.

Syntax

# ldapmodify -a -c -d -h <host> -p <port> -D <LDAPadminDN> -p <LDAPadminPassword>
-f <exportfilename>.ldif -d

Note - You can import the Security Management user database to an LDAP server by first generating an LDIF file using fwm dbexport, and then using ldapmodify

Before importing, prepare the LDAP directory as follows:

• Make sure the root branch is defined as an allowed branch on your LDAP server.
• Restart the LDAP server.
• Create the branch into which the users will be imported, either by using Create Tree Object in the Account Management Client or with the ldapmodify command:

ldapmodify -a -h <host> -p <port> -D <LDAPadminDN> -w <LDAPadminPassword>
dn: o=myOrg,c=US

objectclass: organization

o:myOrg

Example:

Importing users using ldapmodify:

1. Export the users with fwm dbexport and use hello1234 as the pre-shared secret.

fwm dbexport -l -f ./o_file.ldif -s "o=bigcorp,c=uk" -k hello1234

1. Create the "o=bigcorp,c=uk" branch.
2. Import the users:

ldapmodify -a -c -h <host> -p <port> -D bindDN -w bindPas -f ./o_file.ldif

1. Define an account unit with these parameters.

ldapsearch

Description Queries an LDAP directory and returns the results.

Syntax

ldapsearch [options] filter [attributes] -d

The following are the attributes for options:

• -A -Retrieve attribute names only, without values.
• -B -Do not suppress printing of non-ASCII values.
• -D bindDN -The DN to be used for binding to the LDAP server.
• -F separator -Print separator between attribute name and value instead of =
• -h host -The LDAP server identified by IP address or resolvable name.
• -l timelimit -The server side time limit for search, in seconds.
• -p portnum -The port number. The default is standard LDAP port 389.
• -S attribute -Sort the results by the values of attribute
• -s scope -One of the following: base, one, sub
• -b -Base distinguished name (DN) for search.
• -t -Write values to files in /tmp. Each attribute-value pair is written to a separate file, named: /tmp/ldapsearch-<attribute>-<value>.

  For example, for the fw1color attribute, the file written is named /tmp/ldapsearch-fw1color-a00188

• -T timeout - Client-side timeout in milliseconds, for all operations.
• -u - Show user friendly entry names in the output. For example, show cn=Babs Jensen, users, omi instead of cn=Babs Jensen, cn=users,cn=omi
• -w password - The password.
• -Z - Encrypt using SSL.
• -z sizelimit -Server-side size limit for search, in entries.

Example:

ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

The LDAP directory will be queried for fw1host objects using port number 18185 with DN common name omi. For each object found, the value of its objectclass attribute is printed.

sam_alert

Description This tool executes SAM (Suspicious Activity Monitoring) actions according to information received through standard input. This tool is for executing SAM actions with the user defined alerts mechanism.

Syntax

sam_alert [-o] [-v] [-s <sam_server>] [-t <timeout>] [-f <fw_host1> <fw_host2>...]
[-C] [-n|-i|-I -src|-dst|-any|-srv]

svr_webupload_config

Description Configures the SmartReporter web upload script. For the complete upload procedure and additional information refer to the section How to Upload Reports to a Web Server in the R80.10 SmartReporter Administration Guide.

Syntax

# svr_webupload_config [-i <perl_int_loc>]
[-p <rep_dir_root>]