cprinstall verify

Description Confirms these operations were successful:

Syntax:

> cprinstall verify <Object name> <vendor> <product> <version> [sp]

Parameter

Description

Object name

Object name of the Check Point Security Gateway defined in SmartConsole.

vendor

Package vendor. For example, checkpoint

product

Package name.

Options are: SVNfoundation, firewall, floodgate

version

Package version.

sp

Package minor version. This parameter is optional.

Example:

Successful - Verify succeeds

cprinstall verify harlin checkpoint SVNfoundation R75.20

Verifying installation of SVNfoundation R75.20 on jimmy...

Info : Testing Check Point Gateway.

Info : Test completed successfully.

Info : Installation Verified, The product can be installed.

Unsuccessful - Verify fails

cprinstall verify harlin checkpoint SVNfoundation R75.20

Verifying installation of SVNfoundation R75.20 on jimmy...

Info : Testing Check Point Gateway

Info : SVN Foundation R70 is already installed on 192.0.2.134

Operation Success. Product cannot be installed, did not pass dependency check.

cpstart and cpstop

Description Starts or stops all Check Point processes and applications.

Syntax:

> cpstart / cpstop

Note - This command cannot be used to start cprid. cprid is invoked when the machine is booted and it runs independently.

cpstat

Description

Shows Check Point statistics for applications.

Syntax

cpstat [-p <port>] [-s <SICname>] [-f <flavor>] [-o <polling>] [-c <count>] [-e <period>] [-x] [-j] [-d] application_flag <flag>

Parameters

Parameter

Description

-p <port>

Port number of the server. The default is the standard server port (18192).

-s <SICname>

Secure Internal Communication (SIC) name of the server.

-f <flavor>

The flavor of the output (as it appears in the configuration file). The default is the first flavor found in the configuration file.

-o <polling>

Polling interval (seconds) specifies the pace of the results.

The default is 0, meaning the results are shown only once.

-c <count>

Specifies how many times the results are shown. The default is 0, meaning the results are repeatedly shown.

-e <period>

Specifies the interval (seconds) over which 'statistical' OIDs are computed. Ignored for regular OIDs.

-x

XML output mode

-j

JSON output mode

-d

Debug mode.

<flag>

One of the following applications:

  • fw — Firewall component of the Security Gateway
  • vpn — VPN component of the Security Gateway
  • fg — QoS (formerly FloodGate-1)
  • ha — ClusterXL (High Availability)
  • os — OS Status
  • mg — Security Management Server
  • persistency — historical status values
  • polsrv
  • uas
  • svr
  • cpsemd
  • cpsead
  • asm
  • ls
  • ca

Return Value

0 on success, 1 on failure

Example

cpstat -c 3 -o 3 fw

Output

Success shows OK. Failure shows an appropriate error message.

The following flavors can be added to the application flags:

dbedit

Description Edits the objects file on the Security Management Server (see sk13301). Editing the objects.C file on the gateway is not required or desirable, since it will be overwritten the next time a policy is installed.

Important - Do NOT run this command unless explicitly instructed by Check Point Support or R&D to do so. Otherwise, you can corrupt settings in the management database.

Syntax

> dbedit [-s <server>] [-u <user>|-c <certificate>] [-p <password>] [-f <filename>] [-r <db-open-reason>] [-help]

Parameter

Description

-s server

The Security Management Server on which the objects_5_0.C file to be edited is located. If this is not specified in the command line, the user will be prompted for it.
If the server is not localhost, the user will be required to authenticate.

-u user |
-c certificate

The user's name (the name used for the SmartConsole) or the full path to the certificate file.

-p password

The user's password (the password used for the SmartConsole).

-f filename

The name of the file containing the commands. If filename is not given, then the user will be prompted for commands.

-r db-open-reason

A non-mandatory flag used to open the database with a string that states the reason. This reason will be attached to audit logs on database operations.

-help

Print usage and short explanation.

dbedit internal commands:

Parameter

Description

create

[object_type] [object_name]

Create an object with its default values.
The create command may use an extended (owned) object. Changes are committed to the database only by an update or quit command.

modify

[table_name] [object_name] [field_name] [value]

Modify fields of an object which is:

  • Stored in the database (the command will lock the object in such case).
  • Newly created by dbedit

Extended formats for owned objects can be used:

For example, [field_name] = Field_A:Field_B

update

[table_name] [object_name]

Update the database with the object. This command will check the object validity and will issue an error message if appropriate.

delete

[table_name] [object_name]

Delete an object from the database and from the client implicit database.

addelement

[table_name] [object_name] [field_name] [value]

Add an element (of type string) to a multiple field.

rmelement

[table_name] [object_name] [field_name] [value]

Remove an element (of type string) from a multiple field.

rename

[table_name] [object_name] [new_object_name]

Assign a new name for a given object. The operation also performs an update.

Example:

Rename network object London to Chicago.

rename network_objects london chicago

quit

Quit dbedit and update the database with modified objects not yet committed.

Example:

Replace the owned object with a new null object, where NULL is a reserved word specifying a null object:

modify network_objects my_obj firewall_setting NULL

Example:

Extended Format

firewall_properties owns the object floodgate_preferences

floodgate_preferences has a Boolean attribute turn_on_logging, which will be set to true

modify properties firewall_properties floodgate_preferences:turn_on_logging true

comments is a field of the owned object contained in the ordered container. The 0 value indicates the first element in the container (zero based index).

modify network_objects my_networkObj interfaces:0:comments my_comment

Replace the owned object with a new one with its default values.

modify network_objects my_net_obj interfaces:0:security interface_security

dynamic_objects

Manages dynamic objects on the appliance. The dynamic_objects command specifies an IP address to which the dynamic object is resolved.

First, define the dynamic object in the SmartConsole. Then create the same object with the CLI (-n argument). After the new object is created on the gateway with the CLI, you can use the dynamic_objects command to specify an IP address for the object.

Any change you make to a dynamic object's ranges is applied to the object immediately. It is not necessary to reinstall the policy.

Syntax

dynamic_objects -o <object> [-r <fromIP> <toIP> ...] [-a] [-d] [-l] [-n <object> ] [-c] [-do <object>]

Parameters

Parameter

Description

-o

Name of the dynamic object that is being configured.

-r

Defines the range of IP addresses that are being configured for this object.

-a

Adds range of IP addresses to the dynamic object.

-d

Deletes range of IP addresses from the dynamic object.

-l

Lists dynamic objects that are used on the appliance.

-n

Creates a new dynamic object.

-c

Compare the objects in the dynamic objects file and in objects.

-do

Deletes the dynamic object.

<object>

Name of dynamic object.

<fromIP>

Starting IPv4 address.

<toIP>

Ending IPv4 address.

Example

dynamic_objects -n sg80gw -r 190.160.1.1 190.160.1.40 -a

Output

Success shows Operation completed successfully. Failure shows an appropriate error message.

fw logswitch

Description Creates a new active log file. The current active log file is closed and renamed, by default, to $FWDIR/log/<current_time_stamp>.log, unless you define an alternative name that is unique. The format of the default name <current_time_stamp>.log is YYYY-MM-DD_HHMMSS.log. For example, 2003-03-26_041200.log

Warning:

The new log file that is created is given the default name $FWDIR/log/fw.log. Old log files are located in the same directory.

A Security Management Server can use fw logswitch to change a log file on a remote machine and transfer the log file to the Security Management Server. The same operation can be performed for a remote machine using fw lslogs and fw fetchlogs.

When a log file is sent to the Security Management Server, the data is compressed.

Syntax

> fw logswitch [-audit] [<filename>]
> fw logswitch -h <host> [+|-][<filename>]

Parameter

Description

-audit

Logswitch for the Security Management Server audit file is done. This is relevant for local activation.

<filename>

The name of the file to which the log is saved. If no name is specified, a default name is provided.

-h <host>

The resolvable name or IP address of the remote machine (running either a Security Gateway or a Security Management Server) on which the log file is located. The Security Management Server (on which the fw logswitch command is executed) must be defined as one of the host's Security Management Servers. In addition, you must initialize SIC between the Security Management Server and the host.

+

Change a remote log and copy it to the local machine.

-

Change a remote log and move it to the local machine thereby deleting the log from the remote machine.

Note - Files are created in the $FWDIR/log directory on both the host and the Security Management Server when the + or - parameters are specified. Note that if - is specified, the log file on the host is deleted rather than renamed.

Compression

When log files are transmitted from one machine to another, they are compressed using the zlib package, a standard package used in the Unix gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method.

The compression ratio varies with the content of the log records and is difficult to predict. Binary data are not compressed, but string data such as user names and URLs are compressed.

fwm

Description Performs management operations on the Security Gateway. fwm controls fwd and all Check Point daemons.

Syntax

> fwm

fwm expdate

Description Modifies the expiration date of all users and administrators.

Syntax

> fw expdate dd-mmm-20xx

Comments The date can be modified using a filter.

Example fw expdate 02-mar-20xx -f 01-mar-20xx

fwm dbload

Description Downloads the user database and network objects information to selected targets. If no target is specified, then the database is downloaded to localhost

Syntax

gw> fwm dbload [-a|-c <conffile>] [<targets>]

Parameter

Description

-a <conffile>

Executes commands on all targets specified in the default system configuration file, $FWDIR/conf/sys.conf. This file must be manually created.

-c <conffile>

Only OPSEC control connections in the file are enabled.

<targets>

Executes commands on the designated targets.

fwm ikecrypt

Description Encrypts the password of a SecuRemote user using IKE. The resulting string must then be stored in the LDAP database.

Syntax

> fwm ikecrypt <shared-secret> <user-password>

Parameter

Description

<shared-secret>

The IKE Key is defined in the Encryption tab of the LDAP Account Unit Properties window.

<user-password>

The password for the SecuRemote user.

Note - An internal CA must be created before implementing IKE encryption. An Internal CA is created during the initial configuration of the Security Management Server, following installation.

fwm getpcap

Description Fetches the packet capture.

Syntax > fwm getpcap -g <gw> -u <cap id> [-p <path>] [-c <domain>]

Parameter

Description

-g <gw>

Host name of the gateway.

-u <cap id>

Capture UID.

-p <path>

Output path name.

-c <domain>

Host name of the Domain Management Server.

fwm logexport

Description Exports the log file to an ASCII file.

Syntax > fwm logexport [-d <delimiter>] [-i <filename>] [-o <outputfile>] [-n] [-p] [-f] [-m {initial|semi|raw}] [-a]

Parameter

Description

-d <delimiter>

Sets the output delimiter. The default is a semicolon (;).

-i <filename>

The name of the input log file. The default is the active log file, fw.log.

-o <outputfile>

The name of the output file. The default prints to the screen.

-n

Does not perform DNS resolution of the IP addresses in the log file (this option significantly speeds the processing).

-p

Does not perform service resolution. A service port number is displayed.

-f

If this is the active log file, fw.log, wait for new records and export them to the ASCII output file as they occur.

-m {initial|semi|raw}

This flag specifies the unification mode.

  • initial - The default mode. Completes the unification of log records. One unified record is output for each ID.
  • semi - Step-by-step unification for each log record. Output a record that unifies this record with all previously-encountered records with the same ID.
  • raw - Output all records, with no unification.

-a

Shows account records only. The default is to show all records.

Use logexport.ini to control the output of fwm logexport. Put the logexport.ini file in the conf directory, $FWDIR/conf.

The logexport.ini file should be in the following format:

[Fields_Info]

included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100

excluded_fields = field10,field11

Notes:

Format:

The fwm logexport output appears in tabular format. The first row lists the names of all fields included in the records that follow. Each of the following rows consists of a single log record whose fields are sorted in the same order as the first row. If a record has no information on a specific field, this field remains empty (as indicated by two successive semicolons).

Example:

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;sys_message:;service;s_port;src;dst;

0; 5Dec2002;9:08:44;jam.checkpoint.com;control; ;;daemon;inbound;VPN-1 & FireWall-1;The hme0 interface is not protected by the anti-spoofing feature. Your network may be at risk;;;;;

1; 5Dec2002;9:08:44;jam.checkpoint.com;control; ;;daemon;inbound;VPN-1 & FireWall-1;;ftp;23456;1.2.3.4;3.4.5.6;
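A small parser for the export format just described, written as an added example (not code from the page or from Check Point): it reads the two sample records above, keeps empty fields empty, and applies an included_fields/excluded_fields pair in the logexport.ini style. The rule used to expand <REST_OF_FIELDS> is this example's assumption.

```python
"""Parser for the tabular output of fwm logexport (added example, not Check Point code).

The first row names the fields, every later row is one log record, and an
empty field appears as two successive delimiters. select_fields() applies an
included_fields/excluded_fields pair in the style of logexport.ini; reading
<REST_OF_FIELDS> as "every header field not named elsewhere, in header order"
is this example's assumption about the semantics the page describes.
"""
from typing import Dict, List, Optional

REST_OF_FIELDS = "<REST_OF_FIELDS>"

# Constructed sample: the header and the two records shown in the documentation.
SAMPLE_EXPORT = (
    "num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;"
    "sys_message:;service;s_port;src;dst;\n"
    "0; 5Dec2002;9:08:44;jam.checkpoint.com;control; ;;daemon;inbound;"
    "VPN-1 & FireWall-1;The hme0 interface is not protected by the "
    "anti-spoofing feature. Your network may be at risk;;;;;\n"
    "1; 5Dec2002;9:08:44;jam.checkpoint.com;control; ;;daemon;inbound;"
    "VPN-1 & FireWall-1;;ftp;23456;1.2.3.4;3.4.5.6;\n"
)


def split_row(line: str, delimiter: str = ";") -> List[str]:
    """Split one row into stripped cells; drop the empty cell the trailing delimiter makes."""
    cells = [cell.strip() for cell in line.rstrip("\r\n").split(delimiter)]
    if cells and cells[-1] == "":
        cells.pop()
    return cells


def parse_logexport(text: str, delimiter: str = ";") -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the header names in header order.

    A record shorter than the header is padded with empty strings (the field
    "remains empty"); a record longer than the header is rejected, because a
    value must then have contained the delimiter and the row is ambiguous.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    # The sample header spells the message field "sys_message:"; drop that colon.
    header = [name.rstrip(":") for name in split_row(lines[0], delimiter)]
    records: List[Dict[str, str]] = []
    for line in lines[1:]:
        cells = split_row(line, delimiter)
        if len(cells) > len(header):
            raise ValueError(f"{len(cells)} fields in record, header has {len(header)}")
        cells += [""] * (len(header) - len(cells))
        records.append(dict(zip(header, cells)))
    return records


def select_fields(header: List[str], included: List[str],
                  excluded: Optional[List[str]] = None) -> List[str]:
    """Expand an included_fields list against the header: named fields keep their
    listed position, <REST_OF_FIELDS> becomes every header field not named in
    included or excluded, and names absent from the header are ignored."""
    excluded_set = set(excluded or [])
    named = set(included) | excluded_set
    selected: List[str] = []
    for name in included:
        if name == REST_OF_FIELDS:
            selected.extend(f for f in header if f not in named)
        elif name in header and name not in excluded_set:
            selected.append(name)
    return selected


if __name__ == "__main__":
    recs = parse_logexport(SAMPLE_EXPORT)
    cols = select_fields(list(recs[0]), ["num", "time", REST_OF_FIELDS, "dst"], ["alert", "type"])
    print(";".join(cols))
    for rec in recs:
        print(";".join(rec[c] for c in cols))
```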

fwm ver

Description Shows the build number.

Syntax > fwm ver [-f <filename>]

Parameter

Description

-f <filename>

Exports the build number data to a file.

fwm verify

Description Verifies the specified policy package without installing it.

Syntax > fwm verify <policy>

Parameter

Description

<policy>

The name of an available policy package.

inet_alert

Description Notifies an Internet Service Provider (ISP) when a company's corporate network is under attack. The inet_alert utility forwards log messages generated by the alert daemon to an external Management Station. This is usually located at the ISP site. The ISP can then analyze the alert and react accordingly.

inet_alert uses the ELA Protocol to send the alert. The Management Station receiving the alert must be running the ELA Proxy.

If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must be performed between the Management Station running the ELA Proxy and the Security Gateway generating the alert.

To use this utility, enter it into a script:

  1. From Manage & Settings tab > Global Properties > Log and Alert > Alert early versions compatibility > run 4.x alert script.
  2. Enter the name of the script.

Syntax

# inet_alert -s <ipaddr> [-o] [-a <auth_type>] [-p <port>] [-f <token value>] [-m <alerttype>]

Parameter

Description

-s <ipaddr>

The IP address, in dot format, of the ELA Proxy to be contacted.

-o

Print the alert log received by inet_alert to stdout. Use this option when inet_alert is part of a pipe.

-a <auth_type>

The type of connection to the ELA Proxy.

One of the following values:

  • ssl_opsec - The connection is authenticated and encrypted. This is the default.
  • auth_opsec - The connection is authenticated.
  • clear - The connection is neither authenticated nor encrypted.

-p <port>

The ELA proxy port number. Default is 18187.

-f <token value>

A field to be added to the log, represented by a token-value pair as follows:

  • token - The name of the field to be added to the log. token cannot contain spaces.
  • value - The field's value. value cannot contain spaces.

This option can be used multiple times to add multiple token-value pairs to the log.

-m <alerttype>

The alert to be triggered at the ISP site. This alert overrides the alert specified in the log message generated by the alert daemon.

The response to the alert is handled according to the actions specified in the ISP Security Policy:

The following alerts execute the corresponding OS commands:

  • alert - Popup alert command
  • mail - Mail alert command
  • snmptrap - SNMP trap alert command
  • spoofalert - Anti-spoof alert command

The following NetQuota and ServerQuota alerts execute the OS commands specified in: $FWDIR/conf/objects.C:

value=clientquotaalert. Parameter=clientquotaalertcmd

You can configure the alert in the Manage & Settings tab > Global Properties > Log and Alert > Alert.

Return Value

Exit status

Description

0

Execution was successful.

102

Undetermined error.

103

Unable to allocate memory.

104

Unable to obtain log information from stdin.

106

Invalid command line arguments.

107

Failed to invoke the OPSEC API.

Example

# inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies that in the event of an attack, inet_alert should take the following actions:

ldap

ldapcmd

Description Manages processes running on the Security Gateway collectively or individually and includes the following:

Syntax

# ldapcmd -p {<process_name>|all} <command> [-d debug_level] [command_arg]

Parameter

Description

-p

Runs a specified process or all processes.

<command>

Valid values for the command parameter:

  • cacheclear {all|UserCacheObject|TemplateCacheObject|TemplateExtGrpCacheObject}
  • cachetrace {all|UserCacheObject|TemplateCacheObject|TemplateExtGrpCacheObject}
  • stat {print_interval {<reset interval time in secs>|0} [stop statistics]}
  • log {on|off}

log

Specifies whether or not to create LDAP logs.

ldapcompare

Description Performs compare queries. Prints a message whether the result returned a match or not. ldapcompare opens a connection to an LDAP directory server, and binds and performs the comparison specified on the command line or from a specified file.

Syntax

# ldapcompare -d [<options>] dn <attribute> <value>

Parameter

Description

-d

Debug flag.

<options>

See below.

dn

The DN object.

attribute

The attribute of the DN object.

value

The value of the attribute of the DN object.

The ldapcompare options:

ldapconvert

Description A utility program to port from Member Mode to MemberOf Mode. This is done by searching all specified group/template entries and fetching their Member attribute values.

Each value is the DN of a member entry. The entry identified by this DN is added to the MemberOf attribute value of the group/template DN at hand. In addition, those Member attribute values will be deleted from the group/template unless Both Mode is specified.

When you run the program, a log file, ldapconvert.log, is generated in the current directory. It logs all modifications made and errors encountered.

Syntax

> ldapconvert -d -h <host> -p <port> -D user_DN -w <secret> [-g group_DN | -f <file>] -m mem_attr -o memberof_attr -c memberobjectclass [<extra options>]

Parameter

Description

-d

Debug flag.

-h <host>

LDAP server IP address.

-p <port>

LDAP server port number.

-D user_DN

LDAP bind DN.

-w <secret>

LDAP bind password.

-g group_DN

Group or template DN to perform the conversion on. May appear multiple times for multiple entries.

-f <file>

File containing a list of group DNs each separated by a new line.

-m mem_attr

LDAP attribute name when fetching and (possibly) deleting a Member attribute value.

-o memberof_attr

LDAP attribute name when adding MemberOf attribute value.

-c memberobjectclass

LDAP objectclass attribute value that filters which type of member entries to modify. May appear multiple times creating a compound filter.

<extra options>

See below.

The ldapconvert extra options are as follows:

Note - We recommend you make a backup of the LDAP server before running the conversion program in case unrecoverable errors are encountered.

There are two GroupMembership modes. You must keep these modes consistent.

For example, if you apply conversion on LDAP users to include MemberOf attributes for their groups, then this conversion has to be applied on LDAP defined templates for their groups.

Symptom:

A command run with the -M option fails. The program stops with an error message stating that the connection stopped unexpectedly.

Solution:

The LDAP server could not handle that many LDAP requests simultaneously and closed the connection.

Run the program again with a lower value for the -M option. The default value should be adequate, but it can also cause a connection failure in extreme situations. Continue to reduce the value until the program exits normally. Each time you run the program with the same set of groups, the program picks up where it left off.

Example 1:

A group is defined with the DN: cn=cpGroup,ou=groups, ou=cp, c=il and the following attributes:

...

cn=cpGroup

uniquemember="cn=member1,ou=people, ou=cp,c=il"

uniquemember=" cn=member2, ou=people, ou=cp,c=il"

...

For the two member entries:

...

cn=member1

objectclass=fw1Person

...

and:

...

cn=member2

objectclass=fw1Person

...

Run: ldapconvert with the following arguments:

ldapconvert -g "cn=cpGroup,ou=groups, ou=cp, c=il" -h myhost -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person

The result for the group DN will be as follows:

...

cn=cpGroup

...

The result for the two member entries will be as follows:

...

cn=member1

objectclass=fw1Person

memberof="cn=cpGroup,ou=groups, ou=cp, c=il"

...

and:

...

cn=member2

objectclass=fw1Person

memberof=" cn=cpGroup,ou=groups, ou=cp, c=il"

...

If you run the same command with the -B option, it produces the same result, but the group entry is not modified.

Example 2:

If there is another member attribute value for the same group entry:

uniquemember="cn=template1,ou=people, ou=cp,c=il"

and the template is:

cn=template1

objectclass=fw1Template

After running the same command line, the template entry stays intact, because the command line specified the option -c fw1Person but the object class of template1 is fw1Template.
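The conversion walked through in Examples 1 and 2, as an added offline simulation (not Check Point's ldapconvert): an in-memory directory stands in for the LDAP server, and the -c, -o, -m and -B options are modelled as function parameters. The DN normalisation is an assumption of the example.

```python
"""In-memory simulation of the Member -> MemberOf conversion done by ldapconvert
(added example, not Check Point code).

A dict of DN -> {attribute: [values]} stands in for the LDAP server, so the
effect of the -c objectclass filter and of -B (Both Mode) on the entries from
Example 1 and Example 2 can be checked offline. Normalising DNs by stripping
whitespace around commas is this example's assumption.
"""
from typing import Dict, List, Set

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]


def norm_dn(dn: str) -> str:
    """Canonical DN key, so 'cn=a, ou=b' and 'cn=a,ou=b' compare equal."""
    return ",".join(part.strip() for part in dn.strip().split(","))


def sample_directory() -> Directory:
    """Constructed from the group, the two members and the template in Examples 1 and 2."""
    return {
        "cn=cpGroup,ou=groups,ou=cp,c=il": {
            "cn": ["cpGroup"],
            "uniquemember": ["cn=member1,ou=people, ou=cp,c=il",
                             " cn=member2, ou=people, ou=cp,c=il",
                             "cn=template1,ou=people, ou=cp,c=il"],
        },
        "cn=member1,ou=people,ou=cp,c=il": {"cn": ["member1"], "objectclass": ["fw1Person"]},
        "cn=member2,ou=people,ou=cp,c=il": {"cn": ["member2"], "objectclass": ["fw1Person"]},
        "cn=template1,ou=people,ou=cp,c=il": {"cn": ["template1"], "objectclass": ["fw1Template"]},
    }


def convert(directory: Directory, group_dns: List[str], mem_attr: str,
            memberof_attr: str, member_classes: Set[str],
            both_mode: bool = False) -> List[str]:
    """Convert each group in place; return the log of modifications and errors.

    For every mem_attr (-m) value on a group whose target entry exists and has an
    objectclass in member_classes (-c), the group DN is added to the target's
    memberof_attr (-o) and the value is removed from the group, unless both_mode
    (-B) keeps the group entry untouched. Members already carrying the group DN
    are not added twice, so a rerun picks up where the last run left off.
    """
    wanted = {c.lower() for c in member_classes}
    log: List[str] = []
    for raw_group in group_dns:
        group_dn = norm_dn(raw_group)
        group = directory.get(group_dn)
        if group is None:
            log.append(f"ERROR group not found: {group_dn}")
            continue
        remaining: List[str] = []
        for raw_member in group.get(mem_attr, []):
            member_dn = norm_dn(raw_member)
            member = directory.get(member_dn)
            if member is None:
                log.append(f"ERROR member not found: {member_dn}")
                remaining.append(raw_member)
                continue
            if not wanted & {c.lower() for c in member.get("objectclass", [])}:
                remaining.append(raw_member)  # other objectclass (e.g. fw1Template): left intact
                continue
            memberof = member.setdefault(memberof_attr, [])
            if group_dn not in memberof:
                memberof.append(group_dn)
                log.append(f"ADD {memberof_attr}={group_dn} on {member_dn}")
            if not both_mode:
                log.append(f"DEL {mem_attr}={member_dn} from {group_dn}")
        if not both_mode:
            if remaining:
                group[mem_attr] = remaining
            else:
                group.pop(mem_attr, None)
    return log
```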

ldapmodify

Description Imports users to an LDAP server. The input file must be in the LDIF format.

Syntax

# ldapmodify -a -c -d -h <host> -p <port> -D <LDAPadminDN> -p <LDAPadminPassword> -f <exportfilename>.ldif

Parameter

Description

-a

Adds users.

-c

Continue on errors.

-h <host>

LDAP server IP address.

-d

Debug flag.

-p <port>

LDAP server port number.

-D <LDAPadminDN>

LDAP administrator DN.

-p <LDAPadminPassword>

LDAP administrator password.

-f <exportfilename>.ldif

Specifies the name of the input file. This file must be in the LDIF format.

Before importing, prepare the LDAP directory as follows:

ldapsearch

Description Queries an LDAP directory and returns the results.

Syntax

ldapsearch [options] filter [attributes] -d

Parameter

Description

options

See the options attributes below.

filter

RFC 1558-compliant LDAP search filter. For example, objectclass=fw1host.

attributes

The list of attributes to be retrieved. If no attributes are given, all attributes are retrieved.

-d

Debug flag.

The following are the attributes for options:

Example:

ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

The LDAP directory will be queried for fw1host objects using port number 18185 with DN common name omi. For each object found, the value of its objectclass attribute is printed.

queryDB_util

Description Enables the search of the object database according to search parameters.

Syntax

# queryDB_util [-t <table_name>] [-o <object_name>] [-a] [-mu <modified_by>] [-mh <modified_from>] [-ma <modified_after>] [-mb <modified_before>] [-p{m|u|h|t|f}] [-f <filename>] [-h] [-q]

Parameter

Description

-t <table_name>

The name of the table.

-o <object_name>

The name of the object.

-a

All objects.

-mu <modified_by>

The name of the administrator who last modified the object.

-mh <modified_from>

The host from which the object was last modified.

-ma <modified_after>

The date after which the object was modified, <[hh:mm:ss][ddmmmyyyy]>. Either or both parts may be used. Omitting hh:mm:ss defaults to today at midnight; omitting ddmmmyyyy defaults to today's date on the client.

-mb <modified_before>

The date before which the object was modified, <[hh:mm:ss][ddmmmyyyy]>. Either or both parts may be used. Omitting hh:mm:ss defaults to today at midnight; omitting ddmmmyyyy defaults to today's date on the client.

-p{m|u|h|t|f}

Short print options:

  • c - Creation details.
  • m - Last_modification details.
  • u - Administrator name (create/modify).
  • h - Host name (create/modify).
  • t - Time (create/modify).
  • f - Field details.

-f <filename>

The name of the output file

-h

Display command help

-q

Quit.

Example:

Print modification details of all objects modified by administrator aa

query> -a -mu Bob -pm

Object Name:my_object

Last Modified by:Bob

Last Modified from:london

Last Modification time:Mon Jun 19 11:44:27 2000

 

Object Name:internal_ca

Last Modified by:Bob

Last Modified from:london

Last Modification time:Tue Jun 20 11:32:58 2000

 

A total of 2 objects match the query.

rs_db_tool

Description Manages DAIP gateways in a DAIP database.

Syntax

# rs_db_tool [-d] <-operation <add <-name object_name> <-ip module_ip> <-TTL Time-To-Live> >

# rs_db_tool [-d] <-operation fetch <-name object_name> >

# rs_db_tool [-d] <-operation <delete <-name object_name> >

# rs_db_tool [-d] <-operation <list> >

# rs_db_tool [-d] <-operation <sync> >

Parameter

Description

-d

Debug file.

-operation add

Add entry to database.

<-name object_name>

Enter the name of the gateway object.

<-ip module_ip>

Enter the IP Address of the gateway.

<-TTL Time-To-Live>

The relative time interval (in seconds) during which the entry is valid.
A value of zero specifies unlimited.

-operation fetch

Get entry from database.

-operation delete

Delete entry from database.

-operation list

List all the database entries.

-operation sync

Synchronize the database.