Security Management Server Commands

In This Section:

For more information about Security Management Server, see the R80.10 Security Management Administration Guide.

cpca_client

Description Executes operations on the ICA (Internal Certificate Authority).

Syntax:

> cpca_client

cpca_client revoke_cert

Description Revokes a certificate issued by the ICA.

Syntax:

> cpca_client [-d] revoke_cert [-p <ca_port>] -n "CN=<common name>"

Parameter	Description
`-d`	Runs the command in debug Mode.
`-p <`ca_port`>`	Specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209).
`-n "CN=<`common name`>"`	Sets the CN to `<`common name`>`

cpca_client lscert

Description Shows all certificates issued by the ICA.

Syntax:

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}] [-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

Parameter	Description
`-d`	Runs the command in debug Mode.
`-dn substring`	Filters results to those with a DN that matches this `<`substring`>`
`-stat`	Filters results to the specified certificate status: `Pending`, `Valid`, `Revoke`, `Expire`, or `Renewed`
`-kind`	Filters results for specified kind: `SIC, IKE, User`, or `LDAP`
`-ser <`serial`>`	Filters results for this serial number.
`-dp <`dp`>`	Filters results from this CDP (certificate distribution point).

cpca_client init_certs

Description Imports a list of DNs for users and creates a file with registration keys for each user.

Syntax:

> cpca_client init certs [-p <ca_port>] -i <input_file> -o <output_file>

Parameter

Description

-p <ca_port>

Specifies the port which is used to connect to the CA. The default port is 18265

-i <input_file>

Imports the specified file. Make sure to use the full path.

Make sure that there is an empty line between each DN in the file:

CN=test1,OU=users

CN=test2,OU=users

-o <output_file>

Saves the registration keys to the specified file.

cpca_client set_mgmt_tool

Description Starts or stops the ICA Management Tool.

Syntax:

> cpca_client [-d] set_mgmt_tool {on|off|add|remove|clean|print} [-p <ca_port>] [-no_ssl] {-a <administrator DN>, -u <user DN>, -c <custom user DN>, ...}

Parameter	Description
`-d`	Runs the command in debug mode.
`set_mgmt_tool {on\|off\|add\|remove\|` `clean\|print}`	`on` - Starts ICA management tool. `off` - Stops ICA management tool. `add` - Adds an administrator, user, or custom user. `remove` - Removes an administrator, user, or custom user. `clean` - Removes all the administrators, users, or custom users. `print` - Shows the administrators, users, or custom users.
`-p <`ca_port`>`	Specifies the port which is used to connect to the CA. The default port is `18265`
`-no_ssl`	Configures the server to use HTTP instead of HTTPS.
`-a <`administrator DN`>`	Sets the DNs of the administrators that are permitted to use the ICA management tool.
`-u <`user DN`>`	Sets the DNs of the users that are permitted to use the ICA management tool.
`-c <`custom user DN`>`	Sets the DN for custom users that can use the ICA management tool.

Notes

If the command is run without -a or -u the list of the permitted users and administrators isn't changed. The server can be stopped or started with the previously defined permitted users and administrators.
If two consecutive start operations are initiated, the ICA management tool will not respond, unless you change the SSL mode. After the SSL Mode has been modified, the server can be stopped and restarted.

cpca_client set_sign_hash

Description Sets the hash algorithm that the CA uses to sign the file hash. The default algorithm is sha1

Syntax:

> cpca_client set_sign_hash {sha1|sha256|sha384|sha512}

cpca_client search

Description Searches for certificates in the ICA (Internal Certificate Authority).

Syntax:

> cpca_client search <string> [-where {dn|comment|serial}] [-kind [SIC|IKE|User|LDAP]] [-stat [Pending|Valid|Revoked|Expired|Renewed]] [-max <max results>] [-showfp {y|n}]

Parameter	Description
`-where {dn\|comment\|serial}`	Where to search for the string, in the dn, serial number, or comment field. The default is all locations.
`-kind [SIC\|IKE\|User\|LDAP]`	The type of certificate. You can enter multiple values in this format: `-kind value1 value2 value3`. The default is `all values`
`-stat [Pending\|Valid\|Revoked\|Expired\|Renewed]`	Filters according to the status of the certificate. You can enter multiple values in this format: `-stat value1 value2 value3`. The default is all values.
`-max <`max results`>`	Enter the maximum number of results to show. The default setting is `200`
`-showfp {y\|n}`	Shows the certificate's fingerprint: `yes` or `no`. The default iss `yes`

Example:

> cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

cpca_client get_crldp

Description Defines how to access a CRL file from a distribution point.

Syntax:

> cpca_client get_crldp [-p <ca_port>]

Parameter	Description
`-p <`ca_port`>`	Specifies the port which is used to connect to the CA. The default port is `18265s`

cpca_client get_pubkey

Description Saves the encoding of the public key for the ICA to a file.

Syntax:

> cpca_client [-p <ca_port>] get_pubkey <output>

Parameter	Description
`-p <`ca_port`>`	Specifies the port which is used to connect to the CA. The default port is `18265`
`<`output`>`	Name of the file where the public key is saved.

cpca_client double_sign

Description Creates a second signature for a certificate.

Syntax:

> cpca_client [-p <ca_port>] -i <cert file> [-o <output file>]

Parameter	Description
`-p <`ca_port`>`	Specifies the port which is used to connect to the CA. The default port is `18265`
`-i <`cert file`>`	Imports the specified certificate only in PEM format.
`[-o <`output file>`]`	Saves the certificate to the specified file.

cp_conf

Description

Configures or reconfigures a Check Point product installation. The configuration options for each ‎machine depend on the configuration and installed products.

Syntax

cp_conf

-h

admin

add [<UserName> <Password> {a | w | r}]

add -gaia [{a | w | r}]

del <UserName1> <UserName2> ...

get

auto

{enable | disable} <Product1> <Product2> ...

get all

fqdn <FQDN Name>

init

client

add <GUI Client>

createlist <GUI Client 1> <GUI Client 2> ...

del <GUI Client 1> <GUI Client 2> ...

get

finger get

lic

add -f <Full Path to License File>

add -m <Host> <Date> <Signature Key> <SKU/Features>

del <Signature Key>

get

sic

cert_pull <Management Server> <DAIP GW object>

init <Activation Key> [norestart]

state

snmp

{activate | deactivate} [norestart]

get

Parameters

Item	Description
`-h`	Shows the entire built-in usage.
`admin {add \| del \| get}`	Configures Check Point system administrators for the Security Management Server: `add` - Adds a system administrator `del` - Deletes the specified system administrators `get` - Shows the list of the configured system administrators Notes: Multi-Domain Server does not support this command. This command corresponds to the option "`(2) Administrator`" in the `cpconfig` menu.
`auto {get all \| {enable \| disable} ...}`	Shows and configures the automatic start of Check Point products during boot: Check Point Security Gateway QoS (former FloodGate-1) SmartEvent Suite Note - This command corresponds to the option "`(8) Automatic start of Check Point Products`" in the `cpconfig` menu.
`ca {fqdn \| init}`	Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN). Initializes the Internal Certificate Authority (ICA). Note - This command corresponds to the option "`(6) Certificate Authority`" in the `cpconfig` menu.
`client {add \| createlist \| del \| get}`	Configures the GUI clients that can use SmartConsoles to connect to the Security Management Server. `add` - Adds a GUI client `createlist` - Deletes all the current GUI clients and adds the new GUI clients `del` - Deletes the specified GUI clients `get` - Shows the list of the allowed GUI clients Notes: Multi-Domain Server does not support this command. This command corresponds to the option "`(3) GUI Clients`" in the `cpconfig` menu.
`finger get`	Shows the ICA's Fingerprint. Note - This command corresponds to the option "`(7) Certificate's Fingerprint`" in the `cpconfig` menu.
`lic {add \| del \| get}`	Manages Check Point licenses: `add` - Adds a license (from a file, or manually) `del` - Deletes the specified license `get` - Shows the list of the installed local licenses Note - This command corresponds to the option "`(1) Licenses and contracts`" in the `cpconfig` menu.
`snmp {{activate \| deactivate} ... \| get}`	Do not use these commands anymore. To configure SNMP, see the R80.10 Gaia Administration Guide - Chapter System Management - Section SNMP.

cp_conf admin

Description Manages Check Point system administrators for the Security Management Server

Syntax:

> cp_conf admin get # Get the list of administrators.
> cp_conf admin add <user> <pass> {a|w|r}
> cp_conf admin del <admin1> <admin2>...

Parameter	Description
`get`	Shows a list of the administrators.
`add <`user`> <`pass`>`	Adds a new administrator <user> with password <pass>.
`{a\|w\|r}`	Sets the permissions for the new administrator: `a` - Read, write and manage administrators `w` - Read and write `r` - Read only
`del <`admin1`>`	Deletes one or more administrators <admin1>, <admin2>, and so on.

cp_conf ca

Description Initializes the Certificate Authority on the Security Management Server

Syntax:

> cp_conf ca init
> cp_conf ca fqdn <name>

Parameter	Description
`init`	Initializes the internal CA.
`fqdn <`name`>`	Sets the FQDN of the internal CA to `<`name`>.`

cp_conf finger

Description Displays the fingerprint which will be used on first-time launch. This verifies the identity of the Security Management Server being accessed by SmartConsole. This fingerprint is a text string derived from the Security Management Server certificate.

Syntax:

> cp_conf finger get

cp_conf lic

Description Shows the installed licenses and lets you manually add new ones.

Syntax:

> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>

Parameter	Description
`get`	Shows the installed licenses.
`add -f <`file`>`	Adds the license from `<`file`>.`
`add -m`	Manually adds a license with these parameters: `<`host`>` - name of the Security Management Server `<`Date`>` - Date of the license `<`Key`>` - License key `<`SKU`>` - License SKU
`del <`Key`>`	Deletes license `<`key`>.`

cp_conf client

Description Manages the GUI clients that can use SmartConsoles to connect to the Security Management Server.

Syntax:

> cp_conf client get # Get the GUI clients list
> cp_conf client add <GUI client> # Add one GUI Client
> cp_conf client del <GUI client 1> <GUI client 2>... # Delete GUI Clients
> cp_conf client createlist <GUI client 1> <GUI client 2>... # Create new list.

Parameter	Description
`get`	Shows the IP addresses of the allowed GUI clients.
`add <`GUI client`>`	Adds the `<`GUI client`>` IP address to the list of allowed GUI clients.
`del <`GUI client1`> <`GUI client 2`>`	Deletes one or more IP addresses from the list of allowed GUI clients.
`createlist <`GUI client1`> <`GUI client 2`>`	Deletes allowed GUI clients and creates a new list. The new list allows `<`GUI client 1`>`, `<`GUI client 2`>`, and so on.

cp_conf snmp

Description Activates or deactivates SNMP.

Syntax:

> cp_conf snmp get # Get SNMP Extension status.
> cp_conf snmp {activate|deactivate} [norestart] # Deactivate SNMP Extension.

Parameter	Description
`get`	Shows the SNMP status.
`{activate\|deactivate}`	Enables or disables SNMP.
`[no restart]`	By default, the Security Gateway runs `cpstop` and `cpstart` when you enable or disable SNMP. Use the `norestart` parameter to configure SNMP and to not run `cpstop` and `cpstart`.

cp_conf auto

Description Configures the Security Gateway and Security Management Server products that start automatically when the appliance or server reboots.

Syntax

> cp_conf auto get [fw1] [fg1] [rm] [all]
> cp_conf auto {enable|disable} <product1> <product2>...

Parameter	Description
`get`	Shows which products start automatically
`{enable\|disable} <`product1`> <`product2`>`	Enables or disables the one or more products that start automatically