
Security Management Server Commands

In This Section:

cpca_client

cp_conf

cpconfig

cpinfo

cplic

cppkg

cprinstall

cpstart and cpstop

cpstat

dbedit

dynamic objects

fw logswitch

fwm

inet_alert

ldap

queryDB_util

rs_db_tool

For more information about Security Management Server, see the R80.10 Security Management Administration Guide.

cpca_client

Description: Executes operations on the ICA (Internal Certificate Authority).

Syntax:

> cpca_client

cpca_client revoke_cert

Description: Revokes a certificate issued by the ICA.

Syntax:

> cpca_client [-d] revoke_cert [-p <ca_port>] -n "CN=<common name>"

Parameters:

  • -d - Runs the command in debug mode.
  • -p <ca_port> - Specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209).
  • -n "CN=<common name>" - Sets the CN to <common name>.

cpca_client lscert

Description: Shows all certificates issued by the ICA.

Syntax:

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}] [-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

Parameters:

  • -d - Runs the command in debug mode.
  • -dn <substring> - Filters results to those with a DN that matches this <substring>.
  • -stat - Filters results to the specified certificate status: Pending, Valid, Revoked, Expired, or Renewed.
  • -kind - Filters results for the specified kind: SIC, IKE, User, or LDAP.
  • -ser <serial> - Filters results for this serial number.
  • -dp <dp> - Filters results from this CDP (certificate distribution point).

cpca_client init_certs

Description: Imports a list of DNs for users and creates a file with registration keys for each user.

Syntax:

> cpca_client init_certs [-p <ca_port>] -i <input_file> -o <output_file>

Parameters:

  • -p <ca_port> - Specifies the port which is used to connect to the CA. The default port is 18265.
  • -i <input_file> - Imports the specified file. Make sure to use the full path. Make sure that there is an empty line between each DN in the file:

    CN=test1,OU=users

    <empty line>

    CN=test2,OU=users

  • -o <output_file> - Saves the registration keys to the specified file.
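As an added example that is not part of the guide, the shell functions below build a DN input file in the layout init_certs expects (one DN per line, an empty line between DNs) and check an existing file before it is handed to -i; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Check Point code: helpers for the init_certs input file.

# make_dn_file <output path> <DN>...
# Writes each DN on its own line with an empty line between consecutive DNs,
# which is the layout "cpca_client init_certs -i <input_file>" requires.
make_dn_file() {
    out=$1; shift
    : > "$out"
    first=1
    for dn in "$@"; do
        [ "$first" -eq 1 ] || printf '\n' >> "$out"   # blank separator line
        printf '%s\n' "$dn" >> "$out"
        first=0
    done
}

# count_dns <file>
# Prints the number of non-empty lines, i.e. the number of DNs in the file,
# so the caller can confirm every user made it in before running init_certs.
count_dns() {
    grep -c '.' "$1"
}

# check_dn_file <file>
# Returns 0 when the file follows the required layout: every DN line starts
# with "CN=" and two DN lines are never adjacent (an empty line separates them).
# Returns 1 otherwise, so a malformed file is caught before it reaches the CA.
check_dn_file() {
    awk '
        NF == 0 { blank = 1; next }          # empty separator line
        $0 !~ /^CN=/ { bad = 1 }             # not a DN line
        NR > 1 && !blank { bad = 1 }         # two DNs with no empty line between
        { blank = 0 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Typical use (paths are placeholders):
#   make_dn_file /var/tmp/users.dn "CN=test1,OU=users" "CN=test2,OU=users"
#   check_dn_file /var/tmp/users.dn && \
#       cpca_client init_certs -i /var/tmp/users.dn -o /var/tmp/regkeys.txt
```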

cpca_client set_mgmt_tool

Description: Starts or stops the ICA Management Tool.

Syntax:

> cpca_client [-d] set_mgmt_tool {on|off|add|remove|clean|print} [-p <ca_port>] [-no_ssl] {-a <administrator DN>, -u <user DN>, -c <custom user DN>, ...}

Parameters:

  • -d - Runs the command in debug mode.
  • set_mgmt_tool {on|off|add|remove|clean|print} - The operation to perform:
      • on - Starts the ICA management tool.
      • off - Stops the ICA management tool.
      • add - Adds an administrator, user, or custom user.
      • remove - Removes an administrator, user, or custom user.
      • clean - Removes all the administrators, users, or custom users.
      • print - Shows the administrators, users, or custom users.
  • -p <ca_port> - Specifies the port which is used to connect to the CA. The default port is 18265.
  • -no_ssl - Configures the server to use HTTP instead of HTTPS.
  • -a <administrator DN> - Sets the DNs of the administrators that are permitted to use the ICA management tool.
  • -u <user DN> - Sets the DNs of the users that are permitted to use the ICA management tool.
  • -c <custom user DN> - Sets the DNs of the custom users that are permitted to use the ICA management tool.

Notes

  1. If the command is run without -a or -u the list of the permitted users and administrators isn't changed. The server can be stopped or started with the previously defined permitted users and administrators.
  2. If two consecutive start operations are initiated, the ICA management tool will not respond, unless you change the SSL mode. After the SSL Mode has been modified, the server can be stopped and restarted.

cpca_client set_sign_hash

Description: Sets the hash algorithm that the CA uses to sign the file hash. The default algorithm is sha1.

Syntax:

> cpca_client set_sign_hash {sha1|sha256|sha384|sha512}

cpca_client search

Description: Searches for certificates in the ICA (Internal Certificate Authority).

Syntax:

> cpca_client search <string> [-where {dn|comment|serial}] [-kind [SIC|IKE|User|LDAP]] [-stat [Pending|Valid|Revoked|Expired|Renewed]] [-max <max results>] [-showfp {y|n}]

Parameters:

  • -where {dn|comment|serial} - Where to search for the string: in the dn, serial number, or comment field. The default is all locations.
  • -kind [SIC|IKE|User|LDAP] - The type of certificate. You can enter multiple values in this format: -kind value1 value2 value3. The default is all values.
  • -stat [Pending|Valid|Revoked|Expired|Renewed] - Filters according to the status of the certificate. You can enter multiple values in this format: -stat value1 value2 value3. The default is all values.
  • -max <max results> - The maximum number of results to show. The default setting is 200.
  • -showfp {y|n} - Shows the certificate's fingerprint: yes or no. The default is yes.

Example:

> cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

cpca_client get_crldp

Description: Defines how to access a CRL file from a distribution point.

Syntax:

> cpca_client get_crldp [-p <ca_port>]

Parameters:

  • -p <ca_port> - Specifies the port which is used to connect to the CA. The default port is 18265.

cpca_client get_pubkey

Description: Saves the encoding of the public key for the ICA to a file.

Syntax:

> cpca_client [-p <ca_port>] get_pubkey <output>

Parameters:

  • -p <ca_port> - Specifies the port which is used to connect to the CA. The default port is 18265.
  • <output> - Name of the file where the public key is saved.

cpca_client double_sign

Description: Creates a second signature for a certificate.

Syntax:

> cpca_client [-p <ca_port>] double_sign -i <cert file> [-o <output file>]

Parameters:

  • -p <ca_port> - Specifies the port which is used to connect to the CA. The default port is 18265.
  • -i <cert file> - Imports the specified certificate. Only the PEM format is supported.
  • [-o <output file>] - Saves the certificate to the specified file.

cp_conf

Description: Configures or reconfigures a Check Point product installation. The configuration options for each machine depend on the configuration and installed products.

Syntax:

cp_conf
    -h
    admin
        add [<UserName> <Password> {a | w | r}]
        add -gaia [{a | w | r}]
        del <UserName1> <UserName2> ...
        get
    auto
        {enable | disable} <Product1> <Product2> ...
        get all
    ca
        fqdn <FQDN Name>
        init
    client
        add <GUI Client>
        createlist <GUI Client 1> <GUI Client 2> ...
        del <GUI Client 1> <GUI Client 2> ...
        get
    finger get
    lic
        add -f <Full Path to License File>
        add -m <Host> <Date> <Signature Key> <SKU/Features>
        del <Signature Key>
        get
    sic
        cert_pull <Management Server> <DAIP GW object>
        init <Activation Key> [norestart]
        state
    snmp
        {activate | deactivate} [norestart]
        get

Parameters:

-h

Shows the entire built-in usage.

admin {add | del | get}

Configures Check Point system administrators for the Security Management Server:

  • add - Adds a system administrator
  • del - Deletes the specified system administrators
  • get - Shows the list of the configured system administrators

Notes:

  • Multi-Domain Server does not support this command.
  • This command corresponds to the option "(2) Administrator" in the cpconfig menu.

auto {get all | {enable | disable} ...}

Shows and configures the automatic start of Check Point products during boot:

  • Check Point Security Gateway
  • QoS (former FloodGate-1)
  • SmartEvent Suite

Note - This command corresponds to the option "(8) Automatic start of Check Point Products" in the cpconfig menu.

ca {fqdn | init}

  • Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).
  • Initializes the Internal Certificate Authority (ICA).

Note - This command corresponds to the option "(6) Certificate Authority" in the cpconfig menu.

client {add | createlist | del | get}

Configures the GUI clients that can use SmartConsoles to connect to the Security Management Server.

  • add - Adds a GUI client
  • createlist - Deletes all the current GUI clients and adds the new GUI clients
  • del - Deletes the specified GUI clients
  • get - Shows the list of the allowed GUI clients

Notes:

  • Multi-Domain Server does not support this command.
  • This command corresponds to the option "(3) GUI Clients" in the cpconfig menu.

finger get

Shows the ICA's Fingerprint.

Note - This command corresponds to the option "(7) Certificate's Fingerprint" in the cpconfig menu.

lic {add | del | get}

Manages Check Point licenses:

  • add - Adds a license (from a file, or manually)
  • del - Deletes the specified license
  • get - Shows the list of the installed local licenses

Note - This command corresponds to the option "(1) Licenses and contracts" in the cpconfig menu.

snmp {{activate | deactivate} ... | get}

Do not use these commands anymore.

To configure SNMP, see the R80.10 Gaia Administration Guide - Chapter System Management - Section SNMP.

cp_conf admin

Description: Manages Check Point system administrators for the Security Management Server.

Syntax:

> cp_conf admin get # Get the list of administrators.
> cp_conf admin add <user> <pass> {a|w|r}
> cp_conf admin del <admin1> <admin2>...

Parameters:

  • get - Shows a list of the administrators.
  • add <user> <pass> - Adds a new administrator <user> with password <pass>.
  • {a|w|r} - Sets the permissions for the new administrator:
      • a - Read, write, and manage administrators
      • w - Read and write
      • r - Read only
  • del <admin1> <admin2>... - Deletes one or more administrators <admin1>, <admin2>, and so on.

cp_conf ca

Description: Initializes the Certificate Authority on the Security Management Server.

Syntax:

> cp_conf ca init
> cp_conf ca fqdn <name>

Parameters:

  • init - Initializes the internal CA.
  • fqdn <name> - Sets the FQDN of the internal CA to <name>.

cp_conf finger

Description: Displays the fingerprint which will be used on first-time launch. This verifies the identity of the Security Management Server being accessed by SmartConsole. This fingerprint is a text string derived from the Security Management Server certificate.

Syntax:

> cp_conf finger get

cp_conf lic

Description: Shows the installed licenses and lets you manually add new ones.

Syntax:

> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>

Parameters:

  • get - Shows the installed licenses.
  • add -f <file> - Adds the license from <file>.
  • add -m - Manually adds a license with these parameters:
      • <Host> - Name of the Security Management Server
      • <Date> - Date of the license
      • <Key> - License key
      • <SKU> - License SKU
  • del <Key> - Deletes license <Key>.

cp_conf client

Description: Manages the GUI clients that can use SmartConsoles to connect to the Security Management Server.

Syntax:

> cp_conf client get # Get the GUI clients list
> cp_conf client add <GUI client> # Add one GUI Client
> cp_conf client del <GUI client 1> <GUI client 2>... # Delete GUI Clients
> cp_conf client createlist <GUI client 1> <GUI client 2>... # Create new list.

Parameters:

  • get - Shows the IP addresses of the allowed GUI clients.
  • add <GUI client> - Adds the <GUI client> IP address to the list of allowed GUI clients.
  • del <GUI client 1> <GUI client 2>... - Deletes one or more IP addresses from the list of allowed GUI clients.
  • createlist <GUI client 1> <GUI client 2>... - Deletes all the allowed GUI clients and creates a new list. The new list allows <GUI client 1>, <GUI client 2>, and so on.

cp_conf snmp

Description: Activates or deactivates SNMP.

Syntax:

> cp_conf snmp get # Get SNMP Extension status.
> cp_conf snmp {activate|deactivate} [norestart] # Activate or deactivate SNMP Extension.

Parameters:

  • get - Shows the SNMP status.
  • {activate|deactivate} - Enables or disables SNMP.
  • [norestart] - By default, the Security Gateway runs cpstop and cpstart when you enable or disable SNMP. Use the norestart parameter to configure SNMP without running cpstop and cpstart.

cp_conf auto

Description: Configures the Security Gateway and Security Management Server products that start automatically when the appliance or server reboots.

Syntax:

> cp_conf auto get [fw1] [fg1] [rm] [all]
> cp_conf auto {enable|disable} <product1> <product2>...

Parameters:

  • get - Shows which products start automatically.
  • {enable|disable} <product1> <product2>... - Enables or disables the automatic start of one or more products.