Threat Prevention CLI Commands

How to run commands from the CLI (Command Line Interface) to install Threat Prevention policy and for IPSClosed Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). and advanced Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. management.

In any case of conflict between the CLI commands and the SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. configuration, the CLI commands will be enforced.

mgmt_cli install-policy <options>

Description: Run this command on the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. to install the Threat Prevention policy on the specified Security Gateways.

Syntax: mgmt_cli install-policy <options>

Note: For more information, see Check Point Management API Reference.

te_add_file

Description: Use this command to manually send files for threat emulation. The command has to be run from expert mode. For a complete explanation of all the available parameters, run te_add_file.

Syntax: te_add_file -f= <file path> -d= <directory path>

Parameter

Description

-f=

Specifies the path to the file. You must include the file name at the end of the path.

-d=

Specifies the path to a directory. The command takes all the files in the directory and sends them for emulation.

 
[Expert@GW:0]# te_add_file -f=/home/admin/test.pdf
# Sending files... Wait for response: True
# Trying to connect to ted...
# Connected to ted...Ready to send...
# File path: /home/admin/test.pdf
# File type: pdf
# Got response from ted...
(
        :event_id ("{000000A5-006D-0045-9D15-D6896862D148}")
        :action (drop)
        :confidence (high)
        :done (0)
        :file_path ("/home/admin/test.pdf")
        :md5_string (61baabd6fc12e01ff73ceacc07c84f9a)
)
# Got response from ted...
(
        :event_id ("{000000A5-006D-0045-9D15-D6896862D148}")
        :action (drop)
        :confidence (high)
        :done (1)
        :file_path ("/home/admin/test.pdf")
        :md5_string (61baabd6fc12e01ff73ceacc07c84f9a)
)
/home/admin/test.pdf
Verdict: drop Time: 1 *
Total Files: 1
Verdicts distribution:
drop: 1
# Done 1 files in 1 seconds...Bye Bye...

Comments: ted is the Threat Emulation daemon.

tecli

The tecli commands:

  • Control local cache

  • Show information about the Threat Emulation system

  • Run advanced options

  • Show status of emulation downloads, statistics and processes

  • Configure affinity for TED (Threat Emulation Daemon)

Description: Resets the emulation statistics for the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. or appliance.

Syntax: tecli advanced clear

Description: Deletes all the records in the local cache.

Syntax: tecli cache clean

Description: Controls the sizing mode tool that lets you estimate the resources that will use in your network (see sk93598).

Syntax: tecli control sizing {enable|disable|status}

Note - For more about using sizing mode, see sk93598.

Description: Enable and disable debug mode for Threat Emulation.

Syntax: tecli debug {on|off|scan local {enable|disable}}

Parameter

Description

on

Enables debug mode

off

Disables debug mode

scan local enable

Enables the appliance or Security Gateway to scan local connection

scan local disable

Disables the appliance or Security Gateway to scan local connection

tecli d o

tecli debug on

tecli d s l e

tecli debug scan local enable

tecli show commands show data and statistics about the Threat EmulationSoftware BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.. You can also use abbreviated parameters to run tecli show commands. These are some useful command combinations:

Command

Description

tecli s s

Shows emulation statistics

tecli s c i

Shows information about ThreatCloudClosed The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. emulation

tecli s c q

Shows the quota for ThreatCloud emulation

tecli s e e

Shows the current status of the emulation queue

tecli s u a

Shows all the parts of file emulation

Description: Shows data and statistics about your ThreatCloud account.

Syntax: tecli show cloud {identity|info|quota}

Parameter

Description

identity

Shows data about how the Security Gateway or Threat Emulation appliance connects to the ThreatCloud

info

Shows data about your file emulation in the ThreatCloud

quota

Shows data about your ThreatCloud monthly emulation quota

tecli s c id

tecli show cloud identity

tecli s c in

tecli show cloud info

Description: Shows data about Threat Emulation queue and VMs (Virtual Machines).

Syntax: tecli show emulator {emulations|vm {synopsis|detailed|id <ID>}}

Parameter

Description

emulations

Shows the current status of the emulation queue

synopsis

Shows a summary of the VMs

detailed

Shows data and details of the VMs

id <ID>

Shows data for the VM with this ID

tecli s e e

tecli show emulator emulations

tecli s e v s

tecli show emulator vm synopsis

Description: Shows data and statistics about files and rules that Threat Emulation is downloading.

Syntax: tecli show downloads {all|images|dr|sa|raw|types}

Parameter

Description

all

Shows the status of all downloads

images

Shows download status of operating system images

dr

Shows download status of malware detection rules

sa

Shows download status of static analysis rules

raw

Shows download status of general Threat Emulation files

types

Shows the file extensions that are being sent for emulation

tecli s d a

tecli show downloads all

tecli s d i

tecli show downloads images

Description: Shows data and statistics about the Threat Emulation appliance

Syntax: tecli s r i or tecli show remote information

Description: Shows statistics to the Threat Emulation appliance or Security Gateway.

Syntax: tecli s s or tecli show statistics

Description: Shows data about file emulation for each time interval.

Syntax: tecli show throughput {minute|hour|day|month}

Parameter

Description

minute

Shows how many files completed emulation for each minute

hour

Shows how many files completed emulation for each hour

day

Shows how many files completed emulation for each day

month

Shows how many files completed emulation for each month

tecli s t mi

tecli show throughput minute

tecli s t mo

tecli show throughput month

Description: Shows all the parts of file emulation:

  • Prepare

  • Processing

  • Finalizing

The output shows the number of files for each task in the emulation part.

Syntax: tecli u a or tecli show unit all

# tecli s u a

[prepare]

      - system state (15)

      - policy (15)

      - file (1)

      - contract (1)

      - cache inquirer (1)

[processing]

      - duplicate (1)

      - static analysis (1)

      - emulator (1)

      - cloud emulation (1)

      - remote emulation (1)

[finalizing]

      - forensics (15)

      - cache updater (15)

      - threat cloud sharing (15)

      - threat cloud statistics (15)

      - file saver (15)

      - logger (15)

      - local filter counter (15)

Managing IPS Security Gateways through CLI

See the R81.10 CLI Reference Guide > Chapter IPS Commands > Section ips.

How to use the Threat Prevention CLI commands to manage IPS on your Security Gateways.