fw fetch

Description

Fetches the Security Policy from the specified host and installs it to the kernel.

Important:

  • You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).

  • On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Syntax

  • To fetch the policy from the Management Server:

    fw [-d] fetch -f [-i] [-n] [-r]

  • To fetch the policy from a peer Cluster Member, and, if it fails, then from the Management Server:

    fw [-d] fetch -f -c [-i] [-n] [-r]

  • To fetch the policy from the specified Check Point computer(s):

    fw [-d] fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]

  • To fetch the policy stored locally on the Security Gateway in the default directory $FWDIR/state/:

    fw [-d] fetch local [-nu]

    fw [-d] fetch localhost [-nu]

  • To fetch the policy stored locally on the Security Gateway in the specified directory:

    fw [-d] fetchlocal -d <Full Path to Directory>

Parameters

Parameter

Description

fw -d fetch...

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-c

Specifies that you fetch the policy from a peer Cluster Member.

Notes:

  • You must also use the "-f" parameter.

  • Works only in a cluster.

-f

Specifies that you fetch the policy from a Management Server listed in the $FWDIR/conf/masters file.

-i

On a Security Gateway with a dynamically assigned IP address (DAIP), specifies to ignore the SIC name and object name.

-n

Specifies not to load the fetched policy, if it is the same as the policy already located on the Security Gateway.

-nu

Specifies not to update the currently installed policy.

-r

On a Cluster Member, specifies to ignore this option in SmartConsole Install Policy window:

Best Practice - Use this parameter if a peer Cluster Member is Down.

<Master 1> [<Master 2> ...]

Specifies the Check Point computer(s), from which to fetch the policy.

You can fetch the policy from the Management Server, or a peer Cluster Member.

Notes:

  • If you fetch the policy from the Management Server, you can enter one of these:

    • The main IP address of the Management Server object.

    • The object name of the Management Server.

    • The hostname that the Security Gateway resolves to the main IP address of the Management Server.

  • If you fetch the policy from a peer Cluster Member, you can enter one of these:

    • The main IP address of the Cluster Member object.

    • The IP address of the Sync interface on the Cluster Member.

  • If the fetch from the first specified <Master> fails, the Security Gateway fetches the policy from the second specified <Master>, and so on. If the Security Gateway fails to connect to every specified <Master>, it fetches the policy from the localhost.

  • If you do not specify the <Masters> explicitly, the Security Gateway fetches the policy from the localhost.

-d <Full Path to Directory>

Specifies the local directory on the Security Gateway, from which to fetch the policy files.
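
Example

The debug Best Practice (redirect the output to a file) and the flag rules above, combined in one wrapper. This is an added example, not Check Point code: the function names and the log directory are hypothetical, and it assumes that fw returns a non-zero exit status when the fetch fails.

```shell
#!/bin/bash
# Added example, not Check Point code. Function names and the log directory
# are hypothetical; treating a non-zero exit status as failure is an assumption.

# Reject flag combinations that the Syntax and Parameters sections rule out.
# Usage: check_fetch_args <arguments that follow "fw fetch">
check_fetch_args() {
    local a has_f has_c has_nu has_local
    has_f=0; has_c=0; has_nu=0; has_local=0
    for a in "$@"; do
        case "$a" in
            -f) has_f=1 ;;
            -c) has_c=1 ;;
            -nu) has_nu=1 ;;
            local|localhost) has_local=1 ;;
        esac
    done
    # Parameters table: "-c" must be used together with "-f".
    if [ "$has_c" -eq 1 ] && [ "$has_f" -eq 0 ]; then
        echo "error: -c requires -f" >&2
        return 2
    fi
    # Syntax section: "-nu" is listed only for "fetch local" / "fetch localhost".
    if [ "$has_nu" -eq 1 ] && [ "$has_local" -eq 0 ]; then
        echo "error: -nu is listed only with local or localhost" >&2
        return 2
    fi
    return 0
}

# Run "fw -d fetch <arguments>" and save the debug output to a timestamped file.
# Prints the log file path and returns the exit status of fw.
# Usage: fetch_with_debug <log directory> <arguments that follow "fw fetch">
fetch_with_debug() {
    local log_dir log_file rc
    log_dir=$1
    shift
    check_fetch_args "$@" || return 2
    mkdir -p "$log_dir" || return 1
    log_file="$log_dir/fw_fetch_debug_$(date +%Y%m%d_%H%M%S).log"
    rc=0
    # Capture both streams: the page does not say which one carries the debug output.
    fw -d fetch "$@" > "$log_file" 2>&1 || rc=$?
    echo "$log_file"
    return "$rc"
}
```

On a Cluster Member, a call such as fetch_with_debug <log directory> -f -c -n fetches from the peer with debug enabled and prints the path of the saved log.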