The latest version of this PDF is available at http://bit.ly/fw1cli. Licensed under the Creative Commons BY-NC-SA license. SecurePlatform, SofaWare, SmartCenter, ClusterXL, Provider-1, VSX, IPSO and VPN-1/UTM-1 Edge are registered trademarks of Check Point Software Technologies, Ltd.
fw monitor

fw monitor, Check Point's packet sniffing tool, is part of every FW-1 installation, independent of the underlying platform. The syntax is also the same on all available platforms. Read the Check Point guide (http://bit.ly/fwmonref) or see my fw monitor cheat sheet (http://bit.ly/cpfwmon) for detailed information on this topic.

fw monitor Examples:

# packets with IP 192.168.1.12 as SRC or DST
fw monitor -e 'accept host(192.168.1.12);'

# all packets from 192.168.1.12 to 192.168.3.3
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'

# UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip'
fw monitor -pi ipopt_strip -e 'accept udpport(53);'

# UDP traffic from or to unprivileged ports, only show post-out
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'

# Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12
fw monitor -e 'accept host(192.168.1.12) and tracert;'

# Capture web traffic for VSX virtual system ID 23
fw monitor -vs 23 -e 'accept tcpport(80);'

# Capture traffic on a SecuRemote/SecureClient client into a file.
# srfw.exe is in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)
srfw monitor -o output_file.cap

SecurePlatform

sysconfig
    Menu based SecurePlatform OS configuration tool.

webui <enable|disable> [port]
    Enable the WebUI on HTTPS port 443 (or on port [port]), or disable the WebUI.

showusers
    Display a list of configured SecurePlatform administrators.

adduser <user>
    Add an admin account. Delete it with deluser <user>.

backup
    Back up the system config to /var/CPbackup/backups as the file
    backup_host.domain_DD_MM_YYYY_hh_mm.tgz. backup also works with the following switches:
        --scp <ip> <user> <pass> -path <path> <file>
        --tftp <ip> -path <tftpboot/subdir> <file>
        --ftp <ip> <user> <pass> -path <path> <file>
    If you do not specify a file or path, the default naming scheme and/or the home directory of the account will be used. A relative path results in a backup to a subdirectory of that home directory.

restore <file>
    Restore a backup from file <file>. Pretty much works with the same switches as backup.

snapshot
    Take a snapshot of the entire system. Without options it is menu based. Note: cpstop is issued! Examples:
        snapshot --file <file>
        snapshot --tftp <ip> <file>
        snapshot --scp <ip> <user> <pass> <file>
        snapshot --ftp <ip> <user> <pass> <file>

revert
    Reboot the system from a snapshot file. Same switches as snapshot.

patch add cd <patch>
    Install the patch <patch> from CD.

cd_ver or ver
    View the SecurePlatform build number.

addarp <ip> <MAC>
    Add a static ARP entry for <ip>. Survives a reboot. Use delarp with the same syntax to delete an ARP entry.

dns [add|del <ip>]
    View the DNS server settings or add/delete DNS servers.

log list
    Show the index of available system and error log files.

log show <nr>
    View log file number <nr> from the log list index.

passwd
    Change the login password. In expert mode it changes the expert password, in standard mode it changes the admin password. Use /usr/bin/passwd <user> in expert mode to change another account's password.

Provider-1

mds_backup
    Back up binaries and data to the current directory. You can exclude files by listing them in $MDSDIR/conf/mds_exclude.dat.

mds_restore <file>
    Restore an MDS backup from <file>. Notice: you may need to copy mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the directory containing the backup file. Normally, mds_backup does this during the backup.

mdsenv [cma_name]
    Set the environment variables for MDS or CMA level.

mdsstart [-m|-s]
    Start the MDS and all CMAs (10 at a time). Start only the MDS with -m, or the CMAs subsequently with -s.

mdsstop [-m]
    Stop the MDS and all CMAs, or with -m just the MDS.

mdsstat [cma_name]|[-m]
    Show the status of the MDS and all CMAs, or of a certain customer's CMA. Use -m for MDS status only.

cpinfo -c <cma>
    Create a cpinfo for the customer CMA <cma>. Remember to run mdsenv <cma> in advance.

mcd <directory>
    Quick cd to $FWDIR/<directory> of the current CMA.

mdsstop_customer <cma>
    Stop a CMA. Run mdsenv <cma> in advance.

mdsstart_customer <cma>
    Start a CMA. Run mdsenv <cma> in advance.

mdsconfig
    MDS replacement for cpconfig.

VPN & VPN Debugging

vpn ver [-k]
    Check the VPN-1 major and minor version as well as the build number and latest hotfix. Use -k for the kernel version.

vpn tu
    Start the menu based VPN TunnelUtil program, where you can list and delete Security Associations (SAs) for peers.

vpn shell
    Start the VPN shell.

vpn debug ikeon|ikeoff
    Debug IKE into $FWDIR/log/ike.elg.

vpn debug on|off
    Debug VPN into $FWDIR/log/vpnd.elg.

vpn debug trunc
    Truncate and stamp the logs, enable IKE & VPN debug.

vpn drv stat
    Show the status of the VPN-1 kernel module.

vpn overlap_encdom
    Show overlapping VPN domains, if any.

vpn macutil <user>
    Show the MAC for SecuRemote user <user>.

VSX

vsx stat [-v] [-l] [id]
    Display VSX status. Verbose output with -v, interface list with -l, or the status of a single system with VS ID <id>.

vsx get
    View the current shell context.

vsx set <id>
    Set the context to the VS with ID <id>.

vsx sic reset <id>
    Reset SIC for VS ID <id>.

fw -vs <id> getifs
    View the driver interface list for a VS. You can also use the VS name instead of -vs <id>.

fw tab -vs <id> -t <table>
    View the state tables for virtual system <id>.

fw monitor -vs <id> -e 'accept;'
    View the traffic for the virtual system with ID <id>.

In general, many of Check Point's commands understand the -vs <id> switch.

ClusterXL

cp_conf ha enable|disable [norestart]
    Enable or disable HA.

cphastop
    Disable ClusterXL on the cluster member. Issued on a cluster member running in HA Legacy Mode, cphastop might stop the entire cluster.

cphastart
    Activate ClusterXL on this cluster member.

fw hastat
    View the HA state of the local machine.

cphaprob state
    View the HA state of all cluster members.

cphaprob -a if
    View the interface status.

cphaprob -ia list
    View the list and state of critical cluster devices.

cphaprob syncstat
    View sync transport layer statistics. Reset them with -reset.

cphaconf set_ccp <broadcast|multicast>
    Configure the Cluster Control Protocol (CCP) to use broadcast or multicast messages. Set to multicast by default. The setting survives a reboot.

Note: DO NOT run any cphaconf commands other than set_ccp.

IPSO clish (Better go and read the docu. Clish is mighty ;)

You can enter clish commands either in clish itself or from the shell using clish [-s] -c "<command>". The -s option runs save config afterwards.

show summary
    Show the system configuration summary.

show asset hardware
    Show hardware information. See also the output of ipsctl -a and cat /var/etc/.nvram.

show images
    Show the available IPSO images.

show image current
    Show the current IPSO image.

show package all|active
    Show all available/active packages.

set package name <name> <on|off>
    Activate or deactivate a package.

set ssh server log-level <level>
    Set the sshd log verbosity to quiet, fatal, error, info (default), verbose or debug.

show vrrp [interfaces]
    View the VRRP (interface) status.

reboot image <img> save
    Reboot into <img> and run save before booting.

rm /config/active
    Kind of a factory default reset. Reboot afterwards.

set voyager daemon-enable <1|0> ssl-port 8443 ssl-level 168
    Enable (or disable) Voyager on SSL port 8443 using 3DES crypto. Also works with true, false, on or off. Run save config afterwards.

Edge Appliances CLI and Sofaware SmartCenter Commands*

help [command]
    Show help topics. Also works with all commands.

info fw [rules]
    Show firewall statistics (in/out packets) or the policy.

info nat
    Display the active NAT policy.

info device
    Show hardware information.

show net wan
    Show the configuration of the WAN device.

export
    Export the complete system configuration.

swcmd Reboot <edge>
    Reboot <edge> from the SmartCenter console.*

smsstart and smsstop
    Start/stop the Sofaware Management Server.*
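The SecurePlatform backup command above names its archives backup_host.domain_DD_MM_YYYY_hh_mm.tgz and stores them in /var/CPbackup/backups. Because the day comes first in that timestamp, sorting the file names lexically does not give chronological order, which matters as soon as you want to keep only the newest few archives. The shell script below is an added example and not part of the cheat sheet or of any Check Point tool: it rebuilds a sortable YYYYMMDDhhmm key from each name, reports the newest archive and keeps only the newest N. The function names, the keep count and the sample file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: retention for SecurePlatform
# "backup" archives.  The backup command names its files
#   backup_<host.domain>_DD_MM_YYYY_hh_mm.tgz
# and by default stores them in /var/CPbackup/backups (both taken from the
# cheat sheet).  Since the day comes first, the names do not sort
# chronologically, so a YYYYMMDDhhmm key is derived from each name instead.

# Print the YYYYMMDDhhmm key for one archive path; prints nothing when the
# name does not follow the backup naming scheme.
backup_key() {
    printf '%s\n' "${1##*/}" | sed -n \
        's/^backup_.*_\([0-9][0-9]\)_\([0-9][0-9]\)_\([0-9]\{4\}\)_\([0-9][0-9]\)_\([0-9][0-9]\)\.tgz$/\3\2\1\4\5/p'
}

# List the archives in directory $1, newest first, one path per line.
# Files that do not match the scheme (notes, hand-made tarballs) are ignored
# so they are never pruned by mistake.
list_backups() {
    for f in "$1"/backup_*.tgz; do
        [ -e "$f" ] || continue
        key=$(backup_key "$f")
        [ -n "$key" ] || continue
        printf '%s %s\n' "$key" "$f"
    done | sort -r | cut -d' ' -f2-
}

# Path of the newest archive in $1 (empty when there is none).
newest_backup() {
    list_backups "$1" | head -n 1
}

# Keep the newest $2 archives in $1 and delete the rest, printing each removal.
prune_backups() {
    list_backups "$1" | tail -n +"$(($2 + 1))" | while IFS= read -r old; do
        rm -f -- "$old"
        printf 'removed %s\n' "$old"
    done
}

# Typical use on the firewall (assumed keep count of 5):
#   prune_backups /var/CPbackup/backups 5
```

Run prune_backups only after a fresh backup has completed, and keep at least one archive that predates the last policy or hotfix change so a restore can roll back further than the most recent state.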
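cphaprob state, listed under ClusterXL above, shows the HA state of every cluster member. As an added example that is not part of the cheat sheet, the shell function below reads that output on stdin and fails when any member is in a state other than Active or Standby, or when fewer members than expected are listed, so it can run from cron on a member and feed a logger. The embedded sample output is constructed; its column layout (member number first, state word last) is an assumption about the real output, and the parser keys only on those two positions so that other columns may differ.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: a health check over the output
# of "cphaprob state" (ClusterXL).  Every member is expected to be Active
# or Standby; any other state (e.g. Down) or a missing member is reported.

# Constructed sample in the assumed layout: member lines start with the
# member number and end with the state word.  Not real device output.
SAMPLE_STATE='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  10.0.0.1        100%            Active
2          10.0.0.2        0%              Down
'

# Read cphaprob state output on stdin and expect $1 members.  Prints one
# problem per line; returns 1 if any problem was found, else 0.
check_cluster_state() {
    awk -v expected="$1" '
        BEGIN { members = 0; bad = 0 }
        /^[0-9]+/ {
            members++
            if ($NF != "Active" && $NF != "Standby") {
                printf "member %s is %s\n", $1, $NF
                bad = 1
            }
        }
        END {
            if (members < expected) {
                printf "only %d of %d members reported\n", members, expected
                bad = 1
            }
            exit bad ? 1 : 0
        }'
}

# Typical use on a cluster member, e.g. from cron, assuming a two-node cluster:
#   cphaprob state | check_cluster_state 2 || logger -p daemon.err "ClusterXL degraded"
```

Pair this with cphaprob -ia list in the same job if you also want to know which critical device pulled a member out of Active; the state check alone tells you that a failover happened, not why.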