
Check Point CLI Reference Card & Cheat Sheet – v 1.2
by Jens Roesen – email – www – twitter

Preface and small warning

This small cheat sheet is intended as a brief reference with some practical examples for your daily work. Although most of the commands mentioned are meant for information gathering purposes or troubleshooting rather than configuration issues, you should be careful and know what you are doing. A full reference to the Check Point CLI can be found at the Check Point Support Center: http://www.checkpoint.com/support/technical/documents

I've sorted the commands and examples mostly by purpose or product and not alphabetically. Some may reoccur.

Environment variables

It's useful to know some of the environment variables set and needed by FW-1. Below are some of the most commonly used. Depending on your installation there will be more. Check the env output for more information.

$FWDIR
    FW-1 installation directory, with f.i. the conf, log, lib, bin and spool directories. You will mostly work in this tree.
$CPDIR
    SVN Foundation / cpshared tree.
$CPMDIR
    Management server installation directory.
$FGDIR
    FloodGate-1 installation directory.
$MDSDIR
    MDS installation directory. Same as $FWDIR on MDS level.
$FW_BOOT_DIR
    Directory with files needed at boot time.

Basic starting and stopping

cpstop
    Stop all Check Point services except cprid. You can also stop specific services by issuing an option with cpstop. For instance cpstop FW1 stops FW-1/VPN-1, or use cpstop WebAccess to stop WebAccess.
cpstart
    Start all Check Point services except cprid. cpstart works with the same options as cpstop.
cprestart
    Combined cpstop and cpstart. Complete restart.
cpridstop
    Stop cprid, the Check Point Remote Installation Daemon.
cpridstart
    Start cprid, the Check Point Remote Installation Daemon.
cpridrestart
    Combined cpridstop and cpridstart.
fw kill [-t sig] proc_name
    Kill a Firewall process. The PID file in $FWDIR/tmp/ must be present. By default sends signal 15 (SIGTERM). Example: fw kill -t 9 fwm
fw unloadlocal
    Uninstall the local security policy.

Basic firewall information gathering

fw ver
    Check FW-1/VPN-1 major and minor version as well as build number and latest installed hotfix.
fwm ver
    Check management module major and minor version as well as build number and latest installed hotfix.
vpn ver
    Check VPN-1 major and minor version as well as build number and latest installed hotfix. Use the switch -k for the additional kernel version.
cpshared_ver
    Show the version of the SVN Foundation.
fw stat
    Show the name of the currently installed policy as well as a brief interface list. Can be used with the -long or -short switch for more information.
cpwd_admin list
    Display process information about CP processes monitored by the CP WatchDog.
fw ctl iflist
    Display interface list.
fw ctl arp [-n]
    Display proxy arp table. -n disables name resolution.
fw ctl pstat
    Display internal statistics including information about memory, inspect, connections and NAT.
fw ctl chain
    Display in and out chain of CP modules. Useful for placing fw monitor into the chain with the -p option.
fw ctl zdebug drop
    Real time listing of dropped packets.
cpstat <app_flag> [-f flavour]
    Display status of the CP applications. The command has to be used with an application flag app_flag and an optional flavour. Issue cpstat without any options to see all possible application flags and corresponding flavours. Examples:
    cpstat fw -f policy – verbose policy info
    cpstat fw -f sync – Synchronisation statistics
    cpstat os -f cpu – CPU utilization statistics
    cpstat os -f memory – Memory usage info
    cpstat os -f ifconfig – Interface table
cp_conf sic state
    Display current SIC trust state.
cp_conf lic get
    View licenses.
cp_conf finger get
    Display fingerprint on the management module.
cp_conf client get
    Display GUI clients list.
fwm -p
    List administrator accounts.
cp_conf admin get
    Display admin accounts and permissions.
cp_conf auto get all
    Display auto state of all products. Also works with fw1, fg1 and rm instead of all.
cpinfo -z -o <file>
    Create a compressed cpinfo file to open with the InfoView utility or to send to Check Point support.
fw hastat
    View HA state of local machine.
cphaprob state
    View HA state of all cluster members.
vpn overlap_encdom
    Show, if any, overlapping VPN domains.
fw tab -t <tbl> [-s]
    View kernel table contents. Make output short with the -s switch. List all available tables with fw tab -s. E.g. fw tab -t connections -s – Connections table.
avsu_client [-app <app>] get_version
    Get local signature version and status of content security <app> where <app> can be "Edge AV", "URL Filtering" and "ICS". Without the -app <app> option "Anti Virus" is used by default.
avsu_client [-app <app>] fetch_remote -fi
    Check if the signature for <app> is up-to-date. See the previous command for the possible values of <app>.
show asset hardware
    View hw info like serial numbers in Nokia clish. See also ipsctl -a and cat /var/etc/.nvram.
info device
    View Edge Appliance information (hw, fwl, license..)
info computers
    List active devices behind Edge Appliance.

View and manage logfiles

fw lslogs
    View a list of available fw logfiles and their size.
fwm logexport
    Export/display current fw.log to stdout.
fw logswitch [-audit]
    Write the current (audit) logfile to YY-MM-DD-HHMMSS.log and start a new fw.log.
fw log -c <action>
    Show only records with action <action>, e.g. accept, drop, reject etc. Starts from the top of the log, use -t to start a tail at the end.
fw log -f -t
    Tail the actual log file from the end of the log. Without the -t switch it starts from the beginning.
fw log -b <starttime> <endtime>
    View today's log entries between <starttime> and <endtime> with time format being HH:MM:SS. Example: fw log -b 09:00:00 09:15:00.
fw fetchlogs -f file module
    Fetch a logfile from a remote CP module. NOTICE: The log will be moved, hence deleted from the remote module. Does not work with the current fw.log.
fwm logexport -i in.log -o out.csv -d ',' -p -n
    Export logfile in.log to file out.csv, use , (comma) as delimiter (CSV) and do not resolve services or hostnames.

Display and manage licenses

cp_conf lic get
    View licenses. Same info as cplic db_print -all -x.
cplic print
    Display more detailed license information.
fw lichosts
    List protected hosts with limited hosts licenses.
dtps lic
    SecureClient Policy Server license summary.
cplic del <sig> <obj>
    Delete CP license with signature sig from object obj.
cplic get <ip host|-all>
    Retrieve all licenses from a certain gateway or all gateways in order to synchronize the license repository on the SmartCenter server with the gateway(s).
cplic put <-l file>
    Install local license from file to a local machine.
cplic put <obj> <-l file>
    Attach one or more central or local licenses from file remotely to obj.
cprlic
    Remote license management tool.

Basic configuration tasks, Admins, Users, SIC

cpconfig
    Menu based configuration tool for the most common tasks like adding/removing admin accounts or GUI clients, managing licenses, SIC and so on. Options depend on the installed products and packages.
cp_conf -h
    Display cp_conf help. Options depend on the installed products and packages.
cp_conf admin add <user> <pass> <perm>
    Add admin user with password pass and permissions perm where w is read/write access and r is read only. Note: permission w does not allow administration of admin accounts.
cp_admin_convert
    Export admin definitions created in cpconfig to SmartDashboard.
cp_conf admin del <user>
    Delete the admin account user.
fwm expdate <dd-mmm-yyyy> [-f <dd-mmm-yyyy>]
    Set new expiration date for all users or, with -f, for all users matching the expiration date filter: fwm expdate 31-Dec-2020 -f 31-Dec-2010.
cp_conf client get
    Display GUI clients list.
cp_conf client add <ip>
    Add GUI client with IP ip.
cp_conf client del <ip>
    Delete the GUI client with IP ip. You can delete multiple clients at once.
cp_conf sic state
    Display current SIC trust state.
cp_conf sic reset
    Reset SIC.
cp_conf sic init <key>
    Initialize SIC.
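The fwm logexport entry in "View and manage logfiles" produces a comma-delimited file when run with -d ','. The script below is an added example, not part of the cheat sheet, showing how such an export can be summarised offline with awk: it counts records per action (the CSV counterpart of fw log -c <action>) and reports the source address with the most drops. The sample CSV, its column names (num, date, time, orig, action, src, dst, service) and the addresses in it are constructed for this example; a real export carries many more columns, which is why the awk code locates columns by header name rather than by position.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: summarise a CSV log export as
# produced by "fwm logexport -i in.log -o out.csv -d ',' -p -n".
# SAMPLE_CSV is constructed for this example. The column names (num, date,
# time, orig, action, src, dst, service) are an assumption; real exports carry
# many more columns, which is why the awk code finds columns by header name.

SAMPLE_CSV='num,date,time,orig,action,src,dst,service
1,31Dec2010,09:00:01,fw-gw,accept,192.168.1.12,192.168.3.3,80
2,31Dec2010,09:00:02,fw-gw,drop,10.0.0.5,192.168.3.3,23
3,31Dec2010,09:00:03,fw-gw,drop,10.0.0.5,192.168.3.3,22
4,31Dec2010,09:00:04,fw-gw,accept,192.168.1.12,192.168.3.3,443
5,31Dec2010,09:00:05,fw-gw,reject,10.0.0.7,192.168.3.3,25
6,31Dec2010,09:00:06,fw-gw,drop,10.0.0.7,192.168.3.3,23'

# csv_input [file]: the export to read, from a file or the embedded sample
csv_input() {
    if [ -n "$1" ]; then
        cat "$1"
    else
        printf '%s\n' "$SAMPLE_CSV"
    fi
}

# count_action <action> [file]: number of records whose action column equals
# <action>, the offline counterpart of "fw log -c <action>"
count_action() {
    csv_input "$2" | awk -F',' -v act="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["action"]) == act { n++ }
        END { print n + 0 }'
}

# top_dropped_src [file]: the source address with the most drop records,
# printed as "address count"; prints nothing when there are no drops
top_dropped_src() {
    csv_input "$1" | awk -F',' '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["action"]) == "drop" { c[$(col["src"])]++ }
        END {
            best = 0
            for (s in c) if (c[s] > best) { best = c[s]; who = s }
            if (best > 0) print who, best
        }'
}

# Run against the embedded sample:
#   count_action drop    -> 3
#   top_dropped_src      -> 10.0.0.5 2
```

Pass the path of a real export as the last argument (count_action drop out.csv) to run the same summary on exported logs; because the columns are looked up by header name, extra columns in a real export do not affect the result as long as the header row contains action and src.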

The latest version of this PDF is available at http://bit.ly/fw1cli. Licensed under Creative Commons BY – NC – SA License. SecurePlatform, SofaWare, SmartCenter, ClusterXL, Provider-1, VSX, IPSO and VPN-1/UTM-1 Edge are registered trademarks of Check Point Software Technologies, Ltd.
fw monitor

fw monitor, Check Point's packet sniffing tool, is part of every FW-1 installation, independent from the underlying platform. Also the syntax is the same for all available platforms. Read the Check Point guide (http://bit.ly/fwmonref) or see my fw monitor cheat sheet (http://bit.ly/cpfwmon) for detailed info on this topic.

fw monitor Examples:

# packets with IP 192.168.1.12 as SRC or DST
fw monitor -e 'accept host(192.168.1.12);'

# all packets from 192.168.1.12 to 192.168.3.3
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'

# UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip'
fw monitor -pi ipopt_strip -e 'accept udpport(53);'

# UDP traffic from or to unprivileged ports, only show post-out
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'

# Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12
fw monitor -e 'accept host(192.168.1.12) and tracert;'

# Capture web traffic for VSX virtual system ID 23
fw monitor -vs 23 -e 'accept tcpport(80);'

# Capture traffic on a SecuRemote/SecureClient client into a file.
# srfw.exe in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)
srfw monitor -o output_file.cap

VSX

vsx stat [-v] [-l] [id]
    Display VSX status. Verbose output with -v, interface list with -l or status of a single system with VS ID <id>.
vsx get
    View current shell context.
vsx set <id>
    Set context to the VS with the ID <id>.
vsx sic reset <id>
    Reset SIC for VS ID <id>.
fw -vs <id> getifs
    View driver interface list for a VS. You can also use the VS name instead of -vs <id>.
fw tab -vs <id> -t <table>
    View state tables for virtual system <id>.
fw monitor -vs <id> -e 'accept;'
    View traffic for virtual system with ID <id>.

In general, a lot of Check Point's commands do understand the -vs <id> switch.

ClusterXL

cp_conf ha enable|disable [norestart]
    Enable or disable HA.
cphastop
    Disable ClusterXL on the cluster member. Issued on a cluster member running in HA Legacy Mode, cphastop might stop the entire cluster.
cphastart
    Activate ClusterXL on this cluster member.
fw hastat
    View HA state of local machine.
cphaprob state
    View HA state of all cluster members.
cphaprob -a if
    View interface status.
cphaprob -ia list
    View list and state of critical cluster devices.
cphaprob syncstat
    View sync transport layer statistics. Reset with -reset.
cphaconf set_ccp <broadcast|multicast>
    Configure Cluster Control Protocol (CCP) to use unicast or multicast messages. By default set to multicast. Setting survives reboot.

Note: DO NOT run any cphaconf commands other than set_ccp.

SecurePlatform

sysconfig
    Menu based SecurePlatform OS configuration tool.
webui <enable|disable> [port]
    Enable the WebUI on HTTPS port 443 or port [port], or disable the WebUI.
showusers
    Display a list of configured SecurePlatform administrators.
adduser <user>
    Add an admin account. Delete with deluser <user>.
backup
    Backup system config to /var/CPbackup/backups file backup_host.domain_DD_MM_YYYY_hh_mm.tgz. backup also works with the following switches:
    --scp <ip> <user> <pass> -path <path> <file>
    --tftp <ip> -path <tftpboot/subdir> file
    --ftp <ip> <user> <pass> -path <path> <file>
    If you do not specify file or path the default naming scheme and/or the homedir of the account will be used. A relative path results in a backup to a subdirectory of home.
restore <file>
    Restores a backup from file <file>. Pretty much works with the same switches as backup.
snapshot
    Take a snapshot of the entire system. Without options it's menu based. Note: cpstop is issued! Examples:
    snapshot --file <file>
    snapshot --tftp <ip> <file>
    snapshot --scp <ip> <user> <pass> <file>
    snapshot --ftp <ip> <user> <pass> <file>
revert
    Reboot system from a snapshot file. Same switches as snapshot.
patch add cd <patch>
    Install the patch <patch> from CD.
cd_ver or ver
    View SecurePlatform build number.
addarp <ip> <MAC>
    Add a static ARP entry for ip. Survives a reboot. Use delarp with the same syntax to delete an ARP entry.
dns [add|del <ip>]
    View DNS server setting or add/delete DNS servers.
log list
    Show index of available system and error log files.
log show <nr>
    View log file number <nr> from the log list index.
passwd
    Change login password. In expert mode it changes the expert pass, in standard mode it changes the admin pass. Use /usr/bin/passwd <user> in expert mode.

Provider-1

mds_backup
    Backup binaries and data to the current directory. You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat.
mds_restore <file>
    Restore MDS backup from file. Notice: you may need to copy mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the directory with the backup file. Normally, mds_backup does this during backup.
mdsenv [cma_name]
    Set the environment variables for MDS or CMA level.
mdsstart [-m|-s]
    Starts the MDS and all CMAs (10 at a time). Start only the MDS with -m or the CMAs subsequently with -s.
mdsstop [-m]
    Stop MDS and all CMAs or with -m just the MDS.
mdsstat [cma_name]|[-m]
    Show status of the MDS and all CMAs or a certain customer's CMA. Use -m for only MDS status.
cpinfo -c <cma>
    Create a cpinfo for the customer cma <cma>. Remember to run mdsenv <cma> in advance.
mcd <directory>
    Quick cd to $FWDIR/<directory> of the current CMA.
mdsstop_customer <cma>
    Stop CMA. Run mdsenv <cma> in advance.
mdsstart_customer <cma>
    Start CMA. Run mdsenv <cma> in advance.
mdsconfig
    MDS replacement for cpconfig.

VPN & VPN Debugging

vpn ver [-k]
    Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for the kernel version.
vpn tu
    Start a menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.
vpn shell
    Start the VPN shell.
vpn debug ikeon|ikeoff
    Debug IKE into $FWDIR/log/ike.elg.
vpn debug on|off
    Debug VPN into $FWDIR/log/vpnd.elg.
vpn debug trunc
    Truncate and stamp logs, enable IKE & VPN debug.
vpn drv stat
    Show status of the VPN-1 kernel module.
vpn overlap_encdom
    Show, if any, overlapping VPN domains.
vpn macutil <user>
    Show MAC for SecuRemote user <user>.

IPSO clish (Better go and read the docu. Clish is mighty ;)

You can enter clish commands either in the clish itself or from the shell using clish [-s] -c "<command>". The -s option runs save config afterwards.

show summary
    Show system configuration summary.
show asset hardware
    Show hardware information. See also the output of ipsctl -a and cat /var/etc/.nvram.
show images
    Show available IPSO images.
show image current
    Show current IPSO image.
show package all|active
    Show all available/active packages.
set package name <name> <on|off>
    Activate or deactivate a package.
set ssh server log-level <level>
    Set sshd log verbosity to quiet, fatal, error, info (default), verbose or debug.
show vrrp [interfaces]
    View VRRP (interface) status.
reboot image <img> save
    Reboot into <img> and run save before booting.
rm /config/active
    Kind of factory default reset. Reboot afterwards.
set voyager daemon-enable <1|0> ssl-port 8443 ssl-level 168
    Enable (or disable) Voyager on SSL port 8443 using 3DES crypto. Also works with true, false, on or off. save config afterwards.

Edge Appliances CLI and Sofaware SmartCenter Commands*

help [command]
    Show help topics. Also works with all commands.
info fw [rules]
    Show firewall statistics (in/out packets) or policy.
info nat
    Display active nat policy.
info device
    Show hardware information.
show net wan
    Show configuration of wan device.
export
    Export complete system configuration.
swcmd Reboot <edge>
    Reboot <edge> from SmartCenter Console.*
smsstart and smsstop
    Start/stop the Sofaware Management Server.*
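The ClusterXL section lists cphaprob state for viewing the HA state of all cluster members. As an added example that is not part of the cheat sheet, the sh script below turns that output into a check suitable for cron or a monitoring agent: it reads the member table and reports every member whose state is not exactly Active or Standby (Down, Active Attention and so on). The sample output embedded in it is constructed; the parser assumes that member lines begin with the member number and that the state text follows the Assigned Load percentage, so verify the layout against your own gateway's output before relying on it.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: parse "cphaprob state" output
# and report cluster members that are neither Active nor Standby.
# SAMPLE_STATE is a constructed stand-in for real output. Assumption: each
# member line starts with the member number and the state text follows the
# "Assigned Load" percentage column. Check this against your own output.

SAMPLE_STATE='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  10.0.0.1        100%            Active
2          10.0.0.2        0%              Down
3          10.0.0.3        0%              Standby'

# state_input [file]: the text to parse, from a file or the embedded sample
state_input() {
    if [ -n "$1" ]; then
        cat "$1"
    else
        printf '%s\n' "$SAMPLE_STATE"
    fi
}

# member_states [file]: one "number<TAB>state" line per member. The state is
# everything after the load percentage, so a multi-word state such as
# "Active Attention" stays intact instead of being split on whitespace.
member_states() {
    state_input "$1" | awk '
        /^[0-9]+[ \t]/ {
            s = $0
            sub(/^.*%[ \t]+/, "", s)
            print $1 "\t" s
        }'
}

# unhealthy_members [file]: member numbers whose state is not exactly
# Active or Standby (for example Down or Active Attention)
unhealthy_members() {
    member_states "$1" | awk -F'\t' '$2 != "Active" && $2 != "Standby" { print $1 }'
}

# cluster_ok [file]: succeed only when every member is Active or Standby,
# so the exit status can drive an alert
cluster_ok() {
    [ -z "$(unhealthy_members "$1")" ]
}

# With live output (run on a cluster member):
#   cphaprob state > /tmp/cphaprob.out && cluster_ok /tmp/cphaprob.out || echo "cluster needs attention"
```

On the embedded sample, unhealthy_members prints 2 (the Down member) and cluster_ok fails; a member reported as Active Attention is flagged as well, because the state text is compared as a whole rather than by its first word.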
