Checkpoint is not a cli based firewall, the cli is generally (in the daily life) not used. What the admin wants, can do through the GUI. For troubleshooting purposes or just query something there are some useful commands. In this list I tried to collect what I already had to use (or wanted to try out).
Table 1.
| General checkpoint, IPSO commands | Description |
| ipsctl hw:eeprom:product_id | Show Product Id. on IPSO |
| ipsctl hw:eeprom:serial_number | Show Serial No. on IPSO |
| uname -a | Show IPSO Version |
| ipsofwd list | show forwarding option on IPSO |
| [admin]# ipsofwd list net:ip:forward:noforwarding = 0 net:ip:forward:noforwarding_author = fwstart net:ip:forward:switch_mode = flowpath net:ip:forwarding = 1 |
example for forwarding options |
| ipsofwd on username | set forwarding on if firewall stopped |
| ipsctl -w net:log:partner:status:debug 1 | enable interface debugging (sk41089) |
| ipsctl -w net:log:sink:console 0 | disable debugging |
Table 2.
| Firewall Commands | |
| fw ver | Show Firewall Version |
| vpn macutil | Generate MAC Address for users. This can be used to fix an IP in DHCP Server. |
| cpstat polsrv -f all | Show the connected and the licensed users |
| cpstat fw -f http, ftp, telnet, rlogin, smtp, pop3 | Check protocol states. |
| fw stat | Show policy name and the interfaces that have already seen any traffic. |
| fw stat -long | Shows the policy and the stats for the policy |
| cpstat os -f cpu -o 3 | Monitor CPU state every 3 seconds |
| -o Polling interval (seconds) specifies the pace of the results. Default is 0, meaning the results are shown only once. -c Specifying how many times the results are shown. Default is 0, meaning the results are repeatedly shown. |
cpstat useful parameters |
| cpstat os | Show SVN Foundation and OS Version |
| cpstat fw -f all | Product, Policy und Status informations |
| cpstat fw -f policy | Show Installed Policy name |
| fw tab -t connections -s | Show active connections |
| fw fetch | Install Policy from MGM server |
| cplic print | Print licenses |
| fwha_mac_magic | Connecting multiple clusters to the same network segment (same VLAN, same switch) – sk25977 |
| cp_conf sic state |
SIC test on the firewall |
| cp_conf sic init <Activation Key> [norestart] |
SIC reset on the firewall |
| fw ctl zdebug drop | grep 1.1.1.1 |
check dropped packets on the firewall for host 1.1.1.1 |
Table 3.
| Sniffer on the Firewall | |
| fw monitor -m iIoO -e “accept (src=IP_S and dst=_IP_D) or (src=IP_D and dst=IP_S);” | Monitor traffic between host with IP IP_S and host with IP IP_D |
| fw monitor -m iIoO -e “accept (src=IP_S and dst=_IP_D) or (src=IP_D and dst=IP_S);” -ow monitor_cat.cap” | not just monitor but save as capture to a file |
| fw monitor -m iIoO -e “accept (src=IP_S and dst=_IP_D) or (src=IP_D and dst=IP_S);” -p all -a -o Datei.cap | not just monitor but save capture to a file + deeper debug |
| fw monitor -m iIoO -e “accept (sport=5200 or sport=5100 or sport=5000);” | Monitor traffic on the source port 5200, 5100 or 5000 |
Table 4.
| Remote Access and S2S VPN commands | |
| vpn tu | vpn tunnel util, for VPN checking, delete |
| fw tab -t inbound_SPI -f | List SPI and users (external IP, office mode IP, username, DN of a user in case of certificate auth) |
| fw tab -t om_assigned_ips -f | List users and assigned Office mode IPs |
| fw tab -t marcipan_ippool_users -f | List Office Mode used IPs |
| fw tab -t om_assigned_ips -f -m 2000 | awk ‘{print $7,$11}’ | grep -v ‘^ ‘ | Lists office mode Ip fore 2000 users (use -u for unlimited number) |
| fw tab -t marcipan_ippool_users -x | used to manually clear the Office Mode connections table on the Gateway |
| vpn debug trunc | initiates both vpn debug and ike debug |
| vpn debug on TDERROR_ALL_ALL=5 | initiates vpn debug on the level of detail provided by TDERROR_ALL_ALL=5. Output file is $FWDIR/log/vpnd.elg |
| vpn debug ikeon | initiates vpn ike debug. Output file is $FWDIR/log/ike.elg |
| vpn debug mon | Writes ike traffic unecrypted to a file. The output file is ikemonitor.snoop. In this output file, all the IKE payloads are in clear |
| vpn debug ikeoff | Stops ike debug. Get ikeviewer to check the ike traffic and log. |
| vpn debug off | Stops vpn debug |
| vpn debug moff | Stops ike sniffer |
vpn export_12 -obj <objectname> -cert <certificatename> -file <filename> -passwd <passw> Example: vpn export_p12 -obj Office_GW -cert defaultCert –file office_cert.p12 -passwd mypassword |
export a certificate using the Security Management server. certificate object is the Certificakte Nickname from the GUI. |
Table 5.
| Clustering commands | |
| cphaprob list | Show processes monitored by HA |
| cpstat fw -f sync | Show counters for sync traffic |
| cphaprob state | Show cluster mode and status |
| cpstat ha -f all | Show HA process and HA IP status |
| fw ctl pstat | Show memory, kernel stacks, connections, fragments,…, SYNC status |
| cphaprob -a if | Show Sync interface(s) and HA IP(s) |
| cphaprob syncstat | Show Sync statistics |
| fw hastat | Show HA stat ONLY by ClusterXL! not with VRRP |
Table 6.
| General commands | |
| ps -aux | Report all active processes in the kernel IPSO |
| kill -9 prozessid | Stop a process |
| dmesg | show boot logs |
| vmstat 5 5 | show memory, cpu usage |
| ifconfig bge1:xx down | set virtual Interface on Provider1 down |
| fsck | Filsystemcheck |
Table 7.
| Administrate CMA/MDS processes | |
| mdsstop_customer | Stop a CMA |
| mdsstart_customer | Start a CMA |
| mdsstat | Shows MDS and CMA Status |
| mdsstop | Stops all CMAs und Server processes |
| mdsstart | Start all CMAs und Server processes |
| mdsenv CMANAME | Change the Enviroment to selected CMA |
| echo $FWDIR | This displays the correct path for the CMA. |
| cpstat mg | check the connected clients (with Provider1 in the CMA Level: mdsenv <CMA-IP>) |
| fwm -a | Change admin password (or cpconfig delete admin and add admin) |
| fwm dbload | Install database |
| watch -d “cpstat os -f cpu” | Monitor cpu state with watch |
Table 8.
| Searching for objects | What you cannot find whit cross CMA search |
| cd $FWDIR/conf grep subdomain objects.C | grep -v Name | awk ‘{print $2}’ | grep “^(” | sed -e ‘s/(//’ |
Searching all objects with subdomain ‘subdomain’ in their name |
| cd $FWDIR/conf grep subdomain /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/objects.C | grep -v Name | awk ‘{print $1, $3}’ | grep “(” | sed -e ‘s/(//’ |
Searching all objects in all firewalls (in MDS) with subdomain ‘subdomain’ in their name |
| grep “2.2.2.2\|3.3.3.3” /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/objects_5_0.C | find the 2 IP Address in the firewall configs |
| grep hostimiss.com /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/rulebases_5_0.fws | find the hostname in the firewall rulebase configs |
Table 9.
| Archive commands | |
| tar tfv [ARCHIVNAME].tar | Show the content of an archive |
| tar cfvz [ARCHIVNAME].tar.gz [VERZEICHNIS1] [DATEI1] | Archive files |
| tar xfvz [ARCHIVNAME].tar.gz | open archive |
| SCP command | |
| scp root@provider1:/opt/CPmds-R65/customers/cma1/CPsuite-R65/fw1/conf/objects_5_0.C . | copy the objects_5_0.C file to the lokal folder from where the command was issued |
Collect info for Checkpoint TAC
| cpinfo [-v] [-l] [-n] [-o ] [-r | -t [tablename]] [-c cma … | -x vs]* -z: Output gzipped (effective with -o option). * -r: Includes the registry (Windows – very large output). * -v: Prints version information. * -l: Embeds log records (very large output). * -n: Does not resolve network addresses (faster) * -t: Output consists of tables only (SR only). * -c: Get information about the specified CMA (Provider-1). * -x: Get information about the specified VS (VSX). |
And some example for cpinfo.
| CPinfo Options: cpinfo [-v] [-l] [-n] [-o output_file] [-r | -t [tablename]] [-c cma/ctx]-o output_file (Redirect output into file output_file) -r (Include the registry in the output) -v (Print version information) -l (Embed Log records) -n (Do not resolve network addresses) -t (Output consists of tables only (SR only) -c (Get information about the specified cma/ctx) (No parameters): Redirects output to the standard output (the command window).Required steps to get the cpinfo from mds:1. Back to MDS # mdsenv 2. Verify the correct environment # echo $FWDIR /opt/CPmds-R65/ 3. Run cpinfo # cpinfo -z -n -o /var/mds.cpinfoRequired steps for cpinfo from the relevant CMA (sk10176)1. List of all Customers (CMAs) # mdsstat 2. Set the environment for the Customer # mdsenv CMANAME 3. Verify the correct environment # echo $FWDIR /opt/CPmds-R65/customers//CPsuite-R65/fw1/ 4. Run cpinfo # cpinfo -c CMANAME -z -n -o FILENAME |
Checkpoint logging in short.
| VPN-1/FireWall-1 NG includes the following log type files:- FWDIR/log/xx.log – stores the log records. – FWDIR/log/xx.logptr – provides pointers to the beginning of each log record. – FWDIR/log/xx.loginitial_ptr – provides pointers to the beginning of each log chain (logs that share the same connection ID – LUUID). – FWDIR/log/xx.logaccount_ptr – provides pointers to the beginning of each accounting record. – Note: the NG log directory also includes an additional temporary pointer file, named xx.logLuuidDB.To purge/delete the current log files without saving it to a backup file, run: # fw logswitch “”The VPN-1/FireWall-1 NG audit log type files are:- xx.adtlog – stores the audit log records. – xx.adtlogptr – provides pointers to the beginning of each log records. – xx.adtloginitial_ptr – provides pointers to the beginning of each log chain (logs that shared the same connection ID – LUUID). – xx.adtlogaccount_ptr – provides pointers to the beginning of each accounting record.To purge/delete the current audit log files without saving it to a backup file, run: # fw logswitch -audit “” |
This is an example how to collect the same info (the fw version here) from all of our firewall with a script.
We need to collect the firewalls with their IPs or with their hostnames in a file I call iplist and run the srcipt with ‘sh ./get_fwversion.sh’
root@myserver # cat get_fwversion.sh #!/bin/bash for HOST in $(cat iplist | grep -v "^#" | grep -v "^$") do echo $HOST ssh admin@$HOST 'fw ver' # Some example. Just delete the # for the required command # ssh admin@$HOST 'ipsctl hw:eeprom:product_id' # ssh admin@$HOST 'fwaccel stat' # ssh admin@$HOST 'clish -c "show vrrp"' # ssh admin@$HOST 'grep buffer /var/log/messages' | tail -n 2 # ssh admin@$HOST 'grep "Log buffer is full\|log/trap messages" /var/log/messages' # ssh admin@$HOST 'cpstat os -f cpu' done root@myserver # cat iplist #R55 myfirewall1 myfirewall2 myfirewall3 myfirewall4 myfirewallcluster1_A myfirewallcluster1_B #R60 myfirewall5 myfirewall6 #R65 myfirewall7 myfirewall8 myfirewallcluster2_A myfirewallcluster2_B |
Important Files:
On the Management Server:
$FWDIR/conf/classes.C – scheme file. Each object in objects.c, rulebases.fws, fwauth.ndb or whatever must match one of the classes listed below.
$FWDIR/conf/objects_5_0.C – object file.
$FWDIR/conf/rulebases_5_0.fws – Rulebase file.
$FWDIR/conf/fwauth.NDB – userdatabase
$FWDIR/conf/.W – The policy file
$FWDIR/conf/user.def.NGX_FLO – User defined inspect code (sk30919)
On the Firewall:
$FWDIR/conf/masters – On the firewalls shows who is the management server
$FWDIR/conf/initial_module.pf – Initial Policy of the firewall
$FWDIR/conf/discntd.if – Add the interface-name in this file to disable monitoring in Secureplatform.
itsecworks 
stujordan
August 9, 2013
nice, thank you