Useful Checkpoint commands

Posted on November 25, 2010


Checkpoint is not a cli based firewall, the cli is generally (in the daily life) not used. What the admin wants, can do through the GUI. For troubleshooting purposes or just query something there are some useful commands. In this list I tried to collect what I already had to use (or wanted to try out).
Table 1.

General checkpoint, IPSO commands Description
ipsctl hw:eeprom:product_id Show Product Id. on IPSO
ipsctl hw:eeprom:serial_number Show Serial No. on IPSO
uname -a Show IPSO Version
ipsofwd list show forwarding option on IPSO
[admin]# ipsofwd list
net:ip:forward:noforwarding = 0
net:ip:forward:noforwarding_author = fwstart
net:ip:forward:switch_mode = flowpath
net:ip:forwarding = 1
example for forwarding options
ipsofwd on username set forwarding on if firewall stopped
ipsctl -w net:log:partner:status:debug 1 enable interface debugging (sk41089)
ipsctl -w net:log:sink:console 0 disable debugging

Table 2.

Firewall Commands
fw ver Show Firewall Version
vpn macutil Generate MAC Address for users. This can be used to fix an IP in DHCP Server.
cpstat polsrv -f all Show the connected and the licensed users
cpstat fw -f http, ftp, telnet, rlogin, smtp, pop3 Check protocol states.
fw stat Show policy name and the interfaces that have already seen any traffic.
fw stat -long Shows the policy and the stats for the policy
cpstat os -f cpu -o 3 Monitor CPU state every 3 seconds
-o Polling interval (seconds) specifies the pace of the results. Default is 0, meaning the results are shown only once.
-c Specifying how many times the results are shown. Default is 0, meaning the results are repeatedly shown.
cpstat useful parameters
cpstat os Show SVN Foundation and OS Version
cpstat fw -f all Product, Policy und Status informations
cpstat fw -f policy Show Installed Policy name
fw tab -t connections -s Show active connections
fw fetch Install Policy from MGM server
cplic print Print licenses
fwha_mac_magic Connecting multiple clusters to the same network segment (same VLAN, same switch) – sk25977
cp_conf sic state
SIC test on the firewall
cp_conf sic init <Activation Key> [norestart]
SIC reset on the firewall
fw ctl zdebug drop | grep
check dropped packets on the firewall for host

Table 3.

Sniffer on the Firewall
fw monitor -m iIoO -e “accept (src=IP_S and dst=_IP_D) or (src=IP_D and dst=IP_S);” Monitor traffic between host with IP IP_S and host with IP IP_D
fw monitor -m iIoO -e “accept (src=IP_S and dst=_IP_D) or (src=IP_D and dst=IP_S);” -ow monitor_cat.cap” not just monitor but save as capture to a file
fw monitor -m iIoO -e “accept (src=IP_S and dst=_IP_D) or (src=IP_D and dst=IP_S);” -p all -a -o Datei.cap not just monitor but save capture to a file + deeper debug
fw monitor -m iIoO -e “accept (sport=5200 or sport=5100 or sport=5000);” Monitor traffic on the source port 5200, 5100 or 5000

Table 4.

Remote Access and S2S VPN commands
vpn tu vpn tunnel util, for VPN checking, delete
fw tab -t inbound_SPI -f List SPI and users (external IP, office mode IP, username, DN of a user in case of certificate auth)
fw tab -t om_assigned_ips -f List users and assigned Office mode IPs
fw tab -t marcipan_ippool_users -f List Office Mode used IPs
fw tab -t om_assigned_ips -f -m 2000 | awk ‘{print $7,$11}’ | grep -v ‘^ ‘ Lists office mode Ip fore 2000 users (use -u for unlimited number)
fw tab -t marcipan_ippool_users -x used to manually clear the Office Mode connections table on the Gateway
vpn debug trunc initiates both vpn debug and ike debug
vpn debug on TDERROR_ALL_ALL=5 initiates vpn debug on the level of detail provided by TDERROR_ALL_ALL=5. Output file is $FWDIR/log/vpnd.elg
vpn debug ikeon initiates vpn ike debug. Output file is $FWDIR/log/ike.elg
vpn debug mon Writes ike traffic unecrypted to a file. The output file is ikemonitor.snoop. In this output file, all the IKE payloads are in clear
vpn debug ikeoff Stops ike debug. Get ikeviewer to check the ike traffic and log.
vpn debug off Stops vpn debug
vpn debug moff Stops ike sniffer
vpn export_12 -obj <objectname> -cert <certificatename> 
-file <filename> -passwd <passw> 
vpn export_p12 -obj Office_GW -cert defaultCert
–file office_cert.p12 -passwd mypassword
export a certificate using the Security Management server. certificate object is the Certificakte Nickname from the GUI.

Table 5.

Clustering commands
cphaprob list Show processes monitored by HA
cpstat fw -f sync Show counters for sync traffic
cphaprob state Show cluster mode and status
cpstat ha -f all Show HA process and HA IP status
fw ctl pstat Show memory, kernel stacks, connections, fragments,…, SYNC status
cphaprob -a if Show Sync interface(s) and HA IP(s)
cphaprob syncstat Show Sync statistics
fw hastat Show HA stat ONLY by ClusterXL! not with VRRP

Table 6.

General commands
ps -aux Report all active processes in the kernel IPSO
kill -9 prozessid Stop a process
dmesg show boot logs
vmstat 5 5 show memory, cpu usage
ifconfig bge1:xx down set virtual Interface on Provider1 down
fsck Filsystemcheck

Table 7.

Administrate CMA/MDS processes
mdsstop_customer Stop a CMA
mdsstart_customer Start a CMA
mdsstat Shows MDS and CMA Status
mdsstop Stops all CMAs und Server processes
mdsstart Start all CMAs und Server processes
mdsenv CMANAME Change the Enviroment to selected CMA
echo $FWDIR This displays the correct path for the CMA.
cpstat mg check the connected clients (with Provider1 in the CMA Level: mdsenv <CMA-IP>)
fwm -a Change admin password (or cpconfig delete admin and add admin)
fwm dbload Install database
watch -d “cpstat os -f cpu” Monitor cpu state with watch

Table 8.

Searching for objects What you cannot find whit cross CMA search
cd $FWDIR/conf
grep subdomain objects.C | grep -v Name | awk ‘{print $2}’ | grep “^(” | sed -e ‘s/(//’
Searching all objects with subdomain ‘subdomain’ in their name
cd $FWDIR/conf
grep subdomain /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/objects.C | grep -v Name | awk ‘{print $1, $3}’ | grep “(” | sed -e ‘s/(//’
Searching all objects in all firewalls (in MDS) with subdomain ‘subdomain’ in their name
grep “\|” /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/objects_5_0.C find the 2 IP Address in the firewall configs
grep /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/rulebases_5_0.fws find the hostname in the firewall rulebase configs

Table 9.

Archive commands
tar tfv [ARCHIVNAME].tar Show the content of an archive
tar cfvz [ARCHIVNAME].tar.gz [VERZEICHNIS1] [DATEI1] Archive files
tar xfvz [ARCHIVNAME].tar.gz open archive
SCP command
scp root@provider1:/opt/CPmds-R65/customers/cma1/CPsuite-R65/fw1/conf/objects_5_0.C . copy the objects_5_0.C file to the lokal folder from where the command was issued

Collect info for Checkpoint TAC

cpinfo [-v] [-l] [-n] [-o ] [-r | -t [tablename]] [-c cma … | -x vs]* -z: Output gzipped (effective with -o option).
* -r: Includes the registry (Windows – very large output).
* -v: Prints version information.
* -l: Embeds log records (very large output).
* -n: Does not resolve network addresses (faster)
* -t: Output consists of tables only (SR only).
* -c: Get information about the specified CMA (Provider-1).
* -x: Get information about the specified VS (VSX).

And some example for cpinfo.

CPinfo Options:
cpinfo [-v] [-l] [-n] [-o output_file] [-r | -t [tablename]] [-c cma/ctx]-o output_file (Redirect output into file output_file)
-r (Include the registry in the output)
-v (Print version information)
-l (Embed Log records)
-n (Do not resolve network addresses)
-t (Output consists of tables only (SR only)
-c (Get information about the specified cma/ctx)
(No parameters): Redirects output to the standard output (the command window).Required steps to get the cpinfo from mds:1. Back to MDS
# mdsenv
2. Verify the correct environment
# echo $FWDIR
3. Run cpinfo
# cpinfo -z -n -o /var/mds.cpinfoRequired steps for cpinfo from the relevant CMA (sk10176)1. List of all Customers (CMAs)
# mdsstat
2. Set the environment for the Customer
# mdsenv CMANAME
3. Verify the correct environment
# echo $FWDIR
4. Run cpinfo
# cpinfo -c CMANAME -z -n -o FILENAME

Checkpoint logging in short.

VPN-1/FireWall-1 NG includes the following log type files:- FWDIR/log/xx.log – stores the log records.
– FWDIR/log/xx.logptr – provides pointers to the beginning of each log record.
– FWDIR/log/xx.loginitial_ptr – provides pointers to the beginning of each log chain (logs that share the same connection ID – LUUID).
– FWDIR/log/xx.logaccount_ptr – provides pointers to the beginning of each accounting record.
– Note: the NG log directory also includes an additional temporary pointer file, named xx.logLuuidDB.To purge/delete the current log files without saving it to a backup file, run:
# fw logswitch “”The VPN-1/FireWall-1 NG audit log type files are:- xx.adtlog – stores the audit log records.
– xx.adtlogptr – provides pointers to the beginning of each log records.
– xx.adtloginitial_ptr – provides pointers to the beginning of each log chain (logs that shared the same connection ID – LUUID).
– xx.adtlogaccount_ptr – provides pointers to the beginning of each accounting record.To purge/delete the current audit log files without saving it to a backup file, run:
# fw logswitch -audit “”

This is an example how to collect the same info (the fw version here) from all of our firewall with a script.

We need to collect the firewalls with their IPs or with their hostnames in a file I call iplist and run the srcipt with ‘sh ./’

root@myserver # cat
for HOST in $(cat iplist | grep -v "^#" | grep -v "^$")
echo $HOST
ssh admin@$HOST 'fw ver'
# Some example. Just delete the # for the required command
# ssh admin@$HOST 'ipsctl hw:eeprom:product_id'
# ssh admin@$HOST 'fwaccel stat'
# ssh admin@$HOST 'clish -c "show vrrp"'
# ssh admin@$HOST 'grep buffer /var/log/messages' | tail -n 2
# ssh admin@$HOST 'grep "Log buffer is full\|log/trap messages" /var/log/messages'
# ssh admin@$HOST 'cpstat os -f cpu'
root@myserver # cat iplist

Important Files:
On the Management Server:
$FWDIR/conf/classes.C – scheme file. Each object in objects.c, rulebases.fws, fwauth.ndb or whatever must match one of the classes listed below.
$FWDIR/conf/objects_5_0.C – object file.
$FWDIR/conf/rulebases_5_0.fws – Rulebase file.
$FWDIR/conf/fwauth.NDB – userdatabase
$FWDIR/conf/.W – The policy file
$FWDIR/conf/user.def.NGX_FLO – User defined inspect code (sk30919)

On the Firewall:
$FWDIR/conf/masters – On the firewalls shows who is the management server
$FWDIR/conf/ – Initial Policy of the firewall
$FWDIR/conf/discntd.if – Add the interface-name in this file to disable monitoring in Secureplatform.