Check Point Commands

By | 26/10/2015

Basic setup

set expert-password
set management interface eth1
set interface eth1 ipv4-address IP mask-length MASK
set interface eth1 state on
save-config

Operating

Reboot / shutdown

expert> shutdown -h now
reboot

CPConfig – Reset SIC. Admin users. Enable functions. Cluster membership

cpconfig

Start and stop CP services

cpstop
cpstart

Initial setup reconfiguration tool

cpconfig

FTP

ftp IP
bin
hash
put FILENAME
get FILENAME
ls

Mount CD

dmesg | grep -i dvd
mount /dev/hdc DestinationFolder

Unloads the current security policy and implements the default one

fw unloadlocal

From SG, resets the last installed policy

fw fetch localhost

From SMS. Send a policy to a SW

fwm load standard POLICYNAME

Obtaining information

To paginate in expert mode: command | less

Logs are saved at $FWDIR/log with the readable extension .elg

Name of the security policy installed on the gateway

fw stat

Version information

fw ver

Network commands

show interfaces
fw getifs
show interface eth0
show route

Shows routing table

netstat -rn

Shows open ports

netstat -an

See current connections

watch fw tab -t connections -s

Check who is connected to SMS

cpstat mg

Show License

cplic print

VPN CLI tool – lets you list and clear SAs

vpn tu

Partition information:

Expert> fdisk -l

See how many connections are in the firewall and the peak:

Expert> fw tab -t connections -s

Shows certificates:

cpca_client lscert -kind [ike/sic]

Tech info

cpinfo -o FILENAME
cpinfo -l -z FILENAME

Processes info

fw ctl pstat

User management

add user
add user USER uid 200 homedir /home/USER
set user USER newpass PASSWORD
add rba user USER roles adminRole
show users
delete user sam

Backup/Restore:

add backup local
show backup status

The backup will be restored and the system restarts

set backup restore local SOURCE (use <tab>)

Backups are stored at /var/CPbackup/backups accessible from the expert CLI

Monitor

Tcpdump – OS level – TCP/IP stack – won’t see rejected traffic
Fw monitor – Before the TCP/IP stack – looks at the 4 points of inspection – doesn’t provide MAC information

SecureXL needs to be disabled before monitoring to make packets go through the Kernel.

fwaccel off
fw monitor
fwaccel on
fwaccel stat

Filter – Filter packets to monitor

-e "accept FILTER;"
fw monitor -e "accept host(10.1.1.101) and host(172.22.102.1);"
fw monitor -e "accept host(8.8.8.8) and port(21);"

Output – Create a pcap file for Wireshark

-o OUTFILENAME
fw monitor -o hide_nat.out
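
The SecureXL off / fw monitor / SecureXL on sequence above, wrapped so that acceleration is always switched back on after the capture, even when fw monitor fails or is stopped with Ctrl-C. This is an added example, not part of the original page; the function names are hypothetical and it assumes fwaccel and fw are on the PATH of the expert shell.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a gateway expert shell
# where fwaccel and fw are on PATH; the function names are hypothetical.

# Accept only a dotted-quad IPv4 address, so nothing else can end up
# inside the INSPECT filter string.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|*[0-9][0-9][0-9][0-9]*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || exit 1
    done
)

# build_filter HOST_A HOST_B -> accept host(A) and host(B);
build_filter() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    printf 'accept host(%s) and host(%s);' "$1" "$2"
}

# capture_securexl_off HOST_A HOST_B OUTFILE
# Returns 2 on bad arguments, otherwise the exit status of fw monitor.
capture_securexl_off() {
    cap_filter=$(build_filter "$1" "$2") || { echo "bad host address" >&2; return 2; }
    [ -n "${3:-}" ] || { echo "missing output file" >&2; return 2; }
    cap_rc=0
    fwaccel off
    # Ctrl-C is how fw monitor is normally stopped; trap it here so this
    # shell survives the signal and still reaches "fwaccel on".
    trap : INT
    fw monitor -e "$cap_filter" -o "$3" || cap_rc=$?
    trap - INT
    fwaccel on
    fwaccel stat
    return "$cap_rc"
}

# Run directly as: sh capture.sh 10.1.1.101 172.22.102.1 hide_nat.out
if [ "$#" -eq 3 ]; then
    capture_securexl_off "$@"
fi
```
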

TCPDump

expert> tcpdump -nni eth1
tcpdump -i eth1 icmp -w dumpfile.out

Upgrade

Upgrade tools: $FWDIR/bin/upgrade_tools

./migrate export PATH_FILENAME 
./migrate import PATH_FILENAME

On the CD, the tools are in the folder linux/actions

./pre_upgrade_verifier -p $FWDIR -c R77 -t R77.30

Processes

lsmod
ps -ef | grep PROCESSNAME

List table names

Expert> fw tab | grep -e "---" | more
Expert> fw tab -s

Get table information

Expert> fw tab -t TABLENAME

Empty a table

Expert> fw tab -x TABLENAME

Cluster Commands

Check cluster node status

cphaprob stat
cphaprob list

Debug information, saved in /var/log/messages

cphaconf debug_data

Provoke a failover:

cphaprob -d STOP -s problem -t 0 register
cphaprob -d STOP unregister

Makes cluster node Down or Up

clusterXL_admin [down/up]