My personal collection of CheckPoint Commands.
Most of them work best in expert mode.
[Expert@gateway:0]#
| Command | Description |
|---|---|
| cpconfig | change SIC, licenses and more |
| cpview -t | show top style performance counters |
| cphaprob stat | list the state of the high availability cluster members. Should show active and standby devices. |
| cphaprob -a if | display status of monitored interfaces in a cluster |
| cphaprob -l list | display registered cluster devices and status |
| cphaprob syncstat | display sync transport layer statistics |
| cphaprob ldstat | display sync serialization statistics |
| cphastop | stop a cluster member from passing traffic. Stops synchronization. (emergency only) |
| clusterXL_admin down -p | disable this node from cluster membership |
| cphaconf cluster_id get | get cluster Global ID membership |
| cphaconf set_ccp broadcast/multicast | set cluster mode |
| cplic print | license information |
| cpstart | start all checkpoint services |
| cpstat fw | show policy name, policy install time and interface table |
| cpstat ha | high availability state |
| cpstat blades | top rule hits and amount of connections |
| cpstat os -f all | checkpoint interface table, routing table, version, memory status, cpu load, disk space |
| cpstat os -f cpu | checkpoint cpu status |
| cpstat os -f multi_cpu | checkpoint cpu load distribution |
| cpstat os -f sensors | hardware environment (temperature/fan/voltage) |
| cpstat os -f routing | checkpoint routing table |
| cpstat mg -f log_server | monitor log servers performance (events/sec) |
| cpstop | stop all checkpoint services |
| cpwd_admin monitor_list | list processes actively monitored. Firewall should contain cpd and vpnd. |
| show sysenv all | show hardware sensors (fans, power supply, temp, volt) |
| show asset all | show serial numbers and hardware info |
| show route destination xx.xx.xx.xx | show routing for specific host |
| ip route get xx.xx.xx.xx | show routing for specific host |
| iclid / show cluster state | show cluster fail over history |
| promote_util | promote the Secondary Management server to become the Primary server |
| cp_conf sic init key123 norestart | reset SIC without restarting the firewall process |
| fw ver | firewall version |
| fw ctl iflist | show interface names |
| fw ctl pstat | show control kernel memory and connections |
| fwaccel stat | show SecureXL status |
| fw fetch | get the policy from the firewall manager |
| fwm load | compile and install a policy on the target’s gateways. |
| fw getifs | list interfaces and IP addresses |
| fw log | show the content of the connections log |
| fw log -b "MMM DD, YYYY HH:MM:SS" "MMM DD, YYYY HH:MM:SS" | search the current log for activity between specific times |
| fw log -c drop | search for dropped packets in the active log; also can use accept or reject to search |
| fw log -f | tail the current log |
| fwm logexport -i -o -n -p | export an old log file on the firewall manager |
| fw logswitch | rotate logs |
| fw lslogs | list firewall logs |
| fw stat | firewall status, should contain the name of the policy and the relevant interfaces. |
| fw stat -l | show which policy is associated with which interface and package drop, accept and reject |
| fw tab | displays firewall tables |
| fw tab -s -t connections | number of connections in state table |
| fw tab -f -t vpn_routing -u | routing for remote vpns |
| fw tab -s -t userc_users | number of remote users connected (VPN) |
| fw tab -t xlate -x | clear all translated entries |
| fw unloadlocal | clear local firewall policy |
| fw monitor -e "accept host(10.1.1.10);" | trace the packet flow to/from the specified host |
| fw ctl zdebug + drop \| grep -e 'x.x.x.x' -e 'y.y.y.y' | check the reason your packets are being dropped |
One-liner for Address Spoofing Troubleshooting
One-liner (Bash) to show a summary about each interfaces’ calculated topology and address spoofing setting.
$FWDIR/state/local/FW1/local.set contains all required information regarding interfaces and their topology.

```bash
echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed 's/[\x22\t()<>-]//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' | tac | sed '/ifindex 0/I,+2 d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'; echo
```

Links
- http://www.tech-wiki.net/index.php?title=Useful_Check_Point_CLI_commands
- https://community.checkpoint.com/t5/General-Topics/My-Top-3-Check-Point-CLI-commands/td-p/4649
- https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/One-liner-for-Address-Spoofing-Troubleshooting/td-p/33204
- https://www.roesen.org/files/cp_cli_ref_card.pdf

