Check Point CLI troubleshooting & management commands (often used)
Check Point Firewall (basic troubleshooting commands incl. clustering)
| cphaprob stat | List cluster status |
| cphaprob -a if | List status of interfaces |
| cphaprob syncstat | Shows the state-synchronization statistics (sync traffic, lost/retransmitted updates) |
| cphaprob list | Lists the registered critical devices (pnotes) and their state; a device in "problem" state pulls the member out of Active |
| cphastart / cphastop | Starts / stops clustering on the specific (local) member; cphastop on the active member forces a failover |
| cp_conf sic | Manage SIC (Secure Internal Communication): cp_conf sic state shows whether trust is established, cp_conf sic init <one-time-password> resets it |
| cpconfig | Interactive configuration utility (SIC, licenses, administrators, cluster membership, SecureXL, etc.) |
| cplic print | Prints the installed licenses |
| cprestart | Restarts all Check Point services |
| cpstart | Starts all Check Point Services |
| cpstop | Stops all Check Point Services |
| cpstop -fwflag -proc | Stops all Check Point services but keeps the kernel policy active (traffic is still enforced) |
| cpwd_admin list | Lists the Check Point processes supervised by the watchdog (cpwd) with PID, state and start count |
| cpstat -f all polsrv | Show VPN Policy Server stats |
| cpstat <application> | Shows status of a Check Point application, e.g. cpstat fw (installed policy, interface counters) or cpstat os (CPU, memory, disk) |
| fw tab -t sam_blocked_ips | Shows the SAM (Suspicious Activity Monitoring) table, i.e. the addresses currently blocked via SmartView Tracker/SmartView Monitor block actions |
| fw tab -t connections -s | Show connection stats |
| fw tab -t connections -f | Show connections with IP instead of HEX |
| fw tab -t fwx_alloc -f | Show fwx_alloc with IP instead of HEX |
| fw tab -t peers_count -s | Shows the number of VPN peers (site-to-site) |
| fw tab -t userc_users -s | Shows the number of connected remote-access (SecureClient/SecuRemote) users |
| fw checklic | Check license details |
| fw ctl get int [global kernel parameter] | Shows the current value of a global kernel parameter |
| fw ctl set int [global kernel parameter] [value] | Sets the current value of a global kernel parameter. Temporary only; cleared after reboot. To persist it, add the parameter to $FWDIR/boot/modules/fwkern.conf. |
| fw ctl arp | Shows the proxy ARP table (addresses the gateway answers ARP for, e.g. static NAT addresses) |
| fw ctl install | Installs the firewall on the host's internal interfaces |
| fw ctl ip_forwarding | Controls IP forwarding |
| fw ctl pstat | System resource stats (memory pools, connections, fragments, sync) |
| fw ctl uninstall | Uninstalls the firewall from the host's internal interfaces |
| fw logexport -o <file> | Exports the current log file to a delimited ASCII text file |
| fw fetch | Fetch security policy and install |
| fw fetch localhost | Installs (on gateway) the last installed policy. |
| fw hastat | Shows Cluster statistics |
| fw lichosts | Display protected hosts |
| fw log -f | Tail the current log file |
| fw log -s <start time> -e <end time> | Retrieve log entries between two times |
| fw logswitch | Rotate current log file |
| fw lslogs | Display remote machine log-file list |
| fw monitor | Kernel packet capture; shows each packet at the inbound/outbound inspection points (i, I, o, O). Filter with an INSPECT expression, e.g. fw monitor -e "accept host(10.1.1.5);" |
| fw printlic -p | Print the licensed firewall modules/features |
| fw printlic | Print current license details |
| fw putkey | Install an authentication key onto a host (legacy pre-SIC method) |
| fw stat -l | Long stat list, shows which policies are installed |
| fw stat -s | Short stat list, shows which policies are installed |
| fw unloadlocal | Unloads the policy from the local gateway (leaves it without a security policy; reload with fw fetch localhost or a policy install) |
| fw ver -k | Returns version, patch info and kernel info |
| fwstart | Starts the firewall |
| fwstop | Stop the firewall |
| fwm lock_admin -v | View locked administrator accounts (fwm lock_admin -u <name> unlocks one, fwm lock_admin -ua unlocks all) |
| fwm dbexport -f user.txt | Exports the user database to a file; fwm dbimport -f <file> imports it |
| fwm_start | starts the management processes |
| fwm -p | Print a list of Admin users |
| fwm -a | Adds an Admin |
| fwm -r | Delete an administrator |
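An added example (not part of the original cheat sheet): a POSIX shell/awk filter that reads cphaprob stat output on stdin and turns it into a pass/fail check, so the cluster state can be watched from a monitoring job or a pre-change script instead of eyeballed. The SAMPLE_* texts are constructed to approximate the cphaprob stat layout (member lines begin with the member number, the local member carries a "(local)" tag); the member names and addresses are invented, and the expectations (one Active and the rest Standby in High Availability mode, all Active in Load Sharing mode) are my assumptions.

```shell
#!/bin/sh
# Usage on a cluster member:   cphaprob stat | cluster_health
# Exit codes: 0 healthy, 1 degraded, 2 no member lines parsed (not a cluster, or layout changed).

# Constructed samples approximating the cphaprob stat layout (not real captures).
SAMPLE_HEALTHY='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.100.1   100%            ACTIVE         fw-a
2          192.168.100.2   0%              STANDBY        fw-b
'

SAMPLE_DEGRADED='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.100.1   100%            ACTIVE         fw-a
2          192.168.100.2   0%              DOWN           fw-b
'

SAMPLE_LOADSHARING='Cluster Mode:   Load Sharing (Multicast)

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.100.1   50%             ACTIVE         fw-a
2          192.168.100.2   50%             ACTIVE         fw-b
'

cluster_health() {
  awk '
    # The mode line decides what "healthy" means.
    /^Cluster Mode:/ { if ($0 ~ /Load Sharing/) ls = 1 }

    # Member lines start with the member number; "(local)" shifts the columns by one.
    $1 ~ /^[0-9]+$/ {
      if ($2 == "(local)") { addr = $3; state = toupper($5) }
      else                 { addr = $2; state = toupper($4) }
      members++
      printf "member %s %s %s\n", $1, addr, state
      # Anything that is neither ACTIVE nor STANDBY (DOWN, READY, INIT, ACTIVE(!)) is a problem.
      if (state == "ACTIVE") active++
      else if (state != "STANDBY") bad++
    }

    END {
      if (members == 0) { print "verdict: no member lines parsed"; exit 2 }
      if (ls) healthy = (bad == 0 && active == members)   # Load Sharing: every member active
      else    healthy = (bad == 0 && active == 1)         # HA: exactly one active member
      if (healthy) { print "verdict: healthy"; exit 0 }
      printf "verdict: degraded (active=%d, unhealthy=%d of %d)\n", active, bad, members
      exit 1
    }'
}
```

Pair it with cphaprob list when it reports "degraded": the pnote that is in problem state (interface, fwd, routed, ...) is the reason the member left Active.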
Provider-1 (Multi-Domain) Management
| mdsenv [cma name] | Sets the MDS environment variables; with a CMA name, switches the environment to that CMA (Domain) |
| mcd | Changes your directory to that of the current environment ($FWDIR of the MDS or CMA) |
| mds_setup | Sets up MDS servers |
| mdsconfig | Alternative to cpconfig for MDS servers |
| mdsstat | Shows the status of the MDS and CMA processes |
| mdsstart_customer [cma name] | Starts a CMA |
| mdsstop_customer [cma name] | Stops a CMA |
| cma_migrate | Migrates a SmartCenter server database into a CMA |
| cmamigrate_assist | Helper for cma_migrate that spares you the manual tar/zip/ftp steps; requires FTP to be enabled on the SmartCenter server |
VPN Troubleshooting
| vpn tu | Interactive VPN TunnelUtil: lists IKE/IPsec SAs and lets you delete them per peer or user, which forces a rekey |
| vpn ipafile_check ipassignment.conf detail | Verifies the syntax of the ipassignment.conf file (Office Mode IP assignment) |
| dtps lic | Shows the desktop policy (Policy Server) license status |
| cpstat -f all polsrv | Shows the status of the Policy Server (dtps) |
| vpn shell /tunnels/delete/IKE/peer/[peer ip] | Deletes the IKE (Phase 1) SA with a peer |
| vpn shell /tunnels/delete/IPsec/peer/[peer ip] | Deletes the IPsec (Phase 2) SAs with a peer |
| vpn shell /show/tunnels/ike/peer/[peer ip] | Shows the IKE SA with a peer |
| vpn shell /show/tunnels/ipsec/peer/[peer ip] | Shows the IPsec (Phase 2) SAs with a peer |
| vpn shell show interface detailed [VTI name] | Shows details of a VPN Tunnel Interface (VTI) |
DEBUGGING PACKET FLOW
| fw ctl zdebug drop | Shows dropped packets in real time with the drop reason (rule number, anti-spoofing, etc.). On R80.20 and later the syntax is fw ctl zdebug + drop. It prints everything the kernel drops, so run it only briefly on a busy gateway and pipe it through grep for the address of interest. |
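An added example (not part of the original cheat sheet): a shell/awk summarizer for a short fw ctl zdebug drop capture. Instead of scrolling through the raw debug buffer, it groups drops by reason and source/destination pair and counts them, which makes the "is rule 12 really what is eating my traffic?" question answerable in seconds. SAMPLE_DROPS is constructed to approximate the R80.x zdebug drop line layout (the fw_log_drop_ex lines with "src -> dst ... Reason: ..."); the addresses, ports and rule numbers are invented.

```shell
#!/bin/sh
# Usage on a gateway (capture a few seconds, then stop with Ctrl-C):
#   fw ctl zdebug + drop > /tmp/drops.txt      # "fw ctl zdebug drop" before R80.20
#   summarize_drops < /tmp/drops.txt

# Constructed sample approximating the zdebug drop line layout (not a real capture).
SAMPLE_DROPS=';[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:51234 -> 10.2.2.9:443 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 12;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:51235 -> 10.2.2.9:443 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 12;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 10.1.1.7:5353 -> 224.0.0.251:5353 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 99;
;[cpu_2];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:51236 -> 10.2.2.9:443 dropped by fw_send_log_drop Reason: Anti-Spoofing;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.4:44000 -> 10.2.2.9:22 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 99;
'

# Reads zdebug output on stdin; prints "<count>  <reason>  <src> -> <dst>" lines, most frequent first,
# followed by the total. Ports are stripped so that one client with many ephemeral ports is one line.
summarize_drops() {
  awk '
    /fw_log_drop_ex/ {
      src = ""; dst = ""; reason = "unknown"
      for (i = 1; i <= NF; i++) {
        if ($i == "->") { src = $(i-1); dst = $(i+1) }              # "<src:port> -> <dst:port>"
        if ($i == "Reason:") {                                     # everything after "Reason:"
          reason = $(i+1)
          for (j = i+2; j <= NF; j++) reason = reason " " $j
        }
      }
      sub(/;$/, "", reason)                                        # trailing ";" of the debug line
      sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)           # drop the port numbers
      count[reason "  " src " -> " dst]++
      total++
    }
    END {
      for (k in count) printf "%5d  %s\n", count[k], k
      printf "total dropped packets: %d\n", total
    }' | sort -rn
}
```

Anti-Spoofing drops next to Rulebase drops for the same pair, as in the sample, usually mean the packet arrives on an interface whose topology does not contain the source network; check cphaprob -a if / the interface topology before touching the rulebase.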
- Check Point article for performance troubleshooting on gateways (sk33781): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33781
- Check Point article on how to troubleshoot cluster failovers (sk62570): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62570#ROUTED
- Cheat sheet for CLI commands: http://www.roesen.org/files/cp_cli_ref_card.pdf
- More troubleshooting commands for Gaia: http://www.51sec.org/2015/10/21/advanced-checkpoint-gaia-cli-commands-tips-and-tricks/
- More Check Point related topics/articles: https://blog.lachmann.org/?cat=20
CHECK POINT GAIA CLISH COMMANDS
show commands
| show commands | shows all commands |
| show allowed-client all | show allowed clients |
| show arp dynamic all | displays the dynamic arp entries |
| show arp proxy all | shows proxy arp |
| show arp static all | displays all the static arp entry |
| show as | displays autonomous system number |
| show assets all | display hardware information |
| show bgp stats | shows bgp statistics |
| show bgp summary | shows summary information about bgp |
| show bootp stats | shows bootp/dhcp relay statistics |
| show bootp interface | show all bootp/dhcp relay interfaces |
| show bonding group | show all bonding groups |
| show bridging groups | show all bridging groups |
| show backups | shows a list of local backups |
| show backup status | show the status of a backup or restore operation being performed |
| show backup last-successful | show the latest successful backup |
| show backup logs | show the logs of the recent backups/restores performed |
| show clock | show current clock |
| show configuration | show configuration |
| show config-state | shows whether the running configuration is saved or unsaved |
| show date | shows date |
| show dns primary | shows primary dns server |
| show dns secondary | shows secondary dns server |
| show extended commands | shows all extended commands |
| show groups | shows all user groups |
| show hostname | show host name |
| show inactivity-timeout | shows inactivity-timeout settings |
| show interfaces | shows all interfaces |
| show interface ethX | shows settings of interface ethX (e.g. show interface eth0) |
| show interfaces all | shows detailed information about all interfaces |
| show ipv6-state | shows ipv6 status as enabled or disabled |
| show management interface | shows management interface configuration |
| show ntp active | shows ntp status as enabled or disabled |
| show ntp servers | shows ntp servers |
| show ospf database | shows ospf database information |
| show ospf neighbors | shows ospf neighbors information |
| show ospf summary | shows ospf summary information |
| show pbr rules | shows policy based routing rules |
| show pbr summary | shows policy based routing summary information |
| show pbr tables | show pbr tables |
| show route | shows routing table |
| show routed version | shows information about routed version |
| show snapshots | shows a list of local snapshots |
| show snmp agent-version | shows whether the version is v1/v2/v3 |
| show snmp interfaces | shows snmp agent interface |
| show snmp traps receivers | shows snmp trap receivers |
| show time | shows local machine time |
| show timezone | show configured timezone |
| show uptime | show system uptime |
| show users | show configured users and their homedir, uid/gid and shell |
| show user <username> | shows settings related to a particular user |
| show version all | shows version related to os edition, kernel version, product version etc |
| show virtual-system all | show virtual-systems configured |
| show vpn tunnels | use to show the vpn tunnels |
| show vrrp stats | shows vrrp status |
| show vrrp interfaces | shows vrrp enabled interfaces |
set commands
| add allowed-client host any-host / add allowed-client host ipv4-address <ip address> | allow any host to reach the WebUI/SSH / allow one IPv4 address (prefer explicit admin hosts over any-host) |
| add backup local | creates a backup file in /var/CPbackup/backups/ (open servers) or /var/log/CPbackup/backups/ (Check Point appliances) |
| add backup scp ip <ip> path <path> username <user> | creates a backup and copies it to an SCP server |
| add backup tftp ip <ip> [interactive] | creates a backup and copies it to a TFTP server (TFTP is unauthenticated and unencrypted; prefer SCP) |
| add snapshot | creates a snapshot, a full system image (OS configuration, Check Point configuration, versions, patch level, drivers) |
| add syslog log-remote-address <ip address> level <emerg/alert/crit/err/warning/notice/info/debug/all> | sends syslog messages at or above the given level to a remote syslog server |
| add user <username> uid <user-id-value> homedir <path> | creates a user |
| expert | enters the expert (bash) shell; requires the expert password set with set expert-password |
| halt | put system to halt |
| history | shows command history |
| lock database override | overrides the config-lock settings |
| quit | exits out of a shell |
| reboot | reboots a system |
| restore backup local [value] | restores local backup interactively |
| rollback | ends the transaction mode by reverting the changes made during transaction |
| save config | save the current configuration |
| set backup restore local <filename> | restores a local backup |
| set core-dump <enable/disable> | enable/disable core dumps |
| set date yyyy-mm-dd | sets system date |
| set dhcp server enable | enable dhcp server |
| set dns primary <x.x.x.x> | sets primary dns ip address |
| set dns secondary <x.x.x.x> | sets secondary dns ip address |
| set expert-password | sets or changes the password for entering expert mode (a root bash shell; use a strong password distinct from the admin password) |
| set edition default <32-bit/64-bit> | sets the default edition to 32-bit or 64-bit |
| set hostname <value> | sets system hostname |
| set inactivity-timeout <value> | sets the inactivity timeout |
| set interface ethx ipv4-address x.x.x.x mask-length 24 | adds ip address to an interface |
| set ipv6-state on/off | sets ipv6 status as on or off |
| set kernel-routes on/off | sets kernel routes to on/off state |
| set management interface <interface name> | sets an interface as management interface |
| set message motd value | sets message of the day |
| set ntp active on/off | activates ntp on/off |
| set ntp server primary x.x.x.x version <1/2/3/4> | sets primary ntp server |
| set ntp server secondary x.x.x.x version <1/2/3/4> | sets secondary ntp server |
| set snapshot revert <filename> | reverts the machine to the selected snapshot |
| set snmp agent on/off | sets the snmp agent daemon on/off |
| set snmp agent-version <value> | sets snmp agent version |
| set snmp community <value> read-only | sets snmp readonly community string |
| add snmp interface <interface name> | sets snmp agent interface |
| set snmp traps receiver <ip address> version v1 community value | specifies trap receiver |
| set snmp traps trap <value> | set snmp traps |
| set static-route x.x.x.x/24 nexthop gateway address x.x.x.x on | adds specific static route |
| set time <value> | sets system time |
| set timezone <region> / <city> | sets the time zone |
| set vsx on | turns VSX mode on |
| set vsx off | turns VSX mode off |
| set user <username> password | sets users password |
| set web session-timeout <value> | sets web configuration session time-out in minutes |
| set web ssl-port <value> | sets the web ssl-port for the system |
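An added example (not part of the original cheat sheet): a shell script for expert mode that generates a clish command file hardening Gaia management access from the set commands above (explicit allowed-client hosts instead of any-host, short idle timeouts, SNMP v3 only) and loads it with clish -f. The interesting part is the lock-out guard: any-host access is deleted only after at least one well-formed admin address has been added, and the function refuses to emit anything if no valid address was given. Assumptions of mine: that clish -f <file> loads a command file, that the keyword forms add/delete allowed-client host ipv4-address <ip> / any-host and set snmp agent-version v3-Only are accepted by your Gaia version, and the file path /tmp/harden.clish and the 10-minute timeouts.

```shell
#!/bin/sh
# Usage (expert mode, with a console session kept open in case you lock yourself out):
#   apply_gaia_hardening 10.1.1.5 203.0.113.7

# Four dot-separated decimal octets, each 0..255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F '[.]' '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# Arguments: admin host IPs that keep WebUI/SSH access.
# Prints the clish commands; returns 1 and prints nothing if no argument is a valid IPv4 address.
gaia_hardening_commands() {
  valid=""
  for ip in "$@"; do
    if is_ipv4 "$ip"; then valid="$valid $ip"
    else echo "skipping malformed address: $ip" >&2; fi
  done
  if [ -z "$valid" ]; then
    echo "refusing to remove any-host access: no valid admin IP supplied" >&2
    return 1
  fi

  echo "lock database override"                        # take the config lock from stale sessions
  for ip in $valid; do                                  # assumed keyword form: host ipv4-address <ip>
    echo "add allowed-client host ipv4-address $ip"
  done
  echo "delete allowed-client host any-host"            # only after the replacements exist
  echo "set inactivity-timeout 10"                      # clish idle timeout (minutes), assumed value
  echo "set web session-timeout 10"                     # WebUI idle timeout (minutes), assumed value
  echo "set snmp agent-version v3-Only"                 # no v1/v2c community strings on the wire
  echo "save config"
}

apply_gaia_hardening() {
  gaia_hardening_commands "$@" > /tmp/harden.clish || return 1
  clish -f /tmp/harden.clish                            # assumed: clish -f loads a command file
}
```

Verify afterwards with show allowed-client all and show config-state; if the WebUI stops answering from your workstation, the console session can re-add it with add allowed-client host ipv4-address <your ip>.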