Check Point Firewall (basic troubleshooting commands incl. clustering)
cphaprob stat | List cluster status |
cphaprob -a if | List status of interfaces |
cphaprob syncstat | shows the sync status |
cphaprob list | Lists the critical devices (pnotes) the cluster monitors and their state |
cphastart / cphastop | Starts / stops ClusterXL on this cluster member (cphastop takes the member out of the cluster, so traffic fails over to the peer) |
cp_conf sic state / cp_conf sic init <activation key> | Shows SIC (Secure Internal Communication) state / resets SIC with a new one-time activation key; trust must then be re-established from the management |
cpconfig | Interactive configuration tool (licenses, administrators, GUI clients, SIC, cluster membership, CoreXL, etc.) |
cplic print | prints the license |
cprestart | Restarts all Check Point Services |
cpstart | Starts all Check Point Services |
cpstop | Stops all Check Point Services |
cpstop -fwflag -proc | Stops all Check Point processes but keeps the installed policy active in the kernel |
cpwd_admin list | Lists the processes monitored by the Check Point WatchDog, with PID and state |
cpstat -f all polsrv | Show VPN Policy Server Stats |
cpstat | Shows the status of a Check Point component, e.g. cpstat fw, cpstat os, cpstat ha |
fw tab -t sam_blocked_ips | Lists the IPs currently blocked by SAM (Suspicious Activity Monitoring), e.g. blocks created from SmartView Tracker |
fw tab -t connections -s | Show connection stats |
fw tab -t connections -f | Show connections with IP instead of HEX |
fw tab -t fwx_alloc -f | Show fwx_alloc with IP instead of HEX |
fw tab -t peers_count -s | Shows the number of VPN peers |
fw tab -t userc_users -s | Shows the remote-access (SecuRemote/SecureClient) user table |
fw checklic | Check license details |
fw ctl get int <kernel parameter> | Shows the current value of a global kernel parameter |
fw ctl set int <kernel parameter> <value> | Sets a global kernel parameter at runtime. Temporary only; cleared at reboot. To make it persistent, add a "<parameter>=<value>" line to $FWDIR/boot/modules/fwkern.conf |
fw ctl arp | Shows arp table |
fw ctl install | Install hosts internal interfaces |
fw ctl ip_forwarding | Control IP forwarding |
fw ctl pstat | System Resource stats |
fw ctl uninstall | Uninstall hosts internal interfaces |
fw logexport -o <file> | Export the current log file to an ASCII text file (add -i <logfile> to export another log) |
fw fetch | Fetch security policy and install |
fw fetch localhost | Installs (on gateway) the last installed policy. |
fw hastat | Shows Cluster statistics |
fw lichosts | Display protected hosts |
fw log -f | Tail the current log file |
fw log -s <start time> -e <end time> | Retrieve log entries between two times |
fw logswitch | Rotate current log file |
fw lslogs | Display remote machine log-file list |
fw monitor | Packet sniffer |
fw printlic -p | Print current Firewall modules |
fw printlic | Print current license details |
fw putkey | Install an authentication key onto a host (legacy pre-SIC trust mechanism) |
fw stat -l | Long stat list, shows which policies are installed |
fw stat -s | Short stat list, shows which policies are installed |
fw unloadlocal | Unload policy |
fw ver -k | Returns version, patch info and kernel info |
fwstart | Starts the firewall |
fwstop | Stop the firewall |
fwm lock_admin -v | View locked administrator accounts (fwm lock_admin -u <admin> unlocks one, -ua unlocks all) |
fwm dbexport -f user.txt | used to export users , can also use dbimport |
fwm_start | starts the management processes |
fwm -p | Print a list of Admin users |
fwm -a | Adds an Admin |
fwm -r | Delete an administrator |
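The clustering rows above are what you type by hand; when the same check has to run from cron, a monitoring agent or a pre-change gate, the `cphaprob stat` output needs parsing. The script below is an added example, not code from the page or from Check Point. It assumes the R80.x table layout (member rows begin with a numeric ID and carry a State column); the two sample outputs are constructed, not captured from a real gateway. Anything other than a clean ACTIVE/STANDBY pair is reported, including "ACTIVE(!)", which means active with a failed pnote, and more than one ACTIVE member in High Availability mode, which points at a split brain.

```shell
#!/bin/bash
# Added example (not from the original page): parse `cphaprob stat` and exit
# non-zero when the cluster is not in a clean ACTIVE/STANDBY shape.
#
# Live use on a ClusterXL member, in expert mode:
#     cphaprob stat | check_cluster_state || echo "cluster unhealthy"
#
# Assumptions: member rows start with a numeric ID and carry a State column
# containing ACTIVE or STANDBY (case differs between releases, so the parser
# uppercases). Any other state (DOWN, READY, INIT, LOST, or ACTIVE(!) which
# means active with a failed pnote) is reported as a finding.

check_cluster_state() {
    awk '
        /^Cluster Mode:/ { mode = toupper($0) }
        /^[0-9]+[[:space:]]/ {
            members++
            state = "UNKNOWN"
            for (i = 2; i <= NF; i++) {
                s = toupper($i)
                if (s ~ /^(ACTIVE|STANDBY|DOWN|READY|INIT|LOST)/) { state = s; break }
            }
            if (state == "ACTIVE")       active++
            else if (state == "STANDBY") standby++
            else { bad++; print "member " $1 ": unexpected state " state }
        }
        END {
            if (members == 0) { print "no member rows parsed"; exit 2 }
            if (active == 0)  { print "no ACTIVE member"; bad++ }
            if (active > 1 && mode ~ /HIGH AVAILABILITY/) {
                print active " ACTIVE members in HA mode (possible split brain)"; bad++
            }
            if (bad > 0) exit 1
        }'
}

# Constructed sample outputs, modelled on the R80.x `cphaprob stat` layout
# (not captured from a real gateway).
SAMPLE_HEALTHY='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.100.1   100%            ACTIVE         fw-a
2          192.168.100.2   0%              STANDBY        fw-b'

SAMPLE_DEGRADED='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.100.1   100%            ACTIVE(!)      fw-a
2          192.168.100.2   0%              DOWN           fw-b'

# Wrappers over a captured or sample text, so the check can be exercised offline.
cluster_healthy()  { printf '%s\n' "$1" | check_cluster_state >/dev/null; }
cluster_findings() { printf '%s\n' "$1" | check_cluster_state | wc -l | tr -d ' '; }

# Stand-alone demo on the degraded sample.
printf '%s\n' "$SAMPLE_DEGRADED" | check_cluster_state || echo "=> cluster unhealthy"
```

On a real member pipe `cphaprob stat` straight into `check_cluster_state`; follow a non-zero exit with `cphaprob -a if` and `cphaprob list` to see which interface or pnote caused the state.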
PROVIDER 1 Management
mdsenv [cma name] | Sets the MDS environment (for the given CMA when a name is passed) |
mcd | Changes your directory to that of the current environment |
mds_setup | Sets up an MDS server |
mdsconfig | Alternative to cpconfig for MDS servers |
mdsstat | Shows the status of the MDS and CMA processes |
mdsstart_customer [cma name] | Starts the given CMA |
mdsstop_customer [cma name] | Stops the given CMA |
cma_migrate | Migrates a SmartCenter server into a CMA |
cmamigrate_assist | Assists the CMA migration: enables FTP on the SmartCenter server so the database does not have to be tar/zip/ftp'd by hand |
VPN Troubleshooting
vpn tu | VPN TunnelUtil: list and delete IKE/IPsec SAs, i.e. force a tunnel rekey |
vpn ipafile_check ipassignment.conf detail | Verifies the ipassignment.conf file |
dtps lic | show desktop policy license status |
cpstat -f all polsrv | show status of the dtps |
vpn shell /tunnels/delete/IKE/peer/[peer ip] | delete IKE SA |
vpn shell /tunnels/delete/IPsec/peer/[peer ip] | delete Phase 2 SA |
vpn shell /show/tunnels/ike/peer/[peer ip] | show IKE SA |
vpn shell /show/tunnels/ipsec/peer/[peer ip] | show Phase 2 SA |
vpn shell show interface detailed [VTI name] | show VTI detail |
DEBUGGING PACKETFLOW
fw ctl zdebug drop | Shows dropped packets in real time with the drop reason (kernel debug; CPU-heavy on busy gateways, so keep it short or redirect to a file and stop with Ctrl-C) |
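`fw ctl zdebug drop` is a firehose on a busy gateway, so the practical workflow is to capture for a few seconds and then rank what was dropped. The script below is an added example, not code from the page or from Check Point. It assumes the R80.x `fw_log_drop_ex` line layout ("Packet proto=6 A:port -> B:port dropped by <function> Reason: <text>;"); the sample lines it writes are constructed, not captured. It ranks drop reasons and the source addresses being dropped most, which separates a rulebase drop (expected) from anti-spoofing or out-of-state drops (worth a closer look).

```shell
#!/bin/bash
# Added example (not from the original page): summarise a short capture of
# `fw ctl zdebug drop` into ranked drop reasons and top dropped sources.
#
# Live use, in expert mode on the gateway (kernel debug is CPU-heavy; keep
# the capture short and Ctrl-C it):
#     fw ctl zdebug drop > /tmp/drops.txt      # stop after ~30 s
#     summarise_drops /tmp/drops.txt
#     top_dropped_sources /tmp/drops.txt 5
#
# Assumption: line layout modelled on R80.x fw_log_drop_ex messages
# ("... Packet proto=6 A:port -> B:port dropped by <fn> Reason: <text>;").
# The sample lines below are constructed, not captured.

summarise_drops() {
    # "<count> <reason>", most frequent first
    sed -n 's/.*dropped by [^ ]* *Reason: *\([^;]*\).*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

top_dropped_sources() {
    # "<count> <source ip>" for the N (default 5) most-dropped sources
    sed -n 's/.*Packet proto=[0-9]* \([0-9.]*\):[0-9]* -> .*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | head -n "${2:-5}" | sed 's/^ *//'
}

write_sample_drops() {
    # Constructed sample capture (not real gateway output).
    cat > "$1" <<'EOF'
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:51234 -> 192.168.1.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:51235 -> 192.168.1.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=17 10.1.1.9:40000 -> 8.8.8.8:53 dropped by fw_antispoof_log_drop Reason: Address spoofing;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 172.16.5.2:33000 -> 192.168.1.10:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[cpu_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.1.1.5:51300 -> 192.168.1.20:80 dropped by cphwd_pslglue_handle_packet Reason: TCP packet out of state;
EOF
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp)
write_sample_drops "$demo"
echo "Drop reasons:";  summarise_drops "$demo"
echo "Top sources:";   top_dropped_sources "$demo" 3
rm -f "$demo"
```

To follow one host while the capture runs, `fw ctl zdebug drop | grep <ip>` is enough; the summary functions are for the post-mortem on the saved file.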
- Check Point article on performance troubleshooting on gateways (sk33781): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33781
- Check Point article on how to troubleshoot cluster failovers (sk62570): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62570#ROUTED
- Like a cheat sheet for CLI commands? Go to http://www.roesen.org/files/cp_cli_ref_card.pdf
- Even more troubleshooting commands for Gaia are available at http://www.51sec.org/2015/10/21/advanced-checkpoint-gaia-cli-commands-tips-and-tricks/
- More Check Point related topics/articles: https://blog.lachmann.org/?cat=20
CHECKPOINT GAIA CLISH COMMANDS
show commands
show commands | shows all commands |
show allowed-client all | show allowed clients |
show arp dynamic all | displays the dynamic arp entries |
show arp proxy all | shows proxy arp |
show arp static all | displays all the static arp entry |
show as | displays autonomous system number |
show assets all | display hardware information |
show bgp stats | shows bgp statistics |
show bgp summary | shows summary information about bgp |
show vrrp stats | show vrrp statistics |
show bootp stats | shows bootp/dhcp relay statistics |
show bootp interface | show all bootp/dhcp relay interfaces |
show bonding group | show all bonding groups |
show bridging groups | show all bridging groups |
show backups | shows a list of local backups |
show backup status | show the status of a backup or restore operation being performed |
show backup last-successful | show the latest successful backup |
show backup logs | show the logs of the recent backups/restores performed |
show clock | show current clock |
show configuration | show configuration |
show config-state | shows whether the running configuration is saved or unsaved |
show date | shows date |
show dns primary | shows primary dns server |
show dns secondary | shows secondary dns server |
show extended commands | shows all extended commands |
show groups | shows all user groups |
show hostname | show host name |
show inactivity-timeout | shows inactivity-timeout settings |
show interfaces | shows all interfaces |
show interface ethX | shows settings for the single interface ethX |
show interfaces all | shows detailed information about all interfaces |
show ipv6-state | shows ipv6 status as enabled or disabled |
show management interface | shows management interface configuration |
show ntp active | shows ntp status as enabled or disabled |
show ntp servers | shows ntp servers |
show ospf database | shows ospf database information |
show ospf neighbors | shows ospf neighbors information |
show ospf summary | shows ospf summary information |
show pbr rules | shows policy based routing rules |
show pbr summary | shows policy based routing summary information |
show pbr tables | show pbr tables |
show route | shows routing table |
show routed version | shows information about routed version |
show snapshots | shows a list of local snapshots |
show snmp agent-version | shows whether the version is v1/v2/v3 |
show snmp interfaces | shows snmp agent interface |
show snmp traps receivers | shows snmp trap receivers |
show time | shows local machine time |
show timezone | show configured timezone |
show uptime | show system uptime |
show users | show configured users and their homedir, uid/gid and shell |
show user <username> | shows settings related to a particular user |
show version all | shows version related to os edition, kernel version, product version etc |
show virtual-system all | show virtual-systems configured |
show vpn tunnels | use to show the vpn tunnels |
show vrrp interfaces | shows vrrp enabled interfaces |
set commands
add allowed-client host any-host / add allowed-client host <ip address> | allow WebUI/SSH management from any source address (avoid on production gateways) / allow a single management host by IPv4 address |
add backup local | create and store a backup file in /var/cpbackups/backups/( on open servers) or /var/log/cpbackup/backups/ ( on checkpoint appliances) |
add backup scp ip value path value username value | adds backup to scp server |
add backup tftp ip value [ interactive ] | adds backup to tftp server |
add snapshot | creates a snapshot, which backs up everything (OS configuration, Check Point configuration, versions, patch level), including the drivers |
add syslog log-remote-address <ip address> level <emerg/alert/crit/err/warning/notice/info/debug/all> | specifies syslog parameters |
add user <username> uid <user-id-value> homedir <path> | creates a user |
expert | executes system shell |
halt | put system to halt |
history | shows command history |
lock database override | overrides the config-lock settings |
quit | exits out of a shell |
reboot | reboots a system |
restore backup local [value] | restores local backup interactively |
rollback | ends the transaction mode by reverting the changes made during transaction |
save config | save the current configuration |
set backup restore local <filename> | restores a local backup |
set core-dump <enable/disable> | enable/disable core dumps |
set date yyyy-mm-dd | sets system date |
set dhcp server enable | enable dhcp server |
set dns primary <x.x.x.x> | sets primary dns ip address |
set dns secondary <x.x.x.x> | sets secondary dns ip address |
set expert-password | set or change password for entering into expert mode |
set edition default <value> | set the default edition to 32-bit or 64-bit |
set hostname <value> | sets system hostname |
set inactivity-timeout <value> | sets the inactivity timeout |
set interface ethx ipv4-address x.x.x.x mask-length 24 | adds ip address to an interface |
set ipv6-state on/off | sets ipv6 status as on or off |
set kernel-routes on/off | sets kernel routes to on/off state |
set management interface <interface name> | sets an interface as management interface |
set message motd value | sets message of the day |
set ntp active on/off | activates ntp on/off |
set ntp server primary x.x.x.x version <1/2/3/4> | sets primary ntp server |
set ntp server secondary x.x.x.x version <1/2/3/4> | sets secondary ntp server |
set snapshot revert <filename> | revert the machine to the selected snapshot |
set snmp agent on/off | sets the snmp agent daemon on/off |
set snmp agent-version <value> | sets snmp agent version |
set snmp community <value> read-only | sets snmp readonly community string |
add snmp interface <interface name> | sets snmp agent interface |
set snmp traps receiver <ip address> version v1 community value | specifies trap receiver |
set snmp traps trap <value> | set snmp traps |
set static-route x.x.x.x/24 nexthop gateway address x.x.x.x on | adds specific static route |
set time <value> | sets system time |
set timezone <time-zone> | sets the time zone |
set vsx off | sets VSX mode off |
set vsx on | sets VSX mode on |
set user <username> password | sets users password |
set web session-timeout <value> | sets web configuration session time-out in minutes |
set web ssl-port <value> | sets the web ssl-port for the system |
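Several of the set commands above can leave a management plane wide open (allowed-client any-host, SNMP v1/v2c with a default community, no remote syslog, NTP off). The script below is an added example, not code from the page or from Check Point: it audits a saved `show configuration` dump for those settings and prints a suggested clish fix for each. It assumes one clish command per line, as `show configuration` prints them; the weak and hardened sample configurations are constructed, not captured.

```shell
#!/bin/bash
# Added example (not from the original page): audit a saved Gaia clish
# configuration for weak management-plane settings and suggest the fix.
#
# Live use, from expert mode on the gateway:
#     clish -c "show configuration" > /tmp/gaia.cfg
#     audit_gaia_config /tmp/gaia.cfg
#
# Assumptions: input is `show configuration` output (one clish command per
# line). Suggested fixes are standard Gaia clish commands; the two sample
# configurations below are constructed, not captured.

findings=0
note_weak() { echo "WEAK: $1"; echo "      fix: $2"; findings=$((findings + 1)); }

audit_gaia_config() {
    cfg="$1"; findings=0

    if grep -q '^add allowed-client host any-host' "$cfg"; then
        note_weak "WebUI/SSH reachable from any source (allowed-client any-host)" \
                  "delete allowed-client host any-host; add allowed-client host <admin ip>"
    fi
    if grep -q '^set snmp agent on' "$cfg" && ! grep -qi '^set snmp agent-version v3-only' "$cfg"; then
        note_weak "SNMP agent accepts v1/v2c (community strings travel in cleartext)" \
                  "set snmp agent-version v3-Only"
    fi
    if grep -Eq '^set snmp community (public|private) ' "$cfg"; then
        note_weak "default SNMP community string in use" \
                  "delete snmp community <name>; use an SNMPv3 USM user instead"
    fi
    if ! grep -q '^add syslog log-remote-address' "$cfg"; then
        note_weak "no remote syslog destination (local logs only; lost with the box)" \
                  "add syslog log-remote-address <ip> level info"
    fi
    if grep -q '^set ntp active off' "$cfg"; then
        note_weak "NTP disabled (log timestamps and certificate validity depend on correct time)" \
                  "set ntp active on; set ntp server primary <ip> version 4"
    fi

    echo "$findings finding(s) in $cfg"
    [ "$findings" -eq 0 ]
}

write_sample_configs() {
    # Constructed samples: $1 receives a weak configuration, $2 a hardened one.
    cat > "$1" <<'EOF'
set hostname fw-a
add allowed-client host any-host
set snmp agent on
set snmp agent-version any
set snmp community public read-only
set ntp active off
set web ssl-port 443
EOF
    cat > "$2" <<'EOF'
set hostname fw-a
add allowed-client host 10.10.0.5
set snmp agent on
set snmp agent-version v3-Only
set ntp active on
set ntp server primary 10.10.0.1 version 4
add syslog log-remote-address 10.10.0.20 level info
set web ssl-port 443
EOF
}

# Stand-alone demo on the weak sample.
w=$(mktemp); h=$(mktemp)
write_sample_configs "$w" "$h"
audit_gaia_config "$w" || echo "=> hardening needed"
rm -f "$w" "$h"
```

Run it against the dump before and after a change window; a non-zero exit is the signal to `lock database override`, apply the suggested commands and `save config`, then re-export and re-audit.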