Difference between revisions of "Useful Check Point CLI commands"
From Tech-Wiki
(40 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
[[Category:Check Point]] | [[Category:Check Point]] | ||
+ | '''[[Check Point#Gaia|Back to Gaia]]''' | ||
− | Useful Check Point commands. Check Point commands generally come under '''cp''' (general) and '''fw''' (firewall) | + | Useful Check Point commands. Check Point commands generally come under '''cp''' (general) and '''fw''' (firewall). Both of them must be used on expert mode (bash shell) |
− | + | ||
− | '''Useful | + | |
− | + | '''Useful Check Point Commands''' | |
− | {|border="1" | + | |
+ | {|border="1" cellpadding="5" cellspacing="0" | ||
+ | |+ align="bottom" |''Table 1. Useful CP Commands'' | ||
|- | |- | ||
− | !Command | + | !scope="col" style="background:#97CAFF;" |Command |
− | !Description | + | !scope="col" style="background:#97CAFF;" |Description |
|- | |- | ||
|cpconfig | |cpconfig | ||
|change SIC, licenses and more | |change SIC, licenses and more | ||
|- | |- | ||
− | | | + | |cpview -t |
− | | | + | |show top style performance counters |
|- | |- | ||
|cphaprob stat | |cphaprob stat | ||
|list the state of the high availability cluster members. Should show active and standby devices. | |list the state of the high availability cluster members. Should show active and standby devices. | ||
+ | |- | ||
+ | |cphaprob -a if | ||
+ | |display status of monitored interfaces in a cluster | ||
+ | |- | ||
+ | |cphaprob -l list | ||
+ | |display registered cluster devices and status | ||
|- | |- | ||
|cphaprob syncstat | |cphaprob syncstat | ||
|display sync transport layer statistics | |display sync transport layer statistics | ||
+ | |- | ||
+ | |cphaprob ldstat | ||
+ | |display sync serialization statistics | ||
|- | |- | ||
|cphastop | |cphastop | ||
|stop a cluster member from passing traffic. Stops synchronization. (emergency only) | |stop a cluster member from passing traffic. Stops synchronization. (emergency only) | ||
+ | |- | ||
+ | |clusterXL_admin down –p | ||
+ | |disable this node from cluster membership | ||
+ | |- | ||
+ | |cphaconf cluster_id get | ||
+ | |get cluster Global ID membership | ||
+ | |- | ||
+ | |cphaconf set_ccp broadcast/multicast | ||
+ | |set cluster mode | ||
|- | |- | ||
|cplic print | |cplic print | ||
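Review bot: the added row `clusterXL_admin down –p` has an en dash (–) in front of `p` rather than an ASCII hyphen, so a reader who pastes it into a shell does not pass `-p` as an option; change the row to `clusterXL_admin down -p`. The new intro sentence on the first changed line also lacks its closing full stop and would read better as "Both must be run in expert mode (bash shell)."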
Line 36: | Line 57: | ||
|cpstat ha | |cpstat ha | ||
|high availability state | |high availability state | ||
+ | |- | ||
+ | |cpstat blades | ||
+ | |top rule hits and amount of connections | ||
|- | |- | ||
|cpstat os -f all | |cpstat os -f all | ||
Line 42: | Line 66: | ||
|cpstat os -f cpu | |cpstat os -f cpu | ||
|checkpoint cpu status | |checkpoint cpu status | ||
+ | |- | ||
+ | |cpstat os -f multi_cpu | ||
+ | |checkpoint cpu load distribution | ||
+ | |- | ||
+ | |cpstat os -f sensors | ||
+ | |hardware environment (temperature/fan/voltage) | ||
|- | |- | ||
|cpstat os -f routing | |cpstat os -f routing | ||
|checkpoint routing table | |checkpoint routing table | ||
+ | |- | ||
+ | |cpstat mg -f log_server | ||
+ | |monitor log servers performance (events/sec) | ||
+ | |- | ||
+ | | cpstat -f log_connection fw | ||
+ | |monitor log servers settings | ||
|- | |- | ||
|cpstop | |cpstop | ||
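Review bot: the added row `| cpstat -f log_connection fw` starts with a stray space after the cell pipe and puts `-f <flavour>` before the application name, while the other cpstat rows in this table (`cpstat os -f cpu`, `cpstat mg -f log_server`) put it after; drop the space and use one order throughout. Its description, "monitor log servers settings", differs from the row above by one word, so say what this flavour reports that `log_server` does not.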
Line 51: | Line 87: | ||
|cpwd_admin monitor_list | |cpwd_admin monitor_list | ||
|list processes actively monitored. Firewall should contain cpd and vpnd. | |list processes actively monitored. Firewall should contain cpd and vpnd. | ||
+ | |- | ||
+ | |show sysenv all | ||
+ | |show hardware sensors (fans,power supply,temp,volt) | ||
+ | |- | ||
+ | |show asset all | ||
+ | |show serial numbers and hardware info | ||
+ | |- | ||
+ | |show route destination xx.xx.xx.xx | ||
+ | |show routing for specific host | ||
+ | |- | ||
+ | |ip route get xx.xx.xx.xx | ||
+ | |show routing for specific host | ||
+ | |- | ||
+ | |iclid / show cluster state | ||
+ | |show cluster fail over history | ||
+ | |- | ||
+ | |promote_util | ||
+ | |promote the Secondary Management server to become the Primary server | ||
+ | |- | ||
+ | |cp_conf sic init key123 norestart | ||
+ | |reset SIC without restarting the firewall process | ||
|} | |} | ||
− | + | ||
+ | |||
+ | |||
'''Useful FW Commands''' | '''Useful FW Commands''' | ||
− | + | {|border="1" cellpadding="5" cellspacing="0" | |
− | {|border="1" | + | |+ align="bottom" |''Table 2. Useful FW Commands'' |
|- | |- | ||
− | !Command | + | !scope="col" style="background:#97CAFF;" |Command |
− | !Description | + | !scope="col" style="background:#97CAFF;" |Description |
+ | |- | ||
+ | |fw ver | ||
+ | |firewall version | ||
|- | |- | ||
|fw ctl iflist | |fw ctl iflist | ||
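Review bot: the added row `cp_conf sic init key123 norestart` hardcodes `key123` where the SIC key goes, and cheat-sheet rows get copied verbatim; replace it with a placeholder such as `<activation key>`, in the same style as `<manager IP>` in the FW table. The `show sysenv all`, `show asset all` and `show route destination` rows added here also sit under the intro line that says the commands must be used in expert mode, so state which shell each of these rows is meant for.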
Line 66: | Line 128: | ||
|show control kernel memory and connections | |show control kernel memory and connections | ||
|- | |- | ||
− | | | + | |fwaccel stat |
− | | | + | |show SecureXL status |
|- | |- | ||
|fw fetch <manager IP> | |fw fetch <manager IP> | ||
|get the policy from the firewall manager | |get the policy from the firewall manager | ||
+ | |- | ||
+ | |fwm load <policy name> <gateway name> | ||
+ | |compile and install a policy on the target's gateways. | ||
+ | |- | ||
+ | |fw getifs | ||
+ | |list interfaces and IP addresses | ||
|- | |- | ||
|fw log | |fw log | ||
|show the content of the connections log | |show the content of the connections log | ||
|- | |- | ||
− | |fw log -b | + | |fw log -b "MMM DD, YYYY HH:MM:SS" "MMM DD, YYYY HH:MM:SS" |
− | |search the current log for activity between specific times | + | |search the current log for activity between specific times |
|- | |- | ||
|fw log -c drop | |fw log -c drop | ||
Line 84: | Line 152: | ||
|tail the current log | |tail the current log | ||
|- | |- | ||
− | |fwm logexport -i <log name> -o <output name> | + | |fwm logexport -i <log name> -o <output name> -n -p |
|export an old log file on the firewall manager | |export an old log file on the firewall manager | ||
|- | |- | ||
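Review bot: the `fwm logexport` row gains `-n -p` but its description is left as "export an old log file on the firewall manager", so the reader cannot tell what the two new flags change; add a few words to the description covering each flag, or list the flagged form as a separate row next to the plain one.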
Line 104: | Line 172: | ||
|fw tab -s -t connections | |fw tab -s -t connections | ||
|number of connections in state table | |number of connections in state table | ||
+ | |- | ||
+ | |fw tab -f -t vpn_routing -u | ||
+ | |routing for remote vpns | ||
+ | |- | ||
+ | |fw tab -s -t userc_users | ||
+ | |number of remote users connected (VPN) | ||
|- | |- | ||
|fw tab -t xlate -x | |fw tab -t xlate -x | ||
Line 111: | Line 185: | ||
|clear local firewall policy | |clear local firewall policy | ||
|- | |- | ||
− | |fw | + | |fw monitor -e "accept host(10.1.1.10);" |
− | | | + | |trace the packet flow to/from the specified host |
+ | |- | ||
+ | |fw ctl zdebug + drop <nowiki>|</nowiki> grep 'x.x.x.x\<nowiki>|</nowiki>y.y.y.y' | ||
+ | |Check reason of your packet being dropped | ||
|} | |} |
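Review bot: the added `fw monitor -e "accept host(10.1.1.10);"` row hardcodes an address, while the `fw ctl zdebug` row added right below it and the routing rows in Table 1 use `x.x.x.x` / `xx.xx.xx.xx` placeholders; use a placeholder here as well so the row is not pasted with the sample IP. The zdebug description "Check reason of your packet being dropped" is the only capitalised description in the table and would read better as "check why a packet is being dropped".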
Latest revision as of 19:03, 19 February 2023
Useful Check Point commands. Check Point commands generally come under cp (general) and fw (firewall). Both must be run in expert mode (bash shell).
Useful Check Point Commands
Command | Description |
---|---|
cpconfig | change SIC, licenses and more |
cpview -t | show top style performance counters |
cphaprob stat | list the state of the high availability cluster members. Should show active and standby devices. |
cphaprob -a if | display status of monitored interfaces in a cluster |
cphaprob -l list | display registered cluster devices and status |
cphaprob syncstat | display sync transport layer statistics |
cphaprob ldstat | display sync serialization statistics |
cphastop | stop a cluster member from passing traffic. Stops synchronization. (emergency only) |
clusterXL_admin down -p | disable this node from cluster membership |
cphaconf cluster_id get | get cluster Global ID membership |
cphaconf set_ccp broadcast/multicast | set cluster mode |
cplic print | license information |
cpstart | start all checkpoint services |
cpstat fw | show policy name, policy install time and interface table |
cpstat ha | high availability state |
cpstat blades | top rule hits and amount of connections |
cpstat os -f all | checkpoint interface table, routing table, version, memory status, cpu load, disk space |
cpstat os -f cpu | checkpoint cpu status |
cpstat os -f multi_cpu | checkpoint cpu load distribution |
cpstat os -f sensors | hardware environment (temperature/fan/voltage) |
cpstat os -f routing | checkpoint routing table |
cpstat mg -f log_server | monitor log servers performance (events/sec) |
cpstat -f log_connection fw | monitor log servers settings |
cpstop | stop all checkpoint services |
cpwd_admin monitor_list | list processes actively monitored. Firewall should contain cpd and vpnd. |
show sysenv all | show hardware sensors (fans, power supply, temp, volt) |
show asset all | show serial numbers and hardware info |
show route destination xx.xx.xx.xx | show routing for specific host |
ip route get xx.xx.xx.xx | show routing for specific host |
iclid / show cluster state | show cluster failover history |
promote_util | promote the Secondary Management server to become the Primary server |
cp_conf sic init key123 norestart | reset SIC without restarting the firewall process |
Useful FW Commands
Command | Description |
---|---|
fw ver | firewall version |
fw ctl iflist | show interface names |
fw ctl pstat | show control kernel memory and connections |
fwaccel stat | show SecureXL status |
fw fetch <manager IP> | get the policy from the firewall manager |
fwm load <policy name> <gateway name> | compile and install a policy on the target's gateways. |
fw getifs | list interfaces and IP addresses |
fw log | show the content of the connections log |
fw log -b "MMM DD, YYYY HH:MM:SS" "MMM DD, YYYY HH:MM:SS" | search the current log for activity between specific times |
fw log -c drop | search for dropped packets in the active log; also can use accept or reject to search |
fw log -f | tail the current log |
fwm logexport -i <log name> -o <output name> -n -p | export an old log file on the firewall manager |
fw logswitch | rotate logs |
fw lslogs | list firewall logs |
fw stat | firewall status, should contain the name of the policy and the relevant interfaces. |
fw stat -l | show which policy is associated with which interface and packet drop, accept and reject |
fw tab | displays firewall tables |
fw tab -s -t connections | number of connections in state table |
fw tab -f -t vpn_routing -u | routing for remote vpns |
fw tab -s -t userc_users | number of remote users connected (VPN) |
fw tab -t xlate -x | clear all translated entries |
fw unloadlocal | clear local firewall policy |
fw monitor -e "accept host(10.1.1.10);" | trace the packet flow to/from the specified host |
fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y' | check the reason your packet is being dropped |