Useful Check Point CLI commands

From Tech-Wiki
Revision as of 18:28, 24 January 2018 by Fabricio.Lima (Talk | contribs)

Useful Check Point commands. They generally fall under two prefixes: cp (general) and fw (firewall).

Useful CP Commands

Table 1. Useful CP Commands
Command                             Description
cpconfig                            change SIC, licenses and more
cpview -t                           show top-style performance counters
cphaprob stat                       list the state of the high availability cluster members; should show active and standby devices
cphaprob -a if                      display status of monitored interfaces in a cluster
cphaprob -l list                    display registered cluster devices and status
cphaprob syncstat                   display sync transport layer statistics
cphaprob ldstat                     display sync serialization statistics
cphastop                            stop a cluster member from passing traffic; stops synchronization (emergency only)
cplic print                         license information
cpstart                             start all Check Point services
cpstat fw                           show policy name, policy install time and interface table
cpstat ha                           high availability state
cpstat os -f all                    Check Point interface table, routing table, version, memory status, CPU load, disk space
cpstat os -f cpu                    Check Point CPU status
cpstat -f multi_cpu os              Check Point CPU load distribution
cpstat os -f routing                Check Point routing table
cpstop                              stop all Check Point services
cpwd_admin monitor_list             list processes actively monitored; on a firewall the list should contain cpd and vpnd
clusterXL_admin down -p             disable this node from cluster membership
show asset all                      show serial numbers and hardware info
show route destination xx.xx.xx.xx  show routing for specific host
ip route get xx.xx.xx.xx            show routing for specific host
iclid / show cluster state          show cluster failover history

Useful FW Commands

Table 2. Useful FW Commands
Command                                                    Description
fw ver                                                     firewall version
fw ctl iflist                                              show interface names
fw ctl pstat                                               show control kernel memory and connections
fwaccel stat                                               show SecureXL status
fw fetch <manager IP>                                      get the policy from the firewall manager
fwm load <policy name> <gateway name>                      compile and install a policy on the target's gateways
fw log                                                     show the content of the connections log
fw log -b <MMM DD, YYYY HH:MM:SS> <MMM DD, YYYY HH:MM:SS>  search the current log for activity between specific times
fw log -c drop                                             search for dropped packets in the active log; accept or reject can be used instead of drop
fw log -f                                                  tail the current log
fwm logexport -i <log name> -o <output name> -n -p         export an old log file on the firewall manager
fw logswitch                                               rotate logs
fw lslogs                                                  list firewall logs
fw stat                                                    firewall status; should contain the name of the policy and the relevant interfaces
fw stat -l                                                 show which policy is associated with which interface, and packet drop, accept and reject counts
fw tab                                                     display firewall tables
fw tab -s -t connections                                   number of connections in state table
fw tab -t xlate -x                                         clear all translated entries
fw unloadlocal                                             clear local firewall policy
fw monitor -e "accept host(10.1.1.10);"                    trace the packet flow to/from the specified host
fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y'             check the reason your packet is being dropped