Command Line Interface Reference Guide R77 CP CLI

14 September 2016

Command Line Interface R77 Reference Guide

Classification: [Protected]

© 2016 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest
functional improvements, stability fixes, security enhancements and protection against new and
evolving attacks.

Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=24833
To learn more, visit the Check Point Support Center http://supportcenter.checkpoint.com.
For more about this release, see the R77 home page
http://supportcontent.checkpoint.com/solutions?id=sk104859.

Revision History

Date                Description
13 September 2016   Updated sample script for Adding a Rule (on page 17)
10 March 2016       Updated fwm getpcap (on page 94)
25 February 2016    Updated fw monitor Filters (on page 80)
6 August 2014       Updated fwm dbload (on page 93) and cplic check (on page 31)
10 June 2014        Corrected example for the cp_merge list_policy (on page 42) command
6 June 2014         Cover changed to be relevant for all R77 versions
9 December 2013     Added Running CLI Commands in Automation Scripts (on page 10); general updates
27 August 2013      First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments to cp_techpub_feedback@checkpoint.com
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Command Line Interface R77 Reference Guide).

Contents
Important Information................................................................................................... 3
CLI Commands for Software Blades ............................................................................. 9
CLI Commands in Other Guides ................................................................................ 9
Running CLI Commands in Automation Scripts .......................................................... 10
Introduction to Automation Scripts ......................................................................... 10
Creating a Domain Management Server ........................................................................10

Working with dbedit ................................................................................................ 11
Introduction to dbedit ....................................................................................................11
Using Automation Scripts ..............................................................................................12
Create or Modify Policy Objects (Hosts, Networks) ........................................................13
Changing a Rule Base ....................................................................................................17
Pushing the Security Policy to Security Gateways .........................................................19
Error Codes in dbedit.....................................................................................................20

Using XML to Export Settings for a Domain Management Server ........................... 20
Security Management Server and Firewall Commands .............................................. 21
comp_init_policy ..................................................................................................... 22
cp_admin_convert .................................................................................................. 22
cpca_client .............................................................................................................. 22
cpca_client create_cert .................................................................................................22
cpca_client revoke_cert ................................................................................................23
cpca_client lscert ..........................................................................................................23
cpca_client init_certs ....................................................................................................24
cpca_client set_mgmt_tool ...........................................................................................24
cpca_client set_sign_hash ............................................................................................25
cpca_client search.........................................................................................................25
cpca_client get_crldp ....................................................................................................26
cpca_client get_pubkey .................................................................................................26
cpca_client double_sign ................................................................................................26

cp_conf.................................................................................................................... 26
cp_conf sic.....................................................................................................................27
cp_conf admin ...............................................................................................................27
cp_conf ca .....................................................................................................................27
cp_conf finger ...............................................................................................................28
cp_conf lic .....................................................................................................................28
cp_conf client ................................................................................................................28
cp_conf ha .....................................................................................................................29
cp_conf snmp ................................................................................................................29
cp_conf auto ..................................................................................................................29
cp_conf sxl ....................................................................................................................30

cpconfig ................................................................................................................... 30
cpinfo ...................................................................................................................... 30
cplic ......................................................................................................................... 31
cplic check .....................................................................................................................31
cplic db_add ..................................................................................................................32
cplic db_print ................................................................................................................33
cplic db_rm ...................................................................................................................33
cplic del .........................................................................................................................34

cplic del  .................................................................................................34
cplic get .........................................................................................................................34
cplic put .........................................................................................................................35
cplic put  ... .............................................................................................36
cplic print ......................................................................................................................37
cplic upgrade .................................................................................................................38

cp_merge ................................................................................................................ 39
cp_merge delete_policy ................................................................................................39
cp_merge export_policy ................................................................................................40
cp_merge import_policy and cp_merge restore_policy ................................................41
cp_merge list_policy .....................................................................................................42

cppkg ....................................................................................................................... 42
cppkg add ......................................................................................................................42
cppkg delete ..................................................................................................................43
cppkg get .......................................................................................................................44
cppkg getroot ................................................................................................................44
cppkg print ....................................................................................................................44
cppkg setroot.................................................................................................................44

cpridrestart ............................................................................................................. 45
cpridstart ................................................................................................................ 45
cpridstop ................................................................................................................. 45
cprinstall ................................................................................................................. 46
cprinstall boot ...............................................................................................................46
cprinstall cpstart ...........................................................................................................46
cprinstall cpstop ............................................................................................................46
cprinstall get .................................................................................................................47
cprinstall install ............................................................................................................47
cprinstall uninstall ........................................................................................................48
cprinstall verify .............................................................................................................49
cprinstall snapshot ........................................................................................................50
cprinstall show ..............................................................................................................50
cprinstall revert ............................................................................................................50
cprinstall transfer .........................................................................................................51

cpstart ..................................................................................................................... 51
cpstat ...................................................................................................................... 51
cpstop...................................................................................................................... 53
cpwd_admin ............................................................................................................ 54
cpwd_admin start ..........................................................................................................54
cpwd_admin stop...........................................................................................................54
cpwd_admin list ............................................................................................................55
cpwd_admin exist ..........................................................................................................55
cpwd_admin kill ............................................................................................................55
cpwd_admin config ........................................................................................................55

disconnect_client .................................................................................................... 57
dbedit ...................................................................................................................... 57
dbver ....................................................................................................................... 59
dbver create ..................................................................................................................59
dbver export ..................................................................................................................60
dbver import ..................................................................................................................60
dbver print .....................................................................................................................60
dbver print_all ...............................................................................................................60

dynamic_objects ..................................................................................................... 61

fw ............................................................................................................................ 61
fw -i ...............................................................................................................................61
fw ctl..............................................................................................................................62
fw ctl debug ...................................................................................................................63
fw ctl affinity ..................................................................................................................64
fw ctl engine ..................................................................................................................66
fw ctl multik stat............................................................................................................67
fw ctl sdstat ...................................................................................................................67
fw fetch ..........................................................................................................................68
fw fetchlogs ...................................................................................................................69
fw hastat ........................................................................................................................70
fw isp_link .....................................................................................................................70
fw kill.............................................................................................................................70
fw lea_notify ..................................................................................................................71
fw lichosts .....................................................................................................................71
fw log .............................................................................................................................71
fw logswitch ..................................................................................................................74
fw lslogs ........................................................................................................................75
fw mergefiles ................................................................................................................76
fw monitor .....................................................................................................................77
fw putkey .......................................................................................................................83
fw repairlog ...................................................................................................................84
fw sam ...........................................................................................................................84
fw stat............................................................................................................................88
fw tab.............................................................................................................................88
fw ver.............................................................................................................................90

fwm ......................................................................................................................... 90
fwm dbimport ................................................................................................................90
fwm expdate ..................................................................................................................92
fwm dbexport ................................................................................................................92
fwm dbload ....................................................................................................................93
fwm ikecrypt ..................................................................................................................94
fwm getpcap ..................................................................................................................94
fwm load ........................................................................................................................95
fwm lock_admin ............................................................................................................95
fwm logexport ...............................................................................................................95
fwm sic_reset ................................................................................................................97
fwm unload  ....................................................................................................97
fwm ver .........................................................................................................................97
fwm verify ......................................................................................................................97

GeneratorApp .......................................................................................................... 98
inet_alert ................................................................................................................ 98
ldapcmd ................................................................................................................ 100
ldapcompare ......................................................................................................... 101
ldapconvert ........................................................................................................... 102
ldapmodify ............................................................................................................ 104
ldapsearch ............................................................................................................ 105
log_export ............................................................................................................. 106
queryDB_util ......................................................................................................... 109
rs_db_tool ............................................................................................................. 110
sam_alert .............................................................................................................. 111
svr_webupload_config .......................................................................................... 112

VPN Commands......................................................................................................... 113
Overview................................................................................................................ 113
vpn crl_zap ............................................................................................................ 113
vpn crlview ............................................................................................................ 113
vpn debug .............................................................................................................. 114
vpn drv .................................................................................................................. 115
vpn export_p12 ..................................................................................................... 115
vpn macutil............................................................................................................ 116
vpn nssm_toplogy ................................................................................................. 116
vpn overlap_encdom ............................................................................................. 117
vpn sw_topology.................................................................................................... 118
vpn tu .................................................................................................................... 118
vpn ver................................................................................................................... 119
SmartView Monitor Commands................................................................................. 120
Overview................................................................................................................ 120
rtm debug.............................................................................................................. 120
rtm drv .................................................................................................................. 120
rtm monitor ........................................................................................................... 121
rtm rtmd................................................................................................................ 123
rtm stat ................................................................................................................. 123
rtm ver .................................................................................................................. 123
rtmstart................................................................................................................. 124
rtmstop ................................................................................................................. 124
ClusterXL Commands ............................................................................................... 125
cphaconf ................................................................................................................ 125
cphaprob ............................................................................................................... 126
cphastart ............................................................................................................... 126
cphastop ................................................................................................................ 127
Identity Awareness Commands ................................................................................. 128
Introduction........................................................................................................... 128
pdp ........................................................................................................................ 128
pdp monitor .................................................................................................................129
pdp connections...........................................................................................................130
pdp control ..................................................................................................................130
pdp network ................................................................................................................130
pdp debug ....................................................................................................................131
pdp tracker ..................................................................................................................131
pdp status ....................................................................................................................132
pdp update ...................................................................................................................132
pdp ad associate ..........................................................................................................132
pdp ad disassociate .....................................................................................................132

pep ........................................................................................................................ 133
pep show .....................................................................................................................133
pep debug ....................................................................................................................135

adlog ..................................................................................................................... 135
adlog query..................................................................................................................135
adlog dc .......................................................................................................................136
adlog statistics ............................................................................................................136
adlog debug .................................................................................................................136
adlog control ...............................................................................................................136

adlog service_accounts ...............................................................................................137

test_ad_connectivity ............................................................................................. 137
IPS Commands .......................................................................................................... 139
Overview................................................................................................................ 139
ips bypass stat ....................................................................................................... 139
ips bypass on|off ................................................................................................... 139
ips bypass set ........................................................................................................ 140
ips debug ............................................................................................................... 140
ips pmstats ............................................................................................................ 141
ips pmstats reset .................................................................................................. 141
ips refreshcap ....................................................................................................... 141
ips stat................................................................................................................... 141
ips stats ................................................................................................................. 142
Index.......................................................................................................................... 143

CHAPTER 1

CLI Commands for Software Blades
In This Section:
CLI Commands in Other Guides.....................................................................................9

This guide documents CLI (Command Line Interface) commands for Check Point Software Blades
and features. For more about CLI commands for Check Point operating systems, see:
• R77 Gaia Administration Guide
  http://supportcontent.checkpoint.com/documentation_download?ID=24828
• R77 Gaia Advanced Routing Administration Guide
  http://supportcontent.checkpoint.com/documentation_download?ID=24803
• R77 SecurePlatform Administration Guide
  http://supportcontent.checkpoint.com/documentation_download?ID=24810
• R77 SecurePlatform Advanced Routing Suite CLI Reference Guide
  http://supportcontent.checkpoint.com/documentation_download?ID=24835

CLI Commands in Other Guides
• For CoreXL and Multi-queue commands, see the R77 Performance Tuning Administration Guide
  http://supportcontent.checkpoint.com/documentation_download?ID=24808.
• For SmartProvisioning and SmartLSM Security Gateway commands, see the R77
  SmartProvisioning Administration Guide
  http://supportcontent.checkpoint.com/documentation_download?ID=24829.
• For Multi-Domain Security Management commands, see the R77 Multi-Domain Security
  Management Administration Guide
  http://supportcontent.checkpoint.com/documentation_download?ID=24807.
• For QoS commands, see the R77 QoS Administration Guide
  http://supportcontent.checkpoint.com/documentation_download?ID=24809.

Command Line Interface Reference Guide R77 | 9

CHAPTER 2

Running CLI Commands in Automation Scripts
In This Section:
Introduction to Automation Scripts .............................................................................10
Working with dbedit ......................................................................................................11
Using XML to Export Settings for a Domain Management Server .............................20

Introduction to Automation Scripts
Use these CLI commands and tools to create automation scripts:
• dbedit - Creates and configures objects and rules in the database for the Security Policy.
• fwm load - Installs the specified Security Policy on Security Gateways. The Security Policy is
  validated, and only valid Policies are installed.
• send_command - Runs functions which are not included with standard Check Point CLI
  commands and tools.

We recommend that you use a separate SmartConsole administrator account for automation
scripts. A dedicated account lets you tell automated changes apart from changes made by
system administrators when you review the audit log.

Creating a Domain Management Server
Prerequisites
• Name or Identifier of the domain, for example MyDomain
• Name or Identifier of the new Domain Management Server, for example MyDMS
• IPv4 address for the new Domain Management Server
• IPv4 address for the Multi-Domain Server
• The Multi-Domain Server username and password for a Multi-Domain Superuser who has
  permission to create the new Domain Management Server.

To create a new Domain Management Server:
1. Open a terminal emulation program (such as PuTTY).
2. Open an SSH connection to the Multi-Domain Server.
3. Log in with the superuser credentials.
4. Enter expert mode.
5. Run these commands.
mdscmd addmanagement  [-n  | -i  | -a ]
> mdscmd addcma Cust_ID -n Cust_CMA -i 192.0.2.61 -t 192.0.2.50 -m 192.0.2.50 -u admin -p vpn123

> mdscmd startcma Cust_ID -n Cust_CMA -m 192.0.2.50 -u fwadmin -p vpn123
The Domain Management Server is created. Log in to 192.0.2.61 to configure the settings.

Working with dbedit
Introduction to dbedit
dbedit is a CLI utility that lets you make changes to objects in the Check Point databases. Run
dbedit in these modes:
• Interactive - For a few changes to the database
• Batch - Import many changes at one time

We recommend that you use batch mode (dbedit -f) for automation scripts. You can write the
script on the Security Management Server or Multi-Domain Server with standard Linux
commands, or import a text file with the script.

Launching the dbedit Utility
When the dbedit prompt is showing, you can run dbedit commands or scripts. Before you use
the dbedit utility, make sure that you can log in to Expert mode on the Security Management
Server or Multi-Domain Server.

To launch the dbedit utility:
1. Log in to the CLI of the Security Management Server or Multi-Domain Server.
2. Enter Expert mode: run expert
The Expert prompt is shown.
3. Run dbedit
4. Enter the name of the Security Management Server or Multi-Domain Server:
• For localhost, press Enter
• For a remote connection, enter the hostname or IP address
The dbedit prompt is shown.
Please enter a command, -h for help or -q to quit:
dbedit>

Using dbedit Commands in a Script
Use these dbedit commands to create and configure objects and rules:
• create - Creates the object
• modify - Changes the applicable object
• update - Commits the most recent change to the Security Management Server database
• update_all - Commits all the changes to the Security Management Server database

This table shows sample commands and the results.
Example                                                Result
create network net-internal                            Creates the object for the network net-internal
modify network_objects gateway-10 ipaddr 192.0.2.100   Changes the IP address of the gateway-10 object to
                                                       192.0.2.100
update network_objects net-internal                    Saves the changes for the net-internal objects and
                                                       updates the Security Management Server database

Locking the Database
We recommend that you use the -globallock option when you use dbedit to make changes to
the Security Management Server database. Without it, dbedit only partially locks the database,
and if a user configures objects with SmartDashboard at the same time, there can be problems in
the database. The -globallock option does not let SmartDashboard or another dbedit user make
changes to the database.
When the -globallock option is enabled, dbedit commands run on a copy of the database.
After you change the database and run the savedb command, the copy is saved and committed to
the actual database. You can use the savedb command multiple times in a dbedit script.
At the end of a script, it is a best practice to run these commands:
# update_all
# savedb

Showing Parameters for a Sample Object
You can create sample objects in SmartDashboard that have the parameters that you are using in
a script or dbedit command. Export these objects to help make sure that you are using the
correct names for the parameters. You can show the parameters in plain or XML format.

To show the parameters for a sample SmartDashboard object:
1. In SmartDashboard, create the object that uses the necessary parameters and settings.
2. From the dbedit prompt ("Launching the dbedit Utility" on page 11), run one of these
commands:
• print network_objects
• printxml network_objects

Using Automation Scripts
You can use dbedit to configure the initial settings for a Security Gateway and the Security
Policy, then update and change the settings when necessary.
Note - Make sure that the script in the text files does not contain blank lines.
Otherwise the script will stop with an error.

Initial Configuration
1. Create a text file with an automation script ("Create or Modify Policy Objects (Hosts,
Networks)" on page 13). The script can create and configure the necessary objects and rules
for the Security Policy.
2. Make a database revision of the management. Use this revision if there is a problem with the
script and to identify unauthorized changes to the database.
3. Run fwm load and install the policy on one or more Security Gateways ("Pushing the Security
Policy to Security Gateways" on page 19).

Updating and Changing the Policy
1. Make sure that the automation administrator changed the database most recently.
a) Run send_command -s  -u  -p  -o db_change_since_last_save
The Last modifier field shows the administrator name.
b) If a different administrator changed the database, do not continue to use the automation
script. A system administrator must do an analysis of the database.
2. Edit the automation script, create and configure objects and rules for the Security Policy
("Changing a Rule Base" on page 17).
3. Run fwm load and install the policy on one or more Security Gateways ("Installing Policy with
a Multi-Domain Server" on page 20).

To update and change the commands for a Domain Management Server:
This sample script installs the Standard policy from Domain Management Server Cust_CMA on
the Security Gateway examplegw.
mdsenv Cust_CMA
send_command -s Cust_CMA -u admin -p admin -o db_change_since_last_save
dbedit -globallock -s Cust_CMA -u admin -p admin -f dbedit_modifiability_objects.txt
fwm load Standard examplegw
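As an added example (not code from the guide or from Check Point), here is a Python pre-flight wrapper for the sequence above: it refuses to run a script file that contains blank lines, checks the Last modifier field returned by db_change_since_last_save against the account the script runs as, and only then runs dbedit -globallock and fwm load. The exact line layout of the send_command output and the account name fwautomation are assumptions; run it after mdsenv on the Multi-Domain Server.

```python
"""Pre-flight checks for a dbedit automation run.

Added example, not Check Point code.  Assumptions: the output of
``send_command ... -o db_change_since_last_save`` contains a line such as
``Last modifier: <admin>`` (only the field name comes from the guide), and
the automation account is called ``fwautomation`` (constructed name).
Run after ``mdsenv <DMS>`` on the Multi-Domain Server.
"""
import re
import subprocess
import sys

# Constructed sample of send_command output; used as test input for the checks.
SAMPLE_OUTPUT = (
    "Database: Cust_CMA\n"
    "Last modifier: fwautomation\n"
    "Last change: 2016-09-14 10:22\n"
)

LAST_MODIFIER_RE = re.compile(r"^\s*Last modifier\s*[:=]\s*(\S+)",
                              re.MULTILINE | re.IGNORECASE)


def last_modifier(output: str):
    """Return the administrator named in the 'Last modifier' field, or None if absent."""
    m = LAST_MODIFIER_RE.search(output)
    return m.group(1) if m else None


def changed_by_someone_else(output: str, automation_admin: str) -> bool:
    """True when the most recent database change was not made by the automation
    account (or cannot be determined).  The guide says to stop in that case and
    have a system administrator analyse the database."""
    who = last_modifier(output)
    return who is None or who != automation_admin


def blank_line_numbers(script_text: str):
    """1-based numbers of blank lines; dbedit stops with a syntax error on them."""
    return [n for n, line in enumerate(script_text.splitlines(), start=1)
            if line.strip() == ""]


def run_pipeline(dms: str, user: str, password: str, script_path: str,
                 policy: str, gateway: str) -> None:
    """send_command check -> dbedit -globallock -f <script> -> fwm load."""
    with open(script_path, encoding="utf-8") as fh:
        blanks = blank_line_numbers(fh.read())
    if blanks:
        sys.exit(f"refusing to run: blank line(s) {blanks} in {script_path}")

    out = subprocess.run(
        ["send_command", "-s", dms, "-u", user, "-p", password,
         "-o", "db_change_since_last_save"],
        capture_output=True, text=True, check=True).stdout
    if changed_by_someone_else(out, user):
        sys.exit(f"database last changed by {last_modifier(out)!r}, not {user!r}; "
                 "stopping for a manual review")

    subprocess.run(["dbedit", "-globallock", "-s", dms, "-u", user, "-p", password,
                    "-f", script_path], check=True)
    # fwm load validates the policy; a non-zero exit leaves the old policy in place.
    subprocess.run(["fwm", "load", policy, gateway], check=True)


if __name__ == "__main__":
    if len(sys.argv) != 7:
        sys.exit("usage: dbedit_run.py <dms> <user> <password> <script> <policy> <gateway>")
    run_pipeline(*sys.argv[1:])
```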

Create or Modify Policy Objects (Hosts, Networks)
This section shows sample scripts that create one or more new network or service objects. You
can combine one or more of these samples into one script file.
We recommend that you add the update_all command to the end of the script file.

Networks
You can use a script to manage database objects that include:
•

Networks

•

Hosts

•

Address Ranges

These are sample scripts that show how to create and configure the database objects.
Creating a Network
Create an object for the database that represents a network. This sample script creates the
network net-internal with the IP address 190.0.2.0.
Create the object (of type network)
create network net-internal
Configure the network IP address
modify network_objects net-internal ipaddr 192.0.2.0
Configure the netmask (in dotted decimal notation) of the network
modify network_objects net-internal netmask 255.255.255.0
Add a comment to describe what the object is for (optional)
modify network_objects net-internal comments "Created by fwadmin with dbedit"

Configuring Automatic NAT
If your network uses NAT (Network Address Translation), you can use dbedit to configure an
Automatic NAT rule. Add these lines to a script only for a network that uses Automatic NAT rules.
This sample script creates an Automatic NAT rule for the net-internal network that starts with
the IP address 190.0.2.100.
The next four modify lines are optional and are only needed if you want
to do an automatic NAT rule for this object.
modify network_objects net-internal add_adtr_rule true
modify network_objects net-internal NAT NAT
Set the NAT type, adtr_static or adtr_hide
modify network_objects net-internal NAT:netobj_adtr_method adtr_hide
Set the "valid" IP address for this object.
For a static NAT on a network, the assumption is there is a 1-to-1 ratio
between untranslated and translated addresses and the valid range is
contiguous. This setting is the first IP address in this range.
modify network_objects net-internal NAT:valid_ipaddr 192.0.2.100

Creating a Host
This sample script creates the host host-10 with the IP address 192.0.2.10.
Create the actual object (of type host_plain)
create host_plain host-10
Modify the host IP address
modify network_objects host-10 ipaddr 192.0.2.10
Add a comment to describe what the object is for (optional)
modify network_objects host-10 comments "Created by fwadmin with dbedit"

You can also add the lines to this script to configure Automatic NAT for the host ("Configuring
Automatic NAT" on page 14). The modify commands for this sample rule start with: modify
network_objects host-10
Creating an Address Range
This sample script creates the address range object addr-range with the IP addresses
192.0.2.150 to 190.0.2.200.
Create the actual object (of type address_range)
create address_range addr-range
Modify the first IP address in the range
modify network_objects addr-range ipaddr_first 192.0.2.150
Modify the last IP address in the range
modify network_objects addr-range ipaddr_last 192.0.2.200
Add a comment to describe what the object is for (optional)
modify network_objects addr-range comments "Created by fwadmin with dbedit"

You can also add the lines to this script to configure Automatic NAT for the address range object
("Configuring Automatic NAT" on page 14). The modify commands for this sample rule start
with: modify network_objects addr-range
Renaming and Deleting Objects
You can change the name of an object or delete it from the database. When you change the name
of an object the Security Policy is also updated with the new name.
Rename the network object addr-range to IPv4-range
rename network_objects addr-range IPv4-range

When you delete an object, the references to it are also deleted from the Rule Base. The delete
command fails if there is a different object that is dependent on it.
Delete the network object addr-range

delete network_objects addr-range

Network Groups
You can create and use a group object as a container for network and host objects.
Creating a Network Group
Create a network group that uses networks and hosts. Make sure that these objects are in the
management database before you create a network group.
This sample script creates the object host-group for the hosts host-100 and host-101.
Create a group object
create network_object_group host-group
Add the individual elements to the group
addelement network_objects host-group '' network_objects:host-100
addelement network_objects host-group '' network_objects:host-101

Configuring and Deleting a Network Group
You can remove a network or host from a network group. This sample script removes host-100
from host-group.
Remove individual elements from the group
rmelement network_objects host-group '' network_objects:host-100

You can rename or remove a network group almost the same as objects ("Renaming and Deleting
Objects" on page 14).
Rename the network object host-group to host-ipaddrs
rename network_objects host-group host-ipaddrs
Delete the network object host-ipaddrs
delete network_objects host-ipaddrs

Services
Services are objects that are used for network protocols.
Creating a Service
This sample script creates these services:
• tcp_8081 - TCP protocol port 8081
• udp_8082 - UDP protocol port 8082
• inspect_svc - Inspect SVC protocol 6 and with an optional feature that uses the INSPECT
  expression
Create a TCP service
create tcp_service tcp_8081
Set port 8081 for TCP service
modify services tcp_8081 port 8081
Create a UDP service
create udp_service udp_8082
Set port 8082 for UDP service
modify services udp_8082 port 8082
Create a service of type "other." This can be used for random IP protocols
as well as services that require more complex INSPECT code for matching.
Create the service of type other
create other_service inspect_svc
Modify the IP Protocol that matches the service
modify services inspect_svc protocol 6

(Optional) Modify the INSPECT expression that matches this service.
modify services inspect_svc exp "dport=123"

Renaming and Deleting a Service
You can rename or remove a service almost the same as objects ("Renaming and Deleting
Objects" on page 14).
Rename inspect_svc to inspect_tcp123
rename services inspect_svc inspect_tcp123
Delete the service inspect_tcp123
delete services inspect_tcp123

Service Groups
You can create and use a group object as a container for service objects.
Creating a Service Group
Create a service group for more than one service. Make sure that the service objects are in the
management database before you create a service group.
This sample script creates the object mysvc-group for the services SSH and HTTPS.
Create a group object
create service_group mysvc-group
Add the individual elements to the group
addelement services mysvc-group '' services:ssh
addelement services mysvc-group '' services:https

Configuring and Deleting a Service Group
You can remove a service from a service group. This sample script removes the SSH
service from mysvc-group.
Remove individual elements from the group
rmelement services mysvc-group '' services:ssh

You can rename or remove a service group almost the same as objects ("Renaming and Deleting
Objects" on page 14).
Rename the service group mysvc-group to myservices
rename services mysvc-group myservices
Delete the service group myservices
delete services myservices

Object Naming Restrictions
These are some of the restrictions for object names:
• Object names can contain only ASCII letters, numbers, and dashes. Other characters such as
  a plus sign, asterisk, parentheses, square brackets, and so on, are not supported.
• Object names can have a maximum of 100 characters.
• You cannot use reserved words for object names. These include words that are policy
  elements, for example names of colors and common network terms (ipv6, nets, routers,
  servers, and so on).

To see a full list of the naming restrictions, go to sk40179
(http://supportcontent.checkpoint.com/solutions?id=sk40179).
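The following Python generator is an added example (not code from the guide or from Check Point) that ties the object scripts from "Create or Modify Policy Objects" to the naming restrictions above: it validates each object name, checks the addresses, and emits the same create/modify lines the samples use for networks, hosts, address ranges and optional Automatic NAT, ending with update_all and never a blank line. The reserved-word set is a short constructed subset; the full list lives in sk40179.

```python
"""Generate a dbedit script for network objects.

Added example, not Check Point code.  It emits the commands shown in the
guide's samples for networks, hosts and address ranges (plus the optional
Automatic NAT lines) after validating each name against the naming
restrictions.  RESERVED is a short constructed subset; see sk40179 for the
full list.
"""
import ipaddress
import re

# Only ASCII letters, digits and dashes, at most 100 characters, as the guide
# states.  (The guide's own service samples use underscores; loosen this
# pattern if your deployment allows them.)
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,100}$")
RESERVED = {"ipv6", "nets", "routers", "servers", "any"}  # constructed subset


def is_valid_name(name: str) -> bool:
    return bool(NAME_RE.match(name)) and name.lower() not in RESERVED


def _check(name: str) -> str:
    if not is_valid_name(name):
        raise ValueError(f"invalid object name: {name!r}")
    return name


def _comment_lines(name, comment):
    if comment is None:
        return []
    if '"' in comment:
        raise ValueError("double quotes are not supported in a dbedit comment")
    return [f'modify network_objects {name} comments "{comment}"']


def _nat_lines(name, nat):
    """nat is None or (method, valid_ip) with method adtr_hide or adtr_static."""
    if nat is None:
        return []
    method, valid_ip = nat
    if method not in ("adtr_hide", "adtr_static"):
        raise ValueError(f"NAT method must be adtr_hide or adtr_static, not {method!r}")
    ipaddress.IPv4Address(valid_ip)  # raises on a malformed address
    return [f"modify network_objects {name} add_adtr_rule true",
            f"modify network_objects {name} NAT NAT",
            f"modify network_objects {name} NAT:netobj_adtr_method {method}",
            f"modify network_objects {name} NAT:valid_ipaddr {valid_ip}"]


def network(name, addr, netmask, comment=None, nat=None):
    _check(name)
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=True)  # rejects host bits
    return ([f"create network {name}",
             f"modify network_objects {name} ipaddr {net.network_address}",
             f"modify network_objects {name} netmask {net.netmask}"]
            + _comment_lines(name, comment) + _nat_lines(name, nat))


def host(name, addr, comment=None, nat=None):
    _check(name)
    ip = ipaddress.IPv4Address(addr)
    return ([f"create host_plain {name}",
             f"modify network_objects {name} ipaddr {ip}"]
            + _comment_lines(name, comment) + _nat_lines(name, nat))


def address_range(name, first, last, comment=None, nat=None):
    _check(name)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address must not be greater than last address")
    return ([f"create address_range {name}",
             f"modify network_objects {name} ipaddr_first {lo}",
             f"modify network_objects {name} ipaddr_last {hi}"]
            + _comment_lines(name, comment) + _nat_lines(name, nat))


def build_script(*blocks) -> str:
    """Join object blocks, append update_all, and guarantee there are no blank
    lines (a blank line makes dbedit stop with an error)."""
    lines = [line for block in blocks for line in block] + ["update_all"]
    assert all(line.strip() for line in lines)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_script(
        network("net-internal", "192.0.2.0", "255.255.255.0",
                comment="Created by fwadmin with dbedit",
                nat=("adtr_hide", "192.0.2.100")),
        host("host-10", "192.0.2.10"),
        address_range("addr-range", "192.0.2.150", "192.0.2.200")), end="")
```

Redirect the output to a file and pass it to dbedit -globallock -f; the script never contains blank lines.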


Changing a Rule Base
This section shows sample scripts that change the Policy on a Domain Management Server named
Standard. We recommend that you write the scripts in a text file and then you import the file to
dbedit.

Adding a Rule
When you use dbedit to add a rule, the rule must be added to the bottom of the rule base by
manually specifying the rule number. If the policy contains no other rules, the rule becomes the
policy’s first rule.
Note - Rules in SmartDashboard start with rule number 1. Rules in dbedit start with
rule number 0.
This sample script creates a new policy called DemoPolicy with a Rule Base that contains this rule
at the bottom:
Source   Destination   Service   Action
Any      Any           Any       Accept

create policies_collection ##DemoPolicy
modify policies_collections ##DemoPolicy comments "Demo"
modify policies_collections ##DemoPolicy default 1
update policies_collections ##DemoPolicy
create firewall_policy ##DemoPolicy
modify fw_policies ##DemoPolicy default 0
modify fw_policies ##DemoPolicy collection policies_collections:##DemoPolicy
addelement fw_policies ##DemoPolicy rule security_rule
modify fw_policies ##DemoPolicy rule:0:name "AcceptAll"
rmbyindex fw_policies ##DemoPolicy rule:0:track 0
addelement fw_policies ##DemoPolicy rule:0:track tracks:None
addelement fw_policies ##DemoPolicy rule:0:time globals:Any
addelement fw_policies ##DemoPolicy rule:0:install:'' globals:Any
addelement fw_policies ##DemoPolicy rule:0:action accept_action:accept
addelement fw_policies ##DemoPolicy rule:0:src:'' globals:Any
modify fw_policies ##DemoPolicy rule:0:src:op ''
addelement fw_policies ##DemoPolicy rule:0:dst:'' globals:Any
modify fw_policies ##DemoPolicy rule:0:dst:op ''
addelement fw_policies ##DemoPolicy rule:0:services:'' globals:Any
modify fw_policies ##DemoPolicy rule:0:services:op ''
update_all

Changing a Rule
This sample script changes this rule:
                  Source   Destination   Service   Action
Original rule 4   Any      Any           Any       Accept
New rule 4        Any      DMZ           SSH       Accept

Modify Rule 4
Previous rule was any any any accept, it will now be any dmz ssh accept
modify fw_policies ##Standard rule:3:comments "Allow SSH to firewall with logging"

modify fw_policies ##Standard rule:3:disabled false
rmbyindex fw_policies ##Standard rule:3:track 0
addelement fw_policies ##Standard rule:3:track tracks:Log
rmbyindex fw_policies ##Standard rule:3:action 0
addelement fw_policies ##Standard rule:3:action accept_action:accept
rmelement fw_policies ##Standard rule:3:src:'' globals:Any
addelement fw_policies ##Standard rule:3:src:'' globals:Any
modify fw_policies ##Standard rule:3:src:op ''
rmelement fw_policies ##Standard rule:3:dst:'' globals:Any
addelement fw_policies ##Standard rule:3:dst:'' network_objects:DMZ
modify fw_policies ##Standard rule:3:dst:op ''
rmelement fw_policies ##Standard rule:3:services:'' globals:Any
addelement fw_policies ##Standard rule:3:services:'' services:ssh
modify fw_policies ##Standard rule:3:services:op ''

Adding a Rule - Middle of Rule Base
When it is necessary to add a rule to the middle of a Rule Base, you cannot use dbedit to simply
insert a rule.
1. Delete all the rules that are after the new rule you are adding.
2. Create one or more new rules.
3. Add again the rules that you deleted in step 1.
This sample script adds a new rule number 2 in a Rule Base that has three rules.
Note - Rules in SmartDashboard start with rule number 1. Rules in dbedit start
with rule number 0.
Delete rule 2 and 3 (delete in reverse order)
rmbyindex fw_policies ##Standard rule 2
rmbyindex fw_policies ##Standard rule 1
Add new rule 2
addelement fw_policies ##Standard rule security_rule
modify fw_policies ##Standard rule:1:comments "Firewall stealth rule"
modify fw_policies ##Standard rule:1:disabled false
rmbyindex fw_policies ##Standard rule:1:track 0
addelement fw_policies ##Standard rule:1:track tracks:Log
addelement fw_policies ##Standard rule:1:time globals:Any
addelement fw_policies ##Standard rule:1:install:'' globals:Any
rmbyindex fw_policies ##Standard rule:1:action 0
addelement fw_policies ##Standard rule:1:action drop_action:drop
addelement fw_policies ##Standard rule:1:src:'' network_objects:net-internal
modify fw_policies ##Standard rule:1:src:op 'not in'
addelement fw_policies ##Standard rule:1:dst:'' globals:Any
modify fw_policies ##Standard rule:1:dst:op ''
addelement fw_policies ##Standard rule:1:services:'' globals:Any
modify fw_policies ##Standard rule:1:services:op ''


Add New Rule 3 (Old Rule 2)
addelement fw_policies ##Standard rule security_rule
modify fw_policies ##Standard rule:2:comments "Allow selected hosts outbound"
modify fw_policies ##Standard rule:2:disabled false
rmbyindex fw_policies ##Standard rule:2:track 0
addelement fw_policies ##Standard rule:2:track tracks:Log
addelement fw_policies ##Standard rule:2:time globals:Any
addelement fw_policies ##Standard rule:2:install:'' globals:Any
rmbyindex fw_policies ##Standard rule:2:action 0
addelement fw_policies ##Standard rule:2:action accept_action:accept
addelement fw_policies ##Standard rule:2:src:'' network_objects:flamer-100
addelement fw_policies ##Standard rule:2:src:'' network_objects:flamer-101
modify fw_policies ##Standard rule:2:src:op ''
addelement fw_policies ##Standard rule:2:dst:'' network_objects:net-internal
modify fw_policies ##Standard rule:2:dst:op 'not in'
addelement fw_policies ##Standard rule:2:services:'' globals:Any
modify fw_policies ##Standard rule:2:services:op ''
Add New Rule 4 (Old Rule 3)
addelement fw_policies ##Standard rule security_rule
modify fw_policies ##Standard rule:3:comments "Drop all"
modify fw_policies ##Standard rule:3:disabled false
rmbyindex fw_policies ##Standard rule:3:track 0
addelement fw_policies ##Standard rule:3:track tracks:Log
addelement fw_policies ##Standard rule:3:time globals:Any
addelement fw_policies ##Standard rule:3:install:'' globals:Any
rmbyindex fw_policies ##Standard rule:3:action 0
addelement fw_policies ##Standard rule:3:action drop_action:drop
addelement fw_policies ##Standard rule:3:src:'' globals:Any
modify fw_policies ##Standard rule:3:src:op ''
addelement fw_policies ##Standard rule:3:dst:'' globals:Any
modify fw_policies ##Standard rule:3:dst:op ''
addelement fw_policies ##Standard rule:3:services:'' globals:Any
modify fw_policies ##Standard rule:3:services:op ''

Pushing the Security Policy to Security Gateways
After you change or update the Security policy, you can use fwm load command to push the
configuration to the Security Gateways. This command validates the policy and makes sure that
rules agree with each other.
In this example, the fwm load command successfully pushes the policy (Standard) to the
Security Gateway (samplegw).
# fwm load Standard samplegw
Installing policy on R77 compatible targets:
Standard.W: Security Policy Script generated into
CustomerPolicy.pf
Standard:
Compiled OK.
Installing Security Gateway policy on: examplegw ...
Security Gateway policy installed successfully on examplegw...
Security Gateway policy installation complete
Security Gateway policy installation succeeded for:
examplegw


If the policy did not install successfully, the output of the fwm load command shows an error
message. The Security Gateway continues to enforce the policy that was installed before you ran
the script.

Installing Policy with a Multi-Domain Server
To install the policy for a Domain Management Server, run the necessary Multi-Domain Server CLI
commands. You can run them individually or as part of a script.
This sample script installs the Standard policy from Domain Management Server Cust_CMA on
the Security Gateway examplegw.
mdsenv Cust_CMA
dbedit -globallock -s Cust_CMA -u admin -p admin -f dbedit_createpolicy_objects.txt
fwm load Standard examplegw

Error Codes in dbedit
• If there is a syntax error in the dbedit script, this error is shown:
  "syntax error in line 1 Aborting."
  The script stops running at the error.
• When a script uses tables or objects that are not in the database, dbedit stops the script and
  shows this message:
  "Object Not Found"
  "Error in line: 2"
• You can use the parameter ignore_script_failure to continue running the script and
  ignore errors.
• You can use the parameter continue_updating to ignore errors and run the update_all
  command at the end of the script.

Using XML to Export Settings for a Domain Management Server
You can export the settings for a Domain Management Server to an XML file that you can use with
external automation systems. You can include the printxml commands in a script or run them
individually from the CLI.
This sample script exports these settings to XML:
• Security policy Rule Base
• Network objects
• Services
printxml fw_policies ##Standard
printxml network_objects
printxml services


CHAPTER 3

Security Management Server and Firewall Commands
In This Section:
comp_init_policy ...........................................................................................................22
cp_admin_convert ........................................................................................................22
cpca_client ....................................................................................................................22
cp_conf ..........................................................................................................................26
cpconfig .........................................................................................................................30
cpinfo .............................................................................................................................30
cplic ...............................................................................................................................31
cp_merge ......................................................................................................................39
cppkg .............................................................................................................................42
cpridrestart ...................................................................................................................45
cpridstart .......................................................................................................................45
cpridstop .......................................................................................................................45
cprinstall .......................................................................................................................46
cpstart ...........................................................................................................................51
cpstat .............................................................................................................................51
cpstop ............................................................................................................................53
cpwd_admin ..................................................................................................................54
disconnect_client ..........................................................................................................57
dbedit .............................................................................................................................57
dbver ..............................................................................................................................59
dynamic_objects ...........................................................................................................61
fw ...................................................................................................................................61
fwm ................................................................................................................................90
GeneratorApp ................................................................................................................98
inet_alert .......................................................................................................................98
ldapcmd .......................................................................................................................100
ldapcompare ...............................................................................................................101
ldapconvert .................................................................................................................102
ldapmodify ...................................................................................................................104
ldapsearch ..................................................................................................................105
log_export ...................................................................................................................106
queryDB_util ...............................................................................................................109
rs_db_tool ...................................................................................................................110
sam_alert ....................................................................................................................111
svr_webupload_config................................................................................................112


comp_init_policy
Description Use the comp_init_policy command to generate and load, or to remove, the
Initial Policy.
The Initial Policy offers protection to the gateway before the administrator has installed a Policy
on the gateway.
Syntax
> $FWDIR/bin/comp_init_policy [-u] [-g]
Parameter   Description
-u          Removes the current Initial Policy, and ensures that it will not be generated in
            future when cpconfig is run.
-g          Can be used if there is no Initial Policy. If there is, make sure that after
            removing the policy, you delete the $FWDIR\state\local\FW1\ folder.
            Generates the Initial Policy and ensures that it will be loaded the next time a
            policy is fetched (at cpstart, or at next boot, or via the fw fetch localhost
            command). After running this command, cpconfig will add an Initial Policy
            when needed.
            The comp_init_policy -g command will only work if there is no previous
            Policy. If you perform the following commands:
            comp_init_policy -g + fw fetch localhost
            comp_init_policy -g + cpstart
            comp_init_policy -g + reboot
            The original policy will still be loaded.

cp_admin_convert
Description Automatically export administrator definitions that were created in cpconfig to
SmartDashboard.
Syntax
> cp_admin_convert

cpca_client
Description These commands execute operations on the ICA (Internal Certificate Authority).
Syntax
> cpca_client

cpca_client create_cert
Description Prompt the ICA to issue a SIC certificate for the Security Management server.
Syntax
> cpca_client [-d] create_cert [-p ] -n "CN=" -f


Parameter   Description
-d          Runs the command in debug mode
-p          Specifies the port used to connect to the CA (if the CA was not run
            from the default port 18209)
-n "CN="    Sets the CN to the specified value
-f          Specifies the file name that stores the certificate and keys.

cpca_client revoke_cert
Description Revoke a certificate issued by the ICA.
Syntax
> cpca_client [-d] revoke_cert [-p ] -n "CN="
Parameter   Description
-d          Runs the command in debug mode
-p          Specifies the port which is used to connect to the CA (if the CA was
            not run from the default port 18209)
-n "CN="    Sets the CN to the specified value

cpca_client lscert
Description Show all certificates issued by the ICA.
Syntax
> cpca_client [-d] lscert [-dn ] [-stat {Pending|Valid|Revoked|Expired|Renewed}] [-kind SIC|IKE|User|LDAP] [-ser ] [-dp ]
Parameter       Description
-d              Runs the command in debug mode
-dn substring   Filters results to those with a DN that matches this substring
-stat           Filters results to the specified certificate status: Pending, Valid,
                Revoked, Expired, or Renewed
-kind           Filters results for the specified kind: SIC, IKE, User, or LDAP
-ser            Filters results for this serial number
-dp             Filters results from this CDP (certificate distribution point)


cpca_client init_certs
Description Imports a list of DNs for users and creates a file with registration keys for each
user.
Syntax
> cpca_client init_certs [-p ] -i  -o 
Parameter          Description
-p                 Specifies the port which is used to connect to the CA. The
                   default port is 18265.
-i                 Imports the specified file. Make sure to use the full path.
                   Make sure that there is an empty line between each DN in
                   the file:
                   CN=test1,OU=users

                   CN=test2,OU=users
-o                 Saves the registration keys to the specified file.

cpca_client set_mgmt_tool
Description Starts or stops the ICA Management Tool.
Syntax
> cpca_client [-d] set_mgmt_tool {on|off|add|remove|clean|print} [-p
] [-no_ssl] {-a , -u , -c , ...}
Parameter                  Description
-d                         Runs the command in debug mode.
set_mgmt_tool              • on - Starts ICA Management Tool
{on|off|add|remove|        • off - Stops ICA Management Tool
clean|print}               • add - Adds an administrator, user, or custom user
                           • remove - Removes an administrator, user, or custom user
                           • clean - Removes all the administrators, users, or custom users
                           • print - Shows the administrators, users, or custom users
-p                         Specifies the port which is used to connect to the CA. The default
                           port is 18265.
-no_ssl                    Configures the server to use HTTP instead of HTTPS.
-a                         Sets the DNs of the administrators that are permitted to use the ICA
                           Management Tool.


-u                         Sets the DNs of the users that are permitted to use the ICA
                           Management Tool.
-c                         Sets the DN for custom users that can use the ICA Management
                           Tool.
Comments
1. If the command is run without -a or -u, the list of the permitted users and administrators isn't
changed. The server can be stopped or started with the previously defined permitted users and
administrators.
2. If two consecutive start operations are initiated, the ICA Management Tool will not respond
unless you change the SSL mode. After the SSL mode has been modified, the server can be
stopped and restarted.

cpca_client set_sign_hash
Description Sets the hash algorithm that the CA uses for signing. The default algorithm
is sha1.
Syntax
> cpca_client set_sign_hash {sha1|sha256|sha384|sha512}

cpca_client search
Description Searches for certificates in the ICA (Internal Certificate Authority).
Syntax
> cpca_client search  [-where {dn|comment|serial}] [-kind
[SIC|IKE|User|LDAP]] [-stat [Pending|Valid|Revoked|Expired|Renewed]] [-max
] [-showfp {y|n}]
Parameter                  Description
-where                     Where to search for the string: in the dn, serial number,
{dn|comment|serial}        or comment field. The default is all locations.
-kind                      The type of certificate. You can enter multiple values in
[SIC|IKE|User|LDAP]        this format: -kind value1 value2 value3. The
                           default is all values.
-stat                      Filters according to the status of the certificate. You can
[Pending|Valid|Revoked|    enter multiple values in this format: -stat value1
Expired|Renewed]           value2 value3. The default is all values.
-max                       Enter the maximum number of results to show. The
                           default setting is 200.
-showfp {y|n}              Show the certificate's fingerprint: yes or no. The default is
                           yes.

Example
> cpca_client search samplecompany -where comment -kind SIC LDAP
-stat Pending Valid Renewed

cpca_client get_crldp
Description Shows the name that the computer or server uses to initialize with the CA.
Syntax
> cpca_client get_crldp [-p ]
Parameter          Description
-p                 Specifies the port which is used to connect to the CA. The
                   default port is 18265.

cpca_client get_pubkey
Description Saves the encoding of the public key for the ICA to a file.
Syntax
> cpca_client [-p ] get_pubkey 
Parameter          Description
-p                 Specifies the port which is used to connect to the CA. The default
                   port is 18265.
                   Name of the file where the public key is saved

cpca_client double_sign
Description Creates a second signature for a certificate.
Syntax
> cpca_client [-p ] double_sign -i  [-o ]
Parameter          Description
-p                 Specifies the port which is used to connect to the CA. The default
                   port is 18265.
-i                 Imports the specified certificate, which must be in PEM format.
[-o ]              Saves the certificate to the specified file.

cp_conf
Description Configure/reconfigure a Security Gateway installation. The available configuration
options for any machine depend on the installed configuration and products.
Syntax
> cp_conf

cp_conf sic
Description Use the cp_conf sic commands to manage SIC on the Security Management
Server.
Syntax
> cp_conf sic state
> cp_conf sic init  [norestart]
> cp_conf sic cert_pull  
Parameter          Description
state              Shows the SIC trust state.
init               Restarts SIC with the Activation Key .
[norestart]        By default, the Security Gateway runs cpstop and cpstart when
                   you restart SIC. Use the norestart parameter to restart SIC and to
                   not run cpstop and cpstart.
cert_pull          For DAIP Security Gateways, pulls a certificate from the Security
                   Management Server for the 
                   Name or IP address of the Security Management Server

cp_conf admin
Description Manage Check Point system administrators for the Security Management Server.
Syntax
> cp_conf admin get # Get the list of administrators.
> cp_conf admin add   {a|w|r}
> cp_conf admin del  ...
Parameter          Description
get                Shows a list of the administrators
add                Adds a new administrator  with password 
{a|w|r}            Sets the permissions for the new administrator:
                   a - Read, write and manage administrators
                   w - Read and write
                   r - Read only
del                Deletes one or more administrators , , and so on

cp_conf ca
Description Initialize the Certificate Authority.
Syntax
> cp_conf ca init
> cp_conf ca fqdn 

Parameter          Description
init               Initializes the internal CA
fqdn               Sets the FQDN of the internal CA to 

cp_conf finger
Description Displays the fingerprint which will be used on first-time launch to verify the identity
of the Security Management server being accessed by the SmartConsole. This fingerprint is a text
string derived from the Security Management server's certificate.
Syntax
> cp_conf finger get

cp_conf lic
Description Shows the installed licenses and lets you manually add new ones.
Syntax
> cp_conf lic get
> cp_conf lic add -f 
> cp_conf lic add -m    
> cp_conf lic del 
Parameter          Description
get                Shows the installed licenses
add -f             Adds the license from 
add -m             Manually adds a license with these parameters:
                    - name of the Security Management Server
                    - Date of the license
                    - License key
                    - License SKU
del                Deletes license 

cp_conf client
Description Manage the GUI clients that can use SmartConsoles to connect to the Security
Management Server.
Syntax
> cp_conf client get # Get the GUI clients list
> cp_conf client add  # Add one GUI Client
> cp_conf client del < GUI client 1> < GUI client 2>... # Delete GUI Clients
> cp_conf client createlist < GUI client 1> < GUI client 2>... # Create new list.


Parameter          Description
get                Shows the IP addresses of the allowed GUI clients.
add                Adds the  IP address to the list of allowed GUI
                   clients.
del                Deletes the specified GUI clients from the list of allowed GUI
                   clients.
createlist         Creates a new list of allowed GUI clients: , , and so on.

cp_conf ha
Description Enable or disable High Availability.
Syntax
> cp_conf ha {enable|disable} [norestart]

cp_conf snmp
Description Activate or deactivate SNMP.
Syntax
> cp_conf snmp get # Get SNMP Extension status.
> cp_conf snmp {activate|deactivate} [norestart] # Activate or deactivate SNMP
Extension.
Parameter              Description
get                    Shows the SNMP status.
{activate|deactivate}  Enables or disables SNMP.
[norestart]            By default, the Security Gateway runs cpstop and cpstart when
                       you enable or disable SNMP. Use the norestart parameter to
                       configure SNMP and to not run cpstop and cpstart.

cp_conf auto
Description Configure the Security Gateway and Security Management Server products that
start automatically when the appliance or server reboots.
Syntax
> cp_conf auto get [fw1] [fg1] [rm] [all]
> cp_conf auto {enable|disable}  ...
Parameter          Description
get                Shows which products start automatically


{enable|disable}   Enables or disables one or more products that start
                   automatically

cp_conf sxl
Description Enable or disable SecureXL acceleration.
Syntax
> cp_conf sxl {enable|disable}

cpconfig
Description Run a command line version of the Check Point Configuration Tool. This tool is
used to configure an installed Check Point product. The options shown depend on the installed
configuration and products. Amongst others, these options include:
• Licenses and contracts - Modify the necessary Check Point licenses and contracts.
• Administrator - Modify the administrator authorized to connect to the Security Management
  server.
• GUI Clients - Modify the list of SmartConsole Client machines from which the administrators
  are authorized to connect to a Security Management server.
• SNMP Extension - Configure the SNMP daemon. The SNMP daemon enables SecurePlatform
  to export its status to external network management tools.
• PKCS #11 Token - Register a cryptographic token, for use by SecurePlatform; see details of
  the token, and test its functionality.
• Random Pool - Configure the RSA keys, to be used by SecurePlatform.
• Certificate Authority - Install the Certificate Authority on the Security Management server in a
  first-time installation.
• Secure Internal Communication - Set up trust between the gateway on which this command is
  being run and the Security Management server.
• Certificate's Fingerprint - Display the fingerprint which will be used on first-time launch to
  verify the identity of the Security Management server being accessed by the SmartConsole.
  This fingerprint is a text string derived from the Security Management server's certificate.
• Automatic Start of Check Point Products - Specify whether Check Point Security Gateways will
  start automatically at boot time.
Syntax
> cpconfig
Further Info. See the R77 Installation and Upgrade Guide
http://supportcontent.checkpoint.com/documentation_download?ID=24831.

cpinfo
Description CPinfo is a utility that collects data on a machine at the time of execution. The CPinfo
output file enables Check Point's support engineers to analyze setups from a remote location.

Engineers can open the CPinfo file in demo mode, while viewing real Security Policies and objects.
This allows for in-depth analysis of all configuration options and environment settings.
Syntax
> cpinfo [-v] [-l] [-n] [-o ] [-r | -t [tablename]] [-c  ... | -x
]
Parameter          Description
-z                 Output gzipped (effective with -o option)
-r                 Includes the registry (for Windows servers - shows a large output)
-v                 Prints version information
-l                 Embeds log records (very large output)
-n                 Does not resolve network addresses (faster)
-o                 Output to a file and to the screen
-t                 Output consists of tables only (SR only)
-c                 Get information about the specified  Domain Management Server
                   (Multi-Domain Security Management)
-x                 Get information about the specified  Virtual System (VSX)
Further Info: SecureKnowledge solution sk30567
http://supportcontent.checkpoint.com/solutions?id=sk30567.

cplic
The cplic command and all its derivatives relate to Check Point license management.
Note - SmartUpdate GUI is the recommended way of managing licenses.
All cplic commands are located in $CPDIR/bin. License Management is divided into three
types of commands:
• Local licensing commands are executed on local machines.
• Remote licensing commands affect remote machines and are executed on
  the Security Management Server.
• License repository commands are executed on the Security Management Server.

cplic check
Description Makes sure that the license includes the feature on the local gateway or Security
Management Server.
Syntax
gw> cplic check [-p ] [-v ] [-c|-count] [-t ]
[-r|-routers] [-S|-SRusers] 

Parameter          Description
-p                 Product for which license information is requested. For example
                   fw1, netso
-v                 Product version for which license information is requested
-c|-count          Output the number of licenses connected to this feature
-t                 Check license status on a future date. Use the format ddmmmyyyy. A
                   feature may be valid on a given date on one license, but invalid in
                   another
-r|-routers        Check how many routers are allowed. The feature option is not
                   needed
-S|-SRusers        Check how many SecuRemote users are allowed.
                    for which license information is requested

cplic db_add
Description Used to add one or more licenses to the license repository on the Security
Management server. When local licenses are added to the license repository, they are
automatically attached to their intended Check Point gateway; central licenses need to undergo the
attachment process.
This command is a license repository command, and can only be executed on the Security
Management server.
Syntax
> cplic db_add -l  [] [] []
[]
Parameter          Description
-l                 Name of the file that contains the license
                   Security Management Server hostname or IP address
                   The License signature string. For example:
                   aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (The string is case
                   sensitive and the hyphens are optional)
                   The SKU of the license summarizes the features included in the license.
                   For example: CPSUITE-EVAL-3DES-vNG
Example
If the file 192.0.2.11.lic contains one or more licenses, the command cplic
db_add -l 192.0.2.11.lic will produce output similar to the following:


Adding license to database ...
Operation Done

cplic db_print
Description Displays the details of Check Point licenses stored in the license repository on the
Security Management Server.
Syntax
> cplic db_print  [-n noheader] [-x print signatures]
[-t type] [-a attached]
Parameter          Description
Object name        Print only the licenses attached to Object name. Object name is the
                   name of the Check Point Security Gateway object, as defined in
                   SmartDashboard.
-all               Print all the licenses in the license repository
-noheader (or -n)  Print licenses with no header.
-x                 Print licenses with their signature
-t (or -type)      Print licenses with their type: Central or Local.
-a (or -attached)  Show which object the license is attached to. Useful if the -all option is
                   specified.
Comments
This command is a license repository command, and can only be executed on the
Security Management server.

cplic db_rm
Description The cplic db_rm command removes a license from the license repository on the
Security Management server. It can be executed ONLY after the license was detached using the
cplic del command. Once the license has been removed from the repository, it can no longer be
used.
Syntax
> cplic db_rm 
Parameter          Description
Signature          The signature string within the license.
Example
cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn
Comments
This command is a license repository command, and can only be executed on the
Security Management server.

cplic del
Description Delete a single Check Point license on a host, including unwanted evaluation,
expired, and other licenses. Used for both local and remote machines.
Syntax
> cplic del [-F ]  
Parameter          Description
-F                 Send the output to  instead of the screen.
                   The signature string within the license.

cplic del 
Description Detach a Central license from a Check Point Security Gateway. When this command
is executed, the license repository is automatically updated. The Central license remains in the
repository as an unattached license. This command can be executed only on a Security
Management server.
Syntax
> cplic del  [-F ] [-ip ] 
Parameter          Description
                   The name of the Check Point Security Gateway object, as defined in
                   SmartDashboard.
-F                 Divert the output to outputfile rather than to the screen.
-ip                Delete the license on the Check Point Security Gateway with the specified
                   IP address. This parameter is used for deleting a license on a DAIP Check
                   Point Security Gateway.
                   Note - If this parameter is used, then object name must be a DAIP
                   gateway.
                   The signature string within the license.
Comments
This is a Remote Licensing command which affects remote machines and is
executed on the Security Management server.

cplic get
Description The cplic get command retrieves all licenses from a Security Gateway (or from
all Security Gateways) into the license repository on the Security Management Server. This
command helps you to synchronize the repository with the Check Point Security Gateways. When
the command is run, all local changes are updated.
Syntax
> cplic get {||-all} [-v41]


Parameter          Description
                   The IP address of the Check Point Security Gateway from which licenses are to
                   be retrieved.
                   The name of the Check Point Security Gateway object (as defined in
                   SmartDashboard) from which licenses are to be retrieved.
-all               Retrieve licenses from all Check Point gateways in the managed network.
-v41               Retrieve version 4.1 licenses from the NF Check Point gateway. Used to upgrade
                   version 4.1 licenses.
Example
If the Check Point Security Gateway with the object name caruso contains four
Local licenses, and the license repository contains two other Local licenses, the command cplic
get caruso produces output similar to the following:
Get retrieved 4 licenses.
Get removed 2 licenses.
Comments
This is a Remote Licensing Command which affects remote machines and is
executed on the Security Management Server.

cplic put
Description Install one or more Local licenses on a local machine.
Syntax
> cplic put [-o|-overwrite] [-c|-check-only] [-s|-select] [-F ]
[-P|-Pre-boot] [-k|-kernel-only] -l  [] [] [] []
Parameter          Description
-o|-overwrite      On a Security Management server this will erase all existing licenses and
                   replace them with the new license(s). On a Check Point Security Gateway this
                   will erase only Local licenses but not Central licenses, that are installed
                   remotely.
-c|-check-only     Verify the license. Checks if the IP of the license matches the machine, and if
                   the signature is valid
-s|-select         Select only the Local licenses whose IP address matches the IP address of
                   the machine.
-F                 Outputs the result of the command to the designated file rather than to the
                   screen.
-P|-Pre-boot       Use this option after upgrading and before rebooting the machine. Use of this
                   option will prevent certain error messages.
-k|-kernel-only    Push the current valid licenses to the kernel. For Support use only.


-l                 Name of the file that contains the license
                   Security Management Server hostname or IP address
                   The License signature string. For example:
                   aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (The string is case
                   sensitive and the hyphens are optional)
                   The SKU of the license summarizes the features included in the license. For
                   example: CPSUITE-EVAL-3DES-vNG
Comments
Copy and paste the following parameters from the license received from the User
Center.
• host - One of the following:
  All platforms - The IP address of the external interface (in dot notation); last part cannot be 0 or
  255.
  Solaris2 - The response to the hostid command (beginning with 0x).
• expiration date - The license expiration date. Can be never.
• signature - The License signature string. For example:
  aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are
  optional.)
• SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of
  the license summarizes the features included in the license. For example:
  CPMP-EVAL-1-3DES-NG CK0123456789ab
Example
cplic put -l 215.153.142.130.lic produces output similar to the following:
Host             Expiration  SKU
215.153.142.130  26Dec2001   CPMP-EVAL-1-3DES-NG CK0123456789ab

cplic put  ...
Description Use the cplic put command to attach one or more central or local licenses
remotely. When this command is executed, the license repository is also updated.
Syntax
> cplic put  [-ip dynamic ip] [-F ]
-l  [] [] [] [
Parameter          Description
object name        The name of the Check Point Security Gateway object, as defined in
                   SmartDashboard.


-ip dynamic ip     Install the license on the Check Point Security Gateway with the specified
                   IP address. This parameter is used for installing a license on a DAIP
                   Check Point gateway.
                   NOTE: If this parameter is used, then object name must be a DAIP Check
                   Point gateway.
-F                 Divert the output to  rather than to the screen.
-l                 Installs the license(s) from .
-l                 Name of the file that contains the license
                   Security Management Server hostname or IP address
                   The License signature string. For example:
                   aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (The string is case
                   sensitive and the hyphens are optional)
                   The SKU of the license summarizes the features included in the license.
                   For example: CPSUITE-EVAL-3DES-vNG
Comments
This is a Remote Licensing Command which affects remote machines and is
executed on the Security Management server.
Copy and paste the following parameters from the license received from the User Center. More
than one license can be attached.
• host - the target hostname or IP address.
• expiration date - The license expiration date. Can be never.
• signature - The License signature string. For example:
  aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are
  optional)
• SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of
  the license summarizes the features included in the license. For example:
  CPMP-EVAL-1-3DES-NG CK0123456789ab

cplic print
Description The cplic print command (located in $CPDIR/bin) prints details of Check Point
licenses on the local machine.
Syntax
> cplic print [-n|-noheader][-x prints signatures][-t type][-F ]
[-p preatures]


Parameter          Description
-n|-noheader       Print licenses with no header.
-x                 Print licenses with their signature
-t|-type           Prints licenses showing their type: Central or Local.
-F                 Divert the output to outputfile.
-p|-preatures      Print licenses resolved to primitive features.
Comments
On a Check Point gateway, this command will print all licenses that are installed on
the local machine, both Local and Central licenses.

cplic upgrade
Description Use the cplic upgrade command to upgrade licenses in the license repository
using licenses in a license file obtained from the User Center.
Syntax
> cplic upgrade -l 
Parameter          Description
-l                 Upgrades the licenses in the license repository and Check Point gateways
                   to match the licenses in 
Example
The following example explains the procedure which needs to take place in order to
upgrade the licenses in the license repository.
• Upgrade the Security Management Server to the latest version.
• Ensure that there is connectivity between the Security Management Server and the
  Security Gateways with the previous version products.
• Import all licenses into the license repository. This can also be done after upgrading the
  products on the remote gateways.
  Run the command: cplic get -all. For example:
count:root(su) [~] # cplic get -all
Getting licenses from all modules ...
golda:
Retrieved 1 licenses.
Detached 0 licenses.
Removed 0 licenses.
count:
Retrieved 1 licenses.
Detached 0 licenses.
Removed 0 licenses.
• To see all the licenses in the repository, run the command cplic db_print -all -a


count:root(su) [~] # cplic db_print -all -a
Retrieving license information from database ...
The following licenses appear in the database:
==================================================
Host         Expiration  Features
192.0.2.11   Never       CPFW-FIG-25-53 CK-49C3A3CC7121 golda
192.0.2.11   26Nov2012   CPSUITE-EVAL-3DES-NGX CK-1234567890 count

• In the User Center http://usercenter.checkpoint.com, view the licenses for the products that
  were upgraded from version NGX to a Software Blades license and create new upgraded
  licenses.
• Download a file containing the upgraded licenses. Only download licenses for the products that
  were upgraded from version NGX to Software Blades.
• If you did not import the version NGX licenses into the repository, import the version NGX
  licenses now using the command cplic get -all
• Run the license upgrade command: cplic upgrade -l 
  - The licenses in the downloaded license file and in the license repository are compared.
  - If the certificate keys and features match, the old licenses in the repository and in the
    remote Security Gateways are updated with the new licenses.
  - A report of the results of the license upgrade is printed.
• In the example, there are two Software Blades licenses in the file. One does not match any
  license on a remote Security Gateway, the other matches a version NGX license on a Security
  Gateway that should be upgraded:

Comments
This is a Remote Licensing Command which affects remote Security Gateways and is
executed on the Security Management Server.
Further Info. For more about managing licenses, see the R77 Installation and Upgrade Guide
http://supportcontent.checkpoint.com/documentation_download?ID=24831.
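As an added example (not code from the guide or from Check Point), the following Python script parses the cplic db_print -all -a output shown in the cplic upgrade example above and flags licenses that are expired or about to expire, which is the check an operator wants before a license upgrade. The whitespace-separated column layout (host, ddmmmyyyy expiration or Never, SKU and CK tokens, then the attached object name when -a is used) and the embedded sample output are assumptions modelled on the guide's example.

```python
"""Added example: parse `cplic db_print -all -a` output and flag licenses that
are expired or close to expiry. The column layout is an assumption based on
the example in this guide, not a documented format."""
import re
from datetime import date, datetime, timedelta

# Constructed sample modelled on the guide's example output (not real data).
SAMPLE_DB_PRINT = """\
Retrieving license information from database ...
The following licenses appear in the database:
==================================================
Host         Expiration  Features
192.0.2.11   Never       CPFW-FIG-25-53 CK-49C3A3CC7121 golda
192.0.2.11   26Nov2012   CPSUITE-EVAL-3DES-NGX CK-1234567890 count
"""

# cplic writes expiration dates as ddmmmyyyy (for example 26Nov2012) or Never.
_EXPIRY_RE = re.compile(r"^(\d{2}[A-Za-z]{3}\d{4}|Never)$")
_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_expiry(token):
    """Return the expiration as a date, or None for a license that never expires."""
    if token == "Never":
        return None
    return datetime.strptime(token, "%d%b%Y").date()


def parse_db_print(text, attached=True):
    """Return one dict per license line. attached=True means -a was used, so
    the last token on each line is the object the license is attached to."""
    licenses = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip status lines, the header and the separator: a license line
        # starts with an IP address followed by an expiration date.
        if len(tokens) < 3 or not _HOST_RE.match(tokens[0]):
            continue
        if not _EXPIRY_RE.match(tokens[1]):
            continue
        try:
            expires = parse_expiry(tokens[1])
        except ValueError:
            continue  # malformed month abbreviation; not a license line
        features = tokens[2:]
        attached_to = None
        if attached and len(features) > 1:
            attached_to = features.pop()
        licenses.append({
            "host": tokens[0],
            "expires": expires,
            "sku": features[0],
            # The certificate key (CK...) is what cplic upgrade matches on.
            "certificate_key": next((t for t in features if t.startswith("CK")), None),
            "attached_to": attached_to,
        })
    return licenses


def expiring_licenses(licenses, today_iso, within_days=30):
    """Return the licenses that are already expired or expire within
    `within_days` of today_iso (an ISO date string such as 2012-11-01).
    Licenses that never expire are never reported."""
    horizon = date.fromisoformat(today_iso) + timedelta(days=within_days)
    return [lic for lic in licenses
            if lic["expires"] is not None and lic["expires"] <= horizon]


if __name__ == "__main__":
    parsed = parse_db_print(SAMPLE_DB_PRINT)
    for lic in expiring_licenses(parsed, date.today().isoformat()):
        print("expiring:", lic["host"], lic["expires"], lic["attached_to"])
```

On a live Security Management Server, feed the script the real output of cplic db_print -all -a instead of SAMPLE_DB_PRINT; the same parser works on cplic print output without the attached object column when attached=False.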

cp_merge
Description The cp_merge utility has two main functionalities:
• Export and import of policy packages.
• Merge of objects from a given file into the Security Management server database.
Syntax
> cp_merge help
Parameter          Description
help               Displays the usage for cp_merge.

cp_merge delete_policy
Description Provides the options of deleting an existing policy package. Note that the default
policy can be deleted by delete action.

Syntax
> cp_merge delete_policy [-s ] [-u  | -c ]
[-p ] -n 
Parameter          Description
-s                 Specify the database server IP Address or DNS name. [2]
-u                 The administrator's name. [1,2]
-c                 The path to the certificate file. [1]
-p                 The administrator's password. [1]
-n                 The policy package to delete. [2,3]
Comments
Further considerations:
1. Either use certificate file or user and password
2. Optional
Example
Delete the policy package called Standard.
> cp_merge delete_policy -n Standard

cp_merge export_policy
Description Provides the options of leaving the policy package in the active repository, or
deleting it as part of the export process. The default policy cannot be deleted during the export
action.
Syntax
> cp_merge export_policy [-s ] [-u  | -c ]
[-p ] [-n  | -l ] [-d ] [-f ] [-r]
Parameter          Description
-s                 Specify the database server IP Address or DNS name. [2]
-u                 The database administrator's name. [1]
-c                 The path to the certificate file. [1]
-p                 The administrator's password. [1]
-n                 The policy package to export. [2,3]
-l                 Export the policy package which encloses the policy name. [2,3,4]
-d                 Specify the output directory. [2]
-f                 Specify the output file name (where the default file name is
                   .pol). [2]

-r                 Remove the original policy from the repository. [2]
Comments
Further considerations:
1. Either use certificate file or user and password.
2. Optional.
3. If both -n and -l are omitted all policy packages are exported.
4. If both -n and -l are present -l is ignored.
Example
Export policy package Standard to file:
> cp_merge export_policy -n Standard -f
StandardPolicyPackageBackup.pol -d C:\bak

cp_merge import_policy and cp_merge restore_policy
Description Provides the options to overwrite an existing policy package with the same name,
or to prevent overwriting when the same policy name already exists.
Syntax
> cp_merge import_policy|restore_policy [-s ] [-u  | -c
] [-p ] [-n ] [-d ] -f  [-v]
Parameter          Description
-s                 Specify the database server IP address or DNS name. [2]
-u                 The administrator's name. [1,2]
-c                 The path to the certificate file. [1]
-p                 The administrator's password. [1,2]
-n                 Rename the policy package to  when importing. [2]
-d                 Specify the input directory. [2]
-f                 Specify the input file name.
-v                 Override an existing policy if found. [2]
Comments
Further considerations:
1. Either use certificate file or user and password
2. Optional
The cp_merge restore_policy command works only locally on the Security Management server and it
will not work from remote machines.
Caution: A Security policy from a .W file can be restored using this utility; however,
important information may be lost when the policy is translated into .W format. This restoration
should be used only if there is no other backup of the policy.

Example
Import the policy package saved in file Standard.pol into the repository and
rename it to StandardCopy.
> cp_merge import_policy -f Standard.pol -n StandardCopy

cp_merge list_policy
Syntax
cp_merge list_policy [-s ] [-u  | -c ]
[-p ]
Parameter          Description
-s                 Specify the database server IP Address or DNS name. [2]
-u                 The administrator's name. [1,2]
-c                 The path to the certificate file. [1,2]
-p                 The administrator's password. [1,2]
Comments
Further considerations:
1. Either use certificate file or user and password.
2. Optional.
Example: List all policy packages which reside in the specified repository:
> cp_merge list_policy -s localhost

cppkg
Description Manage the product repository. It is always executed on the Security Management
server.

cppkg add
Description Add a product package to the product repository. Only SmartUpdate packages can
be added to the product repository.
Products can be added to the Repository as described in the following procedures, by importing a
file downloaded from the Download Center. The package file can be added to the Repository
directly from the DVD or from a local or network drive.
Syntax
> cppkg add {| [product]}
Parameter          Description
package-full-path  If the package to be added to the repository is on a local disk or network
                   drive, type the full path to the package.


CD drive           If the package to be added to the repository is on a DVD:
                   • For Windows machines type the DVD drive letter, e.g. d:\
                   • For UNIX machines, type the DVD root path, e.g.
                     /caruso/image/CPsuite-R77
                   You are asked to specify the product and appropriate operating system
                   (OS).
Comments
cppkg add does not overwrite existing packages. To overwrite existing packages,
you must first delete existing packages.
Example
[d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-R77\
Enter package name:
---------------------
(1) SVNfoundation
(2) firewall
(3) floodgate
(4) rtm
(e) Exit
Enter your choice : 1
Enter package OS :
---------------------
(1) win32
(2) linux
(3) ipso
(e) Exit
Enter your choice : 1
You choose to add 'SVNfoundation' for 'win32' OS. Is this correct? [y/n] : y

cppkg delete
Description Delete a product package from the repository. To delete a product package you
must specify a number of options. To see the format of the options and to view the contents of the
product repository, use the cppkg print command.
Syntax
> cppkg delete <vendor> <product> <version> <os> [sp]
Parameter   Description
vendor      Package vendor (for example, checkpoint)
product     Package name
version     Package version
os          Package Operating System. Options are: win32, solaris, ipso, linux
sp          Package minor version
Comments
It is not possible to undo the cppkg delete command.

cppkg get
Description Synchronizes the Package Repository database with the content of the actual
package repository under $SUROOT.
Syntax
> cppkg get

cppkg getroot
Description Find out the location of the product repository. The default product repository
location on Windows machines is C:\SUroot. On UNIX it is /var/SUroot.
Syntax
> cppkg getroot
Example
> cppkg getroot
Current repository root is set to : /var/suroot/

cppkg print
Description List the contents of the product repository.

Use cppkg print to see the product and OS strings required to install a product package using
the cprinstall command, or to delete a package using the cppkg delete command.
Syntax
> cppkg print

cppkg setroot
Description Create a new repository root directory location, and move existing product
packages into the new repository.
The default product repository location is created when the Security Management server is
installed. On Windows machines the default location is C:\SUroot and on UNIX it is
/var/SUroot. Use this command to change the default location.
When changing the repository root directory:
• The content of the old repository is copied into the new repository.
• The $SUROOT environment variable gets the value of the new root path.
• A product package in the new location will be overwritten by a package in the old location, if
  the packages are the same (that is, they have the same ID strings).
The repository root directory should have at least 200 Mbyte of free disk space.
Syntax
> cppkg setroot <repository root directory>
Parameter                     Description
<repository root directory>   The full path for the desired location for the product repository.
Comments
It is important to reboot the Security Management server after performing this
command, in order to set the new $SUROOT environment variable.
Example
cppkg setroot /var/new_suroot
Repository root is set to : /var/new_suroot/
Note: When changing repository root directory :
1. Old repository content will be copied into the new repository.
2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name.
Change the current repository root ? [y/n] : y
The new repository directory does not exist. Create it ? [y/n] : y
Repository root was set to : /var/new_suroot
Notice : To complete the setting of your directory, reboot the machine!

cpridrestart
Description Stops and starts the Check Point Remote Installation Daemon (cprid). This is the
daemon that is used for remote upgrade and installation of products. In Windows it is a service.

cpridstart
Description Start the Check Point Remote Installation Daemon (cprid). This is the service that
allows for the remote upgrade and installation of products. In Windows it is a service.
Syntax
> cpridstart

cpridstop
Description Stop the Check Point Remote installation Daemon (cprid). This is the service that
allows for the remote upgrade and installation of products. In Windows it is a service.
Syntax
> cpridstop

cprinstall
Description Use cprinstall commands to perform remote installation of product packages,
and associated operations.
On the Security Management server, cprinstall commands require licenses for SmartUpdate.
On the remote Check Point gateways the following are required:
• Trust must be established between the Security Management server and the Check Point
  gateway.
• cpd must run.
• cprid remote installation daemon must run.

cprinstall boot
Description Boot the remote computer.
Syntax
> cprinstall boot <Object name>
Parameter       Description
<Object name>   Object name of the Check Point Security Gateway defined in SmartDashboard
Example
> cprinstall boot harlin

cprinstall cpstart
Description Enable cpstart to be run remotely.
All products on the Check Point Security Gateway must be of the same version.
Syntax
> cprinstall cpstart <Object name>
Parameter     Description
Object name   Object name of the Check Point Security Gateway defined in SmartDashboard.

cprinstall cpstop
Description Enables cpstop to be run remotely.
All products on the Check Point Security Gateway must be of the same version.
Syntax
> cprinstall cpstop {-proc|-nopolicy} <Object name>
Parameter     Description
-proc         Kills Check Point daemons and Security servers while maintaining the active
              Security Policy running in the kernel. Rules with generic allow/reject/drop
              rules, based on services continue to work.
-nopolicy
Object name   Object name of the Check Point Security Gateway defined in SmartDashboard.

cprinstall get
Description Obtain details of the products and the operating system installed on the specified
Check Point Security Gateway, and update the database.
Syntax
> cprinstall get <Object name>
Parameter       Description
<Object name>   The name of the Check Point Security Gateway object defined in
                SmartDashboard.
Example
cprinstall get gw1
Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully

Operating system   Major Version   Minor Version
-----------------------------------------------------------------------
SecurePlatform     R75.20          R75.20

Vendor        Product           Major Version   Minor Version
-----------------------------------------------------------------------
Check Point   VPN-1 Power/UTM   R75.20          R75.20
Check Point   SecurePlatform    R75.20          R75.20
Check Point   SmartPortal       R75.20          R75.20

cprinstall install
Description Install Check Point products on remote Check Point Security Gateways. To install a
product package you must specify a number of options. Use the cppkg print command and copy
the required options.
Syntax
> cprinstall install [-boot] <Object name> <vendor> <product> <version> [sp]
Parameter     Description
-boot         Boot the remote computer after installing the package.
              Only boot after ALL products have the same version. Boot will be canceled in
              certain scenarios.
Object name   Object name of the Check Point Security Gateway defined in SmartDashboard.
vendor        Package vendor (e.g. checkpoint)
product       Package name
version       Package version
sp            Package minor version
Comments
Before transferring any files, this command runs the cprinstall verify
command to verify that the Operating System is appropriate and that the product is compatible
with previously installed products.
Example
# cprinstall install -boot fred checkpoint firewall R70
Installing firewall R75.20 on fred...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.

cprinstall uninstall
Description Uninstall products on remote Check Point Security Gateways. To uninstall a
product package you must specify a number of options. Use the cppkg print command and copy
the required options.
Syntax
> cprinstall uninstall [-boot] <Object name> <vendor> <product> <version> [sp]
Parameter     Description
-boot         Boot the remote computer after installing the package.
              Only boot after ALL products have the same version. Boot will be canceled in
              certain scenarios. See the Release Notes for details.
Object name   Object name of the Check Point Security Gateway defined in SmartDashboard.
vendor        Package vendor (e.g. checkpoint)
product       Package name
version       Package version
sp            Package minor version.
Comments Before uninstalling any files, this command runs the cprinstall verify command
to verify that the Operating System is appropriate and that the product is installed.
After uninstalling, retrieve the Check Point Security Gateway data by running cprinstall get.
Example
# cprinstall uninstall fred checkpoint firewall R75.20
Uninstalling firewall R75.20 from fred...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.

cprinstall verify
Description Makes sure these operations were successful:
• If a specific product can be installed on the remote Check Point Security Gateway
• That the operating system and currently installed products are appropriate for the package
• That there is enough disk space to install the product
• That there is a CPRID connection
Syntax
> cprinstall verify <Object name> <vendor> <product> <version> [sp]
Parameter     Description
Object name   Object name of the Check Point Security Gateway defined in SmartDashboard.
vendor        Package vendor (for example checkpoint).
product       Package name. Options are: SVNfoundation, firewall, floodgate
version       Package version.
sp            Package minor version. This parameter is optional.
Example
The following examples show a successful and a failed verify operation:
Verify succeeds:
cprinstall verify harlin checkpoint SVNfoundation R75.20
Verifying installation of SVNfoundation R75.20 on jimmy...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.
Verify fails:
cprinstall verify harlin checkpoint SVNfoundation R75.20
Verifying installation of SVNfoundation R75.20 on jimmy...
Info : Testing Check Point Gateway
Info : SVN Foundation R70 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.

cprinstall snapshot
Description Creates a snapshot on the Check Point Security Gateway.
Syntax
> cprinstall snapshot <Object name> <filename>
Parameter     Description
Object name   Object name of the Check Point Security Gateway defined in SmartDashboard
filename      Name of the snapshot file
Comments
Supported on SecurePlatform only

cprinstall show
Description Displays all snapshot (backup) files on the Check Point Security Gateway.
Syntax
> cprinstall show <Object name>
Parameter     Description
Object name   Object name of the Check Point Security Gateway defined in SmartDashboard.
Comments
Supported on SecurePlatform only
Example
# cprinstall show GW1
SU_backup.tzg

cprinstall revert
Description Restores the Check Point Security Gateway from a snapshot.
Syntax
> cprinstall revert <Object name> <filename>
Parameter       Description
<Object name>   Object name of the Check Point Security Gateway defined in SmartDashboard.
<filename>      Name of the snapshot file.
Comments
Supported on SecurePlatform only.

cprinstall transfer
Description Transfers a package from the repository to a Check Point Security Gateway without
installing the package.
Syntax
> cprinstall transfer <Object name> <vendor> <product> <version> [sp]
Parameter     Description
Object name   Object name of the Check Point Security Gateway defined in SmartDashboard.
vendor        Package vendor (for example, checkpoint)
product       Package name
version       Package version.
sp            Package minor version. This parameter is optional.

cpstart
Description Start all Check Point processes and applications running on an appliance or server.
Syntax
> cpstart
Comments
This command cannot be used to start cprid. cprid is invoked when the machine
is booted and it runs independently.

cpstat
Description cpstat displays the status of Check Point applications, either on the local or on
another appliance or server, in various formats.
Syntax
> cpstat [-h <host>][-p <port>][-s <SICname>][-f <flavor>][-o <polling>][-c <count>]
[-e <period>][-d] <application_flag>
Parameter            Description
-h <host>            A resolvable hostname, a dot-notation address (for example: 192.0.2.23), or a
                     DAIP object name. The default is localhost.
-p <port>            Port number of the AMON server. The default is the standard AMON port
                     (18192).
-s <SICname>         Secure Internal Communication (SIC) name of the AMON server.
-f <flavor>          The flavor of the output (as it appears in the configuration file). The default is
                     the first flavor found in the configuration file.
-o <polling>         Polling interval (seconds) specifies the pace of the results.
                     The default is 0, meaning the results are shown only once.
-c <count>           Specifies how many times the results are shown. The default is 0, meaning the
                     results are repeatedly shown.
-e <period>          Specifies the interval (seconds) over which 'statistical' OIDs are computed.
                     Ignored for regular OIDs.
-d                   Debug mode.
<application_flag>   One of the following:
                     • fw — Firewall component of the Security Gateway
                     • vpn — VPN component of the Security Gateway
                     • fg — QoS (formerly FloodGate-1)
                     • ha — ClusterXL (High Availability)
                     • os — OS Status
                     • mg — for the Security Management server
                     • persistency — for historical status values
                     • polsrv
                     • uas
                     • svr
                     • cpsemd
                     • cpsead
                     • asm
                     • ls
                     • ca
The following parameters can be added to the application flags:
• fw — "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect",
  "cookies", "chains", "fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin",
  "smtp", "pop3", "sync"
• vpn — "default", "product", "IKE", "ipsec", "traffic", "compression", "accelerator",
  "nic", "statistics", "watermarks", "all"
• fg — "all"
• ha — "default", "all"
• os — "default", "ifconfig", "routing", "memory", "old_memory", "cpu", "disk", "perf",
  "multi_cpu", "multi_disk", "all", "average_cpu", "average_memory", "statistics"
• mg — "default"
• persistency — "product", "Tableconfig", "SourceConfig"
• polsrv — "default", "all"
• uas — "default"
• svr — "default"
• cpsemd — "default"
• cpsead — "default"
• asm — "default", "WS"
• ls — "default"
• ca — "default", "crl", "cert", "user", "all"
Example
> cpstat fw
Policy name: Standard
Install time: Wed Nov 1 15:25:03 2000
Interface table
----------------------------------------
|Name|Dir|Total  |Accept |Deny|Log|
----------------------------------------
|hme0|in |739041 |738990 |51  |7  |
|hme0|out|463525 |463525 | 0  |0  |
----------------------------------------
|    |   |1202566|1202515|51  |7  |
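The interface table that cpstat fw prints is a quick place to notice an interface that has started denying an unusual share of its traffic. The script below is an added example, not part of the guide: it feeds a constructed copy of that table (interface names eth0/eth1 and all counters are made up, laid out like the output above) through a small awk filter and reports every interface whose Deny count exceeds a per-mille threshold of its Total. On a gateway you would pipe the real command into the function instead of the sample.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: flag interfaces in the
# `cpstat fw` interface table whose deny ratio is above a threshold.
# The table below is constructed for this example (names and counters are
# made up, laid out like the guide's output); on a gateway use:
#   cpstat fw | cpstat_deny_ratio 100

SAMPLE_CPSTAT_FW='Policy name: Standard
Install time: Wed Nov 1 15:25:03 2000
Interface table
----------------------------------------
|Name|Dir|Total  |Accept |Deny|Log|
----------------------------------------
|eth0|in |739041 |738990 |51  |7  |
|eth0|out|463525 |463525 | 0  |0  |
|eth1|in |1000   |400    |600 |600|
----------------------------------------
|    |   |1203566|1202915|651 |607|'

# cpstat_deny_ratio <threshold_per_mille>
# Reads cpstat fw output on stdin. For every interface row whose
# Deny/Total exceeds threshold/1000, prints: "<name> <dir> deny=<n> total=<n>".
# The header row, the separator lines and the totals row are skipped.
cpstat_deny_ratio() {
    thr="${1:-100}"
    awk -F'|' -v thr="$thr" '
        NF < 7 { next }                  # not a |-delimited table row
        {
            name = $2; dir = $3; total = $4 + 0; deny = $6 + 0
            gsub(/ /, "", name); gsub(/ /, "", dir)
        }
        name == "Name" || name == "" { next }   # header or totals row
        total > 0 && deny * 1000 / total > thr {
            printf "%s %s deny=%d total=%d\n", name, dir, deny, total
        }'
}

# Runs the filter over the constructed sample (used by the usage line and test).
check_cpstat_sample() {
    printf '%s\n' "$SAMPLE_CPSTAT_FW" | cpstat_deny_ratio "${1:-100}"
}

check_cpstat_sample 100
```

With the default threshold of 100 per mille only eth1 (600 of 1000 packets denied) is reported; lowering the threshold to 0 also reports eth0's 51 denies on the inbound direction. The totals row is recognised by its empty Name cell, so it never skews the result.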

cpstop
Description Terminate all Check Point processes and applications, running on an appliance or
server.
Syntax
> cpstop
> cpstop -fwflag {-proc|-default}
Parameter          Description
-fwflag -proc      Kills Check Point daemons and Security servers while maintaining the
                   active Security Policy running in the kernel. Rules with generic
                   allow/reject/drop rules, based on services continue to work.
-fwflag -default   Kills Check Point daemons and Security servers. The active Security
                   Policy running in the kernel is replaced with the default filter.
Comments
This command cannot be used to terminate cprid. cprid is invoked when the
appliance or server is booted and it runs independently.

cpwd_admin
Description cpwd (also known as WatchDog) is a process that invokes and monitors critical
processes such as Check Point daemons on the local machine, and attempts to restart them if
they fail. Among the processes monitored by Watchdog are cpd, fwd, fwm.
fwd does not work in a Security Management Only machine. To work with fwd in a Security
Management Only machine add -n (for example, fwd -n).
cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition,
monitoring information is written to the console on UNIX platforms, and to the Windows Event
Viewer.
The cpwd_admin utility is used to show the status of processes, and to configure cpwd.
Syntax
> cpwd_admin

cpwd_admin start
Description Start a new process by cpwd.
Syntax
> cpwd_admin start -name <name> -path "<full path>" -command "<executable name>"
Parameter                      Description
-name <name>                   A name for the process to be watched by WatchDog.
-path "<full path>"            The full path to the executable including the executable name
-command "<executable name>"
Example
To start and monitor the fwm process:
> cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"

cpwd_admin stop
Description Stop a process which is being monitored by cpwd.
Syntax
> cpwd_admin stop -name <name> [-path "<full path>"] [-command "<executable name>"]
Parameter                      Description
-name <name>                   A name for the process to be watched by WatchDog.
-path "<full path>"            The full path to the executable (including the executable name) that
                               is used to stop the process.
-command "<executable name>"   The name of the executable file mentioned in -path
Comments
If -path and -command are not stipulated, cpwd will abruptly terminate the
process.
Example
Stops the FWM process using fw kill:
> cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"

cpwd_admin list
Description Print a status of the selected processes being monitored by cpwd.
Syntax
> cpwd_admin list
Output The status report output includes the following information:
• APP — Application. The name of the process.
• PID — Process Identification Number.
• STAT — Whether the process Exists (E) or has been Terminated (T).
• #START — How many times the process has been started since cpwd took control of the
  process.
• START TIME — The last time the process was run.
• COMMAND — The command that cpwd used to start the process.
For example:
#cpwd_admin list
APP   PID   STAT   #START   START_TIME             COMMAND
CPD   463   E      1        [20:56:10] 21/5/2001   cpd
FWD   440   E      1        [20:56:24] 21/5/2001   fwd
FWM   467   E      1        [20:56:25] 21/5/2001   fwm
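The STAT and #START columns are the ones worth watching: a T means cpwd has given up on the process, and a #START count that keeps climbing means a daemon is crash-looping even though it currently shows as E. The script below is an added example, not part of the guide: it parses a constructed cpwd_admin list listing (the PIDs, counts and times are made up, but the columns follow the output above) and reports every application that is terminated or has been restarted more than a chosen number of times.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: parse `cpwd_admin list`
# output and report monitored daemons that cpwd shows as Terminated (STAT T)
# or that cpwd has restarted more than a chosen number of times (#START),
# which is how a crash-looping fwd or fwm shows up. The listing below is
# constructed for this example; on a server use:
#   cpwd_admin list | cpwd_flag_problems 5

SAMPLE_CPWD_LIST='APP   PID   STAT  #START  START_TIME            COMMAND
CPD   463   E     1       [20:56:10] 21/5/2001  cpd
FWD   440   T     6       [20:56:24] 21/5/2001  fwd
FWM   467   E     3       [20:56:25] 21/5/2001  fwm'

# cpwd_flag_problems <max_starts>
# Reads cpwd_admin list output on stdin and prints one line per problem:
#   "<APP> terminated"  or  "<APP> restarted <n> times"
cpwd_flag_problems() {
    max_starts="${1:-5}"
    awk -v max="$max_starts" '
        $1 == "APP" { next }                 # column header line
        NF < 4      { next }                 # blank or truncated line
        {
            app = $1; stat = $3; starts = $4 + 0
            if (stat == "T")
                printf "%s terminated\n", app
            else if (starts > max)
                printf "%s restarted %d times\n", app, starts
        }'
}

# Runs the check over the constructed listing (used by the usage line and test).
check_cpwd_sample() {
    printf '%s\n' "$SAMPLE_CPWD_LIST" | cpwd_flag_problems "${1:-5}"
}

check_cpwd_sample 2
```

The restart threshold is deliberately a parameter: the cpwd no_limit setting described under cpwd_admin config defaults to 5 restarts before cpwd backs off for zero_timeout seconds, so a threshold just below no_limit gives warning before cpwd stops trying.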

cpwd_admin exist
Description Check whether cpwd is alive.
Syntax
> cpwd_admin exist

cpwd_admin kill
Description Terminate cpwd.

Syntax
> cpwd_admin kill

cpwd_admin config
Description Set cpwd configuration parameters. When parameters are changed, these changes
do not take effect until cpwd has been stopped and restarted.
Syntax
> cpwd_admin config {-p|-a <value=data ...>|-d <value ...>|-r}
Parameter   Description
-p          Shows the cpwd parameters added using the config -a option.
-a          Add one or more monitoring parameters to the cpwd configuration.
-d          Delete one or more parameters from the cpwd configuration.
-r          Restore the default cpwd parameters.
These are the descriptions of the <value> parameters:
Value                                 Description
timeout (any value in seconds)        If rerun_mode=1, how much time passes from process failure to
                                      rerun. The default is 60 seconds.
no_limit (any value in seconds)       Maximum number of times that cpwd will try to restart a process.
                                      The default is 5.
zero_timeout (any value in seconds)   After failing no_limit times to restart a process, cpwd will wait
                                      zero_timeout seconds before retrying. The default is 7200 seconds.
                                      Should be greater than timeout.
sleep_mode                            • 1 - wait timeout
                                      • 0 - ignore timeout. Rerun the process immediately
dbg_mode                              • 1 - Accept pop-up error messages (with exit-code#0) displayed
                                        when a process terminates abruptly (Windows NT only).
                                      • 0 - Do not receive pop-up error messages. This is useful if
                                        pop-up error messages freeze the machine. This is the default
                                        (Windows NT only).
rerun_mode                            • 1 - Rerun a failed process. This is the default.
                                      • 0 - Do not rerun a failed process. Perform only monitoring.
stop_timeout                          The time in seconds that cpwd will wait for a stop command to be
                                      completed. Default is 60 seconds.
reset_startups                        Indicates the time in seconds that cpwd waits after the process
                                      begins before it resets the startup_counter. Default value is 1
                                      hour, meaning that an hour after the process begins its startup
                                      counter is reset to 0.
Example
The following example shows two configuration parameters being changed:
timeout to 120 seconds, and no_limit to 10.
C:\>cpwd_admin config -p
WD doesn't have configuration parameters
C:\>cpwd_admin config -a timeout=120 no_limit=12
C:\>cpwd_admin config -p
WD Configuration parameters are:
timeout : 120
no_limit : 12
cpwd_admin config -a timeout=120 no_limit=10
cpwd_admin config -a and cpwd_admin config -d have no effect if cpwd is running. They will affect
cpwd the next time it is run.

disconnect_client
SmartDashboard can connect to a Security Management Server using one of these modes:
• Read/Write - Administrators have full permissions to create or change all objects, settings
  and policies.
• Read Only - Administrators can see all objects, settings and policies, but cannot add, change
  or delete them.
Only one administrator can use SmartDashboard to connect to a Security Management Server in
the Read/Write mode at one time. When an administrator connects in the Read/Write mode, this
prevents other administrators from doing these actions:
• Connecting to the same management in the Read/Write mode
• Creating or changing objects, settings and policies
• Backing up the management server database
• Installing a Security Policy
You can use a special command line utility to disconnect a different SmartDashboard client that is
open in the Read/Write mode.
To remove the database lock, run disconnect_client from the Security Management Server
command line.
For more information, see sk65146 http://supportcontent.checkpoint.com/solutions?id=sk65146

dbedit
Description Edit the objects file on the Security Management server. Editing the objects.C
file on the gateway is not required or desirable, since it will be overwritten the next time a Policy is
installed.
Syntax
> dbedit [-s <server>] [-u <user> | -c <certificate>] [-p <password>] [-f <filename>]
[-r <db-open-reason>] [-help]
Parameter           Description
-s server           The Security Management server on which the objects_5_0.C file
                    to be edited is located. If this is not specified in the command line,
                    then the user will be prompted for it.
                    If the server is not localhost, the user will be required to
                    authenticate.
-u user |           The user's name (the name used for the SmartConsole) or the full
-c certificate      path to the certificate file.
-p password         The user's password (the password used for the SmartConsole).
-f filename         The name of the file containing the commands. If filename is not
                    given, then the user will be prompted for commands.
-r db-open-reason   A non-mandatory flag used to open the database with a string that
                    states the reason. This reason will be attached to audit logs on
                    database operations.
-help               Print usage and short explanation.

dbedit commands:
create [object_type] [object_name]
    Create an object with its default values.
    The create command may use an extended (or "owned") object.
    Changes are committed to the database only by an update or quit command.
modify [table_name] [object_name] [field_name] [value]
    Modify fields of an object which is:
    • stored in the database (the command will lock the object in such case).
    • newly created by dbedit
    Extended Formats for owned objects can be used:
    For example, [field_name] = Field_A:Field_B
update [table_name] [object_name]
    Update the database with the object. This command will check the object validity and
    will issue an error message if appropriate.
delete [table_name] [object_name]
    Delete an object from the database and from the client implicit database.
addelement [table_name] [object_name] [field_name] [value]
    Add an element (of type string) to a multiple field.
rmelement [table_name] [object_name] [field_name] [value]
    Remove an element (of type string) from a multiple field.
rename [table_name] [object_name] [new_object_name]
    Assign a new name for a given object. The operation also performs an update.
    Example: Rename network object London to Chicago.
    rename network_objects london chicago
quit
    Quit dbedit and update the database with modified objects not yet committed.

Example
Replace the owned object with a new null object, where NULL is a reserved word
specifying a null object:
modify network_objects my_obj firewall_setting NULL
Example
Extended Format
firewall_properties owns the object floodgate_preferences.
floodgate_preferences has a Boolean attribute turn_on_logging, which will be set to
true.
modify properties firewall_properties floodgate_preferences:turn_on_logging true
comments is a field of the owned object contained in the ordered container. The 0 value indicates
the first element in the container (zero based index).
modify network_objects my_networkObj interfaces:0:comments my_comment
Replace the owned object with a new one with its default values.
modify network_objects my_net_obj interfaces:0:security interface_security

dbver
Description The dbver utility is used to export and import different revisions of the database.
The properties of the revisions (last time created, administrator responsible for, etc) can be
reviewed. The utility can be found in $FWDIR/bin. Run these commands from Expert mode.
Syntax
dbver> export <version_file_name> <delete | keep>
dbver> import <version_file_name>
dbver> create <version_name> <version_comment>
dbver> delete <version_name>
dbver> print <version_file_name>
dbver> print_all

dbver create
Description Create a revision from the current state of $fwdir/conf, including current
objects, rule bases, and so on.
Syntax
dbver> create <version_name> <version_comment>
Parameter         Description
version_name      The name of the revision.
version_comment   Append a comment to the revision.

dbver export
Description Archive the revision as an archive file in the revisions repository:
$fwdir/conf/db_versions/export.
Syntax
dbver> export <version_file_name> <delete | keep>
Parameter             Description
<version_file_name>   The file name of the exported version.
<delete | keep>       • delete removes the revision from the revisions repository
                      • keep maintains the revision in the revisions repository

dbver import
Description Add an exported revision to the repository from
$fwdir/conf/db_versions/export. Give the file name of the revision as input.
Syntax
dbver> import <version_file_name>
Parameter             Description
<version_file_name>   The file name of the exported version.

dbver print
Description Print the properties of the revision.
Syntax
dbver> print <version_file_name>
Parameter             Description
<version_file_name>   The full name and path on the local machine of the revision.
Output
dbver> print c:\rwright_2002-04-01_160810.tar.gz
Version Id: 1
Version Date: Mon Apr 1 16:08:10 2009
Version Name: save
Created by Administrator: jbrown
Major Version: R75.20
Minor Version: R75.20

dbver print_all
Description Print the properties of all revisions to be found on the server side:
$fwdir/conf/db_versions
Syntax
dbver> print_all

dynamic_objects
Description dynamic_objects specifies an IP address to which the dynamic object will be
resolved on this machine. First, define the dynamic object in the SmartDashboard. Then create the
same object with the CLI (-n parameter). After the new object is created on the gateway with the
CLI, you can use the dynamic_objects command to specify an IP address for the object.
Syntax
# dynamic_objects -o <object> [-r <from IP> <to IP> ...] [-a <from IP> <to IP> ...]
[-d <from IP> <to IP> ...] [-l] [-n <object>] [-c]
Parameter                  Description
-o <object>                The name of the object, as defined in SmartDashboard and the
                           dynamic_objects -n <object> command.
-r <from IP> <to IP> ...   Address ranges — one or more "from IP address to IP address" pairs
-a <from IP> <to IP> ...   Add ranges to object
-d <from IP> <to IP> ...   Delete range from object
-l                         List dynamic objects
-n <object>                Create new object (if Security Gateway is not running)
-c                         Compare the objects in the dynamic objects file and in objects.C.
-do object_name            Delete object
Example
Create a new dynamic object named "bigserver" and add to it the IP address range
192.0.2.1-192.0.2.40:
dynamic_objects -n bigserver -r 192.0.2.1 192.0.2.40 -a
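Because the ranges passed with -r go straight into the gateway's resolution of the object, a reversed pair or a mistyped octet widens or breaks the match for every rule that uses the object. The script below is an added example, not part of the guide: it checks each "from to" pair for a valid dotted-quad and for from <= to before assembling the dynamic_objects -o ... -r ... -a command line in the form shown above. The object name bigserver and the addresses are constructed; the add_ranges wrapper only prints the command unless DRY_RUN is set to 0, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: validate "from to" IPv4
# range pairs before handing them to `dynamic_objects -o <object> -r ... -a`,
# so a typo is rejected locally instead of being written into the object.
# Object name and addresses below are constructed for the example.

# ip4_to_int <a.b.c.d>: print the address as a 32-bit integer, or return 1
# if it is not a valid dotted quad (wrong octet count, non-digits, octet > 255).
ip4_to_int() {
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    printf '%s\n' "$n"
}

# validate_ranges <from1> <to1> [<from2> <to2> ...]
# Returns 0 if every pair is a valid, ordered IPv4 range; otherwise reports the
# offending pair on stderr and returns 1.
validate_ranges() {
    [ $(( $# % 2 )) -eq 0 ] || { echo "odd number of addresses" >&2; return 1; }
    while [ $# -gt 0 ]; do
        from=$(ip4_to_int "$1") || { echo "bad address: $1" >&2; return 1; }
        to=$(ip4_to_int "$2")   || { echo "bad address: $2" >&2; return 1; }
        [ "$from" -le "$to" ]   || { echo "range reversed: $1 $2" >&2; return 1; }
        shift 2
    done
}

# add_ranges <object> <from> <to> [<from> <to> ...]
# Validates the pairs, then builds the command line in the guide's form.
# With DRY_RUN unset or 1 the command is printed instead of executed.
add_ranges() {
    obj="$1"; shift
    validate_ranges "$@" || return 1
    cmd="dynamic_objects -o $obj"
    while [ $# -gt 0 ]; do cmd="$cmd -r $1 $2"; shift 2; done
    cmd="$cmd -a"
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
}

add_ranges bigserver 192.0.2.1 192.0.2.40
```

The same validate_ranges check can sit in front of the -d form when ranges are removed, since that form takes the same pairs.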

fw
Description The fw commands are used for working with various aspects of the firewall. All fw
commands are executed on the Check Point Security Gateway.
Typing fw at the command prompt sends a list of available fw commands to the standard output.
Syntax
> fw

fw -i
Description Generally, when Check Point Security gateway commands are executed on a
Security gateway they will relate to the gateway as a whole, rather than to an individual kernel
instance. For example, the fw tab command will enable viewing or editing of a single table of
information aggregated for all kernel instances.
This command specifies that certain commands apply to an individual kernel instance, by adding
-i <instance> after fw in the command, where <instance> is the kernel instance's number.
Syntax
> fw -i applies to the following commands:
> fw ctl debug (when used without the -buf parameter)
> fw ctl get
> fw ctl set
> fw ctl leak
> fw ctl pstat
> fw monitor
> fw tab
For details and additional parameters for any of these commands, refer to the command's entry.
Example
To view the connections table for kernel instance #1 use the following command:
> fw -i 1 tab -t connections

fw ctl
Description The fw ctl command controls the Firewall kernel module.
Syntax
fw ctl {install|uninstall}
fw ctl debug [-m <module>] [+|-] {options | all | 0}
fw ctl debug -buf [buffer size]
fw ctl kdebug
fw ctl pstat [-h][-k][-s][-n][-l]
fw ctl iflist
fw ctl arp [-n]
fw ctl block {on|off}
fw ctl chain
fw ctl conn
Parameter             Description
{install|uninstall}   • uninstall — tells the operating system to stop passing packets to the
                        Security Gateway, and unloads the Security Policy. The networks behind it
                        become unprotected.
                      • install — tells the operating system to start passing packets to the
                        Security Gateway. The command fw ctl install runs automatically when
                        cpstart is performed.
                      Note - If you run fw ctl uninstall followed by fw ctl install, the
                      Security Policy is not restored.
debug                 Generate debug messages to a buffer. See fw ctl debug (on page 63).
kdebug                Reads the debug buffer and obtains the debug messages. If there is no debug
                      buffer, the command will fail.
                      • [-f] read the buffer every second and print the messages, until Ctrl-C is
                        pressed. Otherwise, read the current buffer contents and end.
                      • [-t/-T] print the time field (seconds/microseconds)
                      • [-p] to print specific fields
                        all|proc|pid|date|mid|type|freq|topic|time|ticks|tid|text|err|host|vsid|cpu
                      • [-m] - number of cyclic files, [-s] - size of each
pstat [-h][-k][-s]    Displays Security Gateway internal statistics:
[-n][-l]              -h — Generates additional hmem details.
                      -k — Generates additional kmem details.
                      -s — Generates additional smem details.
                      -n — Generates NDIS information (Windows only).
                      -l — Generates general Security Gateway statistics.
iflist                Displays the IP interfaces known to the kernel, by name and internal number.
arp [-n]              Displays the ARP proxy table.
                      -n — Do not perform name resolution.
block {on|off}        on — Blocks all traffic.
                      off — Restores traffic and the Security Policy.
chain                 Prints the names of internal Security Gateways that deal with packets. Use to
                      ensure that a gateway is loaded. The names of these gateways can be used in
                      the fw monitor -p command.
conn                  Prints the names of the connection modules.

fw ctl debug
Description

Generate debug messages to a buffer.

Syntax A number of debug options are available:
fw ctl debug -buf [buffer size]
fw ctl debug [-m ] [+ | -] {options|all|0}
fw ctl debug 0
fw ctl debug [-d ]
fw ctl debug [-d ]
fw ctl debug [-s ]
fw ctl debug -h
fw ctl debug -x



Parameter

Description

-buf [buffer size]

Allocates a buffer of size kilobytes (default 128) and starts collecting
messages there. If the -buf argument is not set, the debug
messages are printed to the console.

-m

Specify the Security Gateway module you wish to debug. The default
module is fw.
For example: fw ctl debug -m VPN all

[+ | -]

Sets or resets debug flags for the requested gateway.
• If + is used, the specified flags are set, and the rest remain as
they were.
• If - is used, the specified flags are reset, and the rest remain as
they were.
• If neither + nor - is used, the specified flags are set and the
rest are reset.

-h

Print a list of debug modules and flags.

0

Returns all flags in all gateways to their default values, and releases the
debug buffer (if there was one).

-d

Only lines containing these strings are included in the output.
(Available in R70 or higher)

-d

Lines containing these strings are omitted from the output.
(Available in R70 or higher)
For example:
fw ctl debug -d error,failed,^packet
Output shows only lines containing the words "error" or "failed" and
not the word "packet".

-s

Stop debug messages when a certain string is issued. (Available in
R70 or higher)
For example: fw ctl debug -s error

-x

Shuts down the debug.
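
The flag-setting rule for [+ | -] and the -d/-s filters above are easy to get wrong in a long debug session, because a filter mistake either floods the buffer or silently hides the line you are looking for. The following Python model is an added example, not Check Point code and not part of this guide: it reproduces the documented semantics on constructed debug lines and constructed flag names (alpha, beta, gamma) so that a filter expression can be checked before it is applied on a gateway. Whether the line matching the -s string is itself emitted is not documented; the model assumes it is not.

```python
"""Model of the fw ctl debug flag and filter rules described above.

Added example, not Check Point code: it reproduces the documented semantics
of [+ | -], -d and -s on constructed input so the effect of a filter can be
checked before it is applied on a gateway. Flag names and debug lines below
are constructed for illustration.
"""
from typing import Iterable, List, Set, Tuple


def apply_debug_flags(current: Iterable[str], sign: str, flags: Iterable[str]) -> Set[str]:
    """Apply the [+ | -] rule to the set of currently enabled flags.

    '+' sets the named flags and leaves the rest unchanged, '-' resets the
    named flags and leaves the rest unchanged, and no sign sets the named
    flags and resets every other flag.
    """
    current = set(current)
    flags = set(flags)
    if sign == "+":
        return current | flags
    if sign == "-":
        return current - flags
    return flags


def parse_d_filter(spec: str) -> Tuple[List[str], List[str]]:
    """Split a -d specification such as "error,failed,^packet" into
    (include, exclude) term lists; a leading '^' marks an exclusion term."""
    include: List[str] = []
    exclude: List[str] = []
    for term in spec.split(","):
        term = term.strip()
        if not term:
            continue
        if term.startswith("^"):
            exclude.append(term[1:])
        else:
            include.append(term)
    return include, exclude


def filter_debug_lines(lines: Iterable[str], d_spec: str = "", stop: str = "") -> List[str]:
    """Apply -d include/exclude terms and an optional -s stop string.

    A line is kept when it contains at least one include term (or no include
    terms were given) and contains none of the exclude terms. Output stops at
    the first line containing the -s string; that the stop line itself is not
    emitted is an assumption of this model, not a documented detail.
    """
    include, exclude = parse_d_filter(d_spec)
    kept: List[str] = []
    for line in lines:
        if stop and stop in line:
            break
        if include and not any(term in line for term in include):
            continue
        if any(term in line for term in exclude):
            continue
        kept.append(line)
    return kept


# Constructed sample debug output; not captured from a real gateway.
SAMPLE_DEBUG = [
    "fw: packet accepted on eth0",
    "fw: error parsing packet header",
    "vpn: tunnel setup failed",
    "fw: error in rule lookup",
    "fw: policy install ok",
]

if __name__ == "__main__":
    # Equivalent of: fw ctl debug + gamma, starting from alpha and beta enabled
    print(sorted(apply_debug_flags({"alpha", "beta"}, "+", ["gamma"])))
    # Equivalent of: fw ctl debug -d error,failed,^packet
    for line in filter_debug_lines(SAMPLE_DEBUG, "error,failed,^packet"):
        print(line)
```

Note that the second sample line contains both "error" and "packet": the include term matches, but the exclusion wins, which is exactly the behaviour the -d example in the table describes.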

fw ctl affinity
fw ctl affinity -s
Description Sets CoreXL affinities when using multiple processors. For an explanation of
kernel, daemon and interface affinities, see the R77 Performance Tuning Administration Guide
http://supportcontent.checkpoint.com/documentation_download?ID=24808.
fw ctl affinity -s settings are not persistent through a restart of the Security Gateway. If you
want the settings to be persistent, either:
• use sim affinity (a Performance Pack command)
• or edit the fwaffinity.conf configuration file

To set interface affinities, you should use fw ctl affinity only if Performance Pack is not
running. If Performance Pack is running, you should set affinities by using the Performance Pack
sim affinity command. These settings will be persistent. If Performance Pack's sim
affinity is set to Automatic mode (even if Performance Pack was subsequently disabled), you
will not be able to set interface affinities by using fw ctl affinity -s.
Note - The fw ctl affinity command is different for a VSX Gateway and a
Security Gateway:
• VSX Gateway - Use the -d parameter to save the CoreXL affinity settings after
you reboot it
• Security Gateway - The CoreXL affinity settings are not saved after you reboot
it

Syntax
> fw ctl affinity -s  
 is one of the following parameters:
Parameter

Description

-p

Sets affinity for a particular process, where  is the process ID#.

-n

Sets affinity for a Check Point daemon, where  is the Check
Point daemon name (for example: fwd).

-k

Sets affinity for a kernel instance, where  is the instance's
number.

-i

Sets affinity for an interface, where  is the interface
name (for example: eth0).

 should be a processing core number or a list of processing core numbers. To have no
affinity to any specific processing core,  should be: all.
Note - Setting an Interface Affinity will set the affinities of all interfaces sharing the
same IRQ to the same processing core. To view the IRQs of all interfaces, run: fw ctl
affinity -l -v -a .
Example

To set kernel instance #3 to run on processing core #5, run:

> fw ctl affinity -s -k 3 5

fw ctl affinity -l
Description Lists existing CoreXL affinities when using multiple processors. For an explanation
of kernel, daemon and interface affinities, see the R77 Performance Tuning Administration Guide
http://supportcontent.checkpoint.com/documentation_download?ID=24808.
Syntax
> fw ctl affinity -l [] []

If  is omitted, fw ctl affinity -l lists affinities of all Check Point
daemons, kernel instances and interfaces. Otherwise,  is one of the
following parameters:
Parameter

Description

-p

Displays the affinity of a particular process, where  is the
process ID#.

-n

Displays the affinity of a Check Point daemon, where  is the
Check Point daemon name (for example: fwd).

-k

Displays the affinity of a kernel instance, where  is the
instance's number.

-i

Displays the affinity of an interface, where  is the
interface name (for example: eth0).

If  is omitted, fw ctl affinity -l lists items with specific affinities, and their
affinities. Otherwise,  is one or more of the following parameters:
Parameter

Description

-a

All: includes items without specific affinities.

-r

Reverse: lists each processing core and the items that have it as their
affinity.

-v

Verbose: list includes additional information.

Example
To list complete affinity information for all Check Point daemons, kernel instances
and interfaces, including items without specific affinities, and with additional information, run:
> fw ctl affinity -l -a -v

fw ctl engine
Description

Enables the INSPECT2C engine, which dynamically converts INSPECT code to C
code.

Run the command on the Check Point Security Gateway.
Syntax
> fw ctl engine {on|off|stat|setdefault}
Parameter

Description

on

Compile the engine if necessary, and activate it.
Because the engine may not have been previously compiled, turning the engine
ON may not activate it immediately. Instead, the engine is activated in the
background after the compilation.
After turning the engine ON, the engine recompiles and reactivates itself every
policy installation regardless of the values of inspect2c_compile and
inspect2c_activate.

off

Deactivates the engine if active. Subsequent policy installation on the gateway
does NOT auto-activate the engine unless the command is used again.

stat

Print the status of the engine. For example: "During compilation", "Before
auto-activation", "Deactivated".

setdefault

Restore control to database settings. Security Management server settings are
ignored.
At the next policy installation, return the control of the engine to the values of
the following gateway database attributes:
• inspect2c_compile (true/false) - controls whether or not the engine is
compiled on the gateway during policy installation. Compilation is performed
in the background and may take a few minutes.
• inspect2c_activate (true/false) - controls whether the engine is
automatically activated after it is compiled. When set to true, the engine is
compiled regardless of the value of inspect2c_compile.

Use GuiDBEdit to change the values of the attributes.

fw ctl multik stat
Description Displays multi-kernel statistics for each kernel instance. The state and processing
core number of each instance is displayed, along with:
• The number of connections currently being handled
• The peak number of concurrent connections the instance has handled since its inception

fw ctl sdstat
Description The IPS performance counters measure the percentage of CPU consumed by each
IPS protection. The measurement itself is divided according to the type of protection: Pattern
based protections or INSPECT based protections. In addition, the IPS counters measure the
percentage of CPU used by each section ("context") of the protocol, and each protocol parser.
Syntax
> fw ctl zdebug >& outputfile
> fw ctl sdstat start
> fw ctl sdstat stop
Parameter

Description

fw ctl zdebug >& outputfile

Turn on debug mode and specify an output file.

fw ctl sdstat start

Activate the IPS counters

fw ctl sdstat stop

Print a report and stop the counters.

Example

The workflow is as follows:

Run the following commands on the Check Point Security Gateway (version R70 or higher):

On the Check Point Security Gateway:
• Run fw ctl zdebug >& outputfile
• Run fw ctl sdstat start
Let the counters run. However, do not leave the counters on for more than 10 minutes.
• Run fw ctl sdstat stop
It is important to stop the counters explicitly, otherwise there may be a performance penalty.
This generates the output file outputfile that must be processed on the Security Management
Server (SecurePlatform only).
On the Security Management Server:
• From $FWDIR/script, run the script
./sdstat_analyse.csh outputfile

The output of the script is a report in csv format that can be viewed in Microsoft Excel.
If there is a problem in the report, or if more details are needed, a debug flag is available which
prints extra information to outputfile.
• Run fw ctl zdebug + spii >& outputfile


Example Debug Message

Explanation

sdstat_get_stats_all_instances : Smart Defense report objects are not
initalized, hence no report can be done.

User tried to create a report without initializing the counters,
or an error occurred during initialization and the user then
tried to print a report.

FW-1 sdstats_print_report: Failed to calculate Smart Defense
(total_smart_defense is 0)

The measurement process failed and the total time units for
IPS is zero.

Comments
1. A value in the report of "< 1" means that the percentage of CPU used by a protection is less
than 1%.
2. The report generated by the sdstat_analyse script may contain a number instead of a
protection name. This is because the original output contains a signature id, but the id is
missing from the Security Policy on the Gateway.

fw fetch
Description

Fetches the Inspection Code from the specified host and installs it to the kernel.

Syntax
> fw fetch [-n] [-f ] [-c] [-i] master1 [master2] ...


Parameter

Description

-n

Fetch the Security Policy from the Security Management server to the
local state directory, and install the Policy only if the fetched Policy is
different from the Policy already installed.

-f 

Fetch the Security Policy from the Security Management server listed in
. If filename is not specified, the list in
conf/masters is used.

-c

Cluster mode, get policy from one of the cluster members, from the
Check Point High Availability (CPHA) kernel list.

-i

Ignore SIC information (for example, SIC name) in the database and use
the information in conf/masters. This option is used when a Security
Policy is fetched for the first time by a DAIP gateway from a Security
Management server with a changed SIC name.

master1

Execute command on the designated master.
The IP address of the Security Management Server from which to fetch
the Policy. You can specify one or more servers, which will be searched in
the order listed.
If no target is specified, or if the targets are inaccessible, the Policy is
fetched from localhost.

fw fetchlogs
Description fw fetchlogs fetches Log Files from a remote machine. You can use the fw
fetchlogs command to transfer Log Files to the machine on which the fw fetchlogs
command is executed. The Log Files are read from and written to the directory $FWDIR/log.
Syntax
> fw fetchlogs [[-f ] ... ] 
Parameter

Description

-f


The Log Files to be transferred. The file name can include wildcards. In
Solaris, any file containing wildcards should be enclosed in quotes.
The default parameter is *.log.
Related pointer files will automatically be fetched.



The name of the remote machine from where you transfer the Log Files.

Comments
The files transferred by the fw fetchlogs command are MOVED from the source
machine to the target machine. This means that they are deleted from the source machine once
they have been successfully copied.
Fetching Current Log Data
The active Log File (fw.log) cannot be fetched. If you want to fetch the most recent log data,
proceed as follows:
• Run \ to close the currently active Log File and open a new one.
• Run fw lslogs to see the newly-generated file name.
• Run fw fetchlogs -f filename to transfer the file to the machine on which the fw
fetchlogs command is executed. The file is now available for viewing in the SmartView
Tracker.

After a file has been fetched, it is renamed. The gateway name and the original Log File name are
concatenated to create a new file name. The new file name consists of the gateway name and the
original file name separated by two (underscore) _ _ characters.
Example
The following command:
> fw fetchlogs -f 2001-12-31_123414.log module3
fetches the Log File 2001-12-31_123414.log from Module3.
After the file has been fetched, the Log File is renamed:
module3_ _2001-12-31_123414.log

fw hastat
Description The fw hastat command displays information about High Availability machines
and their states.
Syntax
> fw hastat []
Parameter

Description



A list of machines whose status will be displayed. If target is not specified, the
status of the local machine will be displayed.

fw isp_link
Description

Takes down (or up) a redundant ISP link.

Syntax
> fw isp_link []  {up|down}
Parameter

Description

target

The name of the Check Point Security Gateway.

link-name

The name of the ISP link as defined in the ISP-redundancy tab.

Comments
This command can be executed locally on the Check Point Security Gateway or
remotely from the Security Management server. In the latter case, the target argument must be
supplied. For this command to work, the Check Point Security Gateway should be using the ISP
redundancy feature.

fw kill
Description Prompts the kernel to shut down all firewall daemon processes. The command is
located in the $FWDIR/bin directory on the Security Management server or gateway machine.

The firewall daemons and Security servers write their pids to files in the $FWDIR/tmp
directory upon startup. These files are named $FWDIR/tmp/daemon_name.pid. For
example, the file containing the pid of the firewall snmp daemon is: $FWDIR/tmp/snmpd.pid.
Syntax
> fw kill [-t ] 
Parameter

Description

-t 

This Unix only command specifies that if the file
$FWDIR/tmp/proc-name.pid exists, send signal sig_no to the pid given
in the file.
If no signal is specified, signal 15 (sigterm or the terminate command) is sent.



Prompt the kernel to shut down specified firewall daemon processes.

Comments
In Windows, only the default syntax is supported: fw kill proc_name. If the -t
option is used it is ignored.

fw lea_notify
Description Send a LEA_COL_LOGS event to all connected lea clients, see the LEA Specification
documentation. It should be used after new log files have been imported (manually or
automatically) to the $FWDIR/log directory in order to avoid the scheduled update which takes 30
minutes.
This command should be run from the Security Management server.
Syntax
> fw lea_notify

fw lichosts
Description Print a list of hosts protected by Security Gateway products. The list of hosts is in
the file $fwdir/database/fwd.h
Syntax
> fw lichosts [-x] [-l]
Parameter

Description

-x

Use hexadecimal format

-l

Use long format

fw log
Description

fw log displays the content of Log files.

Syntax
> fw log [-f [-t]] [-n] [-l] [-o] [-c ] [-h ] [-s ]
[-e ] [-b  ] [-u ] [-m
{initial|semi|raw}] [-a] [-k {alert_name|all}] [-g] [logfile]

Parameter

Description

-f [-t]

After reaching the end of the currently displayed file, do not exit (the
default behavior), but continue to monitor the Log file indefinitely
and display it while it is being written.
The -t parameter indicates that the display is to begin at the end of
the file, in other words, the display will initially be empty and only
new records added later will be displayed.
-t must come with a -f flag. These flags are relevant only for active
files.

-n

Do not perform DNS resolution of the IP addresses in the Log file
(the default behavior). This option significantly speeds up the
processing.

-l

Display both the date and the time for each log record (the default is
to show the date only once above the relevant records, and then
specify the time per log record).

-o

Show detailed log chains (all the log segments a log record consists
of).

-c 

Display only events whose action is action, that is, accept, drop,
reject, authorize, deauthorize, encrypt and decrypt.
Control actions are always displayed.

-h 

Display only log whose origin is the specified IP address or name.

-s 

Display only events that were logged after the specified time (see
time format below). starttime may be a date, a time, or both. If
date is omitted, then today's date is assumed.

-e 

Display only events that were logged before the specified time (see
time format below). endtime may be a date, a time, or both.

-b 


Display only events that were logged between the specified start and
end times (see time format below), each of which may be a date, a
time, or both. If date is omitted, then today's date is assumed. The
start and end times are expected after the flag.

-u


Unification scheme file name.


-m

This flag specifies the unification mode.
• initial - the default mode, specifying complete unification of
log records; that is, output one unified record for each id. This is
the default.
When used together with -f, no updates will be displayed, but
only entries relating to the start of new connections. To display
updates, use the semi parameter.
• semi - step-by-step unification, that is, for each log record,
output a record that unifies this record with all
previously-encountered records with the same id.
• raw - output all records, with no unification.

-a

Output account log records only.

-k {|all}

Display only events that match a specific alert type. The default is
all, for any alert type.

-g

Do not use a delimited style. The default is:
• : after field name
• ; after field value

logfile

Use logfile instead of the default Log file. The default Log File is
$FWDIR/log/fw.log.

The full date and time format is: MMM DD, YYYY HH:MM:SS. For example: May 26, 1999
14:20:00
It is possible to specify the date only, in the format MMM DD, YYYY, or the time only, in the
format HH:MM:SS. Where only the time is specified, the current date is assumed.
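The time-argument rules above (full date and time, date only, or time only with today's date assumed) and the -c, -h, -s and -e filters are the parts of fw log an analyst reaches for most during an incident, so it helps to see them modelled end to end. The following Python reader is an added example, not Check Point code and not part of this guide. It assumes records in the default delimited style described for -g (each field written as "name: value;"); the field names it uses (date, time, action, orig, src, dst, service) are chosen for illustration, and the sample records are constructed rather than captured from a gateway. Treating the -s/-e bounds as inclusive is this model's assumption.

```python
"""Reader for fw log text output, filtered the way -s, -e, -c and -h describe.

Added example, not Check Point code. Assumptions: records are in the default
delimited style described for -g (each field written as "name: value;"), the
field names below (date, time, action, orig, src, dst, service) are chosen
for illustration, and the sample records are constructed, not captured from
a gateway. Time arguments use the documented format "MMM DD, YYYY HH:MM:SS",
date only ("MMM DD, YYYY") or time only ("HH:MM:SS", today assumed).
"""
from datetime import date, datetime
from typing import Dict, List, Optional

FULL_FMT = "%b %d, %Y %H:%M:%S"
DATE_FMT = "%b %d, %Y"
TIME_FMT = "%H:%M:%S"


def parse_time_arg(arg: str, today: Optional[date] = None) -> datetime:
    """Parse a -s/-e/-b argument: full date and time, date only (midnight),
    or time only placed on `today` (the current date by default)."""
    today = today or date.today()
    for fmt in (FULL_FMT, DATE_FMT):
        try:
            return datetime.strptime(arg, fmt)
        except ValueError:
            continue
    return datetime.combine(today, datetime.strptime(arg, TIME_FMT).time())


def parse_record(line: str) -> Dict[str, str]:
    """Split one "name: value; name: value;" line into a dict. Partitioning on
    ": " (colon + space) keeps values such as 14:20:00 intact."""
    record: Dict[str, str] = {}
    for field in line.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition(": ")
        if sep:
            record[name.strip()] = value.strip()
    return record


def record_time(record: Dict[str, str]) -> datetime:
    """Combine the date and time fields into one datetime."""
    return datetime.strptime(f"{record['date']} {record['time']}", FULL_FMT)


def filter_records(records: List[Dict[str, str]], start: Optional[datetime] = None,
                   end: Optional[datetime] = None, action: Optional[str] = None,
                   origin: Optional[str] = None) -> List[Dict[str, str]]:
    """Keep records inside [start, end] (inclusive, an assumption of this
    model) whose action (-c) and origin (-h) match when those are given."""
    kept: List[Dict[str, str]] = []
    for rec in records:
        when = record_time(rec)
        if start and when < start:
            continue
        if end and when > end:
            continue
        if action and rec.get("action") != action:
            continue
        if origin and rec.get("orig") != origin:
            continue
        kept.append(rec)
    return kept


# Constructed sample output in the default delimited style.
SAMPLE_LOG = """\
date: May 25, 1999; time: 23:59:00; action: accept; orig: gw1; src: 10.1.1.5; dst: 10.2.2.9; service: http;
date: May 26, 1999; time: 14:20:00; action: drop; orig: gw1; src: 10.1.1.7; dst: 10.2.2.9; service: telnet;
date: May 26, 1999; time: 16:05:12; action: reject; orig: gw2; src: 10.1.1.8; dst: 10.2.2.9; service: ftp;
date: May 27, 1999; time: 08:00:00; action: accept; orig: gw2; src: 10.1.1.5; dst: 10.2.2.10; service: https;
"""

RECORDS = [parse_record(line) for line in SAMPLE_LOG.splitlines()]

if __name__ == "__main__":
    # Equivalent of: fw log -s "May 26, 1999" -c reject
    for rec in filter_records(RECORDS, start=parse_time_arg("May 26, 1999"), action="reject"):
        print(rec["time"], rec["action"], rec["src"], "->", rec["dst"])
```

A time-only argument such as 16:00:00 is anchored to whatever date the reader passes as `today`, which is the same reason the guide's own example `fw log -f -s 16:00:00` means "today at 16:00" rather than a fixed instant.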
Example
> fw log
> fw log | more
> fw log -c reject
> fw log -s "May 26, 1999"
> fw log -f -s 16:00:00


Output []