checkpoint r65 cli reference guide
Post on 06-Apr-2018
8/3/2019 Checkpoint R65 CLI Reference Guide
Command Line Interface Reference Guide
Version NGX R65
February 2007
2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
Contents
Preface
    Who Should Use This Guide
    Summary of Contents
    Related Documentation
    More Information
    Feedback
Chapter 1 Introduction to the CLI
    Introduction
    General Information
        Debugging SmartConsole Clients
Chapter 2 SmartCenter and Firewall Commands
    comp_init_policy
    cp_admin_convert
    cpca_client
        cpca_client create_cert
        cpca_client revoke_cert
        cpca_client set_mgmt_tools
    cp_conf
        cp_conf sic
        cp_conf admin
        cp_conf ca
        cp_conf finger
        cp_conf lic
        cp_conf client
        cp_conf ha
        cp_conf snmp
        cp_conf auto
        cp_conf sxl
    cpconfig
    cplic
        cplic check
        cplic db_add
        cplic db_print
        cplic db_rm
        cplic del
        cplic del
        cplic get
        cplic put
        cplic put ...
        cplic print
        cplic upgrade
    cp_merge
        cp_merge delete_policy
        cp_merge export_policy
        cp_merge import_policy and cp_merge restore_policy
        cp_merge list_policy
    cppkg
        cppkg add
        cppkg delete
        cppkg get
        cppkg getroot
        cppkg print
        cppkg setroot
    cpridrestart
    cpridstart
    cpridstop
    cprinstall
        cprinstall boot
        cprinstall cprestart
        cprinstall cpstart
        cprinstall cpstop
        cprinstall get
        cprinstall install
        cprinstall stop
        cprinstall uninstall
        cprinstall upgrade
        cprinstall verify
        cprinstall verify_upgrade
    cpstart
    cpstat
    cpstop
    cpwd_admin
        cpwd_admin start
        cpwd_admin stop
        cpwd_admin list
        cpwd_admin exist
        cpwd_admin kill
        cpwd_admin config
    dbedit
    dbver
        dbver create
        dbver export
        dbver import
        dbver print
        dbver print_all
    dynamic_objects
    fw
        fw ctl
        fw expdate
        fw fetch
        fw fetchlogs
        fw isp_link
        fw kill
        fw lea_notify
        fw lichosts
        fw log
        fw logswitch
        fw mergefiles
        fw monitor
        fw lslogs
        fw putkey
        fw repairlog
        fw sam
        fw stat
        fw tab
        fw ver
    fwm
        fwm dbimport
        fwm dbexport
        fwm dbload
        fw hastat
        fwm ikecrypt
        fwm load
        fwm lock_admin
        fwm logexport
        fwm sic_reset
        fwm unload
        fwm ver
    GeneratorApp
    inet_alert
    ldapcmd
    ldapcompare
    ldapconvert
    ldapmodify
    ldapsearch
        scc restartsc
        scc passcert
        scc setmode
        scc setpolicy
        scc sp
        scc startsc
        scc status
        scc stopsc
        scc suppressdialogs
        scc userpass
        scc ver
Chapter 6 ClusterXL Commands
    cphaconf
    cphaprob
    cphastart
    cphastop
Preface
In This Chapter
Who Should Use This Guide
Summary of Contents
Related Documentation
More Information
Feedback
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of:
- System administration.
- The underlying operating system.
- Internet protocols (IP, TCP, UDP etc.).
Summary of Contents
This guide contains the following chapters:

| Chapter | Description |
|---|---|
| Chapter 1, Introduction to the CLI | Purpose of this guide, and how to debug SmartConsole clients. |
| Chapter 2, SmartCenter and Firewall Commands | Commands for controlling the SmartCenter server and the firewall components of the SmartCenter server and of Check Point gateways. |
| Chapter 3, VPN Commands | The vpn command and its subcommands, used for controlling the VPN component of Check Point gateways. |
| Chapter 4, SmartView Monitor Commands | The rtm command and its subcommands, used to execute SmartView Monitor operations. |
| Chapter 5, SecureClient Commands | The scc command and its subcommands are VPN commands that are executed on SecureClient. They are used to generate status information, stop and start services, or connect to defined sites using specific user profiles. |
| Chapter 6, ClusterXL Commands | Commands used for controlling, monitoring and troubleshooting ClusterXL gateway clusters. |
Related Documentation
The NGX R65 release includes the following documentation:

TABLE P-1 VPN-1 Power documentation suite documentation

| Title | Description |
|---|---|
| Internet Security Product Suite Getting Started Guide | Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What's New, Licenses, Minimum hardware and software requirements, etc. |
| Upgrade Guide | Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. |
| SmartCenter Administration Guide | Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. |
| Firewall and SmartDefense Administration Guide | Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. |
| Virtual Private Networks Administration Guide | This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure. |
| Eventia Reporter Administration Guide | Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. |
| SecurePlatform/SecurePlatform Pro Administration Guide | Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols. |
| Provider-1/SiteManager-1 Administration Guide | Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments. |
TABLE P-2 Integrity Server documentation

| Title | Description |
|---|---|
| Integrity Advanced Server Installation Guide | Explains how to install, configure, and maintain the Integrity Advanced Server. |
| Integrity Advanced Server Administrator Console Reference | Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system. |
| Integrity Advanced Server Administrator Guide | Explains how to manage administrators and endpoint security with Integrity Advanced Server. |
| Integrity Advanced Server Gateway Integration Guide | Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package. |
| Integrity Advanced Server System Requirements | Provides information about client and server requirements. |
| Integrity Agent for Linux Installation and Configuration Guide | Explains how to install and configure Integrity Agent for Linux. |
| Integrity XML Policy Reference Guide | Provides the contents of Integrity client XML policy files. |
| Integrity Client Management Guide | Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior. |
More Information
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.
See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents
Chapter 1
Introduction to the CLI
In This Chapter
Introduction
General Information
Introduction
This guide documents the Command Line Interface (CLI) commands across different Check Point Products and features. The commands are documented according to the product for which they are used.
Within each product chapter, the commands are arranged alphabetically.
For Provider-1/SiteManager-1 line commands, see the Provider-1/SiteManager-1 Administration Guide.
For QoS line commands, see the QoS Administration Guide.
For SmartLSM line commands, see the SmartLSM Administration Guide.
General Information
Debugging SmartConsole Clients
It is possible to obtain debugging information on any of the SmartConsole clients by running these clients in a debug mode. You can save the debug information in a default text file, or you can specify another file in which this information should be saved.
Usage: -d -o
Syntax:

| parameter | meaning |
|---|---|
| -d | enter the debug mode. If -o is omitted, debug information is saved into a file with the default name:_debug_output.txt. |
| -o | This optional parameter, followed by a file name indicates in which text file debug information should be saved. |
Chapter 2
SmartCenter and Firewall Commands
In This Chapter
comp_init_policy
cp_admin_convert
cpca_client
cp_conf
cpconfig
cplic
cp_merge
cppkg
cpridrestart
cpridstart
cpridstop
cprinstall
cpstart
cpstat
cpstop
cpwd_admin
dbedit
dbver
dynamic_objects
fw
fwm
GeneratorApp
inet_alert
ldapcmd
ldapcompare
ldapconvert
ldapmodify
ldapsearch
log_export
queryDB_util
rs_db_tool
sam_alert
svr_webupload_config

comp_init_policy
Description Use the comp_init_policy command to generate and load, or to remove, the Initial Policy.
Usage $FWDIR/bin/comp_init_policy [-u | -g]
Syntax

| Argument | Description |
|---|---|
| -u | Removes the current Initial Policy, and ensures that it will not be generated in future when cpconfig is run. |
| -g | Can be used if there is no Initial Policy. If there is, make sure that after removing the policy, you delete the $FWDIR\state\local\FW1\ folder. Generates the Initial Policy and ensures that it will be loaded the next time a policy is fetched (at cpstart, or at next boot, or via the fw fetch localhost command). After running this command, cpconfig will add an Initial Policy when needed. |

The comp_init_policy -g command will only work if there is no previous Policy.
If you perform the following commands:

    comp_init_policy -g + fw fetch localhost
    comp_init_policy -g + cpstart
    comp_init_policy -g + reboot

The original policy will still be loaded.

cp_admin_convert
Description Use this command to automatically export administrator definitions that were created in cpconfig to SmartDashboard.
Usage cp_admin_convert
After running the command, the system will allow you to choose administrators for export from among the defined administrators.

cpca_client
Description This command and all its derivatives are used to execute operations on the ICA.
Usage cpca_client
In This Section
cpca_client create_cert

cpca_client create_cert
Description This command prompts the ICA to issue a SIC certificate for the SmartCenter server.
Usage cpca_client [-d] create_cert [-p ] -n "CN=" -f
Syntax

| Argument | Description |
|---|---|
| -d | Debug flag |
| -p | Specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209) |
| -n "CN=" | sets the CN |
| -f | specifies the file name where the certificate and keys are saved. |

cpca_client revoke_cert
Description This command is used to revoke a certificate issued by the ICA.
Usage cpca_client [-d] revoke_cert [-p ] -n "CN="
Syntax

| Argument | Description |
|---|---|
| -d | debug flag |
| -p | specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209) |
| -n "CN=" | sets the CN |

cpca_client set_mgmt_tools
Description This command is used to invoke or terminate the ICA Management Tool.
Usage cpca_client [-d] set_mgmt_tools on|off [-p ] [-no_ssl] [-a|-u "administrator|user DN" -a|-u "administrator|user DN" ... ]
Syntax

| Argument | Description |
|---|---|
| -d | debug flag |
| set_mgmt_tools on\|off | on - Start the ICA Management tool; off - Stop the ICA Management tool |
| -p | Specifies the port which is used to connect to the CA (if the appropriate service was not run from the default port 18265) |
| -no_ssl | Configures the server to use clear http rather than https. |
| -a\|-u "administrator\|user DN" | Sets the DNs of the administrators or users that are permitted to use the ICA Management tool |

Comments Note the following:
1. If the command is run without -a or -u the list of the permitted users and administrators isn't changed. The server can be stopped or started with the previously defined permitted users and administrators.
2. If two consecutive start operations are initiated the ICA Management Tool will not respond, unless you change the SSL mode. Once the SSL mode has been modified, the server can be stopped and restarted.
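
A runbook lint for the set_mgmt_tools options described above, as an added example that is not part of the Check Point guide: it flags -no_ssl (clear http), an "on" without -a/-u (the permitted list stays as previously defined), and a -p other than the documented default 18265. The function names, finding labels, and the constructed sample runbook with its placeholder DNs are assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: lint runbook lines that call
# cpca_client set_mgmt_tools, using only the options documented above.

DEFAULT_MGMT_PORT=18265   # default port the guide states for this service

# check_mgmt_tools_cmd LINE
# Prints one finding per output line. Exit status:
#   0 = set_mgmt_tools invocation with no findings
#   1 = at least one finding printed
#   2 = not a set_mgmt_tools invocation (ignored)
check_mgmt_tools_cmd() {
    padded=" $1 "                     # pad so options match as whole words
    case $padded in
        *cpca_client*" set_mgmt_tools "*) ;;
        *) return 2 ;;
    esac
    found=0
    case $padded in
        *" set_mgmt_tools on "*)
            # -no_ssl makes the tool serve clear http rather than https.
            case $padded in
                *" -no_ssl "*) echo "FAIL clear-http"; found=1 ;;
            esac
            # Without -a/-u the previously defined permitted list stays in
            # force, so the reviewer should confirm who is on it.
            case $padded in
                *" -a "*|*" -u "*) ;;
                *) echo "NOTE permitted-list-unchanged"; found=1 ;;
            esac
            ;;
    esac
    # Report a non-default port so matching access rules can be reviewed.
    case $padded in
        *" -p "*)
            port=${padded#*" -p "}    # text after the first " -p "
            port=${port%% *}          # keep only the next word
            if [ -n "$port" ] && [ "$port" != "$DEFAULT_MGMT_PORT" ]; then
                echo "NOTE port=$port"; found=1
            fi
            ;;
    esac
    return $found
}

# audit_runbook: read command lines on stdin, print "line N: finding".
audit_runbook() {
    n=0
    while IFS= read -r cmd; do
        n=$((n + 1))
        case $cmd in '#'*) continue ;; esac   # skip comment lines
        check_mgmt_tools_cmd "$cmd" | sed "s/^/line $n: /"
    done
}

# Constructed sample runbook; the DN values are placeholders.
SAMPLE_RUNBOOK='cpca_client set_mgmt_tools on -no_ssl -a "CN=placeholder-admin"
cpca_client set_mgmt_tools on
cpca_client -d set_mgmt_tools on -p 18300 -u "CN=placeholder-user"
cpca_client set_mgmt_tools off
cp_conf sic state'

printf '%s\n' "$SAMPLE_RUNBOOK" | audit_runbook
```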
cp_conf
Description This command is used to configure/reconfigure a VPN-1 installation via the CLI. The configuration options shown depend on the installed configuration and products.
Usage cp_conf
In This Section
cp_conf sic
cp_conf admin
cp_conf ca
cp_conf finger
cp_conf lic
cp_conf client
cp_conf ha
cp_conf snmp
cp_conf auto
cp_conf sxl

cp_conf sic
Description Enables the user to manage SIC.
Usage

    cp_conf sic state # Get the current Trust state
    cp_conf sic init [norestart] # Initialize SIC
    cp_conf sic cert_pull # Pull certificate (DAIP only)
cp_conf admin
Description Use this command to manage the Check Point Administrator.
Usage cp_conf admin get # Get the list of administrators.
cp_conf admin add # Add administrator
where permissions:
w - read/write
r - read only
cp_conf admin del ... # Delete administrators.
cp_conf ca
Description Use this command to initialize the Certificate Authority
Usage cp_conf ca init # Initializes Internal CA.
cp_conf ca fqdn # Sets the name of the Internal CA.
cp_conf finger
Description Displays the fingerprint which will be used on first-time launch to verify the identity of the SmartCenter server being accessed by the SmartConsole. This fingerprint is a text string derived from the SmartCenter server's certificate.
Usage cp_conf finger get # Get Certificate's Fingerprint.
cp_conf lic
Description Use this command to enable the administrator to add a license manually and to view the license installed.
Usage cp_conf lic get # Get licenses installed.
cp_conf lic add -f # Add license from file.
cp_conf lic add -m # Add license manually.
cp_conf lic del # Delete license.
cp_conf client
Description Use this command to manage the GUI Clients allowed to connect to the management.
Usage cp_conf client get # Get the GUI Clients list
cp_conf client add < GUI Client > # Add one GUI Client
cp_conf client del < GUI Client 1> < GUI Client 2>... # Delete GUI Clients
cp_conf client createlist < GUI Client 1> < GUI Client 2>... # Create new list.
cp_conf ha
Description Use this command to enable or disable the High Availability module.
Usage cp_conf ha enable/disable [norestart] # Enable/Disable HA
cp_conf snmp
Description Use this command to activate or deactivate SNMP.
Usage cp_conf snmp get # Get SNMP Extension status.
cp_conf snmp activate/deactivate [norestart] # Deactivate SNMP Extension.
cp_conf auto
Description Use this command to determine whether or not the Firewall/SmartCenter starts automatically after the machine restarts.
Usage cp_conf auto get [fw1] [fg1] [rm] [all] # Get the auto state of products.
cp_conf auto ... # Enable/Disable auto start.
cp_conf sxl
Description Use this command to enable or disable the SecureXL acceleration module.
Usage cp_conf sxl # Enable/Disable SecureXL.
cpconfig
Description This command is used to run a Command Line version of the Check Point Configuration Tool. This tool is used to configure/reconfigure a VPN-1 installation. The configuration options shown depend on the installed configuration and products. Amongst others, these options include:
Licenses - modify the necessary Check Point licenses
Administrators - modify the administrators authorized to connect to the SmartCenter server via the SmartConsole
GUI Clients - modify the list of GUI Client machines from which the administrators are authorized to connect to a SmartCenter server
Certificate Authority - install the Certificate Authority on the SmartCenter server in a first-time installation
Key Hit Session - enter a random seed to be used for cryptographic purposes.
Secure Internal Communication - set up trust between the gateway on which this command is being run and the SmartCenter server
Fingerprint - display the fingerprint which will be used on first-time launch to verify the identity of the SmartCenter server being accessed by the SmartConsole. This fingerprint is a text string derived from the SmartCenter server's certificate.
Usage cpconfig
Further Info. See the Getting Started Guide and the SmartCenter Administration Guide.
cplic
Description This command and all its derivatives relate to the subject of Check Point license management. All cplic commands are located in $CPDIR/bin. License Management is divided into three types of commands:
Local licensing commands are executed on local machines.
Remote licensing commands are commands which affect remote machines and are executed on the SmartCenter server.
License repository commands are executed on the SmartCenter server.
Usage cplic
In This Section
cplic check
cplic db_add
cplic db_print
cplic db_rm
cplic del
cplic del
cplic get
cplic put
cplic put ...
cplic print
cplic upgrade
cplic check
Description Use this command to check whether the license on the local machine will allow a given feature to be used.
Usage cplic check [-p ] [-v ] [-c count] [-t ] [-r routers] [-S SRusers]
Syntax
Argument Description
-p The product for which license information is requested. For example fw1, netso.
-v The product version for which license information is requested. For example 4.1, 5.0
-c count Count the licenses connected to this feature
-t Check license status on future date. Use the format ddmmmyyyy. A given feature may be valid on a given date on one license, but invalid in another.
-r routers Check how many routers are allowed. The feature option is not needed.
-S SRusers Check how many SecuRemote users are allowed. The feature option is not needed
The for which license information is requested.
cplic db_add
Description The cplic db_add command is used to add one or more licenses to the license repository on the SmartCenter server. When local licenses are added to the license repository, they are automatically attached to their intended Check Point gateway; central licenses need to undergo the attachment process.
Usage cplic db_add < -l license-file | host expiration-date signature SKU/features >
Syntax
Argument Description
-l license-file adds the license(s) from license-file. The following options are NOT needed: Host Expiration-Date Signature SKU/feature
Comments This command is a license repository command, it can only be executed on the SmartCenter server.
Copy/paste the following parameters from the license received from the User Center. More than one license can be added.
host - the target hostname or IP address
expiration date - The license expiration date.
signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
SKU/features - The SKU of the license summarizes the features included in the license. For example: CPSUITE-EVAL-3DES-vNG
Example If the file 192.168.5.11.lic contains one or more licenses, the command: cplic db_add -l 192.168.5.11.lic will produce output similar to the following:
Adding license to database ...
Operation Done
cplic db_print
Description The cplic db_print command displays the details of Check Point licenses stored in the license repository on the SmartCenter server.
Usage cplic db_print [-n noheader] [-x print signatures] [-t type] [-a attached]
Syntax
Argument Description
Object name Print only the licenses attached to Object name. Object name is the name of the Check Point gateway object, as defined in SmartDashboard.
-all Print all the licenses in the license repository
-noheader (or -n) Print licenses with no header.
-x Print licenses with their signature
-t (or -type) Print licenses with their type: Central or Local.
-a (or -attached) Show which object the license is attached to. Useful if the -all option is specified.
Comments This command is a license repository command, it can only be executed on the SmartCenter server.
cplic db_rm
Description The cplic db_rm command removes a license from the license repository on the SmartCenter server. It can be executed ONLY after the license was detached using the cplic del command. Once the license has been removed from the repository, it can no longer be used.
Usage cplic db_rm
Syntax
Argument Description
Signature The signature string within the license.
Example cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn
Comments This command is a license repository command, it can only be executed on the SmartCenter server.
cplic del
Description Use this command to delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. This command is used for both local and remote machines
Usage cplic del [-F ]
Syntax
Argument Description
-F Send the output to instead of the screen.
The signature string within the license.
cplic del
Description Use this command to detach a Central license from a Check Point gateway. When this command is executed, the license repository is automatically updated. The Central license remains in the repository as an unattached license. This command can be executed only on a SmartCenter server.
Usage cplic del [-F outputfile] [-ip dynamic ip]
Syntax
Argument Description
object name The name of the Check Point gateway object, as defined in SmartDashboard.
-F outputfile Divert the output to outputfile rather than to the screen.
-ip dynamic ip Delete the license on the Check Point gateway with the specified IP address. This parameter is used for deleting a license on a DAIP Check Point gateway
Note - If this parameter is used, then object name must be a DAIP gateway.
Signature The signature string within the license.
Comments This is a Remote Licensing Command which affects remote machines that is executed on the SmartCenter server.
cplic get
Description The cplic get command retrieves all licenses from a Check Point gateway (or from all Check Point gateways) into the license repository on the SmartCenter server. Do this to synchronize the repository with the Check Point gateway(s). When the command is run, all local changes will be updated.
Usage cplic get [-v41]
Syntax
Argument Description
ipaddr The IP address of the Check Point gateway from which licenses are to be retrieved.
hostname The name of the Check Point gateway object (as defined in SmartDashboard) from which licenses are to be retrieved.
-all Retrieve licenses from all Check Point gateways in the managed network.
-v41 Retrieve version 4.1 licenses from the NF Check Point gateway. Used to upgrade version 4.1 licenses.
Example If the Check Point gateway with the object name caruso contains four Local licenses, and the license repository contains two other Local licenses, the command: cplic get caruso produces output similar to the following
Get retrieved 4 licenses.
Get removed 2 licenses.
Comments This is a Remote Licensing Command which affects remote machines that is executed on the SmartCenter server.
cplic put
Description The cplic put command is used to install one or more Local licenses on a local machine.
Usage cplic put [-o overwrite] [-c check-only] [-s select] [-F ] [-P Pre-boot] [-k kernel-only]
Syntax
Argument Description
-overwrite (or -o) On a SmartCenter server this will erase all existing licenses and replace them with the new license(s). On a Check Point gateway this will erase only Local licenses but not Central licenses, that are installed remotely.
-check-only (or -c) Verify the license. Checks if the IP of the license matches the machine, and if the signature is valid
select (or -s) Select only the Local licenses whose IP address matches the IP address of the machine.
-F outputfile Outputs the result of the command to the designated file rather than to the screen.
-Preboot (or -P) Use this option after upgrading to VPN-1/FireWall-1 NG FP2 and before rebooting the machine. Use of this option will prevent certain error messages.
-kernel-only (or -k) Push the current valid licenses to the kernel. For Support use only.
-l license-file Installs the license(s) in license-file, which can be a multi-license file. The following options are NOT needed: host expiration-date signature SKU/features
Comments Copy and paste the following parameters from the license received from the User Center.
host - One of the following:
All platforms - The IP address of the external interface (in dot notation); last part cannot be 0 or 255.
Sun OS4 and Solaris2 - The response to the hostid command (beginning with 0x).
HP-UX - The response to the uname -i command (beginning with 0d).
AIX - The response to the uname -l command (beginning with 0d), or the response to the uname -m command (beginning and ending with 00).
expiration date - The license expiration date. Can be never
signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab
Example cplic put -l 215.153.142.130.lic produces output similar to the following:
Host Expiration SKU
215.153.142.130 26Dec2001 CPMP-EVAL-1-3DES-NG CK0123456789ab
cplic put ...
Description Use the cplic put command to attach one or more central or local licenses remotely. When this command is executed, the license repository is also updated.
Usage cplic put [-ip dynamic ip] [-F ] < -l license-file | host expiration-date signature SKU/features >
Argument Description
Object name The name of the Check Point gateway object, as defined in SmartDashboard.
-ip dynamic ip Install the license on the Check Point gateway with the specified IP address. This parameter is used for installing a license on a DAIP Check Point gateway.
NOTE: If this parameter is used, then object name must be a DAIP Check Point gateway.
-F outputfile Divert the output to outputfile rather than to the screen.
-l license-file Installs the license(s) from license-file. The following options are NOT needed: Host Expiration-Date Signature SKU/features
Comments This is a Remote Licensing Command which affects remote machines that is executed on the SmartCenter server.
Copy and paste the following parameters from the license received from the User Center. More than one license can be attached
host - the target hostname or IP address
expiration date - The license expiration date. Can be never
signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab
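The host, expiration date, signature and SKU/features parameters described in the cplic put sections above are pasted by hand, so a pre-flight check can catch a mangled line before it is installed. The following Python code is an added example, not Check Point code: the function names, the signature shape (inferred from the two sample signatures in this guide) and the exact 0x / 0d / 00...00 patterns are assumptions, and the sample line is constructed from the guide's sample values.

```python
import ipaddress
import re
from datetime import date, datetime

# Assumption: signature shape inferred from the guide's two sample signatures
# (four alphanumeric groups of 8 or 9 characters, hyphens optional).
SIG_HYPHENATED = re.compile(r"[A-Za-z0-9]{8,9}(-[A-Za-z0-9]{8,9}){3}")
SIG_PLAIN = re.compile(r"[A-Za-z0-9]{32,36}")


def classify_host(host, allow_hostname=False):
    """Return the kind of host identifier, or raise ValueError."""
    try:
        ipaddress.IPv4Address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        # Guide: "last part cannot be 0 or 255".
        if int(host.rsplit(".", 1)[1]) in (0, 255):
            raise ValueError("last part of the IP address cannot be 0 or 255")
        return "ip"
    low = host.lower()
    if re.fullmatch(r"0x[0-9a-f]+", low):
        return "hostid"          # Sun OS4 / Solaris2: hostid output
    if re.fullmatch(r"0d[0-9]+", low):
        return "uname-id"        # HP-UX uname -i, AIX uname -l
    if re.fullmatch(r"00[0-9a-f]+00", low):
        return "aix-machine-id"  # AIX uname -m
    # The remote form of cplic put and cplic db_add also accept a hostname.
    if allow_hostname and re.fullmatch(r"[a-z][a-z0-9.-]*", low):
        return "hostname"
    raise ValueError("not an IP address or a 0x / 0d / 00...00 identifier")


def parse_expiration(text):
    """Return None for 'never', otherwise the date parsed from ddmmmyyyy."""
    if text.lower() == "never":
        return None
    return datetime.strptime(text, "%d%b%Y").date()


def check_license(line, today, allow_hostname=False):
    """Return the problems found in one 'host expiration signature SKU' line."""
    parts = line.split()
    if len(parts) < 4:
        return ["expected: host expiration-date signature SKU/features"]
    host, expiration, signature = parts[0], parts[1], parts[2]
    problems = []
    try:
        classify_host(host, allow_hostname)
    except ValueError as exc:
        problems.append(f"host: {exc}")
    try:
        expires = parse_expiration(expiration)
        if expires is not None and expires < today:
            problems.append(f"expiration: license expired on {expires.isoformat()}")
    except ValueError:
        problems.append("expiration: not 'never' and not in ddmmmyyyy format")
    if not (SIG_HYPHENATED.fullmatch(signature) or SIG_PLAIN.fullmatch(signature)):
        problems.append("signature: unexpected shape")
    return problems


# Constructed sample line built from the sample values printed in this guide.
GOOD = ("215.153.142.130 26Dec2001 aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m "
        "CPMP-EVAL-1-3DES-NG CK0123456789ab")

if __name__ == "__main__":
    for problem in check_license(GOOD, today=date(2002, 1, 1)):
        print(problem)
```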
cplic print
Description The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine.
Usage cplic print [-n noheader][-x prints signatures][-t type][-F] [-p preatures]
Syntax
Argument Description
-noheader (or -n) Print licenses with no header.
-x Print licenses with their signature
-type (or -t) Prints licenses showing their type: Central or Local.
-F Divert the output to outputfile.
-preatures (or -p) Print licenses resolved to primitive features.
Comments On a Check Point gateway, this command will print all licenses that are installed on the local machine, both Local and Central licenses.
cplic upgrade
Description Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.
Usage cplic upgrade
Syntax
Argument Description
l inputfile Upgrades the licenses in the license repository and Check Point gateways to match the licenses in
Example The following example explains the procedure which needs to take place in order to upgrade the licenses in the license repository.
Upgrade the SmartCenter server to the latest version.
Ensure that there is connectivity between the SmartCenter server and the remote workstations with the version 4.1 products.
Import all licenses into the license repository. This can also be done after upgrading the products on the remote workstations to NG
Run the command: cplic get -all. For example
count:root(su) [~] # cplic get -all
Getting licenses from all modules ...
golda:
Retrieved 1 licenses.
Detached 0 licenses.
Removed 0 licenses.
count:
Retrieved 1 licenses.
Detached 0 licenses.
Removed 0 licenses.
To see all the licenses in the repository, run the command: cplic db_print -all -a
count:root(su) [~] # cplic db_print -all -a
Retrieving license information from database ...
The following licenses appear in the database:
==================================================
Host Expiration Features
192.168.8.11 Never CPFW-FIG-25-41 CK-49C3A3CC7121 golda
192.168.5.11 26Nov2002 CPSUITE-EVAL-3DES-NG CK-1234567890 count
Upgrade the version 4.1 products on the remote Check Point gateways.
In the User Center (http://www.checkpoint.com/usercenter), view the licenses for the products that were upgraded from version 4.1 to NG and create new upgraded licenses.
Download a file containing the upgraded NG licenses. Only download licenses for the products that were upgraded from version 4.1 to NG.
If you did not import the version 4.1 licenses into the repository in step , import the version 4.1 licenses now using the command cplic get -all -v41
Run the license upgrade command: cplic upgrade l
- The licenses in the downloaded license file and in the license repository are compared.
- If the certificate keys and features match, the old licenses in the repository and in the remote workstations are updated with the new licenses.
- A report of the results of the license upgrade is printed.
In the following example, there are two NG licenses in the file. One does not match any license on a remote workstation, the other matches a version 4.1 license on a remote workstation that should be upgraded:
Comments This is a Remote Licensing Command which affects remote machines that is executed on the SmartCenter server.
Further Info. See the SmartUpdate chapter of the SmartCenter Administration Guide.
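The cplic db_print -all -a listing shown in the upgrade procedure above can be audited offline for expired, soon-to-expire and evaluation licenses. This Python code is an added example and is not part of the Check Point guide; it assumes that -a appends the attached object name as the last column, that every listed license is attached, and that evaluation SKUs contain EVAL as in the guide's samples. The input is a constructed sample modelled on that listing.

```python
from datetime import date, datetime

# Constructed sample, modelled on the `cplic db_print -all -a` listing in this guide.
SAMPLE = """\
Retrieving license information from database ...
The following licenses appear in the database:
==================================================
Host          Expiration  Features
192.168.8.11  Never       CPFW-FIG-25-41 CK-49C3A3CC7121 golda
192.168.5.11  26Nov2002   CPSUITE-EVAL-3DES-NG CK-1234567890 count
"""


def parse_db_print(text):
    """Parse the license table into dicts; lines before the header are skipped."""
    rows, in_table = [], False
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["Host", "Expiration", "Features"]:
            in_table = True
            continue
        if not in_table or len(parts) < 4:
            continue
        if parts[1].lower() == "never":
            expires = None
        else:
            expires = datetime.strptime(parts[1], "%d%b%Y").date()
        rows.append({
            "host": parts[0],
            "expires": expires,
            "features": parts[2:-1],   # SKU and certificate key tokens
            "attached_to": parts[-1],  # assumption: last column added by -a
        })
    return rows


def audit(rows, today, warn_days=30):
    """Return one finding per expired, expiring or evaluation license."""
    findings = []
    for row in rows:
        who = f"{row['attached_to']} ({row['host']})"
        if row["expires"] is not None:
            days_left = (row["expires"] - today).days
            if days_left < 0:
                findings.append(f"{who}: expired {-days_left} days ago")
            elif days_left <= warn_days:
                findings.append(f"{who}: expires in {days_left} days")
        if any("EVAL" in feature.upper() for feature in row["features"]):
            findings.append(f"{who}: evaluation license")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_db_print(SAMPLE), today=date(2002, 11, 1)):
        print(finding)
```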
cp_merge
Description The cp_merge utility has two main functionalities
Export and import of policy packages
Merge of objects from a given file into SmartCenter database
Usage cp_merge help
Syntax
Argument Description
help Displays the usage for cp_merge.
In This Section
cp_merge delete_policy
cp_merge export_policy
cp_merge import_policy and cp_merge restore_policy
cp_merge list_policy
cp_merge delete_policy
Description This command provides the options of deleting an existing policy package. Note that the default policy can be deleted by delete action.
Usage cp_merge delete_policy [-s ] [-u | -c] [-p ] -n
Syntax
Comments Further considerations:
1. Either use certificate file or user and password
2. Optional
Example Delete the policy package called standard.
cp_merge delete_policy -n Standard
cp_merge export_policy
Description This command provides the options of leaving the policy package in the active repository, or deleting it as part of the export process. The default policy cannot be deleted during the export action.
Usage cp_merge export_policy [-s ] [-u | -c ] [-p ][-n | -l ] [-d ] [-f] [-r]
Syntax
Argument Description
-s Specify the database server IP Address or DNS name. (2)
-u The administrator's name. (1, 2)
-c The path to the certificate file. (1)
-p The administrator's password. (1)
-n The policy package to export. (2, 3)
Argument Description
-s Specify the database server IP Address or DNS name. (2)
-u The database administrator's name. (1)
-c The path to the certificate file. (1)
-p The administrator's password. (1)
-n
-l Export the policy package which encloses the policy name. (2, 3, 4)
-d Specify the output directory. (2)
-f Specify the output file name (where the default file name is .pol). (2)
-r Remove the original policy from the repository. (2)
Comments Further considerations:
1. Either use certificate file or user and password
2. Optional
3. If both -n and -l are omitted all policy packages are exported.
4. If both -n and -l are present -l is ignored.
Example Export policy package Standard to file
cp_merge export_policy -n Standard -f StandardPolicyPackageBackup.pol -d C:\bak
cp_merge import_policy and cp_merge restore_policy
Description This command provides the options to overwrite an existing policy package with the same name, or preventing overwriting when the same policy name already exists
Usage cp_merge import_policy|restore_policy [-s ] [-u | -c ] [-p ][-n ] [-d ] -f [-v]
Syntax
Argument Description
-s Specify the database server IP address or DNS name. (2)
-u The administrator's name. (1, 2)
-c The path to the certificate file. (1)
-p The administrator's password. (1, 2)
Comments Further considerations
1. Either use certificate file or user and password
2. Optional
The cp_merge restore_policy works only locally on the SmartCenter server and it will not work from remote machines.
Caution: A FireWall-1 policy from .W file can be restored using this utility; however, important information may be lost when the policy is translated into .W format. This restoration should be used only if there is no other backup of the policy.
Example Import the policy package saved in file Standard.pol into the repository and rename it to StandardCopy.
cp_merge import_policy -f Standard.pol -n StandardCopy
cp_merge list_policy
Usage cp_merge list_policy [-s ] [-u | -c] [-p ]
Syntax
Comments Further considerations:
1. Either use certificate file or user and password
-n
Example List all policy packages which reside in the specified repository:
cp_merge list -s localhost
cppkg
Description This command is used to manage the product repository. It is always executed on the SmartCenter server.
In This Section
cppkg add
cppkg delete
cppkg get
cppkg getroot
cppkg print
cppkg setroot
cppkg add
Description The cppkg add command is used to add a product package to the product repository. Only SmartUpdate packages can be added to the product repository.
Products can be added to the Repository as described in the following procedures, by importing a file downloaded from the Download Center web site at http://www.checkpoint.com/techsupport/downloads/downloads.html. The package file can be added to the Repository directly from the CD or from a local or network drive.
Usage cppkg add
Syntax
Argument Description
package-full-path If the package to be added to the repository is on a local disk or network drive, type the full path to the package.
CD drive If the package to be added to the repository is on a CD:
For Windows machines type the CD drive letter, e.g. d:\
For UNIX machines, type the CD root path, e.g. /caruso/image/CPsuite-NG/FP2
You will be asked to specify the product and appropriate Operating System (OS).
Comments cppkg add does not overwrite existing packages. To overwrite existing packages, you must first delete existing packages.
Example [d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-NG_FP2\
Enter package name:
----------------------
(1) SVNfoundation
(2) firewall
(3) floodgate
(4) rtm
(e) Exit
Enter you choice : 1
Enter package OS :
----------------------
(1) win32
(2) solaris
(3) linux
(4) hpux
(5) ipso
(6) aix
(e) Exit
Enter your choice : 1
You choose to add SVNfoundation for win32 OS. Is this correct? [y/n] : y
Adding package from CD ...
Package added to repository.
cppkg delete
Description The command is used to delete a product package from the repository. To delete a product package you must specify a number of options. To see the format of the options and to view the contents of the product repository, use the cppkg print command.
Usage cppkg delete [ [sp]]
Syntax
Argument Description
vendor Package vendor (e.g. checkpoint).
product Package name. Options are: SVNfoundation, firewall, floodgate.
version Package version (e.g. NG).
os Package Operating System. Options are: win32 for Windows NT and Windows 2000, solaris, hpux, ipso, aix, linux.
sp Package service pack (e.g. fcs for NG R54 initial release, FP1, FP2 etc.) This parameter is optional. Its default is fcs.
Comments It is not possible to undo the cppkg del command.
Example [d:\winnt\fw1\ng\bin]cppkg del
Getting information from package repository. Please wait...
Select package:
-----------------------
(1) checkpoint SVNfoundation NG win32 FCS_FP1
(2) checkpoint SVNfoundation NG win32 FP1
(e) Exit
Enter your choice : 2
You choose to delete checkpoint SVNfoundation NG win32 FP1
Is this correct? [y/n] : y
Package removed from repository.
cppkg get
Description This command synchronizes the Package Repository database with the content of the actual package repository under $SUROOT.
Usage cppkg get
cppkg getroot
Description The command is used to find out the location of the product repository. The default product repository location on Windows machines is C:\SUroot. On UNIX it is /var/SUroot
Usage cppkg getroot
Example # cppkg getroot
Current repository root is set to : /var/suroot/
cppkg print
Description The command is used to list the contents of the product repository.
Use cppkg print to see the product and OS strings required to install a product package using the cprinstall command, or to delete a package using the cppkg delete command.
Usage cppkg print
Example
[d:\winnt\fw1\ng\bin]cppkg print
Getting information from package repository. Please wait...
Vendor Product Version OS SP Description
-------------------------------------------------------------
checkpoint SVNfoundation NG win32 FCS_FP1 SVNfoundation NG Feature Pack 1 for 4.1 upgrade
checkpoint SVNfoundation NG win32 FP1 SVNfoundation Feature Pack 1 for NG upgrade
cppkg setroot
Description The command is used to create a new repository root directory location, and to move existing product packages into the new repository.
The default product repository location is created when the SmartCenter server is installed. On Windows machines the default location is C:\SUroot and on UNIX it is /var/SUroot. Use this command to change the default location.
When changing repository root directory:
The contents of the old repository is copied into the new repository.
The $SUROOT environment variable gets the value of the new root path.
A product package in the new location will be overwritten by a package in the old location, if the packages are the same (that is, they have the same ID strings).
The repository root directory should have at least 200 Mbyte of free disk space.
Usage cppkg setroot
Syntax
Argument Description
repository root directory-full-path The desired location for the product repository.
Comments It is important to reboot the SmartCenter server after performing this command, in order to set the new $SUROOT environment variable.
Example # cppkg setroot /var/new_suroot
Repository root is set to : /var/new_suroot/
Note: When changing repository root directory :
1. Old repository content will be copied into the new repository.
2. A package in the new location will be overwritten by a package in the old location, if the packages have the same name.
Change the current repository root ? [y/n] : y
The new repository directory does not exist. Create it ? [y/n] : y
Repository root was set to : /var/new_suroot
Notice : To complete the setting of your directory, reboot the machine!
cpridrestart
Description Stops and starts the Check Point Remote Installation Daemon (cprid). This is the daemon that is used for remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.
cpridstart
Description Start the Check Point Remote Installation Daemon (cprid). This is the service that allows for the remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.
Usage cpridstart
cpridstop
Description Stop the Check Point Remote installation Daemon (cprid). This is the service that allows for the remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.
Usage cpridstop
cprinstall
Description Use cprinstall commands to perform remote installation of product packages, and associated operations.
On the SmartCenter server, cprinstall commands require licenses for SmartUpdate
On the remote Check Point gateways the following are required:
Trust must be established between the SmartCenter server and the Check Point gateway.
cpd must run.
cprid remote installation daemon must run. cprid is available on VPN-1/FireWall-1 4.1 SP2 and higher, and as part of SVN Foundation for NG and higher.
In This Section
cprinstall boot
cprinstall cprestart
cprinstall cpstart
cprinstall cpstop
cprinstall get
cprinstall install
cprinstall stop
cprinstall uninstall
cprinstall upgrade
cprinstall verify
cprinstall verify_upgrade
cprinstall boot
Description The command is used to boot the remote computer.
Usage cprinstall boot
Syntax
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
Example # cprinstall boot harlin
cprinstall cprestart
Description This command enables cprestart to be run remotely.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall cprestart
Syntax
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
cprinstall cpstart
Description This command enables cpstart to be run remotely.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall cpstart
Syntax
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
cprinstall cpstop
Description This command enables cpstop to be run remotely.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall cpstop
Syntax
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
-proc Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.
-nopolicy
cprinstall get
Description The cprinstall get command is used to obtain details of the products and the Operating System installed on the specified Check Point gateway, and to update the database.
Usage cprinstall get
Syntax
Argument Description
Object name The name of the Check Point gateway object defined in SmartDashboard.
cprinstall install
Example [c:\winnt\fw1\5.0\bin]cprinstall get fred
Getting information from fred...
-
8/3/2019 Checkpoint R65 CLI Reference Guide
56/184
56
cprinstall install
Description The cprinstall install command is used to install Check Pointproducts on remote Check Point gateways. To install a productpackage you must specify a number of options. Use the cppkg printcommand and copy the required options.
Usage cprinstall install [-boot] [sp]
Syntax
Operating system Version SP----------------------------------------------------------solaris 5.7 fcs
Vendor Product Version SP---------------------------------------------------------CheckPoint VPN-1 Power NG fcsCheckPoint SVNfoundation NG fcs
Argument      Description
-boot         Boot the remote computer after installing the package. Only boot after ALL products have the same version, either NG or NG FP1. Boot will be cancelled in certain scenarios. See the Release Notes for details.
Object name   Object name of the Check Point gateway defined in SmartDashboard.
vendor        Package vendor (e.g. checkpoint)
product       Package name. Options are: SVNfoundation, firewall, floodgate.
version       Package version (e.g. NG FP2)
sp            Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG Feature Pack 1.)
Comments Before transferring any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is compatible with previously installed products.
Example
# cprinstall install -boot fred checkpoint firewall NG FP1
Installing firewall NG FP1 on fred...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.

cprinstall stop
Description This command is used to stop the operation of other cprinstall commands. In particular, this command stops the remote installation of a product - even during transfer of files, file extraction, and pre-installation verification. The operation can be stopped at any time up to the actual installation.
cprinstall stop can be run from one command prompt to stop a running operation at another command prompt.
Usage cprinstall stop
Syntax
Argument      Description
object name   Object name of the Check Point gateway defined in SmartDashboard.
Example
[c:\winnt\fw1\5.0\bin] cprinstall stop Check PointGateway01
Info : Stop request sent

cprinstall uninstall
Description The cprinstall uninstall command is used to uninstall products on remote Check Point gateways. To uninstall a product package you must specify a number of options. Use the cppkg print command and copy the required options.
Usage cprinstall uninstall [-boot] [sp]
Syntax
Argument      Description
-boot         Boot the remote computer after installing the package. Only boot after ALL products have the same version, either NG or NG FP1. Boot will be cancelled in certain scenarios. See the Release Notes for details.
Object name   Object name of the Check Point gateway defined in SmartDashboard.
vendor        Package vendor (e.g. checkpoint)
product       Package name. Options are: SVNfoundation, firewall, floodgate.
version       Package version (e.g. NG FP2)
sp            Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG Feature Pack 1.)
Comments Before uninstalling any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is installed.
After uninstalling, retrieve the Check Point gateway data by running cprinstall get.
Example
# cprinstall uninstall fred checkpoint firewall NG FP1
Uninstalling firewall NG FP1 from fred...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success.Please get network object data to complete the operation.

cprinstall upgrade
Description Use the cprinstall upgrade command to upgrade all products on a Check Point gateway to the latest version.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall upgrade [-boot]
Syntax
Argument      Description
-boot         Boot the remote Check Point gateway after completing the remote installation.
object name   Object name of the Check Point gateway, defined in SmartDashboard.
Comments When cprinstall upgrade is run, the command first verifies which products are installed on the Check Point gateway, and that there is a matching product package in the product repository with the same OS, and then installs the product package on the remote Check Point gateway.

cprinstall verify
Description The cprinstall verify command is used to verify:
If a specific product can be installed on the remote Check Point gateway.
That the Operating System and currently installed products are appropriate for the package.
That there is enough disk space to install the product.
That there is a CPRID connection.
Usage cprinstall verify [sp]
Syntax
Argument      Description
Object name   Object name of the Check Point gateway defined in SmartDashboard.
vendor        Package vendor (e.g. checkpoint).
product       Package name. Options are: SVNfoundation, firewall, floodgate.
version       Package version (e.g. NG).
sp            Package service pack (e.g. fcs for NG with Application Intelligence initial release, FP1, FP2 etc.) This parameter is optional. Its default is fcs.
Example The following examples show a successful and a failed verify operation:
Verify succeeds:
cprinstall verify harlin checkpoint SVNfoundation NG_FP4
Verifying installation of SVNfoundation NG FP4 on harlin...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.
Verify fails:
cprinstall verify harlin checkpoint SVNfoundation NGFCS_FP4
Verifying installation of SVNfoundation NG FCS_FP4 on harlin...
Info : Testing Check Point Gateway
Info : SVN Foundation NG is already installed on 192.168.5.134
Operation Success.Product cannot be installed, did not pass dependency check.

cprinstall verify_upgrade
Description Use the cprinstall verify_upgrade command to verify the success of the upgrade of all products on a Check Point gateway to the latest version, before performing the upgrade. This command is automatically performed by the cprinstall upgrade command.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall verify_upgrade
Syntax
Argument      Description
object name   Object name of the Check Point gateway, defined in SmartDashboard.
Comments When the command is run, the command verifies which products are installed on the Check Point gateway, and that there is a matching product package in the product repository with the same OS.

cpstart
Description This command is used to start all Check Point processes and applications running on a machine.
Usage cpstart
Comments This command cannot be used to start cprid. cprid is invoked when the machine is booted and it runs independently.

cpstat
Description cpstat displays the status of Check Point applications, either on the local machine or on another machine, in various formats.
Usage cpstat [-h host][-p port][-s SICname][-f flavor][-o polling][-c count][-e period][-d] application_flag
Syntax
Argument           Description
-h host            A resolvable hostname, a dot-notation address (for example: 192.168.33.23), or a DAIP object name. The default is localhost.
-p port            Port number of the AMON server. The default is the standard AMON port (18192)
-s                 Secure Internal Communication (SIC) name of the AMON server.
-f flavor          The flavor of the output (as it appears in the configuration file). The default is the first flavor found in the configuration file.
-o                 Polling interval (seconds) specifies the pace of the results. The default is 0, meaning the results are shown only once.
-c                 Specifies how many times the results are shown. The default is 0, meaning the results are repeatedly shown.
-e                 Specifies the interval (seconds) over which statistical olds are computed. Ignored for regular olds.
-d                 Debug mode.
application_flag   One of the following:
                   fw FireWall-1
                   vpn VPN
                   fg FloodGate-1 (QoS)
                   ha ClusterXL (High Availability)
                   os SVN Foundation and OS Status
                   mg for SmartCenter
                   persistency - for historical status values
                   polsrv
                   uas
                   svr
                   cpsemd
                   cpsead
                   asm
                   ls
                   ca
The following flavors can be added to the application flags:
fw "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect", "cookies", "chains", "fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin", "smtp", "pop3", "sync"
vpn default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics, watermarks, all
fg all
ha default, all
os default, "ifconfig", routing, "memory", "old_memory", "cpu", "disk", "perf", "multi_cpu", "multi_disk", "all", "average_cpu", "average_memory", "statistics"
mg default
persistency product, Tableconfig, SourceConfig
polsrv default, all
uas default
svr default
cpsemd default
cpsead default
asm default, WS
ls default
ca default, crl, cert, user, all
Example
> cpstat fw
Policy name: Standard
Install time: Wed Nov 1 15:25:03 2000
Interface table
-----------------------------------------------------------------
|Name|Dir|Total *|Accept**|Deny|Log|
-----------------------------------------------------------------
|hme0|in |739041*|738990**|51 *|7**|
-----------------------------------------------------------------
|hme0|out|463525*|463525**| 0 *|0**|
-----------------------------------------------------------------
*********|1202566|1202515*|51**|7**|

cpstop
Description This command is used to terminate all Check Point processes and applications, running on a machine.
Usage cpstop
cpstop -fwflag [-proc | -default]
Syntax
Argument           Description
-fwflag -proc      Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.
-fwflag -default   Kills Check Point daemons and Security servers. The active Security Policy running in the kernel is replaced with the default filter.
Comments This command cannot be used to terminate cprid. cprid is invoked when the machine is booted and it runs independently.

cpwd_admin
Description cpwd (also known as WatchDog) is a process that invokes and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by Watchdog are cpd, fwd, fwm. cpwd is part of the SVN Foundation.
fwd does not work in a Management Only machine. To work with fwd in a Management Only machine add -n (for example, fwd -n).
cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition, monitoring information is written to the console on UNIX platforms, and to the Windows Event Viewer.
The cpwd_admin utility is used to show the status of processes, and to configure cpwd.
Usage cpwd_admin
In This Section
cpwd_admin start
cpwd_admin stop
cpwd_admin list
cpwd_admin exist
cpwd_admin kill
cpwd_admin config

cpwd_admin start
Description Start a new process by cpwd.
Usage cpwd_admin start -name -path -command
Syntax
Argument   Description
-name      A name for the process to be watched by WatchDog.
-path      The full path to the executable including the executable name
-command   The name of the executable file.
Example To start and monitor the fwm process.
cpwd_admin start -name FWM -path $FWDIR/bin/fwm -command fwm

cpwd_admin stop
Description Stop a process which is being monitored by cpwd.
Usage cpwd_admin stop -name [-path -command ]
Syntax
Argument   Description
-name      A name for the process to be watched by WatchDog.
-path      Optional: the full path to the executable (including the executable name) that is used to stop the process.
-command   Optional: the name of the executable file mentioned in -path
Comments If -path and -command are not stipulated, cpwd will abruptly terminate the process.
Example Stop the FWM process using fw kill.
cpwd_admin stop -name FWM -path $FWDIR/bin/fw -command fw kill fwm

cpwd_admin list
Description This command is used to print a status of the selected processes being monitored by cpwd.
Usage cpwd_admin list
Output The status report output includes the following information:
APP Application. The name of the process.
PID Process Identification Number.
STAT Whether the process Exists (E) or has been Terminated (T).
#START How many times the process has been started since cpwd took control of the process.
START TIME The last time the process was run.
COMMAND The command that cpwd used to start the process.
For example:
# cpwd_admin list
APP  PID  STAT  #START  START_TIME            COMMAND
CPD  463  E     1       [20:56:10] 21/5/2001  cpd
FWD  440  E     1       [20:56:24] 21/5/2001  fwd
FWM  467  E     1       [20:56:25] 21/5/2001  fwm
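An added example, not part of the Check Point guide: a POSIX shell function that reads cpwd_admin list output in the column layout shown above and reports processes whose STAT is T, whose #START exceeds a threshold, or that are missing from a list of expected names. The function names, the threshold argument and the constructed sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Check Point guide). Column layout assumed to
# match the sample on this page: APP PID STAT #START [time] date COMMAND

# cpwd_report MAX_STARTS [EXPECTED_APP ...]
# Reads `cpwd_admin list` output on stdin and prints one finding per line:
#   TERMINATED  STAT column is T
#   RESTARTED   #START is greater than MAX_STARTS
#   MISSING     an expected APP name has no row at all
cpwd_report() {
    max_starts="${1:-1}"
    if [ "$#" -gt 0 ]; then shift; fi
    awk -v max="$max_starts" -v expected="$*" '
        BEGIN { n = split(expected, want, " ") }
        # Data rows have a numeric PID and #START; this skips the echoed
        # command line and the column header.
        NF >= 7 && $2 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            seen[$1] = 1
            if ($3 == "T") {
                printf "TERMINATED %s pid=%s starts=%s\n", $1, $2, $4
            } else if ($4 + 0 > max + 0) {
                printf "RESTARTED %s pid=%s starts=%s\n", $1, $2, $4
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(want[i] in seen)) {
                    printf "MISSING %s\n", want[i]
                }
            }
        }
    '
}

# Constructed sample (not real output): CPD restarted repeatedly, FWD
# terminated, FWM absent from the list.
sample_cpwd_list() {
    cat <<'EOF'
#cpwd_admin list
APP PID STAT #START START_TIME COMMAND
CPD 463 E 4 [21:12:25] 21/5/2001 cpd
FWD 440 T 3 [21:40:02] 21/5/2001 fwd
EOF
}

# On a gateway: cpwd_admin list | cpwd_report 1 CPD FWD FWM
sample_cpwd_list | cpwd_report 1 CPD FWD FWM
```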

cpwd_admin exist
Description This command is used to check whether cpwd is alive.
Usage cpwd_admin exist

cpwd_admin kill
Description This command is used to kill cpwd.
Usage cpwd_admin kill

cpwd_admin config
Description This command is used to set cpwd configuration parameters. When parameters are changed, these changes will not take effect until cpwd has been stopped and restarted.
Usage cpwd_admin config -p
cpwd_admin config -a
cpwd_admin config -d
cpwd_admin config -r
Syntax
Argument    Description
config -p   Shows the cpwd parameters added using the config -a option.
config -a   Add one or more monitoring parameters to the cpwd configuration.
config -d   Delete one or more parameters from the cpwd configuration
config -r   Restore the default cpwd parameters.
Where the values are as follows:
Argument                              Description
timeout (any value in seconds)        If rerun_mode=1, how much time passes from process failure to rerun. The default is 60 seconds.
no_limit (any value in seconds)       Maximum number of times that cpwd will try to restart a process. The default is 5.
zero_timeout (any value in seconds)   After failing no_limit times to restart a process, cpwd will wait zero_timeout seconds before retrying. The default is 7200 seconds. Should be greater than timeout.
sleep_mode                            1 - wait timeout
                                      0 - ignore timeout. Rerun the process immediately
dbg_mode                              1 - Accept pop-up error messages (with exit-code#0) displayed when a process terminates abruptly (Windows NT only).
                                      0 - Do not receive pop-up error messages. This is useful if pop-up error messages freeze the machine. This is the default (Windows NT only).
rerun_mode                            1 - Rerun a failed process. This is the default.
Example The following example shows two configuration parameters being changed:
timeout to 120 seconds, and no_limit to 10.
config -a and cpwd_admin config -d have no effect if cpwd is running. They will affect cpwd the next time it is run.

dbedit
Description This command is used by administrators to edit the objects file on the SmartCenter server. From version NG, there is an objects fi