[Classification:Protected]
22 January 2020
CLI
R80.40
Reference Guide
-
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
https://www.checkpoint.com/copyright/
https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/
-
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check Point Certifications page.
Check Point R80.40
For more about this release, see the R80.40 home page.
Latest Version of this Document
Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date Description
22 January 2020 First release of this document
https://www.checkpoint.com/products-solutions/certified-check-point-solutions/
http://supportcontent.checkpoint.com/solutions?id=sk160736
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_CLI_ReferenceGuide/Default.htm
http://downloads.checkpoint.com/dc/download.htm?ID=96075
-
Table of Contents
Glossary 30
Introduction 66
Syntax Legend 67
Gaia Commands 70
Security Management Server Commands 71
Managing Security through API 72
API 72
API Tools 72
Configuring the API Server 72
contract_util 74
contract_util check 76
contract_util cpmacro 77
contract_util download 78
contract_util mgmt 80
contract_util print 81
contract_util summary 82
contract_util update 83
contract_util verify 84
cp_conf 85
cp_conf admin 88
cp_conf auto 91
cp_conf ca 93
cp_conf client 95
cp_conf finger 99
cp_conf lic 101
cp_log_export 103
cpca_client 108
cpca_client create_cert 110
cpca_client double_sign 112
cpca_client get_crldp 114
cpca_client get_pubkey 115
cpca_client init_certs 116
cpca_client lscert 117
cpca_client revoke_cert 120
cpca_client revoke_non_exist_cert 123
cpca_client search 124
cpca_client set_mgmt_tool 127
cpca_client set_sign_hash 130
cpca_create 132
cpconfig 133
cpinfo 136
cplic 137
cplic check 140
cplic contract 142
cplic db_add 144
cplic db_print 146
cplic db_rm 148
cplic del 149
cplic del 150
cplic get 151
cplic print 153
cplic put 155
cplic put 157
cplic upgrade 160
cppkg 162
cppkg add 164
cppkg delete 165
cppkg get 167
cppkg getroot 168
cppkg print 169
cppkg setroot 170
cpprod_util 171
cprid 175
cprinstall 176
cprinstall boot 179
cprinstall cprestart 180
cprinstall cpstart 181
cprinstall cpstop 182
cprinstall delete 183
cprinstall get 184
cprinstall install 185
cprinstall revert 188
cprinstall show 189
cprinstall snapshot 190
cprinstall transfer 191
cprinstall uninstall 192
cprinstall verify 194
cpstart 196
cpstat 197
cpstop 205
cpview 206
Overview of CPView 206
CPView User Interface 206
Using CPView 207
cpwd_admin 208
cpwd_admin config 211
cpwd_admin del 214
cpwd_admin detach 215
cpwd_admin exist 216
cpwd_admin flist 217
cpwd_admin getpid 219
cpwd_admin kill 220
cpwd_admin list 221
cpwd_admin monitor_list 225
cpwd_admin start 226
cpwd_admin start_monitor 228
cpwd_admin stop 229
cpwd_admin stop_monitor 231
dbedit 232
fw 245
fw fetchlogs 247
fw hastat 249
fw kill 250
fw log 251
fw logswitch 260
fw lslogs 264
fw mergefiles 267
fw repairlog 270
fw sam 271
fw sam_policy 279
fw sam_policy add 282
fw sam_policy batch 295
fw sam_policy del 297
fw sam_policy get 300
fwm 304
fwm dbload 307
fwm exportcert 309
fwm fetchfile 310
fwm fingerprint 311
fwm getpcap 313
fwm ikecrypt 315
fwm load 316
fwm logexport 317
fwm mds 322
fwm printcert 324
fwm sic_reset 329
fwm snmp_trap 330
fwm unload 333
fwm ver 337
fwm verify 338
inet_alert 339
ldapcmd 342
ldapcompare 344
ldapmemberconvert 348
ldapmodify 353
ldapsearch 355
mgmt_cli 358
migrate 359
migrate_server 363
queryDB_util 367
rs_db_tool 368
sam_alert 370
stattest 374
threshold_config 377
Multi-Domain Security Management Commands 383
Managing Security through API 384
API 384
API Tools 384
Configuring the API Server 384
cma_migrate 386
contract_util 387
contract_util check 389
contract_util cpmacro 390
contract_util download 391
contract_util mgmt 393
contract_util print 394
contract_util summary 395
contract_util update 396
contract_util verify 397
cp_conf 398
cp_conf admin 401
cp_conf auto 404
cp_conf ca 406
cp_conf client 408
cp_conf finger 412
cp_conf lic 414
cp_log_export 416
cpca_client 421
cpca_client create_cert 423
cpca_client double_sign 425
cpca_client get_crldp 427
cpca_client get_pubkey 428
cpca_client init_certs 429
cpca_client lscert 430
cpca_client revoke_cert 433
cpca_client revoke_non_exist_cert 436
cpca_client search 437
cpca_client set_mgmt_tool 440
cpca_client set_sign_hash 443
cpca_create 445
cpinfo 446
cplic 447
cplic check 450
cplic contract 452
cplic db_add 454
cplic db_print 456
cplic db_rm 458
cplic del 459
cplic del 460
cplic get 461
cplic print 463
cplic put 465
cplic put 467
cplic upgrade 470
cpmiquerybin 472
cppkg 474
cppkg add 476
cppkg delete 477
cppkg get 479
cppkg getroot 480
cppkg print 481
cppkg setroot 482
cpprod_util 483
cprid 487
cprinstall 488
cprinstall boot 491
cprinstall cprestart 492
cprinstall cpstart 493
cprinstall cpstop 494
cprinstall delete 495
cprinstall get 496
cprinstall install 497
cprinstall revert 500
cprinstall show 501
cprinstall snapshot 502
cprinstall transfer 503
cprinstall uninstall 504
cprinstall verify 506
cpstat 508
cpview 516
Overview of CPView 516
CPView User Interface 516
Using CPView 517
cpwd_admin 518
cpwd_admin config 521
cpwd_admin del 524
cpwd_admin detach 525
cpwd_admin exist 526
cpwd_admin flist 527
cpwd_admin getpid 529
cpwd_admin kill 530
cpwd_admin list 531
cpwd_admin monitor_list 535
cpwd_admin start 536
cpwd_admin start_monitor 538
cpwd_admin stop 539
cpwd_admin stop_monitor 541
dbedit 542
fw 555
fw fetchlogs 557
fw hastat 559
fw kill 560
fw log 561
fw logswitch 570
fw lslogs 574
fw mergefiles 577
fw repairlog 580
fw sam 581
fw sam_policy 589
fw sam_policy add 592
fw sam_policy batch 605
fw sam_policy del 607
fw sam_policy get 610
fwm 614
fwm dbload 617
fwm exportcert 619
fwm fetchfile 620
fwm fingerprint 621
fwm getpcap 623
fwm ikecrypt 625
fwm load 626
fwm logexport 627
fwm mds 632
fwm printcert 634
fwm sic_reset 639
fwm snmp_trap 640
fwm unload 643
fwm ver 647
fwm verify 648
inet_alert 649
ldapcmd 652
ldapcompare 654
ldapmemberconvert 658
ldapmodify 663
ldapsearch 665
mcd 668
mds_backup 670
mds_restore 673
mdscmd 674
mdsconfig 676
mdsenv 680
mdsquerydb 682
mdsstart 684
mdsstart_customer 688
mdsstat 689
mdsstop 691
mdsstop_customer 695
mgmt_cli 696
migrate 697
migrate_server 701
migrate_global_policies 705
queryDB_util 706
rs_db_tool 707
sam_alert 709
stattest 713
threshold_config 716
$MDSVERUTIL 722
$MDSVERUTIL AllCMAs 732
$MDSVERUTIL AllVersions 733
$MDSVERUTIL CMAAddonDir 736
$MDSVERUTIL CMACompDir 737
$MDSVERUTIL CMAFgDir 738
$MDSVERUTIL CMAFw40Dir 739
$MDSVERUTIL CMAFw41Dir 740
$MDSVERUTIL CMAFwConfDir 741
$MDSVERUTIL CMAFwDir 742
$MDSVERUTIL CMAIp 743
$MDSVERUTIL CMAIp6 744
$MDSVERUTIL CMALogExporterDir 745
$MDSVERUTIL CMALogIndexerDir 746
$MDSVERUTIL CMANameByFwDir 747
$MDSVERUTIL CMANameByIp 748
$MDSVERUTIL CMARegistryDir 749
$MDSVERUTIL CMAReporterDir 750
$MDSVERUTIL CMASmartLogDir 751
$MDSVERUTIL CMASvnConfDir 752
$MDSVERUTIL CMASvnDir 753
$MDSVERUTIL ConfDirVersion 754
$MDSVERUTIL CpdbUpParam 755
$MDSVERUTIL CPprofileDir 756
$MDSVERUTIL CPVer 757
$MDSVERUTIL CustomersBaseDir 758
$MDSVERUTIL DiskSpaceFactor 759
$MDSVERUTIL InstallationLogDir 760
$MDSVERUTIL IsIPv6Enabled 761
$MDSVERUTIL IsLegalVersion 762
$MDSVERUTIL IsOsSupportsIPv6 763
$MDSVERUTIL LatestVersion 764
$MDSVERUTIL MDSAddonDir 765
$MDSVERUTIL MDSCompDir 766
$MDSVERUTIL MDSDir 767
$MDSVERUTIL MDSFgDir 768
$MDSVERUTIL MDSFwbcDir 769
$MDSVERUTIL MDSFwDir 770
$MDSVERUTIL MDSIp 771
$MDSVERUTIL MDSIp6 772
$MDSVERUTIL MDSLogExporterDir 773
$MDSVERUTIL MDSLogIndexerDir 774
$MDSVERUTIL MDSPkgName 775
$MDSVERUTIL MDSRegistryDir 776
$MDSVERUTIL MDSReporterDir 777
$MDSVERUTIL MDSSmartLogDir 778
$MDSVERUTIL MDSSvnDir 779
$MDSVERUTIL MDSVarCompDir 780
$MDSVERUTIL MDSVarDir 781
$MDSVERUTIL MDSVarFwbcDir 782
$MDSVERUTIL MDSVarFwDir 783
$MDSVERUTIL MDSVarSvnDir 784
$MDSVERUTIL MSP 785
$MDSVERUTIL OfficialName 786
$MDSVERUTIL OptionPack 787
$MDSVERUTIL ProductName 788
$MDSVERUTIL RegistryCurrentVer 789
$MDSVERUTIL ShortOfficialName 790
$MDSVERUTIL SmartCenterPuvUpgradeParam 791
$MDSVERUTIL SP 792
$MDSVERUTIL SVNPkgName 793
$MDSVERUTIL SvrDirectory 794
$MDSVERUTIL SvrParam 795
Creating a Domain Management Server with the 'mgmt_cli' Command 796
SmartProvisioning Commands 797
Managing Security through API 798
API 798
API Tools 798
Configuring the API Server 798
Check Point LSMcli Overview 800
SmartLSM Security Gateway Management Actions 802
LSMcli AddROBO VPN1 803
LSMcli ModifyROBO VPN1 805
LSMcli ModifyROBOManualVPNDomain 807
LSMcli ModifyROBOTopology VPN1 808
LSMcli ModifyROBOInterface VPN1 809
LSMcli AddROBOInterface VPN1 810
LSMcli DeleteROBOInterface VPN1 811
LSMcli ExportIke 812
LSMcli ResetIke 813
LSMcli Remove 814
LSMcli ResetSic 815
LSMcli Show 816
LSMcli ShowROBOTopology 818
LSMcli UpdateCO 819
SmartUpdate Actions 820
LSMcli Install 821
LSMcli Uninstall 823
LSMcli Distribute 824
LSMcli VerifyInstall 825
LSMcli VerifyUpgrade 826
LSMcli Upgrade 827
LSMcli GetInfo 828
LSMcli ShowInfo 829
LSMcli ShowRepository 830
LSMcli Stop 831
LSMcli Start 832
LSMcli Restart 833
LSMcli Reboot 834
LSMcli Push Actions 835
LSMcli PushPolicy 836
LSMcli PushDOs 837
LSMcli GetStatus 838
LSMcli Gateway Conversion Actions 839
LSMcli Convert ROBO VPN1 840
LSMcli Convert Gateway VPN1 842
Managing SmartLSM Clusters with LSMcli 844
LSMcli AddROBO VPN1Cluster 845
LSMcli ModifyROBO VPN1Cluster 847
LSMcli ModifyROBOTopology VPN1Cluster 848
LSMcli ModifyROBONetaccess VPN1Cluster 849
LSMcli AddClusterSubnetOverride VPN1Cluster 851
LSMcli ModifyClusterSubnetOverride VPN1Cluster 853
LSMcli DeleteClusterSubnetOverride VPN1Cluster 855
LSMcli AddPrivateSubnetOverride VPN1ClusterMember 857
LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember 859
LSMcli DeletePrivateSubnetOverride VPN1ClusterMember 861
LSMcli RemoveCluster 863
Using LSMcli Commands for Small Office Appliances 864
LSMcli AddROBO 865
LSMcli AddROBO Cluster 867
Other LSMcli Commands for Small Office Appliances 869
Security Gateway Commands 870
comp_init_policy 871
control_bootsec 874
cp_conf 878
cp_conf auto 881
cp_conf corexl 883
cp_conf fullha 885
cp_conf ha 886
cp_conf intfs 887
cp_conf lic 888
cp_conf sic 890
cpconfig 892
cpinfo 895
cplic 896
cplic check 898
cplic contract 900
cplic del 902
cplic print 903
cplic put 905
cpprod_util 907
cpstart 911
cpstat 912
cpstop 920
cpview 921
Overview of CPView 921
CPView User Interface 921
Using CPView 922
dynamic_objects 923
cpwd_admin 927
cpwd_admin config 930
cpwd_admin del 936
cpwd_admin detach 937
cpwd_admin exist 938
cpwd_admin flist 939
cpwd_admin getpid 941
cpwd_admin kill 942
cpwd_admin list 943
cpwd_admin monitor_list 947
cpwd_admin start 948
cpwd_admin start_monitor 950
cpwd_admin stop 951
cpwd_admin stop_monitor 953
fw 954
fw -i 958
fw amw 959
fw ctl 962
fw ctl arp 965
fw ctl bench 966
fw ctl block 968
fw ctl chain 969
fw ctl conn 971
fw ctl conntab 973
fw ctl cpasstat 977
'fw ctl debug' and 'fw ctl kdebug' 978
fw ctl dlpkstat 979
fw ctl get 980
fw ctl iflist 982
fw ctl install 983
fw ctl leak 984
fw ctl pstat 988
fw ctl set 991
fw ctl tcpstrstat 993
fw ctl uninstall 995
fw defaultgen 996
fw fetch 998
fw fetchlogs 1000
fw getifs 1002
fw hastat 1003
fw isp_link 1004
fw kill 1005
fw lichosts 1006
fw log 1007
fw logswitch 1016
fw lslogs 1020
fw mergefiles 1023
fw monitor 1026
fw repairlog 1056
fw sam 1057
fw sam_policy 1065
fw sam_policy add 1068
fw sam_policy batch 1081
fw sam_policy del 1083
fw sam_policy get 1086
fw showuptables 1090
fw stat 1091
fw tab 1093
fw unloadlocal 1100
fw up_execute 1104
fw ver 1107
fwboot 1109
fwboot bootconf 1111
fwboot corexl 1116
fwboot cpuid 1123
fwboot default 1125
fwboot fwboot_ipv6 1126
fwboot fwdefault 1127
fwboot ha_conf 1128
fwboot ht 1129
fwboot multik_reg 1132
fwboot post_drv 1134
sam_alert 1135
stattest 1139
usrchk 1142
ClusterXL Commands 1147
ClusterXL Configuration Commands 1148
Configuring the Cluster Member ID Mode in Local Logs 1152
Registering a Critical Device 1153
Unregistering a Critical Device 1155
Reporting the State of a Critical Device 1156
Registering Critical Devices Listed in a File 1157
Unregistering All Critical Devices 1159
Configuring the Cluster Control Protocol (CCP) Settings 1160
Initiating Manual Cluster Failover 1161
Configuring the Minimal Number of Required Slave Interfaces for Bond Load Sharing 1165
Configuring Link Monitoring on the Cluster Interfaces 1166
Configuring the Multi-Version Cluster Mechanism 1169
ClusterXL Monitoring Commands 1170
Viewing Cluster State 1175
Viewing Critical Devices 1180
Viewing Cluster Interfaces 1187
Viewing Bond Interfaces 1192
Viewing Cluster Failover Statistics 1197
Viewing Software Versions on Cluster Members 1199
Viewing Delta Synchronization 1200
Viewing IGMP Status 1207
Viewing Cluster Delta Sync Statistics for Connections Table 1208
Viewing Cluster IP Addresses 1209
Viewing the Cluster Member ID Mode in Local Logs 1210
Viewing Interfaces Monitored by RouteD 1211
Viewing Roles of RouteD Daemon on Cluster Members 1212
Viewing Cluster Correction Statistics 1213
Viewing the Cluster Control Protocol (CCP) Settings 1215
Viewing Latency and Drop Rate of Interfaces 1216
Viewing the State of the Multi-Version Cluster Mechanism 1217
Viewing Full Connectivity Upgrade Statistics 1218
cpconfig 1219
cphastart 1222
cphastop 1223
cp_conf fullha 1224
cp_conf ha 1225
fw hastat 1226
fwboot ha_conf 1227
The clusterXL_admin Script 1228
The clusterXL_monitor_ips Script 1232
The clusterXL_monitor_process Script 1236
SecureXL Commands 1240
'fwaccel' and 'fwaccel6' 1241
fwaccel cfg 1244
fwaccel conns 1247
fwaccel dbg 1251
fwaccel dos 1257
fwaccel dos blacklist 1259
fwaccel dos config 1261
fwaccel dos pbox 1267
fwaccel dos rate 1272
fwaccel dos stats 1274
fwaccel dos whitelist 1276
fwaccel feature 1281
fwaccel off 1284
fwaccel on 1288
fwaccel ranges 1292
fwaccel stat 1298
fwaccel stats 1304
Description of the Statistics Counters in the "fwaccel stats" Output 1306
Example Outputs on the "fwaccel stats" Commands 1312
fwaccel synatk 1327
fwaccel synatk -a 1330
fwaccel synatk -c 1331
fwaccel synatk -d 1332
fwaccel synatk -e 1333
fwaccel synatk -g 1334
fwaccel synatk -m 1335
fwaccel synatk -t 1336
fwaccel synatk config 1337
fwaccel synatk monitor 1340
fwaccel synatk state 1345
fwaccel synatk whitelist 1347
fwaccel tab 1352
fwaccel templates 1356
fwaccel ver 1360
'sim' and 'sim6' 1361
sim affinity 1363
sim affinityload 1366
sim enable_aesni 1367
sim if 1368
sim nonaccel 1372
sim ver 1374
fw sam_policy 1375
fw sam_policy add 1378
fw sam_policy batch 1391
fw sam_policy del 1393
fw sam_policy get 1396
The /proc/ppk/ and /proc/ppk6/ entries 1400
/proc/ppk/affinity 1402
/proc/ppk/conf 1403
/proc/ppk/conns 1404
/proc/ppk/cpls 1405
/proc/ppk/cqstats 1406
/proc/ppk/drop_statistics 1407
/proc/ppk/ifs 1408
/proc/ppk/mcast_statistics 1412
/proc/ppk/nac 1413
/proc/ppk/notify_statistics 1414
/proc/ppk/profile_cpu_stat 1415
/proc/ppk/rlc 1416
/proc/ppk/statistics 1417
/proc/ppk/stats 1419
/proc/ppk/viol_statistics 1420
SecureXL Debug 1421
fwaccel dbg 1422
SecureXL Debug Procedure 1428
SecureXL Debug Modules and Debug Flags 1432
CoreXL Commands 1440
cp_conf corexl 1441
dynamic_split 1443
fw ctl multik 1445
fw ctl multik add_bypass_port 1448
fw ctl multik del_bypass_port 1450
fw ctl multik dynamic_dispatching 1452
fw ctl multik gconn 1453
fw ctl multik get_instance 1458
fw ctl multik print_heavy_conn 1460
fw ctl multik prioq 1462
fw ctl multik show_bypass_ports 1463
fw ctl multik stat 1464
fw ctl multik start 1466
fw ctl multik stop 1467
fw ctl multik utilize 1468
fw ctl affinity 1469
Running the 'fw ctl affinity -l' command in Gateway Mode 1470
Running the 'fw ctl affinity -l' command in VSX Mode 1474
Running the 'fw ctl affinity -s' command in Gateway Mode 1477
Running the 'fw ctl affinity -s' command in VSX Mode 1481
fw -i 1485
fwboot bootconf 1486
fwboot corexl 1491
fwboot cpuid 1498
fwboot ht 1500
fwboot multik_reg 1503
fwboot post_drv 1505
Multi-Queue Commands 1506
mq_mng 1507
Identity Awareness Commands 1510
adlog 1511
adlog control 1513
adlog dc 1515
adlog debug 1516
adlog query 1517
adlog statistics 1518
pdp 1519
pdp ad 1521
General Syntax 1521
The 'pdp ad associate' command 1521
The 'pdp ad disassociate' command 1522
pdp auth 1523
pdp broker 1527
pdp conciliation 1531
pdp connections 1533
pdp control 1534
pdp debug 1535
pdp idc 1538
pdp idp 1540
pdp ifmap 1541
pdp monitor 1543
pdp muh 1545
pdp nested_groups 1546
pdp network 1547
pdp radius 1548
pdp status 1552
pdp tasks_manager 1553
pdp timers 1554
pdp topology_map 1555
pdp tracker 1556
pdp update 1557
pdp vpn 1558
pep 1559
pep control 1560
pep debug 1561
pep show 1563
pep tracker 1566
test_ad_connectivity 1567
VPN Commands 1571
vpn 1572
vpn check_ttm 1576
vpn compreset 1577
vpn compstat 1578
vpn crl_zap 1579
vpn crlview 1580
vpn debug 1582
vpn dll 1586
vpn drv 1587
vpn dump_psk 1588
vpn ipafile_check 1589
vpn ipafile_users_capacity 1590
vpn macutil 1591
vpn mep_refresh 1592
vpn neo_proto 1593
vpn nssm_toplogy 1594
vpn overlap_encdom 1595
vpn rim_cleanup 1596
vpn rll 1597
vpn set_slim_server 1598
vpn set_snx_encdom_groups 1599
vpn set_trac 1600
vpn shell 1601
vpn show_tcpt 1608
vpn sw_topology 1609
vpn tu 1610
vpn tu del 1612
vpn tu list 1615
vpn tu mstats 1617
vpn tu tlist 1618
vpn ver 1620
mcc 1621
mcc add 1623
mcc add2main 1624
mcc del 1625
mcc lca 1626
mcc main2add 1627
mcc show 1628
Mobile Access Commands 1630
admin_wizard 1631
cvpnd_admin 1635
cvpnd_settings 1638
cvpn_ver 1640
cvpnrestart 1641
cvpnstart 1642
cvpnstop 1643
deleteUserSettings 1644
fwpush 1645
ics_updates_script 1649
listusers 1650
rehash_ca_bundle 1651
UserSettingsUtil 1652
Data Loss Prevention Commands 1654
dlpcmd 1655
VSX Commands 1658
cpconfig 1659
vsenv 1662
vsx 1663
vsx fetch 1665
vsx fetch_all_cluster_policies 1667
vsx fetchvs 1668
vsx get 1669
vsx initmsg 1670
vsx mstat 1671
vsx resctrl 1675
vsx showncs 1678
vsx sicreset 1679
vsx stat 1680
vsx unloadall 1682
vsx vspurge 1683
vsx_util 1684
vsx_util add_member 1687
vsx_util change_interfaces 1689
vsx_util change_mgmt_ip 1692
vsx_util change_mgmt_subnet 1693
vsx_util change_private_net 1694
vsx_util convert_cluster 1695
vsx_util reconfigure 1696
vsx_util remove_member 1701
vsx_util show_interfaces 1702
vsx_util upgrade 1704
vsx_util view_vs_conf 1705
vsx_util vsls 1708
vsx_provisioning_tool 1709
Transactions 1712
vsx_provisioning_tool Commands 1713
Explicit Transaction Commands 1714
Adding a VSX Gateway 1715
Adding a VSX Cluster 1717
Adding a Virtual Device 1720
Deleting a Virtual Device 1723
Modifying Settings of a Virtual Device 1724
Adding an Interface to a Virtual Device 1727
Removing an Interface from a Virtual Device 1731
Modifying Settings of an Interface 1733
Adding a Route 1736
Removing a Route 1738
Showing Virtual Device Data 1740
Script Examples 1741
Example 1 1741
Example 2 1742
Example 3 1742
QoS Commands 1743
etmstart 1744
etmstop 1745
fgate 1746
IPS Commands 1754
ips 1755
ips bypass 1757
ips debug 1759
ips off 1760
ips on 1761
ips pmstats 1762
ips refreshcap 1763
ips stat 1764
ips stats 1765
Running Check Point Commands in Shell Scripts 1768
Working with Kernel Parameters on Security Gateway 1769
Introduction to Kernel Parameters 1769
Firewall Kernel Parameters 1770
Working with Integer Kernel Parameters 1771
Working with String Kernel Parameters 1776
SecureXL Kernel Parameters 1779
-
Glossary
3
3rd party Cluster
Cluster of Check Point Security Gateways that work together in a redundant configuration. These Check Point Security Gateways are installed on X-Series XOS, or IPSO OS. VRRP Cluster on Gaia OS is also considered a 3rd party cluster. The 3rd party cluster handles the traffic, and Check Point Security Gateways perform only State Synchronization.
A
Accelerated Path
Packet flow on the Host appliance, when the packet is completely handled by the SecureXL device. It is processed and forwarded to the network.
Access Role
Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules.
Active
State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism.
Active-Active
A cluster mode, where cluster members are located in different geographical areas (different sites, different availability zones). Administrator configures Dynamic Routing on each cluster member, so it becomes a router in the applicable area or autonomous system on the site. The IP addresses of the interfaces on each cluster member are on different networks (including the Sync interfaces). Each cluster member inspects all traffic routed to it and synchronizes the recorded connections to its peer cluster members. The traffic is not balanced between the cluster members.
Active Directory
Microsoft® directory information service. Stores data about user, computer, and service identities for authentication and access. Acronym: AD.
Active Domain Server
The only Domain Management Server in a High Availability deployment that can manage a specified Domain.
Active Up
ClusterXL in High Availability mode that was configured as Maintain current active Cluster Member in the cluster object in SmartConsole: (1) If the current Active member fails for some reason, or is rebooted (for example, Member_A), then failover occurs between Cluster Members - another Standby member will be promoted to be Active (for example, Member_B). (2) When former Active member (Member_A) recovers from a failure, or boots, the former Standby member (Member_B) will remain to be in Active state (and Member_A will assume the Standby state).
Active(!)
In ClusterXL, state of the Active Cluster Member that suffers from a failure. A problem was detected, but the Cluster Member still forwards packets, because it is the only member in the cluster, or because there are no other Active members in the cluster. In any other situation, the state of the member is Down. Possible states: ACTIVE(!), ACTIVE(!F) - Cluster Member is in the freeze state, ACTIVE(!P) - This is the Pivot Cluster Member in Load Sharing Unicast mode, ACTIVE(!FP) - This is the Pivot Cluster Member in Load Sharing Unicast mode and it is in the freeze state.
Active/Active
See "Load Sharing".
Active/Standby
See "High Availability".
AD Query
Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server.
Administrator
A user with permissions to manage Check Point security products and the network environment.
Affinity
The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.
Anti-Bot
Check Point Software Blade that inspects network traffic for malicious bot software.
Anti-Virus
Check Point Software Blade that protects networks against self-propagating programs or processes that can cause damage.
API
In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. In general terms, it is a set of clearly defined methods of communication between various software components.
Appliance
A physical computer manufactured and distributed by Check Point.
ARP Forwarding
Forwarding of ARP Request and ARP Reply packets between Cluster Members by encapsulating them in Cluster Control Protocol (CCP) packets. Introduced in R80.10 version. For details, see sk111956.
Ask
UserCheck rule action that blocks traffic and files and shows a UserCheck message. The user can agree to allow the activity.
Audit Log
A record of an action that is done by an Administrator.
B
Backup
(1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be promoted to Master state (if Master member fails). (2) In VSX Cluster configured in Virtual System Load Sharing mode with three or more Cluster Members - State of a Virtual System on a third (and so on) VSX Cluster Member. (3) A Cluster Member or Virtual System in this state does not process any traffic passing through cluster.
Blocking Mode
Cluster operation mode, in which Cluster Member does not forward any traffic (for example, caused by a failure).
Bond
A virtual interface that contains (enslaves) two or more physical interfaces for redundancy and load sharing. The physical interfaces share one IP address and one MAC address. See "Link Aggregation".
Bonding
See "Link Aggregation".
Bot
Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions.
Bridge Mode
A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology.
Browser-Based Authentication
Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to which users connect with their web browser to log in and authenticate.
Burstiness
Data that is transferred or transmitted in short, uneven spurts. LAN traffic is typically bursty. Opposite of streaming data.
C
CA
Certificate Authority. Issues certificates to gateways, users, or computers, to identify itself to connecting entities with Distinguished Name, public key, and sometimes IP address. After certificate validation, entities can send encrypted data using the public keys in the certificates.
Captive Portal
A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.
CCP
See "Cluster Control Protocol".
Certificate
An electronic document that uses a digital signature to bind a cryptographic public key to a specific identity. The identity can be an individual, organization, or software entity. The certificate is used to authenticate one identity to another.
Cisco ISE
Cisco Identity Services Engine is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches. The purpose is to simplify identity management across diverse devices and applications.
Cluster
Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.
Cluster Control Protocol
Proprietary Check Point protocol that runs between Cluster Members on UDP port 8116, and has the following roles: (1) State Synchronization (Delta Sync), (2) Health checks (state of Cluster Members and of cluster interfaces): Health-status Reports, Cluster-member Probing, State-change Commands, Querying for cluster membership. Note: CCP is located between the Check Point Firewall kernel and the network interface (therefore, only TCPdump should be used for capturing this traffic). Acronym: CCP.
Cluster Correction Layer
Proprietary Check Point mechanism that deals with asymmetric connections in Check Point cluster. The CCL provides connections stickiness by "correcting" the packets to the correct Cluster Member: In most cases, the CCL makes the correction from the CoreXL SND; in some cases (like Dynamic Routing, or VPN), the CCL makes the correction from the Firewall or SecureXL. Acronym: CCL.
Cluster Interface
An interface on a Cluster Member, whose Network Type was set as Cluster in SmartConsole in cluster object. This interface is monitored by cluster, and failure on this interface will cause cluster failover.
Cluster Member
A Security Gateway that is part of a cluster.
Cluster Mode
Configuration of Cluster Members to work in these redundant modes: (1) One Cluster Member processes all the traffic - High Availability or VRRP mode (2) All traffic is processed in parallel by all Cluster Members - Load Sharing.
Cluster Topology
Set of interfaces on all members of a cluster and their settings (Network Objective, IP address/Net Mask, Topology, Anti-Spoofing, and so on).
ClusterXL
Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic.
Cooperative Enforcement
Integration of Endpoint Security server compliance to verify internal network connections.
CoreXL
A performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores.
CoreXL Dynamic Dispatcher
Improved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXL Firewall instances. Traffic distribution between CoreXL Firewall instances is dynamically based on the utilization of CPU cores, on which the CoreXL Firewall instances are running. The dynamic decision is made for first packets of connections, by assigning each of the CoreXL Firewall instances a rank, and selecting the CoreXL Firewall instance with the lowest rank. The rank for each CoreXL Firewall instance is calculated according to its CPU utilization. The higher the CPU utilization, the higher the CoreXL Firewall instance's rank is, hence this CoreXL Firewall instance is less likely to be selected by the CoreXL SND. See sk105261.
CoreXL Firewall Instance
Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one processing CPU core. These firewall instances handle traffic at the same time, and each firewall instance is a complete and independent firewall inspection kernel.
CoreXL SND
Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming traffic from the network interfaces; Securely accelerating authorized packets (if SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel instances (SND maintains global dispatching table, which maps connections that were assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall instances is statically based on Source IP addresses, Destination IP addresses, and the IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick to a particular FWK daemon is done at the first packet of connection on a very high level, before anything else. Depending on the SecureXL settings, and in most of the cases, the SecureXL can be offloading decryption calculations. However, in some other cases, such as with Route-Based VPN, it is done by FWK daemon.
Correlation Unit
A SmartEvent software component that analyzes logs and detects events.
CPHA
General term in Check Point Cluster that stands for Check Point High Availability (historic fact: the first release of ClusterXL supported only High Availability) that is used only for internal references (for example, inside kernel debug) to designate ClusterXL infrastructure.
CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449.
Critical Device
Also known as a Problem Notification, or pnote. A special software device on each Cluster Member, through which the critical aspects for cluster operation are monitored. When the critical monitored component on a Cluster Member fails to report its state on time, or when its state is reported as problematic, the state of that member is immediately changed to Down. The complete list of the configured critical devices (pnotes) is printed by the 'cphaprob -ia list' command or 'show cluster members pnotes all' command.
Custom Report
A user defined report for a Check Point product, typically based on a predefined report.
D
DAIP Gateway
A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the IP address of the external interface is assigned dynamically by the ISP.
Data Loss Prevention
Check Point Software Blade that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP.
Data Type
A classification of data. The Firewall classifies incoming and outgoing traffic according to Data Types, and enforces the Policy accordingly.
Database
The Check Point database includes all objects, including network objects, users, services, servers, and protection profiles.
Dead
State reported by a Cluster Member when it goes out of the cluster (due to 'cphastop' command (which is a part of 'cpstop'), or reboot).
Decision Function
A special cluster algorithm applied by each Cluster Member on the incoming traffic in order to decide, which Cluster Member should process the received packet. Each Cluster Member maintains a table of hash values generated based on connections tuple (source and destination IP addresses/Ports, and Protocol number).
Dedicated Management Interface
A separate physical interface on VSX Gateway or VSX Cluster Members, through which Check Point Security Management Server or Multi-Domain Server connects directly to VSX Gateway or VSX Cluster Members. DMI is restricted to management traffic, such as provisioning, logging and monitoring. Acronym: DMI.
Delta Sync
Synchronization of kernel tables between all working Cluster Members - exchange of CCP packets that carry pieces of information about different connections and operations that should be performed on these connections in relevant kernel tables. This Delta Sync process is performed directly by Check Point kernel. While performing Full Sync, the Delta Sync updates are not processed and saved in kernel memory. After Full Sync is complete, the Delta Sync packets stored during the Full Sync phase are applied by order of arrival.
Delta Sync Retransmission
It is possible that Delta Sync packets will be lost or corrupted during the Delta Sync operations. In such cases, it is required to make sure the Delta Sync packet is re-sent. The Cluster Member requests the sending Cluster Member to retransmit the lost/corrupted Delta Sync packet. Each Delta Sync packet has a sequence number. The sending member has a queue of sent Delta Sync packets. Each Cluster Member has a queue of packets sent from each of the peer Cluster Members. If, for any reason, a Delta Sync packet was not received by a Cluster Member, it can ask for a retransmission of this packet from the sending member. The Delta Sync retransmission mechanism is somewhat similar to a TCP Window and TCP retransmission mechanism. When a member requests retransmission of a Delta Sync packet, which no longer exists on the sending member, the member prints a console message that the sync is not complete.
Detect
UserCheck rule action that allows traffic and files to enter the internal network and logs them.
Distributed Deployment
The Check Point Security Gateway and Security Management Server products are deployed on different computers.
Domain
A network or a collection of networks related to an entity, such as a company, business unit or geographical location.
Domain Log Server
A Log Server for a specified Domain. It stores and processes logs from Security Gateways that are managed by the corresponding Domain Management Server. Acronym: DLS.
Domain Management Server
A virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS.
Down
State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster.
Dying
State of a Cluster Member as assumed by peer members, if it did not report its state for 0.7 second.
E
Event
A record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy.
Event Correlation
A procedure that extracts, aggregates, correlates and analyzes events from the logs.
Event Policy
A set of rules that define the behavior of SmartEvent.
Expert Mode
The name of the full command line shell that gives full system root permissions in the Check Point Gaia operating system.
External Network
Computers and networks that are outside of the protected network.
External Users
Users defined on external servers. External users are not defined in the Security Management Server database or on an LDAP server. External user profiles tell the system how to identify and authenticate externally defined users.
F
F2F
Denotes non-VPN connections that SecureXL forwarded to firewall. See "Firewall Path".
Failback in Cluster
Also, Fallback. Recovery of a Cluster Member that suffered from a failure. The state of a recovered Cluster Member is changed from Down to either Active, or Standby (depending on Cluster Mode).
Failed Member
A Cluster Member that cannot send or accept traffic because of a hardware or software problem.
Failover
Also, Fail-over. Transferring of a control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms).
Failure
A hardware or software problem that causes a Security Gateway to be unable to serve as a Cluster Member (for example, one of the cluster interfaces has failed, or one of the monitored daemons has crashed). A Cluster Member that suffered from a failure is declared as failed, and its state is changed to Down (a physical interface is considered Down only if all configured VLANs on that physical interface are Down).
Firewall
The software and hardware that protects a computer network by analyzing the incoming and outgoing network traffic (packets).
Firewall Path
Also Slow Path. Packet flow on the Host Security Appliance, when the SecureXL device is unable to process the packet (see sk32578). The packet is passed to the CoreXL layer and then to one of the CoreXL Firewall instances for full processing. This path also processes all packets when SecureXL is disabled.
Flapping
Consequent changes in the state of either cluster interfaces (cluster interface flapping), or Cluster Members (Cluster Member flapping). Such consequent changes in the state are seen in the 'Logs & Monitor' > 'Logs' (if in SmartConsole > cluster object, the cluster administrator set the 'Track changes in the status of cluster members' to 'Log').
Flush and ACK
Also, FnA, F&A. Cluster Member forces the Delta Sync packet about the incoming packet and waits for acknowledgments from all other Active members and only then allows the incoming packet to pass through. In some scenarios, it is required that some information, written into the kernel tables, will be Sync-ed promptly, or else a race condition can occur. The race condition may occur if a packet that caused a certain change in kernel tables left Member_A toward its destination and then the return packet tries to go through Member_B. In general, this kind of situation is called asymmetric routing. What may happen in this scenario is that the return packet arrives at Member_B before the changes induced by this packet were Sync-ed to this Member_B. Example of such a case is when a SYN packet goes through Member_A, causing multiple changes in the kernel tables and then leaves to a server. The SYN-ACK packet from a server arrives at Member_B, but the connection itself was not Sync-ed yet. In this condition, the Member_B will drop the packet as an Out-of-State packet (First packet isn't SYN). In order to prevent such conditions, it is possible to use the "Flush and ACK" (F&A) mechanism. This mechanism can send the Delta Sync packets with all the changes accumulated so far in the Sync buffer to the other Cluster Members, hold the original packet that induced these changes and wait for acknowledgment from all other (Active) Cluster Members that they received the information in the Delta Sync packet. When all acknowledgments arrived, the mechanism will release the held original packet. This ensures that by the time the return packet arrived from a server at the cluster, all the Cluster Members are aware of the connection. F&A is being operated at the end of the Inbound chain and at the end of the Outbound chain (it is more common at the Outbound).
Forwarding
Process of transferring of an incoming traffic from one Cluster Member to another Cluster Member for processing. There are two types of forwarding the incoming traffic between Cluster Members - Packet forwarding and Chain forwarding. Also see "Forwarding Layer in Cluster" and "ARP Forwarding in Cluster".
Forwarding Layer
The Forwarding Layer is a ClusterXL mechanism that allows a Cluster Member to pass packets to peer Cluster Members, after they have been locally inspected by the firewall. This feature allows connections to be opened from a Cluster Member to an external host. Packets originated by Cluster Members are hidden behind the Cluster Virtual IP address. Thus, a reply from an external host is sent to the cluster, and not directly to the source Cluster Member. This can pose problems in the following situations: (1) The cluster is working in High Availability mode, and the connection is opened from the Standby Cluster Member. All packets from the external host are handled by the Active Cluster Member, instead. (2) The cluster is working in a Load Sharing mode, and the decision function has selected another Cluster Member to handle this connection. This can happen since packets directed at a Cluster IP address are distributed between Cluster Members as with any other connection. If a Cluster Member decides, upon the completion of the firewall inspection process, that a packet is intended for another Cluster Member, it can use the Forwarding Layer to hand the packet over to that Cluster Member. In High Availability mode, packets are forwarded over a Synchronization network directly to peer Cluster Members. It is important to use secured networks only, as encrypted packets are decrypted during the inspection process, and are forwarded as clear-text (unencrypted) data. In Load Sharing mode, packets are forwarded over a regular traffic network. Packets that are sent on the Forwarding Layer use a special source MAC address to inform the receiving Cluster Member that they have already been inspected by another Cluster Member. Thus, the receiving Cluster Member can safely hand over these packets to the local Operating System, without further inspection.
Full High Availability
Also, Full HA Cluster Mode. A special Cluster Mode (supported only on Check Point appliances running Gaia OS or SecurePlatform OS), where each Cluster Member also runs as a Security Management Server. This provides redundancy both between Security Gateways (only High Availability is supported) and between Security Management Servers (only High Availability is supported - see sk39345).
Full Sync
Process of full synchronization of applicable kernel tables by a Cluster Member from the working Cluster Member(s) when it tries to join the existing cluster. This process is meant to fetch a "snapshot" of the applicable kernel tables of already Active Cluster Member(s). Full Sync is performed during the initialization of Check Point software (during boot process, the first time the Cluster Member runs policy installation, during 'cpstart', during 'cphastart'). Until the Full Sync process completes successfully, this Cluster Member remains in the Down state, because until it is fully synchronized with other Cluster Members, it cannot function as a Cluster Member. Meanwhile, the Delta Sync packets continue to arrive, and the Cluster Member that tries to join the existing cluster, stores them in the kernel memory until the Full Sync completes. The whole Full Sync process is performed by fwd daemons on TCP port 256 over the Sync network (if it fails over the Sync network, it tries the other cluster interfaces). The information is sent by fwd daemons in chunks, while making sure they confirm getting the information before sending the next chunk. Also see "Delta Sync".
G
Gaia
Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems.
Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This is a restrictive shell (role-based administration controls the number of commands available in the shell).
Gaia Portal
Web interface for Check Point Gaia operating system.
Global Domain
A Domain on a Multi-Domain Server, on which the Multi-Domain Server administrator creates and manages objects, security policies and settings that apply to the entire Multi-Domain Security Management environment.
Global Objects
For Multi-Domain Management, all network and objects defined in the Global Domain.
Global Policy
All Policies defined in the Global Domain that can be assigned to Domains, or to specified groups of Domains.
H
HA not started
Output of the 'cphaprob ' command or 'show cluster ' command on the Cluster Member. This output means that Check Point clustering software is not started on this Security Gateway (for example, this machine is not a part of a cluster, or 'cphastop' command was run, or some failure occurred that prevented the ClusterXL product from starting correctly).
High Availability
A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address (see sk50840). Acronym: HA.
Hotfix
A piece of software installed on top of the current software in order to fix some wrong or undesired behavior.
HTU
Stands for "HA Time Unit". All internal time in ClusterXL is measured in HTUs (the times in cluster debug also appear in HTUs). Formula in the Check Point software: 1 HTU = 10 x fwha_timer_base_res = 10 x 10 milliseconds = 100 ms.
Hybrid
Starting in R80.20, on Security Gateways with 40 or more CPU cores, Software Blades run in the user space (as 'fwk' processes). The Hybrid Mode refers to the state when you upgrade Cluster Members from R80.10 (or below) to R80.20 (or above). The Hybrid Mode is the state, in which the upgraded Cluster Members already run their Software Blades in the user space (as fwk processes), while other Cluster Members still run their Software Blades in the kernel space (represented by the fw_worker processes). In the Hybrid Mode, Cluster Members are able to synchronize the required information.
I
ICA
Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication.
ICAP Client
The ICAP Client functionality in your Security Gateway or Cluster enables it to interact with an ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections.
ICAP Server
The ICAP Server functionality in your Security Gateway or Cluster enables it to interact with an ICAP Client requests, send the files for inspection, and return the verdict.
Identity Agent
Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are three types of Identity Agents - Full, Light and Custom. You can download the Full, Light and Custom Identity Agent package from the Captive Portal - 'https:///connect'. You can transfer the Full and Light Identity Agent package from the Identity Awareness Agents - 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk134312'.
Identity Agent Configuration Utility
Check Point utility that creates custom Identity Agent installation packages. This utility is installed as a part of the Identity Agent: go to the Windows Start menu > All Programs > Check Point > Identity Agent > right-click the 'Identity Agent' shortcut > select 'Properties' > click 'Open File Location' ('Find Target' in some Windows versions) > double-click 'IAConfigTool.exe'.
Identity Agent Distributed Configuration Tool
Check Point Identity Agent control tool for Windows-based client computers that are members of an Active Directory domain. The Distributed Configuration tool lets you configure connectivity and trust rules for Identity Agents - to which Identity Awareness Security Gateways the Identity Agent should connect, depending on its IPv4 / IPv6 address, or Active Directory Site. This tool is installed as a part of the Identity Agent: go to the Windows Start menu > All Programs > Check Point > Identity Agent > open the Distributed Configuration. Note - You must have administrative access to this Active Directory domain to allow automatic creation of new LDAP keys and writing.
Identity Awareness
Check Point Software Blade that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer.
Identity Broker
Identity Sharing mechanism between Identity Servers (PDP): (1) Communication channel between PDPs based on Web-API (2) Identity Sharing capabilities between PDPs - ability to add, remove, and update the identity session.
Identity Collector
Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from the Identity Awareness Agents - 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk134312'.
Identity Collector Identity Sources
Identity Sources for Check Point Identity Collector - Microsoft Active Directory Domain Controllers, Cisco Identity Services Engine (ISE) Servers, or NetIQ eDirectory Servers.
Identity Collector Query Pool
A list of Identity Sources for Check Point Identity Collector.
Identity Server
Check Point Security Gateway with enabled Identity Awareness Software Blade.
IKE
Internet Key Exchange. An Encryption key management protocol for IPSec that creates a shared key to encrypt and decrypt IP packets and establishes a VPN tunnel and Security Association.
Indicator
Pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.
Init
State of a Cluster Member in the phase after the boot and until the Full Sync completes. A Cluster Member in this state does not process any traffic passing through cluster.
Inline Layer
Set of rules used in another rule in Security Policy.
Intelligent Queuing Engine
A bandwidth allocation algorithm that guarantees high priority traffic takes precedence over low priority traffic.
Internal Network
Computers and resources protected by the Firewall and accessed by authenticated users.
IP Tracking
Collecting and saving of Source IP addresses and Source MAC addresses from incoming IP packets during the probing. IP tracking is useful for Cluster Members to determine whether the network connectivity of the Cluster Member is acceptable.
IP Tracking Policy
Internal setting that controls, which IP addresses should be tracked during IP tracking: (1) Only IP addresses from the subnet of cluster VIP, or from subnet of physical cluster interface (this is the default) (2) All IP addresses, also outside the cluster subnet.
IPS
Intrusion Prevention System. Check Point Software Blade that inspects and analyzes packets and data for numerous types of risks.
IPv4
Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each set can be from 0 - 255. For example, 192.168.2.1.
IPv6
Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets of hexadecimal numbers, each set can be from 0 - ffff. For example, FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.
IRQ Affinity
A state of binding an IRQ to one or more CPU cores.
J
Jitter
Variation in the delay of received packets. On the sending side, packets are spaced evenly apart and sent in a continuous stream. On the receiving side, the delay between each packet can vary according to network congestion, improper queuing or configuration errors.
Jumbo Hotfix Accumulator
Collection of hotfixes combined into a single package. Acronyms: JHA, JHF.
K
Kerberos
A computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.
L
Link Aggregation
Technology that joins multiple physical interfaces together into one virtual interface, known as a bond interface. Also known as Interface Bonding.
LLQ
Low Latency Queuing is a feature developed by Cisco to bring strict priority queuing (PQ) to class-based weighted fair queuing (CBWFQ). LLQ allows delay-sensitive data (such as voice) to be given preferential treatment over other traffic by letting the data be dequeued and sent first.
Load Sharing
Also, Load Balancing mode. A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. See "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Acronym: LS.
Load Sharing Multicast
Load Sharing Cluster Mode, where all Cluster Members process all traffic in parallel. Each Cluster Member is assigned the equal load of [ 100% / number_of_members ]. The Cluster Virtual IP address (that represents the cluster on that network) is associated with Multicast MAC Address 01:00:5E:X:Y:Z (which is generated based on last 3 bytes of cluster Virtual IP address on that network). A ClusterXL decision algorithm (Decision Function) on all Cluster Members decides, which Cluster Member should process the given packet.
Load Sharing Unicast
Load Sharing Cluster Mode, where one Cluster Member (called Pivot) accepts all traffic. Then, the Pivot member decides to process this traffic, or to forward it to other non-Pivot Cluster Members. The traffic load is assigned to Cluster Members based on the hard-coded formula per the value of Pivot_overhead attribute (see sk34668). The Cluster Virtual IP address (that represents the cluster on that network) is associated with: (1) Physical MAC Address of Pivot member (2) Virtual MAC Address (see sk50840).
Log
A record of an action that is done by a Software Blade.
Log Server
A dedicated Check Point computer that runs Check Point software to store and process logs in Security Management Server or Multi-Domain Security Management environment.
M
Mail Transfer Agent
A gateway feature that intercepts SMTP traffic and forwards it to the applicable inspection component.
Main Domain Management Server
A Domain Management Server on a Multi-Domain Server, on which you defined the object of your VSX Gateway or VSX Cluster. In this case, objects of your Virtual Systems are defined on different Domain Management Servers (Target Domain Management Servers).
Malware Database
The Check Point database of commonly used signatures, URLs, and their related reputations, installed on a Security Gateway and used by the ThreatSpect engine.
Management High Availability
Deployment and configuration mode of two Check Point Management Servers, in which they automatically synchronize the management databases with each other. In this mode, one Management Server is Active, and the other is Standby. Acronyms: Management HA, MGMT HA.
Management Interface
Interface on Gaia computer, through which users connect to Portal or CLI. Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member.
Management Server
A Check Point Security Management Server or a Multi-Domain Server.
Master
State of a Cluster Member that processes all traffic in cluster configured in VRRP mode.
Medium Path (PXL)
Packet flow on the Host Security Appliance, when the packet is handled by the SecureXL device. The CoreXL layer passes the packet to one of the CoreXL Firewall instances to process it. Even when CoreXL is disabled, the SecureXL uses the CoreXL infrastructure to send the packet to the single CoreXL Firewall instance that still functions. When the Medium Path is available, the SecureXL fully accelerates the TCP handshake. Rule Base match is achieved for the first packet through an existing connection acceleration template. The SecureXL also fully accelerates the TCP [SYN-ACK] and TCP [ACK] packets. However, once data starts to flow, to stream it for Content Inspection, an FWK instance now handles the packets. The SecureXL sends all packets that contain data to FWK for data extraction in order to build the data stream. Only the SecureXL handles the TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets, because they do not contain data that needs to be streamed. This path is available only when CoreXL is enabled. Exceptions are: IPS (some protections); VPN (in some configurations); Application Control; Content Awareness; Anti-Virus; Anti-Bot; HTTPS Inspection; Proxy mode; Mobile Access; VoIP; Web Portals.
Mirror and Decrypt
The Mirror and Decrypt feature on your Security Gateway or Cluster performs these actions: (1) Mirror only of all traffic - Clones all traffic (including HTTPS without decryption) that passes through, and sends it out of the designated physical interface. (2) Mirror and Decrypt of HTTPS traffic - Clones all HTTPS traffic that passes through, decrypts it, and sends it in clear-text out of the designated physical interface.
Multi-Domain Log Server
A computer that runs Check Point software to store and process logs in Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS.
Multi-Domain Security Management
A centralized management solution for large-scale, distributed environments with many different Domain networks.
Multi-Domain Server
A computer that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Acronym: MDS.
Multi-Queue
An acceleration feature on Security Gateway that lets you assign more than one packet queue and CPU core to an interface.
Multi-Version Cluster
The Multi-Version Cluster (MVC) mechanism lets you synchronize connections between cluster members that run different versions. This lets you upgrade to a newer version without a loss in connectivity and lets you test the new version on some of the cluster members before you decide to upgrade the rest of the cluster members.
MVC
See "Multi-Version Cluster".
N
NAC
Network Access Control. This is an approach to computer security that attempts to unify endpoint security technology (such as Anti-Virus, Intrusion Prevention, and Vulnerability Assessment), user or system authentication and network security enforcement. Check Point's Network Access Control solution is called Identity Awareness Software Blade.
Network Object
Logical representation of every part of corporate topology (physical machine, software component, IP Address range, service, and so on).
Network Objective
Defines how the cluster will configure and monitor an interface - Cluster, Sync, Cluster+Sync, Monitored Private, Non-Monitored Private. Configured in SmartConsole > cluster object > 'Topology' pane > 'Network Objective'.
Non-Blocking Mode
Cluster operation mode, in which Cluster Member keeps forwarding all traffic.
Non-Dedicated Management Interface
A shared physical interface on VSX Gateway or VSX Cluster Members, which carries user "production" traffic and through which Check Point Security Management Server or Multi-Domain Server connects to VSX Gateway or VSX Cluster Members. Non-DMI configuration requires the use of a Virtual Router or Virtual Switch. Acronym: Non-DMI.
Non-Monitored Interface
An interface on a Cluster Member, whose Network Type was set as Private in SmartConsole, in cluster object.
Non-Pivot
A Cluster Member in the Unicast Load Sharing cluster that receives all packets from the Pivot Cluster Member.
Non-Sticky Connection
A connection is called non-sticky, if the reply packet returns via a different Cluster Member, than the original packet (for example, if network administrator has configured asymmetric routing). In Load Sharing mode, all Cluster Members are Active, and in Static NAT and encrypted connections, the Source and Destination IP addresses change. Therefore, Static NAT and encrypted connections through a Load Sharing cluster may be non-sticky.
O
Observable
An event or a stateful property that can be observed in an operational cyber domain.
Open Server
A physical computer manufactured and distributed by a company, other than Check Point.
P
Packet Selection: Distinguishing between different kinds of packets coming from the network, and selecting which member should handle a specific packet (Decision Function mechanism): CCP packet from another member of this cluster; CCP packet from another cluster or from a Cluster Member with another version (usually older version of CCP); Packet is destined directly to this member; Packet is destined to another member of this cluster; Packet is intended to pass through this Cluster Member; ARP packets.
PDP: Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways.
PEP: Check Point Identity Awareness Security Gateway that acts as Policy Enforcement Point: receives identities via identity sharing; redirects users to Captive Portal.
Permission Profile: A predefined group of SmartConsole access permissions assigned to Domains and administrators. With this feature you can configure complex permissions for many administrators with one definition.
Pingable Host: Some host (that is, some IP address) that Cluster Members can ping during probing mechanism. Pinging hosts in an interface's subnet is one of the health checks that ClusterXL mechanism performs. This pingable host will allow the Cluster Members to determine with more precision what has failed (which interface on which member). On Sync network, usually, there are no hosts. In such case, if switch supports this, an IP address should be assigned on the switch (for example, in the relevant VLAN). The IP address of such pingable host should be assigned per this formula: IP_of_pingable_host = IP_of_physical_interface_on_member + ~10. Assigning the IP address to pingable host that is higher than the IP addresses of physical interfaces on the Cluster Members will give some time to Cluster Members to perform the default health checks. Example: IP address of physical interface on a given subnet on Member_A is 10.20.30.41; IP address of physical interface on a given subnet on Member_B is 10.20.30.42; IP address of pingable host should be at least 10.20.30.5
Pivot: A Cluster Member in the Unicast Load Sharing cluster that receives all packets. Cluster Virtual IP addresses are associated with Physical MAC Addresses of this Cluster Member. This Pivot Cluster Member distributes the traffic between other Non-Pivot Cluster Members.
Pnote: See "Critical Device".
Policy Layer: A layer (set of rules) in a Security Policy.
Policy Package: A collection of different types of Security Policies, such as Access Control, Threat Prevention, QoS, and Desktop Security. After installation, Security Gateways enforce all Policies in the Policy Package.
Preconfigured Mode: Cluster Mode, where cluster membership is enabled on all Cluster Members to be. However, no policy has yet been installed on any of the Cluster Members - none of them is actually configured to be primary, secondary, and so on. The cluster cannot function, if one Cluster Member fails. In this scenario, the "preconfigured mode" takes place. The preconfigured mode also comes into effect when no policy is yet installed, right after the Cluster Members came up after boot, or when running the 'cphaconf init' command.
Predefined Report: A default report included in a Check Point product that you can run right out of the box.
Prevent: UserCheck rule action that blocks traffic and files and can show a UserCheck message.
Primary Multi-Domain Server: The Multi-Domain Server in Management High Availability that you install as Primary.
Primary Up: ClusterXL in High Availability mode that was configured as 'Switch to higher priority Cluster Member' in the cluster object in SmartConsole: (1) Each Cluster Member is given a priority (SmartConsole > cluster object > 'Cluster Members' pane). Cluster Member with the highest priority appears at the top of the table, and Cluster Member with the lowest priority appears at the bottom of the table. (2) The Cluster Member with the highest priority will assume the Active state. (3) If the current Active Cluster Member with the highest priority (for example, Member_A), fails for some reason, or is rebooted, then failover occurs between Cluster Members. The Cluster Member with the next highest priority will be promoted to be Active (for example, Member_B). (4) When the Cluster Member with the highest priority (Member_A) recovers from a failure, or boots, then additional failover occurs between Cluster Members. The Cluster Member with the highest priority (Member_A) will be promoted to Active state (and Member_B will return to Standby state).
Private Interface: An interface on a Cluster Member, whose Network Type was set as 'Private' in SmartConsole in cluster object. This interface is not monitored by cluster, and failure on this interface will not cause any changes in Cluster Member's state.
Probing: If a Cluster Member fails to receive status for another member (does not receive CCP packets from that member) on a given segment, Cluster Member will probe that segment in an attempt to elicit a response. The purpose of such probes is to detect the nature of possible interface failures, and to determine which module has the problem. The outcome of this probe will determine what action is taken next (change the state of an interface, or of a Cluster Member).
Problem Notification: See "Critical Device".
PSL: Passive Streaming Library. Packets may arrive at Security Gateway out of order, or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases, a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with the Passive Streaming Library (PSL) technology. (1) The PSL is an infrastructure layer, which provides stream reassembly for TCP connections. (2) The Security Gateway makes sure that TCP data seen by the destination system is the same as seen by code above PSL. (3) The PSL handles packet reordering, congestion, and is responsible for various security aspects of the TCP layer, such as handling payload overlaps, some DoS attacks, and others. (4) The PSL is capable of receiving packets from the Firewall chain and from the SecureXL. (5) The PSL serves as a middleman between the various security applications and the network packets. It provides the applications with a coherent stream of data to work with, free of various network problems or attacks. (6) The PSL infrastructure is wrapped with well-defined APIs called the Unified Streaming APIs, which are used by the applications to register and access streamed data. For more details, see sk95193.
PSLXL: Technology name for combination of SecureXL and PSL (Passive Streaming Library) in R80.20 and higher versions. In R80.10 and lower versions, this technology was called PXL (PacketXL).
Publisher PDP: Check Point Identity Awareness Security Gateway that gets identities from an identity source/remote PDP and shares identities to a remote PDP. The Publisher PDP: (1) Initiates an HTTPS connection to the Subscriber PDP for each Identity to be shared (2) Verifies the CN and OU present in the subject field of the certificate presented (3) Verifies that the CA's certificate matches the certificate that was approved in advance by the administrator (4) Checks if the certificate presented is revoked (5) Shares identities including the information about user(s), machine(s) and Access Roles in the form of HTTP POST requests.
PXL: See "PSLXL".
Q
QoS: Check Point Software Blade that guarantees quality of service for traffic.
QoS Action Properties: Properties that define bandwidth allocation, limits, and guarantees for a security rule.
R
RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport.
RDED: Retransmit Detect Early Drop. The bottleneck that results from the connection of a LAN to the WAN causes TCP to retransmit packets. RDED prevents inefficiencies by detecting retransmits in TCP streams and preventing the transmission of redundant packets when multiple copies of a packet are concurrently queued on the same flow.
Ready: State of a Cluster Member after initialization and before promotion to the next required state - Active / Standby / VRRP Master / VRRP Backup (depending on Cluster Mode). A Cluster Member in this state does not process any traffic passing through cluster. A member can be stuck in this state due to several reasons - see sk42096.
Remote Access VPN: An encryption tunnel between a Security Gateway and Remote Access clients. Provides secure, seamless access to corporate networks remotely, over IPsec VPN.
Remote Access VPN Community: A group of computers, appliances, and devices that access, with authentication and encryption, the internal protected network from physically remote sites.
Report: A summary of network activity and Security Policy enforcement that is generated by Check Point products such as SmartEvent.
Rule: A set of traffic parameters and other conditions in a Rule Base that cause specified actions to be taken for a communication session.
Rule Base: Also Rulebase. All rules configured in a given Security Policy.
RX Queue: Receive packet queue. See "Multi-Queue".
S
Secondary Multi-Domain Server: The Multi-Domain Server in Management High Availability that you install as Secondary.
SecureXL: Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security Gateways for significant performance improvements.
Security Gateway: A computer that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
Security Management Server: A computer that runs Check Point software to manage the objects and policies in Check Point environment.
Security Policy: A collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.
Selection: The packet selection mechanism is one of the central and most important components in the ClusterXL product and State Synchronization infrastructure for 3rd party clustering solutions. Its main purpose is to decide (to select) correctly what has to be done to the incoming and outgoing traffic on the Cluster Member. (1) In ClusterXL, the packet is selected by Cluster Member(s) depending on the cluster mode: In HA modes - by Active member; In LS Unicast mode - by Pivot member; In LS Multicast mode - by all members. Then the Cluster Member applies the Decision Function (and the Cluster Correction Layer). (2) In 3rd party / OPSEC cluster, the 3rd party software selects the packet, and Check Point software just inspects it (and performs State Synchronization).
Service Account: In Microsoft® Active Directory, a user account created explicitly to provide a security context for services running on Microsoft® Windows® Server.
SIC: Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.
Single Sign-On: A property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system. This is typically accomplished using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on (directory) servers. Acronym: SSO.
Site to Site VPN: An encryption tunnel between two Security Gateways.
Slow Path: See "Firewall Path".
SmartConsole: A Check Point GUI application used to manage Security Policies, monitor products and events, install updates, provision new devices and appliances, and manage a multi-domain environment and each domain.
SmartDashboard: A legacy Check Point GUI client used to create and manage the security settings in R77.30 and lower versions.
SmartEvent Server: Server with enabled SmartEvent Software Blade that hosts the events database.
Software Blade: A software blade is a security solution based on specific business needs. Each blade is independent, modular and centrally managed. To extend security, additional blades can be quickly added.
SSO: See "Single Sign-On".
Standalone: A Check Point computer, on which both the Security Gateway and Security Management Server products are installed and configured.
Standby: State of a Cluster Member that is ready to be promoted to Active state (if the current Active Cluster Member fails). Applies only to ClusterXL High Availability Mode.
Standby Domain Server: All Domain Management Servers for a Domain that are not designated as the Active Domain Management Server.
State Synchronization: Technology that synchronizes the relevant information about the current connections (stored in various kernel tables on Check Point Security Gateways) among all Cluster Members over Synchronization Network. Due to State Synchronization, the current connections are not cut off during cluster failover.
Sticky Connection: A connection is called sticky, if all packets are handled by a single Cluster Member (in High Availability mode, all packets reach the Active Cluster Member, so all connections are sticky).
STIX: Structured Threat Information eXpression™. A language that describes cyber threat information in a standardized and structured way.
Subscriber PDP: Check Point Identity Awareness Security Gateway that gets identities from a remote PDP. The Subscriber PDP: (1) Presents the configured SSL certificate to the Publisher PDP (2) Receives the information from the Publisher PDP after verifying the pre-shared secret in the POST requests.
Subscribers: User Space processes that are made aware of the current state of the ClusterXL state machine and other clustering configuration parameters. List of such subscribers can be obtained by running the 'cphaconf debug_data' command (see sk31499).
Sync Interface: Also, Secured Interface, Trusted Interface. An interface on a Cluster Member, whose Network Type was set as Sync or Cluster+Sync in SmartConsole