
CLI R80.40 Reference Guide
04 July 2024
Check Point Copyright Notice
© 2020 - 2024 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No
part of this product or related documentation may be reproduced in any form or by any means
without prior written authorization of Check Point. While every precaution has been taken in
the preparation of this book, Check Point assumes no responsibility for errors or omissions.
This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party
licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-
date with the latest functional improvements, stability fixes, security
enhancements and protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.

Check Point R80.40
For more about this release, see the R80.40 home page.

Latest Version of this Document in English
Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

R80.40 CLI Reference Guide | 3


Revision History

Date               Description

26 October 2023    Updated:
                   - "ClusterXL Monitoring Commands" on page 1232 - removed the "cphaprob latency" command as not supported
                   - "fw ctl multik prioq" on page 1516
                   - "cpstart" on page 957 (for Security Gateway)
                   - "fw tab" on page 1152 - added "fw tab -t connections -z"

09 September 2023  Updated:
                   - "cp_conf ca" on page 63 - for Security Management Server
                   - "cpca_client get_crldp" on page 101 - for Security Management Server
                   - "fwm dbload" on page 309 - for Security Management Server
                   - "cp_conf ca" on page 413 - for Multi-Domain Server
                   - "cpca_client get_crldp" on page 451 - for Multi-Domain Server
                   - "fwm dbload" on page 655 - for Multi-Domain Server
                   - "fw ctl conn" on page 1021

14 February 2023   Updated:
                   - "cp_log_export" on page 74 - for Security Management Server
                   - "ips stats" on page 1841

17 October 2022    Updated:
                   - "cp_log_export" on page 74 - for Security Management Server
                   - "cp_log_export" on page 424 - for Multi-Domain Server

03 August 2022     Updated:
                   - "Running Check Point Commands in Shell Scripts" on page 1862

04 July 2022       Updated:
                   - "pdp idc" on page 1594

16 June 2022       In the HTML version, added glossary terms in the text
                   Added:
                   - "Monitoring Commands" on page 1844
                   - "cpca_client set_mgmt_tool" on page 116 - for Security Management Server
                   - "cpca_client set_mgmt_tool" on page 465 - for Multi-Domain Server
                   Updated:
                   - The syntax in all commands listed in the chapter "fwaccel dos" on page 1322
                   - Starting from R80.40 Jumbo Hotfix Accumulator Take 92:
                     - The term "allow-list" replaces the term "blacklist"
                     - The term "deny-list" replaces the term "whitelist"
                   - "fw ctl multik prioq" on page 1516
                   - "fw ctl set" on page 1040 - added the "-f" flag
                   - "fwaccel synatk allow / whitelist" on page 1403
                   - "fwaccel templates" on page 1421
                   - "fwboot ht" on page 1189 - for Security Gateway
                   - "fwboot ht" on page 1553 - for CoreXL
                   - "mds_backup" on page 711
                   - "migrate_server" on page 367 - for Security Management Server
                   - "migrate_server" on page 742 - for Multi-Domain Server
                   Removed:
                   - All "sim" and "sim6" commands as deprecated
                   - Information about the "vsx initmsg" command, as it is not supported in Gaia 3.10.

26 June 2021       Updated formatting

30 May 2021        Updated:
                   - "migrate" on page 363 - for Security Management Server
                   - "migrate" on page 738 - for Multi-Domain Server
                   - "migrate_server" on page 367 - for Security Management Server
                   - "migrate_server" on page 742 - for Multi-Domain Server
                   - "pdp idc" on page 1594
                   - "vsx_util change_private_net" on page 1760
                   - "ClusterXL Monitoring Commands" on page 1232
                   - "Viewing Cluster IP Addresses" on page 1273
                   Removed:
                   - LSMcli Gateway Conversion Actions (Known Limitation PMTR-49506)

21 December 2020   Updated:
                   - "fw up_execute" on page 1165

23 August 2020     Added:
                   - "vsx_util downgrade" on page 1763
                   Updated:
                   - "vsx_util" on page 1746
                   - "vsx_util convert_cluster" on page 1762
                   - "vsx_util upgrade" on page 1775

30 July 2020       Updated:
                   - "Configuring the Minimal Number of Required Subordinate Interfaces for Bond Load Sharing" on page 1225

29 July 2020       Updated:
                   - "dynamic_split" on page 1498 - added link to sk164155
                   - "LSMcli AddROBO <Appliance_Model>Cluster" on page 909

10 March 2020      Updated:
                   - "Registering a Critical Device" on page 1210

02 February 2020   Updated:
                   - "vsx" on page 1727
                   - "vsx mstat" on page 1735

29 January 2020    Updated:
                   - "dynamic_split" on page 1498

27 January 2020    First release of this document

Table of Contents
Introduction 36
Syntax Legend 37
Gaia Commands 39
Security Management Server Commands 40
Managing Security through API 41
API 41
API Tools 41
Configuring the API Server 42
contract_util 44
contract_util check 46
contract_util cpmacro 47
contract_util download 48
contract_util mgmt 50
contract_util print 51
contract_util summary 52
contract_util update 53
contract_util verify 54
cp_conf 55
cp_conf admin 58
cp_conf auto 61
cp_conf ca 63
cp_conf client 65
cp_conf finger 69
cp_conf lic 71
cp_log_export 74
cpca_client 95
cpca_client create_cert 97

cpca_client double_sign 99
cpca_client get_crldp 101
cpca_client get_pubkey 103
cpca_client init_certs 104
cpca_client lscert 105
cpca_client revoke_cert 108
cpca_client revoke_non_exist_cert 111
cpca_client search 112
cpca_client set_cert_validity 114
cpca_client set_mgmt_tool 116
cpca_client set_sign_hash 121
cpca_create 123
cpconfig 124
cpinfo 127
cplic 128
cplic check 131
cplic contract 133
cplic db_add 135
cplic db_print 137
cplic db_rm 139
cplic del 140
cplic del <object name> 141
cplic get 142
cplic print 144
cplic put 146
cplic put <object name> 148
cplic upgrade 151
cppkg 154
cppkg add 156
cppkg delete 157

cppkg get 159
cppkg getroot 160
cppkg print 161
cppkg setroot 162
cpprod_util 163
cprid 169
cprinstall 170
cprinstall boot 173
cprinstall cprestart 174
cprinstall cpstart 175
cprinstall cpstop 176
cprinstall delete 177
cprinstall get 178
cprinstall install 179
cprinstall revert 182
cprinstall show 183
cprinstall snapshot 184
cprinstall transfer 185
cprinstall uninstall 187
cprinstall verify 189
cpstart 191
cpstat 192
cpstop 201
cpview 202
Overview of CPView 202
CPView User Interface 202
Using CPView 203
cpwd_admin 204
cpwd_admin config 207
cpwd_admin del 211

cpwd_admin detach 212
cpwd_admin exist 213
cpwd_admin flist 214
cpwd_admin getpid 216
cpwd_admin kill 217
cpwd_admin list 218
cpwd_admin monitor_list 223
cpwd_admin start 224
cpwd_admin start_monitor 227
cpwd_admin stop 228
cpwd_admin stop_monitor 230
dbedit 231
fw 244
fw fetchlogs 246
fw hastat 248
fw kill 249
fw log 250
fw logswitch 260
fw lslogs 264
fw mergefiles 267
fw repairlog 270
fw sam 271
fw sam_policy 279
fw sam_policy add 282
fw sam_policy batch 295
fw sam_policy del 297
fw sam_policy get 300
fwm 306
fwm dbload 309
fwm exportcert 310

fwm fetchfile 311
fwm fingerprint 313
fwm getpcap 315
fwm ikecrypt 317
fwm load 318
fwm logexport 319
fwm mds 324
fwm printcert 326
fwm sic_reset 332
fwm snmp_trap 333
fwm unload 336
fwm ver 340
fwm verify 341
inet_alert 342
ldapcmd 345
ldapcompare 347
ldapmemberconvert 351
ldapmodify 357
ldapsearch 359
mgmt_cli 362
migrate 363
migrate_server 367
queryDB_util 373
rs_db_tool 374
sam_alert 376
stattest 380
threshold_config 383
Multi-Domain Security Management Commands 389
Managing Security through API 390
API 390

API Tools 390
Configuring the API Server 391
cma_migrate 393
contract_util 394
contract_util check 396
contract_util cpmacro 397
contract_util download 398
contract_util mgmt 400
contract_util print 401
contract_util summary 402
contract_util update 403
contract_util verify 404
cp_conf 405
cp_conf admin 408
cp_conf auto 411
cp_conf ca 413
cp_conf client 415
cp_conf finger 419
cp_conf lic 421
cp_log_export 424
cpca_client 445
cpca_client create_cert 447
cpca_client double_sign 449
cpca_client get_crldp 451
cpca_client get_pubkey 453
cpca_client init_certs 454
cpca_client lscert 455
cpca_client revoke_cert 458
cpca_client revoke_non_exist_cert 461
cpca_client search 462

cpca_client set_mgmt_tool 465
cpca_client set_sign_hash 470
cpca_create 472
cpinfo 473
cplic 474
cplic check 477
cplic contract 479
cplic db_add 481
cplic db_print 483
cplic db_rm 485
cplic del 486
cplic del <object name> 487
cplic get 488
cplic print 490
cplic put 492
cplic put <object name> 494
cplic upgrade 497
cpmiquerybin 500
cppkg 502
cppkg add 504
cppkg delete 505
cppkg get 507
cppkg getroot 508
cppkg print 509
cppkg setroot 510
cpprod_util 511
cprid 517
cprinstall 518
cprinstall boot 521
cprinstall cprestart 522

cprinstall cpstart 523
cprinstall cpstop 524
cprinstall delete 525
cprinstall get 526
cprinstall install 527
cprinstall revert 530
cprinstall show 531
cprinstall snapshot 532
cprinstall transfer 533
cprinstall uninstall 535
cprinstall verify 537
cpstat 539
cpview 548
Overview of CPView 548
CPView User Interface 548
Using CPView 549
cpwd_admin 550
cpwd_admin config 553
cpwd_admin del 557
cpwd_admin detach 558
cpwd_admin exist 559
cpwd_admin flist 560
cpwd_admin getpid 562
cpwd_admin kill 563
cpwd_admin list 564
cpwd_admin monitor_list 569
cpwd_admin start 570
cpwd_admin start_monitor 573
cpwd_admin stop 574
cpwd_admin stop_monitor 576

dbedit 577
fw 590
fw fetchlogs 592
fw hastat 594
fw kill 595
fw log 596
fw logswitch 606
fw lslogs 610
fw mergefiles 613
fw repairlog 616
fw sam 617
fw sam_policy 625
fw sam_policy add 628
fw sam_policy batch 641
fw sam_policy del 643
fw sam_policy get 646
fwm 652
fwm dbload 655
fwm exportcert 656
fwm fetchfile 657
fwm fingerprint 659
fwm getpcap 661
fwm ikecrypt 663
fwm load 664
fwm logexport 665
fwm mds 670
fwm printcert 672
fwm sic_reset 678
fwm snmp_trap 679
fwm unload 682

fwm ver 686
fwm verify 687
inet_alert 688
ldapcmd 691
ldapcompare 693
ldapmemberconvert 697
ldapmodify 703
ldapsearch 705
mcd 708
mds_backup 711
mds_restore 714
mdscmd 715
mdsconfig 717
mdsenv 721
mdsquerydb 723
mdsstart 725
mdsstart_customer 729
mdsstat 730
mdsstop 732
mdsstop_customer 736
mgmt_cli 737
migrate 738
migrate_server 742
migrate_global_policies 748
queryDB_util 749
rs_db_tool 750
sam_alert 752
stattest 756
threshold_config 759
$MDSVERUTIL 765

$MDSVERUTIL AllCMAs 776
$MDSVERUTIL AllVersions 777
$MDSVERUTIL CMAAddonDir 780
$MDSVERUTIL CMACompDir 781
$MDSVERUTIL CMAFgDir 782
$MDSVERUTIL CMAFw40Dir 783
$MDSVERUTIL CMAFw41Dir 784
$MDSVERUTIL CMAFwConfDir 785
$MDSVERUTIL CMAFwDir 786
$MDSVERUTIL CMAIp 787
$MDSVERUTIL CMAIp6 788
$MDSVERUTIL CMALogExporterDir 789
$MDSVERUTIL CMALogIndexerDir 790
$MDSVERUTIL CMANameByFwDir 791
$MDSVERUTIL CMANameByIp 792
$MDSVERUTIL CMARegistryDir 793
$MDSVERUTIL CMAReporterDir 794
$MDSVERUTIL CMASmartLogDir 795
$MDSVERUTIL CMASvnConfDir 796
$MDSVERUTIL CMASvnDir 797
$MDSVERUTIL ConfDirVersion 798
$MDSVERUTIL CpdbUpParam 799
$MDSVERUTIL CPprofileDir 800
$MDSVERUTIL CPVer 801
$MDSVERUTIL CustomersBaseDir 802
$MDSVERUTIL DiskSpaceFactor 803
$MDSVERUTIL InstallationLogDir 804
$MDSVERUTIL IsIPv6Enabled 805
$MDSVERUTIL IsLegalVersion 806
$MDSVERUTIL IsOsSupportsIPv6 807

$MDSVERUTIL LatestVersion 808
$MDSVERUTIL MDSAddonDir 809
$MDSVERUTIL MDSCompDir 810
$MDSVERUTIL MDSDir 811
$MDSVERUTIL MDSFgDir 812
$MDSVERUTIL MDSFwbcDir 813
$MDSVERUTIL MDSFwDir 814
$MDSVERUTIL MDSIp 815
$MDSVERUTIL MDSIp6 816
$MDSVERUTIL MDSLogExporterDir 817
$MDSVERUTIL MDSLogIndexerDir 818
$MDSVERUTIL MDSPkgName 819
$MDSVERUTIL MDSRegistryDir 820
$MDSVERUTIL MDSReporterDir 821
$MDSVERUTIL MDSSmartLogDir 822
$MDSVERUTIL MDSSvnDir 823
$MDSVERUTIL MDSVarCompDir 824
$MDSVERUTIL MDSVarDir 825
$MDSVERUTIL MDSVarFwbcDir 826
$MDSVERUTIL MDSVarFwDir 827
$MDSVERUTIL MDSVarSvnDir 828
$MDSVERUTIL MSP 829
$MDSVERUTIL OfficialName 830
$MDSVERUTIL OptionPack 831
$MDSVERUTIL ProductName 832
$MDSVERUTIL RegistryCurrentVer 833
$MDSVERUTIL ShortOfficialName 834
$MDSVERUTIL SmartCenterPuvUpgradeParam 835
$MDSVERUTIL SP 836
$MDSVERUTIL SVNPkgName 837

$MDSVERUTIL SvrDirectory 838
$MDSVERUTIL SvrParam 839
Creating a Domain Management Server with the 'mgmt_cli' Command 840
SmartProvisioning Commands 841
Managing Security through API 842
API 842
API Tools 842
Configuring the API Server 843
Check Point LSMcli Overview 845
SmartLSM Security Gateway Management Actions 847
LSMcli AddROBO VPN1 848
LSMcli ModifyROBO VPN1 850
LSMcli ModifyROBOManualVPNDomain 852
LSMcli ModifyROBOTopology VPN1 854
LSMcli ModifyROBOInterface VPN1 855
LSMcli AddROBOInterface VPN1 856
LSMcli DeleteROBOInterface VPN1 857
LSMcli ExportIke 858
LSMcli ResetIke 859
LSMcli Remove 860
LSMcli ResetSic 861
LSMcli Show 863
LSMcli ShowROBOTopology 865
LSMcli UpdateCO 866
SmartUpdate Actions 867
LSMcli Install 868
LSMcli Uninstall 870
LSMcli Distribute 871
LSMcli VerifyInstall 872
LSMcli VerifyUpgrade 873

LSMcli Upgrade 874
LSMcli GetInfo 875
LSMcli ShowInfo 876
LSMcli ShowRepository 877
LSMcli Stop 878
LSMcli Start 879
LSMcli Restart 880
LSMcli Reboot 881
LSMcli Push Actions 882
LSMcli PushPolicy 883
LSMcli PushDOs 884
LSMcli GetStatus 885
Managing SmartLSM Clusters with LSMcli 886
LSMcli AddROBO VPN1Cluster 887
LSMcli ModifyROBO VPN1Cluster 889
LSMcli ModifyROBOTopology VPN1Cluster 890
LSMcli ModifyROBONetaccess VPN1Cluster 891
LSMcli AddClusterSubnetOverride VPN1Cluster 893
LSMcli ModifyClusterSubnetOverride VPN1Cluster 895
LSMcli DeleteClusterSubnetOverride VPN1Cluster 897
LSMcli AddPrivateSubnetOverride VPN1ClusterMember 899
LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember 901
LSMcli DeletePrivateSubnetOverride VPN1ClusterMember 903
LSMcli RemoveCluster 905
Using LSMcli Commands for Small Office Appliances 906
LSMcli AddROBO <Appliance_Model> 907
LSMcli AddROBO <Appliance_Model>Cluster 909
Other LSMcli Commands for Small Office Appliances 911
Security Gateway Commands 912
comp_init_policy 913

control_bootsec 917
cp_conf 921
cp_conf auto 924
cp_conf corexl 926
cp_conf fullha 928
cp_conf ha 929
cp_conf intfs 930
cp_conf lic 931
cp_conf sic 934
cpconfig 936
cpinfo 939
cplic 940
cplic check 942
cplic contract 944
cplic del 946
cplic print 947
cplic put 949
cpprod_util 951
cpstart 957
cpstat 958
cpstop 967
cpview 968
Overview of CPView 968
CPView User Interface 968
Using CPView 969
dynamic_objects 970
cpwd_admin 974
cpwd_admin config 977
cpwd_admin del 984
cpwd_admin detach 985

cpwd_admin exist 986
cpwd_admin flist 987
cpwd_admin getpid 989
cpwd_admin kill 990
cpwd_admin list 991
cpwd_admin monitor_list 996
cpwd_admin start 997
cpwd_admin start_monitor 1000
cpwd_admin stop 1001
cpwd_admin stop_monitor 1003
fw 1004
fw -i 1008
fw amw 1009
fw ctl 1012
fw ctl arp 1015
fw ctl bench 1016
fw ctl block 1018
fw ctl chain 1019
fw ctl conn 1021
fw ctl conntab 1023
fw ctl cpasstat 1027
'fw ctl debug' and 'fw ctl kdebug' 1028
fw ctl dlpkstat 1029
fw ctl get 1030
fw ctl iflist 1032
fw ctl install 1033
fw ctl leak 1034
fw ctl pstat 1037
fw ctl set 1040
fw ctl tcpstrstat 1043

fw ctl uninstall 1045
fw defaultgen 1046
fw fetch 1048
fw fetchlogs 1051
fw getifs 1053
fw hastat 1054
fw isp_link 1055
fw kill 1056
fw lichosts 1057
fw log 1058
fw logswitch 1068
fw lslogs 1072
fw mergefiles 1075
fw monitor 1078
fw repairlog 1112
fw sam 1113
fw sam_policy 1121
fw sam_policy add 1124
fw sam_policy batch 1137
fw sam_policy del 1139
fw sam_policy get 1142
fw showuptables 1148
fw stat 1149
fw tab 1152
fw unloadlocal 1161
fw up_execute 1165
fw ver 1168
fwboot 1170
fwboot bootconf 1172
fwboot corexl 1176

fwboot cpuid 1183
fwboot default 1185
fwboot fwboot_ipv6 1186
fwboot fwdefault 1187
fwboot ha_conf 1188
fwboot ht 1189
fwboot multik_reg 1190
fwboot post_drv 1192
sam_alert 1193
stattest 1197
usrchk 1200
ClusterXL Commands 1204
ClusterXL Configuration Commands 1205
Configuring the Cluster Member ID Mode in Local Logs 1209
Registering a Critical Device 1210
Unregistering a Critical Device 1214
Reporting the State of a Critical Device 1215
Registering Critical Devices Listed in a File 1217
Unregistering All Critical Devices 1219
Configuring the Cluster Control Protocol (CCP) Settings 1220
Initiating Manual Cluster Failover 1221
Configuring the Minimal Number of Required Subordinate Interfaces for Bond Load Sharing 1225
Configuring Link Monitoring on the Cluster Interfaces 1228
Configuring the Multi-Version Cluster Mechanism 1231
ClusterXL Monitoring Commands 1232
Viewing Cluster State 1237
Viewing Critical Devices 1243
Viewing Cluster Interfaces 1251
Viewing Bond Interfaces 1256

Viewing Cluster Failover Statistics 1261
Viewing Software Versions on Cluster Members 1263
Viewing Delta Synchronization 1264
Viewing IGMP Status 1271
Viewing Cluster Delta Sync Statistics for Connections Table 1272
Viewing Cluster IP Addresses 1273
Viewing the Cluster Member ID Mode in Local Logs 1275
Viewing Interfaces Monitored by RouteD 1276
Viewing Roles of RouteD Daemon on Cluster Members 1277
Viewing Cluster Correction Statistics 1278
Viewing the Cluster Control Protocol (CCP) Settings 1280
Viewing the State of the Multi-Version Cluster Mechanism 1281
Viewing Full Connectivity Upgrade Statistics 1282
cpconfig 1283
cphastart 1286
cphastop 1287
cp_conf fullha 1288
cp_conf ha 1289
fw hastat 1291
fwboot ha_conf 1293
The clusterXL_admin Script 1294
The clusterXL_monitor_ips Script 1298
The clusterXL_monitor_process Script 1302
SecureXL Commands 1306
'fwaccel' and 'fwaccel6' 1307
fwaccel cfg 1310
fwaccel conns 1313
fwaccel dbg 1316
fwaccel dos 1322
fwaccel dos allow / whitelist 1325

fwaccel dos config 1330
fwaccel dos deny / blacklist 1336
fwaccel dos pbox 1341
fwaccel dos rate 1346
fwaccel dos stats 1348
fwaccel feature 1350
fwaccel off 1353
fwaccel on 1357
fwaccel ranges 1361
fwaccel stat 1368
fwaccel stats 1374
Description of the Statistics Counters in the "fwaccel stats" Output 1376
Example Outputs on the "fwaccel stats" Commands 1385
fwaccel synatk 1393
fwaccel synatk -a 1395
fwaccel synatk -c <Configuration File> 1396
fwaccel synatk -d 1397
fwaccel synatk -e 1398
fwaccel synatk -g 1399
fwaccel synatk -m 1400
fwaccel synatk -t <Threshold> 1401
fwaccel synatk allow / whitelist 1403
fwaccel synatk config 1408
fwaccel synatk monitor 1411
fwaccel synatk state 1416
fwaccel tab 1418
fwaccel templates 1421
fwaccel ver 1425
fw sam_policy 1426
fw sam_policy add 1429

fw sam_policy batch 1442
fw sam_policy del 1444
fw sam_policy get 1447
The /proc/ppk/ and /proc/ppk6/ entries 1453
/proc/ppk/affinity 1455
/proc/ppk/conf 1456
/proc/ppk/conns 1457
/proc/ppk/cpls 1458
/proc/ppk/cqstats 1459
/proc/ppk/drop_statistics 1460
/proc/ppk/ifs 1461
/proc/ppk/mcast_statistics 1466
/proc/ppk/nac 1467
/proc/ppk/notify_statistics 1468
/proc/ppk/profile_cpu_stat 1470
/proc/ppk/rlc 1471
/proc/ppk/statistics 1472
/proc/ppk/stats 1474
/proc/ppk/viol_statistics 1475
SecureXL Debug 1476
fwaccel dbg 1477
SecureXL Debug Procedure 1483
SecureXL Debug Modules and Debug Flags 1487
CoreXL Commands 1495
cp_conf corexl 1496
dynamic_split 1498
fw ctl multik 1500
fw ctl multik add_bypass_port 1502
fw ctl multik del_bypass_port 1504
fw ctl multik dynamic_dispatching 1506

fw ctl multik gconn 1507
fw ctl multik get_instance 1512
fw ctl multik print_heavy_conn 1514
fw ctl multik prioq 1516
fw ctl multik show_bypass_ports 1517
fw ctl multik stat 1518
fw ctl multik start 1520
fw ctl multik stop 1521
fw ctl multik utilize 1522
fw ctl affinity 1523
Running the 'fw ctl affinity -l' command in Gateway Mode 1524
Running the 'fw ctl affinity -l' command in VSX Mode 1529
Running the 'fw ctl affinity -s' command in Gateway Mode 1532
Running the 'fw ctl affinity -s' command in VSX Mode 1535
fw -i 1539
fwboot bootconf 1540
fwboot corexl 1544
fwboot cpuid 1551
fwboot ht 1553
fwboot multik_reg 1554
fwboot post_drv 1556
Multi-Queue Commands 1557
mq_mng 1558
Multi-Queue Configuration in the Expert mode 1558
Multi-Queue Configuration in Gaia Clish 1563
Identity Awareness Commands 1566
adlog 1567
adlog control 1569
adlog dc 1571
adlog debug 1572

adlog query 1573
adlog statistics 1574
pdp 1575
pdp ad 1577
General Syntax 1577
The 'pdp ad associate' command 1577
The 'pdp ad disassociate' command 1578
pdp auth 1579
pdp broker 1583
pdp conciliation 1587
pdp connections 1589
pdp control 1590
pdp debug 1591
pdp idc 1594
pdp idp 1598
pdp ifmap 1599
pdp monitor 1601
pdp muh 1603
pdp nested_groups 1604
pdp network 1607
pdp radius 1608
pdp roles 1611
General Syntax 1611
The 'pdp roles extract' command 1611
The 'pdp roles fetch' command 1611
pdp status 1614
pdp tasks_manager 1615
pdp timers 1616
pdp topology_map 1617
pdp tracker 1618

pdp update 1619
pdp vpn 1620
pep 1621
pep control 1622
pep debug 1623
pep show 1625
pep tracker 1628
test_ad_connectivity 1629
VPN Commands 1633
vpn 1634
vpn check_ttm 1637
vpn compreset 1638
vpn compstat 1639
vpn crl_zap 1640
vpn crlview 1641
vpn debug 1643
vpn dll 1646
vpn drv 1647
vpn dump_psk 1648
vpn ipafile_check 1649
vpn ipafile_users_capacity 1650
vpn macutil 1651
vpn mep_refresh 1652
vpn neo_proto 1653
vpn nssm_toplogy 1654
vpn overlap_encdom 1655
vpn rim_cleanup 1657
vpn rll 1658
vpn set_slim_server 1659
vpn set_snx_encdom_groups 1660

vpn set_trac 1661
vpn shell 1662
vpn show_tcpt 1669
vpn sw_topology 1670
vpn tu 1671
vpn tu del 1673
vpn tu list 1676
vpn tu mstats 1678
vpn tu tlist 1679
vpn ver 1681
mcc 1682
mcc add 1684
mcc add2main 1685
mcc del 1686
mcc lca 1687
mcc main2add 1688
mcc show 1689
Mobile Access Commands 1691
admin_wizard 1692
cvpnd_admin 1696
cvpnd_settings 1699
cvpn_ver 1701
cvpnrestart 1702
cvpnstart 1703
cvpnstop 1704
deleteUserSettings 1705
fwpush 1706
ics_updates_script 1710
listusers 1712
rehash_ca_bundle 1713

UserSettingsUtil 1714
Data Loss Prevention Commands 1716
dlpcmd 1717
VSX Commands 1720
cpconfig 1721
cpview 1724
Overview of CPView 1724
CPView User Interface 1724
Using CPView 1725
vsenv 1726
vsx 1727
vsx fetch 1730
vsx fetch_all_cluster_policies 1732
vsx fetchvs 1733
vsx get 1734
vsx mstat 1735
vsx showncs 1739
vsx sicreset 1740
vsx stat 1741
vsx unloadall 1744
vsx vspurge 1745
vsx_util 1746
vsx_util add_member 1751
vsx_util change_interfaces 1753
vsx_util change_mgmt_ip 1757
vsx_util change_mgmt_subnet 1758
vsx_util change_private_net 1760
vsx_util convert_cluster 1762
vsx_util downgrade 1763
vsx_util reconfigure 1764

vsx_util remove_member 1770
vsx_util show_interfaces 1771
vsx_util upgrade 1775
vsx_util view_vs_conf 1776
vsx_util vsls 1780
vsx_provisioning_tool 1782
Transactions 1785
vsx_provisioning_tool Commands 1786
Explicit Transaction Commands 1787
Adding a VSX Gateway 1788
Adding a VSX Cluster 1791
Adding a Virtual Device 1794
Deleting a Virtual Device 1797
Modifying Settings of a Virtual Device 1798
Adding an Interface to a Virtual Device 1801
Removing an Interface from a Virtual Device 1805
Modifying Settings of an Interface 1807
Adding a Route 1811
Removing a Route 1813
Showing Virtual Device Data 1815
Script Examples 1816
Example 1 1816
Example 2 1817
Example 3 1818
QoS Commands 1819
etmstart 1820
etmstop 1821
fgate 1822
IPS Commands 1830
ips 1831

ips bypass 1833
ips debug 1835
ips off 1836
ips on 1837
ips pmstats 1838
ips refreshcap 1839
ips stat 1840
ips stats 1841
Monitoring Commands 1844
rtm 1845
rtm debug 1846
rtm drv 1847
rtm monitor 1848
rtm rtmd 1854
rtm stat 1855
rtm ver 1858
rtmstart 1859
rtmstop 1860
Working with Kernel Parameters on Security Gateway 1861
Running Check Point Commands in Shell Scripts 1862
On a Security Management Server / Log Server / SmartEvent Server 1862
On a Multi-Domain Server / Multi-Domain Log Server 1863
On a Security Gateway / Cluster Members (non-VSX) 1863
On a VSX Gateway / VSX Cluster Members 1864
Glossary 1865

Introduction
The CLI Reference Guide provides CLI commands to configure and monitor Check Point
Software Blades.

Syntax Legend
Whenever possible, this guide lists commands, parameters and options in alphabetical order.
This guide uses these conventions in the Command Line Interface (CLI) syntax:

Character Description

TAB
    Shows the available nested subcommands:
        main command
        → nested subcommand 1
        → → nested subsubcommand 1-1
        → → nested subsubcommand 1-2
        → nested subcommand 2
    Example:
        cpwd_admin
            config
                -a <options>
                -d <options>
                -p
                -r
            del <options>
    Meaning, you can run only one of these commands:
    - This command: cpwd_admin config -a <options>
    - Or this command: cpwd_admin config -d <options>
    - Or this command: cpwd_admin config -p
    - Or this command: cpwd_admin config -r
    - Or this command: cpwd_admin del <options>

Curly brackets or braces {}
    Enclose a list of available commands or parameters, separated by the vertical bar |.
    User can enter only one of the available commands or parameters.

Angle brackets <>
    Enclose a variable.
    User must explicitly specify a supported value.

Square brackets or brackets []
    Enclose an optional command or parameter, which user can also enter.
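As an added illustration of the legend above (example code written for this page, not part of the Check Point guide), the following Python expands a syntax block written in these conventions into every concrete command line it denotes, and checks a concrete command line against the documented forms. Its two inputs are the guide's own cpwd_admin example and the contract_util check syntax; indentation with spaces stands in for the TAB nesting.

```python
"""Expand the CLI syntax notation used in this guide into concrete command lines.

Conventions handled (from the Syntax Legend):
  * nesting by indentation (the guide's TAB convention): a deeper line is a
    subcommand of the nearest shallower line above it, and every root-to-leaf
    path is one runnable command
  * {a | b}   exactly one of the alternatives
  * [x]       an optional parameter, present or absent
  * <name>    a variable the user must supply; kept as a placeholder token
"""
import re

# One token is a {...} group, a [...] group, a <...> variable, or a bare word.
TOKEN_RE = re.compile(r"\{[^{}]*\}|\[[^\[\]]*\]|<[^<>]*>|\S+")

# Both syntax blocks are copied from this guide (the "cpwd_admin" example in
# the Syntax Legend and the "contract_util check" syntax).
CPWD_ADMIN_SYNTAX = """
cpwd_admin
    config
        -a <options>
        -d <options>
        -p
        -r
    del <options>
"""

CONTRACT_UTIL_CHECK_SYNTAX = """
contract_util check
    {-h | -help}
    hfa
    maj_upgrade
    min_upgrade
    upgrade
"""


def parse_tree(text):
    """Parse an indented syntax block into a forest of (line, children) nodes."""
    roots = []
    stack = []  # (indent, children list) for each still-open ancestor
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        # Close every ancestor that sits at the same depth or deeper.
        while stack and stack[-1][0] >= depth:
            stack.pop()
        (stack[-1][1] if stack else roots).append(node)
        stack.append((depth, node[1]))
    return roots


def expand_line(line):
    """Expand {a | b} groups and [opt] groups on one line into all variants."""
    variants = [""]
    for tok in TOKEN_RE.findall(line):
        if tok.startswith("{"):
            # Each alternative is expanded in turn, so "-a <options>" or a
            # nested [opt] inside the braces is handled as well.
            choices = [v for alt in tok[1:-1].split("|")
                       for v in expand_line(alt.strip())]
        elif tok.startswith("["):
            choices = [""] + expand_line(tok[1:-1].strip())
        else:
            choices = [tok]
        variants = [f"{v} {c}".strip() for v in variants for c in choices]
    return variants


def expand_commands(text):
    """Return every complete command line denoted by an indented syntax block."""
    commands = []

    def walk(prefix, nodes):
        for line, children in nodes:
            for variant in expand_line(line):
                full = f"{prefix} {variant}".strip()
                if children:
                    walk(full, children)
                else:
                    commands.append(full)

    walk("", parse_tree(text))
    return commands


def matches(command, syntax_text):
    """True if a concrete command line fits one of the documented forms.

    A <placeholder> in the syntax accepts any single token of the command;
    this is the check a wrapper script can run before invoking the tool.
    """
    words = command.split()
    for form in expand_commands(syntax_text):
        pattern = form.split()
        if len(pattern) == len(words) and all(
            p.startswith("<") or p == w for p, w in zip(pattern, words)
        ):
            return True
    return False


if __name__ == "__main__":
    for cmd in expand_commands(CPWD_ADMIN_SYNTAX):
        print(cmd)
```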

Gaia Commands
See:
- R80.40 Gaia Administration Guide
- R80.40 Gaia Advanced Routing Administration Guide

Security Management Server Commands
For more information about Security Management Server, see the R80.40 Security Management Administration Guide.

Managing Security through API
This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the
API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions
with third party systems, such as virtualization servers, ticketing systems, and change
management systems.
To learn more about the management APIs, to see code samples, and to take advantage of
user forums, see:
- The API Documentation:
  - Online - Check Point Management API Reference
  - Local - https://<Server IP Address>/api_docs
    By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.
- The Developers Network section of Check Point CheckMates Community.

API Tools
You can use these tools to work with the API Server on the Management Server:
- Standalone management tool, included with Gaia operating system:
  mgmt_cli
- Standalone management tool, included with SmartConsole:
  mgmt_cli.exe
  You can copy this tool from the SmartConsole installation folder to other computers that run Windows operating system.
- Web Services APIs that allow communication and data exchange between the clients and the Management Server over the HTTP protocol.
  These APIs also let other Check Point processes communicate with the Management Server over the HTTPS protocol.
  https://<IP Address of Management Server>/web_api/<command>

Configuring the API Server

To configure the API Server:

1. Connect with SmartConsole to the Security Management Server or applicable Domain Management Server.
2. From the left navigation panel, click Manage & Settings.
3. In the upper left section, click Blades.
4. In the Management API section, click Advanced Settings.
   The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings.

   Configuring Startup Settings

   Select Automatic start to automatically start the API server when you start or reboot the Management Server.

   Notes:
   - If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during Management Server installation.
   - If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.

   Configuring Access Settings

   Select one of these options to configure which clients can connect to the API Server:
   - Management server only - Only the Management Server itself can connect to the API Server. This option only lets you use the mgmt_cli utility on the Management Server to send API requests. You cannot use SmartConsole or Web services to send API requests.
   - All IP addresses that can be used for GUI clients - You can send API requests from all IP addresses that are defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.
   - All IP addresses - You can send API requests from all IP addresses. This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.

6. Publish the SmartConsole session.
7. Restart the API Server on the Management Server with this command:
   api restart
   Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server.

R80.40 CLI Reference Guide | 43


contract_util

Description
Works with the Check Point Service Contracts.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util [-d]
      check <options>
      cpmacro <options>
      download <options>
      mgmt
      print <options>
      summary <options>
      update <options>
      verify

Parameters

check <options>
    Checks whether the Security Gateway is eligible for an upgrade.
    See "contract_util check" on page 46.

cpmacro <options>
    Overwrites the current cp.macro file with the specified cp.macro file.
    See "contract_util cpmacro" on page 47.

download <options>
    Downloads all associated Check Point Service Contracts from the User Center, or from a local file.
    See "contract_util download" on page 48.

mgmt
    Delivers the Service Contract information from the Management Server to the managed Security Gateways.
    See "contract_util mgmt" on page 50.

print <options>
    Shows all the installed licenses and whether the Service Contract covers these licenses, which entitles them for upgrade or not.
    See "contract_util print" on page 51.

summary <options>
    Shows post-installation summary.
    See "contract_util summary" on page 52.

update <options>
    Updates Check Point Service Contracts from your User Center account.
    See "contract_util update" on page 53.

verify
    Checks whether the Security Gateway is eligible for an upgrade.
    This command also interprets the return values and shows a meaningful message.
    See "contract_util verify" on page 54.


contract_util check

Description
Checks whether the Security Gateway is eligible for an upgrade.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util check
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

{-h | -help}
    Shows the applicable built-in usage.

hfa
    Checks whether the Security Gateway is eligible for an upgrade to a higher Hotfix Accumulator.

maj_upgrade
    Checks whether the Security Gateway is eligible for an upgrade to a higher Major version.

min_upgrade
    Checks whether the Security Gateway is eligible for an upgrade to a higher Minor version.

upgrade
    Checks whether the Security Gateway is eligible for an upgrade.


contract_util cpmacro

Description
Overwrites the current cp.macro file with the specified cp.macro file, if the specified file is newer than the current file.
For more information about the cp.macro file, see sk96217: What is a cp.macro file?

Syntax

contract_util cpmacro /<path_to>/cp.macro

This command shows one of these messages:

CntrctUtils_Write_cp_macro returned -1
    The contract_util cpmacro command failed:
    • Failed to create a temporary file.
    • Failed to write to a temporary file.
    • Failed to replace the current file.

CntrctUtils_Write_cp_macro returned 0
    The contract_util cpmacro command was able to overwrite the current file with the specified file, because the specified file is newer.

CntrctUtils_Write_cp_macro returned 1
    The contract_util cpmacro command did not overwrite the current file, because it is newer than the specified file.


contract_util download

Description
Downloads all associated Check Point Service Contracts from User Center, or from a local file.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util download
      {-h | -help}
      local
            {-h | -help}
            [{hfa | maj_upgrade | min_upgrade | upgrade}] <Service Contract File>
      uc
            {-h | -help}
            [-i] [{hfa | maj_upgrade | min_upgrade | upgrade}] <Username> <Password> [<Proxy Server> [<Proxy Username>:<Proxy Password>]]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-i
    Interactive mode - prompts the user for the User Center credentials and proxy server settings.

local
    Specifies to download the Service Contract from the local file.
    This is equivalent to the "cplic contract put" command (see "cplic contract" on page 133).

uc
    Specifies to download the Service Contract from the User Center.

hfa
    Downloads the information about a Hotfix Accumulator.

maj_upgrade
    Downloads the information about a Major version.

min_upgrade
    Downloads the information about a Minor version.

upgrade
    Downloads the information about an upgrade.

<Username>
    Your User Center account e-mail address.

<Password>
    Your User Center account password.

<Proxy Server> [<Proxy Username>:<Proxy Password>]
    Specifies that the connection to the User Center goes through the proxy server.
    • <Proxy Server> - IP address or resolvable hostname of the proxy server.
    • <Proxy Username> - Username for the proxy server.
    • <Proxy Password> - Password for the proxy server.
    Note - If you do not specify the proxy server explicitly, the command uses the proxy server configured in the management database.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your User Center account.


contract_util mgmt

Description
Delivers the Service Contract information from the Management Server to the managed Security Gateways.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util mgmt


contract_util print

Description
Shows all the installed licenses and whether the Service Contract covers these licenses, which entitles them for upgrade or not.
This command can show which licenses are not recognized by the Service Contract file.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util [-d] print
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Shows a formatted table header and more information.

hfa
    Shows the information about Hotfix Accumulator.

maj_upgrade
    Shows the information about Major version.

min_upgrade
    Shows the information about Minor version.

upgrade
    Shows the information about an upgrade.


contract_util summary

Description
Shows post-installation summary and whether this Check Point computer is eligible for upgrades.

Syntax

contract_util summary
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

hfa
    Shows the information about Hotfix Accumulator.

maj_upgrade
    Shows the information about Major version.

min_upgrade
    Shows the information about Minor version.

upgrade
    Shows the information about an upgrade.


contract_util update

Description
Updates the Check Point Service Contracts from your User Center account.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util update
      [-proxy <Proxy Server>:<Proxy Port>]
      [-ca_path <Path to ca-bundle.crt File>]

Parameters

update
    Updates Check Point Service Contracts (attached to pre-installed licenses) from your User Center account.

-proxy <Proxy Server>:<Proxy Port>
    Specifies that the connection to the User Center goes through the proxy server:
    • <Proxy Server> - IP address or resolvable hostname of the proxy server.
    • <Proxy Port> - The applicable port on the proxy server.
    Note - If you do not specify the proxy explicitly, the command uses the proxy configured in the management database.

-ca_path <Path to ca-bundle.crt File>
    Specifies the path to the Certificate Authority Bundle file (ca-bundle.crt).
    Note - If you do not specify the path explicitly, the command uses the default path.


contract_util verify

Description
Checks whether the Security Gateway is eligible for an upgrade.
This command is the same as the "contract_util check" on page 46 command, but it also interprets the return values and shows a meaningful message.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util verify


cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
      -h
      admin <options>
      auto <options>
      ca <options>
      client <options>
      finger <options>
      lic <options>
      snmp <options>

Syntax on a Security Gateway

cp_conf
      -h
      adv_routing <options>
      auto <options>
      corexl <options>
      fullha <options>
      ha <options>
      intfs <options>
      lic <options>
      sic <options>
      snmp <options>

Parameters

-h
    Shows the entire built-in usage.

admin <options>
    Configures Check Point system administrators for the Security Management Server.
    See "cp_conf admin" on page 58.

adv_routing <options>
    Enables or disables the Advanced Routing feature on this Security Gateway.
    Important - Do not use these outdated commands. To configure Advanced Routing, see the R80.40 Gaia Advanced Routing Administration Guide.

auto <options>
    Shows and configures the automatic start of Check Point products during boot.
    See "cp_conf auto" on page 61.

ca <options>
    • Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).
    • Initializes the Internal Certificate Authority (ICA).
    See "cp_conf ca" on page 63.

client <options>
    Configures the GUI clients that can use SmartConsole to connect to the Security Management Server.
    See "cp_conf client" on page 65.

corexl <options>
    Enables or disables CoreXL on this Security Gateway.
    See "cp_conf corexl" on page 926.

finger <options>
    Shows the ICA's Fingerprint.
    See "cp_conf finger" on page 69.

fullha <options>
    Manages Full High Availability Cluster.
    See "cp_conf fullha" on page 928.

ha <options>
    Enables or disables cluster membership on this Security Gateway.
    See "cp_conf ha" on page 929.

intfs <options>
    Sets the topology of interfaces on a Security Gateway, which you manage with SmartProvisioning.
    See "cp_conf intfs" on page 930.

lic <options>
    Manages Check Point licenses.
    See "cp_conf lic" on page 71.

sic <options>
    Manages SIC on this Security Gateway.
    See "cp_conf sic" on page 934.

snmp <options>
    Do not use these outdated commands.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System Management - Section SNMP.


cp_conf admin

Description
Configures Check Point system administrators for the Security Management Server.

Notes:
• Multi-Domain Server does not support this command.
• Only one administrator can be defined in the "cpconfig" on page 124 menu. To define additional administrators, use SmartConsole.
• This command corresponds to the option Administrator in the "cpconfig" on page 124 menu.

Syntax

cp_conf admin
      -h
      add [<UserName> <Password> {a | w | r}]
      add -gaia [{a | w | r}]
      del <UserName1> <UserName2> ...
      get
      get -gaia

Parameters

-h
    Shows the applicable built-in usage.

add [<UserName> <Password> {a | w | r}]
    Adds a Check Point system administrator:
    • <UserName> - Specifies the administrator's username
    • <Password> - Specifies the administrator's password
    • a - Assigns all permissions - read settings, write settings, and manage administrators
    • w - Assigns permissions to read and write settings only (cannot manage administrators)
    • r - Assigns permissions to only read settings

add -gaia [{a | w | r}]
    Adds the Gaia administrator user admin:
    • a - Assigns all permissions - read settings, write settings, and manage administrators
    • w - Assigns permissions to read and write settings only (cannot manage administrators)
    • r - Assigns permissions to only read settings

del <UserName1> <UserName2> ...
    Deletes the specified system administrators.

get
    Shows the list of the configured system administrators.

get -gaia
    Shows the management permissions assigned to the Gaia administrator user admin.


Example 1 - Adding a Check Point system administrator

[Expert@MGMT:0]# cp_conf admin add
Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w

Administrator admin was modified successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

Example 2 - Adding the Gaia administrator user

[Expert@MGMT:0]# cp_conf admin add -gaia
Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r
Administrator admin already exists.

Administrator admin was modified successfully and has
Read Only Permission for all products
[Expert@MGMT:0]#


cp_conf auto

Description
Shows and controls which of Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain
Server in the "mdsconfig" on page 717 menu.

Syntax

cp_conf auto
      -h
      {enable | disable} <Product1> <Product2> ...
      get all

Parameters

-h
    Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ...
    Controls whether the installed Check Point products start automatically during boot.
    This command is for Check Point use only.

get all
    Shows which of these Check Point products start automatically during boot:
    • Check Point Security Gateway
    • QoS (former FloodGate-1)
    • SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all

Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#

Example from a Security Gateway

[Expert@GW:0]# cp_conf auto get all

The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed.

[Expert@GW:0]#


cp_conf ca

Description
This command changes the settings of the Internal Certificate Authority (ICA).

Note - On a Security Management Server, this command corresponds to the option Certificate Authority in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf ca
      -h
      fqdn <FQDN Name>
      init

Parameters

-h
    Shows the applicable built-in usage.

fqdn <FQDN Name>
    Configures the Fully Qualified Domain Name (FQDN) for the Internal Certificate Authority (ICA).
    The "<FQDN Name>" is the text string in this format: hostname.domainname
    Notes:
    • The existing certificates for configured objects are not revoked.
    • The existing ICA certificate is not changed.
    • The Management Server uses the specified "<FQDN Name>" to configure the Certificate Revocation List Distribution Point (CRL DP) property in all certificates that the ICA generates. Refer to this command: "cpca_client get_crldp" on page 101

init
    Initializes the Internal Certificate Authority (ICA).


Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn MyMGMT.checkpoint.com
Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
MyMGMT.checkpoint.com was successfully set to the Internal CA
[Expert@MyMGMT:0]#


cp_conf client

Description
Configures the GUI clients that are allowed to connect with SmartConsole to the Security Management Server.

Notes:
• Multi-Domain Server does not support this command.
• This command corresponds to the option GUI Clients in the "cpconfig" on page 124 menu.

Syntax

cp_conf client
      -h
      add <GUI Client>
      createlist <GUI Client 1> <GUI Client 2> ...
      del <GUI Client 1> <GUI Client 2> ...
      get

Parameters

-h
    Shows the built-in usage.

<GUI Client>
    <GUI Client> can be one of these:
    • One IPv4 address (for example, 192.168.10.20), or one IPv6 address (for example, 3731:54:65fe:2::a7)
    • One hostname (for example, MyComputer)
    • "Any" - To denote all IPv4 and IPv6 addresses without restriction
    • A range of IPv4 addresses (for example, 192.168.10.0/255.255.255.0), or a range of IPv6 addresses (for example, 2001::1/128)
    • IPv4 address wildcard (for example, 192.168.10.*)

add <GUI Client>
    Adds a GUI client.

createlist <GUI Client 1> <GUI Client 2> ...
    Deletes the current allowed GUI clients and creates a new list of allowed GUI clients.

del <GUI Client 1> <GUI Client 2> ...
    Deletes the specified GUI clients.

get
    Shows the allowed GUI clients.

Examples

Example 1 - Configure one IPv4 address

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.15
172.20.168.15 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.15
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.15
172.20.168.15 was deleted successfully
[Expert@MGMT:0]#

Example 2 - Configure one hostname

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost
MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost
MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

Example 3 - Configure "Any"

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"
Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"
Any was deleted successfully
[Expert@MGMT:0]#

Example 4 - Configure a range of IPv4 addresses

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was deleted successfully
[Expert@MGMT:0]#

Example 5 - Configure IPv4 address wildcard

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*
172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*
172.20.168.* was deleted successfully
[Expert@MGMT:0]#

Example 6 - Delete the current list and create a new list of allowed GUI clients

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist 192.168.40.0/255.255.255.0 172.30.40.55
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
192.168.40.0/255.255.255.0
172.30.40.55
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#
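As an added example (not part of this guide and not Check Point code), a shell function that reads the output of cp_conf client get, in the one-entry-per-line form the examples above show, and classifies each entry so that "Any", wildcard and range entries can be reviewed instead of staying in the allowed list unnoticed. The sample input is constructed from the entry forms listed in the Parameters table; the function name and verdict labels are this example's own.

```shell
# Added example (not Check Point code): classify the entries that
# "cp_conf client get" prints, one per line, so that over-broad GUI client
# definitions ("Any", wildcards, address ranges) stand out in an audit.
# Reads the command output on stdin, prints "<verdict>\t<entry>" per entry and
# returns 1 if any entry is broader than a single host, 0 otherwise.
audit_gui_clients() {
    awk '
    BEGIN { broad = 0 }
    /^There are no GUI Clients defined/ { print "NONE\t(no GUI clients defined)"; next }
    # Skip prompts and blank lines in case a raw terminal transcript is pasted in.
    /^\[Expert@/ || /^[ \t]*$/ { next }
    {
        entry = $0
        if (entry == "Any") {
            verdict = "UNRESTRICTED"; broad = 1          # every IPv4/IPv6 address may connect
        } else if (entry ~ /\*/) {
            verdict = "WILDCARD"; broad = 1              # e.g. 192.168.10.*
        } else if (entry ~ /\//) {
            split(entry, parts, "/")
            # A host mask (/255.255.255.255 or /128) still names a single host.
            if (parts[2] == "255.255.255.255" || parts[2] == "128") verdict = "HOST"
            else { verdict = "RANGE"; broad = 1 }        # e.g. 192.168.10.0/255.255.255.0
        } else if (entry ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || entry ~ /:/) {
            verdict = "HOST"                             # one IPv4 or IPv6 address
        } else {
            verdict = "HOSTNAME"                         # only as trustworthy as name resolution
        }
        print verdict "\t" entry
    }
    END { exit broad }
    '
}

# Constructed sample in the format the examples above show (one entry per line).
printf '172.20.168.15\nAny\n192.168.40.0/255.255.255.0\n172.20.168.*\nMySmartConsoleHost\n' \
    | audit_gui_clients || echo "review: at least one entry is broader than a single host" >&2
```

On a Management Server the same check runs as cp_conf client get | audit_gui_clients.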


cp_conf finger

Description
Shows the Internal Certificate Authority's Fingerprint.
This fingerprint is a text string derived from the ICA certificate on the Security Management Server, Multi-Domain Server, or Domain Management Server.
This fingerprint verifies the identity of the Security Management Server, Multi-Domain Server, or Domain Management Server when you connect to it with SmartConsole.

Note - This command corresponds to the option Certificate's Fingerprint in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server:
• To see the fingerprint of the Multi-Domain Server, this command corresponds to the option Certificate's Fingerprint in the "mdsconfig" on page 717 menu.
• You can run this command in these contexts:
  ◦ To see the fingerprint of the Multi-Domain Server, run it in the context of the Multi-Domain Server:
    mdsenv
  ◦ To see the fingerprint of a Domain Management Server, run it in the context of the applicable Domain Management Server:
    mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf finger
      -h
      get

Parameters

Parameter Description

-h Shows the applicable built-in usage.

get Shows the ICA's Fingerprint.

Example

[Expert@MGMT:0]# cp_conf finger get
EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#


cp_conf lic

Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf lic
      -h
      add -f <Full Path to License File>
      add -m <Host> <Date> <Signature Key> <SKU/Features>
      del <Signature Key>
      get [-x]

Parameters

-h
    Shows the applicable built-in usage.

add -f <Full Path to License File>
    Adds a license from the specified Check Point license file.
    You get this license file in the Check Point User Center.
    This is the same command as the "cplic db_add" on page 135.

add -m <Host> <Date> <Signature Key> <SKU/Features>
    Adds the license manually.
    You get these license details in the Check Point User Center.
    This is the same command as the "cplic db_add" on page 135.

del <Signature Key>
    Deletes the license based on its signature.
    This is the same command as the "cplic del" on page 140.

get [-x]
    Shows the local installed licenses.
    If you specify the "-x" parameter, output also shows the signature key for every installed license.
    This is the same command as the "cplic print" on page 144.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic
License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get
Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get
Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@MyHostName:0]#
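As an added example (not from this guide and not Check Point code), a shell function that parses the Host / Expiration / Signature / Features output of cp_conf lic get shown above and reports licenses that have expired or expire within a given number of days, so that an expiring license is noticed before a blade stops enforcing. The reference date is passed in so the check is reproducible; the sample output is constructed, and the assumption that a perpetual license prints "never" in the Expiration column is this example's, not the guide's.

```shell
# Added example (not Check Point code): report expiring licenses from the output
# of "cp_conf lic get" (columns: Host Expiration Signature Features).
# Usage: check_license_expiry <today as YYYY-MM-DD> <warn-days>   (output on stdin)
# Prints "<STATUS>\t<host>\t<expiration>\t<features>\t<detail>" per license and
# returns 1 if any license is EXPIRED or EXPIRING, 0 otherwise.
# Assumption of this example: a perpetual license shows "never" as its expiration.
check_license_expiry() {
    awk -v today="$1" -v warn="$2" '
    # Julian day number, so that day differences need no date(1) extension.
    function jdn(y, m, d,   a, yy, mm) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    # Convert the DDMonYYYY form used in the output above (for example 25Aug2019) to a JDN.
    function exp_jdn(s,   mon) {
        if (match(s, /^[0-9]+/) == 0) return -1
        mon = index("JanFebMarAprMayJunJulAugSepOctNovDec", substr(s, RLENGTH + 1, 3))
        if (mon == 0 || (mon - 1) % 3 != 0) return -1
        return jdn(substr(s, RLENGTH + 4) + 0, (mon + 2) / 3, substr(s, 1, RLENGTH) + 0)
    }
    BEGIN { split(today, t, "-"); now = jdn(t[1] + 0, t[2] + 0, t[3] + 0); bad = 0 }
    $1 == "Host" && $2 == "Expiration" { next }    # column header line
    /^\[Expert@/ || NF < 4 { next }                 # prompts and blank lines
    {
        if ($2 == "never") { status = "PERPETUAL"; detail = "no expiration" }
        else {
            e = exp_jdn($2)
            if (e < 0) { status = "UNPARSED"; detail = "unrecognised date" }
            else {
                left = e - now
                if (left < 0)         { status = "EXPIRED";  detail = (-left) " days ago"; bad = 1 }
                else if (left <= warn) { status = "EXPIRING"; detail = left " days left";   bad = 1 }
                else                   { status = "OK";       detail = left " days left" }
            }
        }
        printf "%s\t%s\t%s\t%s\t%s\n", status, $1, $2, $4, detail
    }
    END { exit bad }
    '
}

# Constructed sample of "cp_conf lic get" output, checked against 2019-08-01 with a 30-day window.
printf 'Host Expiration Signature Features\n192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX\n' \
    | check_license_expiry 2019-08-01 30 || echo "action needed: a license is expired or about to expire" >&2
```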


cp_log_export

Description
Exports Check Point logs over syslog.
For more information, see sk122323 and R80.40 Logging and Monitoring Administration Guide.

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_log_export
cp_log_export <command-name> help

Parameters

No Parameters
    Shows the built-in general help.

<command-name> help
    Shows the built-in help for the specified internal command.



Internal Commands

add
    Configures a new Check Point Log Exporter.
    cp_log_export add name <Name> target-server <Target-Server> target-port <Target-Server-Port> protocol {udp | tcp} [Optional Arguments]

delete
    Removes an existing Log Exporter.
    cp_log_export delete name <Name>

reconf
    Applies the Log Exporter configuration to all existing exporters.
    cp_log_export reconf [name <Name>]

reexport
    Resets the current log position and exports all logs again based on the configuration.
    cp_log_export reexport name <Name> --apply-now
    cp_log_export reexport name <Name> start-position <Position of Last Exported Log> --apply-now
    cp_log_export reexport name <Name> start-position <Position of Gap Start> end-position <Position of Gap End> --apply-now

restart
    Restarts a Log Exporter process.
    cp_log_export restart name <Name>

set
    Updates an existing Log Exporter configuration.
    cp_log_export set name <Name> [<Optional Arguments>]

show
    Shows the current Log Exporter configuration.
    cp_log_export show [<Optional Arguments>]

start
    Starts an existing Log Exporter process.
    cp_log_export start name <Name>

status
    Shows a Log Exporter overview status.
    cp_log_export status [<Optional Arguments>]

stop
    Stops an existing Log Exporter process.
    cp_log_export stop name <Name>
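As an added example (not Check Point code), a shell function that checks an argument list for cp_log_export add against the rules this section gives for the arguments (name, target-server, target-port and protocol are mandatory for add; ca-cert, client-cert and client-secret apply only when encrypted is true; export-link-ip needs export-link or export-attachment-link; filter-action-in values are double-quoted and comma-separated without spaces) and prints the assembled command only when they hold. Requiring all three certificate arguments for a TLS exporter and rejecting encrypted true over udp are this check's own policy; all server addresses, paths and secrets are constructed.

```shell
# Added example (not Check Point code): sanity-check a "cp_log_export add"
# argument list against the rules in this section before running it.
# Prints the assembled command on stdout and returns 0 if the set is consistent;
# otherwise lists the problems on stderr and returns 1.
# Policy choices of this check (not stated by the guide): a TLS exporter must
# carry all three certificate arguments, and encrypted true is rejected over udp.
lint_log_exporter_add() {
    name='' target='' port='' protocol='' encrypted='false'
    ca_cert='' client_cert='' client_secret='' filter_action='' extra='' errors=''
    export_link='false' export_attach='false' export_link_ip='false'
    while [ $# -ge 2 ]; do
        case "$1" in
            name) name=$2 ;;
            target-server) target=$2 ;;
            target-port) port=$2 ;;
            protocol) protocol=$2 ;;
            encrypted) encrypted=$2 ;;
            ca-cert) ca_cert=$2 ;;
            client-cert) client_cert=$2 ;;
            client-secret) client_secret=$2 ;;
            export-link) export_link=$2 ;;
            export-attachment-link) export_attach=$2 ;;
            export-link-ip) export_link_ip=$2 ;;
            filter-action-in) filter_action=$2 ;;
            *) extra="$extra $1 $2" ;;   # other arguments (domain-server, enabled, ...) pass through
        esac
        shift 2
    done
    [ $# -eq 0 ] || errors="$errors; dangling argument without a value: $1"
    [ -n "$name" ] && [ -n "$target" ] && [ -n "$port" ] && [ -n "$protocol" ] \
        || errors="$errors; name, target-server, target-port and protocol are mandatory for add"
    case "$protocol" in ''|udp|tcp) ;; *) errors="$errors; protocol must be udp or tcp" ;; esac
    case "$port" in *[!0-9]*) errors="$errors; target-port must be numeric" ;; esac
    if [ "$encrypted" = true ]; then
        [ "$protocol" = tcp ] || errors="$errors; encrypted true needs protocol tcp (TLS runs over TCP)"
        [ -n "$ca_cert" ] && [ -n "$client_cert" ] && [ -n "$client_secret" ] \
            || errors="$errors; encrypted true needs ca-cert, client-cert and client-secret"
    else
        [ -z "$ca_cert$client_cert$client_secret" ] \
            || errors="$errors; ca-cert, client-cert and client-secret apply only with encrypted true"
        echo "WARNING: logs will leave the server unencrypted (encrypted false)" >&2
    fi
    if [ "$export_link_ip" = true ] && [ "$export_link" != true ] && [ "$export_attach" != true ]; then
        errors="$errors; export-link-ip true needs export-link true or export-attachment-link true"
    fi
    if [ -n "$filter_action" ] && [ "$filter_action" != false ]; then
        # Each value in double quotes, values separated by a comma with no spaces.
        printf '%s' "$filter_action" | grep -Eq '^"[^"]+"(,"[^"]+")*$' \
            || errors="$errors; filter-action-in must look like \"Drop\",\"HTTPS Bypass\""
    fi
    if [ -n "$errors" ]; then
        printf 'invalid cp_log_export add:%s\n' "$errors" >&2
        return 1
    fi
    cmd="cp_log_export add name $name target-server $target target-port $port protocol $protocol"
    [ "$encrypted" = true ] && cmd="$cmd encrypted true ca-cert $ca_cert client-cert $client_cert client-secret $client_secret"
    [ "$export_link" = true ] && cmd="$cmd export-link true"
    [ "$export_attach" = true ] && cmd="$cmd export-attachment-link true"
    [ "$export_link_ip" = true ] && cmd="$cmd export-link-ip true"
    [ -n "$filter_action" ] && cmd="$cmd filter-action-in $filter_action"
    printf '%s\n' "$cmd$extra"
}

# Constructed demo: a TLS exporter to a syslog collector, limited to Drop and Prevent logs.
lint_log_exporter_add name siem-tls target-server 192.0.2.10 target-port 6514 protocol tcp \
    encrypted true ca-cert /home/admin/ca.pem client-cert /home/admin/client.p12 \
    client-secret 'ChangeMe' filter-action-in '"Drop","Prevent"' domain-server all
```

The printed line is the command to run (or to pass to set) once it has passed the checks.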


cp_log_export

Internal Command Arguments

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

--apply-now Applies immediately Optio Optio Man N/A N/A Man


any change that was nal nal dator dator
done with the "add", y y
"set", "delete", or
"reexport"
command.

ca-cert Specifies the full Optio Optio N/A N/A N/A N/A
<Path> path to the CA nal nal
certificate file
*.pem.
Important -
Applicable only
when the value
of the
"encrypted"
argument is
"true".

R80.40 CLI Reference Guide | 77


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

client-cert Specifies the full Optio Optio N/A N/A N/A N/A
<Path> path to the client nal nal
certificate *.p12.
Important -
Applicable only
when the value
of the
"encrypted"
argument is
"true".

client- Specifies the Optio Optio N/A N/A N/A N/A


secret challenge phrase nal nal
<Phrase> used to create the
client certificate
*.p12.
Important -
Applicable only
when the value
of the
"encrypted"
argument is
"true".

R80.40 CLI Reference Guide | 78


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

domain- On a Multi-Domain Man Man Man N/A Opti Man


server {mds Server, specifies the dator dator dator onal dator
| all} applicable Domain y y y y
Management Server
context.
On a Multi-Domain
Log Server,
specifies the
applicable Domain
Log Server context.
Important:
n "mds" (in
small
letters) -
Exports
all logs
from only
the main
MDS
level.
n "all" (in
small
letters) -
Exports
all logs
from all
Domains.

R80.40 CLI Reference Guide | 79


cp_log_export

For each parameter below, the "Required for" line states whether the parameter is Mandatory, Optional or N/A (not applicable) for the "add", "set", "delete", "reexport", "reconf" and "restart" / "show" / "status" / "start" / "stop" commands, followed by the parameter description.

enabled {true | false}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies whether to allow the Log Exporter to start when you run the "cpstart" on page 191 or "mdsstart" on page 725 command.
    Default: true

encrypted {true | false}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies whether to use TLS (SSL) encryption to send the logs.
    Default: false

export-attachment-link {true | false}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card and automatically opens the attachment.
    Default: false

export-link {true | false}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card.
    Default: false

export-link-ip {true | false}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies whether to make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).
    Important - Applicable only when the value of the "export-link" argument is "true", or the value of the "export-attachment-link" argument is "true".
    Default: false

filter-action-in {"Action1","Action2",... | false}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies whether to export all logs that contain a specific value in the "Action" field.
    Each value must be surrounded by double quotes ("").
    Multiple values are supported and must be separated by a comma without spaces.
    To see all valid values:
    1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.
    2. In the top query field, enter action: and a letter.
    Examples of values:
    - Accept
    - Block
    - Bypass
    - Detect
    - Drop
    - HTTPS Bypass
    - HTTPS Inspect
    - Prevent
    - Reject
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

filter-blade-in {"Blade1","Blade2",... | false}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies whether to export all logs that contain a specific value in the "Blade" field (the object name of the Software Blade that generated these logs).
    Each value must be surrounded by double quotes ("").
    Multiple values are supported and must be separated by a comma without spaces.
    To see all valid values:
    1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.
    2. In the top query field, enter blade: and a letter.
    Examples of values:
    - Anti-Bot
    - Firewall
    - HTTPS Inspection
    - Identity Awareness
    - IPS
    Valid Software Blade families:
    - Access
    - TP
    - Endpoint
    - Mobile
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

filter-origin-in {"Origin1","Origin2",... | false}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway / Cluster Member that generated these logs).
    Each origin value must be surrounded by double quotes ("").
    Multiple values are supported and must be separated by a comma without spaces.
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

format {cef | syslog}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies the format, in which the logs are exported.
    Default: syslog

name "<Name>"
    Required for: "add" - Mandatory; "set" - Mandatory; "delete" - Mandatory; "reexport" - Optional (by default, applies to all); "reconf" - Optional (by default, applies to all); "restart", "show", "status", "start", "stop" - Mandatory
    Specifies the unique name of the Log Exporter configuration.
    Notes:
    - Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period (".").
    - Must start with a letter.
    - The minimum length is two characters.
    - The "add" command creates a new target directory with the specified unique name in the $EXPORTERDIR/targets/ directory.

protocol {tcp | udp}
    Required for: "add" - Mandatory; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies the Layer 4 Transport protocol to use (TCP or UDP).
    There is no default value.

read-mode {raw | semi-unified}
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies the mode, in which to read the log files.
    - raw - Specifies to export log records without any unification.
    - semi-unified - Specifies to export log records with step-by-step unification. That is, for each log record, export a record that unifies this record with all previously-encountered records with the same ID.
    Default: raw

target-port <Target-Server-Port>
    Required for: "add" - Mandatory; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies the listening port on the target server, to which you export the logs.

target-server <Target-Server>
    Required for: "add" - Mandatory; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
    Specifies the IP address or FQDN of the target server, to which you export the logs.
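The constraints in the table above (name character set, mandatory protocol with no default, quoted comma-separated filter values, the export-link-ip dependency) are easy to get wrong when scripting exporter deployments. The following is an added example, not code from the guide or from Check Point: it validates those constraints and assembles a "cp_log_export add" command line. It assumes the keyword/value form "cp_log_export add name <Name> target-server <Target-Server> target-port <Port> protocol <tcp|udp> format <cef|syslog>" from the command's Syntax section; all function names and sample values are this example's own.

```shell
#!/bin/sh
# Added example (not from the R80.40 guide): check the documented
# cp_log_export constraints, then build the "add" command line. The command
# is only printed; the operator still runs it on the Log Server.

# "name" rules from the table: Latin letters, digits, "-", "_" and "." only,
# must start with a letter, at least two characters long.
valid_exporter_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9._-]+$'
}

# Filter values ("filter-blade-in", "filter-action-in", "filter-origin-in")
# must each be double-quoted and joined by commas with no spaces in between.
quote_filter_values() {
    out=""
    for v in "$@"; do
        out="${out:+$out,}\"$v\""
    done
    printf '%s\n' "$out"
}

# "export-link-ip" only takes effect when "export-link" ($1) or
# "export-attachment-link" ($2) is true; returns 1 when it would be ignored.
export_link_ip_applicable() {
    [ "$1" = true ] || [ "$2" = true ]
}

# Arguments: name, target server, target port, protocol, format, then zero
# or more Software Blade names for "filter-blade-in" (assumed keyword form).
# Prints the command line on success; prints a reason to stderr and
# returns 1 when a documented constraint is violated.
build_log_export_add() {
    [ $# -ge 5 ] || { echo "usage: name server port protocol format [blade...]" >&2; return 1; }
    name=$1 server=$2 port=$3 proto=$4 fmt=$5
    shift 5
    valid_exporter_name "$name" || { echo "invalid name: $name" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "target-port must be numeric: $port" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, there is no default: $proto" >&2; return 1 ;;
    esac
    case "$fmt" in
        cef|syslog) ;;
        *) echo "format must be cef or syslog: $fmt" >&2; return 1 ;;
    esac
    cmd="cp_log_export add name $name target-server $server target-port $port protocol $proto format $fmt"
    if [ $# -gt 0 ]; then
        cmd="$cmd filter-blade-in $(quote_filter_values "$@")"
    fi
    printf '%s\n' "$cmd"
}

# Constructed sample values: a SIEM collector on the TLS syslog port.
build_log_export_add siem-collector01 203.0.113.10 6514 tcp syslog Firewall IPS "HTTPS Inspection"
```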


cpca_client
Description
Execute operations on the Internal Certificate Authority (ICA).

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d]
create_cert <options>
double_sign <options>
get_crldp <options>
get_pubkey <options>
init_certs <options>
lscert <options>
revoke_cert <options>
revoke_non_exist_cert <options>
search <options>
set_cert_validity <options>
set_mgmt_tool <options>
set_sign_hash <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

create_cert <options>
    Issues a SIC certificate for the Security Management Server or Domain Management Server.
    See "cpca_client create_cert" on page 97.

double_sign <options>
    Creates a second signature for a certificate.
    See "cpca_client double_sign" on page 99.

get_crldp <options>
    Shows how to access a CRL file from a CRL Distribution Point.
    See "cpca_client get_crldp" on page 101.

get_pubkey <options>
    Saves the encoding of the public key of the ICA's certificate to a file.
    See "cpca_client get_pubkey" on page 103.

init_certs <options>
    Imports a list of DNs for users and creates a file with registration keys for each user.
    See "cpca_client init_certs" on page 104.

lscert <options>
    Shows all certificates issued by the ICA.
    See "cpca_client lscert" on page 105.

revoke_cert <options>
    Revokes a certificate issued by the ICA.
    See "cpca_client revoke_cert" on page 108.

revoke_non_exist_cert <options>
    Revokes a non-existent certificate issued by the ICA.
    See "cpca_client revoke_non_exist_cert" on page 111.

search <options>
    Searches for certificates in the ICA.
    See "cpca_client search" on page 112.

set_cert_validity <options>
    Configures the default certificate validity period for new certificates.
    See "cpca_client set_cert_validity" on page 114.

set_mgmt_tool <options>
    Controls the ICA Management Tool.
    See "cpca_client set_mgmt_tool" on page 116.

set_sign_hash <options>
    Sets the hash algorithm that the CA uses to sign the file hash.
    See "cpca_client set_sign_hash" on page 121.


cpca_client create_cert

Description
Issues a SIC certificate for the Security Management Server or Domain Management Server.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common Name>" -f <Full Path to PKCS12 file> [-w <Password>] [-k {SIC | USER | IKE | ADMIN_PKG}] [-c "<Comment for Certificate>"]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>"
    Sets the CN to the specified <Common Name>.

-f <Full Path to PKCS12 file>
    Specifies the PKCS12 file, which stores the certificate and keys.

-w <Password>
    Optional. Specifies the certificate password.

-k {SIC | USER | IKE | ADMIN_PKG}
    Optional. Specifies the certificate kind.

-c "<Comment for Certificate>"
    Optional. Specifies the certificate comment (must enclose in double quotes).

Example

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12


cpca_client double_sign

Description
Creates a second signature for a certificate.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate File in PEM format> [-o <Full Path to Output File>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Certificate File in PEM format>
    Imports the specified certificate (only in PEM format).

-o <Full Path to Output File>
    Optional. Saves the certificate into the specified file.

Example

[Expert@MGMT:0]# cpca_client double_sign -i certificate.pem

Requesting Double Signature for the following Certificate:

refCount: 1
Subject: [email protected],CN=http://www.example.com/,OU=ValiCert Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:

======================
(
: (
:dn ("[email protected],CN=http://www.example.com/,OU=exampleOU Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#


cpca_client get_crldp

Description
Shows the Fully Qualified Domain Name (FQDN) configured for the Internal Certificate
Authority (ICA) with the "cp_conf ca" on page 63 command.
The Management Server uses this FQDN:
1. To configure the Certificate Revocation List Distribution Point (CRL DP) property in all
certificates that the ICA generates.
2. To create the URL for accessing the CRL.
Example: http://MyMGMT.checkpoint.com:18264/ICA_CRL1.crl

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_crldp [-p <ICA port number>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <ICA port number>
    Optional.
    Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18264.

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cpca_client get_crldp
MyMGMT.checkpoint.com
[Expert@MyMGMT:0]#


cpca_client get_pubkey

Description
Saves the encoding of the public key of the ICA's certificate to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to Output File>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

<Full Path to Output File>
    Saves the encoding of the public key of the ICA's certificate to the specified file.

Example

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/key.txt
[Expert@MGMT:0]#

[Expert@MGMT:0]# cat /tmp/key.txt
3082010a... ... ...f98b8910
[Expert@MGMT:0]#


cpca_client init_certs

Description
Imports a list of Distinguished Names (DN) for users and creates a file with registration keys for
each user.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to Input File> -o <Full Path to Output File>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Full Path to Input File>
    Imports the specified file.
    Make sure to use the full path.
    Make sure that there is an empty line between each DN in the specified file.
    Example:
    ...CN=test1,OU=users...
    <Empty Line>
    ...CN=test2,OU=users...

-o <Full Path to Output File>
    Saves the registration keys to the specified file.
    This command saves the error messages in the <Name of Output File>.failures file in the same directory.


cpca_client lscert

Description
Shows all certificates issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-kind {SIC | IKE | User | LDAP}] [-ser <Certificate Serial Number>] [-dp <Certificate Distribution Point>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <SubString>
    Optional. Filters the search results to those with a DN that matches the specified <SubString>.
    This command does not support multiple values.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Filters the search results to those with certificate status that matches the specified status.
    This command does not support multiple values.

-kind {SIC | IKE | User | LDAP}
    Optional. Filters the search results to those with certificate kind that matches the specified kind.
    This command does not support multiple values.

-ser <Certificate Serial Number>
    Optional. Filters the search results to those with certificate serial number that matches the specified serial number.
    This command does not support multiple values.

-dp <Certificate Distribution Point>
    Optional. Filters the search results to the specified Certificate Distribution Point (CDP).
    This command does not support multiple values.

Example

[Expert@MGMT:0]# cpca_client lscert -stat Revoked

Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client lscert -kind IKE

Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#


cpca_client revoke_cert

Description
Revokes a certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common Name>" -s <Certificate Serial Number>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>"
    Specifies the certificate CN.
    To get the CN, run the "cpca_client lscert" on page 105 command and examine the text that you see between the "Subject =" and the ",O=...".
    Example
    From this output:
    Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
    Status = Valid Kind = IKE Serial = 27214 DP = 1
    Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
    you get this syntax:
    -n "CN=VS1 VPN Certificate"
    Note - You can use the parameter "-n" only, or together with the parameter "-s".

-s <Certificate Serial Number>
    Specifies the certificate serial number.
    To see the serial number, run the "cpca_client lscert" on page 105 command.
    Note - You can use the parameter "-s" only, or together with the parameter "-n".

Example 1 - Revoking a certificate specified by its CN

[Expert@MGMT:0]# cpca_client lscert

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#

Example 2 - Revoking a certificate specified by its serial number.

[Expert@MGMT:0]# cpca_client lscert

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#
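The "-n" parameter description above tells the operator to derive the CN by hand from "cpca_client lscert" output. The following is an added example, not code from the guide or from Check Point, that does that extraction with awk: it turns lscert output into a status/kind/serial/CN inventory, lists the still-Valid certificates of a kind for review, and prints the "-n"/"-s" pair for one serial so that the revocation names the certificate two ways. Function names are this example's own, and the sample lscert output is constructed in the format the guide shows; on a Management Server the input would be the live output of "cpca_client lscert".

```shell
#!/bin/sh
# Added example (not from the R80.40 guide): parse "cpca_client lscert"
# output and derive revoke_cert arguments. Only argument strings are printed;
# nothing here revokes anything by itself.

# Constructed sample in the lscert output format shown in the guide.
SAMPLE_LSCERT='Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=cp_mgmt,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = SIC Serial = 30287 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023'

# Reads lscert output on stdin and prints one tab-separated line per
# certificate: <Status> <Kind> <Serial> <CN>. The CN is the text between
# "Subject = CN=" and ",O=", exactly as the "-n" description instructs.
lscert_inventory() {
    awk '
        /^Subject = CN=/ {
            cn = $0
            sub(/^Subject = CN=/, "", cn)
            sub(/,O=.*$/, "", cn)
        }
        /^Status = / {
            # Field layout: Status = <s> Kind = <k> Serial = <n> DP = <d>
            printf "%s\t%s\t%s\t%s\n", $3, $6, $9, cn
            cn = ""
        }'
}

# Reads lscert output on stdin; prints the CNs of certificates of the given
# kind (SIC, IKE, User, LDAP) whose status is still Valid.
valid_cns_of_kind() {
    lscert_inventory | awk -F'\t' -v kind="$1" '$1 == "Valid" && $2 == kind { print $4 }'
}

# Reads lscert output on stdin; prints revoke_cert arguments that name the
# certificate with the given serial both by CN and by serial (the guide
# allows "-n" together with "-s"). Returns 1 if the serial is not listed.
revoke_args_for_serial() {
    cn=$(lscert_inventory | awk -F'\t' -v s="$1" '$3 == s { print $4; exit }')
    [ -n "$cn" ] || return 1
    printf '%s "CN=%s" -s %s\n' "-n" "$cn" "$1"
}

# Constructed run over the sample output.
printf '%s\n' "$SAMPLE_LSCERT" | valid_cns_of_kind SIC
printf '%s\n' "$SAMPLE_LSCERT" | revoke_args_for_serial 27214
```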


cpca_client revoke_non_exist_cert

Description
Revokes a non-existent certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input File>

Parameters

Parameter Description

-d
    Runs the cpca_client command under debug.

-i <Full Path to Input File>
    Specifies the file that contains the list of the certificates to revoke.
    You must create this file in the same format as the "cpca_client lscert" on page 105 command prints its output.
    Example
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 30287 DP = 0
    Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
    <Empty Line>
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 60870 DP = 0
    Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri Apr 7 19:40:13 2023

    Note - This command saves the error messages in the <Name of Input File>.failures file.


cpca_client search

Description
Searches for certificates in the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] search <String> [-where {dn | comment | serial | device_type | device_id | device_name}] [-kind {SIC | IKE | User | LDAP}] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-max <Maximal Number of Results>] [-showfp {y | n}]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<String>
    Specifies the text to search in the certificates.
    You can enter only one text string that does not contain spaces.

-where {dn | comment | serial | device_type | device_id | device_name}
    Optional. Specifies the certificate's field, in which to search for the string:
    - dn - Certificate DN
    - comment - Certificate comment
    - serial - Certificate serial number
    - device_type - Device type
    - device_id - Device ID
    - device_name - Device Name
    The default is to search in all fields.

-kind {SIC | IKE | User | LDAP}
    Optional. Specifies the certificate kind to search.
    You can enter multiple values in this format:
    -kind <Kind1> <Kind2> <Kind3>
    The default is to search for all kinds.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Specifies the certificate status to search.
    You can enter multiple values in this format:
    -stat <Status1> <Status2> <Status3>
    The default is to search for all statuses.

-max <Maximal Number of Results>
    Optional. Specifies the maximal number of results to show.
    - Range: 1 and greater
    - Default: 200

-showfp {y | n}
    Optional. Specifies whether to show the certificate's fingerprint and thumbprint:
    - y - Shows the fingerprint and thumbprint (this is the default)
    - n - Does not show the fingerprint and thumbprint

Example 1

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

Example 2

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

Example 3

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn -showfp n
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#

cpca_client set_cert_validity

Description
This command configures the default certificate validity period for new certificates.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- The new certificate validity period applies only to certificates you create after this change.

Syntax

cpca_client set_cert_validity -k {SIC | IKE | USER} [-y <Number of Years>] [-d <Number of Days>] [-h <Number of Hours>] [-s <Number of Seconds>]

Parameters

Parameter Description

-k {SIC | IKE | USER} Specifies the certificate type.

-y <Number of Years> Specifies the validity period in years.

-d <Number of Days> Specifies the validity period in days.

-h <Number of Hours> Specifies the validity period in hours.

-s <Number of Seconds> Specifies the validity period in seconds.

Example

[Expert@MGMT:0]# cpca_client set_cert_validity -k IKE -y 3
cert validity period was changed successfully.
[Expert@MGMT:0]#


cpca_client set_mgmt_tool

Description
Controls the ICA Management Tool.
This tool is disabled by default.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

See sk102837: Best Practices - ICA Management Tool configuration

Syntax

cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean | print} [-p <CA port number>] [{-a <Administrator DN> | -u <User DN> | -c <Custom User DN>}]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

on Starts the ICA Management Tool.

off Stops the ICA Management Tool.

add Adds the specified administrator, user, or custom user that is


permitted to use the ICA Management Tool.

remove Removes the specified administrator, user, or custom user that is


permitted to use the ICA Management Tool.

clean Removes all administrators, users, or custom users that are


permitted to use the ICA Management Tool.

print Shows the configured administrators, users, or custom users that


are permitted to use the ICA Management Tool.

R80.40 CLI Reference Guide | 116


cpca_client set_mgmt_tool

Parameter Description

-p <CA port Optional. Specifies the TCP port on the Security Management
number> Server or Domain Management Server, which is used to connect to
the Certificate Authority.
The default TCP port number is 18265.

-a Optional. Specifies the DN of the administrator that is permitted to


<Administrator use the ICA Management Tool.
DN> Must specify the full DN as appears in SmartConsole
Procedure

1. Open Object Explorer > Users


2. Open the Administrator object or a User object properties
3. Click the Certificates pane
4. Select the certificate and click the pencil icon
5. Click View certificate details
6. In the Certificate Info window, click the Details tab
7. Click the Subject field
8. Concatenate all fields

Example:
-a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"

-u <User DN> Optional. Specifies the DN of the user that is permitted to use the
ICA Management Tool.
Must specify the full DN as appears in SmartConsole:
Procedure

1. Open Object Explorer > Users


2. Open the Administrator object or a User object properties
3. Click the Certificates pane
4. Select the certificate and click the pencil icon
5. Click View certificate details
6. In the Certificate Info window, click the Details tab
7. Click the Subject field
8. Concatenate all fields

Example:
-u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

R80.40 CLI Reference Guide | 117


-c <Custom User DN>
    Optional. Specifies the DN of the custom user that is permitted to use the ICA Management Tool.
    You must specify the full DN as it appears in SmartConsole.
    Procedure:
    1. Open Object Explorer > Users
    2. Open the Administrator object or the User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

Note - If you run the "cpca_client set_mgmt_tool" command without the parameter "-a" or "-u", the list of permitted administrators and users is not changed. The previously defined permitted administrators and users can still start and stop the ICA Management Tool.
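The DN you pass to -a, -u or -c is the certificate Subject, with the fields from the Details tab joined by commas, CN first, as in the examples above. The following Python helper is an added example and is not part of this guide or of the Check Point product: it joins the fields, escapes the characters that RFC 4514 reserves inside a value (a comma inside a CN, for instance), parses a DN back into its fields, and sanity-checks that a DN begins with CN and contains the O= component. That cpca_client accepts RFC 4514 escaping, and that every ICA-issued subject carries an O= component as the examples do, are assumptions of the example, not statements of the guide.

```python
"""Build and check the DN string that cpca_client set_mgmt_tool -a / -u / -c takes.

Added example, not part of the Check Point guide or product. The DN is the
certificate Subject in RFC 4514 string form (CN=...,OU=...,O=...), as in the
guide's examples. Two assumptions: cpca_client accepts RFC 4514 escaping of
reserved characters, and every ICA-issued subject carries an O= component.
"""
from typing import List, Tuple

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
RESERVED = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RESERVED or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(fields: List[Tuple[str, str]]) -> str:
    """Join the Subject fields read off SmartConsole (CN first) into the -a/-u/-c argument."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in fields)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string back into (attribute, value) pairs, honouring backslash escapes."""
    pairs: List[Tuple[str, str]] = []
    attr, buf, in_value, i = "", [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):        # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif ch == "," and in_value:              # end of this RDN
            pairs.append((attr, "".join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        pairs.append((attr, "".join(buf)))
    return pairs


def check_ica_tool_dn(dn: str) -> List[str]:
    """Problems with a DN meant for -a/-u/-c; an empty list means it looks usable."""
    problems = []
    pairs = parse_dn(dn)
    attrs = [attr.upper() for attr, _ in pairs]
    if not pairs or attrs[0] != "CN":
        problems.append("DN must start with the CN of the administrator/user certificate")
    if "O" not in attrs:
        problems.append("DN must include the O= component (the ICA name, e.g. O=MGMT.s6t98x)")
    for attr, value in pairs:
        if not attr or not value:
            problems.append(f"empty attribute or value in {attr!r}={value!r}")
    return problems


if __name__ == "__main__":
    # Subject fields as listed on the certificate Details tab (constructed sample).
    subject = [("CN", "ICA_Tool_Admin"), ("OU", "users"), ("O", "MGMT.s6t98x")]
    dn = build_dn(subject)
    print(f'-a "{dn}"', check_ica_tool_dn(dn) or "ok")
```

Run it as shown to print the quoted -a argument; a non-empty list from check_ica_tool_dn tells you which part of the Subject you have not copied.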


To connect to the ICA Management Tool


1. In SmartConsole, configure the required administrator and user objects.
You must create a certificate for these administrators and users.
You use this certificate to configure the permitted users in the ICA Management Tool and
in the client web browsers.
2. In the command line on the Management Server, add the required administrators and
users that are permitted to use the ICA Management Tool.

cpca_client set_mgmt_tool add ...

3. In the command line on the Management Server, start the ICA Management Tool.

cpca_client set_mgmt_tool on

4. Check the status of the ICA Management Tool:

cpca_client set_mgmt_tool print

5. Import the administrator's / user's certificate into the Windows Certificate Store:
   a. Right-click the *.p12 file you saved when you created the required administrator / user, and click Install PFX.
      The Certificate Import Wizard opens.
   b. In the Store Location section, select the applicable option:
      - Current User (this is the default)
      - Local Machine
   c. Click Next.
   d. Enter the same certificate password you used when you created the required administrator / user certificate.
   e. Clear Enable strong private key protection.
   f. Select Mark this key as exportable.
   g. Click Next.
   h. Select Place all certificates in the following store > click Browse > select Personal > click OK.
   i. Click Next.
   j. Click Finish.


6. In a web browser, connect to the ICA Management Tool:

https://<IP Address of the Management Server>:18265


Important - The fact that TCP port 18265 is open is not a vulnerability in itself. The ICA Management Tool portal is protected by SSL, and only the administrators and users you registered with this command can access it, after they authenticate with their certificate.

7. A dialog box with this message appears:


Client Authentication
Identification
The Web site you want to view requests identification.
Select the certificate to use when connecting.

8. Select the appropriate certificate for authenticating to the ICA Management Tool.
9. Click OK.
10. In the Security Alert dialog box, click Yes.


cpca_client set_sign_hash

Description
Sets the hash algorithm that the Internal Certificate Authority (ICA) uses when it creates signatures, for example on the certificates it issues. Also, see sk103840.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}


Important - After this change, you must restart the Check Point services with these commands:
- On a Security Management Server, run:
  1. cpstop
  2. cpstart
- On a Multi-Domain Server, run:
  1. mdsstop_customer <Name or IP Address of Domain Management Server>
  2. mdsstart_customer <Name or IP Address of Domain Management Server>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{sha1 | sha256 | sha384 | sha512}
    The hash algorithm that the CA uses for its signatures.
    The default algorithm is SHA-256.


Example

[Expert@MGMT:0]# cpca_client set_sign_hash sha256

You have selected the signature hash function SHA-256


WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.

Are you sure? (y/n)


y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this has no security
implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart
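After you change the hash and restart the services, confirm that the certificates the ICA issues from then on carry the algorithm you selected, rather than trusting the setting alone. The following Python script is an added example and is not part of this guide or of any Check Point tool: it reads the signatureAlgorithm field from a DER or PEM encoded certificate with a minimal DER walker and maps the RSA signature OIDs of the four selectable hashes to their names. How you export a certificate to check (for instance from a user object's Certificates pane in SmartConsole) is assumed and not shown; the sample_certificate() helper builds a constructed stand-in certificate so the script runs offline.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM), so you
can confirm which hash the Internal CA signs with after `cpca_client set_sign_hash`.

Added example, not a Check Point tool. Only the outer signatureAlgorithm field
is decoded; the rest of the certificate is skipped, not validated.
"""
import base64
import re
from typing import Tuple

# RSA signature OIDs for the four hashes that set_sign_hash can select.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


def der_read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input; strip the PEM armour when present."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def certificate_signature_algorithm(cert: bytes) -> str:
    """Name (or dotted OID, if unknown) of the certificate's signatureAlgorithm."""
    tag, cert_body, _ = der_read_tlv(pem_to_der(cert), 0)   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = der_read_tlv(cert_body, 0)            # tbsCertificate: skipped
    tag, alg, _ = der_read_tlv(cert_body, after_tbs)        # signatureAlgorithm ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = der_read_tlv(alg, 0)                      # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    dotted = der_decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


def uses_weak_hash(cert: bytes) -> bool:
    """True when the certificate was signed with SHA-1, the setting to migrate away from."""
    return certificate_signature_algorithm(cert) == "sha1WithRSAEncryption"


# --- Constructed sample data so the script runs offline (not a real certificate) ---

def der_encode(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder (short and long length form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    ln = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def der_encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der_encode(0x06, bytes(out))


def sample_certificate(sig_oid: str) -> bytes:
    """Stand-in certificate: dummy tbsCertificate, the given signature OID, dummy signature."""
    tbs = der_encode(0x30, der_encode(0x02, b"\x01") + b"\x00" * 200)   # forces long-form length
    alg = der_encode(0x30, der_encode_oid(sig_oid) + der_encode(0x05, b""))
    sig = der_encode(0x03, b"\x00" * 33)
    return der_encode(0x30, tbs + alg + sig)


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_certificate("1.2.840.113549.1.1.11")
    print(certificate_signature_algorithm(data), "(weak)" if uses_weak_hash(data) else "")
```

Pass the path of an exported certificate as the first argument; with no argument the script reports on its constructed sample. Certificates issued before the change keep the old algorithm, as does the ICA's own certificate (see the command output above), so check a certificate issued after the restart.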


cpca_create
Description
Creates new Check Point Internal Certificate Authority database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_create [-d] -dn <CA DN>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <CA DN>
    Specifies the Certificate Authority Distinguished Name (DN).


cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool configures specific settings for the installed Check Point products.

Syntax

cpconfig

Note - On a Multi-Domain Server, run the "mdsconfig" on page 717 command.


Menu Options

Note - The options shown depend on the configuration and installed products.

Licenses and contracts
    Manages Check Point licenses and contracts on this server.

Administrator
    Configures Check Point system administrators for this server.

GUI Clients
    Configures the GUI clients that can use SmartConsole to connect to this server.

SNMP Extension
    Obsolete. Do not use this option anymore.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System Management - Section SNMP.

Random Pool
    Configures the RSA keys, to be used by the Gaia Operating System.

Certificate Authority
    Initializes the Internal Certificate Authority (ICA) and configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).

Certificate's Fingerprint
    Shows the ICA's fingerprint.
    This fingerprint is a text string derived from the server's ICA certificate.
    It verifies the identity of the server when you connect to it with SmartConsole.

Automatic start of Check Point Products
    Shows and controls which of the installed Check Point products start automatically during boot.

Exit
    Exits from the Check Point Configuration Tool.


Example - Menu on a Security Management Server

[Expert@MyMGMT:0]# cpconfig
This program will let you re-configure
your Check Point Security Management Server configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) Random Pool
(6) Certificate Authority
(7) Certificate's Fingerprint
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :


cpinfo
Description
A utility that collects diagnostic data on your Check Point computer at the time of execution.
You must collect this data when you contact Check Point Support about an issue on your Check Point server.
For more information, see sk92739.


cplic
Description
The cplic command manages Check Point licenses.
You can run this command in Gaia Clish or in the Expert mode.
License Management is divided into three types of commands:

Local licensing commands
    Applies to: Management Servers, Security Gateways and Cluster Members.
    You execute these commands locally on the Check Point computers.

Remote licensing commands
    Applies to: Management Servers only.
    You execute these commands on the Security Management Server or Domain Management Server.
    These changes affect the managed Security Gateways and Cluster Members.

License Repository commands
    Applies to: Management Servers only.
    You execute these commands on the Security Management Server or Domain Management Server.
    These changes affect the licenses stored in the local license repository.

For more about managing licenses, see the R80.40 Security Management Administration
Guide.

Syntax for Local Licensing on a Management Server itself

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>


Syntax for Remote Licensing on managed Security Gateways and Cluster Members

cplic [-d]
{-h | -help}
del <options>
get <options>
put <options>
upgrade <options>

Syntax for License Database Operations on a Management Server

cplic [-d]
{-h | -help}
db_add <options>
db_print <options>
db_rm <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the applicable built-in usage.

check <options>
    Confirms that the license includes the feature on the local Security Gateway or Management Server.
    See "cplic check" on page 131.

contract <options>
    Manages (deletes and installs) the Check Point Service Contract on the local Check Point computer.
    See "cplic contract" on page 133.

db_add <options>
    Applies only to a Management Server.
    Adds licenses to the license repository on the Management Server.
    See "cplic db_add" on page 135.

db_print <options>
    Applies only to a Management Server.
    Shows the details of Check Point licenses stored in the license repository on the Management Server.
    See "cplic db_print" on page 137.

db_rm <options>
    Applies only to a Management Server.
    Removes a license from the license repository on the Management Server.
    See "cplic db_rm" on page 139.

del <options>
    Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
    See "cplic del" on page 140.

del <Object Name> <options>
    Detaches a Central license from a remote managed Security Gateway or Cluster Member.
    See "cplic del <object name>" on page 141.

get <options>
    Applies only to a Management Server.
    Retrieves all licenses from managed Security Gateways and Cluster Members into the license repository on the Management Server.
    See "cplic get" on page 142.

print <options>
    Prints details of the installed Check Point licenses on the local Check Point computer.
    See "cplic print" on page 144.

put <options>
    Installs and attaches licenses on a Check Point computer.
    See "cplic put" on page 146.

put <Object Name> <options>
    Attaches one or more Central or Local licenses to remote managed Security Gateways and Cluster Members.
    See "cplic put <object name>" on page 148.

upgrade <options>
    Applies only to a Management Server.
    Upgrades licenses in the license repository with licenses in the specified license file.
    See "cplic upgrade" on page 151.


cplic check

Description
Confirms that the license includes the feature on the local Security Gateway or Management
Server. See sk66245.

Syntax

cplic check {-h | -help}


cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t
<Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <Product>
    Product, for which license information is requested.
    Some examples of products:
    - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member (all blades), or Management Server (all blades)
    - mgmt - Multi-Domain Server infrastructure
    - services - Entitlement for various services
    - cvpn - Mobile Access
    - etm - QoS (FloodGate-1)
    - eps - Endpoint Software Blades on Management Server

-v <Version>
    Product version, for which license information is requested.

{-c | -count}
    Outputs the number of licenses connected to this feature.

-t <Date>
    Checks the license status on a future date.
    Use the format ddmmyyyy.
    A feature can be valid on a given date on one license, but invalid on another.

{-r | -routers}
    Checks how many routers are allowed.
    The <Feature> option is not needed.

{-S | -SRusers}
    Checks how many SecuRemote users are allowed.

<Feature>
    Feature, for which license information is requested.

Example from a Management Server


[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1 fw1:6.0:rt
fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit fw1:6.0:prov
fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes
fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades
fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability


[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

Example from a Security Gateway


[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf fw1:6.0:av
fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect fw1:6.0:pam
etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited fw1:6.0:des
fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam
fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm
fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member


[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#


cplic contract

Description
Deletes or installs the Check Point Service Contract on the local Check Point computer.

Note
- For more information about Service Contract files, see sk33089: What is a Service Contract File?
- If you install a Service Contract on a managed Security Gateway / Cluster Member, you must update the license repository on the applicable Management Server - either with the "cplic get" on page 142 command, or in SmartUpdate.

Syntax

cplic contract -h
cplic [-d] contract
      del
            -h
            <Service Contract ID>
      put
            -h
            [{-o | -overwrite}] <Service Contract File>


Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

del
    Deletes the Service Contract from the $CPDIR/conf/cp.contract file on the local Check Point computer.

put
    Merges the Service Contract into the $CPDIR/conf/cp.contract file on the local Check Point computer.

<Service Contract ID>
    ID of the Service Contract.

{-o | -overwrite}
    Specifies to overwrite the current Service Contract.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your Check Point User Center account.


cplic db_add

Description
Adds licenses to the license repository on the Management Server.
When you add Local licenses to the license repository, Management Server automatically
attaches them to the managed Security Gateway / Cluster Member with the matching IP
address.
When you add Central licenses, you must manually attach them.

Note - You get the license details in the Check Point User Center.

Syntax

cplic db_add {-h | -help}


cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Features>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Management Server / Domain Management Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
    Case sensitive. Hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Example
If the file 192.0.2.11.lic contains one or more licenses, the command "cplic db_add -
l 192.0.2.11.lic" produces output similar to:

[Expert@MGMT]# cplic db_add -l 192.0.2.11.lic


Adding license to database ...
Operation Done
[Expert@MGMT]#


cplic db_print

Description
Shows the details of Check Point licenses stored in the license repository on the Management
Server.

Syntax

cplic db_print {-h | -help}


cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x]
[{-t | -type}] [{-a | -attached}]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<Object Name>
    Prints only the licenses attached to <Object Name>.
    <Object Name> is the name of the Security Gateway / Cluster Member object as defined in SmartConsole.

-all
    Prints all the licenses in the license repository.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signatures.

{-t | -type}
    Prints licenses with their type: Central or Local.

{-a | -attached}
    Shows to which object the license is attached.
    Useful if the parameter "-all" is specified.


Example

[Expert@MGMT:0]# cplic db_print -all


Retrieving license information from database ...

The following licenses appear in the database:


===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a


Retrieving license information from database ...

The following licenses appear in the database:


===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#


cplic db_rm

Description
Removes a license from the license repository on the Management Server.
After you remove the license from the repository, it can no longer be used.

Warning - You can run this command ONLY after you detach the license with the
"cplic del" on page 140 command.

Syntax

cplic db_rm {-h | -help}


cplic [-d] db_rm <Signature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 144 command.

Example
[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn


cplic del

Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
This command can delete a license both on the local computer and on remote managed computers.

Syntax

cplic del {-h | -help}


cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-F <Output File>
    Saves the command output to the specified file.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 144 command.

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined in SmartConsole.


cplic del <object name>

Description
Detaches a Central license from a remote managed Security Gateway or Cluster Member.
When you run this command, it automatically updates the license repository.
The Central license remains in the license repository as an unattached license.

Syntax

cplic del {-h | -help}


cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP
Address>] <Signature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined in SmartConsole.

-F <Output File>
    Saves the command output to the specified file.

-ip <Dynamic IP Address>
    Deletes the license on the DAIP Security Gateway with the specified IP address.
    Note - If this parameter is used, then the object name must be that of a DAIP Security Gateway.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 144 command.


cplic get

Description
Retrieves all licenses from managed Security Gateways and Cluster Members into the license
repository on the Management Server.
This command helps synchronize the license repository with the managed Security Gateways
and Cluster Members.
When you run this command, it updates the license repository with all local changes.

Syntax

cplic get {-h | -help}

cplic [-d] get
      -all
      <IP Address>
      <Host Name>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-all
    Retrieves licenses from all Security Gateways and Cluster Members in the managed network.

<IP Address>
    The IP address of the Security Gateway / Cluster Member, from which licenses are to be retrieved.

<Host Name>
    The name of the Security Gateway / Cluster Member object as defined in SmartConsole, from which licenses are to be retrieved.


Example
If the Security Gateway with the object name MyGW contains four Local licenses, and the
license repository contains two other Local licenses, the command "cplic get MyGW"
produces output similar to this:

[Expert@MGMT:0]# cplic get MyGW


Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#


cplic print

Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed
licenses (both Local and Central).

Syntax

cplic print {-h | -help}

cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | -preatures}] [-D]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signature.

{-t | -type}
    Prints licenses showing their type: Central or Local.

-F <Output File>
    Saves the command output to the specified file.

{-p | -preatures}
    Prints licenses resolved to primitive features.

-D
    On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print


Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#


Example 2

[Expert@HostName:0]# cplic print -x


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#
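The rows printed by cplic print -x and by cplic db_print -all -x -a (above) are the inventory an administrator audits for expired or soon-to-expire licenses; the guide shows the columns but leaves the bookkeeping to you. The following Python script is an added example, not part of this guide or of any Check Point tool: it parses that output into records, flags licenses expiring within a chosen window, and formats the ddmmyyyy date that cplic check -t expects. The column layout it assumes is the one the examples show (Host, Expiration as ddMonyyyy or "Never", the signature when -x is given, the SKU and Certificate Key tokens, and, with -a, the attached object name as the last token); the sample output embedded in it is constructed for the example.

```python
"""Parse `cplic print -x` / `cplic db_print -all -x -a` output into a license
inventory and flag expired or soon-to-expire licenses.

Added example, not part of the Check Point guide and not a Check Point tool.
Column layout assumed from the guide's examples: Host, Expiration (ddMonyyyy
or "Never"), the signature when -x is given, SKU/feature tokens, and, for
db_print -a, the attached object name as the last token.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional

# Constructed sample, same shape as the guide's "cplic db_print -all -x -a" output.
SAMPLE_DB_PRINT = """\
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host Expiration Features
192.168.3.28 25Aug2019 2f540abb-d3bcb001-7e54513e-kfyigpwn CPMP-XXX CK-XXXXXXXXXXXX MGMT
192.0.2.11 Never aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2
192.0.2.12 26Nov2024 1111aaaa-2222bbbb-3333cccc-4444dddd CPSB-SWB CK00000000abcd MyGW3
"""


@dataclass
class License:
    host: str
    expiration: Optional[date]          # None means "Never"
    signature: Optional[str]
    features: List[str] = field(default_factory=list)
    attached_to: Optional[str] = None

    @property
    def certificate_key(self) -> Optional[str]:
        """The CK-... / CK... token that identifies the license in the User Center."""
        for tok in self.features:
            if tok.upper().startswith("CK"):
                return tok
        return None

    def days_left(self, today: date) -> Optional[int]:
        return None if self.expiration is None else (self.expiration - today).days


def parse_expiration(token: str) -> Optional[date]:
    """cplic prints dates as 25Aug2019; 'Never' (any case) means no expiry."""
    if token.lower() == "never":
        return None
    return datetime.strptime(token, "%d%b%Y").date()


def parse_cplic_output(text: str, with_signature: bool, with_attached: bool) -> List[License]:
    """Turn cplic print / db_print output into License records, skipping banners and headers."""
    licenses = []
    for line in text.splitlines():
        tokens = line.split()
        # A license row starts with a host followed by a date; anything else is chatter.
        if len(tokens) < 3 or tokens[0].lower() == "host":
            continue
        try:
            expiration = parse_expiration(tokens[1])
        except ValueError:
            continue
        rest = tokens[2:]
        signature = rest.pop(0) if with_signature else None
        attached = rest.pop() if with_attached else None
        licenses.append(License(tokens[0], expiration, signature, rest, attached))
    return licenses


def expiring_within(licenses: List[License], days: int, today: date) -> List[License]:
    """Licenses already expired or expiring in the next `days` days, soonest first."""
    hits = [l for l in licenses if l.days_left(today) is not None and l.days_left(today) <= days]
    return sorted(hits, key=lambda l: l.days_left(today))


def cplic_check_date(d: date) -> str:
    """Format a date as the ddmmyyyy string that `cplic check -t <Date>` expects."""
    return d.strftime("%d%m%Y")


if __name__ == "__main__":
    today = date(2024, 7, 4)
    inventory = parse_cplic_output(SAMPLE_DB_PRINT, with_signature=True, with_attached=True)
    for lic in expiring_within(inventory, 180, today):
        print(f"{lic.attached_to}: {lic.certificate_key} expires {lic.expiration} "
              f"({lic.days_left(today)} days), signature {lic.signature}")
    print("re-check with: cplic check -t", cplic_check_date(today))
```

Feed it real output by replacing SAMPLE_DB_PRINT with the text captured from cplic db_print -all -x -a (or cplic print -x with with_attached=False); the signature it prints for each flagged license is the value cplic del and cplic db_rm take.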


cplic put

Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}


cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -
select}] [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-
only}] -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Features>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-o | -overwrite}
    On a Security Gateway / Cluster Member, this option erases only the local licenses, but not the central licenses that are installed remotely.

{-c | -check-only}
    Verifies the license. Checks if the IP of the license matches the Check Point computer and if the signature is valid.

{-s | -select}
    Selects only the local license whose IP address matches the IP address of the Check Point computer.

-F <Output File>
    Saves the command output to the specified file.

{-P | -Pre-boot}
    Use this option after you have upgraded and before you reboot the Check Point computer.
    Use of this option prevents certain error messages.

{-k | -kernel-only}
    Pushes the current valid licenses to the kernel.
    For use by Check Point Support only.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Gateway / Cluster Member for a local license.
    Hostname or IP address of the Security Management Server / Domain Management Server for a central license.

<Expiration Date>
    The license expiration date.

<Signature>
    The signature string within the license.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic


Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#


cplic put <object name>

Description
Attaches one or more Central or Local licenses to a remote managed Security Gateways and
Cluster Members.
When you run this command, it automatically updates the license repository.

Note
n You get the license details in the Check Point User
Center.
n You can attach more than one license.

Syntax

cplic put {-h | -help}

cplic [-d] put <Object Name> [-ip <Dynamic IP Address>] [-F <Output File>] -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]


Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<Object Name>
    The name of the Security Gateway / Cluster Member object, as defined in SmartConsole.

-ip <Dynamic IP Address>
    Installs the license on the Security Gateway with the specified IP address.
    This parameter is used to install a license on a Security Gateway with a dynamically assigned IP address (DAIP).
    Note - If you use this parameter, then the object name must be that of a DAIP Security Gateway.

-F <Output File>
    Saves the command output to the specified file.

-l <License File>
    Installs the licenses from the <License File>.

<Host>
    Hostname or IP address of the Security Management Server / Domain Management Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG


Copy and paste the parameters from the license received from the User Center:

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab


cplic upgrade

Description
Upgrades licenses in the license repository with licenses in the specified license file.

Note - You get this license file in the Check Point User Center.

Syntax

cplic upgrade {-h | -help}


cplic [-d] upgrade -l <Input File>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-l <Input File>
    Upgrades the licenses in the license repository and on the Check Point Security Gateways / Cluster Members to match the licenses in the specified file.

Example
This example explains the procedure to upgrade the licenses in the license repository.
There are two Software Blade licenses in the input file:
- One license does not match any license on a remote managed Security Gateway.
- The other license matches an NGX-version license on a managed Security Gateway that
  has to be upgraded.
Workflow in this example:
1. Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the
Security Gateways with the previous product versions.
2. Import all licenses into the license repository.
You can also do this after you upgrade the products on the remote Security Gateways.
3. Run this command:

cplic get -all

Example:

[Expert@MyMGMT]# cplic get -all
Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

4. To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:

[Expert@MyMGMT]# cplic db_print -all -a
Retrieving license information from database ...

The following licenses appear in the database:
==================================================
Host          Expiration   Features
192.0.2.11    Never        CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11    26Nov2017    CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2

5. In the Check Point User Center, view the licenses for the products that were upgraded
from version NGX to a Software Blades license.
You can also create new upgraded licenses.
6. Download a file containing the upgraded licenses.
Only download licenses for the products that were upgraded from version NGX to
Software Blades.
7. If you did not import the version NGX licenses into the repository, import the version NGX
licenses now.

Use this command:

cplic get -all

8. Run the license upgrade command:

cplic upgrade -l <Input File>

- The licenses in the downloaded license file and in the license repository are
  compared.
- If the certificate keys and features match, the old licenses in the repository and in
  the remote Security Gateways are updated with the new licenses.
- A report of the results of the license upgrade is printed.
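Before step 8 is run, it is useful to know which licenses in the downloaded file will be matched against the repository and which repository licenses have already expired. The following is an added Python example, not code from the guide or from Check Point: it parses the "cplic db_print -all -a" listing shown above and a license file, keys the comparison on the Certificate Key (CK) token, and reports the outcome. The license-file line layout (host, expiration, signature, features, CK, in the cplic put parameter order), the signature strings and the second license are constructed assumptions.

```python
import re
from datetime import date, datetime
from typing import Dict, List, NamedTuple, Optional

# Added example; not part of the R80.40 guide or of Check Point's own tooling.
CK_RE = re.compile(r"^CK[0-9A-Fa-f]+$")          # Certificate Key token, e.g. CK0123456789ab
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # db_print license rows start with the host IP


class License(NamedTuple):
    host: str
    expiration: Optional[date]   # None means "Never"
    features: List[str]          # SKU/feature tokens, without the CK token
    ck: Optional[str]            # Certificate Key; None if the record has none
    name: str                    # object name column of db_print, "" for file records


def parse_expiration(token: str) -> Optional[date]:
    # cplic prints "Never"; dated licenses use the DDMonYYYY form, e.g. 26Nov2017.
    if token.lower() == "never":
        return None
    return datetime.strptime(token, "%d%b%Y").date()


def parse_license_line(line: str, with_signature: bool) -> License:
    # db_print row:       host expiration features... CK name
    # license-file row:   host expiration signature features... CK   (assumed layout)
    tokens = line.split()
    host, expiration = tokens[0], parse_expiration(tokens[1])
    rest = tokens[3:] if with_signature else tokens[2:]
    features: List[str] = []
    ck, name = None, ""
    for i, tok in enumerate(rest):
        if CK_RE.match(tok):
            ck, name = tok, " ".join(rest[i + 1:])
            break
        features.append(tok)
    return License(host, expiration, features, ck, name)


def parse_db_print(output: str) -> List[License]:
    # Skip the banner, the "Host Expiration Features" header and the ===== rule.
    records = []
    for ln in output.splitlines():
        tokens = ln.split()
        if len(tokens) >= 3 and IPV4_RE.match(tokens[0]):
            records.append(parse_license_line(ln, with_signature=False))
    return records


def parse_license_file(text: str) -> List[License]:
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    return [parse_license_line(ln, with_signature=True) for ln in rows]


def plan_upgrade(repo: List[License], new: List[License],
                 today: Optional[date] = None) -> Dict[str, list]:
    # cplic upgrade replaces a repository license when the certificate keys (and
    # features) match; this pre-check keys on the CK and reports what would happen.
    today = today or date.today()
    by_ck = {lic.ck: lic for lic in repo if lic.ck}
    plan: Dict[str, list] = {"upgrade": [], "unmatched": [], "expired_in_repo": []}
    for lic in new:
        old = by_ck.get(lic.ck) if lic.ck else None
        if old is None:
            plan["unmatched"].append(lic.ck or "<no CK>")
        else:
            plan["upgrade"].append((lic.ck, old.name, old.features, lic.features))
    for lic in repo:
        if lic.expiration is not None and lic.expiration < today:
            plan["expired_in_repo"].append((lic.name, lic.expiration.isoformat()))
    return plan


# Constructed sample input: the repository listing from this guide's example, and a
# constructed license file whose first license matches the NGX license of MyGW1
# and whose second license matches nothing. Signature strings are placeholders.
SAMPLE_DB_PRINT = """\
Retrieving license information from database ...

The following licenses appear in the database:
==================================================
Host          Expiration   Features
192.0.2.11    Never        CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11    26Nov2017    CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2
"""

SAMPLE_LICENSE_FILE = """\
# constructed: host expiration signature features... CK
192.0.2.11 never aaaaaaaaaa-bbbbbbbbbb-cccccccccc-dddddddddd CPSB-SWB CPSB-ADNC-S CK49C3A3CC7121
192.0.2.12 never eeeeeeeeee-ffffffffff-gggggggggg-hhhhhhhhhh CPSB-SWB CPSB-ADNC-M CK0000FEEDFACE
"""


def sample_plan() -> Dict[str, list]:
    return plan_upgrade(parse_db_print(SAMPLE_DB_PRINT), parse_license_file(SAMPLE_LICENSE_FILE))


if __name__ == "__main__":
    for key, items in sample_plan().items():
        print(key, items)
```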


For more about managing licenses, see the R80.40 Security Management Administration
Guide.


cppkg
Description
Manages the SmartUpdate software packages repository on the Security Management
Server.

Important - Installing software packages with SmartUpdate is not supported for
Security Gateways running on Gaia OS.

Syntax

cppkg
    add <options>
    {del | delete} <options>
    get
    getroot
    print
    setroot <options>

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run mdsenv).


Parameters

add <options>
    Adds a SmartUpdate software package to the repository.
    See "cppkg add" on page 156.

{del | delete} <options>
    Deletes a SmartUpdate software package from the repository.
    See "cppkg delete" on page 157.

get
    Updates the list of the SmartUpdate software packages in the repository.
    See "cppkg get" on page 159.

getroot
    Shows the path to the root directory of the repository (the value of
    the environment variable $SUROOT).
    See "cppkg getroot" on page 160.

print
    Prints the list of SmartUpdate software packages in the repository.
    See "cppkg print" on page 161.

setroot <options>
    Configures the path to the root directory of the repository.
    See "cppkg setroot" on page 162.


cppkg add

Description
Adds a SmartUpdate software package to the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
- This command does not overwrite existing packages. To overwrite an existing
  package, you must first delete the existing package.
- You get the SmartUpdate software packages from the Check Point Support
  Center.

Syntax

cppkg add <Full Path to Package | DVD Drive [Product]>

Parameters

<Full Path to Package>
    Specifies the full local path on the computer to the SmartUpdate
    software package.

DVD Drive [Product]
    Specifies the DVD root path.
    Example: /mnt/CPR80

Example - Adding R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print
Vendor         Product     Version     OS              Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz
Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print
Vendor         Product     Version     OS              Minor Version
----------------------------------------------------------------------------------
Check Point    CP1100      R77.20      Gaia Embedded   R77.20
[Expert@MGMT:0]#


cppkg delete

Description
Deletes SmartUpdate software packages from the SmartUpdate software packages
repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]
cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

Parameters

del | delete
    When you do not specify optional parameters, the command runs in the
    interactive mode. The command shows the menu with applicable options.

"<Vendor>"
    Specifies the package vendor. Enclose in double quotes.

"<Product>"
    Specifies the product name. Enclose in double quotes.

"<Major Version>"
    Specifies the package Major Version. Enclose in double quotes.

"<OS>"
    Specifies the package OS. Enclose in double quotes.

"<Minor Version>"
    Specifies the package Minor Version. Enclose in double quotes.

Notes:
- To see the values for the optional parameters, run the "cppkg print" on page 161
  command.
- You must specify all optional parameters, or no parameters.


Example 1 - Interactive mode

[Expert@MGMT:0]# cppkg delete
Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository
[Expert@MGMT:0]#

Example 2 - Manually deleting the specified package

[Expert@MGMT:0]# cppkg print
Vendor         Product     Version     OS              Minor Version
----------------------------------------------------------------------------------
Check Point    CP1100      R77.20      Gaia Embedded   R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#


cppkg get

Description
Updates the list of the SmartUpdate software packages in the SmartUpdate software
packages repository based on the real content of the repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg get

Example

[Expert@MGMT:0]# cppkg get
Update successfully completed
[Expert@MGMT:0]#


cppkg getroot

Description
Shows the path to the root directory of the SmartUpdate software packages repository (the
value of the environment variable $SUROOT)

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg getroot

Example

[Expert@MGMT:0]# cppkg getroot
[cppkg 7119 4128339728]@MGMT[29 May 19:16:06] Current repository root is set to :
/var/log/cpupgrade/suroot
[Expert@MGMT:0]#


cppkg print

Description
Prints the list of SmartUpdate software packages in the SmartUpdate software packages
repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg print

Example - R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print
Vendor         Product     Version     OS              Minor Version
----------------------------------------------------------------------------------
Check Point    CP1100      R77.20      Gaia Embedded   R77.20
[Expert@MGMT:0]#


cppkg setroot

Description
Configures the path to the root directory of the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
- The default path is: /var/log/cpupgrade/suroot
- When changing repository root directory:
  - This command copies the software packages from the old repository to
    the new repository. A package in the new location is overwritten by a
    package from the old location, if the packages have the same name.
  - This command updates the value of the environment variable $SUROOT in
    the Check Point Profile shell scripts ($CPDIR/tmp/.CPprofile.sh and
    $CPDIR/tmp/.CPprofile.csh).

Syntax

cppkg setroot <Full Path to Repository Root Directory>

Example

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory
Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :
1. Old repository content will be copied into the new repository
2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name

Change the current repository root ? [y/n] : y
The new repository directory does not exist. Create it ? [y/n] : y
Repository root was set to : /var/log/my_directory
Notice : To complete the setting of your directory, reboot the machine!
[Expert@MGMT:0]#


cpprod_util
Description
This utility works with Check Point Registry ($CPDIR/registry/HKLM_registry.data)
without manually opening it:
- Shows which Check Point products and features are enabled on this Check Point
  computer.
- Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}
cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}
cpprod_util -dump


Parameters

CPPROD_GetValue
    Gets the configuration status of the specified product or feature:
    - 0 - Disabled
    - 1 - Enabled

CPPROD_SetValue
    Sets the configuration for the specified product or feature.
    Important - Do not run these commands unless explicitly instructed
    by Check Point Support or R&D to do so.

"<Product>"
    Specifies the product or feature.

"<Parameter>"
    Specifies the configuration parameter for the specified product or feature.

"<Value>"
    Specifies the value of the configuration parameter for the specified
    product or feature:
    - One of these integers: 0, 1, 4
    - A string

-dump
    Creates a dump file of Check Point Registry ($CPDIR/registry/HKLM_registry.data)
    in the current working directory. The name of the output file is RegDump.


Notes
- On a Multi-Domain Server, you must run this command in the context of the relevant
  Domain Management Server.
- If you run the cpprod_util command without parameters, it prints:
  - The list of all available products and features (for example,
    "FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
  - The type of the expected argument when you configure a product or feature
    ("no-parameter", "string-parameter", or "integer-parameter")
  - The type of the returned output ("status-output", or "no-output")
- To redirect the output of the cpprod_util command, it is necessary to redirect the
  stderr to stdout:

  cpprod_util <options> > <output file> 2>&1

  Example:

  cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples
Example - Showing a list of all installed Check Point Products Packages on a Management
Server
[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#


Example - Checking if this Check Point computer is configured as a Management Server
[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone
[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability
[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability
[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability
[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server
[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled
[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is
enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#


Example - Checking if on this Management Server the Endpoint Policy Management blade is
enabled
[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Endpoint Policy Server
[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

Example - Showing a list of all installed Check Point Products Packages on a Security Gateway
[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway
[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled
[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the SmartProvisioning is enabled
[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode
[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of Full HA cluster
[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#


Example - Checking if this Security Gateway is configured with Dynamically Assigned IP (DAIP)
[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses
[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#
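The status flags above are the kind of thing an inventory or audit script queries one by one. The following is an added Python example, not code from the guide or from Check Point: it runs each flag with stderr merged into stdout, as the redirection note in this section requires, treats anything other than a bare 0 or 1 as unknown rather than as disabled, and summarizes the result. The sample_runner and its outputs are constructed so the block runs without cpprod_util; the real runner is run_cpprod_util.

```python
import subprocess
from typing import Callable, Dict, List, Optional

# Added example; not part of the R80.40 guide or of Check Point's own tooling.
Runner = Callable[[List[str]], str]

# Management-side status flags taken from this page's cpprod_util examples.
MGMT_ROLE_FLAGS = [
    "FwIsFirewallMgmt", "FwIsStandAlone", "FwIsPrimary", "FwIsActiveManagement",
    "FwIsSMCBackup", "FwIsLogServer", "FwIsAtlasManagement", "RtIsAnalyzerServer",
    "RtIsAnalyzerCorrelationUnit", "UepmIsInstalled", "UepmIsPolicyServer",
]


def run_cpprod_util(args: List[str]) -> str:
    # Runner for a real Gaia host. cpprod_util writes its output to stderr, so
    # stderr is merged into stdout, the subprocess equivalent of "> file 2>&1".
    proc = subprocess.run(["cpprod_util", *args], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True, check=False)
    return proc.stdout


def parse_status(output: str) -> Optional[bool]:
    # A status-output flag prints exactly "0" or "1". Anything else (unknown flag,
    # error text, empty output) is returned as None so it is never read as "disabled".
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if lines == ["1"]:
        return True
    if lines == ["0"]:
        return False
    return None


def role_inventory(flags: List[str], runner: Runner = run_cpprod_util) -> Dict[str, Optional[bool]]:
    return {flag: parse_status(runner([flag])) for flag in flags}


def installed_products(runner: Runner = run_cpprod_util) -> List[str]:
    # CPPROD_GetInstalledProducts prints one package name per line.
    out = runner(["CPPROD_GetInstalledProducts"])
    return [ln.strip() for ln in out.splitlines() if ln.strip()]


def summarize(inventory: Dict[str, Optional[bool]]) -> Dict[str, List[str]]:
    return {
        "enabled": sorted(f for f, v in inventory.items() if v is True),
        "disabled": sorted(f for f, v in inventory.items() if v is False),
        "unknown": sorted(f for f, v in inventory.items() if v is None),
    }


# Constructed stand-in runner so the block runs offline. The answers follow the
# Management Server outputs shown in this guide's examples (products list is a subset).
SAMPLE_OUTPUT = {
    "FwIsFirewallMgmt": "1\n", "FwIsStandAlone": "0\n", "FwIsPrimary": "1\n",
    "FwIsActiveManagement": "1\n", "FwIsSMCBackup": "1\n", "FwIsLogServer": "1\n",
    "FwIsAtlasManagement": "1\n", "RtIsAnalyzerServer": "1\n",
    "RtIsAnalyzerCorrelationUnit": "1\n", "UepmIsInstalled": "1\n",
    "UepmIsPolicyServer": "0\n",
    "CPPROD_GetInstalledProducts": "CPFC\nIDA\nMGMT\nFW1\nSecurePlatform\nSmartLog\nCPinfo\n",
}


def sample_runner(args: List[str]) -> str:
    # Unknown parameters get constructed error text, standing in for whatever a
    # real run prints when the answer is not a bare 0 or 1.
    return SAMPLE_OUTPUT.get(args[0], "constructed error: unknown parameter\n")


if __name__ == "__main__":
    print(summarize(role_inventory(MGMT_ROLE_FLAGS + ["NoSuchFlag"], sample_runner)))
    print(installed_products(sample_runner))
```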


cprid
Description
Manages the Check Point Remote Installation Daemon (cprid).
This daemon is used for remote upgrade and installation of Check Point products on the
managed Security Gateways.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run these commands in the context of the
  MDS (run mdsenv).

Commands

cpridstart
    Starts the Check Point Remote Installation Daemon (cprid).

cpridstop
    Stops the Check Point Remote Installation Daemon (cprid).

run_cprid_restart
    Stops and then starts the Check Point Remote Installation Daemon (cprid).


cprinstall
Description
Performs installation of Check Point product packages and associated operations on remote
managed Security Gateways.

Important - Installing software packages with this command is not supported for
Security Gateways that run on Gaia OS.
Notes:
- This command requires a license for SmartUpdate.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- On the remote Security Gateways these are required:
  - SIC Trust must be established between the Security Management Server
    and the Security Gateway.
  - The cpd daemon must run.
  - The cprid daemon must run.

Syntax

cprinstall
    boot <options>
    cprestart <options>
    cpstart <options>
    cpstop <options>
    delete <options>
    get <options>
    install <options>
    revert <options>
    show <options>
    snapshot <options>
    transfer <options>
    uninstall <options>
    verify <options>


Parameters

boot <options>
    Reboots the managed Security Gateway.
    See "cprinstall boot" on page 173.

cprestart <options>
    Runs the cprestart command on the managed Security Gateway.
    See "cprinstall cprestart" on page 174.

cpstart <options>
    Runs the cpstart command on the managed Security Gateway.
    See "cprinstall cpstart" on page 175.

cpstop <options>
    Runs the cpstop command on the managed Security Gateway.
    See "cprinstall cpstop" on page 176.

delete <options>
    Deletes a snapshot (backup) file on the managed Security Gateway.
    See "cprinstall delete" on page 177.

get <options>
    - Gets details of the products and the operating system installed on
      the managed Security Gateway.
    - Updates the management database on the Security Management Server.
    See "cprinstall get" on page 178.

install <options>
    Installs Check Point products on the managed Security Gateway.
    See "cprinstall install" on page 179.

revert <options>
    Restores the managed Security Gateway that runs on SecurePlatform OS
    from a snapshot saved on that Security Gateway.
    See "cprinstall revert" on page 182.

show <options>
    Displays all snapshot (backup) files on the managed Security Gateway
    that runs on SecurePlatform OS.
    See "cprinstall show" on page 183.

snapshot <options>
    Creates a snapshot on the managed Security Gateway that runs on
    SecurePlatform OS and saves it on that Security Gateway.
    See "cprinstall snapshot" on page 184.

transfer <options>
    Transfers a software package from the repository to the managed Security
    Gateway without installing the package.
    See "cprinstall transfer" on page 185.

uninstall <options>
    Uninstalls Check Point products on the managed Security Gateway.
    See "cprinstall uninstall" on page 187.

verify <options>
    Confirms that these conditions hold:
    - The specific product can be installed on the managed Security Gateway.
    - The operating system and currently installed products on the managed
      Security Gateway are appropriate for the software package.
    - There is enough disk space on the managed Security Gateway to install
      the product.
    - There is a CPRID connection with the managed Security Gateway.
    See "cprinstall verify" on page 189.


cprinstall boot

Description
Reboots the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall boot <Object Name>

Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall boot MyGW


cprinstall cprestart

Description
Runs the cprestart command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cprestart <Object Name>

Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT:0]# cprinstall cprestart MyGW


cprinstall cpstart

Description
Runs the cpstart command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cpstart <Object Name>

Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstart MyGW


cprinstall cpstop

Description
Runs the cpstop command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cpstop {-proc | -nopolicy} <Object Name>

Parameters

-proc
    Kills the Check Point daemons and Security Servers, while it maintains the
    active Security Policy running in the Check Point kernel.
    Rules with a generic Allow, Drop or Reject action based on services continue
    to work.

-nopolicy
    Kills the Check Point daemons and Security Servers and unloads the
    Security Policy from the Check Point kernel.

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstop -proc MyGW


cprinstall delete

Description
Deletes a snapshot (backup) file on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall delete <Object Name> <Snapshot File>

Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>
    Specifies the name of the snapshot (backup) on SecurePlatform OS.

Example
[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017


cprinstall get

Description
- Gets details of the products and the operating system installed on the managed Security
  Gateway.
- Updates the management database on the Security Management Server.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall get <Object Name>

Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

Example:

[Expert@MGMT]# cprinstall get MyGW
Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system   Major Version   Minor Version
------------------------------------------------------------------------
SecurePlatform     R75.20          R75.20

Vendor        Product           Major Version   Minor Version
------------------------------------------------------------------------
Check Point   VPN-1 Power/UTM   R75.20          R75.20
Check Point   SecurePlatform    R75.20          R75.20
Check Point   SmartPortal       R75.20          R75.20
[Expert@MGMT]#


cprinstall install

Description
Installs Check Point products on the managed Security Gateway.

Important - Installing software packages with this command is not supported for
Security Gateways that run Gaia OS.
Notes:
- Before transferring the software package, this command runs the "cprinstall
  verify" on page 189 command.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall install [-boot] [-backup] [-skip_transfer] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

-boot
    Reboots the managed Security Gateway after installing the package.
    Note - Only reboot after ALL products have the same version. Reboot is
    canceled in certain scenarios.

-backup
    Creates a snapshot on the managed Security Gateway before installing
    the package.
    Note - Only on Security Gateways that run on SecurePlatform OS.

-skip_transfer
    Skips the transfer of the package.

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"
    Specifies the package vendor. Enclose in double quotes.
    Examples:
    - checkpoint
    - Check Point

"<Product>"
    Specifies the product name. Enclose in double quotes.
    Examples:
    - SVNfoundation
    - firewall
    - floodgate
    - CP1100
    - VPN-1 Power/UTM
    - SmartPortal

"<Major Version>"
    Specifies the package Major Version. Enclose in double quotes.

"<Minor Version>"
    Specifies the package Minor Version. Enclose in double quotes.


Example

[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"
Installing firewall R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#


cprinstall revert

Description
Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot
saved on that Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall revert <Object Name> <Snapshot File>

Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>
    Name of the SecurePlatform snapshot file.
    To see the names of the saved snapshot files, run the "cprinstall show" on
    page 183 command.


cprinstall show

Description
Displays all snapshot (backup) files on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall show <Object Name>

Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall show GW1
SU_backup.tzg
[Expert@MGMT]#


cprinstall snapshot

Description
Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and
saves it on that Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall snapshot <Object Name> <Snapshot File>

Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>
    Name of the SecurePlatform snapshot file.
    To see the names of the saved snapshot files, run the "cprinstall show" on
    page 183 command.


cprinstall transfer

Description
Transfers a software package from the repository to the managed Security Gateway without
installing the package.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"
    Specifies the package vendor. Enclose in double quotes.
    Examples:
    - checkpoint
    - Check Point

"<Product>"
    Specifies the product name. Enclose in double quotes.
    Examples:
    - SVNfoundation
    - firewall
    - floodgate
    - CP1100

"<Major Version>"
    Specifies the package major version. Enclose in double quotes.

"<Minor Version>"
    Specifies the package minor version. Enclose in double quotes.


cprinstall uninstall

Description
Uninstalls Check Point products on the managed Security Gateway.

Important - Uninstalling software packages with this command is not supported for
Security Gateways running on Gaia OS.
Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- Before uninstalling product packages, this command runs the "cprinstall verify"
  on page 189 command.
- After uninstalling a product package, you must run the "cprinstall get" on
  page 178 command.
- To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

-boot
    Reboots the managed Security Gateway after uninstalling the package.
    Note - Reboot is canceled in certain scenarios.

<Object Name>
    The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"
    Specifies the package vendor. Enclose in double quotes.
    Examples:
    - checkpoint
    - Check Point

"<Product>"
    Specifies the product name. Enclose in double quotes.
    Examples:
    - SVNfoundation
    - firewall
    - floodgate
    - CP1100

"<Major Version>"
    Specifies the package major version. Enclose in double quotes.

"<Minor Version>"
    Specifies the package minor version. Enclose in double quotes.

Example
[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get

cprinstall verify

Description
Confirms that:
- The specific product can be installed on the managed Security Gateway.
- The operating system and the currently installed products on the managed Security
  Gateway are appropriate for the software package.
- There is enough disk space on the managed Security Gateway to install the product.
- There is a CPRID connection with the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major Version>" ["<Minor Version>"]


Parameters

Parameter            Description

<Object Name>        The name of the Security Gateway object as configured in
                     SmartConsole.

"<Vendor>"           Specifies the package vendor. Enclose in double quotes.
                     Examples:
                     - checkpoint
                     - Check Point

"<Product>"          Specifies the product name. Enclose in double quotes.
                     Examples:
                     - SVNfoundation
                     - firewall
                     - floodgate
                     - CP1100
                     - VPN-1 Power/UTM
                     - SmartPortal

"<Major Version>"    Specifies the package major version. Enclose in double quotes.

"<Minor Version>"    Specifies the package minor version. Enclose in double quotes.
                     This parameter is optional.

Example 1 - Verification succeeds


[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Example 2 - Verification fails


[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R75 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.

cpstart
Description
Manually starts all Check Point processes and applications.

Notes:
- For the cprid daemon, use the "cprid" on page 169 command.
- For manually starting specific Check Point processes, see sk97638.

Syntax

cpstart

cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter       Description

-d              Runs the command in debug mode.
                Use only if you troubleshoot the command itself.
                Best Practice - If you use this parameter, then redirect the output
                to a file, or use the script command to save the entire CLI
                session.
                The output shows the SNMP queries and SNMP responses for the
                applicable SNMP OIDs.

-h <Host>       Optional.
                When you run this command on a Management Server, this parameter
                specifies the managed Security Gateway.
                <Host> is an IPv4 address, a resolvable hostname, or a DAIP object
                name.
                The default is localhost.
                Note - On a Multi-Domain Server, you must run this command in
                the context of the applicable Domain Management Server:
                mdsenv <IP Address or Name of Domain Management Server>

-p <Port>       Optional.
                Port number of the Application Monitoring (AMON) server.
                The default port is 18192.

-s <SICname>    Optional.
                Secure Internal Communication (SIC) name of the Application
                Monitoring (AMON) server.

-f <Flavor>     Optional.
                Specifies the type of the information to collect.
                If you do not specify a flavor explicitly, the command uses the first flavor
                in the <Application Flag>. To see all flavors, run the cpstat
                command without any parameters.

-o <Polling Interval>
                Optional.
                Specifies the polling interval (in seconds) - how frequently the
                command collects and shows the information.
                Examples:
                - 0 - The command shows the results only once and then stops (this
                  is the default value).
                - 5 - The command shows the results every 5 seconds in the loop.
                - 30 - The command shows the results every 30 seconds in the loop.
                - N - The command shows the results every N seconds in the loop.
                Use this parameter together with the "-c <Count>" parameter and the
                "-e <Period>" parameter.
                Example:
                cpstat os -f perf -o 2

-c <Count>      Optional.
                Specifies how many times the command runs and shows the results
                before it stops.
                You must use this parameter together with the "-o <Polling
                Interval>" parameter.
                Examples:
                - 0 - The command shows the results repeatedly every <Polling
                  Interval> (this is the default value).
                - 10 - The command shows the results 10 times every <Polling
                  Interval> and then stops.
                - 20 - The command shows the results 20 times every <Polling
                  Interval> and then stops.
                - N - The command shows the results N times every <Polling
                  Interval> and then stops.
                Example:
                cpstat os -f perf -o 2 -c 2

-e <Period>     Optional.
                Specifies the time (in seconds), over which the command calculates the
                statistics.
                You must use this parameter together with the "-o <Polling
                Interval>" parameter.
                You can use this parameter together with the "-c <Count>"
                parameter.
                Example:
                cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag>
                Mandatory.
                See the table below with flavors for the application flags.

These flavors are available for the application flags:

Note - The available flags depend on the enabled Software Blades. Some flags are
supported only by a Security Gateway, and some flags are supported only by a
Management Server.

Each entry gives the feature or Software Blade, its application flag, and the flavors
that flag supports.

List of enabled Software Blades
    Flag: blades
    Flavors: fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi, anti_bot, default,
             content_awareness, threat-emulation, default

Operating System
    Flag: os
    Flavors: default, ifconfig, routing, routing6, memory, old_memory, cpu, disk,
             perf, multi_cpu, multi_disk, raidInfo, sensors, power_supply, hw_info,
             all, average_cpu, average_memory, statistics, updates, licensing,
             connectivity, vsx

Firewall
    Flag: fw
    Flavors: default, interfaces, policy, perf, hmem, kmem, inspect, cookies,
             chains, fragments, totals, totals64, ufp, http, ftp, telnet, rlogin,
             smtp, pop3, sync, log_connection, all

HTTPS Inspection
    Flag: https_inspection
    Flavors: default, hsm_status, all

Identity Awareness
    Flag: identityServer
    Flavors: default, authentication, logins, ldap, components, adquery, idc, muh

Application Control
    Flag: appi
    Flavors: default, subscription_status, update_status, RAD_status,
             top_last_hour, top_last_day, top_last_week, top_last_month

URL Filtering
    Flag: urlf
    Flavors: default, subscription_status, update_status, RAD_status,
             top_last_hour, top_last_day, top_last_week, top_last_month

IPS
    Flag: ips
    Flavors: default, statistics, all

Anti-Virus
    Flag: ci
    Flavors: default

Threat Prevention
    Flag: antimalware
    Flavors: default, scanned_hosts, scanned_mails, subscription_status,
             update_status, ab_prm_contracts, av_prm_contracts, ab_prm_contracts,
             av_prm_contracts

Threat Emulation
    Flag: threat-emulation
    Flavors: default, general_statuses, update_status, scanned_files,
             malware_detected, scanned_on_cloud, malware_on_cloud,
             average_process_time, emulated_file_size, queue_size, peak_size,
             file_type_stat_file_scanned, file_type_stat_malware_detected,
             file_type_stat_cloud_scanned, file_type_stat_cloud_malware_scanned,
             file_type_stat_filter_by_analysis, file_type_stat_cache_hit_rate,
             file_type_stat_error_count, file_type_stat_no_resource_count,
             contract, downloads_information_current,
             downloading_file_information, queue_table, history_te_incidents,
             history_te_comp_hosts

Threat Extraction
    Flag: scrub
    Flavors: default, subscription_status, threat_extraction_statistics

Mobile Access
    Flag: cvpn
    Flavors: cvpnd, sysinfo, products, overall

VSX
    Flag: vsx
    Flavors: default, stat, traffic, conns, cpu, all, memory, cpu_usage_per_core

IPsec VPN
    Flag: vpn
    Flavors: default, product, IKE, ipsec, traffic, compression, accelerator, nic,
             statistics, watermarks, all

Data Loss Prevention
    Flag: dlp
    Flavors: default, dlp, exchange_agents, fingerprint

Content Awareness
    Flag: ctnt
    Flavors: default

QoS
    Flag: fg
    Flavors: all

High Availability
    Flag: ha
    Flavors: default, all

Policy Server for Remote Access VPN clients
    Flag: polsrv
    Flavors: default, all

Desktop Policy Server for Remote Access VPN clients
    Flag: dtps
    Flavors: default, all

LTE / GX
    Flag: gx
    Flavors: default, contxt_create_info, contxt_delete_info, contxt_update_info,
             contxt_path_mng_info, GXSA_GPDU_info, contxt_initiate_info,
             gtpv2_create_info, gtpv2_delete_info, gtpv2_update_info,
             gtpv2_path_mng_info, gtpv2_cmd_info, all

Management Server
    Flag: mg
    Flavors: default, log_server, indexer

Certificate Authority
    Flag: ca
    Flavors: default, crl, cert, user, all

SmartEvent
    Flag: cpsemd
    Flavors: default

SmartEvent Correlation Unit
    Flag: cpsead
    Flavors: default

Log Server
    Flag: ls
    Flavors: default

CloudGuard Controller
    Flag: vsec
    Flavors: default

SmartReporter
    Flag: svr
    Flavors: default

Provisioning Agent
    Flag: PA
    Flavors: default

Thresholds configured with the threshold_config command
    Flag: thresholds
    Flavors: default, active_thresholds, destinations, error

Historical status values
    Flag: persistency
    Flavors: product, TableConfig, SourceConfig


Examples
Example - Interfaces on a Security Gateway
[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
--------------------------------------------------------------------------------------------------------------------
|Name|IP |Netmask |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
--------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth1| 172.30.60.80|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth2| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth3| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth4| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth5| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth6| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth7| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
--------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway


[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy


Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#


Example - CPU utilization


[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance
[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320


Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320


Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#


Example - List of current connected sessions on a Management Server


[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server


Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#
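A defender's use for the policy Interface table shown above, as an added example that is not part of the Check Point guide: the POSIX shell function below parses the per-interface Total/Accept/Deny/Log counters printed by cpstat -f default fw and reports each interface and direction whose dropped share of traffic is at or above a threshold. An interface whose inbound traffic is almost entirely denied is either receiving only unwanted traffic or is covered by a rule that drops what it should accept, and either deserves a look. The table embedded in the block is a constructed copy of the output shown above; the function names deny_report and deny_report_sample are this example's own, and on a gateway you would pipe the live command into deny_report instead of the sample.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: find interfaces that mostly
# drop traffic, from the Interface table printed by "cpstat -f default fw".

# Constructed sample: a copy of the policy output shown in the guide's example.
SAMPLE_POLICY_OUTPUT='Policy name: MyGW_Policy
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------'

# deny_report [THRESHOLD_PERCENT] < cpstat-output
# Prints "<Name> <Dir> <deny%> <Deny> <Log>" for each row whose Deny share of
# Total is at or above the threshold (default 50). The header row, the dashed
# separators, the unnamed grand-total row and rows with Total 0 are skipped.
deny_report() {
    threshold="${1:-50}"
    awk -F'|' -v thr="$threshold" '
        # A data row splits into 8 fields on "|" and has a non-empty Name.
        NF == 8 && $2 != "Name" && $2 !~ /^ *$/ {
            name = $2; dir = $3
            total = $4 + 0; deny = $6 + 0; logged = $7 + 0
            gsub(/ /, "", name); gsub(/ /, "", dir)
            if (total == 0) next
            pct = 100 * deny / total
            if (pct >= thr) printf "%s %s %.1f %d %d\n", name, dir, pct, deny, logged
        }'
}

# Runs the report over the constructed sample. On a gateway use:
#   cpstat -f default fw | deny_report 50
deny_report_sample() {
    printf '%s\n' "$SAMPLE_POLICY_OUTPUT" | deny_report "$1"
}

deny_report_sample 50
```

With the sample and a 50% threshold the report lists eth0 in (98.6% denied, 52 logged) and eth1 through eth4 in (100% denied); the outbound rows either drop nothing or carry no traffic. The Log column is printed beside the counts because a high deny count with a near-zero log count means most of the dropped traffic left no log record, which is worth knowing before relying on the logs to investigate it.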

cpstop
Description
Manually stops all Check Point processes and applications.

Notes:
- For the cprid daemon, use the "cprid" on page 169 command.
- For manually stopping specific Check Point processes, see sk97638.

Syntax

cpstop

cpview
Overview of CPView

Description
CPView is a text-based built-in utility on a Check Point computer.
CPView shows statistical data that contains both general system information (CPU,
Memory, Disk space) and information for the different Software Blades (only on a
Security Gateway).
CPView continuously updates the data in easy-to-access views.

On Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface


The CPView user interface has three sections:

Section       Description

Header        This view shows the time the statistics in the third view are collected.
              It updates when you refresh the statistics.

Navigation    This menu bar is interactive. Move between menus with the arrow keys and
              mouse.
              A menu can have sub-menus and they show under the menu bar.

View          This view shows the statistics collected in that view.
              These statistics update at the refresh rate.


Using CPView
Use these keys to navigate the CPView:

Key          Description

Arrow keys   Moves between menus and views. Scrolls in a view.

Home         Returns to the Overview view.

Enter        Changes to the View Mode.
             On a menu with sub-menus, the Enter key moves you to the lowest level
             sub-menu.

Esc          Returns to the Menu Mode.

Q            Quits CPView.

Use these keys to change CPView interface options:

Key          Description

R            Opens a window where you can change the refresh rate.
             The default refresh rate is 2 seconds.

W            Changes between wide and normal display modes.
             In wide mode, CPView fits the screen horizontally.

S            Manually sets the number of rows or columns.

M            Switches on/off the mouse.

P            Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key          Description

C            Saves the current page to a file. The file name format is:
             cpview_<ID of the cpview process>.cap<Number of the capture>

H            Shows a tooltip with CPView options.

Space bar    Immediately refreshes the statistics.

cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes
such as Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products
and Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log
file.

The cpwd_admin utility shows the status of the monitored processes, and configures the
Check Point WatchDog.

There are two types of Check Point WatchDog monitoring:

Monitoring   Description

Passive      WatchDog restarts the process only when the process terminates
             abnormally.
             In the output of the cpwd_admin list command, the MON column shows
             N for passively monitored processes.

Active       WatchDog checks the process status every predefined interval.
             WatchDog makes sure the process is alive, as well as properly functioning
             (not stuck on deadlocks, frozen, and so on).
             In the output of the cpwd_admin list command, the MON column shows
             Y for actively monitored processes.
             The list of actively monitored processes is predefined by Check Point.
             Users cannot change or configure it.


Syntax

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

Parameters

Parameter           Description

config <options>    Configures the Check Point WatchDog.
                    See "cpwd_admin config" on page 207.

del <options>       Temporarily deletes a monitored process from the WatchDog database of
                    monitored processes.
                    See "cpwd_admin del" on page 211.

detach <options>    Temporarily detaches a monitored process from the WatchDog monitoring.
                    See "cpwd_admin detach" on page 212.

exist               Checks whether the WatchDog process cpwd is alive.
                    See "cpwd_admin exist" on page 213.

flist <options>     Saves the status of all monitored processes to a
                    $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
                    See "cpwd_admin flist" on page 214.

getpid <options>    Shows the PID of a monitored process.
                    See "cpwd_admin getpid" on page 216.


kill <options>      Terminates the WatchDog process cpwd.
                    See "cpwd_admin kill" on page 217.
                    Important - Do not run this command unless explicitly instructed by
                    Check Point Support or R&D to do so.

list                Prints the status of all monitored processes on the screen.
                    See "cpwd_admin list" on page 218.

monitor_list        Prints the status of actively monitored processes on the screen.
                    See "cpwd_admin monitor_list" on page 223.

start <options>     Starts a process as monitored by the WatchDog.
                    See "cpwd_admin start" on page 224.

start_monitor       Starts the active WatchDog monitoring - WatchDog monitors the
                    predefined processes actively.
                    See "cpwd_admin start_monitor" on page 227.

stop <options>      Stops a monitored process.
                    See "cpwd_admin stop" on page 228.

stop_monitor        Stops the active WatchDog monitoring - WatchDog monitors all processes
                    only passively.
                    See "cpwd_admin stop_monitor" on page 230.

cpwd_admin config

Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
      -h
      -a <options>
      -d <options>
      -p
      -r

Parameters

Parameter
    Description

-h
    Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N>
    Adds the WatchDog configuration parameters.
    Note - Spaces are not allowed between the name of the configuration parameter,
    the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N>
    Deletes the WatchDog configuration parameters that the user added with the
    "cpwd_admin config -a" command.

-p
    Shows the WatchDog configuration parameters that the user added with the
    "cpwd_admin config -a" command.

-r
    Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:

Each entry gives the configuration parameter, its accepted values, and its description.

default_ctx
    Accepted values: Text string up to 128 characters
    Description: On a VSX Gateway, configures the CTX value that is assigned to
    monitored processes, for which no CTX is specified.

display_ctx
    Accepted values:
    - 0 (default)
    - 1
    Description: On a VSX Gateway, configures whether the WatchDog shows the CTX
    column in the output of the cpwd_admin list command (between the APP and the
    PID columns):
    - 0 - Does not show the CTX column
    - 1 - Shows the CTX column

no_limit
    Accepted values:
    - Range: -1, 0, >0
    - Default: 5
    Description: If rerun_mode=1, specifies the maximal number of times the WatchDog
    tries to restart a process.
    - -1 - Always tries to restart
    - 0 - Never tries to restart
    - >0 - Tries this number of times

num_of_procs
    Accepted values:
    - Range: 30 - 2000
    - Default: 2000
    Description: Configures the maximal number of processes managed by the WatchDog.

rerun_mode
    Accepted values:
    - 0
    - 1 (default)
    Description: Configures whether the WatchDog restarts processes after they fail:
    - 0 - Does not restart a failed process. Monitor and log only.
    - 1 - Restarts a failed process (this is the default).

reset_startups
    Accepted values:
    - Range: > 0
    - Default: 3600
    Description: Configures the time (in seconds) the WatchDog waits after the
    process starts and before the WatchDog resets the process's startup_counter
    to 0.
    To see the process's startup counter, in the output of the cpwd_admin list
    command, refer to the #START column.

sleep_mode
    Accepted values:
    - 0
    - 1 (default)
    Description: Configures how the WatchDog restarts the process:
    - 0 - Ignores timeout and restarts the process immediately
    - 1 - Waits for the duration of sleep_timeout

sleep_timeout
    Accepted values:
    - Range: 0 - 3600
    - Default: 60
    Description: If rerun_mode=1, specifies how much time (in seconds) passes from
    a process failure until WatchDog tries to restart it.

stop_timeout
    Accepted values:
    - Range: > 0
    - Default: 60
    Description: Configures the time (in seconds) the WatchDog waits for a process
    stop command to complete.

zero_timeout
    Accepted values:
    - Range: > 0
    - Default: 7200
    Description: After failing no_limit times to restart a process, the WatchDog
    waits zero_timeout seconds before it tries again.
    The value of the zero_timeout must be greater than the value of the timeout.

The WatchDog saves the user defined configuration parameters in the
$CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"


: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...

Example

[Expert@HostName:0]# cpwd_admin config -p


cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r


cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
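A mistyped parameter or an out-of-range value only shows its effect after the cpstop ; cpstart that the configuration change requires, so a pre-flight check of the NAME=VALUE pairs is worth having. The POSIX shell function below is an added example and is not part of the Check Point guide or of the cpwd_admin tool: it checks each pair against the syntax rule above (no spaces around the equal sign) and against the accepted values from the configuration parameter table, prints a reason for every rejected pair, and returns non-zero if any pair is rejected. The function names cpwd_config_check and is_int are this example's own, and the function never runs cpwd_admin itself; the relation between zero_timeout and "the timeout" is not checked because the table does not say which timeout it refers to.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: validate NAME=VALUE pairs
# against the cpwd_admin config table before running "cpwd_admin config -a".

# is_int VALUE: true if VALUE is an optionally negative decimal integer.
is_int() {
    case "$1" in
        -?*) digits="${1#-}" ;;
        *)   digits="$1" ;;
    esac
    case "$digits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# cpwd_config_check NAME=VALUE ...
# Prints a reason for every rejected pair and returns 1 if any pair is rejected.
# Ranges and accepted values are the ones in the configuration parameter table.
cpwd_config_check() {
    rc=0
    for pair in "$@"; do
        case "$pair" in
            *' '*) echo "reject '$pair': spaces are not allowed around the equal sign"; rc=1; continue ;;
            *=*)   ;;
            *)     echo "reject '$pair': expected NAME=VALUE"; rc=1; continue ;;
        esac
        name="${pair%%=*}"
        value="${pair#*=}"
        case "$name" in
            default_ctx)
                [ "${#value}" -le 128 ] ||
                    { echo "reject $name: text string up to 128 characters"; rc=1; } ;;
            display_ctx|rerun_mode|sleep_mode)
                case "$value" in
                    0|1) ;;
                    *)   echo "reject $name=$value: accepted values are 0 and 1"; rc=1 ;;
                esac ;;
            no_limit)
                is_int "$value" && [ "$value" -ge -1 ] ||
                    { echo "reject $name=$value: accepted values are -1, 0 or >0"; rc=1; } ;;
            num_of_procs)
                is_int "$value" && [ "$value" -ge 30 ] && [ "$value" -le 2000 ] ||
                    { echo "reject $name=$value: range is 30 - 2000"; rc=1; } ;;
            sleep_timeout)
                is_int "$value" && [ "$value" -ge 0 ] && [ "$value" -le 3600 ] ||
                    { echo "reject $name=$value: range is 0 - 3600"; rc=1; } ;;
            reset_startups|stop_timeout|zero_timeout)
                is_int "$value" && [ "$value" -gt 0 ] ||
                    { echo "reject $name=$value: value must be > 0"; rc=1; } ;;
            *)
                echo "reject $name: not a documented WatchDog configuration parameter"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: run the check first and apply only if it passes, for example
#   cpwd_config_check sleep_timeout=120 no_limit=12 &&
#       cpwd_admin config -a sleep_timeout=120 no_limit=12
cpwd_config_check sleep_timeout=120 no_limit=12
```

The pairs in the guide's own example, sleep_timeout=120 no_limit=12, pass the check; sleep_timeout=5000, num_of_procs=10, rerun_mode=2 or a pair written with spaces around the equal sign are rejected with the reason printed.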

cpwd_admin del

Description
Temporarily deletes a monitored process from the WatchDog database of monitored
processes.

Notes:
- WatchDog stops monitoring the deleted process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the deleted
  process anymore.
- This change applies until all Check Point services restart during boot, or with the
  "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin del -name <Application Name>

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

Parameter            Description

<Application Name>   Name of the monitored Check Point process as you see in the output of
                     the "cpwd_admin list" on page 218 command in the leftmost column
                     APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM

-ctx <VSID>          On a VSX Gateway, specifies the context of the applicable Virtual
                     System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD


cpwd_admin:
successful Del operation
[Expert@HostName:0]#

cpwd_admin detach

Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the detached
  process anymore.
- This change applies until all Check Point services restart during boot, or with the
  "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin detach -name <Application Name>

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

Parameter            Description

<Application Name>   Name of the monitored Check Point process as you see in the output of
                     the "cpwd_admin list" on page 218 command in the leftmost column
                     APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM

-ctx <VSID>          On a VSX Gateway, specifies the context of the applicable Virtual
                     System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD


cpwd_admin:
successful Detach operation
[Expert@HostName:0]#

cpwd_admin exist

Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist


cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#

cpwd_admin flist

Description
Saves the status of all WatchDog monitored processes to a file.

Syntax on a Management Server

cpwd_admin flist [-full]

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

Parameter Description

-full Shows the verbose output.

-ctx <VSID> On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

Column        Description

APP           Shows the WatchDog name of the monitored process.

CTX           On a VSX Gateway, shows the VSID, in which the monitored process
              runs.

PID           Shows the PID of the monitored process.

STAT          Shows the status of the monitored process:
              - E - executing
              - T - terminated

#START        Shows how many times the WatchDog started the monitored process.

START_TIME    Shows the time when the WatchDog started the monitored process for the
              last time.

SLP/LIMIT     In verbose output, shows the values of the sleep_timeout and
              no_limit configuration parameters (see "cpwd_admin config" on page 207).

MON           Shows how the WatchDog monitors this process (see the explanation for
              the "cpwd_admin" on page 204):
              - Y - Active monitoring
              - N - Passive monitoring

COMMAND       Shows the command the WatchDog runs to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist


/opt/CPshrd-R80.40/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#

cpwd_admin getpid

Description
Shows the PID of a WatchDog monitored process.

Syntax for a Management Server

cpwd_admin getpid -name <Application Name>

Syntax for a Security Gateway

cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

Parameters

Parameter            Description

<Application Name>   Name of the monitored Check Point process as you see in the output of
                     the "cpwd_admin list" on page 218 command in the leftmost column
                     APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM

-ctx <VSID>          On a VSX Gateway, specifies the context of the applicable Virtual
                     System.

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD


5640
[Expert@HostName:0]#

cpwd_admin kill

Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 201 and "cpstart" on page 191 commands.

Syntax

cpwd_admin kill

cpwd_admin list

Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Management Server

cpwd_admin list [-full]

Syntax on a Security Gateway

cpwd_admin list [-full] [-ctx <VSID>]

Parameters

Parameter Description

-full Shows the verbose output.

-ctx <VSID> On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

Column        Description

APP           Shows the WatchDog name of the monitored process.

CTX           On a VSX Gateway, shows the VSID, in which the monitored process
              runs.

PID           Shows the PID of the monitored process.

STAT          Shows the status of the monitored process:
              - E - executing
              - T - terminated

#START        Shows how many times the WatchDog started the monitored process.

START_TIME    Shows the time when the WatchDog started the monitored process for the
              last time.

SLP/LIMIT     In verbose output, shows the values of the sleep_timeout and
              no_limit configuration parameters (see "cpwd_admin config" on page 207).

MON           Shows how the WatchDog monitors this process (see the explanation for
              the "cpwd_admin" on page 204):
              - Y - Active monitoring
              - N - Passive monitoring

COMMAND       Shows the command the WatchDog runs to start this process.

Examples
Example - Default output on a Management Server
[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R80.40/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-R80.40/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2019 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
[Expert@HostName:0]#
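As an added example that is not part of the Check Point guide, the POSIX shell function below reads cpwd_admin list output and reports the processes the WatchDog shows as terminated (STAT T) or has started more than once (#START above 1). A rising #START on a daemon such as fwd or cpd means the WatchDog has been restarting it, which is the kind of signal that should send you to $CPDIR/log/cpwd.elg and the daemon's own logs. The function reads the STAT and #START column positions from the header line, so it parses both the Management Server layout and the Security Gateway layout with the extra CTX column. The output embedded in the block is constructed from the Management Server example above plus an FWD row invented to show a restarted process; the function names cpwd_health and cpwd_health_sample are this example's own.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: triage "cpwd_admin list" output.

# Constructed sample: rows copied from the Management Server example above,
# plus an FWD row made up to show a process the WatchDog has restarted twice.
SAMPLE_CPWD_LIST='APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
FWD 21044 E 3 [18:02:10] 31/5/2019 N fwd
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script'

# cpwd_health < cpwd_admin-list-output
# Prints "TERMINATED <APP>" for rows with STAT T and "RESTARTED <APP> <#START>"
# for rows started more than once. Column positions are taken from the header
# line, so the Security Gateway layout (with a CTX column) parses the same way.
cpwd_health() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF == 0 { next }
        {
            app = $1
            stat = $(col["STAT"])
            starts = $(col["#START"]) + 0
            if (stat == "T") printf "TERMINATED %s\n", app
            else if (starts > 1) printf "RESTARTED %s %d\n", app, starts
        }'
}

# Runs the check over the constructed sample. On a live system use:
#   cpwd_admin list | cpwd_health
cpwd_health_sample() {
    printf '%s\n' "$SAMPLE_CPWD_LIST" | cpwd_health
}

cpwd_health_sample
```

On the sample the function reports TERMINATED HISTORYD and RESTARTED FWD 3. The guide's own examples show HISTORYD terminated with #START 0 on a healthy system, so treat the report as a triage list to compare against a known-good baseline rather than as an alarm on its own; reset_startups (see "cpwd_admin config") also zeroes #START after a process has run long enough, so a count of 1 does not prove a daemon never restarted.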


Example - Default output on a Security Gateway


[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 N ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2019 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 N DAService_script
[Expert@HostName:0]#


Example - Verbose output on a Management Server


[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/java_solr
COMMAND = java_solr /opt/CPrt-R80.40/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/log_indexer/log_indexer
COMMAND = /opt/CPrt-R80.40/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R80.40/smartlog_server
COMMAND = /opt/CPSmartLog-R80.40/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#


Example - Verbose output on a Security Gateway


[Expert@HostName:0]# cpwd_admin list -full
APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 3/u N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
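The Management Server and Security Gateway listings above differ by the CTX column, so a script that watches WatchDog state should locate columns by header name rather than by position. The following health check is an added example, not part of the guide or of Check Point's tooling; its two inputs are constructed to resemble the outputs above, with the CPD, FWD and RAD lines altered to show a restarted and a non-running process.

```shell
#!/bin/bash
# Health check over "cpwd_admin list" output: report every process whose
# STAT is not E (executing) or that the WatchDog has started more than once
# (#START > 1), i.e. processes that died and were restarted.
# Works for both layouts: Management Server (APP PID STAT #START ...)
# and Security Gateway / VSX (APP CTX PID STAT #START ...).

# Constructed sample shaped like the Management Server output above;
# the CPD line is altered to show three starts.
SAMPLE_MGMT='APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 3 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml'

# Constructed sample shaped like the Security Gateway output above (extra CTX
# column); the FWD and RAD lines are altered to show a restart and a stop.
SAMPLE_GW='APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
FWD 0 5640 E 2 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 T 1 [18:14:28] 23/5/2019 N rad'

# cpwd_findings: read "cpwd_admin list" output on stdin and print one line
# per problem, "<APP> not-running" or "<APP> restarted=<#START>".
cpwd_findings() {
    awk '
    NR == 1 {
        # Map header names to column numbers so the optional CTX column
        # and the variable-length COMMAND column do not matter.
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    NF == 0 { next }
    {
        app = $(col["APP"]); stat = $(col["STAT"]); starts = $(col["#START"])
        if (stat != "E") print app " not-running"
        else if (starts + 0 > 1) print app " restarted=" starts
    }'
}

# cpwd_check: run the check on the given sample text, or on the live
# "cpwd_admin list" output when no argument is given. Prints the findings
# and returns 1 when there are any, so it can drive a cron job or a
# monitoring agent; returns 0 when every process is running as expected.
cpwd_check() {
    local input="$1" findings
    if [ -n "$input" ]; then
        findings=$(printf '%s\n' "$input" | cpwd_findings)
    else
        findings=$(cpwd_admin list | cpwd_findings)
    fi
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run `cpwd_check` with no argument on a Check Point computer to check the live WatchDog table; the two samples exercise the parser offline.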


cpwd_admin monitor_list

Description
Prints the status of the actively monitored processes on the screen.
See the explanation about active monitoring in "cpwd_admin" on page 204.

Syntax

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list
cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#


cpwd_admin start

Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server

cpwd_admin start -name <Application Name> -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Syntax on a Security Gateway

cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

Parameter Description

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    • FWM
    • FWD
    • CPD
    • CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.


-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable, including the executable name.
    Must be enclosed in double quotes.
    Examples:
    • For FWM: "$FWDIR/bin/fwm"
    • For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    • For CPD: "$CPDIR/bin/cpd"
    • For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh"
    • For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must be enclosed in double quotes.
    Examples:
    • For FWM: "fwm"
    • For FWM on Multi-Domain Server: "fwm mds"
    • For FWD: "fwd"
    • For CPD: "cpd"
    • For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh -s"
    • For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl -c "/opt/CPuepm-R80.40/engine/conf/cptnl_srv.conf""

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    • inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    • <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

-slp_timeout <Timeout>
    Configures the specified value of the "sleep_timeout" configuration parameter.
    See "cpwd_admin config" on page 207.

-retry_limit {<Limit> | u}
    Configures the value of the "retry_limit" configuration parameter.
    See "cpwd_admin config" on page 207.
    • <Limit> - Tries to restart the process the specified number of times
    • u - Tries to restart the process an unlimited number of times


Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin start_monitor

Description
Starts the active WatchDog monitoring. The WatchDog then monitors the predefined processes actively.
See the explanation in "cpwd_admin" on page 204.

Syntax

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor
cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#


cpwd_admin stop

Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Management Server

cpwd_admin stop -name <Application Name> [-path "<Full Path to Executable>" -command "<Command Syntax>"] [-env {inherit | <Env_Var>=<Value>}]

Syntax on a Security Gateway

cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to Executable>" -command "<Command Syntax>"] [-env {inherit | <Env_Var>=<Value>}]

Parameters

Parameter Description

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    • FWM
    • FWD
    • CPD
    • CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable, including the executable name.
    Must be enclosed in double quotes.
    Examples:
    • For FWM: "$FWDIR/bin/fwm"
    • For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    • For CPD: "$CPDIR/bin/cpd_admin"


-command "<Command Syntax>"
    The command and its arguments to run.
    Must be enclosed in double quotes.
    Examples:
    • For FWM: "fw kill fwm"
    • For FWD: "fw kill fwd"
    • For CPD: "cpd_admin stop"

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    • inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    • <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin stop_monitor

Description
Stops the active WatchDog monitoring. The WatchDog then monitors all processes only passively.
See the explanation in "cpwd_admin" on page 204.

Syntax

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor
cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#


dbedit
Description
Edits the management database - the $FWDIR/conf/objects_5_0.C file - on the Security Management Server or Domain Management Server. See sk13301.

Important - Do NOT run this command, unless explicitly instructed by Check Point
Support or R&D to do so. Otherwise, you can corrupt settings in the management
database.

Syntax

dbedit -help
dbedit [-globallock] [{-local | -s <Management_Server>}] [{-u <Username> | -c <Certificate>}] [-p <Password>] [-f <File_Name> [ignore_script_failure] [-continue_updating]] [-r "<Open_Reason_Text>"] [-d <Database_Name>] [-listen] [-readonly] [-session]

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Parameters

Parameter Description

-help
    Prints the general help.

-globallock
    When you work with the dbedit utility, it partially locks the management database. If a user configures objects in SmartConsole at the same time, this causes problems in the management database.
    This option does not let SmartConsole, or another dbedit user, make changes in the management database.
    When you specify this option, the dbedit commands run on a copy of the management database. After you make the changes with the dbedit commands and run the savedb command, the dbedit utility saves and commits your changes to the actual management database.

-local
    Connects to the localhost (127.0.0.1) without using a username/password.
    If you do not specify this parameter, the dbedit utility asks how to connect.


-s <Management_Server>
    Specifies the Security Management Server, by IP address or HostName.
    If you do not specify this parameter, the dbedit utility asks how to connect.

-u <Username>
    Specifies the username with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" parameter.

-c <Certificate>
    Specifies the user's certificate file with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" parameter.

-p <Password>
    Specifies the user's password with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" and "-u <Username>" parameters.

-f <File_Name>
    Specifies the file that contains the applicable dbedit internal commands (see the section "dbedit Internal Commands" below):
    • create <object_type> <object_name>
    • modify <table_name> <object_name> <field_name> <value>
    • update <table_name> <object_name>
    • delete <table_name> <object_name>
    • print <table_name> <object_name>
    • quit
    Note - Each command is limited to 4096 characters.

ignore_script_failure
    Continues to execute the dbedit internal commands in the file and ignores errors.
    You can use it when you specify the "-f <File_Name>" parameter.

-continue_updating
    Continues to update the modified objects, even if the operation fails for some of the objects (ignores the errors and runs the update_all command at the end of the script).
    You can use it when you specify the "-f <File_Name>" parameter.

-r "<Open_Reason_Text>"
    Specifies the reason for opening the database in read-write mode (default mode).


-d <Database_Name>
    Specifies the name of the database to which the dbedit utility should connect (for example, mdsdb).

-listen
    The dbedit utility "listens" for changes (use this mode for advanced troubleshooting with the assistance of Check Point Support).
    The dbedit utility prints its internal messages when a change occurs in the management database.

-readonly
    Specifies to open the management database in read-only mode.

-session
    Session connectivity.

dbedit Internal Commands

Note - To see the available tables, class names (object types), attributes and values,
connect to Management Server with Database Tool (GuiDBEdit Tool) (see sk13009).

Command Description, Syntax, Examples

-h
    Description:
    Prints the general help.
    Syntax:
    dbedit> -h

-q, quit
    Description:
    Quits from dbedit.
    Syntax:
    dbedit> -q
    dbedit> quit [-update_all | -noupdate]
    Examples:
    • Exit the utility and commit the remaining modified objects (interactive mode):
      dbedit> quit
    • Exit the utility and update all the remaining modified objects:
      dbedit> quit -update_all
    • Exit the utility and discard all modifications:
      dbedit> quit -no_update


update
    Description:
    Saves the specified object in the specified table (for example, "network_objects", "services", "users").
    Syntax:
    dbedit> update <table_name> <object_name>
    Example:
    Save the object My_Service in the table services:
    dbedit> update services My_Service

update_all
    Description:
    Saves all the modified objects.
    Syntax:
    dbedit> update_all

_print_set
    Description:
    Prints the specified object from the specified table (for example, "network_objects", "services", "users") as it appears in the $FWDIR/conf/objects_5_0.C file (sets of attributes).
    Syntax:
    dbedit> _print_set <table_name> <object_name>
    Example:
    Print the object My_Obj from the table network_objects:
    dbedit> _print_set network_objects My_Obj

print
    Description:
    Prints the list of attributes of the specified object from the specified table (for example, "network_objects", "properties", "services", "users").
    Syntax:
    dbedit> print <table_name> <object_name>
    Examples:
    • Print the object My_Obj from the table network_objects (in "Network Objects"):
      dbedit> print network_objects my_obj
    • Print the object firewall_properties from the table properties (in "Global Properties"):
      dbedit> print properties firewall_properties


printxml
    Description:
    Prints in XML format the list of attributes of the specified object from the specified table (for example, "network_objects", "properties", "services", "users").
    You can export the settings from a Management Server to an XML file that you can use later with external automation systems.
    Syntax:
    dbedit> printxml <table_name> [<object_name>]
    Examples:
    • Print the object My_Obj from the table network_objects:
      dbedit> printxml network_objects my_obj
    • Print the object firewall_properties from the table properties (in "Global Properties"):
      dbedit> printxml properties firewall_properties

printbyuid
    Description:
    Prints the attributes of the object specified by its UID (appears in the $FWDIR/conf/objects_5_0.C file at the beginning of the object as "chkpf_uid ({...})").
    Syntax:
    dbedit> printbyuid {object_id}
    Example:
    Print the attributes of the object with the specified UID:
    dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}


query
    Description:
    Prints all the objects in the specified table.
    Optionally, you can query for objects with a specific attribute and value. The query is separated by a comma after "query <table_name>" (spaces are not allowed between the <attribute> and '<value>').
    Syntax:
    dbedit> query <table_name> [ , <attribute>='<value>' ]
    Examples:
    • Print all objects in the table users:
      dbedit> query users
    • Print all objects in the table network_objects that are defined as Management Servers:
      dbedit> query network_objects, management='true'
    • Print all objects in the table services with the name ssh:
      dbedit> query services, name='ssh'
    • Print all objects in the table services with the port 22:
      dbedit> query services, port='22'
    • Print all objects with the IP address 10.10.10.10:
      dbedit> query network_objects, ipaddr='10.10.10.10'

whereused
    Description:
    Checks where the specified object is used in the database.
    Prints the number of places where this object is used and relevant information about each such place.
    Syntax:
    dbedit> whereused <table_name> <object_name>
    Example:
    Check where the object My_Obj is used:
    dbedit> whereused network_objects My_Obj


create
    Description:
    Creates an object of the specified type (with its default values) in the database.
    Restrictions apply to the object's name:
    • Object names can have a maximum of 100 characters.
    • Object names can contain only ASCII letters, numbers, and dashes.
    • Reserved words are blocked by the Management Server (refer to sk40179).
    Syntax:
    dbedit> create <object_type> <object_name>
    Example:
    Create the service object My_Service of the type tcp_service (with its default values):
    dbedit> create tcp_service my_service

delete
    Description:
    Deletes an object from the specified table.
    Syntax:
    dbedit> delete <table_name> <object_name>
    Example:
    Delete the service object My_Service from the table services:
    dbedit> delete services my_service


modify
    Description:
    Modifies the value of the specified attribute in the specified object in the specified table (for example, "network_objects", "services", "users") in the management database.
    Syntax:
    dbedit> modify <table_name> <object_name> <field_name> <value>
    Examples:
    • Modify the color to red in the object My_Service in the table services:
      dbedit> modify services My_Service color red
    • Add a comment to the object MyObj:
      dbedit> modify network_objects MyObj comments "Created by fwadmin with dbedit"
    • Set the value of the global property ike_use_largest_possible_subnets in the table properties to false:
      dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
    • Create a new interface on the Security Gateway My_FW and modify its attributes - set the IP address / Mask and enable Anti-Spoofing on the interface with "Element Index"=3 (check the attributes of the object My_FW in Database Tool (GuiDBEdit Tool) (see sk13009)):
      dbedit> addelement network_objects My_FW interfaces interface
      dbedit> modify network_objects My_FW interfaces:3:officialname NAME_OF_INTERFACE
      dbedit> modify network_objects My_FW interfaces:3:ipaddr IP_ADDRESS
      dbedit> modify network_objects My_FW interfaces:3:netmask NETWORK_MASK
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:access specific
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:allowed network_objects:group_name
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:perform_anti_spoofing true
    • In the object MyObj set the value of FieldA to LINKSYS:
      dbedit> modify network_objects MyObj FieldA LINKSYS
    • In the Owned Object MyObj change the value of FieldB to NewVal:
      dbedit> modify network_objects MyObj FieldA:FieldB NewVal
    • In the Linked Object MyObj change the value of FieldA from B to C:
      dbedit> modify network_objects MyObj FieldA B:C


lock
    Description:
    Locks the specified object (by administrator) in the specified table (for example, "network_objects", "services", "users") from being modified by other users.
    For example, if you connect from a remote computer to this Management Server as admin1 and lock an object, you are able to connect as admin2, but are not able to modify the locked object until admin1 releases the lock.
    Syntax:
    dbedit> lock <table_name> <object_name>
    Example:
    Lock the object My_Service_Obj in the table services in the database:
    dbedit> lock services My_Service_Obj

addelement
    Description:
    Adds a specified multiple field / container (with the specified value) to a specified object in the specified table.
    Syntax:
    dbedit> addelement <table_name> <object_name> <field_name> <value>
    Examples:
    • Add the element BranchObjectClass with the value Organization to the multiple field Read in the object My_Obj in the table ldap:
      dbedit> addelement ldap My_Obj Read:BranchObjectClass Organization
    • Add the service MyService to the group of services MyServicesGroup in the table services:
      dbedit> addelement services MyServicesGroup '' services:MyService
    • Add the network MyNetwork to the group of networks MyNetworksGroup in the table network_objects:
      dbedit> addelement network_objects MyNetworksGroup '' network_objects:MyNetwork


rmelement
    Description:
    Removes a specified multiple field / container (with the specified value) from a specified object in the specified table.
    Syntax:
    dbedit> rmelement <table_name> <object_name> <field_name> <value>
    Examples:
    • Remove the service MyService from the group of services MyServicesGroup in the table services:
      dbedit> rmelement services MyServicesGroup '' services:MyService
    • Remove the network MyNetwork from the group of networks MyNetworksGroup in the table network_objects:
      dbedit> rmelement network_objects MyNetworksGroup '' network_objects:MyNetwork
    • Remove the element BranchObjectClass with the value Organization from the multiple field Read in the object My_Obj in the table ldap:
      dbedit> rmelement ldap my_obj Read:BranchObjectClass Organization

rename
    Description:
    Renames the specified object in the specified table.
    Syntax:
    dbedit> rename <table_name> <object_name> <new_object_name>
    Example:
    Rename the network object london to chicago in the table network_objects:
    dbedit> rename network_objects london chicago


rmbyindex
    Description:
    Removes an element from a container by the element's index.
    Syntax:
    dbedit> rmbyindex <table_name> <object_name> <field_name> <index_number>
    Example:
    Remove the element backup_log_servers from the container log_servers by element index 1 in the table network_objects:
    dbedit> rmbyindex network_objects g log_servers:backup_log_servers 1

add_owned_remove_name
    Description:
    Adds an owned object (and removes its name) to a specified owned object field (or container).
    Syntax:
    dbedit> add_owned_remove_name <table_name> <object_name> <field_name> <value>
    Example:
    Add the owned object My_Gateway (and remove its name) to the owned object field (or container) my_external_products:
    dbedit> add_owned_remove_name network_objects My_Gateway additional_products owned:my_external_products

is_delete_allowed
    Description:
    Checks if the specified object can be deleted from the specified table (an object cannot be deleted if it is used by other objects).
    Syntax:
    dbedit> is_delete_allowed <table_name> <object_name>
    Example:
    Check if the object MyObj can be deleted from the table network_objects:
    dbedit> is_delete_allowed network_objects MyObj


set_pass
    Description:
    Sets the specified password for the specified user.
    Notes:
    • The password must contain at least 4 characters and no more than 50 characters.
    • This command cannot change the administrator's password.
    Syntax:
    dbedit> set_pass <Username> <Password>
    Example:
    Set the password 1234 for the user abcd:
    dbedit> set_pass abcd 1234

savedb
    Description:
    Saves the database. You can run this command only when the database is locked globally (when you start the dbedit utility with the "dbedit -globallock" command).
    Syntax:
    dbedit> savedb

savesession
    Description:
    Saves the session. You can run this command only when you start the dbedit utility in session mode (with the "dbedit -session" command).
    Syntax:
    dbedit> savesession


fw
Description
• Performs various operations on Security or Audit log files.
• Kills the specified Check Point processes.
• Manages the Suspicious Activity Monitoring (SAM) rules.
• Manages the Suspicious Activity Policy editor.

Syntax

fw [-d]
    fetchlogs <options>
    hastat <options>
    kill <options>
    log <options>
    logswitch <options>
    lslogs <options>
    mergefiles <options>
    repairlog <options>
    sam <options>
    sam_policy <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

fetchlogs <options>
    Fetches the specified Check Point log files - Security ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*) - from the specified Check Point computer.
    See "fw fetchlogs" on page 246.

hastat <options>
    Shows information about Check Point computers in a High Availability configuration and their states.
    See "fw hastat" on page 248.


kill <options>
    Kills the specified Check Point process.
    See "fw kill" on page 249.

log <options>
    Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw log" on page 250.

logswitch <options>
    Switches the current active Check Point log file - Security ($FWDIR/log/fw.log) or Audit ($FWDIR/log/fw.adtlog).
    See "fw logswitch" on page 260.

lslogs <options>
    Shows a list of Check Point log files - Security ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*) - located on the local computer or a remote computer.
    See "fw lslogs" on page 264.

mergefiles <options>
    Merges several Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog) - into a single log file.
    See "fw mergefiles" on page 267.

repairlog <options>
    Rebuilds pointer files for Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw repairlog" on page 270.

sam <options>
    Manages the Suspicious Activity Monitoring (SAM) rules.
    See "fw sam" on page 271.

sam_policy <options>
or
samp <options>
    Manages the Suspicious Activity Policy editor that works with these types of rules:
    • Suspicious Activity Monitoring (SAM) rules.
    • Rate Limiting rules.
    See "fw sam_policy" on page 279.


fw fetchlogs

Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File
2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File N>
    Specifies the name of the log file to fetch. You need to specify the name only.
    Notes:
    • If you do not specify the log file name explicitly, the command transfers all Security log files ($FWDIR/log/*.log*) and all Audit log files ($FWDIR/log/*.adtlog*).
    • The specified log file name can include the wildcards * and ? (for example, 2017-0?-*.log).
      If you enter a wildcard, you must enclose it in double quotes or single quotes.
    • You can specify multiple log files in one command.
      You must use the -f parameter for each log file name pattern.
    • This command also transfers the applicable log pointer files.

<Target>
    Specifies the remote Check Point computer with which this local Check Point computer has established SIC trust.
    • If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point computer as configured in SmartConsole.
    • If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.


Notes:
• This command moves the specified log files from the $FWDIR/log/ directory on the specified Check Point computer. Meaning, it deletes the specified log files on the specified Check Point computer after it copies them successfully.
• This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point computer, on which you run this command.
• This command cannot fetch the active log files $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.
  To fetch these active log files:
  1. Perform a log switch on the applicable Check Point computer:

     fw logswitch [-audit] [-h <IP Address or Hostname>]

  2. Fetch the rotated log file from the applicable Check Point computer:

     fw fetchlogs -f <Log File Name> <IP Address or Hostname>

• This command renames the log files it fetched from the specified Check Point computer.
  The new log file name is the concatenation of the Check Point computer's name (as configured in SmartConsole), two underscore (_) characters, and the original log file name (for example: MyGW__2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW
File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW


Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#
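The following Python helper is an added example and is not part of this guide or of Check Point's software. It applies the rules stated in the Notes above to a `fw lslogs` listing: it parses the default listing, sets aside the active files (fw.log, fw.adtlog) that must be switched before they can be fetched, builds the `fw fetchlogs -f <name> <target>` invocations (omitting the .log extension, as the example above does), and predicts the local file names produced by the rename rule together with the pointer files seen in the ls output. The listing text is constructed for the example, modelled on the output above; the function names are the author's own choice.

```python
import re
from typing import Dict, List, NamedTuple

# The active log files that fw fetchlogs cannot fetch (see the Notes above).
ACTIVE_LOGS = ("fw.log", "fw.adtlog")
# Pointer files that accompany a fetched Security log file (from the ls output above).
POINTER_SUFFIXES = ("ptr", "account_ptr", "initial_ptr")


class LogFile(NamedTuple):
    size_kb: int
    name: str


# Constructed `fw lslogs MyGW` listing, modelled on the example above.
SAMPLE_LSLOGS = """\
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
"""


def parse_lslogs(output: str) -> List[LogFile]:
    """Parse the default `fw lslogs` listing: a size in KB followed by the file name."""
    files = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)KB\s+(\S+)\s*$", line)
        if m:  # the "Size Log file name" header does not match and is skipped
            files.append(LogFile(int(m.group(1)), m.group(2)))
    return files


def plan_fetch(files: List[LogFile], gateway: str, min_kb: int = 0) -> Dict[str, List[str]]:
    """Decide which files can be fetched now and what they will be called locally.

    commands        - one `fw fetchlogs -f <name> <gateway>` per fetchable file
                      (-f takes the name without the .log extension, as in the example)
    local_names     - name after the rename rule: <gateway>__<original name>
    pointer_files   - pointer files expected next to each fetched .log file
    needs_logswitch - active files that must be switched with `fw logswitch` first
    """
    plan: Dict[str, List[str]] = {
        "commands": [], "local_names": [], "pointer_files": [], "needs_logswitch": []
    }
    for f in files:
        if f.name in ACTIVE_LOGS:
            plan["needs_logswitch"].append(f.name)
            continue
        if f.size_kb < min_kb:  # optional filter: skip tiny files
            continue
        stem = f.name[:-4] if f.name.endswith(".log") else f.name
        plan["commands"].append(f"fw fetchlogs -f {stem} {gateway}")
        local = f"{gateway}__{f.name}"
        plan["local_names"].append(local)
        if f.name.endswith(".log"):
            plan["pointer_files"].extend(local + s for s in POINTER_SUFFIXES)
    return plan


if __name__ == "__main__":
    for cmd in plan_fetch(parse_lslogs(SAMPLE_LSLOGS), "MyGW")["commands"]:
        print(cmd)
```

Feed it the real output of `fw lslogs <Target>` to produce the fetch commands for a scheduled collection job; anything reported under needs_logswitch has to go through `fw logswitch -h <Target>` first.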

fw hastat

Description
Shows information about Check Point computers in High Availability configuration and their states.

Note - This command is outdated. On cluster members, run the Gaia Clish command "show cluster state", or the Expert mode command "cphaprob state".
Note - This command is outdated. On Management Servers, run the "cpstat" on page 192 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

<Target1> <Target2> ... <TargetN>
    Specifies the Check Point computers to query.
    If you run this command on the Management Server, you can enter the applicable IP address, or the resolvable HostName of the managed Security Gateway or Cluster Member.
    If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#

fw kill

Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-t <Signal Number>
    Specifies which signal to send to the Check Point process.
    For the list of available signals and their numbers, run the kill -l command.
    For information about the signals, see the manual pages for kill and signal.
    If you do not specify the signal explicitly, the command sends Signal 15 (SIGTERM).
    Note - Processes can ignore some signals.

<Name of Process>
    Specifies the name of the Check Point process to kill.
    To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw log

Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u <Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-#] [<Log File>]

Parameters

{-h | -help}
    Shows the built-in usage.
    Note - The built-in usage does not show some of the parameters described in this table.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-a
    Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>"
    Shows only entries that were logged between the specified start and end times.
    - The <Start Timestamp> and <End Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the "<Start Timestamp>" and "<End Timestamp>" in single or double quotes (-b 'XX' 'YY', or -b "XX" "YY").
    - You cannot use the "-b" parameter together with the "-s" or "-e" parameters.
    - See the date and time format below.

-c <Action>
    Shows only events with the specified action. One of these:
    - accept
    - drop
    - reject
    - encrypt
    - decrypt
    - vpnroute
    - keyinst
    - authorize
    - deauthorize
    - authcrypt
    - ctl
    Notes:
    - The fw log command always shows the Control (ctl) actions.
    - For the login action, use authcrypt.

-e "<End Timestamp>"
    Shows only entries that were logged before the specified time.
    Notes:
    - The <End Timestamp> may be a date, a time, or both.
    - Enclose the <End Timestamp> in single or double quotes (-e '...', or -e "...").
    - You cannot use the "-e" parameter together with the "-b" parameter.
    - See the date and time format below.

-f
    This parameter:
    1. Shows the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.
    Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-g
    Does not show delimiters.
    The default behavior is:
    - Show a colon (:) after a field name
    - Show a semi-colon (;) after a field value

-H
    Shows the High Level Log key.

-h <Origin>
    Shows only logs that were generated by the Security Gateway with the specified IP address or object name (as configured in SmartConsole).

-i
    Shows the log UID.

-k {<Alert Name> | all}
    Shows entries that match a specific alert type:
    - <Alert Name> - Show only entries that match a specific alert type:
      - alert
      - mail
      - snmp_trap
      - spoof
      - user_alert
      - user_auth
    - all - Show entries that match all alert types (this is the default).

-l
    Shows both the date and the time for each log entry.
    The default is to show the date only once above the relevant entries, and then specify the time for each log entry.

-m {initial | semi | raw}
    Specifies the log unification mode:
    - initial - Complete unification of log entries. The command shows one unified log entry for each ID. This is the default.
      If you also specify the -f parameter, then the output does not show any updates, but shows only entries that relate to the start of new connections. To show updates, use the semi parameter.
    - semi - Step-by-step unification of log entries. For each log entry, the output shows an entry that unifies this entry with all previously encountered entries with the same ID.
    - raw - No log unification. The output shows all log entries.

-n
    Does not perform DNS resolution of the IP addresses in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-o
    Shows detailed log chains - shows all the log segments in the log entry.

-p
    Does not perform resolution of the port numbers in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-q
    Shows the names of log header fields.

-S
    Shows the Sequence Number.

-s "<Start Timestamp>"
    Shows only entries that were logged after the specified time.
    Notes:
    - The <Start Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the <Start Timestamp> in single or double quotes (-s '...', or -s "...").
    - You cannot use the "-s" parameter together with the "-b" parameter.
    - See the date and time format below.

-t
    This parameter:
    1. Does not show the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.
    Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-u <Unification Scheme File>
    Specifies the path and name of the log unification scheme file.
    The default log unification scheme file is: $FWDIR/conf/log_unification_scheme.C

-w
    Shows the flags of each log entry (different bits used to specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on).

-x <Start Entry Number>
    Shows only entries from the specified log entry number and below, counting from the beginning of the log file.

-y <End Entry Number>
    Shows only entries until the specified log entry number, counting from the beginning of the log file.

-z
    In case of an error (for example, a wrong field value), continues to show log entries.
    The default behavior is to stop.

-#
    Shows confidential logs in clear text.

<Log File>
    Specifies the log file to read.
    If you do not specify the log file explicitly, the command opens the $FWDIR/log/fw.log log file.
    You can specify a switched log file.

Date and Time format

Part of timestamp   Format                  Example
Date only           MMM DD, YYYY            June 11, 2018
Time only           HH:MM:SS                14:20:00
                    (In this case, the command assumes the current date.)
Date and Time       MMM DD, YYYY HH:MM:SS   June 11, 2018 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that are shown depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

HeaderDateHour
    Description: Date and Time
    Example: 12Jun2018 12:56:42

ContentVersion
    Description: Version
    Example: 5

HighLevelLogKey
    Description: High Level Log Key
    Example: <max_null>, or empty

Uuid
    Description: Log UUID
    Example: (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)

SequenceNum
    Description: Log Sequence Number
    Example: 1

Flags
    Description: Internal flags that specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on
    Example: 428292

Action
    Description: Action performed on this connection
    Examples: accept, drop, reject, encrypt, decrypt, vpnroute, keyinst, authorize, deauthorize, authcrypt, ctl

Origin
    Description: Object name of the Security Gateway that generated this log
    Example: MyGW

IfDir
    Description: Traffic direction through the interface:
    - < - Outbound (sent by a Security Gateway)
    - > - Inbound (received by a Security Gateway)
    Examples: <, >

InterfaceName
    Description: Name of the Security Gateway interface, on which this traffic was logged. If a Security Gateway performed some internal action (for example, a log switch), then the log entry shows daemon
    Examples: eth0, daemon, N/A

LogId
    Description: Log ID
    Example: 0

Alert
    Description: Alert Type
    Examples: alert, mail, snmp_trap, spoof, user_alert, user_auth

OriginSicName
    Description: SIC name of the Security Gateway that generated this log
    Example: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x

inzone
    Description: Inbound Security Zone
    Example: Local

outzone
    Description: Outbound Security Zone
    Example: External

service_id
    Description: Name of the service used to inspect this connection
    Example: ftp

src
    Description: Object name or IP address of the connection's source computer
    Example: MyHost

dst
    Description: Object name or IP address of the connection's destination computer
    Example: MyFTPServer

proto
    Description: Name of the connection's protocol
    Example: tcp

sport_svc
    Description: Source port of the connection
    Example: 64933

ProductName
    Description: Name of the Check Point product that generated this log
    Examples: VPN-1 & FireWall-1, Application Control, FloodGate-1

ProductFamily
    Description: Name of the Check Point product family that generated this log
    Example: Network

Examples
Example 1 - Show all log entries with both the date and the time for each log entry
fw log -l

Example 2 - Show all log entries that start after the specified timestamp
[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host
Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps
[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host
Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach
"https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2;
status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security
Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"
[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action:
drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
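The following Python is an added example, not part of this guide or of Check Point's software. It parses the `fw log -q` output format documented above (field name, colon, value, semicolon; TABLE_START/TABLE_END and ROW_START/ROW_END delimiting the UP_match_table and UP_action_table sections) into scalar fields plus per-table rows, then summarizes the dropped connections the way `-c drop` selects them. The first sample line is the Example 5 output above joined back into a single line; the second is a constructed control entry in the same format, modelled on the "Contracts" entry in Example 3, whose reason value contains a URL and full stops. parse_entry and dropped_connections are names chosen for this example.

```python
import re
from typing import Dict, List, Tuple

# Example 5 output from this page, with the wrapped lines joined into one entry.
EXAMPLE_5_LINE = (
    "HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; "
    "LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; "
    "InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; "
    "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; "
    "outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; "
    "UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; "
    "layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; "
    "rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; "
    "UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; "
    "ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; "
    "sport_svc: 64933; ProductFamily: Network;"
)

# Constructed control entry in the same -q format (modelled on Example 3's ctl entry);
# its reason value contains ':' and '.' characters that a naive split would mangle.
CONSTRUCTED_CTL_LINE = (
    "HeaderDateHour: 12Jun2018 12:33:45; ContentVersion: 5; Action: ctl; Origin: MyGW; "
    "IfDir: >; InterfaceName: ; description: Contracts; "
    "reason: Could not reach \"https://productcoverage.checkpoint.com/ProductCoverageService\". "
    "Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; "
    "ProductFamily: Network;"
)

# One token is "<name>: <value>;" where the value runs up to the ';' that is
# followed by the next "<name>: " pair or by the end of the line.
_TOKEN = re.compile(r"([A-Za-z0-9_\-]+): (.*?);(?= [A-Za-z0-9_\-]+: |$)")


def parse_entry(line: str) -> Tuple[Dict[str, str], Dict[str, List[Dict[str, str]]]]:
    """Split one fw log -q entry into (scalar fields, tables).

    A field whose value is TABLE_START opens a table named after the field;
    ROW_START/ROW_END bracket one row of it; TABLE_END closes it.
    """
    fields: Dict[str, str] = {}
    tables: Dict[str, List[Dict[str, str]]] = {}
    table_name = None
    row = None
    for name, value in _TOKEN.findall(line.strip()):
        if value == "TABLE_START":
            table_name = name
            tables.setdefault(name, [])
        elif value == "TABLE_END":
            table_name = None
        elif name == "ROW_START":
            row = {}
        elif name == "ROW_END":
            if table_name is not None and row is not None:
                tables[table_name].append(row)
            row = None
        elif row is not None:
            row[name] = value
        else:
            fields[name] = value
    return fields, tables


def dropped_connections(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Summarize drop entries as (src, dst, service_id, rule_uid of the matched rule)."""
    out = []
    for line in lines:
        fields, tables = parse_entry(line)
        if fields.get("Action") != "drop":
            continue
        rows = tables.get("UP_match_table", [])
        rule_uid = rows[0].get("rule_uid", "") if rows else ""
        out.append((fields.get("src", ""), fields.get("dst", ""),
                    fields.get("service_id", ""), rule_uid))
    return out


if __name__ == "__main__":
    for entry in dropped_connections([EXAMPLE_5_LINE, CONSTRUCTED_CTL_LINE]):
        print(entry)
```

Run `fw log -l -q -w <Log File>` and pipe the lines into parse_entry; the -q flag is what makes every field self-describing, so the parser does not depend on the positional layout that the default output uses.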

fw logswitch

Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
- By default, this command switches the active Security log file - $FWDIR/log/fw.log
- You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch [-audit] [<Name of Switched Log>]

fw [-d] logswitch -h <Target> [[+ | -]<Name of Switched Log>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-audit
    Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).
    You can use this parameter only on a Management Server.

-h <Target>
    Specifies the remote computer, on which to switch the log.
    Notes:
    - The local and the remote computers must have established SIC trust.
    - The remote computer can be a Security Gateway, a Log Server, or a Security Management Server in a High Availability deployment.
    - You can specify the remote managed computer by its main IP address or Object Name as configured in SmartConsole.

<Name of Switched Log>
    Specifies the name of the switched log file.
    Notes:
    - If you do not specify this parameter, then the default name is:
      <YYYY-MM-DD_HHMMSS>.log
      <YYYY-MM-DD_HHMMSS>.adtlog
      For example, 2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the switched log file is:
      <Specified_Log_Name>.log
      <Specified_Log_Name>.adtlog
    - The log switch operation fails if the specified name for the switched log matches the name of an existing log file.
    - The maximal length of the specified name of the switched log file is 230 characters.

+
    Specifies to copy the active log from the remote computer to the local computer.
    Notes:
    - If you specify the name of the switched log file, you must write it immediately after this + (plus) parameter.
    - The command copies the active log from the remote computer and saves it in the $FWDIR/log/ directory on the local computer.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command copies the log file from the remote computer, it compresses the file.

-
    Specifies to transfer the active log from the remote computer to the local computer.
    Notes:
    - The command saves the copied active log file in the $FWDIR/log/ directory on the local computer and then deletes the switched log file on the remote computer.
    - If you specify the name of the switched log file, you must write it immediately after this - (minus) parameter.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command transfers the log file from the remote computer, it compresses the file.
    - As an alternative, you can use the "fw fetchlogs" on page 246 command.

Compression
When this command transfers the log files from the remote computer, it compresses the file with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method. The compression ratio varies with the content of the log file and is difficult to predict. Binary data are not compressed. Text data, such as user names and URLs, are compressed.

Example - Switching the active Security log on a Security Management Server or Security Gateway

[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server

[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

Example - Switching the active Security log on a managed Security Gateway and copying the switched log

[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

fw lslogs

Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files
($FWDIR/log/*.adtlog) residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]
... [-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime |
etime}] [<Target>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File>
    Specifies the name of the log file to show. You need to specify the name only.
    Notes:
    - If the log file name is not specified explicitly, the command shows all Security log files ($FWDIR/log/*.log).
    - File names may include * and ? as wildcards (for example, 2019-0?-*). If you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command. You must use the "-f" parameter for each log file name pattern:
      -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>

-e
    Shows an extended file list. It includes the following information for each log file:
    - Size - The total size of the log file and its related pointer files
    - Creation Time - The time the log file was created
    - Closing Time - The time the log file was closed
    - Log File Name - The file name

-r
    Reverses the sort order (descending order).

-s {name | size | stime | etime}
    Specifies the sort order of the log files using one of the following sort options:
    - name - The file name
    - size - The file size
    - stime - The time the log file was created (this is the default option)
    - etime - The time the log file was closed

<Target>
    Specifies the remote Check Point computer, with which this local Check Point computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point Computer as configured in SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"
Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'
Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 4 - Showing only log files specified by the patterns and their extended information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'
Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r
Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security Gateway with main IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' 192.168.3.53
Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#

fw mergefiles

Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
- Do not merge the active Security file $FWDIR/log/fw.log with other Security switched log files.
  Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch" on page 1068 command) and only then merge it with other Security switched log files.
- Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit switched log files.
  Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch" on page 1068 command) and only then merge it with other Audit switched log files.
- This command unifies log entries with the same Unique-ID (UID). If you rotate the current active log file before all the segments of a specific log arrive, this command merges the records with the same Unique ID from two different files into one fully detailed record.
- If the size of the final merged log file exceeds 2GB, this command creates a list of merged files, where the size of each merged file is not more than 2GB.
  The user receives this warning:
  Warning: The size of the files you have chosen to merge is greater than 2GB. The merge will produce two or more files.
  The names of the merged files are:
  - <Name of Merged Log File>.log
  - <Name of Merged Log File>_1.log
  - <Name of Merged Log File>_2.log
  - ... ...
  - <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}

fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of Log File 1> <Name of Log File 2> ... <Name of Log File N> <Name of Merged Log File>


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-r
    Removes duplicate entries.

-s
    Sorts the merged file by the Time field in log records.

-t <Time Conversion File>
    Specifies the full path and name of a file that instructs this command how to adjust the times during the merge.
    This is required if you merge log files from Log Servers configured with different time zones.
    The file format is:
    <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
    <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
    ... ...
    Notes:
    - You must specify the absolute path and the file name.
    - The name of the time conversion file cannot exceed 230 characters.

<Name of Log File 1> ... <Name of Log File N>
    Specifies the log files to merge.
    Notes:
    - You must specify the absolute path and the name of the input log files.
    - The name of the input log file cannot exceed 230 characters.

<Name of Merged Log File>
    Specifies the output merged log file.
    Notes:
    - The name of the merged log file cannot exceed 230 characters.
    - If a file with the specified name already exists, the command stops and asks you to remove the existing file, or to specify another name.
    - The size of the merged log file cannot exceed 2 GB. In such a scenario, the command creates several merged log files, each not exceeding the size limit.

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log
$FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#

fw repairlog

Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases, with special pointer files.
If these log pointer files become corrupted (which causes the inability to read the log file), this command can rebuild them.

Log File Type   Log File Location     Log Pointer Files
Security log    $FWDIR/log/*.log      *.logptr, *.logaccount_ptr, *.loginitial_ptr, *.logLuuidDB
Audit log       $FWDIR/log/*.adtlog   *.adtlogptr, *.adtlogaccount_ptr, *.adtloginitial_ptr, *.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file

fw repairlog -u 2019-06-17_000000.adtlog

fw sam

Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block
connections to and from IP addresses without the need to change or reinstall the Security
Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
- In SmartConsole, from Monitoring Results
- In CLI, with the fw sam command

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM)
  Rules. See sk79700.
- See the "fw sam_policy" and "sam_alert" commands.
- SAM rules consume some CPU resources on the Security Gateway.
  Best Practice - Set an expiration for rules that gives you time to investigate, but does not
  affect performance. Keep only the required SAM rules. If you confirm that an activity is
  risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Logs for enforced SAM rules (configured with the fw sam command) are stored in the
  $FWDIR/log/sam.dat file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  Each record in this data log file has one of these formats:
    <type>,<actions>,<expire>,<ipaddr>
    <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
- SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
- IP addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel
  table sam_blocked_ips.
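A parser for the two sam.dat record layouts listed above, added here as an example; it is not Check Point code. The page gives only the field order, so the example treats <expire> as a Unix epoch timestamp with 0 meaning "never expires" and keeps <type> and <actions> as opaque strings; those are assumptions, and the sample records are constructed.

```python
"""Parse records in the two $FWDIR/log/sam.dat layouts listed above.

Added example, not Check Point code. The page gives only the field layouts:
    <type>,<actions>,<expire>,<ipaddr>
    <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
Assumptions: <expire> is a Unix epoch timestamp and 0 means the entry never
expires; <type> and <actions> are kept as opaque strings because the page
does not document their encodings. The sample records are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SamRecord:
    type_: str
    actions: str
    expire: int                    # assumption: epoch seconds, 0 = never expires
    ipaddr: Optional[str] = None   # 4-field layout
    src: Optional[str] = None      # 7-field layout from here on
    dst: Optional[str] = None
    dport: Optional[int] = None
    ip_p: Optional[int] = None     # IANA protocol number

    def is_active(self, now: int) -> bool:
        return self.expire == 0 or self.expire > now

    def hosts(self) -> set:
        """IP addresses this entry refers to, whichever layout it uses."""
        return {h for h in (self.ipaddr, self.src, self.dst) if h}


def parse_record(line: str) -> SamRecord:
    fields = line.strip().split(",")
    if len(fields) == 4:
        typ, act, exp, ip = fields
        return SamRecord(typ, act, int(exp), ipaddr=ip)
    if len(fields) == 7:
        typ, act, exp, src, dst, dport, ip_p = fields
        return SamRecord(typ, act, int(exp), src=src, dst=dst,
                         dport=int(dport), ip_p=int(ip_p))
    raise ValueError(f"unexpected field count {len(fields)}: {line!r}")


def active_records(text: str, now: int) -> list:
    """Records whose expiry has not passed at 'now'; blank lines are skipped."""
    records = map(parse_record, filter(str.strip, text.splitlines()))
    return [rec for rec in records if rec.is_active(now)]


def active_hosts(text: str, now: int) -> set:
    """Union of the addresses covered by the still-active records."""
    return set().union(*(rec.hosts() for rec in active_records(text, now)))


# Constructed sample in the two documented layouts; the <type>/<actions>
# values are placeholders, not real sam.dat encodings.
SAMPLE = """\
inhibit,drop,1700000600,203.0.113.7
inhibit,reject,0,198.51.100.9,10.0.0.5,22,6
notify,log,1699999000,192.0.2.44
"""

if __name__ == "__main__":
    for rec in active_records(SAMPLE, now=1700000000):
        print(rec)
    print(sorted(active_hosts(SAMPLE, now=1700000000)))
```

The second record has expire 0 and therefore never drops out of the active set, which is what you want to spot during an incident review: a block that was meant to be temporary but was created without -t.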

Note - To configure SAM Server settings for a Security Gateway or Cluster:


1. Connect with SmartConsole to the applicable Security Management Server or
Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.


Syntax
- To add or cancel a SAM rule according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

- To delete all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

- To monitor all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

- To monitor SAM rules according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway on which
    the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security
    Gateway that enforces the command.
    The default is localhost.

-S <SIC Name of SAM Server>
    Specifies the SIC name of the SAM server to be contacted. The SAM server must have this
    SIC name, otherwise the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without a SIC
      name comparison.
    - For more information about enabling SIC, refer to the OPSEC API Specification.
    - On a VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name of
      the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Enforces the action on all managed Security Gateways on which the SAM
      Server runs.
      You can use this syntax only on a Security Management Server or Domain Management
      Server.
    - localhost - Enforces the action on this local Check Point computer (on which the fw sam
      command is executed).
      You can use this syntax only on a Security Gateway or StandAlone.
    - Gateways - Enforces the action on all objects defined as Security Gateways, on which the
      SAM Server runs.
      You can use this syntax only on a Security Management Server or Domain Management
      Server.
    - Name of Security Gateway object - Enforces the action on this specific Security Gateway
      object.
      You can use this syntax only on a Security Management Server or Domain Management
      Server.
    - Name of Group object - Enforces the action on all Security Gateways in this Group object.
      You can use this syntax only on a Security Management Server or Domain Management
      Server.
    Note - VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring
    (SAM) Rules. See sk79700.

-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D"
      parameter.
    - It is also possible to use this command for active SAM requests.

-C
    Cancels the fw sam command that inhibits connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command,
      except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds) during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of log for the enforced action:
    - nolog - Does not generate a Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Generates a "Notify" long-format log entry.
    Notes:
    - This parameter generates an alert when connections that match the specified services or
      IP addresses pass through the Security Gateway.
    - This action does not inhibit / close connections.

-i
    Inhibits new connections with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.

-I
    Inhibits new connections with the specified parameters, and closes all existing connections
    with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.

-j
    Inhibits new connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections
    with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    - Source IP Address
    - Source Netmask
    - Destination IP Address
    - Destination Netmask
    - Port (see IANA Service Name and Port Number Registry)
    - Protocol Number (see IANA Protocol Numbers)
    Possible combinations are (see the explanations below this table):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>

Explanation for the <Criteria> syntax

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.

subany <IP> <Netmask>
    Matches either the Source IP address or the Destination IP address of the connections
    according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and
    Protocol.

subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the Source IP address, Destination IP address, Service (port number) and Protocol.
    Source and Destination IP addresses are matched according to their netmasks.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the Source IP address according to the source netmask, the specific Destination IP
    address, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the specific Source IP address, the Destination IP address according to the
    destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Port> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the Destination IP address according to the netmask, Service (port number) and
    Protocol.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address according to the netmask, and the protocol.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address according to the netmask, and the protocol.

generic <key=val>+
    Matches GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    - service=gtp
    - imsi
    - msisdn
    - apn
    - tunl_dst
    - tunl_dport
    - tunl_proto
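The criteria table above reads as a small matching language: each form names which parts of a connection it compares and whether an address is matched exactly or under a netmask. The following added example (not Check Point code) models that reading in Python for the IPv4 forms; the criterion names and argument order are the page's, the matching semantics are this example's interpretation of the descriptions rather than the gateway's implementation, and the connection used for the check is constructed.

```python
"""Match a connection against the fw sam <Criteria> forms in the table above.

Added example, not Check Point code. The criterion names and their argument
order come from the page; the matching itself is this example's reading of
the descriptions (an exact address match, or address-under-netmask for the
sub* forms, plus port and IANA protocol number where the form takes them),
not the gateway's implementation. IPv4 only; the connections are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: int   # IANA protocol number: 6 = TCP, 17 = UDP

# One letter per argument group, in the order the criterion takes them:
#   s / d   exact source / destination address      a  either side, exact
#   S / D   source / destination address + netmask  A  either side + netmask
#   p       port                                    r  protocol number
SPEC = {
    "src": "s", "dst": "d", "any": "a",
    "subsrc": "S", "subdst": "D", "subany": "A",
    "srv": "sdpr", "subsrv": "SDpr", "subsrvs": "Sdpr", "subsrvd": "sDpr",
    "dstsrv": "dpr", "subdstsrv": "Dpr",
    "srcpr": "sr", "dstpr": "dr", "subsrcpr": "Sr", "subdstpr": "Dr",
}
ARGC = {"s": 1, "d": 1, "a": 1, "S": 2, "D": 2, "A": 2, "p": 1, "r": 1}


def in_subnet(ip: str, net: str, mask: str) -> bool:
    """True when ip and net agree on every bit that is set in the dotted-decimal mask."""
    as_int = lambda a: int(ipaddress.IPv4Address(a))
    return (as_int(ip) & as_int(mask)) == (as_int(net) & as_int(mask))


def arity(name: str) -> int:
    """Number of arguments a criterion takes, derived from SPEC."""
    return sum(ARGC[t] for t in SPEC[name])


def matches(criteria: list, conn: Conn) -> bool:
    """criteria is the token list as typed on the command line, e.g.
    ["subsrc", "10.0.0.0", "255.0.0.0"]; every component must match."""
    name, args = criteria[0], list(criteria[1:])
    if name not in SPEC:
        raise ValueError(f"unknown criterion {name!r}")
    if len(args) != arity(name):
        raise ValueError(f"{name} takes {arity(name)} arguments, got {len(args)}")
    for token in SPEC[name]:
        take, args = args[:ARGC[token]], args[ARGC[token]:]
        ok = {
            "s": lambda: conn.src == take[0],
            "d": lambda: conn.dst == take[0],
            "a": lambda: take[0] in (conn.src, conn.dst),
            "S": lambda: in_subnet(conn.src, *take),
            "D": lambda: in_subnet(conn.dst, *take),
            "A": lambda: in_subnet(conn.src, *take) or in_subnet(conn.dst, *take),
            "p": lambda: conn.dport == int(take[0]),
            "r": lambda: conn.proto == int(take[0]),
        }[token]()
        if not ok:
            return False
    return True


if __name__ == "__main__":
    # Constructed connection: TCP/443 from 10.1.2.3 to 192.0.2.10.
    c = Conn("10.1.2.3", "192.0.2.10", 443, 6)
    print(matches(["subsrvs", "10.1.2.0", "255.255.255.0", "192.0.2.10", "443", "6"], c))
```

Checking the argument count before matching is the practical point: a criterion typed with one argument too few is rejected here, whereas on the command line the same slip silently shifts the port into the protocol position.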

fw sam_policy

Description
Manages the Suspicious Activity Policy editor that works with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 271
- "sam_alert" on page 376

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish or in the Expert mode.
- The Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The Security Gateway stores the SAM Policy management settings in the
  $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support a Suspicious Activity Policy configured in SmartView Monitor.
  See sk79700.
- In VSX mode, you must go to the context of the applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set
an expiration for rules that gives you time to investigate, but does not affect performance.
Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the
Security Policy, educate users, or otherwise handle the risk.


Syntax for IPv4

fw [-d] sam_policy
    add <options>
    batch
    del <options>
    get <options>

fw [-d] samp
    add <options>
    batch
    del <options>
    get <options>

Syntax for IPv6

fw6 [-d] sam_policy
    add <options>
    batch
    del <options>
    get <options>

fw6 [-d] samp
    add <options>
    batch
    del <options>
    get <options>


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

add <options>
    Adds one Suspicious Activity Monitoring (SAM) rule or one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 282.

batch
    Adds or deletes many SAM or Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 295.

del <options>
    Deletes one configured SAM or Rate Limiting rule at a time.
    See "fw sam_policy del" on page 297.

get <options>
    Shows all the configured SAM and Rate Limiting rules.
    See "fw sam_policy get" on page 300.

fw sam_policy add

Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish or in the Expert mode.
- The Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- The Security Gateway stores the SAM Policy management settings in the
  $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support a Suspicious Activity Policy configured in SmartView Monitor.
  See sk79700.
- In VSX mode, you must go to the context of the applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set
an expiration for rules that gives you time to investigate, but does not affect performance.
Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the
Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>


Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the
    script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined.
    The default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with the action set to Bypass cannot have a log or limit specification.
    Bypassed packets and connections do not count towards the overall number of packets and
    connections for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log

-t <Timeout>
    Optional.
    Specifies the time period (in seconds) during which the rule is enforced.
    The default timeout is indefinite.

-f <Target>
    Optional.
    Specifies the target Security Gateways on which to enforce the rule.
    <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all
      managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be
      enforced only on this Security Gateway or Cluster object (the object name must be as
      defined in SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security
      Gateways that are members of this Group object (the object name must be as defined in
      SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\)
      character. Example:
      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\)
      character. Example:
      "This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\)
      character. Example:
      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these
    options):
    [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
    See the explanations below.

quota <Quota Filter Arguments>
    Mandatory (use this quota parameter, or the ip parameter).
    Configures the Rate Limiting rule.
    Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations
    below):
    - [flush true]
    - [source-negated {true | false}] source <Source>
    - [destination-negated {true | false}] destination <Destination>
    - [service-negated {true | false}] service <Protocol and Port numbers>
    - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
    - [track <Track>]

    Important:
    - The Quota rules are not applied immediately to the Security Gateway. They are only
      registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the
      rules from the SAM policy database immediately, add "flush true" to the fw samp add
      command syntax.
    - Explanation:
      For the new connection rate (and for any rate limiting in general), when a rule's limit
      is violated, the Security Gateway also drops all packets that match the rule.
      The Security Gateway computes new connection rates on a per-second basis.
      At the start of the 1-second timer, the Security Gateway allows all packets, including
      packets for existing connections.
      If, at some point during that 1-second period, there are too many new connections, then
      the Security Gateway blocks all remaining packets for the remainder of that 1-second
      interval.
      At the start of the next 1-second interval, the counters are reset and the process
      starts over: the Security Gateway allows packets to pass again up to the point where the
      rule's limit is violated.
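The per-second behaviour in the explanation above has a consequence that is easy to miss when sizing a new-conn-rate limit: once the limit is crossed, packets of already established connections are also dropped until the next second boundary. The following added example (not gateway code) simulates exactly the sequence the text describes over a constructed packet stream; the Packet and enforce_new_conn_rate names are this example's own.

```python
"""Simulate the per-second new-connection-rate enforcement described above.

Added example, not gateway code. It models only what the text states: new
connections are counted per 1-second interval; every packet that matches the
rule is allowed (including packets of existing connections) until the
interval's count exceeds new-conn-rate; from that point all matching packets
are dropped for the rest of the interval; the next interval starts with a
reset counter. The packet stream below is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    new_conn: bool   # True for the first packet of a new connection


def enforce_new_conn_rate(packets, limit: int) -> list:
    """Return [(ts, 'allow'|'drop'), ...] in arrival order for one quota rule."""
    decisions = []
    window = None    # the integer second whose counter is live
    new_conns = 0
    blocked = False
    for p in sorted(packets, key=lambda x: x.ts):
        sec = int(p.ts)
        if sec != window:              # new 1-second interval: counters reset
            window, new_conns, blocked = sec, 0, False
        if not blocked and p.new_conn:
            new_conns += 1
            if new_conns > limit:      # limit violated: drop the rest of the second
                blocked = True
        decisions.append((p.ts, "drop" if blocked else "allow"))
    return decisions


def summarize(decisions) -> dict:
    """Count of allow/drop verdicts."""
    return dict(Counter(verdict for _, verdict in decisions))


# Constructed burst: 6 new connections and 2 data packets of existing
# connections inside second 0, then traffic after the boundary at t=1.0.
STREAM = [Packet(0.10, True), Packet(0.20, True), Packet(0.25, False),
          Packet(0.30, True), Packet(0.40, True), Packet(0.50, True),
          Packet(0.60, True), Packet(0.70, False),
          Packet(1.05, True), Packet(1.10, False)]

if __name__ == "__main__":
    for ts, verdict in enforce_new_conn_rate(STREAM, limit=5):
        print(f"{ts:5.2f}  {verdict}")
    print(summarize(enforce_new_conn_rate(STREAM, limit=5)))
```

With new-conn-rate 5 the sixth connection attempt at t=0.60 is dropped and so is the data packet at t=0.70, even though it belongs to an existing connection; at t=1.05 the counter has been reset and traffic flows again. A limit of 0, as used in Examples 3 and 5 below, therefore blocks every matching packet.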


Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

-C
    Specifies that open connections should be closed.

-s <Source IP>
    Specifies the Source IP address.

-m <Source Mask>
    Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>
    Specifies the Destination IP address.

-M <Destination Mask>
    Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>
    Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>
    Specifies the protocol number (see IANA Protocol Numbers).


Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

flush true
    Compiles and loads the quota rule to the SecureXL immediately.

[source-negated {true | false}] source <Source>
    Specifies the source type and its value:
    - any
      The rule is applied to packets sent from all sources.
    - range:<IP Address> or range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent from:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent from:
      - An IPv4 address with a Prefix from 0 to 32
      - An IPv6 address with a Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the source IP addresses assigned to this country,
      based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the source IP addresses that are
      assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn,
      where nnnn is a number unique to the specific organization.
    Notes:
    - Default is: source-negated false
    - source-negated true processes all sources except the specified ones.
    - Several source entries can be separated by commas (see Example 3 below).

[destination-negated {true | false}] destination <Destination>
    Specifies the destination type and its value:
    - any
      The rule is applied to packets sent to all destinations.
    - range:<IP Address> or range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent to:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent to:
      - An IPv4 address with a Prefix from 0 to 32
      - An IPv6 address with a Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the destination IP addresses assigned to this
      country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1
      alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the destination IP addresses that
      are assigned to this organization, based on the Geo IP database. The valid syntax is
      ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    - Default is: destination-negated false
    - destination-negated true processes all destinations except the specified ones.

[service-negated {true | false}] service <Protocol and Port numbers>
    Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA
    Service Name and Port Number Registry):
    - <Protocol>
      IP protocol number in the range 1-255
    - <Protocol Start>-<Protocol End>
      Range of IP protocol numbers
    - <Protocol>/<Port>
      IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535
    - <Protocol>/<Port Start>-<Port End>
      IP protocol number and range of TCP/UDP port numbers from 1 to 65535
    Notes:
    - Default is: service-negated false
    - service-negated true processes all traffic except the traffic with the specified
      protocols and ports.
    - Several service entries can be separated by commas (see Example 2 below).

[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
    Specifies quota limits and their values.
    Note - Separate multiple quota limits with spaces.
    - concurrent-conns <Value>
      Specifies the maximal number of concurrent active connections that match this rule.
    - concurrent-conns-ratio <Value>
      Specifies the maximal ratio of the concurrent-conns value to the total number of active
      connections through the Security Gateway, expressed in parts per 65536 (formula:
      N / 65536).
    - pkt-rate <Value>
      Specifies the maximal number of packets per second that match this rule.
    - pkt-rate-ratio <Value>
      Specifies the maximal ratio of the pkt-rate value to the rate of all connections through
      the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - byte-rate <Value>
      Specifies the maximal total number of bytes per second in packets that match this rule.
    - byte-rate-ratio <Value>
      Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all
      connections through the Security Gateway, expressed in parts per 65536 (formula:
      N / 65536).
    - new-conn-rate <Value>
      Specifies the maximal number of connections per second that match the rule.
    - new-conn-rate-ratio <Value>
      Specifies the maximal ratio of the new-conn-rate value to the rate of all connections
      per second through the Security Gateway, expressed in parts per 65536 (formula:
      N / 65536).

[track <Track>]
    Specifies the tracking option:
    - source
      Counts connections, packets, and bytes per source IP address, and not cumulatively for
      this rule.
    - source-service
      Counts connections, packets, and bytes per source IP address and per IP protocol and
      destination port, and not cumulatively for this rule.

Examples

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
- This rule drops packets for all connections (-a d) that exceed the quota set by this rule,
  including packets for existing connections.
- This rule logs packets (-l r) that exceed the quota set by this rule.
  Note - The limit on the total number of log entries per second is configured with the
  fwaccel dos config set -n <rate> command.
- This rule expires in 3600 seconds (-t 3600).
- This rule limits the rate of creation of new connections to 5 connections per second
  (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range
  172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
- This rule is compiled and loaded on the SecureXL immediately, together with the other rules
  in the Suspicious Activity Monitoring (SAM) policy database, because it includes the
  "flush true" parameter.


Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol
  number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country
  with the specified country code (cc:QQ).
- The quota is zero (byte-rate 0), so every packet that matches this rule exceeds it and is
  logged. Because the action is Notify (-a n), the packets are still let through; with -a d,
  the same rule would drop all matching traffic.
- This rule is not compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from the source addresses ::FFFF:C0A8:1100/120
  (cidr:[::FFFF:C0A8:1100]/120), which is 192.168.17.0/24 written as IPv4-mapped IPv6
  addresses. The two source entries are separated by a comma.
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule is not compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:
- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 -
  172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule is not compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must
  delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that
  are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536, about 1%
  of all active connections through the Security Gateway (concurrent-conns-ratio 655).
- This rule counts connections, packets, and bytes separately for each source IP address
  (track source), and not cumulatively for the rule, so the 1% limit applies per source.
- This rule is not compiled and installed on the SecureXL immediately, because it does not
  include the "flush true" parameter.

fw sam_policy batch

Description
The "fw sam_policy batch" and "fw6 sam_policy batch" commands:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure
1. Start the batch mode
   - For IPv4, run:
     fw sam_policy batch << EOF
   - For IPv6, run:
     fw6 sam_policy batch << EOF
2. Enter the applicable commands
   - Enter one "add" or "del" command on each line, on as many lines as necessary. Start each line with only the "add" or "del" parameter (not with "fw samp").
   - Use the same set of parameters and values as described in these commands:
     - fw sam_policy add
     - fw sam_policy del
   - Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).
3. End the batch mode
   Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
[Expert@HostName]#

fw sam_policy del

Description
The "fw sam_policy del" and "fw6 sam_policy del" commands:
- Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
- Delete one configured Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'
    Specifies the UID of the rule you wish to delete.
    Important:
    - The quote marks and angle brackets ('<...>') are mandatory.
    - To see the Rule UID, run the "fw sam_policy get" command.

Procedure
1. List all the existing rules in the Suspicious Activity Monitoring policy database
   - For IPv4, run:
     fw sam_policy get
   - For IPv6, run:
     fw6 sam_policy get
   The rules show in this format:
   operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log=... name=... comment=... originator=... src_ip_addr=... req_tpe=...
   Example for IPv4:
   operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip
2. Delete a rule from the list by its UID
   - For IPv4, run:
     fw [-d] sam_policy del '<Rule UID>'
   - For IPv6, run:
     fw6 [-d] sam_policy del '<Rule UID>'
   Example for IPv4:
   fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'
3. Add the flush-only rule
   - For IPv4, run:
     fw samp add -t 2 quota flush true
   - For IPv6, run:
     fw6 samp add -t 2 quota flush true
   Explanation:
   The "fw samp del" and "fw6 samp del" commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compile and load a policy. To force the rule deletion immediately, you must enter a flush-only rule right after the "fw samp del" or "fw6 samp del" command. This flush-only rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

   Best Practice - Specify a short timeout period for the flush-only rules. This prevents accumulation of obsolete rules in the database.



fw sam_policy get

Description
The "fw sam_policy get" and "fw6 sam_policy get" commands:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l
    Controls how to print the rules:
    - In the default format (without "-l"), the output shows each rule on a separate line.
    - In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
    - See the "fw sam_policy add" command.

-u '<Rule UID>'
    Prints the rule specified by its Rule UID or its zero-based rule index.
    The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'
    Prints the rules with the specified predicate key.
    The quote marks are mandatory.

-t <Type>
    Prints the rules with the specified predicate type.
    For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}
    Prints the rules with the specified predicate values.
    The quote marks are mandatory.

-n
    Negates the condition specified by these predicate parameters:
    - -k
    - -t
    - +-v

Examples
Example 1 - Output in the default format

[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 2 - Output in the list format

[Expert@HostName:0]# fw samp get -l
uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID

[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
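To review captured "fw samp get" output off the gateway, here is an added Python example (not Check Point code) that parses the one-rule-per-line format shown in step 1 of "fw sam_policy del" and in the examples above, and reproduces the -k/-t in/-v/-n predicate filter and the -u lookup on that text. The sample output is re-typed from Example 4 above; the treatment of a rule that lacks the filtered key is an assumption.

```python
"""Parse and filter the default (one rule per line) output of "fw samp get".

Added example, not Check Point code. It reproduces the -k/-t in/-v/-n
predicate filter and the -u lookup on captured output, so rules can be
reviewed offline (for example, to list rules that never expire).
"""
from typing import Dict, Iterable, List, Optional

Rule = Dict[str, str]


def _split_unescaped(line: str) -> List[str]:
    """Split a rule line on spaces, honoring the backslash-space escapes
    that "fw samp get" uses inside values such as name=Test\\ Rule."""
    tokens: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in line.strip():
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == " ":
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_rule(line: str) -> Rule:
    """Turn one "operation=add uid=<...> ..." line into a key/value dict."""
    rule: Rule = {}
    for token in _split_unescaped(line):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"not a key=value token: {token!r}")
        rule[key] = value
    return rule


def parse_rules(output: str) -> List[Rule]:
    """Parse captured "fw samp get" output; prompts and the message
    "no corresponding SAM policy requests" are skipped."""
    return [parse_rule(line) for line in output.splitlines()
            if line.startswith("operation=")]


def filter_rules(rules: Iterable[Rule], key: str, values: Iterable[str],
                 negate: bool = False) -> List[Rule]:
    """Emulate: fw samp get -k '<key>' -t in -v '<value>' [-v ...] [-n]
    Assumption: a rule without the key does not match, so -n selects it."""
    wanted = set(values)
    return [r for r in rules if (r.get(key) in wanted) != negate]


def find_by_uid(rules: Iterable[Rule], uid: str) -> Optional[Rule]:
    """Emulate: fw samp get -u '<uid>' (uid given with its angle brackets)."""
    return next((r for r in rules if r.get("uid") == uid), None)


def rules_without_expiry(rules: Iterable[Rule]) -> List[Rule]:
    """Rules added without -t. The Best Practice above asks for an
    expiration on every rule, so these are the ones to review first."""
    return [r for r in rules if r.get("timeout") == "indefinite"]


# Captured output re-typed from Example 4 above, one rule per line.
SAMPLE_OUTPUT = """\
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_OUTPUT)
    # Same selection as: fw samp get -k 'service' -t in -v '6/80'
    for r in filter_rules(rules, "service", ["6/80"]):
        print("service 6/80:", r["uid"], r["action"])
    # Same selection as: fw samp get -k source -t in -v 'cc:QQ' -n
    for r in filter_rules(rules, "source", ["cc:QQ"], negate=True):
        print("source not cc:QQ:", r["uid"], r["action"])
    print("rules without expiry:", len(rules_without_expiry(rules)))
```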



fwm

Description
Performs various management operations and shows various management information.

Notes:
- For debug instructions, see the description of the fwm process in sk97638.
- On a Multi-Domain Server, you must run these commands in the context of the applicable Domain Management Server.

Syntax

fwm [-d]
      dbload <options>
      exportcert <options>
      fetchfile <options>
      fingerprint <options>
      getpcap <options>
      ikecrypt <options>
      load [<options>]
      logexport <options>
      mds <options>
      printcert <options>
      sic_reset
      snmp_trap <options>
      unload [<options>]
      ver [<options>]
      verify <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

dbload <options>
    Downloads the user database and network objects information to the specified targets.
    See "fwm dbload" on page 309.

exportcert <options>
    Exports a SIC certificate of the specified object to a file.
    See "fwm exportcert" on page 310.

fetchfile <options>
    Fetches a specified OPSEC configuration file from the specified source computer.
    See "fwm fetchfile" on page 311.

fingerprint <options>
    Shows the Check Point fingerprint.
    See "fwm fingerprint" on page 313.

getpcap <options>
    Fetches the IPS packet capture data from the specified Security Gateway.
    See "fwm getpcap" on page 315.

ikecrypt <options>
    Encrypts a secret with a key.
    See "fwm ikecrypt" on page 317.

load <options>
    This command is obsolete for R80 and higher.
    Use the "mgmt_cli" on page 362 command to load a policy to a managed Security Gateway.
    See "fwm load" on page 318.

logexport <options>
    Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.
    See "fwm logexport" on page 319.

mds <options>
    Shows information and performs various operations on Multi-Domain Server.
    See "fwm mds" on page 324.

printcert <options>
    Shows a SIC certificate's details.
    See "fwm printcert" on page 326.

sic_reset
    Resets SIC on the Management Server.
    See "fwm sic_reset" on page 332.

snmp_trap <options>
    Sends an SNMP Trap to the specified host.
    See "fwm snmp_trap" on page 333.

unload <options>
    Unloads the policy from the specified managed Security Gateways.
    See "fwm unload" on page 336.

ver <options>
    Shows the Check Point version of the Management Server.
    See "fwm ver" on page 340.

verify <options>
    This command is obsolete for R80 and higher.
    Use the "mgmt_cli" on page 362 command to verify a policy.
    See "fwm verify" on page 341.



fwm dbload

Description
Copies the user database and network objects information to specified managed servers with one or more Management Software Blades enabled.

Important - This command is obsolete for R80 and higher.
Use the API command "install-database" to install the database on the applicable servers.
See the Check Point Management API Reference.



fwm exportcert

Description
Exports a SIC certificate of the specified managed object to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file <Output File> [-withroot] [-pem]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<Name of Object>
    Specifies the name of the managed object, whose certificate you wish to export.

<Name of CA>
    Specifies the name of the Certificate Authority, whose certificate you wish to export.

<Output File>
    Specifies the name of the output file.

-withroot
    Exports the certificate's root in addition to the certificate's content.

-pem
    Saves the exported information in a text file.
    The default is to save it in a binary file.



fwm fetchfile

Description
Fetches a specified OPSEC configuration file from the specified source computer.
This command supports only the fwopsec.conf or fwopsec.v4x files.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-r <File>
    Specifies the file path relative to the fw1 directory.
    This command supports only these files:
    - conf/fwopsec.conf
    - conf/fwopsec.v4x

-d <Local Path>
    Specifies the local directory to save the fetched file.

<Source>
    Specifies the managed remote source computer, from which to fetch the file.
    Note - The local and the remote source computers must have established SIC trust.

Example

[Expert@MGMT:0]# fwm fetchfile -r "conf/fwopsec.conf" -d /tmp 192.168.3.52
Fetching conf/fwopsec.conf from 192.168.3.52...
Done
[Expert@MGMT:0]#



fwm fingerprint

Description
Shows the Check Point fingerprint.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fingerprint [-d]
      <IP address of Target> <SSL Port>
      localhost <SSL Port>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    The debug options are:
    - fwm -d
      Runs the complete debug of all fwm actions.
      For complete debug instructions, see the description of the fwm process in sk97638.
    - fingerprint -d
      Runs the debug only for the fingerprint actions.

<IP address of Target>
    Specifies the IP address of a remote managed computer.

<SSL Port>
    Specifies the SSL port number.
    The default is 443.

Example 1 - Showing the fingerprint on the local Management Server

[Expert@MGMT:0]# fwm fingerprint localhost 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

Example 2 - Showing the fingerprint from a managed Security Gateway

[Expert@MGMT:0]# fwm fingerprint 192.168.3.52 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.52,L=Locality Name (eg\, city)
#FINGER 5C:8E:4D:B9:B4:3A:58:F3:79:18:F1:70:99:8B:5F:2B
##
[Expert@MGMT:0]#



fwm getpcap

Description
Fetches the IPS packet capture data from the specified Security Gateway.
This command only works with IPS packet captures stored on the Security Gateway in the $FWDIR/log/captures_repository/ directory.
This command does not work with other Software Blades, such as Anti-Bot and Anti-Virus, that store packet captures in the $FWDIR/log/blob/ directory on the Security Gateway.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p <Local Path>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-g <Security Gateway>
    Specifies the main IP address or Name of the Security Gateway object as configured in SmartConsole.

-u '{<Capture UID>}'
    Specifies the Unique ID of the packet capture file.
    To see the Unique ID of the packet capture file, open the applicable log file in SmartConsole > Logs & Monitor > Logs.

-p <Local Path>
    Specifies the local path to save the specified packet capture file.
    If you do not specify the local directory explicitly, the command saves the packet capture file in the current working directory.

Example

[Expert@MGMT:0]# fwm getpcap -g 192.168.162.1 -u '{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}' /var/log/
[Expert@MGMT:0]#



fwm ikecrypt

Description
Encrypts the password of an Endpoint VPN Client user using IKE. The resulting string must then be stored in the LDAP database.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ikecrypt <Key> <Password>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<Key>
    Specifies the IKE Key as defined in the LDAP Account Unit properties window on the Encryption tab.

<Password>
    Specifies the password for the Endpoint VPN Client user.

Example

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword
OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#



fwm load

Description
Loads a policy on a managed Security Gateway.

Important - This command is obsolete for R80 and higher.
Use the API command "install-policy" to load a policy on a managed Security Gateway.
See the Check Point Management API Reference.



fwm logexport

Description
Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm logexport -h
fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>] [-i <Input File>] [-o <Output File>] [{-f | -e}] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-n] [-p] [-a] [-u <Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

-h
    Shows the built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-d <Delimiter> | -s
    Specifies the output delimiter between fields of log entries:
    - -d <Delimiter> - Uses the specified delimiter.
    - -s - Uses the ASCII character #255 (non-breaking space) as the delimiter.
    Note - If you do not specify the delimiter explicitly, the default is a semicolon (;).

-t <Table Delimiter>
    Specifies the output delimiter inside a table field.
    A table field looks like:
    ROWx:COL0,ROWx:COL1,ROWx:COL2, and so on
    Note - If you do not specify the table delimiter explicitly, the default is a comma (,).

-i <Input File>
    Specifies the name of the input log file.
    Notes:
    - This command supports only Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog).
    - If you do not specify the input log file explicitly, the command processes the active Security log file $FWDIR/log/fw.log.

-o <Output File>
    Specifies the name of the output file.
    Note - If you do not specify the output file explicitly, the command prints its output on the screen.

-f
    After reaching the end of the currently opened log file, specifies to continue to monitor the log file indefinitely and export the new entries as well.
    Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-e
    After reaching the end of the currently opened log file, continue to monitor the log file indefinitely and export the new entries as well.
    Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-x <Start Entry Number>
    Starts exporting the log entries from the specified log entry number and below, counting from the beginning of the log file.

-y <End Entry Number>
    Exports the log entries until the specified log entry number, counting from the beginning of the log file.

-z
    In case of an error (for example, a wrong field value), specifies to continue the export of log entries.
    The default behavior is to stop.

-n
    Specifies not to perform DNS resolution of the IP addresses in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-p
    Specifies not to perform resolution of the port numbers in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-a
    Exports only Account log entries.

-u <Unification Scheme File>
    Specifies the path and name of the log unification scheme file.
    The default log unification scheme file is: $FWDIR/conf/log_unification_scheme.C

-m {initial | semi | raw}
    Specifies the log unification mode:
    - initial - Complete unification of log entries. The command exports one unified log entry for each ID. This is the default.
      If you also specify the "-f" parameter, then the output does not export any updates, but exports only entries that relate to the start of new connections. To export updates as well, use the "semi" parameter.
    - semi - Step-by-step unification of log entries. For each log entry, exports an entry that unifies this entry with all previously encountered entries with the same ID.
    - raw - No log unification. Exports all log entries.



The output of the fwm logexport command appears in tabular format.
The first row lists the names of all log fields included in the log entries.
Each of the next rows consists of a single log entry, whose fields are sorted in the same order as the first row.
If a log entry has no information in a specific field, this field remains empty (as indicated by two successive semicolons ";;").
You can control which log fields appear in the command output:

1. Create the $FWDIR/conf/logexport.ini file:
   [Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini
2. Edit the $FWDIR/conf/logexport.ini file:
   [Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini
3. To include or exclude the log fields from the output, add these lines in the configuration file:
   [Fields_Info]
   included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
   excluded_fields = field10,field11
   Where:
   - You can specify only the included_fields parameter, only the excluded_fields parameter, or both.
   - The num field must always appear first. You cannot manipulate this field.
   - The <REST_OF_FIELDS> is an optional reserved token that refers to a list of fields.
     - If you specify the "-f" parameter, then the <REST_OF_FIELDS> is based on a list of fields from the $FWDIR/conf/logexport_default.C file.
     - If you do not specify the "-f" parameter, then the <REST_OF_FIELDS> is based on the input log file.
4. Save the changes in the file and exit the Vi editor.
5. Export the logs:
   fwm logexport <options>



fwm logexport

Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file has been switched to: MyLog.log;Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#
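The semicolon-separated layout above, with num always first, is easy to post-process. The following Python is an added example (not from the guide) that parses such an export, applies the same record-number selection as -x/-y, and pulls out the failed control events; the SAMPLE_EXPORT text is constructed with a shortened field list.

```python
import csv

# Constructed sample of "fwm logexport" output, with a shortened field list in
# the same layout as the guide's examples: a banner line, a ";"-separated
# header that starts with "num", then one record per line.
SAMPLE_EXPORT = """Starting... There are 4 log records in the file
num;date;time;orig;type;action;product;status;reason;Severity
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;VPN-1 & FireWall-1;;;
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;FG;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;Security Gateway/Management;Started;;1
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;Security Gateway/Management;Failed;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2
"""


def parse_logexport(text):
    """Return the records of an fwm logexport dump as a list of dicts.

    The header is the first line that begins with "num;" (num is always the
    first exported field); anything before it, such as the "Starting..."
    banner, is skipped.  Values are unquoted, so quoting is disabled to keep
    the double quotes inside the reason field verbatim.
    """
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("num;"))
    reader = csv.DictReader(lines[start:], delimiter=";", quoting=csv.QUOTE_NONE)
    records = []
    for row in reader:
        row["num"] = int(row["num"])
        records.append(row)
    return records


def select_range(records, first=None, last=None):
    """Equivalent of the -x/-y selection: keep records with first <= num <= last."""
    return [r for r in records
            if (first is None or r["num"] >= first)
            and (last is None or r["num"] <= last)]


def failed_control_events(records):
    """(num, reason) for control records whose status field reads 'Failed',
    e.g. the Contracts update failure in the guide's example."""
    return [(r["num"], r["reason"]) for r in records
            if r["type"] == "control" and r.get("status") == "Failed"]
```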


fwm mds

Description
- Shows the Check Point version of the Multi-Domain Server.
- Rebuilds status tree for Global VPN Communities.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS: mdsenv
- In the context of a Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] mds
      ver
      rebuild_global_communities_status {all | missing}

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in sk97638.

ver Shows the Check Point version of the Multi-Domain Server.

rebuild_global_communities_status Rebuilds status tree for Global VPN Communities:
- all - Rebuilds status tree for all Global VPN Communities.
- missing - Rebuilds status tree only for Global VPN Communities that do not have status trees.


Example

[Expert@MDS:0]# fwm mds ver
This is Check Point Multi-Domain Security Management R80.40 - Build 11
[Expert@MDS:0]#


fwm printcert

Description
Shows a SIC certificate's details.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] printcert
      -obj <Name of Object> [-cert <Certificate Nick Name>] [-verbose]
      -ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
      -f <Name of Binary Certificate File> [-verbose]


Parameters

Item Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in sk97638.

-obj <Name of Object> Specifies the name of the managed object, for which to show the SIC certificate information.

-cert <Certificate Nick Name> Specifies the certificate nick name.

-ca <CA Name> Specifies the name of the Certificate Authority.
Note - Check Point CA Name is internal_ca.

-x509 <Name of File> Specifies the name of the X.509 file.

-p Specifies to show the SIC certificate as a text file.

-f <Name of Binary Certificate File> Specifies the binary SIC certificate file to show.

-verbose Shows the information in verbose mode.


Examples
Example 1 - Showing the SIC certificate of a Management Server
[Expert@MGMT:0]# fwm printcert -ca internal_ca
Subject: O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Apr 8 13:41:00 2018 Local Time
Not Valid After: Fri Jan 1 05:14:07 2038 Local Time
Serial No.: 1
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint:
is CA
MD5 Fingerprint:
7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM
[Expert@MGMT:0]#


Example 2 - Showing the SIC certificate of a Management Server in verbose mode


[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: called
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: closing existing database
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] do_links_getver: strncmp failed. Returning -2
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] db_fetchkey: entering
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] PubKey:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Modulus:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45
f1 00 04 bc
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be
db 75 cc c8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c2 6d ff 3e aa fe f1 2b c3 0a b0 a2 a5 e0 a8 ab
45 cd 87 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ac c6 9f a4 a9 ba 30 79 08 fa 59 4c d2 dc 3d 36
ca 17 d7 c1
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] b2 a2 41 f5 89 0f 00 d4 2d f2 55 d2 30 a5 32 c7
46 7a 6b 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 29 0f 53 9f 35 42 91 e5 7d f7 30 6d bc b3 f2 ae
f3 f0 ed 88
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c4 d7 7d 0c 2d f6 5f c8 ed 9f 9a 57 54 79 d0 0f
0b 2f 9c 0d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 94 2e f0 f4 66 62 f7 ae 2e f8 8e 90 08 ba 63 85
b6 46 2f b7
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a7 01 29 9a 14 58 a8 ef eb 07 17 4e 95 8b 2f 48
5f d3 18 10
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 00 d5 03 d7 fd 45 45 ca 67 5b 34 be b8 00 ae
ea 9a cd 50
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] d6 e7 a2 81 86 78 11 d7 bf 04 9f 8b 43 3f f7 36
5f ed 31 a8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50
01 0f 86 9d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Exponent: 65537 (0x10001)
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52]
X509 Certificate Version 3
refCount: 1
Serial Number: 1
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy


[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MGMT:0]#


Example 3 - Showing the SIC certificate of a managed Cluster object


[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.3.244
CRL distribution points:
http://192.168.3.240:18264/ICA_CRL2.crl
CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
[Expert@MGMT:0]#


Example 4 - Showing the SIC certificate of a managed Cluster object in verbose mode
[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: called
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: closing existing database
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] do_links_getver: strncmp failed. Returning -2

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering


[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 1 certificates
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] PubKey:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Modulus:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] df 35 c3 45 ca 42 16 6e 21 9e 31 af c1 fd 20 0a
3d 5b 6f 5d
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] e0 a2 0c 0e fa fa 5e e5 91 9d 4e 73 77 fa db 86
0b 5e 5d 0c
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] ce af 4a a4 7b 30 ed b0 43 7d d8 93 c5 4b 01 f4
3d b5 d8 f4
... ... ...
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 34 b1 db ac 18 4f 11 bd d2 fb 26 7d 23 74 5c d9
00 a1 58 1e
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 60 7c 83 44 fa 1e 1e 86 fa ad 98 f7 df 24 4a 21
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Exponent: 65537 (0x10001)
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45]
X509 Certificate Version 3
refCount: 1
Serial Number: 85021
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Jun 3 19:58:19 2018 Local Time
Not valid after: Sat Jun 3 19:58:19 2023 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Subject Alternate names:
IP: 192.168.3.244
Basic Constraint:
not CA
CRL distribution Points:
URI: http://192.168.3.240:18264/ICA_CRL2.crl
DN: CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy


[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager: called.
*****
[Expert@MGMT:0]#
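An added example (not from the guide) that parses the non-verbose printcert output shown in Examples 1 and 3 and audits the certificate the way a SIC certificate review would: validity window, CA flag versus keyCertSign, and self-signed end-entity certificates. The sample text is constructed from Example 3; the parser assumes the non-verbose layout (the verbose "Basic Constraint (Critical):" variant is not handled).

```python
from datetime import datetime

# Constructed sample in the layout of the guide's Example 3
# ("fwm printcert -obj <Name>", non-verbose output of a cluster object).
SAMPLE_PRINTCERT = """printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Jun  3 19:58:19 2018 Local Time
Not Valid After: Sat Jun  3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
*****
"""

# Single-line fields and multi-line sections as they appear in the output.
KEYS = ("Subject", "Issuer", "Not Valid Before", "Not Valid After",
        "Serial No.", "Public Key", "Signature")
SECTIONS = ("Subject Alternate Names", "CRL distribution points", "Key Usage",
            "Basic Constraint", "MD5 Fingerprint", "SHA-1 Fingerprints")


def parse_printcert(text):
    """Parse one printed certificate into a dict: KEYS map to strings,
    SECTIONS map to the list of lines printed under them."""
    cert = {name: [] for name in SECTIONS}
    section = None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse ctime-style padding
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        elif line.split(":", 1)[0] in KEYS:
            key, value = line.split(":", 1)
            cert[key] = value.strip()
            section = None
        elif section is not None:
            cert[section].append(line)
    return cert


def parse_validity(value):
    """'Sat Jun 3 19:58:19 2023 Local Time' -> naive datetime."""
    return datetime.strptime(value.replace(" Local Time", ""),
                             "%a %b %d %H:%M:%S %Y")


def audit_certificate(cert, now, warn_days=90):
    """Findings a SIC certificate review would raise for the parsed cert."""
    findings = []
    not_before = parse_validity(cert["Not Valid Before"])
    not_after = parse_validity(cert["Not Valid After"])
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    elif (not_after - now).days < warn_days:
        findings.append(f"expires within {warn_days} days")
    is_ca = "is CA" in cert["Basic Constraint"]
    if is_ca and "keyCertSign" not in cert["Key Usage"]:
        findings.append("CA certificate without keyCertSign")
    if not is_ca and "keyCertSign" in cert["Key Usage"]:
        findings.append("end-entity certificate with keyCertSign")
    if not is_ca and cert["Subject"] == cert["Issuer"]:
        findings.append("self-signed end-entity certificate")
    return findings
```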


fwm sic_reset

Description
Resets SIC on the Management Server.
For detailed procedure, see sk65764: How to reset SIC.

Warning:
- Before you run this command, take a Gaia Snapshot and a full backup of the Management Server.
  This command resets SIC between the Management Server and all its managed objects.
- This operation breaks trust in all Internal CA certificates and SIC trust across the managed environment.
  Therefore, we do not recommend it at all, except for real disaster recovery.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] sic_reset

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in
sk97638.


fwm snmp_trap

Description
Sends an SNMPv1 Trap to the specified host.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>
- On a Multi-Domain Server, the SNMP Trap packet is sent from the IP address of the Leading Interface.

Syntax

fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s <Specific Trap Number>] [-p <Source Port>] [-c <SNMP Community>] <Target> ["<Message>"]


Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in sk97638.

-v <SNMP OID> Specifies an optional SNMP OID to bind with the message.

-g <Generic Trap Number> Specifies the generic trap number.
One of these values:
- 0 - For coldStart trap
- 1 - For warmStart trap
- 2 - For linkDown trap
- 3 - For linkUp trap
- 4 - For authenticationFailure trap
- 5 - For egpNeighborLoss trap
- 6 - For enterpriseSpecific trap (this is the default value)

-s <Specific Trap Number> Specifies the unique trap type.
Valid only if the generic trap value is 6 (for enterpriseSpecific).
Default value is 0.

-p <Source Port> Specifies the source port, from which to send the SNMP Trap packets.

-c <SNMP Community> Specifies the SNMP community.

<Target> Specifies the managed target host, to which to send the SNMP Trap packets.
Enter an IP address or a resolvable hostname.

"<Message>" Specifies the SNMP Trap text message.


Example - Sending an SNMP Trap from a Management Server and capturing the traffic on
the Security Gateway

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public 192.168.3.52 "My Trap Message"
[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host 192.168.3.51
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:49:43.891287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 103)
192.168.3.51.53450 > MyGW_192.168.3.52.snmptrap: [udp sum ok] { SNMPv1 { Trap(58) E:2620.1.1
192.168.3.240 linkDown 1486440 E:2620.1.1.11.0="My Trap Message" } }
Pressed CTRL+C
[Expert@MyGW_192.168.3.52:0]#
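The capture above shows what the trap looks like on the wire: SNMPv1, community public, enterprise 2620.1.1, generic trap 2 (linkDown), and a single varbind carrying the message. The following Python is an added example (not Check Point code) that builds that message with a minimal BER encoder and decodes it again, which is what a trap receiver or IDS parser has to do; it assumes plain RFC 1157 encoding and a specific trap number of 0, the -s default.

```python
# Generic trap numbers 0..6 as listed for the -g parameter.
GENERIC_TRAPS = ("coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific")
CHECKPOINT_ENTERPRISE = "1.3.6.1.4.1.2620.1.1"   # printed as E:2620.1.1 by tcpdump


def tlv(tag, body):
    """BER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def enc_int(value, tag=0x02):
    """Minimal two's-complement INTEGER; tag 0x43 gives TimeTicks."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(size, "big", signed=True))


def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                 # base-128 digits, high bit = "more"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_snmpv1_trap(community, enterprise, agent_addr, generic, specific,
                      uptime, varbinds):
    """SNMPv1 Message { version 0, community, Trap-PDU [4] } per RFC 1157."""
    vbs = b"".join(tlv(0x30, enc_oid(oid) + tlv(0x04, val.encode()))
                   for oid, val in varbinds)
    pdu = (enc_oid(enterprise)
           + tlv(0x40, bytes(int(o) for o in agent_addr.split(".")))   # IpAddress
           + enc_int(generic) + enc_int(specific) + enc_int(uptime, 0x43)
           + tlv(0x30, vbs))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))


def read_tlv(buf, pos):
    # Returns (tag, body, position after the element).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmpv1_trap(msg):
    """Decode a trap into the fields tcpdump printed (the receiver's view)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02 or int.from_bytes(ver, "big", signed=True) != 0:
        raise ValueError("not SNMPv1")
    _, community, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if tag != 0xA4:
        raise ValueError("not a Trap-PDU")
    fields, pos = [], 0
    while pos < len(pdu):
        _, field, pos = read_tlv(pdu, pos)
        fields.append(field)
    ent, addr, gen, spec, ticks, vbs = fields
    varbinds, pos = [], 0
    while pos < len(vbs):
        _, vb, pos = read_tlv(vbs, pos)
        _, oid, q = read_tlv(vb, 0)
        _, val, _ = read_tlv(vb, q)
        varbinds.append((dec_oid(oid), val.decode()))
    return {
        "community": community.decode(),
        "enterprise": dec_oid(ent),
        "agent_addr": ".".join(str(o) for o in addr),
        "generic_trap": GENERIC_TRAPS[int.from_bytes(gen, "big", signed=True)],
        "specific_trap": int.from_bytes(spec, "big", signed=True),
        "uptime": int.from_bytes(ticks, "big"),
        "varbinds": varbinds,
    }


def example_trap():
    """The trap from the guide's example: -g 2 (linkDown), -c public, agent
    192.168.3.240, sysUpTime 1486440, message bound to E:2620.1.1.11.0."""
    return build_snmpv1_trap("public", CHECKPOINT_ENTERPRISE, "192.168.3.240",
                             2, 0, 1486440,
                             [(CHECKPOINT_ENTERPRISE + ".11.0", "My Trap Message")])
```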


fwm unload

Description
Unloads the policy from the specified managed Security Gateways or Cluster Members.

Warning:
1. The fwm unload command prevents all traffic from passing through the Security Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the specified Security Gateway (Cluster Member).
2. The fwm unload command removes all policies from the specified Security Gateway (Cluster Member).
   This means that the Security Gateway (Cluster Member) accepts all incoming connections destined to all active interfaces without any filtering or protection enabled.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>
- If it is necessary to remove the current policy, but keep the Security Gateway (Cluster Member) protected, then run the "comp_init_policy" on page 913 command on the Security Gateway (Cluster Member).
- To load the policies on the Security Gateway (Cluster Member), run one of these commands on the Security Gateway (Cluster Member), or reboot:
  - "fw fetch" on page 1048
  - "cpstart" on page 957
- In addition, see the "fw unloadlocal" on page 1161 command.

Syntax

fwm [-d] unload <GW1> <GW2> ... <GWN>


Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process
in sk97638.

<GW1> <GW2> ... <GWN> Specifies the managed Security Gateways by their main IP address or Object Name as configured in SmartConsole.


Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall
Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#


[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall
Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#


fwm ver

Description
Shows the Check Point version of the Security Management Server.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS: mdsenv
- In the context of a Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ver [-f <Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.
For complete debug instructions, see the description of the fwm
process in sk97638.

-f <Output File> Specifies the name of the output file, in which to save this information.

Example

[Expert@MGMT:0]# fwm ver
This is Check Point Security Management Server R80.40 - Build 11
[Expert@MGMT:0]#


fwm verify
Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 362 command to verify a policy on a managed Security Gateway.

Description
Verifies the specified policy package without installing it.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] verify <Policy Name>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process
in sk97638.

<Policy Name> Specifies the name of the policy package as configured in SmartConsole.

Example

[Expert@MGMT:0]# fwm verify Standard
Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#


inet_alert
Description
Notifies an Internet Service Provider (ISP) when a company's corporate network is under
attack. This command forwards log messages generated by the alert daemon on your Check
Point Security Gateway to an external Management Station. This external Management
Station is usually located at the ISP site. The ISP can then analyze the alert and react
accordingly.
This command uses the Event Logging API (ELA) protocol to send the alerts. The
Management Station receiving the alert must be running the ELA Proxy.

If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must
be performed between the external Management Station running the ELA Proxy at the ISP site
and the Check Point Security Gateway generating the alert.

Procedure

Step Instructions

1 Connect with SmartConsole to the applicable Security Management Server or Domain Management Server, which manages the applicable Security Gateway that should forward log messages to an external Management Station.

2 From the top left Menu, click Global properties.

3 Click on the [+] near the Log and Alert and click Alerts.

4 Clear the Send user defined alert no. 1 to SmartView Monitor.

5 Select the next option Run UserDefined script under the above.

6 Enter the applicable inet_alert syntax (see the Syntax section below).

7 Click OK.

8 Install the Access Control Policy on the applicable Security Gateway.


Syntax

inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f <Token> <Value>] [-m <Alert Type>]

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>

Parameters

Parameter Description

-s <IP Address> The IPv4 address of the ELA Proxy (usually located at the ISP site).

-o Prints the alert log received to stdout.
Use this option when inet_alert is part of a pipe syntax (<some command> | inet_alert ...).

-a <Auth Type> Specifies the type of connection to the ELA Proxy.
One of these values:
- ssl_opsec - The connection is authenticated and encrypted (this is the default).
- auth_opsec - The connection is authenticated.
- clear - The connection is neither authenticated, nor encrypted.

-p <Port> Specifies the port number on the ELA proxy. Default port is 18187.

-f <Token> <Value> A field to be added to the log, represented by a <Token> <Value> pair as follows:
- <Token> - The name of the field to be added to the log. Cannot contain spaces.
- <Value> - The field's value. Cannot contain spaces.
This option can be used multiple times to add multiple <Token> <Value> pairs to the log.


-m <Alert Type> The alert to be triggered at the ISP site.
This alert overrides the alert specified in the log message generated by the alert daemon.
The response to the alert is handled according to the actions specified in the ISP Security Policy:
These alerts execute the OS commands:
- alert - Popup alert command
- mail - Mail alert command
- snmptrap - SNMP trap alert command
- spoofalert - Anti-Spoof alert command
These NetQuota and ServerQuota alerts execute the OS commands specified in the $FWDIR/conf/objects.C file:
value=clientquotaalert. Parameter=clientquotaalertcmd

Exit Status

Exit Status Description

0 Execution was successful.

102 Undetermined error.

103 Unable to allocate memory.

104 Unable to obtain log information from stdin

106 Invalid command line arguments.

107 Failed to invoke the OPSEC API.

Example
inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies to perform these actions in the event of an attack:
- Establish a clear connection with the ELA Proxy located at IP address 10.0.2.4
- Send a log message to the specified ELA Proxy. Set the product field of this log message to cads
- Trigger the OS command specified in the SmartConsole > Menu > Global properties > Log and Alert > Popup Alert Command field.


ldapcmd
Description
This is an LDAP utility that controls these features:

Feature Description

Cache LDAP cache operations, such as emptying the cache, as well as providing debug information.

Statistics LDAP search statistics, such as:
- All user searches
- Pending lookups (when two or more lookups are identical)
- Total lookup time (the total search time for a specific lookup)
- Cache statistics such as hits and misses
These statistics are saved in the $FWDIR/log/ldap_pid_<Process PID>.stats file.

Logging View the alert and warning logs.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcmd [-d <Debug Level>] -p {<Process Name> | all} <Command>


Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified TDERROR debug level.
Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-p {<Process Name> | all} Runs on a specified Check Point process, or all supported Check Point processes.

<Command> One of these commands:
- cacheclear {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
  - all - Clears cache for all objects
  - UserCacheObject - Clears cache for user objects
  - TemplateCacheObject - Clears cache for template objects
  - TemplateExtGrpCacheObject - Clears cache for external template group objects
- cachetrace {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
  - all - Traces cache for all objects
  - UserCacheObject - Traces cache for user objects
  - TemplateCacheObject - Traces cache for template objects
  - TemplateExtGrpCacheObject - Traces cache for external template group objects
- log {on | off}
  - on - Creates LDAP logs
  - off - Does not create LDAP logs
- stat {<Print Interval in Sec> | 0}
  - <Print Interval in Sec> - How frequently to collect the statistics
  - 0 - Stops collecting the statistics


ldapcompare
Description
This is an LDAP utility that performs compare queries and prints a message whether the result
returned a match or not.
This utility opens a connection to an LDAP directory server, binds, and performs the
comparison specified on the command line or from a specified file.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute> <Value> | <Attribute> <Base64 Value>}

Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified TDERROR debug level.
Valid values are from 0 (disabled) to 5 (maximal level, recommended).

<Options> See the tables below:
- Compare options
- Common options

<DN> Specifies the Distinguished Name.

<Attribute> Specifies the assertion attribute.

<Value> Specifies the assertion value.

<Base64 Value> Specifies the Base64 encoding of the assertion value.


Compare options

Option Description

-E [!]<Extension>[=<Extension Parameter>] Specifies the compare extensions.
Note - The exclamation sign "!" indicates criticality.
For example: !dontUseCopy = Do not use Copy

-M Enables the Manage DSA IT control.
Use the "-MM" option to make it critical.

-P <LDAP Protocol Version> Specifies the LDAP protocol version. Default version is 3.

-z Enables the quiet mode.
The command does not print anything. You can use the command return values.

Common options

Option Description

-D <Bind DN> Specifies the LDAP Server administrator Distinguished Name.


-e [!]<Extension>[=<Extension Parameter>] Specifies the general extensions:
Note - The exclamation sign "!" indicates criticality.
- [!]assert=<Filter>
  RFC 4528; an RFC 4515 filter string
- [!]authzid=<Authorization ID>
  RFC 4370; either "dn:<DN>", or "u:<Username>"
- [!]chaining[=<Resolve Behavior>[/<Continuation Behavior>]]
  One of these:
  - "chainingPreferred"
  - "chainingRequired"
  - "referralsPreferred"
  - "referralsRequired"
- [!]manageDSAit
  RFC 3296
- [!]noop
- ppolicy
- [!]postread[=<Attributes>]
  RFC 4527; a comma-separated list of attributes
- [!]preread[=<Attributes>]
  RFC 4527; a comma-separated list of attributes
- [!]relax
- abandon
  SIGINT sends the abandon signal; if critical, does not wait for SIGINT. Not really controls.
- cancel
  SIGINT sends the cancel signal; if critical, does not wait for SIGINT. Not really controls.
- ignore
  SIGINT ignores the response; if critical, does not wait for SIGINT. Not really controls.

-h <LDAP Server> Specifies the LDAP Server computer by its IP address or resolvable hostname.

-H <LDAP URI> Specifies the LDAP Server Uniform Resource Identifier(s).

-I Specifies to use the SASL Interactive mode.

-n Dry run - shows what would be done, but does not actually do it.


-N Specifies not to use the reverse DNS to canonicalize SASL host name.

-o <Option>[=<Option Parameter>] Specifies the general options:
nettimeout={<Timeout in Sec> | none | max}

-O <Properties> Specifies the SASL security properties.

-p <LDAP Server Port> Specifies the LDAP Server port. Default is 389.

-Q Specifies to use the SASL Quiet mode.

-R <Realm> Specifies the SASL realm.

-U <Authentication Identity> Specifies the SASL authentication identity.

-v Runs in verbose mode (prints the diagnostics to stdout).

-V Prints version information (use the "-VV" option only).

-w <LDAP Admin Password> Specifies the LDAP Server administrator password (for simple authentication).

-W Specifies to prompt the user for the LDAP Server administrator password.

-x Specifies to use simple authentication.

-X <Authorization Identity> Specifies the SASL authorization identity (either "dn:<DN>", or "u:<Username>" option).

-y <File> Specifies to read the LDAP Server administrator password from the <File>.

-Y <SASL Mechanism> Specifies the SASL mechanism.

-Z Specifies to start the TLS request.
Use the "-ZZ" option to require successful response.


ldapmemberconvert
Description
This is an LDAP utility that ports from the "Member" attribute values in LDAP group entries to the "MemberOf" attribute values in LDAP member (User or Template) entries.
This utility converts the LDAP server data to work in either the "MemberOf" mode, or "Both" mode. The utility searches through all specified group or template entries that hold one or more "Member" attribute values and modifies each value. The utility searches through all specified group/template entries and fetches their "Member" attribute values.
Each value is the DN of a member entry. The entry identified by this DN is added to the "MemberOf" attribute value of the group/template DN at hand. In addition, the utility deletes those "Member" attribute values from the group/template, unless you run the command in the "Both" mode.
When you run the command, it creates a log file ldapmemberconvert.log in the current working directory. The command logs all modifications done and errors encountered in that log file.

Important - Back up the LDAP server database before you run this conversion utility.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP Server Port>
    -D <LDAP Admin DN> -w <LDAP Admin Password> -m <Member Attribute Name>
    -o <MemberOf Attribute Name> -c <Member ObjectClass Value> [-B]
    [-f <File> | -g <Group DN>] [-L <LDAP Server Timeout>] [-M <Number of Updates>]
    [-S <Size>] [-T <LDAP Client Timeout>] [-Z]

Parameters

Parameter                   Description

-d <Debug Level>            Runs the command in debug mode with the specified TDERROR debug level.
                            Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>            Specifies the LDAP Server computer by its IP address or resolvable hostname.
                            If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>       Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>          Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>    Specifies the LDAP Server administrator password.

-m <Member Attribute Name>  Specifies the LDAP attribute name when fetching and (possibly) deleting a group
                            "Member" attribute value.

-o <MemberOf Attribute Name>
                            Specifies the LDAP attribute name for adding an LDAP "MemberOf" attribute value.

-c <Member ObjectClass Value>
                            Specifies the LDAP "ObjectClass" attribute value that defines which type of member
                            to modify.
                            You can specify multiple attribute values with this syntax:
                            -c <Member Object Class 1> -c <Member Object Class 2> ... -c <Member Object Class N>

-B                          Specifies to run in "Both" mode.

-f <File>                   Specifies the file that contains a list of Group DNs separated by a new line:
                            <Group DN 1>
                            <Group DN 2>
                            ...
                            <Group DN N>
                            Length of each line is limited to 256 characters.


-g <Group DN>               Specifies the Group or Template Distinguished Name, on which to perform the
                            conversion.
                            You can specify multiple Group DNs with this syntax:
                            -g <Group DN 1> -g <Group DN 2> ... -g <Group DN N>

-L <LDAP Server Timeout>    Specifies the Server side time limit for LDAP operations, in seconds.
                            Default is "never".

-M <Number of Updates>      Specifies the maximal number of simultaneous member LDAP updates.
                            Default is 20.

-S <Size>                   Specifies the Server side size limit for LDAP operations, in number of entries.
                            Default is "none".

-T <LDAP Client Timeout>    Specifies the Client side timeout for LDAP operations, in milliseconds.
                            Default is "never".

-Z                          Specifies to use SSL connection.

Notes
There are two "GroupMembership" modes. You must keep these modes consistent:
- template-to-groups
- user-to-groups

For example, if you apply the conversion on LDAP users to include the "MemberOf" attributes for
their groups, then this conversion also has to be applied on the LDAP-defined templates for their
groups.

Troubleshooting
Symptom:
A command fails with an error message stating the connection stopped unexpectedly when
you run it with the parameter -M <Number of Updates>.
Root Cause:
The LDAP server could not handle that many LDAP requests simultaneously and closed the
connection.
Solution:
Run the command again with a lower value for the "-M" parameter. The default value should
be adequate, but can also cause a connection failure in extreme situations. Continue to reduce
the value until the command runs normally. Each time you run the command with the same set
of groups, the command continues from where it left off.

Examples
Example 1

A group is defined with the DN "cn=cpGroup,ou=groups,ou=cp,c=us" and these attributes:

...
cn=cpGroup
uniquemember="cn=member1,ou=people,ou=cp,c=us"
uniquemember="cn=member2,ou=people,ou=cp,c=us"
...

For the two member entries:

...
cn=member1
objectclass=fw1Person
...

and:

...
cn=member2
objectclass=fw1Person
...

Run:
[Expert@MGMT:0]# ldapmemberconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person

The result for the group DN is:

...
cn=cpGroup
...

The result for the two member entries is:

...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

and:

...
cn=member2
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

If you run the same command with the "-B" parameter, it produces the same result, but the
group entry is not modified.

Example 2

If there is another member attribute value for the same group entry:

uniquemember="cn=template1,ou=people, ou=cp,c=us"

and the template is:

cn=template1
objectclass=fw1Template

Then after running the same command, the template entry stays intact, because the
parameter "-c fw1Person" was given, but the object class of "template1" is "fw1Template".
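The conversion that Examples 1 and 2 describe, run over a constructed in-memory directory. This is an added illustration, not Check Point's ldapmemberconvert code; it assumes lowercase attribute keys, case-insensitive objectClass matching, and that a "Member" value is deleted from the group only after the member entry it points to was actually converted.

```python
"""Model of the ldapmemberconvert conversion over an in-memory directory.

Added illustration, not Check Point code. The directory is a constructed dict
DN -> {attribute: [values]} with lowercase attribute names. Assumptions:
- objectClass values are compared case-insensitively, as LDAP does;
- a "Member" value is removed from the group only when the member entry it
  points to was converted (a member whose objectClass matches no -c value,
  such as the fw1Template entry in Example 2, is left untouched).
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

GROUP_DN = "cn=cpGroup,ou=groups,ou=cp,c=us"


def convert_group(directory: Directory, group_dn: str, member_attr: str,
                  memberof_attr: str, member_classes: List[str],
                  both_mode: bool = False) -> List[str]:
    """Port one group's Member values to MemberOf values on the member entries.

    Mirrors: ldapmemberconvert -g <group_dn> -m <member_attr> -o <memberof_attr>
             -c <class> [-c <class> ...] [-B]
    Returns the lines such a run would write to ldapmemberconvert.log.
    """
    log: List[str] = []
    group = directory.get(group_dn)
    if group is None:
        log.append(f"ERROR: group entry {group_dn} not found")
        return log
    wanted = {c.lower() for c in member_classes}
    converted: List[str] = []
    for member_dn in group.get(member_attr, []):
        member = directory.get(member_dn)
        if member is None:
            # dangling reference: logged, nothing modified
            log.append(f"ERROR: member entry {member_dn} not found")
            continue
        classes = {c.lower() for c in member.get("objectclass", [])}
        if not classes & wanted:
            log.append(f"SKIP: {member_dn} objectclass not in {sorted(wanted)}")
            continue
        memberof = member.setdefault(memberof_attr, [])
        if group_dn not in memberof:  # idempotent: a rerun continues where it left off
            memberof.append(group_dn)
            log.append(f"ADD: {memberof_attr}={group_dn} to {member_dn}")
        converted.append(member_dn)
    if both_mode:
        log.append(f"INFO: -B given, {group_dn} keeps its {member_attr} values")
        return log
    # "MemberOf" mode: the converted Member values leave the group entry
    remaining = [v for v in group.get(member_attr, []) if v not in converted]
    for dn in converted:
        log.append(f"DELETE: {member_attr}={dn} from {group_dn}")
    if remaining:
        group[member_attr] = remaining
    else:
        group.pop(member_attr, None)
    return log


def example_directory() -> Directory:
    """Constructed entries matching Examples 1 and 2 of the guide."""
    people = "ou=people,ou=cp,c=us"
    return {
        GROUP_DN: {
            "cn": ["cpGroup"],
            "uniquemember": [f"cn=member1,{people}", f"cn=member2,{people}",
                             f"cn=template1,{people}"],
        },
        f"cn=member1,{people}": {"cn": ["member1"], "objectclass": ["fw1Person"]},
        f"cn=member2,{people}": {"cn": ["member2"], "objectclass": ["fw1Person"]},
        f"cn=template1,{people}": {"cn": ["template1"], "objectclass": ["fw1Template"]},
    }


def run_example(both_mode: bool = False) -> Tuple[Directory, List[str]]:
    """Equivalent of the Example 1 command line (-m uniquemember -o memberof -c fw1Person)."""
    directory = example_directory()
    log = convert_group(directory, GROUP_DN, "uniquemember", "memberof",
                        ["fw1Person"], both_mode)
    return directory, log


if __name__ == "__main__":
    for both in (False, True):
        directory, log = run_example(both)
        print(f"--- -B={'yes' if both else 'no'} ---")
        print("\n".join(log))
        print(directory[GROUP_DN])
```

Running the block prints the log for both modes: with -B the group keeps all three uniquemember values, without it only the unconverted template1 reference remains on the group.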

ldapmodify
Description
This is an LDAP utility that imports users to an LDAP server. The input file must be in the LDIF
format.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmodify [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Server Port>]
    [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-a] [-b] [-c] [-F] [-k]
    [-n] [-r] [-v] [-T <LDAP Client Timeout>] [-Z] [-f <Input File>.ldif | < <Entry>]

Parameters

Parameter                   Description

-d <Debug Level>            Runs the command in debug mode with the specified TDERROR debug level.
                            Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>            Specifies the LDAP Server computer by its IP address or resolvable hostname.
                            If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>       Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>          Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>    Specifies the LDAP Server administrator password.


-a                          Specifies that this is the LDAP "add" operation.

-b                          Specifies to read values from files (for binary attributes).

-c                          Specifies to ignore errors during continuous operation.

-F                          Specifies to force changes on all records.

-k                          Specifies the Kerberos bind.

-K                          Specifies the Kerberos bind, part 1 only.

-n                          Specifies to print the LDAP "add" operations, but not actually perform them.

-r                          Specifies to replace values, instead of adding values.

-v                          Specifies to run in verbose mode.

-T <LDAP Client Timeout>    Specifies the Client side timeout for LDAP operations, in milliseconds.
                            Default is "never".

-Z                          Specifies to use SSL connection.

-f <Input File>.ldif        Specifies to read from the <Input File>.ldif file.
                            The input file must be in the LDIF format.

< <Entry>                   Specifies to read the entry from the stdin.
                            The "<" character is a mandatory part of the syntax.
                            It specifies that the input comes from the standard input (from the data you
                            enter on the screen).

ldapsearch
Description
This is an LDAP utility that queries an LDAP directory and returns the results.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapsearch [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Port>]
    [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-A] [-B] [-b <Base DN>]
    [-F <Separator>] [-l <LDAP Server Timeout>] [-s <Scope>] [-S <Sort Attribute>]
    [-t] [-T <LDAP Client Timeout>] [-u] [-z <Number of Search Entries>] [-Z]
    <Filter> [<Attributes>]

Parameters

Parameter                   Description

-d <Debug Level>            Runs the command in debug mode with the specified TDERROR debug level.
                            Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>            Specifies the LDAP Server computer by its IP address or resolvable hostname.
                            If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Port>              Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>          Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>    Specifies the LDAP Server administrator password.

-A                          Specifies to retrieve attribute names only, without values.


-B                          Specifies not to suppress the printing of non-ASCII values.

-b <Base DN>                Specifies the Base Distinguished Name (DN) for the search.

-F <Separator>              Specifies the print separator character between attribute names and their values.
                            The default separator is the equal sign (=).

-l <LDAP Server Timeout>    Specifies the Server side time limit for LDAP operations, in seconds.
                            Default is "never".

-s <Scope>                  Specifies the search scope. One of these:
                            - base
                            - one
                            - sub

-S <Sort Attribute>         Specifies to sort the results by the values of this attribute.

-t                          Specifies to write values to files in the /tmp/ directory.
                            Writes each <attribute>-<value> pair to a separate file named:
                            /tmp/ldapsearch-<Attribute>-<Value>
                            For example, for the fw1color attribute with the value a00188, the command
                            writes to the file named:
                            /tmp/ldapsearch-fw1color-a00188

-T <LDAP Client Timeout>    Specifies the Client side timeout for LDAP operations, in milliseconds.
                            Default is "never".

-u                          Specifies to show user-friendly entry names in the output.
                            For example:
                            shows cn=Babs Jensen, users, omi
                            instead of cn=Babs Jensen, cn=users,cn=omi

-z <Number of Search Entries>
                            Specifies the maximal number of entries to search on the LDAP Server.

-Z                          Specifies to use SSL connection.

<Filter>                    LDAP search filter compliant with RFC-1558.
                            For example:
                            objectclass=fw1host


<Attributes>                Specifies the list of attributes to retrieve.
                            If you do not specify attributes explicitly, then the command retrieves all
                            attributes.

Example
[Expert@MGMT:0]# ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

With this syntax, the command:

1. Connects to the LDAP Server on port 18185.
2. Connects to the LDAP Server with the Base DN "cn=omi".
3. Queries the LDAP directory for "fw1host" objects.
4. For each object found, prints the value of its "objectclass" attribute.

mgmt_cli
Description
The mgmt_cli tool works directly with the management database on your Management
Server.

Syntax on Management Server or Security Gateway running on Gaia OS

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 32-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 64-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Notes
- For a complete list of the mgmt_cli options, enter the mgmt_cli (mgmt_cli.exe)
  command and press Enter.
- For more information, see the Check Point Management API Reference.

migrate
Important - This command is used to migrate the management database from R80.10
and lower versions.
For more information, see the R80.40 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:

- To back up and restore a consistent environment, make sure to collect and
  restore the backups and snapshots from all servers in the High Availability
  environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the
  backup operation is completed.
For more information:
- About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:
- You must run this command from the Expert mode.
- If it is necessary to back up the current management database, and you do not
  plan to import it on a Management Server that runs a higher software version,
  then you can use the built-in command in the $FWDIR/bin/upgrade_tools/ directory.
- If you plan to import the management database on a Management Server that
  runs a higher software version, then you must use the migrate utility from the
  migration tools package created specifically for that higher software version.
  See the Installation and Upgrade Guide for that higher software version.
- If this command completes successfully, it creates this log file:
  /var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_HH.MM.SS>.log
  For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
- If this command fails, it creates this log file:
  $CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
  For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log

Syntax
- To see the built-in help:

  [Expert@MGMT:0]# ./migrate -h

- To export the management database and configuration:

  [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
  [Expert@MGMT:0]# yes | nohup ./migrate export [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File> &

- To import the management database and configuration:

  [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
  [Expert@MGMT:0]# yes | nohup ./migrate import [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz &

Parameters

Parameter                   Description

-h                          Shows the built-in help.

yes | nohup ./migrate ... & This syntax:
                            1. Sends the "yes" input to the interactive "migrate" command through the pipeline.
                            2. The "nohup" forces the "migrate" command to ignore the hangup signals from the
                               shell.
                            3. The "&" forces the command to run in the background.
                            As a result, when the CLI session closes, the command continues to run in the
                            background.
                            See:
                            - sk133312
                            - https://linux.die.net/man/1/bash
                            - https://linux.die.net/man/1/nohup

export                      Exports the management database and applicable Check Point configuration.

import                      Imports the management database and applicable Check Point configuration that
                            were exported from another Management Server.


-l                          Exports and imports the Check Point logs without log indexes in the $FWDIR/log/
                            directory.
                            Important:
                            - The command can export only closed logs (to which the information is not
                              currently written).
                            - If you use this parameter, it can take the command a long time to complete
                              (depends on the number of logs).

-x                          Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/
                            directory.
                            Important:
                            - This parameter only supports Management Servers and Log Servers R80.10 and
                              higher.
                            - The command can export only closed logs (to which the information is not
                              currently written).
                            - If you use this parameter, it can take the command a long time to complete
                              (depends on the number of logs and indexes).

-n                          Runs silently (non-interactive mode) and uses the default options for each setting.
                            Important:
                            - If you export a management database in this mode and the specified name of
                              the exported file matches the name of an existing file, the command overwrites
                              the existing file without prompting.
                            - If you import a management database in this mode, the "migrate import"
                              command runs the "cpstop" command automatically.

--exclude-uepm-postgres-db  - During the export operation, does not back up the PostgreSQL database from the
                              Endpoint Security Management Server.
                            - During the import operation, does not restore the PostgreSQL database on the
                              Endpoint Security Management Server.

--include-uepm-msi-files    - During the export operation, backs up the MSI files from the Endpoint Security
                              Management Server.
                            - During the import operation, restores the MSI files on the Endpoint Security
                              Management Server.

/<Full Path>/               Absolute path to the exported database file.
                            This path must exist.


<Name of Exported File>     - During the export operation, specifies the name of the output file.
                              The command automatically adds the *.tgz extension.
                            - During the import operation, specifies the name of the exported file.
                              You must manually enter the *.tgz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# ./migrate export /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...
Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#

migrate_server
Important - This command is used to migrate the management database from
R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.
For more information, see:
- sk135172 - Upgrade Tools
- The R80.40 Installation and Upgrade Guide

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:

- To back up and restore a consistent environment, make sure to collect and
  restore the backups and snapshots from all servers in the High Availability
  environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the
  backup operation is completed.
For more information:
- About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:
- You must run this command from the Expert mode.
- If it is necessary to back up the current management database, and you do not
  plan to import it on a Management Server that runs a higher software version,
  then you can use the built-in command in the $FWDIR/scripts/ directory.
- If you plan to import the management database on a Management Server that
  runs a higher software version, then you must use the migrate_server utility
  from the migration tools package created specifically for that higher software
  version. See the Installation and Upgrade Guide for that higher software version.
- If this command completes successfully, it creates this log file:
  /var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_HH.MM.SS>.log
  For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
- If this command fails, it creates this log file:
  $CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
  For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log

Syntax
- To see the built-in help:

  [Expert@MGMT:0]# cd $FWDIR/scripts/
  [Expert@MGMT:0]# ./migrate_server -h

- To run the Pre-Upgrade Verifier:

  [Expert@MGMT:0]# cd $FWDIR/scripts/
  [Expert@MGMT:0]# ./migrate_server verify -v R80.40 [-skip_upgrade_tools_check]

- To export the management database and configuration:

  [Expert@MGMT:0]# cd $FWDIR/scripts/
  [Expert@MGMT:0]# ./migrate_server export -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] [--ignore_warnings] /<Full Path>/<Name of Exported File>

- To import the management database and configuration:

  [Expert@MGMT:0]# cd $FWDIR/scripts/
  [Expert@MGMT:0]# ./migrate_server import -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [/var/log/mdss.json] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

Parameters

Parameter                   Description

-h                          Shows the built-in help.

export                      Exports the management database and applicable Check Point configuration.


import                      Imports the management database and applicable Check Point configuration that
                            were exported from another Management Server.
                            Important:
                            - This command automatically restarts Check Point services (runs the "cpstop"
                              and "cpstart" commands).
                            - This note applies to a Multi-Domain Security Management environment, if at
                              least one of the servers changes its IPv4 address compared to the source
                              server, from which you exported its database.
                              You must do these steps before you start the upgrade and import:
                              1. You must create a special JSON configuration file with the new IPv4
                                 address(es).
                                 Syntax:
                                 [{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},
                                 {"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]
                                 Example:
                                 [{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},
                                 {"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]
                              2. You must call this file: mdss.json
                              3. You must put this file on all servers in this directory: /var/log/

verify                      Verifies the management database and applicable Check Point configuration that
                            were exported from another Management Server.

-v R80.40                   Specifies the version, to which you plan to migrate / upgrade.

-skip_upgrade_tools_check   Does not try to connect to Check Point Cloud to check for a more recent version
                            of the Upgrade Tools.
                            Best Practice - Use this parameter on the Management Server that is not
                            connected to the Internet.


-l                          Exports and imports the Check Point logs without log indexes in the $FWDIR/log/
                            directory.
                            Important:
                            - The command can export only closed logs (to which the information is not
                              currently written).
                            - If you use this parameter, it can take the command a long time to complete
                              (depends on the number of logs).

-x                          Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/
                            directory.
                            Important:
                            - This parameter only supports Management Servers and Log Servers R80.10 and
                              higher.
                            - The command can export only closed logs (to which the information is not
                              currently written).
                            - If you use this parameter, it can take the command a long time to complete
                              (depends on the number of logs and indexes).


/var/log/mdss.json
(previously: -change_ips_file /<Full Path>/<Name of JSON File>.json)
                            Important:
                            - In the Upgrade Tools for R80.40 build higher than 994000406, the syntax is
                              (this filename is mandatory):
                              /var/log/mdss.json
                              You must create the file /var/log/mdss.json and not use the parameter
                              "-change_ips_file".
                            - In the Upgrade Tools for R80.40 build 994000406 and lower, the syntax was:
                              -change_ips_file /<Full Path>/<Name of JSON File>.json
                            Specifies the absolute path to the special JSON configuration file with new IPv4
                            addresses.
                            This file is mandatory during an upgrade of a Multi-Domain Security Management
                            environment.
                            Even if only one of the servers migrates to a new IP address, all the other
                            servers must get this configuration file for the import process.
                            Syntax:
                            [{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},
                            {"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]
                            Example:
                            [{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},
                            {"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]

--include-uepm-msi-files    - During the export operation, backs up the MSI files from the Endpoint Security
                              Management Server.
                            - During the import operation, restores the MSI files on the Endpoint Security
                              Management Server.

--exclude-uepm-postgres-db  - During the export operation, does not back up the PostgreSQL database from the
                              Endpoint Security Management Server.
                            - During the import operation, does not restore the PostgreSQL database on the
                              Endpoint Security Management Server.

-n                          Disables the interactive mode.


/<Full Path>/<Name of Exported File>
                            Specifies the absolute path to the exported database file. This path must exist.
                            - During the export operation, specifies the name of the output file.
                              The command automatically adds the *.tgz extension.
                            - During the import operation, specifies the name of the exported file.
                              You must manually enter the *.tgz extension in the end.
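A pre-flight check for the /var/log/mdss.json file described above, as an added example that is not part of the Upgrade Tools: it applies the rules the guide states for the file's shape (a JSON list of objects with "name" and "newIpAddress4") and reports the mistakes that would otherwise surface only during the import. The duplicate-name check and the two sample documents are constructed assumptions.

```python
"""Checks for an mdss.json file before a migrate_server import.

Added illustration, not Check Point code. It applies only the rules the guide
states: the file is a JSON list of objects, each with "name" (the server object
name in SmartConsole) and "newIpAddress4" (the new IPv4 address). The
uniqueness-of-name check and the sample documents are constructed assumptions.
"""
import ipaddress
import json
from typing import List

REQUIRED_KEYS = {"name", "newIpAddress4"}


def validate_mdss_json(text: str) -> List[str]:
    """Return a list of problems; an empty list means the content is usable."""
    problems: List[str] = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, list) or not data:
        return ["top level must be a non-empty JSON list of server objects"]
    seen = set()
    for i, item in enumerate(data):
        if not isinstance(item, dict):
            problems.append(f"entry {i}: not a JSON object")
            continue
        missing = REQUIRED_KEYS - item.keys()
        extra = item.keys() - REQUIRED_KEYS
        if missing:
            problems.append(f"entry {i}: missing key(s) {sorted(missing)}")
        if extra:
            # a misspelt key such as "newIpAddress" would be silently ignored, so flag it
            problems.append(f"entry {i}: unexpected key(s) {sorted(extra)}")
        name = item.get("name")
        if not isinstance(name, str) or not name:
            problems.append(f"entry {i}: 'name' must be a non-empty string")
        elif name in seen:
            problems.append(f"entry {i}: duplicate name {name!r}")
        else:
            seen.add(name)
        addr = item.get("newIpAddress4")
        if isinstance(addr, str):
            try:
                ipaddress.IPv4Address(addr)  # the key carries an IPv4 address only
            except ValueError:
                problems.append(f"entry {i}: {addr!r} is not an IPv4 address")
        elif "newIpAddress4" in item:
            problems.append(f"entry {i}: 'newIpAddress4' must be a string")
    return problems


# Constructed samples: the first matches the guide's example, the second has
# typical mistakes (misspelt key, IPv6 value, missing name).
GOOD_SAMPLE = ('[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},'
               '{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]')
BAD_SAMPLE = ('[{"name":"MyPrimaryMultiDomainServer","newIpAddress":"172.30.40.51"},'
              '{"newIpAddress4":"2001:db8::1"}]')

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate_mdss_json(sample) or "OK")
```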

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...
Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate_server export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#

queryDB_util
Description
Searches in the management database for objects or policy rules.

Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 362 command to search in the management database for objects or policy rules
according to search parameters.

rs_db_tool
Description
Manages Dynamically Assigned IP address (DAIP) gateways in a DAIP database.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax
- To add an entry to the DAIP database:

  [Expert@MGMT:0]# rs_db_tool [-d] -operation add -name <Object Name> -ip <IPv4 Address> -ip6 <IPv6 Address> -TTL <Time-To-Live>

- To fetch a specific entry from the DAIP database:

  [Expert@MGMT:0]# rs_db_tool [-d] -operation fetch -name <Object Name>

- To delete a specific entry from the DAIP database:

  [Expert@MGMT:0]# rs_db_tool [-d] -operation delete -name <Object Name>

- To list all entries in the DAIP database:

  [Expert@MGMT:0]# rs_db_tool [-d] -operation list

- To synchronize the DAIP database:

  [Expert@MGMT:0]# rs_db_tool [-d] -operation sync

Note - You must run this command from the Expert mode.

Parameters

Parameter                   Description

-d                          Runs the command in debug mode.
                            Use only if you troubleshoot the command itself.
                            Best Practice - If you use this parameter, then redirect the output to a file, or
                            use the script command to save the entire CLI session.

-name <Object Name>         Specifies the name of the DAIP object.

-ip <IPv4 Address>          Specifies the IPv4 address of the DAIP object.

-ip6 <IPv6 Address>         Specifies the IPv6 address of the DAIP object.

-TTL <Time-To-Live>         Specifies the relative time interval (in seconds), during which the entry is
                            valid.

sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the
information received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User
Defined Alerts mechanism.

Important:
- You must run this command on the Management Server.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity
  Monitoring (SAM) Rules. See sk79700.
- See the "fw sam" on page 271 and "fw sam_policy" on page 279 commands.

SAM v1 syntax

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter                   Description

-v                          Enables the verbose mode for the "fw sam" command.

-o                          Specifies to print the input of this tool to the standard output (to use with
                            pipes in a CLI syntax).

-s <SAM Server>             Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time>                   Specifies the time (in seconds), during which to enforce the action. The default
                            is forever.


-f <Security Gateway>       Specifies the Security Gateway / Cluster object, on which to run the operation.
                            Important - If you do not specify the target Security Gateway / Cluster object
                            explicitly, this command applies to all managed Security Gateways and Clusters.

-C                          Cancels the specified operation.

-n                          Specifies to notify every time a connection, which matches the specified
                            criteria, passes through the Security Gateway.

-i                          Inhibits (drops or rejects) connections that match the specified criteria.

-I                          Inhibits (drops or rejects) connections that match the specified criteria and
                            closes all existing connections that match the specified criteria.

-src                        Matches the source address of connections.

-dst                        Matches the destination address of connections.

-any                        Matches either the source or destination address of connections.

-srv                        Matches specific source, destination, protocol and port.

SAM v2 syntax

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>]
    [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}]
    -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src|-dst|-any|-srv}

Parameters for SAM v2

Parameter                   Description

-v2                         Specifies to use SAM v2.

-v                          Enables the verbose mode for the fw sam command.

-O                          Specifies to print the input of this tool to the standard output (to use with
                            pipes in a CLI syntax).

-S <SAM Server>             Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time>                   Specifies the time (in seconds), during which to enforce the action. The default
                            is forever.

-f <Security Gateway>       Specifies the Security Gateway / Cluster object, on which to run the operation.
                            Important - If you do not specify the target Security Gateway / Cluster object
                            explicitly, this command applies to all managed Security Gateways and Clusters.

-n <Name>                   Specifies the name for the SAM rule.
                            Default is empty.

-c "<Comment>"              Specifies the comment for the SAM rule.
                            Default is empty.
                            You must enclose the text in double quotes or single quotes.

-o <Originator>             Specifies the originator for the SAM rule.
                            Default is "sam_alert".

-l {r | a}
    Specifies the log type for connections that match the specified
    criteria:
    - r - Regular
    - a - Alert
    Default is None.

-a {d | r | n | b | q | i}
    Specifies the action to apply on connections that match the
    specified criteria:
    - d - Drop
    - r - Reject
    - n - Notify
    - b - Bypass
    - q - Quarantine
    - i - Inspect

-C
    Specifies to close all existing connections that match the
    criteria.

-ip
    Specifies to use IP addresses as criteria parameters.

-eth
    Specifies to use MAC addresses as criteria parameters.

-src
    Matches the source address of connections.

-dst
    Matches the destination address of connections.

-any
    Matches either the source or destination address of
    connections.

-srv
    Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.

stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug
purposes - to make sure the applicable SNMP OIDs provide the requested information.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax
- To query a Regular OID:

  stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>

  These are specified in the SNMP MIB files.
  For Check Point MIB files, see sk90470.

- To query a Statistical OID:

  stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>

  Statistical OIDs take some time to "initialize".
  For example, to calculate an average, it is necessary to collect enough samples.
  Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_oid.conf file.

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-h <Host>
    Specifies the remote Check Point host to query by its IP address or
    resolvable hostname.

-p <Port>
    Specifies the port number, on which the AMON server listens. Default port
    is 18192.

-x <Proxy Server>
    Specifies the Proxy Server by its IP address or resolvable hostname.
    Note - Use only when you query a remote host.

-l <Polling Interval>
    Specifies the time in seconds between queries.
    Note - Use only when you query a Statistical OID.

-r <Polling Duration>
    Specifies the time in seconds, during which to run consecutive queries.
    Note - Use only when you query a Statistical OID.

-v <VSID>
    On a VSX Gateway, specifies the context of a Virtual Device to query.

-t <Timeout>
    Specifies the session timeout in milliseconds.

<Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>
    Specifies the Regular OIDs to query.
    Notes:
    - OID must not start with period.
    - Separate the OIDs with spaces.
    - You can specify up to 100 OIDs.

<Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>
    Specifies the Statistical OIDs to query.
    Notes:
    - OID must not start with period.
    - Separate the OIDs with spaces.
    - You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.4.2

Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Information is collected with intervals of 5 seconds during 5 seconds.

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3

threshold_config
Description
You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts.
You can use these thresholds to monitor many system components automatically without
requesting information from each object or device.
You configure these SNMP Monitoring Thresholds only on the Security Management Server,
Multi-Domain Server, or Domain Management Server.
During policy installation, the managed Security Gateways and Clusters receive and apply
these thresholds as part of their policy.

For more information, see sk90860: How to configure SNMP on Gaia OS.

Procedure

1. Connect to the command line on the Management Server.

2. Log in to the Expert mode.

3. On a Multi-Domain Server, switch to the context of the applicable Domain
   Management Server:

   [Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>

4. Go to the Threshold Engine Configuration menu:

   [Expert@HostName:0]# threshold_config

5. Select the applicable options and configure the applicable settings
   (see the Threshold Engine Configuration Options table below).

   Threshold Engine Configuration Options:
   ---------------------------------------

   (1) Show policy name
   (2) Set policy name
   (3) Save policy
   (4) Save policy to file
   (5) Load policy from file
   (6) Configure global alert settings
   (7) Configure alert destinations
   (8) View thresholds overview
   (9) Configure thresholds

   (e) Exit (m) Main Menu

   Enter your choice (1-9) :

6. Exit from the Threshold Engine Configuration menu.

7. Stop the CPD daemon:

   [Expert@HostName:0]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"

   See "cpwd_admin stop" on page 228.

8. Start the CPD daemon:

   [Expert@HostName:0]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

   See "cpwd_admin start" on page 224.

9. Wait for 10-20 seconds.

10. Verify that CPD daemon started successfully:

    [Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"

    See "cpwd_admin list" on page 218.

11. In SmartConsole, install the Access Control Policy on Security Gateways and
    Clusters.
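Steps 7 to 10 (restart CPD and confirm it is executing again) can be scripted. The following Python is an added example, not code from the guide or from Check Point: it runs the cpwd_admin commands from the steps above and parses the output of "cpwd_admin list" to check the STAT column of the CPD row. The column layout (APP, PID, STAT, ...) with "E" for an executing process and "T" for a terminated one, and the sample output, are assumptions; the command runner is injectable so the check can be exercised without a Check Point host.

```python
"""Restart CPD after changing thresholds and verify it is executing again.

Added example, not code from the guide or from Check Point: it wraps the cpwd_admin
commands from steps 7-10. Assumed 'cpwd_admin list' layout: a header line with APP and
STAT columns, STAT 'E' while a process is executing and 'T' once it has terminated.
"""
import os
import subprocess
import time
from typing import Callable, Dict, List, Optional

# Constructed 'cpwd_admin list' output (not a real capture) in the assumed layout.
LIST_RUNNING = """APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        4242   E     1       [12:00:00] 1.7.2024    Y    cpd
FWM        4243   E     1       [12:00:01] 1.7.2024    Y    fwm
"""
LIST_STOPPED = """APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        4242   T     1       [12:00:00] 1.7.2024    Y    cpd
FWM        4243   E     1       [12:00:01] 1.7.2024    Y    fwm
"""


def parse_cpwd_list(output: str) -> Dict[str, str]:
    """Map each APP name to its STAT value, locating the columns from the header line."""
    lines = [line for line in output.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty cpwd_admin list output")
    header = lines[0].split()
    if "APP" not in header or "STAT" not in header:
        raise ValueError("unexpected cpwd_admin list header: %r" % lines[0])
    app_idx, stat_idx = header.index("APP"), header.index("STAT")
    states: Dict[str, str] = {}
    for line in lines[1:]:
        cols = line.split()
        if len(cols) > max(app_idx, stat_idx):
            states[cols[app_idx]] = cols[stat_idx]
    return states


def cpd_is_running(list_output: str) -> bool:
    """True only when a CPD row exists and its STAT column is 'E' (executing)."""
    return parse_cpwd_list(list_output).get("CPD") == "E"


def run_cpwd(args: List[str]) -> str:
    """Default runner: execute one cpwd_admin command line and return its stdout."""
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


class ScriptedRunner:
    """Offline stand-in for run_cpwd: records commands, replays canned 'list' output."""

    def __init__(self, list_outputs: List[str]):
        self.list_outputs = list(list_outputs)
        self.commands: List[List[str]] = []

    def __call__(self, args: List[str]) -> str:
        self.commands.append(list(args))
        if args[:2] == ["cpwd_admin", "list"]:
            # hand out the scripted outputs in order and keep repeating the last one
            return self.list_outputs.pop(0) if len(self.list_outputs) > 1 else self.list_outputs[0]
        return ""


def restart_cpd(cpdir: Optional[str] = None,
                run: Callable[[List[str]], str] = run_cpwd,
                sleep: Callable[[float], None] = time.sleep,
                settle_s: float = 15.0, timeout_s: float = 60.0, poll_s: float = 2.0) -> bool:
    """Steps 7-10: stop CPD, start CPD, wait, then poll until its STAT is 'E' or time runs out.

    $CPDIR is expanded here because the commands are not run through a shell.
    """
    cpdir = cpdir or os.environ.get("CPDIR")
    if not cpdir:
        raise RuntimeError("CPDIR is not set: run from the Expert shell or pass cpdir=")
    run(["cpwd_admin", "stop", "-name", "CPD", "-path", os.path.join(cpdir, "bin", "cpd_admin"),
         "-command", "cpd_admin stop"])
    run(["cpwd_admin", "start", "-name", "CPD", "-path", os.path.join(cpdir, "bin", "cpd"),
         "-command", "cpd"])
    sleep(settle_s)                    # the procedure says to wait 10-20 seconds first
    waited = 0.0
    while True:
        if cpd_is_running(run(["cpwd_admin", "list"])):
            return True
        if waited >= timeout_s:
            return False               # caller should inspect the full cpwd_admin list output
        sleep(poll_s)
        waited += poll_s


if __name__ == "__main__":
    print("CPD executing after restart:", restart_cpd())
```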

Threshold Engine Configuration Options

(1) Show policy name
    Shows the name of the current configured threshold policy.

(2) Set policy name
    Configures the name for the threshold policy.
    If you do not specify it explicitly, then the default name is "Default
    Profile".

(3) Save policy
    Saves the changes in the current threshold policy.

(4) Save policy to file
    Exports the configured threshold policy to a file.
    If you do not specify the path explicitly, the file is saved in the current
    working directory.

(5) Load policy from file
    Imports a threshold policy from a file.
    If you do not specify the path explicitly, the file is imported from the
    current working directory.

(6) Configure global alert settings
    Configures global settings:
    - How frequently alerts are sent (configured delay must be
      greater than 30 seconds)
    - How many alerts are sent

(7) Configure alert destinations
    Configures the SNMP Network Management System (NMS), to
    which the managed Security Gateways and Cluster Members send
    their SNMP alerts.

    Configure Alert Destinations Options:
    -------------------------------------
    (1) View alert destinations
    (2) Add SNMP NMS
    (3) Remove SNMP NMS
    (4) Edit SNMP NMS

(8) View thresholds overview
    Shows a list of all available thresholds and their current settings.
    These include:
    - Name
    - Category (see the next option "(9)")
    - State (disabled or enabled)
    - Threshold (threshold point, if applicable)
    - Description

(9) Configure thresholds
    Shows the list of threshold categories to configure.

    Thresholds Categories
    ----------------------
    (1) Hardware
    (2) High Availability
    (3) Local Logging Mode Status
    (4) Log Server Connectivity
    (5) Networking
    (6) Resources

    See the Thresholds Categories table below.

Thresholds Categories

(1) Hardware
    Hardware Thresholds:
    --------------------
    (1) RAID volume state
    (2) RAID disk state
    (3) RAID disk flags
    (4) Temperature sensor reading
    (5) Fan speed sensor reading
    (6) Voltage sensor reading

(2) High Availability
    High Availability Thresholds:
    -----------------------------
    (1) Cluster member state changed
    (2) Cluster block state
    (3) Cluster state
    (4) Cluster problem status
    (5) Cluster interface status

(3) Local Logging Mode Status
    Local Logging Mode Status Thresholds:
    -------------------------------------
    (1) Local Logging Mode

(4) Log Server Connectivity
    Log Server Connectivity Thresholds:
    -----------------------------------
    (1) Connection with log server
    (2) Connection with all log servers

(5) Networking
    Networking Thresholds:
    ----------------------
    (1) Interface Admin Status
    (2) Interface removed
    (3) Interface Operational Link Status
    (4) New connections rate
    (5) Concurrent connections rate
    (6) Bytes Throughput
    (7) Accepted Packet Rate
    (8) Drop caused by excessive traffic

(6) Resources
    Resources Thresholds:
    ---------------------
    (1) Swap Memory Utilization
    (2) Real Memory Utilization
    (3) Partition free space
    (4) Core Utilization
    (5) Core interrupts rate
Notes:
- If you run the threshold_config command locally on a Security Gateway or
  Cluster Members to configure the SNMP Monitoring Thresholds, then each
  policy installation erases these local SNMP threshold settings and reverts them
  to the global SNMP threshold settings configured on the Management Server
  that manages this Security Gateway or Cluster.
- On a Security Gateway and Cluster Members, you can save the local Threshold
  Engine Configuration settings to a file and load it locally later.
- The Threshold Engine Configuration is stored in the
  $FWDIR/conf/thresholds.conf file.
- In a Multi-Domain Security Management environment:
  - You can configure the SNMP thresholds in the context of Multi-Domain
    Server (MDS) and in the context of each individual Domain Management
    Server.
  - Thresholds that you configure in the context of the Multi-Domain Server
    are for the Multi-Domain Server only.
  - Thresholds that you configure in the context of a Domain Management
    Server are for that Domain Management Server and its managed Security
    Gateways and Clusters.
  - If an SNMP threshold applies both to the Multi-Domain Server and a
    Domain Management Server, then configure the SNMP threshold both in
    the context of the Multi-Domain Server and in the context of the Domain
    Management Server.
    However, in this scenario you can only get alerts from the Multi-Domain
    Server, if the monitored object exceeds the threshold.
    Example:
    If you configure the CPU threshold, then when the monitored value
    exceeds the configured threshold, it applies to both the Multi-Domain
    Server and the Domain Management Server. However, only the
    Multi-Domain Server generates SNMP alerts.

Multi-Domain Security Management Commands
For more information about Multi-Domain Server, see the R80.40 Multi-Domain Security
Management Administration Guide.
In addition, see "Security Management Server Commands" on page 40.

Managing Security through API


This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the
API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions
with third party systems, such as virtualization servers, ticketing systems, and change
management systems.
To learn more about the management APIs, to see code samples, and to take advantage of
user forums, see:
- The API Documentation:
  - Online - Check Point Management API Reference
  - Local - https://<Server IP Address>/api_docs
    By default, access to the local API Documentation is disabled. Follow the
    instructions in sk174606.
- The Developers Network section of Check Point CheckMates Community.

API Tools
You can use these tools to work with the API Server on the Management Server:
- Standalone management tool, included with Gaia operating system:
  mgmt_cli
- Standalone management tool, included with SmartConsole:
  mgmt_cli.exe
  You can copy this tool from the SmartConsole installation folder to other computers that
  run Windows operating system.
- Web Services APIs that allow communication and data exchange between the clients
  and the Management Server over the HTTP protocol.
  These APIs also let other Check Point processes communicate with the Management
  Server over the HTTPS protocol.
  https://<IP Address of Management Server>/web_api/<command>
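The request shape and session handling behind the Web Services URL above, as an added Python example that is not code from the guide or from Check Point. The command names (login, add-host, publish, discard, logout), the "sid" field and the X-chkp-sid header are taken from the public Management API reference rather than this page; the fake server, host name, credentials and addresses are constructed so the exchange runs offline, and the real transport verifies the server certificate instead of disabling TLS checks.

```python
"""Session handling for the Management API web service.

Added example, not code from the guide or from Check Point. The command names
(login, add-host, publish, discard, logout), the "sid" field and the X-chkp-sid
header come from the public Management API reference, not from this page.
"""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# transport(url, headers, json_body) -> parsed JSON response
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]


def https_transport(cafile: str, timeout: float = 30.0) -> Transport:
    """Real transport: verify the server certificate against cafile (never disable TLS checks)."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))

    return send


class MgmtApiSession:
    """One session: login, commands carrying the session id, publish or discard, logout."""

    def __init__(self, server: str, transport: Transport):
        self.base = "https://%s/web_api/" % server   # URL form from the API Tools list above
        self.transport = transport
        self.sid: Optional[str] = None

    def call(self, command: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid is not None:
            headers["X-chkp-sid"] = self.sid   # the session id travels in a header, not the body
        body = json.dumps(payload or {}).encode("utf-8")
        return self.transport(self.base + command, headers, body)

    def login(self, user: str, password: str, domain: Optional[str] = None) -> str:
        payload: Dict[str, Any] = {"user": user, "password": password}
        if domain:                        # Multi-Domain Server: log in to one Domain
            payload["domain"] = domain
        self.sid = self.call("login", payload)["sid"]
        return self.sid

    def publish(self) -> Dict[str, Any]:
        return self.call("publish")

    def discard(self) -> Dict[str, Any]:
        return self.call("discard")

    def logout(self) -> None:
        try:
            self.call("logout")
        finally:
            self.sid = None               # never reuse a session id after logout

    def __enter__(self) -> "MgmtApiSession":
        return self

    def __exit__(self, exc_type, exc, tb) -> None:
        if self.sid is None:
            return
        if exc_type is None:
            self.publish()                # commit the change set only on success
        else:
            self.discard()                # an aborted change set must not be left half-applied
        self.logout()


class FakeMgmtServer:
    """Constructed stand-in for the API server so the exchange can be run offline."""

    def __init__(self, sid: str = "constructed-session-id"):
        self.sid = sid
        self.requests: List[Tuple[str, Dict[str, str], Dict[str, Any]]] = []

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        payload = json.loads(body.decode("utf-8"))
        self.requests.append((url, dict(headers), payload))
        if url.endswith("/login"):
            return {"sid": self.sid}
        if headers.get("X-chkp-sid") != self.sid:   # reject any call without a valid session
            return {"code": "constructed-error", "message": "missing or bad session id"}
        return {"task-id": "constructed-task"}


def add_host(server: str, transport: Transport, user: str, password: str,
             name: str, ip_address: str, domain: Optional[str] = None) -> Dict[str, Any]:
    """Complete exchange: login, add-host, publish (or discard on error), logout."""
    with MgmtApiSession(server, transport) as session:
        session.login(user, password, domain)
        return session.call("add-host", {"name": name, "ip-address": ip_address})
```

To run against a real management server, pass https_transport(cafile) with the server's CA bundle in place of FakeMgmtServer, from a client address that the Access Settings allow.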

Configuring the API Server

To configure the API Server:

1. Connect with SmartConsole to the Security Management Server or applicable Domain
   Management Server.
2. From the left navigation panel, click Manage & Settings.
3. In the upper left section, click Blades.
4. In the Management API section, click Advanced Settings.
   The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings.

   Configuring Startup Settings

   Select Automatic start to automatically start the API server when you start or reboot
   the Management Server.

   Notes:
   - If the Management Server has more than 4GB of RAM installed, the
     Automatic start option is activated by default during Management
     Server installation.
   - If the Management Server has less than 4GB of RAM, the Automatic
     Start option is deactivated.

   Configuring Access Settings

   Select one of these options to configure which clients can connect to the API Server:
   - Management server only - Only the Management Server itself can connect to
     the API Server. This option only lets you use the mgmt_cli utility on the
     Management Server to send API requests. You cannot use SmartConsole or
     Web services to send API requests.
   - All IP addresses that can be used for GUI clients - You can send API requests
     from all IP addresses that are defined as Trusted Clients in SmartConsole. This
     includes requests from SmartConsole, Web services, and the mgmt_cli utility
     on the Management Server.
   - All IP addresses - You can send API requests from all IP addresses. This
     includes requests from SmartConsole, Web services, and the mgmt_cli utility
     on the Management Server.

6. Publish the SmartConsole session.
7. Restart the API Server on the Management Server with this command:

   api restart

   Note - On a Multi-Domain Server, you must run this command in the context of
   the applicable Domain Management Server.

cma_migrate
Description
On the applicable target Domain Management Server, imports the management database that
was exported from an R7x Domain Management Server.

Note - This command updates the database schema before it imports. First, the
command runs pre-upgrade verification. If no errors are found, migration continues. If
there are errors, you must fix them on the source R7x Domain Management Server
according to instructions in the error messages. Then do this procedure again.

For the complete procedure, see the R80.40 Installation and Upgrade Guide.

Syntax

cma_migrate /<Full Path>/<Name of R7x Domain Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>/

Example

[Expert@HostName_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.40/customers/MyDomain3/CPsuite-R80.40/fw1/

contract_util
Description
Works with the Check Point Service Contracts.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util [-d]
check <options>
cpmacro <options>
download <options>
mgmt
print <options>
summary <options>
update <options>
verify

Parameters

check <options>
    Checks whether the Security Gateway is eligible for an upgrade.
    See "contract_util check" on page 46.

cpmacro <options>
    Overwrites the current cp.macro file with the specified cp.macro file.
    See "contract_util cpmacro" on page 47.

download <options>
    Downloads all associated Check Point Service Contracts from the User
    Center, or from a local file.
    See "contract_util download" on page 48.

mgmt
    Delivers the Service Contract information from the Management Server to
    the managed Security Gateways.
    See "contract_util mgmt" on page 50.

print <options>
    Shows all the installed licenses and whether the Service Contract covers
    these licenses, which entitles them for upgrade or not.
    See "contract_util print" on page 51.

summary <options>
    Shows post-installation summary.
    See "contract_util summary" on page 52.

update <options>
    Updates Check Point Service Contracts from your User Center account.
    See "contract_util update" on page 53.

verify
    Checks whether the Security Gateway is eligible for an upgrade.
    This command also interprets the return values and shows a meaningful
    message.
    See "contract_util verify" on page 54.

contract_util check

Description
Checks whether the Security Gateway is eligible for an upgrade.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util check
{-h | -help}
hfa
maj_upgrade
min_upgrade
upgrade

Parameters

{-h | -help}
    Shows the applicable built-in usage.

hfa
    Checks whether the Security Gateway is eligible for an upgrade to a higher
    Hotfix Accumulator.

maj_upgrade
    Checks whether the Security Gateway is eligible for an upgrade to a higher
    Major version.

min_upgrade
    Checks whether the Security Gateway is eligible for an upgrade to a higher
    Minor version.

upgrade
    Checks whether the Security Gateway is eligible for an upgrade.

contract_util cpmacro

Description
Overwrites the current cp.macro file with the specified cp.macro file, if the specified file is
newer than the current file.
For more information about the cp.macro file, see sk96217: What is a cp.macro file?

Syntax

contract_util cpmacro /<path_to>/cp.macro

This command shows one of these messages:

CntrctUtils_Write_cp_macro returned -1
    The contract_util cpmacro command failed:
    - Failed to create a temporary file.
    - Failed to write to a temporary file.
    - Failed to replace the current file.

CntrctUtils_Write_cp_macro returned 0
    The contract_util cpmacro command was able to overwrite the current
    file with the specified file, because the specified file is newer.

CntrctUtils_Write_cp_macro returned 1
    The contract_util cpmacro command did not overwrite the current file,
    because it is newer than the specified file.

contract_util download

Description
Downloads all associated Check Point Service Contracts from User Center, or from a local file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util download
{-h | -help}
local
{-h | -help}
[{hfa | maj_upgrade | min_upgrade | upgrade}] <Service
Contract File>
uc
{-h | -help}
[-i] [{hfa | maj_upgrade | min_upgrade | upgrade}]
<Username> <Password> [<Proxy Server> [<Proxy Username>:<Proxy
Password>]]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-i
    Interactive mode - prompts the user for the User Center credentials and
    proxy server settings.

local
    Specifies to download the Service Contract from the local file.
    This is equivalent to the "cplic contract put" command (see "cplic
    contract" on page 133).

uc
    Specifies to download the Service Contract from the User Center.

hfa
    Downloads the information about a Hotfix Accumulator.

maj_upgrade
    Downloads the information about a Major version.

min_upgrade
    Downloads the information about a Minor version.

upgrade
    Downloads the information about an upgrade.

<Username>
    Your User Center account e-mail address.

<Password>
    Your User Center account password.

<Proxy Server> [<Proxy Username>:<Proxy Password>]
    Specifies that the connection to the User Center goes through the proxy
    server.
    - <Proxy Server> - IP address or resolvable hostname of the proxy server.
    - <Proxy Username> - Username for the proxy server.
    - <Proxy Password> - Password for the proxy server.
    Note - If you do not specify the proxy server explicitly, the command uses
    the proxy server configured in the management database.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your User Center
    account.

contract_util mgmt

Description
Delivers the Service Contract information from the Management Server to the managed
Security Gateways.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util mgmt

contract_util print

Description
Shows all the installed licenses and whether the Service Contract covers these licenses, which
entitles them for upgrade or not.
This command can show which licenses are not recognized by the Service Contract file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util [-d] print
{-h | -help}
hfa
maj_upgrade
min_upgrade
upgrade

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Shows a formatted table header and more information.

hfa Shows the information about Hotfix Accumulator.

maj_upgrade Shows the information about Major version.

min_upgrade Shows the information about Minor version.

upgrade Shows the information about an upgrade.

contract_util summary

Description
Shows post-installation summary and whether this Check Point computer is eligible for
upgrades.

Syntax

contract_util summary
hfa
maj_upgrade
min_upgrade
upgrade

Parameters

Parameter Description

hfa Shows the information about Hotfix Accumulator.

maj_upgrade Shows the information about Major version.

min_upgrade Shows the information about Minor version.

upgrade Shows the information about an upgrade.

contract_util update

Description
Updates the Check Point Service Contracts from your User Center account.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util update
[-proxy <Proxy Server>:<Proxy Port>]
[-ca_path <Path to ca-bundle.crt File>]

Parameters

update
    Updates Check Point Service Contracts (attached to pre-installed
    licenses) from your User Center account.

-proxy <Proxy Server>:<Proxy Port>
    Specifies that the connection to the User Center goes through the proxy
    server:
    - <Proxy Server> - IP address or resolvable hostname of the proxy server.
    - <Proxy Port> - The applicable port on the proxy server.
    Note - If you do not specify the proxy explicitly, the command uses the
    proxy configured in the management database.

-ca_path <Path to ca-bundle.crt File>
    Specifies the path to the Certificate Authority Bundle file (ca-bundle.crt).
    Note - If you do not specify the path explicitly, the command uses the
    default path.

contract_util verify

Description
Checks whether the Security Gateway is eligible for an upgrade.
This command is the same as the "contract_util check" on page 46 command, but it also
interprets the return values and shows a meaningful message.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util verify

cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
-h
admin <options>
auto <options>
ca <options>
client <options>
finger <options>
lic <options>
snmp <options>

Syntax on a Security Gateway

cp_conf
-h
adv_routing <options>
auto <options>
corexl <options>
fullha <options>
ha <options>
intfs <options>
lic <options>
sic <options>
snmp <options>

Parameters

-h
    Shows the entire built-in usage.

admin <options>
    Configures Check Point system administrators for the Security
    Management Server.
    See "cp_conf admin" on page 58.

adv_routing <options>
    Enables or disables the Advanced Routing feature on this Security
    Gateway.
    Important - Do not use these outdated commands. To configure
    Advanced Routing, see the R80.40 Gaia Advanced Routing
    Administration Guide.

auto <options>
    Shows and configures the automatic start of Check Point products
    during boot.
    See "cp_conf auto" on page 61.

ca <options>
    - Configures the Certificate Authority's (CA) Fully Qualified Domain
      Name (FQDN).
    - Initializes the Internal Certificate Authority (ICA).
    See "cp_conf ca" on page 63.

client <options>
    Configures the GUI clients that can use SmartConsole to connect to the
    Security Management Server.
    See "cp_conf client" on page 65.

corexl <options>
    Enables or disables CoreXL on this Security Gateway.
    See "cp_conf corexl" on page 926.

finger <options>
    Shows the ICA's Fingerprint.
    See "cp_conf finger" on page 69.

fullha <options>
    Manages Full High Availability Cluster.
    See "cp_conf fullha" on page 928.

ha <options>
    Enables or disables cluster membership on this Security Gateway.
    See "cp_conf ha" on page 929.

intfs <options>
    Sets the topology of interfaces on a Security Gateway, which you
    manage with SmartProvisioning.
    See "cp_conf intfs" on page 930.

lic <options>
    Manages Check Point licenses.
    See "cp_conf lic" on page 71.

sic <options>
    Manages SIC on this Security Gateway.
    See "cp_conf sic" on page 934.

snmp <options>
    Do not use these outdated commands.
    To configure SNMP, see the R80.40 Gaia Administration Guide -
    Chapter System Management - Section SNMP.

cp_conf admin

Description
Configures Check Point system administrators for the Security Management Server.

Notes:
- Multi-Domain Server does not support this command.
- Only one administrator can be defined in the "cpconfig" on page 124 menu.
  To define additional administrators, use SmartConsole.
- This command corresponds to the option Administrator in the "cpconfig" on
  page 124 menu.

Syntax

cp_conf admin
-h
add [<UserName> <Password> {a | w | r}]
add -gaia [{a | w | r}]
del <UserName1> <UserName2> ...
get

Parameters

-h
    Shows the applicable built-in usage.

add [<UserName> <Password> {a | w | r}]
    Adds a Check Point system administrator:
    - <UserName> - Specifies the administrator's username
    - <Password> - Specifies the administrator's password
    - a - Assigns all permissions - read settings, write settings, and
      manage administrators
    - w - Assigns permissions to read and write settings only (cannot
      manage administrators)
    - r - Assigns permissions to only read settings

add -gaia [{a | w | r}]
    Adds the Gaia administrator user admin:
    - a - Assigns all permissions - read settings, write settings, and
      manage administrators
    - w - Assigns permissions to read and write settings only (cannot
      manage administrators)
    - r - Assigns permissions to only read settings

del <UserName1> <UserName2> ...
    Deletes the specified system administrators.

get
    Shows the list of the configured system administrators.

get -gaia
    Shows the management permissions assigned to the Gaia administrator
    user admin.

Example 1 - Adding a Check Point system administrator

[Expert@MGMT:0]# cp_conf admin add

Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w

Administrator admin was modified successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

Example 2 - Adding the Gaia administrator user

[Expert@MGMT:0]# cp_conf admin add -gaia

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a

Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w

Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r

Administrator admin already exists.

Administrator admin was modified successfully and has
Read Only Permission for all products
[Expert@MGMT:0]#

cp_conf auto

Description
Shows and controls which of Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain
Server in the "mdsconfig" on page 717 menu.

Syntax

cp_conf auto
-h
{enable | disable} <Product1> <Product2> ...
get all

Parameters

Parameter Description

-h Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ... Controls whether the installed Check Point products start automatically during boot. This command is for Check Point use only.

get all Shows which of these Check Point products start automatically during boot:
- Check Point Security Gateway
- QoS (former FloodGate-1)
- SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all
Check Point Security Gateway is not installed
QoS is not installed
The SmartEvent Suite will start automatically at boot time.
[Expert@MGMT:0]#


Example from a Security Gateway

[Expert@GW:0]# cp_conf auto get all
The Check Point Security Gateway will start automatically at boot time.
QoS will start automatically at boot time.
SmartEvent Suite is not installed.
[Expert@GW:0]#

cp_conf ca

Description
This command changes the settings of the Internal Certificate Authority (ICA).

Note - On a Security Management Server, this command corresponds to the option Certificate Authority in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf ca
-h
fqdn <FQDN Name>
init

Parameters

Parameter Description

-h Shows the applicable built-in usage.

fqdn <FQDN Name> Configures the Fully Qualified Domain Name (FQDN) for the Internal Certificate Authority (ICA). The "<FQDN Name>" is a text string in this format: hostname.domainname
Notes:
- The existing certificates for configured objects are not revoked.
- The existing ICA certificate is not changed.
- The Management Server uses the specified "<FQDN Name>" to configure the Certificate Revocation List Distribution Point (CRL DP) property in all certificates that the ICA generates. Refer to this command: "cpca_client get_crldp" on page 101

init Initializes the Internal Certificate Authority (ICA).


Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn MyMGMT.checkpoint.com
Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
MyMGMT.checkpoint.com was successfully set to the Internal CA
[Expert@MyMGMT:0]#

cp_conf client

Description
Configures the GUI clients that are allowed to connect with SmartConsoles to the Security
Management Server.

Notes:
- Multi-Domain Server does not support this command.
- This command corresponds to the option GUI Clients in the "cpconfig" on page 124 menu.

Syntax

cp_conf client
add <GUI Client>
createlist <GUI Client 1> <GUI Client 2> ...
del <GUI Client 1> <GUI Client 2> ...
get


Parameters

Parameter Description

-h Shows the built-in usage.

<GUI Client> can be one of these:
- One IPv4 address (for example, 192.168.10.20), or one IPv6 address (for example, 3731:54:65fe:2::a7)
- One hostname (for example, MyComputer)
- "Any" - To denote all IPv4 and IPv6 addresses without restriction
- A range of IPv4 addresses (for example, 192.168.10.0/255.255.255.0), or a range of IPv6 addresses (for example, 2001::1/128)
- IPv4 address wildcard (for example, 192.168.10.*)

add <GUI Client> Adds a GUI client.

createlist <GUI Client 1> <GUI Client 2> ... Deletes the current allowed GUI clients and creates a new list of allowed GUI clients.

del <GUI Client 1> <GUI Client 2> ... Deletes the specified GUI clients.

get Shows the allowed GUI clients.

Examples
Example 1 - Configure one IPv4 address
[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.15
172.20.168.15 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.15
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.15
172.20.168.15 was deleted successfully
[Expert@MGMT:0]#


Example 2 - Configure one hostname

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost
MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost
MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

Example 3 - Configure "Any"

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"
Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"
Any was deleted successfully
[Expert@MGMT:0]#

Example 4 - Configure a range of IPv4 addresses

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was deleted successfully
[Expert@MGMT:0]#


Example 5 - Configure IPv4 address wildcard

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*
172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*
172.20.168.* was deleted successfully
[Expert@MGMT:0]#

Example 6 - Delete the current list and create a new list of allowed GUI clients

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist 192.168.40.0/255.255.255.0 172.30.40.55
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
192.168.40.0/255.255.255.0
172.30.40.55
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#
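The entry forms that cp_conf client accepts, exercised offline as an added example (this is not Check Point code): it parses a constructed `cp_conf client get` listing and decides whether a connecting address or hostname is covered by any entry. It assumes a hostname entry is compared as a plain string (no DNS lookup) and supports the documented wildcard form `a.b.c.*` only.

```python
"""Offline check of the allowed-GUI-client forms documented for cp_conf client.

Added example, not Check Point code. Given the entries that `cp_conf client get`
prints (constructed sample below) and the address or hostname a SmartConsole
connects from, it decides whether any entry covers that client.
Assumption: a hostname entry is compared as a string; no DNS lookup is done.
"""
import ipaddress
import re
from typing import Iterable, List

# Documented wildcard form: three fixed octets and "*" for the last one.
WILDCARD_RE = re.compile(r"^(\d{1,3}\.){3}\*$")

# Constructed sample of what `cp_conf client get` could print.
SAMPLE_GET_OUTPUT = """\
192.168.40.0/255.255.255.0
172.30.40.55
MySmartConsoleHost
2001::1/128
192.168.10.*
[Expert@MGMT:0]#
"""


def parse_client_list(output: str) -> List[str]:
    """Turn `cp_conf client get` output into a list of entries (empty if none)."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if (not line or line.startswith("[Expert@")
                or line.startswith("There are no GUI Clients")):
            continue
        entries.append(line)
    return entries


def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Map the documented form 192.168.10.* to the network 192.168.10.0/24."""
    octets = entry[:-2].split(".")  # drop the trailing ".*"
    if any(int(o) > 255 for o in octets):
        raise ValueError(f"bad wildcard entry {entry!r}")
    return ipaddress.IPv4Network(".".join(octets + ["0"]) + "/24")


def entry_allows(entry: str, client: str) -> bool:
    """True if one allowed-GUI-client entry covers `client` (an IP or a hostname)."""
    if entry == "Any":
        return True
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        # The client is a hostname: only an identical hostname entry matches.
        return entry.lower() == client.lower()
    if WILDCARD_RE.match(entry):
        return addr.version == 4 and addr in wildcard_to_network(entry)
    try:
        # A single address becomes a /32 or /128 network; the netmask form
        # (192.168.10.0/255.255.255.0) and the prefix form (2001::1/128) both parse.
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # a hostname entry never covers a bare address here
    return addr in network  # False on an IPv4/IPv6 version mismatch


def is_allowed(client: str, entries: Iterable[str]) -> bool:
    """True if any configured entry allows `client`."""
    return any(entry_allows(entry, client) for entry in entries)


if __name__ == "__main__":
    allowed = parse_client_list(SAMPLE_GET_OUTPUT)
    for who in ("192.168.40.77", "172.30.40.56", "192.168.10.200", "2001::1"):
        print(f"{who}: {'allowed' if is_allowed(who, allowed) else 'denied'}")
```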

cp_conf finger

Description
Shows the Internal Certificate Authority's Fingerprint.
This fingerprint is a text string derived from the ICA certificate on the Security Management
Server, Multi-Domain Server, or Domain Management Server.
This fingerprint verifies the identity of the Security Management Server, Multi-Domain Server,
or Domain Management Server when you connect to it with SmartConsole.

Note - This command corresponds to the option Certificate's Fingerprint in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server:
- To see the fingerprint of the Multi-Domain Server, this command corresponds to the option Certificate's Fingerprint in the "mdsconfig" on page 717 menu.
- You can run this command in these contexts:
  - To see the fingerprint of the Multi-Domain Server, run it in the context of the Multi-Domain Server:
    mdsenv
  - To see the fingerprint of a Domain Management Server, run it in the context of the applicable Domain Management Server:
    mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf finger
-h
get

Parameters

Parameter Description

-h Shows the applicable built-in usage.

get Shows the ICA's Fingerprint.


Example

[Expert@MGMT:0]# cp_conf finger get
EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#

cp_conf lic

Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 124 menu.
Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf lic
-h
add -f <Full Path to License File>
add -m <Host> <Date> <Signature Key> <SKU/Features>
del <Signature Key>
get [-x]


Parameters

Parameter Description

-h Shows the applicable built-in usage.

add -f <Full Path to License File> Adds a license from the specified Check Point license file. You get this license file in the Check Point User Center. This is the same command as the "cplic db_add" on page 135.

add -m <Host> <Date> <Signature Key> <SKU/Features> Adds the license manually. You get these license details in the Check Point User Center. This is the same command as the "cplic db_add" on page 135.

del <Signature Key> Deletes the license based on its signature. This is the same command as the "cplic del" on page 140.

get [-x] Shows the locally installed licenses. If you specify the "-x" parameter, the output also shows the signature key for every installed license. This is the same command as the "cplic print" on page 144.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic
License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get
Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#


Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get
Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@MyHostName:0]#

cp_log_export
Description
Exports Check Point logs over syslog.
For more information, see sk122323 and R80.40 Logging and Monitoring Administration
Guide.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_log_export
cp_log_export <command-name> help

Parameters

Parameter Description

No Parameters Shows the built-in general help.

<command-name> help Shows the built-in help for the specified internal command.


Internal Commands

Name Description

add Configures a new Check Point Log Exporter.
    cp_log_export add name <Name> target-server <Target-Server> target-port <Target-Server-Port> protocol {udp | tcp} [Optional Arguments]

delete Removes an existing Log Exporter.
    cp_log_export delete name <Name>

reconf Applies the Log Exporter configuration to all existing exporters.
    cp_log_export reconf [name <Name>]

reexport Resets the current log position and exports all logs again based on the configuration.
    cp_log_export reexport name <Name> --apply-now
    cp_log_export reexport name <Name> start-position <Position of Last Exported Log> --apply-now
    cp_log_export reexport name <Name> start-position <Position of Gap Start> end-position <Position of Gap End> --apply-now

restart Restarts a Log Exporter process.
    cp_log_export restart name <Name>

set Updates an existing Log Exporter configuration.
    cp_log_export set name <Name> [<Optional Arguments>]

show Shows the current Log Exporter configuration.
    cp_log_export show [<Optional Arguments>]

start Starts an existing Log Exporter process.
    cp_log_export start name <Name>

status Shows a Log Exporter overview status.
    cp_log_export status [<Optional Arguments>]

stop Stops an existing Log Exporter process.
    cp_log_export stop name <Name>

Internal Command Arguments

For each argument, the "Required for" line states whether the argument is Mandatory, Optional, or N/A for the "add", "set", "delete", "reexport", and "reconf" commands, and for the "restart", "show", "status", "start", and "stop" commands as one group.

--apply-now
    Applies immediately any change that was done with the "add", "set", "delete", or "reexport" command.
    Required for: "add" - Optional; "set" - Optional; "delete" - Mandatory; "reexport" - Mandatory; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A.

ca-cert <Path>
    Specifies the full path to the CA certificate file *.pem.
    Important - Applicable only when the value of the "encrypted" argument is "true".
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

client-cert <Path>
    Specifies the full path to the client certificate *.p12.
    Important - Applicable only when the value of the "encrypted" argument is "true".
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

client-secret <Phrase>
    Specifies the challenge phrase used to create the client certificate *.p12.
    Important - Applicable only when the value of the "encrypted" argument is "true".
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

domain-server {mds | all}
    On a Multi-Domain Server, specifies the applicable Domain Management Server context. On a Multi-Domain Log Server, specifies the applicable Domain Log Server context.
    Important:
    - "mds" (in small letters) - Exports all logs from only the main MDS level.
    - "all" (in small letters) - Exports all logs from all Domains.
    Required for: "add" - Mandatory; "set" - Mandatory; "delete" - Mandatory; "reexport" - Mandatory; "reconf" - N/A; "restart", "show", "status", "start", "stop" - Optional.

enabled {true | false}
    Specifies whether to allow the Log Exporter to start when you run the "cpstart" on page 191 or "mdsstart" on page 725 command.
    Default: true
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

encrypted {true | false}
    Specifies whether to use TLS (SSL) encryption to send the logs.
    Default: false
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

export-attachment-link {true | false}
    Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card and automatically opens the attachment.
    Default: false
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

export-link {true | false}
    Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card.
    Default: false
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

export-link-ip {true | false}
    Specifies whether to make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).
    Important - Applicable only when the value of the "export-link" argument is "true", or the value of the "export-attachment-link" argument is "true".
    Default: false
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

filter-action-in {"Action1","Action2",... | false}
    Specifies whether to export all logs that contain a specific value in the "Action" field.
    Each value must be surrounded by double quotes (""). Multiple values are supported and must be separated by a comma without spaces.
    To see all valid values:
    1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.
    2. In the top query field, enter action: and a letter.
    Examples of values: Accept, Block, Bypass, Detect, Drop, HTTPS Bypass, HTTPS Inspect, Prevent, Reject.
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

filter-blade-in {"Blade1","Blade2",... | false}
    Specifies whether to export all logs that contain a specific value in the "Blade" field (the object name of the Software Blade that generated these logs).
    Each value must be surrounded by double quotes (""). Multiple values are supported and must be separated by a comma without spaces.
    To see all valid values:
    1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.
    2. In the top query field, enter blade: and a letter.
    Examples of values: Anti-Bot, Firewall, HTTPS Inspection, Identity Awareness, IPS.
    Valid Software Blade families: Access, TP, Endpoint, Mobile.
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

filter-origin-in {"Origin1","Origin2",... | false}
    Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway / Cluster Member that generated these logs).
    Each origin value must be surrounded by double quotes (""). Multiple values are supported and must be separated by a comma without spaces.
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

format {cef | syslog}
    Specifies the format in which the logs are exported.
    Default: syslog
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

name "<Name>"
    Specifies the unique name of the Log Exporter configuration.
    Notes:
    - Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period (".").
    - Must start with a letter.
    - The minimum length is two characters.
    - The "add" command creates a new target directory with the specified unique name in the $EXPORTERDIR/targets/ directory.
    Required for: "add" - Mandatory; "set" - Mandatory; "delete" - Mandatory; "reexport" - Mandatory; "reconf" - Optional (by default, applies to all); "restart", "show", "status", "start", "stop" - Optional (by default, applies to all).

protocol {tcp | udp}
    Specifies the Layer 4 Transport protocol to use (TCP or UDP). There is no default value.
    Required for: "add" - Mandatory; "set" - Optional; all other commands - N/A.

read-mode {raw | semi-unified}
    Specifies the mode in which to read the log files.
    - raw - Specifies to export log records without any unification.
    - semi-unified - Specifies to export log records with step-by-step unification. That is, for each log record, export a record that unifies this record with all previously-encountered records with the same ID.
    Default: raw
    Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

target-port <Target-Server-Port>
    Specifies the listening port on the target server, to which you export the logs.
    Required for: "add" - Mandatory; "set" - Optional; all other commands - N/A.

target-server <Target-Server>
    Specifies the IP address or FQDN of the target server, to which you export the logs.
    Required for: "add" - Mandatory; "set" - Optional; all other commands - N/A.
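A pre-flight builder for the "add" command, added here as an example and not part of Check Point's tooling: it applies the rules from the argument table (name characters and length, the arguments that are mandatory for "add", the allowed values, the quoting of filter-*-in lists, and the certificate arguments that apply only when "encrypted" is "true") and renders the line to type in Expert mode. The server address, file paths and client secret are constructed placeholders.

```python
"""Pre-flight builder for a `cp_log_export add` command line.

Added example, not Check Point code. It applies the documented argument rules
and renders the line to type in Expert mode, so a wrong call fails here
instead of on the Log Server. Server address, paths and secret used below are
constructed placeholders.
"""
import re
from typing import Dict, List, Optional, Sequence

# "name": starts with a letter, at least two characters, only Latin letters,
# digits, minus, underscore and period.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.\-]+$")
# Other values are kept to characters that need no shell quoting.
SAFE_TOKEN_RE = re.compile(r"^[A-Za-z0-9_.:/@\-]+$")
BOOL_ARGS = ("enabled", "encrypted", "export-attachment-link",
             "export-link", "export-link-ip")
CERT_ARGS = ("ca-cert", "client-cert", "client-secret")
FILTER_ARGS = ("filter-action-in", "filter-blade-in", "filter-origin-in")
ENUM_ARGS = {"format": ("cef", "syslog"),
             "read-mode": ("raw", "semi-unified"),
             "domain-server": ("mds", "all")}


def validate_name(name: str) -> str:
    """Enforce the documented rules for the "name" argument."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid Log Exporter name {name!r}")
    return name


def safe_token(key: str, value: object) -> str:
    """Reject values that the Expert-mode shell would need to quote."""
    text = str(value)
    if not SAFE_TOKEN_RE.match(text):
        raise ValueError(f"{key} value {text!r} would need shell quoting")
    return text


def quote_filter_values(values: Sequence[str]) -> str:
    """Render a filter list as documented: "A","B" with no spaces."""
    if not values:
        raise ValueError("filter list is empty; pass False to disable the filter")
    for value in values:
        if '"' in value or "," in value:
            raise ValueError(f"filter value {value!r} must not contain '\"' or ','")
    return ",".join(f'"{v}"' for v in values)


def build_add_command(name: str, target_server: str, target_port: int,
                      protocol: str, options: Optional[Dict[str, object]] = None,
                      apply_now: bool = True) -> List[str]:
    """Return the tokens of a `cp_log_export add` line, or raise ValueError.

    `options` maps optional argument names to values, for example
    {"encrypted": True, "ca-cert": "/home/admin/ca.pem", "filter-action-in": ["Drop"]}.
    """
    if protocol not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp; there is no default")
    if not 1 <= int(target_port) <= 65535:
        raise ValueError("target-port must be between 1 and 65535")
    opts = dict(options or {})
    encrypted = bool(opts.get("encrypted", False))
    tokens = ["cp_log_export", "add", "name", validate_name(name),
              "target-server", safe_token("target-server", target_server),
              "target-port", str(int(target_port)), "protocol", protocol]
    for key, value in opts.items():
        if key in BOOL_ARGS:
            tokens += [key, "true" if value else "false"]
        elif key in CERT_ARGS:
            # The table marks these as applicable only when encrypted is true.
            if not encrypted:
                raise ValueError(f"{key} is applicable only when encrypted is true")
            tokens += [key, safe_token(key, value)]
        elif key in FILTER_ARGS:
            tokens += [key, "false" if value is False else quote_filter_values(value)]
        elif key in ENUM_ARGS:
            if value not in ENUM_ARGS[key]:
                raise ValueError(f"{key} must be one of {ENUM_ARGS[key]}")
            tokens += [key, str(value)]
        else:
            raise ValueError(f"unknown cp_log_export argument {key!r}")
    if apply_now:
        tokens.append("--apply-now")
    return tokens


def command_line(*args, **kwargs) -> str:
    """The line to run in Expert mode (after `mdsenv <Domain>` on a Multi-Domain Server)."""
    return " ".join(build_add_command(*args, **kwargs))


if __name__ == "__main__":
    # Constructed: TLS syslog exporter in CEF format that sends only Drop/Reject logs.
    print(command_line(
        "siem-tls", "10.20.30.40", 6514, "tcp",
        {"encrypted": True, "ca-cert": "/home/admin/ca.pem",
         "client-cert": "/home/admin/client.p12",
         "client-secret": "CLIENT_SECRET_PLACEHOLDER",
         "format": "cef", "filter-action-in": ["Drop", "Reject"]}))
```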

cpca_client
Description
Execute operations on the Internal Certificate Authority (ICA).

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d]
create_cert <options>
double_sign <options>
get_crldp <options>
get_pubkey <options>
init_certs <options>
lscert <options>
revoke_cert <options>
revoke_non_exist_cert <options>
search <options>
set_cert_validity <options>
set_mgmt_tool <options>
set_sign_hash <options>

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

create_cert <options> Issues a SIC certificate for the Security Management Server or Domain Management Server. See "cpca_client create_cert" on page 97.

double_sign <options> Creates a second signature for a certificate. See "cpca_client double_sign" on page 99.

get_crldp <options> Shows how to access a CRL file from a CRL Distribution Point. See "cpca_client get_crldp" on page 101.

get_pubkey <options> Saves the encoding of the public key of the ICA's certificate to a file. See "cpca_client get_pubkey" on page 103.

init_certs <options> Imports a list of DNs for users and creates a file with registration keys for each user. See "cpca_client init_certs" on page 104.

lscert <options> Shows all certificates issued by the ICA. See "cpca_client lscert" on page 105.

revoke_cert <options> Revokes a certificate issued by the ICA. See "cpca_client revoke_cert" on page 108.

revoke_non_exist_cert <options> Revokes a non-existent certificate issued by the ICA. See "cpca_client revoke_non_exist_cert" on page 111.

search <options> Searches for certificates in the ICA. See "cpca_client search" on page 112.

set_cert_validity <options> Configures the default certificate validity period for new certificates. See "cpca_client set_cert_validity" on page 114.

set_mgmt_tool <options> Controls the ICA Management Tool. See "cpca_client set_mgmt_tool" on page 116.

set_sign_hash <options> Sets the hash algorithm that the CA uses to sign the file hash. See "cpca_client set_sign_hash" on page 121.

cpca_client create_cert

Description
Issues a SIC certificate for the Security Management Server or Domain Management Server.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common Name>" -f <Full Path to PKCS12 file> [-w <Password>] [-k {SIC | USER | IKE | ADMIN_PKG}] [-c "<Comment for Certificate>"]


Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority. The default TCP port number is 18209.

-n "CN=<Common Name>" Sets the CN to the specified <Common Name>.

-f <Full Path to PKCS12 file> Specifies the PKCS12 file, which stores the certificate and keys.

-w <Password> Optional. Specifies the certificate password.

-k {SIC | USER | IKE | ADMIN_PKG} Optional. Specifies the certificate kind.

-c "<Comment for Certificate>" Optional. Specifies the certificate comment (must enclose in double quotes).

Example

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

cpca_client double_sign

Description
Creates a second signature for a certificate.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate File in PEM format> [-o <Full Path to Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority. The default TCP port number is 18209.

-i <Certificate File in PEM format> Imports the specified certificate (only in PEM format).

-o <Full Path to Output File> Optional. Saves the certificate into the specified file.


Example

[Expert@MGMT:0]# cpca_client double_sign -i certificate.pem

Requesting Double Signature for the following Certificate:
refCount: 1
Subject: [email protected],CN=http://www.example.com/,OU=ValiCert Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:
======================
(
: (
:dn ("[email protected],CN=http://www.example.com/,OU=exampleOU Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#

cpca_client get_crldp

Description
Shows the Fully Qualified Domain Name (FQDN) configured for the Internal Certificate
Authority (ICA) with the "cp_conf ca" on page 63 command.
The Management Server uses this FQDN:
1. To configure the Certificate Revocation List Distribution Point (CRL DP) property in all
certificates that the ICA generates.
2. To create the URL for accessing the CRL.
Example: http://MyMGMT.checkpoint.com:18264/ICA_CRL1.crl

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_crldp [-p <ICA port number>]

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <ICA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority. The default TCP port number is 18264.


Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cpca_client get_crldp
MyMGMT.checkpoint.com
[Expert@MyMGMT:0]#

cpca_client get_pubkey

Description
Saves the encoding of the public key of the ICA's certificate to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to Output File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

<Full Path to Output File>
    Saves the encoding of the public key of the ICA's certificate to the specified file.

Example

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/key.txt
[Expert@MGMT:0]#
[Expert@MGMT:0]# cat /tmp/key.txt
3082010a... ... ...f98b8910
[Expert@MGMT:0]#


cpca_client init_certs

Description
Imports a list of Distinguished Names (DN) for users and creates a file with registration keys for
each user.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to Input File> -o <Full Path to Output File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Full Path to Input File>
    Imports the specified file.
    Make sure to use the full path.
    Make sure that there is an empty line between each DN in the specified file.
    Example:
    ...CN=test1,OU=users...
    <Empty Line>
    ...CN=test2,OU=users...

-o <Full Path to Output File>
    Saves the registration keys to the specified file.
    This command saves the error messages in the <Name of Output File>.failures file in the same directory.


cpca_client lscert

Description
Shows all certificates issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-kind {SIC | IKE | User | LDAP}] [-ser <Certificate Serial Number>] [-dp <Certificate Distribution Point>]


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <SubString>
    Optional. Filters the search results to those with a DN that matches the specified <SubString>.
    This command does not support multiple values.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Filters the search results to those with certificate status that matches the specified status.
    This command does not support multiple values.

-kind {SIC | IKE | User | LDAP}
    Optional. Filters the search results to those with certificate kind that matches the specified kind.
    This command does not support multiple values.

-ser <Certificate Serial Number>
    Optional. Filters the search results to those with certificate serial number that matches the specified serial number.
    This command does not support multiple values.

-dp <Certificate Distribution Point>
    Optional. Filters the search results to the specified Certificate Distribution Point (CDP).
    This command does not support multiple values.


Example

[Expert@MGMT:0]# cpca_client lscert -stat Revoked
Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client lscert -kind IKE
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#


cpca_client revoke_cert

Description
Revokes a certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common Name>" -s <Certificate Serial Number>


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>"
    Specifies the certificate CN.
    To get the CN, run the "cpca_client lscert" on page 105 command and examine the text that you see between the "Subject =" and the ",O=...".
    Example
    From this output:
    Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
    Status = Valid Kind = IKE Serial = 27214 DP = 1
    Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
    you get this syntax:
    -n "CN=VS1 VPN Certificate"
    Note - You can use the parameter "-n" only, or together with the parameter "-s".

-s <Certificate Serial Number>
    Specifies the certificate serial number.
    To see the serial number, run the "cpca_client lscert" on page 105 command.
    Note - You can use the parameter "-s" only, or together with the parameter "-n".

Example 1 - Revoking a certificate specified by its CN

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#

Example 2 - Revoking a certificate specified by its serial number

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#


cpca_client revoke_non_exist_cert

Description
Revokes a non-existent certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input File>

Parameters

-d
    Runs the cpca_client command under debug.

-i <Full Path to Input File>
    Specifies the file that contains the list of the certificates to revoke.
    You must create this file in the same format as the "cpca_client lscert" on page 105 command prints its output.
    Example
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 30287 DP = 0
    Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
    <Empty Line>
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 60870 DP = 0
    Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri Apr 7 19:40:13 2023

Note - This command saves the error messages in the <Name of Input File>.failures file.
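The record layout above is shared by "cpca_client lscert", "cpca_client search" and the input file of "cpca_client revoke_non_exist_cert -i", and the "-n" parameter of "cpca_client revoke_cert" needs the CN cut out of the same Subject line. The following Python is an added example, not code from this guide or from Check Point: it parses that layout from saved command output, splits the Subject DN while honouring the backslash-escaped commas the ICA prints inside values (as in "O=exampleO\, Inc."), returns the CN for revoke_cert, lists valid certificates that expire within a given number of days, and writes selected records back out as a revoke_non_exist_cert input file. The embedded sample output is constructed from the guide's lscert example; all function names are the example's own.

```python
"""Parse and re-emit the certificate records printed by 'cpca_client lscert' and
'cpca_client search'.  Added example, not Check Point code; it assumes only the
record layout shown in the guide (records separated by an empty line)."""
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like the guide's 'cpca_client lscert -kind IKE' output.
SAMPLE_LSCERT_OUTPUT = """\
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr  9 19:36:31 2018 Not_After: Sun Apr  9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
"""

_STATUS_RE = re.compile(r"Status = (?P<status>\S+)\s+Kind = (?P<kind>\S+)\s+"
                        r"Serial = (?P<serial>\d+)\s+DP = (?P<dp>\d+)$")
_DATES_RE = re.compile(r"Not_Before: (?P<nb>.+?)\s+Not_After: (?P<na>.+)$")

def parse_stamp(text):
    """ctime()-style stamp as lscert prints it, e.g. 'Mon Apr  9 19:36:31 2018'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")

def parse_lscert(text):
    """Return one dict per certificate record found in lscert/search output."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Subject = "):
            current = {"subject": line[len("Subject = "):]}
            records.append(current)
        elif current is None:
            continue                       # banner lines before the first record
        elif line.startswith("Status = "):
            m = _STATUS_RE.match(line)
            if not m:
                raise ValueError("unrecognised status line: " + line)
            current.update(status=m["status"], kind=m["kind"],
                           serial=int(m["serial"]), dp=int(m["dp"]))
        elif line.startswith("Not_Before: "):
            m = _DATES_RE.match(line)
            if not m:
                raise ValueError("unrecognised validity line: " + line)
            current["not_before"] = parse_stamp(m["nb"])
            current["not_after"] = parse_stamp(m["na"])
    return records

def split_dn(dn):
    """(attribute, value) pairs of a DN; a backslash escapes the next character."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    return [(a.strip(), v) for a, _, v in (r.partition("=") for r in rdns)]

def join_dn(pairs):
    """Inverse of split_dn: re-escape backslashes and commas inside values."""
    return ",".join(a + "=" + v.replace("\\", "\\\\").replace(",", "\\,") for a, v in pairs)

def common_name(subject):
    """The CN value, i.e. what 'cpca_client revoke_cert -n "CN=..."' takes."""
    for attr, value in split_dn(subject):
        if attr.upper() == "CN":
            return value
    raise ValueError("no CN in subject: " + subject)

def expiring_within(records, days, now=None):
    """Valid certificates whose Not_After falls within the next `days` days."""
    now = now or datetime.now()
    horizon = now + timedelta(days=days)
    return [r for r in records
            if r.get("status") == "Valid" and now < r["not_after"] <= horizon]

def format_record(rec):
    """Render a record the way lscert prints it, which is also the input format that
    'cpca_client revoke_non_exist_cert -i' reads."""
    return (f"Subject = {rec['subject']}\n"
            f"Status = {rec['status']} Kind = {rec['kind']} "
            f"Serial = {rec['serial']} DP = {rec['dp']}\n"
            f"Not_Before: {rec['not_before'].ctime()} Not_After: {rec['not_after'].ctime()}")

def revoke_input_file(records):
    """Records joined by the empty line that revoke_non_exist_cert requires."""
    return "\n\n".join(format_record(r) for r in records) + "\n"
```

To use it against a real server, save the output of "cpca_client lscert" to a file, pass its contents to parse_lscert, and feed the result to expiring_within for a renewal check or to revoke_input_file to build the "-i" file; review the generated file before handing it to revoke_non_exist_cert, since that command acts on every record it contains.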


cpca_client search

Description
Searches for certificates in the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] search <String> [-where {dn | comment | serial | device_type | device_id | device_name}] [-kind {SIC | IKE | User | LDAP}] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-max <Maximal Number of Results>] [-showfp {y | n}]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<String>
    Specifies the text to search in the certificates.
    You can enter only one text string that does not contain spaces.

-where {dn | comment | serial | device_type | device_id | device_name}
    Optional. Specifies the certificate's field, in which to search for the string:
    - dn - Certificate DN
    - comment - Certificate comment
    - serial - Certificate serial number
    - device_type - Device type
    - device_id - Device ID
    - device_name - Device Name
    The default is to search in all fields.

-kind {SIC | IKE | User | LDAP}
    Optional. Specifies the certificate kind to search.
    You can enter multiple values in this format:
    -kind <Kind1> <Kind2> <Kind3>
    The default is to search for all kinds.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Specifies the certificate status to search.
    You can enter multiple values in this format:
    -stat <Status1> <Status2> <Status3>
    The default is to search for all statuses.

-max <Maximal Number of Results>
    Optional. Specifies the maximal number of results to show.
    - Range: 1 and greater
    - Default: 200

-showfp {y | n}
    Optional. Specifies whether to show the certificate's fingerprint and thumbprint:
    - y - Shows the fingerprint and thumbprint (this is the default)
    - n - Does not show the fingerprint and thumbprint


Example 1

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

Example 2

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

Example 3

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn -showfp n
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#


cpca_client set_mgmt_tool

Description
Controls the ICA Management Tool.
This tool is disabled by default.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

See sk102837: Best Practices - ICA Management Tool configuration

Syntax

cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean | print} [-p <CA port number>] [{-a <Administrator DN> | -u <User DN> | -c <Custom User DN>}]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

on
    Starts the ICA Management Tool.

off
    Stops the ICA Management Tool.

add
    Adds the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

remove
    Removes the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

clean
    Removes all administrators, users, or custom users that are permitted to use the ICA Management Tool.

print
    Shows the configured administrators, users, or custom users that are permitted to use the ICA Management Tool.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18265.

-a <Administrator DN>
    Optional. Specifies the DN of the administrator that is permitted to use the ICA Management Tool.
    Must specify the full DN as appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"

-u <User DN>
    Optional. Specifies the DN of the user that is permitted to use the ICA Management Tool.
    Must specify the full DN as appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

-c <Custom User DN>
    Optional. Specifies the DN for the custom user that is permitted to use the ICA Management Tool.
    Must specify the full DN as appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

Note - If you run the "cpca_client set_mgmt_tool" command without the parameter "-a" or "-u", the list of the permitted administrators and users is not changed. The previously defined permitted administrators and users can start and stop the ICA Management Tool.


To connect to the ICA Management Tool

1. In SmartConsole, configure the required administrator and user objects.
   You must create a certificate for these administrators and users.
   You use this certificate to configure the permitted users in the ICA Management Tool and in the client web browsers.
2. In the command line on the Management Server, add the required administrators and users that are permitted to use the ICA Management Tool:

   cpca_client set_mgmt_tool add ...

3. In the command line on the Management Server, start the ICA Management Tool:

   cpca_client set_mgmt_tool on

4. Check the status of the ICA Management Tool:

   cpca_client set_mgmt_tool print

5. Import the administrator's / user's certificate into the Windows Certificate Store:
   a. Right-click the *.p12 file you saved when you created the required administrator / user, and click Install PFX.
      The Certificate Import Wizard opens.
   b. In the Store Location section, select the applicable option:
      - Current User (this is the default)
      - Local Machine
   c. Click Next.
   d. Enter the same certificate password you used when you created the required administrator / user certificate.
   e. Clear Enable strong private key protection.
   f. Select Mark this key as exportable.
   g. Click Next.
   h. Select Place all certificates in the following store > click Browse > select Personal > click OK.
   i. Click Next.
   j. Click Finish.


6. In a web browser, connect to the ICA Management Tool:

   https://<IP Address of the Management Server>:18265

   Important - The fact that the TCP port 18265 is open is not a vulnerability. The ICA Management Tool Portal is secured and protected by SSL. In addition, only authorized administrators and users are allowed to access it using a certificate.

7. A dialog box with this message appears:

   Client Authentication
   Identification
   The Web site you want to view requests identification.
   Select the certificate to use when connecting.

8. Select the appropriate certificate for authenticating to the ICA Management Tool.
9. Click OK.
10. In the Security Alert dialog box, click Yes.


cpca_client set_sign_hash

Description
Sets the hash algorithm that the CA uses to sign the file hash. Also, see sk103840.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}

Important - After this change, you must restart the Check Point services with these commands:
- On a Security Management Server, run:
  1. cpstop
  2. cpstart
- On a Multi-Domain Server, run:
  1. mdsstop_customer <Name or IP Address of Domain Management Server>
  2. mdsstart_customer <Name or IP Address of Domain Management Server>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{sha1 | sha256 | sha384 | sha512}
    The hash algorithm that the CA uses to sign the file hash.
    The default algorithm is SHA-256.


Example

[Expert@MGMT:0]# cpca_client set_sign_hash sha256

You have selected the signature hash function SHA-256

WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.

Are you sure? (y/n)
y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this has no security implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart


cpca_create
Description
Creates a new Check Point Internal Certificate Authority database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_create [-d] -dn <CA DN>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <CA DN>
    Specifies the Certificate Authority Distinguished Name (DN).


cpinfo
Description
A utility that collects diagnostics data on your Check Point computer at the time of execution.
It is mandatory to collect these data when you contact Check Point Support about an issue on
your Check Point server.
For more information, see sk92739.


cplic
Description
The cplic command manages Check Point licenses.
You can run this command in Gaia Clish or in the Expert mode.
License Management is divided into three types of commands:

Local licensing commands
    Applies To: Management Servers, Security Gateways and Cluster Members
    Description: You execute these commands locally on the Check Point computers.

Remote licensing commands
    Applies To: Management Servers only
    Description: You execute these commands on the Security Management Server or Domain Management Server. These changes affect the managed Security Gateways and Cluster Members.

License Repository commands
    Applies To: Management Servers only
    Description: You execute these commands on the Security Management Server or Domain Management Server. These changes affect the licenses stored in the local license repository.

For more about managing licenses, see the R80.40 Security Management Administration
Guide.

Syntax for Local Licensing on a Management Server itself

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>


Syntax for Remote Licensing on managed Security Gateways and Cluster Members

cplic [-d]
{-h | -help}
del <options>
get <options>
put <options>
upgrade <options>

Syntax for License Database Operations on a Management Server

cplic [-d]
{-h | -help}
db_add <options>
db_print <options>
db_rm <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the applicable built-in usage.

check <options>
    Confirms that the license includes the feature on the local Security Gateway or Management Server.
    See "cplic check" on page 131.

contract <options>
    Manages (deletes and installs) the Check Point Service Contract on the local Check Point computer.
    See "cplic contract" on page 133.

db_add <options>
    Applies only to a Management Server.
    Adds licenses to the license repository on the Management Server.
    See "cplic db_add" on page 135.

db_print <options>
    Applies only to a Management Server.
    Shows the details of Check Point licenses stored in the license repository on the Management Server.
    See "cplic db_print" on page 137.

db_rm <options>
    Applies only to a Management Server.
    Removes a license from the license repository on the Management Server.
    See "cplic db_rm" on page 139.

del <options>
    Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
    See "cplic del" on page 140.

del <Object Name> <options>
    Detaches a Central license from a remote managed Security Gateway or Cluster Member.
    See "cplic del <object name>" on page 141.

get <options>
    Applies only to a Management Server.
    Retrieves all licenses from managed Security Gateways and Cluster Members into the license repository on the Management Server.
    See "cplic get" on page 142.

print <options>
    Prints details of the installed Check Point licenses on the local Check Point computer.
    See "cplic print" on page 144.

put <options>
    Installs and attaches licenses on a Check Point computer.
    See "cplic put" on page 146.

put <Object Name> <options>
    Attaches one or more Central or Local licenses to remote managed Security Gateways and Cluster Members.
    See "cplic put <object name>" on page 148.

upgrade <options>
    Applies only to a Management Server.
    Upgrades licenses in the license repository with licenses in the specified license file.
    See "cplic upgrade" on page 151.


cplic check

Description
Confirms that the license includes the feature on the local Security Gateway or Management
Server. See sk66245.

Syntax

cplic check {-h | -help}
cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <Product>
    Product, for which license information is requested.
    Some examples of products:
    - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member (all blades), or Management Server (all blades)
    - mgmt - Multi-Domain Server infrastructure
    - services - Entitlement for various services
    - cvpn - Mobile Access
    - etm - QoS (FloodGate-1)
    - eps - Endpoint Software Blades on Management Server

-v <Version>
    Product version, for which license information is requested.

{-c | -count}
    Outputs the number of licenses connected to this feature.

-t <Date>
    Checks license status on a future date.
    Use the format ddmmyyyy.
    A feature can be valid on a given date on one license, but invalid on another.

{-r | -routers}
    Checks how many routers are allowed.
    The <Feature> option is not needed.

{-S | -SRusers}
    Checks how many SecuRemote users are allowed.

<Feature>
    Feature, for which license information is requested.

Example from a Management Server

[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1 fw1:6.0:rt fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit fw1:6.0:prov fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability

[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

Example from a Security Gateway

[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf fw1:6.0:av fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member

[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#
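The examples above show the two halves of a license audit: "cplic print -p" lists every primitive feature a license grants as a product:version:feature token next to the host and expiration date, and "cplic check" answers whether a given feature (optionally narrowed by -p, -v and -t) is granted. The following Python is an added example, not code from this guide or from Check Point: it parses saved "cplic print -p" output into per-license feature sets and evaluates a check the way the -p, -v, -c and -t parameters combine, so that an inventory collected from many gateways can be reviewed offline. The sample output is constructed with shortened feature lists; the function names, the assumption that the ::CK-... token is a certificate key rather than a feature, the inclusive treatment of the expiration date, and the "never" spelling for a perpetual license are this example's own.

```python
"""Answer 'cplic check'-style questions offline from saved 'cplic print -p' output.
Added example, not Check Point code.  It assumes the 'Host Expiration
Primitive-Features' layout shown in the guide, with each feature token written as
product:version:feature; tokens without a product (the ::CK-... key) are skipped."""
from datetime import date, datetime

# Constructed sample; feature lists are shortened from the guide's output.
SAMPLE_CPLIC_PRINT = """\
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:cluster-1 fw1:6.0:ca fw1:6.0:mgmtha evnt:6.0:smrt_evnt fw1:6.0:cpipv6
192.0.2.11 31Dec2030 ::CK-YYYYYYYYYYYY fw1:6.0:swb fw1:6.0:cluster-u fw1:6.0:ips fw1:6.0:abot cvpn:6.0:cvpn
"""

def parse_expiration(token):
    """'24Mar2016' -> date.  'never' is treated as perpetual (assumed spelling)."""
    if token.lower() == "never":
        return None
    return datetime.strptime(token, "%d%b%Y").date()

def parse_check_date(ddmmyyyy):
    """The ddmmyyyy form that 'cplic check -t' takes, e.g. '01042016'."""
    return datetime.strptime(ddmmyyyy, "%d%m%Y").date()

def parse_cplic_print(text):
    """One dict per license line: host, expiry date and a set of feature triples."""
    licenses = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Host":
            continue                                   # header or blank line
        features = set()
        for token in fields[2:]:
            parts = token.split(":")
            if len(parts) == 3 and parts[0]:           # skip the ::CK-... key
                features.add(tuple(parts))
        licenses.append({"host": fields[0],
                         "expires": parse_expiration(fields[1]),
                         "features": features})
    return licenses

def valid_on(lic, on_date):
    """A license is usable through its expiration date (assumed inclusive)."""
    return lic["expires"] is None or lic["expires"] >= on_date

def check(licenses, feature, product=None, version=None, on_date=None):
    """Count the licenses granting `feature` on `on_date`, mirroring
    'cplic check [-p <Product>] [-v <Version>] [-t <Date>] -c <Feature>'."""
    on_date = on_date or date.today()
    count = 0
    for lic in licenses:
        if not valid_on(lic, on_date):
            continue
        if any(f == feature and product in (None, p) and version in (None, v)
               for p, v, f in lic["features"]):
            count += 1
    return count

def missing_features(licenses, required, on_date=None):
    """(product, version, feature) triples from `required` that no valid license grants."""
    return [req for req in required
            if check(licenses, req[2], req[0], req[1], on_date) == 0]
```

missing_features is the part a reviewer actually wants: given the blade set a gateway is supposed to run, it names the entitlements that will be absent on the chosen date, which is the same question "cplic check -t <Date>" answers one feature at a time.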


cplic contract

Description
Deletes the Check Point Service Contract on the local Check Point computer.
Installs the Check Point Service Contract on the local Check Point computer.

Note
- For more information about Service Contract files, see sk33089: What is a Service Contract File?
- If you install a Service Contract on a managed Security Gateway / Cluster Member, you must update the license repository on the applicable Management Server - either with the "cplic get" on page 142 command, or in SmartUpdate.

Syntax

cplic contract -h
cplic [-d] contract
      del
            -h
            <Service Contract ID>
      put
            -h
            [{-o | -overwrite}] <Service Contract File>


Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

del
    Deletes the Service Contract from the $CPDIR/conf/cp.contract file on the local Check Point computer.

put
    Merges the Service Contract to the $CPDIR/conf/cp.contract file on the local Check Point computer.

<Service Contract ID>
    ID of the Service Contract.

{-o | -overwrite}
    Specifies to overwrite the current Service Contract.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your Check Point User Center account.


cplic db_add

Description
Adds licenses to the license repository on the Management Server.
When you add Local licenses to the license repository, Management Server automatically
attaches them to the managed Security Gateway / Cluster Member with the matching IP
address.
When you add Central licenses, you must manually attach them.

Note - You get the license details in the Check Point User Center.

Syntax

cplic db_add {-h | -help}
cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Management Server / Domain Management Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
    Case sensitive. Hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example, CPSUITE-EVAL-3DES-vNG

Example
If the file 192.0.2.11.lic contains one or more licenses, the command "cplic db_add -l 192.0.2.11.lic" produces output similar to:

[Expert@MGMT]# cplic db_add -l 192.0.2.11.lic
Adding license to database ...
Operation Done
[Expert@MGMT]#


cplic db_print

Description
Shows the details of Check Point licenses stored in the license repository on the Management
Server.

Syntax

cplic db_print {-h | -help}


cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x] [{-t | -type}] [{-a | -attached}]

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the output to a
      file, or use the script command to save the entire CLI session.

  <Object Name>
      Prints only the licenses attached to <Object Name>.
      <Object Name> is the name of the Security Gateway / Cluster Member
      object as defined in SmartConsole.

  -all
      Prints all the licenses in the license repository.

  {-n | -noheader}
      Prints licenses with no header.

  -x
      Prints licenses with their signatures.

  {-t | -type}
      Prints licenses with their type: Central or Local.

  {-a | -attached}
      Shows to which object the license is attached.
      Useful, if the parameter "-all" is specified.

Example

[Expert@MGMT:0]# cplic db_print -all


Retrieving license information from database ...

The following licenses appear in the database:


===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a


Retrieving license information from database ...

The following licenses appear in the database:


===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#

cplic db_rm

Description
Removes a license from the license repository on the Management Server.
After you remove a license from the repository, the Management Server can no longer use it.

Warning - You can run this command ONLY after you detach the license with the
"cplic del" on page 140 command.

Syntax

cplic db_rm {-h | -help}


cplic [-d] db_rm <Signature>

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the output to a
      file, or use the script command to save the entire CLI session.

  <Signature>
      The signature string within the license.
      To see the license signature string, run the "cplic print" on page 144
      command.

Example
[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic del

Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other
licenses.
This command can delete licenses both on the local computer and on remote managed
computers.

Syntax

cplic del {-h | -help}


cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the output
      to a file, or use the script command to save the entire CLI session.

  -F <Output File>
      Saves the command output to the specified file.

  <Signature>
      The signature string within the license.
      To see the license signature string, run the "cplic print" on page 144
      command.

  <Object Name>
      The name of the Security Gateway / Cluster Member object as defined
      in SmartConsole.

cplic del <object name>

Description
Detaches a Central license from a remote managed Security Gateway or Cluster Member.
When you run this command, it automatically updates the license repository.
The Central license remains in the license repository as an unattached license.

Syntax

cplic del {-h | -help}


cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP Address>] <Signature>

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the
      output to a file, or use the script command to save the
      entire CLI session.

  <Object Name>
      The name of the Security Gateway / Cluster Member object as
      defined in SmartConsole.

  -F <Output File>
      Saves the command output to the specified file.

  -ip <Dynamic IP Address>
      Deletes the license on the DAIP Security Gateway with the
      specified IP address.
      Note - If this parameter is used, then the object name must be a
      DAIP Security Gateway.

  <Signature>
      The signature string within the license.
      To see the license signature string, run the "cplic print" on
      page 144 command.

cplic get

Description
Retrieves all licenses from managed Security Gateways and Cluster Members into the license
repository on the Management Server.
This command helps synchronize the license repository with the managed Security Gateways
and Cluster Members.
When you run this command, it updates the license repository with all local changes.

Syntax

cplic get {-h | -help}


cplic [-d] get
      -all
      <IP Address>
      <Host Name>

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the output to a
      file, or use the script command to save the entire CLI session.

  -all
      Retrieves licenses from all Security Gateways and Cluster Members in the
      managed network.

  <IP Address>
      The IP address of the Security Gateway / Cluster Member, from which
      licenses are to be retrieved.

  <Host Name>
      The name of the Security Gateway / Cluster Member object as defined in
      SmartConsole, from which licenses are to be retrieved.

Example
If the Security Gateway with the object name MyGW contains four Local licenses, and the
license repository contains two other Local licenses, the command "cplic get MyGW"
produces output similar to this:

[Expert@MGMT:0]# cplic get MyGW


Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#

cplic print

Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed
licenses (both Local and Central).

Syntax

cplic print {-h | -help}


cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | -preatures}] [-D]

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then
      redirect the output to a file, or use the script
      command to save the entire CLI session.

  {-n | -noheader}
      Prints licenses with no header.

  -x
      Prints licenses with their signature.

  {-t | -type}
      Prints licenses showing their type: Central or Local.

  -F <Output File>
      Saves the command output to the specified file.

  {-p | -preatures}
      Prints licenses resolved to primitive features.

  -D
      On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print


Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 2

[Expert@HostName:0]# cplic print -x


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#
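A defender-side check a practitioner would want on top of this output, as an added example that is not part of the Check Point guide: a POSIX shell function that parses the license rows printed by cplic print (and by cplic db_print -all -x -a, whose rows start with the same Host and Expiration columns) and flags licenses that are expired or about to expire. The function name, the sample rows (placeholder signatures and CK values) and the reference date are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the Check Point guide): flag licenses that are expired
# or close to expiry in the output of "cplic print" / "cplic print -x" /
# "cplic db_print -all -x -a". The guide's examples show one license per line with
# the host IP in the first column and the expiration in the second, written as
# 25Aug2019 or Never; those two columns are all this check relies on.
#
# Usage: cplic print -x | cplic_expiry_check <reference date YYYYMMDD> <warn-days>
# The reference date is passed in instead of read from the clock so that results
# are reproducible; on a live system pass "$(date +%Y%m%d)".

# Constructed sample output; hosts, dates, signatures and CK values are placeholders.
SAMPLE_CPLIC_OUTPUT='Host            Expiration   Signature                        Features
192.168.3.28    25Aug2019    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  CPMP-XXX CK-XXXXXXXXXXXX
192.0.2.11      Never        yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy  CPFW-FIG-25-53 CK49C3A3CC7121
192.0.2.12      26Nov2017    zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz  CPSB-SWB CPSB-ADNC-M CK0123456789ab'

# cplic_expiry_check <YYYYMMDD> <warn-days>
# Reads cplic output on stdin and prints, per license:
#   <host> <expiration> <days-left|never|?> <EXPIRED|EXPIRING|OK|NEVER|UNPARSED>
# Exit status is 1 when any license is EXPIRED, EXPIRING or UNPARSED, else 0,
# so the function can drive a monitoring check directly.
cplic_expiry_check() {
    awk -v ref="$1" -v warn="$2" '
    # Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant
    # days_from_civil); avoids depending on GNU "date -d".
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
        refdays = days_from_civil(substr(ref, 1, 4) + 0, substr(ref, 5, 2) + 0, substr(ref, 7, 2) + 0)
        bad = 0
    }
    # Only lines whose first field is a dotted-quad host are license rows; the
    # header line and the "Retrieving license information ..." chatter are skipped.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        ex = $2
        if (tolower(ex) == "never") { print $1, ex, "never", "NEVER"; next }
        n = length(ex)
        mname = substr(ex, n - 6, 3)
        if (ex !~ /^[0-9][0-9]?[A-Z][a-z][a-z][0-9][0-9][0-9][0-9]$/ || !(mname in mon)) {
            print $1, ex, "?", "UNPARSED"; bad = 1; next
        }
        left = days_from_civil(substr(ex, n - 3, 4) + 0, mon[mname], substr(ex, 1, n - 7) + 0) - refdays
        if (left < 0) {
            status = "EXPIRED"; bad = 1
        } else if (left <= warn) {
            status = "EXPIRING"; bad = 1
        } else {
            status = "OK"
        }
        print $1, ex, left, status
    }
    END { exit bad }'
}

# Stand-alone run on the constructed sample: reference date 1 Aug 2019, warn at 30 days.
printf '%s\n' "$SAMPLE_CPLIC_OUTPUT" | cplic_expiry_check 20190801 30 \
    || echo "ATTENTION: at least one license is expired, expiring or unparseable"
```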

cplic put

Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}


cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}] [-F <Output File>]
      [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File> [<Host>] [<Expiration Date>]
      [<Signature>] [<SKU/Features>]

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the output
      to a file, or use the script command to save the entire CLI session.

  {-o | -overwrite}
      On a Security Gateway / Cluster Member, this command erases only
      the local licenses, but not central licenses that are installed remotely.

  {-c | -check-only}
      Verifies the license. Checks if the IP of the license matches the Check
      Point computer and if the signature is valid.

  {-s | -select}
      Selects only the local license whose IP address matches the IP
      address of the Check Point computer.

  -F <Output File>
      Saves the command output to the specified file.

  {-P | -Pre-boot}
      Use this option after you have upgraded and before you reboot the
      Check Point computer.
      Use of this option will prevent certain error messages.

  {-K | -kernel-only}
      Pushes the current valid licenses to the kernel.
      For use by Check Point Support only.

  -l <License File>
      Name of the file that contains the license.

  <Host>
      Hostname or IP address of the Security Gateway / Cluster Member for
      a local license.
      Hostname or IP address of the Security Management Server / Domain
      Management Server for a central license.

  <Expiration Date>
      The license expiration date.

  <Signature>
      The signature string within the license.
      Case sensitive. The hyphens are optional.

  <SKU/Features>
      The SKU of the license summarizes the features included in the license.
      For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

  host
      The IP address of the external interface (in quad-dot notation).
      The last part cannot be 0 or 255.

  expiration date
      The license expiration date. It can be never.

  signature
      The license signature string.
      Case sensitive. The hyphens are optional.

  SKU/features
      A string listing the SKU and the Certificate Key of the license.
      The SKU of the license summarizes the features included in the license.
      For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic


Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#

cplic put <object name>

Description
Attaches one or more Central or Local licenses to remote managed Security Gateways and
Cluster Members.
When you run this command, it automatically updates the license repository.

Note
- You get the license details in the Check Point User Center.
- You can attach more than one license.

Syntax

cplic put {-h | -help}


cplic [-d] put <Object Name> [-ip <Dynamic IP Address>] [-F <Output File>] -l <License File>
      [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -d
      Runs the command in debug mode.
      Use only if you troubleshoot the command itself.
      Best Practice - If you use this parameter, then redirect the
      output to a file, or use the script command to save the entire
      CLI session.

  <Object Name>
      The name of the Security Gateway / Cluster Member object, as
      defined in SmartConsole.

  -ip <Dynamic IP Address>
      Installs the license on the Security Gateway with the specified IP
      address.
      This parameter is used to install a license on a Security Gateway with
      dynamically assigned IP address (DAIP).
      Note - If you use this parameter, then the object name must be
      that of a DAIP Security Gateway.

  -F <Output File>
      Saves the command output to the specified file.

  -l <License File>
      Installs the licenses from the <License File>.

  <Host>
      Hostname or IP address of the Security Management Server /
      Domain Management Server.

  <Expiration Date>
      The license expiration date.

  <Signature>
      The license signature string.
      Case sensitive. The hyphens are optional.

  <SKU/Features>
      The SKU of the license summarizes the features included in the
      license.
      For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

  host
      The IP address of the external interface (in quad-dot notation).
      The last part cannot be 0 or 255.

  expiration date
      The license expiration date. It can be never.

  signature
      The license signature string.
      Case sensitive. The hyphens are optional.

  SKU/features
      A string listing the SKU and the Certificate Key of the license.
      The SKU of the license summarizes the features included in the
      license.
      For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

cplic upgrade

Description
Upgrades licenses in the license repository with licenses in the specified license file.

Note - You get this license file in the Check Point User Center.

Syntax

cplic upgrade {-h | -help}


cplic [-d] upgrade -l <Input File>

Parameters

  {-h | -help}
      Shows the applicable built-in usage.

  -l <Input File>
      Upgrades the licenses in the license repository and Check Point Security
      Gateways / Cluster Members to match the licenses in the specified file.

Example
This example explains the procedure to upgrade the licenses in the license repository.
There are two Software Blade licenses in the input file:
- One license does not match any license on a remote managed Security Gateway.
- The other license matches an NGX-version license on a managed Security Gateway that
  has to be upgraded.
Workflow in this example:
1. Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the
Security Gateways with the previous product versions.
2. Import all licenses into the license repository.
You can also do this after you upgrade the products on the remote Security Gateways.
3. Run this command:

cplic get -all

Example:

[Expert@MyMGMT]# cplic get -all


Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

4. To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:

[Expert@MyMGMT]# cplic db_print -all -a


Retrieving license information from database ...

The following licenses appear in the database:


==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2

5. In the Check Point User Center, view the licenses for the products that were upgraded
from version NGX to a Software Blades license.
You can also create new upgraded licenses.
6. Download a file containing the upgraded licenses.
Only download licenses for the products that were upgraded from version NGX to
Software Blades.
7. If you did not import the version NGX licenses into the repository, import the version NGX
licenses now.

Use this command:

cplic get -all

8. Run the license upgrade command:

cplic upgrade -l <Input File>

- The licenses in the downloaded license file and in the license repository are
  compared.
- If the certificate keys and features match, the old licenses in the repository and in
  the remote Security Gateways are updated with the new licenses.
- A report of the results of the license upgrade is printed.

For more about managing licenses, see the R80.40 Security Management Administration
Guide.

cpmiquerybin
Description
The cpmiquerybin utility connects to a specified database, runs a user-defined query and
shows the query results.
The results can be a collection of Security Gateway sets or a tab-delimited list of specified
fields from each retrieved object.
The default database of the query tool is based on the shell environment settings.
To connect to a Domain Management Server database, run "mdsenv" on page 721 and define
the necessary environment variables.

Use the Domain Management Server name or IP address as the first parameter.

Notes:
- You can see complete documentation of the cpmiquerybin utility, with the full
  query syntax, examples, and a list of common attributes in sk65181.
- The MISSING_ATTR string shows when you use an attribute name that does
  not exist in the objects in the query result.

Syntax

cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]

Parameters

  <query_result_type>
      Query result in one of these formats:
      - attr - Returns values from one or more specified fields for each
        object. Use the "-a" parameter followed by a comma separated
        list of fields.
      - object - Shows Security Gateway sets containing data of each
        retrieved object.

  <database>
      Name of the database file in quotes. For example, "mdsdb".
      Use empty double quotes "" to run the query on the default database.

  <table>
      Name of the database table that contains the data.

  <query>
      One or more query strings in a comma separated list.
      Use empty double quotes ("") to return all objects in the database
      table.
      You can use the asterisk character (*) as a wildcard replacement for
      one or more matching characters in your query string.

  -a <attributes_list>
      If you use the attr value of the query_result_type parameter, you must
      specify one or more attributes in a comma-delimited list (without
      spaces) of object fields.
      You can return all object names with the special string: __name__

Return Values
- 0 - Query returns data successfully
- 1 - Query does not return data or there is a query syntax error

Example - Viewing the names of the currently defined network objects

[Expert@HostName:0]# cpmiquerybin attr "" network_objects "" -a __name__


DMZZone
WirelessZone
ExternalZone
InternalZone
AuxiliaryNet
LocalMachine_All_Interfaces
CPDShield
InternalNet
LocalMachine
DMZNet
[Expert@HostName:0]#

cppkg
Description
Manages the SmartUpdate software packages repository on the Security Management
Server.

Important - Installing software packages with the SmartUpdate is not supported for
Security Gateways running on Gaia OS.

Syntax

cppkg
      add <options>
      {del | delete} <options>
      get
      getroot
      print
      setroot <options>

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run mdsenv).

Parameters

  add <options>
      Adds a SmartUpdate software package to the repository.
      See "cppkg add" on page 156.

  {del | delete} <options>
      Deletes a SmartUpdate software package from the repository.
      See "cppkg delete" on page 157.

  get
      Updates the list of the SmartUpdate software packages in the repository.
      See "cppkg get" on page 159.

  getroot
      Shows the path to the root directory of the repository (the value of
      the environment variable $SUROOT).
      See "cppkg getroot" on page 160.

  print
      Prints the list of SmartUpdate software packages in the repository.
      See "cppkg print" on page 161.

  setroot <options>
      Configures the path to the root directory of the repository.
      See "cppkg setroot" on page 162.

cppkg add

Description
Adds a SmartUpdate software package to the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
- This command does not overwrite existing packages. To overwrite an existing
  package, you must first delete the existing package.
- You get the SmartUpdate software packages from the Check Point Support
  Center.

Syntax

cppkg add <Full Path to Package | DVD Drive [Product]>

Parameters

  <Full Path to Package>
      Specifies the full local path on the computer to the SmartUpdate
      software package.

  DVD Drive [Product]
      Specifies the DVD root path.
      Example: /mnt/CPR80

Example - Adding R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz


Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg delete

Description
Deletes SmartUpdate software packages from the SmartUpdate software packages
repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

Parameters

  del | delete
      When you do not specify optional parameters, the command runs in the
      interactive mode. The command shows the menu with applicable options.

  "<Vendor>"
      Specifies the package vendor. Enclose in double quotes.

  "<Product>"
      Specifies the product name. Enclose in double quotes.

  "<Major Version>"
      Specifies the package Major Version. Enclose in double quotes.

  "<OS>"
      Specifies the package OS. Enclose in double quotes.

  "<Minor Version>"
      Specifies the package Minor Version. Enclose in double quotes.

Notes:
- To see the values for the optional parameters, run the "cppkg print" on page 161
  command.
- You must specify all optional parameters, or no parameters.

Example 1 - Interactive mode

[Expert@MGMT:0]# cppkg delete

Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository


[Expert@MGMT:0]#

Example 2 - Manually deleting the specified package

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#

cppkg get

Description
Updates the list of the SmartUpdate software packages in the SmartUpdate software
packages repository based on the real content of the repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg get

Example

[Expert@MGMT:0]# cppkg get


Update successfully completed
[Expert@MGMT:0]#

cppkg getroot

Description
Shows the path to the root directory of the SmartUpdate software packages repository (the
value of the environment variable $SUROOT).

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg getroot

Example

[Expert@MGMT:0]# cppkg getroot


[cppkg 7119 4128339728]@MGMT[29 May 19:16:06] Current repository root is set to :
/var/log/cpupgrade/suroot
[Expert@MGMT:0]#

cppkg print

Description
Prints the list of SmartUpdate software packages in the SmartUpdate software packages
repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg print

Example - R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg setroot

Description
Configures the path to the root directory of the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
- The default path is: /var/log/cpupgrade/suroot
- When changing repository root directory:
  - This command copies the software packages from the old repository to
    the new repository. A package in the new location is overwritten by a
    package from the old location, if the packages have the same name.
  - This command updates the value of the environment variable $SUROOT in
    the Check Point Profile shell scripts ($CPDIR/tmp/.CPprofile.sh and
    $CPDIR/tmp/.CPprofile.csh).

Syntax

cppkg setroot <Full Path to Repository Root Directory>

Example

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory

Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :

1. Old repository content will be copied into the new repository
2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/log/my_directory

Notice : To complete the setting of your directory, reboot the machine!


[Expert@MGMT:0]#

cpprod_util
Description
This utility works with Check Point Registry ($CPDIR/registry/HKLM_registry.data)
without manually opening it:
- Shows which Check Point products and features are enabled on this Check Point
  computer.
- Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}

cpprod_util -dump

Parameters

  CPPROD_GetValue
      Gets the configuration status of the specified product or feature:
      - 0 - Disabled
      - 1 - Enabled

  CPPROD_SetValue
      Sets the configuration for the specified product or feature.
      Important - Do not run these commands unless explicitly instructed
      by Check Point Support or R&D to do so.

  "<Product>"
      Specifies the product or feature.

  "<Parameter>"
      Specifies the configuration parameter for the specified product or feature.

  "<Value>"
      Specifies the value of the configuration parameter for the specified
      product or feature:
      - One of these integers: 0, 1, 4
      - A string

  -dump
      Creates a dump file of Check Point Registry
      ($CPDIR/registry/HKLM_registry.data) in the current working directory.
      The name of the output file is RegDump.

Notes
- On a Multi-Domain Server, you must run this command in the context of the relevant
  Domain Management Server.
- If you run the cpprod_util command without parameters, it prints:
  - The list of all available products and features (for example,
    "FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
  - The type of the expected argument when you configure a product or feature
    ("no-parameter", "string-parameter", or "integer-parameter")
  - The type of the returned output ("status-output", or "no-output")
- To redirect the output of the cpprod_util command, it is necessary to redirect the
  stderr to stdout:

  cpprod_util <options> > <output file> 2>&1

  Example:

  cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples
Example - Showing a list of all installed Check Point Products Packages on a Management Server
[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Management Server


[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone


[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability


[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability


[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability


[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server
[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled


[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is
enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the Endpoint Policy Management blade is enabled
[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Endpoint Policy Server


[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

Example - Showing a list of all installed Check Point Products Packages on a Security Gateway
[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway


[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled


[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the SmartProvisioning is enabled


[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode


[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of Full HA cluster


[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with Dynamically Assigned IP (DAIP)
[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses


[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#
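As an added example that is not part of the Check Point guide: a POSIX shell script that turns the yes/no flags shown in the examples above into a role summary for the host, capturing stdout and stderr together as the notes for this command require and treating anything other than a lone 0 or 1 as an unknown answer rather than a yes or a no. The function names, the stand-in used when cpprod_util is not installed, and the assumption that the stand-in answers on stderr are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the Check Point guide): summarize the role of a Check
# Point host from cpprod_util status flags. The flag names (FwIsFirewallMgmt,
# FwIsStandAlone, FwIsLogServer, FwIsVSX, FwIsBridge) are the ones the guide's own
# examples use. Two details from the guide are handled explicitly: the output has to
# be captured with "2>&1", and a flag is trusted only when the answer is a lone 0 or
# 1; anything else (an error line, a flag the tool does not know) becomes "unknown".

CPPROD_UTIL="${CPPROD_UTIL:-cpprod_util}"

# Constructed stand-in so the example runs on a machine without Check Point software.
# It imitates a Management Server that is also a Log Server and writes its answers
# to stderr (an assumption modelled on the guide's "2>&1" note). Not the real tool.
if ! command -v cpprod_util >/dev/null 2>&1; then
    fake_cpprod_util() {
        case "$1" in
            FwIsFirewallMgmt|FwIsLogServer)    echo 1 >&2 ;;
            FwIsStandAlone|FwIsVSX|FwIsBridge) echo 0 >&2 ;;
            *) echo "cpprod_util: unknown product or feature: $1" >&2; return 1 ;;
        esac
    }
    CPPROD_UTIL=fake_cpprod_util
fi

# cpprod_flag <flag>: prints 1, 0 or unknown and always returns 0.
cpprod_flag() {
    answer=$("$CPPROD_UTIL" "$1" 2>&1) || true
    answer=$(printf '%s' "$answer" | tr -d '[:space:]')
    case "$answer" in
        0|1) printf '%s\n' "$answer" ;;
        *)   printf 'unknown\n' ;;
    esac
}

# cp_role_summary: prints each flag as "name=value" and a final "role=..." line.
# An unknown answer for any role-defining flag yields "undetermined" instead of
# silently classifying the host.
cp_role_summary() {
    mgmt=$(cpprod_flag FwIsFirewallMgmt)
    standalone=$(cpprod_flag FwIsStandAlone)
    logsrv=$(cpprod_flag FwIsLogServer)
    vsx=$(cpprod_flag FwIsVSX)
    bridge=$(cpprod_flag FwIsBridge)
    printf 'FwIsFirewallMgmt=%s\nFwIsStandAlone=%s\nFwIsLogServer=%s\nFwIsVSX=%s\nFwIsBridge=%s\n' \
        "$mgmt" "$standalone" "$logsrv" "$vsx" "$bridge"
    case "$standalone:$mgmt:$vsx:$bridge" in
        1:*)     role="Standalone (Management Server and Security Gateway)" ;;
        0:1:*)   role="Management Server" ;;
        0:0:1:*) role="VSX Gateway" ;;
        0:0:0:1) role="Security Gateway (Bridge Mode)" ;;
        0:0:0:0) role="Security Gateway" ;;
        *)       role="undetermined (a flag answered unknown)" ;;
    esac
    if [ "$logsrv" = 1 ]; then
        role="$role, Log Server"
    fi
    printf 'role=%s\n' "$role"
}

# Stand-alone run.
cp_role_summary
```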

cprid
Description
Manages the Check Point Remote Installation Daemon (cprid).
This daemon is used for remote upgrade and installation of Check Point products on the
managed Security Gateways.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run these commands in the context of the
MDS (run mdsenv).

Commands

Syntax              Description

cpridstart          Starts the Check Point Remote Installation Daemon (cprid).

cpridstop           Stops the Check Point Remote Installation Daemon (cprid).

run_cprid_restart   Stops and then starts the Check Point Remote Installation Daemon (cprid).

cprinstall
Description
Performs installation of Check Point product packages and associated operations on remote
managed Security Gateways.

Important - Installing software packages with this command is not supported for
Security Gateways that run on Gaia OS.
Notes:
n This command requires a license for SmartUpdate.
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n On the remote Security Gateways these are required:
l SIC Trust must be established between the Security Management Server and the
Security Gateway.
l The cpd daemon must run.
l The cprid daemon must run.

Syntax

cprinstall
boot <options>
cprestart <options>
cpstart <options>
cpstop <options>
delete <options>
get <options>
install <options>
revert <options>
show <options>
snapshot <options>
transfer <options>
uninstall <options>
verify <options>


Parameters

Parameter             Description

boot <options>        Reboots the managed Security Gateway.
                      See "cprinstall boot" on page 173.

cprestart <options>   Runs the cprestart command on the managed Security Gateway.
                      See "cprinstall cprestart" on page 174.

cpstart <options>     Runs the cpstart command on the managed Security Gateway.
                      See "cprinstall cpstart" on page 175.

cpstop <options>      Runs the cpstop command on the managed Security Gateway.
                      See "cprinstall cpstop" on page 176.

delete <options>      Deletes a snapshot (backup) file on the managed Security Gateway.
                      See "cprinstall delete" on page 177.

get <options>         n Gets details of the products and the operating system installed on
                        the managed Security Gateway.
                      n Updates the management database on the Security Management Server.
                      See "cprinstall get" on page 178.

install <options>     Installs Check Point products on the managed Security Gateway.
                      See "cprinstall install" on page 179.

revert <options>      Restores the managed Security Gateway that runs on SecurePlatform OS
                      from a snapshot saved on that Security Gateway.
                      See "cprinstall revert" on page 182.

show <options>        Displays all snapshot (backup) files on the managed Security Gateway
                      that runs on SecurePlatform OS.
                      See "cprinstall show" on page 183.

snapshot <options>    Creates a snapshot on the managed Security Gateway that runs on
                      SecurePlatform OS and saves it on that Security Gateway.
                      See "cprinstall snapshot" on page 184.

transfer <options>    Transfers a software package from the repository to the managed
                      Security Gateway without installing the package.
                      See "cprinstall transfer" on page 185.

uninstall <options>   Uninstalls Check Point products on the managed Security Gateway.
                      See "cprinstall uninstall" on page 187.

verify <options>      Checks, before an installation, that:
                      n the specified product can be installed on the managed Security
                        Gateway;
                      n the operating system and the currently installed products on the
                        managed Security Gateway are appropriate for the software package;
                      n there is enough disk space on the managed Security Gateway to install
                        the product;
                      n there is a CPRID connection with the managed Security Gateway.
                      See "cprinstall verify" on page 189.

cprinstall boot

Description
Reboots the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall boot <Object Name>

Parameters

Parameter       Description

<Object Name>   The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall boot MyGW

cprinstall cprestart

Description
Runs the cprestart command on the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n All Check Point products on the managed Security Gateway must be of the
same version.

Syntax

cprinstall cprestart <Object Name>

Parameters

Parameter       Description

<Object Name>   The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT:0]# cprinstall cprestart MyGW

cprinstall cpstart

Description
Runs the cpstart command on the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n All Check Point products on the managed Security Gateway must be of the
same version.

Syntax

cprinstall cpstart <Object Name>

Parameters

Parameter       Description

<Object Name>   The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstart MyGW

cprinstall cpstop

Description
Runs the cpstop command on the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n All Check Point products on the managed Security Gateway must be of the
same version.

Syntax

cprinstall cpstop {-proc | -nopolicy} <Object Name>

Parameters

Parameter       Description

-proc           Kills the Check Point daemons and Security Servers, while it maintains the
                active Security Policy running in the Check Point kernel.
                Rules with generic Allow, Drop or Reject action based on services continue
                to work.

-nopolicy       Kills the Check Point daemons and Security Servers and unloads the
                Security Policy from the Check Point kernel.

<Object Name>   The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstop -proc MyGW

cprinstall delete

Description
Deletes a snapshot (backup) file on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall delete <Object Name> <Snapshot File>

Parameters

Parameter         Description

<Object Name>     The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>   Specifies the name of the snapshot (backup) on SecurePlatform OS.

Example
[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017

cprinstall get

Description
n Gets details of the products and the operating system installed on the managed Security
Gateway.
n Updates the management database on the Security Management Server.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall get <Object Name>

Parameters

Parameter       Description

<Object Name>   The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall get MyGW
Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system   Major Version   Minor Version
------------------------------------------------------------------------
SecurePlatform     R75.20          R75.20

Vendor        Product           Major Version   Minor Version
------------------------------------------------------------------------
Check Point   VPN-1 Power/UTM   R75.20          R75.20
Check Point   SecurePlatform    R75.20          R75.20
Check Point   SmartPortal       R75.20          R75.20
[Expert@MGMT]#

cprinstall install

Description
Installs Check Point products on the managed Security Gateway.

Important - Installing software packages with this command is not supported for
Security Gateways that run Gaia OS.
Notes:
n Before transferring the software package, this command runs the "cprinstall
verify" on page 189 command.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n To see the values for the package attributes, run the "cppkg print" on page 161
command.

Syntax

cprinstall install [-boot] [-backup] [-skip_transfer] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter           Description

-boot               Reboots the managed Security Gateway after installing the package.
                    Note - Only reboot after ALL products have the same version. Reboot is
                    canceled in certain scenarios.

-backup             Creates a snapshot on the managed Security Gateway before installing
                    the package.
                    Note - Only on Security Gateways that run on SecurePlatform OS.

-skip_transfer      Skips the transfer of the package.

<Object Name>       The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"          Specifies the package vendor. Enclose in double quotes.
                    Examples:
                    n checkpoint
                    n Check Point

"<Product>"         Specifies the product name. Enclose in double quotes.
                    Examples:
                    n SVNfoundation
                    n firewall
                    n floodgate
                    n CP1100
                    n VPN-1 Power/UTM
                    n SmartPortal

"<Major Version>"   Specifies the package Major Version. Enclose in double quotes.

"<Minor Version>"   Specifies the package Minor Version. Enclose in double quotes.

Example

[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"
Installing firewall R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#

cprinstall revert

Description
Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot
saved on that Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall revert <Object Name> <Snapshot File>

Parameters

Parameter         Description

<Object Name>     The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>   Name of the SecurePlatform snapshot file.
                  To see the names of the saved snapshot files, run the "cprinstall show"
                  on page 183 command.

cprinstall show

Description
Displays all snapshot (backup) files on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall show <Object Name>

Parameters

Parameter       Description

<Object Name>   The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall show GW1
SU_backup.tzg
[Expert@MGMT]#

cprinstall snapshot

Description
Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and
saves it on that Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall snapshot <Object Name> <Snapshot File>

Parameters

Parameter         Description

<Object Name>     The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>   Name of the SecurePlatform snapshot file.
                  To see the names of the saved snapshot files, run the "cprinstall show"
                  on page 183 command.

cprinstall transfer

Description
Transfers a software package from the repository to the managed Security Gateway without
installing the package.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n To see the values for the package attributes, run the "cppkg print" on page 161
command.

Syntax

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter           Description

<Object Name>       The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"          Specifies the package vendor. Enclose in double quotes.
                    Examples:
                    n checkpoint
                    n Check Point

"<Product>"         Specifies the product name. Enclose in double quotes.
                    Examples:
                    n SVNfoundation
                    n firewall
                    n floodgate
                    n CP1100

"<Major Version>"   Specifies the package major version. Enclose in double quotes.

"<Minor Version>"   Specifies the package minor version. Enclose in double quotes.

cprinstall uninstall

Description
Uninstalls Check Point products on the managed Security Gateway.

Important - Uninstalling software packages with this command is not supported for
Security Gateways running on Gaia OS.
Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n Before uninstalling product packages, this command runs the "cprinstall verify"
on page 189 command.
n After uninstalling a product package, you must run the "cprinstall get" on
page 178 command.
n To see the values for the package attributes, run the "cppkg print" on page 161
command.

Syntax

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter           Description

-boot               Reboots the managed Security Gateway after uninstalling the package.
                    Note - Reboot is canceled in certain scenarios.

<Object Name>       The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"          Specifies the package vendor. Enclose in double quotes.
                    Examples:
                    n checkpoint
                    n Check Point

"<Product>"         Specifies the product name. Enclose in double quotes.
                    Examples:
                    n SVNfoundation
                    n firewall
                    n floodgate
                    n CP1100

"<Major Version>"   Specifies the package major version. Enclose in double quotes.

"<Minor Version>"   Specifies the package minor version. Enclose in double quotes.

Example
[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get MyGW

cprinstall verify

Description
Checks, before an installation, that:
n the specified product can be installed on the managed Security Gateway;
n the operating system and the currently installed products on the managed Security
Gateway are appropriate for the software package;
n there is enough disk space on the managed Security Gateway to install the product;
n there is a CPRID connection with the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n To see the values for the package attributes, run the "cppkg print" on page 161
command.

Syntax

cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major Version>" ["<Minor Version>"]


Parameters

Parameter           Description

<Object Name>       The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"          Specifies the package vendor. Enclose in double quotes.
                    Examples:
                    n checkpoint
                    n Check Point

"<Product>"         Specifies the product name. Enclose in double quotes.
                    Examples:
                    n SVNfoundation
                    n firewall
                    n floodgate
                    n CP1100
                    n VPN-1 Power/UTM
                    n SmartPortal

"<Major Version>"   Specifies the package major version. Enclose in double quotes.

"<Minor Version>"   Specifies the package minor version. Enclose in double quotes.
                    This parameter is optional.

Example 1 - Verification succeeds

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Example 2 - Verification fails

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R75 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.
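The two verify transcripts above carry a trap for anyone scripting the cprinstall sequence (verify, transfer, install, get): the failing run also ends with "Operation Success.", so a wrapper that looks at the last line, or greps for "Success", will push a package that did not pass the dependency check. The script below is an added example and is not Check Point code. It drives the sequence described in this section with the command lines documented here, takes the go/no-go decision only from the explicit "Installation Verified" verdict line, and accepts an injected runner so the logic can be exercised offline against the transcripts from this page. The names real_runner, stage_package and fake_runner are the example's own; the page does not document cprinstall exit codes, so nothing here relies on them.

```python
"""Drive the cprinstall sequence (verify -> transfer -> install -> get) from a script
and take the go/no-go decision from the verify verdict line, not from the trailing
"Operation Success." line that both outcomes print.

Added example; not Check Point code. `run` is injected so the logic can be exercised
against constructed transcripts copied from the verify examples on this page."""
import re
import subprocess
from typing import Callable, List, Optional

Runner = Callable[[List[str]], str]


def real_runner(argv: List[str]) -> str:
    """Run a command in Expert mode on the Management Server, returning stdout+stderr."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def verify_allows_install(output: str) -> bool:
    """True only when cprinstall verify prints its explicit positive verdict.
    The failing transcript also ends in "Operation Success.", so keying on the last
    line (or on the word "Success") would approve a package that cannot be installed."""
    return re.search(r"Installation Verified.*can be installed", output) is not None


def already_installed_host(output: str) -> Optional[str]:
    """Extract the gateway address from a dependency-check failure, if present."""
    m = re.search(r"is already installed on (\S+)", output)
    return m.group(1) if m else None


def stage_package(gw: str, vendor: str, product: str, major: str, minor: str,
                  run: Runner = real_runner, reboot: bool = False) -> List[str]:
    """Verify, transfer, install and refresh the management database for one package.
    Returns the subcommands actually issued, so the caller can see where it stopped."""
    pkg = [gw, vendor, product, major, minor]
    issued = ["verify"]
    if not verify_allows_install(run(["cprinstall", "verify"] + pkg)):
        return issued                      # dependency, disk-space or cprid check failed
    run(["cprinstall", "transfer"] + pkg)  # stage the package without installing it
    issued.append("transfer")
    flags = ["-boot"] if reboot else []
    # -skip_transfer: the package is already on the gateway from the transfer step
    run(["cprinstall", "install"] + flags + ["-skip_transfer"] + pkg)
    issued.append("install")
    run(["cprinstall", "get", gw])         # so the management database reflects the change
    issued.append("get")
    return issued


# Constructed transcripts, copied from the two verify examples above.
VERIFY_OK = """Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.
"""
VERIFY_FAIL = """Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R75 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.
"""


def fake_runner(verify_transcript: str) -> Runner:
    """Runner that answers `verify` with the given transcript and every other step with ''."""
    def run(argv: List[str]) -> str:
        return verify_transcript if argv[1] == "verify" else ""
    return run


if __name__ == "__main__":
    for name, transcript in (("ok", VERIFY_OK), ("fail", VERIFY_FAIL)):
        steps = stage_package("MyGW", "checkpoint", "SVNfoundation", "R75", "R75.20",
                              run=fake_runner(transcript))
        print(name, "->", " ".join(steps))
```

On a real Management Server, call stage_package with the default runner from Expert mode (after mdsenv on a Multi-Domain Server); the fake runner exists only so the verdict logic can be checked without a gateway.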

cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter             Description

-d                    Runs the command in debug mode.
                      Use only if you troubleshoot the command itself.
                      Best Practice - If you use this parameter, then redirect the output to a
                      file, or use the script command to save the entire CLI session.
                      The output shows the SNMP queries and SNMP responses for the applicable
                      SNMP OIDs.

-h <Host>             Optional.
                      When you run this command on a Management Server, this parameter
                      specifies the managed Security Gateway.
                      <Host> is an IPv4 address, a resolvable hostname, or a DAIP object name.
                      The default is localhost.
                      Note - On a Multi-Domain Server, you must run this command in the
                      context of the applicable Domain Management Server:
                      mdsenv <IP Address or Name of Domain Management Server>

-p <Port>             Optional.
                      Port number of the Application Monitoring (AMON) server.
                      The default port is 18192.

-s <SICname>          Optional.
                      Secure Internal Communication (SIC) name of the Application Monitoring
                      (AMON) server.

-f <Flavor>           Optional.
                      Specifies the type of the information to collect.
                      If you do not specify a flavor explicitly, the command uses the first
                      flavor listed for the <Application Flag>. To see all flavors, run the
                      cpstat command without any parameters.

-o <Polling Interval>
                      Optional.
                      Specifies the polling interval (in seconds) - how frequently the
                      command collects and shows the information.
                      Examples:
                      n 0 - The command shows the results only once and then stops (this is
                        the default value).
                      n 5 - The command shows the results every 5 seconds in a loop.
                      n 30 - The command shows the results every 30 seconds in a loop.
                      n N - The command shows the results every N seconds in a loop.
                      Use this parameter together with the "-c <Count>" parameter and the
                      "-e <Period>" parameter.
                      Example:
                      cpstat os -f perf -o 2

-c <Count>            Optional.
                      Specifies how many times the command runs and shows the results before
                      it stops.
                      You must use this parameter together with the "-o <Polling Interval>"
                      parameter.
                      Examples:
                      n 0 - The command shows the results repeatedly every <Polling
                        Interval> (this is the default value).
                      n 10 - The command shows the results 10 times every <Polling
                        Interval> and then stops.
                      n 20 - The command shows the results 20 times every <Polling
                        Interval> and then stops.
                      n N - The command shows the results N times every <Polling Interval>
                        and then stops.
                      Example:
                      cpstat os -f perf -o 2 -c 2

-e <Period>           Optional.
                      Specifies the time (in seconds) over which the command calculates the
                      statistics.
                      You must use this parameter together with the "-o <Polling Interval>"
                      parameter.
                      You can use this parameter together with the "-c <Count>" parameter.
                      Example:
                      cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag>    Mandatory.
                      See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are
supported only by a Security Gateway, and some flags are supported only by a
Management Server.

Feature or Software Blade          Flag               Flavors

List of enabled Software Blades    blades             fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi,
                                                      anti_bot, default, content_awareness,
                                                      threat-emulation

Operating System                   os                 default, ifconfig, routing, routing6, memory,
                                                      old_memory, cpu, disk, perf, multi_cpu,
                                                      multi_disk, raidInfo, sensors, power_supply,
                                                      hw_info, all, average_cpu, average_memory,
                                                      statistics, updates, licensing, connectivity,
                                                      vsx

Firewall                           fw                 default, interfaces, policy, perf, hmem, kmem,
                                                      inspect, cookies, chains, fragments, totals,
                                                      totals64, ufp, http, ftp, telnet, rlogin, smtp,
                                                      pop3, sync, log_connection, all

HTTPS Inspection                   https_inspection   default, hsm_status, all

Identity Awareness                 identityServer     default, authentication, logins, ldap,
                                                      components, adquery, idc, muh

Application Control                appi               default, subscription_status, update_status,
                                                      RAD_status, top_last_hour, top_last_day,
                                                      top_last_week, top_last_month

URL Filtering                      urlf               default, subscription_status, update_status,
                                                      RAD_status, top_last_hour, top_last_day,
                                                      top_last_week, top_last_month

IPS                                ips                default, statistics, all

Anti-Virus                         ci                 default

Threat Prevention                  antimalware        default, scanned_hosts, scanned_mails,
                                                      subscription_status, update_status,
                                                      ab_prm_contracts, av_prm_contracts

Threat Emulation                   threat-emulation   default, general_statuses, update_status,
                                                      scanned_files, malware_detected,
                                                      scanned_on_cloud, malware_on_cloud,
                                                      average_process_time, emulated_file_size,
                                                      queue_size, peak_size,
                                                      file_type_stat_file_scanned,
                                                      file_type_stat_malware_detected,
                                                      file_type_stat_cloud_scanned,
                                                      file_type_stat_cloud_malware_scanned,
                                                      file_type_stat_filter_by_analysis,
                                                      file_type_stat_cache_hit_rate,
                                                      file_type_stat_error_count,
                                                      file_type_stat_no_resource_count, contract,
                                                      downloads_information_current,
                                                      downloading_file_information, queue_table,
                                                      history_te_incidents, history_te_comp_hosts

Threat Extraction                  scrub              default, subscription_status,
                                                      threat_extraction_statistics

Mobile Access                      cvpn               cvpnd, sysinfo, products, overall

VSX                                vsx                default, stat, traffic, conns, cpu, all,
                                                      memory, cpu_usage_per_core

IPsec VPN                          vpn                default, product, IKE, ipsec, traffic,
                                                      compression, accelerator, nic, statistics,
                                                      watermarks, all

Data Loss Prevention               dlp                default, dlp, exchange_agents, fingerprint

Content Awareness                  ctnt               default

QoS                                fg                 all

High Availability                  ha                 default, all

Policy Server for Remote Access    polsrv             default, all
VPN clients

Desktop Policy Server for Remote   dtps               default, all
Access VPN clients

LTE / GX                           gx                 default, contxt_create_info,
                                                      contxt_delete_info, contxt_update_info,
                                                      contxt_path_mng_info, GXSA_GPDU_info,
                                                      contxt_initiate_info, gtpv2_create_info,
                                                      gtpv2_delete_info, gtpv2_update_info,
                                                      gtpv2_path_mng_info, gtpv2_cmd_info, all

Management Server                  mg                 default, log_server, indexer

Certificate Authority              ca                 default, crl, cert, user, all

SmartEvent                         cpsemd             default

SmartEvent Correlation Unit        cpsead             default

Log Server                         ls                 default

CloudGuard Controller              vsec               default

SmartReporter                      svr                default

Provisioning Agent                 PA                 default

Thresholds configured with the     thresholds         default, active_thresholds, destinations,
threshold_config command                              error

Historical status values           persistency        product, TableConfig, SourceConfig

Examples
Example - Interfaces on a Security Gateway
[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
-------------------------------------------------------------------------------------------------------------------
|Name|IP           |Netmask      |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
-------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth1| 172.30.60.80|255.255.255.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth2|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth3|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth4|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth5|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth6|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth7|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
-------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway

[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#
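The policy output above is what an operator reads to confirm that the expected policy is loaded, how long ago it was installed, and which interfaces accept nothing at all (eth1 to eth4 in the example: every inbound packet is denied). The parser below is an added example, not Check Point code or part of this guide: it turns the "Policy name:" and "Install time:" lines and the pipe-delimited interface table into structured data and derives those checks from it. The same parse_pipe_table routine handles the other |col|col| tables cpstat prints, such as the "Connected clients" table in the mg example further down. SAMPLE is constructed from the output above, trimmed to two interfaces with the totals row recomputed; the function names are the example's own.

```python
"""Parse the output of `cpstat -f default fw` into a policy name, install time and
per-interface counters, then derive the checks an operator actually wants: is the
expected policy loaded, how old is it, and which interfaces accept nothing at all.

Added example; not Check Point code. SAMPLE is constructed from the output shown above
(trimmed to two interfaces, with the totals row recomputed)."""
import re
from datetime import datetime
from typing import Dict, List, Optional

INSTALL_TIME_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Wed May 23 18:14:32 2018"


def parse_pipe_table(text: str) -> List[Dict[str, str]]:
    """Turn the |col|col| rows of a cpstat table into dicts keyed by the header row.
    Rule lines (----) are skipped; cells are stripped because cpstat pads numbers."""
    header: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def _field(text: str, label: str) -> str:
    """Value of a 'Label: value' line; raise rather than silently return None."""
    m = re.search(rf"^{re.escape(label)}:\s*(.+)$", text, re.M)
    if not m:
        raise ValueError(f"'{label}:' not found in cpstat output")
    return m.group(1).strip()


def parse_fw_default(text: str) -> dict:
    """Extract policy name, install time and the interface table."""
    rows = parse_pipe_table(text)
    return {
        "policy": _field(text, "Policy name"),
        "installed": datetime.strptime(_field(text, "Install time"), INSTALL_TIME_FMT),
        "interfaces": [r for r in rows if r["Name"]],              # per-interface rows
        "totals": next((r for r in rows if not r["Name"]), None),  # unnamed trailing row
    }


def deny_ratio(row: Dict[str, str]) -> float:
    total = int(row["Total"])
    return int(row["Deny"]) / total if total else 0.0


def policy_age_hours(status: dict, now: datetime) -> float:
    return (now - status["installed"]).total_seconds() / 3600


def interfaces_accepting_nothing(status: dict) -> List[str]:
    """Inbound interfaces that saw traffic but accepted none of it: a deliberate deny-all
    leg, or, on a production interface, a sign of a wrong policy or topology."""
    return [r["Name"] for r in status["interfaces"]
            if r["Dir"] == "in" and int(r["Total"]) > 0 and int(r["Accept"]) == 0]


# Constructed sample, derived from the page's example output.
SAMPLE = """\
Policy name: MyGW_Policy
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
---------------------------------------
| | |4786492| 65605|4720887| 52|
---------------------------------------
"""

if __name__ == "__main__":
    st = parse_fw_default(SAMPLE)
    print(st["policy"], "installed", st["installed"].isoformat())
    for r in st["interfaces"]:
        print(f'{r["Name"]} {r["Dir"]:3} deny ratio {deny_ratio(r):.3f}')
    print("accepting nothing:", interfaces_accepting_nothing(st))
```

Feed it the real output with something like `parse_fw_default(subprocess.check_output(["cpstat", "-f", "default", "fw"], text=True))`; the install-time format assumes the C locale that Expert mode uses.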

Example - CPU utilization

[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance

[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#
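With -o, -c and -e the command prints one "Key: value" block per poll, separated by a blank line, and reports counters it cannot measure on the platform as "-" (Memory Swaps/Sec and CPU Queue Length above). Scripts that feed this into monitoring need to split the polls, keep "-" distinct from zero, and only then compare against thresholds. The code below is an added example, not Check Point code or part of this guide; it builds the bounded-poll command line exactly as documented in the parameter table, parses the repeated blocks, and evaluates illustrative CPU, disk and free-memory thresholds over the series. SAMPLE is constructed from the two polls above, trimmed to the fields the checks use; the threshold values and function names are the example's own.

```python
"""Parse the repeated samples that `cpstat os -f perf -o <interval> -c <count> -e <period>`
prints (one "Key: value" block per poll, blank line between polls), keep "-" fields as
missing rather than zero, and evaluate simple thresholds over the series.

Added example; not Check Point code. SAMPLE is constructed from the two-poll output above,
trimmed to the fields the checks use; the threshold values are illustrative."""
from typing import Dict, List, Optional

Sample = Dict[str, Optional[int]]


def perf_argv(interval: int, count: int, period: int) -> List[str]:
    """Command line for a bounded poll: -c must accompany -o, and -e averages over <period> s."""
    return ["cpstat", "os", "-f", "perf", "-o", str(interval), "-c", str(count), "-e", str(period)]


def parse_perf_samples(text: str) -> List[Sample]:
    """Split the output into one dict per poll. A value of "-" (counter not available on
    this platform) becomes None so that it is skipped by the checks instead of read as 0."""
    samples: List[Sample] = []
    current: Sample = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                samples.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # keys never contain a colon
        value = value.strip()
        current[key.strip()] = None if value == "-" else int(value)
    if current:
        samples.append(current)
    return samples


def memory_free_pct(sample: Sample) -> Optional[float]:
    total = sample.get("Total Real Memory (Bytes)")
    free = sample.get("Free Real Memory (Bytes)")
    if not total or free is None:
        return None
    return 100.0 * free / total


def series(samples: List[Sample], key: str) -> List[Optional[int]]:
    """The value of one counter across all polls, in order."""
    return [s.get(key) for s in samples]


def check_thresholds(samples: List[Sample], cpu_max: int = 80,
                     disk_min_pct: int = 15, mem_min_pct: float = 10.0) -> List[str]:
    """One message per poll and per breached threshold; missing counters are ignored."""
    alerts: List[str] = []
    for i, s in enumerate(samples):
        cpu = s.get("CPU Usage (%)")
        if cpu is not None and cpu > cpu_max:
            alerts.append(f"poll {i}: CPU usage {cpu}% > {cpu_max}%")
        disk = s.get("Disk Free Space (%)")
        if disk is not None and disk < disk_min_pct:
            alerts.append(f"poll {i}: disk free {disk}% < {disk_min_pct}%")
        mem = memory_free_pct(s)
        if mem is not None and mem < mem_min_pct:
            alerts.append(f"poll {i}: free memory {mem:.1f}% < {mem_min_pct}%")
    return alerts


# Constructed sample: two polls, derived from the page's example output.
SAMPLE = """\
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296

Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296
"""

if __name__ == "__main__":
    polls = parse_perf_samples(SAMPLE)
    print(" ".join(perf_argv(2, 2, 60)))
    print("CPU usage series:", series(polls, "CPU Usage (%)"))
    print("alerts:", check_thresholds(polls) or "none")
```

To run it against a live gateway, pass `subprocess.check_output(perf_argv(2, 5, 60), text=True)` to parse_perf_samples; from a Management Server add `-h <Host>` to the argv (after mdsenv on a Multi-Domain Server).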

Example - List of current connected sessions on a Management Server

[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#

cpview
Overview of CPView

Description
CPView is a text-based built-in utility on a Check Point computer.
CPView shows statistical data that contains both general system information (CPU,
Memory, Disk space) and information for different Software Blades (only on a Security
Gateway).
CPView continuously updates the data in easy-to-access views.

On Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface


The CPView user interface has three sections:

Section      Description

Header       This view shows the time the statistics in the third view are collected.
             It updates when you refresh the statistics.

Navigation   This menu bar is interactive. Move between menus with the arrow keys and
             mouse.
             A menu can have sub-menus and they show under the menu bar.

View         This view shows the statistics collected in that view.
             These statistics update at the refresh rate.

Using CPView
Use these keys to navigate the CPView:

Key          Description

Arrow keys   Moves between menus and views. Scrolls in a view.

Home         Returns to the Overview view.

Enter        Changes to the View Mode.
             On a menu with sub-menus, the Enter key moves you to the lowest level
             sub-menu.

Esc          Returns to the Menu Mode.

Q            Quits CPView.

Use these keys to change CPView interface options:

Key          Description

R            Opens a window where you can change the refresh rate.
             The default refresh rate is 2 seconds.

W            Changes between wide and normal display modes.
             In wide mode, CPView fits the screen horizontally.

S            Manually sets the number of rows or columns.

M            Switches on/off the mouse.

P            Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key          Description

C            Saves the current page to a file. The file name format is:
             cpview_<ID of the cpview process>.cap<Number of the capture>

H            Shows a tooltip with CPView options.

Space bar    Immediately refreshes the statistics.


cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes
such as Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products
and Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log
file.

The cpwd_admin utility shows the status of the monitored processes, and configures the
Check Point WatchDog.

There are two types of Check Point WatchDog monitoring:

Monitoring   Description

Passive      WatchDog restarts the process only when the process terminates
             abnormally.
             In the output of the cpwd_admin list command, the MON column shows
             N for passively monitored processes.

Active       WatchDog checks the process status every predefined interval.
             WatchDog makes sure the process is alive, as well as properly functioning
             (not stuck on deadlocks, frozen, and so on).
             In the output of the cpwd_admin list command, the MON column shows
             Y for actively monitored processes.
             The list of actively monitored processes is predefined by Check Point.
             Users cannot change or configure it.


Syntax

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

Parameters

Parameter           Description

config <options>    Configures the Check Point WatchDog.
                    See "cpwd_admin config" on page 207.

del <options>       Temporarily deletes a monitored process from the WatchDog database of
                    monitored processes.
                    See "cpwd_admin del" on page 211.

detach <options>    Temporarily detaches a monitored process from the WatchDog monitoring.
                    See "cpwd_admin detach" on page 212.

exist               Checks whether the WatchDog process cpwd is alive.
                    See "cpwd_admin exist" on page 213.

flist <options>     Saves the status of all monitored processes to a
                    $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
                    See "cpwd_admin flist" on page 214.

getpid <options>    Shows the PID of a monitored process.
                    See "cpwd_admin getpid" on page 216.

kill <options>      Terminates the WatchDog process cpwd.
                    See "cpwd_admin kill" on page 217.
                    Important - Do not run this command unless explicitly instructed by
                    Check Point Support or R&D to do so.

list                Prints the status of all monitored processes on the screen.
                    See "cpwd_admin list" on page 218.

monitor_list        Prints the status of actively monitored processes on the screen.
                    See "cpwd_admin monitor_list" on page 223.

start <options>     Starts a process as monitored by the WatchDog.
                    See "cpwd_admin start" on page 224.

start_monitor       Starts the active WatchDog monitoring - WatchDog monitors the
                    predefined processes actively.
                    See "cpwd_admin start_monitor" on page 227.

stop <options>      Stops a monitored process.
                    See "cpwd_admin stop" on page 228.

stop_monitor        Stops the active WatchDog monitoring - WatchDog monitors all processes
                    only passively.
                    See "cpwd_admin stop_monitor" on page 230.


cpwd_admin config

Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
-h
-a <options>
-d <options>
-p
-r

Parameters

Parameter Description

-h
    Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N>
    Adds the WatchDog configuration parameters.
    Note - Spaces are not allowed between the name of the configuration
    parameter, the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N>
    Deletes the WatchDog configuration parameters that the user added with the
    "cpwd_admin config -a" command.

-p
    Shows the WatchDog configuration parameters that the user added with the
    "cpwd_admin config -a" command.

-r
    Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:


Configuration Parameter / Accepted Values / Description

default_ctx
    Accepted values: Text string up to 128 characters
    On a VSX Gateway, configures the CTX value that is assigned to monitored
    processes, for which no CTX is specified.

display_ctx
    Accepted values: 0 (default), 1
    On a VSX Gateway, configures whether the WatchDog shows the CTX column in
    the output of the cpwd_admin list command (between the APP and the PID
    columns):
    - 0 - Does not show the CTX column
    - 1 - Shows the CTX column

no_limit
    Accepted values: Range: -1, 0, >0; Default: 5
    If rerun_mode=1, specifies the maximal number of times the WatchDog tries
    to restart a process.
    - -1 - Always tries to restart
    - 0 - Never tries to restart
    - >0 - Tries this number of times

num_of_procs
    Accepted values: Range: 30 - 2000; Default: 2000
    Configures the maximal number of processes managed by the WatchDog.

rerun_mode
    Accepted values: 0, 1 (default)
    Configures whether the WatchDog restarts processes after they fail:
    - 0 - Does not restart a failed process. Monitor and log only.
    - 1 - Restarts a failed process (this is the default).

reset_startups
    Accepted values: Range: > 0; Default: 3600
    Configures the time (in seconds) the WatchDog waits after the process
    starts and before the WatchDog resets the process's startup_counter to 0.
    To see the process's startup counter, in the output of the cpwd_admin list
    command, refer to the #START column.

sleep_mode
    Accepted values: 0, 1 (default)
    Configures how the WatchDog restarts the process:
    - 0 - Ignores timeout and restarts the process immediately
    - 1 - Waits for the duration of sleep_timeout

sleep_timeout
    Accepted values: Range: 0 - 3600; Default: 60
    If rerun_mode=1, specifies how much time (in seconds) passes from a process
    failure until WatchDog tries to restart it.

stop_timeout
    Accepted values: Range: > 0; Default: 60
    Configures the time (in seconds) the WatchDog waits for a process stop
    command to complete.

zero_timeout
    Accepted values: Range: > 0; Default: 7200
    After failing no_limit times to restart a process, the WatchDog waits
    zero_timeout seconds before it tries again.
    The value of the zero_timeout must be greater than the value of the
    timeout.

The WatchDog saves the user-defined configuration parameters in the
$CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"
: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...


Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
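As an added example (not code from the guide or from Check Point), a POSIX shell helper that checks cpwd_admin config NAME=VALUE pairs against the accepted values listed in the table above and prints the exact "cpwd_admin config -a" line to run, so that a bad value is caught before the cpstop ; cpstart cycle. The function names are hypothetical, and the cross-check assumes that the "timeout" which zero_timeout must exceed is sleep_timeout.

```shell
# Added example, not part of the Check Point guide. Validates cpwd_admin
# config NAME=VALUE pairs against the accepted values documented above
# before "cpwd_admin config -a" is run. Function names are hypothetical.

# Return 0 when $1 is an integer (an optional leading minus is allowed).
cpwd_is_int() {
    case "$1" in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate one NAME=VALUE pair; print the reason on stderr and return 1
# when it is invalid. Ranges follow the configuration parameter table.
cpwd_check_param() {
    case "$1" in *=*) ;; *) echo "missing '=' in: $1" >&2; return 1 ;; esac
    name=${1%%=*}; value=${1#*=}
    case "$name" in
        default_ctx)      [ ${#value} -le 128 ] ;;
        display_ctx|rerun_mode|sleep_mode)
                          [ "$value" = 0 ] || [ "$value" = 1 ] ;;
        no_limit)         cpwd_is_int "$value" && [ "$value" -ge -1 ] ;;
        num_of_procs)     cpwd_is_int "$value" && [ "$value" -ge 30 ] &&
                          [ "$value" -le 2000 ] ;;
        sleep_timeout)    cpwd_is_int "$value" && [ "$value" -ge 0 ] &&
                          [ "$value" -le 3600 ] ;;
        reset_startups|stop_timeout|zero_timeout)
                          cpwd_is_int "$value" && [ "$value" -gt 0 ] ;;
        *) echo "unknown parameter: $name" >&2; return 1 ;;
    esac || { echo "invalid value for $name: $value" >&2; return 1; }
}

# Validate all pairs, apply the cross-check on zero_timeout (assumed to mean
# "greater than sleep_timeout", whose documented default is 60), then print
# the command line to run before the cpstop ; cpstart restart.
cpwd_build_config_cmd() {
    zt=; st=60
    for pair in "$@"; do
        cpwd_check_param "$pair" || return 1
        case "$pair" in
            zero_timeout=*)  zt=${pair#*=} ;;
            sleep_timeout=*) st=${pair#*=} ;;
        esac
    done
    if [ -n "$zt" ] && [ "$zt" -le "$st" ]; then
        { echo "zero_timeout ($zt) must exceed sleep_timeout ($st)" >&2; return 1; }
    fi
    echo "cpwd_admin config -a $*"
}

cpwd_build_config_cmd sleep_timeout=120 no_limit=12
```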


cpwd_admin del

Description
Temporarily deletes a monitored process from the WatchDog database of monitored
processes.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the deleted
  process anymore.
- This change applies until all Check Point services restart during boot, or with the
  "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin del -name <Application Name>

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

Parameter            Description

<Application Name>   Name of the monitored Check Point process as you see in the output of
                     the "cpwd_admin list" on page 218 command in the leftmost column APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM

-ctx <VSID>          On a VSX Gateway, specifies the context of the applicable Virtual
                     System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD
cpwd_admin:
successful Del operation
[Expert@HostName:0]#


cpwd_admin detach

Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the detached
  process anymore.
- This change applies until all Check Point services restart during boot, or with the
  "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin detach -name <Application Name>

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

Parameter            Description

<Application Name>   Name of the monitored Check Point process as you see in the output of
                     the "cpwd_admin list" on page 218 command in the leftmost column APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM

-ctx <VSID>          On a VSX Gateway, specifies the context of the applicable Virtual
                     System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD
cpwd_admin:
successful Detach operation
[Expert@HostName:0]#


cpwd_admin exist

Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist
cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#


cpwd_admin flist

Description
Saves the status of all WatchDog monitored processes to a file.

Syntax on a Management Server

cpwd_admin flist [-full]

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

Parameter Description

-full Shows the verbose output.

-ctx <VSID> On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

Column Description

APP Shows the WatchDog name of the monitored process.