- Check Point Command line (CLI) functions
- Check Point FW Monitor
- Check Point Logging Troubleshooting
- Check Point Password Reset
Check Point commands generally come under cp (general), fw (firewall), and fwm (management).
| CP, FW & FWM | |
| cphaprob stat | List cluster status |
| cphaprob -a if | List status of interfaces |
| cphaprob syncstat | shows the sync status |
| cphaprob list | Shows a status in list form |
| cphastart/stop | Stops clustering on the specfic node |
| cp_conf sic | SIC stuff |
| cpconfig | config util |
| cplic print | prints the license |
| cprestart | Restarts all Check Point Services |
| cpstart | Starts all Check Point Services |
| cpstop | Stops all Check Point Services |
| cpstop -fwflag -proc | Stops all checkpoint Services but keeps policy active in kernel |
| cpwd_admin list | List checkpoint processes |
| cplic print | Print all the licensing information. |
| cpstat -f all polsrv | Show VPN Policy Server Stats |
| cpstat | Shows the status of the firewall |
| fw tab -t sam_blocked_ips | Block IPS via SmartTracker |
| fw tab -t connections -s | Show connection stats |
| fw tab -t connections -f | Show connections with IP instead of HEX |
| fw tab -t fwx_alloc -f | Show fwx_alloc with IP instead of HEX |
| fw tab -t peers_count -s | Shows VPN stats |
| fw tab -t userc_users -s | Shows VPN stats |
| fw checklic | Check license details |
| fw ctl get int [global kernel parameter] | Shows the current value of a global kernel parameter |
| fw ctl set int [global kernel parameter] [value] | Sets the current value of a global keneral parameter. Only Temp ; Cleared after reboot. |
| fw ctl arp | Shows arp table |
| fw ctl install | Install hosts internal interfaces |
| fw ctl ip_forwarding | Control IP forwarding |
| fw ctl pstat | System Resource stats |
| fw ctl uninstall | Uninstall hosts internal interfaces |
| fw exportlog .o | Export current log file to ascii file |
| fw fetch | Fetch security policy and install |
| fw fetch localhost | Installs (on gateway) the last installed policy. |
| fw hastat | Shows Cluster statistics |
| fw lichosts | Display protected hosts |
| fw log -f | Tail the current log file |
| fw log -s -e | Retrieve logs between times |
| fw logswitch | Rotate current log file |
| fw lslogs | Display remote machine log-file list |
| fw monitor | Packet sniffer |
| fw printlic -p | Print current Firewall modules |
| fw printlic | Print current license details |
| fw putkey | Install authenication key onto host |
| fw stat -l | Long stat list, shows which policies are installed |
| fw stat -s | Short stat list, shows which policies are installed |
| fw unloadlocal | Unload policy |
| fw ver -k | Returns version, patch info and Kernal info |
| fwstart | Starts the firewall |
| fwstop | Stop the firewall |
| fwm lock_admin -v | View locked admin accounts |
| fwm dbexport -f user.txt | used to export users , can also use dbimport |
| fwm_start | starts the management processes |
| fwm -p | Print a list of Admin users |
| fwm -a | Adds an Admin |
| fwm -r | Delete an administrator |
| Provider 1 | |
| mdsenv [cma name] | Sets the mds environment |
| mcd | Changes your directory to that of the environment. |
| mds_setup | To setup MDS Servers |
| mdsconfig | Alternative to cpconfig for MDS servers |
| mdsstat | To see the processes status |
| mdsstart_customer [cma name] | To start cma |
| mdsstop_customer [cma name] | To stop cma |
| cma_migrate | To migrate an Smart center server to CMA |
| cmamigrate_assist | If you don’t want to go through the pain of tar/zip/ftp and if you wish to enable FTP on Smart center server |
| VPN | |
| vpn tu | VPN utility, allows you to rekey vpn |
| vpn ipafile_check ipassignment.conf detail? | Verifies the ipassignment.conf file |
| dtps lic | show desktop policy license status |
| cpstat -f all polsrv | show status of the dtps |
| vpn shell /tunnels/delete/IKE/peer/[peer ip] | delete IKE SA |
| vpn shell /tunnels/delete/IPsec/peer/[peer ip] | delete Phase 2 SA |
| vpn shell /show/tunnels/ike/peer/[peer ip] | show IKE SA |
| vpn shell /show/tunnels/ipsec/peer/[peer ip] | show Phase 2 SA |
| vpn shell show interface detailed [VTI name] | show VTI detail |
| Debugging | |
| fw ctl zdebug drop | shows dropped packets in realtime / gives reason for drop |
| SPLAT Only | |
| router | Enters router mode for use on Secure Platform Pro for advanced routing options |
| patch add cd | Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only) |
| backup | Allows you to preform a system operating system backup |
| restore | Allows you to restore your backup |
| snapshot | Performs a system backup which includes all Check Point binaries. Note : This issues a cpstop. |
| SPLAT Commands | |
| clock | display date and time on firewall |
| cpconfig | change SIC, licenses and more |
| cphaprob ldstat | display sync serialization statistics |
| cphaprob stat | list the state of the high availability cluster members. Should show active and standby devices. |
| cphaprob syncstat | display sync transport layer statistics |
| cphastop | stop a cluster member from passing traffic. Stops synchronization. (emergency only) |
| cplic print | license information |
| cpstart | start all checkpoint services |
| cpstat fw | show policy name, policy install time and interface table |
| cpstat ha | high availability state |
| cpstat os -f all | checkpoint interface table, routing table, version, memory status, cpu load, disk space |
| cpstat os -f cpu | checkpoint cpu status |
| cpstat os -f routing | checkpoint routing table |
| cpstop | stop all checkpoint services |
| cpwd_admin monitor_list | list processes actively monitored. Firewall should contain cpd and vpnd. |
| expert | change from the initial administrator privilege to advanced privilege |
| find / -type f -size 10240k -exec ls -la {} \; | Search for files larger than 10Mb |
| fw ctl iflist | show interface names |
| fw ctl pstat | show control kernel memory and connections |
| fw exportlog -o | export the current log file to ascii |
| fw fetch 10.0.0.42 | get the policy from the firewall manager (use this only if there are problems on the firewall) |
| fw log | show the content of the connections log |
| fw log -b <MMM DD, YYYY HH:MM:SS> <MMM DD, YYYY HH:MM:SS> | search the current log for activity between specific times, egfw log -b “Jul 23, 2009 15:01:30″ “Jul 23,2009 15:15:00″ |
| fw log -c drop | search for dropped packets in the active log; also can use accept or reject to search |
| fw log -f | tail the current log |
| fwm logexport -i <log name> -o <output name> | export an old log file on the firewall manager |
| fw logswitch | rotate logs |
| fw lslogs | list firewall logs |
| fw stat | firewall status, should contain the name of the policy and the relevant interfaces, i.e. Standard_5_1_1_1_1 [>eth4] [<eth4] [<eth5] [>eth0.900] [<eth0.900] |
| fw stat -l | show which policy is associated with which interface and package drop, accept and reject |
| fw tab | displays firewall tables |
| fw tab -s -t connections | number of connections in state table |
| fw tab -t xlate -x | clear all translated entries (emergency only) |
| fw unloadlocal | clear local firewall policy (emergency only) |
| fw ver | firewall version |
| fwm lock_admin -h | unlock a user account after repeated failed log in attempts |
| fwm ver | firewall manager version (on SmartCenter) |
| ifconfig -a | list all interfaces |
| log list | list the names of the logs |
| log show <list #> | display a specific log, ‘log show 33′ will display “Can’t find my SIC name in registry” if there are communication problems |
| netstat -an | more | check what ports are in use or listening |
| netstat -rn | routing table |
| passwd | change the current user’s password |
| ps -ef | list running processes |
| sysconfig | configure date/time, network, dns, ntp |
| upgrade_import | run ‘/opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_import’ after a system upgrade to import the old license and system information. |
| hwclock | show the hardware clock. If the hardware and operating system clocks are off by more than a minute, sync the hardware clock to the OS with “hwclock –systohc” |
| fw fetch 10.0.0.42 | Manually grab the policy from the mgmt server at 10.0.0.42 |
| fw log -f | Shows you realtime logs on the firewall – will likely crash your terminal |
| VSX | |
| vsx get [vsys name/id] | get the current context |
| vsx set [vsys name/id] | set your context |
| vsenv [VSname | VSID] | Applies only to VSX versions R75.40VS and above. Sets current context to the specified Virtual System by name or ID |
| vsx stat | Displays VSX status information -v (verbose) -l (list) VSID (specified Virtual System) |
| vsx unloadall | Uninstalls security policy from all the Virtual Devices at once. |
| vsx mstat | Displays Nstatus of memory Resource Control for the specified Virtual System by ID. vsx mstat -vs VSID1 VSID2 VSID3 VSID4-VSID6 … |
| fw -vs [vsys id] getifs | show the interfaces for a virtual device |
| fw vsx stat -l | shows a list of the virtual devices and installed policies |
| fw vsx stat -v | shows a list of the virtual devices and installed policies (verbose) |
| reset_gw | resets the gateway, clearing all previous virtual devices and settings |
| Show VSX Internal Communication Network (only VSX R65, R67, R68) | In export mode execute: export SHOW_REAL_IP=1 ifconfig IF_NAME ifconfig -a -z all unset SHOW_REAL_IP |
FW monitor is a great tool for troubleshooting traffic flow issues with your checkpoint. It works by using 4 inspection points,
Examples:
- fw monitor -e “accept dport=6000;”
- fw monitor -m iO -e ‘accept dport=80;’
- fw monitor -e ‘accept dport;’ -o ping.cap
For a further detailed description please see the following link
Check Point Logging Troubleshooting
Below are some basic guidelines for troubleshooting Check Point Logging issues.
Note : This guide does not cover issues with any OPSEC LEA based issues.
Note : The FWD (Firewall Daemon) is responsible for sending and receiving the Check Point Logs on port tcp/257.
Are the logs being sent to the manager ?
Ok, so first of all are the logs being sent to the Smart Centre Manager or the necessary Log Manager ? We can check this by confirming whether the gateway is sending the log packets via the FW Log port tcp/257 upon the gateway and the manager. To do this use either or both of the following commands,
- netstat -an | grep 257 – This will show the state of the TCP sockets.
- tcpdump -ni [interface name] port 257 – This will show a packet capture of the FW Log packets on the subsequent interface.
If the gateway is not sending the logs then this can be down to one of the following issues,
- SIC is not established.
- The Logging configuration for the Gateway is not configured correctly.
- The SmartCentre/Log Manager is not listening on port tcp/257.
- There is an issue with FWD on the gateway. In some instances you may need to restart FWD via a cpstart. Though the root cause could be down to a number of factors.
The SmartCentre / Log Manager is not receiving the logs
If the gateway is sending the logs but the SmartCentre / Log Manager is not receiving them then either a device between the 2 nodes is blocking the packets or there is a routing issue.
Log Files Corrupted
If the log files are corrupted you should expect to see no logs within the SmartView Tracker. If this is the case you will need to action the following steps :
- Close the Log Viewer/SmartView Tracker and Policy Editor/SmartDashboard.
- Execute the fwstop or cpstop command (depending on the version) from the command line.
- Remove all files starting with fw.log and fw.logptr from the $FWDIR\log directory.
- Execute the fwstart or cpstart (depending on the version) command.
Full details can be found at Check Points KB within Solution ID sk6432.
Only some of the logs are not being displayed
If only some of the logs are not being displayed then this could point to an issue with the trust between the manager and the gateway. To confirm the issue you will need to debug FWD using the following steps.
root@cp-mgnt# fw debug fwd on TDERROR_ALL_ALL=5 root@cp-mgnt# tail -f $FWDIR/log/fwd.elg root@cp-mgnt# tail -f $FWDIR/log/fwd.elg | grep -i "Certificate is revoked" root@cp-mgnt# fw debug fwd off
Within these steps we first enable the debug. Then we run a live tail on the log file. And then we run a grep on the live tail for a specific error. The live tail allows us to view the end of the log file in real time. We finally turn off the debug.
Below shows an example of an error with the SIC trust between the Gateway and Manager obtained from the $FWDIR/log/fwd.elg,
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:32] fwCert_ValCerts: Certificate is revoked. \
CN=cp-fw1,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:41] fwCert_ValCerts: Certificate is revoked. \
CN=cp-fw2,O=cp-mgnt..bizt7z
Logging issues VSX gateways.
In some scenarios when logs are not being sent to CMA/SmartCenter you can restart the cplogd process. You can do this with kill -15 <pid cplogd> When this is done, check if there are no processes left that use tcp/257, this can be done with the command lsof -i:257. If there are still processes using tcp/257 kill these processes. Finally when this is done, restart cplogd with the following command: cplogd -vsx &
[Expert@gateway:0]# ps -axuw | grep cplogd root 10973 1.6 0.1 131604 18016 pts/1 Sl 10:56 0:40 cplogd -vsx root 15640 0.0 0.0 1816 548 pts/1 R+ 11:38 0:00 grep cplogd [Expert@gateway:0]# kill -15 10973 [Expert@gateway:0]# lsof -i:257 [Expert@gateway:0]# kill -15 (processes visual after lsof command) [Expert@gateway:0]# cplogd -vsx &
Reset Admin and or Expert password:
Check Point Gaia is the next generation Secure Operating System for all Check Point Appliances, Open Servers and Virtualized Gateways. Gaia combines the best features from IPSO and SecurePlatform (SPLAT) into a single unified OS providing greater efficiency and robust performance. By upgrading to Gaia, customers will benefit from improved appliance connection capacity and reduced operating costs. With Gaia, IP Appliance customers will gain the ability to leverage the full breadth and power of all Check Point Software Blades.
Sometimes you need to reset your admin or expert password in GAIA and you do not have physical access to the machine. Follow procedure below to reset passwords remotely from management (of course there must be SIC established before your GW and management you will issue commands from).
- Generate hash for new password – run the following command and save the generated hash string:
[Expert@HostName]# /sbin/grub-md5-crypt
- Ensure that the Clish database is unlocked on the remote Security Gateway:
[Expert@HostName]# $CPDIR/bin/cprid_util -server <ip_of_gateway> -verbose rexec -rcmd /bin/clish -s -c 'set config-lock on override'</ip_of_gateway>
- Change the admin user password:
[Expert@HostName]# $CPDIR/bin/cprid_util -server <ip_of_gateway> -verbose rexec -rcmd /bin/clish -s -c 'set user admin password-hash <password_hash_from_step_1>
- You can also change the Expert password:
[Expert@HostName]# $CPDIR/bin/cprid_util -server <ip_of_gateway> -verbose rexec -rcmd /bin/clish -s -c 'set expert-password-hash <password_hash_from_step_1>
