R80.40 CLI Reference Guide

04 July 2024
Check Point Copyright Notice
© 2020 - 2024 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No
part of this product or related documentation may be reproduced in any form or by any means
without prior written authorization of Check Point. While every precaution has been taken in
the preparation of this book, Check Point assumes no responsibility for errors or omissions.
This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party
licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-
date with the latest functional improvements, stability fixes, security
enhancements and protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.

Check Point R80.40


For more about this release, see the R80.40 home page.

Latest Version of this Document in English


Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

R80.40 CLI Reference Guide | 3


Revision History

26 October 2023
  Updated:
  - "ClusterXL Monitoring Commands" on page 1232 - removed the "cphaprob latency" command as not supported
  - "fw ctl multik prioq" on page 1516
  - "cpstart" on page 957 (for Security Gateway)
  - "fw tab" on page 1152 - added "fw tab -t connections -z"

09 September 2023
  Updated:
  - "cp_conf ca" on page 63 - for Security Management Server
  - "cpca_client get_crldp" on page 101 - for Security Management Server
  - "fwm dbload" on page 309 - for Security Management Server
  - "cp_conf ca" on page 413 - for Multi-Domain Server
  - "cpca_client get_crldp" on page 451 - for Multi-Domain Server
  - "fwm dbload" on page 655 - for Multi-Domain Server
  - "fw ctl conn" on page 1021

14 February 2023
  Updated:
  - "cp_log_export" on page 74 - for Security Management Server
  - "ips stats" on page 1841

17 October 2022
  Updated:
  - "cp_log_export" on page 74 - for Security Management Server
  - "cp_log_export" on page 424 - for Multi-Domain Server

03 August 2022
  Updated:
  - "Running Check Point Commands in Shell Scripts" on page 1862

04 July 2022
  Updated:
  - "pdp idc" on page 1594

16 June 2022
  In the HTML version, added glossary terms in the text.
  Added:
  - "Monitoring Commands" on page 1844
  - "cpca_client set_mgmt_tool" on page 116 - for Security Management Server
  - "cpca_client set_mgmt_tool" on page 465 - for Multi-Domain Server
  Updated:
  - The syntax in all commands listed in the chapter "fwaccel dos" on page 1322
  - Starting from R80.40 Jumbo Hotfix Accumulator Take 92:
    - The term "allow-list" replaces the term "whitelist"
    - The term "deny-list" replaces the term "blacklist"
  - "fw ctl multik prioq" on page 1516
  - "fw ctl set" on page 1040 - added the "-f" flag
  - "fwaccel synatk allow / whitelist" on page 1403
  - "fwaccel templates" on page 1421
  - "fwboot ht" on page 1189 - for Security Gateway
  - "fwboot ht" on page 1553 - for CoreXL
  - "mds_backup" on page 711
  - "migrate_server" on page 367 - for Security Management Server
  - "migrate_server" on page 742 - for Multi-Domain Server
  Removed:
  - All "sim" and "sim6" commands, as deprecated
  - Information about the "vsx initmsg" command, as it is not supported in Gaia 3.10

26 June 2021
  Updated formatting

30 May 2021
  Updated:
  - "migrate" on page 363 - for Security Management Server
  - "migrate" on page 738 - for Multi-Domain Server
  - "migrate_server" on page 367 - for Security Management Server
  - "migrate_server" on page 742 - for Multi-Domain Server
  - "pdp idc" on page 1594
  - "vsx_util change_private_net" on page 1760
  - "ClusterXL Monitoring Commands" on page 1232
  - "Viewing Cluster IP Addresses" on page 1273
  Removed:
  - LSMcli Gateway Conversion Actions (Known Limitation PMTR-49506)

21 December 2020
  Updated:
  - "fw up_execute" on page 1165

23 August 2020
  Added:
  - "vsx_util downgrade" on page 1763
  Updated:
  - "vsx_util" on page 1746
  - "vsx_util convert_cluster" on page 1762
  - "vsx_util upgrade" on page 1775

30 July 2020
  Updated:
  - "Configuring the Minimal Number of Required Subordinate Interfaces for Bond Load Sharing" on page 1225

29 July 2020
  Updated:
  - "dynamic_split" on page 1498 - added link to sk164155
  - "LSMcli AddROBO <Appliance_Model>Cluster" on page 909

10 March 2020
  Updated:
  - "Registering a Critical Device" on page 1210

02 February 2020
  Updated:
  - "vsx" on page 1727
  - "vsx mstat" on page 1735

29 January 2020
  Updated:
  - "dynamic_split" on page 1498

27 January 2020
  First release of this document


Table of Contents
Introduction 36
Syntax Legend 37
Gaia Commands 39
Security Management Server Commands 40
Managing Security through API 41
API 41
API Tools 41
Configuring the API Server 42
contract_util 44
contract_util check 46
contract_util cpmacro 47
contract_util download 48
contract_util mgmt 50
contract_util print 51
contract_util summary 52
contract_util update 53
contract_util verify 54
cp_conf 55
cp_conf admin 58
cp_conf auto 61
cp_conf ca 63
cp_conf client 65
cp_conf finger 69
cp_conf lic 71
cp_log_export 74
cpca_client 95
cpca_client create_cert 97


cpca_client double_sign 99
cpca_client get_crldp 101
cpca_client get_pubkey 103
cpca_client init_certs 104
cpca_client lscert 105
cpca_client revoke_cert 108
cpca_client revoke_non_exist_cert 111
cpca_client search 112
cpca_client set_cert_validity 114
cpca_client set_mgmt_tool 116
cpca_client set_sign_hash 121
cpca_create 123
cpconfig 124
cpinfo 127
cplic 128
cplic check 131
cplic contract 133
cplic db_add 135
cplic db_print 137
cplic db_rm 139
cplic del 140
cplic del <object name> 141
cplic get 142
cplic print 144
cplic put 146
cplic put <object name> 148
cplic upgrade 151
cppkg 154
cppkg add 156
cppkg delete 157


cppkg get 159


cppkg getroot 160
cppkg print 161
cppkg setroot 162
cpprod_util 163
cprid 169
cprinstall 170
cprinstall boot 173
cprinstall cprestart 174
cprinstall cpstart 175
cprinstall cpstop 176
cprinstall delete 177
cprinstall get 178
cprinstall install 179
cprinstall revert 182
cprinstall show 183
cprinstall snapshot 184
cprinstall transfer 185
cprinstall uninstall 187
cprinstall verify 189
cpstart 191
cpstat 192
cpstop 201
cpview 202
Overview of CPView 202
CPView User Interface 202
Using CPView 203
cpwd_admin 204
cpwd_admin config 207
cpwd_admin del 211


cpwd_admin detach 212


cpwd_admin exist 213
cpwd_admin flist 214
cpwd_admin getpid 216
cpwd_admin kill 217
cpwd_admin list 218
cpwd_admin monitor_list 223
cpwd_admin start 224
cpwd_admin start_monitor 227
cpwd_admin stop 228
cpwd_admin stop_monitor 230
dbedit 231
fw 244
fw fetchlogs 246
fw hastat 248
fw kill 249
fw log 250
fw logswitch 260
fw lslogs 264
fw mergefiles 267
fw repairlog 270
fw sam 271
fw sam_policy 279
fw sam_policy add 282
fw sam_policy batch 295
fw sam_policy del 297
fw sam_policy get 300
fwm 306
fwm dbload 309
fwm exportcert 310


fwm fetchfile 311


fwm fingerprint 313
fwm getpcap 315
fwm ikecrypt 317
fwm load 318
fwm logexport 319
fwm mds 324
fwm printcert 326
fwm sic_reset 332
fwm snmp_trap 333
fwm unload 336
fwm ver 340
fwm verify 341
inet_alert 342
ldapcmd 345
ldapcompare 347
ldapmemberconvert 351
ldapmodify 357
ldapsearch 359
mgmt_cli 362
migrate 363
migrate_server 367
queryDB_util 373
rs_db_tool 374
sam_alert 376
stattest 380
threshold_config 383
Multi-Domain Security Management Commands 389
Managing Security through API 390
API 390


API Tools 390


Configuring the API Server 391
cma_migrate 393
contract_util 394
contract_util check 396
contract_util cpmacro 397
contract_util download 398
contract_util mgmt 400
contract_util print 401
contract_util summary 402
contract_util update 403
contract_util verify 404
cp_conf 405
cp_conf admin 408
cp_conf auto 411
cp_conf ca 413
cp_conf client 415
cp_conf finger 419
cp_conf lic 421
cp_log_export 424
cpca_client 445
cpca_client create_cert 447
cpca_client double_sign 449
cpca_client get_crldp 451
cpca_client get_pubkey 453
cpca_client init_certs 454
cpca_client lscert 455
cpca_client revoke_cert 458
cpca_client revoke_non_exist_cert 461
cpca_client search 462


cpca_client set_mgmt_tool 465


cpca_client set_sign_hash 470
cpca_create 472
cpinfo 473
cplic 474
cplic check 477
cplic contract 479
cplic db_add 481
cplic db_print 483
cplic db_rm 485
cplic del 486
cplic del <object name> 487
cplic get 488
cplic print 490
cplic put 492
cplic put <object name> 494
cplic upgrade 497
cpmiquerybin 500
cppkg 502
cppkg add 504
cppkg delete 505
cppkg get 507
cppkg getroot 508
cppkg print 509
cppkg setroot 510
cpprod_util 511
cprid 517
cprinstall 518
cprinstall boot 521
cprinstall cprestart 522


cprinstall cpstart 523


cprinstall cpstop 524
cprinstall delete 525
cprinstall get 526
cprinstall install 527
cprinstall revert 530
cprinstall show 531
cprinstall snapshot 532
cprinstall transfer 533
cprinstall uninstall 535
cprinstall verify 537
cpstat 539
cpview 548
Overview of CPView 548
CPView User Interface 548
Using CPView 549
cpwd_admin 550
cpwd_admin config 553
cpwd_admin del 557
cpwd_admin detach 558
cpwd_admin exist 559
cpwd_admin flist 560
cpwd_admin getpid 562
cpwd_admin kill 563
cpwd_admin list 564
cpwd_admin monitor_list 569
cpwd_admin start 570
cpwd_admin start_monitor 573
cpwd_admin stop 574
cpwd_admin stop_monitor 576


dbedit 577
fw 590
fw fetchlogs 592
fw hastat 594
fw kill 595
fw log 596
fw logswitch 606
fw lslogs 610
fw mergefiles 613
fw repairlog 616
fw sam 617
fw sam_policy 625
fw sam_policy add 628
fw sam_policy batch 641
fw sam_policy del 643
fw sam_policy get 646
fwm 652
fwm dbload 655
fwm exportcert 656
fwm fetchfile 657
fwm fingerprint 659
fwm getpcap 661
fwm ikecrypt 663
fwm load 664
fwm logexport 665
fwm mds 670
fwm printcert 672
fwm sic_reset 678
fwm snmp_trap 679
fwm unload 682


fwm ver 686


fwm verify 687
inet_alert 688
ldapcmd 691
ldapcompare 693
ldapmemberconvert 697
ldapmodify 703
ldapsearch 705
mcd 708
mds_backup 711
mds_restore 714
mdscmd 715
mdsconfig 717
mdsenv 721
mdsquerydb 723
mdsstart 725
mdsstart_customer 729
mdsstat 730
mdsstop 732
mdsstop_customer 736
mgmt_cli 737
migrate 738
migrate_server 742
migrate_global_policies 748
queryDB_util 749
rs_db_tool 750
sam_alert 752
stattest 756
threshold_config 759
$MDSVERUTIL 765


$MDSVERUTIL AllCMAs 776


$MDSVERUTIL AllVersions 777
$MDSVERUTIL CMAAddonDir 780
$MDSVERUTIL CMACompDir 781
$MDSVERUTIL CMAFgDir 782
$MDSVERUTIL CMAFw40Dir 783
$MDSVERUTIL CMAFw41Dir 784
$MDSVERUTIL CMAFwConfDir 785
$MDSVERUTIL CMAFwDir 786
$MDSVERUTIL CMAIp 787
$MDSVERUTIL CMAIp6 788
$MDSVERUTIL CMALogExporterDir 789
$MDSVERUTIL CMALogIndexerDir 790
$MDSVERUTIL CMANameByFwDir 791
$MDSVERUTIL CMANameByIp 792
$MDSVERUTIL CMARegistryDir 793
$MDSVERUTIL CMAReporterDir 794
$MDSVERUTIL CMASmartLogDir 795
$MDSVERUTIL CMASvnConfDir 796
$MDSVERUTIL CMASvnDir 797
$MDSVERUTIL ConfDirVersion 798
$MDSVERUTIL CpdbUpParam 799
$MDSVERUTIL CPprofileDir 800
$MDSVERUTIL CPVer 801
$MDSVERUTIL CustomersBaseDir 802
$MDSVERUTIL DiskSpaceFactor 803
$MDSVERUTIL InstallationLogDir 804
$MDSVERUTIL IsIPv6Enabled 805
$MDSVERUTIL IsLegalVersion 806
$MDSVERUTIL IsOsSupportsIPv6 807


$MDSVERUTIL LatestVersion 808


$MDSVERUTIL MDSAddonDir 809
$MDSVERUTIL MDSCompDir 810
$MDSVERUTIL MDSDir 811
$MDSVERUTIL MDSFgDir 812
$MDSVERUTIL MDSFwbcDir 813
$MDSVERUTIL MDSFwDir 814
$MDSVERUTIL MDSIp 815
$MDSVERUTIL MDSIp6 816
$MDSVERUTIL MDSLogExporterDir 817
$MDSVERUTIL MDSLogIndexerDir 818
$MDSVERUTIL MDSPkgName 819
$MDSVERUTIL MDSRegistryDir 820
$MDSVERUTIL MDSReporterDir 821
$MDSVERUTIL MDSSmartLogDir 822
$MDSVERUTIL MDSSvnDir 823
$MDSVERUTIL MDSVarCompDir 824
$MDSVERUTIL MDSVarDir 825
$MDSVERUTIL MDSVarFwbcDir 826
$MDSVERUTIL MDSVarFwDir 827
$MDSVERUTIL MDSVarSvnDir 828
$MDSVERUTIL MSP 829
$MDSVERUTIL OfficialName 830
$MDSVERUTIL OptionPack 831
$MDSVERUTIL ProductName 832
$MDSVERUTIL RegistryCurrentVer 833
$MDSVERUTIL ShortOfficialName 834
$MDSVERUTIL SmartCenterPuvUpgradeParam 835
$MDSVERUTIL SP 836
$MDSVERUTIL SVNPkgName 837


$MDSVERUTIL SvrDirectory 838


$MDSVERUTIL SvrParam 839
Creating a Domain Management Server with the 'mgmt_cli' Command 840
SmartProvisioning Commands 841
Managing Security through API 842
API 842
API Tools 842
Configuring the API Server 843
Check Point LSMcli Overview 845
SmartLSM Security Gateway Management Actions 847
LSMcli AddROBO VPN1 848
LSMcli ModifyROBO VPN1 850
LSMcli ModifyROBOManualVPNDomain 852
LSMcli ModifyROBOTopology VPN1 854
LSMcli ModifyROBOInterface VPN1 855
LSMcli AddROBOInterface VPN1 856
LSMcli DeleteROBOInterface VPN1 857
LSMcli ExportIke 858
LSMcli ResetIke 859
LSMcli Remove 860
LSMcli ResetSic 861
LSMcli Show 863
LSMcli ShowROBOTopology 865
LSMcli UpdateCO 866
SmartUpdate Actions 867
LSMcli Install 868
LSMcli Uninstall 870
LSMcli Distribute 871
LSMcli VerifyInstall 872
LSMcli VerifyUpgrade 873


LSMcli Upgrade 874


LSMcli GetInfo 875
LSMcli ShowInfo 876
LSMcli ShowRepository 877
LSMcli Stop 878
LSMcli Start 879
LSMcli Restart 880
LSMcli Reboot 881
LSMcli Push Actions 882
LSMcli PushPolicy 883
LSMcli PushDOs 884
LSMcli GetStatus 885
Managing SmartLSM Clusters with LSMcli 886
LSMcli AddROBO VPN1Cluster 887
LSMcli ModifyROBO VPN1Cluster 889
LSMcli ModifyROBOTopology VPN1Cluster 890
LSMcli ModifyROBONetaccess VPN1Cluster 891
LSMcli AddClusterSubnetOverride VPN1Cluster 893
LSMcli ModifyClusterSubnetOverride VPN1Cluster 895
LSMcli DeleteClusterSubnetOverride VPN1Cluster 897
LSMcli AddPrivateSubnetOverride VPN1ClusterMember 899
LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember 901
LSMcli DeletePrivateSubnetOverride VPN1ClusterMember 903
LSMcli RemoveCluster 905
Using LSMcli Commands for Small Office Appliances 906
LSMcli AddROBO <Appliance_Model> 907
LSMcli AddROBO <Appliance_Model>Cluster 909
Other LSMcli Commands for Small Office Appliances 911
Security Gateway Commands 912
comp_init_policy 913


control_bootsec 917
cp_conf 921
cp_conf auto 924
cp_conf corexl 926
cp_conf fullha 928
cp_conf ha 929
cp_conf intfs 930
cp_conf lic 931
cp_conf sic 934
cpconfig 936
cpinfo 939
cplic 940
cplic check 942
cplic contract 944
cplic del 946
cplic print 947
cplic put 949
cpprod_util 951
cpstart 957
cpstat 958
cpstop 967
cpview 968
Overview of CPView 968
CPView User Interface 968
Using CPView 969
dynamic_objects 970
cpwd_admin 974
cpwd_admin config 977
cpwd_admin del 984
cpwd_admin detach 985


cpwd_admin exist 986


cpwd_admin flist 987
cpwd_admin getpid 989
cpwd_admin kill 990
cpwd_admin list 991
cpwd_admin monitor_list 996
cpwd_admin start 997
cpwd_admin start_monitor 1000
cpwd_admin stop 1001
cpwd_admin stop_monitor 1003
fw 1004
fw -i 1008
fw amw 1009
fw ctl 1012
fw ctl arp 1015
fw ctl bench 1016
fw ctl block 1018
fw ctl chain 1019
fw ctl conn 1021
fw ctl conntab 1023
fw ctl cpasstat 1027
'fw ctl debug' and 'fw ctl kdebug' 1028
fw ctl dlpkstat 1029
fw ctl get 1030
fw ctl iflist 1032
fw ctl install 1033
fw ctl leak 1034
fw ctl pstat 1037
fw ctl set 1040
fw ctl tcpstrstat 1043


fw ctl uninstall 1045


fw defaultgen 1046
fw fetch 1048
fw fetchlogs 1051
fw getifs 1053
fw hastat 1054
fw isp_link 1055
fw kill 1056
fw lichosts 1057
fw log 1058
fw logswitch 1068
fw lslogs 1072
fw mergefiles 1075
fw monitor 1078
fw repairlog 1112
fw sam 1113
fw sam_policy 1121
fw sam_policy add 1124
fw sam_policy batch 1137
fw sam_policy del 1139
fw sam_policy get 1142
fw showuptables 1148
fw stat 1149
fw tab 1152
fw unloadlocal 1161
fw up_execute 1165
fw ver 1168
fwboot 1170
fwboot bootconf 1172
fwboot corexl 1176


fwboot cpuid 1183


fwboot default 1185
fwboot fwboot_ipv6 1186
fwboot fwdefault 1187
fwboot ha_conf 1188
fwboot ht 1189
fwboot multik_reg 1190
fwboot post_drv 1192
sam_alert 1193
stattest 1197
usrchk 1200
ClusterXL Commands 1204
ClusterXL Configuration Commands 1205
Configuring the Cluster Member ID Mode in Local Logs 1209
Registering a Critical Device 1210
Unregistering a Critical Device 1214
Reporting the State of a Critical Device 1215
Registering Critical Devices Listed in a File 1217
Unregistering All Critical Devices 1219
Configuring the Cluster Control Protocol (CCP) Settings 1220
Initiating Manual Cluster Failover 1221
Configuring the Minimal Number of Required Subordinate Interfaces for Bond
Load Sharing 1225
Configuring Link Monitoring on the Cluster Interfaces 1228
Configuring the Multi-Version Cluster Mechanism 1231
ClusterXL Monitoring Commands 1232
Viewing Cluster State 1237
Viewing Critical Devices 1243
Viewing Cluster Interfaces 1251
Viewing Bond Interfaces 1256


Viewing Cluster Failover Statistics 1261


Viewing Software Versions on Cluster Members 1263
Viewing Delta Synchronization 1264
Viewing IGMP Status 1271
Viewing Cluster Delta Sync Statistics for Connections Table 1272
Viewing Cluster IP Addresses 1273
Viewing the Cluster Member ID Mode in Local Logs 1275
Viewing Interfaces Monitored by RouteD 1276
Viewing Roles of RouteD Daemon on Cluster Members 1277
Viewing Cluster Correction Statistics 1278
Viewing the Cluster Control Protocol (CCP) Settings 1280
Viewing the State of the Multi-Version Cluster Mechanism 1281
Viewing Full Connectivity Upgrade Statistics 1282
cpconfig 1283
cphastart 1286
cphastop 1287
cp_conf fullha 1288
cp_conf ha 1289
fw hastat 1291
fwboot ha_conf 1293
The clusterXL_admin Script 1294
The clusterXL_monitor_ips Script 1298
The clusterXL_monitor_process Script 1302
SecureXL Commands 1306
'fwaccel' and 'fwaccel6' 1307
fwaccel cfg 1310
fwaccel conns 1313
fwaccel dbg 1316
fwaccel dos 1322
fwaccel dos allow / whitelist 1325


fwaccel dos config 1330


fwaccel dos deny / blacklist 1336
fwaccel dos pbox 1341
fwaccel dos rate 1346
fwaccel dos stats 1348
fwaccel feature 1350
fwaccel off 1353
fwaccel on 1357
fwaccel ranges 1361
fwaccel stat 1368
fwaccel stats 1374
Description of the Statistics Counters in the "fwaccel stats" Output 1376
Example Outputs on the "fwaccel stats" Commands 1385
fwaccel synatk 1393
fwaccel synatk -a 1395
fwaccel synatk -c <Configuration File> 1396
fwaccel synatk -d 1397
fwaccel synatk -e 1398
fwaccel synatk -g 1399
fwaccel synatk -m 1400
fwaccel synatk -t <Threshold> 1401
fwaccel synatk allow / whitelist 1403
fwaccel synatk config 1408
fwaccel synatk monitor 1411
fwaccel synatk state 1416
fwaccel tab 1418
fwaccel templates 1421
fwaccel ver 1425
fw sam_policy 1426
fw sam_policy add 1429


fw sam_policy batch 1442


fw sam_policy del 1444
fw sam_policy get 1447
The /proc/ppk/ and /proc/ppk6/ entries 1453
/proc/ppk/affinity 1455
/proc/ppk/conf 1456
/proc/ppk/conns 1457
/proc/ppk/cpls 1458
/proc/ppk/cqstats 1459
/proc/ppk/drop_statistics 1460
/proc/ppk/ifs 1461
/proc/ppk/mcast_statistics 1466
/proc/ppk/nac 1467
/proc/ppk/notify_statistics 1468
/proc/ppk/profile_cpu_stat 1470
/proc/ppk/rlc 1471
/proc/ppk/statistics 1472
/proc/ppk/stats 1474
/proc/ppk/viol_statistics 1475
SecureXL Debug 1476
fwaccel dbg 1477
SecureXL Debug Procedure 1483
SecureXL Debug Modules and Debug Flags 1487
CoreXL Commands 1495
cp_conf corexl 1496
dynamic_split 1498
fw ctl multik 1500
fw ctl multik add_bypass_port 1502
fw ctl multik del_bypass_port 1504
fw ctl multik dynamic_dispatching 1506


fw ctl multik gconn 1507


fw ctl multik get_instance 1512
fw ctl multik print_heavy_conn 1514
fw ctl multik prioq 1516
fw ctl multik show_bypass_ports 1517
fw ctl multik stat 1518
fw ctl multik start 1520
fw ctl multik stop 1521
fw ctl multik utilize 1522
fw ctl affinity 1523
Running the 'fw ctl affinity -l' command in Gateway Mode 1524
Running the 'fw ctl affinity -l' command in VSX Mode 1529
Running the 'fw ctl affinity -s' command in Gateway Mode 1532
Running the 'fw ctl affinity -s' command in VSX Mode 1535
fw -i 1539
fwboot bootconf 1540
fwboot corexl 1544
fwboot cpuid 1551
fwboot ht 1553
fwboot multik_reg 1554
fwboot post_drv 1556
Multi-Queue Commands 1557
mq_mng 1558
Multi-Queue Configuration in the Expert mode 1558
Multi-Queue Configuration in Gaia Clish 1563
Identity Awareness Commands 1566
adlog 1567
adlog control 1569
adlog dc 1571
adlog debug 1572


adlog query 1573


adlog statistics 1574
pdp 1575
pdp ad 1577
General Syntax 1577
The 'pdp ad associate' command 1577
The 'pdp ad disassociate' command 1578
pdp auth 1579
pdp broker 1583
pdp conciliation 1587
pdp connections 1589
pdp control 1590
pdp debug 1591
pdp idc 1594
pdp idp 1598
pdp ifmap 1599
pdp monitor 1601
pdp muh 1603
pdp nested_groups 1604
pdp network 1607
pdp radius 1608
pdp roles 1611
General Syntax 1611
The 'pdp roles extract' command 1611
The 'pdp roles fetch' command 1611
pdp status 1614
pdp tasks_manager 1615
pdp timers 1616
pdp topology_map 1617
pdp tracker 1618


pdp update 1619


pdp vpn 1620
pep 1621
pep control 1622
pep debug 1623
pep show 1625
pep tracker 1628
test_ad_connectivity 1629
VPN Commands 1633
vpn 1634
vpn check_ttm 1637
vpn compreset 1638
vpn compstat 1639
vpn crl_zap 1640
vpn crlview 1641
vpn debug 1643
vpn dll 1646
vpn drv 1647
vpn dump_psk 1648
vpn ipafile_check 1649
vpn ipafile_users_capacity 1650
vpn macutil 1651
vpn mep_refresh 1652
vpn neo_proto 1653
vpn nssm_toplogy 1654
vpn overlap_encdom 1655
vpn rim_cleanup 1657
vpn rll 1658
vpn set_slim_server 1659
vpn set_snx_encdom_groups 1660


vpn set_trac 1661


vpn shell 1662
vpn show_tcpt 1669
vpn sw_topology 1670
vpn tu 1671
vpn tu del 1673
vpn tu list 1676
vpn tu mstats 1678
vpn tu tlist 1679
vpn ver 1681
mcc 1682
mcc add 1684
mcc add2main 1685
mcc del 1686
mcc lca 1687
mcc main2add 1688
mcc show 1689
Mobile Access Commands 1691
admin_wizard 1692
cvpnd_admin 1696
cvpnd_settings 1699
cvpn_ver 1701
cvpnrestart 1702
cvpnstart 1703
cvpnstop 1704
deleteUserSettings 1705
fwpush 1706
ics_updates_script 1710
listusers 1712
rehash_ca_bundle 1713


UserSettingsUtil 1714
Data Loss Prevention Commands 1716
dlpcmd 1717
VSX Commands 1720
cpconfig 1721
cpview 1724
Overview of CPView 1724
CPView User Interface 1724
Using CPView 1725
vsenv 1726
vsx 1727
vsx fetch 1730
vsx fetch_all_cluster_policies 1732
vsx fetchvs 1733
vsx get 1734
vsx mstat 1735
vsx showncs 1739
vsx sicreset 1740
vsx stat 1741
vsx unloadall 1744
vsx vspurge 1745
vsx_util 1746
vsx_util add_member 1751
vsx_util change_interfaces 1753
vsx_util change_mgmt_ip 1757
vsx_util change_mgmt_subnet 1758
vsx_util change_private_net 1760
vsx_util convert_cluster 1762
vsx_util downgrade 1763
vsx_util reconfigure 1764


vsx_util remove_member 1770


vsx_util show_interfaces 1771
vsx_util upgrade 1775
vsx_util view_vs_conf 1776
vsx_util vsls 1780
vsx_provisioning_tool 1782
Transactions 1785
vsx_provisioning_tool Commands 1786
Explicit Transaction Commands 1787
Adding a VSX Gateway 1788
Adding a VSX Cluster 1791
Adding a Virtual Device 1794
Deleting a Virtual Device 1797
Modifying Settings of a Virtual Device 1798
Adding an Interface to a Virtual Device 1801
Removing an Interface from a Virtual Device 1805
Modifying Settings of an Interface 1807
Adding a Route 1811
Removing a Route 1813
Showing Virtual Device Data 1815
Script Examples 1816
Example 1 1816
Example 2 1817
Example 3 1818
QoS Commands 1819
etmstart 1820
etmstop 1821
fgate 1822
IPS Commands 1830
ips 1831


ips bypass 1833


ips debug 1835
ips off 1836
ips on 1837
ips pmstats 1838
ips refreshcap 1839
ips stat 1840
ips stats 1841
Monitoring Commands 1844
rtm 1845
rtm debug 1846
rtm drv 1847
rtm monitor 1848
rtm rtmd 1854
rtm stat 1855
rtm ver 1858
rtmstart 1859
rtmstop 1860
Working with Kernel Parameters on Security Gateway 1861
Running Check Point Commands in Shell Scripts 1862
On a Security Management Server / Log Server / SmartEvent Server 1862
On a Multi-Domain Server / Multi-Domain Log Server 1863
On a Security Gateway / Cluster Members (non-VSX) 1863
On a VSX Gateway / VSX Cluster Members 1864
Glossary 1865


Introduction
The CLI Reference Guide provides CLI commands to configure and monitor Check Point
Software Blades.


Syntax Legend
Whenever possible, this guide lists commands, parameters and options in alphabetical order.
This guide uses these conventions in the Command Line Interface (CLI) syntax:

TAB
  Shows the available nested subcommands:

  main command
  → nested subcommand 1
  → → nested subsubcommand 1-1
  → → nested subsubcommand 1-2
  → nested subcommand 2

  Example:

  cpwd_admin
      config
          -a <options>
          -d <options>
          -p
          -r
      del <options>

  This means you can run only one of these commands:
  - cpwd_admin config -a <options>
  - cpwd_admin config -d <options>
  - cpwd_admin config -p
  - cpwd_admin config -r
  - cpwd_admin del <options>

Curly brackets or braces {}
  Enclose a list of available commands or parameters, separated by the vertical bar |.
  The user can enter only one of the available commands or parameters.

Angle brackets <>
  Enclose a variable. The user must explicitly specify a supported value.

Square brackets or brackets []
  Enclose an optional command or parameter, which the user can also enter.


Gaia Commands
See:
n R80.40 Gaia Administration Guide
n R80.40 Gaia Advanced Routing Administration Guide


Security Management Server Commands
For more information about Security Management Server, see the R80.40 Security
Management Administration Guide.


Managing Security through API


This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with third party systems, such as virtualization servers, ticketing systems, and change management systems.
To learn more about the management APIs, to see code samples, and to take advantage of user forums, see:
- The API Documentation:
  - Online - Check Point Management API Reference
  - Local - https://<Server IP Address>/api_docs
    By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.
- The Developers Network section of Check Point CheckMates Community.

API Tools
You can use these tools to work with the API Server on the Management Server:
- Standalone management tool, included with the Gaia operating system: mgmt_cli
- Standalone management tool, included with SmartConsole: mgmt_cli.exe
  You can copy this tool from the SmartConsole installation folder to other computers that run the Windows operating system.
- Web Services APIs that allow communication and data exchange between the clients and the Management Server over HTTPS. Other Check Point processes also communicate with the Management Server through these APIs over HTTPS.
  https://<IP Address of Management Server>/web_api/<command>


Configuring the API Server

To configure the API Server:

1. Connect with SmartConsole to the Security Management Server or applicable Domain Management Server.
2. From the left navigation panel, click Manage & Settings.
3. In the upper left section, click Blades.
4. In the Management API section, click Advanced Settings.
   The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings.

   Configuring Startup Settings

   Select Automatic start to automatically start the API server when you start or reboot the Management Server.

   Notes:
   - If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during Management Server installation.
   - If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.

   Configuring Access Settings

   Select one of these options to configure which clients can connect to the API Server:
   - Management server only - Only the Management Server itself can connect to the API Server. This option only lets you use the mgmt_cli utility on the Management Server to send API requests. You cannot use SmartConsole or Web services to send API requests.
   - All IP addresses that can be used for GUI clients - You can send API requests from all IP addresses that are defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.
   - All IP addresses - You can send API requests from all IP addresses. This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.

   Choose the most restrictive option your automation needs. The API Server accepts the same administrator accounts as SmartConsole, so every address you allow here can attempt administrator logins against the Management Server.

6. Publish the SmartConsole session.
7. Restart the API Server on the Management Server with this command:

   api restart

   Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server.
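The API Tools section names two clients of the API Server: mgmt_cli and the Web Services endpoint https://<IP Address of Management Server>/web_api/<command>. The script below is an added example written for this page; it is not code from this guide or from Check Point. It walks through the session that every Web Services client goes through: login returns a session id, every later request carries that id in the X-chkp-sid header, and logout releases it. The command names login, show-hosts and logout, the X-chkp-sid header and the {"code": ..., "message": ...} error shape are the real API's; the host name mgmt.example.internal, the administrator name and password, the cafile argument and the FakeApiServer class are constructed so the file runs offline. Whether a client address is admitted at all is decided by the Access Settings above, not by this code.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# A transport takes (url, headers, JSON body) and returns the raw JSON reply.
Transport = Callable[[str, Dict[str, str], bytes], bytes]


def https_transport(cafile: str) -> Transport:
    """Real transport: POST JSON over HTTPS, verifying the server against `cafile`
    (the Management Server's CA or exported server certificate). Never replace this
    with an unverified context: login carries the admin password, later calls the sid."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(url: str, headers: Dict[str, str], body: bytes) -> bytes:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            return err.read()  # API errors arrive as a JSON body with "code"/"message"

    return send


class MgmtApiSession:
    """login -> calls carrying X-chkp-sid -> logout; `with` guarantees the logout."""

    def __init__(self, server: str, transport: Transport) -> None:
        self.base_url = f"https://{server}/web_api/"
        self._transport = transport
        self.sid: Optional[str] = None

    def call(self, command: str, payload: Optional[dict] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.sid is not None:
            headers["X-chkp-sid"] = self.sid  # session id issued by login
        elif command != "login":
            raise RuntimeError(f"'{command}' needs a session; call login() first")
        reply = json.loads(self._transport(self.base_url + command, headers,
                                           json.dumps(payload or {}).encode()))
        if "code" in reply:  # failure replies look like {"code": "...", "message": "..."}
            raise RuntimeError(f"{command} failed: {reply['code']}: {reply.get('message', '')}")
        return reply

    def login(self, user: str, password: str, domain: Optional[str] = None) -> dict:
        body = {"user": user, "password": password}
        if domain:  # on a Multi-Domain Server, log in to one Domain
            body["domain"] = domain
        reply = self.call("login", body)
        self.sid = reply["sid"]
        return reply

    def logout(self) -> None:
        if self.sid is not None:
            try:
                self.call("logout")
            finally:
                self.sid = None  # forget the sid locally even if the server call failed

    def __enter__(self) -> "MgmtApiSession":
        return self

    def __exit__(self, *exc_info) -> None:
        self.logout()  # release the session on success and on exceptions alike


class FakeApiServer:
    """Constructed stand-in for the API Server so this file runs offline. Like the real
    server it issues a sid on login and rejects other commands without a live sid."""

    def __init__(self) -> None:
        self.calls = []  # (command, request carried a live sid)
        self._live_sids = set()

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> bytes:
        command = url.rsplit("/", 1)[1]
        sid = headers.get("X-chkp-sid")
        live = sid in self._live_sids
        self.calls.append((command, live))
        if command == "login":
            if json.loads(body).get("password") != "correct-horse":  # constructed password
                return b'{"code": "err_login_failed", "message": "Authentication to server failed."}'
            sid = f"sid-{len(self.calls)}"
            self._live_sids.add(sid)
            return json.dumps({"sid": sid, "session-timeout": 600}).encode()
        if not live:
            return b'{"code": "err_wrong_session_id", "message": "Session ID is not valid."}'
        if command == "logout":
            self._live_sids.discard(sid)
            return b'{"message": "OK"}'
        if command == "show-hosts":
            return b'{"total": 1, "objects": [{"name": "h1", "ipv4-address": "192.0.2.10"}]}'
        return json.dumps({"code": "generic_error", "message": "unknown command " + command}).encode()


def list_host_names(transport: Transport, user: str, password: str) -> list:
    """One complete session: login, one query, logout (also when the query raises)."""
    with MgmtApiSession("mgmt.example.internal", transport) as session:
        session.login(user, password)
        return [h["name"] for h in session.call("show-hosts", {"limit": 50})["objects"]]


if __name__ == "__main__":
    print(list_host_names(FakeApiServer(), "admin", "correct-horse"))  # ['h1']
```

To talk to a real Management Server, pass https_transport("/path/to/mgmt-ca.pem") instead of FakeApiServer() and read the password from a secret store rather than a command-line argument. On the Management Server itself the same query is one line, mgmt_cli -r true show hosts limit 50 --format json, which logs in as the local root user without a password; that local path is the only one left open when the Access Settings are set to "Management server only".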


contract_util
Description
Works with the Check Point Service Contracts.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util [-d]
      check <options>
      cpmacro <options>
      download <options>
      mgmt
      print <options>
      summary <options>
      update <options>
      verify

Parameters

check <options>
    Checks whether the Security Gateway is eligible for an upgrade.
    See "contract_util check" on page 46.

cpmacro <options>
    Overwrites the current cp.macro file with the specified cp.macro file.
    See "contract_util cpmacro" on page 47.

download <options>
    Downloads all associated Check Point Service Contracts from the User Center, or
    from a local file.
    See "contract_util download" on page 48.

mgmt
    Delivers the Service Contract information from the Management Server to the
    managed Security Gateways.
    See "contract_util mgmt" on page 50.

print <options>
    Shows all the installed licenses and whether the Service Contract covers these
    licenses, which entitles them for an upgrade or not.
    See "contract_util print" on page 51.

summary <options>
    Shows the post-installation summary.
    See "contract_util summary" on page 52.

update <options>
    Updates Check Point Service Contracts from your User Center account.
    See "contract_util update" on page 53.

verify
    Checks whether the Security Gateway is eligible for an upgrade.
    This command also interprets the return values and shows a meaningful message.
    See "contract_util verify" on page 54.

contract_util check

Description
Checks whether the Security Gateway is eligible for an upgrade.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util check
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

{-h | -help}
    Shows the applicable built-in usage.

hfa
    Checks whether the Security Gateway is eligible for an upgrade to a higher
    Hotfix Accumulator.

maj_upgrade
    Checks whether the Security Gateway is eligible for an upgrade to a higher
    Major version.

min_upgrade
    Checks whether the Security Gateway is eligible for an upgrade to a higher
    Minor version.

upgrade
    Checks whether the Security Gateway is eligible for an upgrade.

contract_util cpmacro

Description
Overwrites the current cp.macro file with the specified cp.macro file, if the specified
file is newer than the current file.
For more information about the cp.macro file, see sk96217: What is a cp.macro file?

Syntax

contract_util cpmacro /<path_to>/cp.macro

This command shows one of these messages:

CntrctUtils_Write_cp_macro returned -1
    The contract_util cpmacro command failed:
    - Failed to create a temporary file.
    - Failed to write to a temporary file.
    - Failed to replace the current file.

CntrctUtils_Write_cp_macro returned 0
    The contract_util cpmacro command was able to overwrite the current file with
    the specified file, because the specified file is newer.

CntrctUtils_Write_cp_macro returned 1
    The contract_util cpmacro command did not overwrite the current file, because
    it is newer than the specified file.

contract_util download

Description
Downloads all associated Check Point Service Contracts from User Center, or from a local file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util download
      {-h | -help}
      local
            {-h | -help}
            [{hfa | maj_upgrade | min_upgrade | upgrade}] <Service Contract File>
      uc
            {-h | -help}
            [-i] [{hfa | maj_upgrade | min_upgrade | upgrade}]
            <Username> <Password> [<Proxy Server> [<Proxy Username>:<Proxy Password>]]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-i
    Interactive mode - prompts the user for the User Center credentials and proxy
    server settings.

local
    Specifies to download the Service Contract from the local file.
    This is equivalent to the "cplic contract put" command (see "cplic contract" on
    page 133).

uc
    Specifies to download the Service Contract from the User Center.

hfa
    Downloads the information about a Hotfix Accumulator.

maj_upgrade
    Downloads the information about a Major version.

min_upgrade
    Downloads the information about a Minor version.

upgrade
    Downloads the information about an upgrade.

<Username>
    Your User Center account e-mail address.

<Password>
    Your User Center account password.

<Proxy Server> [<Proxy Username>:<Proxy Password>]
    Specifies that the connection to the User Center goes through the proxy server.
    - <Proxy Server> - IP address or resolvable hostname of the proxy server.
    - <Proxy Username> - Username for the proxy server.
    - <Proxy Password> - Password for the proxy server.
    Note - If you do not specify the proxy server explicitly, the command uses the
    proxy server configured in the management database.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your User Center account.

contract_util mgmt

Description
Delivers the Service Contract information from the Management Server to the managed
Security Gateways.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util mgmt

contract_util print

Description
Shows all the installed licenses and whether the Service Contract covers these licenses,
which entitles them for an upgrade or not.
This command can show which licenses are not recognized by the Service Contract file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util [-d] print
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Shows a formatted table header and more information.

hfa
    Shows the information about a Hotfix Accumulator.

maj_upgrade
    Shows the information about a Major version.

min_upgrade
    Shows the information about a Minor version.

upgrade
    Shows the information about an upgrade.

contract_util summary

Description
Shows post-installation summary and whether this Check Point computer is eligible for
upgrades.

Syntax

contract_util summary
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

hfa
    Shows the information about a Hotfix Accumulator.

maj_upgrade
    Shows the information about a Major version.

min_upgrade
    Shows the information about a Minor version.

upgrade
    Shows the information about an upgrade.

contract_util update

Description
Updates the Check Point Service Contracts from your User Center account.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util update
      [-proxy <Proxy Server>:<Proxy Port>]
      [-ca_path <Path to ca-bundle.crt File>]

Parameters

update
    Updates Check Point Service Contracts (attached to pre-installed licenses) from
    your User Center account.

-proxy <Proxy Server>:<Proxy Port>
    Specifies that the connection to the User Center goes through the proxy server:
    - <Proxy Server> - IP address or resolvable hostname of the proxy server.
    - <Proxy Port> - The applicable port on the proxy server.
    Note - If you do not specify the proxy explicitly, the command uses the proxy
    configured in the management database.

-ca_path <Path to ca-bundle.crt File>
    Specifies the path to the Certificate Authority Bundle file (ca-bundle.crt).
    Note - If you do not specify the path explicitly, the command uses the default
    path.

contract_util verify

Description
Checks whether the Security Gateway is eligible for an upgrade.
This command is the same as the "contract_util check" on page 46 command, but it also
interprets the return values and shows a meaningful message.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util verify

cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
      -h
      admin <options>
      auto <options>
      ca <options>
      client <options>
      finger <options>
      lic <options>
      snmp <options>

Syntax on a Security Gateway

cp_conf
      -h
      adv_routing <options>
      auto <options>
      corexl <options>
      fullha <options>
      ha <options>
      intfs <options>
      lic <options>
      sic <options>
      snmp <options>

Parameters

-h
    Shows the entire built-in usage.

admin <options>
    Configures Check Point system administrators for the Security Management Server.
    See "cp_conf admin" on page 58.

adv_routing <options>
    Enables or disables the Advanced Routing feature on this Security Gateway.
    Important - Do not use these outdated commands. To configure Advanced Routing,
    see the R80.40 Gaia Advanced Routing Administration Guide.

auto <options>
    Shows and configures the automatic start of Check Point products during boot.
    See "cp_conf auto" on page 61.

ca <options>
    - Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).
    - Initializes the Internal Certificate Authority (ICA).
    See "cp_conf ca" on page 63.

client <options>
    Configures the GUI clients that can use SmartConsole to connect to the Security
    Management Server.
    See "cp_conf client" on page 65.

corexl <options>
    Enables or disables CoreXL on this Security Gateway.
    See "cp_conf corexl" on page 926.

finger <options>
    Shows the ICA's Fingerprint.
    See "cp_conf finger" on page 69.

fullha <options>
    Manages a Full High Availability Cluster.
    See "cp_conf fullha" on page 928.

ha <options>
    Enables or disables cluster membership on this Security Gateway.
    See "cp_conf ha" on page 929.

intfs <options>
    Sets the topology of interfaces on a Security Gateway, which you manage with
    SmartProvisioning.
    See "cp_conf intfs" on page 930.

lic <options>
    Manages Check Point licenses.
    See "cp_conf lic" on page 71.

sic <options>
    Manages SIC on this Security Gateway.
    See "cp_conf sic" on page 934.

snmp <options>
    Do not use these outdated commands.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System
    Management - Section SNMP.

cp_conf admin

Description
Configures Check Point system administrators for the Security Management Server.

Notes:
- Multi-Domain Server does not support this command.
- Only one administrator can be defined in the "cpconfig" on page 124 menu.
  To define additional administrators, use SmartConsole.
- This command corresponds to the option Administrator in the "cpconfig" on
  page 124 menu.

Syntax

cp_conf admin
      -h
      add [<UserName> <Password> {a | w | r}]
      add -gaia [{a | w | r}]
      del <UserName1> <UserName2> ...
      get
      get -gaia

Parameters

-h
    Shows the applicable built-in usage.

add [<UserName> <Password> {a | w | r}]
    Adds a Check Point system administrator:
    - <UserName> - Specifies the administrator's username.
    - <Password> - Specifies the administrator's password.
    - a - Assigns all permissions - read settings, write settings, and manage
      administrators.
    - w - Assigns permissions to read and write settings only (cannot manage
      administrators).
    - r - Assigns permissions to only read settings.

add -gaia [{a | w | r}]
    Adds the Gaia administrator user admin:
    - a - Assigns all permissions - read settings, write settings, and manage
      administrators.
    - w - Assigns permissions to read and write settings only (cannot manage
      administrators).
    - r - Assigns permissions to only read settings.

del <UserName1> <UserName2> ...
    Deletes the specified system administrators.

get
    Shows the list of the configured system administrators.

get -gaia
    Shows the management permissions assigned to the Gaia administrator user admin.

Example 1 - Adding a Check Point system administrator

[Expert@MGMT:0]# cp_conf admin add
Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w

Administrator admin was modified successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

Example 2 - Adding the Gaia administrator user

[Expert@MGMT:0]# cp_conf admin add -gaia
Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r
Administrator admin already exists.

Administrator admin was modified successfully and has
Read Only Permission for all products
[Expert@MGMT:0]#

cp_conf auto

Description
Shows and controls which of Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain
Server in the "mdsconfig" on page 717 menu.

Syntax

cp_conf auto
      -h
      {enable | disable} <Product1> <Product2> ...
      get all

Parameters

-h
    Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ...
    Controls whether the installed Check Point products start automatically during
    boot.
    This command is for Check Point use only.

get all
    Shows which of these Check Point products start automatically during boot:
    - Check Point Security Gateway
    - QoS (former FloodGate-1)
    - SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all

Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#

Example from a Security Gateway

[Expert@GW:0]# cp_conf auto get all

The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed.

[Expert@GW:0]#

cp_conf ca

Description
This command changes the settings of the Internal Certificate Authority (ICA).

Note - On a Security Management Server, this command corresponds to the option
Certificate Authority in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf ca
      -h
      fqdn <FQDN Name>
      init

Parameters

-h
    Shows the applicable built-in usage.

fqdn <FQDN Name>
    Configures the Fully Qualified Domain Name (FQDN) for the Internal Certificate
    Authority (ICA).
    The "<FQDN Name>" is the text string in this format: hostname.domainname
    Notes:
    - The existing certificates for configured objects are not revoked.
    - The existing ICA certificate is not changed.
    - The Management Server uses the specified "<FQDN Name>" to configure the
      Certificate Revocation List Distribution Point (CRL DP) property in all
      certificates that the ICA generates. Refer to this command: "cpca_client
      get_crldp" on page 101.

init
    Initializes the Internal Certificate Authority (ICA).

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn MyMGMT.checkpoint.com
Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
MyMGMT.checkpoint.com was successfully set to the Internal CA
[Expert@MyMGMT:0]#

cp_conf client

Description
Configures the GUI clients that are allowed to connect with SmartConsole to the Security
Management Server.

Notes:
- Multi-Domain Server does not support this command.
- This command corresponds to the option GUI Clients in the "cpconfig" on
  page 124 menu.

Syntax

cp_conf client
      -h
      add <GUI Client>
      createlist <GUI Client 1> <GUI Client 2> ...
      del <GUI Client 1> <GUI Client 2> ...
      get

Parameters

-h
    Shows the built-in usage.

<GUI Client>
    <GUI Client> can be one of these:
    - One IPv4 address (for example, 192.168.10.20), or one IPv6 address (for
      example, 3731:54:65fe:2::a7)
    - One hostname (for example, MyComputer)
    - "Any" - To denote all IPv4 and IPv6 addresses without restriction
    - A range of IPv4 addresses (for example, 192.168.10.0/255.255.255.0), or a
      range of IPv6 addresses (for example, 2001::1/128)
    - IPv4 address wildcard (for example, 192.168.10.*)

add <GUI Client>
    Adds a GUI client.

createlist <GUI Client 1> <GUI Client 2> ...
    Deletes the current allowed GUI clients and creates a new list of allowed GUI
    clients.

del <GUI Client 1> <GUI Client 2> ...
    Deletes the specified GUI clients.

get
    Shows the allowed GUI clients.
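The <GUI Client> forms listed above can be reviewed offline. The following Python is an added example, not code from this guide or from the cp_conf tool: it classifies each allow-list entry into the categories above and tests whether a given client address would be admitted. It assumes hostname entries are unresolvable (no DNS) and never match, and the function names are this example's own.

```python
"""Offline review of a cp_conf client allow-list (added example, not Check Point code).

Models the <GUI Client> forms the guide lists: single IPv4/IPv6 address, hostname,
"Any", IPv4 range with a dotted netmask, IPv6 range with a prefix length, and an
IPv4 wildcard such as 192.168.10.*. Hostname entries are classified but never
matched, because this example runs without DNS (assumption of this example).
"""
import ipaddress
import re

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def _is_ipv4_wildcard(entry: str) -> bool:
    """Accept a.b.c.* style entries: numeric octets followed by one or more '*'."""
    parts = entry.split(".")
    if len(parts) != 4:
        return False
    seen_star = False
    for part in parts:
        if part == "*":
            seen_star = True
        elif seen_star or not part.isdigit() or int(part) > 255:
            return False
    return seen_star


def classify(entry: str) -> str:
    """Return the guide's category for one <GUI Client> entry, or raise ValueError."""
    if entry == "Any":
        return "any"
    if "/" in entry:
        base, _, mask = entry.partition("/")
        if ipaddress.ip_address(base).version == 4:
            # The guide shows the dotted-netmask form, e.g. 192.168.10.0/255.255.255.0
            ipaddress.IPv4Network((base, mask), strict=False)  # validates the mask
            return "ipv4_range"
        ipaddress.IPv6Network(entry, strict=False)  # e.g. 2001::1/128
        return "ipv6_range"
    if "*" in entry:
        if not _is_ipv4_wildcard(entry):
            raise ValueError(f"malformed IPv4 wildcard: {entry}")
        return "ipv4_wildcard"
    try:
        return "ipv4" if ipaddress.ip_address(entry).version == 4 else "ipv6"
    except ValueError:
        pass
    if _HOSTNAME_RE.match(entry):
        return "hostname"
    raise ValueError(f"not a valid <GUI Client> entry: {entry}")


def matches(entry: str, client_ip: str) -> bool:
    """True if client_ip would be admitted by this single allow-list entry."""
    ip = ipaddress.ip_address(client_ip)
    kind = classify(entry)
    if kind == "any":
        return True
    if kind in ("ipv4", "ipv6"):
        return ip == ipaddress.ip_address(entry)
    if kind == "ipv4_range":
        base, _, mask = entry.partition("/")
        return ip.version == 4 and ip in ipaddress.IPv4Network((base, mask), strict=False)
    if kind == "ipv6_range":
        return ip.version == 6 and ip in ipaddress.IPv6Network(entry, strict=False)
    if kind == "ipv4_wildcard":
        if ip.version != 4:
            return False
        return all(p == "*" or p == o
                   for p, o in zip(entry.split("."), str(ip).split(".")))
    return False  # hostname: cannot be matched without DNS resolution


def is_allowed(allow_list, client_ip: str) -> bool:
    """True if any entry (as printed by 'cp_conf client get') admits client_ip."""
    return any(matches(entry, client_ip) for entry in allow_list)


def broad_entries(allow_list):
    """Entries that admit more than one host; these deserve a second look in a review."""
    return [e for e in allow_list
            if classify(e) in ("any", "ipv4_range", "ipv6_range", "ipv4_wildcard")]


if __name__ == "__main__":
    # Constructed sample list, in the shape 'cp_conf client get' prints.
    sample = ["192.168.40.0/255.255.255.0", "172.30.40.55", "MySmartConsoleHost"]
    for entry in sample:
        print(f"{entry:30} {classify(entry)}")
    print("192.168.40.77 allowed:", is_allowed(sample, "192.168.40.77"))
    print("broad entries:", broad_entries(sample))
```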

Examples

Example 1 - Configure one IPv4 address

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.15
172.20.168.15 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.15
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.15
172.20.168.15 was deleted successfully
[Expert@MGMT:0]#

Example 2 - Configure one hostname

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost
MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost
MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

Example 3 - Configure "Any"

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"
Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"
Any was deleted successfully
[Expert@MGMT:0]#

Example 4 - Configure a range of IPv4 addresses

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was deleted successfully
[Expert@MGMT:0]#

Example 5 - Configure IPv4 address wildcard

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*
172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*
172.20.168.* was deleted successfully
[Expert@MGMT:0]#

Example 6 - Delete the current list and create a new list of allowed GUI clients

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0
172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist 192.168.40.0/255.255.255.0 172.30.40.55
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
192.168.40.0/255.255.255.0
172.30.40.55
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
Any
[Expert@MGMT:0]#

cp_conf finger

Description
Shows the Internal Certificate Authority's Fingerprint.
This fingerprint is a text string derived from the ICA certificate on the Security Management
Server, Multi-Domain Server, or Domain Management Server.
This fingerprint verifies the identity of the Security Management Server, Multi-Domain Server,
or Domain Management Server when you connect to it with SmartConsole.

Note - This command corresponds to the option Certificate's Fingerprint in the
"cpconfig" on page 124 menu.
Note - On a Multi-Domain Server:
- To see the fingerprint of the Multi-Domain Server, this command corresponds to
  the option Certificate's Fingerprint in the "mdsconfig" on page 717 menu.
- You can run this command in these contexts:
  - To see the fingerprint of the Multi-Domain Server, run it in the context of
    the Multi-Domain Server:
    mdsenv
  - To see the fingerprint of a Domain Management Server, run it in the context
    of the applicable Domain Management Server:
    mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf finger
      -h
      get

Parameters

-h
    Shows the applicable built-in usage.

get
    Shows the ICA's Fingerprint.

Example

[Expert@MGMT:0]# cp_conf finger get
EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#

cp_conf lic

Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 124 menu.
Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf lic
      -h
      add -f <Full Path to License File>
      add -m <Host> <Date> <Signature Key> <SKU/Features>
      del <Signature Key>
      get [-x]

Parameters

-h
    Shows the applicable built-in usage.

add -f <Full Path to License File>
    Adds a license from the specified Check Point license file.
    You get this license file in the Check Point User Center.
    This is the same command as "cplic db_add" on page 135.

add -m <Host> <Date> <Signature Key> <SKU/Features>
    Adds the license manually.
    You get these license details in the Check Point User Center.
    This is the same command as "cplic db_add" on page 135.

del <Signature Key>
    Deletes the license based on its signature.
    This is the same command as "cplic del" on page 140.

get [-x]
    Shows the locally installed licenses.
    If you specify the "-x" parameter, the output also shows the signature key for
    every installed license.
    This is the same command as "cplic print" on page 144.


Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic
License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get
Host            Expiration  Signature                              Features
192.168.3.28    25Aug2019   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get
Host            Expiration  Signature                              Features
192.168.3.28    25Aug2019   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   CPMP-XXX
[Expert@MyHostName:0]#

cp_log_export
Description
Exports Check Point logs over syslog.
For more information, see sk122323 and R80.40 Logging and Monitoring Administration
Guide.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_log_export
cp_log_export <command-name> help

Parameters

No Parameters
    Shows the built-in general help.

<command-name> help
    Shows the built-in help for the specified internal command.


Internal Commands

add
    Configures a new Check Point Log Exporter.
    cp_log_export add name <Name> target-server <Target-Server> target-port
    <Target-Server-Port> protocol {udp | tcp} [Optional Arguments]

delete
    Removes an existing Log Exporter.
    cp_log_export delete name <Name>

reconf
    Applies the Log Exporter configuration to all existing exporters.
    cp_log_export reconf [name <Name>]

reexport
    Resets the current log position and exports all logs again based on the
    configuration.
    cp_log_export reexport name <Name> --apply-now
    cp_log_export reexport name <Name> start-position <Position of Last Exported
    Log> --apply-now
    cp_log_export reexport name <Name> start-position <Position of Gap Start>
    end-position <Position of Gap End> --apply-now

restart
    Restarts a Log Exporter process.
    cp_log_export restart name <Name>

set
    Updates an existing Log Exporter configuration.
    cp_log_export set name <Name> [<Optional Arguments>]

show
    Shows the current Log Exporter configuration.
    cp_log_export show [<Optional Arguments>]

start
    Starts an existing Log Exporter process.
    cp_log_export start name <Name>

status
    Shows a Log Exporter overview status.
    cp_log_export status [<Optional Arguments>]

stop
    Stops an existing Log Exporter process.
    cp_log_export stop name <Name>
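The add syntax above and the argument rules in the Internal Command Arguments table that follows (mandatory arguments, the arguments that apply only when "encrypted" is "true", the argument that applies only when a SmartView link is exported, and the double-quoted comma-separated filter lists) can be checked before a command is typed into the shell. The Python below is an added example, not Check Point code: the helper names and the sample exporter values are this example's own, and only the arguments documented up to filter-blade-in are modelled.

```python
"""Validate and render a cp_log_export add/set command line (added example, not Check Point code).

Encodes the rules the guide states for the add syntax and for the arguments up to
filter-blade-in. Helper names (validate, build) and sample values are constructed.
"""
import shlex

ADD_MANDATORY = ("name", "target-server", "target-port", "protocol")
# Applicable only when the "encrypted" argument is "true" (per the guide).
TLS_ONLY = ("ca-cert", "client-cert", "client-secret")
# "Action" field values the guide lists as examples for filter-action-in.
KNOWN_ACTIONS = {"Accept", "Block", "Bypass", "Detect", "Drop",
                 "HTTPS Bypass", "HTTPS Inspect", "Prevent", "Reject"}


def filter_list(values):
    """Render filter-action-in / filter-blade-in: each value in double quotes,
    comma-separated, no spaces. An empty list is the documented 'false'."""
    return ",".join(f'"{v}"' for v in values) if values else "false"


def validate(command, spec, on_mds=False):
    """Return the list of rule violations for an add/set spec (empty list = valid)."""
    if command not in ("add", "set"):
        return [f"unsupported command for this helper: {command}"]
    problems = []
    missing = ADD_MANDATORY if command == "add" else ("name",)
    problems += [f"{key} is mandatory for {command}" for key in missing if key not in spec]
    if spec.get("protocol", "udp") not in ("udp", "tcp"):
        problems.append("protocol must be udp or tcp")
    port = spec.get("target-port", 514)
    if not (str(port).isdigit() and 1 <= int(port) <= 65535):
        problems.append("target-port must be 1-65535")
    if on_mds and "domain-server" not in spec:
        problems.append("domain-server is mandatory for add/set on a Multi-Domain Server")
    if "domain-server" in spec and spec["domain-server"] not in ("mds", "all"):
        problems.append("domain-server must be mds or all (lower case)")
    if spec.get("encrypted") is not True:
        problems += [f"{key} applies only when encrypted is true"
                     for key in TLS_ONLY if key in spec]
    if "export-link-ip" in spec and not (spec.get("export-link") or
                                         spec.get("export-attachment-link")):
        problems.append("export-link-ip applies only when export-link or "
                        "export-attachment-link is true")
    unknown = set(spec.get("filter-action-in", ())) - KNOWN_ACTIONS
    if unknown:
        problems.append(f"filter-action-in values not in the guide's list: {sorted(unknown)}")
    return problems


def build(command, spec, on_mds=False, apply_now=True):
    """Return a shell-safe command line, or raise ValueError listing every violation."""
    problems = validate(command, spec, on_mds)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["cp_log_export", command]
    for key, value in spec.items():
        if isinstance(value, bool):
            value = "true" if value else "false"
        elif isinstance(value, (list, tuple)):      # filter-action-in / filter-blade-in
            value = filter_list(value)
        argv += [key, str(value)]
    if apply_now:                                   # optional for add and set
        argv.append("--apply-now")
    # shlex.quote keeps the literal double quotes of a filter list intact through
    # the shell, so cp_log_export receives "Drop","Reject" exactly as the guide requires.
    return " ".join(shlex.quote(arg) for arg in argv)


# Constructed sample: TLS export of dropped/rejected traffic to a collector on 6514/tcp.
# The client-secret is a placeholder; on a real system it lands in shell history, so
# prefer supplying it from a file or prompt rather than a literal on the command line.
SAMPLE_EXPORTER = {
    "name": "siem-tls",
    "target-server": "10.1.1.5",
    "target-port": 6514,
    "protocol": "tcp",
    "encrypted": True,
    "ca-cert": "/home/admin/ca.pem",
    "client-cert": "/home/admin/client.p12",
    "client-secret": "REPLACE-WITH-P12-PHRASE",
    "filter-action-in": ["Drop", "Reject"],
}

if __name__ == "__main__":
    print(build("add", SAMPLE_EXPORTER))
    print(validate("add", {"name": "plain", "ca-cert": "/x.pem"}))
```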

Internal Command Arguments

For each argument, the last line shows whether the argument is Optional, Mandatory,
or not applicable (N/A) for these commands: add, set, delete, reexport, reconf, and
restart/show/status/start/stop.

--apply-now
    Applies immediately any change that was done with the "add", "set", "delete",
    or "reexport" command.
    add: Optional; set: Optional; delete: Mandatory; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: Mandatory

ca-cert <Path>
    Specifies the full path to the CA certificate file *.pem.
    Important - Applicable only when the value of the "encrypted" argument is
    "true".
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

client-cert <Path>
    Specifies the full path to the client certificate *.p12.
    Important - Applicable only when the value of the "encrypted" argument is
    "true".
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

client-secret <Phrase>
    Specifies the challenge phrase used to create the client certificate *.p12.
    Important - Applicable only when the value of the "encrypted" argument is
    "true".
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

domain-server {mds | all}
    On a Multi-Domain Server, specifies the applicable Domain Management Server
    context.
    On a Multi-Domain Log Server, specifies the applicable Domain Log Server
    context.
    Important:
    - "mds" (in small letters) - Exports all logs from only the main MDS level.
    - "all" (in small letters) - Exports all logs from all Domains.
    add: Mandatory; set: Mandatory; delete: Mandatory; reexport: N/A;
    reconf: Optional; restart/show/status/start/stop: Mandatory

enabled {true | false}
    Specifies whether to allow the Log Exporter to start when you run the
    "cpstart" on page 191 or "mdsstart" on page 725 command.
    Default: true
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

encrypted {true | false}
    Specifies whether to use TLS (SSL) encryption to send the logs.
    Default: false
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

export-attachment-link {true | false}
    Specifies whether to add a field to the exported logs that represents a link
    to SmartView that shows the log card and automatically opens the attachment.
    Default: false
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

export-link {true | false}
    Specifies whether to add a field to the exported logs that represents a link
    to SmartView that shows the log card.
    Default: false
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

export-link-ip {true | false}
    Specifies whether to make the links to SmartView use a custom IP address (for
    example, for a Log Server behind NAT).
    Important - Applicable only when the value of the "export-link" argument is
    "true", or the value of the "export-attachment-link" argument is "true".
    Default: false
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

filter-action-in {"Action1","Action2",... | false}
    Specifies whether to export all logs that contain a specific value in the
    "Action" field.
    Each value must be surrounded by double quotes (""). Multiple values are
    supported and must be separated by a comma without spaces.
    To see all valid values:
    1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.
    2. In the top query field, enter action: and a letter.
    Examples of values:
    - Accept
    - Block
    - Bypass
    - Detect
    - Drop
    - HTTPS Bypass
    - HTTPS Inspect
    - Prevent
    - Reject
    Important - This parameter replaces any other filter configuration that was
    declared earlier on this field directly in the filtering XML file. Other field
    filters are not overwritten.
    add: Optional; set: Optional; delete: N/A; reexport: N/A; reconf: N/A;
    restart/show/status/start/stop: N/A

filter-blade-in {"Blade1","Blade2",... | false}
    Specifies whether to export all logs that contain a specific value in the
    "Blade" field (the object name of the Software Blade that generated these
    logs).
    Each value must be surrounded by double quotes (""). Multiple values are
    supported and must be separated by a comma without spaces.
    To see all valid values:
    1. In SmartConsole, go to the Logs & Monitor view
and open the
Logs tab.

R80.40 CLI Reference Guide | 85


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

2. In the top
query field,
enter blade:
and a letter.
Examples of values:
n Anti-Bot
n Firewall
n HTTPS
Inspection
n Identity
Awareness
n IPS
Valid Software
Blade families:
n Access
n TP
n Endpoint
n Mobile

R80.40 CLI Reference Guide | 86


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

Important -
This parameter
replaces any
other filter
configuration
that was
declared earlier
on this field
directly in the
filtering XML
file. Other field
filters are not
overwritten.

R80.40 CLI Reference Guide | 87


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

filter- Specifies whether to Optio Optio N/A N/A N/A N/A


origin-in export all logs that nal nal
{"Origin1"," contain a specific
Origin2",... value in the "Origin"
| false} field (the object
name of the Security
Gateway / Cluster
Member that
generated these
logs).
Each origin value
must be surrounded
by double quotes
("").
Multiple values are
supported and must
be separated by a
comma without
spaces.

R80.40 CLI Reference Guide | 88


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

Important -
This parameter
replaces any
other filter
configuration
that was
declared earlier
on this field
directly in the
filtering XML
file. Other field
filters are not
overwritten.

format {cef Specifies the format, Optio Optio N/A N/A N/A N/A
| syslog} in which the logs are nal nal
exported.
Default: syslog

R80.40 CLI Reference Guide | 89


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

name Specifies the unique Man Man Man Opti Opti Man
"<Name>" name of the Log dator dator dator onal. onal. dator
Exporter y y y By By y
configuration. defa defa
ult, ult,
appli appli
es to es to
all. all.

R80.40 CLI Reference Guide | 90


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

Notes:
n Allowed
characters
are: Latin
letters, digits
("0-9"),
minus ("-"),
underscore
("_"), and
period (".").
n Must start
with a letter.
n The minimum
length is two
characters.
n The "add"
command
creates a new
target
directory with
the specified
unique name
in the
$EXPORTERD
IR/target
s/ directory.

R80.40 CLI Reference Guide | 91


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

protocol Specifies the Layer Man Optio N/A N/A N/A N/A
{tcp | udp} 4 Transport protocol dator nal
to use (TCP or y
UDP).
There is no default
value.

R80.40 CLI Reference Guide | 92


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

read-mode Specifies the mode, Optio Optio N/A N/A N/A N/A
{raw | semi- in which to read the nal nal
unified} log files.
n raw -
Specifies to
export log
records
without any
unification.
n semi-
unified -
Specifies to
export log
records with
step-by-step
unification.
That is, for
each log
record, export
a record that
unifies this
record with all
previously-
encountered
records with
the same ID.
Default: raw

R80.40 CLI Reference Guide | 93


cp_log_export

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

target-port Specifies the Man Optio N/A N/A N/A N/A


<Target- listening port on the dator nal
Server-Port> target server, to y
which you export the
logs.

target- Specifies the IP Man Optio N/A N/A N/A N/A


server address or FQDN of dator nal
<Target- the target server, to y
Server> which you export the
logs.

R80.40 CLI Reference Guide | 94


cpca_client
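The parameter table above states which values the "add" command treats as Mandatory and which characters a Log Exporter "name" may contain. The following POSIX shell script is an added example, not code from this guide or from Check Point: it checks those rules before an exporter target is created, builds the value list that the filter-*-in arguments expect, and prints the resulting cp_log_export add command line instead of executing it. It assumes the "key value" argument form that the guide's add syntax uses (name, target-server, target-port, protocol, format, encrypted, read-mode); the exporter names, target hosts and ports below are constructed sample values.

```shell
#!/bin/sh
# Added example (not Check Point's own code): build a "cp_log_export add"
# command line from shell variables, enforcing what the table says the "add"
# command requires (name, target-server, target-port, protocol) and the rules
# for the "name" value, then print the result instead of executing it.
# Exporter names, hosts and ports used below are constructed sample values.

# Log Exporter name rules from the table: Latin letters, digits, "-", "_" and
# "."; must start with a letter; at least two characters.
valid_exporter_name() {
    [ "${#1}" -ge 2 ] || return 1
    case "$1" in
        [!A-Za-z]*) return 1 ;;          # must start with a letter
        *[!A-Za-z0-9._-]*) return 1 ;;   # only letters, digits, ".", "_", "-"
    esac
    return 0
}

# Accept only an integer in 1..65535 for target-port.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the value for filter-action-in, filter-blade-in or filter-origin-in:
# every value in double quotes, comma separated, no spaces (table rule).
build_filter_list() {
    list=
    for v in "$@"; do
        list="${list}${list:+,}\"$v\""
    done
    printf '%s\n' "$list"
}

# Usage: build_log_export_add NAME TARGET_SERVER TARGET_PORT PROTOCOL [FORMAT] [ENCRYPTED] [READ_MODE]
# Prints the command line on success; reports the first problem on stderr and
# returns 1 otherwise. Defaults follow the table: format syslog, encrypted
# false, read-mode raw.
build_log_export_add() {
    name=$1 server=$2 port=$3 proto=$4
    format=${5:-syslog} encrypted=${6:-false} read_mode=${7:-raw}

    valid_exporter_name "$name" || { echo "invalid exporter name: '$name'" >&2; return 1; }
    [ -n "$server" ] || { echo "target-server is mandatory for add" >&2; return 1; }
    valid_port "$port" || { echo "invalid target-port: '$port'" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    case "$format" in cef|syslog) ;; *) echo "format must be cef or syslog" >&2; return 1 ;; esac
    case "$encrypted" in true|false) ;; *) echo "encrypted must be true or false" >&2; return 1 ;; esac
    case "$read_mode" in raw|semi-unified) ;; *) echo "read-mode must be raw or semi-unified" >&2; return 1 ;; esac

    # The table defaults "encrypted" to false: logs then leave the Log Server in clear text.
    [ "$encrypted" = true ] || echo "warning: $name exports logs without TLS" >&2

    printf 'cp_log_export add name %s target-server %s target-port %s protocol %s format %s encrypted %s read-mode %s\n' \
        "$name" "$server" "$port" "$proto" "$format" "$encrypted" "$read_mode"
}

# Demonstration with constructed values.
build_log_export_add siem-target-01 192.0.2.10 6514 tcp cef true
build_filter_list Accept Drop "HTTPS Inspect"
```

The script only prints the command; review the printed line and run it on the Log Server yourself. The warning for encrypted=false reflects the table's default, under which exported logs leave the Log Server unencrypted.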

cpca_client
Description
Execute operations on the Internal Certificate Authority (ICA).

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d]
create_cert <options>
double_sign <options>
get_crldp <options>
get_pubkey <options>
init_certs <options>
lscert <options>
revoke_cert <options>
revoke_non_exist_cert <options>
search <options>
set_cert_validity <options>
set_mgmt_tool <options>
set_sign_hash <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

create_cert <options>
    Issues a SIC certificate for the Security Management Server or Domain Management Server.
    See "cpca_client create_cert" on page 97.

double_sign <options>
    Creates a second signature for a certificate.
    See "cpca_client double_sign" on page 99.

get_crldp <options>
    Shows how to access a CRL file from a CRL Distribution Point.
    See "cpca_client get_crldp" on page 101.

get_pubkey <options>
    Saves the encoding of the public key of the ICA's certificate to a file.
    See "cpca_client get_pubkey" on page 103.

init_certs <options>
    Imports a list of DNs for users and creates a file with registration keys for each user.
    See "cpca_client init_certs" on page 104.

lscert <options>
    Shows all certificates issued by the ICA.
    See "cpca_client lscert" on page 105.

revoke_cert <options>
    Revokes a certificate issued by the ICA.
    See "cpca_client revoke_cert" on page 108.

revoke_non_exist_cert <options>
    Revokes a non-existent certificate issued by the ICA.
    See "cpca_client revoke_non_exist_cert" on page 111.

search <options>
    Searches for certificates in the ICA.
    See "cpca_client search" on page 112.

set_cert_validity <options>
    Configures the default certificate validity period for new certificates.
    See "cpca_client set_cert_validity" on page 114.

set_mgmt_tool <options>
    Controls the ICA Management Tool.
    See "cpca_client set_mgmt_tool" on page 116.

set_sign_hash <options>
    Sets the hash algorithm that the CA uses to sign the file hash.
    See "cpca_client set_sign_hash" on page 121.

cpca_client create_cert

Description
Issues a SIC certificate for the Security Management Server or Domain Management Server.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common Name>" -f <Full Path to PKCS12 file> [-w <Password>] [-k {SIC | USER | IKE | ADMIN_PKG}] [-c "<Comment for Certificate>"]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>"
    Sets the CN to the specified <Common Name>.

-f <Full Path to PKCS12 file>
    Specifies the PKCS12 file, which stores the certificate and keys.

-w <Password>
    Optional. Specifies the certificate password.

-k {SIC | USER | IKE | ADMIN_PKG}
    Optional. Specifies the certificate kind.

-c "<Comment for Certificate>"
    Optional. Specifies the certificate comment (must enclose in double quotes).

Example

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

cpca_client double_sign

Description
Creates a second signature for a certificate.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate File in PEM format> [-o <Full Path to Output File>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Certificate File in PEM format>
    Imports the specified certificate (only in PEM format).

-o <Full Path to Output File>
    Optional. Saves the certificate into the specified file.

Example

[Expert@MGMT:0]# cpca_client double_sign -i certificate.pem

Requesting Double Signature for the following Certificate:

refCount: 1
Subject: [email protected],CN=http://www.example.com/,OU=ValiCert Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:

======================
(
: (
:dn ("[email protected],CN=http://www.example.com/,OU=exampleOU Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#

cpca_client get_crldp

Description
Shows the Fully Qualified Domain Name (FQDN) configured for the Internal Certificate Authority (ICA) with the "cp_conf ca" on page 63 command.
The Management Server uses this FQDN:
1. To configure the Certificate Revocation List Distribution Point (CRL DP) property in all certificates that the ICA generates.
2. To create the URL for accessing the CRL.
Example: http://MyMGMT.checkpoint.com:18264/ICA_CRL1.crl

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_crldp [-p <ICA port number>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <ICA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18264.

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cpca_client get_crldp
MyMGMT.checkpoint.com
[Expert@MyMGMT:0]#

cpca_client get_pubkey

Description
Saves the encoding of the public key of the ICA's certificate to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to Output File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

<Full Path to Output File>
    Saves the encoding of the public key of the ICA's certificate to the specified file.

Example

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/key.txt
[Expert@MGMT:0]#
[Expert@MGMT:0]# cat /tmp/key.txt
3082010a... ... ...f98b8910
[Expert@MGMT:0]#

cpca_client init_certs

Description
Imports a list of Distinguished Names (DN) for users and creates a file with registration keys for
each user.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to Input File> -o <Full Path to Output File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Full Path to Input File>
    Imports the specified file.
    Make sure to use the full path.
    Make sure that there is an empty line between each DN in the specified file.
    Example:
    ...CN=test1,OU=users...
    <Empty Line>
    ...CN=test2,OU=users...

-o <Full Path to Output File>
    Saves the registration keys to the specified file.
    This command saves the error messages in the <Name of Output File>.failures file in the same directory.

cpca_client lscert

Description
Shows all certificates issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-kind {SIC | IKE | User | LDAP}] [-ser <Certificate Serial Number>] [-dp <Certificate Distribution Point>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <SubString>
    Optional. Filters the search results to those with a DN that matches the specified <SubString>.
    This command does not support multiple values.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Filters the search results to those with certificate status that matches the specified status.
    This command does not support multiple values.

-kind {SIC | IKE | User | LDAP}
    Optional. Filters the search results to those with certificate kind that matches the specified kind.
    This command does not support multiple values.

-ser <Certificate Serial Number>
    Optional. Filters the search results to those with certificate serial number that matches the specified serial number.
    This command does not support multiple values.

-dp <Certificate Distribution Point>
    Optional. Filters the search results to the specified Certificate Distribution Point (CDP).
    This command does not support multiple values.

Example

[Expert@MGMT:0]# cpca_client lscert -stat Revoked
Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client lscert -kind IKE
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

cpca_client revoke_cert

Description
Revokes a certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common Name>" -s <Certificate Serial Number>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>"
    Specifies the certificate CN.
    To get the CN, run the "cpca_client lscert" on page 105 command and examine the text that you see between the "Subject =" and the ",O=...".
    Example
    From this output:
    Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
    Status = Valid Kind = IKE Serial = 27214 DP = 1
    Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
    you get this syntax:
    -n "CN=VS1 VPN Certificate"
    Note - You can use the parameter "-n" only, or together with the parameter "-s".

-s <Certificate Serial Number>
    Specifies the certificate serial number.
    To see the serial number, run the "cpca_client lscert" on page 105 command.
    Note - You can use the parameter "-s" only, or together with the parameter "-n".

Example 1 - Revoking a certificate specified by its CN

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#

Example 2 - Revoking a certificate specified by its serial number

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#

cpca_client revoke_non_exist_cert

Description
Revokes a non-existent certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input File>

Parameters

-d
    Runs the cpca_client command under debug.

-i <Full Path to Input File>
    Specifies the file that contains the list of the certificates to revoke.
    You must create this file in the same format as the "cpca_client lscert" on page 105 command prints its output.
    Example
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 30287 DP = 0
    Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
    <Empty Line>
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 60870 DP = 0
    Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri Apr 7 19:40:13 2023

    Note - This command saves the error messages in the <Name of Input File>.failures file.
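The record format that "cpca_client lscert" (page 105) prints is also the input format that revoke_non_exist_cert expects: three lines per certificate, blocks separated by an empty line. The shell script below is an added example and not part of this guide or of Check Point's tooling. It parses that format so an administrator can list serials by status, flag Valid certificates whose Not_After date falls on or before a cut-off date (the check to run before an IKE or SIC certificate silently expires), and write the blocks for one status in the shape that "revoke_non_exist_cert -i" expects. The sample output is constructed from the records shown in the lscert examples above; the script never contacts the ICA, it only processes saved output.

```shell
#!/bin/sh
# Added example (not Check Point's own code). Parses the output format of
# "cpca_client lscert": lists serials by status, finds Valid certificates
# expiring on or before a cut-off date, and emits the blank-line-separated
# block file that "cpca_client revoke_non_exist_cert -i" expects.
# LSCERT_SAMPLE is constructed from the guide's example records.

LSCERT_SAMPLE=$(cat <<'EOF'
Operation succeeded. rc=0.
4 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
EOF
)

# Read lscert output on stdin; print one line per certificate:
#   serial status kind not_after(YYYYMMDD) subject
# awk paragraph mode (RS="") makes each blank-line-separated block a record.
lscert_parse() {
    awk '
    BEGIN {
        RS = ""; FS = "\n"
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /Subject = / {
        subject = ""; status = ""; kind = ""; serial = ""; after = 0
        for (i = 1; i <= NF; i++) {
            line = $i
            if (sub(/^Subject = /, "", line)) { subject = line; continue }
            n = split($i, w, " ")
            for (j = 1; j <= n; j++) {
                if (w[j] == "Status" && w[j+1] == "=") status = w[j+2]
                if (w[j] == "Kind"   && w[j+1] == "=") kind = w[j+2]
                if (w[j] == "Serial" && w[j+1] == "=") serial = w[j+2]
                # "Not_After: Sat Apr 8 14:10:01 2023" -> 20230408
                if (w[j] == "Not_After:")
                    after = w[j+5] * 10000 + mon[w[j+2]] * 100 + w[j+3]
            }
        }
        if (serial != "") print serial, status, kind, after, subject
    }'
}

# Serials of certificates whose Status equals $1, space separated on one line.
lscert_serials() {
    lscert_parse | awk -v want="$1" \
        '$2 == want { out = out (out == "" ? "" : " ") $1 } END { print out }'
}

# Serials of Valid certificates whose Not_After is on or before $1 (YYYYMMDD).
lscert_expiring_by() {
    lscert_parse | awk -v cutoff="$1" \
        '$2 == "Valid" && $4 <= cutoff + 0 { out = out (out == "" ? "" : " ") $1 } END { print out }'
}

# Blocks for certificates with Status $1, in the revoke_non_exist_cert -i
# format: the three lscert lines per certificate, separated by an empty line.
lscert_blocks() {
    awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n" }
    /Subject = / && index($0, "Status = " want " ") {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(Subject = |Status = |Not_Before: )/) print $i
        print ""
    }'
}

# Demonstration on the constructed sample; on a Management Server you would
# pipe the saved output of "cpca_client lscert" instead.
printf '%s\n' "$LSCERT_SAMPLE" | lscert_serials Revoked
printf '%s\n' "$LSCERT_SAMPLE" | lscert_expiring_by 20230410
printf '%s\n' "$LSCERT_SAMPLE" | lscert_blocks Revoked
```

Redirect lscert_blocks to a file and pass that file with -i; review the file first, since every block in it is submitted for revocation.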

cpca_client search

Description
Searches for certificates in the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] search <String> [-where {dn | comment | serial | device_type | device_id | device_name}] [-kind {SIC | IKE | User | LDAP}] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-max <Maximal Number of Results>] [-showfp {y | n}]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<String>
    Specifies the text to search in the certificates.
    You can enter only one text string that does not contain spaces.

-where {dn | comment | serial | device_type | device_id | device_name}
    Optional. Specifies the certificate's field, in which to search for the string:
    - dn - Certificate DN
    - comment - Certificate comment
    - serial - Certificate serial number
    - device_type - Device type
    - device_id - Device ID
    - device_name - Device Name
    The default is to search in all fields.

-kind {SIC | IKE | User | LDAP}
    Optional. Specifies the certificate kind to search.
    You can enter multiple values in this format:
    -kind <Kind1> <Kind2> <Kind3>
    The default is to search for all kinds.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Specifies the certificate status to search.
    You can enter multiple values in this format:
    -stat <Status1> <Status2> <Status3>
    The default is to search for all statuses.

-max <Maximal Number of Results>
    Optional. Specifies the maximal number of results to show.
    - Range: 1 and greater
    - Default: 200

-showfp {y | n}
    Optional. Specifies whether to show the certificate's fingerprint and thumbprint:
    - y - Shows the fingerprint and thumbprint (this is the default)
    - n - Does not show the fingerprint and thumbprint

Example 1

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

Example 2

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

Example 3

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn -showfp n
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#

cpca_client set_cert_validity

Description
This command configures the default certificate validity period for new certificates.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- The new certificate validity period applies only to certificates you create after this change.

Syntax

cpca_client set_cert_validity -k {SIC | IKE | USER} [-y <Number of Years>] [-d <Number of Days>] [-h <Number of Hours>] [-s <Number of Seconds>]

Parameters

-k {SIC | IKE | USER}
    Specifies the certificate type.

-y <Number of Years>
    Specifies the validity period in years.

-d <Number of Days>
    Specifies the validity period in days.

-h <Number of Hours>
    Specifies the validity period in hours.

-s <Number of Seconds>
    Specifies the validity period in seconds.

Example

[Expert@MGMT:0]# cpca_client set_cert_validity -k IKE -y 3
cert validity period was changed successfully.
[Expert@MGMT:0]#

cpca_client set_mgmt_tool

Description
Controls the ICA Management Tool.
This tool is disabled by default.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

See sk102837: Best Practices - ICA Management Tool configuration

Syntax

cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean | print} [-p <CA port number>] [{-a <Administrator DN> | -u <User DN> | -c <Custom User DN>}]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

on
    Starts the ICA Management Tool.

off
    Stops the ICA Management Tool.

add
    Adds the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

remove
    Removes the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

clean
    Removes all administrators, users, or custom users that are permitted to use the ICA Management Tool.

print
    Shows the configured administrators, users, or custom users that are permitted to use the ICA Management Tool.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18265.

-a <Administrator DN>
    Optional. Specifies the DN of the administrator that is permitted to use the ICA Management Tool.
    Must specify the full DN as it appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"

-u <User DN>
    Optional. Specifies the DN of the user that is permitted to use the ICA Management Tool.
    Must specify the full DN as it appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

-c <Custom User DN>
    Optional. Specifies the DN for the custom user that is permitted to use the ICA Management Tool.
    Must specify the full DN as it appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

Note - If you run the "cpca_client set_mgmt_tool" command without the parameter "-a" or "-u", the list of the permitted administrators and users is not changed. The previously defined permitted administrators and users can start and stop the ICA Management Tool.


To connect to the ICA Management Tool


1. In SmartConsole, configure the required administrator and user objects.
You must create a certificate for these administrators and users.
You use this certificate to configure the permitted users in the ICA Management Tool and
in the client web browsers.
2. In the command line on the Management Server, add the required administrators and
users that are permitted to use the ICA Management Tool.

cpca_client set_mgmt_tool add ...

3. In the command line on the Management Server, start the ICA Management Tool.

cpca_client set_mgmt_tool on

4. Check the status of the ICA Management Tool:

cpca_client set_mgmt_tool print

5. Import the administrator's / user's certificate into the Windows Certificate Store:
a. Right-click the *.p12 file you saved when you created the required administrator /
user, and click Install PFX.
The Certificate Import Wizard opens.

b. In the Store Location section, select the applicable option:
   - Current User (this is the default)
   - Local Machine

c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator / user certificate.
e. Clear Enable strong private key protection.
f. Select Mark this key as exportable.
g. Click Next.
h. Select Place all certificates in the following store > click Browse > select
Personal > click OK.
i. Click Next.
j. Click Finish.


6. In a web browser, connect to the ICA Management Tool:

https://<IP Address of the Management Server>:18265


Important - The fact that the TCP port 18265 is open is not a vulnerability. The
ICA Management Tool Portal is secured and protected by SSL. In addition, only
authorized administrators and users are allowed to access it using a certificate.

7. A dialog box with this message appears:


Client Authentication
Identification
The Web site you want to view requests identification.
Select the certificate to use when connecting.

8. Select the appropriate certificate for authenticating to the ICA Management Tool.
9. Click OK.
10. In the Security Alert dialog box, click Yes.

cpca_client set_sign_hash

Description
Sets the hash algorithm that the CA uses to sign the file hash. Also, see sk103840.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}


Important - After this change, you must restart the Check Point services with these
commands:
- On Security Management Server, run:
  1. cpstop
  2. cpstart
- On a Multi-Domain Server, run:
  1. mdsstop_customer <Name or IP Address of Domain Management Server>
  2. mdsstart_customer <Name or IP Address of Domain Management Server>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

{sha1 | sha256 | sha384 | sha512}
    The hash algorithm that the CA uses to sign the file hash.
    The default algorithm is SHA-256.


Example

[Expert@MGMT:0]# cpca_client set_sign_hash sha256
You have selected the signature hash function SHA-256
WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.
Are you sure? (y/n)
y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this has no security implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart

cpca_create
Description
Creates a new Check Point Internal Certificate Authority database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_create [-d] -dn <CA DN>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

-dn <CA DN>
    Specifies the Certificate Authority Distinguished Name (DN).

cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool configures specific settings for the installed Check Point products.

Syntax

cpconfig

Note - On a Multi-Domain Server, run the "mdsconfig" on page 717 command.


Menu Options

Note - The options shown depend on the configuration and installed products.

Menu Option Description

Licenses and contracts
    Manages Check Point licenses and contracts on this server.

Administrator
    Configures Check Point system administrators for this server.

GUI Clients
    Configures the GUI clients that can use SmartConsole to connect to this server.

SNMP Extension
    Obsolete. Do not use this option anymore.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System
    Management - Section SNMP.

Random Pool
    Configures the RSA keys, to be used by Gaia Operating System.

Certificate Authority
    Initializes the Internal Certificate Authority (ICA) and configures the
    Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).

Certificate's Fingerprint
    Shows the ICA's Fingerprint.
    This fingerprint is a text string derived from the server's ICA certificate.
    This fingerprint verifies the identity of the server when you connect to it with
    SmartConsole.

Automatic start of Check Point Products
    Shows and controls which of the installed Check Point products start
    automatically during boot.

Exit
    Exits from the Check Point Configuration Tool.


Example - Menu on a Security Management Server

[Expert@MyMGMT:0]# cpconfig
This program will let you re-configure
your Check Point Security Management Server configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) Random Pool
(6) Certificate Authority
(7) Certificate's Fingerprint
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

cpinfo
Description
A utility that collects diagnostics data on your Check Point computer at the time of execution.
It is mandatory to collect these data when you contact Check Point Support about an issue on
your Check Point server.
For more information, see sk92739.

cplic
Description
The cplic command manages Check Point licenses.
You can run this command in Gaia Clish or in the Expert mode.
License Management is divided into three types of commands:

Licensing Commands / Applies To / Description

Local licensing commands
    Applies to: Management Servers, Security Gateways and Cluster Members
    You execute these commands locally on the Check Point computers.

Remote licensing commands
    Applies to: Management Servers only
    You execute these commands on the Security Management Server or Domain
    Management Server.
    These changes affect the managed Security Gateways and Cluster Members.

License Repository commands
    Applies to: Management Servers only
    You execute these commands on the Security Management Server or Domain
    Management Server.
    These changes affect the licenses stored in the local license repository.

For more about managing licenses, see the R80.40 Security Management Administration
Guide.

Syntax for Local Licensing on a Management Server itself

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>


Syntax for Remote Licensing on managed Security Gateways and Cluster Members

cplic [-d]
{-h | -help}
del <options>
get <options>
put <options>
upgrade <options>

Syntax for License Database Operations on a Management Server

cplic [-d]
{-h | -help}
db_add <options>
db_print <options>
db_rm <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

{-h | -help}
    Shows the applicable built-in usage.

check <options>
    Confirms that the license includes the feature on the local Security Gateway or
    Management Server.
    See "cplic check" on page 131.

contract <options>
    Manages (deletes and installs) the Check Point Service Contract on the local
    Check Point computer.
    See "cplic contract" on page 133.

db_add <options>
    Applies only to a Management Server.
    Adds licenses to the license repository on the Management Server.
    See "cplic db_add" on page 135.


db_print <options>
    Applies only to a Management Server.
    Shows the details of Check Point licenses stored in the license repository on the
    Management Server.
    See "cplic db_print" on page 137.

db_rm <options>
    Applies only to a Management Server.
    Removes a license from the license repository on the Management Server.
    See "cplic db_rm" on page 139.

del <options>
    Deletes a Check Point license on a host, including unwanted evaluation, expired,
    and other licenses.
    See "cplic del" on page 140.

del <Object Name> <options>
    Detaches a Central license from a remote managed Security Gateway or Cluster
    Member.
    See "cplic del <object name>" on page 141.

get <options>
    Applies only to a Management Server.
    Retrieves all licenses from managed Security Gateways and Cluster Members into
    the license repository on the Management Server.
    See "cplic get" on page 142.

print <options>
    Prints details of the installed Check Point licenses on the local Check Point
    computer.
    See "cplic print" on page 144.

put <options>
    Installs and attaches licenses on a Check Point computer.
    See "cplic put" on page 146.

put <Object Name> <options>
    Attaches one or more Central or Local licenses to remote managed Security
    Gateways and Cluster Members.
    See "cplic put <object name>" on page 148.

upgrade <options>
    Applies only to a Management Server.
    Upgrades licenses in the license repository with licenses in the specified
    license file.
    See "cplic upgrade" on page 151.

cplic check

Description
Confirms that the license includes the feature on the local Security Gateway or Management
Server. See sk66245.

Syntax

cplic check {-h | -help}


cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t
<Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

-p <Product>
    Product, for which license information is requested.
    Some examples of products:
    - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member (all
      blades), or Management Server (all blades)
    - mgmt - Multi-Domain Server infrastructure
    - services - Entitlement for various services
    - cvpn - Mobile Access
    - etm - QoS (FloodGate-1)
    - eps - Endpoint Software Blades on Management Server

-v <Version>
    Product version, for which license information is requested.

{-c | -count}
    Outputs the number of licenses connected to this feature.


-t <Date>
    Checks license status on a future date.
    Use the format ddmmyyyy.
    A feature can be valid on a given date on one license, but invalid on another.

{-r | -routers}
    Checks how many routers are allowed.
    The <Feature> option is not needed.

{-S | -SRusers}
    Checks how many SecuRemote users are allowed.

<Feature>
    Feature, for which license information is requested.

Example from a Management Server


[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1 fw1:6.0:rt
fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit fw1:6.0:prov
fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes
fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades
fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability


[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

Example from a Security Gateway


[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf fw1:6.0:av
fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect fw1:6.0:pam
etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited fw1:6.0:des
fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam
fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm
fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member


[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#

cplic contract

Description
Deletes the Check Point Service Contract on the local Check Point computer.
Installs the Check Point Service Contract on the local Check Point computer.

Note
- For more information about Service Contract files, see sk33089: What is a
  Service Contract File?
- If you install a Service Contract on a managed Security Gateway / Cluster
  Member, you must update the license repository on the applicable Management
  Server - either with the "cplic get" on page 142 command, or in SmartUpdate.

Syntax

cplic contract -h
cplic [-d] contract
      del
            -h
            <Service Contract ID>
      put
            -h
            [{-o | -overwrite}] <Service Contract File>


Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

del
    Deletes the Service Contract from the $CPDIR/conf/cp.contract file on the local
    Check Point computer.

put
    Merges the Service Contract to the $CPDIR/conf/cp.contract file on the local
    Check Point computer.

<Service Contract ID>
    ID of the Service Contract.

{-o | -overwrite}
    Specifies to overwrite the current Service Contract.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your Check Point User
    Center account.

cplic db_add

Description
Adds licenses to the license repository on the Management Server.
When you add Local licenses to the license repository, the Management Server automatically
attaches them to the managed Security Gateway / Cluster Member with the matching IP
address.
When you add Central licenses, you must manually attach them.

Note - You get the license details in the Check Point User Center.

Syntax

cplic db_add {-h | -help}


cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Features>]

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Management Server / Domain Management
    Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
    Case sensitive. Hyphens are optional.


<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example, CPSUITE-EVAL-3DES-vNG

Example
If the file 192.0.2.11.lic contains one or more licenses, the command
"cplic db_add -l 192.0.2.11.lic" produces output similar to:

[Expert@MGMT]# cplic db_add -l 192.0.2.11.lic
Adding license to database ...
Operation Done
[Expert@MGMT]#

cplic db_print

Description
Shows the details of Check Point licenses stored in the license repository on the Management
Server.

Syntax

cplic db_print {-h | -help}


cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x]
[{-t | -type}] [{-a | -attached}]

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

<Object Name>
    Prints only the licenses attached to <Object Name>.
    <Object Name> is the name of the Security Gateway / Cluster Member object as
    defined in SmartConsole.

-all
    Prints all the licenses in the license repository.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signatures.

{-t | -type}
    Prints licenses with their type: Central or Local.

{-a | -attached}
    Shows to which object the license is attached.
    Useful, if the parameter "-all" is specified.


Example

[Expert@MGMT:0]# cplic db_print -all
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#

cplic db_rm

Description
Removes a license from the license repository on the Management Server.
After you remove the license from the repository, it can no longer be used.

Warning - You can run this command ONLY after you detach the license with the
"cplic del" on page 140 command.

Syntax

cplic db_rm {-h | -help}


cplic [-d] db_rm <Signature>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 144 command.

Example
[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic del

Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other
licenses.
This command can delete a license both on the local computer and on remote managed
computers.

Syntax

cplic del {-h | -help}


cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

-F <Output File>
    Saves the command output to the specified file.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 144 command.

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined in
    SmartConsole.

cplic del <object name>

Description
Detaches a Central license from a remote managed Security Gateway or Cluster Member.
When you run this command, it automatically updates the license repository.
The Central license remains in the license repository as an unattached license.

Syntax

cplic del {-h | -help}


cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP
Address>] <Signature>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined in
    SmartConsole.

-F <Output File>
    Saves the command output to the specified file.

-ip <Dynamic IP Address>
    Deletes the license on the DAIP Security Gateway with the specified IP address.
    Note - If this parameter is used, then the object name must be a DAIP Security
    Gateway.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 144 command.

cplic get

Description
Retrieves all licenses from managed Security Gateways and Cluster Members into the license
repository on the Management Server.
This command helps synchronize the license repository with the managed Security Gateways
and Cluster Members.
When you run this command, it updates the license repository with all local changes.

Syntax

cplic get {-h | -help}


cplic [-d] get
-all
<IP Address>
<Host Name>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

-all
    Retrieves licenses from all Security Gateways and Cluster Members in the managed
    network.

<IP Address>
    The IP address of the Security Gateway / Cluster Member, from which licenses are
    to be retrieved.

<Host Name>
    The name of the Security Gateway / Cluster Member object as defined in
    SmartConsole, from which licenses are to be retrieved.


Example
If the Security Gateway with the object name MyGW contains four Local licenses, and the
license repository contains two other Local licenses, the command "cplic get MyGW"
produces output similar to this:

[Expert@MGMT:0]# cplic get MyGW
Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#

cplic print

Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed
licenses (both Local and Central).

Syntax

cplic print {-h | -help}


cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>]
[{-p | -preatures}] [-D]

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signature.

{-t | -type}
    Prints licenses showing their type: Central or Local.

-F <Output File>
    Saves the command output to the specified file.

{-p | -preatures}
    Prints licenses resolved to primitive features.

-D
    On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print


Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#


Example 2

[Expert@HostName:0]# cplic print -x


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#
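As an added example (not part of this guide or of the cplic tool), a POSIX shell script that reads "cplic print" output in the layout shown above and reports licenses that are expired or expire within a given number of days, taking "today" in the same ddmmyyyy format that "cplic check -t <Date>" uses. The sample output, hosts, SKUs and certificate keys below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: scan "cplic print" output
# for licenses that are expired or expire within N days. "Today" is given in
# the same ddmmyyyy format that "cplic check -t <Date>" takes. Integer-only
# POSIX sh arithmetic, so it does not depend on GNU date being present.

# jdn <year> <month> <day>: Julian Day Number of a civil date.
jdn() {
    _a=$(( (14 - $2) / 12 ))
    _y=$(( $1 + 4800 - _a ))
    _m=$(( $2 + 12 * _a - 3 ))
    echo $(( $3 + (153 * _m + 2) / 5 + 365 * _y + _y / 4 - _y / 100 + _y / 400 - 32045 ))
}

# mon_num <Jan..Dec>: month abbreviation as cplic prints it -> month number.
mon_num() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# days_until <Expiration as cplic prints it, e.g. 25Aug2019> <today as ddmmyyyy>
# Prints the days left until expiration (negative once expired), or "never"
# for a perpetual license. Returns 1 when either date cannot be parsed.
days_until() {
    exp=$1; today=$2
    case "$exp" in [Nn]ever) echo never; return 0 ;; esac
    case "$today" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    ed=${exp%%[A-Za-z]*}; rest=${exp#"$ed"}      # "25"  and "Aug2019"
    emon=${rest%%[0-9]*};  ey=${rest#"$emon"}    # "Aug" and "2019"
    [ -n "$ed" ] && [ -n "$ey" ] || return 1
    em=$(mon_num "$emon") || return 1
    td=${today%??????}; tm=${today#??}; tm=${tm%????}; ty=${today#????}
    # Drop a leading zero so that "08" is not read as an octal literal.
    ed=${ed#0}; td=${td#0}; tm=${tm#0}
    echo $(( $(jdn "$ey" "$em" "$ed") - $(jdn "$ty" "$tm" "$td") ))
}

# report_expiring <days> <today as ddmmyyyy>: reads "cplic print" output on
# stdin and prints one line per license that is expired or expires within <days>.
report_expiring() {
    limit=$1; now=$2
    while read -r host exp features; do
        case "$host" in ''|Host) continue ;; esac    # skip blank and header lines
        if ! left=$(days_until "$exp" "$now"); then
            echo "UNPARSED $host expiration '$exp'"
        elif [ "$left" = never ]; then
            :                                        # perpetual license, nothing to do
        elif [ "$left" -lt 0 ]; then
            echo "EXPIRED  $host $exp ($(( -left )) days ago) $features"
        elif [ "$left" -le "$limit" ]; then
            echo "EXPIRING $host $exp (in $left days) $features"
        fi
    done
}

# Constructed sample in the layout of "cplic print"; hosts, SKUs and
# certificate keys are placeholders, not real license data.
SAMPLE_CPLIC_PRINT='Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
192.168.3.29 Never CPSB-SWB CPSB-ADNC-M CK0123456789ab
192.168.3.30 14Jan2016 CPSUITE-EVAL-3DES-vNG CK-YYYYYYYYYYYY'

# On a live system, replace the sample with:  cplic print | report_expiring 30 "$(date +%d%m%Y)"
printf '%s\n' "$SAMPLE_CPLIC_PRINT" | report_expiring 30 01082019
```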

cplic put

Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}


cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}]
[-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File>
[<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

{-o | -overwrite}
    On a Security Gateway / Cluster Member, this command erases only the local
    licenses, but not central licenses that are installed remotely.

{-c | -check-only}
    Verifies the license. Checks if the IP of the license matches the Check Point
    computer and if the signature is valid.

{-s | -select}
    Selects only the local license whose IP address matches the IP address of the
    Check Point computer.

-F <Output File>
    Saves the command output to the specified file.

{-P | -Pre-boot}
    Use this option after you have upgraded and before you reboot the Check Point
    computer.
    Use of this option will prevent certain error messages.


{-K | -kernel-only}
    Pushes the current valid licenses to the kernel.
    For use by Check Point Support only.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Gateway / Cluster Member for a local
    license.
    Hostname or IP address of the Security Management Server / Domain Management
    Server for a central license.

<Expiration Date>
    The license expiration date.

<Signature>
    The signature string within the license.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

Parameter Description

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic


Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#

cplic put <object name>

Description
Attaches one or more Central or Local licenses to remote managed Security Gateways and
Cluster Members.
When you run this command, it automatically updates the license repository.

Note
- You get the license details in the Check Point User Center.
- You can attach more than one license.

Syntax

cplic put {-h | -help}


cplic [-d] put <Object Name> [-ip <Dynamic IP Address>] [-F <Output File>]
-l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Feature>]


Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or
    use the script command to save the entire CLI session.

<Object Name>
    The name of the Security Gateway / Cluster Member object, as defined in
    SmartConsole.

-ip <Dynamic IP Address>
    Installs the license on the Security Gateway with the specified IP address.
    This parameter is used to install a license on a Security Gateway with a
    dynamically assigned IP address (DAIP).
    Note - If you use this parameter, then the object name must be that of a DAIP
    Security Gateway.

-F <Output File>
    Saves the command output to the specified file.

-l <License File>
    Installs the licenses from the <License File>.

<Host>
    Hostname or IP address of the Security Management Server / Domain Management
    Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG


Copy and paste the parameters from the license received from the User Center:

Parameter Description

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

cplic upgrade

Description
Upgrades licenses in the license repository with licenses in the specified license file.

Note - You get this license file in the Check Point User Center.

Syntax

cplic upgrade {-h | -help}


cplic [-d] upgrade -l <Input File>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-l <Input File>
    Upgrades the licenses in the license repository and Check Point Security
    Gateways / Cluster Members to match the licenses in the specified file.

Example
This example explains the procedure to upgrade the licenses in the license repository.
There are two Software Blade licenses in the input file:
- One license does not match any license on a remote managed Security Gateway.
- The other license matches an NGX-version license on a managed Security Gateway that
  has to be upgraded.
Workflow in this example:
1. Upgrade the Security Management Server to the latest version.
   Ensure that there is connectivity between the Security Management Server and the
   Security Gateways with the previous product versions.
2. Import all licenses into the license repository.
   You can also do this after you upgrade the products on the remote Security Gateways.
3. Run this command:

R80.40 CLI Reference Guide | 151


cplic upgrade

cplic get -all

Example:

[Expert@MyMGMT]# cplic get -all
Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

4. To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:

[Expert@MyMGMT]# cplic db_print -all -a
Retrieving license information from database ...

The following licenses appear in the database:
==================================================
Host          Expiration   Features
192.0.2.11    Never        CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11    26Nov2017    CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2

5. In the Check Point User Center, view the licenses for the products that were upgraded
   from version NGX to a Software Blades license.
   You can also create new upgraded licenses.
6. Download a file containing the upgraded licenses.
   Only download licenses for the products that were upgraded from version NGX to
   Software Blades.
7. If you did not import the version NGX licenses into the repository, import the version NGX
   licenses now.

   Use this command:

   cplic get -all

8. Run the license upgrade command:

   cplic upgrade -l <Input File>

   • The licenses in the downloaded license file and in the license repository are
     compared.
   • If the certificate keys and features match, the old licenses in the repository and in
     the remote Security Gateways are updated with the new licenses.
   • A report of the results of the license upgrade is printed.
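
The repository listing from step 4 and the certificate-key matching of step 8, worked through as an added example (not Check Point code): a parser for the captured output of cplic db_print -all -a that flags expired or soon-expiring licenses and lists the entries a given set of certificate keys would match. The sample output is constructed from the layout shown above, and the DDMonYYYY date form and "CK" + hex certificate-key form are assumed from that sample.

```python
"""Parse the table printed by 'cplic db_print -all -a' and report the state of each license.

Added example, not Check Point code. It works on the captured output of the command
(copy it from the Security Management Server) and is exercised here on a constructed
sample that copies the layout shown in step 4 above.
"""
from datetime import datetime
import re

# Constructed sample modelled on the output shown in step 4 above.
SAMPLE_DB_PRINT = """\
Retrieving license information from database ...

The following licenses appear in the database:
==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2
"""

# Certificate keys in the sample look like "CK" followed by hex digits (assumption).
CK_RE = re.compile(r"^CK[0-9A-Fa-f]+$")


def parse_expiration(text):
    """'Never' -> None; otherwise the DDMonYYYY date cplic prints, as a date object."""
    if text.lower() == "never":
        return None
    return datetime.strptime(text, "%d%b%Y").date()


def parse_db_print(output):
    """One dict per license row: host, expiration, features, certificate_key, object."""
    records = []
    in_table = False
    for line in output.splitlines():
        fields = line.split()
        if fields[:3] == ["Host", "Expiration", "Features"]:
            in_table = True
            continue
        if not in_table or len(fields) < 4:
            continue
        host, expiration, *rest = fields
        # Last column: the object the license is attached to (MyGW1 / MyGW2 in the
        # sample); everything in between is the SKU/feature string plus the CK.
        features = rest[:-1]
        cks = [f for f in features if CK_RE.match(f)]
        records.append({
            "host": host,
            "expiration": parse_expiration(expiration),
            "features": [f for f in features if not CK_RE.match(f)],
            "certificate_key": cks[0] if cks else None,
            "object": rest[-1],
        })
    return records


def license_status(records, today, warn_days=30):
    """Map object name -> 'permanent', 'expired', 'expiring' (within warn_days) or 'valid'."""
    status = {}
    for rec in records:
        exp = rec["expiration"]
        if exp is None:
            state = "permanent"
        elif exp < today:
            state = "expired"
        elif (exp - today).days <= warn_days:
            state = "expiring"
        else:
            state = "valid"
        status[rec["object"]] = state
    return status


def match_by_certificate_key(records, upgraded_cks):
    """Objects whose repository license carries one of the CKs from the upgraded file.

    This is only the certificate-key half of the comparison in step 8; cplic upgrade
    also requires the features to match before it replaces a license.
    """
    wanted = {ck.upper() for ck in upgraded_cks}
    return [rec["object"] for rec in records
            if rec["certificate_key"] and rec["certificate_key"].upper() in wanted]


if __name__ == "__main__":
    recs = parse_db_print(SAMPLE_DB_PRINT)
    for obj, state in license_status(recs, datetime.now().date()).items():
        print(f"{obj}: {state}")
    print("matched by CK:", match_by_certificate_key(recs, ["CK0123456789ab"]))
```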


For more about managing licenses, see the R80.40 Security Management Administration
Guide.

cppkg
Description
Manages the SmartUpdate software packages repository on the Security Management
Server.

Important - Installing software packages with the SmartUpdate is not supported for
Security Gateways running on Gaia OS.

Syntax

cppkg
      add <options>
      {del | delete} <options>
      get
      getroot
      print
      setroot <options>

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  MDS (run mdsenv).


Parameters

Parameter                 Description

add <options>             Adds a SmartUpdate software package to the repository.
                          See "cppkg add" on page 156.

{del | delete} <options>  Deletes a SmartUpdate software package from the repository.
                          See "cppkg delete" on page 157.

get                       Updates the list of the SmartUpdate software packages in the
                          repository.
                          See "cppkg get" on page 159.

getroot                   Shows the path to the root directory of the repository (the value of
                          the environment variable $SUROOT).
                          See "cppkg getroot" on page 160.

print                     Prints the list of SmartUpdate software packages in the repository.
                          See "cppkg print" on page 161.

setroot <options>         Configures the path to the root directory of the repository.
                          See "cppkg setroot" on page 162.

cppkg add

Description
Adds a SmartUpdate software package to the SmartUpdate software packages repository.

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
• This command does not overwrite existing packages. To overwrite an existing
  package, you must first delete the existing package.
• You get the SmartUpdate software packages from the Check Point Support
  Center.

Syntax

cppkg add <Full Path to Package | DVD Drive [Product]>

Parameters

Parameter               Description

<Full Path to Package>  Specifies the full local path on the computer to the SmartUpdate
                        software package.

DVD Drive [Product]     Specifies the DVD root path.
                        Example: /mnt/CPR80

Example - Adding R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz
Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg delete

Description
Deletes SmartUpdate software packages from the SmartUpdate software packages
repository.

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

Parameters

Parameter          Description

del | delete       When you do not specify optional parameters, the command runs in the
                   interactive mode. The command shows the menu with applicable options.

"<Vendor>"         Specifies the package vendor. Enclose in double quotes.

"<Product>"        Specifies the product name. Enclose in double quotes.

"<Major Version>"  Specifies the package Major Version. Enclose in double quotes.

"<OS>"             Specifies the package OS. Enclose in double quotes.

"<Minor Version>"  Specifies the package Minor Version. Enclose in double quotes.

Notes:
• To see the values for the optional parameters, run the "cppkg print" on page 161
  command.
• You must specify all optional parameters, or no parameters.

Example 1 - Interactive mode

[Expert@MGMT:0]# cppkg delete

Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository

[Expert@MGMT:0]#

Example 2 - Manually deleting the specified package

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#
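
Example 2 typed by hand, as an added example (not Check Point code): the values for the five quoted parameters come from cppkg print, but "Check Point" and "Gaia Embedded" contain spaces, so a row cannot be split on whitespace. The parser below reads each value by the column position of its title in the header line and emits the complete quoted command, since the notes above allow either all parameters or none; the aligned fixed-width layout of the constructed sample is an assumption modelled on the output shown above.

```python
"""Build the fully quoted 'cppkg delete' command from the table printed by 'cppkg print'.

Added example, not Check Point code. The fixed-width layout of the sample is an
assumption modelled on the output shown in the examples above.
"""
import subprocess

# Constructed sample: the package from the examples above, laid out in aligned columns.
SAMPLE_CPPKG_PRINT = """\
Vendor            Product      Version    OS                 Minor Version
----------------------------------------------------------------------------------
Check Point       CP1100       R77.20     Gaia Embedded      R77.20
"""

COLUMNS = ("Vendor", "Product", "Version", "OS", "Minor Version")


def column_offsets(header):
    """Start offset of each column, taken from where its title sits in the header line."""
    offsets = []
    search_from = 0
    for title in COLUMNS:
        pos = header.index(title, search_from)   # "Version" before "Minor Version"
        offsets.append(pos)
        search_from = pos + len(title)
    return offsets


def parse_cppkg_print(output):
    """Return one dict per package row, keyed by the column titles."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = next(ln for ln in lines if ln.startswith("Vendor"))
    offsets = column_offsets(header)
    bounds = list(zip(offsets, offsets[1:] + [None]))
    packages = []
    for ln in lines[lines.index(header) + 1:]:
        if set(ln.strip()) == {"-"}:          # separator row under the header
            continue
        values = [ln[start:end].strip() for start, end in bounds]
        packages.append(dict(zip(COLUMNS, values)))
    return packages


def delete_argv(pkg):
    """argv for 'cppkg delete' with all five values; no shell quoting needed this way."""
    return ["cppkg", "delete"] + [pkg[c] for c in COLUMNS]


def delete_command_line(pkg):
    """The same command as it would be typed in Expert mode, each value in double quotes."""
    return "cppkg delete " + " ".join(f'"{pkg[c]}"' for c in COLUMNS)


def delete_package(pkg):
    """Run the non-interactive delete (only meaningful on a Security Management Server)."""
    return subprocess.run(delete_argv(pkg), check=False).returncode


if __name__ == "__main__":
    for pkg in parse_cppkg_print(SAMPLE_CPPKG_PRINT):
        print(delete_command_line(pkg))
```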

cppkg get

Description
Updates the list of the SmartUpdate software packages in the SmartUpdate software
packages repository based on the real content of the repository.

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg get

Example

[Expert@MGMT:0]# cppkg get
Update successfully completed
[Expert@MGMT:0]#

cppkg getroot

Description
Shows the path to the root directory of the SmartUpdate software packages repository (the
value of the environment variable $SUROOT)

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg getroot

Example

[Expert@MGMT:0]# cppkg getroot
[cppkg 7119 4128339728]@MGMT[29 May 19:16:06] Current repository root is set to :
/var/log/cpupgrade/suroot
[Expert@MGMT:0]#

cppkg print

Description
Prints the list of SmartUpdate software packages in the SmartUpdate software packages
repository.

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg print

Example - R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print
Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg setroot

Description
Configures the path to the root directory of the SmartUpdate software packages repository.

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
• The default path is: /var/log/cpupgrade/suroot
• When changing repository root directory:
  ◦ This command copies the software packages from the old repository to
    the new repository. A package in the new location is overwritten by a
    package from the old location, if the packages have the same name.
  ◦ This command updates the value of the environment variable $SUROOT in
    the Check Point Profile shell scripts ($CPDIR/tmp/.CPprofile.sh and
    $CPDIR/tmp/.CPprofile.csh).

Syntax

cppkg setroot <Full Path to Repository Root Directory>

Example

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory

Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :

1. Old repository content will be copied into the new repository
2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/log/my_directory

Notice : To complete the setting of your directory, reboot the machine!

[Expert@MGMT:0]#

cpprod_util
Description
This utility works with Check Point Registry ($CPDIR/registry/HKLM_registry.data)
without manually opening it:
• Shows which Check Point products and features are enabled on this Check Point
  computer.
• Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}

cpprod_util -dump

Parameters

Parameter        Description

CPPROD_GetValue  Gets the configuration status of the specified product or feature:
                 • 0 - Disabled
                 • 1 - Enabled

CPPROD_SetValue  Sets the configuration for the specified product or feature.
                 Important - Do not run these commands unless explicitly instructed
                 by Check Point Support or R&D to do so.

"<Product>"      Specifies the product or feature.

"<Parameter>"    Specifies the configuration parameter for the specified product or feature.

"<Value>"        Specifies the value of the configuration parameter for the specified
                 product or feature:
                 • One of these integers: 0, 1, 4
                 • A string

dump             Creates a dump file of Check Point Registry ($CPDIR/registry/HKLM_registry.data)
                 in the current working directory. The name of the output file is RegDump.


Notes
• On a Multi-Domain Server, you must run this command in the context of the relevant
  Domain Management Server.
• If you run the cpprod_util command without parameters, it prints:
  ◦ The list of all available products and features (for example,
    "FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
  ◦ The type of the expected argument when you configure a product or feature
    ("no-parameter", "string-parameter", or "integer-parameter")
  ◦ The type of the returned output ("status-output", or "no-output")
• To redirect the output of the cpprod_util command, it is necessary to redirect the
  stderr to stdout:

  cpprod_util <options> > <output file> 2>&1

  Example:

  cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1
Examples
Example - Showing a list of all installed Check Point Products Packages on a Management
Server
[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#


Example - Checking if this Check Point computer is configured as a Management Server
[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone
[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability
[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability
[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability
[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server
[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled
[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is
enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#


Example - Checking if on this Management Server the Endpoint Policy Management blade is
enabled
[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Endpoint Policy Server
[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

Example - Showing a list of all installed Check Point Products Packages on a Security Gateway
[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway
[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled
[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the SmartProvisioning is enabled
[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode
[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of Full HA cluster
[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#


Example - Checking if this Security Gateway is configured with Dynamically Assigned IP (DAIP)
[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses
[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#
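
The single-flag checks above, collected into one inventory as an added example (not Check Point code): the queries are run with stderr merged into stdout, as the redirection note in this section requires, and any answer that is not a lone 0 or 1 is reported as unknown rather than treated as disabled. The role descriptions are taken from the example headings above; the runner is injectable, and the answers used here are constructed to reproduce the Management Server examples.

```python
"""Collect the cpprod_util FwIs*/RtIs*/UepmIs* answers shown above into one role report.

Added example, not Check Point code. cpprod_util writes to stderr, so the real runner
merges stderr into stdout (the 2>&1 from the note above). The command is only invoked
on a Check Point computer; a stand-in runner with constructed answers is used otherwise.
"""
import subprocess

# Flags from the examples above, grouped by the kind of computer they describe.
MANAGEMENT_FLAGS = {
    "FwIsFirewallMgmt": "Management Server",
    "FwIsStandAlone": "Standalone",
    "FwIsPrimary": "Primary in High Availability",
    "FwIsActiveManagement": "Active in High Availability",
    "FwIsSMCBackup": "Backup in High Availability",
    "FwIsLogServer": "dedicated Log Server",
    "FwIsAtlasManagement": "SmartProvisioning blade",
    "RtIsAnalyzerServer": "SmartEvent Server blade",
    "RtIsAnalyzerCorrelationUnit": "SmartEvent Correlation Unit blade",
    "UepmIsInstalled": "Endpoint Policy Management blade",
    "UepmIsPolicyServer": "Endpoint Policy Server",
}
GATEWAY_FLAGS = {
    "FwIsVSX": "VSX Gateway",
    "FwIsFloodGate": "QoS blade",
    "FwIsAtlasModule": "SmartProvisioning",
    "FwIsBridge": "Bridge Mode",
    "FwIsFullHA": "Full HA cluster member",
    "FwIsDAG": "Dynamically Assigned IP (DAIP)",
    "FwIsFireWallIPv6": "IPv6 addresses",
}


def run_cpprod_util(flag):
    """Run 'cpprod_util <flag>' with stderr merged into stdout, as the note above requires."""
    proc = subprocess.run(["cpprod_util", flag], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True, check=False)
    return proc.stdout


def interpret(output):
    """True/False for a lone 1/0; None for anything else (error text, unknown flag)."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if len(lines) == 1 and lines[0] in ("0", "1"):
        return lines[0] == "1"
    return None


def role_report(flags, run=run_cpprod_util):
    """Return {description: True | False | None} for every flag in the mapping."""
    return {desc: interpret(run(flag)) for flag, desc in flags.items()}


def enabled_roles(report):
    """Descriptions whose flag answered 1, in mapping order."""
    return [desc for desc, state in report.items() if state is True]


# Constructed answers that reproduce the Management Server examples above.
SAMPLE_MGMT_ANSWERS = {
    "FwIsFirewallMgmt": "1\n", "FwIsStandAlone": "0\n", "FwIsPrimary": "1\n",
    "FwIsActiveManagement": "1\n", "FwIsSMCBackup": "1\n", "FwIsLogServer": "1\n",
    "FwIsAtlasManagement": "1\n", "RtIsAnalyzerServer": "1\n",
    "RtIsAnalyzerCorrelationUnit": "1\n", "UepmIsInstalled": "1\n",
    "UepmIsPolicyServer": "0\n",
}


def sample_runner(flag):
    """Stand-in for run_cpprod_util; the error text for other flags is constructed."""
    return SAMPLE_MGMT_ANSWERS.get(flag, "constructed error text\n")


if __name__ == "__main__":
    report = role_report(MANAGEMENT_FLAGS, run=sample_runner)
    for desc, state in report.items():
        print(f"{desc}: {state}")
    print("enabled:", enabled_roles(report))
```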

cprid
Description
Manages the Check Point Remote Installation Daemon (cprid).
This daemon is used for remote upgrade and installation of Check Point products on the
managed Security Gateways.

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run these commands in the context of the
  MDS (run mdsenv).

Commands

Syntax              Description

cpridstart          Starts the Check Point Remote Installation Daemon (cprid).

cpridstop           Stops the Check Point Remote Installation Daemon (cprid).

run_cprid_restart   Stops and then starts the Check Point Remote Installation Daemon
                    (cprid).

cprinstall
Description
Performs installation of Check Point product packages and associated operations on remote
managed Security Gateways.

Important - Installing software packages with this command is not supported for
Security Gateways that run on Gaia OS.
Notes:
• This command requires a license for SmartUpdate.
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
• On the remote Security Gateways these are required:
  ◦ SIC Trust must be established between the Security Management Server
    and the Security Gateway.
  ◦ The cpd daemon must run.
  ◦ The cprid daemon must run.
Syntax

cprinstall
      boot <options>
      cprestart <options>
      cpstart <options>
      cpstop <options>
      delete <options>
      get <options>
      install <options>
      revert <options>
      show <options>
      snapshot <options>
      transfer <options>
      uninstall <options>
      verify <options>


Parameters

Parameter            Description

boot <options>       Reboots the managed Security Gateway.
                     See "cprinstall boot" on page 173.

cprestart <options>  Runs the cprestart command on the managed Security Gateway.
                     See "cprinstall cprestart" on page 174.

cpstart <options>    Runs the cpstart command on the managed Security Gateway.
                     See "cprinstall cpstart" on page 175.

cpstop <options>     Runs the cpstop command on the managed Security Gateway.
                     See "cprinstall cpstop" on page 176.

delete <options>     Deletes a snapshot (backup) file on the managed Security Gateway.
                     See "cprinstall delete" on page 177.

get <options>        • Gets details of the products and the operating system installed on
                       the managed Security Gateway.
                     • Updates the management database on the Security Management
                       Server.
                     See "cprinstall get" on page 178.

install <options>    Installs Check Point products on the managed Security Gateway.
                     See "cprinstall install" on page 179.

revert <options>     Restores the managed Security Gateway that runs on SecurePlatform OS
                     from a snapshot saved on that Security Gateway.
                     See "cprinstall revert" on page 182.

show <options>       Displays all snapshot (backup) files on the managed Security Gateway
                     that runs on SecurePlatform OS.
                     See "cprinstall show" on page 183.

snapshot <options>   Creates a snapshot on the managed Security Gateway that runs on
                     SecurePlatform OS and saves it on that Security Gateway.
                     See "cprinstall snapshot" on page 184.

transfer <options>   Transfers a software package from the repository to the managed Security
                     Gateway without installing the package.
                     See "cprinstall transfer" on page 185.

uninstall <options>  Uninstalls Check Point products on the managed Security Gateway.
                     See "cprinstall uninstall" on page 187.


verify <options>     Confirms these operations were successful:
                     • If a specific product can be installed on the managed Security
                       Gateway.
                     • That the operating system and currently installed products on the
                       managed Security Gateway are appropriate for the software
                       package.
                     • That there is enough disk space to install the product on the managed
                       Security Gateway.
                     • That there is a CPRID connection with the managed Security
                       Gateway.
                     See "cprinstall verify" on page 189.

cprinstall boot

Description
Reboots the managed Security Gateway.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall boot <Object Name>

Parameters

Parameter      Description

<Object Name>  The name of the Security Gateway object as configured in
               SmartConsole.

Example
[Expert@MGMT]# cprinstall boot MyGW

cprinstall cprestart

Description
Runs the cprestart command on the managed Security Gateway.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
• All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cprestart <Object Name>

Parameters

Parameter      Description

<Object Name>  The name of the Security Gateway object as configured in
               SmartConsole.

Example
[Expert@MGMT:0]# cprinstall cprestart MyGW

cprinstall cpstart

Description
Runs the cpstart command on the managed Security Gateway.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
• All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cpstart <Object Name>

Parameters

Parameter      Description

<Object Name>  The name of the Security Gateway object as configured in
               SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstart MyGW

cprinstall cpstop

Description
Runs the cpstop command on the managed Security Gateway.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
• All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cpstop {-proc | -nopolicy} <Object Name>

Parameters

Parameter      Description

-proc          Kills the Check Point daemons and Security Servers, while it maintains the
               active Security Policy running in the Check Point kernel.
               Rules with generic Allow, Drop or Reject action based on services, continue
               to work.

-nopolicy      Kills the Check Point daemons and Security Servers and unloads the
               Security Policy from the Check Point kernel.

<Object Name>  The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstop -proc MyGW

cprinstall delete

Description
Deletes a snapshot (backup) file on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall delete <Object Name> <Snapshot File>

Parameters

Parameter        Description

<Object Name>    The name of the Security Gateway object as configured in
                 SmartConsole.

<Snapshot File>  Specifies the name of the snapshot (backup) on SecurePlatform OS.

Example
[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017

cprinstall get

Description
• Gets details of the products and the operating system installed on the managed Security
  Gateway.
• Updates the management database on the Security Management Server.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall get <Object Name>

Parameters

Parameter      Description

<Object Name>  The name of the Security Gateway object as configured in
               SmartConsole.

Example:

[Expert@MGMT]# cprinstall get MyGW
Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system     Major Version     Minor Version
------------------------------------------------------------------------
SecurePlatform       R75.20            R75.20

Vendor         Product             Major Version     Minor Version
------------------------------------------------------------------------
Check Point    VPN-1 Power/UTM     R75.20            R75.20
Check Point    SecurePlatform      R75.20            R75.20
Check Point    SmartPortal         R75.20            R75.20
[Expert@MGMT]#

cprinstall install

Description
Installs Check Point products on the managed Security Gateway.

Important - Installing software packages with this command is not supported for
Security Gateways that run Gaia OS.
Notes:
• Before transferring the software package, this command runs the "cprinstall
  verify" on page 189 command.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
• To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall install [-boot] [-backup] [-skip_transfer] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter          Description

-boot              Reboots the managed Security Gateway after installing the package.
                   Note - Only reboot after ALL products have the same version. Reboot is
                   canceled in certain scenarios.

-backup            Creates a snapshot on the managed Security Gateway before installing
                   the package.
                   Note - Only on Security Gateways that run on SecurePlatform OS.

-skip_transfer     Skips the transfer of the package.

<Object Name>      The name of the Security Gateway object as configured in
                   SmartConsole.

"<Vendor>"         Specifies the package vendor. Enclose in double quotes.
                   Example:
                   • checkpoint
                   • Check Point

"<Product>"        Specifies the product name. Enclose in double quotes.
                   Examples:
                   • SVNfoundation
                   • firewall
                   • floodgate
                   • CP1100
                   • VPN-1 Power/UTM
                   • SmartPortal

"<Major Version>"  Specifies the package Major Version. Enclose in double quotes.

"<Minor Version>"  Specifies the package Minor Version. Enclose in double quotes.


Example

[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"

Installing firewall R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#

cprinstall revert

Description
Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot
saved on that Security Gateway.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall revert <Object Name> <Snapshot File>

Parameters

Parameter        Description

<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>  Name of the SecurePlatform snapshot file.
                 To see the names of the saved snapshot files, run the "cprinstall show" on
                 page 183 command.

cprinstall show

Description
Displays all snapshot (backup) files on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall show <Object Name>

Parameters

Parameter      Description

<Object Name>  The name of the Security Gateway object as configured in
               SmartConsole.

Example

[Expert@MGMT]# cprinstall show GW1
SU_backup.tzg
[Expert@MGMT]#

cprinstall snapshot

Description
Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and
saves it on that Security Gateway.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall snapshot <Object Name> <Snapshot File>

Parameters

Parameter        Description

<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>  Name of the SecurePlatform snapshot file.
                 To see the names of the saved snapshot files, run the "cprinstall show" on
                 page 183 command.

cprinstall transfer

Description
Transfers a software package from the repository to the managed Security Gateway without
installing the package.

Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
• To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter          Description

<Object Name>      The name of the Security Gateway object as configured in
                   SmartConsole.

"<Vendor>"         Specifies the package vendor. Enclose in double quotes.
                   Example:
                   • checkpoint
                   • Check Point

"<Product>"        Specifies the product name. Enclose in double quotes.
                   Examples:
                   • SVNfoundation
                   • firewall
                   • floodgate
                   • CP1100

"<Major Version>"  Specifies the package major version. Enclose in double quotes.

"<Minor Version>"  Specifies the package minor version. Enclose in double quotes.

cprinstall uninstall

Description
Uninstalls Check Point products on the managed Security Gateway.

Important - Uninstalling software packages with this command is not supported for
Security Gateways running on Gaia OS.
Notes:
• You must run this command from the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
• Before uninstalling product packages, this command runs the "cprinstall verify"
  on page 189 command.
• After uninstalling a product package, you must run the "cprinstall get" on
  page 178 command.
• To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter          Description

-boot              Reboots the managed Security Gateway after uninstalling the
                   package.
                   Note - Reboot is canceled in certain scenarios.

<Object Name>      The name of the Security Gateway object as configured in
                   SmartConsole.

"<Vendor>"         Specifies the package vendor. Enclose in double quotes.
                   Example:
                   • checkpoint
                   • Check Point

"<Product>"        Specifies the product name. Enclose in double quotes.
                   Examples:
                   • SVNfoundation
                   • firewall
                   • floodgate
                   • CP1100

"<Major Version>"  Specifies the package major version. Enclose in double quotes.

"<Minor Version>"  Specifies the package minor version. Enclose in double quotes.

Example
[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get


cprinstall verify

Description
Checks whether a specific product can be installed on the managed Security Gateway. The check confirms that:
- The operating system and the currently installed products on the managed Security Gateway are appropriate for the software package.
- There is enough disk space on the managed Security Gateway to install the product.
- There is a CPRID connection with the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 161
command.

Syntax

cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major Version>" ["<Minor Version>"]


Parameters

<Object Name> - The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>" - Specifies the package vendor. Enclose in double quotes.
Examples:
- checkpoint
- Check Point

"<Product>" - Specifies the product name. Enclose in double quotes.
Examples:
- SVNfoundation
- firewall
- floodgate
- CP1100
- VPN-1 Power/UTM
- SmartPortal

"<Major Version>" - Specifies the package major version. Enclose in double quotes.

"<Minor Version>" - Specifies the package minor version. Enclose in double quotes.
This parameter is optional.

Example 1 - Verification succeeds


[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Example 2 - Verification fails


[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R75 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.


cpstart
Description
Manually starts all Check Point processes and applications.

Notes:
- For the cprid daemon, use the "cprid" on page 169 command.
- For manually starting specific Check Point processes, see sk97638.

Syntax

cpstart


cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

-d - Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.
The output shows the SNMP queries and SNMP responses for the applicable SNMP OIDs.

-h <Host> - Optional.
When you run this command on a Management Server, this parameter specifies the managed Security Gateway.
<Host> is an IPv4 address, a resolvable hostname, or a DAIP object name.
The default is localhost.
Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

-p <Port> - Optional.
Port number of the Application Monitoring (AMON) server.
The default port is 18192.

-s <SICname> - Optional.
Secure Internal Communication (SIC) name of the Application Monitoring (AMON) server.

-f <Flavor> - Optional.
Specifies the type of the information to collect.
If you do not specify a flavor explicitly, the command uses the first flavor in the <Application Flag>. To see all flavors, run the cpstat command without any parameters.

-o <Polling Interval> - Optional.
Specifies the polling interval (in seconds) - how frequently the command collects and shows the information.
Examples:
- 0 - The command shows the results only once and then stops (this is the default value).
- 5 - The command shows the results every 5 seconds in a loop.
- 30 - The command shows the results every 30 seconds in a loop.
- N - The command shows the results every N seconds in a loop.
Use this parameter together with the "-c <Count>" parameter and the "-e <Period>" parameter.
Example:
cpstat os -f perf -o 2

-c <Count> - Optional.
Specifies how many times the command runs and shows the results before it stops.
You must use this parameter together with the "-o <Polling Interval>" parameter.
Examples:
- 0 - The command shows the results repeatedly every <Polling Interval> (this is the default value).
- 10 - The command shows the results 10 times every <Polling Interval> and then stops.
- 20 - The command shows the results 20 times every <Polling Interval> and then stops.
- N - The command shows the results N times every <Polling Interval> and then stops.
Example:
cpstat os -f perf -o 2 -c 2

-e <Period> - Optional.
Specifies the time (in seconds) over which the command calculates the statistics.
You must use this parameter together with the "-o <Polling Interval>" parameter.
You can use this parameter together with the "-c <Count>" parameter.
Example:
cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag> - Mandatory.
See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are
supported only by a Security Gateway, and some flags are supported only by a
Management Server.

Flag (Feature or Software Blade) - Flavors

blades (List of enabled Software Blades) - fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi, anti_bot, default, content_awareness, threat-emulation

os (Operating System) - default, ifconfig, routing, routing6, memory, old_memory, cpu, disk, perf, multi_cpu, multi_disk, raidInfo, sensors, power_supply, hw_info, all, average_cpu, average_memory, statistics, updates, licensing, connectivity, vsx

fw (Firewall) - default, interfaces, policy, perf, hmem, kmem, inspect, cookies, chains, fragments, totals, totals64, ufp, http, ftp, telnet, rlogin, smtp, pop3, sync, log_connection, all

https_inspection (HTTPS Inspection) - default, hsm_status, all

identityServer (Identity Awareness) - default, authentication, logins, ldap, components, adquery, idc, muh

appi (Application Control) - default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

urlf (URL Filtering) - default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

ips (IPS) - default, statistics, all

ci (Anti-Virus) - default

antimalware (Threat Prevention) - default, scanned_hosts, scanned_mails, subscription_status, update_status, ab_prm_contracts, av_prm_contracts

threat-emulation (Threat Emulation) - default, general_statuses, update_status, scanned_files, malware_detected, scanned_on_cloud, malware_on_cloud, average_process_time, emulated_file_size, queue_size, peak_size, file_type_stat_file_scanned, file_type_stat_malware_detected, file_type_stat_cloud_scanned, file_type_stat_cloud_malware_scanned, file_type_stat_filter_by_analysis, file_type_stat_cache_hit_rate, file_type_stat_error_count, file_type_stat_no_resource_count, contract, downloads_information_current, downloading_file_information, queue_table, history_te_incidents, history_te_comp_hosts

scrub (Threat Extraction) - default, subscription_status, threat_extraction_statistics

cvpn (Mobile Access) - cvpnd, sysinfo, products, overall

vsx (VSX) - default, stat, traffic, conns, cpu, all, memory, cpu_usage_per_core

vpn (IPsec VPN) - default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics, watermarks, all

dlp (Data Loss Prevention) - default, dlp, exchange_agents, fingerprint

ctnt (Content Awareness) - default

fg (QoS) - all

ha (High Availability) - default, all

polsrv (Policy Server for Remote Access VPN clients) - default, all

dtps (Desktop Policy Server for Remote Access VPN clients) - default, all

gx (LTE / GX) - default, contxt_create_info, contxt_delete_info, contxt_update_info, contxt_path_mng_info, GXSA_GPDU_info, contxt_initiate_info, gtpv2_create_info, gtpv2_delete_info, gtpv2_update_info, gtpv2_path_mng_info, gtpv2_cmd_info, all

mg (Management Server) - default, log_server, indexer

ca (Certificate Authority) - default, crl, cert, user, all

cpsemd (SmartEvent) - default

cpsead (SmartEvent Correlation Unit) - default

ls (Log Server) - default

vsec (CloudGuard Controller) - default

svr (SmartReporter) - default

PA (Provisioning Agent) - default

thresholds (Thresholds configured with the threshold_config command) - default, active_thresholds, destinations, error

persistency (Historical status values) - product, TableConfig, SourceConfig


Examples
Example - Interfaces on a Security Gateway
[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
-------------------------------------------------------------------------------------------------------------------
|Name|IP           |Netmask      |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
-------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth1| 172.30.60.80|255.255.255.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth2|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth3|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth4|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth5|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth6|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
|eth7|      0.0.0.0|      0.0.0.0|    0|         |  0.0.0.0|       4|          |      |     |          ::|       0|
-------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway


[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy


Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#


Example - CPU utilization


[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance
[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320


Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320


Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#


Example - List of current connected sessions on a Management Server


[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server


Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#
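When cpstat is run with -o and -c, it prints one "Key: value" block per polling interval, separated by blank lines, as the Performance example above shows. The following Python script is an added example for this guide, not Check Point code: it parses such a capture into one dictionary per sample, treats the "-" placeholder as a missing value, and applies thresholds so the capture can be checked unattended. The embedded sample is an abridged, constructed copy of the perf output shown above, and the threshold values are illustrative assumptions, not Check Point defaults.

```python
"""Parse captured cpstat "Key: value" output and apply simple thresholds.

Added example for this guide, not Check Point code. Typical use:
    cpstat os -f perf -o 5 -c 12 -e 60 > perf.txt ; python3 check_cpstat.py perf.txt
"""
from __future__ import annotations

import re
import sys
from typing import Union

# Constructed sample: an abridged copy of the two samples printed by
# "cpstat os -f perf -o 2 -c 2 -e 60" in the example above.
SAMPLE_PERF_OUTPUT = """\
Total Real Memory (Bytes): 8231063552
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPUs Number: 8
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296

Total Real Memory (Bytes): 8231063552
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPUs Number: 8
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296
"""

# "Key: value". Keys never contain ':' or '|', so rows of the table-style
# flavors (for example "-f interfaces fw") are skipped rather than mis-parsed.
_KV = re.compile(r"^(?P<key>[^:|]+?):\s+(?P<value>.+)$")

Value = Union[int, float, str, None]


def _coerce(raw: str) -> Value:
    """cpstat prints '-' for counters the platform does not provide."""
    if raw == "-":
        return None
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw


def parse_cpstat(text: str) -> list[dict[str, Value]]:
    """One dict per polling sample; samples are separated by blank lines."""
    samples: list[dict[str, Value]] = []
    current: dict[str, Value] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                samples.append(current)
                current = {}
            continue
        m = _KV.match(line)
        if m:
            current[m.group("key").strip()] = _coerce(m.group("value").strip())
    if current:
        samples.append(current)
    return samples


def check_thresholds(samples, max_cpu_pct=80, min_disk_free_pct=20,
                     min_free_mem_bytes=512 * 1024 ** 2) -> list[tuple[int, str]]:
    """Return (sample index, message) for every threshold crossing.
    The thresholds are illustrative assumptions, not Check Point defaults."""
    alerts = []
    for i, s in enumerate(samples):
        cpu = s.get("CPU Usage (%)")
        if cpu is not None and cpu > max_cpu_pct:
            alerts.append((i, f"CPU usage {cpu}% > {max_cpu_pct}%"))
        disk = s.get("Disk Free Space (%)")
        if disk is not None and disk < min_disk_free_pct:
            alerts.append((i, f"disk free {disk}% < {min_disk_free_pct}%"))
        mem = s.get("Free Real Memory (Bytes)")
        if mem is not None and mem < min_free_mem_bytes:
            alerts.append((i, f"free memory {mem} B < {min_free_mem_bytes} B"))
    return alerts


def peak(samples, key: str) -> Value:
    """Highest value of `key` across all samples (None if never reported)."""
    values = [s[key] for s in samples if s.get(key) is not None]
    return max(values) if values else None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PERF_OUTPUT
    data = parse_cpstat(text)
    print(f"{len(data)} samples, peak CPU {peak(data, 'CPU Usage (%)')}%")
    for idx, msg in check_thresholds(data):
        print(f"sample {idx}: {msg}")
```

The parser is deliberately strict about the "Key: value" shape so that a capture of a table-style flavor (such as -f interfaces fw) does not produce garbage keys; run it against the file you redirected cpstat into, since the command itself only prints to the terminal.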


cpstop
Description
Manually stops all Check Point processes and applications.

Notes:
- For the cprid daemon, use the "cprid" on page 169 command.
- For manually stopping specific Check Point processes, see sk97638.

Syntax

cpstop


cpview
Overview of CPView

Description
CPView is a text-based utility built into every Check Point computer.
CPView shows statistical data that covers both general system information (CPU,
memory, disk space) and information for the different Software Blades (only on a
Security Gateway).
CPView continuously updates the data in easy-to-access views.

On a Security Gateway, you can use this statistical data to monitor performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Header - Shows the time at which the statistics in the View section were collected.
It updates when you refresh the statistics.

Navigation - An interactive menu bar. Move between menus with the arrow keys and
the mouse.
A menu can have sub-menus, which show under the menu bar.

View - Shows the statistics collected for the selected view.
These statistics update at the refresh rate.


Using CPView
Use these keys to navigate CPView:

Arrow keys - Move between menus and views. Scroll in a view.

Home - Returns to the Overview view.

Enter - Changes to the View Mode.
On a menu with sub-menus, the Enter key moves you to the lowest-level sub-menu.

Esc - Returns to the Menu Mode.

Q - Quits CPView.

Use these keys to change CPView interface options:

R - Opens a window where you can change the refresh rate.
The default refresh rate is 2 seconds.

W - Changes between wide and normal display modes.
In wide mode, CPView fits the screen horizontally.

S - Manually sets the number of rows or columns.

M - Switches the mouse on/off.

P - Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

C - Saves the current page to a file. The file name format is:
cpview_<ID of the cpview process>.cap<Number of the capture>

H - Shows a tooltip with CPView options.

Space bar - Immediately refreshes the statistics.


cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes
such as Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products
and Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log
file.

The cpwd_admin utility shows the status of the monitored processes, and configures the
Check Point WatchDog.

There are two types of Check Point WatchDog monitoring:

Passive - WatchDog restarts the process only when the process terminates abnormally.
In the output of the cpwd_admin list command, the MON column shows N for passively
monitored processes.

Active - WatchDog checks the process status at a predefined interval.
WatchDog makes sure the process is alive and functioning properly (not stuck in a
deadlock, frozen, and so on).
In the output of the cpwd_admin list command, the MON column shows Y for actively
monitored processes.
The list of actively monitored processes is predefined by Check Point. Users cannot
change or configure it.


Syntax

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

Parameters

config <options> - Configures the Check Point WatchDog.
See "cpwd_admin config" on page 207.

del <options> - Temporarily deletes a monitored process from the WatchDog database of monitored processes.
See "cpwd_admin del" on page 211.

detach <options> - Temporarily detaches a monitored process from the WatchDog monitoring.
See "cpwd_admin detach" on page 212.

exist - Checks whether the WatchDog process cpwd is alive.
See "cpwd_admin exist" on page 213.

flist <options> - Saves the status of all monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
See "cpwd_admin flist" on page 214.

getpid <options> - Shows the PID of a monitored process.
See "cpwd_admin getpid" on page 216.

kill - Terminates the WatchDog process cpwd.
See "cpwd_admin kill" on page 217.
Important - Do not run this command unless explicitly instructed by Check Point Support or R&D to do so.

list <options> - Prints the status of all monitored processes on the screen.
See "cpwd_admin list" on page 218.

monitor_list - Prints the status of actively monitored processes on the screen.
See "cpwd_admin monitor_list" on page 223.

start <options> - Starts a process as monitored by the WatchDog.
See "cpwd_admin start" on page 224.

start_monitor - Starts the active WatchDog monitoring - WatchDog monitors the predefined processes actively.
See "cpwd_admin start_monitor" on page 227.

stop <options> - Stops a monitored process.
See "cpwd_admin stop" on page 228.

stop_monitor - Stops the active WatchDog monitoring - WatchDog monitors all processes only passively.
See "cpwd_admin stop_monitor" on page 230.


cpwd_admin config

Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
-h
-a <options>
-d <options>
-p
-r

Parameters

-h - Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N> - Adds the WatchDog configuration parameters.
Note - Spaces are not allowed between the name of the configuration parameter, the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N> - Deletes the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-p - Shows the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-r - Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:

default_ctx
Accepted values: text string up to 128 characters
On a VSX Gateway, configures the CTX value that is assigned to monitored processes for which no CTX is specified.

display_ctx
Accepted values: 0 (default), 1
On a VSX Gateway, configures whether the WatchDog shows the CTX column in the output of the cpwd_admin list command (between the APP and the PID columns):
- 0 - Does not show the CTX column
- 1 - Shows the CTX column

no_limit
Accepted values: -1, 0, >0 (default: 5)
If rerun_mode=1, specifies the maximal number of times the WatchDog tries to restart a process:
- -1 - Always tries to restart
- 0 - Never tries to restart
- >0 - Tries this number of times

num_of_procs
Accepted values: 30 - 2000 (default: 2000)
Configures the maximal number of processes managed by the WatchDog.

rerun_mode
Accepted values: 0, 1 (default)
Configures whether the WatchDog restarts processes after they fail:
- 0 - Does not restart a failed process. Monitor and log only.
- 1 - Restarts a failed process (this is the default).

reset_startups
Accepted values: > 0 (default: 3600)
Configures the time (in seconds) the WatchDog waits after the process starts and before the WatchDog resets the process's startup_counter to 0.
To see the process's startup counter, refer to the #START column in the output of the cpwd_admin list command.

sleep_mode
Accepted values: 0, 1 (default)
Configures how the WatchDog restarts the process:
- 0 - Ignores the timeout and restarts the process immediately
- 1 - Waits for the duration of sleep_timeout

sleep_timeout
Accepted values: 0 - 3600 (default: 60)
If rerun_mode=1, specifies how much time (in seconds) passes from a process failure until the WatchDog tries to restart it.

stop_timeout
Accepted values: > 0 (default: 60)
Configures the time (in seconds) the WatchDog waits for a process stop command to complete.

zero_timeout
Accepted values: > 0 (default: 7200)
After failing no_limit times to restart a process, the WatchDog waits zero_timeout seconds before it tries again.
The value of zero_timeout must be greater than the value of sleep_timeout.

The WatchDog saves the user defined configuration parameters in the


$CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"


: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...


Example

[Expert@HostName:0]# cpwd_admin config -p


cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r


cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
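The restart parameters above interact: sleep_timeout spaces the retries, no_limit caps them, zero_timeout is the back-off once the cap is hit, and reset_startups forgives a process that stayed up long enough. The following Python model is an added illustration for this guide, not Check Point's WatchDog implementation: it simulates the schedule those documented parameters imply for a process that keeps dying. It assumes that the initial start does not count against no_limit, that a fresh round of no_limit attempts begins after the zero_timeout wait, and that the counter resets the moment a run reaches reset_startups seconds; the real daemon may differ in such details.

```python
"""Model of the WatchDog restart schedule implied by the cpwd_admin config
parameters (rerun_mode, sleep_mode, sleep_timeout, no_limit, zero_timeout,
reset_startups).

Added illustration for this guide, not Check Point's implementation.
Assumptions: the initial start does not count against no_limit; a new round of
no_limit attempts begins after the zero_timeout wait; a run that lasts at least
reset_startups seconds resets the counter.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class WatchDogConfig:
    # Default values as listed in the configuration parameter table.
    rerun_mode: int = 1
    sleep_mode: int = 1
    sleep_timeout: int = 60
    no_limit: int = 5
    zero_timeout: int = 7200
    reset_startups: int = 3600


def restart_schedule(cfg: WatchDogConfig, lifetimes: list[int], horizon: int,
                     max_events: int = 10_000) -> list[tuple[int, str]]:
    """Simulate a process whose i-th run lives lifetimes[i] seconds (the last
    value repeats). Returns (time, event) pairs up to `horizon` seconds."""
    events = [(0, "start")]
    t = 0
    restarts = 0   # restarts since the counter was last reset
    n = 0          # which lifetime applies to the current run
    while len(events) < max_events:
        life = lifetimes[min(n, len(lifetimes) - 1)]
        n += 1
        if life >= cfg.reset_startups:
            restarts = 0   # ran long enough: WatchDog resets the startup counter
        t += life
        if t > horizon:
            break
        events.append((t, "died"))
        if cfg.rerun_mode == 0 or cfg.no_limit == 0:
            events.append((t, "not restarted"))   # monitor and log only
            break
        if cfg.no_limit > 0 and restarts >= cfg.no_limit:
            events.append((t, f"no_limit reached, waiting zero_timeout={cfg.zero_timeout}s"))
            t += cfg.zero_timeout
            restarts = 0
        elif cfg.sleep_mode == 1:
            t += cfg.sleep_timeout   # sleep_mode=0 restarts immediately
        if t > horizon:
            break
        restarts += 1
        events.append((t, f"restart #{restarts}"))
    return events


def first_backoff(cfg: WatchDogConfig, horizon: int = 86_400) -> Optional[int]:
    """Seconds until a process that dies immediately stops being restarted for
    zero_timeout seconds; None if that never happens within `horizon`."""
    for t, event in restart_schedule(cfg, [0], horizon):
        if event.startswith("no_limit reached"):
            return t
    return None


if __name__ == "__main__":
    # With the defaults, a daemon that crashes on every start is retried once a
    # minute for five minutes and then left dead for two hours.
    for t, event in restart_schedule(WatchDogConfig(), [0], horizon=7600):
        print(f"t={t:>5}s  {event}")
```

The operational point the model makes visible: with the default values a crash-looping daemon is given up on after about five minutes and then shows as T in cpwd_admin list until zero_timeout expires, so an incident that looks like "the daemon is simply down" may be the WatchDog's back-off, and raising sleep_timeout or no_limit changes how long the loop is tolerated before that happens.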


cpwd_admin del

Description
Temporarily deletes a monitored process from the WatchDog database of monitored
processes.

Notes:
- WatchDog stops monitoring the deleted process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the deleted process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin del -name <Application Name>

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name> - Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
Examples:
- FWM
- FWD
- CPD
- CPM

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD


cpwd_admin:
successful Del operation
[Expert@HostName:0]#


cpwd_admin detach

Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the detached process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin detach -name <Application Name>

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name> - Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
Examples:
- FWM
- FWD
- CPD
- CPM

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD


cpwd_admin:
successful Detach operation
[Expert@HostName:0]#


cpwd_admin exist

Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist


cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#


cpwd_admin flist

Description
Saves the status of all WatchDog monitored processes to a file.

Syntax on a Management Server

cpwd_admin flist [-full]

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

-full - Writes the verbose output to the file.

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

APP - Shows the WatchDog name of the monitored process.

CTX - On a VSX Gateway, shows the VSID in which the monitored process runs.

PID - Shows the PID of the monitored process.

STAT - Shows the status of the monitored process:
- E - executing
- T - terminated

#START - Shows how many times the WatchDog started the monitored process.

START_TIME - Shows the time when the WatchDog last started the monitored process.

SLP/LIMIT - In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 207).

MON - Shows how the WatchDog monitors this process (see the explanation in "cpwd_admin" on page 204):
- Y - Active monitoring
- N - Passive monitoring

COMMAND - Shows the command the WatchDog runs to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist


/opt/CPshrd-R80.40/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#


cpwd_admin getpid

Description
Shows the PID of a WatchDog monitored process.

Syntax for a Management Server

cpwd_admin getpid -name <Application Name>

Syntax for a Security Gateway

cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name> - Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
Examples:
- FWM
- FWD
- CPD
- CPM

-ctx <VSID> - On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD


5640
[Expert@HostName:0]#


cpwd_admin kill

Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 201 and "cpstart" on page 191 commands.

Syntax

cpwd_admin kill


cpwd_admin list

Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Management Server

cpwd_admin list [-full]

Syntax on a Security Gateway

cpwd_admin list [-full] [-ctx <VSID>]

Parameters

Parameter Description

-full Shows the verbose output.

-ctx <VSID> On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

APP - Shows the WatchDog name of the monitored process.

CTX - On a VSX Gateway, shows the VSID in which the monitored process runs.

PID - Shows the PID of the monitored process.

STAT - Shows the status of the monitored process:
- E - executing
- T - terminated

#START - Shows how many times the WatchDog started the monitored process.

START_TIME - Shows the time when the WatchDog last started the monitored process.

SLP/LIMIT - In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 207).

MON - Shows how the WatchDog monitors this process (see the explanation in "cpwd_admin" on page 204):
- Y - Active monitoring
- N - Passive monitoring

COMMAND - Shows the command the WatchDog runs to start this process.

Examples
Example - Default output on a Management Server
[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R80.40/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-R80.40/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2019 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
[Expert@HostName:0]#


Example - Default output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 N ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2019 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 N DAService_script
[Expert@HostName:0]#
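The two outputs above differ only by the CTX column, and the COMMAND column can itself contain spaces, which is what makes naive whitespace splitting fail. The following Python script is an added example for this guide, not Check Point code: it parses both layouts from captured output, reports processes that are not executing or that the WatchDog has had to restart (a #START above 1 on a host that has not been restarted is a crash indicator worth correlating with $CPDIR/log/cpwd.elg), and reproduces the lookup that cpwd_admin getpid performs. The embedded samples are constructed, abridged copies of the examples above; in the gateway sample the RAD row was changed to #START=4 to exercise the restart check. What a finding means depends on the deployment, so compare against a known-good baseline from the same host rather than treating every T as a fault.

```python
"""Parse "cpwd_admin list" output and flag processes that need attention.

Added example for this guide, not Check Point code. Handles both the
Management Server layout (no CTX column) and the Security Gateway/VSX layout.
Typical use:  cpwd_admin list > cpwd.txt ; python3 cpwd_triage.py cpwd.txt
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Optional

# Constructed samples, abridged from the examples above. In GW_SAMPLE the RAD
# row was changed to #START=4 to exercise the restart check.
MGMT_SAMPLE = """\
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
"""

GW_SAMPLE = """\
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 4 [18:14:28] 23/5/2019 N rad
"""


@dataclass
class WatchedProcess:
    app: str
    ctx: Optional[int]      # VSID on a VSX Gateway, None on a Management Server
    pid: int
    stat: str               # E = executing, T = terminated
    starts: int             # the #START column
    start_time: str
    mon: str                # Y = active monitoring, N = passive
    command: str


def parse_cpwd_list(text: str) -> list[WatchedProcess]:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    if header[:1] != ["APP"] or header[-1] != "COMMAND":
        raise ValueError(f"unexpected header: {lines[0]!r}")
    has_ctx = header[1] == "CTX"
    # Fixed columns: APP [CTX] PID STAT #START [hh:mm:ss] d/m/yyyy MON, followed
    # by COMMAND, which may contain spaces, so split only n_fixed times.
    n_fixed = 8 if has_ctx else 7
    procs = []
    for line in lines[1:]:
        parts = line.split(None, n_fixed)
        if len(parts) != n_fixed + 1:
            raise ValueError(f"cannot parse row: {line!r}")
        f = iter(parts)
        app = next(f)
        ctx = int(next(f)) if has_ctx else None
        pid, stat, starts = int(next(f)), next(f), int(next(f))
        start_time = next(f) + " " + next(f)
        procs.append(WatchedProcess(app, ctx, pid, stat, starts, start_time,
                                    mon=next(f), command=next(f)))
    return procs


def triage(procs: list[WatchedProcess], max_starts: int = 1) -> list[tuple[str, str]]:
    """Report processes that are not executing, or that the WatchDog restarted."""
    findings = []
    for p in procs:
        if p.stat != "E":
            findings.append((p.app, f"not executing (STAT={p.stat}, PID={p.pid})"))
        elif p.starts > max_starts:
            findings.append((p.app, f"#START={p.starts}: restarted {p.starts - 1} time(s)"))
    return findings


def pid_of(procs: list[WatchedProcess], app: str, ctx: Optional[int] = None) -> Optional[int]:
    """The lookup "cpwd_admin getpid -name <APP> [-ctx <VSID>]" performs, over parsed output."""
    for p in procs:
        if p.app == app and (ctx is None or p.ctx == ctx):
            return p.pid
    return None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GW_SAMPLE
    for app, reason in triage(parse_cpwd_list(text)):
        print(f"{app}: {reason}")
```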


Example - Verbose output on a Management Server

[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/java_solr
COMMAND = java_solr /opt/CPrt-R80.40/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/log_indexer/log_indexer
COMMAND = /opt/CPrt-R80.40/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R80.40/smartlog_server
COMMAND = /opt/CPSmartLog-R80.40/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#

Example - Verbose output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list -full
APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 3/u N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#

cpwd_admin monitor_list

Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 204.

Syntax

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list

cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#

cpwd_admin start

Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server

cpwd_admin start -name <Application Name> -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Syntax on a Security Gateway

cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable, including the executable name.
    Must be enclosed in double quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd"
    - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh"
    - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must be enclosed in double quotes.
    Examples:
    - For FWM: "fwm"
    - For FWM on a Multi-Domain Server: "fwm mds"
    - For FWD: "fwd"
    - For CPD: "cpd"
    - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh -s"
    - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl -c "/opt/CPuepm-R80.40/engine/conf/cptnl_srv.conf""

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (the WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

-slp_timeout <Timeout>
    Configures the value of the "sleep_timeout" configuration parameter.
    See "cpwd_admin config" on page 207.

-retry_limit {<Limit> | u}
    Configures the value of the "retry_limit" configuration parameter.
    See "cpwd_admin config" on page 207.
    - <Limit> - Tries to restart the process the specified number of times
    - u - Tries to restart the process an unlimited number of times

R80.40 CLI Reference Guide | 225


cpwd_admin start

Example
For the list of process and the applicable syntax, see sk97638.

cpwd_admin start_monitor

Description
Starts the active WatchDog monitoring. The WatchDog then monitors the predefined processes actively.
See the explanation of the "cpwd_admin" command on page 204.

Syntax

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor

cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#

cpwd_admin stop

Description
Stops a WatchDog monitored process.

Important - This change does not survive a reboot.

Syntax on a Management Server

cpwd_admin stop -name <Application Name> [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Syntax on a Security Gateway

cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Parameters

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable, including the executable name.
    Must be enclosed in double quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd_admin"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must be enclosed in double quotes.
    Examples:
    - For FWM: "fw kill fwm"
    - For FWD: "fw kill fwd"
    - For CPD: "cpd_admin stop"

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (the WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

Example
For the list of processes and the applicable syntax, see sk97638.

cpwd_admin stop_monitor

Description
Stops the active WatchDog monitoring. The WatchDog then monitors all processes only passively.
See the explanation of the "cpwd_admin" command on page 204.

Syntax

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor

cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#

dbedit

Description
Edits the management database (the $FWDIR/conf/objects_5_0.C file) on the Security Management Server or Domain Management Server. See sk13301.

Important - Do NOT run this command, unless explicitly instructed by Check Point
Support or R&D to do so. Otherwise, you can corrupt settings in the management
database.

Syntax

dbedit -help
dbedit [-globallock] [{-local | -s <Management_Server>}] [{-u <Username> | -c <Certificate>}] [-p <Password>] [-f <File_Name> [ignore_script_failure] [-continue_updating]] [-r "<Open_Reason_Text>"] [-d <Database_Name>] [-listen] [-readonly] [-session]

Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Parameters

-help
    Prints the general help.

-globallock
    When you work with the dbedit utility, it partially locks the management database. If a user configures objects in SmartConsole at the same time, this causes problems in the management database.
    This option does not let SmartConsole, or another dbedit user, make changes in the management database.
    When you specify this option, the dbedit commands run on a copy of the management database. After you make the changes with the dbedit commands and run the savedb command, the dbedit utility saves and commits your changes to the actual management database.

-local
    Connects to the localhost (127.0.0.1) without using a username and password.
    If you do not specify this parameter, the dbedit utility asks how to connect.

-s <Management_Server>
    Specifies the Security Management Server, by IP address or hostname.
    If you do not specify this parameter, the dbedit utility asks how to connect.

-u <Username>
    Specifies the username with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" parameter.

-c <Certificate>
    Specifies the user's certificate file with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" parameter.

-p <Password>
    Specifies the user's password with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" and "-u <Username>" parameters.

-f <File_Name>
    Specifies the file that contains the applicable dbedit internal commands (see the section "dbedit Internal Commands" below):
    - create <object_type> <object_name>
    - modify <table_name> <object_name> <field_name> <value>
    - update <table_name> <object_name>
    - delete <table_name> <object_name>
    - print <table_name> <object_name>
    - quit
    Note - Each command is limited to 4096 characters.

ignore_script_failure
    Continues to execute the dbedit internal commands in the file and ignores errors.
    You can use it when you specify the "-f <File_Name>" parameter.

-continue_updating
    Continues to update the modified objects, even if the operation fails for some of the objects (ignores the errors and runs the update_all command at the end of the script).
    You can use it when you specify the "-f <File_Name>" parameter.

-r "<Open_Reason_Text>"
    Specifies the reason for opening the database in read-write mode (the default mode).

-d <Database_Name>
    Specifies the name of the database to which the dbedit utility should connect (for example, mdsdb).

-listen
    The dbedit utility "listens" for changes (use this mode for advanced troubleshooting with the assistance of Check Point Support).
    The dbedit utility prints its internal messages when a change occurs in the management database.

-readonly
    Opens the management database in read-only mode.

-session
    Session connectivity.

dbedit Internal Commands

Note - To see the available tables, class names (object types), attributes and values, connect to the Management Server with the Database Tool (GuiDBEdit Tool) (see sk13009).

-h
    Description:
    Prints the general help.
    Syntax:
    dbedit> -h

-q
quit
    Description:
    Quits dbedit.
    Syntax:
    dbedit> -q
    dbedit> quit [-update_all | -noupdate]
    Examples:
    - Exit the utility and commit the remaining modified objects (interactive mode):
      dbedit> quit
    - Exit the utility and update all the remaining modified objects:
      dbedit> quit -update_all
    - Exit the utility and discard all modifications:
      dbedit> quit -noupdate

update
    Description:
    Saves the specified object in the specified table (for example, "network_objects", "services", "users").
    Syntax:
    dbedit> update <table_name> <object_name>
    Example:
    Save the object My_Service in the table services:
    dbedit> update services My_Service

update_all
    Description:
    Saves all the modified objects.
    Syntax:
    dbedit> update_all

_print_set
    Description:
    Prints the specified object from the specified table (for example, "network_objects", "services", "users") as it appears in the $FWDIR/conf/objects_5_0.C file (as sets of attributes).
    Syntax:
    dbedit> _print_set <table_name> <object_name>
    Example:
    Print the object My_Obj from the table network_objects:
    dbedit> _print_set network_objects My_Obj

print
    Description:
    Prints the list of attributes of the specified object from the specified table (for example, "network_objects", "properties", "services", "users").
    Syntax:
    dbedit> print <table_name> <object_name>
    Examples:
    - Print the object My_Obj from the table network_objects (in "Network Objects"):
      dbedit> print network_objects my_obj
    - Print the object firewall_properties from the table properties (in "Global Properties"):
      dbedit> print properties firewall_properties

printxml
    Description:
    Prints, in XML format, the list of attributes of the specified object from the specified table (for example, "network_objects", "properties", "services", "users").
    You can export the settings from a Management Server to an XML file that you can use later with external automation systems.
    Syntax:
    dbedit> printxml <table_name> [<object_name>]
    Examples:
    - Print the object My_Obj from the table network_objects:
      dbedit> printxml network_objects my_obj
    - Print the object firewall_properties from the table properties (in "Global Properties"):
      dbedit> printxml properties firewall_properties

printbyuid
    Description:
    Prints the attributes of the object specified by its UID (which appears in the $FWDIR/conf/objects_5_0.C file at the beginning of the object as "chkpf_uid ({...})").
    Syntax:
    dbedit> printbyuid {object_id}
    Example:
    Print the attributes of the object with the specified UID:
    dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}

query
    Description:
    Prints all the objects in the specified table.
    Optionally, you can query for objects with a specific attribute and value. The query is separated by a comma after "query <table_name>" (spaces are not allowed between the <attribute> and '<value>').
    Syntax:
    dbedit> query <table_name> [, <attribute>='<value>']
    Examples:
    - Print all objects in the table users:
      dbedit> query users
    - Print all objects in the table network_objects that are defined as Management Servers:
      dbedit> query network_objects, management='true'
    - Print all objects in the table services with the name ssh:
      dbedit> query services, name='ssh'
    - Print all objects in the table services with the port 22:
      dbedit> query services, port='22'
    - Print all objects with the IP address 10.10.10.10:
      dbedit> query network_objects, ipaddr='10.10.10.10'

whereused
    Description:
    Checks where the specified object is used in the database.
    Prints the number of places where this object is used and relevant information about each such place.
    Syntax:
    dbedit> whereused <table_name> <object_name>
    Example:
    Check where the object My_Obj is used:
    dbedit> whereused network_objects My_Obj

create
    Description:
    Creates an object of the specified type (with its default values) in the database.
    Restrictions apply to the object's name:
    - Object names can have a maximum of 100 characters.
    - Object names can contain only ASCII letters, numbers, and dashes.
    - Reserved words are blocked by the Management Server (refer to sk40179).
    Syntax:
    dbedit> create <object_type> <object_name>
    Example:
    Create the service object My_Service of the type tcp_service (with its default values):
    dbedit> create tcp_service my_service

delete
    Description:
    Deletes an object from the specified table.
    Syntax:
    dbedit> delete <table_name> <object_name>
    Example:
    Delete the service object My_Service from the table services:
    dbedit> delete services my_service

modify
    Description:
    Modifies the value of the specified attribute in the specified object in the specified table (for example, "network_objects", "services", "users") in the management database.
    Syntax:
    dbedit> modify <table_name> <object_name> <field_name> <value>
    Examples:
    - Modify the color to red in the object My_Service in the table services:
      dbedit> modify services My_Service color red
    - Add a comment to the object MyObj:
      dbedit> modify network_objects MyObj comments "Created by fwadmin with dbedit"
    - Set the value of the global property ike_use_largest_possible_subnets in the table properties to false:
      dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
    - Create a new interface on the Security Gateway My_FW and modify its attributes: set the IP address and mask and enable Anti-Spoofing on the interface with "Element Index"=3 (check the attributes of the object My_FW in the Database Tool (GuiDBEdit Tool), see sk13009):
      dbedit> addelement network_objects My_FW interfaces interface
      dbedit> modify network_objects My_FW interfaces:3:officialname NAME_OF_INTERFACE
      dbedit> modify network_objects My_FW interfaces:3:ipaddr IP_ADDRESS
      dbedit> modify network_objects My_FW interfaces:3:netmask NETWORK_MASK
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:access specific
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:allowed network_objects:group_name
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:perform_anti_spoofing true
    dbedit> modify network_objects MyObj FieldA LINKSYS
    - In the Owned Object MyObj, change the value of FieldB to NewVal:
      dbedit> modify network_objects MyObj FieldA:FieldB NewVal
    - In the Linked Object MyObj, change the value of FieldA from B to C:
      dbedit> modify network_objects MyObj FieldA B:C

lock
    Description:
    Locks the specified object (by administrator) in the specified table (for example, "network_objects", "services", "users") so that other users cannot modify it.
    For example, if you connect from a remote computer to this Management Server as admin1 and lock an object, you are able to connect as admin2, but you are not able to modify the locked object until admin1 releases the lock.
    Syntax:
    dbedit> lock <table_name> <object_name>
    Example:
    Lock the object My_Service_Obj in the table services in the database:
    dbedit> lock services My_Service_Obj

addelement
    Description:
    Adds a specified multiple field / container (with the specified value) to a specified object in the specified table.
    Syntax:
    dbedit> addelement <table_name> <object_name> <field_name> <value>
    Examples:
    - Add the element BranchObjectClass with the value Organization to the multiple field Read in the object My_Obj in the table ldap:
      dbedit> addelement ldap My_Obj Read:BranchObjectClass Organization
    - Add the service MyService to the group of services MyServicesGroup in the table services:
      dbedit> addelement services MyServicesGroup '' services:MyService
    - Add the network MyNetwork to the group of networks MyNetworksGroup in the table network_objects:
      dbedit> addelement network_objects MyNetworksGroup '' network_objects:MyNetwork

rmelement
    Description:
    Removes a specified multiple field / container (with the specified value) from a specified object in the specified table.
    Syntax:
    dbedit> rmelement <table_name> <object_name> <field_name> <value>
    Examples:
    - Remove the service MyService from the group of services MyServicesGroup in the table services:
      dbedit> rmelement services MyServicesGroup '' services:MyService
    - Remove the network MyNetwork from the group of networks MyNetworksGroup in the table network_objects:
      dbedit> rmelement network_objects MyNetworksGroup '' network_objects:MyNetwork
    - Remove the element BranchObjectClass with the value Organization from the multiple field Read in the object My_Obj in the table ldap:
      dbedit> rmelement ldap my_obj Read:BranchObjectClass Organization

rename
    Description:
    Renames the specified object in the specified table.
    Syntax:
    dbedit> rename <table_name> <object_name> <new_object_name>
    Example:
    Rename the network object london to chicago in the table network_objects:
    dbedit> rename network_objects london chicago

rmbyindex
    Description:
    Removes an element from a container by the element's index.
    Syntax:
    dbedit> rmbyindex <table_name> <object_name> <field_name> <index_number>
    Example:
    Remove the element backup_log_servers from the container log_servers by element index 1 in the table network_objects:
    dbedit> rmbyindex network_objects g log_servers:backup_log_servers 1

add_owned_remove_name
    Description:
    Adds an owned object (and removes its name) to a specified owned object field (or container).
    Syntax:
    dbedit> add_owned_remove_name <table_name> <object_name> <field_name> <value>
    Example:
    Add the owned object My_Gateway (and remove its name) to the owned object field (or container) my_external_products:
    dbedit> add_owned_remove_name network_objects My_Gateway additional_products owned:my_external_products

is_delete_allowed
    Description:
    Checks if the specified object can be deleted from the specified table (an object cannot be deleted if it is used by other objects).
    Syntax:
    dbedit> is_delete_allowed <table_name> <object_name>
    Example:
    Check if the object MyObj can be deleted from the table network_objects:
    dbedit> is_delete_allowed network_objects MyObj

set_pass
    Description:
    Sets the specified password for the specified user.
    Notes:
    - The password must contain at least 4 characters and no more than 50 characters.
    - This command cannot change the administrator's password.
    Syntax:
    dbedit> set_pass <Username> <Password>
    Example:
    Set the password 1234 for the user abcd:
    dbedit> set_pass abcd 1234

savedb
    Description:
    Saves the database. You can run this command only when the database is locked globally (when you start the dbedit utility with the "dbedit -globallock" command).
    Syntax:
    dbedit> savedb

savesession
    Description:
    Saves the session. You can run this command only when you start the dbedit utility in session mode (with the "dbedit -session" command).
    Syntax:
    dbedit> savesession

fw

Description
- Performs various operations on Security or Audit log files.
- Kills the specified Check Point processes.
- Manages the Suspicious Activity Monitoring (SAM) rules.
- Manages the Suspicious Activity Policy editor.

Syntax

fw [-d]
    fetchlogs <options>
    hastat <options>
    kill <options>
    log <options>
    logswitch <options>
    lslogs <options>
    mergefiles <options>
    repairlog <options>
    sam <options>
    sam_policy <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

fetchlogs <options>
    Fetches the specified Check Point log files - Security ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*) - from the specified Check Point computer.
    See "fw fetchlogs" on page 246.

hastat <options>
    Shows information about Check Point computers in a High Availability configuration and their states.
    See "fw hastat" on page 248.

kill <options>
    Kills the specified Check Point process.
    See "fw kill" on page 249.

log <options>
    Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw log" on page 250.

logswitch <options>
    Switches the current active Check Point log file - Security ($FWDIR/log/fw.log) or Audit ($FWDIR/log/fw.adtlog).
    See "fw logswitch" on page 260.

lslogs <options>
    Shows a list of Check Point log files - Security ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*) - located on the local computer or a remote computer.
    See "fw lslogs" on page 264.

mergefiles <options>
    Merges several Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog) - into a single log file.
    See "fw mergefiles" on page 267.

repairlog <options>
    Rebuilds pointer files for Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw repairlog" on page 270.

sam <options>
    Manages the Suspicious Activity Monitoring (SAM) rules.
    See "fw sam" on page 271.

sam_policy <options>
samp <options>
    Manages the Suspicious Activity Policy editor that works with these types of rules:
    - Suspicious Activity Monitoring (SAM) rules
    - Rate Limiting rules
    See "fw sam_policy" on page 279.

fw fetchlogs

Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ... [-f <Name of Log File N>] <Target>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File N>
    Specifies the name of the log file to fetch. Specify the name only.
    Notes:
    - If you do not specify the log file name explicitly, the command transfers all Security log files ($FWDIR/log/*.log*) and all Audit log files ($FWDIR/log/*.adtlog*).
    - The specified log file name can include the wildcards * and ? (for example, 2017-0?-*.log).
      If you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command.
      You must use the -f parameter for each log file name pattern.
    - This command also transfers the applicable log pointer files.

<Target>
    Specifies the remote Check Point computer with which this local Check Point computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point computer as configured in SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.

Notes:
- This command moves the specified log files from the $FWDIR/log/ directory on the specified Check Point computer. That is, it deletes the specified log files on the specified Check Point computer after it copies them successfully.
- This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point computer on which you run this command.
- This command cannot fetch the active log files $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.
  To fetch these active log files:
  1. Perform a log switch on the applicable Check Point computer:
     fw logswitch [-audit] [-h <IP Address or Hostname>]
  2. Fetch the rotated log file from the applicable Check Point computer:
     fw fetchlogs -f <Log File Name> <IP Address or Hostname>
- This command renames the log files it fetched from the specified Check Point computer. The new log file name is the concatenation of the Check Point computer's name (as configured in SmartConsole), two underscore (_) characters, and the original log file name (for example: MyGW__2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW
File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW


Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#

fw hastat

Description
Shows information about Check Point computers in High Availability configuration and their
states.

Note - This command is outdated. On cluster members, run the Gaia Clish command
"show cluster state", or the Expert mode command "cphaprob state".
Note - This command is outdated. On Management Servers, run the "cpstat" on
page 192 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

<Target1> <Target2> ... <TargetN>
    Specifies the Check Point computers to query.
    If you run this command on the Management Server, you can enter the applicable IP address, or the resolvable HostName of the managed Security Gateway or Cluster Member.
    If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#

fw kill

Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-t <Signal Number>
    Specifies which signal to send to the Check Point process.
    For the list of available signals and their numbers, run the kill -l command.
    For information about the signals, see the manual pages for kill and signal.
    If you do not specify the signal explicitly, the command sends Signal 15 (SIGTERM).
    Note - Processes can ignore some signals.

<Name of Process>
    Specifies the name of the Check Point process to kill.
    To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw log

Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}


fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c
<Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert
Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q]
[-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u
<Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End
Entry Number>] [-z] [-#] [<Log File>]

Parameters

{-h | -help}
    Shows the built-in usage.
    Note - The built-in usage does not show some of the parameters described in this table.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-a
    Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>"
    Shows only entries that were logged between the specified start and end times.
    - The <Start Timestamp> and <End Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the <Start Timestamp> and <End Timestamp> in single or double quotes (-b 'XX' 'YY', or -b "XX" "YY").
    - You cannot use the "-b" parameter together with the "-s" or "-e" parameters.
    - See the date and time format below.

-c <Action>
    Shows only events with the specified action. One of these:
    - accept
    - drop
    - reject
    - encrypt
    - decrypt
    - vpnroute
    - keyinst
    - authorize
    - deauthorize
    - authcrypt
    - ctl
    Notes:
    - The fw log command always shows the Control (ctl) actions.
    - For the login action, use authcrypt.

-e "<End Timestamp>"
    Shows only entries that were logged before the specified time.
    Notes:
    - The <End Timestamp> may be a date, a time, or both.
    - Enclose the <End Timestamp> in single or double quotes (-e '...', or -e "...").
    - You cannot use the "-e" parameter together with the "-b" parameter.
    - See the date and time format below.

-f
    This parameter:
    1. Shows the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.
    Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-g
    Does not show delimiters.
    The default behavior is:
    - Show a colon (:) after a field name
    - Show a semi-colon (;) after a field value

-H
    Shows the High Level Log key.

-h <Origin>
    Shows only logs that were generated by the Security Gateway with the specified IP address or object name (as configured in SmartConsole).

-i
    Shows log UID.

-k {<Alert Name> | all}
    Shows entries that match a specific alert type:
    - <Alert Name> - Show only entries that match a specific alert type:
      - alert
      - mail
      - snmp_trap
      - spoof
      - user_alert
      - user_auth
    - all - Show entries that match all alert types (this is the default).

-l
    Shows both the date and the time for each log entry.
    The default is to show the date only once above the relevant entries, and then specify the time for each log entry.

-m {initial | semi | raw}
    Specifies the log unification mode:
    - initial - Complete unification of log entries. The command shows one unified log entry for each ID. This is the default.
      If you also specify the -f parameter, then the output does not show any updates, but shows only entries that relate to the start of new connections. To show updates, use the semi parameter.
    - semi - Step-by-step unification of log entries. For each log entry, the output shows an entry that unifies this entry with all previously encountered entries with the same ID.
    - raw - No log unification. The output shows all log entries.

-n
    Does not perform DNS resolution of the IP addresses in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-o
    Shows detailed log chains - shows all the log segments in the log entry.

-p
    Does not perform resolution of the port numbers in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-q
    Shows the names of log header fields.

-S
    Shows the Sequence Number.

-s "<Start Timestamp>"
    Shows only entries that were logged after the specified time.
    Notes:
    - The <Start Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the <Start Timestamp> in single or double quotes (-s '...', or -s "...").
    - You cannot use the "-s" parameter together with the "-b" parameter.
    - See the date and time format below.

-t
    This parameter:
    1. Does not show the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.
    Note - Applies only to the active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-u <Unification Scheme File>
    Specifies the path and name of the log unification scheme file.
    The default log unification scheme file is: $FWDIR/conf/log_unification_scheme.C

-w
    Shows the flags of each log entry (different bits used to specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on).

-x <Start Entry Number>
    Shows only entries from the specified log entry number and below, counting from the beginning of the log file.

-y <End Entry Number>
    Shows only entries until the specified log entry number, counting from the beginning of the log file.

-z
    In case of an error (for example, wrong field value), continues to show log entries.
    The default behavior is to stop.

-#
    Shows confidential logs in clear text.

<Log File>
    Specifies the log file to read.
    If you do not specify the log file explicitly, the command opens the $FWDIR/log/fw.log log file.
    You can specify a switched log file.

Date and Time format

Part of timestamp    Format                   Example
Date only            MMM DD, YYYY             June 11, 2018
Time only            HH:MM:SS                 14:20:00
                     (Note - In this case, the command assumes the current date.)
Date and Time        MMM DD, YYYY HH:MM:SS    June 11, 2018 14:20:00
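The following script is an added example for the timestamp formats above; it is not part of this guide and not Check Point code. It parses the three accepted forms (date only, time only, date and time), applies the rule that a time-only value takes the current date, and builds the -s, -e or -b arguments for fw log as an argument list suitable for subprocess, where no shell quoting is needed. It refuses to combine -b with -s or -e, as the parameter table requires. It assumes English month names (C locale) and writes the day with two digits to match MMM DD, YYYY.

```python
"""Build and validate the time-selection arguments of 'fw log' (-s, -e, -b).

Added example, not part of the R80.40 CLI Reference Guide and not Check Point
code. Assumes an English locale for month names ("June 11, 2018 14:20:00").
"""
from datetime import date, datetime
from typing import List, Optional, Tuple, Union

DATE_FMT = "%B %d, %Y"               # "June 11, 2018"
TIME_FMT = "%H:%M:%S"                # "14:20:00"
DATETIME_FMT = DATE_FMT + " " + TIME_FMT

TimeLike = Union[str, datetime]      # ISO 8601 string or datetime


def _to_datetime(value: TimeLike) -> datetime:
    """Accept either a datetime or an ISO 8601 string such as '2018-06-12T12:33:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_fw_timestamp(text: str, today: Optional[date] = None) -> datetime:
    """Parse a timestamp in one of the three forms fw log accepts.

    Date only, time only, or both. For a time-only value the guide states that
    the command assumes the current date; 'today' makes that testable.
    """
    text = text.strip()
    for fmt in (DATETIME_FMT, DATE_FMT, TIME_FMT):
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if fmt == TIME_FMT:
            return datetime.combine(today or date.today(), parsed.time())
        return parsed
    raise ValueError(f"not a fw log timestamp: {text!r}")


def format_fw_timestamp(value: TimeLike) -> str:
    """Render a datetime (or ISO string) as 'MMM DD, YYYY HH:MM:SS'."""
    return _to_datetime(value).strftime(DATETIME_FMT)


def is_valid_time_selection(start: Optional[TimeLike] = None,
                            end: Optional[TimeLike] = None,
                            between: Optional[Tuple[TimeLike, TimeLike]] = None) -> bool:
    """-b is mutually exclusive with -s and -e, and a -b window must be ordered."""
    if between is None:
        return True
    if start is not None or end is not None:
        return False
    first, last = between
    return _to_datetime(first) <= _to_datetime(last)


def fw_log_time_args(start: Optional[TimeLike] = None,
                     end: Optional[TimeLike] = None,
                     between: Optional[Tuple[TimeLike, TimeLike]] = None) -> List[str]:
    """Return the argv fragment selecting a time range, e.g. ['-s', 'June 12, 2018 12:33:00'].

    Passing the list to subprocess.run(['fw', 'log', '-l', *args]) avoids the
    shell, so the quoting the guide shows for interactive use is not needed.
    """
    if not is_valid_time_selection(start, end, between):
        raise ValueError("-b cannot be combined with -s or -e, and the window must be ordered")
    args: List[str] = []
    if between is not None:
        args += ["-b", format_fw_timestamp(between[0]), format_fw_timestamp(between[1])]
    if start is not None:
        args += ["-s", format_fw_timestamp(start)]
    if end is not None:
        args += ["-e", format_fw_timestamp(end)]
    return args


if __name__ == "__main__":
    # Reproduces the argument list behind Example 3 of this section.
    print(["fw", "log", "-l"] + fw_log_time_args(
        between=("2018-06-12T12:33:00", "2018-06-12T12:34:00")))
```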

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that are shown depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

HeaderDateHour
    Date and Time.
    Example: 12Jun2018 12:56:42

ContentVersion
    Version.
    Example: 5

HighLevelLogKey
    High Level Log Key.
    Example: <max_null>, or empty

Uuid
    Log UUID.
    Example: (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)

SequenceNum
    Log Sequence Number.
    Example: 1

Flags
    Internal flags that specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on.
    Example: 428292

Action
    Action performed on this connection. One of:
    - accept
    - drop
    - reject
    - encrypt
    - decrypt
    - vpnroute
    - keyinst
    - authorize
    - deauthorize
    - authcrypt
    - ctl

Origin
    Object name of the Security Gateway that generated this log.
    Example: MyGW

IfDir
    Traffic direction through the interface:
    - < - Outbound (sent by a Security Gateway)
    - > - Inbound (received by a Security Gateway)

InterfaceName
    Name of the Security Gateway interface, on which this traffic was logged.
    If a Security Gateway performed some internal action (for example, log switch), then the log entry shows daemon.
    Examples: eth0, daemon, N/A

LogId
    Log ID.
    Example: 0

Alert
    Alert Type. One of:
    - alert
    - mail
    - snmp_trap
    - spoof
    - user_alert
    - user_auth

OriginSicName
    SIC name of the Security Gateway that generated this log.
    Example: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x

inzone
    Inbound Security Zone.
    Example: Local

outzone
    Outbound Security Zone.
    Example: External

service_id
    Name of the service used to inspect this connection.
    Example: ftp

src
    Object name or IP address of the connection's source computer.
    Example: MyHost

dst
    Object name or IP address of the connection's destination computer.
    Example: MyFTPServer

proto
    Name of the connection's protocol.
    Example: tcp

sport_svc
    Source port of the connection.
    Example: 64933

ProductName
    Name of the Check Point product that generated this log.
    Examples: VPN-1 & FireWall-1, Application Control, FloodGate-1

ProductFamily
    Name of the Check Point product family that generated this log.
    Example: Network

Examples
Example 1 - Show all log entries with both the date and the time for each log entry
fw log -l


Example 2 - Show all log entries that start after the specified timestamp
[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps

[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"

[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
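The following script is an added example, not part of this guide and not Check Point code. It parses lines in the "fw log -l -q -w" format of Example 5 into dictionaries, rebuilds the UP_match_table and UP_action_table rows that the TABLE_START, ROW_START, ROW_END and TABLE_END markers delimit, and summarizes the entries whose Action is drop by source, destination, service and matched rule UID, which is the shape a detection pipeline usually consumes. The first sample line is the drop entry from Example 5; the second is a constructed accept entry in the same layout, used only to show the filtering.

```python
"""Parse 'fw log -l -q -w' output into structured records.

Added example for the fw log section; not Check Point code. The parser
handles the 'Key: value;' field layout that -q produces, including the
nested match/action tables.
"""
from typing import Any, Dict, List, Tuple

Record = Dict[str, Any]

SAMPLE_LINES = [
    # Drop entry taken from Example 5 of the guide.
    "HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;",
    # Constructed accept entry (not from the guide) in the same field layout.
    "HeaderDateHour: 12Jun2018 12:35:02; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 2; Flags: 428292; Action: accept; Origin: MyGW; IfDir: >; InterfaceName: eth0; Alert: ; LogId: 0; src: MyHost; dst: MyFTPServer; proto: tcp; service_id: ftp; sport_svc: 50212; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;",
]

# A captured session as it would appear on the terminal, prompts included.
SAMPLE_OUTPUT = ("[Expert@MyGW:0]# fw log -l -q -w\n"
                 + "\n".join(SAMPLE_LINES) + "\n[Expert@MyGW:0]#\n")


def parse_fw_log_line(line: str) -> Record:
    """Parse one 'Key: value; Key: value;' line.

    A field whose value is TABLE_START opens a nested table, stored under the
    field name as a list of row dicts; ROW_START/ROW_END delimit the rows and
    the same field name with TABLE_END closes the table. Every other field
    goes into the open row if there is one, else into the top-level record.
    """
    record: Record = {}
    open_tables: List[Tuple[str, List[Record]]] = []
    row: Dict[str, Any] = None
    for chunk in line.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition(":")
        if not sep:
            continue                       # not a field, ignore
        key, value = key.strip(), value.strip()
        if value == "TABLE_START":
            open_tables.append((key, []))
        elif value == "TABLE_END":
            name, rows = open_tables.pop()
            record[name] = rows
        elif key == "ROW_START":
            row = {}
        elif key == "ROW_END":
            if open_tables and row is not None:
                open_tables[-1][1].append(row)
            row = None
        elif row is not None:
            row[key] = value
        else:
            record[key] = value
    return record


def parse_fw_log_output(text: str) -> List[Record]:
    """Parse a whole session, skipping prompts, blank lines and '...' fillers."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[Expert@") or line.startswith("..."):
            continue
        records.append(parse_fw_log_line(line))
    return records


def matched_rule_uids(record: Record) -> List[str]:
    """rule_uid of every matched layer row (empty for entries without a match table)."""
    return [row.get("rule_uid", "") for row in record.get("UP_match_table", [])]


def drop_summary(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """(src, dst, service_id, first matched rule_uid) for every Action: drop entry."""
    out = []
    for rec in records:
        if rec.get("Action") != "drop":
            continue
        uids = matched_rule_uids(rec)
        out.append((rec.get("src", ""), rec.get("dst", ""),
                    rec.get("service_id", ""), uids[0] if uids else ""))
    return out


if __name__ == "__main__":
    for entry in drop_summary(parse_fw_log_output(SAMPLE_OUTPUT)):
        print("drop", *entry)
```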

fw logswitch

Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
- By default, this command switches the active Security log file - $FWDIR/log/fw.log
- You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch
[-audit] [<Name of Switched Log>]
-h <Target> [[+ | -]<Name of Switched Log>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-audit
    Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).
    You can use this parameter only on a Management Server.

-h <Target>
    Specifies the remote computer, on which to switch the log.
    Notes:
    - The local and the remote computers must have established SIC trust.
    - The remote computer can be a Security Gateway, a Log Server, or a Security Management Server in High Availability deployment.
    - You can specify the remote managed computer by its main IP address or Object Name as configured in SmartConsole.

<Name of Switched Log>
    Specifies the name of the switched log file.
    Notes:
    - If you do not specify this parameter, then the default name is:
      <YYYY-MM-DD_HHMMSS>.log
      <YYYY-MM-DD_HHMMSS>.adtlog
      For example, 2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the switched log file is:
      <Specified_Log_Name>.log
      <Specified_Log_Name>.adtlog
    - The log switch operation fails if the specified name for the switched log matches the name of an existing log file.
    - The maximal length of the specified name of the switched log file is 230 characters.

+
    Specifies to copy the active log from the remote computer to the local computer.
    Notes:
    - If you specify the name of the switched log file, you must write it immediately after this + (plus) parameter.
    - The command copies the active log from the remote computer and saves it in the $FWDIR/log/ directory on the local computer.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command copies the log file from the remote computer, it compresses the file.

-
    Specifies to transfer the active log from the remote computer to the local computer.
    Notes:
    - The command saves the copied active log file in the $FWDIR/log/ directory on the local computer and then deletes the switched log file on the remote computer.
    - If you specify the name of the switched log file, you must write it immediately after this - (minus) parameter.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command transfers the log file from the remote computer, it compresses the file.
    - As an alternative, you can use the "fw fetchlogs" on page 246 command.

Compression
When this command transfers the log files from the remote computer, it compresses the file with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method. The compression ratio varies with the content of the log file and is difficult to predict. Binary data are not compressed. Text data, such as user names and URLs, are compressed.
Example - Switching the active Security log on a Security Management Server or Security
Gateway
[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server


[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

Example - Switching the active Security log on a managed Security Gateway and copying the
switched log
[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

fw lslogs

Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files
($FWDIR/log/*.adtlog) residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]
... [-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime |
etime}] [<Target>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File>
    Specifies the name of the log file to show. Specify only the file name, not its path.
    Notes:
    - If the log file name is not specified explicitly, the command shows all Security log files ($FWDIR/log/*.log).
    - File names may include * and ? as wildcards (for example, 2019-0?-*). If you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command. You must use the "-f" parameter for each log file name pattern:
      -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>

-e
    Shows an extended file list. It includes the following information for each log file:
    - Size - The total size of the log file and its related pointer files
    - Creation Time - The time the log file was created
    - Closing Time - The time the log file was closed
    - Log File Name - The file name

-r
    Reverses the sort order (descending order).

-s {name | size | stime | etime}
    Specifies the sort order of the log files using one of the following sort options:
    - name - The file name
    - size - The file size
    - stime - The time the log file was created (this is the default option)
    - etime - The time the log file was closed

<Target>
    Specifies the remote Check Point computer, with which this local Check Point computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point Computer as configured in SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"


Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 4 - Showing only log files specified by the patterns and their extended
information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse
order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r


Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security
Gateway with main IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' 192.168.3.53


Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#
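The following script is an added example, not part of this guide and not Check Point code. It parses both the default and the -e (extended) fw lslogs listings shown above into records, recognizes files fetched with fw fetchlogs by the <Gateway_Object_Name>__<original name> convention described in that section, and lists switched logs that were closed before a cutoff, which is a simple retention check. The extended sample is the output of Example 5; the default sample is constructed. The script assumes that KB means 1024 bytes and that month abbreviations are English; the guide states neither.

```python
"""Parse 'fw lslogs' output (default and -e forms) and derive retention facts.

Added example for the fw lslogs and fw fetchlogs sections; not Check Point
code. Assumptions: 1 KB = 1024 bytes, English month abbreviations.
"""
import re
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

# Output of Example 5 above (fw lslogs -e -s name -r), prompts included.
SAMPLE_EXTENDED = """\
[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r
Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#
"""

# Constructed default-format listing on a Management Server that also holds a
# file fetched from the gateway MyGW (named <gateway>__<original name>).
SAMPLE_DEFAULT = """\
Size Log file name
23KB 2019-05-16_000000.log
5796KB MyGW__2019-06-01_000000.log
4610KB fw.log
"""

_SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_TIME_FMT = "%d%b%Y %H:%M:%S"          # "14Jun2018 0:00:00"
_ACTIVE_LOGS = ("fw.log", "fw.adtlog")


def parse_size(text: str) -> int:
    """'11KB' -> 11264. Raises ValueError on anything else."""
    m = re.fullmatch(r"(\d+)([KMG]?B)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2)]


def split_fetched_name(name: str) -> Tuple[Optional[str], str]:
    """'MyGW__2019-06-01_000000.log' -> ('MyGW', '2019-06-01_000000.log').

    A file that was not fetched (no double underscore) -> (None, name).
    """
    gateway, sep, original = name.partition("__")
    if sep and gateway and original:
        return gateway, original
    return None, name


def parse_lslogs(text: str) -> List[Dict[str, Any]]:
    """Parse a captured fw lslogs session; handles both column layouts."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[Expert@") or line.startswith("Size "):
            continue                               # prompt or column header
        parts = line.split()
        if len(parts) == 2:                        # default: Size, name
            size, name = parts
            created = closed = None
        elif len(parts) == 6:                      # -e: Size, ctime, etime, name
            size, name = parts[0], parts[5]
            created = datetime.strptime(parts[1] + " " + parts[2], _TIME_FMT)
            closed = datetime.strptime(parts[3] + " " + parts[4], _TIME_FMT)
        else:
            raise ValueError(f"unrecognised fw lslogs line: {line!r}")
        gateway, original = split_fetched_name(name)
        records.append({
            "name": name,
            "bytes": parse_size(size),
            "created": created,
            "closed": closed,
            "gateway": gateway,              # set only for fetched files
            "original_name": original,
            "active": name in _ACTIVE_LOGS,
            "audit": name.endswith(".adtlog"),
        })
    return records


def total_bytes(records: List[Dict[str, Any]]) -> int:
    return sum(r["bytes"] for r in records)


def logs_closed_before(records: List[Dict[str, Any]], cutoff_iso: str) -> List[str]:
    """Names of switched (non-active) logs closed before the ISO 8601 cutoff.

    Only -e output carries closing times; default-format records are skipped.
    """
    cutoff = datetime.fromisoformat(cutoff_iso)
    return [r["name"] for r in records
            if not r["active"] and r["closed"] is not None and r["closed"] < cutoff]


if __name__ == "__main__":
    ext = parse_lslogs(SAMPLE_EXTENDED)
    print("total:", total_bytes(ext), "bytes")
    print("closed before 14 Jun 2018 12:00:", logs_closed_before(ext, "2018-06-14T12:00:00"))
```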

fw mergefiles

Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
- Do not merge the active Security file $FWDIR/log/fw.log with other Security switched log files.
  Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch" on page 1068 command) and only then merge it with other Security switched log files.
- Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit switched log files.
  Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch" on page 1068 command) and only then merge it with other Audit switched log files.
- This command unifies log entries with the same Unique-ID (UID). If you rotate the current active log file before all the segments of a specific log arrive, this command merges the records with the same Unique ID from two different files, into one fully detailed record.
- If the size of the final merged log file exceeds 2GB, this command creates a list of merged files, where the size of each merged file is not more than 2GB.
  The user receives this warning:
  Warning: The size of the files you have chosen to merge is greater than 2GB. The merge will produce two or more files.
  The names of merged files are:
  - <Name of Merged Log File>.log
  - <Name of Merged Log File>_1.log
  - <Name of Merged Log File>_2.log
  - ... ...
  - <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}


fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of
Log File 1> <Name of Log File 2> ... <Name of Log File N> <Name of
Merged Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-r
    Removes duplicate entries.

-s
    Sorts the merged file by the Time field in log records.

-t <Time Conversion File>
    Specifies a full path and name of a file that instructs this command how to adjust the times during the merge.
    This is required if you merge log files from Log Servers configured with different time zones.
    The file format is:
    <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
    <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
    ... ...
    Notes:
    - You must specify the absolute path and the file name.
    - The name of the time conversion file cannot exceed 230 characters.

<Name of Log File 1> ... <Name of Log File N>
    Specifies the log files to merge.
    Notes:
    - You must specify the absolute path and the name of the input log files.
    - The name of the input log file cannot exceed 230 characters.

<Name of Merged Log File>
    Specifies the output merged log file.
    Notes:
    - The name of the merged log file cannot exceed 230 characters.
    - If a file with the specified name already exists, the command stops and asks you to remove the existing file, or to specify another name.
    - The size of the merged log file cannot exceed 2 GB. In such a scenario, the command creates several merged log files, each not exceeding the size limit.
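The following script is an added example for the -t parameter, not part of this guide and not Check Point code. It writes and reads the time conversion file in the layout given above, validating each line as an IP address followed by a signed integer. The guide specifies only the line layout; the example assumes the integer is the number of seconds to add to that Log Server's timestamps to bring them to the reference server's time zone, and derives it from each server's UTC offset in hours.

```python
"""Write and read the time conversion file for 'fw mergefiles -t'.

Added example; not Check Point code. Line layout from the guide:
    <IP Address of Log Server> <Signed Date Time in Seconds>
Assumption (not stated in the guide): the number is the signed offset in
seconds to add to that server's log times to align them with the reference
server's time zone.
"""
import ipaddress
from typing import Dict

MAX_NAME_LEN = 230   # limit the guide gives for the conversion file name


def build_time_conversion(utc_offsets_hours: Dict[str, float],
                          reference_hours: float) -> str:
    """Return the file text for the given Log Servers.

    utc_offsets_hours maps each Log Server IP to its UTC offset in hours
    (for example 2.0 for UTC+2); reference_hours is the offset of the zone
    the merged file should be expressed in. Malformed IPs raise ValueError.
    """
    lines = []
    for ip_text, hours in utc_offsets_hours.items():
        ip = ipaddress.ip_address(ip_text)           # rejects malformed input
        seconds = int(round((reference_hours - hours) * 3600))
        lines.append(f"{ip} {seconds}")
    return "\n".join(lines) + "\n"


def parse_time_conversion(text: str) -> Dict[str, int]:
    """Parse file text back into {ip: signed seconds}, rejecting bad lines."""
    offsets: Dict[str, int] = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {number}: expected '<ip> <seconds>', got {line!r}")
        ip = str(ipaddress.ip_address(parts[0]))
        offsets[ip] = int(parts[1])                  # int() accepts a leading sign
    return offsets


def conversion_file_name_ok(path: str) -> bool:
    """Check the 230-character limit the guide places on the file name."""
    return 0 < len(path) <= MAX_NAME_LEN


if __name__ == "__main__":
    # Constructed example: two Log Servers, merged file expressed in UTC.
    text = build_time_conversion({"192.0.2.10": 2.0, "198.51.100.7": -5.0}, reference_hours=0.0)
    print(text, end="")
    print(parse_time_conversion(text))
```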

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log
$FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#

fw repairlog

Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases, with special pointer files.
If these log pointer files become corrupted (which causes the inability to read the log file), this command can rebuild them.

Log File Type    Log File Location      Log Pointer Files
Security log     $FWDIR/log/*.log       *.logptr, *.logaccount_ptr, *.loginitial_ptr, *.logLuuidDB
Audit log        $FWDIR/log/*.adtlog    *.adtlogptr, *.adtlogaccount_ptr, *.adtloginitial_ptr, *.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file


fw repairlog -u 2019-06-17_000000.adtlog

fw sam

Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block
connections to and from IP addresses without the need to change or reinstall the Security
Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
- In SmartConsole from Monitoring Results
- In CLI with the fw sam command

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- See the "fw sam_policy" and "sam_alert" commands.
- SAM rules consume some CPU resources on Security Gateway.
  Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  This data log file contains the records in one of these formats:
  <type>,<actions>,<expire>,<ipaddr>
  <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
- SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
- IP Addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:


1. Connect with SmartConsole to the applicable Security Management Server or
Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.

Syntax
- To add or cancel a SAM rule according to criteria:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

- To delete all SAM rules:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

- To monitor all SAM rules:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

- To monitor SAM rules according to criteria:

    fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway, on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.

-S <SIC Name of SAM Server>
    Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.
    - For more information about enabling SIC, refer to the OPSEC API Specification.
    - On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway, on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or StandAlone.
    - Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
    Notes:
    - You can use this syntax only on Security Management Server or Domain Management Server.
    - VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
    - It is also possible to use this command for active SAM requests.

-C
    Cancels the fw sam command to inhibit connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds), during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for enforced action:
    - nolog - Does not generate Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:
    - This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
    - This action does not inhibit / close connections.

-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Each inhibited connection is logged according to the log type.
    - Matching connections are rejected.
-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.

-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.
<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    - Source IP Address
    - Source Netmask
    - Destination IP Address
    - Destination Netmask
    - Port (see IANA Service Name and Port Number Registry)
    - Protocol Number (see IANA Protocol Numbers)

    Possible combinations are (see the explanations below this table):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>

Explanation for the <Criteria> syntax

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.
subany <IP> <Netmask>
    Matches either the Source IP address or Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.
    Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, source netmask, destination netmask, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches specific Source IP address, Destination IP, destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Service> <Protocol>
    Matches specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>
    Matches specific Destination IP address, Service (port number) and Protocol.
    Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address and protocol of connections.
    Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address and protocol of connections.
    Destination IP address is assigned according to the netmask.
generic <key=val>+
    Matches the GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    - service=gtp
    - imsi
    - msisdn
    - apn
    - tunl_dst
    - tunl_dport
    - tunl_proto

fw sam_policy

Description
Manages the Suspicious Activity Policy editor that works with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 271
- "sam_alert" on page 376

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy
    add <options>
    batch
    del <options>
    get <options>
fw [-d] samp
    add <options>
    batch
    del <options>
    get <options>

Syntax for IPv6

fw6 [-d] sam_policy
    add <options>
    batch
    del <options>
    get <options>
fw6 [-d] samp
    add <options>
    batch
    del <options>
    get <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 282.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 295.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 297.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 300.

fw sam_policy add

Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined.
    Default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log

-t <Timeout>
    Optional.
    Specifies the time period (in seconds), during which the rule will be enforced.
    Default timeout is indefinite.

-f <Target>
    Optional.
    Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
    <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):
        [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
    See the explanations below.

quota <Quota Filter Arguments>
    Mandatory (use this quota parameter, or the ip parameter).
    Configures the Rate Limiting rule.
    Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):
    - [flush true]
    - [source-negated {true | false}] source <Source>
    - [destination-negated {true | false}] destination <Destination>
    - [service-negated {true | false}] service <Protocol and Port numbers>
    - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
    - [track <Track>]

    Important:
    - The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.
    - Explanation:
      For new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.
      The Security Gateway computes new connection rates on a per-second basis.
      At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.
      If, at some point during that 1-second period, there are too many new connections, then the Security Gateway blocks all remaining packets for the remainder of that 1-second interval.
      At the start of the next 1-second interval, the counters are reset, and the process starts over - the Security Gateway allows packets to pass again up to the point where the rule's limit is violated.
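Added example, not from the guide: a POSIX shell model of the per-second new-conn-rate enforcement described in the Explanation above, run over a constructed packet timeline so the effect of a limit can be seen before a rule is installed. It assumes the violating new connection is itself dropped (the guide says only that the remaining packets in the interval are blocked).

```shell
#!/bin/sh
# Added example (not Check Point code): model of the guide's description of
# new-conn-rate enforcement on a constructed event timeline.
#
# Model, taken from the Explanation above (one assumption is marked):
#   - counters reset at the start of every 1-second interval;
#   - packets for new and existing connections are allowed until the number of
#     new connections in the interval exceeds the limit;
#   - from that point every matching packet is dropped until the next interval
#     (assumption: the violating new connection itself is dropped too).
#
# Each event is "<second>:<kind>", kind n = new connection, e = packet of an
# existing connection. The result is one letter per event: A allowed, D dropped.
simulate_new_conn_rate() {
    limit=$1
    shift
    interval=""
    new_conns=0
    blocking=0
    verdicts=""
    for event in "$@"; do
        second=${event%%:*}
        kind=${event#*:}
        if [ "$second" != "$interval" ]; then
            # new 1-second interval: reset the counter and lift the block
            interval=$second
            new_conns=0
            blocking=0
        fi
        if [ "$blocking" -eq 1 ]; then
            verdicts="${verdicts}D"
            continue
        fi
        if [ "$kind" = "n" ]; then
            new_conns=$((new_conns + 1))
            if [ "$new_conns" -gt "$limit" ]; then
                # limit violated: this and every later packet in the interval is dropped
                blocking=1
                verdicts="${verdicts}D"
                continue
            fi
        fi
        verdicts="${verdicts}A"
    done
    printf '%s\n' "$verdicts"
}

# count_dropped VERDICTS -> number of D letters, for summarising a run
count_dropped() {
    printf '%s' "$1" | tr -cd 'D' | wc -c | tr -d ' '
}

# Constructed timeline for a rule like "new-conn-rate 2": in second 0 a burst of
# four new connections arrives among existing-connection packets; second 1 is calm.
# Expected verdicts: AAAADDDAA (the third new connection trips the limit and the
# rest of second 0 is dropped; second 1 starts clean).
simulate_new_conn_rate 2 0:e 0:n 0:n 0:e 0:n 0:e 0:n 1:e 1:n
```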

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

-C
    Specifies that open connections should be closed.

-s <Source IP>
    Specifies the Source IP address.

-m <Source Mask>
    Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>
    Specifies the Destination IP address.

-M <Destination Mask>
    Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>
    Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>
    Specifies the protocol number (see IANA Protocol Numbers).

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

flush true
    Specifies to compile and load the quota rule to the SecureXL immediately.

[source-negated {true | false}] source <Source>
    Specifies the source type and its value:
    - any
      The rule is applied to packets sent from all sources.
    - range:<IP Address> or range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent from:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent from:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    - Default is: source-negated false
    - The source-negated true processes all source types, except the specified type.

[destination-negated {true | false}] destination <Destination>
    Specifies the destination type and its value:
    - any
      The rule is applied to packets sent to all destinations.
    - range:<IP Address> or range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent to:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent to:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    - Default is: destination-negated false
    - The destination-negated true will process all destination types except the specified type.

[service-negated {true | false}] service <Protocol and Port numbers>
    Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):
    - <Protocol>
      IP protocol number in the range 1-255
    - <Protocol Start>-<Protocol End>
      Range of IP protocol numbers
    - <Protocol>/<Port>
      IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535
    - <Protocol>/<Port Start>-<Port End>
      IP protocol number and range of TCP/UDP port numbers from 1 to 65535
    Notes:
    - Default is: service-negated false
    - The service-negated true will process all traffic except the traffic with the specified protocols and ports.

[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
    Specifies quota limits and their values.
    Note - Separate multiple quota limits with spaces.
    - concurrent-conns <Value>
      Specifies the maximal number of concurrent active connections that match this rule.
    - concurrent-conns-ratio <Value>
      Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - pkt-rate <Value>
      Specifies the maximum number of packets per second that match this rule.
    - pkt-rate-ratio <Value>
      Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - byte-rate <Value>
      Specifies the maximal total number of bytes per second in packets that match this rule.
    - byte-rate-ratio <Value>
      Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - new-conn-rate <Value>
      Specifies the maximal number of connections per second that match the rule.
    - new-conn-rate-ratio <Value>
      Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

[track <Track>]
    Specifies the tracking option:
    - source
      Counts connections, packets, and bytes for specific source IP address, and not cumulatively for this rule.
    - source-service
      Counts connections, packets, and bytes for specific source IP address, and for specific IP protocol and destination port, and not cumulatively for this rule.

Examples
Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
- This rule drops packets for all connections (-a d) that exceed the quota set by this rule, including packets for existing connections.
- This rule logs packets (-l r) that exceed the quota set by this rule.
- This rule will expire in 3600 seconds (-t 3600).
- This rule limits the rate of creation of new connections to 5 connections per second (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
  Note - The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
- This rule will be compiled and loaded on the SecureXL, together with other rules in the Suspicious Activity Monitoring (SAM) policy database immediately, because this rule includes the "flush true" parameter.

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:

- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l r parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536=~1% (concurrent-conns-ratio 655) for any traffic (service any) except (service-negated true) the connections from the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule counts connections, packets, and bytes for traffic only from sources that match this rule, and not cumulatively for this rule.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.
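Added example, not from the guide: a POSIX shell helper that converts a percentage into the parts-per-65536 value the *-ratio limits expect (655 is about 1%, as in Example 5) and assembles a dry-run fw samp add line that always carries a timeout, following the Best Practice above. The rule name, source range, limit value and the fixed "-a d -l r" action and log settings are constructed; the helper prints the line for review instead of running fw samp.

```shell
#!/bin/sh
# Added example (not Check Point code): helpers for building a Rate Limiting
# rule line for "fw samp add" in dry-run form. Every *-ratio limit in the guide
# is expressed in parts per 65536, so a percentage has to be converted first.
# Nothing here executes fw; the caller reviews the printed line.

# ratio_parts PERCENT -> integer parts per 65536 (truncated), the unit used by
# concurrent-conns-ratio, pkt-rate-ratio, byte-rate-ratio, new-conn-rate-ratio.
ratio_parts() {
    pct=$1
    case "$pct" in
        ''|*[!0-9]*) echo "ratio_parts: percent must be an integer 0-100" >&2; return 1 ;;
    esac
    [ "$pct" -le 100 ] || { echo "ratio_parts: percent must be 0-100" >&2; return 1; }
    echo $(( pct * 65536 / 100 ))
}

# parts_to_percent PARTS -> approximate percent with two decimals, for reading
# an existing rule back (655 -> 0.99). Integer math only: work in hundredths.
parts_to_percent() {
    hundredths=$(( $1 * 10000 / 65536 ))
    printf '%d.%02d\n' $(( hundredths / 100 )) $(( hundredths % 100 ))
}

# build_quota_rule NAME TIMEOUT SOURCE SERVICE LIMIT_NAME LIMIT_VALUE
# Emits a line in the form of the guide's "Syntax to configure a Rate Limiting
# rule for IPv4", with drop action, regular log and "flush true" fixed here as
# constructed choices. A positive timeout is required on purpose: the guide's
# Best Practice is to give every SAM Policy rule an expiration.
build_quota_rule() {
    name=$1; timeout=$2; src=$3; svc=$4; lname=$5; lvalue=$6
    case "$timeout" in
        ''|*[!0-9]*|0) echo "build_quota_rule: a positive timeout (seconds) is required" >&2; return 1 ;;
    esac
    case "$lname" in
        concurrent-conns|concurrent-conns-ratio|pkt-rate|pkt-rate-ratio|byte-rate|byte-rate-ratio|new-conn-rate|new-conn-rate-ratio) ;;
        *) echo "build_quota_rule: unknown limit '$lname'" >&2; return 1 ;;
    esac
    # the guide requires a backslash before each backslash or space in the rule name
    escaped=$(printf '%s' "$name" | sed 's/\\/\\\\/g; s/ /\\ /g')
    printf 'fw samp add -a d -l r -t %s -n "%s" quota source %s service %s %s %s flush true\n' \
        "$timeout" "$escaped" "$src" "$svc" "$lname" "$lvalue"
}

# Constructed sample: cap a suspicious range at about 1% of concurrent
# connections for one hour while it is investigated.
parts=$(ratio_parts 1)
build_quota_rule "Investigate scan" 3600 "range:172.16.7.11-172.16.7.13" any concurrent-conns-ratio "$parts"
```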


fw sam_policy batch

Description
The "fw sam_policy batch" and "fw6 sam_policy batch" commands:
n Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
n Add and delete many Rate Limiting rules at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.


n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands survives reboot.
n VSX mode does not support Suspicious Activity Policy configured in SmartView
Monitor. See sk79700.
n In VSX mode, you must go to the context of an applicable Virtual System.
l In Gaia Clish, run: set virtual-system <VSID>

l In the Expert mode, run: vsenv <VSID>

n In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure
1. Start the batch mode

n For IPv4, run:

fw sam_policy batch << EOF

n For IPv6, run:

fw6 sam_policy batch << EOF

2. Enter the applicable commands

n Enter one "add" or "del" command on each line, on as many lines as
necessary.
Start each line with only the "add" or "del" parameter (not with "fw samp").
n Use the same set of parameters and values as described in these commands:
l fw sam_policy add
l fw sam_policy del
n Terminate each line with a Return (ASCII 10 - Line Feed) character (press
Enter).

3. End the batch mode

Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF

add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5

del <501f6ef0,00000000,cb38a8c0,0a0afffe>

add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

EOF
[Expert@HostName]#


fw sam_policy del

Description
The "fw sam_policy del" and "fw6 sam_policy del" commands:
n Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
n Delete one configured Rate Limiting rule at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.


n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands survives reboot.
n VSX mode does not support Suspicious Activity Policy configured in SmartView
Monitor. See sk79700.
n In VSX mode, you must go to the context of an applicable Virtual System.
l In Gaia Clish, run: set virtual-system <VSID>

l In the Expert mode, run: vsenv <VSID>

n In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>' Specifies the UID of the rule you wish to delete.
Important:
n The quote marks and angle brackets ('<...>') are mandatory.
n To see the Rule UID, run the "fw sam_policy get" command.

Procedure
1. List all the existing rules in the Suspicious Activity Monitoring policy database

n For IPv4, run:

fw sam_policy get

n For IPv6, run:

fw6 sam_policy get

The rules are shown in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log=... name=... comment=... originator=... src_ip_addr=... req_type=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a>
target=all timeout=300 action=notify log=log name=Test\ Rule
comment=Notify\ about\ traffic\ from\ 1.1.1.1
originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip

2. Delete a rule from the list by its UID

n For IPv4, run:

fw [-d] sam_policy del '<Rule UID>'

n For IPv6, run:

fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule

n For IPv4, run:

fw samp add -t 2 quota flush true

n For IPv6, run:

fw6 samp add -t 2 quota flush true

Explanation:
The "fw samp del" and "fw6 samp del" commands only remove a rule from the
persistent database. The Security Gateway continues to enforce the deleted rule until
the next time you compile and load a policy. To force the rule deletion immediately,
you must enter a flush-only rule right after the "fw samp del" or "fw6 samp del"
command. This flush-only rule immediately removes the rule you deleted in the
previous step from enforcement, and itself times out in 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This
prevents obsolete rules from accumulating in the database.

fw sam_policy get

Description
The "fw sam_policy get" and "fw6 sam_policy get" commands:
n Show all the configured Suspicious Activity Monitoring (SAM) rules.
n Show all the configured Rate Limiting rules.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.


n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands survives reboot.
n VSX mode does not support Suspicious Activity Policy configured in SmartView
Monitor. See sk79700.
n In VSX mode, you must go to the context of an applicable Virtual System.
l In Gaia Clish, run: set virtual-system <VSID>

l In the Expert mode, run: vsenv <VSID>

n In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l Controls how to print the rules:
n In the default format (without "-l"), the output shows each rule on a separate line.
n In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
n See the "fw sam_policy add" command.

-u '<Rule UID>' Prints the rule specified by its Rule UID or its zero-based rule index.
The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>' Prints the rules with the specified predicate key.
The quote marks are mandatory.

-t <Type> Prints the rules with the specified predicate type.
For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'} Prints the rules with the specified predicate values.
The quote marks are mandatory.

-n Negates the condition specified by these predicate parameters:
n -k
n -t
n +-v

Examples
Example 1 - Output in the default format
[Expert@HostName:0]# fw samp get

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip

Example 2 - Output in the list format


[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID


[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip

Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source
range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated
true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service
6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ
concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite
action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655
track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop
log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_
type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite
action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite
action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-
rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite
action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite
action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-
rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite
action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655
track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite
action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-
rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop
log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_
type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite
action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite
action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655
track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite
action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-
rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop
log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_
type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite
action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655
track=source req_type=quota
[Expert@HostName:0]#
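The predicate filters of "fw samp get" shown above and the del-then-flush procedure of "fw samp del" both work on the same key=value rule records. As an added example that is not part of this guide, the Python helper below (assumed names parse_sam_rules, match_rules, indefinite_rules, batch_delete_script) parses default-format "fw samp get" output, reproduces the -k/-t in/-v/-n selection, lists rules that never expire, and builds the stdin for "fw samp batch" ending with the flush-only rule the del procedure requires. The sample output is constructed from UIDs shown in this section, and treating a rule that lacks the key as non-matching under -n is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of default-format "fw samp get" output (one rule per
# line), modelled on the examples in this section; the UIDs are illustrative.
SAMPLE_GET_OUTPUT = r"""operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
"""

# A value may contain "\ " (an escaped space, e.g. name=Test\ Rule), so a token
# is a run of escaped characters or non-space characters: split on unescaped
# whitespace only.
_TOKEN_RE = re.compile(r"(?:\\.|[^\s\\])+")


def parse_sam_rules(output: str) -> List[Dict[str, str]]:
    """Parse default-format 'fw samp get' output into one dict per rule."""
    rules: List[Dict[str, str]] = []
    for line in output.splitlines():
        line = line.strip()
        # An empty database prints "no corresponding SAM policy requests".
        if not line or line.startswith("no corresponding"):
            continue
        rule: Dict[str, str] = {}
        for token in _TOKEN_RE.findall(line):
            key, sep, value = token.partition("=")
            if sep:
                rule[key] = re.sub(r"\\(.)", r"\1", value)  # unescape "\ "
        if "uid" in rule:
            rules.append(rule)
    return rules


def match_rules(rules: List[Dict[str, str]], key: str,
                value: Optional[str] = None, negate: bool = False) -> List[Dict[str, str]]:
    """Mirror 'fw samp get -k <key> -t in [-v <value>] [-n]': keep rules whose
    predicate <key> exists (and equals <value> when given); -n inverts the
    selection. Assumption: a rule without the key counts as non-matching."""
    def matches(rule: Dict[str, str]) -> bool:
        return key in rule and (value is None or rule[key] == value)
    return [r for r in rules if matches(r) != negate]


def indefinite_rules(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rules with no expiration (timeout=indefinite): the Best Practice above
    is to keep only the required rules, so these deserve a periodic review."""
    return [r for r in rules if r.get("timeout") == "indefinite"]


def batch_delete_script(rules: List[Dict[str, str]], ipv6: bool = False,
                        flush_timeout: int = 2) -> str:
    """Build the stdin for 'fw samp batch': one 'del' line per rule (no quote
    marks inside the here-document, as in the batch example above), followed
    by the flush-only rule that makes the deletion take effect at once."""
    cmd = "fw6 samp batch" if ipv6 else "fw samp batch"
    lines = [f"del {r['uid']}" for r in rules]
    lines.append(f"add -t {flush_timeout} quota flush true")
    return f"{cmd} <<EOF\n" + "\n".join(lines) + "\nEOF\n"


if __name__ == "__main__":
    parsed = parse_sam_rules(SAMPLE_GET_OUTPUT)
    for rule in match_rules(parsed, "action", "bypass"):
        print("bypass rule:", rule["uid"], rule.get("source"), rule.get("service"))
    print(batch_delete_script(indefinite_rules(parsed)))
```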

fwm
Description
Performs various management operations and shows various management information.

Notes:
n For debug instructions, see the description of the fwm process in sk97638.
n On a Multi-Domain Server, you must run these commands in the context of the
applicable Domain Management Server.

Syntax

fwm [-d]
dbload <options>
exportcert <options>
fetchfile <options>
fingerprint <options>
getpcap <options>
ikecrypt <options>
load [<options>]
logexport <options>
mds <options>
printcert <options>
sic_reset
snmp_trap <options>
unload [<options>]
ver [<options>]
verify <options>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

dbload <options> Downloads the user database and network objects information to the specified targets.
See "fwm dbload" on page 309.

exportcert <options> Exports a SIC certificate of the specified object to a file.
See "fwm exportcert" on page 310.

fetchfile <options> Fetches a specified OPSEC configuration file from the specified source computer.
See "fwm fetchfile" on page 311.

fingerprint <options> Shows the Check Point fingerprint.
See "fwm fingerprint" on page 313.

getpcap <options> Fetches the IPS packet capture data from the specified Security Gateway.
See "fwm getpcap" on page 315.

ikecrypt <options> Encrypts a secret with a key.
See "fwm ikecrypt" on page 317.

load <options> This command is obsolete for R80 and higher.
Use the "mgmt_cli" on page 362 command to load a policy to a managed Security Gateway.
See "fwm load" on page 318.

logexport <options> Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.
See "fwm logexport" on page 319.

mds <options> Shows information and performs various operations on a Multi-Domain Server.
See "fwm mds" on page 324.

printcert <options> Shows a SIC certificate's details.
See "fwm printcert" on page 326.

sic_reset Resets SIC on the Management Server.
See "fwm sic_reset" on page 332.

snmp_trap <options> Sends an SNMP Trap to the specified host.
See "fwm snmp_trap" on page 333.

unload <options> Unloads the policy from the specified managed Security Gateways.
See "fwm unload" on page 336.

ver <options> Shows the Check Point version of the Management Server.
See "fwm ver" on page 340.

verify <options> This command is obsolete for R80 and higher.
Use the "mgmt_cli" on page 362 command to verify a policy.
See "fwm verify" on page 341.

fwm dbload

Description
Copies the user database and network objects information to specified managed servers with
one or more Management Software Blades enabled.

Important - This command is obsolete for R80 and higher.
Use the API command "install-database" to install the database on the applicable servers.
See the Check Point Management API Reference.

fwm exportcert

Description
Exports a SIC certificate of the specified managed object to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file <Output File> [-withroot] [-pem]

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in sk97638.

-obj <Name of Object> Specifies the name of the managed object, whose certificate you wish to export.

-cert <Name of CA> Specifies the name of the Certificate Authority, whose certificate you wish to export.

-file <Output File> Specifies the name of the output file.

-withroot Exports the certificate's root in addition to the certificate's content.

-pem Saves the exported information in a text file.
The default is to save it in a binary file.

fwm fetchfile

Description
Fetches a specified OPSEC configuration file from the specified source computer.
This command supports only the fwopsec.conf or fwopsec.v4x files.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-r <File> Specifies the file to fetch, as a path relative to the fw1 directory.
This command supports only these files:
n conf/fwopsec.conf
n conf/fwopsec.v4x

-d <Local Path> Specifies the local directory in which to save the fetched file.

<Source> Specifies the managed remote source computer, from which to fetch the file.
Note - The local and the remote source computers must have established SIC trust.

Example

[Expert@MGMT:0]# fwm fetchfile -r "conf/fwopsec.conf" -d /tmp 192.168.3.52
Fetching conf/fwopsec.conf from 192.168.3.52...
Done
[Expert@MGMT:0]#

fwm fingerprint

Description
Shows the Check Point fingerprint.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fingerprint [-d] {<IP address of Target> | localhost} <SSL Port>

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
The debug options are:
n fwm -d
Runs the complete debug of all fwm actions.
For complete debug instructions, see the description of the fwm process in sk97638.
n fingerprint -d
Runs the debug only for the fingerprint actions.

<IP address of Target> Specifies the IP address of a remote managed computer.

<SSL Port> Specifies the SSL port number.
The default is 443.

Example 1 - Showing the fingerprint on the local Management Server

[Expert@MGMT:0]# fwm fingerprint localhost 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

Example 2 - Showing the fingerprint from a managed Security Gateway

[Expert@MGMT:0]# fwm fingerprint 192.168.3.52 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.52,L=Locality Name (eg\, city)
#FINGER 5C:8E:4D:B9:B4:3A:58:F3:79:18:F1:70:99:8B:5F:2B
##
[Expert@MGMT:0]#

fwm getpcap

Description
Fetches the IPS packet capture data from the specified Security Gateway.
This command only works with IPS packet captures stored on the Security Gateway in the
$FWDIR/log/captures_repository/ directory.
This command does not work with other Software Blades, such as Anti-Bot and Anti-Virus, which
store their packet captures in the $FWDIR/log/blob/ directory on the Security Gateway.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p <Local Path>

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in sk97638.

-g <Security Gateway> Specifies the main IP address or Name of the Security Gateway object as configured in SmartConsole.

-u '{<Capture UID>}' Specifies the Unique ID of the packet capture file.
To see the Unique ID of the packet capture file, open the applicable log file in SmartConsole > Logs & Monitor > Logs.

-p <Local Path> Specifies the local path in which to save the specified packet capture file.
If you do not specify the local directory explicitly, the command saves the packet capture file in the current working directory.

Example

[Expert@MGMT:0]# fwm getpcap -g 192.168.162.1 -u '{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}' /var/log/
[Expert@MGMT:0]#

fwm ikecrypt

Description
Encrypts the password of an Endpoint VPN Client user using IKE. The resulting string must
then be stored in the LDAP database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ikecrypt <Key> <Password>

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in sk97638.

<Key> Specifies the IKE Key as defined in the LDAP Account Unit properties window on the Encryption tab.

<Password> Specifies the password for the Endpoint VPN Client user.

Example

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword
OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#

fwm load

Description
Loads a policy on a managed Security Gateway.

Important - This command is obsolete for R80 and higher.
Use the API command "install-policy" to load a policy on a managed Security Gateway.
See the Check Point Management API Reference.

fwm logexport

Description
Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog)
to an ASCII file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm logexport -h
fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>] [-i <Input File>] [-o <Output File>] [{-f | -e}] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-n] [-p] [-a] [-u <Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

Parameter Description

-h Shows the built-in usage.

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in sk97638.

{-d <Delimiter> | -s} Specifies the output delimiter between fields of log entries:
n -d <Delimiter> - Uses the specified delimiter.
n -s - Uses the ASCII character #255 (non-breaking space) as the delimiter.
Note - If you do not specify the delimiter explicitly, the default is a semicolon (;).

-t <Table Delimiter> Specifies the output delimiter inside a table field.
A table field looks like this:
ROWx:COL0,ROWx:COL1,ROWx:COL2, and so on
Note - If you do not specify the table delimiter explicitly, the default is a comma (,).

-i <Input File> Specifies the name of the input log file.
Notes:
n This command supports only Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog).
n If you do not specify the input log file explicitly, the command processes the active Security log file $FWDIR/log/fw.log.

-o <Output File> Specifies the name of the output file.
Note - If you do not specify the output file explicitly, the command prints its output on the screen.

-f After reaching the end of the currently opened log file, continues to monitor the log file indefinitely and exports the new entries as well.
Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-e After reaching the end of the currently opened log file, continues to monitor the log file indefinitely and exports the new entries as well.
Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-x <Start Entry Number> Starts exporting the log entries from the specified log entry number onward, counting from the beginning of the log file.

-y <End Entry Number> Exports the log entries up to and including the specified log entry number, counting from the beginning of the log file.

-z In case of an error (for example, a wrong field value), continues the export of log entries.
The default behavior is to stop.

-n Specifies not to perform DNS resolution of the IP addresses in the log file (this is the default behavior).
This significantly speeds up the log processing.

-p Specifies not to perform resolution of the port numbers in the log file (this is the default behavior).
This significantly speeds up the log processing.

-a Exports only Account log entries.

-u <Unification Scheme File> Specifies the path and name of the log unification scheme file.
The default log unification scheme file is:
$FWDIR/conf/log_unification_scheme.C

-m {initial | semi | raw} Specifies the log unification mode:
n initial - Complete unification of log entries. The command exports one unified log entry for each ID. This is the default.
If you also specify the "-f" parameter, then the output does not export any updates, but exports only entries that relate to the start of new connections. To export updates as well, use the "semi" parameter.
n semi - Step-by-step unification of log entries. For each log entry, exports an entry that unifies this entry with all previously encountered entries with the same ID.
n raw - No log unification. Exports all log entries.

The output of the fwm logexport command appears in tabular format.
The first row lists the names of all log fields included in the log entries.
Each of the next rows consists of a single log entry, whose fields are sorted in the same order as the first row.
If a log entry has no information in a specific field, this field remains empty (as indicated by two successive semicolons ";;").
You can control which log fields appear in the output of the command:

Step Instructions

1 Create the $FWDIR/conf/logexport.ini file:
[Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini

2 Edit the $FWDIR/conf/logexport.ini file:
[Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

3 To include or exclude the log fields from the output, add these lines in the configuration file:
[Fields_Info]
included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
excluded_fields = field10,field11
Where:
n You can specify only the included_fields parameter, only the excluded_fields parameter, or both.
n The num field must always appear first. You cannot manipulate this field.
n The <REST_OF_FIELDS> is an optional reserved token that refers to a list of fields.
l If you specify the "-f" parameter, then the <REST_OF_FIELDS> is based on a list of fields from the $FWDIR/conf/logexport_default.C file.
l If you do not specify the "-f" parameter, then the <REST_OF_FIELDS> is based on the input log file.

4 Save the changes in the file and exit the Vi editor.

5 Export the logs:
fwm logexport <options>
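As an added example that is not part of this guide, the Python code below parses the tabular "fwm logexport" output described above (header row, one entry per row, empty fields as ";;") and applies the [Fields_Info] selection from logexport.ini, including the <REST_OF_FIELDS> token and the rule that num always comes first. The sample output is constructed, the function names (parse_logexport, select_fields, export_entries, failed_entries) are assumed, and expanding <REST_OF_FIELDS> to the fields not named explicitly, in their input order, is an assumption about the token's semantics.

```python
from typing import Dict, Iterable, List, Optional

# Constructed excerpt of "fwm logexport" output with the default ";" delimiter:
# the "Starting..." banner, the header row (num first), entries and an elided
# "... ..." row as printed in the examples below. The field set is shortened.
SAMPLE_LOGEXPORT = """Starting... There are 113 log records in the file
num;date;time;orig;type;action;description;status;reason
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;Contracts;Started;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;Contracts;Failed;Could not reach the contract service. Check DNS and Proxy configuration on the gateway.
"""


def parse_logexport(text: str, delimiter: str = ";") -> List[Dict[str, str]]:
    """Parse 'fwm logexport' output: the first row that starts with 'num' names
    the fields; every later row is one entry; an empty field is just ';;'."""
    fields: Optional[List[str]] = None
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if fields is None:
            if line.startswith("num" + delimiter):
                fields = line.split(delimiter)
            continue  # skip the "Starting..." banner before the header
        if not line or line.startswith("..."):
            continue  # elided rows in a captured sample
        values = line.split(delimiter)
        if len(values) != len(fields):
            continue  # wrapped or truncated line, not a complete record
        entries.append(dict(zip(fields, values)))
    return entries


def select_fields(all_fields: Iterable[str],
                  included: Optional[List[str]] = None,
                  excluded: Iterable[str] = ()) -> List[str]:
    """Apply the [Fields_Info] rules: included_fields may carry the reserved
    <REST_OF_FIELDS> token (assumed to expand to every field not named
    explicitly, in input order), excluded_fields are dropped, and 'num' is
    always first and cannot be manipulated."""
    rest = [f for f in all_fields if f != "num"]
    if included is None:
        chosen = list(rest)
    else:
        chosen = []
        for f in included:
            if f == "<REST_OF_FIELDS>":
                chosen.extend(x for x in rest
                              if x not in chosen and x not in included)
            elif f != "num":
                chosen.append(f)
    chosen = [f for f in chosen if f not in excluded]
    return ["num"] + chosen


def export_entries(entries: List[Dict[str, str]], fields: List[str],
                   delimiter: str = ";") -> str:
    """Re-emit entries in the same tabular format, restricted and reordered
    to the selected fields (missing fields stay empty)."""
    lines = [delimiter.join(fields)]
    for entry in entries:
        lines.append(delimiter.join(entry.get(f, "") for f in fields))
    return "\n".join(lines)


def failed_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Control entries whose status is 'Failed', such as the contract check
    in the examples below; a cheap triage filter over the exported table."""
    return [e for e in entries if e.get("status") == "Failed"]


if __name__ == "__main__":
    parsed = parse_logexport(SAMPLE_LOGEXPORT)
    columns = select_fields(parsed[0].keys(),
                            included=["date", "time", "<REST_OF_FIELDS>", "reason"],
                            excluded=["orig"])
    print(export_entries(failed_entries(parsed), columns))
```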

Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_
id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_
name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_
name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-
1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file
has been switched to: MyLog.log;Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_
192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_
192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host
Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-
1;CN=CXL1_192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>
;1;;;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-
1;CN=CXL1_192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could
not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy
configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#
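The exported records above are plain semicolon-separated text: one header line naming the fields (num first) and one line per record. The parser below is an added example, not part of the guide or of Check Point's tooling. It reads that format from a constructed sample built from the Example 1 and 2 records (with the wrapping undone), applies the same num-range selection that -x 36 -y 47 produced in Example 2, and pulls out control records whose status is Failed, such as the Contracts update that could not reach its service. It assumes no field value contains a semicolon, and reports a field-count mismatch instead of guessing how to re-align the columns.

```python
"""Parse the semicolon-delimited records that fwm logexport writes (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the guide's Example 1/2 records, one record per line.
SAMPLE_EXPORT = """Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file has been switched to: MyLog.log;Network;;;;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
"""

STATUS_LINE = re.compile(r"^Starting\.\.\. There are (\d+) log records in the file$")
SKIP_PREFIXES = ("[Expert@", "... ...")   # shell prompts and the guide's elision marks


def parse_logexport(text: str) -> Tuple[List[str], List[Dict[str, str]], Optional[int]]:
    """Return (field names, records, declared record count).

    The first data line is the header; every later line must split into exactly
    as many values as the header has fields.  A mismatch is reported rather than
    silently re-aligned, because a free-text value containing ';' would shift
    every column after it.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    declared: Optional[int] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(SKIP_PREFIXES):
            continue
        m = STATUS_LINE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        values = line.split(";")
        if not fields:
            if values[0] != "num":
                raise ValueError("the num field must be the first exported field")
            fields = values
            continue
        if len(values) != len(fields):
            raise ValueError(f"record {values[0]}: {len(values)} values for {len(fields)} fields")
        records.append(dict(zip(fields, values)))
    return fields, records, declared


def select_range(records: List[Dict[str, str]], first: int, last: int) -> List[Dict[str, str]]:
    """Keep records whose num lies in [first, last], as Example 2's -x 36 -y 47 run shows."""
    return [r for r in records if first <= int(r["num"]) <= last]


def failed_control_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Control-type records with status Failed (the Contracts update in the sample)."""
    return [r for r in records if r["type"] == "control" and r["status"] == "Failed"]


def summarize_failures(records: List[Dict[str, str]]) -> List[str]:
    """One line per failure: when, what failed, the stated reason and impact."""
    return [f"{r['num']} {r['date']} {r['time']} {r['description']}: {r['reason']} "
            f"(impact: {r['failure_impact']})" for r in failed_control_records(records)]
```

The declared count (113 in the sample) is the number of records in the input file, not the number exported, so a script that reads a partial export should not treat a shortfall as corruption.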


fwm mds

Description
- Shows the Check Point version of the Multi-Domain Server.
- Rebuilds status tree for Global VPN Communities.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS: mdsenv
- In the context of a Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] mds ver
fwm [-d] mds rebuild_global_communities_status {all | missing}

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

ver
    Shows the Check Point version of the Multi-Domain Server.

rebuild_global_communities_status {all | missing}
    Rebuilds status tree for Global VPN Communities:
    - all - Rebuilds status tree for all Global VPN Communities.
    - missing - Rebuilds status tree only for Global VPN Communities that do not have status trees.


Example

[Expert@MDS:0]# fwm mds ver
This is Check Point Multi-Domain Security Management R80.40 - Build 11
[Expert@MDS:0]#


fwm printcert

Description
Shows a SIC certificate's details.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] printcert -obj <Name of Object> [-cert <Certificate Nick Name>] [-verbose]
fwm [-d] printcert -ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
fwm [-d] printcert -f <Name of Binary Certificate File> [-verbose]


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-obj <Name of Object>
    Specifies the name of the managed object, for which to show the SIC certificate information.

-cert <Certificate Nick Name>
    Specifies the certificate nick name.

-ca <CA Name>
    Specifies the name of the Certificate Authority.
    Note - Check Point CA Name is internal_ca.

-x509 <Name of File>
    Specifies the name of the X.509 file.

-p
    Specifies to show the SIC certificate as a text file.

-f <Name of Binary Certificate File>
    Specifies the binary SIC certificate file to show.

-verbose
    Shows the information in verbose mode.


Examples
Example 1 - Showing the SIC certificate of a Management Server
[Expert@MGMT:0]# fwm printcert -ca internal_ca
Subject: O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Apr 8 13:41:00 2018 Local Time
Not Valid After: Fri Jan 1 05:14:07 2038 Local Time
Serial No.: 1
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint:
is CA
MD5 Fingerprint:
7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM
[Expert@MGMT:0]#


Example 2 - Showing the SIC certificate of a Management Server in verbose mode


[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: called
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: closing existing database
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] do_links_getver: strncmp failed. Returning -2
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] db_fetchkey: entering
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] PubKey:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Modulus:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45 f1 00 04 bc
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be db 75 cc c8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c2 6d ff 3e aa fe f1 2b c3 0a b0 a2 a5 e0 a8 ab 45 cd 87 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ac c6 9f a4 a9 ba 30 79 08 fa 59 4c d2 dc 3d 36 ca 17 d7 c1
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] b2 a2 41 f5 89 0f 00 d4 2d f2 55 d2 30 a5 32 c7 46 7a 6b 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 29 0f 53 9f 35 42 91 e5 7d f7 30 6d bc b3 f2 ae f3 f0 ed 88
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c4 d7 7d 0c 2d f6 5f c8 ed 9f 9a 57 54 79 d0 0f 0b 2f 9c 0d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 94 2e f0 f4 66 62 f7 ae 2e f8 8e 90 08 ba 63 85 b6 46 2f b7
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a7 01 29 9a 14 58 a8 ef eb 07 17 4e 95 8b 2f 48 5f d3 18 10
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 00 d5 03 d7 fd 45 45 ca 67 5b 34 be b8 00 ae ea 9a cd 50
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] d6 e7 a2 81 86 78 11 d7 bf 04 9f 8b 43 3f f7 36 5f ed 31 a8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50 01 0f 86 9d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Exponent: 65537 (0x10001)
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52]
X509 Certificate Version 3
refCount: 1
Serial Number: 1
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MGMT:0]#


Example 3 - Showing the SIC certificate of a managed Cluster object


[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.3.244
CRL distribution points:
http://192.168.3.240:18264/ICA_CRL2.crl
CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
[Expert@MGMT:0]#


Example 4 - Showing the SIC certificate of a managed Cluster object in verbose mode
[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: called
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: closing existing database
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] do_links_getver: strncmp failed. Returning -2

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering


[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 1 certificates
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] PubKey:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Modulus:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] df 35 c3 45 ca 42 16 6e 21 9e 31 af c1 fd 20 0a 3d 5b 6f 5d
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] e0 a2 0c 0e fa fa 5e e5 91 9d 4e 73 77 fa db 86 0b 5e 5d 0c
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] ce af 4a a4 7b 30 ed b0 43 7d d8 93 c5 4b 01 f4 3d b5 d8 f4
... ... ...
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 34 b1 db ac 18 4f 11 bd d2 fb 26 7d 23 74 5c d9 00 a1 58 1e
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 60 7c 83 44 fa 1e 1e 86 fa ad 98 f7 df 24 4a 21
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Exponent: 65537 (0x10001)
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45]
X509 Certificate Version 3
refCount: 1
Serial Number: 85021
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Jun 3 19:58:19 2018 Local Time
Not valid after: Sat Jun 3 19:58:19 2023 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Subject Alternate names:
IP: 192.168.3.244
Basic Constraint:
not CA
CRL distribution Points:
URI: http://192.168.3.240:18264/ICA_CRL2.crl
DN: CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy


[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager: called.
*****
[Expert@MGMT:0]#
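The four examples above show the two shapes of fwm printcert output: "Key: value" lines and "Key:" headings followed by indented items (Key Usage, Basic Constraint, fingerprints, CRL distribution points). The parser below is an added example, not Check Point code; it works on a constructed sample in the shape of Example 3 and reports what an operator checks on a SIC certificate: the days until Not Valid After, whether the Basic Constraint marks it as a CA, and whether the Key Usage fits that role. The reference date given to report() is the caller's choice; the sample's certificate carries the June 2023 expiry shown in Example 3.

```python
"""Parse fwm printcert output and report lifetime and role of a SIC certificate (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Union

# Constructed sample in the shape of the guide's Example 3 (non-verbose host certificate).
SAMPLE_PRINTCERT = """printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.3.244
CRL distribution points:
http://192.168.3.240:18264/ICA_CRL2.crl
CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
"""

Field = Union[str, List[str]]
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_printcert(text: str) -> Dict[str, Field]:
    """'Key: value' lines become strings; a bare 'Key:' line opens a list that
    collects the lines beneath it until the next keyed line."""
    cert: Dict[str, Field] = {}
    bucket: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            cert[key] = value.strip()
            bucket = None
        elif line.endswith(":"):
            bucket = []
            cert[line[:-1]] = bucket
        elif bucket is not None:
            bucket.append(line)
    return cert


def _local_time(value: str) -> datetime:
    """'Sat Jun 3 19:58:19 2023 Local Time' -> datetime; the 'Local Time' suffix is dropped."""
    return datetime.strptime(" ".join(value.split()[:5]), DATE_FMT)


@dataclass
class CertReport:
    subject: str
    issuer: str
    is_ca: bool
    key_usage: List[str]
    sha1_fingerprint: str
    days_until_valid: int   # positive while Not Valid Before is still in the future
    days_left: int          # negative once Not Valid After has passed


def report(cert: Dict[str, Field], now: datetime) -> CertReport:
    not_before = _local_time(str(cert["Not Valid Before"]))
    not_after = _local_time(str(cert["Not Valid After"]))
    sha1 = [f[3:] for f in cert.get("SHA-1 Fingerprints", []) if f.startswith("1. ")]
    return CertReport(
        subject=str(cert["Subject"]), issuer=str(cert["Issuer"]),
        is_ca="is CA" in cert.get("Basic Constraint", []),
        key_usage=list(cert.get("Key Usage", [])),
        sha1_fingerprint=sha1[0] if sha1 else "",
        days_until_valid=(not_before - now).days,
        days_left=(not_after - now).days)


def findings(rep: CertReport, warn_days: int = 30) -> List[str]:
    """What to act on: the validity window, and a Key Usage that does not fit the CA flag."""
    out: List[str] = []
    if rep.days_until_valid > 0:
        out.append(f"not valid for another {rep.days_until_valid} days")
    if rep.days_left < 0:
        out.append("expired")
    elif rep.days_left <= warn_days:
        out.append(f"expires in {rep.days_left} days")
    if rep.is_ca != ("keyCertSign" in rep.key_usage):
        out.append("Key Usage does not match the Basic Constraint CA flag")
    return out
```

Run against the CA output of Example 1 the same parser yields is_ca True with keyCertSign present, so findings() stays empty; the mismatch check fires only when an end-entity certificate carries keyCertSign or a CA certificate lacks it.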


fwm sic_reset

Description
Resets SIC on the Management Server.
For detailed procedure, see sk65764: How to reset SIC.

Warning:
- Before you run this command, take a Gaia Snapshot and a full backup of the Management Server.
  This command resets SIC between the Management Server and all its managed objects.
- This operation breaks trust in all Internal CA certificates and SIC trust across the managed environment.
  Therefore, we do not recommend it at all, except for real disaster recovery.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] sic_reset

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.


fwm snmp_trap

Description
Sends an SNMPv1 Trap to the specified host.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- On a Multi-Domain Server, the SNMP Trap packet is sent from the IP address of the Leading Interface.

Syntax

fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s <Specific Trap Number>] [-p <Source Port>] [-c <SNMP Community>] <Target> ["<Message>"]


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-v <SNMP OID>
    Specifies an optional SNMP OID to bind with the message.

-g <Generic Trap Number>
    Specifies the generic trap number. One of these values:
    - 0 - For coldStart trap
    - 1 - For warmStart trap
    - 2 - For linkDown trap
    - 3 - For linkUp trap
    - 4 - For authenticationFailure trap
    - 5 - For egpNeighborLoss trap
    - 6 - For enterpriseSpecific trap (this is the default value)

-s <Specific Trap Number>
    Specifies the unique trap type.
    Valid only if the generic trap value is 6 (for enterpriseSpecific).
    Default value is 0.

-p <Source Port>
    Specifies the source port, from which to send the SNMP Trap packets.

-c <SNMP Community>
    Specifies the SNMP community.

<Target>
    Specifies the managed target host, to which to send the SNMP Trap packets.
    Enter an IP address or a resolvable hostname.

"<Message>"
    Specifies the SNMP Trap text message.


Example - Sending an SNMP Trap from a Management Server and capturing the traffic on
the Security Gateway

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public 192.168.3.52 "My Trap Message"


[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host 192.168.3.51


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:49:43.891287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 103)
192.168.3.51.53450 > MyGW_192.168.3.52.snmptrap: [udp sum ok] { SNMPv1 { Trap(58) E:2620.1.1
192.168.3.240 linkDown 1486440 E:2620.1.1.11.0="My Trap Message" } }
Pressed CTRL+C
[Expert@MyGW_192.168.3.52:0]#
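The capture above shows what fwm snmp_trap puts on the wire: an SNMPv1 message (community public) carrying a Trap-PDU with the enterprise OID (tcpdump abbreviates 1.3.6.1.4.1 as E:), the agent address, the generic trap number from -g, the specific trap number from -s, a time-ticks value, and one varbind holding the message. The codec below is an added example, not Check Point code: it builds and parses that PDU per RFC 1157 with a minimal BER subset and is fed the values visible in the tcpdump line. The varbind OID 1.3.6.1.4.1.2620.1.1.11.0 is the expansion of E:2620.1.1.11.0, and the time-ticks value is the one in the capture; both are assumed, since the guide does not state them outside the capture.

```python
"""Encode and decode an SNMPv1 Trap-PDU (RFC 1157) like the one fwm snmp_trap sends.
Added example: a minimal BER subset, fed the values visible in the tcpdump capture."""
from dataclasses import dataclass
from typing import List, Tuple

GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}
TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x06, 0x30
TAG_IPADDR, TAG_TIMETICKS, TAG_TRAP_PDU = 0x40, 0x43, 0xA4  # APPLICATION 0, APPLICATION 3, [4] IMPLICIT


@dataclass
class TrapV1:
    community: str
    enterprise: str                  # dotted OID
    agent_addr: str                  # dotted IPv4
    generic_trap: int                # the -g value
    specific_trap: int               # the -s value; meaningful only when generic_trap == 6
    timeticks: int                   # sender uptime in hundredths of a second
    varbinds: List[Tuple[str, str]]  # (OID, OCTET STRING) pairs, e.g. the -v OID and "<Message>"


def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; short-form length below 128 bytes, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _int(value: int, tag: int = TAG_INT) -> bytes:
    """Minimal two's-complement INTEGER; TimeTicks reuses it under its own tag."""
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, continuation bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_trap(t: TrapV1) -> bytes:
    agent = _tlv(TAG_IPADDR, bytes(int(o) for o in t.agent_addr.split(".")))
    vbl = b"".join(_tlv(TAG_SEQ, _oid(o) + _tlv(TAG_OCTETS, v.encode())) for o, v in t.varbinds)
    pdu = (_oid(t.enterprise) + agent + _int(t.generic_trap) + _int(t.specific_trap)
           + _int(t.timeticks, TAG_TIMETICKS) + _tlv(TAG_SEQ, vbl))
    return _tlv(TAG_SEQ, _int(0) + _tlv(TAG_OCTETS, t.community.encode()) + _tlv(TAG_TRAP_PDU, pdu))


def _read(buf: bytes, pos: int, expect: int) -> Tuple[bytes, int]:
    """Read the TLV at pos, insisting on the expected tag; return (body, next position)."""
    if pos + 2 > len(buf) or buf[pos] != expect:
        raise ValueError(f"expected tag 0x{expect:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("length runs past the end of the message")
    return buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_trap(wire: bytes) -> TrapV1:
    msg, _ = _read(wire, 0, TAG_SEQ)
    ver, p = _read(msg, 0, TAG_INT)
    if int.from_bytes(ver, "big", signed=True) != 0:
        raise ValueError("not an SNMPv1 message")
    comm, p = _read(msg, p, TAG_OCTETS)
    pdu, _ = _read(msg, p, TAG_TRAP_PDU)
    ent, p = _read(pdu, 0, TAG_OID)
    addr, p = _read(pdu, p, TAG_IPADDR)
    gen, p = _read(pdu, p, TAG_INT)
    spec, p = _read(pdu, p, TAG_INT)
    ticks, p = _read(pdu, p, TAG_TIMETICKS)
    vbl, _ = _read(pdu, p, TAG_SEQ)
    varbinds, q = [], 0
    while q < len(vbl):
        vb, q = _read(vbl, q, TAG_SEQ)
        oid, r = _read(vb, 0, TAG_OID)
        val, _ = _read(vb, r, TAG_OCTETS)
        varbinds.append((_decode_oid(oid), val.decode(errors="replace")))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return TrapV1(comm.decode(), _decode_oid(ent), ".".join(map(str, addr)),
                  as_int(gen), as_int(spec), as_int(ticks), varbinds)


def describe(t: TrapV1) -> str:
    """One-line summary in the spirit of the tcpdump output above."""
    name = GENERIC_TRAPS.get(t.generic_trap, "unknown")
    if t.generic_trap == 6:
        name += f"({t.specific_trap})"
    return f"{t.agent_addr} {name} {t.enterprise} " + " ".join(f'{o}="{v}"' for o, v in t.varbinds)
```

A receiver built this way checks the tag at every level and rejects truncated or overlong lengths before trusting any field. The capture also makes the protocol's limits visible: the community string and the message travel in clear text and nothing in the packet authenticates the sender, so the trap receiver should accept traps only from known management addresses and treat the message content as untrusted input.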


fwm unload

Description
Unloads the policy from the specified managed Security Gateways or Cluster Members.

Warning:
1. The fwm unload command prevents all traffic from passing through the Security Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the specified Security Gateway (Cluster Member).
2. The fwm unload command removes all policies from the specified Security Gateway (Cluster Member).
   This means that the Security Gateway (Cluster Member) accepts all incoming connections destined to all active interfaces without any filtering or protection enabled.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- If it is necessary to remove the current policy, but keep the Security Gateway (Cluster Member) protected, then run the "comp_init_policy" on page 913 command on the Security Gateway (Cluster Member).
- To load the policies on the Security Gateway (Cluster Member), run one of these commands on the Security Gateway (Cluster Member), or reboot:
  - "fw fetch" on page 1048
  - "cpstart" on page 957
- In addition, see the "fw unloadlocal" on page 1161 command.

Syntax

fwm [-d] unload <GW1> <GW2> ... <GWN>


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<GW1> <GW2> ... <GWN>
    Specifies the managed Security Gateways by their main IP address or Object Name as configured in SmartConsole.


Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#


[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#


fwm ver

Description
Shows the Check Point version of the Security Management Server.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS: mdsenv
- In the context of a Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ver [-f <Output File>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

-f <Output File>
    Specifies the name of the output file, in which to save this information.

Example

[Expert@MGMT:0]# fwm ver


This is Check Point Security Management Server R80.40 - Build 11
[Expert@MGMT:0]#


fwm verify
Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 362 command to verify a policy on a managed Security Gateway.

Description
Verifies the specified policy package without installing it.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] verify <Policy Name>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process in sk97638.

<Policy Name>
    Specifies the name of the policy package as configured in SmartConsole.

Example

[Expert@MGMT:0]# fwm verify Standard


Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#


inet_alert
Description
Notifies an Internet Service Provider (ISP) when a company's corporate network is under
attack. This command forwards log messages generated by the alert daemon on your Check
Point Security Gateway to an external Management Station. This external Management
Station is usually located at the ISP site. The ISP can then analyze the alert and react
accordingly.
This command uses the Event Logging API (ELA) protocol to send the alerts. The
Management Station receiving the alert must be running the ELA Proxy.

If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must
be performed between the external Management Station running the ELA Proxy at the ISP site
and the Check Point Security Gateway generating the alert.

Procedure

1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server, which manages the applicable Security Gateway that should forward log messages to an external Management Station.

2. From the top left Menu, click Global properties.

3. Click on the [+] near the Log and Alert and click Alerts.

4. Clear the Send user defined alert no. 1 to SmartView Monitor.

5. Select the next option Run UserDefined script under the above.

6. Enter the applicable inet_alert syntax (see the Syntax section below).

7. Click OK.

8. Install the Access Control Policy on the applicable Security Gateway.


Syntax

inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f <Token> <Value>] [-m <Alert Type>]

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Parameters

-s <IP Address>
    The IPv4 address of the ELA Proxy (usually located at the ISP site).

-o
    Prints the alert log received to stdout.
    Use this option when inet_alert is part of a pipe syntax (<some command> | inet_alert ...).

-a <Auth Type>
    Specifies the type of connection to the ELA Proxy. One of these values:
    - ssl_opsec - The connection is authenticated and encrypted (this is the default).
    - auth_opsec - The connection is authenticated.
    - clear - The connection is neither authenticated, nor encrypted.

-p <Port>
    Specifies the port number on the ELA proxy. Default port is 18187.

-f <Token> <Value>
    A field to be added to the log, represented by a <Token> <Value> pair as follows:
    - <Token> - The name of the field to be added to the log. Cannot contain spaces.
    - <Value> - The field's value. Cannot contain spaces.
    This option can be used multiple times to add multiple <Token> <Value> pairs to the log.


-m <Alert Type>
    The alert to be triggered at the ISP site.
    This alert overrides the alert specified in the log message generated by the alert daemon.
    The response to the alert is handled according to the actions specified in the ISP Security Policy.
    These alerts execute the OS commands:
    - alert - Popup alert command
    - mail - Mail alert command
    - snmptrap - SNMP trap alert command
    - spoofalert - Anti-Spoof alert command
    These NetQuota and ServerQuota alerts execute the OS commands specified in the $FWDIR/conf/objects.C file:
    value=clientquotaalert. Parameter=clientquotaalertcmd

Exit Status

0    Execution was successful.
102  Undetermined error.
103  Unable to allocate memory.
104  Unable to obtain log information from stdin.
106  Invalid command line arguments.
107  Failed to invoke the OPSEC API.

Example

inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies to perform these actions in the event of an attack:
- Establish a clear connection with the ELA Proxy located at IP address 10.0.2.4
- Send a log message to the specified ELA Proxy. Set the product field of this log message to cads
- Trigger the OS command specified in the SmartConsole > Menu > Global properties > Log and Alert > Popup Alert Command field.


ldapcmd
Description
This is an LDAP utility that controls these features:

Cache
    LDAP cache operations, such as emptying the cache, as well as providing debug information.

Statistics
    LDAP search statistics, such as:
    - All user searches
    - Pending lookups (when two or more lookups are identical)
    - Total lookup time (the total search time for a specific lookup)
    - Cache statistics such as hits and misses
    These statistics are saved in the $FWDIR/log/ldap_pid_<Process PID>.stats file.

Logging
    View the alert and warning logs.


Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcmd [-d <Debug Level>] -p {<Process Name> | all} <Command>


Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-p {<Process Name> | all}
    Runs on a specified Check Point process, or all supported Check Point processes.

<Command>
    One of these commands:
    - cacheclear {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Clears cache for all objects
      - UserCacheObject - Clears cache for user objects
      - TemplateCacheObject - Clears cache for template objects
      - TemplateExtGrpCacheObject - Clears cache for external template group objects
    - cachetrace {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Traces cache for all objects
      - UserCacheObject - Traces cache for user objects
      - TemplateCacheObject - Traces cache for template objects
      - TemplateExtGrpCacheObject - Traces cache for external template group objects
    - log {on | off}
      - on - Creates LDAP logs
      - off - Does not create LDAP logs
    - stat {<Print Interval in Sec> | 0}
      - <Print Interval in Sec> - How frequently to collect the statistics
      - 0 - Stops collecting the statistics


ldapcompare
Description
This is an LDAP utility that performs compare queries and prints a message whether the result
returned a match or not.
This utility opens a connection to an LDAP directory server, binds, and performs the
comparison specified on the command line or from a specified file.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute> <Value> | <Attribute> <Base64 Value>}

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

<Options>
    See the tables below:
    - Compare options
    - Common options

<DN>
    Specifies the Distinguished Name.

<Attribute>
    Specifies the assertion attribute.

<Value>
    Specifies the assertion value.

<Base64 Value>
    Specifies the Base64 encoding of the assertion value.


Compare options

-E [!]<Extension>[=<Extension Parameter>]
    Specifies the compare extensions.
    Note - The exclamation sign "!" indicates criticality.
    For example: !dontUseCopy = Do not use Copy

-M
    Enables the Manage DSA IT control.
    Use the "-MM" option to make it critical.

-P <LDAP Protocol Version>
    Specifies the LDAP protocol version. Default version is 3.

-z
    Enables the quiet mode.
    The command does not print anything. You can use the command return values.

Common options

-D <Bind DN>
    Specifies the LDAP Server administrator Distinguished Name.


-e [!]<Extension>[=<Extension Parameter>]
    Specifies the general extensions.
    Note - The exclamation sign "!" indicates criticality.
    - [!]assert=<Filter>
      RFC 4528; an RFC 4515 filter string
    - [!]authzid=<Authorization ID>
      RFC 4370; either "dn:<DN>", or "u:<Username>"
    - [!]chaining[=<Resolve Behavior>[/<Continuation Behavior>]]
      One of these:
      - "chainingPreferred"
      - "chainingRequired"
      - "referralsPreferred"
      - "referralsRequired"
    - [!]manageDSAit
      RFC 3296
    - [!]noop
    - ppolicy
    - [!]postread[=<Attributes>]
      RFC 4527; a comma-separated list of attributes
    - [!]preread[=<Attributes>]
      RFC 4527; a comma-separated list of attributes
    - [!]relax
    - abandon
      SIGINT sends the abandon signal; if critical, does not wait for SIGINT. This is not really a control.
    - cancel
      SIGINT sends the cancel signal; if critical, does not wait for SIGINT. This is not really a control.
    - ignore
      SIGINT ignores the response; if critical, does not wait for SIGINT. This is not really a control.

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.

-H <LDAP URI>
    Specifies the LDAP Server Uniform Resource Identifier(s).

-I
    Specifies to use the SASL Interactive mode.

-n
    Dry run - shows what would be done, but does not actually do it.


-N
    Specifies not to use the reverse DNS to canonicalize SASL host name.

-o <Option>[=<Option Parameter>]
    Specifies the general options:
    nettimeout={<Timeout in Sec> | none | max}

-O <Properties>
    Specifies the SASL security properties.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-Q
    Specifies to use the SASL Quiet mode.

-R <Realm>
    Specifies the SASL realm.

-U <Authentication Identity>
    Specifies the SASL authentication identity.

-v
    Runs in verbose mode (prints the diagnostics to stdout).

-V
    Prints version information (use the "-VV" option only).

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password (for simple authentication).

-W
    Specifies to prompt the user for the LDAP Server administrator password.

-x
    Specifies to use simple authentication.

-X <Authorization Identity>
    Specifies the SASL authorization identity (either "dn:<DN>", or "u:<Username>" option).

-y <File>
    Specifies to read the LDAP Server administrator password from the <File>.

-Y <SASL Mechanism>
    Specifies the SASL mechanism.

-Z
    Specifies to start the TLS request.
    Use the "-ZZ" option to require successful response.


ldapmemberconvert
Description
This is an LDAP utility that ports from the "Member" attribute values in LDAP group entries to the "MemberOf" attribute values in LDAP member (User or Template) entries.
This utility converts the LDAP server data to work in either the "MemberOf" mode, or the "Both" mode. The utility searches through all specified group or template entries that hold one or more "Member" attribute values and modifies each value. The utility searches through all specified group/template entries and fetches their "Member" attribute values.
Each value is the DN of a member entry. The DN of the group/template at hand is added to the "MemberOf" attribute values of the entry identified by this DN. In addition, the utility deletes those "Member" attribute values from the group/template, unless you run the command in the "Both" mode.
When you run the command, it creates a log file ldapmemberconvert.log in the current working directory. The command logs all modifications done and errors encountered in that log file.

Important - Back up the LDAP server database before you run this conversion utility.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP Server Port> -D <LDAP Admin DN> -w <LDAP Admin Password> -m <Member Attribute Name> -o <MemberOf Attribute Name> -c <Member ObjectClass Value> [-B] [-f <File> | -g <Group DN>] [-L <LDAP Server Timeout>] [-M <Number of Updates>] [-S <Size>] [-T <LDAP Client Timeout>] [-Z]

Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified TDERROR debug level. Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server> Specifies the LDAP Server computer by its IP address or resolvable hostname. If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port> Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN> Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password> Specifies the LDAP Server administrator password. The password is visible to other users in the process list while the command runs and is saved in the shell history.

-m <Member Attribute Name> Specifies the LDAP attribute name from which the command fetches (and, unless in "Both" mode, deletes) the group Member attribute values.

-o <MemberOf Attribute Name> Specifies the LDAP attribute name to which the command adds the "MemberOf" attribute value.

-c <Member ObjectClass Value> Specifies the LDAP "ObjectClass" attribute value that defines which type of member to modify. You can specify multiple attribute values with this syntax:
-c <Member Object Class 1> -c <Member Object Class 2> ... -c <Member Object Class N>

-B Specifies to run in "Both" mode (adds the "MemberOf" values, but keeps the "Member" values in the group/template entries).

-f <File> Specifies the file that contains a list of Group DNs, one per line:
<Group DN 1>
<Group DN 2>
...
<Group DN N>
Length of each line is limited to 256 characters.

-g <Group DN> Specifies the Group or Template Distinguished Name, on which to perform the conversion. You can specify multiple Group DNs with this syntax:
-g <Group DN 1> -g <Group DN 2> ... -g <Group DN N>

-L <LDAP Server Timeout> Specifies the Server side time limit for LDAP operations, in seconds. Default is "never".

-M <Number of Updates> Specifies the maximal number of simultaneous member LDAP updates. Default is 20.

-S <Size> Specifies the Server side size limit for LDAP operations, in number of entries. Default is "none".

-T <LDAP Client Timeout> Specifies the Client side timeout for LDAP operations, in milliseconds. Default is "never".

-Z Specifies to use an SSL connection.

Notes
There are two "GroupMembership" modes. You must keep these modes consistent:
n template-to-groups
n user-to-groups

For example, if you apply conversion on LDAP users to include the "MemberOf" attributes for
their groups, then this conversion has to be applied on LDAP defined templates for their
groups.

Troubleshooting
Symptom:
A command fails with an error message stating the connection stopped unexpectedly when
you run it with the parameter -M <Number of Updates>.
Root Cause:
The LDAP server could not handle that many LDAP requests simultaneously and closed the
connection.
Solution:
Run the command again with a lower value for the "-M" parameter. The default value should
be adequate, but can also cause a connection failure in extreme situations. Continue to reduce
the value until the command runs normally. Each time you run the command with the same set
of groups, the command continues from where it left off.
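The retry described above, as an added example that is not part of this guide or of Check Point's tooling: a POSIX shell function that reruns ldapmemberconvert with a smaller "-M" value until a run completes, relying on the documented behavior that a rerun with the same set of groups continues where the previous run stopped. The tool name is taken from the hypothetical LDAPMEMBERCONVERT variable (so the function can be exercised with a stub), a dropped connection is assumed to be reported by a non-zero exit status, and the server name, password variable and group file in the usage comment are made up.

```shell
#!/bin/sh
# Added example, not Check Point's code: rerun ldapmemberconvert with a
# smaller -M value each time the LDAP server drops the connection.
# ldapmemberconvert resumes from where it stopped when it is rerun with the
# same set of groups, so repeating the run is safe once the LDAP database
# has been backed up.
#
# Assumptions (hypothetical): the tool is named by $LDAPMEMBERCONVERT
# (default: ldapmemberconvert in $PATH), and a dropped connection shows up
# as a non-zero exit status. Every other argument is passed through as-is.

LDAPMEMBERCONVERT="${LDAPMEMBERCONVERT:-ldapmemberconvert}"

# convert_with_backoff <start M> <minimum M> <ldapmemberconvert arguments...>
# Runs the conversion with -M <start M>; on failure halves M and reruns,
# down to <minimum M>. Prints the M value that succeeded and returns 0, or
# returns 1 if every attempt failed.
convert_with_backoff() {
    m="$1"; min_m="$2"; shift 2
    while [ "$m" -ge "$min_m" ]; do
        if "$LDAPMEMBERCONVERT" -M "$m" "$@"; then
            echo "$m"
            return 0
        fi
        echo "ldapmemberconvert failed with -M $m, retrying with fewer parallel updates" >&2
        m=$((m / 2))
    done
    return 1
}

# Typical call (ldapmemberconvert.log is written to the current directory,
# so cd to where you want it first; LDAP_ADMIN_PW and the group file are
# hypothetical, and the password still appears in the process list):
#   convert_with_backoff 20 1 -h MyLdapServer -D cn=admin -w "$LDAP_ADMIN_PW" \
#       -m uniquemember -o memberof -c fw1Person -f /var/tmp/groups.txt
```

Halving rather than decrementing keeps the number of reruns small (20, 10, 5, 2, 1), and because each rerun resumes, no group is converted twice.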

Examples
Example 1

A group is defined with the DN "cn=cpGroup,ou=groups,ou=cp,c=us" and these attributes:

...
cn=cpGroup
uniquemember="cn=member1,ou=people,ou=cp,c=us"
uniquemember="cn=member2,ou=people,ou=cp,c=us"
...

For the two member entries:

...
cn=member1
objectclass=fw1Person
...

and:

...
cn=member2
objectclass=fw1Person
...

Run:
[Expert@MGMT:0]# ldapmemberconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person

The result for the group DN is:

...
cn=cpGroup
...

The result for the two member entries is:

...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

and:

...
cn=member2
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

If you run the same command with the "-B" parameter, it produces the same result, but the
group entry is not modified.

Example 2

If there is another member attribute value for the same group entry:
uniquemember="cn=template1,ou=people,ou=cp,c=us"

and the template is:

cn=template1
objectclass=fw1Template

Then after running the same command, the template entry stays intact: the command was run with the parameter "-c fw1Person", but the object class of "template1" is "fw1Template", so it is not a member type selected for modification. To convert templates as well, add "-c fw1Template" to the command.

ldapmodify
Description
This is an LDAP utility that imports users to an LDAP server. The input file must be in the LDIF
format.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmodify [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Server Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-a] [-b] [-c] [-F] [-k] [-K] [-n] [-r] [-v] [-T <LDAP Client Timeout>] [-Z] [-f <Input File>.ldif | < <Entry>]

Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified TDERROR debug level. Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server> Specifies the LDAP Server computer by its IP address or resolvable hostname. If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port> Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN> Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password> Specifies the LDAP Server administrator password.

-a Specifies that this is the LDAP "add" operation.

-b Specifies to read values from files (for binary attributes).

-c Specifies to ignore errors during continuous operation.

-F Specifies to force changes on all records.

-k Specifies the Kerberos bind.

-K Specifies the Kerberos bind, part 1 only.

-n Specifies to print the LDAP operations that would be performed, but does not actually perform them. Use this first to check an LDIF file before you apply it.

-r Specifies to replace values, instead of adding values.

-v Specifies to run in verbose mode.

-T <LDAP Client Timeout> Specifies the Client side timeout for LDAP operations, in milliseconds. Default is "never".

-Z Specifies to use an SSL connection.

-f <Input File>.ldif Specifies to read from the <Input File>.ldif file. The input file must be in the LDIF format.

< <Entry> Specifies to read the entry from stdin. The "<" character is a mandatory part of the syntax. It specifies that the input comes from the standard input (from the data you enter on the screen).

ldapsearch
Description
This is an LDAP utility that queries an LDAP directory and returns the results.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapsearch [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-A] [-B] [-b <Base DN>] [-F <Separator>] [-l <LDAP Server Timeout>] [-s <Scope>] [-S <Sort Attribute>] [-t] [-T <LDAP Client Timeout>] [-u] [-z <Number of Search Entries>] [-Z] <Filter> [<Attributes>]

Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified TDERROR debug level. Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server> Specifies the LDAP Server computer by its IP address or resolvable hostname. If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Port> Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN> Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password> Specifies the LDAP Server administrator password.

-A Specifies to retrieve attribute names only, without values.

-B Specifies not to suppress the printing of non-ASCII values.

-b <Base DN> Specifies the Base Distinguished Name (DN) for the search.

-F <Separator> Specifies the separator character printed between attribute names and their values. The default separator is the equal sign (=).

-l <LDAP Server Timeout> Specifies the Server side time limit for LDAP operations, in seconds. Default is "never".

-s <Scope> Specifies the search scope. One of these:
n base
n one
n sub

-S <Sort Attribute> Specifies to sort the results by the values of this attribute.

-t Specifies to write values to files in the /tmp/ directory. Writes each <attribute>-<value> pair to a separate file named:
/tmp/ldapsearch-<Attribute>-<Value>
For example, for the fw1color attribute with the value a00188, the command writes to the file named:
/tmp/ldapsearch-fw1color-a00188
Remove these files when you are done: /tmp/ is shared with other processes on the server, and the values may be sensitive.

-T <LDAP Client Timeout> Specifies the Client side timeout for LDAP operations, in milliseconds. Default is "never".

-u Specifies to show user-friendly entry names in the output. For example, shows "cn=Babs Jensen, users, omi" instead of "cn=Babs Jensen, cn=users,cn=omi".

-z <Number of Search Entries> Specifies the maximal number of entries for the LDAP Server to return.

-Z Specifies to use an SSL connection.

<Filter> LDAP search filter compliant with RFC-1558. For example:
objectclass=fw1host

<Attributes> Specifies the list of attributes to retrieve. If you do not specify attributes explicitly, then the command retrieves all attributes.

Example
[Expert@MGMT:0]# ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

With this syntax, the command:
1. Connects to the LDAP Server (localhost, because no "-h" is given) on port 18185.
2. Uses "cn=omi" as the Base DN of the search.
3. Queries the LDAP directory for "fw1host" objects.
4. For each object found, prints the value of its "objectclass" attribute.
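As an added example that is not code from this guide or from Check Point, the check a practitioner would run after ldapmemberconvert Example 1 above: query the member entries with ldapsearch and list which of them now carry the expected memberof value. The parser assumes the output shape implied by the "-F" description (one entry per blank-line-separated block, the first line being the entry DN, then attribute=value lines with the default "=" separator); confirm this against your own ldapsearch output before relying on it. Because a value such as a group DN itself contains "=", the split is made on the first "=" only. The sample output, attribute names and server name are constructed for the example.

```shell
#!/bin/sh
# Added example, not Check Point's code: read ldapsearch output and print
# the DN of every entry that carries a given attribute=value pair, to check
# the result of an ldapmemberconvert run.
#
# Assumed output format (from the -F description; verify on your server):
# entries separated by a blank line, first line = entry DN, then
# attribute=value lines. Values may contain "=", so split on the first one.

# dns_with_attribute <attribute> <value>   (ldapsearch output on stdin)
dns_with_attribute() {
    awk -v want_attr="$1" -v want_val="$2" '
        # blank line: end of the current entry
        /^$/ { if (hit && dn != "") print dn; dn = ""; hit = 0; next }
        # first non-blank line of an entry is its DN
        dn == "" { dn = $0; next }
        {
            i = index($0, "=")            # split on the first "=" only
            if (i == 0) next
            attr = substr($0, 1, i - 1)
            val  = substr($0, i + 1)
            if (tolower(attr) == tolower(want_attr) && val == want_val) hit = 1
        }
        END { if (hit && dn != "") print dn }
    '
}

# Constructed sample, shaped like ldapsearch results for the two members of
# the ldapmemberconvert example after conversion, plus one entry that has
# not been converted.
SAMPLE_LDAPSEARCH_OUTPUT='cn=member1,ou=people,ou=cp,c=us
objectclass=fw1Person
memberof=cn=cpGroup,ou=groups,ou=cp,c=us

cn=member2,ou=people,ou=cp,c=us
objectclass=fw1Person
memberof=cn=cpGroup,ou=groups,ou=cp,c=us

cn=member3,ou=people,ou=cp,c=us
objectclass=fw1Person'

# converted_members: DNs from the sample that point at cpGroup.
# A live check would pipe the real query instead of the sample, e.g.
#   ldapsearch -h MyLdapServer -b ou=people,ou=cp,c=us objectclass=fw1Person memberof \
#       | dns_with_attribute memberof "cn=cpGroup,ou=groups,ou=cp,c=us"
converted_members() {
    printf '%s\n' "$SAMPLE_LDAPSEARCH_OUTPUT" \
        | dns_with_attribute memberof "cn=cpGroup,ou=groups,ou=cp,c=us"
}
```

Do not pass "-u" to ldapsearch when feeding this parser: the user-friendly DN form changes the first line of each entry and the printed DNs would no longer be usable as LDAP DNs.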

mgmt_cli
Description
The mgmt_cli tool sends commands to the Management API on your Management Server and works directly with the management database there. As in SmartConsole, changes you make are held in a session until you publish them (or discard them).

Syntax on Management Server or Security Gateway running on Gaia OS

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 32-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 64-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Notes
n For a complete list of the mgmt_cli options, enter the mgmt_cli (mgmt_cli.exe)
command and press Enter.
n For more information, see the Check Point Management API Reference.
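An added example of the session pattern behind mgmt_cli, not code from this guide or from Check Point: changes made with mgmt_cli stay private to the session until "publish", so a batch of changes should be published only if every step succeeded, discarded otherwise, and the session logged out in both cases. The function assumes it runs in Expert mode on the Management Server (where "login -r true" authenticates as root) and takes the tool name from the hypothetical MGMT_CLI variable so it can be exercised with a stub; the host names and addresses in the usage comment are made up.

```shell
#!/bin/sh
# Added example, not Check Point's code: apply a batch of changes through
# mgmt_cli in one session and publish them only if every step succeeded.
# Changes made with mgmt_cli stay private to the session until "publish";
# on any error the session is discarded instead, and it is logged out in
# both cases so it does not stay open on the Management Server.
#
# Assumptions (hypothetical): run in Expert mode on the Management Server,
# where "login -r true" authenticates as root without a password, and the
# tool is named by $MGMT_CLI (default: mgmt_cli in $PATH).

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"

# Every call is bound to the session whose id is stored in $SESSION_FILE.
cli() { "$MGMT_CLI" -s "$SESSION_FILE" "$@"; }

# add_hosts_transactionally <session file> <name=ipv4>...
# Prints "published" and returns 0 when all hosts were added and published;
# prints "discarded" and returns 1 otherwise.
add_hosts_transactionally() {
    SESSION_FILE="$1"; shift
    "$MGMT_CLI" login -r true > "$SESSION_FILE" || return 1
    ok=1
    for pair in "$@"; do
        name="${pair%%=*}"
        ip="${pair#*=}"
        if ! cli add host name "$name" ip-address "$ip" > /dev/null; then
            echo "add host $name failed, discarding the whole batch" >&2
            ok=0
            break
        fi
    done
    if [ "$ok" -eq 1 ] && cli publish > /dev/null; then
        result=published
    else
        cli discard > /dev/null    # drop every change made in this session
        result=discarded
    fi
    cli logout > /dev/null         # release the session either way
    echo "$result"
    [ "$result" = published ]
}

# Usage (host names and addresses are made up). The session file is a
# credential while the session is open, so create it with mktemp (mode 0600)
# and remove it afterwards:
#   sess=$(mktemp)
#   add_hosts_transactionally "$sess" "web-1=10.1.0.10" "web-2=10.1.0.11" \
#       && echo "batch published"
#   rm -f "$sess"
```

On a Multi-Domain Server, add "-d <Domain Name>" to the login call; everything else in the function stays the same because the domain is bound to the session.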

migrate
Important - This command is used to migrate the management database from R80.10
and lower versions.
For more information, see the R80.40 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:


n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

Notes:
n You must run this command from the Expert mode.
n If it is necessary to back up the current management database, and you do not
plan to import it on a Management Server that runs a higher software version,
then you can use the built-in command in the $FWDIR/bin/upgrade_tools/
directory.
n If you plan to import the management database on a Management Server that
runs a higher software version, then you must use the migrate utility from the
migration tools package created specifically for that higher software version.
See the Installation and Upgrade Guide for that higher software version.
n If this command completes successfully, it creates this log file:
/var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_
HH.MM.SS>.log
For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
n If this command fails, it creates this log file:
$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log

Syntax
n To see the built-in help:

[Expert@MGMT:0]# ./migrate -h

n To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate export [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File> &

n To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate import [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz &

Parameters

Parameter Description

-h Shows the built-in help.

yes | nohup ./migrate ... & This syntax:
1. Sends the "yes" input to the interactive "migrate" command through the pipeline.
2. The "nohup" forces the "migrate" command to ignore the hangup signals from the shell.
3. The "&" forces the command to run in the background.
As a result, when the CLI session closes, the command continues to run in the background.
See:
n sk133312
n https://linux.die.net/man/1/bash
n https://linux.die.net/man/1/nohup

export Exports the management database and applicable Check Point configuration.

import Imports the management database and applicable Check Point configuration that were exported from another Management Server.

-l Exports and imports the Check Point logs without log indexes in the $FWDIR/log/ directory.
Important:
n The command can export only closed logs (to which the information is not currently written).
n If you use this parameter, it can take the command a long time to complete (depends on the number of logs).

-x Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
Important:
n This parameter only supports Management Servers and Log Servers R80.10 and higher.
n The command can export only closed logs (to which the information is not currently written).
n If you use this parameter, it can take the command a long time to complete (depends on the number of logs and indexes).

-n Runs silently (non-interactive mode) and uses the default options for each setting.
Important:
n If you export a management database in this mode and the specified name of the exported file matches the name of an existing file, the command overwrites the existing file without prompting.
n If you import a management database in this mode, the "migrate import" command runs the "cpstop" command automatically.

--exclude-uepm-postgres-db
n During the export operation, does not back up the PostgreSQL database from the Endpoint Security Management Server.
n During the import operation, does not restore the PostgreSQL database on the Endpoint Security Management Server.

--include-uepm-msi-files
n During the export operation, backs up the MSI files from the Endpoint Security Management Server.
n During the import operation, restores the MSI files on the Endpoint Security Management Server.

/<Full Path>/ Absolute path to the exported database file. This path must exist.

<Name of Exported File>
n During the export operation, specifies the name of the output file. The command automatically adds the *.tgz extension.
n During the import operation, specifies the name of the exported file. You must manually enter the *.tgz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# ./migrate export /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...

Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate export /var/log/My_Migrate_Export


Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_
11.21.39.log' for further details
[Expert@MGMT:0]#

migrate_server
Important - This command is used to migrate the management database from
R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.
For more information, see:
n sk135172 - Upgrade Tools
n The R80.40 Installation and Upgrade Guide

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:


n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

Notes:
n You must run this command from the Expert mode.
n If it is necessary to back up the current management database, and you do not
plan to import it on a Management Server that runs a higher software version,
then you can use the built-in command in the $FWDIR/scripts/ directory.
n If you plan to import the management database on a Management Server that
runs a higher software version, then you must use the migrate_server utility
from the migration tools package created specifically for that higher software
version. See the Installation and Upgrade Guide for that higher software
version.
n If this command completes successfully, it creates this log file:
/var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_
HH.MM.SS>.log
For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
n If this command fails, it creates this log file:
$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log

Syntax
n To see the built-in help:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server -h

n To run the Pre-Upgrade Verifier:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server verify -v R80.40 [-skip_upgrade_tools_check]

n To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] [--ignore_warnings] /<Full Path>/<Name of Exported File>

n To import the management database and configuration (in a Multi-Domain Security Management environment where a server changes its IPv4 address, the file /var/log/mdss.json must exist before you run the import; see the parameters table):

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server import -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

Parameters

Parameter Description

-h Shows the built-in help.

export Exports the management database and applicable Check Point configuration.

import Imports the management database and applicable Check Point configuration that were exported from another Management Server.
Important:
n This command automatically restarts Check Point services (runs the "cpstop" and "cpstart" commands).
n This note applies to a Multi-Domain Security Management environment, if at least one of the servers changes its IPv4 address compared to the source server, from which you exported its database.
You must do these steps before you start the upgrade and import:
1. You must create a special JSON configuration file with the new IPv4 address(es).
Syntax:
[{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},{"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]
Example:
[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]
2. You must call this file: mdss.json
3. You must put this file on all servers in this directory: /var/log/

verify Runs the Pre-Upgrade Verifier on the management database and applicable Check Point configuration of this server, for the target version given with "-v".

-v R80.40 Specifies the version, to which you plan to migrate / upgrade.

-skip_upgrade_tools_check Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
Best Practice - Use this parameter on a Management Server that is not connected to the Internet.

-l Exports and imports the Check Point logs without log indexes in the $FWDIR/log/ directory.
Important:
n The command can export only closed logs (to which the information is not currently written).
n If you use this parameter, it can take the command a long time to complete (depends on the number of logs).

-x Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
Important:
n This parameter only supports Management Servers and Log Servers R80.10 and higher.
n The command can export only closed logs (to which the information is not currently written).
n If you use this parameter, it can take the command a long time to complete (depends on the number of logs and indexes).

/var/log/mdss.json
(Previously: -change_ips_file /<Full Path>/<Name of JSON File>.json)
Important:
n In the Upgrade Tools for R80.40 build higher than 994000406, this filename is mandatory: you must create the file /var/log/mdss.json and not use the parameter "-change_ips_file".
n In the Upgrade Tools for R80.40 build 994000406 and lower, the syntax was:
-change_ips_file /<Full Path>/<Name of JSON File>.json
Specifies the special JSON configuration file with the new IPv4 addresses.
This file is mandatory during an upgrade of a Multi-Domain Security Management environment.
Even if only one of the servers migrates to a new IP address, all the other servers must get this configuration file for the import process.
Syntax:
[{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},{"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]
Example:
[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},{"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]

--include-uepm-msi-files
n During the export operation, backs up the MSI files from the Endpoint Security Management Server.
n During the import operation, restores the MSI files on the Endpoint Security Management Server.

--exclude-uepm-postgres-db
n During the export operation, does not back up the PostgreSQL database from the Endpoint Security Management Server.
n During the import operation, does not restore the PostgreSQL database on the Endpoint Security Management Server.

-n Disables the interactive mode.

/<Full Path>/<Name of Exported File> Specifies the absolute path to the exported database file. This path must exist.
n During the export operation, specifies the name of the output file. The command automatically adds the *.tgz extension.
n During the import operation, specifies the name of the exported file. You must manually enter the *.tgz extension in the end.
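An added example, not Check Point's code, for producing the mdss.json file described in the "import" and "/var/log/mdss.json" rows above: a POSIX shell function that builds the JSON array from "<object name>=<new IPv4 address>" arguments, validates each address, and refuses object names that would need JSON escaping. The output path is a parameter so the file can be produced and inspected somewhere harmless first; the real location is /var/log/mdss.json on every server in the environment. The object names and addresses in the usage comment are the ones from the guide's own example.

```shell
#!/bin/sh
# Added example, not Check Point's code: build the mdss.json file that
# migrate_server import reads when a Multi-Domain Server moves to a new
# IPv4 address. Arguments are "<SmartConsole object name>=<new IPv4>".
# The output path is a parameter so the file can be produced and checked
# somewhere harmless first; the real target is /var/log/mdss.json, and the
# same file has to be placed on every server in the environment.

# valid_ipv4 <address>: 0 for a dotted quad with four octets in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1;;   # non-digits or empty octets
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_mdss_json <output file> <name=ipv4>...
# Writes the JSON array expected by migrate_server, e.g.
# [{"name":"A","newIpAddress4":"172.30.40.51"},{"name":"B","newIpAddress4":"172.30.40.52"}]
# Returns 1 (and writes nothing) on a bad name or address.
write_mdss_json() {
    out="$1"; shift
    [ $# -ge 1 ] || return 1
    json='['
    sep=''
    for pair in "$@"; do
        name="${pair%%=*}"
        ip="${pair#*=}"
        # Names are emitted verbatim inside a JSON string, so reject the two
        # characters that would need escaping instead of trying to escape them.
        case $name in
            ''|*'"'*|*'\'*) echo "mdss.json: bad object name in '$pair'" >&2; return 1;;
        esac
        valid_ipv4 "$ip" || { echo "mdss.json: bad IPv4 address in '$pair'" >&2; return 1; }
        json="$json$sep{\"name\":\"$name\",\"newIpAddress4\":\"$ip\"}"
        sep=','
    done
    printf '%s]\n' "$json" > "$out"
}

# Usage with the object names and addresses from the guide's example:
#   write_mdss_json /var/log/mdss.json \
#       "MyPrimaryMultiDomainServer=172.30.40.51" \
#       "MySecondaryMultiDomainServer=172.30.40.52"
```

The name must be the server object's name as it appears in SmartConsole, not the hostname; a mismatch is not caught here and only shows up when the import runs.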

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...

Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate_server export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#

queryDB_util
Description
Searches in the management database for objects or policy rules.

Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 362 command to search in the management database for objects or policy rules
according to search parameters.

rs_db_tool
Description
Manages Dynamically Assigned IP address (DAIP) gateways in a DAIP database.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax
n To add an entry to the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation add -name <Object Name> -ip <IPv4 Address> -ip6 <IPv6 Address> -TTL <Time-To-Live>

n To fetch a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation fetch -name <Object Name>

n To delete a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation delete -name <Object Name>

n To list all entries in the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation list

n To synchronize the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation sync

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-name <Object Name> Specifies the name of the DAIP object.

-ip <IPv4 Address> Specifies the IPv4 address of the DAIP object.

-ip6 <IPv6 Address> Specifies the IPv6 address of the DAIP object.

-TTL <Time-To-Live> Specifies the relative time interval (in seconds), during which the entry is valid.

sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the
information received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User
Defined Alerts mechanism.

Important:
n You must run this command on the Management Server.
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Notes:
n VSX Gateways and VSX Cluster Members do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.
n See the "fw sam" on page 271 and "fw sam_policy" on page 279 commands.

SAM v1 syntax

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security
Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter Description

-v Enables the verbose mode for the "fw sam" command.

-o Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-s <SAM Server> Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time> Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway> Specifies the Security Gateway / Cluster object, on which to run the operation.
Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-C Cancels the specified operation.

-n Specifies to notify every time a connection, which matches the specified criteria, passes through the Security Gateway.

-i Inhibits (drops or rejects) connections that match the specified criteria.

-I Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.

SAM v2 syntax

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src | -dst | -any | -srv}

Parameters for SAM v2

Parameter                   Description
-v2                         Specifies to use SAM v2.
-v                          Enables the verbose mode for the fw sam command.
-O                          Specifies to print the input of this tool to the standard output (to use
                            with pipes in a CLI syntax).
-S <SAM Server>             Specifies the SAM Server to be contacted. Default is "localhost".
-t <Time>                   Specifies the time (in seconds), during which to enforce the action. The
                            default is forever.
-f <Security Gateway>       Specifies the Security Gateway / Cluster object, on which to run the
                            operation.
                            Important - If you do not specify the target Security Gateway / Cluster
                            object explicitly, this command applies to all managed Security Gateways
                            and Clusters.
-n <Name>                   Specifies the name for the SAM rule. Default is empty.
-c "<Comment>"              Specifies the comment for the SAM rule. Default is empty.
                            You must enclose the text in double quotes or single quotes.
-o <Originator>             Specifies the originator for the SAM rule. Default is "sam_alert".
-l {r | a}                  Specifies the log type for connections that match the specified criteria:
                            • r - Regular
                            • a - Alert
                            Default is None.
-a {d | r | n | b | q | i}  Specifies the action to apply on connections that match the specified
                            criteria:
                            • d - Drop
                            • r - Reject
                            • n - Notify
                            • b - Bypass
                            • q - Quarantine
                            • i - Inspect
-C                          Specifies to close all existing connections that match the criteria.
-ip                         Specifies to use IP addresses as criteria parameters.
-eth                        Specifies to use MAC addresses as criteria parameters.
-src                        Matches the source address of connections.
-dst                        Matches the destination address of connections.
-any                        Matches either the source or destination address of connections.
-srv                        Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.


stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug purposes - to make sure the applicable SNMP OIDs provide the requested information.

Notes:
• You can run this command only in the Expert mode.
• On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax
• To query a Regular OID:
  stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>
  Regular OIDs are specified in the SNMP MIB files. For Check Point MIB files, see sk90470.
• To query a Statistical OID:
  stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>
  Statistical OIDs take some time to "initialize". For example, to calculate an average, it is necessary to collect enough samples.
  Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_oid.conf file.


Parameters

Parameter               Description
-d                      Runs the command in debug mode. Use only if you troubleshoot the command
                        itself.
                        Best Practice - If you use this parameter, then redirect the output to a
                        file, or use the script command to save the entire CLI session.
-h <Host>               Specifies the remote Check Point host to query by its IP address or
                        resolvable hostname.
-p <Port>               Specifies the port number, on which the AMON server listens. Default port
                        is 18192.
-x <Proxy Server>       Specifies the Proxy Server by its IP address or resolvable hostname.
                        Note - Use only when you query a remote host.
-l <Polling Interval>   Specifies the time in seconds between queries.
                        Note - Use only when you query a Statistical OID.
-r <Polling Duration>   Specifies the time in seconds, during which to run consecutive queries.
                        Note - Use only when you query a Statistical OID.
-v <VSID>               On a VSX Gateway, specifies the context of a Virtual Device to query.
-t <Timeout>            Specifies the session timeout in milliseconds.
<Regular_OID_1>         Specifies the Regular OIDs to query.
<Regular_OID_2> ...     Notes:
<Regular_OID_N>         • OID must not start with period.
                        • Separate the OIDs with spaces.
                        • You can specify up to 100 OIDs.
<Statistical_OID_1>     Specifies the Statistical OIDs to query.
<Statistical_OID_2> ... Notes:
<Statistical_OID_N>     • OID must not start with period.
                        • Separate the OIDs with spaces.
                        • You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.4.2

Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Information is collected with intervals of 5 seconds during 5 seconds.

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3


threshold_config
Description
You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts. You can use these thresholds to monitor many system components automatically without requesting information from each object or device.
You configure these SNMP Monitoring Thresholds only on the Security Management Server, Multi-Domain Server, or Domain Management Server.
During policy installation, the managed Security Gateways and Clusters receive and apply these thresholds as part of their policy.

For more information, see sk90860: How to configure SNMP on Gaia OS.

Procedure

Step  Instructions
1     Connect to the command line on the Management Server.
2     Log in to the Expert mode.
3     On a Multi-Domain Server, switch to the context of the applicable Domain Management Server:
      [Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>
4     Go to the Threshold Engine Configuration menu:
      [Expert@HostName:0]# threshold_config
5     Select the applicable options and configure the applicable settings (see the Threshold Engine
      Configuration Options table below).
      Threshold Engine Configuration Options:
      ---------------------------------------
      (1) Show policy name
      (2) Set policy name
      (3) Save policy
      (4) Save policy to file
      (5) Load policy from file
      (6) Configure global alert settings
      (7) Configure alert destinations
      (8) View thresholds overview
      (9) Configure thresholds

      (e) Exit (m) Main Menu

      Enter your choice (1-9) :
6     Exit from the Threshold Engine Configuration menu.
7     Stop the CPD daemon:
      [Expert@HostName:0]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
      See "cpwd_admin stop" on page 228.
8     Start the CPD daemon:
      [Expert@HostName:0]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
      See "cpwd_admin start" on page 224.
9     Wait for 10-20 seconds.
10    Verify that the CPD daemon started successfully:
      [Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"
      See "cpwd_admin list" on page 218.
11    In SmartConsole, install the Access Control Policy on Security Gateways and Clusters.


Threshold Engine Configuration Options

Menu item                Description
(1) Show policy name     Shows the name of the current configured threshold policy.
(2) Set policy name      Configures the name for the threshold policy.
                         If you do not specify it explicitly, then the default name is "Default
                         Profile".
(3) Save policy          Saves the changes in the current threshold policy.
(4) Save policy to file  Exports the configured threshold policy to a file.
                         If you do not specify the path explicitly, the file is saved in the
                         current working directory.
(5) Load policy from     Imports a threshold policy from a file.
    file                 If you do not specify the path explicitly, the file is imported from the
                         current working directory.
(6) Configure global     Configures global settings:
    alert settings       • How frequently alerts are sent (configured delay must be greater than
                           30 seconds)
                         • How many alerts are sent
(7) Configure alert      Configures the SNMP Network Management System (NMS), to which the
    destinations         managed Security Gateways and Cluster Members send their SNMP alerts.
                         Configure Alert Destinations Options:
                         -------------------------------------
                         (1) View alert destinations
                         (2) Add SNMP NMS
                         (3) Remove SNMP NMS
                         (4) Edit SNMP NMS
(8) View thresholds      Shows a list of all available thresholds and their current settings.
    overview             These include:
                         • Name
                         • Category (see the next option "(9)")
                         • State (disabled or enabled)
                         • Threshold (threshold point, if applicable)
                         • Description
(9) Configure            Shows the list of threshold categories to configure.
    thresholds           Thresholds Categories
                         ----------------------
                         (1) Hardware
                         (2) High Availability
                         (3) Local Logging Mode Status
                         (4) Log Server Connectivity
                         (5) Networking
                         (6) Resources
                         See the Thresholds Categories table below.

Thresholds Categories

Category                 Sub-Categories
(1) Hardware             Hardware Thresholds:
                         --------------------
                         (1) RAID volume state
                         (2) RAID disk state
                         (3) RAID disk flags
                         (4) Temperature sensor reading
                         (5) Fan speed sensor reading
                         (6) Voltage sensor reading
(2) High Availability    High Availability Thresholds:
                         -----------------------------
                         (1) Cluster member state changed
                         (2) Cluster block state
                         (3) Cluster state
                         (4) Cluster problem status
                         (5) Cluster interface status
(3) Local Logging Mode   Local Logging Mode Status Thresholds:
    Status               -------------------------------------
                         (1) Local Logging Mode
(4) Log Server           Log Server Connectivity Thresholds:
    Connectivity         -----------------------------------
                         (1) Connection with log server
                         (2) Connection with all log servers
(5) Networking           Networking Thresholds:
                         ----------------------
                         (1) Interface Admin Status
                         (2) Interface removed
                         (3) Interface Operational Link Status
                         (4) New connections rate
                         (5) Concurrent connections rate
                         (6) Bytes Throughput
                         (7) Accepted Packet Rate
                         (8) Drop caused by excessive traffic
(6) Resources            Resources Thresholds:
                         ---------------------
                         (1) Swap Memory Utilization
                         (2) Real Memory Utilization
                         (3) Partition free space
                         (4) Core Utilization
                         (5) Core interrupts rate


Notes:
• If you run the threshold_config command locally on a Security Gateway or Cluster Members to configure the SNMP Monitoring Thresholds, then each policy installation erases these local SNMP threshold settings and reverts them to the global SNMP threshold settings configured on the Management Server that manages this Security Gateway or Cluster.
• On a Security Gateway and Cluster Members, you can save the local Threshold Engine Configuration settings to a file and load it locally later.
• The Threshold Engine Configuration is stored in the $FWDIR/conf/thresholds.conf file.
• In a Multi-Domain Security Management environment:
  ◦ You can configure the SNMP thresholds in the context of the Multi-Domain Server (MDS) and in the context of each individual Domain Management Server.
  ◦ Thresholds that you configure in the context of the Multi-Domain Server are for the Multi-Domain Server only.
  ◦ Thresholds that you configure in the context of a Domain Management Server are for that Domain Management Server and its managed Security Gateways and Clusters.
  ◦ If an SNMP threshold applies both to the Multi-Domain Server and a Domain Management Server, then configure the SNMP threshold both in the context of the Multi-Domain Server and in the context of the Domain Management Server.
    However, in this scenario you can only get alerts from the Multi-Domain Server, if the monitored object exceeds the threshold.
    Example:
    If you configure the CPU threshold, then when the monitored value exceeds the configured threshold, it applies to both the Multi-Domain Server and the Domain Management Server. However, only the Multi-Domain Server generates SNMP alerts.


Multi-Domain Security Management Commands
For more information about Multi-Domain Server, see the R80.40 Multi-Domain Security
Management Administration Guide.
In addition, see "Security Management Server Commands" on page 40.


Managing Security through API

This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with third party systems, such as virtualization servers, ticketing systems, and change management systems.
To learn more about the management APIs, to see code samples, and to take advantage of user forums, see:
• The API Documentation:
  ◦ Online - Check Point Management API Reference
  ◦ Local - https://<Server IP Address>/api_docs
    By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.
• The Developers Network section of Check Point CheckMates Community.

API Tools
You can use these tools to work with the API Server on the Management Server:
• Standalone management tool, included with Gaia operating system:
  mgmt_cli
• Standalone management tool, included with SmartConsole:
  mgmt_cli.exe
  You can copy this tool from the SmartConsole installation folder to other computers that run Windows operating system.
• Web Services APIs that allow communication and data exchange between the clients and the Management Server over the HTTP protocol.
  These APIs also let other Check Point processes communicate with the Management Server over the HTTPS protocol.
  https://<IP Address of Management Server>/web_api/<command>
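The Web Services call pattern above, as an added example that is not Check Point's own code: a small Python client that sends POST requests to https://<server>/web_api/<command>, keeps the session id returned by "login" in the X-chkp-sid header, and verifies the server certificate. The "login", "show-hosts" and "logout" command names, the "sid" field and the X-chkp-sid header follow the published Management API; the FakeTransport, its replies, the host names and the ca-bundle path are constructed so the block runs offline.

```python
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# A transport takes (url, headers, body) and returns the decoded JSON reply,
# so the same client works against a real server and against the fake below.
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]


def https_transport(ca_bundle: str) -> Transport:
    """Real transport: POST over HTTPS with server certificate verification.
    ca_bundle is the PEM file that signs the Management Server certificate
    (an assumed path supplied by the caller). Verification is deliberate: the
    session id carried in X-chkp-sid is a bearer credential, so a client that
    skips it would hand that credential to anyone able to intercept traffic."""
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def post(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    return post


class MgmtApiSession:
    """Thin wrapper around https://<server>/web_api/<command>."""

    def __init__(self, server: str, transport: Transport) -> None:
        self.base = f"https://{server}/web_api/"
        self.transport = transport
        self.sid: Optional[str] = None
        self.issued: List[str] = []  # every command sent, for an audit trail

    def call(self, command: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid is not None:
            headers["X-chkp-sid"] = self.sid  # session id obtained from "login"
        body = json.dumps(payload or {}).encode("utf-8")
        reply = self.transport(self.base + command, headers, body)
        self.issued.append(command)
        return reply

    def login(self, user: str, password: str, domain: Optional[str] = None) -> str:
        payload: Dict[str, Any] = {"user": user, "password": password}
        if domain:  # on a Multi-Domain Server, log in to one Domain
            payload["domain"] = domain
        self.sid = self.call("login", payload)["sid"]
        return self.sid

    def logout(self) -> None:
        if self.sid is not None:
            self.call("logout")
            self.sid = None


def list_host_names(server: str, user: str, password: str,
                    transport: Transport) -> List[str]:
    """Log in, run the read-only "show-hosts" command, log out, and return the
    host object names. A read-only query changes nothing, so no "publish"."""
    session = MgmtApiSession(server, transport)
    session.login(user, password)
    try:
        reply = session.call("show-hosts", {"limit": 50, "details-level": "standard"})
        return [obj["name"] for obj in reply.get("objects", [])]
    finally:
        session.logout()  # always release the session, even after an error


class FakeTransport:
    """Constructed stand-in for a Management Server so the example runs
    offline. It mimics one rule the real server enforces: every command
    except "login" must carry the session id in X-chkp-sid."""

    SID = "constructed-session-id"

    def __init__(self) -> None:
        self.requests: List[Dict[str, Any]] = []

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        command = url.rsplit("/", 1)[1]
        self.requests.append({"command": command, "headers": dict(headers),
                              "body": json.loads(body)})
        if command == "login":
            return {"sid": self.SID, "uid": "constructed-uid"}
        if headers.get("X-chkp-sid") != self.SID:
            return {"code": "err_wrong_session_id", "message": "constructed error"}
        if command == "show-hosts":
            return {"objects": [{"name": "web-srv-1"}, {"name": "db-srv-1"}], "total": 2}
        if command == "logout":
            return {"message": "OK"}
        return {"code": "err_unknown_command", "message": "constructed error"}


if __name__ == "__main__":
    fake = FakeTransport()
    print(list_host_names("mgmt.example.invalid", "api_user", "constructed-pw", fake))
    # Against a real server, pass https_transport("/path/to/ca-bundle.pem") instead.
```

Whether a remote client such as this one is allowed to reach the API Server at all is decided by the Access Settings described in the next section; with "Management server only", every request from another host is refused before any command runs.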


Configuring the API Server

To configure the API Server:

1. Connect with SmartConsole to the Security Management Server or applicable Domain Management Server.
2. From the left navigation panel, click Manage & Settings.
3. In the upper left section, click Blades.
4. In the Management API section, click Advanced Settings.
   The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings.

   Configuring Startup Settings

   Select Automatic start to automatically start the API server when you start or reboot the Management Server.

   Notes:
   • If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during Management Server installation.
   • If the Management Server has less than 4GB of RAM, the Automatic Start option is deactivated.

   Configuring Access Settings

   Select one of these options to configure which clients can connect to the API Server:
   • Management server only - Only the Management Server itself can connect to the API Server. This option only lets you use the mgmt_cli utility on the Management Server to send API requests. You cannot use SmartConsole or Web services to send API requests.
   • All IP addresses that can be used for GUI clients - You can send API requests from all IP addresses that are defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.
   • All IP addresses - You can send API requests from all IP addresses. This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.

6. Publish the SmartConsole session.
7. Restart the API Server on the Management Server with this command:
   api restart
   Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server.


cma_migrate
Description
On the applicable target Domain Management Server, imports the management database that
was exported from an R7x Domain Management Server.

Note - This command updates the database schema before it imports. First, the
command runs pre-upgrade verification. If no errors are found, migration continues. If
there are errors, you must fix them on the source R7x Domain Management Server
according to instructions in the error messages. Then do this procedure again.

For the complete procedure, see the R80.40 Installation and Upgrade Guide.

Syntax

cma_migrate /<Full Path>/<Name of R7x Domain Exported File>.tgz /<Full Path>/<$FWDIR Directory of the New Domain Management Server>/

Example

[Expert@HostName_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz /opt/CPmds-R80.40/customers/MyDomain3/CPsuite-R80.40/fw1/


contract_util
Description
Works with the Check Point Service Contracts.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util [-d]
      check <options>
      cpmacro <options>
      download <options>
      mgmt
      print <options>
      summary <options>
      update <options>
      verify

Parameters

Parameter           Description
check <options>     Checks whether the Security Gateway is eligible for an upgrade.
                    See "contract_util check" on page 46.
cpmacro <options>   Overwrites the current cp.macro file with the specified cp.macro file.
                    See "contract_util cpmacro" on page 47.
download <options>  Downloads all associated Check Point Service Contracts from the User Center,
                    or from a local file.
                    See "contract_util download" on page 48.
mgmt                Delivers the Service Contract information from the Management Server to the
                    managed Security Gateways.
                    See "contract_util mgmt" on page 50.
print <options>     Shows all the installed licenses and whether the Service Contract covers these
                    licenses, which entitles them to an upgrade or not.
                    See "contract_util print" on page 51.
summary <options>   Shows post-installation summary.
                    See "contract_util summary" on page 52.
update <options>    Updates Check Point Service Contracts from your User Center account.
                    See "contract_util update" on page 53.
verify              Checks whether the Security Gateway is eligible for an upgrade.
                    This command also interprets the return values and shows a meaningful
                    message.
                    See "contract_util verify" on page 54.


contract_util check

Description
Checks whether the Security Gateway is eligible for an upgrade.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util check
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter      Description
{-h | -help}   Shows the applicable built-in usage.
hfa            Checks whether the Security Gateway is eligible for an upgrade to a higher Hotfix
               Accumulator.
maj_upgrade    Checks whether the Security Gateway is eligible for an upgrade to a higher Major
               version.
min_upgrade    Checks whether the Security Gateway is eligible for an upgrade to a higher Minor
               version.
upgrade        Checks whether the Security Gateway is eligible for an upgrade.


contract_util cpmacro

Description
Overwrites the current cp.macro file with the specified cp.macro file, if the specified file is newer than the current file.
For more information about the cp.macro file, see sk96217: What is a cp.macro file?

Syntax

contract_util cpmacro /<path_to>/cp.macro

This command shows one of these messages:

Message                                 Description
CntrctUtils_Write_cp_macro returned -1  The contract_util cpmacro command failed:
                                        • Failed to create a temporary file.
                                        • Failed to write to a temporary file.
                                        • Failed to replace the current file.
CntrctUtils_Write_cp_macro returned 0   The contract_util cpmacro command was able to overwrite the
                                        current file with the specified file, because the specified
                                        file is newer.
CntrctUtils_Write_cp_macro returned 1   The contract_util cpmacro command did not overwrite the
                                        current file, because it is newer than the specified file.


contract_util download

Description
Downloads all associated Check Point Service Contracts from User Center, or from a local file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util download
      {-h | -help}
      local
            {-h | -help}
            [{hfa | maj_upgrade | min_upgrade | upgrade}] <Service Contract File>
      uc
            {-h | -help}
            [-i] [{hfa | maj_upgrade | min_upgrade | upgrade}] <Username> <Password> [<Proxy Server> [<Proxy Username>:<Proxy Password>]]


Parameters

Parameter               Description
{-h | -help}            Shows the applicable built-in usage.
-i                      Interactive mode - prompts the user for the User Center credentials and
                        proxy server settings.
local                   Specifies to download the Service Contract from the local file.
                        This is equivalent to the "cplic contract put" command (see "cplic
                        contract" on page 133).
uc                      Specifies to download the Service Contract from the User Center.
hfa                     Downloads the information about a Hotfix Accumulator.
maj_upgrade             Downloads the information about a Major version.
min_upgrade             Downloads the information about a Minor version.
upgrade                 Downloads the information about an upgrade.
<Username>              Your User Center account e-mail address.
<Password>              Your User Center account password.
<Proxy Server>          Specifies that the connection to the User Center goes through the proxy
[<Proxy Username>:      server.
<Proxy Password>]       • <Proxy Server> - IP address or resolvable hostname of the proxy server.
                        • <Proxy Username> - Username for the proxy server.
                        • <Proxy Password> - Password for the proxy server.
                        Note - If you do not specify the proxy server explicitly, the command
                        uses the proxy server configured in the management database.
<Service Contract File> Path to and the name of the Service Contract file.
                        First, you must download the Service Contract file from your User Center
                        account.


contract_util mgmt

Description
Delivers the Service Contract information from the Management Server to the managed
Security Gateways.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util mgmt


contract_util print

Description
Shows all the installed licenses and whether the Service Contract covers these licenses, which entitles them to an upgrade or not.
This command can show which licenses are not recognized by the Service Contract file.
For more information about Service Contract files, see sk33089: What is a Service Contract File?

Syntax

contract_util [-d] print
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter      Description
{-h | -help}   Shows the applicable built-in usage.
-d             Shows a formatted table header and more information.
hfa            Shows the information about Hotfix Accumulator.
maj_upgrade    Shows the information about Major version.
min_upgrade    Shows the information about Minor version.
upgrade        Shows the information about an upgrade.


contract_util summary

Description
Shows post-installation summary and whether this Check Point computer is eligible for
upgrades.

Syntax

contract_util summary
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter      Description
hfa            Shows the information about Hotfix Accumulator.
maj_upgrade    Shows the information about Major version.
min_upgrade    Shows the information about Minor version.
upgrade        Shows the information about an upgrade.


contract_util update

Description
Updates the Check Point Service Contracts from your User Center account.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util update
      [-proxy <Proxy Server>:<Proxy Port>]
      [-ca_path <Path to ca-bundle.crt File>]

Parameters

Parameter                           Description
update                              Updates Check Point Service Contracts (attached to pre-installed
                                    licenses) from your User Center account.
-proxy <Proxy Server>:<Proxy Port>  Specifies that the connection to the User Center goes through the
                                    proxy server:
                                    • <Proxy Server> - IP address or resolvable hostname of the proxy
                                      server.
                                    • <Proxy Port> - The applicable port on the proxy server.
                                    Note - If you do not specify the proxy explicitly, the command uses
                                    the proxy configured in the management database.
-ca_path <Path to ca-bundle.crt     Specifies the path to the Certificate Authority Bundle file
    File>                           (ca-bundle.crt).
                                    Note - If you do not specify the path explicitly, the command uses
                                    the default path.


contract_util verify

Description
Checks whether the Security Gateway is eligible for an upgrade.
This command is the same as the "contract_util check" on page 46 command, but it also
interprets the return values and shows a meaningful message.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util verify


cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
      -h
      admin <options>
      auto <options>
      ca <options>
      client <options>
      finger <options>
      lic <options>
      snmp <options>

Syntax on a Security Gateway

cp_conf
      -h
      adv_routing <options>
      auto <options>
      corexl <options>
      fullha <options>
      ha <options>
      intfs <options>
      lic <options>
      sic <options>
      snmp <options>

Parameters

Parameter              Description
-h                     Shows the entire built-in usage.
admin <options>        Configures Check Point system administrators for the Security Management
                       Server.
                       See "cp_conf admin" on page 58.
adv_routing <options>  Enables or disables the Advanced Routing feature on this Security Gateway.
                       Important - Do not use these outdated commands. To configure Advanced
                       Routing, see the R80.40 Gaia Advanced Routing Administration Guide.
auto <options>         Shows and configures the automatic start of Check Point products during
                       boot.
                       See "cp_conf auto" on page 61.
ca <options>           • Configures the Certificate Authority's (CA) Fully Qualified Domain Name
                         (FQDN).
                       • Initializes the Internal Certificate Authority (ICA).
                       See "cp_conf ca" on page 63.
client <options>       Configures the GUI clients that can use SmartConsole to connect to the
                       Security Management Server.
                       See "cp_conf client" on page 65.
corexl <options>       Enables or disables CoreXL on this Security Gateway.
                       See "cp_conf corexl" on page 926.
finger <options>       Shows the ICA's Fingerprint.
                       See "cp_conf finger" on page 69.
fullha <options>       Manages Full High Availability Cluster.
                       See "cp_conf fullha" on page 928.
ha <options>           Enables or disables cluster membership on this Security Gateway.
                       See "cp_conf ha" on page 929.
intfs <options>        Sets the topology of interfaces on a Security Gateway, which you manage with
                       SmartProvisioning.
                       See "cp_conf intfs" on page 930.
lic <options>          Manages Check Point licenses.
                       See "cp_conf lic" on page 71.
sic <options>          Manages SIC on this Security Gateway.
                       See "cp_conf sic" on page 934.
snmp <options>         Do not use these outdated commands.
                       To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter
                       System Management - Section SNMP.


cp_conf admin

Description
Configures Check Point system administrators for the Security Management Server.

Notes:
• Multi-Domain Server does not support this command.
• Only one administrator can be defined in the "cpconfig" on page 124 menu. To define additional administrators, use SmartConsole.
• This command corresponds to the option Administrator in the "cpconfig" on page 124 menu.

Syntax

cp_conf admin
      -h
      add [<UserName> <Password> {a | w | r}]
      add -gaia [{a | w | r}]
      del <UserName1> <UserName2> ...
      get


Parameters

Parameter                     Description
-h                            Shows the applicable built-in usage.
add [<UserName> <Password>    Adds a Check Point system administrator:
    {a | w | r}]              • <UserName> - Specifies the administrator's username
                              • <Password> - Specifies the administrator's password
                              • a - Assigns all permissions - read settings, write settings, and
                                manage administrators
                              • w - Assigns permissions to read and write settings only (cannot
                                manage administrators)
                              • r - Assigns permissions to only read settings
add -gaia [{a | w | r}]       Adds the Gaia administrator user admin:
                              • a - Assigns all permissions - read settings, write settings, and
                                manage administrators
                              • w - Assigns permissions to read and write settings only (cannot
                                manage administrators)
                              • r - Assigns permissions to only read settings
del <UserName1>               Deletes the specified system administrators.
    <UserName2> ...
get                           Shows the list of the configured system administrators.
get -gaia                     Shows the management permissions assigned to the Gaia administrator
                              user admin.


Example 1 - Adding a Check Point system administrator

[Expert@MGMT:0]# cp_conf admin add
Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w

Administrator admin was modified successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

Example 2 - Adding the Gaia administrator user

[Expert@MGMT:0]# cp_conf admin add -gaia
Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r
Administrator admin already exists.

Administrator admin was modified successfully and has
Read Only Permission for all products
[Expert@MGMT:0]#


cp_conf auto

Description
Shows and controls which of Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain
Server in the "mdsconfig" on page 717 menu.

Syntax

cp_conf auto
-h
{enable | disable} <Product1> <Product2> ...
get all

Parameters

Parameter Description

-h Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ...
    Controls whether the installed Check Point products start automatically during boot.
    This command is for Check Point use only.

get all
    Shows which of these Check Point products start automatically during boot:
    n Check Point Security Gateway
    n QoS (former FloodGate-1)
    n SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all


Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#

Example from a Security Gateway

[Expert@GW:0]# cp_conf auto get all


The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed.

[Expert@GW:0]#

cp_conf ca

Description
This command changes the settings of the Internal Certificate Authority (ICA).

Note - On a Security Management Server, this command corresponds to the option
Certificate Authority in the "cpconfig" on page 124 menu.
Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf ca
-h
fqdn <FQDN Name>
init

Parameters

Parameter Description

-h Shows the applicable built-in usage.

fqdn <FQDN Name>
    Configures the Fully Qualified Domain Name (FQDN) for the Internal Certificate Authority (ICA).
    The "<FQDN Name>" is the text string in this format: hostname.domainname
    Notes:
    n The existing certificates for configured objects are not revoked.
    n The existing ICA certificate is not changed.
    n The Management Server uses the specified "<FQDN Name>" to configure the Certificate
      Revocation List Distribution Point (CRL DP) property in all certificates that the ICA
      generates. Refer to this command: "cpca_client get_crldp" on page 101

init Initializes the Internal Certificate Authority (ICA).

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn MyMGMT.checkpoint.com


Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
MyMGMT.checkpoint.com was successfully set to the Internal CA
[Expert@MyMGMT:0]#

cp_conf client

Description
Configures the GUI clients that are allowed to connect with SmartConsole to the Security
Management Server.

Notes:
n Multi-Domain Server does not support this command.
n This command corresponds to the option GUI Clients in the "cpconfig" on
page 124 menu.

Syntax

cp_conf client
add <GUI Client>
createlist <GUI Client 1> <GUI Client 2> ...
del <GUI Client 1> <GUI Client 2> ...
get

Parameters

Parameter Description

-h Shows the built-in usage.

<GUI Client>
    <GUI Client> can be one of these:
    n One IPv4 address (for example, 192.168.10.20), or one IPv6 address (for example, 3731:54:65fe:2::a7)
    n One hostname (for example, MyComputer)
    n "Any" - To denote all IPv4 and IPv6 addresses without restriction
    n A range of IPv4 addresses (for example, 192.168.10.0/255.255.255.0), or a range of IPv6 addresses (for example, 2001::1/128)
    n IPv4 address wildcard (for example, 192.168.10.*)

add <GUI Client> Adds a GUI client.

createlist <GUI Client 1> <GUI Client 2> ...
    Deletes the current allowed GUI clients and creates a new list of allowed GUI clients.

del <GUI Client 1> <GUI Client 2> ...
    Deletes the specified GUI clients.

get Shows the allowed GUI clients.
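As an added example (not code from the Check Point guide), the following POSIX shell script classifies a <GUI Client> value into the forms listed in the table above before it is handed to "cp_conf client add" or "createlist", so an automation script can reject a malformed entry (a bad octet, a CIDR prefix where the guide expects a netmask, a stray IPv6 address) before it changes the allowed-client list on the Security Management Server. The function names and the sample values are the example's own; the IPv6 check is deliberately loose (hex digits and colons, at most one "::") and the IPv4 netmask is not checked for contiguity.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): classifies a <GUI Client>
# value into the forms that "cp_conf client" accepts, so a script can reject
# a malformed allowlist entry before it touches the Security Management
# Server. Function names and sample values are constructed for the example.

# Dotted-quad IPv4 address: exactly four decimal fields, each 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, or an empty field
        *.*.*.*.*) return 1 ;;               # more than three dots
        *.*.*.*) ;;                          # exactly three dots
        *) return 1 ;;
    esac
    (
        set -f; IFS=.
        for octet in $1; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Loose IPv6 check: hex digits and colons only, at least one colon, at most
# one "::" and no ":::" run. Enough to tell an address from a hostname.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*|*:::*|*::*::*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the kind of <GUI Client> (any, ipv4, ipv6, hostname, ipv4-range,
# ipv6-range, ipv4-wildcard); prints "invalid" and returns 1 otherwise.
classify_gui_client() {
    value=$1
    case "$value" in
        Any)
            echo any; return 0 ;;
        */*)
            base=${value%%/*}; suffix=${value#*/}
            # IPv4 ranges are written address/netmask (192.168.10.0/255.255.255.0);
            # a CIDR prefix after an IPv4 address is therefore reported as invalid.
            if is_ipv4 "$base" && is_ipv4 "$suffix"; then
                echo ipv4-range; return 0
            fi
            if is_ipv6 "$base"; then                    # IPv6 ranges use a prefix length, e.g. 2001::1/128
                case "$suffix" in
                    ''|*[!0-9]*) ;;
                    *) [ "$suffix" -le 128 ] && { echo ipv6-range; return 0; } ;;
                esac
            fi
            echo invalid; return 1 ;;
        *\**)
            # each "*" must stand for a whole field, e.g. 192.168.10.*
            case "$value" in
                *[0-9]\**|*\*[0-9]*) echo invalid; return 1 ;;
            esac
            if is_ipv4 "$(printf '%s' "$value" | sed 's/\*/0/g')"; then
                echo ipv4-wildcard; return 0
            fi
            echo invalid; return 1 ;;
        *)
            if is_ipv4 "$value"; then echo ipv4; return 0; fi
            if is_ipv6 "$value"; then echo ipv6; return 0; fi
            case "$value" in
                ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) echo invalid; return 1 ;;
                *[A-Za-z]*) echo hostname; return 0 ;;
                *) echo invalid; return 1 ;;   # digits and dots only, but not a valid address
            esac ;;
    esac
}

# Checks a whole list (as given to "createlist"); returns 1 if any entry is malformed.
validate_gui_clients() {
    rc=0
    for entry in "$@"; do
        kind=$(classify_gui_client "$entry") || rc=1
        printf '%-28s %s\n' "$entry" "$kind"
    done
    return $rc
}

# Constructed sample list: one entry per form the guide lists, plus two bad ones.
if validate_gui_clients 192.168.10.20 3731:54:65fe:2::a7 MyComputer Any \
        192.168.10.0/255.255.255.0 2001::1/128 '192.168.10.*' 192.168.10.300 2001::1::2
then
    echo "all entries are well-formed"
else
    echo "list contains malformed entries; do not pass it to cp_conf client"
fi
```

The script only validates syntax; whether an entry such as "Any" or a whole /24 is an acceptable management-access scope is a policy decision that the list reviewer still has to make.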

Examples
Example 1 - Configure one IPv4 address
[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.15


172.20.168.15 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


172.20.168.15
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.15


172.20.168.15 was deleted successfully
[Expert@MGMT:0]#

Example 2 - Configure one hostname


[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost


MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost


MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

Example 3 - Configure "Any"


[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"


Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"


Any was deleted successfully
[Expert@MGMT:0]#

Example 4 - Configure a range of IPv4 addresses


[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0


172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.0/255.255.255.0


172.20.168.0/255.255.255.0 was deleted successfully
[Expert@MGMT:0]#

Example 5 - Configure IPv4 address wildcard


[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*


172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*


172.20.168.* was deleted successfully
[Expert@MGMT:0]#

Example 6 - Delete the current list and create a new list of allowed GUI clients
[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0


172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist 192.168.40.0/255.255.255.0 172.30.40.55


New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


192.168.40.0/255.255.255.0
172.30.40.55
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"


New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


Any
[Expert@MGMT:0]#

cp_conf finger

Description
Shows the Internal Certificate Authority's Fingerprint.
This fingerprint is a text string derived from the ICA certificate on the Security Management
Server, Multi-Domain Server, or Domain Management Server.
This fingerprint verifies the identity of the Security Management Server, Multi-Domain Server,
or Domain Management Server when you connect to it with SmartConsole.

Note - This command corresponds to the option Certificate's Fingerprint in the
"cpconfig" on page 124 menu.
Note - On a Multi-Domain Server:
n To see the fingerprint of the Multi-Domain Server, this command corresponds to
the option Certificate's Fingerprint in the "mdsconfig" on page 717 menu.
n You can run this command in these contexts:
l To see the fingerprint of the Multi-Domain Server, run it in the context of
the Multi-Domain Server:
mdsenv
l To see the fingerprint of a Domain Management Server, run it in the
context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf finger
-h
get

Parameters

Parameter Description

-h Shows the applicable built-in usage.

get Shows the ICA's Fingerprint.

Example

[Expert@MGMT:0]# cp_conf finger get


EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#

cp_conf lic

Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 124 menu.
Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf lic
-h
add -f <Full Path to License File>
add -m <Host> <Date> <Signature Key> <SKU/Features>
del <Signature Key>
get [-x]

Parameters

Parameter Description

-h Shows the applicable built-in usage.

add -f <Full Path to License File>
    Adds a license from the specified Check Point license file.
    You get this license file in the Check Point User Center.
    This is the same command as the "cplic db_add" on page 135.

add -m <Host> <Date> <Signature Key> <SKU/Features>
    Adds the license manually.
    You get these license details in the Check Point User Center.
    This is the same command as the "cplic db_add" on page 135.

del <Signature Key>
    Deletes the license based on its signature.
    This is the same command as the "cplic del" on page 140.

get [-x]
    Shows the locally installed licenses.
    If you specify the "-x" parameter, the output also shows the signature key for every installed license.
    This is the same command as the "cplic print" on page 144.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic


License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@MyHostName:0]#

cp_log_export
Description
Exports Check Point logs over syslog.
For more information, see sk122323 and the R80.40 Logging and Monitoring Administration
Guide.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_log_export
cp_log_export <command-name> help

Parameters

Parameter Description

No Parameters Shows the built-in general help.

<command-name> help Shows the built-in help for the specified internal command.

Internal Commands

Name Description

add Configures a new Check Point Log Exporter.
    cp_log_export add name <Name> target-server <Target-Server> target-port <Target-Server-Port> protocol {udp | tcp} [Optional Arguments]

delete Removes an existing Log Exporter.
    cp_log_export delete name <Name>

reconf Applies the Log Exporter configuration to all existing exporters.
    cp_log_export reconf [name <Name>]

reexport Resets the current log position and exports all logs again based on the configuration.
    cp_log_export reexport name <Name> --apply-now
    cp_log_export reexport name <Name> start-position <Position of Last Exported Log> --apply-now
    cp_log_export reexport name <Name> start-position <Position of Gap Start> end-position <Position of Gap End> --apply-now

restart Restarts a Log Exporter process.
    cp_log_export restart name <Name>

set Updates an existing Log Exporter configuration.
    cp_log_export set name <Name> [<Optional Arguments>]

show Shows the current Log Exporter configuration.
    cp_log_export show [<Optional Arguments>]

start Starts an existing Log Exporter process.
    cp_log_export start name <Name>

status Shows a Log Exporter overview status.
    cp_log_export status [<Optional Arguments>]

stop Stops an existing Log Exporter process.
    cp_log_export stop name <Name>
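An added example, not part of the guide or of the Log Exporter tool itself: a POSIX shell function that assembles a "cp_log_export add" command line from its inputs and enforces the rules that the argument table of this section states (name syntax, mandatory target-server, target-port and protocol, the certificate arguments only together with encrypted true, and the quoted comma-separated format of filter-action-in). It prints the command instead of running it, so the result can be reviewed before it is pasted into the Expert shell. The host names, file paths, challenge phrase and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Check Point guide or the Log Exporter tool):
# validates the inputs of a "cp_log_export add" call against the argument
# rules in this section and prints the command line (dry run) instead of
# running it. Hosts, paths and names below are constructed for the example.

# Exporter name rules: Latin letters, digits, "-", "_" and "."; must start
# with a letter; at least two characters.
valid_exporter_name() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # forbidden character
        [A-Za-z]?*) return 0 ;;          # starts with a letter, length >= 2
        *) return 1 ;;
    esac
}

# filter-*-in value: either false or "Value1","Value2",... with every value
# in double quotes and separated by commas without spaces.
valid_filter_list() {
    [ "$1" = false ] && return 0
    q='"'
    case "$1" in
        "$q"?*"$q") ;;
        *) return 1 ;;
    esac
    inner=${1#"$q"}; inner=${inner%"$q"}
    # "A","B" becomes A,B; any quote, space or empty value left over is malformed
    inner=$(printf '%s' "$inner" | sed 's/","/,/g')
    (
        set -f; IFS=,
        for item in $inner; do
            case "$item" in
                ''|*"$q"*|*' '*) exit 1 ;;
            esac
        done
        exit 0
    )
}

# Assembles the "add" command. Positional arguments, in this order:
#   name target-server target-port protocol encrypted ca-cert client-cert client-secret filter-action-in
# Pass an empty string for arguments that are not used.
build_log_export_add() {
    name=$1 server=$2 port=$3 proto=$4 encrypted=$5
    ca_cert=$6 client_cert=$7 client_secret=$8 filter_action=$9

    valid_exporter_name "$name" || { echo "invalid exporter name: $name" >&2; return 1; }
    [ -n "$server" ] || { echo "target-server is mandatory for add" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "target-port must be a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "target-port out of range: $port" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp (there is no default)" >&2; return 1 ;;
    esac
    cmd="cp_log_export add name $name target-server $server target-port $port protocol $proto"

    case "$encrypted" in
        true)
            # TLS needs the CA certificate, the client certificate and its challenge
            # phrase; refuse to emit a half-configured encrypted exporter.
            if [ -z "$ca_cert" ] || [ -z "$client_cert" ] || [ -z "$client_secret" ]; then
                echo "encrypted true requires ca-cert, client-cert and client-secret" >&2; return 1
            fi
            cmd="$cmd encrypted true ca-cert $ca_cert client-cert $client_cert client-secret $client_secret" ;;
        false|'')
            # The certificate arguments apply only when encrypted is true; passing
            # them anyway usually means the operator forgot to enable TLS.
            if [ -n "$ca_cert" ] || [ -n "$client_cert" ] || [ -n "$client_secret" ]; then
                echo "ca-cert, client-cert and client-secret apply only with encrypted true" >&2; return 1
            fi
            if [ -n "$encrypted" ]; then cmd="$cmd encrypted false"; fi ;;
        *) echo "encrypted must be true or false" >&2; return 1 ;;
    esac

    if [ -n "$filter_action" ]; then
        valid_filter_list "$filter_action" || { echo 'filter-action-in must look like "Accept","Drop" or false' >&2; return 1; }
        cmd="$cmd filter-action-in $filter_action"
    fi
    printf '%s\n' "$cmd"
}

# Constructed sample calls (hypothetical hosts and file paths):
# 1) plaintext UDP export: accepted, but the logs cross the network unencrypted
build_log_export_add siem-plain 192.0.2.10 514 udp false "" "" "" ""
# 2) TLS export with CA and client certificate, limited to Drop and Prevent logs
build_log_export_add siem-tls siem.example.com 6514 tcp true \
    /home/admin/ca.pem /home/admin/client.p12 'ChangeMe' '"Drop","Prevent"'
# 3) rejected: certificate arguments given without encrypted true
build_log_export_add siem-bad 192.0.2.10 514 udp false /home/admin/ca.pem "" "" "" \
    || echo "third call rejected as expected"
```

The first constructed call yields a valid but plaintext UDP exporter; the second yields a TLS exporter with a CA certificate and a client certificate. Because client-secret is passed on the command line, the real command leaves the challenge phrase in the Expert shell's history, which is worth clearing afterwards. The --apply-now argument, optional for "add" according to the table, is left for the operator to append once the printed command has been reviewed.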

Internal Command Arguments

For every argument, the "Required for" line states whether the argument is Mandatory, Optional, or not applicable (N/A) for each internal command: "add", "set", "delete", "reexport", "reconf", and the group "restart", "show", "status", "start", "stop".

--apply-now
    Applies immediately any change that was done with the "add", "set", "delete", or "reexport" command.
    Required for: "add" - Optional; "set" - Optional; "delete" - Mandatory; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - Mandatory

ca-cert <Path>
    Specifies the full path to the CA certificate file *.pem.
    Important - Applicable only when the value of the "encrypted" argument is "true".
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

client-cert <Path>
    Specifies the full path to the client certificate *.p12.
    Important - Applicable only when the value of the "encrypted" argument is "true".
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

client-secret <Phrase>
    Specifies the challenge phrase used to create the client certificate *.p12.
    Important - Applicable only when the value of the "encrypted" argument is "true".
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

domain-server {mds | all}
    On a Multi-Domain Server, specifies the applicable Domain Management Server context.
    On a Multi-Domain Log Server, specifies the applicable Domain Log Server context.
    Important:
    n "mds" (in small letters) - Exports all logs from only the main MDS level.
    n "all" (in small letters) - Exports all logs from all Domains.
    Required for: "add" - Mandatory; "set" - Mandatory; "delete" - Mandatory; "reexport" - N/A; "reconf" - Optional; "restart", "show", "status", "start", "stop" - Mandatory

enabled {true | false}
    Specifies whether to allow the Log Exporter to start when you run the "cpstart" on page 191 or "mdsstart" on page 725 command.
    Default: true
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

encrypted {true | false}
    Specifies whether to use TLS (SSL) encryption to send the logs.
    Default: false
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

export-attachment-link {true | false}
    Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card and automatically opens the attachment.
    Default: false
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

export-link {true | false}
    Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card.
    Default: false
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

export-link-ip {true | false}
    Specifies whether to make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).
    Important - Applicable only when the value of the "export-link" argument is "true", or the value of the "export-attachment-link" argument is "true".
    Default: false
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

filter-action-in {"Action1","Action2",... | false}
    Specifies whether to export all logs that contain a specific value in the "Action" field.
    Each value must be surrounded by double quotes ("").
    Multiple values are supported and must be separated by a comma without spaces.
    To see all valid values:
    1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.
    2. In the top query field, enter action: and a letter.
    Examples of values:
    n Accept
    n Block
    n Bypass
    n Detect
    n Drop
    n HTTPS Bypass
    n HTTPS Inspect
    n Prevent
    n Reject
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

filter-blade-in {"Blade1","Blade2",... | false}
    Specifies whether to export all logs that contain a specific value in the "Blade" field (the object name of the Software Blade that generated these logs).
    Each value must be surrounded by double quotes ("").
    Multiple values are supported and must be separated by a comma without spaces.
    To see all valid values:
    1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.
    2. In the top query field, enter blade: and a letter.
    Examples of values:
    n Anti-Bot
    n Firewall
    n HTTPS Inspection
    n Identity Awareness
    n IPS
    Valid Software Blade families:
    n Access
    n TP
    n Endpoint
    n Mobile
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

filter-origin-in {"Origin1","Origin2",... | false}
    Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway / Cluster Member that generated these logs).
    Each origin value must be surrounded by double quotes ("").
    Multiple values are supported and must be separated by a comma without spaces.
    Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

format {cef | syslog}
    Specifies the format, in which the logs are exported.
    Default: syslog
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

name "<Name>"
    Specifies the unique name of the Log Exporter configuration.
    Notes:
    n Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period (".").
    n Must start with a letter.
    n The minimum length is two characters.
    n The "add" command creates a new target directory with the specified unique name in the $EXPORTERDIR/targets/ directory.
    Required for: "add" - Mandatory; "set" - Mandatory; "delete" - Mandatory; "reexport" - Optional. By default, applies to all; "reconf" - Optional. By default, applies to all; "restart", "show", "status", "start", "stop" - Mandatory

protocol {tcp | udp}
    Specifies the Layer 4 Transport protocol to use (TCP or UDP).
    There is no default value.
    Required for: "add" - Mandatory; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

read-mode {raw | semi-unified}
    Specifies the mode, in which to read the log files.
    n raw - Specifies to export log records without any unification.
    n semi-unified - Specifies to export log records with step-by-step unification. That is, for each log record, export a record that unifies this record with all previously-encountered records with the same ID.
    Default: raw
    Required for: "add" - Optional; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

target-port <Target-Server-Port>
    Specifies the listening port on the target server, to which you export the logs.
    Required for: "add" - Mandatory; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A

target-server <Target-Server>
    Specifies the IP address or FQDN of the target server, to which you export the logs.
    Required for: "add" - Mandatory; "set" - Optional; "delete" - N/A; "reexport" - N/A; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A
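As an added illustration (not code from the guide) of the difference between read-mode raw and read-mode semi-unified, the following POSIX shell and awk script applies the step-by-step unification the table describes to constructed sample records: each record is merged with all previously seen records that carry the same ID, and the merged record is emitted in place of the raw one, so a SIEM that receives only the exported stream sees the latest known state of a connection (for example its final action) with every update. The record layout (semicolon-separated key=value fields with an id field) is the example's own simplification, not the Check Point log format, and the function names are constructed.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): illustrates read-mode raw
# versus read-mode semi-unified on constructed records. The record layout
# (semicolon-separated key=value fields with an "id" field) is this example's
# own simplification, not the Check Point log format. Values must not contain
# "=" or ";" in this simplified layout.

# Constructed sample: record 1 is updated twice after it was first logged.
SAMPLE_LOGS='id=1;time=10:00:00;action=Accept;src=10.0.0.5
id=2;time=10:00:01;action=Drop;src=10.0.0.9
id=1;time=10:00:05;bytes=2048
id=1;time=10:00:09;action=Drop'

# raw: every record is exported exactly as it was read, so the two update
# records for id=1 carry no source address and the last one no byte count.
raw_mode() {
    cat
}

# semi-unified: for each record, export a record that unifies it with all
# previously seen records carrying the same id. The latest value of a key
# wins; keys keep the order in which they first appeared for that id.
semi_unified_mode() {
    awk -F';' '
    {
        # locate the id field that ties updates to the original record
        id = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "id") id = kv[2]
        }
        # merge this record into the state kept for its id
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            k = kv[1]
            if (!((id, k) in value)) order[id] = (order[id] == "" ? k : order[id] ";" k)
            value[id, k] = kv[2]
        }
        # emit the unified record: every key seen so far for this id, latest values
        n = split(order[id], keys, ";")
        out = ""
        for (j = 1; j <= n; j++) {
            sep = (j == 1) ? "" : ";"
            out = out sep keys[j] "=" value[id, keys[j]]
        }
        print out
    }'
}

echo "--- raw ---"
printf '%s\n' "$SAMPLE_LOGS" | raw_mode
echo "--- semi-unified ---"
printf '%s\n' "$SAMPLE_LOGS" | semi_unified_mode
```

In the semi-unified output the third and fourth lines still carry src=10.0.0.5 and, from the third line on, bytes=2048, and the fourth line shows the updated action=Drop; in raw mode a consumer has to perform that join itself, which matters when the exported stream is the only copy it gets.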

cpca_client
Description
Executes operations on the Internal Certificate Authority (ICA).

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d]
create_cert <options>
double_sign <options>
get_crldp <options>
get_pubkey <options>
init_certs <options>
lscert <options>
revoke_cert <options>
revoke_non_exist_cert <options>
search <options>
set_cert_validity <options>
set_mgmt_tool <options>
set_sign_hash <options>

Parameters

Parameter Description

-d Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

create_cert <options> Issues a SIC certificate for the Security Management Server or Domain Management Server.
    See "cpca_client create_cert" on page 97.

double_sign <options> Creates a second signature for a certificate.
    See "cpca_client double_sign" on page 99.

get_crldp <options> Shows how to access a CRL file from a CRL Distribution Point.
    See "cpca_client get_crldp" on page 101.

get_pubkey <options> Saves the encoding of the public key of the ICA's certificate to a file.
    See "cpca_client get_pubkey" on page 103.

init_certs <options> Imports a list of DNs for users and creates a file with registration keys for each user.
    See "cpca_client init_certs" on page 104.

lscert <options> Shows all certificates issued by the ICA.
    See "cpca_client lscert" on page 105.

revoke_cert <options> Revokes a certificate issued by the ICA.
    See "cpca_client revoke_cert" on page 108.

revoke_non_exist_cert <options> Revokes a non-existent certificate issued by the ICA.
    See "cpca_client revoke_non_exist_cert" on page 111.

search <options> Searches for certificates in the ICA.
    See "cpca_client search" on page 112.

set_cert_validity <options> Configures the default certificate validity period for new certificates.
    See "cpca_client set_cert_validity" on page 114.

set_mgmt_tool <options> Controls the ICA Management Tool.
    See "cpca_client set_mgmt_tool" on page 116.

set_sign_hash <options> Sets the hash algorithm that the CA uses to sign the file hash.
    See "cpca_client set_sign_hash" on page 121.

cpca_client create_cert

Description
Issues a SIC certificate for the Security Management Server or Domain Management Server.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common Name>" -f <Full Path to PKCS12 file> [-w <Password>] [-k {SIC | USER | IKE | ADMIN_PKG}] [-c "<Comment for Certificate>"]

Parameters

Parameter Description

-d Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>" Sets the CN to the specified <Common Name>.

-f <Full Path to PKCS12 file> Specifies the PKCS12 file, which stores the certificate and keys.

-w <Password> Optional. Specifies the certificate password.

-k {SIC | USER | IKE | ADMIN_PKG} Optional. Specifies the certificate kind.

-c "<Comment for Certificate>" Optional. Specifies the certificate comment (must enclose in double quotes).

Example

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

cpca_client double_sign

Description
Creates a second signature for a certificate.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate File in PEM format> [-o <Full Path to Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Certificate File in PEM format> Imports the specified certificate (only in PEM format).

-o <Full Path to Output File> Optional. Saves the certificate into the specified file.

Example

[Expert@MGMT:0]# cpca_client double_sign -i certificate.pem

Requesting Double Signature for the following Certificate:
refCount: 1
Subject: [email protected],CN=http://www.example.com/,OU=ValiCert Class 2 Policy
Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:
======================
(
: (
:dn ("[email protected],CN=http://www.example.com/,OU=exampleOU Class 2
Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#

cpca_client get_crldp

Description
Shows the Fully Qualified Domain Name (FQDN) configured for the Internal Certificate
Authority (ICA) with the "cp_conf ca" on page 63 command.
The Management Server uses this FQDN:
1. To configure the Certificate Revocation List Distribution Point (CRL DP) property in all
certificates that the ICA generates.
2. To create the URL for accessing the CRL.
Example: http://MyMGMT.checkpoint.com:18264/ICA_CRL1.crl

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_crldp [-p <ICA port number>]

Parameters

Parameter Description

-d Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <ICA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18264.

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cpca_client get_crldp
MyMGMT.checkpoint.com
[Expert@MyMGMT:0]#

cpca_client get_pubkey

Description
Saves the encoding of the public key of the ICA's certificate to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to Output File>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

<Full Path to Output File>
    Saves the encoding of the public key of the ICA's certificate to the specified file.

Example

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/key.txt
[Expert@MGMT:0]#

[Expert@MGMT:0]# cat /tmp/key.txt
3082010a... ... ...f98b8910
[Expert@MGMT:0]#

cpca_client init_certs

Description
Imports a list of Distinguished Names (DN) for users and creates a file with registration keys for
each user.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to Input File> -o <Full Path to Output File>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-i <Full Path to Input File>
    Imports the specified file.
    Make sure to use the full path.
    Make sure that there is an empty line between each DN in the specified file.
    Example:
    ...CN=test1,OU=users...
    <Empty Line>
    ...CN=test2,OU=users...

-o <Full Path to Output File>
    Saves the registration keys to the specified file.
    This command saves the error messages in the <Name of Output File>.failures file in the same directory.

cpca_client lscert

Description
Shows all certificates issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-kind {SIC | IKE | User | LDAP}] [-ser <Certificate Serial Number>] [-dp <Certificate Distribution Point>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <SubString>
    Optional. Filters the search results to those with a DN that matches the specified <SubString>.
    This command does not support multiple values.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Filters the search results to those with certificate status that matches the specified status.
    This command does not support multiple values.

-kind {SIC | IKE | User | LDAP}
    Optional. Filters the search results to those with certificate kind that matches the specified kind.
    This command does not support multiple values.

-ser <Certificate Serial Number>
    Optional. Filters the search results to those with certificate serial number that matches the specified serial number.
    This command does not support multiple values.

-dp <Certificate Distribution Point>
    Optional. Filters the search results to the specified Certificate Distribution Point (CDP).
    This command does not support multiple values.

Example

[Expert@MGMT:0]# cpca_client lscert -stat Revoked
Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client lscert -kind IKE
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

cpca_client revoke_cert

Description
Revokes a certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common Name>" -s <Certificate Serial Number>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>"
    Specifies the certificate CN.
    To get the CN, run the "cpca_client lscert" on page 105 command and examine the text that you see between the "Subject =" and the ",O=...".
    Example
    From this output:
    Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
    Status = Valid Kind = IKE Serial = 27214 DP = 1
    Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
    you get this syntax:
    -n "CN=VS1 VPN Certificate"
    Note - You can use the parameter "-n" only, or together with the parameter "-s".

-s <Certificate Serial Number>
    Specifies the certificate serial number.
    To see the serial number, run the "cpca_client lscert" on page 105 command.
    Note - You can use the parameter "-s" only, or together with the parameter "-n".

Example 1 - Revoking a certificate specified by its CN

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#

Example 2 - Revoking a certificate specified by its serial number.

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#

cpca_client revoke_non_exist_cert

Description
Revokes a non-existent certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input File>

Parameters

Parameter Description

-d
    Runs the cpca_client command under debug.

-i <Full Path to Input File>
    Specifies the file that contains the list of the certificates to revoke.
    You must create this file in the same format as the "cpca_client lscert" on page 105 command prints its output.
    Example
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 30287 DP = 0
    Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
    <Empty Line>
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 60870 DP = 0
    Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri Apr 7 19:40:13 2023

    Note - This command saves the error messages in the <Name of Input File>.failures file.
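Example (added here, not from the Check Point guide) - the records that "cpca_client lscert" prints are also the input format that "cpca_client revoke_non_exist_cert -i" expects, so a filter over the lscert output is enough to build that file, and the same records carry the serial numbers that "cpca_client revoke_cert -s" takes. The POSIX shell functions below assume only the three-line record layout shown in the lscert examples above; the sample data is constructed from those examples, and the cpca_client calls in the comments are not executed here:

```shell
# Added example, not from the Check Point guide: post-processes the records that
# "cpca_client lscert" prints. Each record is three lines (Subject / Status, Kind,
# Serial, DP / Not_Before, Not_After) separated by an empty line, which is also the
# input format "cpca_client revoke_non_exist_cert -i <file>" expects.

# Constructed sample in the lscert layout, modelled on the guide's example output.
SAMPLE_LSCERT='Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked   Kind = SIC   Serial = 5521   DP = 0
Not_Before: Sun Apr  8 14:10:01 2018   Not_After: Sat Apr  8 14:10:01 2023

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid   Kind = IKE   Serial = 27214   DP = 1
Not_Before: Wed Apr 11 17:26:02 2018   Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked   Kind = IKE   Serial = 82434   DP = 2
Not_Before: Mon May 14 19:15:05 2018   Not_After: Sun May 14 19:15:05 2023'

# select_certs KIND STATUS
# Reads lscert output on stdin and prints only the records whose Kind and Status
# both match, keeping the blank-line-separated layout so the result can be written
# to a file and passed to "revoke_non_exist_cert -i". awk paragraph mode (RS="")
# gives one record per certificate; FS="\n" makes $2 the Status/Kind/Serial line.
select_certs() {
    awk -v kind="$1" -v status="$2" '
        BEGIN { RS = ""; FS = "\n"; ORS = "\n\n" }
        $2 ~ ("Kind = +" kind " ") && $2 ~ ("Status = +" status " ") { print }
    '
}

# cert_serials
# Reads lscert output on stdin and prints one serial number per line, the value
# that "cpca_client revoke_cert -s <Certificate Serial Number>" takes.
cert_serials() {
    awk '
        BEGIN { RS = ""; FS = "\n" }
        match($2, /Serial = +[0-9]+/) {
            s = substr($2, RSTART, RLENGTH)
            sub(/Serial = +/, "", s)
            print s
        }
    '
}

# Intended use on the Management Server (the cpca_client calls are not run here):
#   cpca_client lscert -kind IKE | select_certs IKE Revoked > /tmp/revoked_ike.txt
#   cpca_client revoke_non_exist_cert -i /tmp/revoked_ike.txt
#   cpca_client lscert -stat Valid | cert_serials
printf '%s\n' "$SAMPLE_LSCERT" | select_certs IKE Valid
printf '%s\n' "$SAMPLE_LSCERT" | cert_serials
```

Because select_certs matches on the Kind and Status fields only, it does not care about the exact spacing lscert uses between columns, and the file it produces keeps the empty line between records that revoke_non_exist_cert requires.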

cpca_client search

Description
Searches for certificates in the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] search <String> [-where {dn | comment | serial | device_type | device_id | device_name}] [-kind {SIC | IKE | User | LDAP}] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-max <Maximal Number of Results>] [-showfp {y | n}]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

<String>
    Specifies the text to search in the certificates.
    You can enter only one text string that does not contain spaces.

-where {dn | comment | serial | device_type | device_id | device_name}
    Optional. Specifies the certificate's field, in which to search for the string:
    - dn - Certificate DN
    - comment - Certificate comment
    - serial - Certificate serial number
    - device_type - Device type
    - device_id - Device ID
    - device_name - Device Name
    The default is to search in all fields.

-kind {SIC | IKE | User | LDAP}
    Optional. Specifies the certificate kind to search.
    You can enter multiple values in this format:
    -kind <Kind1> <Kind2> <Kind3>
    The default is to search for all kinds.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Specifies the certificate status to search.
    You can enter multiple values in this format:
    -stat <Status1> <Status2> <Status3>
    The default is to search for all statuses.

-max <Maximal Number of Results>
    Optional. Specifies the maximal number of results to show.
    - Range: 1 and greater
    - Default: 200

-showfp {y | n}
    Optional. Specifies whether to show the certificate's fingerprint and thumbprint:
    - y - Shows the fingerprint and thumbprint (this is the default)
    - n - Does not show the fingerprint and thumbprint

Example 1

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

Example 2

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

Example 3

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn -showfp n
Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#

cpca_client set_mgmt_tool

Description
Controls the ICA Management Tool.
This tool is disabled by default.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

See sk102837: Best Practices - ICA Management Tool configuration

Syntax

cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean | print} [-p <CA port number>] [{-a <Administrator DN> | -u <User DN> | -c <Custom User DN>}]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

on
    Starts the ICA Management Tool.

off
    Stops the ICA Management Tool.

add
    Adds the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

remove
    Removes the specified administrator, user, or custom user that is permitted to use the ICA Management Tool.

clean
    Removes all administrators, users, or custom users that are permitted to use the ICA Management Tool.

print
    Shows the configured administrators, users, or custom users that are permitted to use the ICA Management Tool.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority.
    The default TCP port number is 18265.

-a <Administrator DN>
    Optional. Specifies the DN of the administrator that is permitted to use the ICA Management Tool.
    Must specify the full DN as it appears in SmartConsole.
    Procedure:
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"

-u <User DN>
    Optional. Specifies the DN of the user that is permitted to use the ICA Management Tool.
    Must specify the full DN as it appears in SmartConsole.
    Procedure:
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

-c <Custom User DN>
    Optional. Specifies the DN for the custom user that is permitted to use the ICA Management Tool.
    Must specify the full DN as it appears in SmartConsole.
    Procedure:
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

Note - If you run the "cpca_client set_mgmt_tool" command without the parameter "-a" or "-u", the list of the permitted administrators and users is not changed. The previously defined permitted administrators and users can start and stop the ICA Management Tool.

To connect to the ICA Management Tool


1. In SmartConsole, configure the required administrator and user objects.
You must create a certificate for these administrators and users.
You use this certificate to configure the permitted users in the ICA Management Tool and
in the client web browsers.
2. In the command line on the Management Server, add the required administrators and
users that are permitted to use the ICA Management Tool.

cpca_client set_mgmt_tool add ...

3. In the command line on the Management Server, start the ICA Management Tool.

cpca_client set_mgmt_tool on

4. Check the status of the ICA Management Tool:

cpca_client set_mgmt_tool print

5. Import the administrator's / user's certificate into the Windows Certificate Store:
a. Right-click the *.p12 file you saved when you created the required administrator /
user, and click Install PFX.
The Certificate Import Wizard opens.

b. In the Store Location section, select the applicable option:
- Current User (this is the default)
- Local Machine

c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator / user certificate.
e. Clear Enable strong private key protection.
f. Select Mark this key as exportable.
g. Click Next.
h. Select Place all certificates in the following store > click Browse > select
Personal > click OK.
i. Click Next.
j. Click Finish.

6. In a web browser, connect to the ICA Management Tool:

https://<IP Address of the Management Server>:18265


Important - The fact that TCP port 18265 is open is not by itself a vulnerability. The
ICA Management Tool Portal is protected by SSL, and only the administrators and users you
added with "cpca_client set_mgmt_tool add" can access it, each with their own certificate.
The tool is disabled by default: start it only when you need it, stop it with
"cpca_client set_mgmt_tool off" when you finish, and follow sk102837.

7. A dialog box with this message appears:


Client Authentication
Identification
The Web site you want to view requests identification.
Select the certificate to use when connecting.

8. Select the appropriate certificate for authenticating to the ICA Management Tool.
9. Click OK.
10. In the Security Alert dialog box, click Yes.

cpca_client set_sign_hash

Description
Sets the hash algorithm that the ICA uses when it signs the certificates it issues. Also, see sk103840.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}


Important - After this change, you must restart the Check Point services with these commands:
- On a Security Management Server, run:
  1. cpstop
  2. cpstart
- On a Multi-Domain Server, run:
  1. mdsstop_customer <Name or IP Address of Domain Management Server>
  2. mdsstart_customer <Name or IP Address of Domain Management Server>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{sha1 | sha256 | sha384 | sha512}
    The hash algorithm that the CA uses for its signatures.
    The default algorithm is SHA-256.

Example

[Expert@MGMT:0]# cpca_client set_sign_hash sha256

You have selected the signature hash function SHA-256

WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.

Are you sure? (y/n) y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this has no security implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart

cpca_create
Description
Creates new Check Point Internal Certificate Authority database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_create [-d] -dn <CA DN>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <CA DN>
    Specifies the Certificate Authority Distinguished Name (DN).

cpinfo
Description
A utility that collects diagnostic data from your Check Point computer at the time you run it.
You must collect this data when you contact Check Point Support about an issue on your
Check Point server.
For more information, see sk92739.

cplic
Description
The cplic command manages Check Point licenses.
You can run this command in Gaia Clish or in the Expert mode.
License Management is divided into three types of commands:

Local licensing commands
    Applies To: Management Servers, Security Gateways and Cluster Members
    Description: You execute these commands locally on the Check Point computers.

Remote licensing commands
    Applies To: Management Servers only
    Description: You execute these commands on the Security Management Server or Domain Management Server.
    These changes affect the managed Security Gateways and Cluster Members.

License Repository commands
    Applies To: Management Servers only
    Description: You execute these commands on the Security Management Server or Domain Management Server.
    These changes affect the licenses stored in the local license repository.

For more about managing licenses, see the R80.40 Security Management Administration
Guide.

Syntax for Local Licensing on a Management Server itself

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>

Syntax for Remote Licensing on managed Security Gateways and Cluster Members

cplic [-d]
{-h | -help}
del <options>
get <options>
put <options>
upgrade <options>

Syntax for License Database Operations on a Management Server

cplic [-d]
{-h | -help}
db_add <options>
db_print <options>
db_rm <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the applicable built-in usage.

check <options>
    Confirms that the license includes the feature on the local Security Gateway or Management Server.
    See "cplic check" on page 131.

contract <options>
    Manages (deletes and installs) the Check Point Service Contract on the local Check Point computer.
    See "cplic contract" on page 133.

db_add <options>
    Applies only to a Management Server.
    Adds licenses to the license repository on the Management Server.
    See "cplic db_add" on page 135.

db_print <options>
    Applies only to a Management Server.
    Shows the details of Check Point licenses stored in the license repository on the Management Server.
    See "cplic db_print" on page 137.

db_rm <options>
    Applies only to a Management Server.
    Removes a license from the license repository on the Management Server.
    See "cplic db_rm" on page 139.

del <options>
    Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
    See "cplic del" on page 140.

del <Object Name> <options>
    Detaches a Central license from a remote managed Security Gateway or Cluster Member.
    See "cplic del <object name>" on page 141.

get <options>
    Applies only to a Management Server.
    Retrieves all licenses from managed Security Gateways and Cluster Members into the license repository on the Management Server.
    See "cplic get" on page 142.

print <options>
    Prints details of the installed Check Point licenses on the local Check Point computer.
    See "cplic print" on page 144.

put <options>
    Installs and attaches licenses on a Check Point computer.
    See "cplic put" on page 146.

put <Object Name> <options>
    Attaches one or more Central or Local licenses to a remote managed Security Gateways and Cluster Members.
    See "cplic put <object name>" on page 148.

upgrade <options>
    Applies only to a Management Server.
    Upgrades licenses in the license repository with licenses in the specified license file.
    See "cplic upgrade" on page 151.

cplic check

Description
Confirms that the license includes the feature on the local Security Gateway or Management
Server. See sk66245.

Syntax

cplic check {-h | -help}

cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <Product>
    Product, for which license information is requested.
    Some examples of products:
    - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member (all blades), or Management Server (all blades)
    - mgmt - Multi-Domain Server infrastructure
    - services - Entitlement for various services
    - cvpn - Mobile Access
    - etm - QoS (FloodGate-1)
    - eps - Endpoint Software Blades on Management Server

-v <Version>
    Product version, for which license information is requested.

{-c | -count}
    Outputs the number of licenses connected to this feature.

-t <Date>
    Checks license status on a future date.
    Use the format ddmmyyyy.
    A feature can be valid on a given date on one license, but invalid on another.

{-r | -routers}
    Checks how many routers are allowed.
    The <Feature> option is not needed.

{-S | -SRusers}
    Checks how many SecuRemote users are allowed.

<Feature>
    Feature, for which license information is requested.

Example from a Management Server


[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1 fw1:6.0:rt
fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit fw1:6.0:prov
fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes
fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades
fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability


[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

Example from a Security Gateway


[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf fw1:6.0:av
fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect fw1:6.0:pam
etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited fw1:6.0:des
fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam
fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm
fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member


[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#
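Example (added here, not from the Check Point guide) - the Expiration column that "cplic print -p" and "cplic db_print -all" print uses the ddMonyyyy form shown above (for example 24Mar2016), while "cplic check -t <Date>" expects ddmmyyyy. The POSIX shell functions below compute the days left on each listed license for a given "today" and emit the -t form, using integer arithmetic only so they do not depend on GNU date. The sample lines are constructed, and the cplic calls in the comments are not executed here:

```shell
# Added example, not from the Check Point guide: works out how many days remain on
# the licenses that "cplic print -p" / "cplic db_print -all" list (Expiration column
# in ddMonyyyy form, for example 25Aug2019) and converts that date to the ddmmyyyy
# form that "cplic check -t <Date>" takes.

# Constructed sample lines in the "Host Expiration Features" layout.
SAMPLE_CPLIC='Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
192.168.3.30 01Jan2020 CPSB-XXX CK-XXXXXXXXXXXX'

# month_number Mon: "Aug" -> 8; fails on anything that is not a month abbreviation.
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# days_from_civil Y M D: days since 1970-01-01 for a proleptic Gregorian date
# (Howard Hinnant's integer algorithm, valid for years >= 0 in any POSIX shell).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# cplic_date_to_days 25Aug2019: days since 1970-01-01, or failure if malformed.
cplic_date_to_days() {
    d=$(printf '%s' "$1" | cut -c1-2); d=${d#0}   # "08" would be octal in $(( ))
    m=$(month_number "$(printf '%s' "$1" | cut -c3-5)") || return 1
    y=$(printf '%s' "$1" | cut -c6-9)
    days_from_civil "$y" "$m" "$d"
}

# days_left EXPIRY TODAY: both in ddMonyyyy; negative once the license has expired.
days_left() {
    e=$(cplic_date_to_days "$1") || return 1
    t=$(cplic_date_to_days "$2") || return 1
    echo $((e - t))
}

# cplic_check_date 25Aug2019 -> 25082019, the form for "cplic check -t <Date>".
cplic_check_date() {
    m=$(month_number "$(printf '%s' "$1" | cut -c3-5)") || return 1
    printf '%s%02d%s\n' "$(printf '%s' "$1" | cut -c1-2)" "$m" "$(printf '%s' "$1" | cut -c6-9)"
}

# report_expiring DAYS TODAY: reads "Host Expiration Features" lines on stdin and
# prints the hosts whose license expires within DAYS days of TODAY (or already has),
# together with the matching "cplic check -t" invocation to verify a feature on that date.
report_expiring() {
    limit=$1; today=$2
    while read -r host expiry _features; do
        case "$expiry" in
            [0-9][0-9][A-Z][a-z][a-z][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;        # header line or a value that is not a ddMonyyyy date
        esac
        left=$(days_left "$expiry" "$today") || continue
        if [ "$left" -le "$limit" ]; then
            printf '%s %s expires in %s day(s); verify with: cplic check -t %s <Feature>\n' \
                "$host" "$expiry" "$left" "$(cplic_check_date "$expiry")"
        fi
    done
}

# Intended use on the Management Server (not run here):
#   cplic db_print -all | report_expiring 30 "$(date +%d%b%Y)"
printf '%s\n' "$SAMPLE_CPLIC" | report_expiring 30 01Aug2019
```

The pattern check in report_expiring skips the header line and any Expiration value that is not a ddMonyyyy date, so the function can be pointed at the raw command output without stripping the header first.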

cplic contract

Description
Deletes the Check Point Service Contract on the local Check Point computer.
Installs the Check Point Service Contract on the local Check Point computer.

Note
n For more information about Service Contract files, see sk33089: What is a
Service Contract File?
n If you install a Service Contract on a managed Security Gateway / Cluster
Member, you must update the license repository on the applicable Management
Server - either with the "cplic get" on page 142 command, or in SmartUpdate.

Syntax

cplic contract -h

cplic [-d] contract
      del
            -h
            <Service Contract ID>
      put
            -h
            [{-o | -overwrite}] <Service Contract File>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

del
    Deletes the Service Contract from the $CPDIR/conf/cp.contract file on the local Check Point computer.

put
    Merges the Service Contract into the $CPDIR/conf/cp.contract file on the local Check Point computer.

<Service Contract ID>
    ID of the Service Contract.

{-o | -overwrite}
    Specifies to overwrite the current Service Contract.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your Check Point User Center account.

cplic db_add

Description
Adds licenses to the license repository on the Management Server.
When you add Local licenses to the license repository, Management Server automatically
attaches them to the managed Security Gateway / Cluster Member with the matching IP
address.
When you add Central licenses, you must manually attach them.

Note - You get the license details in the Check Point User Center.

Syntax

cplic db_add {-h | -help}

cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Management Server / Domain Management Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
    Case sensitive. Hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example, CPSUITE-EVAL-3DES-vNG

Example
If the file 192.0.2.11.lic contains one or more licenses, the command "cplic db_add -l 192.0.2.11.lic" produces output similar to:

[Expert@MGMT]# cplic db_add -l 192.0.2.11.lic


Adding license to database ...
Operation Done
[Expert@MGMT]#

cplic db_print

Description
Shows the details of Check Point licenses stored in the license repository on the Management
Server.

Syntax

cplic db_print {-h | -help}


cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x]
[{-t | -type}] [{-a | -attached}]

Parameters

Parameter Description

{-h | -help}        Shows the applicable built-in usage.

-d                  Runs the command in debug mode.
                    Use only if you troubleshoot the command itself.
                    Best Practice - If you use this parameter, then redirect the output to a
                    file, or use the script command to save the entire CLI session.

<Object Name>       Prints only the licenses attached to <Object Name>.
                    <Object Name> is the name of the Security Gateway / Cluster Member
                    object as defined in SmartConsole.

-all                Prints all the licenses in the license repository.

{-n | -noheader}    Prints licenses with no header.

-x                  Prints licenses with their signatures.

{-t | -type}        Prints licenses with their type: Central or Local.

{-a | -attached}    Shows to which object the license is attached.
                    Useful if the parameter "-all" is specified.


Example

[Expert@MGMT:0]# cplic db_print -all


Retrieving license information from database ...

The following licenses appear in the database:


===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a


Retrieving license information from database ...

The following licenses appear in the database:


===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#

cplic db_rm

Description
Removes a license from the license repository on the Management Server.
After you remove the license from the repository, it can no longer be used.

Warning - You can run this command ONLY after you detach the license with the
"cplic del" on page 140 command.

Syntax

cplic db_rm {-h | -help}


cplic [-d] db_rm <Signature>

Parameters

Parameter Description

{-h | -help}        Shows the applicable built-in usage.

-d                  Runs the command in debug mode.
                    Use only if you troubleshoot the command itself.
                    Best Practice - If you use this parameter, then redirect the output to a
                    file, or use the script command to save the entire CLI session.

<Signature>         The signature string within the license.
                    To see the license signature string, run the "cplic print" on page 144
                    command.

Example
[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic del

Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other
licenses.
This command can delete a license on both local computer, and on remote managed
computers.

Syntax

cplic del {-h | -help}


cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

Parameter Description

{-h | -help}        Shows the applicable built-in usage.

-d                  Runs the command in debug mode.
                    Use only if you troubleshoot the command itself.
                    Best Practice - If you use this parameter, then redirect the output
                    to a file, or use the script command to save the entire CLI
                    session.

-F <Output File>    Saves the command output to the specified file.

<Signature>         The signature string within the license.
                    To see the license signature string, run the "cplic print" on page 144
                    command.

<Object Name>       The name of the Security Gateway / Cluster Member object as defined
                    in SmartConsole.

cplic del <object name>

Description
Detaches a Central license from a remote managed Security Gateway or Cluster Member.
When you run this command, it automatically updates the license repository.
The Central license remains in the license repository as an unattached license.

Syntax

cplic del {-h | -help}


cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP
Address>] <Signature>

Parameters

Parameter Description

{-h | -help}              Shows the applicable built-in usage.

-d                        Runs the command in debug mode.
                          Use only if you troubleshoot the command itself.
                          Best Practice - If you use this parameter, then redirect the
                          output to a file, or use the script command to save the
                          entire CLI session.

<Object Name>             The name of the Security Gateway / Cluster Member object as
                          defined in SmartConsole.

-F <Output File>          Saves the command output to the specified file.

-ip <Dynamic IP Address>  Deletes the license on the DAIP Security Gateway with the
                          specified IP address.
                          Note - If this parameter is used, then the object name must be a
                          DAIP Security Gateway.

<Signature>               The signature string within the license.
                          To see the license signature string, run the "cplic print" on
                          page 144 command.

cplic get

Description
Retrieves all licenses from managed Security Gateways and Cluster Members into the license
repository on the Management Server.
This command helps synchronize the license repository with the managed Security Gateways
and Cluster Members.
When you run this command, it updates the license repository with all local changes.

Syntax

cplic get {-h | -help}


cplic [-d] get {-all | <IP Address> | <Host Name>}

Parameters

Parameter Description

{-h | -help}        Shows the applicable built-in usage.

-d                  Runs the command in debug mode.
                    Use only if you troubleshoot the command itself.
                    Best Practice - If you use this parameter, then redirect the output to a
                    file, or use the script command to save the entire CLI session.

-all                Retrieves licenses from all Security Gateways and Cluster Members in the
                    managed network.

<IP Address>        The IP address of the Security Gateway / Cluster Member, from which
                    licenses are to be retrieved.

<Host Name>         The name of the Security Gateway / Cluster Member object as defined in
                    SmartConsole, from which licenses are to be retrieved.


Example
If the Security Gateway with the object name MyGW contains four Local licenses, and the
license repository contains two other Local licenses, the command "cplic get MyGW"
produces output similar to this:

[Expert@MGMT:0]# cplic get MyGW


Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#

cplic print

Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed
licenses (both Local and Central).

Syntax

cplic print {-h | -help}


cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | -preatures}] [-D]

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then
redirect the output to a file, or use the script
command to save the entire CLI session.

{-n | -noheader} Prints licenses with no header.

-x Prints licenses with their signature.

{-t | -type} Prints licenses showing their type: Central or Local.

-F <Output File> Saves the command output to the specified file.

{-p | -preatures} Prints licenses resolved to primitive features.

-D On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print


Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#


Example 2

[Expert@HostName:0]# cplic print -x


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

cplic put

Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}


cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -
select}] [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-
only}] -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Features>]

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

{-o | -overwrite}   On a Security Gateway / Cluster Member, this command erases only
                    the local licenses, but not central licenses that are installed remotely.

{-c | -check-only}  Verifies the license. Checks if the IP of the license matches the Check
                    Point computer and if the signature is valid.

{-s | -select}      Selects only the local license whose IP address matches the IP
                    address of the Check Point computer.

-F <Output File>    Saves the command output to the specified file.

{-P | -Pre-boot}    Use this option after you have upgraded and before you reboot the
                    Check Point computer.
                    Use of this option will prevent certain error messages.

{-K | -kernel-only} Pushes the current valid licenses to the kernel.
                    For use by Check Point Support only.

-l <License File>   Name of the file that contains the license.

<Host>              Hostname or IP address of the Security Gateway / Cluster Member for
                    a local license.
                    Hostname or IP address of the Security Management Server / Domain
                    Management Server for a central license.

<Expiration Date>   The license expiration date.

<Signature>         The signature string within the license.
                    Case sensitive. The hyphens are optional.

<SKU/Features>      The SKU of the license summarizes the features included in the
                    license.
                    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

Parameter Description

host                The IP address of the external interface (in quad-dot notation).
                    The last part cannot be 0 or 255.

expiration date     The license expiration date. It can be never.

signature           The license signature string.
                    Case sensitive. The hyphens are optional.

SKU/features        A string listing the SKU and the Certificate Key of the license.
                    The SKU of the license summarizes the features included in the
                    license.
                    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic


Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#

cplic put <object name>

Description
Attaches one or more Central or Local licenses to remote managed Security Gateways and
Cluster Members.
When you run this command, it automatically updates the license repository.

Notes:
n You get the license details in the Check Point User Center.
n You can attach more than one license.

Syntax

cplic put {-h | -help}


cplic [-d] put <Object Name> [-ip <Dynamic IP Address>] [-F <Output File>] -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Feature>]


Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

<Object Name>       The name of the Security Gateway / Cluster Member object, as
                    defined in SmartConsole.

-ip <Dynamic IP Address>
                    Installs the license on the Security Gateway with the specified IP
                    address.
                    This parameter is used to install a license on a Security Gateway with
                    a dynamically assigned IP address (DAIP).
                    Note - If you use this parameter, then the object name must be
                    that of a DAIP Security Gateway.

-F <Output File>    Saves the command output to the specified file.

-l <License File>   Installs the licenses from the <License File>.

<Host>              Hostname or IP address of the Security Management Server /
                    Domain Management Server.

<Expiration Date>   The license expiration date.

<Signature>         The license signature string.
                    Case sensitive. The hyphens are optional.

<SKU/Features>      The SKU of the license summarizes the features included in the
                    license.
                    For example: CPSUITE-EVAL-3DES-vNG


Copy and paste the parameters from the license received from the User Center:

Parameter Description

host                The IP address of the external interface (in quad-dot notation).
                    The last part cannot be 0 or 255.

expiration date     The license expiration date. It can be never.

signature           The license signature string.
                    Case sensitive. The hyphens are optional.

SKU/features        A string listing the SKU and the Certificate Key of the license.
                    The SKU of the license summarizes the features included in the
                    license.
                    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

cplic upgrade

Description
Upgrades licenses in the license repository with licenses in the specified license file.

Note - You get this license file in the Check Point User Center.

Syntax

cplic upgrade {-h | -help}


cplic [-d] upgrade -l <Input File>

Parameters

Parameter Description

{-h | -help}        Shows the applicable built-in usage.

-l <Input File>     Upgrades the licenses in the license repository and Check Point Security
                    Gateways / Cluster Members to match the licenses in the specified file.

Example
This example explains the procedure to upgrade the licenses in the license repository.
There are two Software Blade licenses in the input file:
n One license does not match any license on a remote managed Security Gateway.
n The other license matches an NGX-version license on a managed Security Gateway that
has to be upgraded.
Workflow in this example:
1. Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the
Security Gateways with the previous product versions.
2. Import all licenses into the license repository.
You can also do this after you upgrade the products on the remote Security Gateways.
3. Run this command:


cplic get -all

Example:

[Expert@MyMGMT]# cplic get -all


Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

4. To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:

[Expert@MyMGMT]# cplic db_print -all -a


Retrieving license information from database ...

The following licenses appear in the database:


==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2

5. In the Check Point User Center, view the licenses for the products that were upgraded
from version NGX to a Software Blades license.
You can also create new upgraded licenses.
6. Download a file containing the upgraded licenses.
Only download licenses for the products that were upgraded from version NGX to
Software Blades.
7. If you did not import the version NGX licenses into the repository, import the version NGX
licenses now.

Use this command:

cplic get -all

8. Run the license upgrade command:

cplic upgrade -l <Input File>

n The licenses in the downloaded license file and in the license repository are
compared.
n If the certificate keys and features match, the old licenses in the repository and in
the remote Security Gateways are updated with the new licenses.
n A report of the results of the license upgrade is printed.
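
The tables printed by "cplic print" and "cplic db_print -all -x -a" (see the cplic db_print section and step 4 above) are what an administrator audits before and after an upgrade. The following is an added example, not Check Point code: it parses that tabular output, normalizes signatures the way the guide says they may be written (case sensitive, hyphens optional, as accepted by "cplic db_rm"), and reports expired, soon-to-expire and unattached licenses. The column layout, the sample output and the list of known object names are assumptions.

```python
"""Parse the license tables printed by "cplic print" and "cplic db_print" and
flag licenses that are expired, close to expiry, or not attached to any object.

Added example, not Check Point code. Assumed column layout, taken from the
guide's sample output: Host, Expiration, [Signature when -x], Features...,
[attached Object when -a]. Expiration dates look like 25Aug2019 or "Never".
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

# Constructed sample, modelled on the "cplic db_print -all -x -a" output in the
# guide; the third license is deliberately expired and unattached.
SAMPLE_DB_PRINT = """\
Retrieving license information from database ...

The following licenses appear in the database:
===============================================
Host          Expiration  Signature                               Features
192.168.3.28  25Aug2019   aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m CPMP-XXX CK-XXXXXXXXXXXX MGMT
192.0.2.11    Never       2f540abb-d3bcb001-7e54513e-kfyigpwn     CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11    26Nov2017   zipoVWSnm-z98N7Ck3m-aa6uwknDc-CE6CRtjhv CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@MGMT:0]#
"""


@dataclass
class License:
    host: str
    expiration: Optional[date]   # None means the license never expires
    signature: Optional[str]     # hyphen-free form; only present with -x
    features: List[str]
    attached_to: Optional[str]   # object name shown by -a; None if unattached


def normalize_signature(sig: str) -> str:
    """Signatures are case sensitive and hyphens are optional (per the guide),
    so the canonical form keeps the case and drops the hyphens. Use it when
    comparing a signature from the table with one you pass to cplic db_rm."""
    return sig.replace("-", "")


def parse_expiration(token: str) -> Optional[date]:
    if token.lower() == "never":
        return None
    return datetime.strptime(token, "%d%b%Y").date()


def parse_cplic_table(text: str, with_signature: bool = False,
                      known_objects: FrozenSet[str] = frozenset()) -> List[License]:
    """known_objects: names of Security Gateway / Cluster Member objects as
    defined in SmartConsole (assumed input); the trailing -a column is matched
    against it because features and object name share one whitespace-split row."""
    licenses: List[License] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line.startswith("Host")   # the column header starts the table
            continue
        if not line or line.startswith("[Expert@") or line.startswith("="):
            continue
        tokens = line.split()
        if len(tokens) < 2:
            continue
        host, expiration, rest = tokens[0], tokens[1], tokens[2:]
        signature = None
        if with_signature and rest:
            signature = normalize_signature(rest.pop(0))
        attached = rest.pop() if rest and rest[-1] in known_objects else None
        licenses.append(License(host, parse_expiration(expiration), signature,
                                rest, attached))
    return licenses


def audit(licenses: List[License], today: date, warn_days: int = 30) -> Dict[str, List[str]]:
    """Group licenses (keyed by signature, or by features when -x was not used)
    into expired, expiring within warn_days, and unattached."""
    report: Dict[str, List[str]] = {"expired": [], "expiring": [], "unattached": []}
    horizon = today + timedelta(days=warn_days)
    for lic in licenses:
        key = lic.signature or " ".join(lic.features)
        if lic.expiration is not None:
            if lic.expiration < today:
                report["expired"].append(key)
            elif lic.expiration <= horizon:
                report["expiring"].append(key)
        if lic.attached_to is None:
            report["unattached"].append(key)
    return report


if __name__ == "__main__":
    # Offline run against the constructed sample; on a Management Server feed it
    # the real output of: cplic db_print -all -x -a
    licenses = parse_cplic_table(SAMPLE_DB_PRINT, with_signature=True,
                                 known_objects=frozenset({"MGMT", "MyGW1", "MyGW2"}))
    for section, keys in audit(licenses, date.today()).items():
        print(section, keys)
```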


For more about managing licenses, see the R80.40 Security Management Administration
Guide.

cpmiquerybin
Description
The cpmiquerybin utility connects to a specified database, runs a user-defined query and
shows the query results.
The results can be a collection of Security Gateway sets or a tab-delimited list of specified
fields from each retrieved object.
The default database of the query tool is based on the shell environment settings.
To connect to a Domain Management Server database, run "mdsenv" on page 721 and define
the necessary environment variables.

Use the Domain Management Server name or IP address as the first parameter.

Notes:
n You can see complete documentation of the cpmiquerybin utility, with the full
query syntax, examples, and a list of common attributes in sk65181.
n The MISSING_ATTR string shows when you use an attribute name that does
not exist in the objects in query result.

Syntax

cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]


Parameters

Parameter Description

<query_result_type> Query result in one of these formats:
                    n attr - Returns values from one or more specified fields for each
                    object. Use the "-a" parameter followed by a comma separated
                    list of fields.
                    n object - Shows Security Gateway sets containing data of each
                    retrieved object.

<database>          Name of the database file in quotes. For example, "mdsdb".
                    Use empty double quotes "" to run the query on the default database.

<table>             Name of the database table that contains the data.

<query>             One or more query strings in a comma separated list.
                    Use empty double quotes ("") to return all objects in the database
                    table.
                    You can use the asterisk character (*) as a wildcard replacement for
                    one or more matching characters in your query string.

-a <attributes_list>
                    If you use the attr query result type, you must specify one or more
                    attributes in a comma-delimited list (without spaces) of object fields.
                    You can return all object names with the special string: __name__

Return Values
n 0 - Query returns data successfully
n 1 - Query does not return data or there is a query syntax error

Example - Viewing the names of the currently defined network objects

[Expert@HostName:0]# cpmiquerybin attr "" network_objects "" -a __name__


DMZZone
WirelessZone
ExternalZone
InternalZone
AuxiliaryNet
LocalMachine_All_Interfaces
CPDShield
InternalNet
LocalMachine
DMZNet
[Expert@HostName:0]#

cppkg
Description
Manages the SmartUpdate software packages repository on the Security Management
Server.

Important - Installing software packages with the SmartUpdate is not supported for
Security Gateways running on Gaia OS.

Syntax

cppkg
add <options>
{del | delete} <options>
get
getroot
print
setroot <options>
Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run mdsenv).


Parameters

Parameter Description

add <options>       Adds a SmartUpdate software package to the repository.
                    See "cppkg add" on page 156.

{del | delete} <options>
                    Deletes a SmartUpdate software package from the repository.
                    See "cppkg delete" on page 157.

get                 Updates the list of the SmartUpdate software packages in the
                    repository.
                    See "cppkg get" on page 159.

getroot             Shows the path to the root directory of the repository (the value of
                    the environment variable $SUROOT).
                    See "cppkg getroot" on page 160.

print               Prints the list of SmartUpdate software packages in the repository.
                    See "cppkg print" on page 161.

setroot <options>   Configures the path to the root directory of the repository.
                    See "cppkg setroot" on page 162.

cppkg add

Description
Adds a SmartUpdate software package to the SmartUpdate software packages repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).
n This command does not overwrite existing packages. To overwrite an existing
package, you must first delete the existing package.
n You get the SmartUpdate software packages from the Check Point Support
Center.

Syntax

cppkg add <Full Path to Package | DVD Drive [Product]>

Parameters

Parameter Description

<Full Path to Package>  Specifies the full local path on the computer to the SmartUpdate
                        software package.

DVD Drive [Product]     Specifies the DVD root path.
                        Example: /mnt/CPR80

Example - Adding R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz


Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg delete

Description
Deletes SmartUpdate software packages from the SmartUpdate software packages
repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).

Syntax

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]
cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

Parameters

Parameter Description

del | delete        When you do not specify optional parameters, the command runs in the
                    interactive mode. The command shows the menu with applicable options.

"<Vendor>"          Specifies the package vendor. Enclose in double quotes.

"<Product>"         Specifies the product name. Enclose in double quotes.

"<Major Version>"   Specifies the package Major Version. Enclose in double quotes.

"<OS>"              Specifies the package OS. Enclose in double quotes.

"<Minor Version>"   Specifies the package Minor Version. Enclose in double quotes.

Notes:
n To see the values for the optional parameters, run the "cppkg print" on page 161
command.
n You must specify all optional parameters, or no parameters.


Example 1 - Interactive mode

[Expert@MGMT:0]# cppkg delete

Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository


[Expert@MGMT:0]#

Example 2 - Manually deleting the specified package

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#

cppkg get

Description
Updates the list of the SmartUpdate software packages in the SmartUpdate software
packages repository based on the real content of the repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).

Syntax

cppkg get

Example

[Expert@MGMT:0]# cppkg get


Update successfully completed
[Expert@MGMT:0]#

cppkg getroot

Description
Shows the path to the root directory of the SmartUpdate software packages repository (the
value of the environment variable $SUROOT)

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).

Syntax

cppkg getroot

Example

[Expert@MGMT:0]# cppkg getroot


[cppkg 7119 4128339728]@MGMT[29 May 19:16:06] Current repository root is set to :
/var/log/cpupgrade/suroot
[Expert@MGMT:0]#

cppkg print

Description
Prints the list of SmartUpdate software packages in the SmartUpdate software packages
repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).

Syntax

cppkg print

Example - R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

cppkg setroot

Description
Configures the path to the root directory of the SmartUpdate software packages repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).
n The default path is: /var/log/cpupgrade/suroot
n When changing repository root directory:
l This command copies the software packages from the old repository to
the new repository. A package in the new location is overwritten by a
package from the old location, if the packages have the same name.
l This command updates the value of the environment variable $SUROOT in
the Check Point Profile shell scripts ($CPDIR/tmp/.CPprofile.sh and
$CPDIR/tmp/.CPprofile.csh).

Syntax

cppkg setroot <Full Path to Repository Root Directory>

Example

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory

Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :

1. Old repository content will be copied into the new repository


2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/log/my_directory

Notice : To complete the setting of your directory, reboot the machine!


[Expert@MGMT:0]#

cpprod_util
Description
This utility works with Check Point Registry ($CPDIR/registry/HKLM_registry.data)
without manually opening it:
n Shows which Check Point products and features are enabled on this Check Point
computer.
n Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}
cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}
cpprod_util -dump


Parameters

Parameter Description

CPPROD_GetValue     Gets the configuration status of the specified product or feature:
                    n 0 - Disabled
                    n 1 - Enabled

CPPROD_SetValue     Sets the configuration for the specified product or feature.
                    Important - Do not run these commands unless explicitly instructed
                    by Check Point Support or R&D to do so.

"<Product>"         Specifies the product or feature.

"<Parameter>"       Specifies the configuration parameter for the specified product or feature.

"<Value>"           Specifies the value of the configuration parameter for the specified
                    product or feature:
                    n One of these integers: 0, 1, 4
                    n A string

-dump               Creates a dump file of Check Point Registry
                    ($CPDIR/registry/HKLM_registry.data) in the current working directory.
                    The name of the output file is RegDump.


Notes
n On a Multi-Domain Server, you must run this command in the context of the relevant
Domain Management Server.
n If you run the cpprod_util command without parameters, it prints:
l The list of all available products and features (for example,
"FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
l The type of the expected argument when you configure a product or feature ("no-
parameter", "string-parameter", or "integer-parameter")
l The type of the returned output ("status-output", or "no-output")
n To redirect the output of the cpprod_util command, it is necessary to redirect the
stderr to stdout:

cpprod_util <options> > <output file> 2>&1

Example:

cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1
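
The status flags in the examples that follow answer with a single 0 or 1, and, as the note above says, cpprod_util writes to stderr, so a script must merge stderr into stdout. The following is an added example, not Check Point code: it turns a set of the documented flags into a role inventory for one host and treats any output that is not exactly 0 or 1 as unknown rather than as a negative answer. The run hook, the FAKE_OUTPUT table and its error text are assumptions so the script can run offline.

```python
"""Build a role inventory of a Check Point host from cpprod_util status flags.

Added example, not Check Point code. Two details come from the guide: status
flags print "0" (disabled) or "1" (enabled), and cpprod_util's output must be
captured with stderr merged into stdout ("2>&1"). Everything else (the run hook,
the constructed FAKE_OUTPUT table, its error text) is an assumption.
"""
import subprocess
from typing import Callable, Dict, Optional

# Status flags documented in this section, keyed by the role they describe.
ROLE_FLAGS: Dict[str, str] = {
    "management_server": "FwIsFirewallMgmt",
    "standalone": "FwIsStandAlone",
    "ha_primary": "FwIsPrimary",
    "ha_active": "FwIsActiveManagement",
    "log_server": "FwIsLogServer",
    "vsx_gateway": "FwIsVSX",
    "bridge_mode": "FwIsBridge",
    "daip_gateway": "FwIsDAG",
}


def run_cpprod_util(flag: str) -> str:
    """Run cpprod_util with stderr merged into stdout, as the guide requires."""
    proc = subprocess.run(["cpprod_util", flag], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True, check=False)
    return proc.stdout


def parse_status(output: str) -> Optional[bool]:
    """Map a flag's status output to a bool. Anything other than exactly one
    line reading 0 or 1 (an error message, an empty answer) is unknown, not
    False, so a broken query is never reported as "feature disabled"."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if len(lines) == 1 and lines[0] in ("0", "1"):
        return lines[0] == "1"
    return None


def inventory(run: Callable[[str], str] = run_cpprod_util) -> Dict[str, Optional[bool]]:
    """Query every flag in ROLE_FLAGS through the given runner (hypothetical
    hook; defaults to the real command) and return role -> True/False/None."""
    return {role: parse_status(run(flag)) for role, flag in ROLE_FLAGS.items()}


# Constructed answers for an offline run: a primary, active Management Server
# that is also a Log Server and is not a Standalone or gateway.
FAKE_OUTPUT: Dict[str, str] = {
    "FwIsFirewallMgmt": "1\n",
    "FwIsStandAlone": "0\n",
    "FwIsPrimary": "1\n",
    "FwIsActiveManagement": "1\n",
    "FwIsLogServer": "1\n",
    "FwIsVSX": "0\n",
    "FwIsBridge": "0\n",
}


def fake_run(flag: str) -> str:
    # Flags missing from the table get a constructed error line, the way a
    # real stderr message would arrive once it is merged into stdout.
    return FAKE_OUTPUT.get(flag, "cpprod_util: no such parameter (constructed)\n")


if __name__ == "__main__":
    for role, enabled in inventory(fake_run).items():
        print(f"{role:20} {'unknown' if enabled is None else enabled}")
```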

Examples
Example - Showing a list of all installed Check Point Products Packages on a Management
Server
[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#


Example - Checking if this Check Point computer is configured as a Management Server


[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone


[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability


[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability


[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability


[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server
[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled


[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is
enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#


Example - Checking if on this Management Server the Endpoint Policy Management blade is
enabled
[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Endpoint Policy Server


[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

Example - Showing a list of all installed Check Point Products Packages on a Security Gateway
[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway


[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled


[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the SmartProvisioning is enabled


[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode


[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of Full HA cluster


[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#


Example - Checking if this Security Gateway is configured with Dynamically Assigned IP (DAIP)
[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses


[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#
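The flags exercised in the examples above can be folded into one inventory check, which is useful when you need to confirm what a box actually is (Log Server, SmartEvent, VSX, bridge, cluster member) before you trust a change window or a hardening checklist to it. The script below is an added example and not Check Point's own code: it assumes cpprod_util is on the PATH (true in Expert mode), that each query flag prints 1 or 0 as in the examples above, and it uses only the flags documented on this page. The labels, function names and output layout are the example's own.

```shell
#!/bin/bash
# Role and blade inventory of a Check Point machine, built on the cpprod_util
# flags documented above. Added example, not Check Point's code.
# Assumptions: cpprod_util is on PATH (Expert mode) and each query flag prints
# 1 (enabled/configured) or 0 (not), as in the examples above.

# One "flag|label" pair per line; the labels are this example's own wording.
CP_FLAGS='FwIsLogServer|Log Server
FwIsAtlasManagement|SmartProvisioning (Management Server)
RtIsAnalyzerServer|SmartEvent Server
RtIsAnalyzerCorrelationUnit|SmartEvent Correlation Unit
UepmIsInstalled|Endpoint Policy Management
UepmIsPolicyServer|Endpoint Policy Server
FwIsVSX|VSX Gateway
FwIsFloodGate|QoS
FwIsAtlasModule|SmartProvisioning (Security Gateway)
FwIsBridge|Bridge Mode
FwIsFullHA|Full HA cluster member
FwIsDAG|Dynamically Assigned IP (DAIP)
FwIsFireWallIPv6|IPv6 addresses configured'

# Query one flag. Prints "on" for 1, "off" for 0 and "unknown" for anything
# else (a flag this build does not know, or a failed call), so a missing or
# misspelt flag is never silently reported as a disabled feature.
cp_flag_state() {
    local out
    out=$(cpprod_util "$1" 2>/dev/null) || out=""
    case "$out" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# Print one line per flag: <state> <flag> <label>.
cp_inventory_report() {
    printf '%s\n' "$CP_FLAGS" | while IFS='|' read -r flag label; do
        printf '%-8s %-28s %s\n' "$(cp_flag_state "$flag")" "$flag" "$label"
    done
}

# Number of flags reported "on" (a one-number summary for a baseline diff).
cp_enabled_count() {
    cp_inventory_report | grep -c '^on ' || true
}

# Installed product packages, one per line (CPPROD_GetInstalledProducts output).
cp_installed_products() {
    cpprod_util CPPROD_GetInstalledProducts 2>/dev/null
}

# Run the report only where cpprod_util actually exists, so the file can also be
# sourced on a workstation for testing.
if command -v cpprod_util >/dev/null 2>&1; then
    cp_inventory_report
    echo
    echo "Installed packages:"
    cp_installed_products
fi
```

Run it once after a build and keep the output with the system's baseline; a later run that differs (a blade switched on, a new product package in the list) is a change worth explaining. A flag the local build does not recognize is reported as unknown rather than off, so an unsupported flag cannot be mistaken for a disabled feature.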


cprid
Description
Manages the Check Point Remote Installation Daemon (cprid).
This daemon is used for remote upgrade and installation of Check Point products on the
managed Security Gateways.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run these commands in the context of the
  MDS (run mdsenv).

Commands

Syntax               Description
cpridstart           Starts the Check Point Remote Installation Daemon (cprid).
cpridstop            Stops the Check Point Remote Installation Daemon (cprid).
run_cprid_restart    Stops and then starts the Check Point Remote Installation Daemon (cprid).


cprinstall
Description
Performs installation of Check Point product packages and associated operations on remote
managed Security Gateways.

Important - Installing software packages with this command is not supported for
Security Gateways that run on Gaia OS.
Notes:
- This command requires a license for SmartUpdate.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- On the remote Security Gateways these are required:
  - SIC Trust must be established between the Security Management Server
    and the Security Gateway.
  - The cpd daemon must run.
  - The cprid daemon must run.

Syntax

cprinstall
boot <options>
cprestart <options>
cpstart <options>
cpstop <options>
delete <options>
get <options>
install <options>
revert <options>
show <options>
snapshot <options>
transfer <options>
uninstall <options>
verify <options>


Parameters

Parameter              Description
boot <options>         Reboots the managed Security Gateway.
                       See "cprinstall boot" on page 173.
cprestart <options>    Runs the cprestart command on the managed Security Gateway.
                       See "cprinstall cprestart" on page 174.
cpstart <options>      Runs the cpstart command on the managed Security Gateway.
                       See "cprinstall cpstart" on page 175.
cpstop <options>       Runs the cpstop command on the managed Security Gateway.
                       See "cprinstall cpstop" on page 176.
delete <options>       Deletes a snapshot (backup) file on the managed Security Gateway.
                       See "cprinstall delete" on page 177.
get <options>          - Gets details of the products and the operating system installed
                         on the managed Security Gateway.
                       - Updates the management database on the Security Management Server.
                       See "cprinstall get" on page 178.
install <options>      Installs Check Point products on the managed Security Gateway.
                       See "cprinstall install" on page 179.
revert <options>       Restores the managed Security Gateway that runs on SecurePlatform OS
                       from a snapshot saved on that Security Gateway.
                       See "cprinstall revert" on page 182.
show <options>         Displays all snapshot (backup) files on the managed Security Gateway
                       that runs on SecurePlatform OS.
                       See "cprinstall show" on page 183.
snapshot <options>     Creates a snapshot on the managed Security Gateway that runs on
                       SecurePlatform OS and saves it on that Security Gateway.
                       See "cprinstall snapshot" on page 184.
transfer <options>     Transfers a software package from the repository to the managed
                       Security Gateway without installing the package.
                       See "cprinstall transfer" on page 185.
uninstall <options>    Uninstalls Check Point products on the managed Security Gateway.
                       See "cprinstall uninstall" on page 187.
verify <options>       Confirms that these checks succeed:
                       - A specific product can be installed on the managed Security
                         Gateway.
                       - The operating system and currently installed products on the
                         managed Security Gateway are appropriate for the software package.
                       - There is enough disk space to install the product on the managed
                         Security Gateway.
                       - There is a CPRID connection with the managed Security Gateway.
                       See "cprinstall verify" on page 189.


cprinstall boot

Description
Reboots the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall boot <Object Name>

Parameters

Parameter        Description
<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall boot MyGW


cprinstall cprestart

Description
Runs the cprestart command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cprestart <Object Name>

Parameters

Parameter        Description
<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT:0]# cprinstall cprestart MyGW


cprinstall cpstart

Description
Runs the cpstart command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cpstart <Object Name>

Parameters

Parameter        Description
<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstart MyGW


cprinstall cpstop

Description
Runs the cpstop command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the
  same version.

Syntax

cprinstall cpstop {-proc | -nopolicy} <Object Name>

Parameters

Parameter        Description
-proc            Kills the Check Point daemons and Security Servers, while it maintains
                 the active Security Policy running in the Check Point kernel.
                 Rules with a generic Allow, Drop or Reject action based on services
                 continue to work.
-nopolicy        Kills the Check Point daemons and Security Servers and unloads the
                 Security Policy from the Check Point kernel.
<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstop -proc MyGW


cprinstall delete

Description
Deletes a snapshot (backup) file on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall delete <Object Name> <Snapshot File>

Parameters

Parameter          Description
<Object Name>      The name of the Security Gateway object as configured in SmartConsole.
<Snapshot File>    Specifies the name of the snapshot (backup) on SecurePlatform OS.

Example
[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017


cprinstall get

Description
- Gets details of the products and the operating system installed on the managed Security
  Gateway.
- Updates the management database on the Security Management Server.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall get <Object Name>

Parameters

Parameter        Description
<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall get MyGW
Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system Major Version Minor Version
------------------------------------------------------------------------
SecurePlatform R75.20 R75.20

Vendor Product Major Version Minor Version
------------------------------------------------------------------------
Check Point VPN-1 Power/UTM R75.20 R75.20
Check Point SecurePlatform R75.20 R75.20
Check Point SmartPortal R75.20 R75.20
[Expert@MGMT]#


cprinstall install

Description
Installs Check Point products on the managed Security Gateway.

Important - Installing software packages with this command is not supported for
Security Gateways that run Gaia OS.
Notes:
- Before transferring the software package, this command runs the "cprinstall
  verify" on page 189 command.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall install [-boot] [-backup] [-skip_transfer] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter           Description
-boot               Reboots the managed Security Gateway after installing the package.
                    Note - Only reboot after ALL products have the same version. Reboot is
                    canceled in certain scenarios.
-backup             Creates a snapshot on the managed Security Gateway before installing
                    the package.
                    Note - Only on Security Gateways that run on SecurePlatform OS.
-skip_transfer      Skips the transfer of the package.
<Object Name>       The name of the Security Gateway object as configured in SmartConsole.
"<Vendor>"          Specifies the package vendor. Enclose in double quotes.
                    Examples:
                    - checkpoint
                    - Check Point
"<Product>"         Specifies the product name. Enclose in double quotes.
                    Examples:
                    - SVNfoundation
                    - firewall
                    - floodgate
                    - CP1100
                    - VPN-1 Power/UTM
                    - SmartPortal
"<Major Version>"   Specifies the package Major Version. Enclose in double quotes.
"<Minor Version>"   Specifies the package Minor Version. Enclose in double quotes.


Example

[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"
Installing firewall R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#


cprinstall revert

Description
Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot
saved on that Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall revert <Object Name> <Snapshot File>

Parameters

Parameter          Description
<Object Name>      The name of the Security Gateway object as configured in SmartConsole.
<Snapshot File>    Name of the SecurePlatform snapshot file.
                   To see the names of the saved snapshot files, run the "cprinstall show"
                   on page 183 command.


cprinstall show

Description
Displays all snapshot (backup) files on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall show <Object Name>

Parameters

Parameter        Description
<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall show GW1
SU_backup.tzg
[Expert@MGMT]#


cprinstall snapshot

Description
Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and
saves it on that Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall snapshot <Object Name> <Snapshot File>

Parameters

Parameter          Description
<Object Name>      The name of the Security Gateway object as configured in SmartConsole.
<Snapshot File>    Name of the SecurePlatform snapshot file.
                   To see the names of the saved snapshot files, run the "cprinstall show"
                   on page 183 command.


cprinstall transfer

Description
Transfers a software package from the repository to the managed Security Gateway without
installing the package.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter           Description
<Object Name>       The name of the Security Gateway object as configured in SmartConsole.
"<Vendor>"          Specifies the package vendor. Enclose in double quotes.
                    Examples:
                    - checkpoint
                    - Check Point
"<Product>"         Specifies the product name. Enclose in double quotes.
                    Examples:
                    - SVNfoundation
                    - firewall
                    - floodgate
                    - CP1100
"<Major Version>"   Specifies the package major version. Enclose in double quotes.
"<Minor Version>"   Specifies the package minor version. Enclose in double quotes.


cprinstall uninstall

Description
Uninstalls Check Point products on the managed Security Gateway.

Important - Uninstalling software packages with this command is not supported for
Security Gateways running on Gaia OS.
Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- Before uninstalling product packages, this command runs the "cprinstall verify"
  on page 189 command.
- After uninstalling a product package, you must run the "cprinstall get" on
  page 178 command.
- To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"


Parameters

Parameter           Description
-boot               Reboots the managed Security Gateway after uninstalling the package.
                    Note - Reboot is canceled in certain scenarios.
<Object Name>       The name of the Security Gateway object as configured in SmartConsole.
"<Vendor>"          Specifies the package vendor. Enclose in double quotes.
                    Examples:
                    - checkpoint
                    - Check Point
"<Product>"         Specifies the product name. Enclose in double quotes.
                    Examples:
                    - SVNfoundation
                    - firewall
                    - floodgate
                    - CP1100
"<Major Version>"   Specifies the package major version. Enclose in double quotes.
"<Minor Version>"   Specifies the package minor version. Enclose in double quotes.

Example
[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get


cprinstall verify

Description
Confirms that these checks succeed:
- A specific product can be installed on the managed Security Gateway.
- The operating system and currently installed products on the managed Security
  Gateway are appropriate for the software package.
- There is enough disk space to install the product on the managed Security Gateway.
- There is a CPRID connection with the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 161
  command.

Syntax

cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major Version>" ["<Minor Version>"]


Parameters

Parameter           Description
<Object Name>       The name of the Security Gateway object as configured in SmartConsole.
"<Vendor>"          Specifies the package vendor. Enclose in double quotes.
                    Examples:
                    - checkpoint
                    - Check Point
"<Product>"         Specifies the product name. Enclose in double quotes.
                    Examples:
                    - SVNfoundation
                    - firewall
                    - floodgate
                    - CP1100
                    - VPN-1 Power/UTM
                    - SmartPortal
"<Major Version>"   Specifies the package major version. Enclose in double quotes.
"<Minor Version>"   Specifies the package minor version. Enclose in double quotes.
                    This parameter is optional.

Example 1 - Verification succeeds

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Example 2 - Verification fails

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R75 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.
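The two outputs above are the lines a script should key on when it wraps cprinstall: install only after verify reports that the product can be installed, and run cprinstall get afterwards so the object in the management database matches what is really on the gateway (the uninstall notes above require get after a removal for the same reason). The script below is an added example, not Check Point's code. It assumes Expert mode on the Security Management Server (or the right Domain Management Server context on a Multi-Domain Server), that cprinstall is on the PATH, and that verify prints the success and failure lines shown in the two examples; the function names and return codes are the example's own.

```shell
#!/bin/bash
# Gate a remote package install on "cprinstall verify" and finish with
# "cprinstall get". Added example, not Check Point's code. Assumptions: Expert
# mode on the Security Management Server (or the right Domain context on a
# Multi-Domain Server), cprinstall on PATH, and verify printing the
# success/failure lines shown in the two examples above.

# Classify "cprinstall verify" output read from stdin:
#   ok        "The product can be installed"
#   rejected  "Product cannot be installed" (dependency check failed, etc.)
#   error     neither line present (no cprid connection, bad attributes, ...)
cprinstall_verify_result() {
    local text
    text=$(cat)
    case "$text" in
        *"The product can be installed"*) echo ok ;;
        *"cannot be installed"*)          echo rejected ;;
        *)                                echo error ;;
    esac
}

# Verify first; install only on "ok"; then refresh the object's product data
# in the management database with "cprinstall get".
# Arguments: <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"
# Returns 0 if installed, 2 if verify rejected the package, 1 on any other failure.
cprinstall_guarded_install() {
    local gw vendor product major minor verify_out verdict
    gw=$1; vendor=$2; product=$3; major=$4; minor=$5
    verify_out=$(cprinstall verify "$gw" "$vendor" "$product" "$major" "$minor" 2>&1) || true
    verdict=$(printf '%s\n' "$verify_out" | cprinstall_verify_result)
    case "$verdict" in
        ok) ;;
        rejected)
            printf 'verify rejected %s %s/%s on %s:\n%s\n' \
                "$product" "$major" "$minor" "$gw" "$verify_out" >&2
            return 2 ;;
        *)
            printf 'verify did not complete on %s:\n%s\n' "$gw" "$verify_out" >&2
            return 1 ;;
    esac
    cprinstall install "$gw" "$vendor" "$product" "$major" "$minor" || return 1
    cprinstall get "$gw"
}

# Usage, only where cprinstall exists (the Management Server):
#   cprinstall_guarded_install MyGW "checkpoint" "firewall" "R75" "R75.20"
if command -v cprinstall >/dev/null 2>&1 && [ $# -eq 5 ]; then
    cprinstall_guarded_install "$@"
fi
```

Matching on the documented wording keeps the gate honest: anything other than the explicit success line, including a silent failure to reach cprid, stops the run before a package is transferred.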


cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>]
[-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application
Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter              Description
-d                     Runs the command in debug mode.
                       Use only if you troubleshoot the command itself.
                       Best Practice - If you use this parameter, then redirect the output
                       to a file, or use the script command to save the entire CLI session.
                       The output shows the SNMP queries and SNMP responses for the
                       applicable SNMP OIDs.
-h <Host>              Optional.
                       When you run this command on a Management Server, this parameter
                       specifies the managed Security Gateway.
                       <Host> is an IPv4 address, a resolvable hostname, or a DAIP object
                       name.
                       The default is localhost.
                       Note - On a Multi-Domain Server, you must run this command in the
                       context of the applicable Domain Management Server:
                       mdsenv <IP Address or Name of Domain Management Server>
-p <Port>              Optional.
                       Port number of the Application Monitoring (AMON) server.
                       The default port is 18192.
-s <SICname>           Optional.
                       Secure Internal Communication (SIC) name of the Application
                       Monitoring (AMON) server.
-f <Flavor>            Optional.
                       Specifies the type of the information to collect.
                       If you do not specify a flavor explicitly, the command uses the first
                       flavor in the <Application Flag>. To see all flavors, run the cpstat
                       command without any parameters.
-o <Polling Interval>  Optional.
                       Specifies the polling interval (in seconds) - how frequently the
                       command collects and shows the information.
                       Examples:
                       - 0 - The command shows the results only once and then stops (this
                         is the default value).
                       - 5 - The command shows the results every 5 seconds in a loop.
                       - 30 - The command shows the results every 30 seconds in a loop.
                       - N - The command shows the results every N seconds in a loop.
                       Use this parameter together with the "-c <Count>" parameter and the
                       "-e <Period>" parameter.
                       Example:
                       cpstat os -f perf -o 2
-c <Count>             Optional.
                       Specifies how many times the command runs and shows the results
                       before it stops.
                       You must use this parameter together with the "-o <Polling
                       Interval>" parameter.
                       Examples:
                       - 0 - The command shows the results repeatedly every <Polling
                         Interval> (this is the default value).
                       - 10 - The command shows the results 10 times every <Polling
                         Interval> and then stops.
                       - 20 - The command shows the results 20 times every <Polling
                         Interval> and then stops.
                       - N - The command shows the results N times every <Polling
                         Interval> and then stops.
                       Example:
                       cpstat os -f perf -o 2 -c 2
-e <Period>            Optional.
                       Specifies the time (in seconds) over which the command calculates
                       the statistics.
                       You must use this parameter together with the "-o <Polling
                       Interval>" parameter.
                       You can use this parameter together with the "-c <Count>"
                       parameter.
                       Example:
                       cpstat os -f perf -o 2 -c 2 -e 60
<Application Flag>     Mandatory.
                       See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are
supported only by a Security Gateway, and some flags are supported only by a
Management Server.

Feature or Software Blade         Flag               Flavors
List of enabled Software Blades   blades             fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi,
                                                     anti_bot, default, content_awareness,
                                                     threat-emulation, default
Operating System                  os                 default, ifconfig, routing, routing6, memory,
                                                     old_memory, cpu, disk, perf, multi_cpu,
                                                     multi_disk, raidInfo, sensors, power_supply,
                                                     hw_info, all, average_cpu, average_memory,
                                                     statistics, updates, licensing, connectivity,
                                                     vsx
Firewall                          fw                 default, interfaces, policy, perf, hmem, kmem,
                                                     inspect, cookies, chains, fragments, totals,
                                                     totals64, ufp, http, ftp, telnet, rlogin, smtp,
                                                     pop3, sync, log_connection, all
HTTPS Inspection                  https_inspection   default, hsm_status, all
Identity Awareness                identityServer     default, authentication, logins, ldap,
                                                     components, adquery, idc, muh
Application Control               appi               default, subscription_status, update_status,
                                                     RAD_status, top_last_hour, top_last_day,
                                                     top_last_week, top_last_month
URL Filtering                     urlf               default, subscription_status, update_status,
                                                     RAD_status, top_last_hour, top_last_day,
                                                     top_last_week, top_last_month
IPS                               ips                default, statistics, all
Anti-Virus                        ci                 default
Threat Prevention                 antimalware        default, scanned_hosts, scanned_mails,
                                                     subscription_status, update_status,
                                                     ab_prm_contracts, av_prm_contracts,
                                                     ab_prm_contracts, av_prm_contracts
Threat Emulation                  threat-emulation   default, general_statuses, update_status,
                                                     scanned_files, malware_detected,
                                                     scanned_on_cloud, malware_on_cloud,
                                                     average_process_time, emulated_file_size,
                                                     queue_size, peak_size,
                                                     file_type_stat_file_scanned,
                                                     file_type_stat_malware_detected,
                                                     file_type_stat_cloud_scanned,
                                                     file_type_stat_cloud_malware_scanned,
                                                     file_type_stat_filter_by_analysis,
                                                     file_type_stat_cache_hit_rate,
                                                     file_type_stat_error_count,
                                                     file_type_stat_no_resource_count, contract,
                                                     downloads_information_current,
                                                     downloading_file_information, queue_table,
                                                     history_te_incidents, history_te_comp_hosts
Threat Extraction                 scrub              default, subscription_status,
                                                     threat_extraction_statistics
Mobile Access                     cvpn               cvpnd, sysinfo, products, overall
VSX                               vsx                default, stat, traffic, conns, cpu, all, memory,
                                                     cpu_usage_per_core
IPsec VPN                         vpn                default, product, IKE, ipsec, traffic,
                                                     compression, accelerator, nic, statistics,
                                                     watermarks, all
Data Loss Prevention              dlp                default, dlp, exchange_agents, fingerprint
Content Awareness                 ctnt               default
QoS                               fg                 all
High Availability                 ha                 default, all
Policy Server for Remote Access   polsrv             default, all
VPN clients
Desktop Policy Server for Remote  dtps               default, all
Access VPN clients
LTE / GX                          gx                 default, contxt_create_info,
                                                     contxt_delete_info, contxt_update_info,
                                                     contxt_path_mng_info, GXSA_GPDU_info,
                                                     contxt_initiate_info, gtpv2_create_info,
                                                     gtpv2_delete_info, gtpv2_update_info,
                                                     gtpv2_path_mng_info, gtpv2_cmd_info, all
Management Server                 mg                 default, log_server, indexer
Certificate Authority             ca                 default, crl, cert, user, all
SmartEvent                        cpsemd             default
SmartEvent Correlation Unit       cpsead             default
Log Server                        ls                 default
CloudGuard Controller             vsec               default
SmartReporter                     svr                default
Provisioning Agent                PA                 default
Thresholds configured with the    thresholds         default, active_thresholds, destinations,
threshold_config command                             error
Historical status values          persistency        product, TableConfig, SourceConfig


Examples
Example - Interfaces on a Security Gateway
[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
--------------------------------------------------------------------------------------------------------------------
|Name|IP |Netmask |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
--------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth1| 172.30.60.80|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth2| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth3| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth4| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth5| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth6| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth7| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
--------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway

[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#


Example - CPU utilization


[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance
[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#
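Because cpstat prints one Name: value pair per line, its perf output can be turned into threshold alerts with nothing more than awk and shell arithmetic. The one edge case is that a metric cpstat cannot measure on a platform is printed as "-" (several appear in the output above) and has to be skipped rather than read as zero. The script below is an added example, not Check Point's code; the sample it carries is constructed from the values in the perf example above, the threshold values are constructed for the example, and the function names are the example's own.

```shell
#!/bin/bash
# Threshold checks over "cpstat os -f perf" output. Added example, not Check
# Point's code. Assumptions: cpstat prints one "Name: value" pair per line, as
# in the examples above, and reports a metric it cannot measure as "-".

# Constructed sample: one polling round, values copied from the perf example
# above. Note the "-" entries (not measured on this platform).
SAMPLE_PERF='Total Real Memory (Bytes): 8231063552
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
CPU Usage (%): 3
CPU Queue Length: -
Disk Free Space (%): 61
Disk Total Space (Bytes): 20477751296'

# Print the value of one metric from cpstat output on stdin; prints nothing
# when the metric is absent or reported as "-".
cpstat_metric() {
    awk -v key="$1" -F': ' '$1 == key && $2 != "-" { print $2; exit }'
}

# Thresholds (constructed defaults; override via environment variables).
: "${CPU_MAX:=80}"      # alert when CPU Usage (%) is above this
: "${DISK_MIN:=20}"     # alert when Disk Free Space (%) is below this
: "${MEM_MIN:=15}"      # alert when free real memory (% of total) is below this

# Evaluate one perf sample from stdin. Prints one ALERT line per breach and
# returns 1 if anything breached, 0 otherwise. Unmeasured metrics ("-") are
# skipped, never treated as zero.
cpstat_check() {
    local sample rc cpu disk total free free_pct
    sample=$(cat)
    rc=0
    cpu=$(printf '%s\n' "$sample" | cpstat_metric 'CPU Usage (%)')
    if [ -n "$cpu" ] && [ "$cpu" -gt "$CPU_MAX" ]; then
        echo "ALERT CPU usage ${cpu}% > ${CPU_MAX}%"; rc=1
    fi
    disk=$(printf '%s\n' "$sample" | cpstat_metric 'Disk Free Space (%)')
    if [ -n "$disk" ] && [ "$disk" -lt "$DISK_MIN" ]; then
        echo "ALERT disk free ${disk}% < ${DISK_MIN}%"; rc=1
    fi
    total=$(printf '%s\n' "$sample" | cpstat_metric 'Total Real Memory (Bytes)')
    free=$(printf '%s\n' "$sample" | cpstat_metric 'Free Real Memory (Bytes)')
    if [ -n "$total" ] && [ -n "$free" ] && [ "$total" -gt 0 ]; then
        free_pct=$(( free * 100 / total ))
        if [ "$free_pct" -lt "$MEM_MIN" ]; then
            echo "ALERT free memory ${free_pct}% < ${MEM_MIN}%"; rc=1
        fi
    fi
    return "$rc"
}

# Live on a Check Point machine; otherwise evaluate the constructed sample.
if command -v cpstat >/dev/null 2>&1; then
    cpstat os -f perf | cpstat_check
else
    printf '%s\n' "$SAMPLE_PERF" | cpstat_check
fi
```

To poll instead of sampling once, feed the loop form from the parameter table above (for example cpstat os -f perf -o 2 -c 2 -e 60) through a loop that splits the output on the blank line between rounds; each round is then one sample for cpstat_check. The non-zero return code is what a cron job or monitoring agent should act on, since the ALERT lines are for the operator.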


Example - List of current connected sessions on a Management Server


[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#


cpview
Overview of CPView

Description
CPView is a text-based built-in utility on a Check Point computer.
The CPView utility shows statistical data that contains both general system information (CPU,
Memory, Disk space) and information for different Software Blades (only on a Security
Gateway).
CPView continuously updates the data in easy-to-access views.

On a Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Section       Description
Header        This view shows the time the statistics in the third view are collected.
              It updates when you refresh the statistics.
Navigation    This menu bar is interactive. Move between menus with the arrow keys and
              mouse.
              A menu can have sub-menus and they show under the menu bar.
View          This view shows the statistics collected in that view.
              These statistics update at the refresh rate.


Using CPView
Use these keys to navigate the CPView:

Key          Description
Arrow keys   Moves between menus and views. Scrolls in a view.
Home         Returns to the Overview view.
Enter        Changes to the View Mode.
             On a menu with sub-menus, the Enter key moves you to the lowest level
             sub-menu.
Esc          Returns to the Menu Mode.
Q            Quits CPView.

Use these keys to change CPView interface options:

Key          Description
R            Opens a window where you can change the refresh rate.
             The default refresh rate is 2 seconds.
W            Changes between wide and normal display modes.
             In wide mode, CPView fits the screen horizontally.
S            Manually sets the number of rows or columns.
M            Switches on/off the mouse.
P            Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key          Description
C            Saves the current page to a file. The file name format is:
             cpview_<ID of the cpview process>.cap<Number of the capture>
H            Shows a tooltip with CPView options.
Space bar    Immediately refreshes the statistics.


cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes, such as Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by the WatchDog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products and Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log file.

The cpwd_admin utility shows the status of the monitored processes, and configures the
Check Point WatchDog.

There are two types of Check Point WatchDog monitoring:

Passive
    WatchDog restarts the process only when the process terminates abnormally.
    In the output of the cpwd_admin list command, the MON column shows N for passively monitored processes.

Active
    WatchDog checks the process status every predefined interval.
    WatchDog makes sure the process is alive, as well as properly functioning (not stuck on deadlocks, frozen, and so on).
    In the output of the cpwd_admin list command, the MON column shows Y for actively monitored processes.
    The list of actively monitored processes is predefined by Check Point. Users cannot change or configure it.


Syntax

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

Parameters

config <options>
    Configures the Check Point WatchDog.
    See "cpwd_admin config" on page 207.

del <options>
    Temporarily deletes a monitored process from the WatchDog database of monitored processes.
    See "cpwd_admin del" on page 211.

detach <options>
    Temporarily detaches a monitored process from the WatchDog monitoring.
    See "cpwd_admin detach" on page 212.

exist
    Checks whether the WatchDog process cpwd is alive.
    See "cpwd_admin exist" on page 213.

flist <options>
    Saves the status of all monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
    See "cpwd_admin flist" on page 214.

getpid <options>
    Shows the PID of a monitored process.
    See "cpwd_admin getpid" on page 216.

kill
    Terminates the WatchDog process cpwd.
    See "cpwd_admin kill" on page 217.
    Important - Do not run this command unless explicitly instructed by Check Point Support or R&D to do so.

list <options>
    Prints the status of all monitored processes on the screen.
    See "cpwd_admin list" on page 218.

monitor_list
    Prints the status of actively monitored processes on the screen.
    See "cpwd_admin monitor_list" on page 223.

start <options>
    Starts a process as monitored by the WatchDog.
    See "cpwd_admin start" on page 224.

start_monitor
    Starts the active WatchDog monitoring - WatchDog monitors the predefined processes actively.
    See "cpwd_admin start_monitor" on page 227.

stop <options>
    Stops a monitored process.
    See "cpwd_admin stop" on page 228.

stop_monitor
    Stops the active WatchDog monitoring - WatchDog monitors all processes only passively.
    See "cpwd_admin stop_monitor" on page 230.


cpwd_admin config

Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
-h
-a <options>
-d <options>
-p
-r

Parameters

-h
    Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N>
    Adds the WatchDog configuration parameters.
    Note - Spaces are not allowed between the name of the configuration parameter, the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N>
    Deletes the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-p
    Shows the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-r
    Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:

default_ctx
    Accepted values: text string up to 128 characters.
    On a VSX Gateway, configures the CTX value that is assigned to monitored processes, for which no CTX is specified.

display_ctx
    Accepted values: 0 (default), 1.
    On a VSX Gateway, configures whether the WatchDog shows the CTX column in the output of the cpwd_admin list command (between the APP and the PID columns):
    - 0 - Does not show the CTX column
    - 1 - Shows the CTX column

no_limit
    Accepted values: -1, 0, >0. Default: 5.
    If rerun_mode=1, specifies the maximal number of times the WatchDog tries to restart a process.
    - -1 - Always tries to restart
    - 0 - Never tries to restart
    - >0 - Tries this number of times

num_of_procs
    Accepted values: 30 - 2000. Default: 2000.
    Configures the maximal number of processes managed by the WatchDog.

rerun_mode
    Accepted values: 0, 1 (default).
    Configures whether the WatchDog restarts processes after they fail:
    - 0 - Does not restart a failed process. Monitor and log only.
    - 1 - Restarts a failed process (this is the default).

reset_startups
    Accepted values: > 0. Default: 3600.
    Configures the time (in seconds) the WatchDog waits after the process starts and before the WatchDog resets the process's startup_counter to 0.
    To see the process's startup counter, in the output of the cpwd_admin list command, refer to the #START column.

sleep_mode
    Accepted values: 0, 1 (default).
    Configures how the WatchDog restarts the process:
    - 0 - Ignores timeout and restarts the process immediately
    - 1 - Waits for the duration of sleep_timeout

sleep_timeout
    Accepted values: 0 - 3600. Default: 60.
    If rerun_mode=1, specifies how much time (in seconds) passes from a process failure until the WatchDog tries to restart it.

stop_timeout
    Accepted values: > 0. Default: 60.
    Configures the time (in seconds) the WatchDog waits for a process stop command to complete.

zero_timeout
    Accepted values: > 0. Default: 7200.
    After failing no_limit times to restart a process, the WatchDog waits zero_timeout seconds before it tries again.
    The value of the zero_timeout must be greater than the value of the timeout.

The WatchDog saves the user-defined configuration parameters in the $CPDIR/registry/HKLM_registry.data file, in the ": (Wd_Config" section:

("CheckPoint Repository Set"
  : (SOFTWARE
    : (CheckPoint
      : (CPshared
        :CurrentVersion (6.0)
        : (6.0
          ... ...
          : (reserved
            ... ...
            : (Wd
              : (Wd_Config
                :Configuration_Parameter_1 ("[4]Value_1")
                :Configuration_Parameter_2 ("[4]Value_2")
              )
            )
          ... ...


Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
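Because a new WatchDog configuration only takes effect after a cpstop/cpstart, it is worth validating the NAME=VALUE arguments against the documented ranges before applying them. The following shell function is an added example (not part of this guide or of the cpwd_admin utility); it reads the rule "zero_timeout must be greater than the timeout" as referring to sleep_timeout, which is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide or of cpwd_admin: validate
# NAME=VALUE arguments for "cpwd_admin config -a" against the ranges documented
# in the configuration parameter table before applying them.
# Assumption: the rule "zero_timeout must be greater than the timeout" is read
# here as "greater than sleep_timeout".

# is_uint VALUE: true when VALUE is a non-negative decimal integer.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# cpwd_config_check NAME=VALUE ...: prints one "ok:" or "error:" line per
# argument, then checks the cross-parameter rule. Returns 1 if anything is rejected.
cpwd_config_check() {
    rc=0
    sleep_t=60      # documented defaults, used when an argument does not override them
    zero_t=7200
    for arg in "$@"; do
        case "$arg" in
            *=*) ;;
            *) echo "error: $arg: expected NAME=VALUE (no spaces around '=')"; rc=1; continue ;;
        esac
        name=${arg%%=*}
        value=${arg#*=}
        msg=""
        case "$name" in
            default_ctx)
                [ ${#value} -le 128 ] || msg="default_ctx is longer than 128 characters" ;;
            display_ctx|rerun_mode|sleep_mode)
                case "$value" in 0|1) ;; *) msg="$name must be 0 or 1" ;; esac ;;
            no_limit)
                [ "$value" = "-1" ] || is_uint "$value" || msg="no_limit must be -1, 0 or a positive integer" ;;
            num_of_procs)
                if ! is_uint "$value" || [ "$value" -lt 30 ] || [ "$value" -gt 2000 ]; then
                    msg="num_of_procs must be in the range 30 - 2000"
                fi ;;
            sleep_timeout)
                if ! is_uint "$value" || [ "$value" -gt 3600 ]; then
                    msg="sleep_timeout must be in the range 0 - 3600"
                else
                    sleep_t=$value
                fi ;;
            reset_startups|stop_timeout)
                if ! is_uint "$value" || [ "$value" -eq 0 ]; then msg="$name must be > 0"; fi ;;
            zero_timeout)
                if ! is_uint "$value" || [ "$value" -eq 0 ]; then msg="zero_timeout must be > 0"; else zero_t=$value; fi ;;
            *)
                msg="unknown configuration parameter '$name'" ;;
        esac
        if [ -n "$msg" ]; then echo "error: $msg"; rc=1; else echo "ok: $arg"; fi
    done
    # Cross-parameter rule from the guide (sleep_timeout taken as "the timeout").
    if [ "$zero_t" -le "$sleep_t" ]; then
        echo "error: zero_timeout ($zero_t) must be greater than sleep_timeout ($sleep_t)"
        rc=1
    fi
    return $rc
}

# The same arguments as the guide's example above: accepted, two "ok:" lines.
cpwd_config_check sleep_timeout=120 no_limit=12 || echo "rejected"
# Constructed bad set: out-of-range process count and a zero_timeout below the default sleep_timeout.
cpwd_config_check num_of_procs=5000 zero_timeout=30 || echo "rejected"
```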


cpwd_admin del

Description
Temporarily deletes a monitored process from the WatchDog database of monitored processes.

Notes:
- WatchDog stops monitoring the deleted process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the deleted process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin del -name <Application Name>

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD
cpwd_admin:
successful Del operation
[Expert@HostName:0]#


cpwd_admin detach

Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the detached process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin detach -name <Application Name>

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD
cpwd_admin:
successful Detach operation
[Expert@HostName:0]#


cpwd_admin exist

Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist
cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#


cpwd_admin flist

Description
Saves the status of all WatchDog monitored processes to a file.

Syntax on a Management Server

cpwd_admin flist [-full]

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

-full
    Shows the verbose output.

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

APP
    Shows the WatchDog name of the monitored process.

CTX
    On a VSX Gateway, shows the VSID in which the monitored process runs.

PID
    Shows the PID of the monitored process.

STAT
    Shows the status of the monitored process:
    - E - executing
    - T - terminated

#START
    Shows how many times the WatchDog started the monitored process.

START_TIME
    Shows the time when the WatchDog started the monitored process for the last time.

SLP/LIMIT
    In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 207).

MON
    Shows how the WatchDog monitors this process (see the explanation for the "cpwd_admin" on page 204):
    - Y - Active monitoring
    - N - Passive monitoring

COMMAND
    Shows the command the WatchDog runs to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist
/opt/CPshrd-R80.40/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#


cpwd_admin getpid

Description
Shows the PID of a WatchDog monitored process.

Syntax for a Management Server

cpwd_admin getpid -name <Application Name>

Syntax for a Security Gateway

cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

Parameters

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD
5640
[Expert@HostName:0]#


cpwd_admin kill

Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 201 and "cpstart" on page 191 commands.

Syntax

cpwd_admin kill


cpwd_admin list

Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Management Server

cpwd_admin list [-full]

Syntax on a Security Gateway

cpwd_admin list [-full] [-ctx <VSID>]

Parameters

-full
    Shows the verbose output.

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

APP
    Shows the WatchDog name of the monitored process.

CTX
    On a VSX Gateway, shows the VSID in which the monitored process runs.

PID
    Shows the PID of the monitored process.

STAT
    Shows the status of the monitored process:
    - E - executing
    - T - terminated

#START
    Shows how many times the WatchDog started the monitored process.

START_TIME
    Shows the time when the WatchDog started the monitored process for the last time.

SLP/LIMIT
    In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 207).

MON
    Shows how the WatchDog monitors this process (see the explanation for the "cpwd_admin" on page 204):
    - Y - Active monitoring
    - N - Passive monitoring

COMMAND
    Shows the command the WatchDog runs to start this process.

Examples

Example - Default output on a Management Server

[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R80.40/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-R80.40/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2019 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
[Expert@HostName:0]#


Example - Default output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 N ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2019 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 N DAService_script
[Expert@HostName:0]#
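A terminated daemon (STAT = T) or one that the WatchDog keeps restarting (a climbing #START counter) is what a monitoring check on a gateway or management server should surface from this output. The following shell function is an added example (not part of this guide or of cpwd_admin) that reads the default cpwd_admin list output and reports both conditions; it takes column positions from the header line, so the Management Server layout and the Security Gateway layout with its CTX column both parse. The sample output is constructed from the examples above with made-up PIDs and counters.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: report WatchDog-monitored
# processes that are terminated (STAT = T) or that have been started more than a
# given number of times, from the default output of "cpwd_admin list".

# Constructed sample: default output on a Security Gateway (CTX column present),
# with one terminated process and one restarted several times (values made up).
SAMPLE_GW='APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
FWD 0 0 T 4 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 7 [18:14:28] 23/5/2019 N rad
[Expert@HostName:0]#'

# Constructed sample: default output on a Management Server (no CTX column).
SAMPLE_MGMT='APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
[Expert@HostName:0]#'

# cpwd_report [MAX_STARTS]: reads "cpwd_admin list" output on stdin and prints
# "<APP> terminated" for STAT = T, or "<APP> started <n> times" when #START
# exceeds MAX_STARTS (default 3). Lines with fewer fields than the header, such
# as the shell prompt or a wrapped COMMAND continuation, are ignored.
cpwd_report() {
    awk -v max_starts="${1:-3}" '
        NR == 1 {
            # Map each header name to its field number, so the CTX column
            # may or may not be present without changing the logic below.
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        NF < col["MON"] { next }
        {
            app    = $(col["APP"])
            stat   = $(col["STAT"])
            starts = $(col["#START"]) + 0
            if (stat == "T")
                print app " terminated"
            else if (starts > max_starts)
                print app " started " starts " times"
        }'
}

# Stand-alone run over the constructed samples. On a live system this would be:
#   cpwd_admin list | cpwd_report 3
printf '%s\n' "$SAMPLE_GW" | cpwd_report 3
printf '%s\n' "$SAMPLE_MGMT" | cpwd_report 3
```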


Example - Verbose output on a Management Server

[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/java_solr
COMMAND = java_solr /opt/CPrt-R80.40/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/log_indexer/log_indexer
COMMAND = /opt/CPrt-R80.40/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R80.40/smartlog_server
COMMAND = /opt/CPSmartLog-R80.40/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#


Example - Verbose output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list -full
APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 3/u N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#


cpwd_admin monitor_list

Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 204.

Syntax

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list
cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#


cpwd_admin start

Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server

cpwd_admin start -name <Application Name> -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Syntax on a Security Gateway

cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

-name <Application Name>
    Name, under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable, including the executable name.
    Must be enclosed in double quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd"
    - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh"
    - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must be enclosed in double quotes.
    Examples:
    - For FWM: "fwm"
    - For FWM on Multi-Domain Server: "fwm mds"
    - For FWD: "fwd"
    - For CPD: "cpd"
    - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh -s"
    - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl -c "/opt/CPuepm-R80.40/engine/conf/cptnl_srv.conf""

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

-slp_timeout <Timeout>
    Configures the specified value of the "sleep_timeout" configuration parameter.
    See "cpwd_admin config" on page 207.

-retry_limit {<Limit> | u}
    Configures the value of the "retry_limit" configuration parameter.
    See "cpwd_admin config" on page 207.
    - <Limit> - Tries to restart the process the specified number of times
    - u - Tries to restart the process an unlimited number of times


Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin start_monitor

Description
Starts the active WatchDog monitoring. WatchDog monitors the predefined processes
actively.
See the explanation for the "cpwd_admin" on page 204 command.

Syntax

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor
cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#


cpwd_admin stop

Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Management Server

cpwd_admin stop -name <Application Name> [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Syntax on a Security Gateway

cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Parameters

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable, including the executable name.
    Must be enclosed in double quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd_admin"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must be enclosed in double quotes.
    Examples:
    - For FWM: "fw kill fwm"
    - For FWD: "fw kill fwd"
    - For CPD: "cpd_admin stop"

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin stop_monitor

Description
Stops the active WatchDog monitoring. WatchDog monitors all processes only passively.
See the explanation for the "cpwd_admin" on page 204 command.

Syntax

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor
cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#


dbedit
Description
Edits the management database - the $FWDIR/conf/objects_5_0.C file - on the Security
Management Server or Domain Management Server. See skI3301.

Important - Do NOT run this command, unless explicitly instructed by Check Point
Support or R&D to do so. Otherwise, you can corrupt settings in the management
database.

Syntax

dbedit -help
dbedit [-globallock] [{-local | -s <Management_Server>}] [{-u <Username> | -c <Certificate>}] [-p <Password>] [-f <File_Name> [ignore_script_failure] [-continue_updating]] [-r "<Open_Reason_Text>"] [-d <Database_Name>] [-listen] [-readonly] [-session]

Note:
On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Parameters

-help
    Prints the general help.

-globallock
    When you work with the dbedit utility, it partially locks the management database. If a user configures objects in SmartConsole at the same time, it causes problems in the management database.
    This option does not let SmartConsole, or a dbedit user, make changes in the management database.
    When you specify this option, the dbedit commands run on a copy of the management database. After you make the changes with the dbedit commands and run the savedb command, the dbedit utility saves and commits your changes to the actual management database.

-local
    Connects to the localhost (127.0.0.1) without using username/password.
    If you do not specify this parameter, the dbedit utility asks how to connect.

-s <Management_Server>
    Specifies the Security Management Server - by IP address or HostName.
    If you do not specify this parameter, the dbedit utility asks how to connect.

-u <Username>
    Specifies the username, with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" parameter.

-c <Certificate>
    Specifies the user's certificate file, with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" parameter.

-p <Password>
    Specifies the user's password, with which the dbedit utility connects to the Security Management Server.
    Mandatory parameter when you specify the "-s <Management_Server>" and "-u <Username>" parameters.

-f <File_Name>
    Specifies the file that contains the applicable dbedit internal commands (see the section "dbedit Internal Commands" below):
    - create <object_type> <object_name>
    - modify <table_name> <object_name> <field_name> <value>
    - update <table_name> <object_name>
    - delete <table_name> <object_name>
    - print <table_name> <object_name>
    - quit
    Note - Each command is limited to 4096 characters.

ignore_script_failure
    Continues to execute the dbedit internal commands in the file and ignores errors.
    You can use it when you specify the "-f <File_Name>" parameter.

-continue_updating
    Continues to update the modified objects, even if the operation fails for some of the objects (ignores the errors and runs the update_all command at the end of the script).
    You can use it when you specify the "-f <File_Name>" parameter.

-r "<Open_Reason_Text>"
    Specifies the reason for opening the database in read-write mode (default mode).

-d <Database_Name>
    Specifies the name of the database, to which the dbedit utility should connect (for example, mdsdb).

-listen
    The dbedit utility "listens" for changes (use this mode for advanced troubleshooting with the assistance of Check Point Support).
    The dbedit utility prints its internal messages when a change occurs in the management database.

-readonly
    Specifies to open the management database in read-only mode.

-session
    Session Connectivity.
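A script passed with "-f <File_Name>" runs against the management database, so a typo in a command name or a line over the 4096-character limit is better caught before dbedit sees it. The following shell function is an added example (not part of this guide or of dbedit); it accepts only the internal command names this section lists, which is assumed not to be the exhaustive set, and the sample script with its object names is constructed.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide or of dbedit: lint a dbedit
# command file before passing it with "dbedit -f <File_Name>". Every non-empty
# line must start with an internal command named in this section, and no line
# may exceed the documented 4096-character limit.
# Assumption: this command list is the one given in this section of the guide
# and is not an exhaustive list of dbedit internal commands.
DBEDIT_COMMANDS="create modify update update_all delete print printxml printbyuid _print_set query quit -q -h"

# dbedit_script_check FILE: prints "line N: <problem>" for each offending line
# and returns 1 if any problem was found, 0 otherwise.
dbedit_script_check() {
    rc=0
    n=0
    # "|| [ -n "$line" ]" also processes a last line without a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        cmd=${line%% *}          # first word of the line
        found=0
        for known in $DBEDIT_COMMANDS; do
            [ "$cmd" = "$known" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "line $n: unknown command '$cmd'"
            rc=1
        fi
        if [ ${#line} -gt 4096 ]; then
            echo "line $n: command is ${#line} characters, limit is 4096"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample script (table, object and field names are made up); the
# third line carries a typo that dbedit would otherwise reject at run time.
TMP_SCRIPT=$(mktemp)
cat > "$TMP_SCRIPT" <<'EOF'
modify network_objects My_Host comments "owned by infra team"
update network_objects My_Host
modfiy services My_Service port 8443
quit -update_all
EOF
dbedit_script_check "$TMP_SCRIPT" || echo "script rejected"
rm -f "$TMP_SCRIPT"
```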

dbedit Internal Commands

Note - To see the available tables, class names (object types), attributes and values,
connect to Management Server with Database Tool (GuiDBEdit Tool) (see sk13009).

Command Description, Syntax, Examples

-h Description:
Prints the general help.
Syntax:
dbedit> -h

-q Description:
Quits from dbedit.
quit Syntax:
dbedit> -q
dbedit> quit [-update_all | -noupdate]
Examples:
n Exit the utility and commit the remaining modified objects
(interactive mode):
dbedit> quit
n Exit the utility and update all the remaining modified objects:
dbedit> quit -update_all
n Exit the utility and discard all modifications:
dbedit> quit -no_update

update
    Description:
    Saves the specified object in the specified table (for example,
    "network_objects", "services", "users").
    Syntax:
    dbedit> update <table_name> <object_name>
    Example:
    Save the object My_Service in the table services:
    dbedit> update services My_Service

update_all
    Description:
    Saves all the modified objects.
    Syntax:
    dbedit> update_all

_print_set
    Description:
    Prints the specified object from the specified table (for example,
    "network_objects", "services", "users") as it appears in the
    $FWDIR/conf/objects_5_0.C file (sets of attributes).
    Syntax:
    dbedit> _print_set <table_name> <object_name>
    Example:
    Print the object My_Obj from the table network_objects:
    dbedit> _print_set network_objects My_Obj

print
    Description:
    Prints the list of attributes of the specified object from the specified
    table (for example, "network_objects", "properties",
    "services", "users").
    Syntax:
    dbedit> print <table_name> <object_name>
    Examples:
    - Print the object My_Obj from the table network_objects (in
      "Network Objects"):
      dbedit> print network_objects my_obj
    - Print the object firewall_properties from the table properties (in
      "Global Properties"):
      dbedit> print properties firewall_properties

printxml
    Description:
    Prints in XML format the list of attributes of the specified object from the
    specified table (for example, "network_objects", "properties",
    "services", "users").
    You can export the settings from a Management Server to an XML file
    that you can use later with external automation systems.
    Syntax:
    dbedit> printxml <table_name> [<object_name>]
    Examples:
    - Print the object My_Obj from the table network_objects:
      dbedit> printxml network_objects my_obj
    - Print the object firewall_properties from the table properties (in
      "Global Properties"):
      dbedit> printxml properties firewall_properties

printbyuid
    Description:
    Prints the attributes of the object specified by its UID (appears in the
    $FWDIR/conf/objects_5_0.C file at the beginning of the object as
    "chkpf_uid ({...})").
    Syntax:
    dbedit> printbyuid {object_id}
    Example:
    Print the attributes of the object with the specified UID:
    dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}

query
    Description:
    Prints all the objects in the specified table.
    Optionally, you can query for objects with a specific attribute and value.
    The query is separated by a comma after "query <table_name>"
    (spaces are not allowed between the <attribute> and '<value>').
    Syntax:
    dbedit> query <table_name> [ , <attribute>='<value>' ]
    Examples:
    - Print all objects in the table users:
      dbedit> query users
    - Print all objects in the table network_objects that are defined as
      Management Servers:
      dbedit> query network_objects, management='true'
    - Print all objects in the table services with the name ssh:
      dbedit> query services, name='ssh'
    - Print all objects in the table services with the port 22:
      dbedit> query services, port='22'
    - Print all objects with the IP address 10.10.10.10:
      dbedit> query network_objects, ipaddr='10.10.10.10'

whereused
    Description:
    Checks where the specified object is used in the database.
    Prints the number of places where this object is used and relevant
    information about each such place.
    Syntax:
    dbedit> whereused <table_name> <object_name>
    Example:
    Check where the object My_Obj is used:
    dbedit> whereused network_objects My_Obj

create
    Description:
    Creates an object of the specified type (with its default values) in the
    database.
    Restrictions apply to the object's name:
    - Object names can have a maximum of 100 characters.
    - Object names can contain only ASCII letters, numbers, and dashes.
    - Reserved words are blocked by the Management Server (refer
      to sk40179).
    Syntax:
    dbedit> create <object_type> <object_name>
    Example:
    Create the service object My_Service of the type tcp_service (with its
    default values):
    dbedit> create tcp_service my_service

delete
    Description:
    Deletes an object from the specified table.
    Syntax:
    dbedit> delete <table_name> <object_name>
    Example:
    Delete the service object My_Service from the table services:
    dbedit> delete services my_service

modify
    Description:
    Modifies the value of the specified attribute in the specified object in the
    specified table (for example, "network_objects", "services",
    "users") in the management database.
    Syntax:
    dbedit> modify <table_name> <object_name> <field_name> <value>
    Examples:
    - Modify the color to red in the object My_Service in the table
      services:
      dbedit> modify services My_Service color red
    - Add a comment to the object MyObj:
      dbedit> modify network_objects MyObj comments "Created by fwadmin with dbedit"
    - Set the value of the global property ike_use_largest_possible_subnets
      in the table properties to false:
      dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
    - Create a new interface on the Security Gateway My_FW and
      modify its attributes - set the IP address / Mask and enable Anti-
      Spoofing on the interface with "Element Index"=3 (check the
      attributes of the object My_FW in the Database Tool (GuiDBEdit
      Tool) (see sk13009)):
      dbedit> addelement network_objects My_FW interfaces interface
      dbedit> modify network_objects My_FW interfaces:3:officialname NAME_OF_INTERFACE
      dbedit> modify network_objects My_FW interfaces:3:ipaddr IP_ADDRESS
      dbedit> modify network_objects My_FW interfaces:3:netmask NETWORK_MASK
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:access specific
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:allowed network_objects:group_name
      dbedit> modify network_objects My_FW interfaces:3:security:netaccess:perform_anti_spoofing true
    - dbedit> modify network_objects MyObj FieldA LINKSYS
    - In the Owned Object MyObj change the value of FieldB to NewVal:
      dbedit> modify network_objects MyObj FieldA:FieldB NewVal
    - In the Linked Object MyObj change the value of FieldA from B to C:
      dbedit> modify network_objects MyObj FieldA B:C
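The interface procedure above, turned into a generator for a command file that can be passed with "dbedit -f <File_Name>". This is an added example and not Check Point's code: it validates the address and mask with Python's ipaddress module before any line can reach the management database, and finishes with update on the gateway object. The gateway name, interface name, element index, address, mask and group name in the usage block are constructed placeholders, and the element index is assumed to be known (the guide says to read it from the Database Tool).

```python
import ipaddress


def interface_commands(gateway, index, name, ip, netmask, allowed_group):
    """Return the dbedit lines that add interface number `index` to `gateway`,
    set its address and mask, and enable Anti-Spoofing against `allowed_group`.

    The sequence is the one documented under `modify`; `index` is the
    "Element Index" of the new interface (assumption: the caller already
    read it from the Database Tool).
    """
    if not isinstance(index, int) or index < 0:
        raise ValueError(f"element index must be a non-negative integer: {index!r}")
    # Fail here rather than in the database: a malformed address or mask
    # would otherwise be written to the gateway object by update/update_all.
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    if str(net.netmask) != netmask:
        raise ValueError(f"not a dotted IPv4 netmask: {netmask!r}")
    for value in (gateway, name, allowed_group):
        if not value or any(c.isspace() for c in value):
            raise ValueError(f"dbedit arguments cannot be empty or contain spaces: {value!r}")
    prefix = f"modify network_objects {gateway} interfaces:{index}:"
    return [
        f"addelement network_objects {gateway} interfaces interface",
        f"{prefix}officialname {name}",
        f"{prefix}ipaddr {addr}",
        f"{prefix}netmask {net.netmask}",
        f"{prefix}security:netaccess:access specific",
        f"{prefix}security:netaccess:allowed network_objects:{allowed_group}",
        f"{prefix}security:netaccess:perform_anti_spoofing true",
        f"update network_objects {gateway}",
    ]


def to_script(commands):
    """Join the commands into the text of a file for `dbedit -f <File_Name>`;
    run dbedit with -continue_update_all so the remaining objects are
    committed even if one command fails."""
    return "\n".join(commands) + "\n"


if __name__ == "__main__":
    # Constructed placeholder values, not taken from any real deployment.
    cmds = interface_commands("My_FW", 3, "eth3", "10.20.30.1",
                              "255.255.255.0", "Internal_Nets")
    print(to_script(cmds), end="")
```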

lock
    Description:
    Locks the specified object (by administrator) in the specified table (for
    example, "network_objects", "services", "users") from being
    modified by other users.
    For example, if you connect from a remote computer to this
    Management Server with admin1 and lock an object, you are able to
    connect with admin2, but are not able to modify the locked object, until
    admin1 releases the lock.
    Syntax:
    dbedit> lock <table_name> <object_name>
    Example:
    Lock the object My_Service_Obj in the table services in the database:
    dbedit> lock services My_Service_Obj

addelement
    Description:
    Adds a specified multiple field / container (with the specified value) to a
    specified object in the specified table.
    Syntax:
    dbedit> addelement <table_name> <object_name> <field_name> <value>
    Examples:
    - Add the element BranchObjectClass with the value Organization
      to the multiple field Read in the object My_Obj in the table ldap:
      dbedit> addelement ldap My_Obj Read:BranchObjectClass Organization
    - Add the service MyService to the group of services
      MyServicesGroup in the table services:
      dbedit> addelement services MyServicesGroup '' services:MyService
    - Add the network MyNetwork to the group of networks
      MyNetworksGroup in the table network_objects:
      dbedit> addelement network_objects MyNetworksGroup '' network_objects:MyNetwork

rmelement
    Description:
    Removes a specified multiple field / container (with the specified value)
    from a specified object in the specified table.
    Syntax:
    dbedit> rmelement <table_name> <object_name> <field_name> <value>
    Examples:
    - Remove the service MyService from the group of services
      MyServicesGroup in the table services:
      dbedit> rmelement services MyServicesGroup '' services:MyService
    - Remove the network MyNetwork from the group of networks
      MyNetworksGroup in the table network_objects:
      dbedit> rmelement network_objects MyNetworksGroup '' network_objects:MyNetwork
    - Remove the element BranchObjectClass with the value
      Organization from the multiple field Read in the object My_Obj in
      the table ldap:
      dbedit> rmelement ldap my_obj Read:BranchObjectClass Organization

rename
    Description:
    Renames the specified object in the specified table.
    Syntax:
    dbedit> rename <table_name> <object_name> <new_object_name>
    Example:
    Rename the network object london to chicago in the table network_objects:
    dbedit> rename network_objects london chicago

rmbyindex
    Description:
    Removes an element from a container by the element's index.
    Syntax:
    dbedit> rmbyindex <table_name> <object_name> <field_name> <index_number>
    Example:
    Remove the element backup_log_servers from the container log_servers
    by element index 1 in the table network_objects:
    dbedit> rmbyindex network_objects g log_servers:backup_log_servers 1

add_owned_remove_name
    Description:
    Adds an owned object (and removes its name) to a specified owned
    object field (or container).
    Syntax:
    dbedit> add_owned_remove_name <table_name> <object_name> <field_name> <value>
    Example:
    Add the owned object My_Gateway (and remove its name) to the
    owned object field (or container) my_external_products:
    dbedit> add_owned_remove_name network_objects My_Gateway additional_products owned:my_external_products

is_delete_allowed
    Description:
    Checks if the specified object can be deleted from the specified table
    (an object cannot be deleted if it is used by other objects).
    Syntax:
    dbedit> is_delete_allowed <table_name> <object_name>
    Example:
    Check if the object MyObj can be deleted from the table network_objects:
    dbedit> is_delete_allowed network_objects MyObj

set_pass
    Description:
    Sets the specified password for the specified user.
    Notes:
    - The password must contain at least 4 characters and no more
      than 50 characters.
    - This command cannot change the administrator's password.
    Syntax:
    dbedit> set_pass <Username> <Password>
    Example:
    Set the password 1234 for the user abcd:
    dbedit> set_pass abcd 1234

savedb
    Description:
    Saves the database. You can run this command only when the
    database is locked globally (when you start the dbedit utility with the
    "dbedit -globallock" command).
    Syntax:
    dbedit> savedb

savesession
    Description:
    Saves the session. You can run this command only when you start the
    dbedit utility in session mode (with the "dbedit -session"
    command).
    Syntax:
    dbedit> savesession

fw

Description
- Performs various operations on Security or Audit log files.
- Kills the specified Check Point processes.
- Manages the Suspicious Activity Monitoring (SAM) rules.
- Manages the Suspicious Activity Policy editor.

Syntax

fw [-d]
      fetchlogs <options>
      hastat <options>
      kill <options>
      log <options>
      logswitch <options>
      lslogs <options>
      mergefiles <options>
      repairlog <options>
      sam <options>
      sam_policy <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to
    a file, or use the script command to save the entire CLI session.

fetchlogs <options>
    Fetches the specified Check Point log files - Security
    ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*), from the
    specified Check Point computer.
    See "fw fetchlogs" on page 246.

hastat <options>
    Shows information about Check Point computers in High Availability
    configuration and their states.
    See "fw hastat" on page 248.

kill <options>
    Kills the specified Check Point process.
    See "fw kill" on page 249.

log <options>
    Shows the content of Check Point log files - Security
    ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw log" on page 250.

logswitch <options>
    Switches the current active Check Point log file - Security
    ($FWDIR/log/fw.log) or Audit ($FWDIR/log/fw.adtlog).
    See "fw logswitch" on page 260.

lslogs <options>
    Shows a list of Check Point log files - Security ($FWDIR/log/*.log*)
    or Audit ($FWDIR/log/*.adtlog*), located on the local computer or a
    remote computer.
    See "fw lslogs" on page 264.

mergefiles <options>
    Merges several Check Point log files - Security ($FWDIR/log/*.log)
    or Audit ($FWDIR/log/*.adtlog), into a single log file.
    See "fw mergefiles" on page 267.

repairlog <options>
    Rebuilds pointer files for Check Point log files - Security
    ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw repairlog" on page 270.

sam <options>
    Manages the Suspicious Activity Monitoring (SAM) rules.
    See "fw sam" on page 271.

sam_policy <options>
or
samp <options>
    Manages the Suspicious Activity Policy editor that works with these types
    of rules:
    - Suspicious Activity Monitoring (SAM) rules.
    - Rate Limiting rules.
    See "fw sam_policy" on page 279.

fw fetchlogs

Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-f <Name of Log File N>
    Specifies the name of the log file to fetch. You need to specify the name only.
    Notes:
    - If you do not specify the log file name explicitly, the command
      transfers all Security log files ($FWDIR/log/*.log*) and all Audit
      log files ($FWDIR/log/*.adtlog*).
    - The specified log file name can include the wildcards * and ? (for
      example, 2017-0?-*.log).
      If you enter a wildcard, you must enclose it in double quotes or single
      quotes.
    - You can specify multiple log files in one command.
      You must use the -f parameter for each log file name pattern.
    - This command also transfers the applicable log pointer files.

<Target>
    Specifies the remote Check Point computer, with which this local Check
    Point computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain
      Management Server, then <Target> is the applicable object's name
      or main IP address of the Check Point computer as configured in
      SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member,
      then <Target> is the main IP address of the applicable object as
      configured in SmartConsole.

Notes:
- This command moves the specified log files from the $FWDIR/log/ directory on the
  specified Check Point computer. Meaning, it deletes the specified log files on the
  specified Check Point computer after it copies them successfully.
- This command moves the specified log files to the $FWDIR/log/ directory on the local
  Check Point computer, on which you run this command.
- This command cannot fetch the active log files $FWDIR/log/fw.log or
  $FWDIR/log/fw.adtlog.
  To fetch these active log files:
  1. Perform a log switch on the applicable Check Point computer:

     fw logswitch [-audit] [-h <IP Address or Hostname>]

  2. Fetch the rotated log file from the applicable Check Point computer:

     fw fetchlogs -f <Log File Name> <IP Address or Hostname>

- This command renames the log files it fetched from the specified Check Point computer.
  The new log file name is the concatenation of the Check Point computer's name (as
  configured in SmartConsole), two underscore (_) characters, and the original log file
  name (for example: MyGW__2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW
File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#

fw hastat

Description
Shows information about Check Point computers in High Availability configuration and their
states.

Note - This command is outdated. On cluster members, run the Gaia Clish command
"show cluster state", or the Expert mode command "cphaprob state".
Note - This command is outdated. On Management Servers, run the "cpstat" on
page 192 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter Description

<Target1> <Target2> ... <TargetN>
    Specifies the Check Point computers to query.
    If you run this command on the Management Server, you can enter the
    applicable IP address, or the resolvable HostName of the managed
    Security Gateway or Cluster Member.
    If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#

fw kill

Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the
    output to a file, or use the script command to save the entire
    CLI session.

-t <Signal Number>
    Specifies which signal to send to the Check Point process.
    For the list of available signals and their numbers, run the kill -l
    command.
    For information about the signals, see the manual pages for
    kill and signal.
    If you do not specify the signal explicitly, the command sends Signal
    15 (SIGTERM).
    Note - Processes can ignore some signals.

<Name of Process>
    Specifies the name of the Check Point process to kill.
    To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw log

Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c
<Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert
Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q]
[-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u
<Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End
Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter Description

{-h | -help}
    Shows the built-in usage.
    Note - The built-in usage does not show some of the parameters
    described in this table.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output
    to a file, or use the script command to save the entire CLI
    session.

-a
    Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>"
    Shows only entries that were logged between the specified start and
    end times.
    - The <Start Timestamp> and <End Timestamp> may be a
      date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the "<Start Timestamp>" and "<End Timestamp>" in
      single or double quotes (-b 'XX' 'YY', or -b "XX" "YY").
    - You cannot use the "-b" parameter together with the "-s" or "-e"
      parameters.
    - See the date and time format below.

-c <Action>
    Shows only events with the specified action. One of these:
    - accept
    - drop
    - reject
    - encrypt
    - decrypt
    - vpnroute
    - keyinst
    - authorize
    - deauthorize
    - authcrypt
    - ctl
    Notes:
    - The fw log command always shows the Control (ctl) actions.
    - For the login action, use authcrypt.

-e "<End Timestamp>"
    Shows only entries that were logged before the specified time.
    Notes:
    - The <End Timestamp> may be a date, a time, or both.
    - Enclose the <End Timestamp> in single or double quotes (-e
      '...', or -e "...").
    - You cannot use the "-e" parameter together with the "-b"
      parameter.
    - See the date and time format below.

-f
    This parameter:
    1. Shows the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log
       file, it continues to monitor the log file indefinitely and shows the
       new entries that match the specified conditions.
    Note - Applies only to the active log file $FWDIR/log/fw.log or
    $FWDIR/log/fw.adtlog

-g
    Does not show delimiters.
    The default behavior is:
    - Show a colon (:) after a field name
    - Show a semi-colon (;) after a field value

-H
    Shows the High Level Log key.

-h <Origin>
    Shows only logs that were generated by the Security Gateway with
    the specified IP address or object name (as configured in
    SmartConsole).

-i
    Shows the log UID.

-k {<Alert Name> | all}
    Shows entries that match a specific alert type:
    - <Alert Name> - Show only entries that match a specific alert
      type:
      - alert
      - mail
      - snmp_trap
      - spoof
      - user_alert
      - user_auth
    - all - Show entries that match all alert types (this is the default).

-l
    Shows both the date and the time for each log entry.
    The default is to show the date only once above the relevant entries,
    and then specify the time for each log entry.

-m {initial | semi | raw}
    Specifies the log unification mode:
    - initial - Complete unification of log entries. The command
      shows one unified log entry for each ID. This is the default.
      If you also specify the -f parameter, then the output does not
      show any updates, but shows only entries that relate to the start
      of new connections. To show updates, use the semi parameter.
    - semi - Step-by-step unification of log entries. For each log
      entry, the output shows an entry that unifies this entry with all
      previously encountered entries with the same ID.
    - raw - No log unification. The output shows all log entries.

-n
    Does not perform DNS resolution of the IP addresses in the log file
    (this is the default behavior).
    This significantly speeds up the log processing.

-o
    Shows detailed log chains - shows all the log segments in the log
    entry.

-p
    Does not perform resolution of the port numbers in the log file (this is
    the default behavior).
    This significantly speeds up the log processing.

-q
    Shows the names of log header fields.

-S
    Shows the Sequence Number.

-s "<Start Timestamp>"
    Shows only entries that were logged after the specified time.
    Notes:
    - The <Start Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current
      date.
    - Enclose the <Start Timestamp> in single or double quotes
      (-s '...', or -s "...").
    - You cannot use the "-s" parameter together with the "-b"
      parameter.
    - See the date and time format below.

-t
    This parameter:
    1. Does not show the saved entries that match the specified
       conditions.
    2. After the command reaches the end of the currently opened log
       file, it continues to monitor the log file indefinitely and shows the
       new entries that match the specified conditions.
    Note - Applies only to the active log file $FWDIR/log/fw.log or
    $FWDIR/log/fw.adtlog

-u <Unification Scheme File>
    Specifies the path and name of the log unification scheme file.
    The default log unification scheme file is:
    $FWDIR/conf/log_unification_scheme.C

-w
    Shows the flags of each log entry (different bits used to specify the
    "nature" of the log - for example, control, audit, accounting,
    complementary, and so on).

-x <Start Entry Number>
    Shows only entries from the specified log entry number and below,
    counting from the beginning of the log file.

-y <End Entry Number>
    Shows only entries until the specified log entry number, counting from
    the beginning of the log file.

-z
    In case of an error (for example, a wrong field value), continues to show
    log entries.
    The default behavior is to stop.

-#
    Shows confidential logs in clear text.

<Log File>
    Specifies the log file to read.
    If you do not specify the log file explicitly, the command opens the
    $FWDIR/log/fw.log log file.
    You can specify a switched log file.

Date and Time format

Part of timestamp / Format / Example

Date only
    Format: MMM DD, YYYY
    Example: June 11, 2018

Time only
    Format: HH:MM:SS
    Example: 14:20:00
    Note - In this case, the command assumes the current date.

Date and Time
    Format: MMM DD, YYYY HH:MM:SS
    Example: June 11, 2018 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that show depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

Field Header / Description / Example

HeaderDateHour
    Description: Date and Time
    Example: 12Jun2018 12:56:42

ContentVersion
    Description: Version
    Example: 5

HighLevelLogKey
    Description: High Level Log Key
    Example: <max_null>, or empty

Uuid
    Description: Log UUID
    Example: (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)

SequenceNum
    Description: Log Sequence Number
    Example: 1

Flags
    Description: Internal flags that specify the "nature" of the log - for
    example, control, audit, accounting, complementary, and so on
    Example: 428292

Action
    Description: Action performed on this connection
    Example:
    - accept
    - drop
    - reject
    - encrypt
    - decrypt
    - vpnroute
    - keyinst
    - authorize
    - deauthorize
    - authcrypt
    - ctl

Origin
    Description: Object name of the Security Gateway that generated this log
    Example: MyGW

IfDir
    Description: Traffic direction through the interface:
    - < - Outbound (sent by a Security Gateway)
    - > - Inbound (received by a Security Gateway)
    Example: < or >

InterfaceName
    Description: Name of the Security Gateway interface, on which this traffic
    was logged. If a Security Gateway performed some internal action (for
    example, log switch), then the log entry shows daemon
    Example:
    - eth0
    - daemon
    - N/A

LogId
    Description: Log ID
    Example: 0

Alert
    Description: Alert Type
    Example:
    - alert
    - mail
    - snmp_trap
    - spoof
    - user_alert
    - user_auth

OriginSicName
    Description: SIC name of the Security Gateway that generated this log
    Example: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x

inzone
    Description: Inbound Security Zone
    Example: Local

outzone
    Description: Outbound Security Zone
    Example: External

service_id
    Description: Name of the service used to inspect this connection
    Example: ftp

src
    Description: Object name or IP address of the connection's source computer
    Example: MyHost

dst
    Description: Object name or IP address of the connection's destination computer
    Example: MyFTPServer

proto
    Description: Name of the connection's protocol
    Example: tcp

sport_svc
    Description: Source port of the connection
    Example: 64933

ProductName
    Description: Name of the Check Point product that generated this log
    Example:
    - VPN-1 & FireWall-1
    - Application Control
    - FloodGate-1

ProductFamily
    Description: Name of the Check Point product family that generated this log
    Example: Network

Examples
Example 1 - Show all log entries with both the date and the time for each log entry
fw log -l

Example 2 - Show all log entries that start after the specified timestamp
[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host
Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps


[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host
Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach
"https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2;
status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security
Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"


[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
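The records in the examples above are one "key: value" pair per semicolon, with nested tables (UP_match_table, UP_action_table) bracketed by TABLE_START/ROW_START and ROW_END/TABLE_END markers. The following parser is an added example, not Check Point code: it reads both output forms shown here (plain "fw log -l" with its positional header, and "-w" with field headers), rebuilds the nested tables, and counts drops per matching rule. The sample records are reassembled from this page's examples (the PDF wrapped them over several lines); the function names are my own.

```python
import re

# Positional fields that "fw log -l" prints before the first "key: value" pair
# when "-w" (field headers) is not given.  Date and time are merged into
# HeaderDateHour so that both output forms yield the same keys.  InterfaceName
# is absent from control ("ctl") records that carry no interface.
HEADER_FIELDS = ["HeaderDateHour", "ContentVersion", "HighLevelLogKey",
                 "SequenceNum", "Action", "Origin", "IfDir", "InterfaceName"]

# First "key: " token; keys start with a letter, so "12:33:39" is not one.
_FIRST_KEY = re.compile(r"(?:^|\s)([A-Za-z_]\w*): ")


def parse_record(line):
    """Parse one fw log output line into a dict.

    Nested tables (delimited by TABLE_START/TABLE_END, with ROW_START/ROW_END
    rows) become lists of row dicts stored under the table's key.
    """
    line = line.strip()
    match = _FIRST_KEY.search(line)
    if match is None:
        raise ValueError("no 'key: value' fields found in record")
    record = {}
    header = line[:match.start()].split()
    if len(header) >= 2:                         # "-l" form: date time ver ...
        header = [header[0] + " " + header[1]] + header[2:]
        record.update(zip(HEADER_FIELDS, header))
    rows = row = None                            # state while inside a table
    for piece in line[match.start():].strip().rstrip(";").split("; "):
        key, sep, value = piece.partition(": ")
        if not sep:
            continue                             # not a field, skip it
        value = value.strip()
        if value == "TABLE_START":
            rows = record.setdefault(key, [])
        elif value == "TABLE_END":
            rows = row = None
        elif key == "ROW_START" and rows is not None:
            row = {}
            rows.append(row)
        elif key == "ROW_END":
            row = None
        elif row is not None:
            row[key] = value
        else:
            record[key] = value
    return record


def matched_rule(record):
    """Return (layer_name, rule_uid) of the Unified Policy rule that matched,
    or None when the record has no UP_match_table row with a rule_uid."""
    for row in record.get("UP_match_table", []):
        if row.get("rule_uid"):
            return row.get("layer_name", ""), row["rule_uid"]
    return None


def drops_by_rule(lines):
    """Count "drop" records per (layer_name, rule_uid): the first question
    when a host such as MyFTPServer is unexpectedly unreachable."""
    counts = {}
    for line in lines:
        record = parse_record(line)
        if record.get("Action") == "drop":
            key = matched_rule(record)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Sample records reassembled from the page's examples (not captured here).
_TAIL = ("LogId: 0; ContextNum: <max_null>; "
         "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; "
         "inzone: Local; outzone: External; service_id: ftp; src: MyGW; "
         "dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; "
         "match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; "
         "layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; "
         "rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; "
         "UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; "
         "UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; "
         "sport_svc: 64933; ProductFamily: Network;")
SAMPLE_DROP = "12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 " + _TAIL
SAMPLE_DROP_HEADERS = ("HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; "
                       "HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; "
                       "Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; "
                       "InterfaceName: eth0; Alert: ; " + _TAIL)
SAMPLE_CTL = ("12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; "
              "ContextNum: <max_null>; "
              "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; "
              "description: Contracts; reason: Could not reach "
              '"https://productcoverage.checkpoint.com/ProductCoverageService". '
              "Check DNS and Proxy configuration on the gateway.; Severity: 2; "
              "status: Failed; version: 1.0; failure_impact: Contracts may be "
              "out-of-date; update_service: 1; ProductName: Security "
              "Gateway/Management; ProductFamily: Network;")

if __name__ == "__main__":
    for rule, count in drops_by_rule([SAMPLE_DROP, SAMPLE_DROP_HEADERS, SAMPLE_CTL]).items():
        print(f"{count} drop(s) by rule {rule[1]} in layer {rule[0]!r}")
```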

R80.40 CLI Reference Guide | 605



fw logswitch

Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
• By default, this command switches the active Security log file - $FWDIR/log/fw.log
• You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch
      [-audit] [<Name of Switched Log>]
      -h <Target> [[+ | -]<Name of Switched Log>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-audit
    Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).
    You can use this parameter only on a Management Server.

-h <Target>
    Specifies the remote computer, on which to switch the log.
    Notes:
    • The local and the remote computers must have established SIC trust.
    • The remote computer can be a Security Gateway, a Log Server, or a Security Management Server in High Availability deployment.
    • You can specify the remote managed computer by its main IP address or Object Name as configured in SmartConsole.


<Name of Switched Log>
    Specifies the name of the switched log file.
    Notes:
    • If you do not specify this parameter, then a default name is:
      <YYYY-MM-DD_HHMMSS>.log
      <YYYY-MM-DD_HHMMSS>.adtlog
      For example, 2018-03-26_174455.log
    • If you specify the name of the switched log file, then the name of the switched log file is:
      <Specified_Log_Name>.log
      <Specified_Log_Name>.adtlog
    • The log switch operation fails if the specified name for the switched log matches the name of an existing log file.
    • The maximal length of the specified name of the switched log file is 230 characters.

+
    Specifies to copy the active log from the remote computer to the local computer.
    Notes:
    • If you specify the name of the switched log file, you must write it immediately after this + (plus) parameter.
    • The command copies the active log from the remote computer and saves it in the $FWDIR/log/ directory on the local computer.
    • The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    • If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    • When this command copies the log file from the remote computer, it compresses the file.


-
    Specifies to transfer the active log from the remote computer to the local computer.
    Notes:
    • The command saves the copied active log file in the $FWDIR/log/ directory on the local computer and then deletes the switched log file on the remote computer.
    • If you specify the name of the switched log file, you must write it immediately after this - (minus) parameter.
    • The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    • If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    • When this command transfers the log file from the remote computer, it compresses the file.
    • As an alternative, you can use the "fw fetchlogs" on page 246 command.

Compression
When this command transfers the log files from the remote computer, it compresses the file with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method. The compression ratio varies with the content of the log file and is difficult to predict. Binary data are not compressed. Text data, such as user names and URLs, are compressed.

Example - Switching the active Security log on a Security Management Server or Security Gateway

[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server


[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#


Example - Switching the active Security log on a managed Security Gateway and copying the switched log
[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#


fw lslogs

Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files
($FWDIR/log/*.adtlog) residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ... [-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime | etime}] [<Target>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File>
    Specifies the name of the log file to show. Specify the file name only, without a path.
    Notes:
    • If the log file name is not specified explicitly, the command shows all Security log files ($FWDIR/log/*.log).
    • File names may include * and ? as wildcards (for example, 2019-0?-*). If you enter a wildcard, you must enclose it in double quotes or single quotes.
    • You can specify multiple log files in one command. You must use the "-f" parameter for each log file name pattern:
      -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>

-e
    Shows an extended file list. It includes the following information for each log file:
    • Size - The total size of the log file and its related pointer files
    • Creation Time - The time the log file was created
    • Closing Time - The time the log file was closed
    • Log File Name - The file name

-r
    Reverses the sort order (descending order).


-s {name | size | stime | etime}
    Specifies the sort order of the log files using one of the following sort options:
    • name - The file name
    • size - The file size
    • stime - The time the log file was created (this is the default option)
    • etime - The time the log file was closed

<Target>
    Specifies the remote Check Point computer, with which this local Check Point computer has established SIC trust.
    • If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point Computer as configured in SmartConsole.
    • If you run this command on a Security Gateway or Cluster Member, then <Target> is the main IP address of the applicable object as configured in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"


Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#


Example 4 - Showing only log files specified by the patterns and their extended information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r


Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security Gateway with main IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' 192.168.3.53


Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#


fw mergefiles

Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
• Do not merge the active Security file $FWDIR/log/fw.log with other Security switched log files.
  Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch" on page 1068 command) and only then merge it with other Security switched log files.
• Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit switched log files.
  Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch" on page 1068 command) and only then merge it with other Audit switched log files.
• This command unifies log entries with the same Unique-ID (UID). If you rotate the current active log file before all the segments of a specific log arrive, this command merges the records with the same Unique ID from two different files into one fully detailed record.
• If the size of the final merged log file exceeds 2GB, this command creates a list of merged files, where the size of each merged file is not more than 2GB.
  The user receives this warning:
  Warning: The size of the files you have chosen to merge is greater than 2GB. The merge will produce two or more files.
  The names of merged files are:
  ◦ <Name of Merged Log File>.log
  ◦ <Name of Merged Log File>_1.log
  ◦ <Name of Merged Log File>_2.log
  ◦ ... ...
  ◦ <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}


fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of Log File 1> <Name of Log File 2> ... <Name of Log File N> <Name of Merged Log File>


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-r
    Removes duplicate entries.

-s
    Sorts the merged file by the Time field in log records.

-t <Time Conversion File>
    Specifies a full path and name of a file that instructs this command how to adjust the times during the merge.
    This is required if you merge log files from Log Servers configured with different time zones.
    The file format is:
    <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
    <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
    ... ...
    Notes:
    • You must specify the absolute path and the file name.
    • The name of the time conversion file cannot exceed 230 characters.

<Name of Log File 1> ... <Name of Log File N>
    Specifies the log files to merge.
    Notes:
    • You must specify the absolute path and the name of the input log files.
    • The name of the input log file cannot exceed 230 characters.


<Name of Merged Log File>
    Specifies the output merged log file.
    Notes:
    • The name of the merged log file cannot exceed 230 characters.
    • If a file with the specified name already exists, the command stops and asks you to remove the existing file, or to specify another name.
    • The size of the merged log file cannot exceed 2 GB. In such a scenario, the command creates several merged log files, each not exceeding the size limit.

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log $FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#


fw repairlog

Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases with special pointer files.
If these log pointer files become corrupted (which makes the log file unreadable), this command can rebuild them.

Log File Type   Log File Location     Log Pointer Files
Security log    $FWDIR/log/*.log      *.logptr, *.logaccount_ptr, *.loginitial_ptr, *.logLuuidDB
Audit log       $FWDIR/log/*.adtlog   *.adtlogptr, *.adtlogaccount_ptr, *.adtloginitial_ptr, *.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file


fw repairlog -u 2019-06-17_000000.adtlog


fw sam

Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block
connections to and from IP addresses without the need to change or reinstall the Security
Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
• In SmartConsole from Monitoring Results
• In CLI with the fw sam command

Notes:
• VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
• See the "fw sam_policy" and "sam_alert" commands.
• SAM rules consume some CPU resources on Security Gateway.
  Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
• Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  This data log file contains the records in one of these formats:
  <type>,<actions>,<expire>,<ipaddr>
  <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
• SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
• IP Addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:
1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.


Syntax
• To add or cancel a SAM rule according to criteria:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

• To delete all SAM rules:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

• To monitor all SAM rules:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

• To monitor SAM rules according to criteria:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway, on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.


-S <SIC Name of SAM Server>
    Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.
    Notes:
    • If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.
    • For more information about enabling SIC, refer to the OPSEC API Specification.
    • On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway, on which to enforce the action.
    <Security Gateway> can be one of these:
    • All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    • localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or StandAlone.
    • Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    • Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    • Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
    Notes:
    • You can use this syntax only on Security Management Server or Domain Management Server.
    • VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    • To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
    • It is also possible to use this command for active SAM requests.


-C
    Cancels the fw sam command to inhibit connections with the specified parameters.
    Notes:
    • These connections are no longer inhibited (no longer rejected or dropped).
    • The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds), during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for enforced action:
    • nolog - Does not generate Log / Alert at all
    • short_noalert - Generates a Log
    • short_alert - Generates an Alert
    • long_noalert - Generates a Log
    • long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    • name - Security rule name
    • comment - Security rule comment
    • originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:
    • This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
    • This action does not inhibit / close connections.

-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    • Each inhibited connection is logged according to the log type.
    • Matching connections are rejected.


-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    • Matching connections are rejected.
    • Each inhibited connection is logged according to the log type.

-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    • Matching connections are dropped.
    • Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    • Matching connections are dropped.
    • Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    • Source IP Address
    • Source Netmask
    • Destination IP Address
    • Destination Netmask
    • Port (see IANA Service Name and Port Number Registry)
    • Protocol Number (see IANA Protocol Numbers)


    Possible combinations are (see the explanations below this table):
    • src <IP>
    • dst <IP>
    • any <IP>
    • subsrc <IP> <Netmask>
    • subdst <IP> <Netmask>
    • subany <IP> <Netmask>
    • srv <Src IP> <Dest IP> <Port> <Protocol>
    • subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    • subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    • subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    • dstsrv <Dest IP> <Port> <Protocol>
    • subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    • srcpr <IP> <Protocol>
    • dstpr <IP> <Protocol>
    • subsrcpr <IP> <Netmask> <Protocol>
    • subdstpr <IP> <Netmask> <Protocol>
    • generic <key=val>

Explanation for the <Criteria> syntax

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.


subany <IP> <Netmask>
    Matches either the Source IP address or Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.
    Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, source netmask, destination netmask, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches specific Source IP address, Destination IP, destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Service> <Protocol>
    Matches specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>
    Matches specific Destination IP address, Service (port number) and Protocol.
    Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address and protocol of connections.
    Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address and protocol of connections.
    Destination IP address is assigned according to the netmask.


generic <key=val>+
    Matches the GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    • service=gtp
    • imsi
    • msisdn
    • apn
    • tunl_dst
    • tunl_dport
    • tunl_proto
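The keyword table above fixes how many arguments each <Criteria> form takes and of which kind, and a malformed request is easier to catch before it reaches the SAM server. As an added example, not Check Point code, the following Python encodes that layout, checks a criteria list (addresses, contiguous netmasks, port and protocol ranges, generic keys) and assembles the argv for the "-{n|i|I|j|J} <Criteria>" syntax with the -t expiration the Best Practice above recommends. The 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed documentation values; the function names are my own.

```python
import ipaddress

# Argument layout of every <Criteria> keyword from the table above: the kind of
# each positional argument, in order ("ip", "mask", "port" or "proto").
CRITERIA = {
    "src": ("ip",), "dst": ("ip",), "any": ("ip",),
    "subsrc": ("ip", "mask"), "subdst": ("ip", "mask"), "subany": ("ip", "mask"),
    "srv": ("ip", "ip", "port", "proto"),
    "subsrv": ("ip", "mask", "ip", "mask", "port", "proto"),
    "subsrvs": ("ip", "mask", "ip", "port", "proto"),
    "subsrvd": ("ip", "ip", "mask", "port", "proto"),
    "dstsrv": ("ip", "port", "proto"),
    "subdstsrv": ("ip", "mask", "port", "proto"),
    "srcpr": ("ip", "proto"), "dstpr": ("ip", "proto"),
    "subsrcpr": ("ip", "mask", "proto"), "subdstpr": ("ip", "mask", "proto"),
}
# Keys accepted by "generic <key=val>+" (GTP matching).
GENERIC_KEYS = {"service", "imsi", "msisdn", "apn", "tunl_dst", "tunl_dport", "tunl_proto"}
ACTIONS = {"-n", "-i", "-I", "-j", "-J"}          # notify / inhibit flags
LOG_TYPES = {"nolog", "short_noalert", "short_alert", "long_noalert", "long_alert"}


def _check(kind, value):
    """Raise ValueError unless value is a well-formed argument of the given kind."""
    if kind == "ip":
        ipaddress.IPv4Address(value)              # raises on anything but a.b.c.d
    elif kind == "mask":
        # Accept only a contiguous netmask.  ipaddress alone would also accept a
        # hostmask such as 0.0.0.255, which fw sam does not expect here.
        net = ipaddress.IPv4Network("0.0.0.0/" + value)
        if net.netmask != ipaddress.IPv4Address(value):
            raise ValueError(f"{value!r} is not a netmask")
    else:                                         # "port" or "proto": bounded integers
        limit = 65535 if kind == "port" else 255
        if not value.isdigit() or int(value) > limit:
            raise ValueError(f"{value!r} is not a valid {kind} (0-{limit})")


def validate_criteria(args):
    """Validate the <Criteria> tokens (keyword followed by its arguments).
    Returns the keyword, or raises ValueError describing the first problem."""
    if not args:
        raise ValueError("missing criteria")
    keyword, values = args[0], list(args[1:])
    if keyword == "generic":
        if len(values) != 1:
            raise ValueError("generic takes exactly one key=val[+key=val...] argument")
        for pair in values[0].split("+"):
            key, sep, val = pair.partition("=")
            if not sep or key not in GENERIC_KEYS or not val:
                raise ValueError(f"bad generic key/value {pair!r}")
        return keyword
    kinds = CRITERIA.get(keyword)
    if kinds is None:
        raise ValueError(f"unknown criteria keyword {keyword!r}")
    if len(values) != len(kinds):
        raise ValueError(f"{keyword} expects {len(kinds)} arguments "
                         f"<{' '.join(kinds)}>, got {len(values)}")
    for kind, value in zip(kinds, values):
        _check(kind, value)
    return keyword


def rejection_reason(args):
    """Return the validation error text for args, or None when they are valid."""
    try:
        validate_criteria(args)
    except ValueError as exc:
        return str(exc)
    return None


def build_command(action, criteria, timeout=None, log_type=None, target=None, cancel=False):
    """Assemble the argv for an "fw sam" request.  timeout is the -t value in
    seconds (the page's Best Practice is to set one instead of the default,
    forever); cancel=True adds -C, whose criteria must match the original rule."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if log_type is not None and log_type not in LOG_TYPES:
        raise ValueError(f"unknown log type {log_type!r}")
    if timeout is not None and (not isinstance(timeout, int) or timeout <= 0):
        raise ValueError("timeout must be a positive number of seconds")
    validate_criteria(criteria)
    argv = ["fw", "sam"]
    if target:
        argv += ["-f", target]
    if timeout is not None:
        argv += ["-t", str(timeout)]
    if log_type:
        argv += ["-l", log_type]
    if cancel:
        argv.append("-C")
    return argv + [action] + list(criteria)


if __name__ == "__main__":
    # Drop new and existing SSH connections to one host for an hour (constructed values).
    print(" ".join(build_command("-J", ["dstsrv", "192.0.2.10", "22", "6"], timeout=3600)))
```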


fw sam_policy

Description
Manages the Suspicious Activity Policy editor that works with these types of rules:
• Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
• Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
• "fw sam" on page 271
• "sam_alert" on page 376

Notes:
• These commands are interchangeable:
  ◦ For IPv4: "fw sam_policy" and "fw samp".
  ◦ For IPv6: "fw6 sam_policy" and "fw6 samp".
• You can run these commands in Gaia Clish, or Expert mode.
• Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
• Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
• Configuration you make with these commands survives reboot.
• VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
• In VSX mode, you must go to the context of an applicable Virtual System.
  ◦ In Gaia Clish, run: set virtual-system <VSID>
  ◦ In the Expert mode, run: vsenv <VSID>
• In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.


Syntax for IPv4

fw [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>
fw [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Syntax for IPv6

fw6 [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>
fw6 [-d] samp
      add <options>
      batch
      del <options>
      get <options>


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 282.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 295.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 297.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 300.


fw sam_policy add

Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
• Add one Suspicious Activity Monitoring (SAM) rule at a time.
• Add one Rate Limiting rule at a time.

Notes:
• These commands are interchangeable:
  ◦ For IPv4: "fw sam_policy" and "fw samp".
  ◦ For IPv6: "fw6 sam_policy" and "fw6 samp".
• You can run these commands in Gaia Clish, or Expert mode.
• Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
• Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
• Configuration you make with these commands survives reboot.
• VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
• In VSX mode, you must go to the context of an applicable Virtual System.
  ◦ In Gaia Clish, run: set virtual-system <VSID>
  ◦ In the Expert mode, run: vsenv <VSID>
• In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>


Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined.
    Default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log
-t <Timeout>
    Optional.
    Specifies the time period (in seconds) during which the rule is enforced.
    Default timeout is indefinite.

-f <Target>
    Optional.
    Specifies the target Security Gateways on which to enforce the Rate Limiting rule.
    <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ comment\ with\ a\ backslash\ \\"
-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):
    [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
    See the explanations below.
quota <Quota Filter Arguments>
    Mandatory (use this quota parameter, or the ip parameter).
    Configures the Rate Limiting rule.
    Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):
    - [flush true]
    - [source-negated {true | false}] source <Source>
    - [destination-negated {true | false}] destination <Destination>
    - [service-negated {true | false}] service <Protocol and Port numbers>
    - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
    - [track <Track>]

    Important:
    - The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.
    - Explanation:
      For the new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.
      The Security Gateway computes new connection rates on a per-second basis.
      At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.
      If, at some point during that 1-second period, there are too many new connections, then the Security Gateway blocks all remaining packets for the remainder of that 1-second interval.
      At the start of the next 1-second interval, the counters are reset, and the process starts over - the Security Gateway allows packets to pass again up to the point where the rule's limit is violated.
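To make the per-second enforcement described above concrete, here is an added example (not Check Point code) that models a "quota source range:<start>-<end> new-conn-rate 5" rule with action Drop over a constructed packet stream: one counter per 1-second interval, every matching packet dropped for the rest of the interval once the limit is exceeded (existing connections included), and a reset at the next interval. Whether the limit-th or the (limit+1)-th new connection triggers the violation is an assumption of the model, as is the Packet structure.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: the only fields the model needs."""
    t: float        # arrival time in seconds since the stream started
    src: str        # source IP address
    new_conn: bool  # True if this packet opens a new connection (e.g. a TCP SYN)


class NewConnRateRule:
    """Model of 'quota source range:<start>-<end> new-conn-rate <limit>' with -a d."""

    def __init__(self, range_start: str, range_end: str, limit: int):
        self.lo = ipaddress.ip_address(range_start)
        self.hi = ipaddress.ip_address(range_end)
        self.limit = limit
        self.window = None      # the 1-second interval currently being counted
        self.new_conns = 0      # new connections seen so far in this interval
        self.violated = False   # once True, every matching packet is dropped until reset

    def matches(self, pkt: Packet) -> bool:
        """source range:<start>-<end> matching (same IP version, inclusive bounds)."""
        src = ipaddress.ip_address(pkt.src)
        return src.version == self.lo.version and self.lo <= src <= self.hi

    def decide(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop' for one packet in arrival order."""
        if not self.matches(pkt):
            return "accept"             # the rule never sees non-matching traffic
        sec = int(pkt.t)
        if sec != self.window:
            # Start of the next 1-second interval: the counters are reset.
            self.window, self.new_conns, self.violated = sec, 0, False
        if self.violated:
            # Remainder of the interval: all matching packets are dropped,
            # including packets that belong to existing connections.
            return "drop"
        if pkt.new_conn:
            self.new_conns += 1
            if self.new_conns > self.limit:   # assumption: limit+1 is the violation
                self.violated = True
                return "drop"
        return "accept"


def run(rule: NewConnRateRule, packets) -> list:
    """Apply the rule to a stream and return (time, source, decision) triples."""
    return [(pkt.t, pkt.src, rule.decide(pkt)) for pkt in packets]


# Constructed stream: one source inside the range opens six connections within
# the first second, then sends a packet for an already established connection.
SAMPLE = [
    Packet(0.10, "172.16.7.12", True),
    Packet(0.20, "172.16.7.12", True),
    Packet(0.30, "172.16.7.12", True),
    Packet(0.40, "172.16.7.12", True),
    Packet(0.50, "172.16.7.12", True),
    Packet(0.60, "172.16.7.12", True),    # 6th new connection: limit of 5 violated
    Packet(0.70, "172.16.7.12", False),   # existing connection, still dropped
    Packet(0.80, "10.0.0.5", False),      # outside the source range: never limited
    Packet(1.05, "172.16.7.12", False),   # next interval: counters reset, accepted
    Packet(1.10, "172.16.7.12", True),
]


def decisions() -> list:
    """Decisions for SAMPLE under new-conn-rate 5 on range 172.16.7.11-172.16.7.13."""
    rule = NewConnRateRule("172.16.7.11", "172.16.7.13", limit=5)
    return [decision for _, _, decision in run(rule, SAMPLE)]


if __name__ == "__main__":
    rule = NewConnRateRule("172.16.7.11", "172.16.7.13", limit=5)
    for t, src, decision in run(rule, SAMPLE):
        print(f"t={t:.2f} src={src:<12} {decision}")
```

The trace shows why the page warns that a violated quota also hits existing connections: the packet at t=0.70 is dropped although it opened nothing.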

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

-C
    Specifies that open connections should be closed.

-s <Source IP>
    Specifies the Source IP address.

-m <Source Mask>
    Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>
    Specifies the Destination IP address.

-M <Destination Mask>
    Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>
    Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>
    Specifies the protocol number (see IANA Protocol Numbers).

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

flush true
    Specifies to compile and load the quota rule to SecureXL immediately.

[source-negated {true | false}] source <Source>
    Specifies the source type and its value:
    - any
      The rule is applied to packets sent from all sources.
    - range:<IP Address>
      or
      range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent from:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent from:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    - Default is: source-negated false
    - source-negated true processes all source types, except the specified type.

[destination-negated {true | false}] destination <Destination>
    Specifies the destination type and its value:
    - any
      The rule is applied to packets sent to all destinations.
    - range:<IP Address>
      or
      range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent to:
      - Specified IPv4 addresses (x.y.z.w)
      - Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    - cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent to:
      - IPv4 address with Prefix from 0 to 32
      - IPv6 address with Prefix from 0 to 128
    - cc:<Country Code>
      The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    - asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    - Default is: destination-negated false
    - destination-negated true processes all destination types except the specified type.

[service-negated {true | false}] service <Protocol and Port numbers>
    Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):
    - <Protocol>
      IP protocol number in the range 1-255
    - <Protocol Start>-<Protocol End>
      Range of IP protocol numbers
    - <Protocol>/<Port>
      IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535
    - <Protocol>/<Port Start>-<Port End>
      IP protocol number and range of TCP/UDP port numbers from 1 to 65535
    Notes:
    - Default is: service-negated false
    - service-negated true processes all traffic except the traffic with the specified protocols and ports.

[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
    Specifies quota limits and their values.
    Note - Separate multiple quota limits with spaces.
    - concurrent-conns <Value>
      Specifies the maximal number of concurrent active connections that match this rule.
    - concurrent-conns-ratio <Value>
      Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - pkt-rate <Value>
      Specifies the maximum number of packets per second that match this rule.
    - pkt-rate-ratio <Value>
      Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - byte-rate <Value>
      Specifies the maximal total number of bytes per second in packets that match this rule.
    - byte-rate-ratio <Value>
      Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    - new-conn-rate <Value>
      Specifies the maximal number of connections per second that match the rule.
    - new-conn-rate-ratio <Value>
      Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

[track <Track>]
    Specifies the tracking option:
    - source
      Counts connections, packets, and bytes for a specific source IP address, and not cumulatively for this rule.
    - source-service
      Counts connections, packets, and bytes for a specific source IP address and for a specific IP protocol and destination port, and not cumulatively for this rule.

Examples

Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
- This rule drops packets for all connections (-a d) that exceed the quota set by this rule, including packets for existing connections.
- This rule logs packets (-l r) that exceed the quota set by this rule.
- This rule expires in 3600 seconds (-t 3600).
- This rule limits the rate of creation of new connections to 5 connections per second (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
  Note - The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
- This rule is compiled and loaded on SecureXL immediately, together with the other rules in the Suspicious Activity Monitoring (SAM) policy database, because this rule includes the "flush true" parameter.

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
- This rule is not compiled and installed on SecureXL immediately, because it does not include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule is not compiled and installed on SecureXL immediately, because it does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:

- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule is not compiled and installed on SecureXL immediately, because it does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l r parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536, approximately 1% (concurrent-conns-ratio 655), for any traffic (service any) except (source-negated true) the connections from the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule counts connections, packets, and bytes per source IP address that matches this rule (track source), and not cumulatively for this rule.
- This rule is not compiled and installed on SecureXL immediately, because it does not include the "flush true" parameter.

fw sam_policy batch

Description
The "fw sam_policy batch" and "fw6 sam_policy batch" commands:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure
1. Start the batch mode

- For IPv4, run:

fw sam_policy batch << EOF

- For IPv6, run:

fw6 sam_policy batch << EOF

2. Enter the applicable commands

- Enter one "add" or "del" command on each line, on as many lines as necessary.
  Start each line with only the "add" or "del" parameter (not with "fw samp").
- Use the same set of parameters and values as described in these commands:
  - fw sam_policy add
  - fw sam_policy del
- Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

3. End the batch mode

Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
[Expert@HostName]#

fw sam_policy del

Description
The "fw sam_policy del" and "fw6 sam_policy del" commands:
- Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
- Delete one configured Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'
    Specifies the UID of the rule you wish to delete.
    Important:
    - The quote marks and angle brackets ('<...>') are mandatory.
    - To see the Rule UID, run the "fw sam_policy get" command.

Procedure
1. List all the existing rules in the Suspicious Activity Monitoring policy database

- For IPv4, run:

fw sam_policy get

- For IPv6, run:

fw6 sam_policy get

The rules show in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log= ... name= ... comment=... originator= ... src_ip_addr=... req_tpe=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

2. Delete a rule from the list by its UID

- For IPv4, run:

fw [-d] sam_policy del '<Rule UID>'

- For IPv6, run:

fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule

- For IPv4, run:

fw samp add -t 2 quota flush true

- For IPv6, run:

fw6 samp add -t 2 quota flush true

Explanation:
The "fw samp del" and "fw6 samp del" commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compile and load a policy. To force the rule deletion immediately, you must enter a flush-only rule right after the "fw samp del" or "fw6 samp del" command. This flush-only rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This prevents accumulation of obsolete rules in the database.
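As an added example (not Check Point code), a Python helper that parses the one-rule-per-line output of "fw samp get" shown in step 1, undoes the backslash escaping that "fw sam_policy add" requires before spaces in names, comments and originators, flags the rules the Best Practice above would question (no expiry, or action Bypass), and builds the "del" plus flush-only command sequence of steps 2 and 3 for an operator to review. SAMPLE_OUTPUT is constructed in the page's output format; the review criteria in needs_review are an assumption.

```python
import re

# One "key=value" token; a value may contain backslash-escaped spaces/backslashes.
TOKEN = re.compile(r"(\S+?)=((?:\\.|[^\s\\])*)")
ESCAPED = re.compile(r"\\(.)")


def escape(text: str) -> str:
    """Escape a -n / -c / -o string: a backslash before each space or backslash."""
    return re.sub(r"([ \\])", r"\\\1", text)


def unescape(value: str) -> str:
    """Reverse of escape(), for values as printed by 'fw samp get'."""
    return ESCAPED.sub(r"\1", value)


def parse_rule(line: str) -> dict:
    """Turn one 'operation=add uid=<...> ...' line into a dict of plain values."""
    return {key: unescape(value) for key, value in TOKEN.findall(line)}


def parse_output(text: str) -> list:
    """Parse the default (one rule per line) output; any other line is ignored."""
    return [parse_rule(line.strip()) for line in text.splitlines()
            if line.strip().startswith("operation=")]


def needs_review(rule: dict) -> bool:
    """Assumed criteria: rules with no expiry or with action Bypass get a second look."""
    return rule.get("timeout") == "indefinite" or rule.get("action") == "bypass"


def delete_commands(rules: list, ipv6: bool = False) -> list:
    """'del' by UID for each rule, then the flush-only rule that applies the deletions."""
    cmd = "fw6 samp" if ipv6 else "fw samp"
    lines = [f"{cmd} del '{rule['uid']}'" for rule in rules]
    if lines:
        lines.append(f"{cmd} add -t 2 quota flush true")
    return lines


# Constructed sample in the format printed by 'fw samp get' on this page.
SAMPLE_OUTPUT = """\
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\\ Rule comment=Notify\\ about\\ traffic\\ from\\ 1.1.1.1 originator=John\\ Doe src_ip_addr=1.1.1.1 req_tpe=ip
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
"""


def review_plan(text: str = SAMPLE_OUTPUT) -> list:
    """Commands that would remove every flagged rule; nothing is executed here."""
    return delete_commands([rule for rule in parse_output(text) if needs_review(rule)])


if __name__ == "__main__":
    for rule in parse_output(SAMPLE_OUTPUT):
        flag = "REVIEW" if needs_review(rule) else ""
        print(rule["uid"], rule["action"], rule["timeout"], flag)
    print("\n".join(review_plan()))
```

Run it against the real "fw samp get" output by passing that text to review_plan(); the commands are printed, not run, so the operator decides which of them to enter.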

fw sam_policy get

Description
The "fw sam_policy get" and "fw6 sam_policy get" commands:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l
    Controls how to print the rules:
    - In the default format (without "-l"), the output shows each rule on a separate line.
    - In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
    - See the "fw sam_policy add" command.

-u '<Rule UID>'
    Prints the rule specified by its Rule UID or its zero-based rule index.
    The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'
    Prints the rules with the specified predicate key.
    The quote marks are mandatory.

-t <Type>
    Prints the rules with the specified predicate type.
    For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}
    Prints the rules with the specified predicate values.
    The quote marks are mandatory.

-n
    Negates the condition specified by these predicate parameters:
    - -k
    - -t
    - +-v
Examples

Example 1 - Output in the default format

[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 2 - Output in the list format


[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID


[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify
log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe
src_ip_addr=1.1.1.1 req_tpe=ip

Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#

fwm
Description
Performs various management operations and shows various management information.

Notes:
- For debug instructions, see the description of the fwm process in sk97638.
- On a Multi-Domain Server, you must run these commands in the context of the applicable Domain Management Server.

Syntax

fwm [-d]
dbload <options>
exportcert <options>
fetchfile <options>
fingerprint <options>
getpcap <options>
ikecrypt <options>
load [<options>]
logexport <options>
mds <options>
printcert <options>
sic_reset
snmp_trap <options>
unload [<options>]
ver [<options>]
verify <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
dbload <options>
    Downloads the user database and network objects information to the specified targets.
    See "fwm dbload" on page 309.

exportcert <options>
    Exports a SIC certificate of the specified object to a file.
    See "fwm exportcert" on page 310.

fetchfile <options>
    Fetches a specified OPSEC configuration file from the specified source computer.
    See "fwm fetchfile" on page 311.

fingerprint <options>
    Shows the Check Point fingerprint.
    See "fwm fingerprint" on page 313.

getpcap <options>
    Fetches the IPS packet capture data from the specified Security Gateway.
    See "fwm getpcap" on page 315.

ikecrypt <options>
    Encrypts a secret with a key.
    See "fwm ikecrypt" on page 317.

load <options>
    This command is obsolete for R80 and higher.
    Use the "mgmt_cli" on page 362 command to load a policy to a managed Security Gateway.
    See "fwm load" on page 318.

logexport <options>
    Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.
    See "fwm logexport" on page 319.

mds <options>
    Shows information and performs various operations on a Multi-Domain Server.
    See "fwm mds" on page 324.

printcert <options>
    Shows a SIC certificate's details.
    See "fwm printcert" on page 326.

sic_reset
    Resets SIC on the Management Server.
    See "fwm sic_reset" on page 332.

snmp_trap <options>
    Sends an SNMP Trap to the specified host.
    See "fwm snmp_trap" on page 333.

unload <options>
    Unloads the policy from the specified managed Security Gateways.
    See "fwm unload" on page 336.

R80.40 CLI Reference Guide | 653


fwm

Parameter Description

ver <options> Shows the Check Point version of the Management Server.
See "fwm ver" on page 340.

verify This command is obsolete for R80 and higher.


<options> Use the "mgmt_cli" on page 362 command to verify a policy.
See "fwm verify" on page 341.


fwm dbload

Description
Copies the user database and network objects information to specified managed servers with
one or more Management Software Blades enabled.

Important - This command is obsolete for R80 and higher.
Use the API command "install-database" to install the database on the applicable servers.
See the Check Point Management API Reference.


fwm exportcert

Description
Exports a SIC certificate of the specified managed object to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file <Output File> [-withroot] [-pem]

Parameters

Parameter         Description
-d                Runs the command in debug mode.
                  Use only if you troubleshoot the command itself.
                  Best Practice - If you use this parameter, then redirect the output
                  to a file, or use the script command to save the entire CLI session.
                  For complete debug instructions, see the description of the fwm
                  process in sk97638.
<Name of Object>  Specifies the name of the managed object whose certificate you wish
                  to export.
<Name of CA>      Specifies the name of the Certificate Authority whose certificate you
                  wish to export.
<Output File>     Specifies the name of the output file.
-withroot         Exports the certificate's root in addition to the certificate's content.
-pem              Saves the exported information in a text file.
                  Default is to save in a binary file.


fwm fetchfile

Description
Fetches a specified OPSEC configuration file from the specified source computer.
This command supports only the fwopsec.conf or fwopsec.v4x files.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

Parameters

Parameter         Description
-d                Runs the command in debug mode.
                  Use only if you troubleshoot the command itself.
                  Best Practice - If you use this parameter, then redirect the output
                  to a file, or use the script command to save the entire CLI session.
-r <File>         Specifies the file to fetch, as a path relative to the fw1 directory.
                  This command supports only these files:
                  - conf/fwopsec.conf
                  - conf/fwopsec.v4x
-d <Local Path>   Specifies the local directory to save the fetched file.
<Source>          Specifies the managed remote source computer, from which to fetch
                  the file.
                  Note - The local and the remote source computers must have
                  established SIC trust.


Example

[Expert@MGMT:0]# fwm fetchfile -r "conf/fwopsec.conf" -d /tmp 192.168.3.52
Fetching conf/fwopsec.conf from 192.168.3.52...
Done
[Expert@MGMT:0]#


fwm fingerprint

Description
Shows the Check Point fingerprint.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fingerprint [-d]
      <IP address of Target> <SSL Port>
      localhost <SSL Port>

Parameters

Parameter               Description
-d                      Runs the command in debug mode.
                        Use only if you troubleshoot the command itself.
                        Best Practice - If you use this parameter, then redirect the
                        output to a file, or use the script command to save the
                        entire CLI session.
                        The debug options are:
                        - fwm -d
                          Runs the complete debug of all fwm actions.
                          For complete debug instructions, see the description of the
                          fwm process in sk97638.
                        - fingerprint -d
                          Runs the debug only for the fingerprint actions.
<IP address of Target>  Specifies the IP address of a remote managed computer.
<SSL Port>              Specifies the SSL port number.
                        The default is 443.


Example 1 - Showing the fingerprint on the local Management Server

[Expert@MGMT:0]# fwm fingerprint localhost 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

Example 2 - Showing the fingerprint from a managed Security Gateway

[Expert@MGMT:0]# fwm fingerprint 192.168.3.52 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=192.168.3.52,L=Locality Name (eg\, city)
#FINGER 5C:8E:4D:B9:B4:3A:58:F3:79:18:F1:70:99:8B:5F:2B
##
[Expert@MGMT:0]#


fwm getpcap

Description
Fetches the IPS packet capture data from the specified Security Gateway.
This command only works with IPS packet captures stored on the Security Gateway in the
$FWDIR/log/captures_repository/ directory.
This command does not work with other Software Blades, such as Anti-Bot and Anti-Virus, that
store packet captures in the $FWDIR/log/blob/ directory on the Security Gateway.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p <Local Path>

Parameters

Parameter               Description
-d                      Runs the command in debug mode.
                        Use only if you troubleshoot the command itself.
                        Best Practice - If you use this parameter, then redirect the output to
                        a file, or use the script command to save the entire CLI session.
                        For complete debug instructions, see the description of the fwm process
                        in sk97638.
-g <Security Gateway>   Specifies the main IP address or Name of the Security Gateway object as
                        configured in SmartConsole.
-u '{<Capture UID>}'    Specifies the Unique ID of the packet capture file.
                        To see the Unique ID of the packet capture file, open the applicable log
                        file in SmartConsole > Logs & Monitor > Logs.
-p <Local Path>         Specifies the local path to save the specified packet capture file.
                        If you do not specify the local directory explicitly, the command saves the
                        packet capture file in the current working directory.


Example

[Expert@MGMT:0]# fwm getpcap -g 192.168.162.1 -u '{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}' /var/log/
[Expert@MGMT:0]#


fwm ikecrypt

Description
Encrypts the password of an Endpoint VPN Client user using IKE. The resulting string must
then be stored in the LDAP database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ikecrypt <Key> <Password>

Parameters

Parameter    Description
-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a
             file, or use the script command to save the entire CLI session.
             For complete debug instructions, see the description of the fwm process in
             sk97638.
<Key>        Specifies the IKE Key as defined in the LDAP Account Unit properties
             window on the Encryption tab.
<Password>   Specifies the password for the Endpoint VPN Client user.

Example

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword
OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#


fwm load

Description
Loads a policy on a managed Security Gateway.

Important - This command is obsolete for R80 and higher.
Use the API command "install-policy" to load a policy on a managed Security Gateway.
See the Check Point Management API Reference.


fwm logexport

Description
Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog)
to an ASCII file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm logexport -h
fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>]
[-i <Input File>] [-o <Output File>] [{-f | -e}] [-x <Start Entry
Number>] [-y <End Entry Number>] [-z] [-n] [-p] [-a] [-u
<Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

Parameter                    Description
-h                           Shows the built-in usage.
-d                           Runs the command in debug mode.
                             Use only if you troubleshoot the command itself.
                             Best Practice - If you use this parameter, then redirect the output
                             to a file, or use the script command to save the entire CLI session.
                             For complete debug instructions, see the description of the fwm
                             process in sk97638.
-d <Delimiter> | -s          Specifies the output delimiter between fields of log entries:
                             - -d <Delimiter> - Uses the specified delimiter.
                             - -s - Uses the ASCII character #255 (non-breaking space) as the
                               delimiter.
                             Note - If you do not specify the delimiter explicitly, the default is a
                             semicolon (;).
-t <Table Delimiter>         Specifies the output delimiter inside a table field.
                             A table field looks like:
                             ROWx:COL0,ROWx:COL1,ROWx:COL2, and so on
                             Note - If you do not specify the table delimiter explicitly, the default
                             is a comma (,).
-i <Input File>              Specifies the name of the input log file.
                             Notes:
                             - This command supports only Security log files ($FWDIR/log/*.log)
                               and Audit log files ($FWDIR/log/*.adtlog).
                             - If you do not specify the input log file explicitly, the command
                               processes the active Security log file $FWDIR/log/fw.log.
-o <Output File>             Specifies the name of the output file.
                             Note - If you do not specify the output file explicitly, the command
                             prints its output on the screen.
-f                           After reaching the end of the currently opened log file, specifies to
                             continue to monitor the log file indefinitely and export the new
                             entries as well.
                             Note - Applies only to the active log file: $FWDIR/log/fw.log or
                             $FWDIR/log/fw.adtlog
-e                           After reaching the end of the currently opened log file, continue to
                             monitor the log file indefinitely and export the new entries as well.
                             Note - Applies only to the active log file: $FWDIR/log/fw.log or
                             $FWDIR/log/fw.adtlog
-x <Start Entry Number>      Starts exporting the log entries from the specified log entry number
                             and below, counting from the beginning of the log file.
-y <End Entry Number>        Exports the log entries until the specified log entry number,
                             counting from the beginning of the log file.
-z                           In case of an error (for example, wrong field value), specifies to
                             continue the export of log entries.
                             The default behavior is to stop.
-n                           Specifies not to perform DNS resolution of the IP addresses in the log
                             file (this is the default behavior).
                             This significantly speeds up the log processing.
-p                           Specifies not to perform resolution of the port numbers in the log file
                             (this is the default behavior).
                             This significantly speeds up the log processing.
-a                           Exports only Account log entries.
-u <Unification Scheme File> Specifies the path and name of the log unification scheme file.
                             The default log unification scheme file is:
                             $FWDIR/conf/log_unification_scheme.C
-m {initial | semi | raw}    Specifies the log unification mode:
                             - initial - Complete unification of log entries. The command
                               exports one unified log entry for each ID. This is the default.
                               If you also specify the "-f" parameter, then the output does not
                               export any updates, but exports only entries that relate to the
                               start of new connections. To export updates as well, use the
                               "semi" parameter.
                             - semi - Step-by-step unification of log entries. For each log entry,
                               exports an entry that unifies this entry with all previously
                               encountered entries with the same ID.
                             - raw - No log unification. Exports all log entries.


The output of the fwm logexport command appears in tabular format.
The first row lists the names of all log fields included in the log entries.
Each of the next rows consists of a single log entry, whose fields are sorted in the same order
as the first row.
If a log entry has no information in a specific field, this field remains empty (as indicated by two
successive semicolons ";;").
You can control which log fields appear in the command output:

Step  Instructions
1     Create the $FWDIR/conf/logexport.ini file:
      [Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini
2     Edit the $FWDIR/conf/logexport.ini file:
      [Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini
3     To include or exclude the log fields from the output, add these lines in the
      configuration file:
      [Fields_Info]
      included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
      excluded_fields = field10,field11
      Where:
      - You can specify only the included_fields parameter, only the
        excluded_fields parameter, or both.
      - The num field must always appear first. You cannot manipulate this field.
      - The <REST_OF_FIELDS> is an optional reserved token that refers to a list of
        fields.
        - If you specify the "-f" parameter, then the <REST_OF_FIELDS> is
          based on a list of fields from the $FWDIR/conf/logexport_default.C file.
        - If you do not specify the "-f" parameter, then the <REST_OF_FIELDS>
          is based on the input log file.
4     Save the changes in the file and exit the Vi editor.
5     Export the logs:
      fwm logexport <options>


Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file has been switched to: MyLog.log;Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#
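The output format described above (a header row of field names, ";" between fields, ";;" for an empty field, num always first) and the [Fields_Info] procedure for logexport.ini, as an added shell example that is not part of the Check Point guide. The sample export, the function names logexport_select and logexport_fields_info and the LOGEXPORT_DELIM variable are assumptions of this example; on a Management Server the input would be the file written by fwm logexport -i <file> -o <file>.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: work with the tabular
# output of "fwm logexport" (header row of field names, ';' delimiter,
# ';;' for an empty field, "num" always the first field).

# Constructed sample of "fwm logexport" output. The columns are a subset of
# the header row in Example 1; the entries are modelled on rows 0, 36, 37
# and 47 of that example (the reason text is shortened).
LOGEXPORT_SAMPLE='num;date;time;orig;type;action;product;description;status;version;reason;Severity
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;VPN-1 & FireWall-1;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;Security Gateway/Management;Contracts;Started;1.0;;1
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;FG;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;Security Gateway/Management;Contracts;Failed;1.0;Could not reach the contract service. Check DNS and Proxy configuration on the gateway.;2'

# logexport_select FIELD VALUE [OUTFIELD]
# Reads logexport output on stdin. Column positions are resolved from the
# header row, so the function keeps working when logexport.ini changes
# which fields are exported or their order. Prints OUTFIELD (default "num")
# of every entry whose FIELD equals VALUE, one per line. Set LOGEXPORT_DELIM
# when the export was produced with "-d <Delimiter>".
logexport_select() {
    field=$1
    value=$2
    outfield=${3:-num}
    awk -F "${LOGEXPORT_DELIM:-;}" -v want="$field" -v val="$value" -v out="$outfield" '
        NR == 1 {
            # Header row: the guide states that "num" is always the first field.
            if ($1 != "num") { exit 3 }
            for (i = 1; i <= NF; i++) { col[$i] = i }
            if (!(want in col) || !(out in col)) { exit 2 }
            next
        }
        # An empty field (";;") simply never equals VALUE and is skipped.
        $(col[want]) == val { print $(col[out]) }
    '
}

# logexport_fields_info PATH INCLUDED EXCLUDED
# Writes the [Fields_Info] section of $FWDIR/conf/logexport.ini (steps 1-3
# above) to PATH. INCLUDED and EXCLUDED are comma-separated field lists;
# "num" is prepended to INCLUDED when it is missing, as the guide requires.
logexport_fields_info() {
    path=$1
    included=$2
    excluded=$3
    case "$included" in
        num|num,*) ;;
        *) included="num,$included" ;;
    esac
    {
        printf '[Fields_Info]\n'
        printf 'included_fields = %s\n' "$included"
        if [ -n "$excluded" ]; then
            printf 'excluded_fields = %s\n' "$excluded"
        fi
    } > "$path"
}

# Stand-alone run: report the reason of every Contracts update that failed.
printf '%s\n' "$LOGEXPORT_SAMPLE" | logexport_select status Failed reason
```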


fwm mds

Description
- Shows the Check Point version of the Multi-Domain Server.
- Rebuilds the status tree for Global VPN Communities.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS:
  mdsenv
- In the context of a Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] mds
      ver
      rebuild_global_communities_status {all | missing}

Parameters

Parameter                           Description
-d                                  Runs the command in debug mode.
                                    Use only if you troubleshoot the command itself.
                                    Best Practice - If you use this parameter, then redirect
                                    the output to a file, or use the script command to save
                                    the entire CLI session.
                                    For complete debug instructions, see the description of the
                                    fwm process in sk97638.
ver                                 Shows the Check Point version of the Multi-Domain Server.
rebuild_global_communities_status   Rebuilds the status tree for Global VPN Communities:
                                    - all - Rebuilds the status tree for all Global VPN
                                      Communities.
                                    - missing - Rebuilds the status tree only for Global VPN
                                      Communities that do not have status trees.


Example

[Expert@MDS:0]# fwm mds ver
This is Check Point Multi-Domain Security Management R80.40 - Build 11
[Expert@MDS:0]#


fwm printcert

Description
Shows a SIC certificate's details.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] printcert
      -obj <Name of Object> [-cert <Certificate Nick Name>] [-verbose]
      -ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
      -f <Name of Binary Certificate File> [-verbose]


Parameters

Item                                  Description
-d                                    Runs the command in debug mode.
                                      Use only if you troubleshoot the command itself.
                                      Best Practice - If you use this parameter, then
                                      redirect the output to a file, or use the script
                                      command to save the entire CLI session.
                                      For complete debug instructions, see the description of
                                      the fwm process in sk97638.
-obj <Name of Object>                 Specifies the name of the managed object, for which to
                                      show the SIC certificate information.
-cert <Certificate Nick Name>         Specifies the certificate nick name.
-ca <CA Name>                         Specifies the name of the Certificate Authority.
                                      Note - The Check Point CA Name is internal_ca.
-x509 <Name of File>                  Specifies the name of the X.509 file.
-p                                    Specifies to show the SIC certificate as a text file.
-f <Name of Binary Certificate File>  Specifies the binary SIC certificate file to show.
-verbose                              Shows the information in verbose mode.


Examples

Example 1 - Showing the SIC certificate of a Management Server

[Expert@MGMT:0]# fwm printcert -ca internal_ca
Subject: O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Apr 8 13:41:00 2018 Local Time
Not Valid After: Fri Jan 1 05:14:07 2038 Local Time
Serial No.: 1
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
    digitalSignature
    keyCertSign
    cRLSign
Basic Constraint:
    is CA
MD5 Fingerprint:
    7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
    1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
    2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM
[Expert@MGMT:0]#


Example 2 - Showing the SIC certificate of a Management Server in verbose mode

[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: called
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: closing existing database
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] do_links_getver: strncmp failed. Returning -2
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] db_fetchkey: entering
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] PubKey:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Modulus:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45 f1 00 04 bc
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be db 75 cc c8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c2 6d ff 3e aa fe f1 2b c3 0a b0 a2 a5 e0 a8 ab 45 cd 87 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ac c6 9f a4 a9 ba 30 79 08 fa 59 4c d2 dc 3d 36 ca 17 d7 c1
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] b2 a2 41 f5 89 0f 00 d4 2d f2 55 d2 30 a5 32 c7 46 7a 6b 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 29 0f 53 9f 35 42 91 e5 7d f7 30 6d bc b3 f2 ae f3 f0 ed 88
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c4 d7 7d 0c 2d f6 5f c8 ed 9f 9a 57 54 79 d0 0f 0b 2f 9c 0d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 94 2e f0 f4 66 62 f7 ae 2e f8 8e 90 08 ba 63 85 b6 46 2f b7
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a7 01 29 9a 14 58 a8 ef eb 07 17 4e 95 8b 2f 48 5f d3 18 10
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 00 d5 03 d7 fd 45 45 ca 67 5b 34 be b8 00 ae ea 9a cd 50
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] d6 e7 a2 81 86 78 11 d7 bf 04 9f 8b 43 3f f7 36 5f ed 31 a8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50 01 0f 86 9d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Exponent: 65537 (0x10001)
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52]
X509 Certificate Version 3
    refCount: 1
    Serial Number: 1
    Issuer: O=MGMT.checkpoint.com.s6t98x
    Subject: O=MGMT.checkpoint.com.s6t98x
    Not valid before: Sun Apr 8 13:41:00 2018 Local Time
    Not valid after: Fri Jan 1 05:14:07 2038 Local Time
    Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
    Extensions:
        Key Usage:
            digitalSignature
            keyCertSign
            cRLSign
        Basic Constraint (Critical):
            is CA

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MGMT:0]#


Example 3 - Showing the SIC certificate of a managed Cluster object

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
    Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
    Issuer: O=MGMT.checkpoint.com.s6t98x
    Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
    Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
    Serial No.: 85021
    Public Key: RSA (2048 bits)
    Signature: RSA with SHA256
    Subject Alternate Names:
        IP Address: 192.168.3.244
    CRL distribution points:
        http://192.168.3.240:18264/ICA_CRL2.crl
        CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x
    Key Usage:
        digitalSignature
        keyEncipherment
    Basic Constraint:
        not CA
    MD5 Fingerprint:
        B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
    SHA-1 Fingerprints:
        1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
        2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
[Expert@MGMT:0]#


Example 4 - Showing the SIC certificate of a managed Cluster object in verbose mode

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: called
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: closing existing database
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] do_links_getver: strncmp failed. Returning -2

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 1 certificates
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] PubKey:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Modulus:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] df 35 c3 45 ca 42 16 6e 21 9e 31 af c1 fd 20 0a 3d 5b 6f 5d
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] e0 a2 0c 0e fa fa 5e e5 91 9d 4e 73 77 fa db 86 0b 5e 5d 0c
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] ce af 4a a4 7b 30 ed b0 43 7d d8 93 c5 4b 01 f4 3d b5 d8 f4
... ... ...
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 34 b1 db ac 18 4f 11 bd d2 fb 26 7d 23 74 5c d9 00 a1 58 1e
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 60 7c 83 44 fa 1e 1e 86 fa ad 98 f7 df 24 4a 21
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Exponent: 65537 (0x10001)
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45]
X509 Certificate Version 3
    refCount: 1
    Serial Number: 85021
    Issuer: O=MGMT.checkpoint.com.s6t98x
    Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
    Not valid before: Sun Jun 3 19:58:19 2018 Local Time
    Not valid after: Sat Jun 3 19:58:19 2023 Local Time
    Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
    Extensions:
        Key Usage:
            digitalSignature
            keyEncipherment
        Subject Alternate names:
            IP: 192.168.3.244
        Basic Constraint:
            not CA
        CRL distribution Points:
            URI: http://192.168.3.240:18264/ICA_CRL2.crl
            DN: CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager: called.
*****
[Expert@MGMT:0]#


fwm sic_reset

Description
Resets SIC on the Management Server.
For detailed procedure, see sk65764: How to reset SIC.

Warning:
- Before you run this command, take a Gaia Snapshot and a full backup of the
  Management Server.
  This command resets SIC between the Management Server and all its
  managed objects.
- This operation breaks trust in all Internal CA certificates and SIC trust across
  the managed environment.
  Therefore, we do not recommend it at all, except for real disaster recovery.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] sic_reset

Parameters

Parameter    Description
-d           Runs the command in debug mode.
             Use only if you troubleshoot the command itself.
             Best Practice - If you use this parameter, then redirect the output to a
             file, or use the script command to save the entire CLI session.
             For complete debug instructions, see the description of the fwm process in
             sk97638.


fwm snmp_trap

Description
Sends an SNMPv1 Trap to the specified host.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- On a Multi-Domain Server, the SNMP Trap packet is sent from the IP address of
  the Leading Interface.

Syntax

fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s
<Specific Trap Number>] [-p <Source Port>] [-c <SNMP Community>]
<Target> ["<Message>"]


Parameters

Parameter                   Description
-d                          Runs the command in debug mode.
                            Use only if you troubleshoot the command itself.
                            Best Practice - If you use this parameter, then redirect the
                            output to a file, or use the script command to save the
                            entire CLI session.
                            For complete debug instructions, see the description of the fwm
                            process in sk97638.
-v <SNMP OID>               Specifies an optional SNMP OID to bind with the message.
-g <Generic Trap Number>    Specifies the generic trap number.
                            One of these values:
                            - 0 - For coldStart trap
                            - 1 - For warmStart trap
                            - 2 - For linkDown trap
                            - 3 - For linkUp trap
                            - 4 - For authenticationFailure trap
                            - 5 - For egpNeighborLoss trap
                            - 6 - For enterpriseSpecific trap (this is the default value)
-s <Specific Trap Number>   Specifies the unique trap type.
                            Valid only if the generic trap value is 6 (for
                            enterpriseSpecific).
                            Default value is 0.
-p <Source Port>            Specifies the source port, from which to send the SNMP Trap
                            packets.
-c <SNMP Community>         Specifies the SNMP community.
<Target>                    Specifies the managed target host, to which to send the SNMP
                            Trap packets.
                            Enter an IP address or a resolvable hostname.
"<Message>"                 Specifies the SNMP Trap text message.


Example - Sending an SNMP Trap from a Management Server and capturing the traffic on
the Security Gateway

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public 192.168.3.52 "My Trap Message"
[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host 192.168.3.51
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:49:43.891287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 103) 192.168.3.51.53450 > MyGW_192.168.3.52.snmptrap: [udp sum ok] { SNMPv1 { Trap(58) E:2620.1.1 192.168.3.240 linkDown 1486440 E:2620.1.1.11.0="My Trap Message" } }
Pressed CTRL+C
[Expert@MyGW_192.168.3.52:0]#


fwm unload

Description
Unloads the policy from the specified managed Security Gateways or Cluster Members.

Warning:
1. The fwm unload command prevents all traffic from passing through the
   Security Gateway (Cluster Member), because it disables IP Forwarding in
   the Linux kernel on the specified Security Gateway (Cluster Member).
2. The fwm unload command removes all policies from the specified Security
   Gateway (Cluster Member).
   This means that the Security Gateway (Cluster Member) accepts all incoming
   connections destined to all active interfaces without any filtering or protection
   enabled.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- If it is necessary to remove the current policy, but keep the Security Gateway
  (Cluster Member) protected, then run the "comp_init_policy" on page 913
  command on the Security Gateway (Cluster Member).
- To load the policies on the Security Gateway (Cluster Member), run one of
  these commands on the Security Gateway (Cluster Member), or reboot:
  - "fw fetch" on page 1048
  - "cpstart" on page 957
- In addition, see the "fw unloadlocal" on page 1161 command.

Syntax

fwm [-d] unload <GW1> <GW2> ... <GWN>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to
    a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process
    in sk97638.

<GW1> <GW2> ... <GWN>
    Specifies the managed Security Gateways by their main IP address or
    Object Name as configured in SmartConsole.

Example

[Expert@MyGW:0]# cpstat -f policy fw
Product name: Firewall
Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#

[Expert@MyGW:0]# cpstat -f policy fw
Product name: Firewall
Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#
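A check that automates what the two pairs of outputs above are compared for, as an added example (not code from the guide or from Check Point): it parses the "cpstat -f policy fw" and "sysctl -a | grep forwarding" text and names the state the gateway is in. The sample strings are constructed excerpts of the page's own outputs.

```python
"""Classify a gateway from 'cpstat -f policy fw' and 'sysctl -a | grep forwarding' text.

Added example, not Check Point code. After 'fwm unload' the expected picture
is an empty policy name and every forwarding sysctl at 0; an empty policy
name while interfaces still forward is the state worth alerting on.
The sample strings below are constructed excerpts of the page's outputs.
"""
import re

CPSTAT_LOADED = ("Product name: Firewall\n"
                 "Policy name: CXL_Policy\n"
                 "Policy install time: Wed Oct 23 18:23:14 2019\n")
CPSTAT_UNLOADED = "Product name: Firewall\nPolicy name:\nPolicy install time:\n"
SYSCTL_ON = ("net.ipv6.conf.eth0.forwarding = 1\n"
             "net.ipv4.conf.eth0.mc_forwarding = 0\n"   # multicast key, not counted
             "net.ipv4.conf.eth0.forwarding = 1\n"
             "net.ipv4.conf.all.forwarding = 1\n")
SYSCTL_OFF = SYSCTL_ON.replace("= 1", "= 0")


def policy_name(cpstat_output):
    """Installed policy name, or '' when the 'Policy name:' line is empty."""
    match = re.search(r"^Policy name:[ \t]*(\S*)[ \t]*$", cpstat_output, re.M)
    if match is None:
        raise ValueError("no 'Policy name' line in cpstat output")
    return match.group(1)


def forwarding_interfaces(sysctl_output):
    """'<iface>/ipv4' and '<iface>/ipv6' keys whose .forwarding value is 1."""
    pattern = r"^net\.ipv([46])\.conf\.([^.\s]+)\.forwarding = 1$"
    found = re.findall(pattern, sysctl_output, re.M)
    return sorted(f"{iface}/ipv{fam}" for fam, iface in found)


def classify(cpstat_output, sysctl_output):
    """One of four states; 'no-policy-forwarding' is the one to alert on."""
    loaded = bool(policy_name(cpstat_output))
    forwarding = forwarding_interfaces(sysctl_output)
    if loaded and forwarding:
        return "policy-loaded"            # normal operation
    if not loaded and not forwarding:
        return "unloaded"                 # the state fwm unload leaves behind
    if not loaded:
        return "no-policy-forwarding"     # packets forwarded with no policy
    return "policy-not-forwarding"        # policy present, forwarding off
```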

fwm ver

Description
Shows the Check Point version of the Security Management Server.

Note - On a Multi-Domain Server, you can run this command:
- In the context of the MDS:
  mdsenv
- In the context of a Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ver [-f <Output File>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output
    to a file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm
    process in sk97638.

-f <Output File>
    Specifies the name of the output file, in which to save this information.

Example

[Expert@MGMT:0]# fwm ver
This is Check Point Security Management Server R80.40 - Build 11
[Expert@MGMT:0]#

fwm verify
Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 362 command to verify a policy on a managed Security Gateway.

Description
Verifies the specified policy package without installing it.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] verify <Policy Name>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.
    For complete debug instructions, see the description of the fwm process
    in sk97638.

<Policy Name>
    Specifies the name of the policy package as configured in SmartConsole.

Example

[Expert@MGMT:0]# fwm verify Standard
Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#

inet_alert
Description
Notifies an Internet Service Provider (ISP) when a company's corporate network is under
attack. This command forwards log messages generated by the alert daemon on your Check
Point Security Gateway to an external Management Station. This external Management
Station is usually located at the ISP site. The ISP can then analyze the alert and react
accordingly.
This command uses the Event Logging API (ELA) protocol to send the alerts. The
Management Station receiving the alert must be running the ELA Proxy.

If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must
be performed between the external Management Station running the ELA Proxy at the ISP site
and the Check Point Security Gateway generating the alert.

Procedure

1. Connect with SmartConsole to the applicable Security Management Server or
   Domain Management Server, which manages the applicable Security Gateway
   that should forward log messages to an external Management Station.
2. From the top left Menu, click Global properties.
3. Click the [+] next to Log and Alert, and click Alerts.
4. Clear the Send user defined alert no. 1 to SmartView Monitor option.
5. Select the Run UserDefined script option below it.
6. Enter the applicable inet_alert syntax (see the Syntax section below).
7. Click OK.
8. Install the Access Control Policy on the applicable Security Gateway.

Syntax

inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f <Token> <Value>] [-m <Alert Type>]

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Parameters

-s <IP Address>
    The IPv4 address of the ELA Proxy (usually located at the ISP site).

-o
    Prints the alert log received to stdout.
    Use this option when inet_alert is part of a pipe syntax
    (<some command> | inet_alert ...).

-a <Auth Type>
    Specifies the type of connection to the ELA Proxy.
    One of these values:
    - ssl_opsec - The connection is authenticated and encrypted (this is
      the default).
    - auth_opsec - The connection is authenticated.
    - clear - The connection is neither authenticated, nor encrypted.

-p <Port>
    Specifies the port number on the ELA proxy. Default port is 18187.

-f <Token> <Value>
    A field to be added to the log, represented by a <Token> <Value> pair
    as follows:
    - <Token> - The name of the field to be added to the log. Cannot
      contain spaces.
    - <Value> - The field's value. Cannot contain spaces.
    This option can be used multiple times to add multiple <Token> <Value>
    pairs to the log.

-m <Alert Type>
    The alert to be triggered at the ISP site.
    This alert overrides the alert specified in the log message generated by the
    alert daemon.
    The response to the alert is handled according to the actions specified in
    the ISP Security Policy.
    These alerts execute the OS commands:
    - alert - Popup alert command
    - mail - Mail alert command
    - snmptrap - SNMP trap alert command
    - spoofalert - Anti-Spoof alert command
    These NetQuota and ServerQuota alerts execute the OS commands
    specified in the $FWDIR/conf/objects.C file:
    value=clientquotaalert. Parameter=clientquotaalertcmd

Exit Status

0 - Execution was successful.
102 - Undetermined error.
103 - Unable to allocate memory.
104 - Unable to obtain log information from stdin.
106 - Invalid command line arguments.
107 - Failed to invoke the OPSEC API.

Example

inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies to perform these actions in the event of an attack:
- Establish a clear connection with the ELA Proxy located at IP address 10.0.2.4
- Send a log message to the specified ELA Proxy. Set the product field of this log message
  to cads
- Trigger the OS command specified in the SmartConsole > Menu > Global properties >
  Log and Alert > Popup Alert Command field.

ldapcmd
Description
This is an LDAP utility that controls these features:

Cache
    LDAP cache operations, such as emptying the cache, as well as providing
    debug information.

Statistics
    LDAP search statistics, such as:
    - All user searches
    - Pending lookups (when two or more lookups are identical)
    - Total lookup time (the total search time for a specific lookup)
    - Cache statistics such as hits and misses
    These statistics are saved in the $FWDIR/log/ldap_pid_<Process PID>.stats file.

Logging
    View the alert and warning logs.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcmd [-d <Debug Level>] -p {<Process Name> | all} <Command>

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-p {<Process Name> | all}
    Runs on a specified Check Point process, or all supported Check Point processes.

<Command>
    One of these commands:
    - cacheclear {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Clears cache for all objects
      - UserCacheObject - Clears cache for user objects
      - TemplateCacheObject - Clears cache for template objects
      - TemplateExtGrpCacheObject - Clears cache for external template group objects
    - cachetrace {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Traces cache for all objects
      - UserCacheObject - Traces cache for user objects
      - TemplateCacheObject - Traces cache for template objects
      - TemplateExtGrpCacheObject - Traces cache for external template group objects
    - log {on | off}
      - on - Creates LDAP logs
      - off - Does not create LDAP logs
    - stat {<Print Interval in Sec> | 0}
      - <Print Interval in Sec> - How frequently to collect the statistics
      - 0 - Stops collecting the statistics

ldapcompare
Description
This is an LDAP utility that performs compare queries and prints a message whether the result
returned a match or not.
This utility opens a connection to an LDAP directory server, binds, and performs the
comparison specified on the command line or from a specified file.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute> <Value> | <Attribute> <Base64 Value>}

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

<Options>
    See the tables below:
    - Compare options
    - Common options

<DN>
    Specifies the Distinguished Name.

<Attribute>
    Specifies the assertion attribute.

<Value>
    Specifies the assertion value.

<Base64 Value>
    Specifies the Base64 encoding of the assertion value.

Compare options

-E [!]<Extension>[=<Extension Parameter>]
    Specifies the compare extensions.
    Note - The exclamation sign "!" indicates criticality.
    For example: !dontUseCopy = Do not use Copy

-M
    Enables the Manage DSA IT control.
    Use the "-MM" option to make it critical.

-P <LDAP Protocol Version>
    Specifies the LDAP protocol version. Default version is 3.

-z
    Enables the quiet mode.
    The command does not print anything. You can use the command return values.

Common options

-D <Bind DN>
    Specifies the LDAP Server administrator Distinguished Name.

-e [!]<Extension>[=<Extension Parameter>]
    Specifies the general extensions:
    Note - The exclamation sign "!" indicates criticality.
    - [!]assert=<Filter>
      RFC 4528; an RFC 4515 filter string
    - [!]authzid=<Authorization ID>
      RFC 4370; either "dn:<DN>", or "u:<Username>"
    - [!]chaining[=<Resolve Behavior>[/<Continuation Behavior>]]
      One of these:
      - "chainingPreferred"
      - "chainingRequired"
      - "referralsPreferred"
      - "referralsRequired"
    - [!]manageDSAit
      RFC 3296
    - [!]noop
    - ppolicy
    - [!]postread[=<Attributes>]
      RFC 4527; a comma-separated list of attributes
    - [!]preread[=<Attributes>]
      RFC 4527; a comma-separated list of attributes
    - [!]relax
    - abandon
      SIGINT sends the abandon signal; if critical, does not wait for SIGINT.
      Not really a control.
    - cancel
      SIGINT sends the cancel signal; if critical, does not wait for SIGINT.
      Not really a control.
    - ignore
      SIGINT ignores the response; if critical, does not wait for SIGINT.
      Not really a control.

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.

-H <LDAP URI>
    Specifies the LDAP Server Uniform Resource Identifier(s).

-I
    Specifies to use the SASL Interactive mode.

-n
    Dry run - shows what would be done, but does not actually do it.

-N
    Specifies not to use the reverse DNS to canonicalize the SASL host name.

-o <Option>[=<Option Parameter>]
    Specifies the general options:
    nettimeout={<Timeout in Sec> | none | max}

-O <Properties>
    Specifies the SASL security properties.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-Q
    Specifies to use the SASL Quiet mode.

-R <Realm>
    Specifies the SASL realm.

-U <Authentication Identity>
    Specifies the SASL authentication identity.

-v
    Runs in verbose mode (prints the diagnostics to stdout).

-V
    Prints version information (use the "-VV" option only).

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password (for simple authentication).

-W
    Specifies to prompt the user for the LDAP Server administrator password.

-x
    Specifies to use simple authentication.

-X <Authorization Identity>
    Specifies the SASL authorization identity (either "dn:<DN>", or "u:<Username>").

-y <File>
    Specifies to read the LDAP Server administrator password from the <File>.

-Y <SASL Mechanism>
    Specifies the SASL mechanism.

-Z
    Specifies to start the TLS request.
    Use the "-ZZ" option to require a successful response.

ldapmemberconvert
Description
This is an LDAP utility that ports the "Member" attribute values in LDAP group entries to
"MemberOf" attribute values in the LDAP member (User or Template) entries.
This utility converts the LDAP server data to work in either the "MemberOf" mode or the "Both"
mode. The utility searches through all specified group or template entries that hold one or
more "Member" attribute values and fetches those values.
Each value is the DN of a member entry. The entry identified by this DN receives a "MemberOf"
attribute value that holds the DN of the group/template at hand. In addition, the utility deletes
those "Member" attribute values from the group/template, unless you run the command in the
"Both" mode.
When you run the command, it creates a log file ldapmemberconvert.log in the current
working directory. The command logs all modifications done and errors encountered in that log
file.

Important - Back up the LDAP server database before you run this conversion utility.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP Server Port> -D <LDAP Admin DN>
-w <LDAP Admin Password> -m <Member Attribute Name> -o <MemberOf Attribute Name>
-c <Member ObjectClass Value> [-B] [-f <File> | -g <Group DN>] [-L <LDAP Server Timeout>]
[-M <Number of Updates>] [-S <Size>] [-T <LDAP Client Timeout>] [-Z]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-m <Member Attribute Name>
    Specifies the LDAP attribute name when fetching and (possibly) deleting a group
    Member attribute value.

-o <MemberOf Attribute Name>
    Specifies the LDAP attribute name for adding an LDAP "MemberOf" attribute value.

-c <Member ObjectClass Value>
    Specifies the LDAP "ObjectClass" attribute value that defines which type of member
    to modify.
    You can specify multiple attribute values with this syntax:
    -c <Member Object Class 1> -c <Member Object Class 2> ... -c <Member Object Class N>

-B
    Specifies to run in "Both" mode.

-f <File>
    Specifies the file that contains a list of Group DNs separated by a new line:
    <Group DN 1>
    <Group DN 2>
    ...
    <Group DN N>
    Length of each line is limited to 256 characters.

-g <Group DN>
    Specifies the Group or Template Distinguished Name, on which to perform the conversion.
    You can specify multiple Group DNs with this syntax:
    -g <Group DN 1> -g <Group DN 2> ... -g <Group DN N>

-L <LDAP Server Timeout>
    Specifies the Server side time limit for LDAP operations, in seconds.
    Default is "never".

-M <Number of Updates>
    Specifies the maximal number of simultaneous member LDAP updates.
    Default is 20.

-S <Size>
    Specifies the Server side size limit for LDAP operations, in number of entries.
    Default is "none".

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-Z
    Specifies to use SSL connection.

Notes
There are two "GroupMembership" modes. You must keep these modes consistent:
- template-to-groups
- user-to-groups

For example, if you apply conversion on LDAP users to include the "MemberOf" attributes for
their groups, then this conversion has to be applied on LDAP defined templates for their
groups.

Troubleshooting
Symptom:
A command fails with an error message stating the connection stopped unexpectedly when
you run it with the parameter -M <Number of Updates>.
Root Cause:
The LDAP server could not handle that many LDAP requests simultaneously and closed the
connection.
Solution:
Run the command again with a lower value for the "-M" parameter. The default value should
be adequate, but can also cause a connection failure in extreme situations. Continue to reduce
the value until the command runs normally. Each time you run the command with the same set
of groups, the command continues from where it left off.

Examples
Example 1

A group is defined with the DN "cn=cpGroup,ou=groups,ou=cp,c=us" and these
attributes:

...
cn=cpGroup
uniquemember="cn=member1,ou=people,ou=cp,c=us"
uniquemember="cn=member2,ou=people,ou=cp,c=us"
...

For the two member entries:

...
cn=member1
objectclass=fw1Person
...

and:

...
cn=member2
objectclass=fw1Person
...

Run:
[Expert@MGMT:0]# ldapmemberconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person

The result for the group DN is:

...
cn=cpGroup
...

The result for the two member entries is:

...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

and:

...
cn=member2
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

If you run the same command with the "-B" parameter, it produces the same result, but the
group entry is not modified.

Example 2

If there is another member attribute value for the same group entry:
uniquemember="cn=template1,ou=people,ou=cp,c=us"

and the template is:

cn=template1
objectclass=fw1Template

Then after running the same command, the template entry stays intact, because the command
was run with the parameter "-c fw1Person", while the object class of "template1" is "fw1Template".
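What the conversion in Example 1 and Example 2 does, modelled on an in-memory directory in Python as an added example (not Check Point code and not an LDAP client): the DNs and object classes are the page's, while the log wording and the choice to keep a skipped member's value on the group are assumptions.

```python
"""In-memory model of the conversion ldapmemberconvert performs.

Added example, not Check Point code, and it speaks no LDAP: the directory is a
dict DN -> {attribute: [values]} built from Example 1 and Example 2 (DNs and
object classes from the page; the log wording is constructed).
"""
import copy

GROUP_DN = "cn=cpGroup,ou=groups,ou=cp,c=us"
MEMBER1 = "cn=member1,ou=people,ou=cp,c=us"
MEMBER2 = "cn=member2,ou=people,ou=cp,c=us"
TEMPLATE1 = "cn=template1,ou=people,ou=cp,c=us"

# Constructed sample directory: the group from Example 1 plus the template from Example 2.
SAMPLE_DIRECTORY = {
    GROUP_DN: {"cn": ["cpGroup"], "uniquemember": [MEMBER1, MEMBER2, TEMPLATE1]},
    MEMBER1: {"cn": ["member1"], "objectclass": ["fw1Person"]},
    MEMBER2: {"cn": ["member2"], "objectclass": ["fw1Person"]},
    TEMPLATE1: {"cn": ["template1"], "objectclass": ["fw1Template"]},
}


def member_convert(directory, group_dns, member_attr, memberof_attr,
                   member_classes, both_mode=False):
    """Add <memberof_attr>=<group DN> to each member of the groups (-g/-m/-o/-c/-B).

    Only entries whose objectclass is in member_classes are touched; the group's
    member values are removed afterwards unless both_mode is set. The directory
    is modified in place and the returned log lines mimic ldapmemberconvert.log
    (their exact wording is an assumption).
    """
    wanted = {c.lower() for c in member_classes}
    log = []
    for group_dn in group_dns:
        group = directory.get(group_dn)
        if group is None:
            log.append(f"ERROR group not found: {group_dn}")
            continue
        untouched = []  # member values the group keeps even in MemberOf mode
        for member_dn in group.get(member_attr, []):
            entry = directory.get(member_dn)
            if entry is None:
                log.append(f"ERROR member not found: {member_dn}")
                untouched.append(member_dn)
                continue
            if not wanted & {c.lower() for c in entry.get("objectclass", [])}:
                # Example 2: with -c fw1Person the fw1Template entry stays intact.
                # Assumption: its value on the group is kept as well.
                log.append(f"SKIP {member_dn}: objectclass not in {sorted(wanted)}")
                untouched.append(member_dn)
                continue
            memberof = entry.setdefault(memberof_attr, [])
            if group_dn not in memberof:
                memberof.append(group_dn)
                log.append(f"ADD {memberof_attr}={group_dn} on {member_dn}")
        if both_mode:
            continue  # -B: the group keeps all of its member values
        if untouched:
            group[member_attr] = untouched
        else:
            group.pop(member_attr, None)
        log.append(f"MODIFY {group_dn}: removed converted {member_attr} values")
    return log


def run_example(both_mode=False):
    """Example 1 on a copy of the sample directory: -m uniquemember -o memberof -c fw1Person."""
    directory = copy.deepcopy(SAMPLE_DIRECTORY)
    log = member_convert(directory, [GROUP_DN], "uniquemember", "memberof",
                         ["fw1Person"], both_mode)
    return directory, log
```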

ldapmodify
Description
This is an LDAP utility that imports users to an LDAP server. The input file must be in the LDIF
format.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmodify [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Server
Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-a] [-b]
[-c] [-F] [-k] [-n] [-r] [-v] [-T <LDAP Client Timeout>] [-Z] [ -f
<Input File> .ldif | < <Entry>]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-a
    Specifies that this is the LDAP "add" operation.

-b
    Specifies to read values from files (for binary attributes).

-c
    Specifies to ignore errors during continuous operation.

-F
    Specifies to force changes on all records.

-k
    Specifies the Kerberos bind.

-K
    Specifies the Kerberos bind, part 1 only.

-n
    Specifies to print the LDAP "add" operations, but do not actually perform them.

-r
    Specifies to replace values, instead of adding values.

-v
    Specifies to run in verbose mode.

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-Z
    Specifies to use SSL connection.

-f <Input File>.ldif
    Specifies to read from the <Input File>.ldif file.
    The input file must be in the LDIF format.

< <Entry>
    Specifies to read the entry from the stdin.
    The "<" character is a mandatory part of the syntax.
    It specifies that the input comes from the standard input (from the data
    you enter on the screen).

ldapsearch
Description
This is an LDAP utility that queries an LDAP directory and returns the results.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapsearch [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Port>]
[-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-A] [-B] [-b
<Base DN>] [-F <Separator>] [-l <LDAP Server Timeout>] [-s
<Scope>] [-S <Sort Attribute>] [-t] [-T <LDAP Client Timeout>] [-
u] [-z <Number of Search Entries>] [-Z] <Filter> [<Attributes>]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-A
    Specifies to retrieve attribute names only, without values.

-B
    Specifies not to suppress the printing of non-ASCII values.

-b <Base DN>
    Specifies the Base Distinguished Name (DN) for search.

-F <Separator>
    Specifies the print separator character between attribute names and their values.
    The default separator is the equal sign (=).

-l <LDAP Server Timeout>
    Specifies the Server side time limit for LDAP operations, in seconds.
    Default is "never".

-s <Scope>
    Specifies the search scope. One of these:
    - base
    - one
    - sub

-S <Sort Attribute>
    Specifies to sort the results by the values of this attribute.

-t
    Specifies to write values to files in the /tmp/ directory.
    Writes each <attribute>-<value> pair to a separate file named:
    /tmp/ldapsearch-<Attribute>-<Value>
    For example, for the fw1color attribute with the value a00188,
    the command writes to the file named:
    /tmp/ldapsearch-fw1color-a00188

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-u
    Specifies to show user-friendly entry names in the output.
    For example:
    shows cn=Babs Jensen, users, omi
    instead of cn=Babs Jensen, cn=users,cn=omi

-z <Number of Search Entries>
    Specifies the maximal number of entries to search on the LDAP Server.

-Z
    Specifies to use SSL connection.

<Filter>
    LDAP search filter compliant with RFC-1558.
    For example:
    objectclass=fw1host

<Attributes>
    Specifies the list of attributes to retrieve.
    If you do not specify attributes explicitly, then the command retrieves all attributes.

Example
[Expert@MGMT:0]# ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

With this syntax, the command:
1. Connects to the LDAP Server on port 18185.
2. Searches the LDAP Server under the Base DN "cn=omi".
3. Queries the LDAP directory for "fw1host" objects.
4. For each object found, prints the value of its "objectclass" attribute.

mcd
Description
This command changes the current working directory to the specified directory in the $FWDIR
directory in the context of a Domain Management Server.

Syntax

mdsenv <IP Address or Name of Domain Management Server>
mcd <Name of Directory in $FWDIR>

Example

[Expert@MDS:0]# mdsstat
+-----------------------------------------------------------------------------------------------------+
| Processes status checking                                                                           |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| Type | Name               | IP address      | FWM         | FWD         | CPD         | CPCA        |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| MDS  | -                  | 192.168.3.51    | up 15312    | up 15310    | up 10227    | up 15475    |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| CMA  | MyDomain_Server    | 192.168.3.240   | up 17225    | up 17208    | up 17101    | up 18402    |
+------+--------------------+-----------------+-------------+-------------+-------------+-------------+
| Total Domain Management Servers checked: 1            1 up            0 down                        |
| Tip: Run mdsstat -h for legend                                                                      |
+-----------------------------------------------------------------------------------------------------+
[Expert@MDS:0]#
[Expert@MDS:0]#
[Expert@MDS:0]# mdsenv MyDomain_Server
[Expert@MDS:0]#
[Expert@MDS:0]# mcd
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/
[Expert@MDS:0]#
[Expert@MDS:0]# pwd
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1
[Expert@MDS:0]#
[Expert@MDS:0]# ls -1
av
bin
conf
cpm-server
database
doc
hash
lib
libsw
log
scripts
state
tmp
[Expert@MDS:0]#

[Expert@MDS:0]# mcd av
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/av
[Expert@MDS:0]#
[Expert@MDS:0]# mcd bin
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/bin
[Expert@MDS:0]#
[Expert@MDS:0]# mcd conf
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/conf
[Expert@MDS:0]#
[Expert@MDS:0]# mcd log
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/log
[Expert@MDS:0]#
[Expert@MDS:0]# mcd scripts
changing to /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/scripts
[Expert@MDS:0]#

mds_backup
Description
The mds_backup command backs up binaries and data from a Multi-Domain Server to a user
specified working directory.
You then copy the backup files from the working directory to external storage.
This command requires Multi-Domain Superuser privileges.
The mds_backup command runs the gtar and dump commands to back up all databases.
The collected information is stored in one *.tar file. The file name is a combination of the
backup date and time and is saved in the current working directory. For example:
13Sep2015-141437.mdsbk.tar

Backing up and restoring in Management High Availability environment:
- To back up and restore a consistent environment, make sure to collect and
  restore the backups and snapshots from all servers in the High Availability
  environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the
  backup operation is completed.
For more information:
- About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration
  Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:
- Do not create or delete Domains or Domain Management Servers until the
  backup operation completes.
- It is important not to run the mds_backup command from directories that are
  not backed up.
  For example, when you back up a Multi-Domain Server, do not run the
  mds_backup command from the /opt/CPmds-<Current_Release>/ directory,
  because it is a circular reference (a backup of the directory in which the
  backup files are written).
  Run the mds_backup command from a location outside the product directory
  tree to be backed up. This becomes the working directory.
- The mds_backup command does not collect the active Security log file
  (*.log) and Audit log file (*.adtlog).
  This is necessary to prevent inconsistencies during the read-write operations.
  Best Practice - Perform a log switch before you start the backup
  procedure.
- You can back up the Multi-Domain Server configuration without the log files.
  This backup is typically significantly smaller than a full backup with logs.
  To back up without log files, add this line to the
  $MDSDIR/conf/mds_exclude.dat configuration file:
  log/*
- After the backup completes, copy the backup *.tar file, together with the
  mds_restore and gtar binary files, to your external backup location.

Syntax

mds_backup -h
mds_backup [-b] [-d <Target Directory>] [-ds] [-g] [-i] [-l] [-L {all | best}] [-s] [-v] [-x]

Parameters

Parameter              Description

-h                     Shows help text.

-b                     Batch mode - runs without asking anything (the parameter
                       "-g" is implied).

-d <Target Directory>  Specifies the output directory.
                       If not specified explicitly, the backup file is saved to the
                       current directory.
                       You cannot save the backup file to the root directory.

-ds                    Disconnects all current sessions and discards their
                       unpublished changes before the backup starts.

-g                     Runs without prompting to disconnect GUI clients.

-i                     Includes the Hit Count database in the backup:
                       $FWDIR/conf/hit_count_rules_table.sqlite

-l                     Excludes logs from the backup.

-L {all | best}        Locks all databases before the backup starts.
                       - -L all - Does not start the backup if it is not possible
                         to lock all databases.
                       - -L best - Starts the backup even if it is not possible
                         to lock all databases.

-s                     Stops Multi-Domain processes before the backup starts.

-v                     "Dry run" - Shows all files to be backed up, but does not
                       perform the backup operation.

-x                     Excludes binary files from the backup.
                       The binary files are listed in the
                       $MDSDIR/conf/mds_binaries_exclude.dat file.
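The notes above describe checks that are easy to get wrong by hand: running the command from inside the product tree, skipping the log switch, and shipping the archive without the mds_restore and gtar binaries needed to restore it. The following wrapper is added here as an example; it is not part of the guide or of Check Point's tooling. It assumes the product tree is /opt/CPmds-R80.40 (the path shown in this chapter's mdsenv example) and that mds_restore and gtar live at $MDSDIR/scripts/mds_restore and $MDSDIR/bin/gtar; those two locations, the SHA-256 manifest and the function names are the example's own choices and can be overridden through the environment.

```shell
#!/bin/bash
# Added example (not from the R80.40 guide): wrapper that enforces the mds_backup notes.
# Assumptions, not stated by the guide: product tree under /opt/CPmds-R80.40,
# mds_restore in $MDSDIR/scripts and gtar in $MDSDIR/bin. Override via environment.

PRODUCT_TREE="${PRODUCT_TREE:-/opt/CPmds-R80.40}"
MDS_RESTORE_BIN="${MDS_RESTORE_BIN:-${MDSDIR:-$PRODUCT_TREE}/scripts/mds_restore}"
GTAR_BIN="${GTAR_BIN:-${MDSDIR:-$PRODUCT_TREE}/bin/gtar}"

# Returns 0 when DIR is a safe working directory: not "/" (mds_backup -d refuses it)
# and not inside the product tree (the circular-reference case from the notes).
outside_product_tree() {
    dir=$1
    while [ "$dir" != "/" ] && [ "${dir%/}" != "$dir" ]; do dir=${dir%/}; done
    case "$dir" in
        /|"$PRODUCT_TREE"|"$PRODUCT_TREE"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Copies the newest *.mdsbk.tar from WORKDIR together with mds_restore and gtar into
# DEST and writes a SHA256SUMS manifest, so the set can be checked before a restore.
stage_backup_set() {
    workdir=$1; dest=$2
    tarfile=$(ls -t "$workdir"/*.mdsbk.tar 2>/dev/null | head -n 1)
    [ -n "$tarfile" ] || { echo "no *.mdsbk.tar in $workdir" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp -p "$tarfile" "$MDS_RESTORE_BIN" "$GTAR_BIN" "$dest"/ || return 1
    ( cd "$dest" && sha256sum "$(basename "$tarfile")" \
        "$(basename "$MDS_RESTORE_BIN")" "$(basename "$GTAR_BIN")" > SHA256SUMS )
}

# Verifies a staged set against its manifest (run on the restore side, before ./mds_restore).
verify_backup_set() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

# End-to-end run on the Multi-Domain Server from an Expert shell at MDS level (mdsenv):
# log switch, batch backup with all databases locked, then stage and verify the set.
run_mds_backup() {
    workdir=$1; dest=$2
    outside_product_tree "$workdir" || {
        echo "refusing: $workdir is / or inside $PRODUCT_TREE" >&2; return 1; }
    fw logswitch || return 1                 # close the active *.log before backing up
    ( cd "$workdir" && mds_backup -b -L all -d "$workdir" ) || return 1
    stage_backup_set "$workdir" "$dest" && verify_backup_set "$dest"
}

# Usage (on the MDS):  run_mds_backup /var/log/mds_backup /mnt/backup/mds-$(date +%F)
```

The -L all choice is deliberate: a backup taken while a database could not be locked is exactly the inconsistent backup the High Availability notes warn about, so the wrapper prefers to fail. The manifest is what the restore side checks before trusting the archive it received from external storage.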

mds_restore
Description
Use the mds_restore command to restore a Multi-Domain Server / Multi-Domain Log Server
that was backed up with the "mds_backup" on page 711 command.

Important - You must restore on a server that runs the same software version as
the server from which you collected this backup.
Example: If you collected a backup on a server with version "XX" and Jumbo Hotfix
Accumulator Take "YY", then you must restore on a server with version "XX" and
Jumbo Hotfix Accumulator Take "YY".
Best Practice - If the Multi-Domain Security Management environment has multiple
Multi-Domain Servers, restore all Multi-Domain Servers at the same time.

Backing up and restoring in Management High Availability environment:

- To back up and restore a consistent environment, make sure to collect and
  restore the backups and snapshots from all servers in the High Availability
  environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the
  backup operation is completed.

For more information:

- About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

To restore a Multi-Domain Server:

1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode.
3. Go to the directory where the backup file is located (the mds_restore and gtar
   binaries copied during the backup must be in the same directory).
4. Run:
   ./mds_restore <backup_file>
5. If you restore on a Multi-Domain Server with a new IP address, configure the new
   IP address.

mdscmd
Description
In versions lower than R80, this utility executed various commands on the Multi-Domain
Server.
Starting from R80, this command is obsolete.
You must use other commands. If there is no alternative command, then perform the
applicable action in SmartConsole.

MDSCMD command in pre-R80 versions       Alternative command in R80 and above

mdscmd addadministrator <options>        None
mdscmd adddomain <options>               mgmt_cli add domain
mdscmd addlogserver <options>            mgmt_cli add domain
mdscmd addmanagement <options>           mgmt_cli add domain
mdscmd assign-globalpolicy <options>     mgmt_cli set global-assignment
mdscmd assignadmin <options>             mgmt_cli set administrator
mdscmd assignguiclient <options>         None
mdscmd deleteadministrator <options>     None
mdscmd deletedomain <options>            mgmt_cli delete domain
mdscmd deletelogserver <options>         None
mdscmd deletemanagement <options>        mgmt_cli delete domain
mdscmd disableglobaluse <options>        None
mdscmd enableglobaluse <options>         None
mdscmd install-globalpolicy <options>    mgmt_cli assign global-assignment
mdscmd migratemanagement <options>       None
mdscmd mirrormanagement <options>        None
mdscmd reassign-globalpolicy <options>   mgmt_cli set global-assignment
                                         mgmt_cli assign global-assignment
mdscmd remove-globalpolicy <options>     mgmt_cli delete global-assignment
mdscmd removeadmin <options>             mgmt_cli set administrator
mdscmd removeguiclient <options>         None
mdscmd runcrossdomainquery <options>     None
mdscmd startmanagement <options>         mdsstart_customer
mdscmd stopmanagement <options>          mdsstop_customer

For the mgmt_cli commands, see "mgmt_cli" on page 737. For the start and stop commands,
see "mdsstart_customer" on page 729 and "mdsstop_customer" on page 736.

mdsconfig
Description
This command starts the Multi-Domain Server Configuration Program. This tool configures
specific settings for the installed Check Point products.

Note - This command updates the database schema before it imports. First, the
command runs pre-upgrade verification. If no errors are found, migration continues. If
there are errors, you must fix them on the source R7x Domain Management Server
according to instructions in the error messages. Then do this procedure again.

For the complete procedure, see the R80.40 Installation and Upgrade Guide.

Syntax

mdsconfig

Menu Options

Menu Option                         Description

Leading VIP Interfaces              The Leading VIP Interfaces are real interfaces connected
                                    to an external network.
                                    These interfaces are used when you configure virtual IP
                                    addresses for Domain Management Servers.

Licenses                            Manages Check Point licenses and contracts on this server.

Random Pool                         Configures the RSA keys, to be used by Gaia Operating
                                    System.

Groups                              Usually, the Multi-Domain Server is given group permission
                                    for access and execution.
                                    You may now name such a group or instruct the installation
                                    procedure to give no group permissions to the server.
                                    In the latter case, only the Super-User is able to access
                                    and execute commands on the server.

Certificate's Fingerprint           Shows the ICA's Fingerprint.
                                    This fingerprint is a text string derived from the server's
                                    ICA certificate.
                                    This fingerprint verifies the identity of the server when
                                    you connect to it with SmartConsole: compare it with the
                                    fingerprint SmartConsole shows on the first connection
                                    before you accept it.

Administrators                      Configures Check Point system administrators for this
                                    server.

GUI Clients                         Configures the GUI clients that can use SmartConsole to
                                    connect to this server.

Automatic Start of Multi-Domain     Shows and controls if Multi-Domain Server starts
Server                              automatically during boot.

P1Shell                             Obsolete. Do not use this option anymore.
                                    Important - This option and the p1shell command are not
                                    supported (Known Limitation PMTR-45085).

Start Multi-Domain Server           Configures a password to control the start of the
Password                            Multi-Domain Server.

IPv6 Support for Multi-Domain       Enables or disables the IPv6 Support on the Multi-Domain
Server                              Server.
                                    Important - R80.40 Multi-Domain Server does not support
                                    IPv6 address configuration (Known Limitation PMTR-14989).

IPv6 Support for Existing Domain    Enables or disables the IPv6 Support on the Domain
Management Servers                  Management Servers.
                                    Important - R80.40 Multi-Domain Server does not support
                                    IPv6 address configuration (Known Limitation PMTR-14989).

Exit                                Exits from the Multi-Domain Server Configuration Program.

Example - Menu on a Multi-Domain Server

[Expert@MyMDS:0]# mdsconfig

Welcome to Multi-Domain Server Configuration Program


=================================================================
This program will let you re-configure your Multi-Domain Server configuration.

Configuration Options:
----------------------
(1) Leading VIP Interfaces
(2) Licenses
(3) Random Pool
(4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain Server
(9) P1Shell
(10) Start Multi-Domain Server Password
(11) IPv6 Support for Multi-Domain Server
(12) IPv6 Support for Existing Domain Management Servers

(13) Exit

Enter your choice (1-13):

mdsenv
Description
Use the mdsenv command to set shell environment variables to run commands on a specified
Domain Management Server.
When run without an argument, the command sets the shell for Multi-Domain Server level
commands ("mdsstart" on page 725, "mdsstop" on page 732, and so on).

Syntax

mdsenv [<Name or IP address of Domain Management Server>]

Parameters

Parameter                                         Description

<Name or IP address of Domain Management Server>  Specifies the Domain Management Server
                                                  by its name or IPv4 address.

Example

[Expert@MyMDS:0]# mdsstat
+---------------------------------------------------------------------------------------+
| Processes status checking                                                             |
+-----+-----------------+-----------------+------------+----------+----------+----------+
| Type| Name            | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+-----------------+-----------------+------------+----------+----------+----------+
| MDS | -               | 192.168.3.51    | up 10086   | up 11422 | up 5427  | up 11440 |
+-----+-----------------+-----------------+------------+----------+----------+----------+
| CMA | MyDomain_Server | 192.168.3.240   | up 10891   | up 8199  | up 7670  | up 9536  |
+-----+-----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 1  1 up  0 down                              |
| Tip: Run mdsstat -h for legend                                                        |
+---------------------------------------------------------------------------------------+
[Expert@MyMDS:0]#
[Expert@MyMDS:0]# mdsenv MyDomain_Server
[Expert@MyMDS:0]#
[Expert@MyMDS:0]# echo $FWDIR
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1
[Expert@MyMDS:0]#

mdsquerydb
Description
The mdsquerydb is an advanced database query tool that administrators can use to run shell
scripts to get information from the Multi-Domain Security Management databases.
Use this command to get information from the Multi-Domain Server, Domain Management
Server, and Global databases.

Note - The system comes with pre-defined queries, defined in the
$MDSDIR/conf/queries.conf configuration file. Do not change or delete these
queries.

Syntax

mdsquerydb <key_name> [-f <output_file_name>]

Parameters

Parameter              Description

<key_name>             Query key, which must be defined in the pre-defined queries
                       configuration file.

-f <output_file_name>  Sends the query results to the specified file. If this parameter
                       is not specified, the data is sent to the standard output.

Pre-Defined Query Keys

Keys for Multi-Domain environment:


----------------------------------
GlobalNetworkObjects Get name and type of all global network objects
NetworkObjects Get all Domains' internal Check Point installed network objects
Domains Get names of all Domains
Administrators Get names of all Administrators
MDSs Get names and IPs of all MDSs
DomainManagementServers Get names of all Domain Servers
GuiClients Get names and IPs of all gui clients
CMAs Backwards Compatibility (DomainManagementServers)
Customers Backwards Compatibility (Domains)
Keys for Domain environment:
----------------------------
NetworkObjects Get name and type of all network objects
Gateways Get names and IPs of all gateways

Example 1 - Retrieve list of all defined keys


[Expert@MDS:0]# mdsquerydb

Example 2 - Send a list of Domains in the Multi-Domain Server database to the standard
output

[Expert@MDS:0]# mdsenv
[Expert@MDS:0]# mdsquerydb Domains

Example 3 - Send a list of network objects in the global database to the /tmp/gateways.txt
file

[Expert@MDS:0]# mdsenv
[Expert@MDS:0]# mdsquerydb NetworkObjects -f /tmp/gateways.txt

Example 4 - Send a list of gateway objects in the Domain Management Server
"My_Domain_Server" to the /tmp/gateways.txt file

[Expert@MDS:0]# mdsenv My_Domain_Server
[Expert@MDS:0]# mdsquerydb Gateways -f /tmp/gateways.txt

mdsstart
Description
Starts the Multi-Domain Server and all Domain Management Servers.
To start a specific Domain Management Server, see the "mdsstart_customer" on page 729
command.

Syntax

mdsstart [-m | -s]

Parameters

Parameter Description

-m Optional: Starts only the Multi-Domain Server and not the Domain
Management Servers.

-s Optional: Starts all the Domain Management Servers sequentially.


The command waits for each Domain Management Server to come up,
before it starts the next one.

Controlling the number of Domain Management Servers to start sequentially


By default, the system attempts to start up to 10 Domain Management Servers at the same
time.

You can decrease the amount of time it takes to start the Multi-Domain Server when there are
many Domain Management Servers.
To do this, set the value of the environment variable NUM_EXEC_SIMUL to the number of
Domain Management Servers that start at the same time.

Setting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure configures the specified value for the environment variable NUM_EXEC_
SIMUL in the current shell (does not survive reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Set the value of the environment variable NUM_EXEC_SIMUL:


[Expert@MDS:0]# export NUM_EXEC_SIMUL=<Number of Domain
Management Servers>
Example:
[Expert@MDS:0]# export NUM_EXEC_SIMUL=5

4 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must show the configured value.

Unsetting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure removes the configured value for the environment variable NUM_EXEC_
SIMUL in the current shell (does not survive reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Unset the value of the environment variable NUM_EXEC_SIMUL:


[Expert@MDS:0]# unset NUM_EXEC_SIMUL

4 Make sure the environment variable NUM_EXEC_SIMUL is not set:


[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must be empty.

Setting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure configures the specified value for the environment variable NUM_EXEC_
SIMUL for all shells (survives reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:


[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP}

4 Edit the current /etc/rc.d/rc.local file:


[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Add this line at the bottom of the file:


export NUM_EXEC_SIMUL=<Number of Domain Management
Servers>

Important - After this line, you must press Enter to add a new line.

Example:
export NUM_EXEC_SIMUL=5

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must show the configured value.

Unsetting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure removes the configured value for the environment variable NUM_EXEC_
SIMUL for all shells (survives reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:


[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP_with_
NUM_EXEC_SIMUL}

4 Edit the current /etc/rc.d/rc.local file:


[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Remove this line from the file:


export NUM_EXEC_SIMUL=<Number of Domain Management
Servers>

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is not
set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must be empty.

mdsstart_customer
Description
Starts the specified Domain Management Server, if it was stopped with the "mdsstop_
customer" on page 736 command.
To start the entire Multi-Domain Server, see the "mdsstart" on page 725 command.

Syntax

mdsstart_customer <IP address or Name of Domain Management Server>


Note - If the name of the Domain Management Server includes spaces, you must
surround it with quotes ("Name of Domain Management Server").

mdsstat
Description
This command shows the status of specific processes on the Multi-Domain Server and
Domain Management Servers.

Syntax

mdsstat [-h] [-m] [<Name or IP Address of Domain Management Server>]

Parameters

Parameter                                         Description

-h                                                Displays help message.

-m                                                Tests the status of the Multi-Domain
                                                  Server only.

<Name or IP address of Domain Management Server>  Specifies the Domain Management Server
                                                  by its name or IPv4 address.

Possible Statuses of Processes

Status Description

up The process is up.

down The process is down.

pnd The process is pending initialization.

init The process is initializing.

N/A The process's PID is not yet available.

N/R The process is not relevant for this Multi-Domain Server.

Example

[Expert@MDS:0]# mdsstat
+--------------------------------------------------------------------------------------+
| Processes status checking |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | - | 192.168.3.101 | up 17284 | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |DOM211_Server | 192.168.3.211 | up 32227 | up 32212 | up 25725 | up 32482 |
| CMA |DOM212_Server | 192.168.3.212 | up 4248 | up 4184 | up 4094 | up 4441 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 2 2 up 0 down |
| Tip: Run mdsstat -h for legend |
+--------------------------------------------------------------------------------------+
[Expert@MDS:0]#
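The table above is read by eye; for monitoring a fleet of Domain Management Servers the same check belongs in a script. The following parser is added here as an example and is not part of the guide. It turns mdsstat output into one line per process whose status is anything other than "up" (using the status values from the legend table), so a cron job or a monitoring agent can alert on a Domain Management Server that is down or stuck in "pnd". The sample table embedded in the script is constructed for the example: it reuses the layout shown above with three process cells deliberately not "up". On a live server, pipe mdsstat into mdsstat_problems instead.

```shell
#!/bin/sh
# Added example (not from the R80.40 guide): parse mdsstat output and list every
# process on the MDS or on a Domain Management Server (CMA) that is not "up".
# Output format: "<Type> <Name> <IP address> <Process> <Status>", one line per problem.

# Constructed sample in the mdsstat table layout (not real output from a server).
SAMPLE_MDSSTAT='
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | -              | 192.168.3.101   | up 17284   | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |DOM211_Server   | 192.168.3.211   | up 32227   | up 32212 | down     | up 32482 |
| CMA |DOM212_Server   | 192.168.3.212   | pnd        | up 4184  | up 4094  | N/A      |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 2  1 up  1 down                             |
'

# Reads an mdsstat table on stdin. Data rows are the ones whose first cell is
# "MDS" or "CMA"; the header, separator and summary rows are skipped. Columns 5
# to 8 hold FWM, FWD, CPD and CPCA as "<status> [<pid>]".
mdsstat_problems() {
    awk -F'|' '
        $2 ~ /^ *(MDS|CMA) *$/ {
            split("FWM FWD CPD CPCA", proc, " ")
            t = $2; n = $3; ip = $4
            gsub(/^ +| +$/, "", t); gsub(/^ +| +$/, "", n); gsub(/^ +| +$/, "", ip)
            for (i = 1; i <= 4; i++) {
                field = $(i + 4)
                gsub(/^ +| +$/, "", field)
                split(field, parts, " ")          # parts[1] is the status, parts[2] the PID
                if (parts[1] != "up")
                    printf "%s %s %s %s %s\n", t, n, ip, proc[i], parts[1]
            }
        }'
}

# Number of problem lines, for scripting (0 means everything is up).
mdsstat_problem_count() {
    mdsstat_problems | wc -l | tr -d ' '
}

# Live use on the Multi-Domain Server:
#   mdsstat | mdsstat_problems
#   [ "$(mdsstat | mdsstat_problem_count)" = "0" ] || echo "MDS processes degraded" >&2
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MDSSTAT" | mdsstat_problems
fi
```

The parser keys on the Type cell rather than on line position, so it copes with any number of CMA rows and with the separator lines between them. "N/A" (PID not yet available) and "pnd" are reported as problems on purpose: right after mdsstart they are transient, but if they persist they mean a Domain Management Server never finished initializing.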

mdsstop
Description
Stops the Multi-Domain Server and all Domain Management Servers.
To stop a specific Domain Management Server, see the "mdsstop_customer" on page 736
command.

Syntax

mdsstop [-m | -s]

Parameters

Parameter Description

-m Optional: Stops only the Multi-Domain Server and not the Domain
Management Servers.

-s Optional: Stops all the Domain Management Servers sequentially.


The command waits for each Domain Management Server to stop, before it
stops the next one.

Controlling the number of Domain Management Servers to stop sequentially


By default, the system attempts to stop up to 10 Domain Management Servers at the same
time.

You can decrease the amount of time it takes to stop the Multi-Domain Server when there are
many Domain Management Servers.
To do this, set the value of the environment variable NUM_EXEC_SIMUL to the number of
Domain Management Servers that stop at the same time.

Setting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure configures the specified value for the environment variable NUM_EXEC_
SIMUL in the current shell (does not survive reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Set the value of the environment variable NUM_EXEC_SIMUL:


[Expert@MDS:0]# export NUM_EXEC_SIMUL=<Number of Domain
Management Servers>
Example:
[Expert@MDS:0]# export NUM_EXEC_SIMUL=5

4 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must show the configured value.

Unsetting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure removes the configured value for the environment variable NUM_EXEC_
SIMUL in the current shell (does not survive reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Unset the value of the environment variable NUM_EXEC_SIMUL:


[Expert@MDS:0]# unset NUM_EXEC_SIMUL

4 Make sure the environment variable NUM_EXEC_SIMUL is not set:


[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must be empty.

Setting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure configures the specified value for the environment variable NUM_EXEC_
SIMUL for all shells (survives reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:


[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP}

4 Edit the current /etc/rc.d/rc.local file:


[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Add this line at the bottom of the file:


export NUM_EXEC_SIMUL=<Number of Domain Management
Servers>

Important - After this line, you must press Enter to add a new line.

Example:
export NUM_EXEC_SIMUL=5

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must show the configured value.

Unsetting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure removes the configured value for the environment variable NUM_EXEC_
SIMUL for all shells (survives reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:


[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP_with_
NUM_EXEC_SIMUL}

4 Edit the current /etc/rc.d/rc.local file:


[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Remove this line from the file:


export NUM_EXEC_SIMUL=<Number of Domain Management
Servers>

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is not
set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must be empty.
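The permanent procedures in the mdsstart and mdsstop sections above edit /etc/rc.d/rc.local by hand, and the "press Enter" warning is there because a final line that is not newline-terminated may not be read at boot. The following script is added here as an example and is not part of the guide; it performs both the set and the unset idempotently: it takes the same backup copies the procedures take, keeps exactly one export line no matter how often it is run, rewrites the file in place so its mode is kept, and always leaves the file newline-terminated. RC_LOCAL is overridable only so the functions can be exercised on a copy; the 1 to 999 value check is the example's own choice. It does not reboot; do that, and verify with echo $NUM_EXEC_SIMUL, as the procedures state.

```shell
#!/bin/bash
# Added example (not from the R80.40 guide): idempotent set/unset of NUM_EXEC_SIMUL
# in /etc/rc.d/rc.local, following the mdsstart/mdsstop permanent procedures.
# RC_LOCAL is overridable so the functions can be exercised on a copy of the file.

RC_LOCAL="${RC_LOCAL:-/etc/rc.d/rc.local}"
MARK='^export NUM_EXEC_SIMUL='

# Accept only a positive integer; the 1..999 bound is this example's own choice.
valid_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 999 ]
}

# Prints the configured value (empty if none). Only the last export line counts,
# which is what the shell would see when the file is sourced.
get_num_exec_simul() {
    sed -n 's/^export NUM_EXEC_SIMUL=\([0-9][0-9]*\)$/\1/p' "$RC_LOCAL" 2>/dev/null | tail -n 1
}

# Writes RC_LOCAL without any export line to RC_LOCAL.tmp, preserving the file mode
# (cp -p first, then truncate). grep re-emits every line newline-terminated, so the
# rewritten file never ends in a partial line.
_strip_to_tmp() {
    cp -p "$RC_LOCAL" "$RC_LOCAL.tmp"
    grep -v "$MARK" "$RC_LOCAL" > "$RC_LOCAL.tmp" || true   # grep -v returns 1 when nothing is left
}

# Steps 3 to 6 of "Setting ... permanently": back up, drop any existing line, append the new one.
set_num_exec_simul() {
    n=$1
    valid_count "$n" || { echo "NUM_EXEC_SIMUL must be a positive integer, got '$n'" >&2; return 1; }
    [ -f "$RC_LOCAL" ] || { echo "$RC_LOCAL does not exist" >&2; return 1; }
    cp -p "$RC_LOCAL" "${RC_LOCAL}_BKP"
    _strip_to_tmp
    printf 'export NUM_EXEC_SIMUL=%s\n' "$n" >> "$RC_LOCAL.tmp"
    mv "$RC_LOCAL.tmp" "$RC_LOCAL"
}

# Steps 3 to 6 of "Unsetting ... permanently": back up, then remove the export line.
unset_num_exec_simul() {
    [ -f "$RC_LOCAL" ] || return 0
    cp -p "$RC_LOCAL" "${RC_LOCAL}_BKP_with_NUM_EXEC_SIMUL"
    _strip_to_tmp
    mv "$RC_LOCAL.tmp" "$RC_LOCAL"
}

# Usage on the Multi-Domain Server (then reboot and check: echo $NUM_EXEC_SIMUL):
#   set_num_exec_simul 5
#   unset_num_exec_simul
```

Rewriting through a temporary file and mv keeps the edit atomic: a crash mid-way leaves the original rc.local untouched rather than truncated, which matters for a file the system runs as root at every boot.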

mdsstop_customer
Description
Stops the specified Domain Management Server.
To stop the entire Multi-Domain Server, see the "mdsstop" on page 732 command.

Syntax

mdsstop_customer <IP address or Name of Domain Management Server>


Notes:

- If the name of the Domain Management Server includes spaces, you must
  surround it with quotes ("Name of Domain Management Server").
- To start the specified Domain Management Server, run the "mdsstart_customer"
  on page 729 command.

mgmt_cli
Description
The mgmt_cli tool works directly with the management database on your Management
Server.

Syntax on Management Server or Security Gateway running on Gaia OS

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 32-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional
Switches>

Syntax on SmartConsole computer running on Windows OS 64-bit


Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles
(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional
Switches>

Notes:

- For a complete list of the mgmt_cli options, enter the mgmt_cli (mgmt_cli.exe)
  command and press Enter.
- For more information, see the Check Point Management API Reference.

migrate
Important - This command is used to migrate the management database from R80.10
and lower versions.
For more information, see the R80.40 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:

- To back up and restore a consistent environment, make sure to collect and
  restore the backups and snapshots from all servers in the High Availability
  environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the
  backup operation is completed.

For more information:

- About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:

- You must run this command from the Expert mode.
- If it is necessary to back up the current management database, and you do not
  plan to import it on a Management Server that runs a higher software version,
  then you can use the built-in command in the $FWDIR/bin/upgrade_tools/ directory.
- If you plan to import the management database on a Management Server that
  runs a higher software version, then you must use the migrate utility from the
  migration tools package created specifically for that higher software version.
  See the Installation and Upgrade Guide for that higher software version.
- If this command completes successfully, it creates this log file:
  /var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_HH.MM.SS>.log
  For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
- If this command fails, it creates this log file:
  $CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
  For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log

Syntax

- To see the built-in help:

  [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
  [Expert@MGMT:0]# ./migrate -h

- To export the management database and configuration:

  [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
  [Expert@MGMT:0]# yes | nohup ./migrate export [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File> &

- To import the management database and configuration:

  [Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
  [Expert@MGMT:0]# yes | nohup ./migrate import [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.tgz &

Parameters

Parameter                     Description

-h                            Shows the built-in help.

yes | nohup ./migrate ... &   This syntax:
                              1. Sends the "yes" input to the interactive "migrate" command
                                 through the pipeline.
                              2. The "nohup" forces the "migrate" command to ignore the
                                 hangup signals from the shell.
                              3. The "&" forces the command to run in the background.
                              As a result, when the CLI session closes, the command continues
                              to run in the background.
                              See:
                              - sk133312
                              - https://linux.die.net/man/1/bash
                              - https://linux.die.net/man/1/nohup

export                        Exports the management database and applicable Check Point
                              configuration.

import                        Imports the management database and applicable Check Point
                              configuration that were exported from another Management
                              Server.

-l                            Exports and imports the Check Point logs without log indexes in
                              the $FWDIR/log/ directory.
                              Important:
                              - The command can export only closed logs (to which the
                                information is not currently written).
                              - If you use this parameter, it can take the command a long
                                time to complete (depends on the number of logs).

-x                            Exports and imports the Check Point logs with their log indexes
                              in the $FWDIR/log/ directory.
                              Important:
                              - This parameter only supports Management Servers and Log
                                Servers R80.10 and higher.
                              - The command can export only closed logs (to which the
                                information is not currently written).
                              - If you use this parameter, it can take the command a long
                                time to complete (depends on the number of logs and indexes).

-n                            Runs silently (non-interactive mode) and uses the default
                              options for each setting.
                              Important:
                              - If you export a management database in this mode and the
                                specified name of the exported file matches the name of an
                                existing file, the command overwrites the existing file
                                without prompting.
                              - If you import a management database in this mode, the
                                "migrate import" command runs the "cpstop" command
                                automatically.

--exclude-uepm-postgres-db    - During the export operation, does not back up the PostgreSQL
                                database from the Endpoint Security Management Server.
                              - During the import operation, does not restore the PostgreSQL
                                database on the Endpoint Security Management Server.

--include-uepm-msi-files      - During the export operation, backs up the MSI files from the
                                Endpoint Security Management Server.
                              - During the import operation, restores the MSI files on the
                                Endpoint Security Management Server.

/<Full Path>/                 Absolute path to the exported database file.
                              This path must exist.

<Name of Exported File>       - During the export operation, specifies the name of the output
                                file.
                                The command automatically adds the *.tgz extension.
                              - During the import operation, specifies the name of the
                                exported file.
                                You must manually enter the *.tgz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# ./migrate export /var/log/Migrate_Export

You are required to close all clients to Security Management Server


or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...


Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate export /var/log/My_Migrate_Export


Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_
11.21.39.log' for further details
[Expert@MGMT:0]#

migrate_server
Important - This command is used to migrate the management database from
R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.
For more information, see:
- sk135172 - Upgrade Tools
- The R80.40 Installation and Upgrade Guide

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in a Management High Availability environment:
- To back up and restore a consistent environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the backup operation is completed.
For more information:
- About Gaia Backup and Gaia Snapshot, see the R80.40 Gaia Administration Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:
- You must run this command from the Expert mode.
- If it is necessary to back up the current management database, and you do not plan to import it on a Management Server that runs a higher software version, then you can use the built-in command in the $FWDIR/scripts/ directory.
- If you plan to import the management database on a Management Server that runs a higher software version, then you must use the migrate_server utility from the migration tools package created specifically for that higher software version. See the Installation and Upgrade Guide for that higher software version.
- If this command completes successfully, it creates this log file:
  /var/log/opt/CPshrd-R80.40/migrate-<YYYY.MM.DD_HH.MM.SS>.log
  For example: /var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
- If this command fails, it creates this log file:
  $CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
  For example: /opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log

Syntax
- To see the built-in help:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server -h

- To run the Pre-Upgrade Verifier:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server verify -v R80.40 [-skip_upgrade_tools_check]

- To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] [--ignore_warnings] /<Full Path>/<Name of Exported File>

- To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server import -v R80.40 [-skip_upgrade_tools_check] [-l | -x] [/var/log/mdss.json] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

Parameters

Parameter Description

-h
    Shows the built-in help.

export
    Exports the management database and applicable Check Point configuration.

import
    Imports the management database and applicable Check Point configuration that were exported from another Management Server.
    Important:
    - This command automatically restarts Check Point services (runs the "cpstop" and "cpstart" commands).
    - This note applies to a Multi-Domain Security Management environment, if at least one of the servers changes its IPv4 address compared to the source server, from which you exported its database.
      You must do these steps before you start the upgrade and import:
      1. You must create a special JSON configuration file with the new IPv4 address(es).
         Syntax:
         [{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},
          {"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]
         Example:
         [{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},
          {"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]
      2. You must call this file: mdss.json
      3. You must put this file on all servers in this directory: /var/log/

verify
    Verifies the management database and applicable Check Point configuration that were exported from another Management Server.

-v R80.40
    Specifies the version, to which you plan to migrate / upgrade.

-skip_upgrade_tools_check
    Does not try to connect to Check Point Cloud to check for a more recent version of the Upgrade Tools.
    Best Practice - Use this parameter on a Management Server that is not connected to the Internet.

-l
    Exports and imports the Check Point logs without log indexes in the $FWDIR/log/ directory.
    Important:
    - The command can export only closed logs (to which the information is not currently written).
    - If you use this parameter, it can take the command a long time to complete (depends on the number of logs).

-x
    Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
    Important:
    - This parameter only supports Management Servers and Log Servers R80.10 and higher.
    - The command can export only closed logs (to which the information is not currently written).
    - If you use this parameter, it can take the command a long time to complete (depends on the number of logs and indexes).

/var/log/mdss.json
(previously: -change_ips_file /<Full Path>/<Name of JSON File>.json)
    Important:
    - In the Upgrade Tools for R80.40 build higher than 994000406, the syntax is (this filename is mandatory):
      /var/log/mdss.json
      You must create the file /var/log/mdss.json and not use the parameter "-change_ips_file".
    - In the Upgrade Tools for R80.40 build 994000406 and lower, the syntax was:
      -change_ips_file /<Full Path>/<Name of JSON File>.json
    Specifies the absolute path to the special JSON configuration file with new IPv4 addresses.
    This file is mandatory during an upgrade of a Multi-Domain Security Management environment.
    Even if only one of the servers migrates to a new IP address, all the other servers must get this configuration file for the import process.
    Syntax:
    [{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},
     {"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]
    Example:
    [{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"172.30.40.51"},
     {"name":"MySecondaryMultiDomainServer","newIpAddress4":"172.30.40.52"}]

--include-uepm-msi-files
    - During the export operation, backs up the MSI files from the Endpoint Security Management Server.
    - During the import operation, restores the MSI files on the Endpoint Security Management Server.

--exclude-uepm-postgres-db
    - During the export operation, does not back up the PostgreSQL database from the Endpoint Security Management Server.
    - During the import operation, does not restore the PostgreSQL database on the Endpoint Security Management Server.

-n
    Disables the interactive mode.

/<Full Path>/<Name of Exported File>
    Specifies the absolute path to the exported database file. This path must exist.
    - During the export operation, specifies the name of the output file. The command automatically adds the *.tgz extension.
    - During the import operation, specifies the name of the exported file. You must manually enter the *.tgz extension at the end.
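Writing mdss.json by hand invites exactly the errors that surface only when the import fails part-way through on one of the servers. The shell functions below are an added example, not part of the Check Point guide or its Upgrade Tools: they build the file from "<Server Object Name>=<New IPv4 Address>" pairs, reject any address that is not a valid dotted quad, and write it where migrate_server import expects it. The function names (is_ipv4, make_mdss_json, write_mdss_json) are this example's own; the server names and addresses in the comments are the ones from the table above.

```shell
# Added example, not part of the Check Point guide: build the mdss.json file that
# "migrate_server import" reads when Multi-Domain Servers change IPv4 address.
# Function names (is_ipv4, make_mdss_json, write_mdss_json) are this example's own.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                      # split the (digits-and-dots only) string on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the JSON array to stdout from "<Server Object Name>=<New IPv4>" pairs,
# e.g. MyPrimaryMultiDomainServer=172.30.40.51 (values from the guide's example).
# Prints nothing and returns 1 on the first malformed argument.
make_mdss_json() {
    [ $# -gt 0 ] || { echo "make_mdss_json: no servers given" >&2; return 1; }
    json=""
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *) echo "make_mdss_json: expected Name=IPv4, got '$pair'" >&2; return 1 ;;
        esac
        name=${pair%%=*}
        ip=${pair#*=}
        # A quote or backslash in the object name would break the JSON string.
        case "$name" in
            ''|*\"*|*\\*) echo "make_mdss_json: bad server name '$name'" >&2; return 1 ;;
        esac
        is_ipv4 "$ip" || { echo "make_mdss_json: invalid IPv4 '$ip' for '$name'" >&2; return 1; }
        json="${json:+$json,}{\"name\":\"$name\",\"newIpAddress4\":\"$ip\"}"
    done
    printf '[%s]\n' "$json"
}

# Write the file atomically at $1 (the guide requires /var/log/mdss.json on every
# server in the environment); the remaining arguments are the Name=IPv4 pairs.
write_mdss_json() {
    dest=$1
    shift
    tmp="$dest.tmp.$$"
    if make_mdss_json "$@" > "$tmp"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Example invocation with the guide's sample values:
# write_mdss_json /var/log/mdss.json MyPrimaryMultiDomainServer=172.30.40.51 \
#     MySecondaryMultiDomainServer=172.30.40.52
```

Generate the file once, then copy it to /var/log/mdss.json on every server in the Multi-Domain environment: the import needs it even on servers whose address does not change.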

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...

Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.40/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate_server export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R80.40/log/migrate-2019.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#
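The two examples above end with the only lines worth parsing when the export is scripted: the archive path on success and the quoted log path on failure. The functions below are an added example, not code from the Check Point guide or its Upgrade Tools. classify_migrate_output picks out whichever result line is present, verify_export_archive confirms that the archive exists and starts with the gzip magic bytes before it is copied to the target server, and run_export wires both around a non-interactive export using the -n parameter from the table above. The function names, the MIGRATE_SERVER variable and the console file name are this example's assumptions; the sample output in the test is constructed from the examples above.

```shell
# Added example, not code from the Check Point guide or the Upgrade Tools: read the
# result of "migrate_server export" from its console output and sanity-check the
# archive. Function names and the MIGRATE_SERVER variable are this example's own.

# Read migrate_server output on stdin. Prints "ok <archive>" (returns 0) when the
# success line is present, "failed <log file>" (returns 1) when the error line is
# present, and "unknown" (returns 2) when neither is, e.g. the command was killed.
classify_migrate_output() {
    archive=""
    logfile=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "Location of archive with exported database: "*)
                archive=${line#"Location of archive with exported database: "} ;;
            "Execution finished with errors. See log file '"*)
                logfile=${line#*"'"}      # drop the text up to the opening quote
                logfile=${logfile%%"'"*}  # and everything from the closing quote
                ;;
        esac
    done
    if [ -n "$archive" ]; then
        printf 'ok %s\n' "$archive"
        return 0
    elif [ -n "$logfile" ]; then
        printf 'failed %s\n' "$logfile"
        return 1
    fi
    printf 'unknown\n'
    return 2
}

# The archive must exist, be non-empty and start with the gzip magic bytes 1f 8b
# (migrate_server writes a .tgz); anything else is not worth copying to the target.
verify_export_archive() {
    f=$1
    [ -s "$f" ] || { echo "verify_export_archive: missing or empty: $f" >&2; return 1; }
    magic=$(od -A n -t x1 -N 2 "$f" | tr -d ' \n')
    [ "$magic" = "1f8b" ] || { echo "verify_export_archive: not a gzip archive: $f" >&2; return 1; }
}

# Non-interactive export: -n suppresses the y/n prompt (parameter from the table
# above). $1 is the output path without .tgz, exactly as migrate_server expects.
# The console output is kept next to the archive as the record of the run.
run_export() {
    out_base=$1
    : "${MIGRATE_SERVER:=$FWDIR/scripts/migrate_server}"
    # The result is judged from the output below, not from the exit status.
    "$MIGRATE_SERVER" export -v R80.40 -n "$out_base" > "$out_base.console.txt" 2>&1 || true
    result=$(classify_migrate_output < "$out_base.console.txt") || true
    case "$result" in
        ok\ *)     verify_export_archive "${result#ok }" ;;
        failed\ *) echo "export failed, see ${result#failed }" >&2; return 1 ;;
        *)         echo "no result line in output, see $out_base.console.txt" >&2; return 2 ;;
    esac
}
```

In a Management High Availability environment, run it on every server in the same maintenance window, as the note above requires, and keep the console files together with the archives.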


migrate_global_policies
Description
This utility transfers (and upgrades, if necessary) the global configuration database from one
Multi-Domain Server to another Multi-Domain Server.

Notes:
- You can only use this command when the target Multi-Domain Server does not have global configurations defined.
- This utility replaces all existing global configurations. Each existing global configuration is saved with a *.pre_migrate extension.
- If you migrate only the global configurations (without the Domain Management Servers) to a new Multi-Domain Server, disable all Security Gateways that are enabled for global use.

Important - You cannot export an R80.X global configuration database and then use
this utility on an R80.X Multi-Domain Server.

Syntax

migrate_global_policies <Path>

Parameters

Parameter Description

<Path>
    The fully qualified path to the directory where the global policies files, originally exported from the source Multi-Domain Server ($MDSDIR/conf/), are located.

Example
[Expert@HostName_MDS:0]# migrate_global_policies /var/log/exported_global_db.22Jul2019-124547.tgz


queryDB_util
Description
Searches in the management database for objects or policy rules.

Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 362 command to search in the management database for objects or policy rules
according to search parameters.


rs_db_tool
Description
Manages Dynamically Assigned IP address (DAIP) gateways in a DAIP database.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax
- To add an entry to the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation add -name <Object Name> -ip <IPv4 Address> -ip6 <IPv6 Address> -TTL <Time-To-Live>

- To fetch a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation fetch -name <Object Name>

- To delete a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation delete -name <Object Name>

- To list all entries in the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation list

- To synchronize the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation sync

Note - You must run this command from the Expert mode.

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-name <Object Name>
    Specifies the name of the DAIP object.

-ip <IPv4 Address>
    Specifies the IPv4 address of the DAIP object.

-ip6 <IPv6 Address>
    Specifies the IPv6 address of the DAIP object.

-TTL <Time-To-Live>
    Specifies the relative time interval (in seconds), during which the entry is valid.


sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the
information received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User
Defined Alerts mechanism.

Important:
- You must run this command on the Management Server.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- See the "fw sam" on page 271 and "fw sam_policy" on page 279 commands.

SAM v1 syntax

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter Description

-v
    Enables the verbose mode for the "fw sam" command.

-o
    Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-s <SAM Server>
    Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time>
    Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>
    Specifies the Security Gateway / Cluster object, on which to run the operation.
    Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-C
    Cancels the specified operation.

-n
    Specifies to notify every time a connection, which matches the specified criteria, passes through the Security Gateway.

-i
    Inhibits (drops or rejects) connections that match the specified criteria.

-I
    Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria.

-src
    Matches the source address of connections.

-dst
    Matches the destination address of connections.

-any
    Matches either the source or destination address of connections.

-srv
    Matches specific source, destination, protocol and port.


SAM v2 syntax

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src|-dst|-any|-srv}

Parameters for SAM v2

Parameter Description

-v2
    Specifies to use SAM v2.

-v
    Enables the verbose mode for the "fw sam" command.

-O
    Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-S <SAM Server>
    Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time>
    Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>
    Specifies the Security Gateway / Cluster object, on which to run the operation.
    Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-n <Name>
    Specifies the name for the SAM rule.
    Default is empty.

-c "<Comment>"
    Specifies the comment for the SAM rule.
    Default is empty.
    You must enclose the text in double quotes or single quotes.

-o <Originator>
    Specifies the originator for the SAM rule.
    Default is "sam_alert".

-l {r | a}
    Specifies the log type for connections that match the specified criteria:
    - r - Regular
    - a - Alert
    Default is None.

-a {d | r | n | b | q | i}
    Specifies the action to apply on connections that match the specified criteria:
    - d - Drop
    - r - Reject
    - n - Notify
    - b - Bypass
    - q - Quarantine
    - i - Inspect

-C
    Specifies to close all existing connections that match the criteria.

-ip
    Specifies to use IP addresses as criteria parameters.

-eth
    Specifies to use MAC addresses as criteria parameters.

-src
    Matches the source address of connections.

-dst
    Matches the destination address of connections.

-any
    Matches either the source or destination address of connections.

-srv
    Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.


stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug
purposes - to make sure the applicable SNMP OIDs provide the requested information.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax
- To query a Regular OID:

stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>

  These are specified in the SNMP MIB files.
  For Check Point MIB files, see sk90470.

- To query a Statistical OID:

stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>

  Statistical OIDs take some time to "initialize". For example, to calculate an average, it is necessary to collect enough samples.
  Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_oid.conf file.


Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-h <Host>
    Specifies the remote Check Point host to query by its IP address or resolvable hostname.

-p <Port>
    Specifies the port number, on which the AMON server listens. Default port is 18192.

-x <Proxy Server>
    Specifies the Proxy Server by its IP address or resolvable hostname.
    Note - Use only when you query a remote host.

-l <Polling Interval>
    Specifies the time in seconds between queries.
    Note - Use only when you query a Statistical OID.

-r <Polling Duration>
    Specifies the time in seconds, during which to run consecutive queries.
    Note - Use only when you query a Statistical OID.

-v <VSID>
    On a VSX Gateway, specifies the context of a Virtual Device to query.

-t <Timeout>
    Specifies the session timeout in milliseconds.

<Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>
    Specifies the Regular OIDs to query.
    Notes:
    - An OID must not start with a period.
    - Separate the OIDs with spaces.
    - You can specify up to 100 OIDs.

<Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>
    Specifies the Statistical OIDs to query.
    Notes:
    - An OID must not start with a period.
    - Separate the OIDs with spaces.
    - You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.2.3

Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Information is collected with intervals of 5 seconds during 5 seconds.

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3
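The parameters table puts three rules on the OID list: no leading period, space separation, and at most 100 OIDs per call. The shell functions below are an added example, not part of the Check Point guide or the stattest tool, and enforce those rules before stattest is invoked: normalize_oid strips a leading period and rejects anything that is not dotted decimal, batch_oids splits a long list into groups of at most 100, and stattest_commands prints one complete stattest invocation per group, passing any options (such as -h <Host>, or -l and -r for Statistical OIDs) in front of the OIDs. The function names are this example's own; the OIDs in the test are the procIdleTime OID from the examples above and constructed variations of it.

```shell
# Added example, not part of the Check Point guide or the stattest tool: prepare OID
# arguments for "stattest get" under the rules from the parameters table (no leading
# period, space-separated, at most 100 OIDs per call). Function names are this
# example's own.

# Print $1 as stattest wants it: one leading period removed, dotted decimal only.
normalize_oid() {
    oid=${1#.}
    case "$oid" in
        ''|*[!0-9.]*|.*|*.|*..*) echo "normalize_oid: invalid OID '$1'" >&2; return 1 ;;
    esac
    printf '%s\n' "$oid"
}

# Read OIDs from stdin (whitespace-separated, any layout) and print one line per
# stattest invocation, each holding at most 100 normalized OIDs. Stops at the first
# invalid OID so a typo never reaches the AMON server.
batch_oids() {
    max=100
    count=0
    batch=""
    for raw in $(cat); do
        oid=$(normalize_oid "$raw") || return 1
        batch="${batch:+$batch }$oid"
        count=$((count + 1))
        if [ "$count" -eq "$max" ]; then
            printf '%s\n' "$batch"
            batch=""
            count=0
        fi
    done
    [ -z "$batch" ] || printf '%s\n' "$batch"
}

# Print a complete "stattest get ..." command for every batch read from stdin.
# Arguments are passed through in front of the OIDs, e.g. "-h <Host>" for a remote
# host or "-l 5 -r 5" (mandatory for Statistical OIDs).
stattest_commands() {
    batches=$(batch_oids) || return 1
    printf '%s\n' "$batches" | while IFS= read -r oids; do
        printf 'stattest get %s%s\n' "${*:+$* }" "$oids"
    done
}

# Example: the procIdleTime OID from the guide, queried as a Statistical OID.
# printf '1.3.6.1.4.1.2620.1.6.7.2.3\n' | stattest_commands -l 5 -r 5
```

Feed the output to the shell only after reading it; the functions build command lines, they do not execute them.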


threshold_config
Description
You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts.
You can use these thresholds to monitor many system components automatically without
requesting information from each object or device.
You configure these SNMP Monitoring Thresholds only on the Security Management Server,
Multi-Domain Server, or Domain Management Server.
During policy installation, the managed Security Gateways and Clusters receive and apply
these thresholds as part of their policy.

For more information, see sk90860: How to configure SNMP on Gaia OS.

Procedure

1. Connect to the command line on the Management Server.
2. Log in to the Expert mode.
3. On a Multi-Domain Server, switch to the context of the applicable Domain Management Server:
   [Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>
4. Go to the Threshold Engine Configuration menu:
   [Expert@HostName:0]# threshold_config
5. Select the applicable options and configure the applicable settings (see the Threshold Engine Configuration Options table below).
   Threshold Engine Configuration Options:
   ---------------------------------------

   (1) Show policy name
   (2) Set policy name
   (3) Save policy
   (4) Save policy to file
   (5) Load policy from file
   (6) Configure global alert settings
   (7) Configure alert destinations
   (8) View thresholds overview
   (9) Configure thresholds

   (e) Exit (m) Main Menu

   Enter your choice (1-9) :
6. Exit from the Threshold Engine Configuration menu.
7. Stop the CPD daemon:
   [Expert@HostName:0]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
   See "cpwd_admin stop" on page 228.
8. Start the CPD daemon:
   [Expert@HostName:0]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
   See "cpwd_admin start" on page 224.
9. Wait for 10-20 seconds.
10. Verify that the CPD daemon started successfully:
    [Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"
    See "cpwd_admin list" on page 218.
11. In SmartConsole, install the Access Control Policy on Security Gateways and Clusters.

Threshold Engine Configuration Options

Menu item Description

(1) Show policy name
    Shows the name of the current configured threshold policy.

(2) Set policy name
    Configures the name for the threshold policy.
    If you do not specify it explicitly, then the default name is "Default Profile".

(3) Save policy
    Saves the changes in the current threshold policy.

(4) Save policy to file
    Exports the configured threshold policy to a file.
    If you do not specify the path explicitly, the file is saved in the current working directory.

(5) Load policy from file
    Imports a threshold policy from a file.
    If you do not specify the path explicitly, the file is imported from the current working directory.

(6) Configure global alert settings
    Configures global settings:
    - How frequently alerts are sent (configured delay must be greater than 30 seconds)
    - How many alerts are sent

(7) Configure alert destinations
    Configures the SNMP Network Management System (NMS), to which the managed Security Gateways and Cluster Members send their SNMP alerts.
    Configure Alert Destinations Options:
    -------------------------------------
    (1) View alert destinations
    (2) Add SNMP NMS
    (3) Remove SNMP NMS
    (4) Edit SNMP NMS

(8) View thresholds overview
    Shows a list of all available thresholds and their current settings. These include:
    - Name
    - Category (see the next option "(9)")
    - State (disabled or enabled)
    - Threshold (threshold point, if applicable)
    - Description

(9) Configure thresholds
    Shows the list of threshold categories to configure.
    Thresholds Categories
    ----------------------
    (1) Hardware
    (2) High Availability
    (3) Local Logging Mode Status
    (4) Log Server Connectivity
    (5) Networking
    (6) Resources
    See the Thresholds Categories table below.

Thresholds Categories

Category Sub-Categories

(1) Hardware
    Hardware Thresholds:
    --------------------
    (1) RAID volume state
    (2) RAID disk state
    (3) RAID disk flags
    (4) Temperature sensor reading
    (5) Fan speed sensor reading
    (6) Voltage sensor reading

(2) High Availability
    High Availability Thresholds:
    -----------------------------
    (1) Cluster member state changed
    (2) Cluster block state
    (3) Cluster state
    (4) Cluster problem status
    (5) Cluster interface status

(3) Local Logging Mode Status
    Local Logging Mode Status Thresholds:
    -------------------------------------
    (1) Local Logging Mode

(4) Log Server Connectivity
    Log Server Connectivity Thresholds:
    -----------------------------------
    (1) Connection with log server
    (2) Connection with all log servers

(5) Networking
    Networking Thresholds:
    ----------------------
    (1) Interface Admin Status
    (2) Interface removed
    (3) Interface Operational Link Status
    (4) New connections rate
    (5) Concurrent connections rate
    (6) Bytes Throughput
    (7) Accepted Packet Rate
    (8) Drop caused by excessive traffic

(6) Resources
    Resources Thresholds:
    ---------------------
    (1) Swap Memory Utilization
    (2) Real Memory Utilization
    (3) Partition free space
    (4) Core Utilization
    (5) Core interrupts rate

Notes:
- If you run the threshold_config command locally on a Security Gateway or Cluster Members to configure the SNMP Monitoring Thresholds, then each policy installation erases these local SNMP threshold settings and reverts them to the global SNMP threshold settings configured on the Management Server that manages this Security Gateway or Cluster.
- On a Security Gateway and Cluster Members, you can save the local Threshold Engine Configuration settings to a file and load it locally later.
- The Threshold Engine Configuration is stored in the $FWDIR/conf/thresholds.conf file.
- In a Multi-Domain Security Management environment:
  - You can configure the SNMP thresholds in the context of the Multi-Domain Server (MDS) and in the context of each individual Domain Management Server.
  - Thresholds that you configure in the context of the Multi-Domain Server are for the Multi-Domain Server only.
  - Thresholds that you configure in the context of a Domain Management Server are for that Domain Management Server and its managed Security Gateways and Clusters.
  - If an SNMP threshold applies both to the Multi-Domain Server and a Domain Management Server, then configure the SNMP threshold both in the context of the Multi-Domain Server and in the context of the Domain Management Server.
    However, in this scenario you can only get alerts from the Multi-Domain Server, if the monitored object exceeds the threshold.
    Example:
    If you configure the CPU threshold, then when the monitored value exceeds the configured threshold, it applies to both the Multi-Domain Server and the Domain Management Server. However, only the Multi-Domain Server generates SNMP alerts.


$MDSVERUTIL
Description
This utility returns information about the Multi-Domain Server and Domain Management
Servers.
This utility is intended for internal use by Check Point scripts on the Multi-Domain Server.
You can use this utility to get some information about the Multi-Domain Server and Domain
Management Servers (for example, the names of all Domain Management Servers).


Syntax

$MDSVERUTIL help


$MDSVERUTIL
AllCMAs <options>
AllVersions
CMAAddonDir <options>
CMACompDir <options>
CMAFgDir <options>
CMAFw40Dir <options>
CMAFw41Dir <options>
CMAFwConfDir <options>
CMAFwDir <options>
CMAIp <options>
CMAIp6 <options>
CMALogExporterDir <options>
CMALogIndexerDir <options>
CMANameByFwDir <options>
CMANameByIp <options>
CMARegistryDir <options>
CMAReporterDir <options>
CMASmartLogDir <options>
CMASvnConfDir <options>
CMASvnDir <options>
ConfDirVersion <options>
CpdbUpParam <options>
CPprofileDir <options>
CPVer <options>
CustomersBaseDir <options>
DiskSpaceFactor <options>
InstallationLogDir <options>
IsIPv6Enabled
IsLegalVersion <options>
IsOsSupportsIPv6
LatestVersion
MDSAddonDir <options>
MDSCompDir <options>
MDSDir <options>
MDSFgDir <options>
MDSFwbcDir <options>
MDSFwDir <options>
MDSIp <options>
MDSIp6 <options>
MDSLogExporterDir <options>
MDSLogIndexerDir <options>
MDSPkgName <options>
MDSRegistryDir <options>
MDSReporterDir <options>


MDSSmartLogDir <options>
MDSSvnDir <options>
MDSVarCompDir <options>
MDSVarDir <options>
MDSVarFwbcDir <options>
MDSVarFwDir <options>
MDSVarSvnDir <options>
MSP <options>
OfficialName <options>
OptionPack <options>
ProductName <options>
RegistryCurrentVer <options>
ShortOfficialName <options>
SmartCenterPuvUpgradeParam <options>
SP <options>
SVNPkgName <options>
SvrDirectory <options>
SvrParam <options>

Parameters

Parameter Description

help Shows the list of available commands.

AllCMAs <options> Returns the list of names of the configured Domain


Management Servers.
See "$MDSVERUTIL AllCMAs" on page 776.

AllVersions Returns the internal representation of versions,


this Multi-Domain Server recognizes.
See "$MDSVERUTIL AllVersions" on page 777.

CMAAddonDir <options> Returns the path to the Management Addon


directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMAAddonDir" on
page 780.

CMACompDir <options> Returns the full path for the specified Backward
Compatibility Package in the context of the
specified Domain Management Server.
See "$MDSVERUTIL CMACompDir" on page 781.

R80.40 CLI Reference Guide | 768


$MDSVERUTIL

Parameter Description

CMAFgDir <options> Returns the full path for the $FGDIR directory in
the context of the specified Domain Management
Server.
See "$MDSVERUTIL CMAFgDir" on page 782.

CMAFw40Dir <options> Returns the full path for the $FWDIR directory for
FireWall-1 4.0 in the context of the specified
Domain Management Server.
See "$MDSVERUTIL CMAFw40Dir" on page 783.

CMAFw41Dir <options> Returns the full path for the $FWDIR directory for
Edge devices (that are based on FireWall-1 4.1) in
the context of the specified Domain Management
Server.
Note - R80.40 does not support UTM-1 Edge
and Safe@Office devices. The information
about this command is provided only to
describe the existing syntax option until it is
removed completely.
See "$MDSVERUTIL CMAFw41Dir" on page 784.

CMAFwConfDir <options> Returns the full path for the $FWDIR/conf/


directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMAFwConfDir" on
page 785.

CMAFwDir <options> Returns the full path for the $FWDIR directory in
the context of the specified Domain Management
Server.
See "$MDSVERUTIL CMAFwDir" on page 786.

CMAIp <options> Returns the IPv4 address of the Domain


Management Server specified by its name.
See "$MDSVERUTIL CMAIp" on page 787.

CMAIp6 <options> Returns the IPv6 address of the Domain


Management Server specified by its name.
See "$MDSVERUTIL CMAIp6" on page 788.

CMALogExporterDir <options> Returns the full path for the $EXPORTERDIR


directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMALogExporterDir" on
page 789.

R80.40 CLI Reference Guide | 769


$MDSVERUTIL

Parameter Description

CMALogIndexerDir <options> Returns the full path for the $INDEXERDIR


directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMALogIndexerDir" on
page 790.

CMANameByFwDir <options> Returns the name of the Domain Management


Server based on the context of the current $FWDIR
directory.
See "$MDSVERUTIL CMANameByFwDir" on
page 791.

CMANameByIp <options> Returns the name of the Domain Management


Server based on the specified IPv4 address.
See "$MDSVERUTIL CMANameByIp" on
page 792.

CMARegistryDir <options> Returns the full path for the $CPDIR/registry/


directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMARegistryDir" on
page 793.

CMAReporterDir <options> Returns the full path for the $RTDIR directory in
the context of the specified Domain Management
Server.
See "$MDSVERUTIL CMAReporterDir" on
page 794.

CMASmartLogDir <options> Returns the full path for the $SMARTLOGDIR


directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMASmartLogDir" on
page 795.

CMASvnConfDir <options> Returns the full path for the $CPDIR/conf/


directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMASvnConfDir" on
page 796.

CMASvnDir <options> Returns the full path for the $CPDIR directory in
the context of the specified Domain Management
Server.
See "$MDSVERUTIL CMASvnDir" on page 797.

R80.40 CLI Reference Guide | 770


$MDSVERUTIL

Parameter Description

ConfDirVersion <options> Returns the internal Version ID based on the


context of the current $FWDIR/conf/ directory.
See "$MDSVERUTIL ConfDirVersion" on
page 798.

CpdbUpParam <options> Returns internal version numbers from the internal


database.
See "$MDSVERUTIL CpdbUpParam" on
page 799.

CPprofileDir <options> Returns the path to the directory that contains the
.CPprofile.sh and the .CPprofile.csh
shell scripts.
See "$MDSVERUTIL CPprofileDir" on page 800.

CPVer <options> Returns internal Check Point version number.


See "$MDSVERUTIL CPVer" on page 801.

CustomersBaseDir <options>
    Returns the full path for the $MDSDIR/customers/ directory.
    See "$MDSVERUTIL CustomersBaseDir" on page 802.

DiskSpaceFactor <options>
    Returns the disk-space factor (the mds_setup command uses this value during an upgrade).
    See "$MDSVERUTIL DiskSpaceFactor" on page 803.

InstallationLogDir <options>
    Returns the full path for the directory with all installation logs (/opt/CPInstLog/).
    See "$MDSVERUTIL InstallationLogDir" on page 804.

IsIPv6Enabled
    Returns true, if IPv6 is enabled in Gaia OS.
    Returns false, if IPv6 is disabled in Gaia OS.
    See "$MDSVERUTIL IsIPv6Enabled" on page 805.

IsLegalVersion <options>
    Returns 0, if the specified internal Version ID is legal.
    Returns 1, if the specified internal Version ID is illegal.
    See "$MDSVERUTIL IsLegalVersion" on page 806.


IsOsSupportsIPv6
    Returns true, if the OS supports IPv6.
    Returns false, if the OS does not support IPv6.
    See "$MDSVERUTIL IsOsSupportsIPv6" on page 807.

LatestVersion
    Returns the internal Version ID of the latest installed version.
    See "$MDSVERUTIL LatestVersion" on page 808.

MDSAddonDir <options>
    Returns the path to the Management Addon directory in the MDS context.
    See "$MDSVERUTIL MDSAddonDir" on page 809.

MDSCompDir <options>
    Returns the full path for the specified Backward Compatibility Package in the MDS context.
    See "$MDSVERUTIL MDSCompDir" on page 810.

MDSDir <options>
    Returns the full path in the /opt/ directory to the $MDSDIR directory.
    See "$MDSVERUTIL MDSDir" on page 811.

MDSFgDir <options>
    Returns the full path for the $FGDIR directory in the MDS context.
    See "$MDSVERUTIL MDSFgDir" on page 812.

MDSFwbcDir <options>
    Returns the full path in the /opt/ directory (in the MDS context) for the Backward Compatibility directory for Edge devices.
    See "$MDSVERUTIL MDSFwbcDir" on page 813.

MDSFwDir <options>
    Returns the full path in the /opt/ directory for the $FWDIR directory in the MDS context.
    See "$MDSVERUTIL MDSFwDir" on page 814.

MDSIp <options>
    Returns the IPv4 address of Multi-Domain Server.
    See "$MDSVERUTIL MDSIp" on page 815.

MDSIp6 <options>
    Returns the IPv6 address of Multi-Domain Server.
    See "$MDSVERUTIL MDSIp6" on page 816.

MDSLogExporterDir <options>
    Returns the full path for the $EXPORTERDIR directory in the MDS context.
    See "$MDSVERUTIL MDSLogExporterDir" on page 817.


MDSLogIndexerDir <options>
    Returns the full path for the $INDEXERDIR directory in the MDS context.
    See "$MDSVERUTIL MDSLogIndexerDir" on page 818.

MDSPkgName <options>
    Returns the name of the MDS software package.
    See "$MDSVERUTIL MDSPkgName" on page 819.

MDSRegistryDir <options>
    Returns the full path for the $CPDIR/registry/ directory in the MDS context.
    See "$MDSVERUTIL MDSRegistryDir" on page 820.

MDSReporterDir <options>
    Returns the full path for the $RTDIR directory in the MDS context.
    See "$MDSVERUTIL MDSReporterDir" on page 821.

MDSSmartLogDir <options>
    Returns the full path for the $SMARTLOGDIR directory in the MDS context.
    See "$MDSVERUTIL MDSSmartLogDir" on page 822.

MDSSvnDir <options>
    Returns the full path in the /opt/ directory for the $CPDIR directory in the MDS context.
    See "$MDSVERUTIL MDSSvnDir" on page 823.

MDSVarCompDir <options>
    Returns the full path in the /var/opt/ directory for the specified Backward Compatibility Package in the MDS context.
    See "$MDSVERUTIL MDSVarCompDir" on page 824.

MDSVarDir <options>
    Returns the full path in the /var/opt/ directory to the $MDSDIR directory.
    See "$MDSVERUTIL MDSVarDir" on page 825.

MDSVarFwbcDir <options>
    Returns the full path in the /var/opt/ directory (in the MDS context) for the Backward Compatibility directory for Edge devices.
    See "$MDSVERUTIL MDSVarFwbcDir" on page 826.


MDSVarFwDir <options>
    Returns the full path in the /var/opt/ directory for the $FWDIR directory in the MDS context.
    See "$MDSVERUTIL MDSVarFwDir" on page 827.

MDSVarSvnDir <options>
    Returns the full path in the /var/opt/ directory for the $CPDIR directory in the MDS context.
    See "$MDSVERUTIL MDSVarSvnDir" on page 828.

MSP <options>
    Returns the Minor Service Pack version.
    See "$MDSVERUTIL MSP" on page 829.

OfficialName <options>
    Returns the official version name.
    See "$MDSVERUTIL OfficialName" on page 830.

OptionPack <options>
    Returns the internal Option Pack version.
    See "$MDSVERUTIL OptionPack" on page 831.

ProductName <options>
    Returns the official name of the Multi-Domain Server product.
    See "$MDSVERUTIL ProductName" on page 832.

RegistryCurrentVer <options>
    Returns the current internal version of Check Point Registry.
    See "$MDSVERUTIL RegistryCurrentVer" on page 833.

ShortOfficialName <options>
    Returns the short (without spaces) official version name.
    See "$MDSVERUTIL ShortOfficialName" on page 834.

SmartCenterPuvUpgradeParam <options>
    Returns the version to the Pre-Upgrade Verifier (PUV) in order for it to upgrade to that version.
    See "$MDSVERUTIL SmartCenterPuvUpgradeParam" on page 835.

SP <options>
    Returns the Service Pack version.
    See "$MDSVERUTIL SP" on page 836.

SVNPkgName <options>
    Returns the name of the Secure Virtual Network (SVN) package.
    See "$MDSVERUTIL SVNPkgName" on page 837.


SvrDirectory <options>
    Returns the full path for the SmartReporter directory.
    See "$MDSVERUTIL SvrDirectory" on page 838.

SvrParam <options>
    Returns the SmartReporter version.
    See "$MDSVERUTIL SvrParam" on page 839.

$MDSVERUTIL AllCMAs

Description
Returns the list of names of the configured Domain Management Servers.

Syntax

$MDSVERUTIL AllCMAs [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL AllCMAs
MyDomain_Server_1
MyDomain_Server_2
MyDomain_Server_3
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL AllCMAs -v VID_92
MyDomain_Server_1
MyDomain_Server_2
MyDomain_Server_3
[Expert@MDS:0]#

$MDSVERUTIL AllVersions

Description
Returns the internal representation of the versions that this Multi-Domain Server recognizes.
You can use these internal version strings in other commands.
In addition, see these commands:
- "$MDSVERUTIL IsLegalVersion" on page 806
- "$MDSVERUTIL OfficialName" on page 830

Syntax

$MDSVERUTIL AllVersions

Mapping

Internal Version ID Official version

VID_94 R80.40

VID_93 R80.30

VID_92 R80.20

VID_91 R80

VID_90 R77.X

VID_89 R76

VID_88 R75.40VS

VID_87 R75.40

VID_86 R75.30

VID_85 R75.20

VID_84 R75

VID_83 R71.X

VID_80 R70.X

VID_65 NGX R65

VID_62 NGX R62

VID_NGX_61 NGX R61

VID_60 NGX R60

VID_541_A NG AI R55W

VID_541 NG AI R55

VID_54_VSX_R2 VSX NG AI R2

VID_54_VSX VSX NG AI 2.2N and VSX NG AI 2.3N

VID_54 NG AI R54

VID_53_VSX VSX NG AI

VID_53 NG FP3

VID_52 NG FP2

VID_51 NG FP1

VID_41 4.1

Example

[Expert@MDS:0]# $MDSVERUTIL AllVersions
VID_94
VID_93
VID_92
VID_91
VID_90
VID_89
VID_88
VID_87
VID_86
VID_85
VID_84
VID_83
VID_80
VID_65
VID_62
VID_NGX_61
VID_61
VID_60
VID_541_A
VID_541
VID_54_VSX_R2
VID_54_VSX
VID_54
VID_53_VSX
VID_53
VID_52
VID_51
VID_41
[Expert@MDS:0]#

$MDSVERUTIL CMAAddonDir

Description
Returns the path to the Management Addon directory in the context of the specified Domain
Management Server. Applies only to the NG AI R55W version.
In addition, see the "$MDSVERUTIL MDSAddonDir" on page 809 command.

Syntax

$MDSVERUTIL CMAAddonDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAAddonDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPmgmt-R55W
[Expert@MDS:0]#

$MDSVERUTIL CMACompDir

Description
Returns the full path for the specified Backward Compatibility Package in the context of the
specified Domain Management Server.
In addition, see these commands:
- "$MDSVERUTIL MDSCompDir" on page 810
- "$MDSVERUTIL MDSVarCompDir" on page 824

Syntax

$MDSVERUTIL CMACompDir -n <Name or IP address of Domain Management Server> -c <Name of Backward Compatibility Package>

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-c <Name of Backward Compatibility Package>
    Specifies the name of the Backward Compatibility Package.
    The Backward Compatibility Package contains the applicable files to install policy on Security Gateways that run a lower version than the Multi-Domain Server.
    To see the list of all Backward Compatibility Packages, run in Expert mode:
    ls -1 $MDSDIR/customers/<Name of Domain Management Server>/ | grep CMP

Example

[Expert@MDS:0]# $MDSVERUTIL CMACompDir -n MyDomain_Server -c CPR77CMP-R80.40
/opt/CPmds-R80.40/customers/MyDomain_Server/CPR77CMP-R80.40
[Expert@MDS:0]#

$MDSVERUTIL CMAFgDir

Description
Returns the full path for the $FGDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSFgDir" on page 812 command.

Syntax

$MDSVERUTIL CMAFgDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFgDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fg1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFgDir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fg1
[Expert@MDS:0]#

$MDSVERUTIL CMAFw40Dir

Description
Returns the full path for the $FWDIR directory for FireWall-1 4.0 in the context of the specified
Domain Management Server.

Syntax

$MDSVERUTIL CMAFw40Dir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFw40Dir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/fw40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFw40Dir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/fw40
[Expert@MDS:0]#

$MDSVERUTIL CMAFw41Dir
Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax
option until it is removed completely.

Description
Returns the full path for the $FWDIR directory for UTM-1 Edge devices (that are based on
FireWall-1 4.1) in the context of the specified Domain Management Server.

Syntax

$MDSVERUTIL CMAFw41Dir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFw41Dir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPEdgecmp-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFw41Dir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/CPEdgecmp-R77
[Expert@MDS:0]#

$MDSVERUTIL CMAFwConfDir

Description
Returns the full path for the $FWDIR/conf/ directory in the context of the specified Domain
Management Server.

Syntax

$MDSVERUTIL CMAFwConfDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFwConfDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/conf
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFwConfDir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fw1/conf
[Expert@MDS:0]#

$MDSVERUTIL CMAFwDir

Description
Returns the full path for the $FWDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSFwDir" on page 814 command.

Syntax

$MDSVERUTIL CMAFwDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFwDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFwDir -n MyDomain_Server -v VID_90
/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fw1
[Expert@MDS:0]#

$MDSVERUTIL CMAIp

Description
Returns the IPv4 address of the Domain Management Server specified by its name.
In addition, see the "$MDSVERUTIL MDSIp" on page 815 command.

Syntax

$MDSVERUTIL CMAIp -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAIp -n MyDomain_Server
192.168.3.240
[Expert@MDS:0]#

$MDSVERUTIL CMAIp6

Description
Returns the IPv6 address of the Domain Management Server specified by its name.
In addition, see the "$MDSVERUTIL MDSIp6" on page 816 command.

Known Limitation PMTR-14989 - Multi-Domain Server does not support IPv6 address configuration.

Syntax

$MDSVERUTIL CMAIp6 -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv6 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

$MDSVERUTIL CMALogExporterDir

Description
Returns the full path for the $EXPORTERDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSLogExporterDir" on page 817 command.

Syntax

$MDSVERUTIL CMALogExporterDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMALogExporterDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPrt-R80.40/log_exporter
[Expert@MDS:0]#

$MDSVERUTIL CMALogIndexerDir

Description
Returns the full path for the $INDEXERDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSLogIndexerDir" on page 818 command.

Syntax

$MDSVERUTIL CMALogIndexerDir -n <Name or IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Management Server>
    Specifies the Domain Management Server by its name or IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMALogIndexerDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPrt-R80.40/log_indexer
[Expert@MDS:0]#

$MDSVERUTIL CMANameByFwDir

Description
Returns the name of the Domain Management Server based on the context of the current
$FWDIR directory.

Syntax

$MDSVERUTIL CMANameByFwDir -d $FWDIR [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMANameByFwDir -d $FWDIR
MyDomain_Server
[Expert@MDS:0]#

$MDSVERUTIL CMANameByIp

Description
Returns the name of the Domain Management Server based on the specified IPv4 address.

Syntax

$MDSVERUTIL CMANameByIp -i <IP address of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-i <IP address of Domain Management Server>
    Specifies the Domain Management Server by its IPv4 address.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMANameByIp -i 192.168.3.240
MyDomain_Server
[Expert@MDS:0]#

$MDSVERUTIL CMARegistryDir

Description
Returns the full path for the $CPDIR/registry/ directory in the context of the specified
Domain Management Server.
In addition, see the "$MDSVERUTIL MDSRegistryDir" on page 820 command.

Syntax

$MDSVERUTIL CMARegistryDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMARegistryDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPshrd-R80.40/registry
[Expert@MDS:0]#

$MDSVERUTIL CMAReporterDir

Description
Returns the full path for the $RTDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSReporterDir" on page 821 command.

Syntax

$MDSVERUTIL CMAReporterDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAReporterDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPrt-R80.40
[Expert@MDS:0]#

$MDSVERUTIL CMASmartLogDir

Description
Returns the full path for the $SMARTLOGDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSSmartLogDir" on page 822 command.

Syntax

$MDSVERUTIL CMASmartLogDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASmartLogDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPSmartLog-R80.40
[Expert@MDS:0]#

$MDSVERUTIL CMASvnConfDir

Description
Returns the full path for the $CPDIR/conf/ directory in the context of the specified Domain
Management Server.

Syntax

$MDSVERUTIL CMASvnConfDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASvnConfDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPshrd-R80.40/conf
[Expert@MDS:0]#

$MDSVERUTIL CMASvnDir

Description
Returns the full path for the $CPDIR directory in the context of the specified Domain
Management Server.
In addition, see these commands:
- "$MDSVERUTIL MDSSvnDir" on page 823
- "$MDSVERUTIL MDSVarSvnDir" on page 828

Syntax

$MDSVERUTIL CMASvnDir -n <Name of Domain Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Server>
    Specifies the Domain Management Server by its name.

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASvnDir -n MyDomain_Server
/opt/CPmds-R80.40/customers/MyDomain_Server/CPshrd-R80.40
[Expert@MDS:0]#

$MDSVERUTIL ConfDirVersion

Description
Returns the internal Version ID based on the context of the current $FWDIR/conf/ directory.
For information about the internal Version ID, see the "$MDSVERUTIL AllVersions" on
page 777 command.

Syntax

$MDSVERUTIL ConfDirVersion -d $FWDIR/conf

Example

[Expert@MDS:0]# $MDSVERUTIL ConfDirVersion -d $FWDIR/conf
VID_92
[Expert@MDS:0]#

$MDSVERUTIL CpdbUpParam

Description
Returns internal version numbers from the internal database.
In addition, see these commands:
- "$MDSVERUTIL MSP" on page 829
- "$MDSVERUTIL SP" on page 836

Syntax

$MDSVERUTIL CpdbUpParam [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam
6.0.5.1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam -v VID_90
6.0.4.0
[Expert@MDS:0]#

Example 3

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam -v VID_65
6.0.1.0
[Expert@MDS:0]#

$MDSVERUTIL CPprofileDir

Description
Returns the path to the directory that contains the .CPprofile.sh and the
.CPprofile.csh shell scripts.

Syntax

$MDSVERUTIL CPprofileDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CPprofileDir
/opt/CPshrd-R80.40/tmp
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CPprofileDir -v VID_90
/opt/CPshrd-R77/tmp
[Expert@MDS:0]#

$MDSVERUTIL CPVer

Description
Returns the internal Check Point version number.

Syntax

$MDSVERUTIL CPVer [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CPVer
9.0
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CPVer -v VID_80
8.0
[Expert@MDS:0]#

$MDSVERUTIL CustomersBaseDir

Description
Returns the full path for the $MDSDIR/customers/ directory.

Syntax

$MDSVERUTIL CustomersBaseDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CustomersBaseDir
/opt/CPmds-R80.40/customers
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CustomersBaseDir -v VID_90
/opt/CPmds-R77/customers
[Expert@MDS:0]#

$MDSVERUTIL DiskSpaceFactor

Description
Returns the disk-space factor. The mds_setup command uses this value during an upgrade.

Syntax

$MDSVERUTIL DiskSpaceFactor [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL DiskSpaceFactor
1
[Expert@MDS:0]#

$MDSVERUTIL InstallationLogDir

Description
Returns the full path for the directory with all installation logs (/opt/CPInstLog/).

Syntax

$MDSVERUTIL InstallationLogDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL InstallationLogDir
/opt/CPInstLog
[Expert@MDS:0]#

$MDSVERUTIL IsIPv6Enabled

Description
Returns true, if IPv6 is enabled in Gaia OS.
Returns false, if IPv6 is disabled in Gaia OS.

Known Limitation PMTR-14989 - Multi-Domain Server does not support IPv6 address configuration.

Syntax

$MDSVERUTIL IsIPv6Enabled

$MDSVERUTIL IsLegalVersion

Description
Returns 0, if the specified internal Version ID is legal.
Returns 1, if the specified internal Version ID is illegal.

Syntax

$MDSVERUTIL IsLegalVersion -v <Version_ID>

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL IsLegalVersion -v VID_92
0
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL IsLegalVersion -v VID_123456
1
[Expert@MDS:0]#

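The following script is an added example and not part of the Check Point guide. It combines IsLegalVersion with AllCMAs, CMAFwDir and CMASvnDir: the Version ID is checked first (IsLegalVersion prints 0 for a legal ID and 1 for an illegal one), and only then used as the -v context for every Domain Management Server, so a mistyped ID is rejected instead of being passed on to the other commands. The names MDSVERUTIL_BIN, mdsverutil, is_legal_version and list_cma_dirs are chosen here; on the Multi-Domain Server the script relies on the $MDSVERUTIL variable available in Expert mode.

```shell
#!/bin/sh
# Added example (not Check Point code): resolve the per-Domain Management
# Server $FWDIR and $CPDIR paths for one internal Version ID, after
# validating that ID with "$MDSVERUTIL IsLegalVersion".
#
# MDSVERUTIL_BIN is an assumed override: by default it is the $MDSVERUTIL
# variable set in Expert mode on the MDS, but it can be pointed at a stub
# so the functions can be exercised on a machine without an MDS.
MDSVERUTIL_BIN="${MDSVERUTIL_BIN:-${MDSVERUTIL:-}}"

# Thin wrapper so every call goes through one place.
mdsverutil() {
    if [ -z "$MDSVERUTIL_BIN" ]; then
        echo 'MDSVERUTIL is not set; run this in Expert mode on the Multi-Domain Server' >&2
        return 2
    fi
    "$MDSVERUTIL_BIN" "$@"
}

# IsLegalVersion prints 0 when the Version ID is legal and 1 when it is not
# (the value is printed, not returned as an exit code). This function turns
# that into an exit status: success only for a legal ID.
is_legal_version() {
    [ "$(mdsverutil IsLegalVersion -v "$1")" = "0" ]
}

# Print one tab-separated line per Domain Management Server:
#   <name>  <$FWDIR in that version context>  <$CPDIR in that version context>
# Fails without querying anything else when the Version ID is illegal.
list_cma_dirs() {
    vid="$1"
    if ! is_legal_version "$vid"; then
        echo "illegal Version ID: $vid (see \$MDSVERUTIL AllVersions)" >&2
        return 1
    fi
    mdsverutil AllCMAs -v "$vid" | while IFS= read -r cma; do
        [ -n "$cma" ] || continue
        fwdir="$(mdsverutil CMAFwDir -n "$cma" -v "$vid")"
        cpdir="$(mdsverutil CMASvnDir -n "$cma" -v "$vid")"
        printf '%s\t%s\t%s\n' "$cma" "$fwdir" "$cpdir"
    done
}

# Example invocation on the MDS (Expert mode): list_cma_dirs VID_94
```

Run it as `. ./script.sh; list_cma_dirs VID_94` in Expert mode; with a Version ID that AllVersions does not list, it stops at the IsLegalVersion check.
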
$MDSVERUTIL IsOsSupportsIPv6

Description
Returns true, if the OS supports IPv6.
Returns false, if the OS does not support IPv6.

Known Limitation PMTR-14989 - Multi-Domain Server does not support IPv6 address configuration.

Syntax

$MDSVERUTIL IsOsSupportsIPv6

$MDSVERUTIL LatestVersion

Description
Returns the internal Version ID of the latest installed version.

Syntax

$MDSVERUTIL LatestVersion

See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL LatestVersion
VID_92
[Expert@MDS:0]#

$MDSVERUTIL MDSAddonDir

Description
Returns the path to the Management Addon directory in the MDS context.
In addition, see the "$MDSVERUTIL CMAAddonDir" on page 780 command.

Syntax

$MDSVERUTIL MDSAddonDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL MDSAddonDir
/opt/CPmgmt-R55W
[Expert@MDS:0]#

$MDSVERUTIL MDSCompDir

Description
Returns the full path for the specified Backward Compatibility Package in the MDS context.
In addition, see these commands:
- "$MDSVERUTIL CMACompDir" on page 781
- "$MDSVERUTIL MDSVarCompDir" on page 824

Syntax

$MDSVERUTIL MDSCompDir -c <Name of Backward Compatibility Package>

Parameters

Parameter Description

-c <Name of Backward Compatibility Package>
    Specifies the name of the Backward Compatibility Package.
    The Backward Compatibility Package contains the applicable files to install policy on Security Gateways that run a lower version than the Multi-Domain Server.
    To see the list of all Backward Compatibility Packages, run in Expert mode:
    ls -1 /opt/ | grep CMP

Example

[Expert@MDS:0]# $MDSVERUTIL MDSCompDir -c CPR77CMP-R80.40
/opt/CPR77CMP-R80.40
[Expert@MDS:0]#

$MDSVERUTIL MDSDir

Description
Returns the full path in the /opt/ directory to the $MDSDIR directory.
In addition, see the "$MDSVERUTIL MDSVarDir" on page 825 command.

Syntax

$MDSVERUTIL MDSDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSDir
/opt/CPmds-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSDir -v VID_90
/opt/CPmds-R77
[Expert@MDS:0]#

$MDSVERUTIL MDSFgDir

Description
Returns the full path for the $FGDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMAFgDir" on page 782 command.

Syntax

$MDSVERUTIL MDSFgDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFgDir
/opt/CPsuite-R80.40/fg1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFgDir -v VID_90
/opt/CPsuite-R77/fg1
[Expert@MDS:0]#

$MDSVERUTIL MDSFwbcDir
Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax
option until it is removed completely.

Description
Returns the full path in the /opt/ directory (in the MDS context) for the Backward
Compatibility directory for UTM-1 Edge devices.
This Backward Compatibility directory contains the applicable files to install policy on UTM-1
Edge devices.
In addition, see the "$MDSVERUTIL MDSVarFwbcDir" on page 826 command.

Syntax

$MDSVERUTIL MDSFwbcDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFwbcDir
/opt/CPEdgecmp-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFwbcDir -v VID_90
/opt/CPEdgecmp-R77
[Expert@MDS:0]#

$MDSVERUTIL MDSFwDir

Description
Returns the full path in the /opt/ directory for the $FWDIR directory in the MDS context.
In addition, see these commands:
- "$MDSVERUTIL MDSVarFwDir" on page 827
- "$MDSVERUTIL CMAFwDir" on page 786

Syntax

$MDSVERUTIL MDSFwDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID>
    Specifies the internal Version ID.
    See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFwDir
/opt/CPsuite-R80.40/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFwDir -v VID_90
/opt/CPsuite-R77/fw1
[Expert@MDS:0]#

$MDSVERUTIL MDSIp

Description
Returns the IPv4 address of Multi-Domain Server.
In addition, see the "$MDSVERUTIL CMAIp" on page 787 command.

Syntax

$MDSVERUTIL MDSIp [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL MDSIp
192.168.3.51
[Expert@MDS:0]#


$MDSVERUTIL MDSIp6

Description
Returns the IPv6 address of Multi-Domain Server.
In addition, see the "$MDSVERUTIL CMAIp6" on page 788 command.

Known Limitation PMTR-14989 - Multi-Domain Server does not support IPv6 address configuration.

Syntax

$MDSVERUTIL MDSIp6 [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.


$MDSVERUTIL MDSLogExporterDir

Description
Returns the full path for the $EXPORTERDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMALogExporterDir" on page 789 command.

Syntax

$MDSVERUTIL MDSLogExporterDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSLogExporterDir
/opt/CPrt-R80.40/log_exporter
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSLogExporterDir -v VID_91
/opt/CPrt-R80/
[Expert@MDS:0]#


$MDSVERUTIL MDSLogIndexerDir

Description
Returns the full path for the $INDEXERDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMALogIndexerDir" on page 790 command.

Syntax

$MDSVERUTIL MDSLogIndexerDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSLogIndexerDir
/opt/CPrt-R80.40/log_indexer
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSLogIndexerDir -v VID_91
/opt/CPrt-R80/
[Expert@MDS:0]#


$MDSVERUTIL MDSPkgName

Description
Returns the name of the MDS software package.
In addition, see the "$MDSVERUTIL SVNPkgName" on page 837 command.

Syntax

$MDSVERUTIL MDSPkgName [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSPkgName
CPmds-R80.40-00
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSPkgName -v VID_90
CPmds-R77-00
[Expert@MDS:0]#


$MDSVERUTIL MDSRegistryDir

Description
Returns the full path for the $CPDIR/registry/ directory in the MDS context.
In addition, see the "$MDSVERUTIL CMARegistryDir" on page 793 command.

Syntax

$MDSVERUTIL MDSRegistryDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSRegistryDir
/opt/CPshrd-R80.40/registry
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSRegistryDir -v VID_90
/opt/CPshrd-R77/registry
[Expert@MDS:0]#


$MDSVERUTIL MDSReporterDir

Description
Returns the full path for the $RTDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMAReporterDir" on page 794 command.

Syntax

$MDSVERUTIL MDSReporterDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSReporterDir
/opt/CPrt-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSReporterDir -v VID_91
/opt/CPrt-R80
[Expert@MDS:0]#


$MDSVERUTIL MDSSmartLogDir

Description
Returns the full path for the $SMARTLOGDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMASmartLogDir" on page 795 command.

Syntax

$MDSVERUTIL MDSSmartLogDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSSmartLogDir
/opt/CPSmartLog-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSSmartLogDir -v VID_91
/opt/CPSmartLog-R80
[Expert@MDS:0]#


$MDSVERUTIL MDSSvnDir

Description
Returns the full path in the /opt/ directory for the $CPDIR directory in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMASvnDir" on page 797
n "$MDSVERUTIL MDSVarSvnDir" on page 828

Syntax

$MDSVERUTIL MDSSvnDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSSvnDir
/opt/CPshrd-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSSvnDir -v VID_91
/opt/CPshrd-R80
[Expert@MDS:0]#


$MDSVERUTIL MDSVarCompDir

Description
Returns the full path in the /var/opt/ directory for the specified Backward Compatibility
Package in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMACompDir" on page 781
n "$MDSVERUTIL MDSCompDir" on page 810

Syntax

$MDSVERUTIL MDSVarCompDir -c <Name of Backward Compatibility Package>

Parameters

Parameter          Description
-c <Name of Backward Compatibility Package>
                   Specifies the name of the Backward Compatibility Package.
                   The Backward Compatibility Package contains the applicable files to install policy on Security Gateways that run a lower version than the Multi-Domain Server.
                   To see the list of all Backward Compatibility Packages, run in Expert mode:
                   ls -1 /var/opt/ | grep CMP

Example

[Expert@MDS:0]# $MDSVERUTIL MDSVarCompDir -c CPR77CMP-R80.40
/var/opt/CPR77CMP-R80.40
[Expert@MDS:0]#


$MDSVERUTIL MDSVarDir

Description
Returns the full path in the /var/opt/ directory to the $MDSDIR directory.
In addition, see the "$MDSVERUTIL MDSDir" on page 811 command.

Syntax

$MDSVERUTIL MDSVarDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarDir
/var/opt/CPmds-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarDir -v VID_90
/var/opt/CPmds-R77
[Expert@MDS:0]#


$MDSVERUTIL MDSVarFwbcDir
Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax
option until it is removed completely.

Description
Returns the full path in the /var/opt/ directory (in the MDS context) for the Backward
Compatibility directory for UTM-1 Edge devices.
This Backward Compatibility directory contains the applicable files to install policy on UTM-1
Edge devices.
In addition, see the "$MDSVERUTIL MDSFwbcDir" on page 813 command.

Syntax

$MDSVERUTIL MDSVarFwbcDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwbcDir
/var/opt/CPEdgecmp-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwbcDir -v VID_90
/var/opt/CPEdgecmp-R77
[Expert@MDS:0]#


$MDSVERUTIL MDSVarFwDir

Description
Returns the full path in the /var/opt/ directory for the $FWDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL MDSFwDir" on page 814 command.

Syntax

$MDSVERUTIL MDSVarFwDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwDir
/var/opt/CPsuite-R80.40/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwDir -v VID_90
/var/opt/CPsuite-R77/fw1
[Expert@MDS:0]#


$MDSVERUTIL MDSVarSvnDir

Description
Returns the full path in the /var/opt/ directory for the $CPDIR directory in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMASvnDir" on page 797
n "$MDSVERUTIL MDSSvnDir" on page 823

Syntax

$MDSVERUTIL MDSVarSvnDir [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarSvnDir
/var/opt/CPshrd-R80.40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarSvnDir -v VID_90
/var/opt/CPshrd-R77
[Expert@MDS:0]#


$MDSVERUTIL MSP

Description
Returns the Minor Service Pack version.
In addition, see these commands:
n "$MDSVERUTIL SP" on page 836
n "$MDSVERUTIL CpdbUpParam" on page 799

Syntax

$MDSVERUTIL MSP [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MSP
9
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MSP -v VID_91
8
[Expert@MDS:0]#


$MDSVERUTIL OfficialName

Description
Returns the official version name.
In addition, see the "$MDSVERUTIL ShortOfficialName" on page 834 command.

Syntax

$MDSVERUTIL OfficialName [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL OfficialName
R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL OfficialName -v VID_91
R80
[Expert@MDS:0]#

Example 3

[Expert@MDS:0]# $MDSVERUTIL OfficialName -v VID_65
NGX R65
[Expert@MDS:0]#


$MDSVERUTIL OptionPack

Description
Returns the internal Option Pack version.

Syntax

$MDSVERUTIL OptionPack [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL OptionPack
3
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL OptionPack -v VID_90
1
[Expert@MDS:0]#


$MDSVERUTIL ProductName

Description
Returns the official name of the Multi-Domain Server product.

Syntax

$MDSVERUTIL ProductName [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL ProductName
Multi-Domain Security Management
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL ProductName -v VID_65
Provider-1
[Expert@MDS:0]#


$MDSVERUTIL RegistryCurrentVer

Description
Returns the current internal version of Check Point Registry.

Syntax

$MDSVERUTIL RegistryCurrentVer [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example

[Expert@MDS:0]# $MDSVERUTIL RegistryCurrentVer
6.0
[Expert@MDS:0]#


$MDSVERUTIL ShortOfficialName

Description
Returns the short (without spaces) official version name.
In addition, see the "$MDSVERUTIL OfficialName" on page 830 command.

Syntax

$MDSVERUTIL ShortOfficialName [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL ShortOfficialName
R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL ShortOfficialName -v VID_65
NGX_65
[Expert@MDS:0]#


$MDSVERUTIL SmartCenterPuvUpgradeParam

Description
Returns the version identifier that is passed to the Pre-Upgrade Verifier (PUV) when it checks an upgrade to that version.

Syntax

$MDSVERUTIL SmartCenterPuvUpgradeParam [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam
R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam -v VID_90
R77
[Expert@MDS:0]#

Example 3

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam -v VID_65
NGX_R65
[Expert@MDS:0]#


$MDSVERUTIL SP

Description
Returns the Service Pack version.
In addition, see these commands:
n "$MDSVERUTIL MSP" on page 829
n "$MDSVERUTIL CpdbUpParam" on page 799

Syntax

$MDSVERUTIL SP [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SP
4
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SP -v VID_91
4
[Expert@MDS:0]#


$MDSVERUTIL SVNPkgName

Description
Returns the name of the Secure Virtual Network (SVN) package. Applies to versions NGX R60
and above.
In addition, see the "$MDSVERUTIL MDSPkgName" on page 819 command.

Syntax

$MDSVERUTIL SVNPkgName [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SVNPkgName
CPsuite-R80.40-00
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SVNPkgName -v VID_90
CPsuite-R77-00
[Expert@MDS:0]#


$MDSVERUTIL SvrDirectory

Description
Returns the full path for the SmartReporter directory.

Syntax

$MDSVERUTIL SvrDirectory [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.


$MDSVERUTIL SvrParam

Description
Returns the SmartReporter version.

Syntax

$MDSVERUTIL SvrParam [-v <Version_ID>]

Parameters

Parameter          Description
-v <Version_ID>    Specifies the internal Version ID.
                   See the "$MDSVERUTIL AllVersions" on page 777 command.


Creating a Domain Management Server with the 'mgmt_cli' Command
Prerequisites
n Name or Identifier of the Domain. For example: MyDomain
n Name or Identifier of the new Domain Management Server. For example: MyDMS
n IPv4 address for the new Domain Management Server.
n IPv4 Address for the Multi-Domain Server.
n The Multi-Domain Server username and password for a Multi-Domain Superuser, who
has permission to create the new Domain Management Server.

To create a new Domain Management Server


1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode with the Superuser credentials.
3. Create the Domain Management Server.
Run this command:

mgmt_cli add domain name <domain_name> servers.ip-address "<ipv4>" servers.name "<server_name>" servers.multi-domain-server "<mdm_name>"

For more information, see "mgmt_cli" on page 737.

Example:

mgmt_cli add domain name "domain1" servers.ip-address "192.0.2.1" servers.name "domain1_ManagementServer_1" servers.multi-domain-server "primary_mdm"

4. Connect with SmartConsole to the new Domain Management Server to configure the
applicable settings.


SmartProvisioning Commands
For more information about SmartProvisioning, see the R80.40 SmartProvisioning
Administration Guide.
In addition, see "Security Management Server Commands" on page 40.


Managing Security through API


This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the
API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions
with third party systems, such as virtualization servers, ticketing systems, and change
management systems.
To learn more about the management APIs, to see code samples, and to take advantage of
user forums, see:
n The API Documentation:
l Online - Check Point Management API Reference
l Local - https://<Server IP Address>/api_docs
By default, access to the local API Documentation is disabled. Follow the
instructions in sk174606.
n The Developers Network section of Check Point CheckMates Community.

API Tools
You can use these tools to work with the API Server on the Management Server:
n Standalone management tool, included with Gaia operating system:
mgmt_cli
n Standalone management tool, included with SmartConsole:
mgmt_cli.exe

You can copy this tool from the SmartConsole installation folder to other computers that
run Windows operating system.
n Web Services APIs that allow communication and data exchange between the clients
and the Management Server over the HTTP protocol.
These APIs also let other Check Point processes communicate with the Management
Server over the HTTPS protocol.
https://<IP Address of Management Server>/web_api/<command>
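The Web Services API above is the same interface that mgmt_cli and SmartConsole use, so anything this guide shows as a mgmt_cli line can also be sent as a JSON POST. The following Python script is an added example, not code from this guide or from Check Point: it performs the "add domain" request from "Creating a Domain Management Server with the 'mgmt_cli' Command" over HTTPS. It pins the SHA-256 fingerprint of the API server's certificate (the value you verified once when you first connected) instead of turning TLS verification off, then runs login, add-domain, publish and logout on that one connection and carries the session ID in the X-chkp-sid header. Those four command names and the header are the documented Web API ones; the host, fingerprint and credentials in the __main__ block are placeholders, and the client's IP address must be allowed by the API Server's Access Settings.

```python
"""Create a Domain Management Server through the Web API.

Added example, not code from the Check Point guide. It POSTs the documented
login, add-domain, publish and logout commands to https://<host>/web_api/<command>
and carries the session in the X-chkp-sid header. Host, fingerprint and
credentials in the __main__ block are placeholders.
"""
import hashlib
import http.client
import json
import ssl


def cert_fingerprint(der):
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def connect_pinned(host, expected_fp, port=443):
    """Open a TLS connection to the API server and accept only the certificate
    whose SHA-256 fingerprint equals expected_fp.

    Management servers present a certificate from the Internal CA, which a
    default trust store rejects. Pinning the fingerprint you verified once
    keeps a real check instead of switching verification off for good."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust is decided by the fingerprint below
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    conn.connect()
    seen = cert_fingerprint(conn.sock.getpeercert(binary_form=True))
    if seen != expected_fp.upper():
        conn.close()
        raise ssl.SSLError(f"{host}: certificate fingerprint {seen} does not match the pinned value")
    return conn


def api_call(conn, command, payload, sid=None):
    """POST one Web API command and return the decoded JSON reply.
    A non-200 reply becomes a RuntimeError carrying the server's code and message."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    conn.request("POST", f"/web_api/{command}", body=json.dumps(payload), headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    try:
        data = json.loads(raw) if raw else {}
    except ValueError:  # not JSON, for example an HTML error page
        data = {"message": raw[:200].decode("utf-8", "replace")}
    if resp.status != 200:
        raise RuntimeError(f"{command}: HTTP {resp.status} {data.get('code', '')} {data.get('message', '')}".strip())
    return data


def add_domain_body(domain, dms_name, dms_ip, mds_name):
    """The same request as the mgmt_cli 'add domain' line in this guide, as a JSON body."""
    return {
        "name": domain,
        "servers": [{"name": dms_name, "ip-address": dms_ip, "multi-domain-server": mds_name}],
    }


def create_domain(host, expected_fp, user, password, domain, dms_name, dms_ip, mds_name):
    """login -> add-domain -> publish -> logout on one pinned connection.
    logout runs even when add-domain fails, so no session is left open."""
    conn = connect_pinned(host, expected_fp)
    try:
        sid = api_call(conn, "login", {"user": user, "password": password})["sid"]
        try:
            result = api_call(conn, "add-domain", add_domain_body(domain, dms_name, dms_ip, mds_name), sid)
            api_call(conn, "publish", {}, sid)
            return result
        finally:
            api_call(conn, "logout", {}, sid)
    finally:
        conn.close()


if __name__ == "__main__":
    import getpass
    # Placeholders: the Multi-Domain Server address and the fingerprint you
    # recorded when you first verified its certificate.
    MDS_HOST = "192.0.2.10"
    MDS_FP = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
    print(create_domain(MDS_HOST, MDS_FP, "admin", getpass.getpass("Password: "),
                        "domain1", "domain1_ManagementServer_1", "192.0.2.1", "primary_mdm"))
```

The password is read with getpass rather than placed on the command line, and the session is always closed with logout, which matters on a Multi-Domain Server because abandoned sessions hold locks until they expire.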


Configuring the API Server

To configure the API Server:


1. Connect with SmartConsole to the Security Management Server or applicable Domain
Management Server.
2. From the left navigation panel, click Manage & Settings.
3. In the upper left section, click Blades.
4. In the Management API section, click Advanced Settings.
The Management API Settings window opens.

5. Configure the Startup Settings and the Access Settings.


Configuring Startup Settings

Select Automatic start to automatically start the API server when you start or reboot
the Management Server.

Notes:
n If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during Management Server installation.
n If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.

Configuring Access Settings

Select one of these options to configure which clients can connect to the API Server:
n Management server only - Only the Management Server itself can connect to
the API Server. This option only lets you use the mgmt_cli utility on the
Management Server to send API requests. You cannot use SmartConsole or
Web services to send API requests.
n All IP addresses that can be used for GUI clients - You can send API requests
from all IP addresses that are defined as Trusted Clients in SmartConsole. This
includes requests from SmartConsole, Web services, and the mgmt_cli utility
on the Management Server.
n All IP addresses - You can send API requests from all IP addresses. This
includes requests from SmartConsole, Web services, and the mgmt_cli utility
on the Management Server.

6. Publish the SmartConsole session.

7. Restart the API Server on the Management Server with this command:

api restart

Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server.


Check Point LSMcli Overview


Description
Check Point SmartLSM Command Line Utility (LSMcli) is a command line alternative to the SmartProvisioning GUI in SmartConsole.
LSMcli performs SmartProvisioning GUI operations from a command line or through a script.

Notes:
n LSMcli can run from hosts other than SmartConsole clients. Make sure to define the hosts, from which you run the LSMcli, as GUI clients.
n The first time you run the LSMcli from a client, it shows the Management Server's fingerprint. Compare it with the fingerprint shown on the Management Server (cpconfig, Certificate's Fingerprint) before you confirm it.
n LSMcli takes the password as a command-line argument. While the command runs, other users on the host can see it in the process list, and an interactive shell can save it in its history. Run LSMcli from a host that only trusted administrators can log in to.
n In the LSMcli, commands can use the abbreviation ROBO (Remote Office/Branch Office) gateways. In SmartProvisioning GUI, these gateways are called SmartLSM Security Gateways.

Syntax

LSMcli {-h | --help}
LSMcli [-d] <Mgmt Server> <Username> <Password> <Action>

Parameters

Parameter       Description
-d              Runs the command in the debug mode.
<Mgmt Server>   Specifies the Security Management Server or Domain Management Server by its Name or IPv4 address.
<Username>      Specifies the username used in the standard Check Point authentication method.
<Password>      Specifies the password used in the standard Check Point authentication method.
<Action>        Specifies the function performed (see the next sub-sections for a complete list of actions).


Syntax Notation
Square brackets ([ ]) are used in the LSMcli utility syntax. These brackets are correct and
syntactically necessary.
This is an example of how they are used:
n A [b [c]] - means that for parameter A, you can provide b. If you provide b, you can
provide c.
n A [b] [c] - means that for parameter A, you can provide b, c, or b and c.
n A [b c] - means that for parameter A, you can provide b and c.


SmartLSM Security Gateway Management Actions
This section describes commands that perform management actions on SmartLSM Gateways.


LSMcli AddROBO VPN1

Description
This command adds a new Check Point SmartLSM Security Gateway to SmartProvisioning
and assigns it a SmartLSM Security Profile.
If a one-time password is supplied, a SIC certificate is created.
If an IP address is also supplied, the SIC certificate is pushed to the SmartLSM Security Gateway (in this case, the SIC one-time password must already be initialized on the SmartLSM Security Gateway).
If no IP address is supplied, the SmartLSM Security Gateway pulls the SIC certificate from the Management Server afterwards.

You can also assign an IP address range to Dynamic Objects, and specify whether or not to
add them to the VPN domain.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBO VPN1 <RoboName> <Profile> [-RoboCluster=<OtherROBOName>] [-O=<ActivationKey> [-I=<IP>]] [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]] [-D:<DynamicObjectName>=<IP1>[-<IP2>]] [-D:...]

Parameters

Parameter                 Description
<Mgmt Server>             Name or IP address of the Security Management Server or Domain Management Server.
<Username>                User name of standard Check Point authentication method.
<Password>                Password of standard Check Point authentication method.
<RoboName>                Name of a SmartLSM Security Gateway.
<Profile>                 Name of a SmartLSM Security Profile that was defined in SmartConsole.


Parameter                 Description
<OtherROBOName>           Name of an already defined SmartLSM Security Gateway that participates in the SmartLSM Cluster with the newly created Security Gateway (if the "-RoboCluster" argument is provided).
<ActivationKey>           SIC one-time password (for this action, a certificate is generated).
<IP>                      IP address of the Security Gateway (for this action, a certificate is pushed to the Security Gateway).
<CaName>                  Name of the Trusted CA object (created from SmartConsole). The IKE certificate request is sent to this CA. Default is Check Point Internal CA.
<CertificateIdentifier#>  Key identifier for third-party CA.
<AuthorizationKey>        Authorization Key for third-party CA.
<DynamicObjectName>       Name of the Dynamic Object.
<IP1>                     Single IP address for the Dynamic Object.
<IP1>-<IP2>               Range of IP addresses for the Dynamic Object.

Example 1

This command adds a new SmartLSM Security Gateway MyRobo and assigns it the specified SmartLSM Security Profile AnyProfile.
A SIC one-time password and an IP address are supplied, so the SIC certificate is pushed to the new SmartLSM Security Gateway.
A Dynamic Object called FirstDO is resolved to an IP address for this Security Gateway.

LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=192.0.2.4 -D:FirstDO=192.0.2.100

Example 2

LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=10.10.10.1 -D:FirstDO=10.10.10.5 -CA=OPSEC_CA -R=cert123 -KEY=abc456


LSMcli ModifyROBO VPN1

Description
This command modifies a Check Point SmartLSM Security Gateway.
This action modifies the SmartProvisioning details for an existing SmartLSM Security Gateway
and can be used to update properties previously supplied by the user.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBO VPN1 <RoboName> ...

and at least one of these:

... [-P=<Profile>] [-RoboCluster={<OtherROBOName> | -NoRoboCluster}] [-D:<DO Name>=<IP1>[-<IP2>] [-KeepDOs]...]

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<RoboName>         Name of the SmartLSM Security Gateway.
<Profile>          Name of a SmartLSM Security Profile that was defined in SmartConsole.
<OtherROBOName>    Name of the already defined SmartLSM Security Gateway that is to participate in the Cluster with this Security Gateway (if the "-RoboCluster" argument is provided).
-NoRoboCluster     This parameter is equivalent to the Remove Cluster operation in the SmartProvisioning GUI. When you issue a ModifyROBO VPN1 command with this argument on a Security Gateway that participates in a cluster, the cluster is removed.
<DO Name>          Name of the Dynamic Object.


Parameter Description

<IP1> Single IP address for the Dynamic Object.

<IP1-IP2> Range of IP addresses for the Dynamic Object.

-KeepDOs Keeps all existing dynamic objects in the dynamic objects list when
you add new dynamic objects.
If a dynamic object already exists in the list, its IP resolution is
updated.

If this flag is not specified, the dynamic objects list is deleted when
you use the LSMcli command to add new dynamic objects.

Example
This example resolves Dynamic Objects for the given Security Gateway. Because -KeepDOs is not given, these two Dynamic Objects replace the existing list.

LSMcli mySrvr name pass ModifyROBO VPN1 MyRobo -D:MyEmailServer=123.45.67.8 -D:MySpecialNet=10.10.10.1-10.10.10.6


LSMcli ModifyROBOManualVPNDomain

Description
This command modifies the SmartLSM VPN Domain. The change takes effect only when the VPN Domain of the SmartLSM Security Gateway is defined as Manual (see the "LSMcli ModifyROBOTopology VPN1" on page 854 command).

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBOManualVPNDomain <RoboName> {-Add=<FirstIP>-<LastIP> | -Delete=<Index>} [-IfOverlappingIPRangesDetected={exit | ignore | warn}]

Parameters

Parameter                        Description
<Mgmt Server>                    Name or IP address of the Security Management Server or Domain Management Server.
<Username>                       User name of standard Check Point authentication method.
<Password>                       Password of standard Check Point authentication method.
<RoboName>                       Name of the SmartLSM Security Gateway or SmartLSM Cluster.
<FirstIP>-<LastIP>               IP address range.
<Index>                          Value displayed by the "LSMcli ShowInfo" on page 876 command or the "LSMcli ShowROBOTopology" on page 865 command.
-IfOverlappingIPRangesDetected   Optional. Determines the course of action, if overlapping IP address ranges are detected: exit, ignore, or show a warning.


Example 1

LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Add=192.0.2.1-192.0.2.20

Example 2

LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Delete=1


LSMcli ModifyROBOTopology VPN1

Description
This command modifies the SmartLSM VPN Domain configuration for a selected Security
Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBOTopology VPN1 <RoboName> -VPNDomain={not_defined | external_ip_only | topology | manual}

Parameters

Parameter          Description
<Mgmt Server>      Name or IP address of the Security Management Server or Domain Management Server.
<Username>         User name of standard Check Point authentication method.
<Password>         Password of standard Check Point authentication method.
<RoboName>         Name of the SmartLSM Security Gateway.
-VPNDomain         Specifies the VPN Domain topology:
                   n not_defined - Equivalent to the Not Defined option on the Topology tab of a SmartLSM Security Gateway in the SmartProvisioning GUI (or in the output of the "LSMcli ShowROBOTopology" on page 865 command).
                   n external_ip_only - Equivalent to the Only the external interface configuration in the SmartProvisioning GUI.
                   n topology - Equivalent to the All IP Addresses behind the Gateway based on Topology information configuration in the SmartProvisioning GUI.
                   n manual - Equivalent to Manually defined. The VPN domain is defined according to the configuration made with the "LSMcli ModifyROBOManualVPNDomain" on page 852 command.

Example

LSMcli mySrvr name pass ModifyROBOTopology VPN1 MyRobo -VPNDomain=manual
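Switching a gateway to a manual VPN Domain is a two-step job: ModifyROBOTopology VPN1 ... -VPNDomain=manual, then one ModifyROBOManualVPNDomain -Add call per range. Because every -Add is a separate LSMcli invocation, an overlap that -IfOverlappingIPRangesDetected=exit catches on the third range leaves the first two already applied. The following Python script is an added example, not part of this guide or of Check Point's tooling: it checks the whole set of ranges for overlaps locally, and only then assembles and runs the LSMcli commands documented above, keeping the utility's own exit option as a second check against ranges that already exist on the server. It assumes LSMcli is on the PATH of a host defined as a GUI client and that a single address may be sent as a one-address range; the server, user, gateway name and ranges are placeholders.

```python
"""Set a SmartLSM Security Gateway's VPN Domain to Manual and load a set of
address ranges into it.

Added example, not part of the Check Point guide. It only assembles and runs
the LSMcli commands documented above. LSMcli is assumed to be on the PATH of
a host defined as a GUI client; server, user, gateway and ranges are placeholders.
"""
import ipaddress
import subprocess


def parse_range(text):
    """Accept '192.0.2.1-192.0.2.20' or a single address; return (first, last)."""
    first, sep, last = text.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if sep else lo
    if hi < lo:
        raise ValueError(f"range {text!r} ends before it starts")
    return lo, hi


def find_overlaps(ranges):
    """Index pairs (i, j) of ranges that share at least one address."""
    parsed = [parse_range(r) for r in ranges]
    hits = []
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            (a_lo, a_hi), (b_lo, b_hi) = parsed[i], parsed[j]
            if a_lo <= b_hi and b_lo <= a_hi:
                hits.append((i, j))
    return hits


def lsmcli_argv(server, user, password, action, *args):
    """argv for one LSMcli invocation: LSMcli <Mgmt Server> <Username> <Password> <Action> ..."""
    return ["LSMcli", server, user, password, action, *args]


def manual_vpn_domain_commands(server, user, password, robo, ranges):
    """Commands that switch the VPN Domain to Manual and then add every range.

    The whole set is checked for overlaps before anything is sent, because each
    -Add is its own LSMcli call and a failure mid-sequence would leave the
    domain half-populated. The utility's -IfOverlappingIPRangesDetected=exit
    stays on to catch overlaps with ranges already present on the server."""
    if not ranges:
        raise ValueError("no ranges given")
    overlaps = find_overlaps(ranges)
    if overlaps:
        bad = ", ".join(f"{ranges[i]} / {ranges[j]}" for i, j in overlaps)
        raise ValueError(f"overlapping ranges: {bad}")
    cmds = [lsmcli_argv(server, user, password, "ModifyROBOTopology", "VPN1", robo, "-VPNDomain=manual")]
    for r in ranges:
        lo, hi = parse_range(r)  # a single address is sent as a one-address range (assumption)
        cmds.append(lsmcli_argv(server, user, password, "ModifyROBOManualVPNDomain", robo,
                                f"-Add={lo}-{hi}", "-IfOverlappingIPRangesDetected=exit"))
    return cmds


def run_all(cmds):
    """Run the commands in order and stop at the first failure."""
    outputs = []
    for argv in cmds:
        proc = subprocess.run(argv, capture_output=True, text=True)
        if proc.returncode != 0:
            raise RuntimeError(f"{argv[4]} failed: {(proc.stderr or proc.stdout).strip()}")
        outputs.append(proc.stdout)
    return outputs


if __name__ == "__main__":
    import getpass
    # The password still lands on the command line of every LSMcli call, where
    # other users on this host can read it from the process list.
    plan = manual_vpn_domain_commands("mySrvr", "name", getpass.getpass("Password: "), "MyRobo",
                                      ["192.0.2.1-192.0.2.20", "198.51.100.5"])
    run_all(plan)
```

The check is deliberately strict: a malformed or reversed range raises before any command runs, and an overlap names both ranges involved so the operator can fix the input rather than inspect a half-applied VPN Domain with ShowROBOTopology.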


LSMcli ModifyROBOInterface VPN1

Description
This command modifies the Internal Interface list.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBOInterface VPN1 <RoboName> <InterfaceName> -i=<IPAddress> [-Netmask=<NetMask>] [-IfOverlappingIPRangesDetected={exit | ignore | warn}]

Parameters

Parameter                        Description
<Mgmt Server>                    Name or IP address of the Security Management Server or Domain Management Server.
<Username>                       User name of standard Check Point authentication method.
<Password>                       Password of standard Check Point authentication method.
<RoboName>                       Name of the SmartLSM Security Gateway.
<InterfaceName>                  Name of the existing interface.
<IPAddress>                      IP address of the interface.
<NetMask>                        Net mask of the interface.
-IfOverlappingIPRangesDetected   Optional. Determines the course of action, if overlapping IP address ranges are detected: exit, ignore, or show a warning.

Example

LSMcli mySrvr name pass ModifyROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1 -Netmask=255.255.255.0


LSMcli AddROBOInterface VPN1

Description
This command adds a new interface to the selected SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBOInterface


VPN1 <RoboName> <InterfaceName> -i=<IPAddress> -NetMask=<NetMask>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain


Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

< Name of an existing interface.


InterfaceName>

<IPAddress> IP address of the interface.

<NetMask> Net mask of the interface.

Example

LSMcli mySrvr name pass AddROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1 -Netmask=255.255.255.0

LSMcli DeleteROBOInterface VPN1

Description
This command deletes an interface from the selected Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> DeleteROBOInterface VPN1 <RoboName> <InterfaceName>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<InterfaceName> Name of an existing interface.

Example

LSMcli mySrvr name pass DeleteROBOInterface VPN1 MyRobo eth0

LSMcli ExportIke

Description
This command exports the IKE Certificate of a SmartLSM Security Gateway, SmartLSM Cluster, or SmartLSM Cluster Member into a P12 file (encrypted with the password you provide).
The default location of the exported file is the $FWDIR/conf/ directory.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ExportIke <RoboName> <Password> <FileName>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway, SmartLSM Cluster, or SmartLSM Cluster Member, whose certificate is exported.

<Password> Password used to protect the p12 file.

<FileName> Destination file name (is created).

Example

LSMcli mySrvr name pass ExportIke MyROBO ajg42k93N MyROBOCert.p12

LSMcli ResetIke

Description
This command resets the IKE Certificate of a SmartLSM Security Gateway, SmartLSM
Cluster, or SmartLSM Cluster Member.
This action revokes the existing IKE certificate and creates a new one.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ResetIke <RoboName> [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the Security Gateway, SmartLSM Cluster, or SmartLSM Cluster Member.

<CaName> Name of the Trusted CA object (created from SmartConsole); the IKE certificate request is sent to this CA.

<CertificateIdentifier> Key identifier of the specific certificate.

<AuthorizationKey> Authorization Key to be sent to the CA for the certificate retrieval.

Example

LSMcli mySrvr name pass ResetIke MyROBO -CA=OPSEC_CA -R=cer3452s -KEY=ad23fgh

LSMcli Remove

Description
This command deletes a SmartLSM Security Gateway.
This action revokes all the certificates used by the SmartLSM Security Gateway, releases all
the licenses and, finally, removes the SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Remove <RoboName> <ID>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the Security Gateway.

<ID> ID of the SmartLSM Security Gateway. Use the "LSMcli Show" on page 863 command to check the ID of the specific SmartLSM Security Gateway.

Example

LSMcli mySrvr name pass Remove MyRobo 0.0.0.251

LSMcli ResetSic

Description
This command resets the SIC Certificate of a SmartLSM Security Gateway or SmartLSM
Cluster Member.
This action revokes the Security Gateway's SIC certificate and creates a new one with the one-time password provided by the user.
If an IP address is supplied for the SmartLSM Security Gateway, the SIC certificate is pushed to the SmartLSM Security Gateway, in which case the SmartLSM Security Gateway SIC one-time password must be initialized first.
Otherwise, if no IP address is given, the SIC certificate is later pulled from the SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ResetSic <RoboName> <ActivationKey> [-I=<IPAddress>]

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway or SmartLSM Cluster Member.

<ActivationKey> One-time password for the Secure Internal Communications with the SmartLSM Security Gateway.

<IPAddress> IP address of the Security Gateway (for this action, the certificate is pushed to the Security Gateway).

Example 1

LSMcli mySrvr name pass ResetSic MyROBO aw47q1

Example 2

LSMcli mySrvr name pass ResetSic MyFixedIPROBO sp36rt1 -I=10.20.30.1

LSMcli Show

Description
This command displays a list of existing Security Gateways.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Show [-N=<Gateway Name>] [-F=<FilterFlags>]

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<Gateway Name> Name of the Security Gateway to display. If the "-N" flag is not included, the command prints the existing Devices work space, including SmartLSM Security Gateways.

-F=<FilterFlags> You can use these flags to filter the printed information:
- b - ID
- c - Cluster ID
- d - List of Dynamic Objects assigned to this SmartLSM Security Gateway
- g - Gateway status
- i - IP address
- k - IKE DN
- l - Policy status
- n - Name
- p - SmartLSM Security Profile
- s - SIC DN
- t - Type
- v - Version
Note - To specify more than one filter flag, write them together. Example: -F=bn

Example 1

LSMcli mySrvr name pass Show -N=MyRobo

Example 2

LSMcli mySrvr name pass Show -F=binpt

LSMcli ShowROBOTopology

Description
This command displays the Topology information of the SmartLSM Security Gateway.
It lists the defined Interfaces and their respective IP Addresses and Network Masks, and the
VPN Domain configuration.
The displayed list shows an index for each manually defined VPN domain IP address range; use that index when you delete a range with the "LSMcli ModifyROBOManualVPNDomain" on page 852 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ShowROBOTopology <RoboName>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the Security Gateway.

Example

LSMcli mySrvr name pass ShowROBOTopology MyRobo

LSMcli UpdateCO

Description
This command updates a Corporate Office (CO) Security Gateway.
This action updates the CO Security Gateway with up-to-date available information about the
VPN Domains of the SmartLSM Security Gateways.
Perform this action after you add a new SmartLSM Security Gateway to enable the CO
gateway to initiate a VPN tunnel to the new SmartLSM Security Gateway.
Alternatively, you can Install Policy on the CO gateway to obtain updated VPN Domain
information.

Note - This command supports CO Security Gateways only.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> UpdateCO {<CoGw> | <CoGwCluster>}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<CoGw> Name of a CO gateway.

<CoGwCluster> Name of a cluster of CO gateways.

Example

LSMcli mySrvr name pass UpdateCO MyCO

SmartUpdate Actions
This section describes commands that perform SmartUpdate actions on SmartLSM Gateways.
Before you can install software on gateways, you must first load it to the Security Management
Server.

Best Practice - Run the "LSMcli VerifyInstall" on page 872 command to make sure
that the software is compatible.

Use the "LSMcli Install" on page 868 command to install the software.
Use the "LSMcli Uninstall" on page 870 command to uninstall the software.

LSMcli Install

Description
This command installs the specified software on the SmartLSM Security Gateway or
SmartLSM Cluster Member.

Note - Before you can install software on SmartLSM Security Gateways, you must
first load it to the Security Management Server.
Best Practice - Run the "LSMcli VerifyInstall" on page 872 command to make sure
that the software is compatible.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Install <RoboName> <Product> <Vendor> <Version> <SP> [-P=<Profile>] [-boot] [-DoNotDistribute]

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<Product> Name of the package.

<Vendor> Name of the vendor of the package.

<Version> Major Version of the package.

<SP> Minor Version of the package.

<Profile> Assign a different SmartLSM Security Profile (already defined in SmartConsole) after installation.

-boot Reboot the SmartLSM Security Gateway after installation.

-DoNotDistribute Optional. Install previously distributed packages.

Example

LSMcli mySrvr name pass Install MyRobo firewall checkpoint NG_AI fcs -P=AnyProfile -boot

LSMcli Uninstall

Description
This command uninstalls the specified package from the SmartLSM Security Gateway or
SmartLSM Cluster Member.
You can use the "LSMcli ShowInfo" on page 876 command to see what products are installed
on the SmartLSM Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Uninstall <RoboName> <Product> <Vendor> <Version> <SP> [-P=<Profile>] [-boot]

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<Product> Name of the package.

<Vendor> Name of the vendor of the package.

<Version> Major Version of the package.

<SP> Minor Version of the package.

<Profile> Assign a different SmartLSM Security Profile (already defined in SmartConsole) after uninstall.

-boot Reboot the SmartLSM Security Gateway after the uninstall.

Example

LSMcli mySrvr name pass Uninstall MyRobo firewall checkpoint NG_AI fcs -boot

LSMcli Distribute

Description
This command distributes a package from the Repository to the SmartLSM Security Gateway
or SmartLSM Cluster Member, but does not install it.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Distribute <RoboName> <Product> <Vendor> <Version> <SP>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<Product> Name of the package.

<Vendor> Name of the vendor of the package.

<Version> Major version of the package.

<SP> Minor version of the package.

Example

LSMcli mySrvr name pass Distribute MyRobo fw1 checkpoint NG_AI R54

LSMcli VerifyInstall

Description
This command makes sure that the software is compatible to install on the SmartLSM Security
Gateway or SmartLSM Cluster Member.

Note - This action does not perform an installation.

Best Practice - Run this command before you install the software on the SmartLSM
Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> VerifyInstall <RoboName> <Product> <Vendor> <Version> <SP>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<Product> Name of the package.

<Vendor> Name of the vendor of the package.

<Version> Major version of the package.

<SP> Minor version of the package.

Example

LSMcli mySrvr name pass VerifyInstall MyRobo firewall checkpoint NG_AI fcs
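A staged rollout that chains the SmartUpdate actions described in this section (Distribute, then VerifyInstall, then Install with -DoNotDistribute), as an added Python example that is not Check Point code. It assumes LSMcli is on the PATH of the host it runs on, that a non-zero exit status signals a failed action, and that the password is supplied in the LSM_PASSWORD environment variable (all assumptions); the server, user, gateway and package names are constructed and match the examples in this guide.

```python
"""Staged SmartUpdate rollout with LSMcli: Distribute, VerifyInstall, then Install.

Added example, not Check Point code. Assumes LSMcli is on the PATH and exits
non-zero when an action fails (assumption); the argument order follows the
Distribute, VerifyInstall and Install syntax in this guide.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Package:
    """One repository package, named the way SmartUpdate identifies it."""
    product: str  # <Product>, for example "firewall"
    vendor: str   # <Vendor>, for example "checkpoint"
    version: str  # <Version>, the major version
    sp: str       # <SP>, the minor version

    def args(self) -> List[str]:
        return [self.product, self.vendor, self.version, self.sp]


@dataclass(frozen=True)
class Mgmt:
    """Connection details for the Security Management or Domain Management Server."""
    server: str
    username: str
    password: str
    debug: bool = False  # adds the -d flag

    def base(self) -> List[str]:
        cmd = ["LSMcli"]
        if self.debug:
            cmd.append("-d")
        return cmd + [self.server, self.username, self.password]


def rollout_plan(mgmt: Mgmt, robo: str, pkg: Package,
                 profile: Optional[str] = None, reboot: bool = False) -> List[List[str]]:
    """Return the LSMcli command lines in order: Distribute, VerifyInstall, Install."""
    base = mgmt.base()
    install = base + ["Install", robo] + pkg.args()
    if profile:
        install.append(f"-P={profile}")
    if reboot:
        install.append("-boot")
    # Distribute already copied the package to the gateway; Install must not send it again.
    install.append("-DoNotDistribute")
    return [
        base + ["Distribute", robo] + pkg.args(),
        base + ["VerifyInstall", robo] + pkg.args(),
        install,
    ]


def action_index(cmd: List[str]) -> int:
    """Index of the action word in an LSMcli command line; the password sits just before it."""
    return 5 if cmd[1] == "-d" else 4


def redacted(cmd: List[str]) -> str:
    """Render a command line for logging with the password argument masked."""
    pw = action_index(cmd) - 1
    return " ".join(cmd[:pw] + ["********"] + cmd[pw + 1:])


def _run(cmd: List[str]) -> int:
    """Default runner: execute LSMcli as an argv list (no shell re-parsing) and return its exit status."""
    return subprocess.run(cmd, check=False).returncode


def run_rollout(mgmt: Mgmt, robo: str, pkg: Package, profile: Optional[str] = None,
                reboot: bool = False, runner: Callable[[List[str]], int] = _run) -> bool:
    """Run the plan step by step and stop before Install if Distribute or VerifyInstall fails."""
    for cmd in rollout_plan(mgmt, robo, pkg, profile, reboot):
        print("running:", redacted(cmd))
        if runner(cmd) != 0:
            print(f"{cmd[action_index(cmd)]} failed on {robo}; not continuing")
            return False
    return True


if __name__ == "__main__":
    # LSMcli receives the password as a command-line argument, which other local users
    # can read from the process list, so at least keep it out of scripts and shell history.
    mgmt = Mgmt("mySrvr", "name", os.environ["LSM_PASSWORD"])
    pkg = Package("firewall", "checkpoint", "NG_AI", "fcs")
    ok = run_rollout(mgmt, "MyRobo", pkg, profile="AnyProfile", reboot=True)
    raise SystemExit(0 if ok else 1)
```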

LSMcli VerifyUpgrade

Description
This command verifies if you can upgrade a selected software on the SmartLSM Security
Gateway or SmartLSM Cluster Member.

Note - This command does not perform an installation.

Best Practice - Run this command before you run the "LSMcli Upgrade" on page 874
command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> VerifyUpgrade <RoboName>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

Example

LSMcli mySrvr name pass VerifyUpgrade MyRobo

LSMcli Upgrade

Description
This command upgrades all the (appropriate) available software packages on the SmartLSM
Security Gateway or SmartLSM Cluster Member.

Best Practice - Run the "LSMcli VerifyUpgrade" on page 873 command before you
run this command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Upgrade <RoboName> [-P=<Profile>] [-boot]

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<Profile> Assign a different SmartLSM Security Profile (already defined in SmartConsole) after installation.

-boot Reboot the SmartLSM Security Gateway after the installation is finished.

Example

LSMcli mySrvr name pass Upgrade MyRobo -P=myprofile -boot

LSMcli GetInfo

Description
This command collects product information from the SmartLSM Security Gateway or
SmartLSM Cluster Member.

Important - If you upgrade any package manually instead of using SmartUpdate, you
must run this command before you run the "LSMcli ShowInfo" on page 876 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> GetInfo <RoboName>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

Example

LSMcli mySrvr name pass GetInfo MyRobo

LSMcli ShowInfo

Description
This command displays product information for the list of the products installed on the
SmartLSM Security Gateway or SmartLSM Cluster Member.

Important - Before you run this command, run the "LSMcli GetInfo" on page 875
command to make sure the information is up-to-date.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ShowInfo <RoboName>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the Security Gateway.

Example

LSMcli mySrvr name pass ShowInfo MyRobo

LSMcli ShowRepository

Description
This command shows the list of the available products on the Management Server.
Use SmartUpdate to manage the products, load new products, remove products, and so on.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ShowRepository

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

Example

LSMcli mySrvr name pass ShowRepository

LSMcli Stop

Description
This command stops Security Gateway services on the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 169.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Stop {<RoboName> | <GatewayName>}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<GatewayName> Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass Stop MyRobo

LSMcli Start

Description
This command starts Security Gateway services on the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 169.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Start {<RoboName> | <GatewayName>}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<GatewayName> Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass Start MyRobo

LSMcli Restart

Description
This command restarts Security Gateway services on the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 169.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Restart {<RoboName> | <GatewayName>}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<GatewayName> Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass Restart MyRobo

LSMcli Reboot

Description
This command reboots the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 169.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> Reboot {<RoboName> | <GatewayName>}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway.

<GatewayName> Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass Reboot MyRobo

LSMcli Push Actions


These commands are used to push updated values, settings, and security rules to gateways.
After you create a gateway or a dynamic object in the SmartProvisioning system, you must
assign (push) a security policy to it.

LSMcli PushPolicy

Description
This command pushes a policy to the selected gateway.

Notes:
- The CPRID services must run on the selected gateway. See "cprid" on page 169.
- This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Clusters.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> PushPolicy {<RoboName> | <GatewayName>}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway, or SmartLSM Cluster.

<GatewayName> Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass PushPolicy MyRobo

LSMcli PushDOs

Description
This command updates a Dynamic Object's information on the SmartLSM Security Gateway or
SmartLSM Cluster Member.

Note - This command only adds new IP address ranges; it does not remove or release the IP address range of a deleted Dynamic Object. To remove such a range, run the "LSMcli PushPolicy" on page 883 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> PushDOs <RoboName>

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway or SmartLSM Cluster Member.

Example

LSMcli mySrvr name pass PushDOs MyRobo

LSMcli GetStatus

Description
This command fetches various statistics from the selected gateway.

Note - This command supports Security Gateways, SmartLSM Security Gateways, and SmartLSM Cluster Members.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> GetStatus {<RoboName> | <GatewayName>}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboName> Name of the SmartLSM Security Gateway or SmartLSM Cluster Member.

<GatewayName> Name of the standard Security Gateway.

Example

LSMcli mySrvr name pass GetStatus MyRobo

Managing SmartLSM Clusters with LSMcli


With the LSMcli command, you can define SmartLSM clusters, and configure most of the
options available in SmartProvisioning GUI (in the New SmartLSM Cluster wizard and in the
Edit windows).
This section lists unique commands for SmartLSM Clusters.
Other commands that also apply to SmartLSM Clusters:
- "LSMcli Distribute" on page 871
- "LSMcli GetInfo" on page 875
- "LSMcli GetStatus" on page 885
- "LSMcli Install" on page 868
- "LSMcli ModifyROBOManualVPNDomain" on page 852
- "LSMcli PushDOs" on page 884
- "LSMcli PushPolicy" on page 883
- "LSMcli Reboot" on page 881
- "LSMcli ResetIke" on page 859
- "LSMcli ResetSic" on page 861
- "LSMcli Restart" on page 880
- "LSMcli ShowInfo" on page 876
- "LSMcli Start" on page 879
- "LSMcli Stop" on page 878
- "LSMcli Uninstall" on page 870
- "LSMcli Upgrade" on page 874
- "LSMcli VerifyInstall" on page 872
- "LSMcli VerifyUpgrade" on page 873

Note - There is no convert action for or to SmartLSM clusters.

LSMcli AddROBO VPN1Cluster

Description
This command defines a new SmartLSM cluster.
You can configure all of the options available in the New SmartLSM Cluster wizard of the
SmartProvisioning GUI.
The only exception is the configuration of Topology overrides (see "LSMcli ModifyROBONetaccess VPN1Cluster" on page 891).

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBO VPN1Cluster <Profile> <MainIPAddress> <SuffixName> [-S=<SubstitutedNamePart>] [-CA=<CaName> [-R=<KeyIdentifier#>] [-KEY=<AuthorizationCode>]]

Parameters

Parameter Description SmartLSM GUI Location

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<Profile> Name of cluster Profile to which to map the new cluster. GUI location: New SmartLSM Cluster wizard.

<MainIPAddress> Main IP address of cluster. GUI location: New SmartLSM Cluster wizard.

<SuffixName> A suffix to be added to cluster and member Profile names. GUI location: New SmartLSM Cluster wizard.

<SubstitutedNamePart> A part of the Profile name to be replaced by the suffix in the previous field. GUI location: none; the SmartProvisioning GUI supports adding a Prefix and/or Suffix, not substitution.

<CaName> The name of the Trusted CA object, defined in SmartConsole, to which a VPN certificate request is sent. GUI location: double-click the SmartLSM cluster object > Edit window > VPN tab.

<KeyIdentifier#> Number to identify the specific certificate, once generated. GUI location: double-click the SmartLSM cluster object > Edit window > VPN tab.

<AuthorizationCode> Authorization Key to be sent to the CA to enable certificate retrieval. GUI location: double-click the SmartLSM cluster object > Edit window > VPN tab.

LSMcli ModifyROBO VPN1Cluster

Description
You can change a SmartLSM cluster main IP address.
You can resolve a dynamic object for a SmartLSM cluster.

Syntax for changing the Main IP Address

You can change a SmartLSM cluster main IP address in the SmartProvisioning GUI (double-click the SmartLSM cluster object > Edit window > Cluster tab), or with this command:

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBO VPN1Cluster <ROBOClusterName> -I=<MainIPAddress>

Syntax for resolving a Dynamic Object

You can resolve a dynamic object for a SmartLSM cluster in the SmartProvisioning GUI (double-click the SmartLSM cluster object > Edit window > Dynamic Objects tab), or with this command:

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBO VPN1Cluster <ROBOClusterName> -D:<DO Name>={<IP> | <IP1-IP2>}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<ROBOClusterName> Name of the SmartLSM Cluster.

<Profile> Name of cluster Profile to which to map the new cluster.

<MainIPAddress> Main IP address of cluster.

<DO Name> Name of the Dynamic Object.

<IP> Single IP address.

<IP1-IP2> Range of IP addresses.
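Input validation for the two syntax forms above, as an added Python example that is not Check Point code: it checks the main IP address and the -D:<DO Name> value (a single address or an IP1-IP2 range) before the command lines are built, so a malformed or reversed range is caught locally rather than sent to the Management Server. The LSMcli binary, the credentials, and the cluster and Dynamic Object names are assumptions.

```python
"""Validate inputs for "LSMcli ModifyROBO VPN1Cluster" before they reach the CLI.

Added example, not Check Point code. It builds one command line per change,
following the two syntax forms in this guide (-I=<MainIPAddress> and
-D:<DO Name>={<IP> | <IP1-IP2>}); server, credentials and names are constructed.
"""
import ipaddress
from typing import Dict, List, Optional


def dynamic_object_arg(do_name: str, value: str) -> str:
    """Return "-D:<DO Name>=<IP>" or "-D:<DO Name>=<IP1-IP2>" after validating both parts."""
    # The name is embedded between ":" and "=", so it must not contain those or whitespace.
    if not do_name or any(ch in do_name for ch in "=:\t "):
        raise ValueError(f"invalid Dynamic Object name: {do_name!r}")
    parts = value.split("-")
    if len(parts) == 1:
        ipaddress.IPv4Address(parts[0])  # raises ValueError on anything that is not an IPv4 address
    elif len(parts) == 2:
        low, high = (ipaddress.IPv4Address(p) for p in parts)
        if low > high:
            raise ValueError(f"range start {low} is above range end {high}")
    else:
        raise ValueError(f"expected <IP> or <IP1-IP2>, got {value!r}")
    return f"-D:{do_name}={value}"


def modify_cluster_commands(mgmt_server: str, username: str, password: str, cluster: str,
                            main_ip: Optional[str] = None,
                            dynamic_objects: Optional[Dict[str, str]] = None) -> List[List[str]]:
    """Build the LSMcli command lines for a cluster change: the main IP first (if given),
    then one ModifyROBO VPN1Cluster command per Dynamic Object, in dictionary order."""
    base = ["LSMcli", mgmt_server, username, password, "ModifyROBO", "VPN1Cluster", cluster]
    commands: List[List[str]] = []
    if main_ip is not None:
        ipaddress.IPv4Address(main_ip)  # reject anything that is not a plain IPv4 address
        commands.append(base + [f"-I={main_ip}"])
    for name, value in (dynamic_objects or {}).items():
        commands.append(base + [dynamic_object_arg(name, value)])
    return commands


if __name__ == "__main__":
    # Constructed sample: change the main IP and resolve one Dynamic Object to a range.
    for cmd in modify_cluster_commands("mySrvr", "name", "pass", "MyCluster",
                                       main_ip="192.0.2.1",
                                       dynamic_objects={"Branch_LAN": "192.0.2.1-192.0.2.254"}):
        print(" ".join(cmd))
```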

LSMcli ModifyROBOTopology VPN1Cluster

Description
You can set the VPN domain of a SmartLSM cluster in the SmartProvisioning GUI (double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Note - When the VPN domain is set to Manual, the IP address ranges are those set in the SmartProvisioning GUI, or with the "LSMcli ModifyROBOManualVPNDomain" on page 852 command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBOTopology VPN1Cluster <RoboClusterName> -VPNDomain={not_defined | external_ip_only | topology | manual}

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<RoboClusterName> Name of the SmartLSM Cluster.

VPNDomain Specifies the VPN Domain topology:
- not_defined - Equivalent to the Not Defined option on the Topology tab of a SmartLSM Security Gateway in the SmartProvisioning GUI (or in the output of the "LSMcli ShowROBOTopology" on page 865 command).
- external_ip_only - Equivalent to the Only the external interface configuration in the SmartProvisioning GUI.
- topology - Equivalent to the All IP Addresses behind the Gateway based on Topology information configuration in the SmartProvisioning GUI.
- manual - Equivalent to Manually defined. The VPN domain is defined according to the configuration made with the "LSMcli ModifyROBOManualVPNDomain" on page 852 command.

LSMcli ModifyROBONetaccess VPN1Cluster

Description
For a specific SmartLSM cluster, you can override the Profile topology definitions of a cluster (virtual) interface in the SmartProvisioning GUI (double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyROBONetaccess VPN1Cluster <ClusterName> <InterfaceName> -Mode={by_profile|override} [-TopologyType={external|internal}] [-DMZAccess={true|false}] [-InternalIP={not_defined|this|specific} [-AllowedGroup=<GroupName>]] [-AntiSpoof={true|false} [-AllowedGroup=<GroupName>] [-SpoofTrack={none|log|alert}]]

Parameters

Parameter Description

<Mgmt Server> Name or IP address of the Security Management Server or Domain Management Server.

<Username> User name of standard Check Point authentication method.

<Password> Password of standard Check Point authentication method.

<ClusterName> Name of the SmartLSM cluster.

<InterfaceName> Name of the cluster (virtual) interface. If the interface's Network Objective (as defined in the Profile topology) is Sync only (and not Cluster+Sync), there is no cluster interface, only a cluster member interface. In this case, use the Network Objective (for example, 1st Sync) for this parameter.

-Mode Specifies the configuration mode:
- by_profile - Configure as defined in the cluster Profile.
- override - Configure the settings here. In this case, specify the "-TopologyType".

-TopologyType Specifies the interface topology:
- external - Leads out to the Internet.
- internal - Leads to the local network.

-DMZAccess Specifies whether this interface leads to a DMZ (true) or not (false).

-InternalIP Specifies the network behind an internal interface:
- not_defined - Network is not defined.
- this - Network is defined by the IP address and net mask of this interface.
- specific - Network is defined by the value of the "-AllowedGroup".

-AntiSpoof Specifies whether to perform Anti-Spoofing:
- true - Perform Anti-Spoofing based on interface topology. In this case, optionally use the "-AllowedGroup" and "-SpoofTrack".
- false - Do not perform Anti-Spoofing. If the interface is internal, and the IP addresses behind the interface are not defined, Anti-Spoofing is not possible.

-AllowedGroup If Anti-Spoofing is performed, specifies the Network Group object from which packets are not checked.
- If "-TopologyType=external", this parameter defines a group from which packets are not checked if Anti-Spoofing is performed.
- If "-TopologyType=internal", this parameter explicitly defines the networks behind the internal interface.

-SpoofTrack If Anti-Spoofing is performed, specifies the tracking action when spoofing is detected:
- none - No action
- log - Generate a log
- alert - Show an alert popup

LSMcli AddClusterSubnetOverride VPN1Cluster

Description
These settings in SmartLSM cluster objects get their default values from their Profiles:
- Names of cluster member interfaces
- IP addresses of cluster member interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard, or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is already a set override value and you want to change it, use only the "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 895 command.
- If the override value you want to set is not defined (except at the Profile level), because it was never defined or because it was deleted, use only this "AddClusterSubnetOverride" command.
- To cancel a value and return to the value set by the Profile, use the "LSMcli DeleteClusterSubnetOverride VPN1Cluster" on page 897 command.
- To define overrides for a private (monitored or non-monitored) interface, use one of these commands:
  - "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 899
  - "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 901
  - "LSMcli DeletePrivateSubnetOverride VPN1ClusterMember" on page 903

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddClusterSubnetOverride VPN1Cluster <ROBOClusterName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>] [-CIP=<ClusterIPAddress> -CNetMask=<ClusterNetMask>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"
- "-CIP" and "-CNetMask"

Parameters

Parameter           Description

<Mgmt Server>       Name or IP address of the Security Management Server or Domain Management Server.

<Username>          User name of standard Check Point authentication method.

<Password>          Password of standard Check Point authentication method.

<ROBOClusterName>   Name of the SmartLSM cluster.

<InterfaceName>     Name of the cluster (virtual) interface, as defined in the Profile topology.
                    Use the name of the cluster interface even if you set values for the cluster members' interfaces.
                    If the cluster interface's Network Objective (as defined in the Profile topology) is Sync only (and not Cluster+Sync), there is no cluster interface, only a cluster member interface. In this case, use the Network Objective (for example, 1st Sync) for this parameter.

-IName              New name of the interface for the cluster members.
                    The name must match the interface name defined in the operating system of the cluster members.

-MNet               New network address for the cluster members.
                    This address, together with the host parts defined in the Profile, produces the complete IP addresses.

-CIP                New IP address for the cluster (virtual) interface.

-CNetMask           Net mask for the cluster (virtual) interface.

LSMcli ModifyClusterSubnetOverride VPN1Cluster

Description
These settings in SmartLSM cluster objects get their default values from their Profiles:
- Names of cluster member interfaces
- IP addresses of cluster member interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard, or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is already a set override value and you want to change it, use only this "ModifyClusterSubnetOverride" command.
- If the override value you want to set is not defined (except at the Profile level), because it was never defined or because it was deleted, use only the "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 893 command.
- To cancel a value and return to the value set by the Profile, use the "LSMcli DeleteClusterSubnetOverride VPN1Cluster" on page 897 command.
- To define overrides for a private (monitored or non-monitored) interface, use one of these commands:
  - "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 899
  - "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 901
  - "LSMcli DeletePrivateSubnetOverride VPN1ClusterMember" on page 903

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyClusterSubnetOverride VPN1Cluster <ROBOClusterName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>] [-CIP=<ClusterIPAddress> -CNetMask=<ClusterNetMask>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"
- "-CIP" and "-CNetMask"

Parameters

Parameter           Description

<Mgmt Server>       Name or IP address of the Security Management Server or Domain Management Server.

<Username>          User name of standard Check Point authentication method.

<Password>          Password of standard Check Point authentication method.

<ROBOClusterName>   Name of the SmartLSM cluster.

<InterfaceName>     Name of the cluster (virtual) interface, as defined in the Profile topology.
                    Use the name of the cluster interface even if you set values for the cluster members' interfaces.
                    If the cluster interface's Network Objective (as defined in the Profile topology) is Sync only (and not Cluster+Sync), there is no cluster interface, only a cluster member interface. In this case, use the Network Objective (for example, 1st Sync) for this parameter.

-IName              New name of the interface for the cluster members.
                    The name must match the interface name defined in the operating system of the cluster members.

-MNet               New network address for the cluster members.
                    This address, together with the host parts defined in the Profile, produces the complete IP addresses.

-CIP                New IP address for the cluster (virtual) interface.

-CNetMask           Net mask for the cluster (virtual) interface.

LSMcli DeleteClusterSubnetOverride VPN1Cluster

Description
These settings in SmartLSM cluster objects get their default values from their Profiles:
- Names of cluster member interfaces
- IP addresses of cluster member interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard, or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is already a set override value and you want to change it, use only the "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 895 command.
- If the override value you want to set is not defined (except at the Profile level), because it was never defined or because it was deleted, use only the "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 893 command.
- To cancel a value and return to the value set by the Profile, use this "DeleteClusterSubnetOverride" command.
- To define overrides for a private (monitored or non-monitored) interface, use one of these commands:
  - "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 899
  - "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 901
  - "LSMcli DeletePrivateSubnetOverride VPN1ClusterMember" on page 903

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> DeleteClusterSubnetOverride VPN1Cluster <ROBOClusterName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>] [-CIP=<ClusterIPAddress> -CNetMask=<ClusterNetMask>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"
- "-CIP" and "-CNetMask"

Parameters

Parameter           Description

<Mgmt Server>       Name or IP address of the Security Management Server or Domain Management Server.

<Username>          User name of standard Check Point authentication method.

<Password>          Password of standard Check Point authentication method.

<ROBOClusterName>   Name of the SmartLSM cluster.

<InterfaceName>     Name of the cluster (virtual) interface, as defined in the Profile topology.
                    Use the name of the cluster interface even if you set values for the cluster members' interfaces.
                    If the cluster interface's Network Objective (as defined in the Profile topology) is Sync only (and not Cluster+Sync), there is no cluster interface, only a cluster member interface. In this case, use the Network Objective (for example, 1st Sync) for this parameter.

-IName              New name of the interface for the cluster members.
                    The name must match the interface name defined in the operating system of the cluster members.

-MNet               New network address for the cluster members.
                    This address, together with the host parts defined in the Profile, produces the complete IP addresses.

-CIP                New IP address for the cluster (virtual) interface.

-CNetMask           Net mask for the cluster (virtual) interface.

LSMcli AddPrivateSubnetOverride VPN1ClusterMember

Description
These settings in SmartLSM cluster objects get their default values from their Profiles:
- Names of cluster member monitored interfaces or non-monitored interfaces
- IP addresses of cluster member monitored interfaces or non-monitored interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard, or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is already a set override value and you want to change it, use only the "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 901 command.
- If the override value you want to set is not defined (except at the Profile level), because it was never defined or because it was deleted, use only this "AddPrivateSubnetOverride" command.
- To cancel a value and return to the value set by the Profile, use the "LSMcli DeletePrivateSubnetOverride VPN1ClusterMember" on page 903 command.
- To define overrides for a cluster interface, use one of these commands:
  - "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 893
  - "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 895
  - "LSMcli DeleteClusterSubnetOverride VPN1Cluster" on page 897

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddPrivateSubnetOverride VPN1ClusterMember <ROBOMemberName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"

Parameters

Parameter           Description

<Mgmt Server>       Name or IP address of the Security Management Server or Domain Management Server.

<Username>          User name of standard Check Point authentication method.

<Password>          Password of standard Check Point authentication method.

<ROBOMemberName>    Name of the SmartLSM cluster member.

<InterfaceName>     Name of the cluster member private interface, as defined in the Profile topology.

-IName              New name of the interface for the cluster members.
                    The name must match the interface name defined in the operating system of the cluster members.

-MNet               New network address for the cluster members.
                    This address, together with the host parts defined in the Profile, produces the complete IP addresses.

LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember

Description
These settings in SmartLSM cluster objects get their default values from their Profiles:
- Names of cluster member monitored interfaces or non-monitored interfaces
- IP addresses of cluster member monitored interfaces or non-monitored interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard, or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is already a set override value and you want to change it, use only this "ModifyPrivateSubnetOverride" command.
- If the override value you want to set is not defined (except at the Profile level), because it was never defined or because it was deleted, use only the "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 899 command.
- To cancel a value and return to the value set by the Profile, use the "LSMcli DeletePrivateSubnetOverride VPN1ClusterMember" on page 903 command.
- To define overrides for a cluster interface, use one of these commands:
  - "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 893
  - "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 895
  - "LSMcli DeleteClusterSubnetOverride VPN1Cluster" on page 897

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> ModifyPrivateSubnetOverride VPN1ClusterMember <ROBOMemberName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"

Parameters

Parameter           Description

<Mgmt Server>       Name or IP address of the Security Management Server or Domain Management Server.

<Username>          User name of standard Check Point authentication method.

<Password>          Password of standard Check Point authentication method.

<ROBOMemberName>    Name of the SmartLSM cluster member.

<InterfaceName>     Name of the cluster member private interface, as defined in the Profile topology.

-IName              New name of the interface for the cluster members.
                    The name must match the interface name defined in the operating system of the cluster members.

-MNet               New network address for the cluster members.
                    This address, together with the host parts defined in the Profile, produces the complete IP addresses.

LSMcli DeletePrivateSubnetOverride VPN1ClusterMember

Description
These settings in SmartLSM cluster objects get their default values from their Profiles:
- Names of cluster member monitored interfaces or non-monitored interfaces
- IP addresses of cluster member monitored interfaces or non-monitored interfaces
These default values can (and in the case of IP addresses, usually must) be overridden for the individual SmartLSM cluster.
You can edit the interface properties in the SmartProvisioning GUI (in the New SmartLSM Cluster wizard, or double-click the SmartLSM cluster object > Edit window > Topology tab), or with this command.

Notes:
- If there is already a set override value and you want to change it, use only the "LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember" on page 901 command.
- If the override value you want to set is not defined (except at the Profile level), because it was never defined or because it was deleted, use only the "LSMcli AddPrivateSubnetOverride VPN1ClusterMember" on page 899 command.
- To cancel a value and return to the value set by the Profile, use this "DeletePrivateSubnetOverride" command.
- To define overrides for a cluster interface, use one of these commands:
  - "LSMcli AddClusterSubnetOverride VPN1Cluster" on page 893
  - "LSMcli ModifyClusterSubnetOverride VPN1Cluster" on page 895
  - "LSMcli DeleteClusterSubnetOverride VPN1Cluster" on page 897

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> DeletePrivateSubnetOverride VPN1ClusterMember <ROBOMemberName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]

You must define at least one of these parameters:
- "-IName"
- "-MNet"

Parameters

Parameter           Description

<Mgmt Server>       Name or IP address of the Security Management Server or Domain Management Server.

<Username>          User name of standard Check Point authentication method.

<Password>          Password of standard Check Point authentication method.

<ROBOMemberName>    Name of the SmartLSM cluster member.

<InterfaceName>     Name of the cluster member private interface, as defined in the Profile topology.

-IName              New name of the interface for the cluster members.
                    The name must match the interface name defined in the operating system of the cluster members.

-MNet               New network address for the cluster members.
                    This address, together with the host parts defined in the Profile, produces the complete IP addresses.

LSMcli RemoveCluster

Description
This command:
1. Revokes all the certificates used by the SmartLSM cluster and its members.
2. Releases all the licenses.
3. Deletes the SmartLSM cluster and member objects.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> RemoveCluster <ROBOClusterName>

Parameters

Parameter           Description

<Mgmt Server>       Name or IP address of the Security Management Server or Domain Management Server.

<Username>          User name of standard Check Point authentication method.

<Password>          Password of standard Check Point authentication method.

<ROBOClusterName>   Name of the SmartLSM Cluster.

Using LSMcli Commands for Small Office Appliances
This section describes LSMcli commands for managing Small Office Appliances and Small Office Appliance Clusters.

LSMcli AddROBO <Appliance_Model>

Description
This command adds a Small Office Appliance Security Gateway.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBO <Appliance_Model> <ROBOName> <Profile> [-O=<ActivationKey> [-I=<IP>]] [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]

Parameters

Parameter                  Description

<Mgmt Server>              Name or IP address of the Security Management Server or Domain Management Server.

<Username>                 User name of standard Check Point authentication method.

<Password>                 Password of standard Check Point authentication method.

<Appliance_Model>          Model of the appliance:
                           - For 1100 appliances, enter: CPSG80
                           - For 1200R appliances, enter: 1200R
                           - For 1430 or 1450 appliances, enter: 1430/1450
                           - For 1470 or 1490 appliances, enter: 1470/1490
                           - For 1530 or 1550 appliances, enter: 1530/1550
                           - For 1570 or 1590 appliances, enter: 1570/1590

<ROBOName>                 Name of the SmartLSM Security Gateway.

<Profile>                  Name of a SmartLSM Security Profile that was defined in SmartConsole.

<ActivationKey>            SIC one-time password (for this action, a certificate is generated).

<IP>                       IP address of the gateway (for this action, the certificate is pushed to the gateway).

<CaName>                   Name of the Trusted CA object (created in SmartConsole). The IKE certificate request is sent to this CA. The default is the Check Point Internal CA.

<CertificateIdentifier#>   Key identifier for a third-party CA.

<AuthorizationKey>         Authorization Key for a third-party CA.

Examples
- To add a 1100 appliance Security Gateway:

  LSMcli 192.168.3.26 aa aaaa AddROBO CPSG80 Paris_GW small_office_profile

- To add a 1470/1490 appliance Security Gateway:

  LSMcli 192.168.3.26 aa aaaa AddROBO 1470/1490 Paris_GW small_office_profile

LSMcli AddROBO <Appliance_Model>Cluster

Description
This command adds a Small Office Appliance Cluster.

Syntax

LSMcli [-d] <Mgmt Server> <Username> <Password> AddROBO <Appliance_Model>Cluster <Profile> <MainIPAddress> <SuffixName> [-S=<SubstitutedNamePart>] [-CA=<CaName> [-R=<KeyIdentifier#>] [-KEY=<AuthorizationCode>]]

Parameters

Parameter                  Description

<Mgmt Server>              Name or IP address of the Security Management Server or Domain Management Server.

<Username>                 User name of standard Check Point authentication method.

<Password>                 Password of standard Check Point authentication method.

<Appliance_Model>Cluster   Model of the appliance:
                           - For 1100 appliances, enter: CPSG80Cluster
                           - For 1200R appliances, enter: 1200RCluster
                           - For 1430 or 1450 appliances, enter: 1430/1450Cluster
                           - For 1470 or 1490 appliances, enter: 1470/1490Cluster
                           - For 1530 or 1550 appliances, enter: 1530/1550Cluster
                           - For 1570 or 1590 appliances, enter: 1570/1590Cluster

<Profile>                  Name of the cluster Profile to which to map the new cluster.

<MainIPAddress>            Main IP address of the cluster.

<SuffixName>               A suffix to be added to the cluster and member Profile names.

<SubstitutedNamePart>      A part of the Profile name to be replaced by the suffix in the previous field.

<CaName>                   The name of the Trusted CA object, defined in SmartConsole, to which a VPN certificate request is sent.

<KeyIdentifier#>           Number to identify the specific certificate, once generated.

<AuthorizationCode>        Authorization Key to be sent to the CA to enable certificate retrieval.

Example
To add a 1450 cluster:

LSMcli 192.168.3.26 aa aaaa AddROBO 1430/1450Cluster cluster_profile 1.1.1.1 Paris

Other LSMcli Commands for Small Office Appliances


- For all other commands on Small Office Appliance Gateways, replace "VPN1" with "CPSG80", for all appliance types.
  For example, to change the profile (see "LSMcli ModifyROBO VPN1" on page 850):
  - For a 1100 Security Gateway:

    LSMcli 192.168.3.26 aa aaaa ModifyROBO CPSG80 Paris_GW -P=second_small_office_profile

  - For a 1200R Security Gateway:

    LSMcli 192.168.3.26 aa aaaa ModifyROBO CPSG80 Paris_GW -P=second_small_office_profile

- For all other commands on Small Office Appliance clusters, replace "VPN1Cluster" with "CPSG80Cluster", for all appliance types (for example, in "LSMcli ModifyROBO VPN1Cluster" on page 889).

Security Gateway Commands


For more information about the Security Gateway, see these guides:
- R80.40 Security Management Administration Guide
- R80.40 Quantum Security Gateway Guide

comp_init_policy
Description
Generates, loads, or removes the Initial Policy on a Security Gateway or a Cluster Member.
Until the Security Gateway or cluster administrator installs the user-defined Security Policy on the Security Gateway or Cluster Members for the first time, security is enforced by an Initial Policy.
The Initial Policy operates by adding Check Point "implied rules" to the Default Filter to allow internal Check Point communication between the Management Server and the Security Gateway / Cluster Member.

The Initial Policy also protects a Security Gateway or Cluster Members in these cases:
- During Check Point product upgrades.
- When a SIC certificate is reset on the Security Gateway or Cluster Member.
- When the Check Point product license expires.
The Security Gateway enforces the Initial Policy until an administrator installs a user-defined policy. In subsequent boots, the Security Gateway loads the user-defined policy immediately after the Default Filter.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Notes:
- You must run this command from the Expert mode.
- The Initial Policy overwrites the user-defined policy.
- Output of the "cpstat -f policy fw" command (see "cpstat" on page 958) shows the name of this policy as "InitialPolicy".
- A Security Gateway or Cluster Member stores the installed Access Control Policy in these directories:
  - $FWDIR/state/__tmp/FW1/
  - $FWDIR/state/local/FW1/
  - $FWDIR/state/<Name of Cluster Object>/FW1/
- Refer to these related commands:
  - "control_bootsec" on page 917
  - "fwboot bootconf" on page 1172
  - "fw defaultgen" on page 1046
  - "fwboot default" on page 1185

Syntax

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-u | -U]

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-g | -G]

Parameters

Parameter       Description

No parameters   The command runs with the last used parameter.

-u or -U        Performs these steps:
                1. Adds the attribute ":InitialPolicySafe (true)" to the section ": (FW1" in the Check Point Registry file ($CPDIR/registry/HKLM_registry.data).
                2. Removes the "InitialPolicy" policy files from the $FWDIR/state/local/FW1/ directory.

-g or -G        Performs these steps:
                1. Removes the attribute ":InitialPolicySafe (true)" from the section ": (FW1" in the Check Point Registry file ($CPDIR/registry/HKLM_registry.data).
                2. Generates the "InitialPolicy" in the $FWDIR/state/local/FW1/ directory.
                Use this parameter if there is no Initial Policy generated yet. If an Initial Policy was already generated, make sure that after you remove the Initial Policy, you delete the $FWDIR/state/local/FW1/ directory on the Security Gateway or Cluster Member.
                This parameter generates the Initial Policy and ensures that the Security Gateway loads it the next time it fetches a policy (at "cpstart", at the next boot, or with the "fw fetch localhost" command).
                The "comp_init_policy -g" command only takes effect if there is currently no policy installed on the Security Gateway or Cluster Member. If a policy is installed, the original policy is still loaded after each of these command sequences:
                - comp_init_policy -g, then fw fetch localhost
                - comp_init_policy -g, then cpstart
                - comp_init_policy -g, then reboot

Example

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.40/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 7744
-rw-r--r-- 1 admin root 20166 Jun 13 16:34 install_policy_report.txt
-rw-r--r-- 1 admin root 55 Jun 13 16:34 install_policy_report_timing.txt
-rw-r--r-- 1 admin root 37355 Jun 13 16:34 local.Sandbox-persistence.xml
... output was cut for brevity ...
-rw-r--r-- 1 admin root 2278 Jun 13 16:34 local.vsx_cluster_netobj
-rw-r--r-- 1 admin root 5172 Jun 13 16:34 local.{939922F7-DF98-4988-B776-B70B9B8340F3}
-rw-r--r-- 1 admin root 10328 Jun 13 16:34 local.{B9D14722-3936-4B33-814B-F87EA4062BEB}
-rw-r----- 1 admin root 14743 Jun 13 16:34 manifest.C
-rw-r--r-- 1 admin root 7381 Jun 13 16:34 policy.info
-rw-r--r-- 1 admin root 2736 Jun 13 16:34 policy.map
-rw-r--r-- 1 admin root 51 Jun 13 16:34 sig.map
[Expert@GW:0]#

[Expert@GW:0]# comp_init_policy -u
erasing local state..
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#

[Expert@GW:0]# comp_init_policy -g
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root 8 Jul 19 19:51 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 19:51 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 19:51 local.fc6
-rw-rw---- 1 admin root 235 Jul 19 19:51 local.ft
-rw-rw---- 1 admin root 317 Jul 19 19:51 local.ft6
-rw-rw---- 1 admin root 135 Jul 19 19:51 local.fwrl.conf
-rw-rw---- 1 admin root 14 Jul 19 19:51 local.ifs
-rw-rw---- 1 admin root 833 Jul 19 19:51 local.inspect.lf
-rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg
-rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg6
-rw-rw---- 1 admin root 0 Jul 19 19:51 local.magic
-rw-rw---- 1 admin root 3 Jul 19 19:51 local.set
-rw-rw---- 1 admin root 51 Jul 19 19:51 sig.map
[Expert@GW:0]#

Unloading the user-defined policy
If the installed Access Control Policy prevents administrator access to the Security Gateway or drops traffic incorrectly, you need to uninstall the current user-defined policy and install the corrected policy from the Management Server.
Follow these steps to keep your Security Gateway and your networks protected while you uninstall the user-defined policy:
1. Connect to the problematic Security Gateway / each Cluster Member through the console port.

   Warning - If you connect over SSH, the "Initial Policy" blocks your connection.

2. Log in to the Expert mode.
3. Back up the current user-defined policy files:

   cd $FWDIR/state/local/
   tar cvf /var/log/FW1_Policy_Bkp.tar FW1

4. Remove the current user-defined policy files:

   rm $FWDIR/state/local/FW1/*

5. Generate the default Check Point policy called "InitialPolicy":

   comp_init_policy

6. Load the "Initial Policy":

   fw fetch local

7. Make sure the "Initial Policy" is loaded:

   cpstat -f policy fw | head -n 3

8. In SmartConsole, make the required changes and install the Access Control policy on the Security Gateway / Cluster.

control_bootsec
Description
Controls the boot security: the loading of both the Default Filter policy (defaultfilter) and the Initial Policy (InitialPolicy) during boot on a Security Gateway or a Cluster Member.

Warning - If you disable the boot security, you leave your Security Gateway or Cluster Member without any protection during the boot. Before you disable the boot security, we recommend that you disconnect the Security Gateway or Cluster Member from the network completely.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Notes:
- You must run this command from the Expert mode.
- The changes made with this command survive reboot.
- Refer to these related commands:
  - "comp_init_policy" on page 913
  - "fwboot bootconf" on page 1172
  - "fw defaultgen" on page 1046
  - "fwboot default" on page 1185

Syntax

[Expert@GW:0]# $FWDIR/bin/control_bootsec [-g | -G]

[Expert@GW:0]# $FWDIR/bin/control_bootsec {-r | -R}

Parameters

Parameter              Description

No parameter,          Enables the boot security:
-g or -G               1. Executes the "$FWDIR/boot/fwboot bootconf set_def $FWDIR/boot/default.bin" command, which updates the path to the Default Filter policy in the $FWDIR/boot/boot.conf file to point to the correct policy file (DEFAULT_FILTER_PATH /etc/fw.boot/default.bin).
                       2. Executes the "$FWDIR/bin/comp_init_policy -g" command, which:
                          a. Removes the attribute ":InitialPolicySafe (true)" from the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file).
                          b. Generates the Initial Policy files in the $FWDIR/state/local/FW1/ directory.

-r or -R               Disables the boot security:
                       1. Executes the "$FWDIR/boot/fwboot bootconf set_def" command, which updates the path to the Default Filter policy in the $FWDIR/boot/boot.conf file to point nowhere (DEFAULT_FILTER_PATH 0).
                       2. Executes the "$FWDIR/bin/comp_init_policy -u" command, which:
                          a. Adds the attribute ":InitialPolicySafe (true)" to the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file).
                          b. Deletes all files in the $FWDIR/state/local/FW1/ directory.

Example 1 - Disabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.40/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 7736
-rw-rw---- 1 admin root 11085 Jul 19 20:16 install_policy_report.txt
-rw-rw---- 1 admin root 56 Jul 19 20:16 install_policy_report_timing.txt
-rw-rw---- 1 admin root 37355 Jul 19 20:16 local.Sandbox-persistence.xml
-rw-rw---- 1 admin root 3 Jul 19 20:16 local.ad_query_profiles
... ... ...
-rw-r----- 1 admin root 14743 Jul 19 20:16 manifest.C
-rw-rw---- 1 admin root 7381 Jul 19 20:16 policy.info
-rw-rw---- 1 admin root 2736 Jul 19 20:16 policy.map
-rw-rw---- 1 admin root 51 Jul 19 20:16 sig.map
[Expert@GW:0]#

[Expert@GW:0]# $FWDIR/bin/control_bootsec -r
Disabling boot security
FW-1 will not load a default filter on boot
[Expert@GW:0]#

[Expert@GW:0]# cat $FWDIR/boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@GW:0]#

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data
:InitialPolicySafe (true)
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#

Example 2 - Enabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.40/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# control_bootsec -g
Enabling boot security
[Expert@GW:0]#

[Expert@GW:0]# cat $FWDIR/boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH /opt/CPsuite-R80.40/fw1/boot/default.bin
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@GW:0]#

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root 8 Jul 19 20:22 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 20:22 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 20:22 local.fc6
-rw-rw---- 1 admin root 235 Jul 19 20:22 local.ft
-rw-rw---- 1 admin root 317 Jul 19 20:22 local.ft6
-rw-rw---- 1 admin root 135 Jul 19 20:22 local.fwrl.conf
-rw-rw---- 1 admin root 14 Jul 19 20:22 local.ifs
-rw-rw---- 1 admin root 833 Jul 19 20:22 local.inspect.lf
-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg
-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg6
-rw-rw---- 1 admin root 0 Jul 19 20:22 local.magic
-rw-rw---- 1 admin root 3 Jul 19 20:22 local.set
-rw-rw---- 1 admin root 51 Jul 19 20:22 sig.map
[Expert@GW:0]#
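The two examples above show the state that control_bootsec leaves behind in $FWDIR/boot/boot.conf (DEFAULT_FILTER_PATH) and in $CPDIR/registry/HKLM_registry.data (the ":InitialPolicySafe (true)" attribute). The shell check below is an added example, not Check Point's code: it reads both files and reports whether boot security is enabled, disabled, or half-applied (only one of the two steps in effect). The function name bootsec_state and its exit codes are this example's own convention, and the files created at the end are constructed samples, not real gateway files.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: report whether boot
# security is enabled on a Security Gateway by reading the two files that
# control_bootsec modifies. Function name and exit codes are our convention.
#
# Usage: bootsec_state [boot.conf] [HKLM_registry.data]
# Exit status: 0 enabled, 1 disabled, 2 cannot read input, 3 inconsistent.

bootsec_state() {
    bootconf="${1:-$FWDIR/boot/boot.conf}"
    registry="${2:-$CPDIR/registry/HKLM_registry.data}"

    [ -r "$bootconf" ] || { echo "unknown: cannot read $bootconf" >&2; return 2; }
    [ -r "$registry" ] || { echo "unknown: cannot read $registry" >&2; return 2; }

    # control_bootsec -g points DEFAULT_FILTER_PATH at default.bin;
    # control_bootsec -r sets it to 0 (no Default Filter loaded at boot).
    dfp=$(awk '$1 == "DEFAULT_FILTER_PATH" { print $2; exit }' "$bootconf")

    # comp_init_policy -u adds ":InitialPolicySafe (true)" to the registry;
    # comp_init_policy -g removes it again.
    if grep -qF ':InitialPolicySafe (true)' "$registry"; then
        safe=1
    else
        safe=0
    fi

    case "$dfp" in
        0|"") filter_off=1 ;;
        *)    filter_off=0 ;;
    esac

    if [ "$filter_off" -eq 0 ] && [ "$safe" -eq 0 ]; then
        echo "enabled: Default Filter $dfp, Initial Policy will load at boot"
        return 0
    elif [ "$filter_off" -eq 1 ] && [ "$safe" -eq 1 ]; then
        echo "disabled: no Default Filter, Initial Policy bypassed at boot"
        return 1
    fi
    # Only one of the two steps is in effect (for example an interrupted run);
    # treat this as a finding and show both raw values.
    echo "inconsistent: DEFAULT_FILTER_PATH=${dfp:-unset} InitialPolicySafe=$safe"
    return 3
}

# --- Constructed demo input (not real gateway files) ---
demo=$(mktemp -d)
printf 'CTL_IPFORWARDING 1\nDEFAULT_FILTER_PATH 0\nKERN_INSTANCE_NUM 3\n' > "$demo/boot.conf"
printf '\t: (FW1\n\t\t:InitialPolicySafe (true)\n' > "$demo/HKLM_registry.data"
status=0
bootsec_state "$demo/boot.conf" "$demo/HKLM_registry.data" || status=$?
echo "exit status: $status"    # disabled, exit status 1
rm -rf "$demo"
```

Run it without arguments in the Expert mode to check the live files; a non-zero exit status on a gateway that should be protected is the condition to alert on.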

cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
-h
admin <options>
auto <options>
ca <options>
client <options>
finger <options>
lic <options>
snmp <options>

Syntax on a Security Gateway

cp_conf
-h
adv_routing <options>
auto <options>
corexl <options>
fullha <options>
ha <options>
intfs <options>
lic <options>
sic <options>
snmp <options>

Parameters

Parameter Description

-h
    Shows the entire built-in usage.

admin <options>
    Configures Check Point system administrators for the Security Management Server.
    See "cp_conf admin" on page 58.

adv_routing <options>
    Enables or disables the Advanced Routing feature on this Security Gateway.
    Important - Do not use these outdated commands. To configure Advanced Routing, see the R80.40 Gaia Advanced Routing Administration Guide.

auto <options>
    Shows and configures the automatic start of Check Point products during boot.
    See "cp_conf auto" on page 61.

ca <options>
    - Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).
    - Initializes the Internal Certificate Authority (ICA).
    See "cp_conf ca" on page 63.

client <options>
    Configures the GUI clients that can use SmartConsole to connect to the Security Management Server.
    See "cp_conf client" on page 65.

corexl <options>
    Enables or disables CoreXL on this Security Gateway.
    See "cp_conf corexl" on page 926.

finger <options>
    Shows the ICA's Fingerprint.
    See "cp_conf finger" on page 69.

fullha <options>
    Manages the Full High Availability Cluster.
    See "cp_conf fullha" on page 928.

ha <options>
    Enables or disables cluster membership on this Security Gateway.
    See "cp_conf ha" on page 929.

intfs <options>
    Sets the topology of interfaces on a Security Gateway, which you manage with SmartProvisioning.
    See "cp_conf intfs" on page 930.

lic <options>
    Manages Check Point licenses.
    See "cp_conf lic" on page 71.

sic <options>
    Manages SIC on this Security Gateway.
    See "cp_conf sic" on page 934.

snmp <options>
    Do not use these outdated commands.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System Management - Section SNMP.

cp_conf auto

Description
Shows and controls which of the Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 124 menu.
Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain
Server in the "mdsconfig" on page 717 menu.

Syntax

cp_conf auto
-h
{enable | disable} <Product1> <Product2> ...
get all

Parameters

Parameter Description

-h
    Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ...
    Controls whether the installed Check Point products start automatically during boot.
    This command is for Check Point use only.

get all
    Shows which of these Check Point products start automatically during boot:
    - Check Point Security Gateway
    - QoS (former FloodGate-1)
    - SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all


Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#

Example from a Security Gateway

[Expert@GW:0]# cp_conf auto get all


The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed.

[Expert@GW:0]#

cp_conf corexl

Description
Enables or disables CoreXL.
For more information, see the R80.40 Performance Tuning Administration Guide.

Important:
- This command is for Check Point use only. To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on page 936 menu.
- After all changes in the CoreXL configuration on the Security Gateway, you must reboot it.
- In a Cluster, you must configure all the Cluster Members in the same way.

Syntax
- To enable CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall instances:

  cp_conf corexl [-v] enable [n] [-6 k]

- To disable CoreXL:

  cp_conf corexl [-v] disable

The related command is "fwboot corexl" on page 1176.

Parameters

Parameter Description

-v Leaves the high memory (vmalloc) unchanged.

n Denotes the number of IPv4 CoreXL Firewall instances.

k Denotes the number of IPv6 CoreXL Firewall instances.

Example
Currently, the Security Gateway runs two IPv4 CoreXL Firewall instances (KERN_INSTANCE_
NUM = 2).
We change the number of IPv4 CoreXL Firewall instances to three.

[Expert@MyGW:0]# fw ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 2
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# cp_conf corexl -v enable 3
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# reboot
.. ... ...
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10
[Expert@MyGW:0]#
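Between the "cp_conf corexl" run and the reboot in the example above, boot.conf already says KERN_INSTANCE_NUM 3 while "fw ctl multik stat" still lists two instances. The script below is an added check, not Check Point's code: it compares the two and reports a pending reboot. The function name corexl_pending_reboot and its exit codes are this example's convention, and the sample output at the end is constructed from the example above rather than captured from a gateway.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: detect a CoreXL change
# that is configured in boot.conf but not yet running (reboot still pending).
# Function name and exit codes are our convention.
#
# Usage: corexl_pending_reboot <boot.conf> < output of "fw ctl multik stat"
# Exit status: 0 in sync, 1 reboot pending, 2 KERN_INSTANCE_NUM missing.

corexl_pending_reboot() {
    bootconf="$1"
    # Instance count that takes effect at the next boot.
    configured=$(awk '$1 == "KERN_INSTANCE_NUM" { print $2; exit }' "$bootconf")
    # Instances running now: table rows whose ID column is numeric and whose
    # Active column reads Yes. The header and the dashed separator do not match.
    running=$(awk -F'|' '$1 ~ /^ *[0-9]+ *$/ && $2 ~ /Yes/ { n++ }
                         END { print n + 0 }')
    if [ -z "$configured" ]; then
        echo "KERN_INSTANCE_NUM not found in $bootconf"
        return 2
    fi
    if [ "$configured" -eq "$running" ]; then
        echo "in sync: $running IPv4 instances running, $configured configured"
        return 0
    fi
    echo "reboot pending: $running IPv4 instances running, $configured configured in boot.conf"
    return 1
}

# --- Constructed demo input, modelled on the example above ---
multik_out='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11'
demo=$(mktemp -d)
printf 'CTL_IPFORWARDING 1\nKERN_INSTANCE_NUM 3\nCOREXL_INSTALLED 1\n' > "$demo/boot.conf"
status=0
printf '%s\n' "$multik_out" | corexl_pending_reboot "$demo/boot.conf" || status=$?
echo "exit status: $status"    # reboot pending, exit status 1
rm -rf "$demo"
```

On a live gateway the call is `fw ctl multik stat | corexl_pending_reboot /etc/fw.boot/boot.conf`; run it on every Cluster Member, since the members must end up configured the same way.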

cp_conf fullha

Description
Manages the state of the Full High Availability Cluster:
- Enables the Full High Availability Cluster
- Disables the Full High Availability Cluster
- Deletes the Full High Availability peer
- Shows the Full High Availability state

Important - To configure a Full High Availability cluster, follow the R80.40 Installation
and Upgrade Guide.

Syntax

cp_conf fullha
enable
del_peer
disable
state

Parameters

Parameter Description

enable Enables the Full High Availability on this computer.

del_peer Deletes the Full High Availability peer from the configuration.

disable Disables the Full High Availability on this computer.

state Shows the Full High Availability state on this computer.

Example

[Expert@Cluster_Member:0]# cp_conf fullha state


FullHA is currently enabled
[Expert@Cluster_Member:0]#

cp_conf ha

Description
Enables or disables cluster membership on this Security Gateway.

Important - This command is for Check Point use only. To configure cluster
membership, you must use the "cpconfig" on page 936 command.
For more information, see the R80.40 ClusterXL Administration Guide.

Syntax

cp_conf ha {enable | disable} [norestart]

Parameters

Parameter Description

enable
    Enables cluster membership on this Security Gateway.
    This command is equivalent to the option Enable cluster membership for this gateway in the "cpconfig" on page 936 menu.

disable
    Disables cluster membership on this Security Gateway.
    This command is equivalent to the option Disable cluster membership for this gateway in the "cpconfig" on page 936 menu.

norestart
    Optional: Applies the configuration change without restarting Check Point services. The new configuration takes effect only after reboot.

Example 1 - Enable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha enable norestart

Cluster membership for this gateway was enabled successfully


Important: This change will take effect after reboot.

[Expert@MyGW:0]#

Example 2 - Disable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha disable norestart


cpwd_admin:
Process CPHAMCSET process has been already terminated

Cluster membership for this gateway was disabled successfully


Important: This change will take effect after reboot.

[Expert@MyGW:0]#

cp_conf intfs

Description
Sets the topology of interfaces on a Security Gateway, which you manage with
SmartProvisioning.
For more information, see the R80.40 SmartProvisioning Administration Guide.

Syntax

cp_conf intfs
get
set
auxiliary <Name of Interface>
DMZ <Name of Interface>
external <Name of Interface>
internal <Name of Interface>

Parameters

Parameter Description

get
    Shows the list of configured interfaces.

set
    Configures the topology of the specified interface:
    - auxiliary
    - DMZ
    - external
    - internal

cp_conf lic

Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 124 menu.
Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf lic
-h
add -f <Full Path to License File>
add -m <Host> <Date> <Signature Key> <SKU/Features>
del <Signature Key>
get [-x]

Parameters

Parameter Description

-h
    Shows the applicable built-in usage.

add -f <Full Path to License File>
    Adds a license from the specified Check Point license file.
    You get this license file in the Check Point User Center.
    This is the same command as "cplic db_add" on page 135.

add -m <Host> <Date> <Signature Key> <SKU/Features>
    Adds the license manually.
    You get these license details in the Check Point User Center.
    This is the same command as "cplic db_add" on page 135.

del <Signature Key>
    Deletes the license based on its signature.
    This is the same command as "cplic del" on page 140.

get [-x]
    Shows the locally installed licenses.
    If you specify the "-x" parameter, the output also shows the signature key for every installed license.
    This is the same command as "cplic print" on page 144.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic


License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@MyHostName:0]#

cp_conf sic

Description
Manages SIC on the Security Gateway.
For additional information, see sk65764: How to reset SIC.

Note - This command corresponds to the option Secure Internal Communication in
the "cpconfig" on page 936 menu.

Syntax

cp_conf
    -h
    sic
        cert_pull <Management Server> <DAIP GW object>
        init <Activation Key> [norestart]
        state

Parameters

Parameter Description

-h
    Shows the built-in usage.

cert_pull <Management Server> <DAIP GW object>
    For DAIP Security Gateways, pulls a SIC certificate from the specified Management Server for the specified DAIP Security Gateway:
    - <Management Server> - IPv4 address or HostName of the Security Management Server or Domain Management Server
    - <DAIP GW object> - Name of the DAIP Security Gateway object as configured in SmartConsole

init <Activation Key> [norestart]
    Resets the one-time SIC activation key.
    The optional parameter "norestart" specifies not to restart Check Point services.

state
    Shows the current state of the SIC Trust.

Example

[Expert@MyGW:0]# cp_conf sic state

Trust State: Trust established

[Expert@MyGW:0]#

cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool configures specific settings for the installed Check Point products.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax

cpconfig

Menu Options

Note - The options shown depend on the configuration and installed products.

Menu Option Description

Licenses and contracts
    Manages Check Point licenses and contracts on this Security Gateway or Cluster Member.

SNMP Extension
    Obsolete. Do not use this option anymore.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System Management - Section SNMP.

PKCS#11 Token
    Registers a cryptographic token for use by the Gaia Operating System.
    Shows details of the token and tests its functionality.

Random Pool
    Configures the RSA keys to be used by the Gaia Operating System.

Secure Internal Communication
    Manages SIC on the Security Gateway or Cluster Member.
    This change requires a restart of Check Point services on the Security Gateway or Cluster Member.
    For more information, see:
    - The R80.40 Security Management Administration Guide.
    - sk65764: How to reset SIC.

Enable cluster membership for this gateway
    Enables the cluster membership on the Security Gateway.
    This change requires a reboot of the Security Gateway.
    For more information, see the:
    - R80.40 Installation and Upgrade Guide.
    - R80.40 ClusterXL Administration Guide.

Disable cluster membership for this gateway
    Disables the cluster membership on the Security Gateway.
    This change requires a reboot of the Security Gateway.
    For more information, see the:
    - R80.40 Installation and Upgrade Guide.
    - R80.40 ClusterXL Administration Guide.

Enable Check Point Per Virtual System State
    Enables Virtual System Load Sharing on the VSX Cluster Member.
    For more information, see the R80.40 VSX Administration Guide.

Disable Check Point Per Virtual System State
    Disables Virtual System Load Sharing on the VSX Cluster Member.
    For more information, see the R80.40 VSX Administration Guide.

Enable Check Point ClusterXL for Bridge Active/Standby
    Enables Check Point ClusterXL for Bridge mode.
    This change requires a reboot of the Cluster Member.
    For more information, see the:
    - R80.40 Installation and Upgrade Guide.
    - R80.40 ClusterXL Administration Guide.

Disable Check Point ClusterXL for Bridge Active/Standby
    Disables Check Point ClusterXL for Bridge mode.
    This change requires a reboot of the Cluster Member.
    For more information, see the:
    - R80.40 Installation and Upgrade Guide.
    - R80.40 ClusterXL Administration Guide.

Check Point CoreXL
    Manages CoreXL on the Security Gateway or Cluster Member.
    After all changes in the CoreXL configuration, you must reboot the Security Gateway or Cluster Member.
    For more information, see the R80.40 Performance Tuning Administration Guide.

Automatic start of Check Point Products
    Shows and controls which of the installed Check Point products start automatically during boot.

Exit
    Exits from the Check Point Configuration Tool.

Example 1 - Menu on a single Security Gateway

[Expert@MySingleGW:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Check Point CoreXL
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

Example 2 - Menu on a Cluster Member

[Expert@MyClusterMember:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :

cpinfo
Description
A utility that collects diagnostic data on your Check Point computer at the time of execution.
It is mandatory to collect this data when you contact Check Point Support about an issue on
your Check Point server.
For more information, see sk92739.

cplic
Description
The cplic command manages Check Point licenses.
You can run this command in Gaia Clish or in the Expert Mode.
License Management is divided into three types of commands:

Licensing Commands / Applies To / Description

Local licensing commands
    Applies to: Management Servers, Security Gateways and Cluster Members.
    You execute these commands locally on the Check Point computers.

Remote licensing commands
    Applies to: Management Servers only.
    You execute these commands on the Security Management Server or Domain Management Server. These changes affect the managed Security Gateways and Cluster Members.

License Management Repository commands
    Applies to: Management Servers only.
    You execute these commands on the Security Management Server or Domain Management Server. These changes affect the licenses stored in the local license repository.

For more about managing licenses, see the R80.40 Security Management Administration
Guide.

Syntax for Local Licensing on a Security Gateway or Cluster Member

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the applicable built-in usage.

check <options>
    Confirms that the license includes the feature on the local Security Gateway or Security Management Server.
    See "cplic check" on page 942.

contract <options>
    Manages (deletes and installs) the Check Point Service Contract on the local Check Point computer.
    See "cplic contract" on page 944.

del <options>
    Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses.
    See "cplic del" on page 946.

print <options>
    Prints details of the installed Check Point licenses on the local Check Point computer.
    See "cplic print" on page 947.

put <options>
    Installs and attaches licenses on a Check Point computer.
    See "cplic put" on page 949.

cplic check

Description
Confirms that the license includes the feature on the local Security Gateway or Management
Server. See sk66245.

Syntax

cplic check {-h | -help}

cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <Product>
    Product for which license information is requested.
    Some examples of products:
    - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member (all blades), or Management Server (all blades)
    - mgmt - Multi-Domain Server infrastructure
    - services - Entitlement for various services
    - cvpn - Mobile Access
    - etm - QoS (FloodGate-1)
    - eps - Endpoint Software Blades on Management Server

-v <Version>
    Product version for which license information is requested.

{-c | -count}
    Outputs the number of licenses connected to this feature.

-t <Date>
    Checks the license status on a future date.
    Use the format ddmmyyyy.
    A feature can be valid on a given date on one license, but invalid on another.

{-r | -routers}
    Checks how many routers are allowed.
    The <Feature> option is not needed.

{-S | -SRusers}
    Checks how many SecuRemote users are allowed.

<Feature>
    Feature for which license information is requested.

Example from a Management Server


[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1 fw1:6.0:rt
fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit fw1:6.0:prov
fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes
fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades
fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability


[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

Example from a Security Gateway


[Expert@GW]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf fw1:6.0:av
fw1:6.0:vsx5 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:connect fw1:6.0:pam
etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited fw1:6.0:des
fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps fw1:6.0:pam
fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm
fw1:6.0:blades fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

Example from a Cluster Member


[Expert@GW]# cplic check cluster-u
cplic check 'cluster-u': license valid
[Expert@GW]#
[Expert@GW]# cplic check -c cluster-u
cplic check 'cluster-u': 9 licenses
[Expert@GW]#

cplic contract

Description
Deletes the Check Point Service Contract on the local Check Point computer.
Installs the Check Point Service Contract on the local Check Point computer.

Note
- For more information about Service Contract files, see sk33089: What is a Service Contract File?
- If you install a Service Contract on a managed Security Gateway / Cluster Member, you must update the license repository on the applicable Management Server - either with the "cplic get" on page 142 command, or in SmartUpdate.

Syntax

cplic contract -h
cplic [-d] contract
    del
        -h
        <Service Contract ID>
    put
        -h
        [{-o | -overwrite}] <Service Contract File>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

del
    Deletes the Service Contract from the $CPDIR/conf/cp.contract file on the local Check Point computer.

put
    Merges the Service Contract into the $CPDIR/conf/cp.contract file on the local Check Point computer.

<Service Contract ID>
    ID of the Service Contract.

{-o | -overwrite}
    Specifies to overwrite the current Service Contract.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your Check Point User Center account.

cplic del

Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other
licenses.
This command can delete a license both on the local computer and on remotely managed
computers.

Syntax

cplic del {-h | -help}

cplic [-d] del [-F <Output File>] <Signature> <Object Name>

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-F <Output File>
    Saves the command output to the specified file.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 144 command.

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined in SmartConsole.

cplic print

Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member, this command prints all installed
licenses (both Local and Central).

Syntax

cplic print {-h | -help}

cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | -preatures}] [-D]

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signature.

{-t | -type}
    Prints licenses showing their type: Central or Local.

-F <Output File>
    Saves the command output to the specified file.

{-p | -preatures}
    Prints licenses resolved to primitive features.

-D
    On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print


Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 2

[Expert@HostName:0]# cplic print -x


Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

cplic put

Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}

cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}] [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

Parameter Description

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-o | -overwrite}
    On a Security Gateway / Cluster Member, this command erases only the local licenses, but not central licenses that are installed remotely.

{-c | -check-only}
    Verifies the license. Checks if the IP of the license matches the Check Point computer and if the signature is valid.

{-s | -select}
    Selects only the local license whose IP address matches the IP address of the Check Point computer.

-F <Output File>
    Saves the command output to the specified file.

{-P | -Pre-boot}
    Use this option after you have upgraded and before you reboot the Check Point computer.
    Use of this option will prevent certain error messages.

{-K | -kernel-only}
    Pushes the current valid licenses to the kernel.
    For use by Check Point Support only.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Gateway / Cluster Member for a local license.
    Hostname or IP address of the Security Management Server / Domain Management Server for a central license.

<Expiration Date>
    The license expiration date.

<Signature>
    The signature string within the license.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

Parameter Description

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l License.lic
Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#


cpprod_util
Description
This utility works with the Check Point Registry ($CPDIR/registry/HKLM_registry.data) without manually opening it:
  - Shows which Check Point products and features are enabled on this Check Point computer.
  - Enables and disables Check Point products and features on this Check Point computer.

Syntax

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}

cpprod_util -dump


Parameters

Parameter Description

CPPROD_GetValue
    Gets the configuration status of the specified product or feature:
      - 0 - Disabled
      - 1 - Enabled

CPPROD_SetValue
    Sets the configuration for the specified product or feature.
    Important - Do not run these commands unless explicitly instructed by Check Point Support or R&D to do so.

"<Product>"
    Specifies the product or feature.

"<Parameter>"
    Specifies the configuration parameter for the specified product or feature.

"<Value>"
    Specifies the value of the configuration parameter for the specified product or feature:
      - One of these integers: 0, 1, 4
      - A string

-dump
    Creates a dump file of the Check Point Registry ($CPDIR/registry/HKLM_registry.data) in the current working directory. The name of the output file is RegDump.


Notes
  - On a Multi-Domain Server, you must run this command in the context of the relevant Domain Management Server.
  - If you run the cpprod_util command without parameters, it prints:
      - The list of all available products and features (for example, "FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
      - The type of the expected argument when you configure a product or feature ("no-parameter", "string-parameter", or "integer-parameter")
      - The type of the returned output ("status-output", or "no-output")
  - To redirect the output of the cpprod_util command, it is necessary to redirect stderr to stdout:

    cpprod_util <options> > <output file> 2>&1

    Example:

    cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples
Example - Showing a list of all installed Check Point Products Packages on a Management
Server
[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#


Example - Checking if this Check Point computer is configured as a Management Server
[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone
[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability
[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability
[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability
[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server
[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled
[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#


Example - Checking if on this Management Server the Endpoint Policy Management blade is enabled
[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Endpoint Policy Server
[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

Example - Showing a list of all installed Check Point Products Packages on a Security Gateway
[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured as a VSX Gateway
[Expert@MyGW:0]# cpprod_util FwIsVSX
0
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the QoS blade is enabled
[Expert@MyGW:0]# cpprod_util FwIsFloodGate
1
[Expert@MyGW:0]#

Example - Checking if on this Security Gateway the SmartProvisioning is enabled
[Expert@MyGW:0]# cpprod_util FwIsAtlasModule
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured in Bridge Mode
[Expert@MyGW:0]# cpprod_util FwIsBridge
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is a member of Full HA cluster
[Expert@MyGW:0]# cpprod_util FwIsFullHA
0
[Expert@MyGW:0]#


Example - Checking if this Security Gateway is configured with Dynamically Assigned IP (DAIP)
[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

Example - Checking if this Security Gateway is configured with IPv6 addresses
[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6
1
[Expert@MyGW:0]#


cpstart
Description
Manually starts all Check Point processes and applications.

Syntax

cpstart [-fwflag {-default | -proc | -driver}]

Log Files
  - $CPDIR/cpstart.log
  - /opt/CPInstLog/cpstart_error.log


cpstat
Description
Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
    The output shows the SNMP queries and SNMP responses for the applicable SNMP OIDs.

-h <Host>
    Optional.
    When you run this command on a Management Server, this parameter specifies the managed Security Gateway.
    <Host> is an IPv4 address, a resolvable hostname, or a DAIP object name.
    The default is localhost.
    Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server>.

-p <Port>
    Optional.
    Port number of the Application Monitoring (AMON) server.
    The default port is 18192.

-s <SICname>
    Optional.
    Secure Internal Communication (SIC) name of the Application Monitoring (AMON) server.


-f <Flavor>
    Optional.
    Specifies the type of the information to collect.
    If you do not specify a flavor explicitly, the command uses the first flavor in the <Application Flag>. To see all flavors, run the cpstat command without any parameters.

-o <Polling Interval>
    Optional.
    Specifies the polling interval (in seconds) - how frequently the command collects and shows the information.
    Examples:
      - 0 - The command shows the results only once and then stops (this is the default value).
      - 5 - The command shows the results every 5 seconds in the loop.
      - 30 - The command shows the results every 30 seconds in the loop.
      - N - The command shows the results every N seconds in the loop.
    Use this parameter together with the "-c <Count>" parameter and the "-e <Period>" parameter.
    Example:
    cpstat os -f perf -o 2

-c <Count>
    Optional.
    Specifies how many times the command runs and shows the results before it stops.
    You must use this parameter together with the "-o <Polling Interval>" parameter.
    Examples:
      - 0 - The command shows the results repeatedly every <Polling Interval> (this is the default value).
      - 10 - The command shows the results 10 times every <Polling Interval> and then stops.
      - 20 - The command shows the results 20 times every <Polling Interval> and then stops.
      - N - The command shows the results N times every <Polling Interval> and then stops.
    Example:
    cpstat os -f perf -o 2 -c 2


-e <Period>
    Optional.
    Specifies the time (in seconds) over which the command calculates the statistics.
    You must use this parameter together with the "-o <Polling Interval>" parameter.
    You can use this parameter together with the "-c <Count>" parameter.
    Example:
    cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag>
    Mandatory.
    See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are supported only by a Security Gateway, and some flags are supported only by a Management Server.

Feature or Software Blade | Flag | Flavors

List of enabled Software Blades | blades | fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi, anti_bot, default, content_awareness, threat-emulation, default

Operating System | os | default, ifconfig, routing, routing6, memory, old_memory, cpu, disk, perf, multi_cpu, multi_disk, raidInfo, sensors, power_supply, hw_info, all, average_cpu, average_memory, statistics, updates, licensing, connectivity, vsx

Firewall | fw | default, interfaces, policy, perf, hmem, kmem, inspect, cookies, chains, fragments, totals, totals64, ufp, http, ftp, telnet, rlogin, smtp, pop3, sync, log_connection, all


HTTPS Inspection | https_inspection | default, hsm_status, all

Identity Awareness | identityServer | default, authentication, logins, ldap, components, adquery, idc, muh

Application Control | appi | default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

URL Filtering | urlf | default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

IPS | ips | default, statistics, all

Anti-Virus | ci | default

Threat Prevention | antimalware | default, scanned_hosts, scanned_mails, subscription_status, update_status, ab_prm_contracts, av_prm_contracts, ab_prm_contracts, av_prm_contracts


Threat Emulation | threat-emulation | default, general_statuses, update_status, scanned_files, malware_detected, scanned_on_cloud, malware_on_cloud, average_process_time, emulated_file_size, queue_size, peak_size, file_type_stat_file_scanned, file_type_stat_malware_detected, file_type_stat_cloud_scanned, file_type_stat_cloud_malware_scanned, file_type_stat_filter_by_analysis, file_type_stat_cache_hit_rate, file_type_stat_error_count, file_type_stat_no_resource_count, contract, downloads_information_current, downloading_file_information, queue_table, history_te_incidents, history_te_comp_hosts

Threat Extraction | scrub | default, subscription_status, threat_extraction_statistics

Mobile Access | cvpn | cvpnd, sysinfo, products, overall

VSX | vsx | default, stat, traffic, conns, cpu, all, memory, cpu_usage_per_core

IPsec VPN | vpn | default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics, watermarks, all

Data Loss Prevention | dlp | default, dlp, exchange_agents, fingerprint

Content Awareness | ctnt | default

QoS | fg | all

High Availability | ha | default, all

Policy Server for Remote Access VPN clients | polsrv | default, all


Desktop Policy Server for Remote Access VPN clients | dtps | default, all

LTE / GX | gx | default, contxt_create_info, contxt_delete_info, contxt_update_info, contxt_path_mng_info, GXSA_GPDU_info, contxt_initiate_info, gtpv2_create_info, gtpv2_delete_info, gtpv2_update_info, gtpv2_path_mng_info, gtpv2_cmd_info, all

Management Server | mg | default, log_server, indexer

Certificate Authority | ca | default, crl, cert, user, all

SmartEvent | cpsemd | default

SmartEvent Correlation Unit | cpsead | default

Log Server | ls | default

CloudGuard Controller | vsec | default

SmartReporter | svr | default

Provisioning Agent | PA | default

Thresholds configured with the threshold_config command | thresholds | default, active_thresholds, destinations, error

Historical status values | persistency | product, TableConfig, SourceConfig


Examples
Example - Interfaces on a Security Gateway
[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
--------------------------------------------------------------------------------------------------------------------
|Name|IP |Netmask |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
--------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth1| 172.30.60.80|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth2| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth3| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth4| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth5| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth6| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth7| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
--------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

Example - Policy on a Security Gateway
[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy
Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#


Example - CPU utilization
[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance
[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#


Example - List of current connected sessions on a Management Server
[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#
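The "Connected clients" table above is the place to look when a SmartConsole or API session is unexpectedly read-only. As an added example (not part of the guide), the POSIX shell functions below parse that table from cpstat -f default mg output and report which administrators hold the database lock; the sample output, the extra alice and automation rows, and the function names are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): extract the "Connected
# clients" table from "cpstat -f default mg" output and report which
# administrators hold the database lock. Whoever holds the lock is the
# one who can currently change the policy on this Management Server.

# Constructed sample in the format shown in the guide (the alice and
# automation rows are made up for this example).
SAMPLE_MG_OUTPUT='Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
|SmartConsole|alice |ALICE-LAPTOP |true |
|API |automation |10.0.0.5 |false |
-------------------------------------------------------'

# Read cpstat output on stdin and print one line per connected client:
#   <client type> <administrator> <host> <database lock>
# Only rows after the "Connected clients" heading count; the column
# header row and the dashed separator rows are skipped.
connected_clients() {
    awk -F'|' '
        /^Connected clients/ { in_table = 1; next }
        in_table && substr($0, 1, 1) == "|" && $2 !~ /^Client type/ {
            for (i = 2; i <= 5; i++) gsub(/^ +| +$/, "", $i)
            print $2, $3, $4, $5
        }'
}

# Print the administrators whose "Database lock" column is true.
lock_holders() {
    connected_clients | awk '$4 == "true" { print $2 }'
}

# Return 0 when nobody holds the database lock, 1 otherwise.
# Usage on a Management Server: cpstat -f default mg | lock_is_free
lock_is_free() {
    [ -z "$(lock_holders)" ]
}

# Stand-alone run against the constructed sample: prints "alice".
printf '%s\n' "$SAMPLE_MG_OUTPUT" | lock_holders
```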


cpstop
Description
Manually stops all Check Point processes and applications.

Syntax

cpstop [-fwflag {-default | -proc | -driver}]

Parameters

Important - These parameters are for Check Point internal use. Do not use them, unless explicitly instructed by Check Point Support or R&D to do so.

Parameter Description

-fwflag -default
      - Shuts down Check Point processes
      - Loads the Default Filter policy (defaultfilter)

-fwflag -proc
      - Shuts down Check Point processes
      - Keeps the currently loaded kernel policy
      - Maintains the Connections table, so that after you run the "cpstart" on page 957 command, you do not experience dropped packets because they are "out of state"
    Note - Only security rules that do not use user space processes continue to work.

-fwflag -driver
    Unloads the Check Point kernel modules.
    Therefore, no policy is loaded.
    Warning - This leaves your Security Gateway, or a Cluster Member, without protection. Before you run this command, we recommend that you disconnect your Security Gateway, or a Cluster Member, from the network completely.


cpview
Overview of CPView

Description
CPView is a text based built-in utility on a Check Point computer.
CPView Utility shows statistical data that contain both general system information (CPU,
Memory, Disk space) and information for different Software Blades (only on Security
Gateway).
The CPView continuously updates the data in easy to access views.

On Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Section Description

Header
    This view shows the time the statistics in the third view are collected.
    It updates when you refresh the statistics.

Navigation
    This menu bar is interactive. Move between menus with the arrow keys and mouse.
    A menu can have sub-menus and they show under the menu bar.

View
    This view shows the statistics collected in that view.
    These statistics update at the refresh rate.


Using CPView
Use these keys to navigate the CPView:

Key Description

Arrow keys
    Moves between menus and views. Scrolls in a view.

Home
    Returns to the Overview view.

Enter
    Changes to the View Mode.
    On a menu with sub-menus, the Enter key moves you to the lowest level sub-menu.

Esc
    Returns to the Menu Mode.

Q
    Quits CPView.

Use these keys to change CPView interface options:

Key Description

R
    Opens a window where you can change the refresh rate.
    The default refresh rate is 2 seconds.

W
    Changes between wide and normal display modes.
    In wide mode, CPView fits the screen horizontally.

S
    Manually sets the number of rows or columns.

M
    Switches on/off the mouse.

P
    Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key Description

C
    Saves the current page to a file. The file name format is:
    cpview_<ID of the cpview process>.cap<Number of the capture>

H
    Shows a tooltip with CPView options.

Space bar
    Immediately refreshes the statistics.


dynamic_objects
Description
Manages dynamic objects and their applicable ranges of IP addresses on the Security
Gateway.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Workflow

Step Instructions

1
    In SmartConsole:
    1. Define the applicable dynamic object.
    2. Install the Access Control Policy on the Security Gateway.

2
    On the Security Gateway, run the dynamic_objects command to:
    1. Create the applicable dynamic object with the same name.
    2. Assign the applicable ranges of IP addresses to the new dynamic object.


Syntax
  - To show all configured dynamic objects and their ranges of IP addresses:

    dynamic_objects -l

  - To create a new dynamic object (and assign a range of IP addresses to it):

    dynamic_objects -n <object_name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a]

  - To add a new range of IP addresses to the specific existing dynamic object:

    dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a

  - To delete a range of IP addresses from the specific existing dynamic object:

    dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -d

  - To update the specific existing dynamic object (and assign a different range of IP addresses to it):

    dynamic_objects -u <object_name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]]

  - To compare the configured dynamic objects and objects configured in SmartConsole:

    dynamic_objects -c

  - To delete the specific existing dynamic object (and all ranges of IP addresses assigned to it):

    dynamic_objects -do <object_name>

  - To delete all the existing dynamic objects (and all ranges of IP addresses assigned to them):

    dynamic_objects -e


Parameters

Parameter Description

<object_name>
    Specifies the name of the object:
      - As configured in SmartConsole
      - As configured with the "dynamic_objects -n <object name>" command

-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]
    Specifies the ranges of IP addresses in the format of pairs: <From_IP_Address> <To_IP_Address>
    For example, to specify two ranges, from 192.168.2.30 to 192.168.2.40 and from 192.168.2.50 to 192.168.2.60, enter these four IP addresses:
    192.168.2.30 192.168.2.40 192.168.2.50 192.168.2.60

-a
    Adds the specified ranges of IP addresses to the specified dynamic object.

-c
    Compares the dynamic objects in the dynamic objects database ($FWDIR/database/dynamic_objects.db) and in the $FWDIR/conf/objects.C file.

-d
    Deletes the specified ranges of IP addresses from the dynamic object.

-do
    Deletes the specified dynamic object.

-e
    Deletes all configured dynamic objects from the dynamic objects database ($FWDIR/database/dynamic_objects.db).

-l
    Lists the configured dynamic objects in the dynamic objects database ($FWDIR/database/dynamic_objects.db).

-n
    Creates a new dynamic object.

-u
    Updates the specified dynamic object.
    If you specify a range of IP addresses, then the new range replaces all ranges that are currently assigned to this dynamic object.


Example 1 - Create a new dynamic object named "bigserver" and assign to it the range of IP addresses 192.168.2.30-192.168.2.40
Run either these two commands:
dynamic_objects -n bigserver
dynamic_objects -o bigserver -r 192.168.2.30 192.168.2.40 -a

Or this single command:
dynamic_objects -n bigserver -r 192.168.2.30 192.168.2.40 -a

Example 2 - Update the ranges of IP addresses assigned to the dynamic object named "bigserver" from the current range to the new range 192.168.2.60-192.168.2.80
dynamic_objects -u bigserver -r 192.168.2.60 192.168.2.80
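A dynamic object's ranges decide which traffic a rule matches, so a reversed pair or a mistyped octet changes what the gateway enforces. As an added example (not part of the guide), the POSIX shell wrapper below checks the <FromIP> <ToIP> pairs from the Syntax and Parameters sections above before they reach dynamic_objects -o ... -r ... -a; the function names and the DRY_RUN variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): validate the
# "<FromIP> <ToIP>" pairs before handing them to dynamic_objects, so a
# typo does not silently widen or invert the range a rule matches on.
# Remember the guide's note: in a Cluster, run the same commands on
# every Cluster Member.

# Convert a dotted-quad IPv4 address to an integer on stdout.
# Returns 1 (and prints nothing) for anything that is not a valid
# IPv4 address: wrong octet count, octet > 255, leading zeros, stray dots.
ip4_to_int() {
    _ip="$1"
    case "$_ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _n=0; _count=0
    _old_ifs="$IFS"; IFS=.
    for _o in $_ip; do
        case "$_o" in
            0[0-9]*) IFS="$_old_ifs"; return 1 ;;   # reject 010-style octets
        esac
        if [ "$_o" -gt 255 ]; then IFS="$_old_ifs"; return 1; fi
        _n=$(( _n * 256 + _o ))
        _count=$(( _count + 1 ))
    done
    IFS="$_old_ifs"
    [ "$_count" -eq 4 ] || return 1
    echo "$_n"
}

# Check that the arguments form <FromIP> <ToIP> pairs with From <= To.
# Prints one "from to" line per accepted range; returns 1 on any error.
check_ranges() {
    [ $# -gt 0 ] || { echo "no IP addresses given" >&2; return 1; }
    [ $(( $# % 2 )) -eq 0 ] || {
        echo "IP addresses must come in <FromIP> <ToIP> pairs" >&2; return 1; }
    while [ $# -gt 0 ]; do
        _from=$(ip4_to_int "$1") || { echo "bad IPv4 address: $1" >&2; return 1; }
        _to=$(ip4_to_int "$2")   || { echo "bad IPv4 address: $2" >&2; return 1; }
        [ "$_from" -le "$_to" ]  || { echo "range reversed: $1 $2" >&2; return 1; }
        echo "$1 $2"
        shift 2
    done
}

# Add validated ranges to an existing dynamic object, building the command
# form documented in the guide:
#   dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... -a
# With DRY_RUN=1 the command is printed instead of executed.
add_ranges() {
    _obj="$1"; shift
    check_ranges "$@" >/dev/null || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "dynamic_objects -o $_obj -r $* -a"
    else
        dynamic_objects -o "$_obj" -r "$@" -a
    fi
}
```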


cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes
such as Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products
and Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log
file.

The cpwd_admin utility shows the status of the monitored processes, and configures the
Check Point WatchDog.

There are two types of Check Point WatchDog monitoring:

Monitoring Description

Passive
    WatchDog restarts the process only when the process terminates abnormally.
    In the output of the cpwd_admin list command, the MON column shows N for passively monitored processes.

Active
    WatchDog checks the process status every predefined interval.
    WatchDog makes sure the process is alive, as well as properly functioning (not stuck on deadlocks, frozen, and so on).
    In the output of the cpwd_admin list command, the MON column shows Y for actively monitored processes.
    The list of actively monitored processes is predefined by Check Point. Users cannot change or configure it.


Syntax

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

Parameters

Parameter Description

config <options>
    Configures the Check Point WatchDog.
    See "cpwd_admin config" on page 207.

del <options>
    Temporarily deletes a monitored process from the WatchDog database of monitored processes.
    See "cpwd_admin del" on page 211.

detach <options>
    Temporarily detaches a monitored process from the WatchDog monitoring.
    See "cpwd_admin detach" on page 212.

exist
    Checks whether the WatchDog process cpwd is alive.
    See "cpwd_admin exist" on page 213.

flist <options>
    Saves the status of all monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
    See "cpwd_admin flist" on page 214.

getpid <options>
    Shows the PID of a monitored process.
    See "cpwd_admin getpid" on page 216.


kill <options>
    Terminates the WatchDog process cpwd.
    See "cpwd_admin kill" on page 217.
    Important - Do not run this command unless explicitly instructed by Check Point Support or R&D to do so.

list
    Prints the status of all monitored processes on the screen.
    See "cpwd_admin list" on page 218.

monitor_list
    Prints the status of actively monitored processes on the screen.
    See "cpwd_admin monitor_list" on page 223.

start <options>
    Starts a process as monitored by the WatchDog.
    See "cpwd_admin start" on page 224.

start_monitor
    Starts the active WatchDog monitoring - WatchDog monitors the predefined processes actively.
    See "cpwd_admin start_monitor" on page 227.

stop <options>
    Stops a monitored process.
    See "cpwd_admin stop" on page 228.

stop_monitor
    Stops the active WatchDog monitoring - WatchDog monitors all processes only passively.
    See "cpwd_admin stop_monitor" on page 230.


cpwd_admin config

Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
-h
-a <options>
-d <options>
-p
-r

Parameters

Parameter Description

-h
    Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N>
    Adds the WatchDog configuration parameters.
    Note - Spaces are not allowed between the name of the configuration parameter, the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N>
    Deletes the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-p
    Shows the WatchDog configuration parameters that the user added with the "cpwd_admin config -a" command.

-r
    Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:

Configuration Parameter / Accepted Values / Description

default_ctx
    Accepted values: Text string up to 128 characters
    On a VSX Gateway, configures the CTX value that is assigned to monitored processes, for which no CTX is specified.

display_ctx
    Accepted values: 0 (default), 1
    On a VSX Gateway, configures whether the WatchDog shows the CTX column in the output of the cpwd_admin list command (between the APP and the PID columns):
      - 0 - Does not show the CTX column
      - 1 - Shows the CTX column

no_limit
    Accepted values: Range: -1, 0, >0. Default: 5
    If rerun_mode=1, specifies the maximal number of times the WatchDog tries to restart a process.
      - -1 - Always tries to restart
      - 0 - Never tries to restart
      - >0 - Tries this number of times

num_of_procs
    Accepted values: Range: 30 - 2000. Default: 2000
    Configures the maximal number of processes managed by the WatchDog.

rerun_mode
    Accepted values: 0, 1 (default)
    Configures whether the WatchDog restarts processes after they fail:
      - 0 - Does not restart a failed process. Monitor and log only.
      - 1 - Restarts a failed process (this is the default).

reset_startups
    Accepted values: Range: > 0. Default: 3600
    Configures the time (in seconds) the WatchDog waits after the process starts and before the WatchDog resets the process's startup_counter to 0.
    To see the process's startup counter, in the output of the cpwd_admin list command, refer to the #START column.

sleep_mode
    Accepted values: 0, 1 (default)
    Configures how the WatchDog restarts the process:
      - 0 - Ignores timeout and restarts the process immediately
      - 1 - Waits for the duration of sleep_timeout

sleep_timeout
    Accepted values: Range: 0 - 3600. Default: 60
    If rerun_mode=1, specifies how much time (in seconds) passes from a process failure until the WatchDog tries to restart it.

stop_timeout
    Accepted values: Range: > 0. Default: 60
    Configures the time (in seconds) the WatchDog waits for a process stop command to complete.

zero_timeout
    Accepted values: Range: > 0. Default: 7200
    After failing no_limit times to restart a process, the WatchDog waits zero_timeout seconds before it tries again.
    The value of the zero_timeout must be greater than the value of the timeout.

The WatchDog saves the user defined configuration parameters in the $CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"
: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...


Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#

Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the cpstop and cpstart commands (which restart all
Check Point processes).

Syntax

cpwd_admin config
-h
-a <options>
-d <options>
-p
-r

Parameters

Parameter Description

-h Shows built-in usage.


-a <Configuration_Parameter_1>=<Value_1> <Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N>
    Adds the WatchDog configuration parameters.
    Note - Spaces are not allowed between the name of the configuration parameter, the equal sign, and the value.

-d <Configuration_Parameter_1> <Configuration_Parameter_2> ... <Configuration_Parameter_N>
    Deletes the WatchDog configuration parameters that the user added with the cpwd_admin config -a command.

-p
    Shows the WatchDog configuration parameters that the user added with the cpwd_admin config -a command.

-r
    Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:

default_ctx
    Accepted values: Text string up to 128 characters.
    On a VSX Gateway, configures the CTX value that is assigned to monitored processes, for which no CTX is specified.

display_ctx
    Accepted values: 0 (default), 1.
    On a VSX Gateway, configures whether the WatchDog shows the CTX column in the output of the cpwd_admin list command (between the APP and the PID columns):
    - 0 - Does not show the CTX column
    - 1 - Shows the CTX column

no_limit
    Accepted values: Range -1, 0, >0. Default: 5.
    If rerun_mode=1, specifies the maximal number of times the WatchDog tries to restart a process.
    - -1 - Always tries to restart
    - 0 - Never tries to restart
    - >0 - Tries this number of times


num_of_procs
    Accepted values: Range 30 - 2000. Default: 2000.
    Configures the maximal number of processes managed by the WatchDog.

rerun_mode
    Accepted values: 0, 1 (default).
    Configures whether the WatchDog restarts processes after they fail:
    - 0 - Does not restart a failed process. Monitor and log only.
    - 1 - Restarts a failed process (this is the default).

reset_startups
    Accepted values: Range > 0. Default: 3600.
    Configures the time (in seconds) the WatchDog waits after the process starts and before the WatchDog resets the process's startup_counter to 0.
    To see the process's startup counter, in the output of the cpwd_admin list command, refer to the #START column.

sleep_mode
    Accepted values: 0, 1 (default).
    Configures how the WatchDog restarts the process:
    - 0 - Ignores timeout and restarts the process immediately
    - 1 - Waits for the duration of sleep_timeout

sleep_timeout
    Accepted values: Range 0 - 3600. Default: 60.
    If rerun_mode=1, specifies how much time (in seconds) passes from a process failure until the WatchDog tries to restart it.

stop_timeout
    Accepted values: Range > 0. Default: 60.
    Configures the time (in seconds) the WatchDog waits for a process stop command to complete.

zero_timeout
    Accepted values: Range > 0. Default: 7200.
    After failing no_limit times to restart a process, the WatchDog waits zero_timeout seconds before it tries again.
    The value of the zero_timeout must be greater than the value of the timeout.

The WatchDog saves the user defined configuration parameters in the $CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:


("CheckPoint Repository Set"
: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...
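The registry layout above is what an auditor has to read when checking a gateway's WatchDog settings from a copied file rather than a live `cpwd_admin config -p`. The following is an added example, not code from the Check Point guide: a POSIX shell function that walks a registry text on stdin, stays inside the ": (Wd_Config" block, and prints each parameter as name=value with the "[4]" type tag removed. The function names (wd_config_dump, wd_config_get) and the sample registry text are my own; the sample is constructed to match the structure shown above and is not a real HKLM_registry.data.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): pull the user-defined WatchDog
# parameters out of the ": (Wd_Config" section of a copy of
# $CPDIR/registry/HKLM_registry.data, e.g. when auditing a gateway offline.
# Values carry a type tag such as "[4]" that is stripped from the output.
# Reads the registry text on stdin and prints one "name=value" line per parameter.
wd_config_dump() {
    awk '
        # Enter the section on the ": (Wd_Config" line.
        /^[ \t]*: \(Wd_Config[ \t]*$/ { inside = 1; next }
        # A bare closing parenthesis ends the section; nothing after it matters.
        inside && /^[ \t]*\)[ \t]*$/ { exit }
        # Parameter lines look like:  :name ("[4]value")
        inside && $1 ~ /^:[A-Za-z0-9_]+$/ && $2 ~ /^\("/ {
            name = substr($1, 2)             # drop the leading colon
            value = $0
            sub(/^[^"]*"/, "", value)        # drop everything up to the opening quote
            sub(/"\).*$/, "", value)         # drop the closing quote and parenthesis
            sub(/^\[[0-9]+\]/, "", value)    # drop the type tag, e.g. [4]
            print name "=" value
        }
    '
}

# Print the value of one parameter (first argument), or nothing if it is not set.
wd_config_get() {
    wd_config_dump | awk -F= -v want="$1" '$1 == want { print substr($0, length($1) + 2) }'
}

# Constructed sample modelled on the structure shown above; not a real registry file.
# CurrentVersion sits outside Wd_Config and must not be reported.
SAMPLE_REGISTRY='("CheckPoint Repository Set"
        : (SOFTWARE
                : (CheckPoint
                        : (CPshared
                                :CurrentVersion (6.0)
                        )
                        : (Wd
                                : (Wd_Config
                                        :sleep_timeout ("[4]120")
                                        :no_limit ("[4]12")
                                )
                        )
                )
        )
)'

# On a real host: wd_config_dump < "$CPDIR/registry/HKLM_registry.data"
printf '%s\n' "$SAMPLE_REGISTRY" | wd_config_dump
```

Only the Wd_Config block is parsed, so unrelated registry keys with the same name elsewhere in the file are ignored, and the parser stops at the block's closing parenthesis rather than scanning the rest of a large registry.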

Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
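Because a bad value only shows its effect after the cpstop/cpstart that the Important note requires, it pays to check assignments before running `cpwd_admin config -a`. The block below is an added example, not code from the Check Point guide: a POSIX shell validator that applies the accepted values and the no-spaces rule documented above to each name=value pair, and a builder that prints the resulting command line without executing it. Function names (cpwd_validate_param, cpwd_config_build) are my own; the accepted ranges are the ones listed in the table above.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): check "name=value" assignments
# against the accepted values documented for cpwd_admin config before they are
# passed to `cpwd_admin config -a`, so a typo or an out-of-range value is caught
# on the terminal instead of after the next cpstop/cpstart.
# Returns 0 when the assignment is acceptable, 1 otherwise (reason on stderr).
cpwd_validate_param() {
    assignment=$1
    case $assignment in
        *[[:space:]]*) echo "rejected: whitespace in '$assignment' (no spaces around '=')" >&2; return 1 ;;
        ?*=?*) ;;
        *) echo "rejected: '$assignment' is not name=value" >&2; return 1 ;;
    esac
    name=${assignment%%=*}
    value=${assignment#*=}
    # Integer test shared by the numeric parameters: optional leading '-', then digits.
    case $value in
        -[0-9]*|[0-9]*) case ${value#-} in *[!0-9]*) is_int=0 ;; *) is_int=1 ;; esac ;;
        *) is_int=0 ;;
    esac
    case $name in
        default_ctx)
            [ ${#value} -le 128 ] && return 0
            echo "rejected: default_ctx is longer than 128 characters" >&2; return 1 ;;
        display_ctx|rerun_mode|sleep_mode)
            case $value in 0|1) return 0 ;; esac
            echo "rejected: $name must be 0 or 1" >&2; return 1 ;;
        no_limit)
            [ "$is_int" -eq 1 ] && [ "$value" -ge -1 ] && return 0
            echo "rejected: no_limit must be -1, 0 or a positive integer" >&2; return 1 ;;
        num_of_procs)
            [ "$is_int" -eq 1 ] && [ "$value" -ge 30 ] && [ "$value" -le 2000 ] && return 0
            echo "rejected: num_of_procs must be within 30 - 2000" >&2; return 1 ;;
        sleep_timeout)
            [ "$is_int" -eq 1 ] && [ "$value" -ge 0 ] && [ "$value" -le 3600 ] && return 0
            echo "rejected: sleep_timeout must be within 0 - 3600" >&2; return 1 ;;
        reset_startups|stop_timeout|zero_timeout)
            [ "$is_int" -eq 1 ] && [ "$value" -gt 0 ] && return 0
            echo "rejected: $name must be a positive integer" >&2; return 1 ;;
        *)
            echo "rejected: unknown configuration parameter '$name'" >&2; return 1 ;;
    esac
}

# Validate every assignment, then print the exact command line to run.
# Nothing is executed here: run the printed line on the host, then cpstop ; cpstart.
cpwd_config_build() {
    for assignment in "$@"; do
        cpwd_validate_param "$assignment" || return 1
    done
    printf 'cpwd_admin config -a'
    for assignment in "$@"; do
        printf ' %s' "$assignment"
    done
    printf '\n'
}

# Mirrors the example session above.
cpwd_config_build sleep_timeout=120 no_limit=12
```

The builder refuses the whole set if any single assignment fails, which matches how an operator would want a change window to behave: either every parameter is applied and the restart is done once, or nothing changes.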


cpwd_admin del

Description
Temporarily deletes a monitored process from the WatchDog database of monitored
processes.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the deleted process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin del -name <Application Name>

Syntax on a Security Gateway

cpwd_admin del -name <Application Name> [-ctx <VSID>]

Parameters

Parameter Description

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin del -name FWD
cpwd_admin:
successful Del operation
[Expert@HostName:0]#


cpwd_admin detach

Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 218 command does not show the detached process anymore.
- This change applies until all Check Point services restart during boot, or with the "cpstart" on page 191 command.

Syntax on a Management Server

cpwd_admin detach -name <Application Name>

Syntax on a Security Gateway

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

Parameters

Parameter Description

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD
cpwd_admin:
successful Detach operation
[Expert@HostName:0]#


cpwd_admin exist

Description
Checks whether the WatchDog process cpwd is alive.

Syntax

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist
cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#


cpwd_admin flist

Description
Saves the status of all WatchDog monitored processes to a file.

Syntax on a Management Server

cpwd_admin flist [-full]

Syntax on a Security Gateway

cpwd_admin flist [-full] [-ctx <VSID>]

Parameters

Parameter Description

-full Shows the verbose output.

-ctx <VSID> On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

Column Description

APP
    Shows the WatchDog name of the monitored process.

CTX
    On a VSX Gateway, shows the VSID, in which the monitored process runs.

PID
    Shows the PID of the monitored process.

STAT
    Shows the status of the monitored process:
    - E - executing
    - T - terminated

#START
    Shows how many times the WatchDog started the monitored process.

START_TIME
    Shows the time when the WatchDog started the monitored process for the last time.

SLP/LIMIT
    In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 207).

MON
    Shows how the WatchDog monitors this process (see the explanation for the "cpwd_admin" on page 204):
    - Y - Active monitoring
    - N - Passive monitoring

COMMAND
    Shows the command the WatchDog runs to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist
/opt/CPshrd-R80.40/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#


cpwd_admin getpid

Description
Shows the PID of a WatchDog monitored process.

Syntax for a Management Server

cpwd_admin getpid -name <Application Name>

Syntax for a Security Gateway

cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

Parameters

Parameter Description

<Application Name>
    Name of the monitored Check Point process as you see in the output of the "cpwd_admin list" on page 218 command in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD
5640
[Expert@HostName:0]#


cpwd_admin kill

Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 201 and "cpstart" on page 191 commands.

Syntax

cpwd_admin kill


cpwd_admin list

Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Management Server

cpwd_admin list [-full]

Syntax on a Security Gateway

cpwd_admin list [-full] [-ctx <VSID>]

Parameters

Parameter Description

-full Shows the verbose output.

-ctx <VSID> On a VSX Gateway, specifies the context of the applicable Virtual System.


Output

Column Description

APP
    Shows the WatchDog name of the monitored process.

CTX
    On a VSX Gateway, shows the VSID, in which the monitored process runs.

PID
    Shows the PID of the monitored process.

STAT
    Shows the status of the monitored process:
    - E - executing
    - T - terminated

#START
    Shows how many times the WatchDog started the monitored process.

START_TIME
    Shows the time when the WatchDog started the monitored process for the last time.

SLP/LIMIT
    In verbose output, shows the values of the sleep_timeout and no_limit configuration parameters (see "cpwd_admin config" on page 207).

MON
    Shows how the WatchDog monitors this process (see the explanation for the "cpwd_admin" on page 204):
    - Y - Active monitoring
    - N - Passive monitoring

COMMAND
    Shows the command the WatchDog runs to start this process.

Examples
Example - Default output on a Management Server
[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R80.40/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-R80.40/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2019 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
[Expert@HostName:0]#


Example - Default output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 N mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 N ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2019 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2019 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 N DAService_script
[Expert@HostName:0]#


Example - Verbose output on a Management Server

[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/java_solr
COMMAND = java_solr /opt/CPrt-R80.40/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R80.40/log_indexer/log_indexer
COMMAND = /opt/CPrt-R80.40/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R80.40/smartlog_server
COMMAND = /opt/CPSmartLog-R80.40/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R80.40/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#


Example - Verbose output on a Security Gateway

[Expert@HostName:0]# cpwd_admin list -full
APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2019 3/u N
PATH = /opt/CPsuite-R80.40/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2019 60/5 Y
PATH = /opt/CPshrd-R80.40/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2019 60/5 N
PATH = /opt/CPshrd-R80.40/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R80.40/log/mpdaemon.elg /opt/CPshrd-R80.40/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R80.40/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2019 60/5 N
PATH = /opt/CPsuite-R80.40/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
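The STAT and #START columns are the two that matter when you use this output as a health signal: a T means the WatchDog has given up on, or has not yet started, a process, and a #START above 1 means the process has already crashed and been restarted at least once, which on a gateway is worth a ticket before it becomes an outage. The block below is an added example, not code from the Check Point guide: a POSIX shell filter that reads `cpwd_admin list` output on stdin, finds the column positions from the header line so both the Management Server layout (no CTX column) and the Security Gateway layout (with CTX) work, skips the PATH/COMMAND/ENV lines of `-full` output, and prints one line per finding. Function names (cpwd_list_flag, cpwd_list_flag_count) and the two sample outputs are my own; the samples are constructed to match the column layout shown in the examples above.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): scan `cpwd_admin list` output
# for monitored processes that are not executing (STAT other than E) or that the
# WatchDog has already started more than once (#START above 1).
# Column positions come from the header line, so the Management Server layout
# (no CTX) and the Security Gateway layout (with CTX) are both handled, as is the
# `-full` layout with its PATH/COMMAND/ENV lines.
# Reads the command output on stdin; prints "APP stat=X starts=N" per finding.
cpwd_list_flag() {
    awk '
        # The header line tells us which field holds APP, STAT and #START.
        $1 == "APP" {
            for (i = 1; i <= NF; i++) {
                if ($i == "APP")    app = i
                if ($i == "STAT")   stat = i
                if ($i == "#START") start = i
            }
            next
        }
        !stat { next }   # nothing before the header (e.g. the prompt) counts
        # Skip prompts, separator rules, blank lines and the extra -full lines.
        /^\[Expert@/ || /^-+$/ || /^(PATH|COMMAND|ENV) =/ || NF == 0 { next }
        $stat != "E" || $start + 0 > 1 {
            printf "%s stat=%s starts=%s\n", $app, $stat, $start
        }
    '
}

# Number of findings, usable as a health-check metric (0 means nothing to report).
cpwd_list_flag_count() {
    cpwd_list_flag | awk 'END { print NR + 0 }'
}

# Constructed sample in the Management Server layout (columns as shown above).
SAMPLE_MGMT='APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd'

# Constructed sample in the Security Gateway layout, captured with its prompt
# lines; FWD has been restarted three times and RAD is no longer running.
SAMPLE_GW='[Expert@HostName:0]# cpwd_admin list
APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2019 N fwk_forker
CPD 0 5420 E 1 [18:14:15] 23/5/2019 Y cpd
FWD 0 5640 E 4 [18:14:26] 23/5/2019 N fwd
RAD 0 0 T 3 [18:14:28] 23/5/2019 N rad
[Expert@HostName:0]#'

# On a real host: cpwd_admin list | cpwd_list_flag
printf '%s\n' "$SAMPLE_GW" | cpwd_list_flag
```

Run from a cron job or a monitoring agent, `cpwd_admin list | cpwd_list_flag_count` gives a single number to alert on; keep in mind that a process deleted or detached with `cpwd_admin del` or `cpwd_admin detach` disappears from the list entirely and will not be flagged.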


cpwd_admin monitor_list

Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 204.

Syntax

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list
cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#


cpwd_admin start

Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server

cpwd_admin start -name <Application Name> -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Syntax on a Security Gateway

cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

Parameter Description

-name <Application Name>
    Name, under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.


-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable including the executable name.
    Must enclose in double quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd"
    - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh"
    - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl"

-command "<Command Syntax>"
    The command and its arguments to run.
    Must enclose in double quotes.
    Examples:
    - For FWM: "fwm"
    - For FWM on Multi-Domain Server: "fwm mds"
    - For FWD: "fwd"
    - For CPD: "cpd"
    - For CPM: "/opt/CPsuite-R80.40/fw1/scripts/cpm.sh -s"
    - For SICTUNNEL: "/opt/CPshrd-R80.40/bin/cptnl -c "/opt/CPuepm-R80.40/engine/conf/cptnl_srv.conf""

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

-slp_timeout <Timeout>
    Configures the specified value of the "sleep_timeout" configuration parameter.
    See "cpwd_admin config" on page 207.

-retry_limit {<Limit> | u}
    Configures the value of the "retry_limit" configuration parameter.
    See "cpwd_admin config" on page 207.
    - <Limit> - Tries to restart the process the specified number of times
    - u - Tries to restart the process an unlimited number of times


Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin start_monitor

Description
Starts the active WatchDog monitoring. WatchDog monitors the predefined processes
actively.
See the explanation for the "cpwd_admin" on page 204 command.

Syntax

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor
cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#


cpwd_admin stop

Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Management Server

cpwd_admin stop -name <Application Name> [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Syntax on a Security Gateway

cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Parameters

Parameter Description

-name <Application Name>
    Name under which the cpwd_admin list command shows the monitored process in the leftmost column APP.
    Examples:
    - FWM
    - FWD
    - CPD
    - CPM

-ctx <VSID>
    On a VSX Gateway, specifies the context of the applicable Virtual System.

-path "<Full Path to Executable>"
    The full path (with or without Check Point environment variables) to the executable including the executable name.
    Must enclose in double quotes.
    Examples:
    - For FWM: "$FWDIR/bin/fwm"
    - For FWD: "/opt/CPsuite-R80.40/fw1/bin/fw"
    - For CPD: "$CPDIR/bin/cpd_admin"


-command "<Command Syntax>"
    The command and its arguments to run.
    Must enclose in double quotes.
    Examples:
    - For FWM: "fw kill fwm"
    - For FWD: "fw kill fwd"
    - For CPD: "cpd_admin stop"

-env {inherit | <Env_Var>=<Value>}
    Configures whether to inherit the environment variables from the shell.
    - inherit - Inherits all the environment variables (WatchDog supports up to 80 environment variables)
    - <Env_Var>=<Value> - Assigns the specified value to the specified environment variable

Example
For the list of processes and the applicable syntax, see sk97638.


cpwd_admin stop_monitor

Description
Stops the active WatchDog monitoring. WatchDog monitors all processes only passively.
See the explanation for the "cpwd_admin" on page 204 command.

Syntax

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor
cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#


fw
Description
- Fetches and unloads Threat Prevention policy.
- Controls the Firewall module.
- Generates the Default Filter policy files.
- Fetches the policy from the Management Server, peer Cluster Member, or local directory.
- Fetches the specified Security or Audit log files from the specified Check Point computer.
- Shows the list of interfaces and their IP addresses.
- Shows information about Check Point computers in High Availability configuration and their states.
- Controls ISP links in ISP Redundancy configuration.
- Kills the specified Check Point processes.
- Shows a list of hosts protected by the Security Gateway.
- Shows the content of Check Point log files.
- Switches the current active log file.
- Shows a list of Security or Audit log files.
- Merges several input log files into a single log file.
- Runs FW Monitor to capture the traffic that passes through the Security Gateway.
- Rebuilds pointer files for Security or Audit log files.
- Manages the Suspicious Activity Monitoring (SAM) rules.
- Manages the Suspicious Activity Policy editor.
- Shows the contents of the Unified Policy kernel tables.
- Shows the currently installed policy.
- Shows and deletes the contents of the specified kernel tables.
- Executes the offline Unified Policy.
- Removes all policies from the Security Gateway or Cluster Member.
- Shows the Security Gateway major and minor version number and build number.


Syntax

fw [-d] [-i]
amw <options>
ctl <options>
defaultgen
fetch <options>
fetchlogs <options>
getifs
hastat <options>
isp_link <options>
kill <options>
lichosts <options>
log <options>
logswitch <options>
lslogs <options>
mergefiles <options>
repairlog <options>
sam <options>
sam_policy <options>
showuptables <options>
stat
tab <options>
unloadlocal
up_execute <options>
ver <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-i
    Specifies the CoreXL Firewall instance.
    See "fw -i" on page 1008.

amw <options>
    Fetches and unloads Threat Prevention policy.
    See "fw amw" on page 1009.


ctl
    Controls the Firewall module.
    See "fw ctl" on page 1012.

defaultgen
    Generates the Default Filter policy files.
    See "fw defaultgen" on page 1046.

fetch <options>
    Fetches the policy from the Management Server, peer Cluster Member, or local directory.
    See "fw fetch" on page 1048.

fetchlogs <options>
    Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files ($FWDIR/log/*.adtlog*) from the specified Check Point computer.
    See "fw fetchlogs" on page 1051.

getifs
    Shows the list with this information:
    - The name of interfaces, to which the Check Point Firewall kernel attached.
    - The IP addresses assigned to the interfaces.
    See "fw getifs" on page 1053.

hastat <options>
    Shows information about Check Point computers in High Availability configuration and their states.
    See "fw hastat" on page 1054.

isp_link <options>
    Controls ISP links in the ISP Redundancy configuration.
    See "fw isp_link" on page 1055.

kill <options>
    Kills the specified Check Point processes.
    See "fw kill" on page 1056.

lichosts <options>
    Shows a list of hosts protected by the Security Gateway.
    See "fw lichosts" on page 1057.

log <options>
    Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw log" on page 1058.

logswitch <options>
    Switches the current active log file - Security ($FWDIR/log/fw.log) or Audit ($FWDIR/log/fw.adtlog).
    See "fw logswitch" on page 1068.


lslogs <options>
    Shows a list of Security log files ($FWDIR/log/*.log*) or Audit log files ($FWDIR/log/*.adtlog*) residing on the local computer or a remote computer.
    See "fw lslogs" on page 1072.

mergefiles <options>
    Merges several input log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog) - into a single log file.
    See "fw mergefiles" on page 1075.

monitor <options>
    Runs FW Monitor to capture the traffic that passes through the Security Gateway.
    See "fw monitor" on page 1078.

repairlog <options>
    Rebuilds pointer files for Security log files ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog) log files.
    See "fw repairlog" on page 1112.

sam <options>
    Manages the Suspicious Activity Monitoring (SAM) rules.
    See "fw sam" on page 1113.

sam_policy <options>
    Manages the Suspicious Activity Policy editor.
    See "fw sam_policy" on page 1121.

showuptables <options>
    Shows the contents of the Unified Policy kernel tables.
    See "fw showuptables" on page 1148.

stat
    Shows the currently installed policy.
    See "fw stat" on page 1149.

tab <options>
    Shows and deletes the contents of the specified kernel tables.
    See "fw tab" on page 1152.

unloadlocal
    Uninstalls all policies from the Security Gateway or Cluster Member.
    See "fw unloadlocal" on page 1161.

up_execute <options>
    Executes the offline Unified Policy.
    See "fw up_execute" on page 1165.

ver <options>
    Shows the Security Gateway major and minor version number and build number.
    See "fw ver" on page 1168.


fw -i

Description
By default, the "fw" on page 1004 commands apply to the entire Security Gateway.
The fw commands show aggregated information for all CoreXL Firewall instances.
The fw -i commands apply to the specified CoreXL Firewall instance.

Syntax

fw -i <ID of CoreXL Firewall instance> <Command>

Parameters

Parameter Description

<ID of CoreXL Firewall instance>
    Specifies the ID of the CoreXL Firewall instance.
    To see the available IDs, run the "fw ctl multik stat" on page 1518 command.

<Command>
    Only these commands support the fw -i syntax:
    - fw -i <ID> conntab ...
    - fw -i <ID> ctl get ...
    - fw -i <ID> ctl leak ...
    - fw -i <ID> ctl pstat ...
    - fw -i <ID> ctl set ...
    - fw -i <ID> monitor ...
    - fw -i <ID> tab ...
    For details and additional parameters for any of these commands, refer to the corresponding entry for each command.

Example 1 - Show the Connections table for CoreXL Firewall instance #1

fw -i 1 tab -t connections

Example 2 - Show various internal statistics for CoreXL Firewall instance #1

fw -i 1 ctl pstat


fw amw

Description
Fetches and unloads Threat Prevention policy.
Threat Prevention policy applies to these Software Blades:
- Anti-Bot
- Anti-Spam
- Anti-Virus
- IPS
- Threat Emulation
- Threat Extraction

Syntax
- To fetch the Threat Prevention policy from the Management Server:

fw [-d] amw fetch -f [-i] [-n] [-r]

- To fetch the Threat Prevention policy from a peer Cluster Member, and, if it fails, then from the Management Server:

fw [-d] amw fetch -f -c [-i] [-n] [-r]

- To fetch the Threat Prevention policy from the specified Check Point computer(s):

fw [-d] amw fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]

- To fetch the Threat Prevention policy stored locally on the Security Gateway:

fw [-d] amw fetch local [-nu]
fw [-d] amw fetch localhost [-nu]

- To fetch the Threat Prevention policy stored locally on the Security Gateway in the specified directory:

fw [-d] amw fetchlocal [-lu] -d <Full Path to Directory>

- To unload the current Threat Prevention policy:

fw [-d] amw unload


Parameters

Parameter Description

fw -d amw ...
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

fw amw fetch
    Fetches the Threat Prevention policy from the specified Check Point computer(s).
    These can be a Management Server, or a peer Cluster Member.

fw amw fetch local
fw amw fetch localhost
    Fetches the Threat Prevention policy that is stored locally on the Security Gateway in the $FWDIR/state/local/AMW/ directory.

fw amw fetchlocal
    Fetches the Threat Prevention policy that is stored locally on the Security Gateway in the specified directory.

fw amw unload
    Unloads the current Threat Prevention policy from the Security Gateway.
    Important - This significantly decreases the security on the Security Gateway. This is the same as if you disable the Threat Prevention Software Blades on the Security Gateway.

-c
    Specifies that you fetch the policy from a peer Cluster Member.
    Notes:
    - Must also use the "-f" parameter.
    - Works only in cluster.

-f
    Specifies that you fetch the policy from a Management Server listed in the $FWDIR/conf/masters file.

-i
    On a Security Gateway with dynamically assigned IP address (DAIP), specifies to ignore the SIC name and object name.

-lu
    Specifies to perform a late update - to load signatures just after the Security Gateway copies the policy files to the local directory $FWDIR/state/local/AMW/.

-n
    Specifies not to load the fetched policy, if it is the same as the policy already located on the Security Gateway.

-nu
    Specifies not to update the currently installed policy.

R80.40 CLI Reference Guide | 1010


fw amw

Parameter Description

-r On a Cluster Member, specifies to ignore this option in SmartConsole


Install Policy window:
For gateway clusters, if installation on a cluster member fails, do not
install on that cluster
Best Practice - Use this parameter if a peer Cluster Member is
Down.

<Master 1> Specifies the Check Point computer(s), from which to fetch the Threat
[<Master 2> Prevention policy.
...] You can fetch the Threat Prevention policy from the Management
Server, or a peer Cluster Member.
Notes:
n If you fetch the Threat Prevention policy from the Management
Server, you can enter one of these:
l The main IP address of the Management Server object.

l The object name of the Management Server.

l The hostname that the Security Gateway resolves to the

main IP address of the Management Server.


n If you fetch the Threat Prevention policy from a peer Cluster
Member, you can enter one of these:
l The main IP address of the Cluster Member object.

l The IP address of the Sync interface on the Cluster

Member.
n If the fetch from the first specified <Master> fails, the Security
Gateway fetches the policy from the second specified
<Master> , and so on. If the Security Gateway fails to connect
to each specified <Masters>, the Security Gateway fetches
the policy from the localhost.
n If you do not specify the <Masters> explicitly, the Security
Gateway fetches the policy from the localhost.

-d <Full Specifies local directory on the Security Gateway, from which to fetch the
Path to Threat Prevention policy files.
Directory>

Example

[Expert@MyGW:0]# fw amw fetch local


Installing Threat Prevention policy from local
Fetching Threat Prevention policy succeeded
[Expert@MyGW:0]#

fw ctl

Description
Controls the Firewall kernel module.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax

fw [-d] ctl
      arp <options>
      bench <options>
      block <options>
      chain
      conn
      conntab <options>
      cpasstat <options>
      debug <options>
      dlpkstat <options>
      get <options>
      iflist
      install
      kdebug <options>
      leak <options>
      pstat <options>
      set <options>
      tcpstrstat <options>
      uninstall

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

arp <options>
    Shows the configured Proxy ARP entries based on the $FWDIR/conf/local.arp file on the Security Gateway.
    See "fw ctl arp" on page 1015.

bench <options>
    Runs the CPU benchmark tests that collect these statistics:
    - FireWall Lock Statistics
    - Outbound Packets Statistics
    - Inbound Packets Statistics
    See "fw ctl bench" on page 1016.

block <options>
    Blocks all connections to, from, and through the Security Gateway.
    See "fw ctl block" on page 1018.

chain
    Shows the list of Firewall Chain Modules.
    See "fw ctl chain" on page 1019.

conn
    Shows the list of Firewall Connection Modules.
    See "fw ctl conn" on page 1021.

conntab <options>
    Shows a formatted list of the current connections from the Connections kernel table (ID 8158).
    See "fw ctl conntab" on page 1023.

cpasstat <options>
    Generates a statistics report about Check Point Active Streaming (CPAS).
    See "fw ctl cpasstat" on page 1027.

debug <options>
    Generates kernel debug messages from the Check Point Firewall kernel to a debug buffer.
    See "'fw ctl debug' and 'fw ctl kdebug'" on page 1028.

dlpkstat <options>
    Generates a statistics report about the Data Loss Prevention kernel module.
    See "fw ctl dlpkstat" on page 1029.

get <options>
    Shows the value of the specified kernel parameter.
    See "fw ctl get" on page 1030.

iflist
    Shows the list with this information:
    - The names of the interfaces to which the Check Point Firewall kernel is attached.
    - The internal numbers of the interfaces in the Check Point Firewall kernel.
    See "fw ctl iflist" on page 1032.

install
    Tells the operating system to start passing packets to the Firewall.
    See "fw ctl install" on page 1033.

kdebug <options>
    Generates kernel debug messages from the Check Point Firewall kernel to a debug buffer.
    See "'fw ctl debug' and 'fw ctl kdebug'" on page 1028.

leak <options>
    Generates a leak detection report.
    See "fw ctl leak" on page 1034.

pstat <options>
    Shows various internal statistics of the Security Gateway.
    See "fw ctl pstat" on page 1037.

set <options>
    Configures the specified value for the specified kernel parameter.
    See "fw ctl set" on page 1040.

tcpstrstat <options>
    Generates a statistics report about TCP Streaming.
    See "fw ctl tcpstrstat" on page 1043.

uninstall
    Tells the operating system to stop passing packets to the Firewall, and unloads the current Security Policy.
    See "fw ctl uninstall" on page 1045.

fw ctl arp

Description
Shows the configured Proxy ARP entries based on the $FWDIR/conf/local.arp file on the
Security Gateway.
For more information about the Proxy ARP, see sk30197.

Syntax

fw [-d] ctl arp [-h] [-n]

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

-h
    Shows the built-in help.

-n
    Specifies not to resolve hostnames.

fw ctl bench

Description
The benchmark mechanism provides a way to measure the time spent in the code between two points.
This command runs the CPU benchmark tests that collect these statistics:
- FireWall Lock Statistics
- Outbound Packets Statistics
- Inbound Packets Statistics

Note - This command writes the output of these tests to the kernel ring buffer; read it with the dmesg command.

Syntax

fw [-d] ctl bench
      -h
      lock [{ioctl | packet} [<Limit>]] [stop]
      packet [{<Limit> | stop}]

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

-h
    Shows the built-in help.

lock [{ioctl | packet} [<Limit>]] [stop]
    Runs the lock benchmark that collects the FireWall Lock Statistics.
    Available options:
    - No parameters - Starts the lock benchmark.
    - ioctl - Calculates the IOCTL flow statistics.
    - packet - Calculates the packet flow statistics.
    - <Limit> - Specifies the time limit (in seconds) for the benchmark to run. Default is 10 seconds. Maximum is 200 seconds.
    - stop - Stops the current lock benchmark.

packet [{<Limit> | stop}]
    Runs the packet benchmark test that collects these statistics:
    - Outbound Packets Statistics
    - Inbound Packets Statistics
    Available options:
    - No parameters - Starts the packet benchmark.
    - <Limit> - Specifies the time limit (in seconds) for the benchmark to run. Default is 10 seconds. Maximum is 200 seconds.
    - stop - Stops the current packet benchmark.

fw ctl block

Description
Blocks all connections to, from, and through the Security Gateway.

Important - The "fw ctl block on" command immediately blocks all connections, without a prompt and regardless of the currently installed policy. This includes your own SSH and SmartConsole connections to the Security Gateway, so make sure you have console or Lights Out Management access before you run it over the network. To unblock the connections, you must either reboot the Security Gateway, or connect to the Security Gateway over a serial console (or Lights Out Management card) and run the "fw ctl block off" command.

Syntax

fw [-d] ctl block {off | on}

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

off
    Removes the block of all connections.

on
    Blocks all connections.

fw ctl chain

Description
Shows the list of Firewall Chain Modules.
This list shows various inspection Chain Modules, through which the traffic passes on this
Security Gateway.
The available Chain Modules depend on the configuration and enabled Software Blades.

Important - In a Cluster, the output of this command must be the same on all the Cluster Members.

Syntax

fw [-d] ctl chain

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl chain


in chain (23):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -7d000000 (ffffffff8a96ee80) (00000003) vpn multik forward in
4: - 2000000 (ffffffff8a97d830) (00000003) vpn decrypt (vpn)
5: - 1fffffa (ffffffff8a9533a0) (00000001) l2tp inbound (l2tp)
6: - 1fffff8 (ffffffff8b67f0e0) (00000001) Stateless verifications (in) (asm)
7: - 1fffff7 (ffffffff8b67ec00) (00000001) fw multik misc proto forwarding
8: - 1fffff2 (ffffffff8a982aa0) (00000003) vpn tagging inbound (tagging)
9: - 1fffff0 (ffffffff8a983460) (00000003) vpn decrypt verify (vpn_ver)
10: 0 (ffffffff8b85a950) (00000001) fw VM inbound (fw)
11: 1 (ffffffff8a97ed70) (00000003) vpn policy inbound (vpn_pol)
12: 2 (ffffffff8b681700) (00000001) fw SCV inbound (scv)
13: 3 (ffffffff8a982130) (00000003) vpn before offload (vpn_in)
14: 4 (ffffffff8b0fa5c0) (00000003) QoS inbound offload chain module
15: 5 (ffffffff8b574730) (00000003) fw offload inbound (offload_in)
16: 10 (ffffffff8b84c9c0) (00000001) fw post VM inbound (post_vm)
17: 100000 (ffffffff8b807970) (00000001) fw accounting inbound (acct)
18: 22000000 (ffffffff8b0fbfc0) (00000003) QoS slowpath inbound chain mod (fg_sched)
19: 7f730000 (ffffffff8b3d3aa0) (00000001) passive streaming (in) (pass_str)
20: 7f750000 (ffffffff8b17dff0) (00000001) TCP streaming (in) (cpas)
21: 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (in) (ipopt_res)
22: 7fb00000 (ffffffff8a9fe8a0) (00000001) Cluster Late Correction (ha_for)
out chain (19):
0: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (ffffffff8a96ee60) (00000003) vpn multik forward out
2: - 1ffffff (ffffffff8a97fb70) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (ffffffff8b168640) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (ffffffff8b3d3aa0) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (ffffffff8a982aa0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (ffffffff8b67f0e0) (00000001) Stateless verifications (out) (asm)
7: 0 (ffffffff8b85a950) (00000001) fw VM outbound (fw)
8: 10 (ffffffff8b84c9c0) (00000001) fw post VM outbound (post_vm)
9: 2000000 (ffffffff8a982900) (00000003) vpn policy outbound (vpn_pol)
10: 15000000 (ffffffff8b0fac30) (00000003) QoS outbound offload chain modul (fg_pol)
11: 1ffffff0 (ffffffff8a951790) (00000001) l2tp outbound (l2tp)
12: 20000000 (ffffffff8a978280) (00000003) vpn encrypt (vpn)
13: 21000000 (ffffffff8b0fbfc0) (00000003) QoS slowpath outbound chain mod (fg_sched)
14: 7f000000 (ffffffff8b807970) (00000001) fw accounting outbound (acct)
15: 7f700000 (ffffffff8b17cb10) (00000001) TCP streaming post VM (cpas)
16: 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (out) (ipopt_res)
17: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
18: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
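The Important note above requires the chain to match on every Cluster Member, but the kernel addresses in the second column change on each boot, so a raw diff of two captures is always noisy. The following POSIX shell script is an added example and not part of this guide: it normalizes two saved "fw ctl chain" captures (index, position, flags and module name only) and compares them. The capture file names and the abbreviated sample chains it writes for an offline run are constructed; the same approach applies to "fw ctl conn" output with a different field layout.

```sh
#!/bin/sh
# Added example (not from the Check Point guide): compare "fw ctl chain" captures
# from two Cluster Members, ignoring the per-boot kernel addresses.
# Capture on each member with:  fw ctl chain > /tmp/chain_$(hostname).txt

# normalize_chain: read "fw ctl chain" output on stdin and print one line per
# entry as:  <in|out> <index> <position> <flags> <module name>
normalize_chain() {
    awk '
        /^(in|out) chain/ { dir = $1; next }
        /^ *[0-9]+:/ {
            n = 1
            idx = $n; n++
            pos = $n; n++
            if (pos == "-") { pos = "-" $n; n++ }   # "- 2000000" is split at the sign
            n++                                     # skip the per-boot kernel address
            flags = $n; n++
            name = $n
            for (i = n + 1; i <= NF; i++) name = name " " $i
            print dir, idx, pos, flags, name
        }'
}

# chain_diff FILE_A FILE_B: print "same" when the normalized chains match;
# otherwise print "differ" followed by the diff, and return 1.
chain_diff() {
    tmp=$(mktemp -d)
    normalize_chain < "$1" > "$tmp/a"
    normalize_chain < "$2" > "$tmp/b"
    if cmp -s "$tmp/a" "$tmp/b"; then
        rm -rf "$tmp"; echo same; return 0
    fi
    echo differ
    diff "$tmp/a" "$tmp/b" || :
    rm -rf "$tmp"
    return 1
}

# write_sample_chains DIR: constructed, abbreviated captures for an offline run.
# a and b are the same chain with different addresses (a healthy cluster);
# c lacks the "vpn decrypt" module, as when a blade is enabled on one member only.
write_sample_chains() {
    cat > "$1/a.txt" <<'EOF'
in chain (3):
        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
        4: - 2000000 (ffffffff8a97d830) (00000003) vpn decrypt (vpn)
       10:         0 (ffffffff8b85a950) (00000001) fw VM inbound (fw)
out chain (2):
        0: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
        7:         0 (ffffffff8b85a950) (00000001) fw VM outbound (fw)
EOF
    sed 's/(ffffffff8[0-9a-f]*)/(ffffffffc0123456)/' "$1/a.txt" > "$1/b.txt"
    grep -v 'vpn decrypt' "$1/a.txt" > "$1/c.txt"
}
```

On a real cluster, copy the capture from the peer member and run chain_diff against the local capture; a non-empty diff usually points at a Software Blade, feature or hotfix that is enabled on one member only.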

fw ctl conn

Description
Shows the list of Firewall Connection Modules.
This list shows various inspection Connection Modules, through which the traffic passes on
this Security Gateway.
The available Connection Modules depend on the configuration and enabled Software Blades.

Important - In a Cluster, the output of this command must be the same on all the Cluster Members.

Syntax

fw [-d] ctl conn

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl conn
Registered connections modules:
No.  Name            Newconn           Packet            End               Reload            Dup Type  Dup Handler
Connectivity level 0:
 1:  Accounting      0000000000000000  0000000000000000  FFFFFFFF8B8395A0  0000000000000000  Special   FFFFFFFF8B831720
 2:  Authentication  FFFFFFFF8B3150A0  0000000000000000  0000000000000000  0000000000000000  Special   FFFFFFFF8B34FCC0
 8:  NAT             0000000000000000  0000000000000000  FFFFFFFF8B6D1AF0  0000000000000000  Special   FFFFFFFF8B6B8410
 9:  RTM             0000000000000000  0000000000000000  0000000000000000  0000000000000000  None
10:  RTM2            0000000000000000  0000000000000000  FFFFFFFF8B014970  0000000000000000  None
11:  SPII            FFFFFFFF8B412060  0000000000000000  FFFFFFFF8B41AF40  FFFFFFFF8B4016A0  None
13:  VPN             FFFFFFFF8A965440  0000000000000000  FFFFFFFF8AA4CC40  0000000000000000  Special   FFFFFFFF8AA60490
Connectivity level 1:
13:  VPN             0000000000000000  0000000000000000  0000000000000000  0000000000000000  None
[Expert@MyGW:0]#

fw ctl conntab

Description
Shows a formatted list of the current connections from the Connections kernel table (ID 8158).

Best Practices:
- Use the "fw ctl conntab" command to see simplified information about the current connections.
- Use the "fw tab -t connections -f" command ("fw tab" on page 1152) to see the detailed (and more technical) information about the current connections.

Syntax

Important - You can specify several of these filter parameters at the same time; a connection must match all of them.

fw [-d] ctl conntab
      {-h | -help}
      -sip=<Source IP Address in Decimal Format>
      -sport=<Port Number in Decimal Format>
      -dip=<Destination IP Address in Decimal Format>
      -dport=<Port Number in Decimal Format>
      -proto=<Protocol Name>
      -service=<Name of Service>
      -rule=<Rule Number in Decimal Format>

Parameters

{-h | -help}
    Shows the built-in usage.

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

-sip=<Source IP Address in Decimal Format>
    Filters the output by the specified Source IP address.

-sport=<Port Number in Decimal Format>
    Filters the output by the specified Source Port number.
    See the IANA Service Name and Port Number Registry.

-dip=<Destination IP Address in Decimal Format>
    Filters the output by the specified Destination IP address.

-dport=<Port Number in Decimal Format>
    Filters the output by the specified Destination Port number.
    See the IANA Service Name and Port Number Registry.

-proto=<Protocol Name>
    Filters the output by the specified Protocol name. For example: TCP, UDP, ICMP.
    See the IANA Protocol Numbers registry.

-service=<Name of Service>
    Filters the output by the specified Service name. See the names of Services in SmartConsole, or in the output of this command.

-rule=<Rule Number in Decimal Format>
    Filters the output by the specified rule number. See your Rule Base in SmartConsole, or the output of this command.

Examples
Example 1 - Default output
[Expert@MyGW:0]# fw ctl conntab
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3593/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,59249], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,37892], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 2 - Filter by a destination port


[Expert@MyGW:0]# fw ctl conntab -dport=22
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3594/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 3 - Filter by a destination port


[Expert@MyGW:0]# fw ctl conntab -dport=53
<(outbound, src=[192.168.204.40,33585], dest=[192.168.204.1,53], UDP); 39/40, rule=0, service=domain-udp(335), Ifnsout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,56661], dest=[192.168.204.1,53], UDP); 39/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 4 - Filter by a source port


[Expert@MyGW:0]# fw ctl conntab -sport=54201
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3600/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 5 - Filter by a protocol


[Expert@MyGW:0]# fw ctl conntab -proto=UDP
<(outbound, src=[192.168.204.40,44966], dest=[192.168.204.1,53], UDP); 37/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 6 - Filter by a protocol


[Expert@MyGW:0]# fw ctl conntab -proto=TCP
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3596/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 7 - Filter by a service


[Expert@MyGW:0]# fw ctl conntab -service=domain-udp
<(outbound, src=[192.168.204.40,44966], dest=[192.168.204.1,53], UDP); 35/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 8 - Filter by a rule number


[Expert@MyGW:0]# fw ctl conntab -rule=2
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3597/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

Example 9 - Filter by a destination IP address, destination port, protocol, and service


[Expert@MyGW:0]# fw ctl conntab -dip=192.168.204.40 -dport=22 -proto=TCP -service=ssh
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3599/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#
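The built-in filters above answer one question per run. For triage you often want the records in a fixed-column form that standard tools can count and group, for example "which sources currently hold SSH sessions to the gateway" or "how many connections does each rule account for". The following POSIX shell functions are an added example, not part of this guide: they parse the record format shown in Examples 1 to 9 with sed, then count and filter it with awk. The sample records are constructed from the guide's output plus one extra SSH session from a made-up source address (10.0.0.5).

```sh
#!/bin/sh
# Added example (not from the Check Point guide): parse "fw ctl conntab" output
# into fixed columns so it can be filtered and counted with standard tools.
# Usage on a gateway:  fw ctl conntab | conntab_inbound_to 22

# parse_conntab: read conntab records on stdin, print one line per record as
#   <direction> <proto> <src ip> <src port> <dst ip> <dst port> <expires> <rule> <service>
parse_conntab() {
    sed -n 's/^<(\([a-z]*\), src=\[\([^,]*\),\([0-9]*\)], dest=\[\([^,]*\),\([0-9]*\)], \([A-Z]*\)); \([0-9]*\/[0-9]*\), rule=\([0-9]*\),.*service=\([^(]*\)(.*$/\1 \6 \2 \3 \4 \5 \7 \8 \9/p'
}

# conntab_by_service: count records per service and rule number, busiest first.
conntab_by_service() {
    parse_conntab | awk '{ c[$9 " rule=" $8]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# conntab_inbound_to PORT: unique source IPs with an inbound connection to PORT.
conntab_inbound_to() {
    parse_conntab | awk -v p="$1" '$1 == "inbound" && $6 == p { print $3 }' | sort -u
}

# sample_conntab: constructed records in the format shown in the examples
# (the guide's three records plus one extra SSH session from a made-up address).
sample_conntab() {
    cat <<'EOF'
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3593/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,59249], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsout=1, conn modules: Authentication, FG-1>
<(outbound, src=[192.168.204.40,37892], dest=[192.168.204.1,53], UDP); 20/40, rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1>
<(inbound, src=[10.0.0.5,40022], dest=[192.168.204.40,22], TCP); 3600/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
EOF
}
```

The sed expression keeps only the fields common to every record (the tcp state field is skipped because UDP records do not carry it), so the same parser works for both examples above. Records that do not match the expected shape are silently dropped; compare `wc -l` of the raw and parsed output if you suspect a format change.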

Example 10 - Formatted detailed output from the Connections table (for comparison)
[Expert@MyGW:0]# fw tab -t connections -f
Formatting table's data - this might take a while...

localhost:
Date: Sep 10, 2018
11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 54201; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: -1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 54201; Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 54201; Dest_1: 192.168.204.1; DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 54201; Protocol: tcp; CPTFMT_sep_1: ->; Direction_2: 0; Source_2: 192.168.204.1; SPort_2: 54201; Dest_2: 192.168.204.40; DPort_2: 22; Protocol_2: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 54201; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires: 3596/3600; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 44966; Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 44966; Dest_1: 192.168.204.1; DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 44966; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

[Expert@MyGW:0]#

fw ctl cpasstat

Description
Generates statistics report about Check Point Active Streaming (CPAS).

Syntax

fw [-d] ctl cpasstat [-r]

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

-r
    Resets the counters.

'fw ctl debug' and 'fw ctl kdebug'

Description
These commands generate kernel debug messages from Check Point Firewall kernel to a
debug buffer.
For more information, see the R80.40 Quantum Security Gateway Guide - Chapter Kernel
Debug on Security Gateway.

fw ctl dlpkstat

Description
Generates a statistics report about Data Loss Prevention, inspected HTTP requests, and the Identity Awareness Captive Portal.
This report contains these statistics:

Category                                      Information
DLP Kernel Statistics Information             Emails and HTTP requests
User Mode Responses Statistics                Emails and HTTP requests
Identity Awareness - Captive Portal           HTTP requests redirected to the Captive Portal
Identity Awareness - Fetch Users Statistics   Synchronous and asynchronous Identity Awareness queries

Best Practice - This report is very useful when you:
- Debug problems with the HTTP protocol that occur under traffic stress.
- Examine the traffic shape (for example, to know how many HTTP "POST" and HTTP "GET" requests pass through the Security Gateway).

Syntax

fw [-d] ctl dlpkstat [-r]

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

-r
    Resets the counters.

fw ctl get

Description
Shows the current value of the specified kernel parameter.

Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- On a VSX Gateway, the configured values of kernel parameters apply to all existing Virtual Systems and Virtual Routers.

Notes:
- Kernel parameters let you change the advanced behavior of your Security Gateway.
- There are two types of kernel parameters - integer and string.
- The Security Gateway gets the names and the default values of the kernel parameters from these kernel module files:
  - $FWDIR/boot/modules/fw_kern_64.o
  - $FWDIR/boot/modules/fw_kern_64_v6.o
  - $FWDIR/boot/modules/fw_kern_64_3_10_64.o
  - $FWDIR/boot/modules/fw_kern_64_3_10_64_v6.o
  - $PPKDIR/boot/modules/sim_kern_64.o
  - $PPKDIR/boot/modules/sim_kern_64_v6.o
  - $PPKDIR/boot/modules/sim_kern_64_3_10_64.o
  - $PPKDIR/boot/modules/sim_kern_64_3_10_64_v6.o
- Refer to the related command "fw ctl set" on page 1040.
- Refer to the related article sk33156: Creating a file with all the kernel parameters and their values.

Syntax

fw [-d] ctl get
      int <Name of Integer Kernel Parameter> [-a]
      str <Name of String Kernel Parameter> [-a]

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

<Name of Integer Kernel Parameter>
    Specifies the name of the integer kernel parameter.

<Name of String Kernel Parameter>
    Specifies the name of the string kernel parameter.

-a
    Specifies to search for this kernel parameter in this order:
    1. In $FWDIR/boot/modules/fw_*.o
    2. In $PPKDIR/boot/modules/sim_*.o

Example for an integer kernel parameter

[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit -a


FW:
fw_kdprintf_limit = 100
PPAK 0: fw_kdprintf_limit = 10
[Expert@MyGW:0]#

Example for a string kernel parameter

[Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset -a


FW:
fileapp_default_encoding_charset = 'UTF-8'
PPAK 0: Get failed.
[Expert@MyGW:0]#
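Because all Cluster Members must be configured the same way, it is worth checking the live value of every kernel parameter you have changed against a baseline on each member. The following POSIX shell script is an added example and not part of this guide. It reads the "<name> = <value>" line that "fw ctl get" prints under "FW:" (the "PPAK n:" line for the SecureXL module is ignored) and compares it with a baseline file. The FW_CTL_GET variable and the baseline file format are assumptions introduced here so the check can be exercised without a gateway; the baseline values used in the sample are hypothetical, not Check Point defaults.

```sh
#!/bin/sh
# Added example (not from the Check Point guide): compare live kernel parameter
# values with a baseline file. FW_CTL_GET names the command that reads a value
# (default: the real "fw ctl get"); override it with a stub to test offline.
FW_CTL_GET=${FW_CTL_GET:-"fw ctl get"}

# fw_value_from_output NAME: read "fw ctl get" output on stdin and print the value
# from the "<name> = <value>" line under "FW:". The "PPAK n:" line does not start
# with the parameter name and is therefore skipped. Quotes around string values
# are removed.
fw_value_from_output() {
    sed -n "s/^[[:space:]]*$1 = //p" | head -n 1 | tr -d "'"
}

# check_kparams BASELINE_FILE: each baseline line is "<int|str> <name> <expected>".
# Prints one "OK" or "DRIFT" line per parameter; returns 1 if anything drifted.
check_kparams() {
    rc=0
    while read -r type name expected; do
        [ -z "$type" ] && continue                      # skip blank lines
        actual=$($FW_CTL_GET "$type" "$name" 2>/dev/null | fw_value_from_output "$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK $name=$actual"
        else
            echo "DRIFT $name expected=$expected actual=${actual:-<not found>}"
            rc=1
        fi
    done < "$1"
    return $rc
}

# write_sample_baseline FILE: constructed baseline for the two parameters shown
# in the examples above; 200 is deliberately different from the gateway's 100.
write_sample_baseline() {
    printf 'int fw_kdprintf_limit 200\nstr fileapp_default_encoding_charset UTF-8\n' > "$1"
}
```

On a gateway, keep the baseline file with the rest of the cluster's configuration and run check_kparams on every member; a DRIFT line on one member only is exactly the asymmetry the Important note above warns about.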

fw ctl iflist

Description
Shows the list with this information:
- The names of the interfaces to which the Check Point Firewall kernel is attached.
- The internal numbers of the interfaces in the Check Point Firewall kernel.

Notes:
- This list shows all detected interfaces, even if no IP addresses are assigned to them.
- Use this list when you analyze a kernel debug, which shows only the internal numbers of the interfaces (for example, ifn=2).
- Related "cpstat" on page 958 commands:
  - cpstat -f ifconfig os
  - cpstat -f interfaces fw

Syntax

fw [-d] ctl iflist

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl iflist


fw ctl iflist
1 : eth0
2 : eth1
3 : eth2
4 : eth3
5 : eth4
6 : eth5
7 : eth6
8 : eth7
[Expert@MyGW:0]#

fw ctl install

Description
Tells the operating system to start passing packets to the Firewall.
This command runs automatically as part of the "cpstart" on page 957 command, whether cpstart runs at startup of the Security Gateway or is run by an administrator.

Warning - If you run the "fw ctl uninstall" on page 1045 command and then the "fw
ctl install" command, it does not restore the Security Policy.
You must run one of these commands: "fw fetch" on page 1048, or "cpstart" on
page 957.

Syntax

fw [-d] ctl install

Parameters

-d
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

fw ctl leak

Description
Generates a leak detection report. This report is for Check Point use only.

Important - This command saves the report in the active /var/log/messages file and in the dmesg buffer.

Syntax

fw [-d] ctl leak
      {-h | -help}
      [{-a | -A}] [-t <Internal Object Type>] [-o <Internal Object ID>]
            [-d] [-l] [-p]
            [-s]

Parameters

fw -d ctl leak ...
    Runs the command in debug mode. Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in help.

-a
    Specifies to perform leak detection for potential leaks.
    This parameter is mutually exclusive with the parameter "-A".

-A
    Specifies to perform leak detection for all leaks.
    This parameter is mutually exclusive with the parameter "-a".

-d
    Dumps object data.
    This parameter is mutually exclusive with the parameter "-s".

-l
    Prints the action log.
    This parameter is mutually exclusive with the parameter "-s".

-o <Internal Object ID>
    Specifies to perform leak detection for the specified internal object ID.

-p
    Purges the internal objects from the lists.
    This parameter is mutually exclusive with the parameter "-s".

-s
    Shows a summary only.
    This parameter is mutually exclusive with the parameters "-d", "-l", and "-p".

-t <Internal Object Type>
    Specifies the internal object type for which to perform leak detection.
    Available internal object types are:
    - chain
    - connh
    - cookie
    - kbuf
    - num
    If you do not specify the internal object type explicitly, the command performs leak detection for all internal object types.

Procedure

1. Connect to the command line on the Security Gateway.
2. Log in to the Expert mode.
3. Back up the current /var/log/messages file:
   [Expert@GW_HostName:0]# cp -v /var/log/messages{,_BKP}
4. Delete the information from the current /var/log/messages file:
   [Expert@GW_HostName:0]# echo '' > /var/log/messages
5. Delete the information from the current dmesg buffer:
   [Expert@GW_HostName:0]# dmesg -c
6. Generate the leak detection report (see the Syntax section above):
   [Expert@GW_HostName:0]# fw [-d] ctl leak <options>
7. Make sure the command generated the leak detection report:
   [Expert@GW_HostName:0]# dmesg
   [Expert@GW_HostName:0]# cat /var/log/messages
8. Collect the leak detection report:
   [Expert@GW_HostName:0]# cp -v /var/log/messages{,_LEAK_DETECTION}
9. Analyze the leak detection report:
   /var/log/messages_LEAK_DETECTION

Example

[Expert@MyGW:0]# cp -v /var/log/messages{,_BKP}
`/var/log/messages' -> `/var/log/messages_BKP'
[Expert@MyGW:0]#
[Expert@MyGW:0]# echo '' > /var/log/messages
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg -c
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl leak -s
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg
[fw4_0];fwleak_report: type chain - 0 objects
[fw4_0];fwleak_report: type cookie - 0 objects
[fw4_0];fwleak_report: type kbuf - 0 objects
[fw4_0];fwleak_report: type connh - 0 objects
[fw4_1];fwleak_report: type chain - 0 objects
[fw4_1];fwleak_report: type cookie - 0 objects
[fw4_1];fwleak_report: type kbuf - 0 objects
[fw4_1];fwleak_report: type connh - 0 objects
[fw4_2];fwleak_report: type chain - 0 objects
[fw4_2];fwleak_report: type cookie - 0 objects
[fw4_2];fwleak_report: type kbuf - 0 objects
[fw4_2];fwleak_report: type connh - 0 objects
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /var/log/messages
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type connh - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type connh - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_2];fwleak_report: type connh - 0 objects
[Expert@MyGW:0]
[Expert@MyGW:0]# cp -v /var/log/messages{,_LEAK_DETECTION}
`/var/log/messages' -> `/var/log/messages_LEAK_DETECTION'
[Expert@MyGW:0]#
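The procedure and example above run each step by hand. As an added example that is not part of the guide, the script below wraps steps 3 to 8 in one function and adds a summarizer for step 9 that reads the collected copy of /var/log/messages and flags any object type with a non-zero count. The function names and the sample report lines are this example's own; the sample's kbuf line for instance fw4_1 is constructed to show what a detected leak looks like.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide: wraps the nine-step
# "fw ctl leak" procedure and summarizes the fwleak_report lines the command
# writes to the kernel log. Function names and the sample report are this
# example's own choices.

# Steps 3-8 of the procedure. Run this in Expert mode on the Security Gateway;
# it cannot run anywhere else because it calls "fw ctl leak".
# $1: options for "fw ctl leak", for example "-s" or "-t kbuf" (default "-s").
collect_leak_report() {
    local opts="${1:--s}"
    cp -v /var/log/messages{,_BKP}                # step 3: back up messages
    echo '' > /var/log/messages                   # step 4: empty messages
    dmesg -c > /dev/null                          # step 5: clear the dmesg buffer
    fw ctl leak $opts                             # step 6: generate the report
    dmesg | grep -q fwleak_report || echo "no fwleak_report lines found" >&2  # step 7
    cp -v /var/log/messages{,_LEAK_DETECTION}     # step 8: collect the report
}

# Constructed sample of a collected report (step 8 output) written to file $1.
# The kbuf line for instance fw4_1 is made non-zero to show a detected leak;
# a healthy gateway reports 0 objects for every type, as in the guide's example.
write_sample_leak_report() {
    cat > "$1" <<'EOF'
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_0];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2019 MyGW kernel: [fw4_1];fwleak_report: type kbuf - 3 objects
EOF
}

# Step 9: print "<instance> <type> <count>" for every fwleak_report line in
# file $1. Works on both the dmesg form and the /var/log/messages form,
# because it keys on the "type <name> - <count> objects" tail of the line.
summarize_leak_report() {
    awk '
        /fwleak_report: type/ {
            match($0, /\[fw4_[0-9]+\]/)                 # e.g. [fw4_1]
            inst = substr($0, RSTART + 1, RLENGTH - 2)
            for (i = 1; i <= NF; i++) if ($i == "type") { t = $(i + 1); n = $(i + 3) }
            printf "%s %s %s\n", inst, t, n
        }' "$1"
}

# Return 0 when at least one type reports a non-zero object count, else 1.
leak_report_has_leaks() {
    summarize_leak_report "$1" | awk '$3 != 0 { found = 1 } END { exit found ? 0 : 1 }'
}
```

On the gateway, run collect_leak_report -s and then leak_report_has_leaks /var/log/messages_LEAK_DETECTION; a zero exit status means at least one object type was reported with a non-zero count and the report should be kept for analysis.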

fw ctl pstat

Description
Shows various internal statistics of the Security Gateway:
n System Capacity Summary
n Hash kernel memory (hmem) statistics
n System kernel memory (smem) statistics
n Kernel memory (kmem) statistics
n Cookies
n Connections
n Fragments
n NAT
n Handles

Syntax

Important - You can specify many parameters at the same time.

fw [-d] ctl pstat [-c] [-h] [-k] [-l] [-m] [-o] [-s] [-v {4 | 6}]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

-c Shows detailed CoreXL Dispatcher statistics:


n fwmultik_global_stats splits for each CoreXL Firewall
instance.
n fwmultik_gconn_stats for each CPU.
n fwmultik_stats for each CPU.

-h Shows additional Hash kernel memory (hmem) statistics.

-k Shows additional Kernel memory (kmem) statistics.

-l Shows Handles statistics.

-m Shows general CoreXL Dispatcher statistics.

-o Shows additional Cookies statistics.

-s Shows additional System kernel memory (smem) statistics.

-v {4 | 6} Shows statistics for IPv4 (-v 4) traffic only, or for IPv6 (-v 6) traffic only.
Default is to show statistics for both IPv4 and IPv6 traffic.

Examples
Example 1 - fw ctl pstat
[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:


Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:


Total memory allocated: 742391808 bytes in 181248 (4096 bytes) blocks using 1 pool
Total memory bytes used: 0 unused: 742391808 (100.00%) peak: 68247020
Total memory blocks used: 0 unused: 181248 (100%) peak: 17227
Allocations: 2193027 alloc, 0 failed alloc, 2154121 free

System kernel memory (smem) statistics:


Total memory bytes used: 913975068 peak: 1165010872
Total memory bytes wasted: 7883999
Blocking memory bytes used: 4896272 peak: 6916084
Non-Blocking memory bytes used: 909078796 peak: 1158094788
Allocations: 13217 alloc, 0 failed alloc, 10027 free, 0 failed free
vmalloc bytes used: 908585924 expensive: no

Kernel memory (kmem) statistics:


Total memory bytes used: 185761552 peak: 486615148
Allocations: 2204456 alloc, 0 failed alloc
2162587 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]#
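Because fw ctl pstat is usually run while troubleshooting capacity, an added example that is not part of the guide shows how to turn its output into a pass/fail check: it reads the Memory used percentage from the System Capacity Summary and sums the failed alloc counters of the hmem, smem and kmem sections. The function names, the 80% threshold and the sample report are this example's own choices; the sample is modelled on Example 1 above with one failed allocation added to the smem line.

```shell
#!/bin/bash
# Added example, not part of the Check Point guide: a health check over saved
# "fw ctl pstat" output. Function names and the threshold are this example's own.

# Constructed sample report written to file $1, modelled on the guide's
# Example 1 with "2 failed alloc" inserted in the smem section.
write_sample_pstat() {
    cat > "$1" <<'EOF'
System Capacity Summary:
Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:
Total memory allocated: 742391808 bytes in 181248 (4096 bytes) blocks using 1 pool
Allocations: 2193027 alloc, 0 failed alloc, 2154121 free

System kernel memory (smem) statistics:
Total memory bytes used: 913975068 peak: 1165010872
Allocations: 13217 alloc, 2 failed alloc, 10027 free, 0 failed free

Kernel memory (kmem) statistics:
Total memory bytes used: 185761552 peak: 486615148
Allocations: 2204456 alloc, 0 failed alloc
2162587 free, 0 failed free
EOF
}

# Print the integer "Memory used" percentage from the System Capacity Summary.
# The real output indents its lines, so the match is not anchored at column 1.
pstat_memory_percent() {
    awk '/Memory used:/ { for (i = 1; i <= NF; i++) if ($i ~ /%$/) { sub(/%/, "", $i); print $i; exit } }' "$1"
}

# Print the sum of every "<n> failed alloc" counter in the report.
# "failed free" counters are deliberately not included.
pstat_failed_allocs() {
    awk '
        /failed alloc/ {
            for (i = 2; i <= NF; i++)
                if ($i == "failed" && $(i + 1) ~ /^alloc/) total += $(i - 1)
        }
        END { print total + 0 }' "$1"
}

# Return 0 when the report in file $1 looks healthy: memory below $2 percent
# (default 80) and no failed allocations. Prints a one-line verdict either way.
pstat_check() {
    local report="$1" limit="${2:-80}"
    local pct failed
    pct=$(pstat_memory_percent "$report")
    failed=$(pstat_failed_allocs "$report")
    if [ "${pct:-0}" -ge "$limit" ] || [ "$failed" -ne 0 ]; then
        echo "WARN: memory ${pct}% (limit ${limit}%), failed allocations: ${failed}"
        return 1
    fi
    echo "OK: memory ${pct}% (limit ${limit}%), no failed allocations"
}
```

On a gateway, save the output first, for example fw ctl pstat > /tmp/pstat.txt (a hypothetical path), then run pstat_check /tmp/pstat.txt; a non-zero exit status means memory is at or above the limit or a kernel allocation has failed, both of which are worth correlating with the watermark line and the connection counters before the next policy installation.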

fw ctl set

Description
Configures the specified value for the specified kernel parameter.

Important:
n In a Cluster, you must configure all the Cluster Members in the same way.
n In VSX Gateway, the configured values of kernel parameters apply to all
existing Virtual Systems and Virtual Routers.
n The configuration made with this command without the "-f" flag does not
survive reboot.
To make this configuration permanent, you must edit one of the applicable
configuration files:
l $FWDIR/boot/modules/fwkern.conf

l $FWDIR/boot/modules/vpnkern.conf

l $PPKDIR/conf/simkern.conf

n For complete procedures, see "Working with Kernel Parameters on Security
Gateway" on page 1861.

Notes:
n Kernel parameters control the advanced behavior of your Security Gateway.
n There are two types of kernel parameters - integer and string.
n Security Gateway gets the names and the default values of the kernel
parameters from these kernel module files:
l $FWDIR/boot/modules/fw_kern_64_3_10_64.o

l $FWDIR/boot/modules/fw_kern_64_3_10_64_v6.o

l $FWDIR/boot/modules/fw_kern_64_3_10_64_sp.o

l $FWDIR/boot/modules/fw_kern_64_3_10_64_sp_v6.o

l $PPKDIR/boot/modules/adp_kern_64_3_10_64.o

l $PPKDIR/boot/modules/sim_kern_64_3_10_64.o

l $PPKDIR/boot/modules/sim_kern_64_3_10_64_v6.o

n Refer to the related command "fw ctl get" on page 1030.


n Refer to the related article sk33156: Creating a file with all the kernel
parameters and their values

Syntax

fw [-d] ctl set [-f]


int <Name of Integer Kernel Parameter> <Integer Value>
str <Name of String Kernel Parameter> '<String Value>'

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect
the output to a file, or use the script command to save
the entire CLI session.

-f Automatically makes the required changes in the
corresponding configuration file to survive reboot:
n $FWDIR/boot/modules/fwkern.conf
n $FWDIR/boot/modules/vpnkern.conf
n $PPKDIR/conf/simkern.conf

<Name of Integer Kernel Parameter> Specifies the name of the integer kernel parameter.

<Integer Value> Specifies the integer value for the integer kernel parameter.

<Name of String Kernel Parameter> Specifies the name of the string kernel parameter.

'<String Value>' Specifies the string value for the string kernel parameter.

Example for an integer kernel parameter (does not survive reboot)


[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 100
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set int fw_kdprintf_limit 50
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 50
[Expert@MyGW:0]#

Example for an integer kernel parameter (survives reboot)


[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 100
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set -f int fw_kdprintf_limit 50
"fwkern.conf" was updated successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 50
[Expert@MyGW:0]#

Example for a string kernel parameter


[Expert@MyGW:0]# fw ctl set str icap_unwrap_append_header_str '__print__'
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str
icap_unwrap_append_header_str = '__print__'
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set str icap_unwrap_append_header_str ''
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str
icap_unwrap_append_header_str = ''
[Expert@MyGW:0]#

fw ctl tcpstrstat

Description
Generates a statistics report about TCP Streaming.

Syntax

fw [-d] ctl tcpstrstat


[-p]
[-r]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter,
then redirect the output to a file, or use the
script command to save the entire CLI
session.

-p Shows verbose statistics.

-r Resets the counters.

Example 1 - Default output

[Expert@MyGW:0]# fw ctl tcpstrstat

General Counters:
=================
Connections:
Concurrent num of connections ............. 0
Concurrent num of si connections .......... 0
Packets:
Total num of packets ...................... 2567
Total packets in bytes .................... 202394
Concurrent num of async packets ........... 0
Memory:
Allocated memory in bytes ................. 0
Referenced skbuffs num .................... 0
Referenced skbuffs size in bytes .......... 0
External packet references................. 0
Allocated memory per connection ........... 0
Rejected packets/connections:
Total num of rejected packets ............. 0
Dropped packets/connections:
Total num of dropped packets .............. 0
Stripped/Truncated packets:
Total num of stripped packets ............. 0
Total num of truncated packets ............ 0
Paused packets:
Total num of c2s|s2c paused packets ....... 0 | 0
Concurrent num of UDP held packets ........ 0

Applications Counters:
======================
Application Name: ASPII_MT
Connections:
Total num of connections .................. 954
Concurrent num of connections ............. 0
Total num of c2s|s2c connections .......... 954 | 954
Concurrent num of c2s|s2c connections ..... 0 | 0
Packets:
Total num of c2s|s2c data packets ......... 2567 | 0
Total c2s|s2c data packets in bytes ....... 130518 | 0

FastForward Counters:
=====================
FF connection:
Total num of c2s|s2c FFconns .............. 0 | 0
Total num of c2s|s2c saved packets ........ 0 | 0
Total num of c2s|s2c bytes requests ....... 0 | 0
Total num of c2s|s2c saved bytes .......... 0 | 0

[Expert@MyGW:0]#

fw ctl uninstall

Description
1. Tells the operating system to stop passing packets to the Firewall.
2. Unloads the current Security Policy.
3. Unloads the current Firewall Chain Modules (see "fw ctl chain" on page 1019).
4. Unloads the current Firewall Connection Modules except for RTM (see "fw ctl conn" on
page 1021).

Warnings:

1. If you run the "fw ctl uninstall" command, the networks behind the
Security Gateway become unprotected.
2. If you run the "fw ctl uninstall" command and then the "fw ctl install" on
page 1033 command, it does not restore the Security Policy.
You must run one of these commands: "fw fetch" on page 1048, or "cpstart" on
page 957.

Syntax

fw [-d] ctl uninstall

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter,
then redirect the output to a file, or use the
script command to save the entire CLI
session.

fw defaultgen

Description
Manually generates the Default Filter policy files.
Refer to these related commands:
n "comp_init_policy" on page 913
n "control_bootsec" on page 917
n "fwboot default" on page 1185
n "fwboot bootconf" on page 1172

Syntax

fw [-d] defaultgen

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

defaultgen Generates the Default Filter policy files:


n For IPv4 traffic:
$FWDIR/state/default.bin
n For IPv6 traffic:
$FWDIR/state/default.bin6

If the Default Filter policy file already exists, the command creates a
backup copy ($FWDIR/state/default.bin.bak and
$FWDIR/state/default.bin6.bak).

Example

[Expert@MyGW:0]# fw defaultgen
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
hostaddr(MyGW) failed
Backing up default.bin6 as default.bin6.bak
[Expert@MyGW:0]#

fw fetch

Description
Fetches the Security Policy from the specified host and installs it to the kernel.

Syntax
n To fetch the policy from the Management Server:

fw [-d] fetch -f [-i] [-n] [-r]

n To fetch the policy from a peer Cluster Member, and, if it fails, then from the
Management Server:

fw [-d] fetch -f -c [-i] [-n] [-r]

n To fetch the policy from the specified Check Point computer(s):

fw [-d] fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]

n To fetch the policy stored locally on the Security Gateway in the default directory
$FWDIR/state/:

fw [-d] fetch local [-nu]


fw [-d] fetch localhost [-nu]

n To fetch the policy stored locally on the Security Gateway in the specified directory:

fw [-d] fetchlocal -d <Full Path to Directory>

Parameters

Parameter Description

fw -d fetch... Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-c Specifies that you fetch the policy from a peer Cluster Member.
Notes:
n Must also use the "-f" parameter.
n Works only in cluster.

-f Specifies that you fetch the policy from a Management Server listed
in the $FWDIR/conf/masters file.

-i On a Security Gateway with dynamically assigned IP address
(DAIP), specifies to ignore the SIC name and object name.

-n Specifies not to load the fetched policy, if it is the same as the policy
already located on the Security Gateway.

-nu Specifies not to update the currently installed policy.

-r On a Cluster Member, specifies to ignore this option in
SmartConsole Install Policy window:
For gateway clusters, if installation on a cluster member fails, do
not install on that cluster
Best Practice - Use this parameter if a peer Cluster Member is
Down.

<Master 1> [<Master 2> ...] Specifies the Check Point computer(s), from which to fetch the
policy.
You can fetch the policy from the Management Server, or a peer
Cluster Member.
Notes:
n If you fetch the policy from the Management Server, you
can enter one of these:
l The main IP address of the Management Server

object.
l The object name of the Management Server.

l The hostname that the Security Gateway resolves to

the main IP address of the Management Server.


n If you fetch the policy from a peer Cluster Member, you
can enter one of these:
l The main IP address of the Cluster Member object.

l The IP address of the Sync interface on the Cluster

Member.
n If the fetch from the first specified <Master> fails, the
Security Gateway fetches the policy from the second
specified <Master>, and so on. If the Security Gateway
fails to connect to all of the specified <Masters>, it
fetches the policy from the localhost.
n If you do not specify the <Masters> explicitly, the
Security Gateway fetches the policy from the localhost.

-d <Full Path to Directory> Specifies the local directory on the Security Gateway, from which to
fetch the policy files.

fw fetchlogs

Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File
2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-f <Name of Log File N> Specifies the name of the log file to fetch. Specify only the file name.
Notes:
n If you do not specify the log file name explicitly, the command
transfers all Security log files ($FWDIR/log/*.log*) and all Audit
log files ($FWDIR/log/*.adtlog*).
n The specified log file name can include wildcards * and ? (for
example, 2017-0?-*.log).
If you enter a wildcard, you must enclose it in double quotes or single
quotes.
n You can specify multiple log files in one command.
You must use the -f parameter for each log file name pattern.
n This command also transfers the applicable log pointer files.

<Target> Specifies the remote Check Point computer, with which this local Check
Point computer has established SIC trust.
n If you run this command on a Security Management Server or Domain
Management Server, then <Target> is the applicable object's name
or main IP address of the Check Point Computer as configured in
SmartConsole.
n If you run this command on a Security Gateway or Cluster Member,
then <Target> is the main IP address of the applicable object as
configured in SmartConsole.

Notes:
n This command moves the specified log files from the $FWDIR/log/ directory on the
specified Check Point computer. That is, it deletes the specified log files on the
specified Check Point computer after it copies them successfully.
n This command moves the specified log files to the $FWDIR/log/ directory on the local
Check Point computer, on which you run this command.
n This command cannot fetch the active log files $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog.
To fetch these active log files:
1. Perform log switch on the applicable Check Point computer:

fw logswitch [-audit] [-h <IP Address or Hostname>]

2. Fetch the rotated log file from the applicable Check Point computer:

fw fetchlogs -f <Log File Name> <IP Address or Hostname>

n This command renames the log files it fetched from the specified Check Point computer.
The new log file name is the concatenation of the Check Point computer's name (as
configured in SmartConsole), two underscore (_) characters, and the original log file
name (for example: MyGW__2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW


Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW


File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R80.40/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW


Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#

fw getifs

Description
Shows a list with this information:
n The names of the interfaces, to which the Check Point Firewall kernel is attached.
n The IP addresses assigned to the interfaces.

Notes:
n This list shows only interfaces that have IP addresses assigned on
them.
n Related "cpstat" on page 958 commands:
l cpstat -f ifconfig os

l cpstat -f interfaces fw

Syntax

fw [-d] getifs

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter,
then redirect the output to a file, or use the
script command to save the entire CLI
session.

Example

[Expert@MyGW:0]# fw getifs
localhost eth0 192.168.30.40 255.255.255.0
localhost eth1 172.30.60.80 255.255.255.0
[Expert@MyGW:0]#

fw hastat

Description
Shows information about Check Point computers in High Availability configuration and their
states.

Note - This command is outdated. On cluster members, run the Gaia Clish command
"show cluster state", or the Expert mode command "cphaprob state".
Note - This command is outdated. On Management Servers, run the "cpstat" on
page 192 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter Description

<Target1> <Target2> ... <TargetN> Specifies the Check Point computers to query.
If you run this command on the Management Server, you can enter the
applicable IP address, or the resolvable HostName of the managed
Security Gateway or Cluster Member.
If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#

fw isp_link

Description
Controls the state of ISP Links in the ISP Redundancy configuration on Security Gateway.
See the R80.40 Quantum Security Gateway Guide.

Syntax

fw [-d] isp_link
{-h | -help}
[<Name of Object>] <Name of ISP Link>
down
up

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

{-h | -help} Shows the built-in usage.

<Name of Object> Only when you run this command on a Management Server:
The name of the Security Gateway or Cluster Member object as defined in
SmartConsole (from the left navigation panel, click Gateways & Servers).

<Name of ISP Link> The name of the ISP Link as defined in the Security Gateway or Cluster
object:
1. In SmartConsole, from the left navigation panel, click Gateways &
Servers.
2. Open the Security Gateway or Cluster object.
3. From the left tree, click Other > ISP Redundancy.

down Changes the state of the specified ISP Link to DOWN.

up Changes the state of the specified ISP Link to UP.

fw kill

Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-t <Signal Number> Specifies which signal to send to the Check Point process.
For the list of available signals and their numbers, run the kill -l
command.
For information about the signals, see the manual pages for the
kill and signal.
If you do not specify the signal explicitly, the command sends Signal
15 (SIGTERM).
Note - Processes can ignore some signals.

<Name of Process> Specifies the name of the Check Point process to kill.
To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw lichosts

Description
Shows IP addresses of internal hosts that Security Gateway detected and counted based on
the installed license.

Syntax

fw [-d] lichosts [-l] [-x]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter,
then redirect the output to a file, or use the
script command to save the entire CLI
session.

-l Shows the output in the long format.

-x Shows the output in the hexadecimal format.

Example

[Expert@MyGW:0]# fw lichosts
License allows an unlimited number of hosts
[Expert@MyGW:0]

Related SK article
sk10200 - 'too many internal hosts' error in /var/log/messages on Security Gateway.

fw log

Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}


fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c
<Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert
Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q]
[-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u
<Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End
Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter Description

{-h | -help} Shows the built-in usage.


Note - The built-in usage does not show some of the parameters
described in this table.

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

-a Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>" Shows only entries that were logged between the specified start and
end times.
n The <Start Timestamp> and <End Timestamp> may be a
date, a time, or both.
n If the date is omitted, then the command assumes the current date.
n Enclose the "<Start Timestamp>" and "<End
Timestamp>" in single or double quotes (-b 'XX' 'YY', or -b
"XX" "YY").
n You cannot use the "-b" parameter together with the "-s" or "-
e" parameters.
n See the date and time format below.

-c <Action> Shows only events with the specified action. One of these:
n accept
n drop
n reject
n encrypt
n decrypt
n vpnroute
n keyinst
n authorize
n deauthorize
n authcrypt
n ctl

Notes:
n The fw log command always shows the Control (ctl) actions.
n For the login action, use authcrypt.

-e "<End Timestamp>" Shows only entries that were logged before the specified time.
Notes:
n The <End Timestamp> may be a date, a time, or both.
n Enclose the <End Timestamp> in single or double quotes (-e
'...', or -e "...").
n You cannot use the "-e" parameter together with the "-b"
parameter.
n See the date and time format below.

-f This parameter:
1. Shows the saved entries that match the specified conditions.
2. After the command reaches the end of the currently opened log
file, it continues to monitor the log file indefinitely and shows the
new entries that match the specified conditions.
Note - Applies only to the active log file $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog

-g Does not show delimiters.


The default behavior is:
n Show a colon (:) after a field name
n Show a semi-colon (;) after a field value

-H Shows the High Level Log key.

-h <Origin> Shows only logs that were generated by the Security Gateway with
the specified IP address or object name (as configured in
SmartConsole).

-i Shows log UID.

-k {<Alert Name> | all} Shows entries that match a specific alert type:
n <Alert Name> - Show only entries that match a specific alert
type:
l alert

l mail

l snmp_trap

l spoof

l user_alert

l user_auth

n all - Show entries that match all alert types (this is the default).

-l Shows both the date and the time for each log entry.
The default is to show the date only once above the relevant entries,
and then specify the time for each log entry.

-m Specifies the log unification mode:


n initial - Complete unification of log entries. The command
shows one unified log entry for each ID. This is the default.
If you also specify the -f parameter, then the output does not
show any updates, but shows only entries that relate to the start
of new connections. To show updates, use the semi
parameter.
n semi - Step-by-step unification of log entries. For each log
entry, the output shows an entry that unifies this entry with all
previously encountered entries with the same ID.
n raw - No log unification. The output shows all log entries.

-n Does not perform DNS resolution of the IP addresses in the log file
(this is the default behavior).
This significantly speeds up the log processing.

-o Shows detailed log chains - shows all the log segments in the log
entry.

-p Does not perform resolution of the port numbers in the log file (this is
the default behavior).
This significantly speeds up the log processing.

-q Shows the names of log header fields.

-S Shows the Sequence Number.

-s "<Start Timestamp>" Shows only entries that were logged after the specified time.
Notes:
n The <Start Timestamp> may be a date, a time, or both.
n If the date is omitted, then the command assumes the current
date.
n Enclose the <Start Timestamp> in single or double quotes
(-s '...', or -s "...").
n You cannot use the "-s" parameter together with the "-b"
parameter.
n See the date and time format below.

-t This parameter:
1. Does not show the saved entries that match the specified
conditions.
2. After the command reaches the end of the currently opened log
file, it continues to monitor the log file indefinitely and shows the
new entries that match the specified conditions.
Note - Applies only to the active log file $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog

-u <Unification Scheme File> Specifies the path and name of the log unification scheme file.
The default log unification scheme file is:
$FWDIR/conf/log_unification_scheme.C

-w Shows the flags of each log entry (different bits used to specify the
"nature" of the log - for example, control, audit, accounting,
complementary, and so on).

-x <Start Entry Number> Shows only entries from the specified log entry number and below,
counting from the beginning of the log file.

-y <End Entry Number> Shows only entries until the specified log entry number, counting from
the beginning of the log file.

-z In case of an error (for example, wrong field value), continues to show
log entries.
The default behavior is to stop.

-# Show confidential logs in clear text.

<Log File> Specifies the log file to read.
If you do not specify the log file explicitly, the command opens the
$FWDIR/log/fw.log log file.
You can specify a switched log file.

Date and Time format

Part of timestamp   Format                  Example
Date only           MMM DD, YYYY            June 11, 2018
Time only           HH:MM:SS                14:20:00
                    Note - In this case, the command assumes the current date.
Date and Time       MMM DD, YYYY HH:MM:SS   June 11, 2018 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that show depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

Field Header - Description. Example

HeaderDateHour - Date and Time. Example: 12Jun2018 12:56:42

ContentVersion - Version. Example: 5

HighLevelLogKey - High Level Log Key. Example: <max_null>, or empty

Uuid - Log UUID. Example: (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)

SequenceNum - Log Sequence Number. Example: 1

Flags - Internal flags that specify the "nature" of the log - for example,
control, audit, accounting, complementary, and so on. Example: 428292

Action - Action performed on this connection. Examples:
- accept
- drop
- reject
- encrypt
- decrypt
- vpnroute
- keyinst
- authorize
- deauthorize
- authcrypt
- ctl

Origin - Object name of the Security Gateway that generated this log.
Example: MyGW

IfDir - Traffic direction through the interface. Examples:
- < - Outbound (sent by a Security Gateway)
- > - Inbound (received by a Security Gateway)

InterfaceName - Name of the Security Gateway interface, on which this traffic
was logged. If a Security Gateway performed some internal action (for example,
log switch), then the log entry shows daemon. Examples:
- eth0
- daemon
- N/A

LogId - Log ID. Example: 0

Alert - Alert Type. Examples:
- alert
- mail
- snmp_trap
- spoof
- user_alert
- user_auth

OriginSicName - SIC name of the Security Gateway that generated this log.
Example: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x

inzone - Inbound Security Zone. Example: Local

outzone - Outbound Security Zone. Example: External

service_id - Name of the service used to inspect this connection. Example: ftp

src - Object name or IP address of the connection's source computer.
Example: MyHost

dst - Object name or IP address of the connection's destination computer.
Example: MyFTPServer

proto - Name of the connection's protocol. Example: tcp

sport_svc - Source port of the connection. Example: 64933

ProductName - Name of the Check Point product that generated this log.
Examples:
- VPN-1 & FireWall-1
- Application Control
- FloodGate-1

ProductFamily - Name of the Check Point product family that generated this
log. Example: Network
Examples
Example 1 - Show all log entries with both the date and the time for each log entry
fw log -l

Example 2 - Show all log entries that start after the specified timestamp
[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps
[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"
[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
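As an added example (not part of this guide and not Check Point code), the following Python parses the "key: value;" lines that fw log -l -q prints, including the TABLE_START/ROW_START blocks, applies the -s/-b time window and the -c action selection in the documented timestamp forms, and rolls up drops per source, destination and service. The sample lines are constructed: the drop entry follows Example 5 above (the SIC name the page wrapped is restored to one line), and the accept entry is written to the same layout.

```python
"""Parser and selector for the "key: value;" lines that "fw log -l -q"
prints.  Added example modelling only the output format shown in this
chapter; it is not Check Point code."""
from datetime import date, datetime

# Constructed sample input, modelled on Example 5 above plus one accept
# entry written to the same layout.
SAMPLE_LINES = [
    "HeaderDateHour: 12Jun2018 12:33:00; ContentVersion: 5; "
    "HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; "
    "Action: accept; Origin: MyGW; IfDir: >; InterfaceName: N/A; Alert: ; "
    "LogId: <max_null>; ProductName: FG; ProductFamily: Network;",
    "HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; "
    "HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; "
    "Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; "
    "LogId: 0; ContextNum: <max_null>; "
    "OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; "
    "inzone: Local; outzone: External; service_id: ftp; src: MyGW; "
    "dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; "
    "ROW_START: 0; match_id: 2; "
    "layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; "
    "layer_name: MyPolicy Network; "
    "rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; "
    "ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; "
    "ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; "
    "ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; "
    "ProductFamily: Network;",
]

HEADER_TIME = "%d%b%Y %H:%M:%S"      # HeaderDateHour, e.g. 12Jun2018 12:33:39


def parse_entry(line):
    """Split one "-q" line into a dict.  A TABLE_START ... TABLE_END block
    (UP_match_table, UP_action_table) becomes a list of row dicts, one per
    ROW_START ... ROW_END pair, stored under the table's name."""
    entry, table, rows, row = {}, None, None, None
    for token in line.strip().rstrip(";").split("; "):
        key, _, value = token.partition(": ")
        key, value = key.strip(), value.strip()
        if value == "TABLE_START":
            table, rows = key, []
        elif value == "TABLE_END":
            entry[table], table, rows = rows, None, None
        elif key == "ROW_START":
            row = {}
        elif key == "ROW_END":
            rows.append(row)
            row = None
        elif row is not None:
            row[key] = value
        else:
            entry[key] = value
    return entry


def parse_start_timestamp(text, today=None):
    """Interpret a "-s"/"-b" value in the documented forms: date only, time
    only, or both (surrounding quotes are tolerated).  A bare time is placed
    on `today`, which defaults to the current date as the command does."""
    text = text.strip().strip("'\"")
    today = today or date.today()
    for fmt in ("%B %d, %Y %H:%M:%S", "%b %d, %Y %H:%M:%S",
                "%B %d, %Y", "%b %d, %Y", "%H:%M:%S"):
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if fmt == "%H:%M:%S":
            return datetime.combine(today, parsed.time())
        return parsed
    raise ValueError(f"unrecognised timestamp: {text!r}")


def select_entries(lines, start=None, end=None, action=None):
    """Apply the "-s <Start>" / "-b <Start> <End>" window and the
    "-c <Action>" selection, keeping file order."""
    selected = []
    for line in lines:
        entry = parse_entry(line)
        when = datetime.strptime(entry["HeaderDateHour"], HEADER_TIME)
        if start is not None and when < start:
            continue
        if end is not None and when > end:
            continue
        if action is not None and entry.get("Action") != action:
            continue
        selected.append(entry)
    return selected


def drop_summary(entries):
    """Count dropped connections per (src, dst, service_id): the roll-up a
    log review usually starts from."""
    counts = {}
    for entry in entries:
        if entry.get("Action") == "drop":
            key = (entry.get("src"), entry.get("dst"), entry.get("service_id"))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    window_start = parse_start_timestamp("June 12, 2018 12:33:30")
    for e in select_entries(SAMPLE_LINES, start=window_start):
        print(e["HeaderDateHour"], e["Action"], e.get("src"), "->", e.get("dst"))
    print(drop_summary(select_entries(SAMPLE_LINES)))
```

Values containing "; " would confuse the split; the fields shown in this chapter do not contain that sequence, but a parser for arbitrary product fields should tokenise more carefully.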

fw logswitch

Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
- By default, this command switches the active Security log file -
  $FWDIR/log/fw.log
- You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch
        [-audit] [<Name of Switched Log>]
        -h <Target> [[+ | -]<Name of Switched Log>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-audit
    Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).
    You can use this parameter only on a Management Server.

-h <Target>
    Specifies the remote computer, on which to switch the log.
    Notes:
    - The local and the remote computers must have established SIC trust.
    - The remote computer can be a Security Gateway, a Log Server, or a
      Security Management Server in High Availability deployment.
    - You can specify the remote managed computer by its main IP address or
      Object Name as configured in SmartConsole.

<Name of Switched Log>
    Specifies the name of the switched log file.
    Notes:
    - If you do not specify this parameter, then the default name is:
      <YYYY-MM-DD_HHMMSS>.log
      <YYYY-MM-DD_HHMMSS>.adtlog
      For example, 2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the
      switched log file is:
      <Specified_Log_Name>.log
      <Specified_Log_Name>.adtlog
    - The log switch operation fails if the specified name for the switched
      log matches the name of an existing log file.
    - The maximal length of the specified name of the switched log file is
      230 characters.

+
    Specifies to copy the active log from the remote computer to the local
    computer.
    Notes:
    - If you specify the name of the switched log file, you must write it
      immediately after this + (plus) parameter.
    - The command copies the active log from the remote computer and saves
      it in the $FWDIR/log/ directory on the local computer.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the
      saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command copies the log file from the remote computer, it
      compresses the file.

-
    Specifies to transfer the active log from the remote computer to the local
    computer.
    Notes:
    - The command saves the copied active log file in the $FWDIR/log/
      directory on the local computer and then deletes the switched log file
      on the remote computer.
    - If you specify the name of the switched log file, you must write it
      immediately after this - (minus) parameter.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the
      saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command transfers the log file from the remote computer, it
      compresses the file.
    - As an alternative, you can use the "fw fetchlogs" on page 246 command.

Compression
When this command transfers the log files from the remote computer, it compresses the file
with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation
of the LZ77 method. The compression ratio varies with the content of the log file and is
difficult to predict. Binary data are not compressed. Text data, such as user names and URLs,
are compressed.

Example - Switching the active Security log on a Security Management Server or Security Gateway
[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server


[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#


Example - Switching the active Security log on a managed Security Gateway and copying the
switched log
[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.40/fw1/log/fw.log
/opt/CPsuite-R80.40/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

fw lslogs

Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files
($FWDIR/log/*.adtlog) residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]
... [-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime |
etime}] [<Target>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-f <Name of Log File>
    Specifies the name of the log file to show. Specify the file name only,
    without a path.
    Notes:
    - If the log file name is not specified explicitly, the command shows all
      Security log files ($FWDIR/log/*.log).
    - File names may include * and ? as wildcards (for example, 2019-0?-*).
      If you enter a wildcard, you must enclose it in double quotes or single
      quotes.
    - You can specify multiple log files in one command. You must use the
      "-f" parameter for each log file name pattern:
      -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>

-e
    Shows an extended file list. It includes the following information for
    each log file:
    - Size - The total size of the log file and its related pointer files
    - Creation Time - The time the log file was created
    - Closing Time - The time the log file was closed
    - Log File Name - The file name

-r
    Reverses the sort order (descending order).

-s {name | size | stime | etime}
    Specifies the sort order of the log files using one of the following sort
    options:
    - name - The file name
    - size - The file size
    - stime - The time the log file was created (this is the default option)
    - etime - The time the log file was closed

<Target>
    Specifies the remote Check Point computer, with which this local Check
    Point computer has established SIC trust.
    - If you run this command on a Security Management Server or Domain
      Management Server, then <Target> is the applicable object's name or
      main IP address of the Check Point Computer as configured in
      SmartConsole.
    - If you run this command on a Security Gateway or Cluster Member, then
      <Target> is the main IP address of the applicable object as configured
      in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"


Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#


Example 4 - Showing only log files specified by the patterns and their extended
information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'


Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse
order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r


Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security
Gateway with main IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' 192.168.3.53


Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#

fw mergefiles

Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
- Do not merge the active Security file $FWDIR/log/fw.log with other Security
  switched log files.
  Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch" on
  page 1068 command) and only then merge it with other Security switched log
  files.
- Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit
  switched log files.
  Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch"
  on page 1068 command) and only then merge it with other Audit switched log
  files.
- This command unifies log entries with the same Unique-ID (UID). If you rotate
  the current active log file before all the segments of a specific log arrive,
  this command merges the records with the same Unique ID from two different
  files into one fully detailed record.
- If the size of the final merged log file exceeds 2GB, this command creates a
  list of merged files, where the size of each merged file is not more than
  2GB. The user receives this warning:
  Warning: The size of the files you have chosen to merge is greater than 2GB.
  The merge will produce two or more files.
  The names of merged files are:
  - <Name of Merged Log File>.log
  - <Name of Merged Log File>_1.log
  - <Name of Merged Log File>_2.log
  - ... ...
  - <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}


fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of
Log File 1> <Name of Log File 2> ... <Name of Log File N> <Name of
Merged Log File>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-r
    Removes duplicate entries.

-s
    Sorts the merged file by the Time field in log records.

-t <Time Conversion File>
    Specifies a full path and name of a file that instructs this command how
    to adjust the times during the merge.
    This is required if you merge log files from Log Servers configured with
    different time zones.
    The file format is:
    <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
    <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
    ... ...
    Notes:
    - You must specify the absolute path and the file name.
    - The name of the time conversion file cannot exceed 230 characters.

<Name of Log File 1> ... <Name of Log File N>
    Specifies the log files to merge.
    Notes:
    - You must specify the absolute path and the name of the input log files.
    - The name of the input log file cannot exceed 230 characters.

<Name of Merged Log File>
    Specifies the output merged log file.
    Notes:
    - The name of the merged log file cannot exceed 230 characters.
    - If a file with the specified name already exists, the command stops and
      asks you to remove the existing file, or to specify another name.
    - The size of the merged log file cannot exceed 2 GB. In such a scenario,
      the command creates several merged log files, each not exceeding the
      size limit.

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log
$FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#
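To make the effect of the -r, -s and -t parameters concrete, here is an added Python model of the record handling they describe: per-Log-Server time adjustment from a time conversion file in the documented "<IP Address> <Signed Seconds>" format, unification of records that share a Unique-ID, duplicate removal and sorting by time. This is example code, not Check Point's implementation; the log files, the record fields and the two Log Server addresses are constructed for the illustration.

```python
"""Model of what "fw mergefiles [-r] [-s] [-t <file>]" does to log records,
as described in the parameter table above.  Added example with constructed
records; not Check Point's implementation."""
from datetime import datetime, timedelta

TIME_FMT = "%d%b%Y %H:%M:%S"        # e.g. 10Sep2019 10:00:05

# Constructed time conversion file in the documented format.  The second
# Log Server's clock runs one hour ahead, so its times are shifted by -3600.
TIME_CONVERSION = "192.0.2.10 0\n192.0.2.20 -3600\n"

# Constructed switched log files, one list per file.  "origin_ip" is the
# Log Server the record came from; "uid" is the entry's Unique-ID (empty
# when none was set).  FILE_A carries an exact duplicate of its second
# record; FILE_B carries the second segment of the entry with uid u-1.
FILE_A = [
    {"origin_ip": "192.0.2.10", "uid": "u-1", "time": "10Sep2019 10:00:05",
     "action": "drop", "src": "10.1.1.5", "dst": "", "service_id": ""},
    {"origin_ip": "192.0.2.10", "uid": "", "time": "10Sep2019 10:00:10",
     "action": "accept", "src": "10.1.1.6", "dst": "MyWebServer", "service_id": "http"},
    {"origin_ip": "192.0.2.10", "uid": "", "time": "10Sep2019 10:00:10",
     "action": "accept", "src": "10.1.1.6", "dst": "MyWebServer", "service_id": "http"},
]
FILE_B = [
    {"origin_ip": "192.0.2.20", "uid": "u-1", "time": "10Sep2019 11:00:05",
     "action": "drop", "src": "10.1.1.5", "dst": "MyFTPServer", "service_id": "ftp"},
    {"origin_ip": "192.0.2.20", "uid": "u-2", "time": "10Sep2019 10:59:00",
     "action": "accept", "src": "10.1.1.7", "dst": "MyDNS", "service_id": "domain-udp"},
]


def parse_time_conversion(text):
    """Parse "<IP> <signed seconds>" lines into {ip: timedelta}."""
    offsets = {}
    for line in text.splitlines():
        if line.strip():
            ip, seconds = line.split()
            offsets[ip] = timedelta(seconds=int(seconds))
    return offsets


def merge_files(files, remove_duplicates=False, sort_by_time=False, offsets=None):
    """Merge record lists the way the documented parameters describe.
    Records with the same non-empty uid are unified: fields that the first
    segment left empty are filled from later segments.  `remove_duplicates`
    is "-r", `sort_by_time` is "-s", `offsets` comes from the "-t" file."""
    offsets = offsets or {}
    merged, by_uid, seen = [], {}, set()
    for records in files:
        for original in records:
            rec = dict(original)
            when = datetime.strptime(rec["time"], TIME_FMT)
            when += offsets.get(rec["origin_ip"], timedelta(0))
            rec["time"] = when.strftime(TIME_FMT)
            fingerprint = tuple(sorted(rec.items()))
            if remove_duplicates and fingerprint in seen:
                continue
            seen.add(fingerprint)
            uid = rec["uid"]
            if uid and uid in by_uid:
                target = by_uid[uid]          # unify into the first segment
                for key, value in rec.items():
                    if value and not target.get(key):
                        target[key] = value
                continue
            if uid:
                by_uid[uid] = rec
            merged.append(rec)
    if sort_by_time:
        merged.sort(key=lambda r: datetime.strptime(r["time"], TIME_FMT))
    return merged


if __name__ == "__main__":
    result = merge_files([FILE_A, FILE_B], remove_duplicates=True,
                         sort_by_time=True,
                         offsets=parse_time_conversion(TIME_CONVERSION))
    for rec in result:
        print(rec["time"], rec["uid"] or "-", rec["action"], rec["src"], "->", rec["dst"])
```

Run with both -r and -s modelled, the three surviving records come out in clock-corrected order, and the drop for uid u-1 carries the destination and service that only arrived in the second file.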

fw monitor

Description
Firewall Monitor is the Check Point traffic capture tool.
In a Security Gateway, traffic passes through different inspection points - Chain Modules in the
Inbound direction and then in the Outbound direction (see "fw ctl chain" on page 1019).
The FW Monitor tool captures the traffic at each Chain Module in both directions.
You can later analyze the captured traffic with the same FW Monitor tool, or with special tools
like Wireshark.

Notes:
- Only one instance of "fw monitor" can run at a time.
- You can stop the "fw monitor" instance in one of these ways:
  - In the shell, in which the "fw monitor" instance runs, press the
    CTRL + C keys
  - In another shell, run this command: fw monitor -U
- Each time you run the FW Monitor, it compiles its temporary policy files
  ($FWDIR/tmp/monitorfilter.*).
- From R80.20, the FW Monitor is able to show the traffic accelerated with
  SecureXL.
- For more information, see sk30583 and How to use FW Monitor.

Syntax for IPv4

fw monitor {-h | -help}


fw monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co
<Number of Outbound Packets>] [-e <INSPECT Expression> | -f
{<INSPECT Filter File> | -}] [-F "<Source IP>,<Source Port>,<Dest
IP>,<Dest Port>,<Protocol Number>"] [-i] [-l <Length>] [-m
{i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI
<Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T]
[-u | -s] [-U] [-v <VSID>] [-x <Offset>[,<Length>] [-w]]


Syntax for IPv6

fw6 monitor {-h | -help}


fw6 monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co
<Number of Outbound Packets>] [-e <INSPECT Expression> | -f
{<INSPECT Filter File> | -}] [-F "<Source IP>,<Source Port>,<Dest
IP>,<Dest Port>,<Protocol Number>"] [-i] [-l <Length>] [-m
{i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI
<Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T]
[-u | -s] [-U] [-v <VSID>] [-x <Offset>[,<Length>] [-w]]

Parameters

Parameter Description

{-h | -help}
    Shows the built-in usage.

-d
-D
    Runs the command in debug mode and shows some information about how the
    FW Monitor starts and compiles the specified INSPECT filter:
    - -d
      Simple debug output.
    - -D
      Verbose output.
    Note - You can specify both parameters to show more information.

-ci <Number of Inbound Packets>
-co <Number of Outbound Packets>
    Specifies how many packets to capture.
    The FW Monitor stops the traffic capture if it counted the specified
    number of packets.
    - -ci
      Specifies the number of inbound packets to count.
    - -co
      Specifies the number of outbound packets to count.
    Best Practice - You can use the "-ci" and the "-co" parameters together.
    This is especially useful during large volumes of traffic. In such
    scenarios, FW Monitor may bind so many resources (for writing to the
    console, or to a file) that recognizing the break sequence (CTRL+C) might
    take a very long time.

Parameter Description

-e <INSPECT Expression>
or
-f {<INSPECT Filter File> | -}
    Captures only specific packets of non-accelerated traffic:
    - "-e <INSPECT Expression>"
      Defines the INSPECT filter expression on the command line.
    - "-f <INSPECT Filter File>"
      Reads the INSPECT filter expression from the specified file.
      You must enter the full path and name of the plain-text file that
      contains the INSPECT filter expression.
    - "-f -"
      Reads the INSPECT filter expression from the standard input. After you
      enter the INSPECT filter expression, you must enter ^D (CTRL+D) as the
      EOF (End Of File) character.
    Warning - These INSPECT filters do not apply to the accelerated traffic.
    Important - Make sure to enclose the INSPECT filter expression correctly
    in single quotes (ASCII value 39) or double quotes (ASCII value 34).
    Notes:
    - Refer to the $FWDIR/lib/fwmonitor.def file for useful macro
      definitions.
    - See syntax examples below ("Examples for the "-e" parameter" on
      page 1095).

-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"
    Specifies the capture filter (for both accelerated and non-accelerated
    traffic):
    - <Source IP> - Specifies the source IP address
    - <Source Port> - Specifies the source Port Number (see IANA Service Name
      and Port Number Registry)
    - <Dest IP> - Specifies the destination IP address
    - <Dest Port> - Specifies the destination Port Number (see IANA Service
      Name and Port Number Registry)
    - <Protocol Number> - Specifies the Protocol Number (see IANA Protocol
      Numbers)
    Notes:
    - See syntax examples below ("Examples for the "-F" parameter" on
      page 1109).
    - The "-F" parameter uses these Kernel Debug Filters. For more
      information, see the R80.40 Quantum Security Gateway Guide - Chapter
      Kernel Debug on Security Gateway - Section Kernel Debug Filters.
      - For the Source IP address:
        simple_debug_filter_saddr_<N> "<IP Address>"
      - For the Source Ports:
        simple_debug_filter_sport_<N> <1-65535>
      - For the Destination IP address:
        simple_debug_filter_daddr_<N> "<IP Address>"
      - For the Destination Ports:
        simple_debug_filter_dport_<N> <1-65535>
      - For the Protocol Number:
        simple_debug_filter_proto_<N> <0-254>
    - Value 0 means "any".
    - This parameter supports up to 5 capture filters (up to 5 instances of
      the "-F" parameter in the syntax).
      The FW Monitor performs the logical "OR" between all specified simple
      capture filters.
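The following Python is an added example, not part of this guide and not Check Point code: it models the documented "-F" semantics (five comma-separated fields, 0 meaning "any", at most five filters combined with a logical OR) so that a filter set can be checked against sample 5-tuples before fw monitor is started on a gateway. The packet records and the treatment of a literal "0" as the wildcard for the IP address fields are assumptions of the example.

```python
"""Model of the "-F" capture filter semantics described in the parameter
table: "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>",
0 means any, up to five filters OR-ed together.  Added example with
constructed packets; not Check Point code."""
import ipaddress
from dataclasses import dataclass

MAX_FILTERS = 5      # documented limit on "-F" instances per invocation


@dataclass(frozen=True)
class CaptureFilter:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


def parse_capture_filter(text):
    """Parse one "-F" value.  Ports are bounded 0-65535 and the protocol
    0-254 as in the documented kernel debug filters; an IP field is either
    the literal "0" (assumed wildcard) or a valid address."""
    fields = [f.strip() for f in text.strip().strip("'\"").split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 comma-separated fields: {text!r}")
    src, sport, dst, dport, proto = fields
    for addr in (src, dst):
        if addr != "0":
            ipaddress.ip_address(addr)          # raises ValueError if malformed
    sport, dport, proto = int(sport), int(dport), int(proto)
    for name, value, upper in (("source port", sport, 65535),
                               ("destination port", dport, 65535),
                               ("protocol", proto, 254)):
        if not 0 <= value <= upper:
            raise ValueError(f"{name} {value} outside 0-{upper}")
    return CaptureFilter(src, sport, dst, dport, proto)


def is_valid_filter(text):
    """True when the value would be accepted by parse_capture_filter."""
    try:
        parse_capture_filter(text)
        return True
    except ValueError:
        return False


def build_filter_set(values):
    """Parse all "-F" values of one fw monitor invocation."""
    if len(values) > MAX_FILTERS:
        raise ValueError(f"at most {MAX_FILTERS} -F filters are supported")
    return [parse_capture_filter(v) for v in values]


def filter_matches(flt, packet):
    """True when every non-wildcard field of the filter equals the packet's."""
    wanted = (("src", flt.src), ("sport", flt.sport), ("dst", flt.dst),
              ("dport", flt.dport), ("proto", flt.proto))
    return all(want in (0, "0") or want == packet[field] for field, want in wanted)


def captured(filters, packets):
    """Packets fw monitor would capture: logical OR over the filters.  With
    no filter at all, everything is captured."""
    if not filters:
        return list(packets)
    return [p for p in packets if any(filter_matches(f, p) for f in filters)]


# Constructed 5-tuples standing in for packets seen at an inspection point
# (port 0 for the ICMP packet, which has no ports).
SAMPLE_PACKETS = [
    {"src": "192.168.3.53", "sport": 51000, "dst": "10.0.0.10", "dport": 80, "proto": 6},
    {"src": "192.168.3.53", "sport": 51001, "dst": "10.0.0.10", "dport": 443, "proto": 6},
    {"src": "10.0.0.20", "sport": 53, "dst": "192.168.3.53", "dport": 40000, "proto": 17},
    {"src": "10.0.0.30", "sport": 0, "dst": "10.0.0.10", "dport": 0, "proto": 1},
]


if __name__ == "__main__":
    filters = build_filter_set(["192.168.3.53,0,10.0.0.10,80,6", "0,0,0,0,17"])
    for pkt in captured(filters, SAMPLE_PACKETS):
        print(pkt)
```

Because the filters are OR-ed, a second -F that is too broad (for example "0,0,0,0,0") captures everything regardless of how precise the first one is; checking the set against a handful of sample tuples before running on a busy gateway avoids that surprise.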

-H
    Creates an IP address filter.
    For more information, see the R80.40 Quantum Security Gateway Guide -
    Chapter Kernel Debug on Security Gateway - Section Kernel Debug Filters.
    This parameter supports up to 3 capture filters (up to 3 instances of the
    "-H" parameter in the syntax).
    Example - Capture only HTTP traffic to and from the Host 1.1.1.1:
    fw ctl debug -H "1.1.1.1"

Parameter Description

-i
    Flushes the standard output.
    Note - This parameter is valid only with the "-v <VSID>" parameter.
    Best Practice - Use this parameter to make sure FW Monitor immediately
    writes the captured data for each packet to the standard output. This is
    especially useful if you want to kill a running FW Monitor process, and
    want to be sure that FW Monitor writes all the data to the specified file.

-l <Length>
    Specifies the maximal length of the captured packets. FW Monitor reads
    only the specified number of bytes from each packet.
    Notes:
    - This parameter is optional.
    - With this parameter you can capture only the headers from each packet
      (for example, IP and TCP) and omit the payload. This decreases the size
      of the output file. This also helps the internal FW Monitor buffer not
      to fill too fast.
    - Make sure to capture the minimal required number of bytes, to capture
      the Layer 3 IP header and Layer 4 Transport header.

Parameter Description

-m {i, I, o, O, e, E}
    Specifies the capture mask (inspection point) in relation to Chain
    Modules, in which the FW Monitor captures the traffic.
    These are the inspection points, through which each packet passes on a
    Security Gateway.
    - -m i
      Pre-Inbound only (before the packet enters a Chain Module in the
      inbound direction)
    - -m I
      Post-Inbound only (after the packet passes a Chain Module in the
      inbound direction)
    - -m o
      Pre-Outbound only (before the packet enters a Chain Module in the
      outbound direction)
    - -m O
      Post-Outbound only (after the packet passes through a Chain Module in
      the outbound direction)
    - -m e
      Pre-Outbound VPN only (before the packet enters a VPN Chain Module in
      the outbound direction)
    - -m E
      Post-Outbound VPN only (after the packet passes through a VPN Chain
      Module in the outbound direction)
    Notes:
    - You can specify several capture masks (for example, to see NAT on the
      egress packets, enter "... -m o O ...").
    - You can use this capture mask parameter "-m {i, I, o, O, e, E}"
      together with the chain module position parameter "-p{i | I | o | O}".
    - In the inbound direction:
      - All chain positions before the FireWall Virtual Machine module are
        Pre-Inbound (the "fw ctl chain" on page 1019 command shows this
        module as "fw VM inbound").
      - All chain modules after the FireWall Virtual Machine module are
        Post-Inbound.
    - In the outbound direction:
      - All chain positions before the FireWall Virtual Machine module are
        Pre-Outbound.
      - All chain modules after the FireWall Virtual Machine module are
        Post-Outbound.
    - By default, the FW Monitor captures the traffic only in the FireWall
      Virtual Machine module.
    - The packet direction relates to each specific packet, and not to the
      connection's direction.
    - The letters "q" and "Q" after the inspection point mean that the QoS
      policy is applied to the interface.
    Example packet flows:
    - From a Client to a Server through the FireWall Virtual Machine module:
      [Client] --> ("i") {FW VM attached to eth1} ("I") [Security Gateway] ("o") {FW VM attached to eth2} ("O") --> [Server]
    - From a Server to a Client through the FireWall Virtual Machine module:
      [Client] <-- ("O") {FW VM attached to eth1} ("o") [Security Gateway] ("I") {FW VM attached to eth2} ("i") <-- [Server]

Parameter Description

-o <Output File> Specifies the output file, to which FW Monitor writes the captured
raw data.
Important - If you do not specify the path explicitly, FW
Monitor creates this output file in the current working directory.
Because this output file can grow very fast to very large size,
we always recommend to specify the full path to the largest
partition /var/log/.
The format of this output file is the same format used by tools like
snoop (refer to RFC 1761).
You can later analyze the captured traffic with the same FW
Monitor tool, or with special tools like Wireshark.

-pi <Position>
-pI <Position>
-po <Position>
-pO <Position>
or
-p all [-a]
    Inserts the FW Monitor Chain Module at the specified position between the kernel Chain Modules (see "fw ctl chain" on page 1019).
    If FW Monitor writes the captured data to the specified output file (with the parameter "-o <Output File>"), it also writes the position of the FW Monitor chain module as one of the fields.
    You can insert the FW Monitor Chain Module in these positions only:
    - -pi <Position>
      Inserts the FW Monitor Chain Module in the specified Pre-Inbound position.
    - -pI <Position>
      Inserts the FW Monitor Chain Module in the specified Post-Inbound position.
    - -po <Position>
      Inserts the FW Monitor Chain Module in the specified Pre-Outbound position.
    - -pO <Position>
      Inserts the FW Monitor Chain Module in the specified Post-Outbound position.
    - -p all [-a]
      Inserts the FW Monitor Chain Module at all positions (both Inbound and Outbound).
      Warning - This parameter causes very high load on the CPU, but provides the most complete traffic capture.
      The "-a" parameter specifies to use absolute chain positions. It changes the chain ID from a relative value (which only makes sense together with the matching output of the "fw ctl chain" on page 1019 command) to an absolute value.
    Notes:
    - <Position> can be one of these:
      - A relative position number
        In the output of the "fw ctl chain" on page 1019 command, refer to the numbers in the leftmost column (for example, 0, 5, 14).
      - A relative position alias
        In the output of the "fw ctl chain" on page 1019 command, refer to the internal chain module names in the rightmost column in the parentheses (for example, sxl_in, fw, cpas).
      - An absolute position
        In the output of the "fw ctl chain" on page 1019 command, refer to the numbers in the second column from the left (for example, -7fffffff, -1fffff8, 7f730000). In the syntax, you must write these numbers in the hexadecimal format (for example, -0x7fffffff, -0x1fffff8, 0x7f730000).
    - You can use this chain module position parameter "-p{i | I | o | O} ..." together with the capture mask parameter "-m {i, I, o, O, e, E}".
    - In the inbound direction:
      - All chain positions before the FireWall Virtual Machine module are Pre-Inbound (the "fw ctl chain" on page 1019 command shows this module as "fw VM inbound").
      - All chain modules after the FireWall Virtual Machine module are Post-Inbound.
    - In the outbound direction:
      - All chain positions before the FireWall Virtual Machine module are Pre-Outbound.
      - All chain modules after the FireWall Virtual Machine module are Post-Outbound.
    - By default, FW Monitor captures the traffic only in the FireWall Virtual Machine module.
    - The chain module position parameters "-p{i | I | o | O} ..." do not apply to the accelerated traffic, which is still monitored at the default inbound and outbound positions.
    - For more information about the inspection points, see the applicable table below.

-T
    Shows the timestamp for each packet:
    DDMMMYYYY HH:MM:SS.mmmmmm
    Best Practice - Use this parameter if you do not save the output to a file, but print it on the screen.

-u
or
-s
    Shows a UUID for each packet (it is only possible to print either the UUID or the SUUID, not both):
    - -u
      Prints the connection's Universal Unique ID (UUID) for each packet.
    - -s
      Prints the connection's Session UUID (SUUID) for each packet.

-U
    Removes the simple capture filters specified with this parameter:
    -F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"

-v <VSID>
    On a VSX Gateway or VSX Cluster Member, captures the packets on the specified Virtual System or Virtual Router.
    By default, FW Monitor captures the packets on all Virtual Systems and Virtual Routers.
    Example:
    fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap

-w
    Captures the entire packet, instead of only the header.
    Must be used together with one of these parameters:
    - -o <Output File>
    - -x <Offset>[,<Length>]

-x <Offset>[,<Length>]
    Specifies the position in each packet at which FW Monitor starts to capture the data.
    Optionally, it is also possible to limit the amount of data FW Monitor captures.
    - <Offset>
      Specifies how many bytes to skip from the beginning of each packet. FW Monitor starts to capture the data from each packet only after the specified number of bytes.
    - <Length>
      Specifies the maximal length of the captured packets. FW Monitor reads only the specified number of bytes from each packet.
    For example, to skip over the IP header and TCP header, enter "-x 52,96".

Inspection points in Security Gateway and in the FW Monitor output

Note - The Inbound and Outbound traffic direction relates to each specific packet, and not to the connection.

- Inbound

  Name of inspection point   Relation to the FireWall Virtual Machine   Notion of inspection point in the FW Monitor output
  Pre-Inbound                Before the inbound FireWall VM             i (for example, eth4:i)
  Post-Inbound               After the inbound FireWall VM              I (for example, eth4:I)
  Pre-Inbound VPN            Inbound before decrypt                     id (for example, eth4:id)
  Post-Inbound VPN           Inbound after decrypt                      ID (for example, eth4:ID)
  Pre-Inbound QoS            Inbound before QoS                         iq (for example, eth4:iq)
  Post-Inbound QoS           Inbound after QoS                          IQ (for example, eth4:IQ)

- Outbound

  Name of inspection point   Relation to the FireWall Virtual Machine   Notion of inspection point in the FW Monitor output
  Pre-Outbound               Before the outbound FireWall VM            o (for example, eth4:o)
  Post-Outbound              After the outbound FireWall VM             O (for example, eth4:O)
  Pre-Outbound VPN           Outbound before encrypt                    e (for example, eth4:e)
  Post-Outbound VPN          Outbound after encrypt                     E (for example, eth4:E)
  Pre-Outbound QoS           Outbound before QoS                        oq (for example, eth4:oq)
  Post-Outbound QoS          Outbound after QoS                         OQ (for example, eth4:OQ)

Generic Examples
Example 1 - Default syntax
[Expert@MyGW:0]# fw monitor
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31790
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a47
... ... ...
monitor: caught sig 2
monitor: unloading
[Expert@MyGW:0]#

Example 2 - Showing timestamps in the output for each packet

[Expert@MyGW:0]# fw monitor -T
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] 12Sep2018 19:08:05.453947 eth0:oq[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.453960 eth0:OQ[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454059 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454064 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454072 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454074 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.463165 eth0:iq[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
[vs_0][fw_1] 12Sep2018 19:08:05.463177 eth0:IQ[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
monitor: unloading
[Expert@MyGW:0]#
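As an added example (it is not part of the guide and not Check Point's code), the Python below parses the screen output format shown in Examples 1 and 2, maps the letters after the interface name to the inspection-point names from the tables above, and groups the lines by IP id so that you can see which inspection points each packet reached. It also accepts the chain-position suffix and module name that fw monitor prints when the capture point is moved with "-p" (see Example 4). The sample output is constructed from lines shown on this page plus one packet that is seen only Pre-Inbound; the names parse_capture, packet_paths and inbound_drops are chosen for this example.

```python
import re
from collections import defaultdict

# Inspection-point letters that follow "<interface>:" in fw monitor output,
# mapped to the inspection-point names from the tables in this section.
INSPECTION_POINTS = {
    "i": "Pre-Inbound", "I": "Post-Inbound",
    "id": "Pre-Inbound VPN", "ID": "Post-Inbound VPN",
    "iq": "Pre-Inbound QoS", "IQ": "Post-Inbound QoS",
    "o": "Pre-Outbound", "O": "Post-Outbound",
    "e": "Pre-Outbound VPN", "E": "Post-Outbound VPN",
    "oq": "Pre-Outbound QoS", "OQ": "Post-Outbound QoS",
}

# Packet header line: optional "-T" timestamp, optional chain position and module
# name (present when the capture point is moved with "-p"), then the IP summary.
HEADER_RE = re.compile(
    r"^\[(?P<vs>vs_\d+)\]\[(?P<inst>fw_\d+)\]\s+"
    r"(?:(?P<ts>\d{2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}\.\d{6})\s+)?"
    r"(?P<iface>[^\s:]+):(?P<point>[iIoO][dDqQ]?|[eE])(?P<pos>\d+)?"
    r"(?: \((?P<module>.*)\))?"
    r"\[(?P<caplen>\d+)\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=(?P<len>\d+) id=(?P<id>\d+)"
)

# Constructed sample, modelled on the screen output in this section: the first three
# packet lines follow Example 1, the next two Example 2 (-T), the last one Example 4 (-pi).
# IP id 31790 is seen Pre-Inbound only, to show a packet the inbound FW VM did not pass.
SAMPLE_OUTPUT = """\
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31790
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a47
[vs_0][fw_1] 12Sep2018 19:08:05.453947 eth0:oq[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.453960 eth0:OQ[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
monitor: unloading
"""


def parse_capture(text):
    """Return one dict per packet header line; status lines and "TCP: ..." lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "timestamp": d["ts"],
            "iface": d["iface"],
            "point": d["point"],
            "point_name": INSPECTION_POINTS[d["point"]],
            "chain_pos": int(d["pos"]) if d["pos"] else None,
            "module": d["module"],
            "src": d["src"],
            "dst": d["dst"],
            "proto": d["proto"],
            "len": int(d["len"]),
            "ip_id": int(d["id"]),
        })
    return packets


def packet_paths(packets):
    """Group captures by (src, dst, IP id) and list the inspection points each packet reached, in order."""
    paths = defaultdict(list)
    for p in packets:
        paths[(p["src"], p["dst"], p["ip_id"])].append(p["point"])
    return dict(paths)


def inbound_drops(packets):
    """Packets seen Pre-Inbound ("i") but never Post-Inbound ("I").

    Such a packet entered the inbound FireWall VM and did not come out of it, which is
    the pattern a rulebase or stateful-inspection drop leaves in fw monitor output."""
    return sorted(key for key, points in packet_paths(packets).items()
                  if "i" in points and "I" not in points)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_OUTPUT)
    for p in pkts:
        print(p["iface"], p["point"], p["point_name"], p["src"], "->", p["dst"], "id", p["ip_id"])
    print("not passed by inbound FW VM:", inbound_drops(pkts))
```

The "i without I" pattern is a triage hint, not proof: confirm against the gateway logs before concluding that a packet was dropped, and remember that the default capture positions only show what traverses the FireWall Virtual Machine module.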

Example 3 - Capturing only three Pre-Inbound packets at the FireWall Virtual Machine module
[Expert@MyGW:0]# fw monitor -m i -ci 3
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31905
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e683b
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31906
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e68ef
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31907
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e69a3
monitor: unloading
Read 3 inbound packets and 0 outbound packets
[Expert@MyGW:0]#

Example 4 - Inserting the FW Monitor chain module before chain module #2 and capturing only three Pre-Inbound packets
[Expert@MyGW:0]# fw ctl chain
in chain (15):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
5: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
6: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
7: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
8: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
9: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
10: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
11: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
12: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
13: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
14: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (14):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
4: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
5: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
6: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
7: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
8: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
9: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
10: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
11: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
12: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
13: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw monitor -pi 2 -ci 3
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800001 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
3: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
monitor: unloading
Read 3 inbound packets and 5 outbound packets
[Expert@MyGW:0]#

Example 5 - Showing the list of Chain Modules while FW Monitor is loaded, when you do not change the default capture positions
[Expert@MyGW:0]# fw ctl chain
in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#

Examples for the "-e" parameter

Example 1 - Capture everything

[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap

Example 2 - Capture traffic to / from specific hosts

To specify a host, you can use one of these expressions:

- Use "host(<IP_Address_in_Dotted_Decimal_format>)", which applies to both Source IP address and Destination IP address
- Use a specific Source IP address "src=<IP_Address_in_Dotted_Decimal_format>" and a specific Destination IP address "dst=<IP_Address_in_Dotted_Decimal_format>"

Example filters:

- Capture everything between host X and host Y:

  [Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

- Capture everything between hosts X,Z and hosts Y,Z in all Firewall kernel chains:

  [Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap

- Capture everything to/from host X or to/from host Y or to/from host Z:

  [Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap

Example 3 - Capture traffic to / from specific ports

Note - You must specify port numbers in Decimal format. Refer to the /etc/services file on the Security Gateway, or to the IANA Service Name and Port Number Registry.

To specify a port, you can use one of these expressions:

- Use "port(<IANA_Port_Number>)", which applies to both Source Port and Destination Port
- Use a specific Source Port "sport=<IANA_Port_Number>" and a specific Destination Port "dport=<IANA_Port_Number>"
- In addition:
  - For a specific TCP port, you can use "tcpport(<IANA_Port_Number>)", which applies to both Source TCP Port and Destination TCP Port
  - For a specific UDP port, you can use "udpport(<IANA_Port_Number>)", which applies to both Source UDP Port and Destination UDP Port

Example filters:

- Capture everything to/from port X:

  [Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "(sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

- Capture everything except port X (both ports must differ from X, so the two tests are combined with "and"):

  [Expert@HostName]# fw monitor -e "((sport!=x) and (dport!=x)), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "not (sport=x or dport=x), accept;" -o /var/log/fw_mon.cap

- Capture everything except SSH:

  [Expert@HostName]# fw monitor -e "((sport!=22) and (dport!=22)), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "not (sport=22 or dport=22), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "not tcpport(22), accept;" -o /var/log/fw_mon.cap

- Capture everything to/from host X except SSH:

  [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and (sport!=22 and dport!=22)), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) and (not (sport=22 or dport=22))), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "(host(x.x.x.x) and not tcpport(22)), accept;" -o /var/log/fw_mon.cap

- Capture everything except NTP:

  [Expert@HostName]# fw monitor -e "not udpport(123), accept;" -o /var/log/fw_mon.cap

Example 4 - Capture traffic over a specific protocol

Note - You must specify protocol numbers in Decimal format. Refer to the /etc/protocols file on the Security Gateway, or to the IANA Protocol Numbers registry.

To specify a protocol, you can use one of these expressions:
- Use "ip_p=<IANA_Protocol_Number>"
  Examples:
  - To specify the TCP protocol, use "ip_p=6"
  - To specify the UDP protocol, use "ip_p=17"
  - To specify the ICMP protocol, use "ip_p=1"
- Use "accept [9:1]=<IANA_Protocol_Number>" (matches the protocol byte at offset 9 of the IP packet)
  Examples:
  - To specify the TCP protocol with byte offset, use "accept [9:1]=6"
  - To specify the UDP protocol with byte offset, use "accept [9:1]=17"
  - To specify the ICMP protocol with byte offset, use "accept [9:1]=1"
- In addition, you can explicitly use these expressions to specify protocols:
Summary Table

Which protocol to specify    On which port(s) traffic is captured    Expression
TCP                          N/A                                     "tcp, accept;"
UDP                          N/A                                     "udp, accept;"
ICMPv4                       N/A                                     "icmp, accept;" or "icmp4, accept;"
ICMPv6                       N/A                                     "icmp6, accept;"
HTTP                         TCP 80                                  "http, accept;"
HTTPS                        TCP 443                                 "https, accept;"
PROXY                        TCP 8080                                "proxy, accept;"
DNS                          UDP 53                                  "dns, accept;"
IKE                          UDP 500                                 "ike, accept;"
NAT-T                        UDP 4500                                "natt, accept;"
ESP and IKE                  IP proto 50 and UDP 500                 "vpn, accept;"
All VPN-related data:                                                "vpnall, accept;"
  a. ESP                     a. IP proto 50
  b. IPsec over UDP          b. UDP 2746
  c. IKE                     c. UDP 500
  d. NAT-T                   d. UDP 4500
  e. CRL                     e. TCP 18264
  f. RDP                     f. UDP 259
  g. Tunnel Test             g. UDP 18234
  h. Topology                h. TCP 264
  i. L2TP                    i. TCP 1701
  j. SCV                     j. UDP 18233
  k. Multi-Portal            k. TCP 443 + TCP 444
  l. and so on               l. and so on
Multi-Portal connections     TCP 443 and TCP 444                     "multi, accept;"
SSH                          TCP 22                                  "ssh, accept;"
FTP                          TCP 20 and TCP 21                       "ftp, accept;"
Telnet                       TCP 23                                  "telnet, accept;"
SMTP                         TCP 25                                  "smtp, accept;"
POP3                         TCP 110                                 "pop3, accept;"

Example filters:

Example filters:

- Filter to capture everything on protocol X:

  [Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

- Filter to capture everything on protocol X and port Z on protocol Y:

  [Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap

- Filter to capture everything TCP between host X and host Y:

  [Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "tcp, host(x.x.x.x) or host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
  [Expert@HostName]# fw monitor -e "accept [9:1]=6 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
  [Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

Example 5 - Capture traffic with specific protocol options

Note - Refer to the $FWDIR/lib/tcpip.def file on the Security Gateway.

Summary Table for IPv4

- Source IPv4 address of the IPv4 packet
  Expression: ip_src = <IPv4_Address>
  Example: fw monitor -e "ip_src = 192.168.22.33, accept;"
- Destination IPv4 address of the IPv4 packet
  Expression: ip_dst = <IPv4_Address>
  Example: fw monitor -e "ip_dst = 192.168.22.33, accept;"
- Time To Live of the IPv4 packet
  Expression: ip_ttl = <Number>
  Example: fw monitor -e "ip_ttl = 255, accept;"
- Total Length of the IPv4 packet in bytes
  Expression: ip_len = <Length_in_Bytes>
  Example: fw monitor -e "ip_len = 64, accept;"
- TOS field of the IPv4 packet
  Expression: ip_tos = <Number>
  Example: fw monitor -e "ip_tos = 0, accept;"
- IANA Protocol Number (either in Dec or in Hex) encapsulated in the IPv4 packet
  Expression: ip_p = <IANA_Protocol_Number>
  Example for TCP: fw monitor -e "ip_p = 6, accept;"
  Examples for UDP: fw monitor -e "ip_p = 17, accept;" or fw monitor -e "ip_p = 0x11, accept;"
  Example for ICMPv4: fw monitor -e "ip_p = 1, accept;"

Summary Table for IPv6

- Source IPv6 address of the IPv6 packet
  Expression: ip_src6p = <IPv6_Address>
  Example: fw monitor -e "ip_src6p = 0:0:0:0:0:ffff:c0a8:1621, accept;"
- Destination IPv6 address of the IPv6 packet
  Expression: ip_dst6p = <IPv6_Address>
  Example: fw monitor -e "ip_dst6p = 0:0:0:0:0:ffff:c0a8:1621, accept;"
- Payload Length of the IPv6 packet in bytes
  Expression: ip_len6 = <Length_in_Bytes>
  Example: fw monitor -e "ip_len6 = 1000, accept;"
- Hop Limit ("Time To Live") of the IPv6 packet
  Expression: ip_ttl6 = <Number>
  Example: fw monitor -e "ip_ttl6 = 255, accept;"
- Next Header of the IPv6 packet (encapsulated IANA Protocol Number)
  Expression: ip_p6 = <IANA_Protocol_Number>
  Example: fw monitor -e "ip_p6 = 6, accept;"

Summary Table for TCP

- SYN flag is set in TCP packet
  Expression: syn
  Example: fw monitor -e "ip_p = 6, syn, accept;"
- ACK flag is set in TCP packet
  Expression: ack
  Example: fw monitor -e "ip_p = 6, ack, accept;"
- RST flag is set in TCP packet
  Expression: rst
  Example: fw monitor -e "ip_p = 6, rst, accept;"
- FIN flag is set in TCP packet
  Expression: fin
  Example: fw monitor -e "ip_p = 6, fin, accept;"
- First packet of TCP connection (SYN flag is set, but ACK flag is not set in TCP packet)
  Expression: first
  Example: fw monitor -e "ip_p = 6, first, accept;"
- Not the first packet of TCP connection (SYN flag is not set in TCP packet)
  Expression: not_first
  Example: fw monitor -e "ip_p = 6, not_first, accept;"
- Established TCP connection (either ACK flag is set, or SYN flag is not set in TCP packet)
  Expression: established
  Example: fw monitor -e "ip_p = 6, established, accept;"
- Last packet of TCP connection (both ACK flag and FIN flag are set in TCP packet)
  Expression: last
  Example: fw monitor -e "ip_p = 6, last, accept;"
- End of TCP connection (either RST flag is set, or FIN flag is set in TCP packet)
  Expression: tcpdone
  Example: fw monitor -e "ip_p = 6, tcpdone, accept;"
- General way to match the flags inside TCP packets
  Expression: th_flags = <Sum_of_Flags_Hex_Values>
  Examples:
    TCP Flag      Example
    SYN (0x2)     fw monitor -e "th_flags = 0x2, accept;"
    ACK (0x10)    fw monitor -e "th_flags = 0x10, accept;"
    PSH (0x8)     fw monitor -e "th_flags = 0x8, accept;"
    FIN (0x1)     fw monitor -e "th_flags = 0x1, accept;"
    RST (0x4)     fw monitor -e "th_flags = 0x4, accept;"
    URG (0x20)    fw monitor -e "th_flags = 0x20, accept;"
    SYN + ACK     fw monitor -e "th_flags = 0x12, accept;"
    PSH + ACK     fw monitor -e "th_flags = 0x18, accept;"
    FIN + ACK     fw monitor -e "th_flags = 0x11, accept;"
    RST + ACK     fw monitor -e "th_flags = 0x14, accept;"
- TCP source port
  Expression: th_sport = <Port_Number>
  Example: fw monitor -e "th_sport = 59259, accept;"
- TCP destination port
  Expression: th_dport = <Port_Number>
  Example: fw monitor -e "th_dport = 22, accept;"
- TCP sequence number (either in Dec or in Hex)
  Expression: th_seq = <Number>
  Example for Dec format: fw monitor -e "th_seq = 3937833514, accept;"
  Example for Hex format: fw monitor -e "th_seq = 0xeab6922a, accept;"
- TCP acknowledgement number (either in Dec or in Hex)
  Expression: th_ack = <Number>
  Example for Dec format: fw monitor -e "th_ack = 509054325, accept;"
  Example for Hex format: fw monitor -e "th_ack = 0x1e578d75, accept;"

Summary Table for UDP

- UDP source port
  Expression: uh_sport = <Port_Number>
  Example: fw monitor -e "uh_sport = 53, accept;"
- UDP destination port
  Expression: uh_dport = <Port_Number>
  Example: fw monitor -e "uh_dport = 53, accept;"

Summary Table for ICMPv4

- ICMPv4 packets with specified Type
  Expression: icmp_type = <Number>
  Example: fw monitor -e "icmp_type = 0, accept;"
- ICMPv4 packets with specified Code
  Expression: icmp_code = <Number>
  Example: fw monitor -e "icmp_code = 0, accept;"
- ICMPv4 packets with specified Identifier
  Expression: icmp_id = <Number>
  Example: fw monitor -e "icmp_id = 20583, accept;"
- ICMPv4 packets with specified Sequence number
  Expression: icmp_seq = <Number>
  Example: fw monitor -e "icmp_seq = 1, accept;"
- ICMPv4 Echo Request packets (Type 8, Code 0)
  Expression: echo_req
  Example: fw monitor -e "echo_req, accept;"
- ICMPv4 Echo Reply packets (Type 0, Code 0)
  Expression: echo_reply
  Example: fw monitor -e "echo_reply, accept;"
- ICMPv4 Echo Request and ICMPv4 Echo Reply packets
  Expression: ping
  Example: fw monitor -e "ping, accept;"
- Traceroute packets as implemented in Unix OS (UDP packets on ports above 30000 and with TTL<30; or ICMP Time exceeded packets)
  Expression: traceroute
  Example: fw monitor -e "traceroute, accept;"
- Traceroute packets as implemented in Windows OS (ICMP Request packets with TTL<30; or ICMP Time exceeded packets)
  Expression: tracert
  Example: fw monitor -e "tracert, accept;"
- Length of ICMPv4 packets
  Expression: icmp_ip_len = <length>
  Example: fw monitor -e "icmp_ip_len = 84, accept;"

Summary Table for ICMPv6

- ICMPv6 packets with specified Type
  Expression: icmp6_type = <Number>
  Example: fw monitor -e "icmp6_type = 1, accept;"
- ICMPv6 packets with specified Code
  Expression: icmp6_code = <Number>
  Example: fw monitor -e "icmp6_code = 3, accept;"

Example 6 - Capture specific bytes in packets

Syntax:

fw monitor -e "accept [ <Offset> : <Length> , <Byte Order> ] <Relational-Operator> <Value>;"

Parameters:

Parameter    Explanation

<Offset>
    Specifies the offset relative to the beginning of the IP packet from where the value should be read.

<Length>
    Specifies the number of bytes:
    - 1 = byte
    - 2 = word
    - 4 = dword
    If the length is not specified, FW Monitor assumes 4 (dword).

<Byte Order>
    Specifies the byte order:
    - b = big endian, or network order
    - l = little endian, or host order
    If the order is not specified, FW Monitor assumes little endian byte order.

<Relational-Operator>
    Relational operator to express the relation between the packet data and the value:
    - < - less than
    - > - greater than
    - <= - less than or equal to
    - >= - greater than or equal to
    - = or is - equal to
    - != or is not - not equal to

<Value>
    One of the data types known to INSPECT (for example, an IP address, or an integer).

Explanations:
- The IP-based protocols are stored in the IP packet as a byte at offset 9.
  - To filter based on a Protocol encapsulated into IP, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [9:1]=<IANA_Protocol_Number>;"

- The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address).
  - To filter based on a Source IP address, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [12:4,b]=<IP_Address_in_Dotted_Decimal_format>;"

  - To filter based on a Destination IP address, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [16:4,b]=<IP_Address_in_Dotted_Decimal_format>;"

- The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port).
  - To filter based on a Source port, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [20:2,b]=<Port_Number_in_Decimal_format>;"

  - To filter based on a Destination port, use this syntax:

    [Expert@HostName]# fw monitor -e "accept [22:2,b]=<Port_Number_in_Decimal_format>;"

Example filters:
- Capture everything between host X and host Y:

  [Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"

- Capture everything on port X:

  [Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap
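Added example (not from the guide and not Check Point code): a small Python evaluator for the "[<Offset>:<Length>,<Byte Order>] <op> <value>" terms above, run against a constructed IPv4 packet so a filter can be sanity-checked offline. It assumes the default length (4) and default byte order (little endian) the guide states, and that the port offsets 20 and 22 are only valid for a 20-byte IP header without options; the packet builder and SAMPLE packet are constructed for the demo.

```python
"""Evaluate fw monitor byte-offset filter terms against a raw IPv4 packet (added example)."""
import ipaddress
import re
import struct

# One term as the guide defines it: [ <Offset> : <Length> , <Byte Order> ] <op> <value>
_TERM = re.compile(
    r"\[\s*(?P<off>\d+)\s*(?::\s*(?P<len>[124]))?\s*(?:,\s*(?P<order>[bl]))?\s*\]"
    r"\s*(?P<op><=|>=|!=|<|>|=|is not|is)\s*(?P<val>[\w.]+)"
)
_OPS = {
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "is": lambda a, b: a == b,
    "!=": lambda a, b: a != b, "is not": lambda a, b: a != b,
}


def read_field(packet: bytes, offset: int, length: int = 4, order: str = "l") -> int:
    """Read <length> bytes at <offset> from the start of the IP packet, in the given byte order."""
    if offset + length > len(packet):
        raise ValueError(f"offset {offset}+{length} runs past the packet end ({len(packet)} bytes)")
    return int.from_bytes(packet[offset:offset + length], "big" if order == "b" else "little")


def parse_value(text: str) -> int:
    """A value is an integer or a dotted-decimal IPv4 address (compared as a 32-bit integer)."""
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    return int(text, 0)


def eval_term(packet: bytes, term: str) -> bool:
    """Return True when the packet satisfies one filter term such as "[22:2,b]=443"."""
    m = _TERM.fullmatch(term.strip())
    if not m:
        raise ValueError(f"cannot parse filter term: {term!r}")
    length = int(m["len"] or 4)   # guide: length defaults to 4 (dword)
    order = m["order"] or "l"     # guide: byte order defaults to little endian
    field = read_field(packet, int(m["off"]), length, order)
    return _OPS[m["op"]](field, parse_value(m["val"]))


def build_ipv4_packet(src: str, dst: str, proto: int, sport: int, dport: int, ttl: int = 64) -> bytes:
    """Constructed sample: a minimal 20-byte IPv4 header (no options) followed by the two L4 ports."""
    l4 = struct.pack("!HH", sport, dport)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4


# Constructed packet: TCP (protocol 6) from 10.1.1.5:40000 to 192.0.2.10:443
SAMPLE = build_ipv4_packet("10.1.1.5", "192.0.2.10", 6, 40000, 443)

if __name__ == "__main__":
    # "[22:2]=443" is False: without ",b" the port is read little endian, which is why
    # the guide's address and port examples all specify the b (network) byte order.
    for t in ("[9:1]=6", "[12:4,b]=10.1.1.5", "[16:4,b]=192.0.2.10",
              "[22:2,b]=443", "[20:2,b]=443", "[22:2]=443"):
        print(f"{t:22} -> {eval_term(SAMPLE, t)}")
```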

Example 7 - Capture traffic to/from specific network

You must specify the network address and length of network mask (number of bits).
There are 3 options:

To or From a network
    "net(<Network_IP_Address>, <Mask_Length>), accept;"

To a network
    "to_net(<Network_IP_Address>, <Mask_Length>), accept;"

From a network
    "from_net(<Network_IP_Address>, <Mask_Length>), accept;"

Example filters:
- Capture everything to/from network 192.168.33.0 / 24:

  [Expert@HostName]# fw monitor -e "net(192.168.33.0, 24), accept;"

- Capture everything sent to network 192.168.33.0 / 24:

  [Expert@HostName]# fw monitor -e "to_net(192.168.33.0, 24), accept;"

- Capture everything sent from network 192.168.33.0 / 24:

  [Expert@HostName]# fw monitor -e "from_net(192.168.33.0, 24), accept;"

Example 8 - Filter out irrelevant "noise"

Filter in only the TCP protocol and the HTTP and HTTPS ports, and filter out SSH (port 22) and FW Logs (port 257):

[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443));" -o /var/log/fw_mon.cap

Examples for the "-F" parameter

You can specify up to 5 capture filters with this parameter (up to 5 instances of the "-F" parameter in the syntax).
The FW Monitor performs the logical "OR" between all specified simple capture filters.
Value 0 is used as "any".

Example 1 - Capture everything

[Expert@HostName]# fw monitor -F "0,0,0,0,0" -o /var/log/fw_mon.cap

Example 2 - Capture traffic to / from specific hosts

- Capture all traffic from Source IP x.x.x.x (any port) to Destination IP y.y.y.y (any port), over all protocols:

  [Expert@HostName]# fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -o /var/log/fw_mon.cap

- Capture all traffic between Host x.x.x.x (any port) and Host y.y.y.y (any port), over all protocols:

  [Expert@HostName]# fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -F "y.y.y.y,0,x.x.x.x,0,0" -o /var/log/fw_mon.cap

Example 3 - Capture traffic to / from specific ports

- Capture traffic from any Source IP from Source Port X to any Destination IP to Destination Port Y, over all protocols:

  [Expert@HostName]# fw monitor -F "0,x,0,y,0" -o /var/log/fw_mon.cap

- Capture traffic between all hosts, between Port X and Port Y, over all protocols:

  [Expert@HostName]# fw monitor -F "0,x,0,y,0" -F "0,y,0,x,0" -o /var/log/fw_mon.cap

Example 4 - Capture traffic over specific protocol

- Capture traffic between all hosts, between all ports, over a Protocol with assigned number X:

  [Expert@HostName]# fw monitor -F "0,0,0,0,x" -o /var/log/fw_mon.cap

Example 5 - Capture traffic between specific hosts between specific ports over specific protocol

[Expert@HostName]# fw monitor -F "a.a.a.a,b,c.c.c.c,d,e" -F "c.c.c.c,d,a.a.a.a,b,e" -o /var/log/fw_mon.cap

To capture only HTTP traffic between the Client 1.1.1.1 and the Server 2.2.2.2:

fw monitor -F "1.1.1.1,0,2.2.2.2,80,6" -F "2.2.2.2,80,1.1.1.1,0,6" -o /var/log/fw_mon.cap
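Added example (not from the guide and not Check Point code): a Python model of the "-F" simple capture filter as the examples above describe it (fields src,sport,dst,dport,proto; 0 = any; at most 5 filters; logical OR between them), replayed over constructed HTTP and DNS packets. It shows why a single filter captures only one direction of the 1.1.1.1 to 2.2.2.2 HTTP session and the second filter is needed for the replies; the addresses compare as plain strings, which is an assumption of this model.

```python
"""Model of the fw monitor -F simple capture filter (added example, not Check Point code)."""
from dataclasses import dataclass

MAX_FILTERS = 5  # the guide: up to 5 instances of -F


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


@dataclass(frozen=True)
class SimpleFilter:
    src: str      # "0" = any source address
    sport: int    # 0 = any source port
    dst: str      # "0" = any destination address
    dport: int    # 0 = any destination port
    proto: int    # 0 = any IP protocol number

    @classmethod
    def parse(cls, text: str) -> "SimpleFilter":
        """Parse one -F argument of the form "src,sport,dst,dport,proto"."""
        parts = [p.strip() for p in text.split(",")]
        if len(parts) != 5:
            raise ValueError(f"-F expects 5 comma-separated fields, got {text!r}")
        src, sport, dst, dport, proto = parts
        return cls(src, int(sport), dst, int(dport), int(proto))

    def matches(self, pkt: Packet) -> bool:
        """All five fields must match; a 0 field matches anything."""
        return (
            (self.src == "0" or self.src == pkt.src)
            and (self.sport == 0 or self.sport == pkt.sport)
            and (self.dst == "0" or self.dst == pkt.dst)
            and (self.dport == 0 or self.dport == pkt.dport)
            and (self.proto == 0 or self.proto == pkt.proto)
        )


def compile_filters(texts):
    """Parse up to MAX_FILTERS -F arguments, rejecting more as fw monitor would."""
    if len(texts) > MAX_FILTERS:
        raise ValueError(f"fw monitor accepts at most {MAX_FILTERS} -F filters, got {len(texts)}")
    return [SimpleFilter.parse(t) for t in texts]


def captured(filters, pkt: Packet) -> bool:
    """fw monitor ORs the simple filters: a packet is captured if any one of them matches."""
    return any(f.matches(pkt) for f in filters)


# Constructed traffic: an HTTP request and its reply between client 1.1.1.1 and
# server 2.2.2.2, plus an unrelated DNS query that must not be captured.
REQUEST = Packet("1.1.1.1", 51000, "2.2.2.2", 80, 6)
REPLY = Packet("2.2.2.2", 80, "1.1.1.1", 51000, 6)
DNS = Packet("1.1.1.1", 52000, "2.2.2.2", 53, 17)

ONE_WAY = compile_filters(["1.1.1.1,0,2.2.2.2,80,6"])
BOTH_WAYS = compile_filters(["1.1.1.1,0,2.2.2.2,80,6", "2.2.2.2,80,1.1.1.1,0,6"])

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("dns", DNS)):
        print(f"{name:8} one-way={captured(ONE_WAY, pkt)!s:5} both-ways={captured(BOTH_WAYS, pkt)}")
```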

fw repairlog

Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases with special pointer files.
If these log pointer files become corrupted (which makes the log file unreadable), this command can rebuild them.

Security log
    Log File Location: $FWDIR/log/*.log
    Log Pointer Files: *.logptr, *.logaccount_ptr, *.loginitial_ptr, *.logLuuidDB

Audit log
    Log File Location: $FWDIR/log/*.adtlog
    Log Pointer Files: *.adtlogptr, *.adtlogaccount_ptr, *.adtloginitial_ptr, *.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file

fw repairlog -u 2019-06-17_000000.adtlog

fw sam

Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
- In SmartConsole from Monitoring Results
- In CLI with the fw sam command

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- See the "fw sam_policy" and "sam_alert" commands.
- SAM rules consume some CPU resources on the Security Gateway.
  Best Practice - Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/sam.dat file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  This data log file contains the records in one of these formats:
      <type>,<actions>,<expire>,<ipaddr>
      <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
- SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
- IP Addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:
1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.


Syntax
- To add or cancel a SAM rule according to criteria:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

- To delete all SAM rules:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

- To monitor all SAM rules:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

- To monitor SAM rules according to criteria:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway, on which the command is enforced. These messages show whether the command was successful or not.

-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.

-S <SIC Name of SAM Server>
    Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without SIC names comparison.
    - For more information about enabling SIC, refer to the OPSEC API Specification.
    - On VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway, on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or StandAlone.
    - Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
    Notes:
    - You can use this syntax only on Security Management Server or Domain Management Server.
    - VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
    - It is also possible to use this command for active SAM requests.

-C
    Cancels the fw sam command to inhibit connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds), during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for the enforced action:
    - nolog - Does not generate Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:
    - This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
    - This action does not inhibit / close connections.

-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Each inhibited connection is logged according to the log type.
    - Matching connections are rejected.

-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.

-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    - Source IP Address
    - Source Netmask
    - Destination IP Address
    - Destination Netmask
    - Port (see IANA Service Name and Port Number Registry)
    - Protocol Number (see IANA Protocol Numbers)
    Possible combinations are (see the explanations below this table):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>

Explanation for the <Criteria> syntax

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.

subany <IP> <Netmask>
    Matches either the Source IP address or the Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Netmask> <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.
    Source and Destination IP addresses are assigned according to the netmask.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, source netmask, Destination IP address, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Port> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Netmask> <Port> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.
    Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address and protocol of connections.
    Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address and protocol of connections.
    Destination IP address is assigned according to the netmask.

generic <key=val>+
    Matches the GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    - service=gtp
    - imsi
    - msisdn
    - apn
    - tunl_dst
    - tunl_dport
    - tunl_proto

fw sam_policy

Description
Manages the Suspicious Activity Policy editor that works with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 271
- "sam_alert" on page 376

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.


Syntax for IPv4

fw [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw [-d] samp
      add <options>
      batch
      del <options>
      get <options>

Syntax for IPv6

fw6 [-d] sam_policy
      add <options>
      batch
      del <options>
      get <options>

fw6 [-d] samp
      add <options>
      batch
      del <options>
      get <options>


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 282.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 295.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 297.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 300.

fw sam_policy add

Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined.
    Default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log

-t <Timeout>
    Optional.
    Specifies the time period (in seconds), during which the rule will be enforced.
    Default timeout is indefinite.

-f <Target>
    Optional.
    Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
    <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):
        [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
    See the explanations below.

quota <Quota Filter Arguments>
    Mandatory (use this quota parameter, or the ip parameter).
    Configures the Rate Limiting rule.
    Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):
    - [flush true]
    - [source-negated {true | false}] source <Source>
    - [destination-negated {true | false}] destination <Destination>
    - [service-negated {true | false}] service <Protocol and Port numbers>
    - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
    - [track <Track>]

    Important:
    - The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.
    - Explanation:
      For new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.
      The Security Gateway computes new connection rates on a per-second basis.
      At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.
      If, at some point during that 1-second period, there are too many new connections, then the Security Gateway blocks all remaining packets for the remainder of that 1-second interval.
      At the start of the next 1-second interval, the counters are reset, and the process starts over - the Security Gateway allows packets to pass again up to the point where the rule's limit is violated.


Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules

-C
    Specifies that open connections should be closed.

-s <Source IP>
    Specifies the Source IP address.

-m <Source Mask>
    Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>
    Specifies the Destination IP address.

-M <Destination Mask>
    Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>
    Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>
    Specifies the protocol number (see IANA Protocol Numbers).


Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument Description

flush true Specifies to compile and load the quota rule to the
SecureXL immediately.

[source-negated {true | Specifies the source type and its value:


false}] source <Source>
n any
The rule is applied to packets sent from all
sources.
n range:<IP Address>
or
range:<IP Address Start>-<IP
Address End>
The rule is applied to packets sent from:
l Specified IPv4 addresses (x.y.z.w)

l Specified IPv6 addresses

(xxxx:yyyy:...:zzzz)
n cidr:<IP Address>/<Prefix>
The rule is applied to packets sent from:
l IPv4 address with Prefix from 0 to 32

l IPv6 address with Prefix from 0 to 128

n cc:<Country Code>
The rule matches the country code to the
source IP addresses assigned to this
country, based on the Geo IP database.
The two-letter codes are defined in ISO
3166-1 alpha-2.
n asn:<Autonomous System Number>
The rule matches the AS number of the
organization to the source IP addresses that
are assigned to this organization, based on
the Geo IP database.
The valid syntax is ASnnnn, where nnnn is a
number unique to the specific organization.
Notes:
n Default is: source-negated false
n The source-negated true processes all
source types, except the specified type.

R80.40 CLI Reference Guide | 1130


fw sam_policy add

Argument Description

[destination-negated {true Specifies the destination type and its value:


| false}] destination
n any
<Destination>
The rule is applied to packets sent to all
destinations.
n range:<IP Address>
or
range:<IP Address Start>-<IP
Address End>
The rule is applied to packets sent to:
l Specified IPv4 addresses (x.y.z.w)

l Specified IPv6 addresses

(xxxx:yyyy:...:zzzz)
n cidr:<IP Address>/<Prefix>
The rule is applied to packets sent to:
l IPv4 address with Prefix from 0 to 32

l IPv6 address with Prefix from 0 to 128

n cc:<Country Code>
The rule matches the country code to the
destination IP addresses assigned to this
country, based on the Geo IP database.
The two-letter codes are defined in ISO
3166-1 alpha-2.
n asn:<Autonomous System Number>
The rule matches the AS number of the
organization to the destination IP addresses
that are assigned to this organization, based
on the Geo IP database.
The valid syntax is ASnnnn, where nnnn is a
number unique to the specific organization.
Notes:
n Default is: destination-negated false
n The destination-negated true will
process all destination types except the
specified type

R80.40 CLI Reference Guide | 1131


fw sam_policy add

Argument Description

[service-negated {true | Specifies the Protocol number (see IANA Protocol


false}] service <Protocol Numbers) and Port number (see IANA Service
and Port numbers> Name and Port Number Registry):
n <Protocol>
IP protocol number in the range 1-255
n <Protocol Start>-<Protocol End>
Range of IP protocol numbers
n <Protocol>/<Port>
IP protocol number in the range 1-255 and
TCP/UDP port number in the range 1-65535
n <Protocol>/<Port Start>-<Port
End>
IP protocol number and range of TCP/UDP
port numbers from 1 to 65535
Notes:
n Default is: service-negated false
n The service-negated true will process
all traffic except the traffic with the specified
protocols and ports

R80.40 CLI Reference Guide | 1132


fw sam_policy add

Argument Description

[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
  Specifies quota limits and their values.
  Note - Separate multiple quota limits with spaces.
  - concurrent-conns <Value>
    Specifies the maximal number of concurrent active connections that match this rule.
  - concurrent-conns-ratio <Value>
    Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
  - pkt-rate <Value>
    Specifies the maximum number of packets per second that match this rule.
  - pkt-rate-ratio <Value>
    Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
  - byte-rate <Value>
    Specifies the maximal total number of bytes per second in packets that match this rule.
  - byte-rate-ratio <Value>
    Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
  - new-conn-rate <Value>
    Specifies the maximal number of connections per second that match the rule.
  - new-conn-rate-ratio <Value>
    Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).

R80.40 CLI Reference Guide | 1133


fw sam_policy add

Argument Description

[track <Track>]
  Specifies the tracking option:
  - source
    Counts connections, packets, and bytes for specific source IP address, and not cumulatively for this rule.
  - source-service
    Counts connections, packets, and bytes for specific source IP address, and for specific IP protocol and destination port, and not cumulatively for this rule.

Examples
Example 1 - Rate Limiting rule with a range

fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
- This rule drops packets for all connections (-a d) that exceed the quota set by this rule, including packets for existing connections.
- This rule logs packets (-l r) that exceed the quota set by this rule.
- This rule will expire in 3600 seconds (-t 3600).
- This rule limits the rate of creation of new connections to 5 connections per second (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
  Note - The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
- This rule will be compiled and loaded on the SecureXL, together with other rules in the Suspicious Activity Monitoring (SAM) policy database immediately, because this rule includes the "flush true" parameter.

R80.40 CLI Reference Guide | 1134


fw sam_policy add

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
- This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
- This rule applies to all packets from source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.
Example 3 - Rate Limiting rule with ASN

fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
- This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
- This rule applies to all traffic (service any).
- This rule does not let any traffic through (pkt-rate 0).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:

- This rule bypasses (-a b) all packets that match this rule.
  Note - The Access Control Policy and other types of security policy rules still apply.
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (range:172.16.8.17-172.16.9.121).
- This rule applies to packets sent to TCP port 80 (service 6/80).
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
- This rule drops (-a d) all packets that match this rule.
- This rule does not log any packets (the -l r parameter is not specified).
- This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
- This rule applies to all traffic (service any).
- This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule limits the maximal number of concurrent active connections to 655/65536 =~ 1% of all active connections through the Security Gateway (concurrent-conns-ratio 655) for any traffic (service any) except (source-negated true) the connections from the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
- This rule counts connections, packets, and bytes for traffic only from sources that match this rule, and not cumulatively for this rule.
- This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.
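The following POSIX shell helper is an added example, not code from the guide or from Check Point: it validates the service argument against the grammar in the table above (a single protocol, a protocol range, protocol/port, protocol/port-range, or any), converts a percentage into the parts-per-65536 value that the *-ratio limits expect, and composes the fw samp add line for review before anything is pushed to a gateway. The function names are invented here.

```shell
#!/bin/sh
# Added example, not Check Point's code: pre-flight checks for "fw samp add ... quota" rules.
# Function names are invented here; the grammar is the one in the service/quota tables above.

# is_int_in_range VALUE MIN MAX: true if VALUE is a decimal integer within [MIN, MAX]
is_int_in_range() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# samp_validate_service SPEC
# SPEC is "any" or a comma-separated list of: <Protocol>, <Start>-<End>, <Protocol>/<Port>,
# <Protocol>/<PortStart>-<PortEnd>. Protocols are 1-255, TCP/UDP ports 1-65535.
# Prints a diagnostic and returns 1 on the first bad item; returns 0 when every item is valid.
samp_validate_service() {
    spec=$1
    [ "$spec" = "any" ] && return 0
    [ -n "$spec" ] || { echo "empty service specification"; return 1; }
    old_ifs=$IFS; IFS=,
    set -- $spec
    IFS=$old_ifs
    for item in "$@"; do
        proto=${item%%/*}
        case "$item" in
            */*) port=${item#*/} ;;
            *)   port= ;;
        esac
        case "$proto" in
            *-*)   # protocol range: both ends 1-255, ascending, and a range takes no port
                p1=${proto%-*}; p2=${proto#*-}
                is_int_in_range "$p1" 1 255 && is_int_in_range "$p2" 1 255 && [ "$p1" -le "$p2" ] ||
                    { echo "bad protocol range: $item"; return 1; }
                [ -z "$port" ] || { echo "protocol range cannot carry a port: $item"; return 1; }
                ;;
            *)
                is_int_in_range "$proto" 1 255 || { echo "bad protocol: $item"; return 1; }
                ;;
        esac
        if [ -n "$port" ]; then
            case "$port" in
                *-*)   # port range: both ends 1-65535 and ascending
                    q1=${port%-*}; q2=${port#*-}
                    is_int_in_range "$q1" 1 65535 && is_int_in_range "$q2" 1 65535 && [ "$q1" -le "$q2" ] ||
                        { echo "bad port range: $item"; return 1; }
                    ;;
                *)
                    is_int_in_range "$port" 1 65535 || { echo "bad port: $item"; return 1; }
                    ;;
            esac
        fi
    done
    return 0
}

# samp_ratio_from_percent PCT: the parts-per-65536 value for a *-ratio limit, rounded
# (1 -> 655, which is the guide's "655/65536 =~ 1%"; 100 -> 65536).
samp_ratio_from_percent() {
    echo $(( ($1 * 65536 + 50) / 100 ))
}

# samp_build_quota_rule ACTION SERVICE SOURCE LIMIT VALUE [TIMEOUT_SECONDS]
# Prints the "fw samp add" line (with logging, -l r) only if SERVICE passes validation.
# It prints the command instead of running it, so the rule can be reviewed before it is pushed.
samp_build_quota_rule() {
    action=$1; service=$2; source=$3; limit=$4; value=$5; timeout=${6:-}
    samp_validate_service "$service" >/dev/null || return 1
    cmd="fw samp add -a $action -l r"
    if [ -n "$timeout" ]; then cmd="$cmd -t $timeout"; fi
    echo "$cmd quota service $service source $source $limit $value"
}

# Stand-alone demo: the guide's Example 1 rebuilt with a 3600 s expiry, then a rejected spec.
samp_build_quota_rule d any 'range:172.16.7.11-172.16.7.13' new-conn-rate 5 3600
samp_validate_service '6/70000' || echo "(rejected as expected)"
```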

R80.40 CLI Reference Guide | 1136


fw sam_policy batch

fw sam_policy batch

Description
The "fw sam_policy batch" and "fw6 sam_policy batch" commands:
- Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
- Add and delete many Rate Limiting rules at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure
1. Start the batch mode
   - For IPv4, run:
     fw sam_policy batch << EOF
   - For IPv6, run:
     fw6 sam_policy batch << EOF

2. Enter the applicable commands
   - Enter one "add" or "del" command on each line, on as many lines as necessary. Start each line with only the "add" or "del" parameter (not with "fw samp").
   - Use the same set of parameters and values as described in these commands:
     - fw sam_policy add
     - fw sam_policy del
   - Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

3. End the batch mode
   Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
[Expert@HostName]#

fw sam_policy del

Description
The "fw sam_policy del" and "fw6 sam_policy del" commands:
- Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
- Delete one configured Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

Parameters

Parameter Description

-d
  Runs the command in debug mode.
  Use only if you troubleshoot the command itself.
  Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'
  Specifies the UID of the rule you wish to delete.
  Important:
  - The quote marks and angle brackets ('<...>') are mandatory.
  - To see the Rule UID, run the "fw sam_policy get" command.

Procedure
1. List all the existing rules in the Suspicious Activity Monitoring policy database
   - For IPv4, run:
     fw sam_policy get
   - For IPv6, run:
     fw6 sam_policy get

   The rules show in this format:

   operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log= ... name= ... comment=... originator= ... src_ip_addr=... req_tpe=...

   Example for IPv4:

   operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

2. Delete a rule from the list by its UID
   - For IPv4, run:
     fw [-d] sam_policy del '<Rule UID>'
   - For IPv6, run:
     fw6 [-d] sam_policy del '<Rule UID>'

   Example for IPv4:

   fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule
   - For IPv4, run:
     fw samp add -t 2 quota flush true
   - For IPv6, run:
     fw6 samp add -t 2 quota flush true

   Explanation:
   The "fw samp del" and "fw6 samp del" commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compile and load a policy. To force the rule deletion immediately, you must enter a flush-only rule right after the "fw samp del" or "fw6 samp del" command. This flush-only rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

   Best Practice - Specify a short timeout period for the flush-only rules. This prevents the accumulation of obsolete rules in the database.

fw sam_policy get

Description
The "fw sam_policy get" and "fw6 sam_policy get" commands:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

Parameter Description

-d
  Runs the command in debug mode.
  Use only if you troubleshoot the command itself.
  Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l
  Controls how to print the rules:
  - In the default format (without "-l"), the output shows each rule on a separate line.
  - In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
  - See the "fw sam_policy add" command.

-u '<Rule UID>'
  Prints the rule specified by its Rule UID or its zero-based rule index.
  The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'
  Prints the rules with the specified predicate key.
  The quote marks are mandatory.

-t <Type>
  Prints the rules with the specified predicate type.
  For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}
  Prints the rules with the specified predicate values.
  The quote marks are mandatory.

-n
  Negates the condition specified by these predicate parameters:
  - -k
  - -t
  - +-v

Examples
Example 1 - Output in the default format

[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 2 - Output in the list format

[Expert@HostName:0]# fw samp get -l
uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID

[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
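The following POSIX shell script is an added example, not code from the guide or from Check Point. It serves two passages at once: it parses the default-format "fw samp get" lines shown above (including the "\ "-escaped spaces in name, comment and originator values), selects rules the way the -k/-v/-n predicates do, and then emits the body you would feed to "fw samp batch" to delete those rules followed by the flush-only rule from the "fw sam_policy del" procedure. The function names are invented, and the sample output is constructed from the guide's examples.

```shell
#!/bin/sh
# Added example, not Check Point's code: parse "fw samp get" default-format output, select rules
# the way the -k/-v/-n predicates do, and emit the "fw samp batch" body that deletes them and
# adds the flush-only rule from the "fw sam_policy del" procedure. Function names are invented.

# samp_get_field KEY LINE: print the value of KEY from one "key=value key=value ..." rule line.
# Values keep their "\ "-escaped spaces (name=Test\ Rule), so split tokens are re-joined on them.
samp_get_field() {
    printf '%s\n' "$2" | awk -v key="$1" '
    {
        n = split($0, t, " ")
        cur = ""
        for (i = 1; i <= n; i++) {
            if (cur == "") cur = t[i]; else cur = cur " " t[i]
            # a token ending in a backslash was split on an escaped space: join with the next one
            if (substr(cur, length(cur), 1) == "\\") { cur = substr(cur, 1, length(cur) - 1); continue }
            eq = index(cur, "=")
            if (eq > 0 && substr(cur, 1, eq - 1) == key) { print substr(cur, eq + 1); exit }
            cur = ""
        }
    }'
}

# samp_select_uids KEY VALUE [-n]: read rule lines on stdin and print the UID of each rule whose
# KEY equals VALUE; with -n, of each rule whose KEY differs. A rule without KEY counts as
# differing (this example's choice, not documented gateway behaviour).
samp_select_uids() {
    key=$1; want=$2; negate=${3:-}
    while IFS= read -r line; do
        case "$line" in operation=add*) ;; *) continue ;; esac
        have=$(samp_get_field "$key" "$line")
        if [ "$have" = "$want" ]; then match=1; else match=0; fi
        if [ "$negate" = "-n" ]; then match=$((1 - match)); fi
        if [ "$match" -eq 1 ]; then samp_get_field uid "$line"; fi
    done
    return 0
}

# samp_build_del_batch UID...: the text to feed to "fw samp batch <<EOF": one "del" per rule, then
# the 2-second flush-only rule so SecureXL stops enforcing the deleted rules immediately.
samp_build_del_batch() {
    for uid in "$@"; do
        printf 'del %s\n' "$uid"
    done
    printf 'add -t 2 quota flush true\n'
}

# Constructed sample of "fw samp get" output, modelled on the guide's examples (the UIDs are the
# guide's; the third rule is the SAM rule from Example 1 of "fw sam_policy get").
SAMPLE_GET_OUTPUT='operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip'

# Stand-alone demo: the batch that removes every rule with "source cc:QQ" (prints, does not run).
uids=$(printf '%s\n' "$SAMPLE_GET_OUTPUT" | samp_select_uids source cc:QQ)
samp_build_del_batch $uids   # unquoted on purpose: one UID per line, and UIDs contain no spaces
```

On a gateway the printed text is what goes between "fw samp batch <<EOF" and "EOF"; review it first, because a wrong UID deletes the wrong rule.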

fw showuptables

Description
Shows the formatted contents of the Unified Policy kernel tables.

Syntax

fw [-d] showuptables
      [-h]
      [-i]

Parameters

Parameter Description

-d
  Runs the command in debug mode.
  Use only if you troubleshoot the command itself.
  Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-h
  Shows the built-in usage.

-i
  Shows the implied rules layers.

fw stat

Description
Shows the following information about the policy on the Security Gateway:
- Name of the installed policy.
- Date of the last policy installation.
- Names of the interfaces protected by the installed policy, and in which direction the policy protects them.

Important - This command is outdated and exists only for backward compatibility with very old versions. Use the "cpstat -f policy fw" command instead (see "cpstat" on page 958).

Syntax

fw [-d] stat [-l | -s] [<Name of Object>]

Parameters

Parameter Description

-d
  Runs the command in debug mode.
  Use only if you troubleshoot the command itself.
  Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

No Parameters
  Shows default output - all information is on one line.

-l
  Shows long output.
  Shows each interface and its protected traffic direction on a separate line.
  In addition, shows this information:
  - Total - Number of packets the Security Gateway received on this interface
  - Reject - Number of packets the Security Gateway rejected on this interface
  - Drop - Number of packets the Security Gateway dropped on this interface
  - Accept - Number of packets the Security Gateway accepted on this interface
  - Log - Whether Security Gateway sends its logs from this interface (0 - no, 1 - yes)

-s
  Shows short output.
  Shows each interface and its protected traffic direction on a separate line.

<Name of Object>
  Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server.
  This requires the established SIC with that Check Point computer.

Example 1 - Default output

[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost MyGW_Policy 10Sep2018 14:01:25 : [>eth0] [<eth0] [>eth1]
[Expert@MyGW:0]#

Example 2 - Short output

[Expert@MyGW:0]# fw stat -s
HOST IF POLICY DATE
localhost >eth0 MyGW_Policy 10Sep2018 14:01:25 :
localhost <eth0 MyGW_Policy 10Sep2018 14:01:25 :
localhost >eth1 MyGW_Policy 10Sep2018 14:01:25 :
[Expert@MyGW:0]#

Example 3 - Long output

[Expert@MyGW:0]# fw stat -l
HOST IF POLICY DATE TOTAL REJECT DROP ACCEPT LOG
localhost >eth0 MyGW_Policy 10Sep2018 14:01:25 : 14377 0 316 14061 1
localhost <eth0 MyGW_Policy 10Sep2018 14:01:25 : 60996 0 0 60996 0
localhost >eth1 MyGW_Policy 10Sep2018 14:01:25 : 304 0 304 0 0
[Expert@MyGW:0]#

Example 4 - Long output from the Management Server

[Expert@MGMY:0]# fw stat -l MyGW


HOST IF POLICY DATE TOTAL REJECT DROP ACCEPT LOG
MyGW >eth0 MyGW_Policy 12Sep2018 16:34:56 : 120113 0 0 120113 0
MyGW <eth0 MyGW_Policy 12Sep2018 16:34:56 : 10807 0 0 10807 0
MyGW >eth2 MyGW_Policy 12Sep2018 16:34:56 : 3 0 0 3 0
MyGW <eth2 MyGW_Policy 12Sep2018 16:34:56 : 3 0 0 3 0
[Expert@MGMT:0]#

fw tab

Description
Shows data from the specified Security Gateway kernel tables.
This command also changes the content of dynamic kernel tables. You cannot change the content of static kernel tables.
Kernel tables (also known as State tables) store data that the Firewall and other Software Blades use to inspect packets. These kernel tables are a critical component of Stateful Inspection.

Best Practices:
- Use the "fw tab -t connections -f" command to see the detailed (and more technical) information about the current connections in the Connections kernel table (ID 8158).
- Use the "fw ctl conntab" on page 1023 command to see the simplified information about the current connections in the Connections kernel table (ID 8158).

Syntax

fw [-d] tab
      {-h | -help}
      [-v] [-t <Table>] [-c | -s] [-f] [-z] [-o <Output File>] [-r] [-u | -m <Limit>] [-a -e "<Entry>"] [-x [-e "<Entry>"]] [-y] [<Name of Object>]

Parameters

Parameter Description

-d
  Runs the command in debug mode.
  Use only if you troubleshoot the command itself.
  Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
  Shows the built-in usage.

-t <Table>
  Specifies the kernel table by its name or unique ID.
  To see the names and IDs of the available kernel tables, run:
  fw tab -s
  Because the output of this command is very long, we recommend redirecting it to a file. For example:
  fw tab -s > /tmp/output.txt

-a -e "<Entry>"
  Adds the specified entry to the specified kernel table.
  If a kernel table has the expire attribute, when you add an entry with the "-a -e <Entry>" parameter, the new entry gets the default table timeout.
  You can use this parameter only on the local Security Gateway.
  Warning - If you add a wrong entry, you can make your Security Gateway unresponsive.

-c
  Shows formatted kernel table data in the common format. This is the default.

-e "<Entry>"
  Specifies the entry in the kernel table.
  Important - Each kernel table has its own internal format.

-f
  Shows formatted kernel table data. For example, shows:
  - All IP addresses and port numbers in the decimal format.
  - All dates and times in human readable format.
  Note - Each table can use a different style.
  Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.

-o <Output File>
  Saves the output in the specified file in the CL format as a Check Point Firewall log.
  You can later open this file with the "fw log" on page 1058 command.
  If you do not specify the full path explicitly, this command saves the output file in the current working directory.

-m <Limit>
  Specifies the maximal number of kernel table entries to show.
  This command counts the entries from the beginning of the kernel table.

-r
  Resolves IP addresses in the formatted output.

-s
  Shows a short summary of the kernel table data.

-u
  Specifies to show an unlimited number of kernel table entries.
  Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.

-v
  Shows the CoreXL Firewall instance number as a prefix for each line.

-x [-e <Entry>]
  Deletes all entries or the specified entry from the specified kernel table.
  You can use this parameter only on the local Security Gateway.
  Warning - If you delete a wrong entry, you can break the current connections through your Security Gateway. This includes the remote SSH connection.

-y
  Specifies not to show a prompt before Security Gateway executes a command.
  For example, this applies to the parameters "-a" and "-x".

-z
  In the Connections table (ID 8158) shows only connections in Slow Path (F2F) and the reason why acceleration is not possible for each connection. These are connections that SecureXL cannot accelerate and forwards to the Firewall.
  See the corresponding example (with the legend) below.
  Note - This parameter is available in the R80.40 Jumbo Hotfix Accumulator Take 40 and above.

<Name of Object>
  Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server.
  This requires the established SIC with that Check Point computer.
  If you do not use this parameter, the default is localhost.

Example 1 - Show the summary of all kernel tables

[Expert@MyGW:0]# fw tab -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost vsx_firewalled 0 1 1 0
localhost firewalled_list 1 2 2 0
localhost external_firewalled_list 2 0 0 0
localhost management_list 3 2 2 0
localhost external_management_list 4 0 0 0
localhost log_server_list 5 0 0 0
localhost ips1_sensors_list 6 0 0 0
localhost all_tcp_services 7 141 141 0
localhost tcp_services 8 1 1 0
... ...
localhost connections 8158 2 56 2
... ...
localhost up_251_rule_to_clob_uuid 14083 0 0 0
... ...
localhost urlf_cache_tbl 29 0 0 0
localhost proxy_outbound_conn_tbl 30 0 0 0
localhost dns_cache_tbl 31 0 0 0
localhost appi_referrer_table 32 0 0 0
localhost uc_hits_htab 33 0 0 0
localhost uc_cache_htab 34 0 0 0
localhost uc_incident_to_instance_htab 35 0 0 0
localhost fwx_cntl_dyn_ghtab 36 0 0 0
localhost frag_table 37 0 0 0
localhost dos_blacklist_notifs 38 0 0 0
[Expert@MyGW:0]#

Example 2 - Show the raw data from the Connections table

[Expert@MyGW:0]# fw tab -t connections
localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs
21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002,
000001e1, 00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff,
ffffffff, 02007800, 000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000; 1996/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d,
c0a8cc28, 00000016, 00000006> (00000805)
<00000000, c0a8cc01, 0000c9f6, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002,
000001e1, 00000000, 5b9679de, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff,
ffffffff, 02007800, 000f9000, 00000080, 00000000, 00000000, 38edaa98, ffffc200, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000; 3597/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000c9f6, 00000006> -> <00000000, c0a8cc01, 0000c9f6,
c0a8cc28, 00000016, 00000006> (00000805)
[Expert@MyGW:0]#
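The following POSIX shell script is an added example, not code from the guide or from Check Point: it decodes the raw Connections table entries shown in Example 2 into readable 5-tuples. The field order of the key (direction, source IP, source port, destination IP, destination port, IP protocol, all in hex) is inferred here by matching the raw entry above against the "-f" output in Example 3 (c0a8cc01 = 192.168.204.1, 0000d28d = 53901, 00000016 = 22, 00000006 = tcp); the function names are invented, and the sample lines are constructed from the guide's entry.

```shell
#!/bin/sh
# Added example, not Check Point's code: decode raw "fw tab -t connections" entries into readable
# 5-tuples. The key field order (direction, src IP, src port, dst IP, dst port, protocol; all hex)
# is inferred from matching the raw entry with the "-f" output on the next page. Names invented.

# fwtab_hex2ip HEX8: 8 hex digits to dotted-quad, e.g. c0a8cc28 -> 192.168.204.40
fwtab_hex2ip() {
    h=$1
    a=${h%??????}; r=${h#??}; b=${r%????}; r=${r#??}; c=${r%??}; d=${r#??}
    printf '%d.%d.%d.%d\n' "$((0x$a))" "$((0x$b))" "$((0x$c))" "$((0x$d))"
}

# fwtab_proto NUMBER: IANA protocol number to the name "fw tab -f" prints, or proto<N> if unknown
fwtab_proto() {
    case "$1" in
        1)  echo icmp ;;
        6)  echo tcp ;;
        17) echo udp ;;
        *)  echo "proto$1" ;;
    esac
}

# fwtab_decode_key "DIR, SRC, SPORT, DST, DPORT, PROTO": the six comma-separated hex key fields
# -> "dir=0 192.168.204.1:53901 -> 192.168.204.40:22 tcp"
fwtab_decode_key() {
    old_ifs=$IFS; IFS=', '
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "unexpected key with $# fields"; return 1; }
    printf 'dir=%d %s:%d -> %s:%d %s\n' "$((0x$1))" "$(fwtab_hex2ip "$2")" "$((0x$3))" \
        "$(fwtab_hex2ip "$4")" "$((0x$5))" "$(fwtab_proto "$((0x$6))")"
}

# fwtab_decode_line LINE: decode one logical line of the raw table dump:
#   <key; value fields...; elapsed/timeout>   a connection entry with its expiry counter
#   <key> -> <key> (flags)                    a link from the reverse direction to the entry
fwtab_decode_line() {
    line=$1
    case "$line" in
        '<'*'> -> <'*)
            k1=${line#'<'}; k1=${k1%%'>'*}
            k2=${line#*'-> <'}; k2=${k2%%'>'*}
            printf 'link: %s  =>  %s\n' "$(fwtab_decode_key "$k1")" "$(fwtab_decode_key "$k2")"
            ;;
        '<'*';'*'>')
            k=${line#'<'}; k=${k%%';'*}
            expiry=${line%'>'}; expiry=${expiry##*'; '}
            printf '%s expires=%s\n' "$(fwtab_decode_key "$k")" "$expiry"
            ;;
        *)
            printf 'unparsed: %s\n' "$line"
            ;;
    esac
}

# Constructed sample: the first entry of the guide's Example 2, shortened to a few value fields,
# plus its link line, each on one logical line as the gateway prints them.
SAMPLE_RAW_ENTRY='<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002; 1996/3600>'
SAMPLE_RAW_LINK='<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006> (00000805)'

# Stand-alone demo
fwtab_decode_line "$SAMPLE_RAW_ENTRY"
fwtab_decode_line "$SAMPLE_RAW_LINK"
```

Because the gateway wraps nothing itself, feed the decoder one logical entry per line; the wrapping in the printed example is page layout.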

Example 3 - Show the formatted data from the Connections table

[Expert@MyGW:0]# fw tab -t connections -f
Using cptfmt
Formatting table's data - this might take a while...

localhost:
Date: Sep 10, 2018
20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_
Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive
aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152,
unlimited; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily:
Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction:
1; Source: 192.168.204.40; SPort: 55411; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_
sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1;
Ifnsout: 1; Bits: 0000780000000000; Expires: 2/40; LastUpdateTime: 10Sep2018 20:30:48;
ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction:
0; Source: 192.168.204.1; SPort: 53901; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_
sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1;
Ifnsout: -1; Bits: 02007800000f9000; Expires: 2002/3600; LastUpdateTime: 10Sep2018 20:30:48;
ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction:
1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 53901; Protocol: tcp; CPTFMT_
sep_1: ->; Direction_1: 0; Source_1: 192.168.204.1; SPort_1: 53901; Dest_1: 192.168.204.40;
DPort_1: 22; Protocol_1: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 20:30:48; ProductName:
VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction:
0; Source: 192.168.204.1; SPort: 51702; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_
sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1;
Ifnsout: -1; Bits: 02007800000f9000; Expires: 3600/3600; LastUpdateTime: 10Sep2018 20:30:48;
ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction:
1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 51702; Protocol: tcp; CPTFMT_
sep_1: ->; Direction_1: 0; Source_1: 192.168.204.1; SPort_1: 51702; Dest_1: 192.168.204.40;
DPort_1: 22; Protocol_1: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 20:30:48; ProductName:
VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction:
0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 55411; Protocol: udp; CPTFMT_
sep_1: ->; Direction_2: 1; Source_2: 192.168.204.40; SPort_2: 55411; Dest_2: 192.168.204.1;
DPort_2: 53; Protocol_2: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 20:30:48; ProductName:
VPN-1 & FireWall-1; ProductFamily: Network;
[Expert@MyGW:0]#


Example 4 - Show only two entries from the Connections table

[Expert@MyGW:0]# fw tab -t connections -m 2
localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs
21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002,
000001e1, 00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff,
ffffffff, 02007800, 000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000; 1961/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d,
c0a8cc28, 00000016, 00000006> (00000805)
...(4 More)
[Expert@MyGW:0]#


Example 5 - Show the raw data from the Connections table and show the IDs of CoreXL Firewall instances for each entry

[Expert@MyGW:0]# fw tab -t 8158 -v
localhost:
-------- connections --------
dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs
21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
[fw_0] <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> -> <00000000, c0a803f0,
00008652, c0a80335, 00004710, 00000006> (00000805)
[fw_0] <00000001, c0a80335, 00008adf, c0a803f0, 0000470f, 00000006; 0002d001, 00046000,
10000000, 0000000e, 00000000, 5b9a4129, 00030000, 3503a8c0, c0000000, ffffffff, ffffffff,
00000001, 00000001, 00000800, 00000000, 80008080, 00000000, 00000000, 338ea330, ffffc200,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000; 3162/3600>
[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006; 0001c001, 00044000,
12000000, 0000000f, 00000000, 5b8fed6a, 00030001, 3503a8c0, c0000000, 00000001, 00000001,
ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 337b0978, ffffc200,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000; 3599/3600>
[fw_0] <00000000, c0a803f0, 0000470f, c0a80335, 00008adf, 00000006> -> <00000001, c0a80335,
00008adf, c0a803f0, 0000470f, 00000006> (00000806)
[fw_0] <00000001, c0a80334, 00004710, c0a803f0, 0000a659, 00000006> -> <00000000, c0a803f0,
0000a659, c0a80334, 00004710, 00000006> (00000805)
[fw_0] <00000000, c0a803f0, 0000a659, c0a80334, 00004710, 00000006; 0001c001, 00044100,
12000000, 0000000f, 00000000, 5b8feabb, 0000007a, 3403a8c0, c0000000, ffffffff, ffffffff,
ffffffff, ffffffff, 00000000, 10000000, 04000080, 00000000, 00000000, 3364aed0, ffffc200,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000; 3484/3600>
[fw_1] <00000001, c0a80334, 00004710, c0a803f0, 0000bc74, 00000006> -> <00000000, c0a803f0,
0000bc74, c0a80334, 00004710, 00000006> (00000805)
[fw_1] <00000001, c0a80335, 00000016, ac14a810, 0000e056, 00000006> -> <00000000, ac14a810,
0000e056, c0a80335, 00000016, 00000006> (00000805)
[fw_1] <00000000, ac14a810, 0000e056, c0a80335, 00000016, 00000006; 0001c001, 00044000,
00000003, 000001df, 00000000, 5b9a3832, 00030000, 3503a8c0, c0000001, 00000001, 00000001,
ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 33410370, ffffc200,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000; 3600/3600>
[fw_1] <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006; 0001c001, 00044100,
12000000, 0000000f, 00000000, 5b8fe89b, 00000001, 3403a8c0, c0000001, ffffffff, ffffffff,
ffffffff, ffffffff, 00000000, 10000000, 04000080, 00000000, 00000000, 335841e0, ffffc200,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000; 3600/3600>
[fw_2] <00000000, c0a803f0, 0000ab74, c0a80335, 00004710, 00000006; 0001c001, 00044000,
12000000, 0000000f, 00000000, 5b8fed7e, 00030000, 3503a8c0, c0000002, 00000001, 00000001,
ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 33337660, ffffc200,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000; 3556/3600>
[fw_2] <00000001, c0a80335, 00004710, c0a803f0, 0000ab74, 00000006> -> <00000000, c0a803f0,
0000ab74, c0a80335, 00004710, 00000006> (00000805)
[fw_2] <00000001, c0a80335, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000,
00001fb4, c0a80335, 00001fb4, 00000011> (00000805)
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000,
00000003, 00000028, 00000000, 5b8fed76, 00030000, 3503a8c0, c0000002, 00000001, ffffffff,
ffffffff, ffffffff, 00000800, 08000000, 00000084, 00000000, 00000000, 336d4e30, ffffc200,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000; 38/40>
[fw_2] <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011; 00010001, 00004100,
00000003, 00000028, 00000000, 5b8fed72, 0000025f, 3403a8c0, c0000002, ffffffff, ffffffff,
ffffffff, ffffffff, 00000000, 10000000, 04000084, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000; 39/40>
[fw_2] <00000001, c0a80334, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000,
00001fb4, c0a80334, 00001fb4, 00000011> (00000805)
Table fetched in 3 chunks
[Expert@MyGW:0]#
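The raw entries above are easier to read once decoded. As an added example that is not part of this guide or of Check Point's software, the following Python script parses "fw tab -t connections" output (with or without the "-v" instance prefix), re-joins entries the terminal wrapped across lines, converts the hex key into addresses, ports and protocol number, separates data entries from link entries, and counts connections per CoreXL instance; the sample output is constructed in the style of Example 5 with the data block shortened.

```python
"""Decode raw "fw tab -t connections" entries (added example, not Check Point code).
Key layout as printed above: <dir, src, sport, dst, dport, proto>, six 32-bit big-endian
hex words. A data entry continues with "; <fields>; <left>/<max>"; a link entry points at
its peer key with "-> <key> (<flags>)". The [fw_N] prefix appears only with -v."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of Example 5: the per-connection data block is
# shortened, and entries wrap across lines the way the terminal prints them.
SAMPLE_OUTPUT = """\
localhost:
-------- connections --------
dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging
[fw_0] <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> -> <00000000, c0a803f0,
00008652, c0a80335, 00004710, 00000006> (00000805)
[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006; 0001c001, 00044000,
12000000, 0000000f, 00000000, 5b8fed6a, 00030001, 3503a8c0, c0000000; 3599/3600>
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000,
00000003; 38/40>
Table fetched in 3 chunks
"""

Key = Tuple[int, str, int, str, int, int]  # (dir, src, sport, dst, dport, proto)
_HEX8 = r"[0-9a-f]{8}"
_KEY = rf"{_HEX8}(?:,\s*{_HEX8}){{5}}"
_ENTRY_RE = re.compile(
    rf"(?:\[(?P<inst>fw_\d+)\]\s*)?<(?P<key>{_KEY})"                   # prefix + key
    rf"(?:;\s*(?P<data>[^>]*?);\s*(?P<left>\d+)/(?P<max>\d+))?>"        # data entry tail
    rf"(?:\s*->\s*<(?P<target>{_KEY})>\s*\((?P<flags>{_HEX8})\))?",     # link entry tail
    re.IGNORECASE,
)
_PROTO = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}


@dataclass
class ConnEntry:
    instance: Optional[str]      # CoreXL instance from the [fw_N] prefix, if any
    key: Key
    kind: str                    # "data" (full record) or "link" (pointer to peer)
    expires: Optional[int]       # seconds left before the entry ages out
    max_expire: Optional[int]    # timeout this connection was given
    link_target: Optional[Key]
    flags: Optional[int]


def decode_key(text: str) -> Key:
    """'00000000, c0a8cc01, 0000d28d, ...' -> (0, '192.168.204.1', 53901, ...)."""
    direction, src, sport, dst, dport, proto = (int(w, 16) for w in re.split(r",\s*", text.strip()))
    return (direction, str(ipaddress.IPv4Address(src)), sport,
            str(ipaddress.IPv4Address(dst)), dport, proto)


def parse_connections(output: str) -> List[ConnEntry]:
    """Parse every <...> entry, first re-joining the lines the terminal wrapped."""
    flat = " ".join(line.strip() for line in output.splitlines())
    entries = []
    for m in _ENTRY_RE.finditer(flat):
        is_link = m.group("target") is not None
        entries.append(ConnEntry(
            instance=m.group("inst"),
            key=decode_key(m.group("key")),
            kind="link" if is_link else "data",
            expires=int(m.group("left")) if m.group("left") else None,
            max_expire=int(m.group("max")) if m.group("max") else None,
            link_target=decode_key(m.group("target")) if is_link else None,
            flags=int(m.group("flags"), 16) if is_link else None,
        ))
    return entries


def describe(e: ConnEntry) -> str:
    """One readable line per entry, in the spirit of the cptfmt (-f) and -z views."""
    direction, src, sport, dst, dport, proto = e.key
    side = "request" if direction == 0 else "response"   # Dir 0 = client to server
    head = f"{e.instance or '-'} {_PROTO.get(proto, str(proto))} {src}:{sport} -> {dst}:{dport} ({side})"
    return head + (" [link]" if e.kind == "link" else f" expires {e.expires}/{e.max_expire}")


def connections_per_instance(entries: List[ConnEntry]) -> Dict[str, int]:
    """Count real (data) entries per CoreXL instance; link entries are not connections."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.kind == "data":
            counts[e.instance or "-"] = counts.get(e.instance or "-", 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_connections(SAMPLE_OUTPUT)
    for entry in parsed:
        print(describe(entry))
    print(connections_per_instance(parsed))
```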


Example 6 - Show only Slow Path (F2F) entries from the Connections table

Legend

Column          Description

Dir             The direction of the connection:
                - 0 - Client to Server (request)
                - 1 - Server to Client (response)

Source IP       Source IP address of the connection.

SPort           Source Port of the connection.
                See IANA Service Name and Port Number Registry.

Destination IP  Destination IP address of the connection.

DPort           Destination Port of the connection.
                See IANA Service Name and Port Number Registry.

PR              Protocol number of the connection:
                - 6 - TCP
                - 17 - UDP
                See IANA Protocol Numbers.

FW State        Connection state in the Firewall.

Expires         How many seconds remain before the connection expires (based on
                the maximum expiration time). Also, refer to the "Duration" column.
                For example, 1990/3600 means:
                - The maximum expiration time is 3600 seconds.
                - If the connection remains idle for the next 1990 seconds, it
                  expires from the Firewall Connections table.

SXL ID          SecureXL Instance ID. Currently not used.

Reason          Reason why SecureXL cannot accelerate this connection.

Total Pkts      The number of packets transferred in this connection.

Total Bytes     The number of bytes transferred in this connection.

Duration        How many seconds this connection is open.
                Also, refer to the "Expires" column.

Last Seen       How many seconds passed since the last packet transferred in this
                connection.

[Expert@MyGW:0]# fw tab -t connections -z

Dir Source IP       SPort Destination IP  DPort PR FW State        Expires       SXL ID Reason                           Total Pkts Total Bytes Duration   Last Seen
--- --------------- ----- --------------- ----- -- --------------- ------------- ------ -------------------------------- ---------- ----------- ---------- -----------
1   172.23.7.34     60660 172.23.39.5     53    17 UDP             3/40          N/A    Local connection                 2          601B        37s        37s
1   172.23.7.34     22    172.20.38.105   65509 6  Link
0   172.20.38.105   64285 172.23.7.34     22    6  TCP Estab.      3600/3600     N/A    Local incoming connection        192        20.16KB     38s        0s
0   172.23.7.86     67    255.255.255.255 68    17 UDP             30/40         N/A    Local incoming connection        556        178.09KB    107h58m33s 9s
0   172.20.38.105   65509 172.23.7.34     22    6  TCP Estab.      1990/3600     N/A    Local incoming connection        122        27.15KB     107h58m27s 107h53m54s
0   0.0.0.0         0     224.0.0.1       0     2  IGMP            21/60         N/A    Local incoming connection        1          36B         107h27m43s 107h27m43s
1   172.23.7.34     22    172.20.38.105   64285 6  Link
0   172.23.39.5     53    172.23.7.34     60660 17 Link
0   172.23.39.5     53    172.23.7.34     60048 17 Link
1   172.23.7.34     18192 172.23.7.32     47062 6  Link
0   172.20.38.105   64286 172.23.7.34     22    6  TCP Estab.      3567/3600     N/A    Local incoming connection        44         10.58KB     33s        33s
0   172.23.7.32     47062 172.23.7.34     18192 6  TCP Estab.      3591/3600     N/A    Local incoming connection        40         12.57KB     9s         9s
1   172.23.7.34     60048 172.23.39.5     53    17 UDP             2/40          N/A    Local connection                 2          602B        38s        38s
1   172.23.7.34     22    172.20.38.105   64286 6  Link
1   172.23.7.34     52786 172.23.39.5     53    17 UDP             2/40          N/A    Local connection                 2          553B        38s        38s
[Expert@MyGW:0]#

fw unloadlocal

Description
Uninstalls all policies from the Security Gateway or Cluster Member.

Warning:
1. The "fw unloadlocal" command prevents all traffic from passing through the Security Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the Security Gateway (Cluster Member).
2. The "fw unloadlocal" command removes all policies from the Security Gateway (Cluster Member). This means that the Security Gateway (Cluster Member) accepts all incoming connections destined to all active interfaces without any filtering or protection enabled.

Notes
- If it is necessary to remove the current policy, but keep the Security Gateway (Cluster Member) protected, then run the "comp_init_policy" on page 913 command on the Security Gateway (Cluster Member).
- To load the policies on the Security Gateway (Cluster Member), run one of these commands on the Security Gateway (Cluster Member), or reboot:
  - "fw fetch" on page 1048
  - "cpstart" on page 957
- See the related command "fwm unload" on page 336.

Syntax

fw [-d] unloadlocal

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall
Policy name: My_Policy
Policy install time: Tue Oct 23 18:23:14 2018
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw unloadlocal
Uninstalling Security Policy from all.all@MyGW
Done.
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall
Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw fetch localhost
Installing Security Policy My_Policy on all.all@MyGW
Fetching Security Policy from localhost succeeded
[Expert@MyGW:0]#

fw up_execute

Description
Executes the offline Unified Policy.
This command only supports:
- Source IP address, Destination IP address, and objects that contain an IP address
- Simple services objects (based on destination port, source port, and protocol)
- Protocol detection
- Application detection

These are not supported:
- Implied rules
- All other objects (Security Zone, Access Roles, Domain Objects, Updatable Objects, Dynamic Objects, Other/DCERPC service, Content awareness, VPN, Resource, Mobile Access application, Time Objects, and so on)

Syntax

fw [-d] up_execute ipp=<IANA Protocol Number> [src=<Source IP>] [dst=<Destination IP>] [sport=<Source Port>] [dport=<Destination Port>] [protocol=<Protocol Detection Name>] [application=<Application/Category Name 1> [application=<Application/Category Name 2> ...]]

Parameters

Parameter                                 Description

No Parameters                             Shows the built-in usage.

-d                                        Runs the command in debug mode.
                                          Use only if you troubleshoot the command itself.
                                          Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

ipp=<IANA Protocol Number>                IANA Protocol Number in the Hexadecimal format.
                                          Important - This parameter is always mandatory.
                                          For example:
                                          - TCP = 6
                                          - UDP = 17
                                          - ICMP = 1
                                          See IANA Protocol Numbers.

src=<Source IP>                           Source IP address.

dst=<Destination IP>                      Destination IP address.

sport=<Source Port>                       Source Port number in the Decimal format.
                                          See IANA Service Name and Port Number Registry.

dport=<Destination Port>                  Destination Port number in the Decimal format.
                                          Important - This parameter is mandatory for the TCP (6) and UDP (17) protocols.
                                          See IANA Service Name and Port Number Registry.

protocol=<Protocol Detection Name>        Protocol detection name (HTTP, HTTPS, and so on).

application=<Application/Category Name>   Name of the Application/Category as defined in SmartConsole.
                                          You can specify multiple applications.


Example 1

[Expert@MyGW:0]# fw up_execute src=126.200.49.240 dst=10.1.1.1 ipp=1

Rulebase execution ended successfully.


Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215

[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# fw up_execute src=10.1.1.1 ipp=6 dport=8080 protocol=HTTP application=Facebook application=Opera

Rulebase execution ended successfully.


Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215

[Expert@MyGW:0]#
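As an added example that is not part of this guide or of Check Point's software, the Python helper below assembles a "fw up_execute" command line according to the parameter table above (it refuses TCP or UDP probes that have no dport), parses the command's output into overall and per-layer results, and compares the resulting action with what the policy is expected to do; the sample output is constructed in the shape of Example 1 (shortened), and the Facebook and Opera names are taken from Example 2.

```python
"""Build and check "fw up_execute" runs (added example, not Check Point code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample in the shape of Example 1 above (clob mask lines omitted).
SAMPLE_OUTPUT = """\
Rulebase execution ended successfully.

Overall status:
----------------
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215
"""

@dataclass
class LayerResult:
    name: str
    layer_id: int
    status: str
    action: str
    matched_rule: Optional[int]
    possible_rules: List[int]

@dataclass
class ExecResult:
    succeeded: bool            # "Rulebase execution ended successfully." was printed
    status: str                # overall Match status
    action: str                # overall Match action
    layers: List[LayerResult]

def build_command(ipp: int, src: Optional[str] = None, dst: Optional[str] = None,
                  sport: Optional[int] = None, dport: Optional[int] = None,
                  protocol: Optional[str] = None, applications: Iterable[str] = ()) -> List[str]:
    """argv for fw up_execute, enforcing the parameter table: ipp is always mandatory
    and dport is mandatory for TCP (6) and UDP (17); application= may repeat."""
    if ipp in (6, 17) and dport is None:
        raise ValueError("dport is mandatory for TCP (6) and UDP (17)")
    argv = ["fw", "up_execute", f"ipp={ipp}"]
    for name, value in (("src", src), ("dst", dst), ("sport", sport),
                        ("dport", dport), ("protocol", protocol)):
        if value is not None:
            argv.append(f"{name}={value}")
    argv.extend(f"application={app}" for app in applications)
    return argv

def _key_values(block: str) -> Dict[str, str]:
    """'Match status: MATCH' lines -> dict; ruler lines ('-----') are skipped."""
    pairs: Dict[str, str] = {}
    for line in block.splitlines():
        if ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def parse_up_execute(output: str) -> ExecResult:
    """Split the output into the overall block and one block per 'Layer name:'."""
    overall_text, _, layers_text = output.partition("Per Layer:")
    overall = _key_values(overall_text.partition("Overall status:")[2])
    layers = []
    for block in re.split(r"(?=^Layer name:)", layers_text, flags=re.M):
        kv = _key_values(block)
        if "Layer name" not in kv:
            continue
        layers.append(LayerResult(
            name=kv["Layer name"], layer_id=int(kv["Layer id"]),
            status=kv["Match status"], action=kv["Match action"],
            matched_rule=int(kv["Matched rule"]) if kv.get("Matched rule") else None,
            possible_rules=[int(r) for r in kv.get("Possible rules", "").split()],
        ))
    return ExecResult("ended successfully" in output, overall.get("Match status", ""),
                      overall.get("Match action", ""), layers)

def verify(expected_action: str, output: str) -> Optional[str]:
    """None when the rulebase matched with the expected action, else the reason."""
    result = parse_up_execute(output)
    if not result.succeeded:
        return "rulebase execution did not end successfully"
    if result.status != "MATCH":
        return f"no match (status {result.status!r})"
    if result.action != expected_action:
        hits = ", ".join(f"{lr.name}: rule {lr.matched_rule} -> {lr.action}" for lr in result.layers)
        return f"expected {expected_action}, got {result.action} ({hits})"
    return None

if __name__ == "__main__":
    print(" ".join(build_command(6, src="10.1.1.1", dport=8080, protocol="HTTP",
                                 applications=("Facebook", "Opera"))))
    print(verify("Accept", SAMPLE_OUTPUT))  # None: the constructed output is an Accept match
```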

fw ver

Description
Shows this information about the Security Gateway software:
- Major version
- Minor version
- Build number
- Kernel build number

Syntax

fw [-d] ver [-k] [-f <Output File>]

Parameters

Parameter         Description

-d                Runs the command in debug mode.
                  Use only if you troubleshoot the command itself.
                  Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

ver               Shows:
                  - Major version
                  - Minor version
                  - Build number

-k                Shows:
                  - Major version
                  - Minor version
                  - Build number
                  - Kernel build number

-f <Output File>  Saves the output to the specified file.
                  If you do not specify the full path explicitly, this command saves the output file in the current working directory.


Example 1

[Expert@MyGW:0]# fw ver -k
This is Check Point's software version R80.40 - Build 123
[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# fw ver -k
This is Check Point's software version R80.40 - Build 456
[Expert@MyGW:0]#

fwboot
Description
Configures Check Point boot options.

Important - Most of these commands are for Check Point use only.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot
bootconf <options>
corexl <options>
cpuid <options>
default <options>
fwboot_ipv6 <options>
fwdefault <options>
ha_conf <options>
ht <options>
multik_reg <options>
post_drv <options>

Parameters

Parameter              Description

bootconf <options>     Shows and configures the security boot options.
                       See "fwboot bootconf" on page 1172.

corexl <options>       Configures and monitors the CoreXL.
                       See "fwboot corexl" on page 1176.

cpuid <options>        Shows the number of available CPUs and CPU cores on this Security Gateway.
                       See "fwboot cpuid" on page 1183.

default <options>      Loads the specified Default Filter policy on this Security Gateway.
                       See "fwboot default" on page 1185.

fwboot_ipv6 <options>  Shows the internal memory address of the hook function for the specified CoreXL Firewall instance.
                       See "fwboot fwboot_ipv6" on page 1186.

fwdefault <options>    Loads the specified Default Filter policy on this Security Gateway.
                       See "fwboot fwdefault" on page 1187.

ha_conf <options>      Configures the cluster mechanism during boot.
                       See "fwboot ha_conf" on page 1188.

ht <options>           This command is obsolete and not supported.
                       See "fwboot ht" on page 1189.

multik_reg <options>   Shows the internal memory address of the registration function for the specified CoreXL Firewall instance.
                       See "fwboot multik_reg" on page 1190.

post_drv <options>     Loads the Firewall driver for CoreXL during boot.
                       See "fwboot post_drv" on page 1192.

fwboot bootconf

Description
Configures boot security options.

Notes:
- You must run this command from the Expert mode.
- The settings are saved in the $FWDIR/boot/boot.conf file.
  Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only with this command.
- Refer to these related commands:
  - "fwboot corexl" on page 1176
  - "control_bootsec" on page 917

Syntax to show the current boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf
get_corexl
get_core_override
get_def
get_ipf
get_ipv6
get_kernnum
get_kern6num

Syntax to configure the boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf
set_corexl {0 | 1}
set_core_override <number>
set_def [</path/filename>]
set_ipf {0 | 1}
set_ipv6 {0 | 1}
set_kernnum <number>
set_kern6num <number>

Parameters

Parameter                    Description

No Parameters                Shows the built-in help with available parameters.

get_corexl                   Shows if the CoreXL is enabled or disabled:
                             - 0 - disabled
                             - 1 - enabled
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the COREXL_INSTALLED.

get_core_override            Shows the number of overriding CPU cores.
                             The SMT (HyperThreading) feature (sk93000) uses this configuration to set the number of CPU cores after reboot.
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CORE_OVERRIDE.

get_def                      Shows the configured path and the name of the Default Filter policy file (default is $FWDIR/boot/default.bin).
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the DEFAULT_FILTER_PATH.

get_ipf                      Shows if the IP Forwarding during boot is enabled or disabled:
                             - 0 - disabled (Security Gateway does not forward traffic between its interfaces during boot)
                             - 1 - enabled
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CTL_IPFORWARDING.

get_ipv6                     Shows if the IPv6 support is enabled or disabled:
                             - 0 - disabled
                             - 1 - enabled
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the IPV6_INSTALLED.

get_kernnum                  Shows the configured number of IPv4 CoreXL Firewall instances.
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN_INSTANCE_NUM.

get_kern6num                 Shows the configured number of IPv6 CoreXL Firewall instances.
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN6_INSTANCE_NUM.

set_corexl {0 | 1}           Enables or disables CoreXL:
                             - 0 - disables
                             - 1 - enables
                             Notes:
                             - In the $FWDIR/boot/boot.conf file, refer to the value of the COREXL_INSTALLED.
                             - To configure CoreXL, use the "cpconfig" on page 936 menu.

set_core_override <number>   Configures the number of overriding CPU cores.
                             The SMT (HyperThreading) feature (sk93000) uses this configuration to set the number of CPU cores after reboot.
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CORE_OVERRIDE.

set_def [</path/filename>]   Configures the path and the name of the Default Filter policy file (default is $FWDIR/boot/default.bin).
                             Notes:
                             - In the $FWDIR/boot/boot.conf file, refer to the value of the DEFAULT_FILTER_PATH.
                             - If you do not specify the path and the name explicitly, then the value of the DEFAULT_FILTER_PATH is set to 0. As a result, Security Gateway does not load a Default Filter during boot.
                             Best Practice - The best location for this file is the $FWDIR/boot/ directory.

set_ipf {0 | 1}              Configures the IP forwarding during boot:
                             - 0 - disables (forbids the Security Gateway to forward traffic between its interfaces during boot)
                             - 1 - enables
                             Note - In the $FWDIR/boot/boot.conf file, refer to the value of the CTL_IPFORWARDING.

set_ipv6 {0 | 1}             Enables or disables the IPv6 Support:
                             - 0 - disables
                             - 1 - enables
                             Notes:
                             - In the $FWDIR/boot/boot.conf file, refer to the value of the IPV6_INSTALLED.
                             - Configure the IPv6 Support in Gaia Portal, or Gaia Clish. See the R80.40 Gaia Administration Guide.

set_kernnum <number>         Configures the number of IPv4 CoreXL Firewall instances.
                             Notes:
                             - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN_INSTANCE_NUM.
                             - To configure CoreXL, use the "cpconfig" on page 936 menu.

set_kern6num <number>        Configures the number of IPv6 CoreXL Firewall instances.
                             Notes:
                             - In the $FWDIR/boot/boot.conf file, refer to the value of the KERN6_INSTANCE_NUM.
                             - To configure CoreXL, use the "cpconfig" on page 936 menu.

fwboot corexl

Description
Configures and monitors the CoreXL.

Note - The settings are saved in the $FWDIR/boot/boot.conf file.

Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only with this command.

Syntax to show CoreXL configuration

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl
core_count
curr_instance4_count
curr_instance6_count
def_instance4_count
def_instance6_count
eligible
installed
max_instance4_count
max_instances4_32bit
max_instances4_64bit
max_instance6_count
max_instances_count
max_instances_32bit
max_instances_64bit
min_instance_count
unsupported_features


Syntax to configure CoreXL

Important:
- The configuration commands are for Check Point use only. To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on page 936 menu.
- After all changes in CoreXL configuration on the Security Gateway, you must reboot it.
- In a Cluster, you must configure all the Cluster Members in the same way.

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl
def_by_allowed [n]
default
[-v] disable
[-v] enable [n] [-6 k]
vmalloc_recalculate

Parameters

Parameter                Description

No Parameters            Shows the built-in help with available parameters.

core_count               Returns the number of CPU cores on this computer.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl core_count
                         [Expert@MyGW:0]# echo $?
                         4
                         [Expert@MyGW:0]#
                         [Expert@MyGW:0]# cat /proc/cpuinfo | grep processor
                         processor : 0
                         processor : 1
                         processor : 2
                         processor : 3
                         [Expert@MyGW:0]#

curr_instance4_count     Returns the current configured number of IPv4 CoreXL Firewall instances.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance4_count
                         [Expert@MyGW:0]# echo $?
                         3
                         [Expert@MyGW:0]#
                         [Expert@MyGW:0]# fw ctl multik stat
                         ID | Active | CPU | Connections | Peak
                         ----------------------------------------------
                         0 | Yes | 3 | 11 | 18
                         1 | Yes | 2 | 12 | 18
                         2 | Yes | 1 | 13 | 18
                         [Expert@MyGW:0]#

curr_instance6_count     Returns the current configured number of IPv6 CoreXL Firewall instances.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance6_count
                         [Expert@MyGW:0]# echo $?
                         2
                         [Expert@MyGW:0]#
                         [Expert@MyGW:0]# fw6 ctl multik stat
                         ID | Active | CPU | Connections | Peak
                         ----------------------------------------------
                         0 | Yes | 3 | 11 | 18
                         1 | Yes | 2 | 12 | 18
                         [Expert@MyGW:0]#

def_by_allowed [n]       Sets the default configuration for CoreXL according to the specified allowed number of CPU cores.

default                  Sets the default configuration for CoreXL.

def_instance4_count      Returns the default number of IPv4 CoreXL Firewall instances for this Security Gateway.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance4_count
                         [Expert@MyGW:0]# echo $?
                         3
                         [Expert@MyGW:0]#

def_instance6_count      Returns the default number of IPv6 CoreXL Firewall instances for this Security Gateway.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance6_count
                         [Expert@MyGW:0]# echo $?
                         2
                         [Expert@MyGW:0]#

[-v] disable             Disables CoreXL.
                         - -v - Leaves the high memory (vmalloc) unchanged.
                         See the "cp_conf corexl" on page 926 command.

eligible                 Returns whether CoreXL can be enabled on this Security Gateway.
                         - 0 - CoreXL cannot be enabled
                         - 1 - CoreXL can be enabled
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl eligible
                         [Expert@MyGW:0]# echo $?
                         1
                         [Expert@MyGW:0]#

[-v] enable [n] [-6 k]   Enables CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall instances.
                         - -v - Leaves the high memory (vmalloc) unchanged.
                         - n - Denotes the number of IPv4 CoreXL Firewall instances.
                         - k - Denotes the number of IPv6 CoreXL Firewall instances.
                         See the "cp_conf corexl" on page 926 command.

installed                Returns whether CoreXL is installed (enabled) on this Security Gateway.
                         - 0 - CoreXL is not enabled
                         - 1 - CoreXL is enabled
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl installed
                         [Expert@MyGW:0]# echo $?
                         1
                         [Expert@MyGW:0]#

max_instance4_count      Returns the maximal allowed number of IPv4 CoreXL Firewall instances for this Security Gateway.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance4_count
                         [Expert@MyGW:0]# echo $?
                         4
                         [Expert@MyGW:0]#

max_instances4_32bit     Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a Security Gateway that runs Gaia with 32-bit kernel.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_32bit
                         [Expert@MyGW:0]# echo $?
                         14
                         [Expert@MyGW:0]#

max_instances4_64bit     Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a Security Gateway that runs Gaia with 64-bit kernel.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_64bit
                         [Expert@MyGW:0]# echo $?
                         38
                         [Expert@MyGW:0]#

max_instance6_count      Returns the maximal allowed number of IPv6 CoreXL Firewall instances for this Security Gateway.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance6_count
                         [Expert@MyGW:0]# echo $?
                         3
                         [Expert@MyGW:0]#

max_instances_count      Returns the total maximal allowed number of CoreXL Firewall instances (IPv4 and IPv6) for this Security Gateway.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_count
                         [Expert@MyGW:0]# echo $?
                         40
                         [Expert@MyGW:0]#

max_instances_32bit      Returns the total maximal allowed number of CoreXL Firewall instances for a Security Gateway that runs Gaia with 32-bit kernel.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_32bit
                         [Expert@MyGW:0]# echo $?
                         16
                         [Expert@MyGW:0]#

max_instances_64bit      Returns the total maximal allowed number of CoreXL Firewall instances for a Security Gateway that runs Gaia with 64-bit kernel.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_64bit
                         [Expert@MyGW:0]# echo $?
                         40
                         [Expert@MyGW:0]#

min_instance_count       Returns the minimal allowed number of IPv4 CoreXL Firewall instances.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl min_instance_count
                         [Expert@MyGW:0]# echo $?
                         2
                         [Expert@MyGW:0]#

vmalloc_recalculate      Updates the value of the vmalloc parameter in the /boot/grub/grub.conf file.

unsupported_features     Returns 1 if at least one feature is configured which CoreXL does not support.
                         Example
                         [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl unsupported_features
                         corexl unsupported feature: QoS is configured.
                         [Expert@MyGW:0]# echo $?
                         1
                         [Expert@MyGW:0]#

fwboot cpuid

Description
Shows the number of available CPUs and CPU cores on this Security Gateway.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot cpuid
      {-h | -help | --help}
      -c
      --full
      ht_aware
      -n
      --possible

Parameters

Parameter Description

No Parameters
    Shows the IDs of the available CPU cores on this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid
    3 2 1 0
    [Expert@MyGW:0]#

-c
    Counts the number of available CPU cores on this Security Gateway.
    The command stores the returned number as its exit code.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -c
    [Expert@MyGW:0]# echo $?
    4
    [Expert@MyGW:0]#

--full
    Shows a full map of the available CPUs and CPU cores on this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --full
    cpuid phys_id core_id thread_id
    0 0 0 0
    1 2 0 0
    2 4 0 0
    3 6 0 0
    [Expert@MyGW:0]#

ht_aware
    Shows the CPU cores in the order of their awareness of Hyper-Threading.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid ht_aware
    3 2 1 0
    [Expert@MyGW:0]#

-n
    Counts the number of available CPUs on this Security Gateway.
    The command stores the returned number as its exit code.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -n
    [Expert@MyGW:0]# echo $?
    4
    [Expert@MyGW:0]#

--possible
    Counts the number of possible CPU cores.
    The command stores the returned number as its exit code.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --possible
    [Expert@MyGW:0]# echo $?
    4
    [Expert@MyGW:0]#
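The fwboot corexl and fwboot cpuid queries above hand back their result as the exit status, not on standard output, so a script that uses "set -e" would abort on a perfectly normal answer such as 38. The following script is an added example, not code from the Check Point guide: it reads such exit-code results safely and compares the CoreXL instance limit with the cores present. It assumes fwboot lives at $FWDIR/boot/fwboot; stub_fwboot is a constructed stand-in that mimics the exit codes shown in the examples above so the logic can be exercised off a gateway.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): read fwboot results that
# are delivered as exit codes without tripping "set -e", then compare the
# CoreXL instance limit with the CPU cores present on the gateway.
set -e

# Location of fwboot on a Gaia gateway; override to exercise the logic offline.
FWBOOT=${FWBOOT:-$FWDIR/boot/fwboot}

# Run a command whose result is its exit status and print that number.
# The "|| status=$?" keeps a non-zero status from aborting a "set -e" script.
exit_value() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    printf '%s\n' "$status"
}

# Print "<corexl_enabled> <cpu_cores> <max_instances>" for this gateway.
# Returns 1 when CoreXL is not enabled, so a scheduled job can alert on it.
corexl_capacity() {
    enabled=$(exit_value "$FWBOOT" corexl installed)
    cores=$(exit_value "$FWBOOT" cpuid -c)
    max_inst=$(exit_value "$FWBOOT" corexl max_instances_count)
    printf '%s %s %s\n' "$enabled" "$cores" "$max_inst"
    [ "$enabled" -eq 1 ]
}

# Constructed stub that mimics the exit codes in the examples above
# (corexl installed -> 1, cpuid -c -> 4, corexl max_instances_count -> 40),
# so the functions can be exercised on a host without fwboot.
stub_fwboot() {
    case "$1 $2" in
        'corexl installed') return 1 ;;
        'cpuid -c') return 4 ;;
        'corexl max_instances_count') return 40 ;;
        *) return 0 ;;
    esac
}

# Stand-alone run: fall back to the stub unless FWBOOT points at a real fwboot.
[ -x "$FWBOOT" ] || FWBOOT=stub_fwboot
corexl_capacity
```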

fwboot default

Description
Loads the specified Default Filter policy on this Security Gateway.

Notes:
- You must run this command from the Expert mode.
- This command is the same as the "fwboot fwdefault" on page 1187 command.
- Refer to these related commands:
  - "fw defaultgen" on page 1046
  - "fwboot bootconf" on page 1172
  - "control_bootsec" on page 917
  - "comp_init_policy" on page 913

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot default <Default Filter Policy File>

Parameters

Parameter Description

No Parameters
    Shows the built-in help with available parameters.

<Default Filter Policy File>
    Specifies the full path and name of the Default Filter policy file.
    The default is $FWDIR/boot/default.bin

Example

[Expert@MyGW:0]# $FWDIR/boot/fwboot default $FWDIR/boot/default.bin
FW-1: Default filter installed successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0]
[Expert@MyGW:0]#

fwboot fwboot_ipv6

Description
Shows the internal memory address of the hook function for the specified CoreXL Firewall
instance.

Important - This command is for Check Point use only.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot fwboot_ipv6 <Number of CoreXL Firewall instance> hook [-d]

Parameters

Parameter Description

No Parameters
    Shows the built-in help with available parameters.

<Number of CoreXL Firewall instance>
    Specifies the ID number of the CoreXL Firewall instance.

-d
    Shows the decimal 64-bit address of the hook function.

Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 0 hook
0xffffffff89f8fc00
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 1 hook
0xffffffff8cd71c00
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 2 hook
0xffffffff8fb53c00
[Expert@MyGW:0]#

fwboot fwdefault

Description
Loads the specified Default Filter policy on this Security Gateway.

Notes:
- You must run this command from the Expert mode.
- This command is the same as the "fwboot default" on page 1185 command.
- Refer to these related commands:
  - "fw defaultgen" on page 1046
  - "fwboot bootconf" on page 1172
  - "control_bootsec" on page 917
  - "comp_init_policy" on page 913

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot fwdefault <Default Filter Policy File>

Parameters

Parameter Description

No Parameters
    Shows the built-in help with available parameters.

<Default Filter Policy File>
    Specifies the full path and name of the Default Filter policy file.
    The default file is $FWDIR/boot/default.bin

Example

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwdefault $FWDIR/boot/default.bin
FW-1: Default filter installed successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0]
[Expert@MyGW:0]#

fwboot ha_conf

Description
Configures the cluster mechanism during boot.

Important - This command is for Check Point use only.

Notes:
- You must run this command from the Expert mode.
- Refer to these related commands:
  - "fw defaultgen" on page 1046
  - "fwboot bootconf" on page 1172
  - "control_bootsec" on page 917
  - "comp_init_policy" on page 913
- To install a cluster, see the R80.40 Installation and Upgrade Guide.
- To configure a cluster, see the R80.40 Installation and Upgrade Guide and the R80.40 ClusterXL Administration Guide.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot ha_conf

fwboot ht
Important - This command is obsolete and is not supported. To configure the SMT (HyperThreading) feature, follow sk93000.

fwboot multik_reg

Description
Shows the internal memory address of the registration function for the specified CoreXL
Firewall instance.

Important - This command is for Check Point use only.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot multik_reg <Number of CoreXL Firewall instance> {ipv4 | ipv6} [-d]

Parameters

Parameter Description

No Parameters
    Shows the built-in help with available parameters.

<Number of CoreXL Firewall instance>
    Specifies the ID number of the CoreXL Firewall instance.

ipv4
    Specifies to work with IPv4 CoreXL Firewall instances.

ipv6
    Specifies to work with IPv6 CoreXL Firewall instances.

-d
    Shows the decimal 64-bit address of the hook function.

Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 0 ipv4
0
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 1 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 2 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#

fwboot post_drv

Description
Loads the Firewall driver for CoreXL during boot.

Important:
- This command is for Check Point use only.
- If you run this command, the Security Gateway can block all traffic. In that case, you must connect to the Security Gateway over a console and restart Check Point services with the "cpstop" on page 967 and "cpstart" on page 957 commands. Alternatively, you can reboot the Security Gateway.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot post_drv {ipv4 | ipv6}

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

ipv4 Loads the IPv4 Firewall driver for CoreXL.

ipv6 Loads the IPv6 Firewall driver for CoreXL.

sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the
information received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User
Defined Alerts mechanism.

Important:
- You must run this command on the Management Server.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Notes:
- VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.
- See the "fw sam" on page 271 and "fw sam_policy" on page 279 commands.

SAM v1 syntax

Syntax for SAM v1

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter Description

-v
    Enables the verbose mode for the "fw sam" command.

-o
    Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-s <SAM Server>
    Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time>
    Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>
    Specifies the Security Gateway / Cluster object, on which to run the operation.
    Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-C
    Cancels the specified operation.

-n
    Specifies to notify every time a connection, which matches the specified criteria, passes through the Security Gateway.

-i
    Inhibits (drops or rejects) connections that match the specified criteria.

-I
    Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria.

-src
    Matches the source address of connections.

-dst
    Matches the destination address of connections.

-any
    Matches either the source or destination address of connections.

-srv
    Matches specific source, destination, protocol and port.

SAM v2 syntax

Syntax for SAM v2

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src | -dst | -any | -srv}

Parameters for SAM v2

Parameter Description

-v2
    Specifies to use SAM v2.

-v
    Enables the verbose mode for the fw sam command.

-O
    Specifies to print the input of this tool to the standard output (to use with pipes in a CLI syntax).

-S <SAM Server>
    Specifies the SAM Server to be contacted. Default is localhost.

-t <Time>
    Specifies the time (in seconds), during which to enforce the action. The default is forever.

-f <Security Gateway>
    Specifies the Security Gateway / Cluster object, on which to run the operation.
    Important - If you do not specify the target Security Gateway / Cluster object explicitly, this command applies to all managed Security Gateways and Clusters.

-n <Name>
    Specifies the name for the SAM rule.
    Default is empty.

-c "<Comment>"
    Specifies the comment for the SAM rule.
    Default is empty.
    You must enclose the text in double quotes or single quotes.

-o <Originator>
    Specifies the originator for the SAM rule.
    Default is "sam_alert".

-l {r | a}
    Specifies the log type for connections that match the specified criteria:
    - r - Regular
    - a - Alert
    Default is None.

-a {d | r | n | b | q | i}
    Specifies the action to apply on connections that match the specified criteria:
    - d - Drop
    - r - Reject
    - n - Notify
    - b - Bypass
    - q - Quarantine
    - i - Inspect

-C
    Specifies to close all existing connections that match the criteria.

-ip
    Specifies to use IP addresses as criteria parameters.

-eth
    Specifies to use MAC addresses as criteria parameters.

-src
    Matches the source address of connections.

-dst
    Matches the destination address of connections.

-any
    Matches either the source or destination address of connections.

-srv
    Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.

stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug
purposes - to make sure the applicable SNMP OIDs provide the requested information.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax
- To query a Regular OID:
  stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>
  These are specified in the SNMP MIB files.
  For Check Point MIB files, see sk90470.
- To query a Statistical OID:
  stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>
  Statistical OIDs take some time to "initialize". For example, to calculate an average, it is necessary to collect enough samples.
  Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_oid.conf file.

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-h <Host>
    Specifies the remote Check Point host to query by its IP address or resolvable hostname.

-p <Port>
    Specifies the port number, on which the AMON server listens. Default port is 18192.

-x <Proxy Server>
    Specifies the Proxy Server by its IP address or resolvable hostname.
    Note - Use only when you query a remote host.

-l <Polling Interval>
    Specifies the time in seconds between queries.
    Note - Use only when you query a Statistical OID.

-r <Polling Duration>
    Specifies the time in seconds, during which to run consecutive queries.
    Note - Use only when you query a Statistical OID.

-v <VSID>
    On a VSX Gateway, specifies the context of a Virtual Device to query.

-t <Timeout>
    Specifies the session timeout in milliseconds.

<Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>
    Specifies the Regular OIDs to query.
    Notes:
    - OID must not start with period.
    - Separate the OIDs with spaces.
    - You can specify up to 100 OIDs.

<Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>
    Specifies the Statistical OIDs to query.
    Notes:
    - OID must not start with period.
    - Separate the OIDs with spaces.
    - You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.4.2

Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Information is collected at 5-second intervals for 5 seconds.

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3

usrchk
Description
Controls the UserCheck daemon (usrchkd).

Syntax

usrchk
hits <options>
incidents <options>
debug <options>

Note - You can also enter partial names of the sub-commands and their options.

Parameters

Parameter Description

No Parameter
    Shows the built-in help.
    This applies to sub-commands as well.
    For example, run just the "usrchk hits" command.

hits <options>
    Shows user hits (violations).
    The available options are:
    - Show user hits:
      - List all existing hits:
        usrchk hits list all
      - Show hits for a specified user:
        usrchk hits list user <UserName>
      - Show hits for a specified interaction object:
        usrchk hits list uci <Name of UserCheck Interaction Object>
    - Clear user hits:
      - Clear all existing hits:
        usrchk hits clear all
      - Clear hits for a specified user:
        usrchk hits clear user <UserName>
      - Clear hits for a specified interaction object:
        usrchk hits clear uci <Name of UserCheck Interaction Object>
    - Database operations:
      - Reload hits from the database:
        usrchk hits db reload
      - Update hits changes in the database:
        usrchk hits db reload update

incidents <options>
    Sends emails to users about incidents.
    The available option is:
    - Send emails to users about their expiring email violations:
      usrchk incidents expiring

debug <options>
    Controls the debug of the UserCheck daemon.
    The available options are:
    - Enable the debug:
      usrchk debug on
      Important - After you run this command "usrchk debug on", you must run the command "usrchk debug set ..." to configure the required filter.
      Important - When you enable the debug, it affects the performance of the usrchkd daemon. Make sure to disable the debug after you complete your troubleshooting.
    - Disable the debug:
      usrchk debug off
    - Filter which debug logs UserCheck writes to the log file based on the specified Debug Topics and Severity:
      usrchk debug set <Topic Name> <Severity>
      The available Debug Topics are:
      - all
      - Check Point Support provides more specific topics, based on the reported issue
      The available Severities are:
      - all
      - critical
      - events
      - important
      - surprise
      Best Practice - We recommend that you enable all Topics and all Severities. Run:
      usrchk debug set all all
    - Show the UserCheck current debug status:
      usrchk debug stat
    - Unset the specified Debug Topic(s):
      usrchk debug unset <Topic Name>
    - Reset all debug topics:
      usrchk debug reset
    - Rotate the UserCheck log files:
      usrchk debug
    - Show the memory consumption by the usrchkd daemon:
      usrchk debug memory
    - Show and set the number of indentation spaces in the $FWDIR/log/usrchk.elg file:
      usrchk debug spaces [<0 - 5>]
      You can specify the number of spaces:
      - 0 (this is the default)
      - 1
      - 2
      - 3
      - 4
      - 5

Notes:
- To show all UserCheck interaction objects, run:
  usrchk hits list all
- You can run a command that contains "user <UserName>" only if:
  - Identity Awareness is enabled on the Security Gateway.
  - User object is used in the same policy rules as UserCheck objects.

ClusterXL Commands
For more information about Check Point cluster, see the R80.40 ClusterXL Administration
Guide.

ClusterXL Configuration Commands


Description
These commands let you configure internal behavior of the Clustering Mechanism.

Important:
- We do not recommend that you run these commands. These commands must be run automatically only by the Security Gateway or by Check Point Support.
- In a Cluster, you must configure all the Cluster Members in the same way.

Syntax

Notes:
- In Gaia Clish:
  Enter set cluster<ESC><ESC> to see all the available commands.
- In Expert mode:
  Run the cphaconf command to see all the available commands.
  You can run the cphaconf commands only from the Expert mode.
- Syntax legend:
  1. Curly brackets or braces { }:
     Enclose a list of available commands or parameters, separated by the vertical bar |, from which the user can enter only one.
  2. Angle brackets < >:
     Enclose a variable - a supported value the user needs to specify explicitly.
  3. Square brackets or brackets [ ]:
     Enclose an optional command or parameter, which the user can also enter.
- You can include these commands in scripts to run them automatically.
  The meaning of each command is explained in the next sections.

Table: ClusterXL Configuration Commands

- Configure how to show the Cluster Member in local ClusterXL logs - by its Member ID or its Member Name (see "Configuring the Cluster Member ID Mode in Local Logs" on page 1209)
  Gaia Clish: set cluster member idmode {id | name}
  Expert mode: cphaconf mem_id_mode {id | name}

- Register a single Critical Device (Pnote) on the Cluster Member (see "Registering a Critical Device" on page 1210)
  Gaia Clish: N/A
  Expert mode: cphaconf set_pnote -d <Name of Device> -t <Timeout in Sec> -s {ok|init|problem} [-p] [-g] register

- Unregister a single Critical Device (Pnote) on the Cluster Member (see "Unregistering a Critical Device" on page 1214)
  Gaia Clish: N/A
  Expert mode: cphaconf set_pnote -d <Name of Device> [-p] [-g] unregister

- Report (change) a state in a single Critical Device (Pnote) on the Cluster Member (see "Reporting the State of a Critical Device" on page 1215)
  Gaia Clish: N/A
  Expert mode: cphaconf set_pnote -d <Name of Device> -s {ok|init|problem} [-g] report

- Register several Critical Devices (Pnotes) from a file on the Cluster Member (see "Registering Critical Devices Listed in a File" on page 1217)
  Gaia Clish: N/A
  Expert mode: cphaconf set_pnote -f <Name of File> [-g] register

- Unregister all Critical Devices (Pnotes) on the Cluster Member (see "Unregistering All Critical Devices" on page 1219)
  Gaia Clish: N/A
  Expert mode: cphaconf set_pnote -a [-g] unregister

- Configure the Cluster Control Protocol (CCP) Encryption on the Cluster Member (see "Configuring the Cluster Control Protocol (CCP) Settings" on page 1220)
  Gaia Clish: set cluster member ccpenc {off | on}
  Expert mode: cphaconf ccp_encrypt {off | on}
               cphaconf ccp_encrypt_key <Key String>

- Configure the Cluster Forwarding Layer on the Cluster Member (controls the forwarding of traffic between Cluster Members)
  Note - For Check Point use only.
  Gaia Clish: set cluster member forwarding {off | on}
  Expert mode: cphaconf forward {off | on}

- Print the current cluster configuration as loaded in the kernel on the Cluster Member (for details, see sk93306)
  Gaia Clish: N/A
  Expert mode: cphaconf debug_data

- Start internal failover between subordinate interfaces of the specified bond interface - only in Bond High Availability mode (for details, see sk93306)
  Gaia Clish: N/A
  Expert mode: cphaconf failover_bond <bond_name>

- Configure what happens during a failover after a Bond already failed over internally (for details, see sk93306)
  Gaia Clish: N/A
  Expert mode: cphaconf enable_bond_failover <bond_name>

- Initiate manual cluster failover (see "Initiating Manual Cluster Failover" on page 1221)
  Gaia Clish: set cluster member admin {down | up}
  Expert mode: clusterXL_admin {down | up}

- Configure the minimal number of required subordinate interfaces for Bond Load Sharing (see "Configuring the Minimal Number of Required Subordinate Interfaces for Bond Load Sharing" on page 1225)
  Gaia Clish: N/A
  Expert mode: cphaconf bond_ls {set <Bond Name> <Value> | remove <Bond Name>}

- Configuring Link Monitoring on the Cluster Interfaces (see "Configuring Link Monitoring on the Cluster Interfaces" on page 1228)
  Gaia Clish: N/A
  Expert mode: N/A

- Configuring the Multi-Version Cluster Mechanism (see "Configuring the Multi-Version Cluster Mechanism" on page 1231)
  Gaia Clish: N/A
  Expert mode: cphaconf mvc {off | on}

List of the Gaia Clish "set cluster member" commands

set cluster member admin {down | up} [permanent]
set cluster member ccpenc {off | on}
set cluster member forwarding {off | on}
set cluster member idmode {id | name}
set cluster member mvc {off | on}

List of the Expert mode "cphaconf" commands

Note - Some commands are not applicable to 3rd party clusters.

cphaconf [-D] <options> start
cphaconf stop
cphaconf [-t <Sync IF 1>...] [-d <Non-Monitored IF 1>...] add
cphaconf clear-secured
cphaconf clear-non-monitored
cphaconf debug_data
cphaconf delete_link_local [-vs <VSID>] <IF name>
cphaconf set_link_local [-vs <VSID>] <IF name> <Cluster IP>
cphaconf mem_id_mode {id | name}
cphaconf failover_bond <bond_name>
cphaconf [-s] {set | unset | get} var <Kernel Parameter Name> [<Value>]
cphaconf bond_ls {set <Bond Name> <Value> | remove <Bond Name>}
cphaconf set_pnote -d <Device> -t <Timeout in sec> -s {ok | init | problem} [-p] [-g] register
cphaconf set_pnote -f <File> [-g] register
cphaconf set_pnote -d <Device> [-p] [-g] unregister
cphaconf set_pnote -a [-g] unregister
cphaconf set_pnote -d <Device> -s {ok | init | problem} [-g] report
cphaconf ccp_encrypt {off | on}
cphaconf ccp_encrypt_key <Key String>

Configuring the Cluster Member ID Mode in Local Logs


Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
This command configures how to show the Cluster Member in the local ClusterXL logs - by its
Member ID (default), or its Member Name.
This configuration affects these local logs:
- /var/log/messages
- dmesg
- $FWDIR/log/fwd.elg

See "Viewing the Cluster Member ID Mode in Local Logs" on page 1275.

Syntax

Shell          Command
Gaia Clish     set cluster member idmode {id | name}
Expert mode    cphaconf mem_id_mode {id | name}

Example

[Expert@Member1:0]# cphaprob names

Current member print mode in local logs is set to: ID

[Expert@Member1:0]#
[Expert@Member1:0]# cphaconf mem_id_mode name

Member print mode in local logs: NAME

[Expert@Member1:0]#
[Expert@Member1:0]# cphaprob names

Current member print mode in local logs is set to: NAME

[Expert@Member1:0]#

Registering a Critical Device


Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
You can add a user-defined critical device to the default list of critical devices. Use this
command to register <device> as a critical process, and add it to the list of devices that must
run for the Cluster Member to be considered active. If <device> fails, then the Cluster Member
is seen as failed.
If a Critical Device fails to report its state to the Cluster Member in the configured timeout, the
Critical Device, and by design the Cluster Member, are seen as failed.

Define the status of the Critical Device that is reported to ClusterXL upon registration.
This initial status can be one of these:
- ok - Critical Device is alive.
- init - Critical Device is initializing. The Cluster Member is Down. In this state, the Cluster Member cannot become Active.
- problem - Critical Device failed. If this state is reported to ClusterXL, the Cluster Member immediately goes Down. This causes a failover.

Syntax

Shell          Command
Gaia Clish     N/A
Expert mode    cphaconf set_pnote -d <Name of Critical Device> -t <Timeout in Sec> -s {ok | init | problem} [-p] [-g] register

Notes:
- The "-t" flag specifies how frequently to expect the periodic reports from this Critical Device.
  If no periodic reports should be expected, then enter the value 0 (zero).
- The "-p" flag makes these changes permanent (survive reboot).
- The "-g" flag applies the command to all configured Virtual Systems.

Restrictions
- Total number of critical devices (pnotes) on a Cluster Member is limited to 16.
- Name of any critical device (pnote) on a Cluster Member is limited to 15 characters, and must not include white spaces.

Related topics
- "Viewing Critical Devices" on page 1243
- "Reporting the State of a Critical Device" on page 1215
- "Registering Critical Devices Listed in a File" on page 1217
- "Unregistering a Critical Device" on page 1214
- "Unregistering All Critical Devices" on page 1219

Example use case


This example assumes that all other Critical Devices report their states as "ok".
Do these steps on each Cluster Member:
1. Create a shell script that does these actions:
   a. Examine the used space in the critical disk partitions.
   b. If the used space in these partitions:
      - Is above the threshold, then register a user-defined Critical Device and report its status as "problem".
        As a result, the Cluster Member changes its cluster state to "Down" (if there is at least one Cluster Member in the status "Active").
      - Is below the threshold, then register a user-defined Critical Device and report its status as "ok".
        As a result, the Cluster Member changes its cluster state to "Standby" or "Active".
   Example script syntax:

#!/bin/bash

# Get the used % in the partition lv_current
var_lv_current=$(df -h | grep lv_current | awk '{print $5}' | sed 's/[%]//')
# Get the used % in the partition lv_log
var_lv_log=$(df -h | grep lv_log | awk '{print $5}' | sed 's/[%]//')

if [ "$var_lv_current" -gt 90 -o "$var_lv_log" -gt 90 ]; then
    # If a partition is full, then bring the cluster member down
    $FWDIR/bin/cphaconf set_pnote -d Storage -s problem report
else
    # If the partitions are free enough, then bring the cluster member up
    $FWDIR/bin/cphaconf set_pnote -d Storage -s ok report
    $FWDIR/bin/cphaconf set_pnote -d Storage unregister
fi

2. Configure a scheduled job to run this shell script at the relevant time intervals.
See the R80.40 Gaia Administration Guide.
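A variant of the storage check above, written as an added example rather than taken from the guide: it checks the Critical Device name against the restrictions listed earlier (15 characters, no white space), registers the pnote once with a report timeout so a stalled check is itself treated as a failure, and keeps the state decision in a function that can be exercised on a constructed df sample. It assumes cphaconf at $FWDIR/bin/cphaconf; PNOTE_APPLY=1 is an assumed switch that enables the real cphaconf calls, and SAMPLE_DF is constructed, not real gateway output.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): a storage Critical Device
# check that validates the pnote name, decides the state from df output, and
# only talks to ClusterXL when explicitly enabled with PNOTE_APPLY=1.

PNOTE_NAME=${PNOTE_NAME:-Storage}     # at most 15 chars, no white space
PNOTE_TIMEOUT=${PNOTE_TIMEOUT:-300}   # seconds between expected reports
THRESHOLD=${THRESHOLD:-90}            # used-space percentage that is "problem"
CPHACONF=${CPHACONF:-$FWDIR/bin/cphaconf}   # assumed gateway path

# Check a Critical Device name against the documented restrictions:
# at most 15 characters and no white space. Returns 0 if valid, 1 if not.
validate_pnote_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 15 ] || return 1
    case $name in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Decide the state to report from "df -hP" output ($1) and a threshold ($2).
# Prints "problem" if lv_current or lv_log is used above the threshold,
# otherwise "ok". Only the Use% column (field 5) is inspected.
decide_state() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        /lv_current|lv_log/ {
            sub(/%/, "", $5)
            if ($5 + 0 > limit) bad = 1
        }
        END { print (bad ? "problem" : "ok") }'
}

# One-time registration (run manually or at boot) with the current state and
# a report timeout: if no report arrives within PNOTE_TIMEOUT seconds,
# ClusterXL treats the device, and so the member, as failed.
register_storage_pnote() {
    validate_pnote_name "$PNOTE_NAME" || { echo "invalid pnote name" >&2; return 1; }
    state=$(decide_state "$(df -hP)" "$THRESHOLD")
    "$CPHACONF" set_pnote -d "$PNOTE_NAME" -t "$PNOTE_TIMEOUT" -s "$state" -p register
}

# Periodic check (run from a scheduled job): report ok or problem.
report_storage_state() {
    state=$(decide_state "$(df -hP)" "$THRESHOLD")
    "$CPHACONF" set_pnote -d "$PNOTE_NAME" -s "$state" report
}

# Constructed sample df output (not from a real gateway) for offline checks.
SAMPLE_DF='Filesystem                      Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current  30G   28G  1.5G  95% /
/dev/mapper/vg_splat-lv_log      50G   10G   38G  21% /var/log'

if [ "${PNOTE_APPLY:-0}" = "1" ]; then
    report_storage_state
else
    # Dry run: show what would be reported for the constructed sample.
    echo "sample df -> $(decide_state "$SAMPLE_DF" "$THRESHOLD")"
fi
```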

Unregistering a Critical Device


Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
This command unregisters a user-defined Critical Device (Pnote). This means that this device
is no longer considered critical.
If a Critical Device was registered with a state "problem", before you ran this command, then
after you run this command, the status of the Cluster Member depends only on the states of
the remaining Critical Devices.

Syntax

Shell          Command
Gaia Clish     N/A
Expert mode    cphaconf set_pnote -d <Name of Critical Device> [-p] [-g] unregister

Notes:
- The "-p" flag makes these changes permanent.
  This means that after you reboot, these Critical Devices remain unregistered.
- The "-g" flag applies the command to all configured Virtual Systems.

Related topics
- "Viewing Critical Devices" on page 1243
- "Reporting the State of a Critical Device" on page 1215
- "Registering a Critical Device" on page 1210
- "Registering Critical Devices Listed in a File" on page 1217
- "Unregistering All Critical Devices" on page 1219

Reporting the State of a Critical Device


Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
This command manually reports (changes) the state of a Critical Device to ClusterXL.
The reported state can be one of these:
- ok - Critical Device is alive.
- init - Critical Device is initializing. The Cluster Member is Down. In this state, the Cluster Member cannot become Active.
- problem - Critical Device failed. If this state is reported to ClusterXL, the Cluster Member immediately goes Down. This causes a failover.
If a Critical Device fails to report its state to the Cluster Member within the defined timeout, the
Critical Device, and by design the Cluster Member, are seen as failed. This is true only for
Critical Devices with timeouts. If a Critical Device is registered with the "-t 0" parameter, there
is no timeout. Until the Critical Device reports otherwise, the state of the Critical Device is
considered to be the last reported state.

Syntax

Shell          Command
Gaia Clish     N/A
Expert mode    cphaconf set_pnote -d <Name of Critical Device> -s {ok | init | problem} [-g] report

Notes:
- The "-g" flag applies the command to all configured Virtual Systems.
- If the "<Name of Critical Device>" reports its state as "problem", then the Cluster Member
  reports its state as failed.

Related topics
- "Viewing Critical Devices" on page 1243
- "Registering a Critical Device" on page 1210
- "Registering Critical Devices Listed in a File" on page 1217
- "Unregistering a Critical Device" on page 1214
- "Unregistering All Critical Devices" on page 1219

Registering Critical Devices Listed in a File


Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
This command registers all the user-defined Critical Devices listed in the specified file.
This file must be a plain-text ASCII file, with each Critical Device defined on a separate line.
Each definition must contain three parameters, which must be separated by a space or a tab
character:

<Name of Device> <Timeout> <Status>

Where:

Parameter          Description
<Name of Device>   The name of the Critical Device.
                   - Maximal name length is 15 characters.
                   - The name must not include white spaces (space or tab characters).
<Timeout>          If the Critical Device <Name of Device> fails to report its state to the
                   Cluster Member within this specified number of seconds, the Critical Device
                   (and by design the Cluster Member) are seen as failed.
                   For no timeout, use the value 0 (zero).
<Status>           The Critical Device <Name of Device> reports one of these statuses to the
                   Cluster Member:
                   - ok - Critical Device is alive.
                   - init - Critical Device is initializing. The Cluster Member is Down. In this
                     state, the Cluster Member cannot become Active.
                   - problem - Critical Device failed. If this state is reported to ClusterXL,
                     the Cluster Member immediately goes Down. This causes a failover.

Syntax

Shell          Command
Gaia Clish     N/A
Expert mode    cphaconf set_pnote -f /<Path>/<Name of File> [-g] register

Note - The "-g" flag applies the command to all configured Virtual Systems.
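A validator for the definition file described above, added here as an example and not Check Point code. It enforces the rules the guide gives (three space- or tab-separated fields, a name of at most 15 characters without white space, a whole-second timeout, a status of ok, init or problem); the skipping of blank and "#" lines and the duplicate-name check are this example's own assumptions.

```python
"""Validate a Critical Device (pnote) definition file before handing it to
'cphaconf set_pnote -f <file> register'.

Added example, not Check Point code. The rules enforced are the ones the guide
states: one device per line, three fields separated by spaces or tabs
(<Name of Device> <Timeout> <Status>), a name of at most 15 characters with no
white space, a timeout in whole seconds (0 = no timeout) and a status of
ok, init or problem.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

MAX_NAME_LEN = 15
VALID_STATUSES = ("ok", "init", "problem")


@dataclass(frozen=True)
class Pnote:
    name: str
    timeout: int  # seconds; 0 means the device has no timeout
    status: str


def parse_pnote_line(line: str) -> Pnote:
    """Parse one definition line, raising ValueError with the reason it is invalid.

    Splitting on runs of spaces/tabs means a name containing white space shows
    up as a wrong field count, which is the error the guide's rule implies."""
    fields = re.split(r"[ \t]+", line.strip())
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    name, timeout_str, status = fields
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"name {name!r} is longer than {MAX_NAME_LEN} characters")
    if not timeout_str.isdigit():
        raise ValueError(f"timeout {timeout_str!r} is not a non-negative integer")
    if status not in VALID_STATUSES:
        raise ValueError(f"status {status!r} is not one of {VALID_STATUSES}")
    return Pnote(name, int(timeout_str), status)


def validate_pnote_file(text: str) -> Tuple[List[Pnote], List[str]]:
    """Return (accepted devices, error messages with line numbers).

    Assumptions of this example, not rules from the guide: blank lines and
    lines starting with '#' are skipped (strip them before writing the file
    you give to cphaconf), and a device name listed twice is reported as an
    error because it is almost certainly a copy-paste mistake."""
    devices: List[Pnote] = []
    errors: List[str] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            dev = parse_pnote_line(raw)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if dev.name in seen:
            errors.append(f"line {lineno}: duplicate device name {dev.name!r}")
            continue
        seen.add(dev.name)
        devices.append(dev)
    return devices, errors


# Constructed sample file: lines 1-2 are valid, lines 3-6 each break one rule.
SAMPLE_FILE = """\
Storage 30 ok
BackupLink 0 init
ThisNameIsWayTooLong 10 ok
Sensor -5 problem
Storage 30 ok
Fan 10 bad
"""

if __name__ == "__main__":
    accepted, problems = validate_pnote_file(SAMPLE_FILE)
    for dev in accepted:
        print(f"OK   {dev.name:<15} timeout={dev.timeout:<4} status={dev.status}")
    for msg in problems:
        print(f"ERR  {msg}")
```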

Related topics
- "Viewing Critical Devices" on page 1243
- "Reporting the State of a Critical Device" on page 1215
- "Registering a Critical Device" on page 1210
- "Unregistering a Critical Device" on page 1214
- "Unregistering All Critical Devices" on page 1219

Unregistering All Critical Devices


Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
This command unregisters all critical devices from the Cluster Member.

Syntax

Shell          Command
Gaia Clish     N/A
Expert mode    cphaconf set_pnote -a [-g] unregister

Notes:
- The "-a" flag specifies that all Pnotes must be unregistered.
- The "-g" flag applies the command to all configured Virtual Systems.

Related topics
- "Viewing Critical Devices" on page 1243
- "Reporting the State of a Critical Device" on page 1215
- "Registering a Critical Device" on page 1210
- "Registering Critical Devices Listed in a File" on page 1217
- "Unregistering a Critical Device" on page 1214

Configuring the Cluster Control Protocol (CCP) Settings


Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
Cluster Members configure the Cluster Control Protocol (CCP) mode automatically.

Important - In R80.40, the CCP always runs in the unicast mode.

You can configure the Cluster Control Protocol (CCP) Encryption on the Cluster Members.
See "Viewing the Cluster Control Protocol (CCP) Settings" on page 1280.

Syntax for configuring the Cluster Control Protocol (CCP) Encryption

Shell          Command
Gaia Clish     set cluster member ccpenc {off | on}
Expert mode    cphaconf ccp_encrypt {off | on}
               cphaconf ccp_encrypt_key <Key String>

Initiating Manual Cluster Failover

Description
This command initiates a manual cluster failover (see sk55081).

Syntax

Shell          Command
Gaia Clish     set cluster member admin {down | up}
Expert mode    clusterXL_admin {down | up}

Example

[Expert@Member1:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load  State    Name
1 (local)  11.22.33.245    100%           ACTIVE   Member1
2          11.22.33.246    0%             STANDBY  Member2

Active PNOTEs: None

... ...

[Expert@Member1:0]#

[Expert@Member1:0]# clusterXL_admin down


This command does not survive reboot. To make the change permanent, please run 'set cluster
member admin down/up permanent' in clish or add '-p' at the end of the command in expert mode
Setting member to administratively down state ...
Member current state is DOWN
[Expert@Member1:0]#

[Expert@Member1:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load  State    Name
1 (local)  11.22.33.245    0%             DOWN     Member1
2          11.22.33.246    100%           ACTIVE   Member2

Active PNOTEs: ADMIN

Last member state change event:


Event Code: CLUS-111400
State change: ACTIVE -> DOWN
Reason for state change: ADMIN_DOWN PNOTE
Event time: Sun Sep 8 19:35:06 2019

Last cluster failover event:


Transition to new ACTIVE: Member 1 -> Member 2
Reason: ADMIN_DOWN PNOTE
Event time: Sun Sep 8 19:35:06 2019

Cluster failover count:


Failover counter: 2
Time of counter reset: Sun Sep 8 16:08:34 2019 (reboot)

[Expert@Member1:0]#

[Expert@Member1:0]# clusterXL_admin up
This command does not survive reboot. To make the change permanent, please run 'set cluster
member admin down/up permanent' in clish or add '-p' at the end of the command in expert mode
Setting member to normal operation ...
Member current state is STANDBY
[Expert@Member1:0]#

[Expert@Member1:0]# cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load  State    Name
1 (local)  11.22.33.245    0%             STANDBY  Member1
2          11.22.33.246    100%           ACTIVE   Member2

Active PNOTEs: None

Last member state change event:

Event Code: CLUS-114802


State change: DOWN -> STANDBY
Reason for state change: There is already an ACTIVE member in the cluster (member 2)
Event time: Sun Sep 8 19:37:03 2019

Last cluster failover event:


Transition to new ACTIVE: Member 1 -> Member 2
Reason: ADMIN_DOWN PNOTE
Event time: Sun Sep 8 19:35:06 2019

Cluster failover count:


Failover counter: 2
Time of counter reset: Sun Sep 8 16:08:34 2019 (reboot)

[Expert@Member1:0]#


Configuring the Minimal Number of Required Subordinate Interfaces for Bond Load Sharing

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
ClusterXL considers a bond in Load Sharing mode to be in the "down" state when fewer than a
minimal number of required subordinate interfaces stay in the "up" state.
By default, the minimal number of required subordinate interfaces, which must stay in the "up"
state in a bond of n subordinate interfaces is n-1.

If one more subordinate interface fails (when n-2 subordinate interfaces stay in the "up" state),
ClusterXL considers the bond interface to be in the "down" state, even if the bond contains
more than two subordinate interfaces.
If a smaller number of subordinate interfaces can pass the expected traffic, you can configure
explicitly the minimal number of required subordinate interfaces.
Divide your maximal expected traffic speed by the speed of your subordinate interfaces and
round up the result to find an applicable minimal number of required subordinate interfaces.

Notes:
- Cluster Members save the configuration in the $FWDIR/conf/cpha_bond_ls_config.conf file.
- The commands below save the changes in this file.
- Each line in the file has this syntax:
  <Name of Bond Interface> <Minimal Number of Required Subordinate Interfaces>

In addition, see "Viewing Bond Interfaces" on page 1256.

Syntax to add the minimal number of required subordinate interfaces for a specific Bond interface

Shell          Command
Gaia Clish     N/A
Expert mode    cphaconf bond_ls set <Name of Bond Interface> <Minimal Number of Required Subordinate Interfaces>

Syntax to remove the configured minimal number of required subordinate interfaces for a specific Bond interface

Shell          Command
Gaia Clish     N/A
Expert mode    cphaconf bond_ls remove <Name of Bond Interface>

Syntax to see the current configuration of the minimal number of required subordinate interfaces

Shell          Command
Gaia Clish     N/A
Expert mode    cat $FWDIR/conf/cpha_bond_ls_config.conf

Procedure

Step  Instructions
1     Connect to the command line on each Cluster Member.
2     Log in to the Expert mode.
3     Add or remove the minimal number of required subordinate interfaces for a specific Bond
      interface:
      cphaconf bond_ls set <Bond> <Minimal Number of Subordinate Interfaces>
      cphaconf bond_ls remove <Bond>
4     Examine the configuration:
      cat $FWDIR/conf/cpha_bond_ls_config.conf
5     In SmartConsole, install the Access Control policy on this cluster object.

Example

[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf


# ... (truncated for brevity) ...
# Example:
# bond0 2

[Expert@Member1:0]#

[Expert@Member1:0]# cphaconf bond_ls set bond1 2


Set operation succeeded

[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf


# ... (truncated for brevity) ...
# Example:
# bond0 2

bond1 2
[Expert@Member1:0]#

[Expert@Member1:0]# cphaconf bond_ls remove bond1


Remove operation succeeded

[Expert@Member1:0]#

[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf


# ... (truncated for brevity) ...
# Example:
# bond0 2

[Expert@Member1:0]#

Configuring Link Monitoring on the Cluster Interfaces


Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description
This procedure configures the Cluster Member to monitor only the physical link on the cluster
interfaces (instead of monitoring the Cluster Control Protocol (CCP) packets):
- If a link disappears on the configured interface, the Cluster Member changes the interface's
  state to DOWN.
  This causes the Cluster Member to change its state to DOWN.
- If a link appears again on the configured interface, the Cluster Member changes the interface's
  state back to UP.
  This causes the Cluster Member to change its state back to ACTIVE or STANDBY.
See "Viewing Cluster State" on page 1237.

Procedure

Step  Instructions
1     Connect to the command line on the Cluster Member.
2     Log in to the Expert mode.
3     See if the $FWDIR/conf/cpha_link_monitoring.conf file already exists:
      stat $FWDIR/conf/cpha_link_monitoring.conf
4     If the $FWDIR/conf/cpha_link_monitoring.conf file already exists, create a backup copy:
      cp -v $FWDIR/conf/cpha_link_monitoring.conf{,_BKP}
      If the $FWDIR/conf/cpha_link_monitoring.conf file does not exist, create it:
      touch $FWDIR/conf/cpha_link_monitoring.conf
5     Edit the $FWDIR/conf/cpha_link_monitoring.conf file:
      vi $FWDIR/conf/cpha_link_monitoring.conf
6     - To monitor the link only on specific interfaces:
        Enter the names of the applicable interfaces - each name on a new separate line.
        Example:
        eth2
        eth4
      - To monitor the link on all interfaces:
        Enter only this word:
        all
7     Save the changes in the file and exit the editor.

8     Reboot the Cluster Member.

      Important - This can cause a failover.

      Best Practices:
      - In High Availability cluster:
        1. Perform the configuration steps on all Cluster Members.
        2. Reboot all the Standby Cluster Members.
        3. Initiate a manual failover on the Active Cluster Member.
        4. Reboot the former Active Cluster Member.
      - In Load Sharing Unicast cluster:
        1. Perform the configuration steps on all Cluster Members.
        2. Reboot all the non-Pivot Cluster Members.
        3. Initiate a manual failover on the Pivot Cluster Member.
        4. Reboot the former Pivot Cluster Member.
      - In Load Sharing Multicast cluster:
        1. Perform the configuration steps on all Cluster Members.
        2. Reboot all Cluster Members except one.
        3. Initiate a manual failover on the remaining Cluster Member.
        4. Reboot the remaining Cluster Member.

Note - See "Initiating Manual Cluster Failover" on page 1221.

Configuring the Multi-Version Cluster Mechanism

Description
This command changes the state of the Multi-Version Cluster (MVC) Mechanism - enable or
disable it.

Important:
- The MVC Mechanism is disabled by default.
- For limitations of the MVC Mechanism, see the R80.40 Installation and Upgrade Guide > Chapter
  Upgrading Gateways and Clusters > Section Upgrading ClusterXL, VSX Cluster, VRRP Cluster >
  Section Multi-Version Cluster Upgrade.

Syntax

Shell          Command
Gaia Clish     set cluster member mvc {off | on}
Expert mode    cphaconf mvc {off | on}

Parameters

Parameter Description

off Disables the MVC Mechanism on this Cluster Member.

on Enables the MVC Mechanism on this Cluster Member.

Notes:
- This command does not provide an output. To view the current state of the MVC Mechanism, see
  "Viewing the State of the Multi-Version Cluster Mechanism" on page 1281.
- The change made with this command survives reboot.
- If a specific scenario requires you to disable the MVC Mechanism before the first start of an
  R80.40 Cluster Member (for example, immediately after an upgrade to R80.40), then disable it
  before the first policy installation on this Cluster Member.

ClusterXL Monitoring Commands


Description
Use the monitoring commands to make sure that the cluster and the Cluster Members work
properly, and to define Critical Devices. A Critical Device (also known as a Problem
Notification, or pnote) is a special software device on each Cluster Member, through which the
critical aspects for cluster operation are monitored. When the critical monitored component on
a Cluster Member fails to report its state on time, or when its state is reported as problematic,
the state of that member is immediately changed to 'Down'.

Syntax

Notes:
- In Gaia Clish:
  Enter show cluster<ESC><ESC> to see all the available commands.
- In Expert mode:
  Run the cphaprob command to see all the available commands.
  You can run the cphaprob commands from Gaia Clish as well.
- Syntax legend:
  1. Curly brackets or braces { }:
     Enclose a list of available commands or parameters, separated by the vertical bar |, from
     which the user can enter only one.
  2. Angle brackets < >:
     Enclose a variable - a supported value the user needs to specify explicitly.
  3. Square brackets or brackets [ ]:
     Enclose an optional command or parameter, which the user can also enter.
- You can include these commands in scripts to run them automatically.
  The meaning of each command is explained in the next sections.

Table: ClusterXL Monitoring Commands

Show states of Cluster Members and their names (see "Viewing Cluster State" on page 1237)
    Gaia Clish:   show cluster state
    Expert mode:  cphaprob [-vs <VSID>] state

Show Critical Devices (Pnotes) and their states on the Cluster Member (see "Viewing Critical
Devices" on page 1243)
    Gaia Clish:   show cluster members pnotes {all | problem}
    Expert mode:  cphaprob [-l] [-ia] [-e] list

Show cluster interfaces on the cluster member (see "Viewing Cluster Interfaces" on page 1251)
    Gaia Clish:   show cluster members interfaces {all | secured | virtual | vlans}
    Expert mode:  cphaprob [-vs all] [-a] [-m] if

Show cluster bond configuration on the Cluster Member (see "Viewing Bond Interfaces" on page 1256)
    Gaia Clish:   show cluster bond {all | name <bond_name>}
    Expert mode:  cphaprob show_bond [<bond_name>]

Show groups of bonds on the Cluster Member (see "Viewing Bond Interfaces" on page 1256)
    Gaia Clish:   N/A
    Expert mode:  cphaprob show_bond_groups

Show (and reset) cluster failover statistics on the Cluster Member (see "Viewing Cluster Failover
Statistics" on page 1261)
    Gaia Clish:   show cluster failover [reset {count | history}]
    Expert mode:  cphaprob [-reset {-c | -h}] [-l <count>] show_failover

Show information about the software version (including hotfixes) on the local Cluster Member and
its matches/mismatches with other Cluster Members (see "Viewing Software Versions on Cluster
Members" on page 1263)
    Gaia Clish:   show cluster release
    Expert mode:  cphaprob release

Show Delta Sync statistics on the Cluster Member (see "Viewing Delta Synchronization" on page 1264)
    Gaia Clish:   show cluster statistics sync [reset]
    Expert mode:  cphaprob [-reset] syncstat

Show Delta Sync statistics for the Connections table on the Cluster Member (see "Viewing Cluster
Delta Sync Statistics for Connections Table" on page 1272)
    Gaia Clish:   show cluster statistics transport [reset]
    Expert mode:  cphaprob [-reset] ldstat

Show the Cluster Control Protocol (CCP) mode on the Cluster Member (see "Viewing Cluster
Interfaces" on page 1251)
    Gaia Clish:   show cluster members interfaces virtual
    Expert mode:  cphaprob [-vs all] -a if

Show the IGMP membership of the Cluster Member (see "Viewing IGMP Status" on page 1271)
    Gaia Clish:   show cluster members igmp
    Expert mode:  cphaprob igmp

Show cluster unique IP's table on the Cluster Member (see "Viewing Cluster IP Addresses" on
page 1273)
    Gaia Clish:   show cluster members ips
                  show cluster members monitored
    Expert mode:  cphaprob tablestat
                  cphaprob -m tablestat

Show the Cluster Member ID Mode in local logs - by Member ID (default) or Member Name (see
"Viewing the Cluster Member ID Mode in Local Logs" on page 1275)
    Gaia Clish:   show cluster members idmode
    Expert mode:  cphaprob names

Show interfaces, which the RouteD monitors on the Cluster Member when you configure OSPF (see
"Viewing Interfaces Monitored by RouteD" on page 1276)
    Gaia Clish:   show ospf interfaces [detailed]
    Expert mode:  cphaprob routedifcs

Show roles of RouteD daemon on Cluster Members (see "Viewing Roles of RouteD Daemon on Cluster
Members" on page 1277)
    Gaia Clish:   show cluster roles
    Expert mode:  cphaprob roles

Show Cluster Correction Statistics (see "Viewing Cluster Correction Statistics" on page 1278)
    Gaia Clish:   N/A
    Expert mode:  cphaprob [{-d | -f | -s}] corr

Show the Cluster Control Protocol (CCP) mode (see "Viewing the Cluster Control Protocol (CCP)
Settings" on page 1280)
    Gaia Clish:   show cluster members interfaces virtual
    Expert mode:  cphaprob -a if

Show the Cluster Control Protocol (CCP) Encryption settings (see "Viewing the Cluster Control
Protocol (CCP) Settings" on page 1280)
    Gaia Clish:   show cluster members ccpenc
    Expert mode:  cphaprob ccp_encrypt

Show the state of the Multi-Version Cluster (see "Viewing the State of the Multi-Version Cluster
Mechanism" on page 1281)
    Gaia Clish:   show cluster members mvc
    Expert mode:  N/A

Show Full Connectivity Upgrade statistics (see "Viewing Full Connectivity Upgrade Statistics" on
page 1282)
    Gaia Clish:   N/A
    Expert mode:  cphaprob fcustat

List of the Gaia Clish "show cluster" commands

show cluster
    bond
        all
        name <Name of Bond>
    failover
    members
        ccpenc
        idmode
        igmp
        interfaces
            all
            secured
            virtual
            vlans
        ips
        monitored
        mvc
        pnotes
            all
            problem
    release
    roles
    state
    statistics
        sync [reset]
        transport [reset]

List of the Expert mode "cphaprob" commands

Note - Some commands are not applicable to 3rd party clusters.

cphaprob [-vs <VSID>] state


cphaprob [-reset {-c | -h}] [-l <count>] show_failover
cphaprob names
cphaprob [-reset] [-a] syncstat
cphaprob [-reset] ldstat
cphaprob [-l] [-i[a]] [-e] list
cphaprob [-vs all] [-a] [-m] if
cphaprob show_bond [<bond_name>]
cphaprob show_bond_groups
cphaprob igmp
cphaprob fcustat
cphaprob [-m] tablestat
cphaprob routedifcs
cphaprob roles
cphaprob release
cphaprob ccp_encrypt
cphaprob [{-d | -f | -s}] corr

Viewing Cluster State

Description
This command monitors the cluster status (after you set up the cluster).

Syntax

Shell          Command
Gaia Clish     1. set virtual-system <VSID>
               2. show cluster state
Expert mode    cphaprob [-vs <VSID>] state

Example

Member1> show cluster state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load  State      Name
1 (local)  11.22.33.245    100%           ACTIVE(!)  Member1
2          11.22.33.246    0%             DOWN       Member2

Active PNOTEs: COREXL

Last member state change event:


Event Code: CLUS-116505
State change: INIT -> ACTIVE(!)
Reason for state change: All other machines are dead (timeout), FULLSYNC PNOTE
Event time: Sun Sep 8 15:28:39 2019
Cluster failover count:
Failover counter: 0
Time of counter reset: Sun Sep 8 15:28:21 2019 (reboot)

Member1>

Description of the "cphaprob state" command output fields:

Table: Description of the output fields

Field                           Description
Cluster Mode                    Can be one of these:
                                - Load Sharing (Multicast).
                                - Load Sharing (Unicast).
                                - High Availability (Primary Up).
                                - High Availability (Active Up).
                                - Virtual System Load Sharing.
                                - For third-party clustering products: Service. Refer to
                                  Clustering Definitions and Terms for more information.
ID                              - In the High Availability mode - indicates the Cluster Member
                                  priority, as configured in the cluster object in SmartConsole.
                                - In Load Sharing mode - indicates the Cluster Member ID, as
                                  configured in the cluster object in SmartConsole.
Unique Address                  Usually, shows the IP addresses of the Sync interfaces.
                                In some cases, can show IP addresses of other cluster interfaces.
Assigned Load                   - In the ClusterXL High Availability mode - shows the Active
                                  Cluster Member with 100% load, and all other Standby Cluster
                                  Members with 0% load.
                                - In ClusterXL Load Sharing modes (Unicast and Multicast) - shows
                                  all Active Cluster Members with 100% load.
State                           - In the ClusterXL High Availability mode, only one Cluster Member
                                  in a fully-functioning cluster must be ACTIVE, and the other
                                  Cluster Members must be in the STANDBY state.
                                - In the ClusterXL Load Sharing modes (Unicast and Multicast), all
                                  Cluster Members in a fully-functioning cluster must be ACTIVE.
                                - In 3rd-party clustering configuration, all Cluster Members in a
                                  fully-functioning cluster must be ACTIVE. This is because this
                                  command only reports the status of the Full Synchronization
                                  process.
                                See the summary table below.
Name                            Shows the names of Cluster Members' objects as configured in
                                SmartConsole.
Active PNOTEs                   Shows the Critical Devices that report their states as "problem"
                                (see "Viewing Critical Devices" on page 1243).
Last member state change event  Shows information about the last time this Cluster Member changed
                                its cluster state.
Event Code                      Shows an event code. For information, see sk125152.
State change                    Shows the previous cluster state and the new cluster state of this
                                Cluster Member.
Reason for state change         Shows the reason why this Cluster Member changed its cluster state.
Event time                      Shows the date and the time when this Cluster Member changed its
                                cluster state.
Last cluster failover event     Shows information about the last time a cluster failover occurred.
Transition to new ACTIVE        Shows which Cluster Member became the new Active.
Reason                          Shows the reason for the last cluster failover.
Event time                      Shows the date and the time of the last cluster failover.
Cluster failover count          Shows information about the cluster failovers.
Failover counter                Shows the number of cluster failovers since the boot.
                                Notes:
                                - This value survives reboot.
                                - This counter is synchronized between Cluster Members.
Time of counter reset           Shows the date and the time of the last counter reset, and the
                                reset initiator.

When you examine the state of the Cluster Member, consider whether it forwards packets, and
whether it has a problem that prevents it from forwarding packets. Each state reflects the result
of a test on critical devices. This table shows the possible cluster states, and whether or not
they represent a problem.

Table: Description of the cluster states

Cluster State: ACTIVE
    Description: Everything is OK.
    Forwarding packets? Yes
    Is this state a problem? No

Cluster State: ACTIVE(!), ACTIVE(!F), ACTIVE(!P), ACTIVE(!FP)
    Description: A problem was detected, but the Cluster Member still forwards packets, because it
    is the only member in the cluster, or because there are no other Active members in the
    cluster. In any other situation, the state of the member is Down.
    - ACTIVE(!) - See above.
    - ACTIVE(!F) - See above. Cluster Member is in the freeze state.
    - ACTIVE(!P) - See above. This is the Pivot Cluster Member in Load Sharing Unicast mode.
    - ACTIVE(!FP) - See above. This is the Pivot Cluster Member in Load Sharing Unicast mode and
      it is in the freeze state.
    Forwarding packets? Yes
    Is this state a problem? Yes

Cluster State: DOWN
    Description: One of the Critical Devices reports its state as "problem" (see "Viewing
    Critical Devices" on page 1243).
    Forwarding packets? No
    Is this state a problem? Yes

Cluster State: LOST
    Description: The peer Cluster Member lost connectivity to this local Cluster Member (for
    example, while the peer Cluster Member is rebooted).
    Forwarding packets? No
    Is this state a problem? Yes

Cluster State: READY
    Description: State Ready means that the Cluster Member recognizes itself as a part of the
    cluster and is literally ready to go into action, but, by design, something prevents it from
    taking action. Possible reasons that the Cluster Member is not yet Active include:
    - Not all required software components were loaded and initialized yet and/or not all
      configuration steps finished successfully yet. Before a Cluster Member becomes Active, it
      sends a message to the rest of the Cluster Members, to check if it can become Active. In
      High Availability mode it checks if there is already an Active member and in Load Sharing
      Unicast mode it checks if there is a Pivot member already. The member remains in the Ready
      state until it receives the response from the rest of the Cluster Members and decides
      which state to choose next (Active, Standby, Pivot, or non-Pivot).
    - Software installed on this Cluster Member has a higher version than all the other Cluster
      Members. For example, when a cluster is upgraded from one version of Check Point Security
      Gateway to another, and the Cluster Members have different versions of Check Point Security
      Gateway, the Cluster Members with the new version have the Ready state, and the Cluster
      Members with the previous version have the Active/Active Attention state.
      This applies only when the Multi-Version Cluster Mechanism is disabled (see "Viewing the
      State of the Multi-Version Cluster Mechanism" on page 1281).
      See sk42096 for a solution.
    Forwarding packets? No
    Is this state a problem? No

Cluster State: STANDBY
    Description: Applies only to a High Availability mode. Means that the Cluster Member waits
    for an Active Cluster Member to fail in order to start packet forwarding.
    Forwarding packets? No
    Is this state a problem? No

Cluster State: BACKUP
    Description: Applies only to a VSX Cluster in Virtual System Load Sharing mode with three or
    more Cluster Members configured. State of a Virtual System on a third (and so on) VSX
    Cluster Member.
    Forwarding packets? No
    Is this state a problem? No

Cluster State: INIT
    Description: The Cluster Member is in the phase after the boot and until the Full Sync
    completes.
    Forwarding packets? No
    Is this state a problem? No
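The state table above is what a monitoring job needs in order to decide whether a member deserves an alert. The following parser, added here as an example and not Check Point code, reads "cphaprob state" output in the format shown in this guide and reports members whose state the table marks as a problem, active PNOTEs, and a High Availability cluster that does not have exactly one ACTIVE member; the sample output is constructed from the guide's own example values.

```python
"""Parse 'cphaprob state' output and flag members whose state the guide's
"Description of the cluster states" table marks as a problem.
Added example, not Check Point code; the sample output is constructed from
the format and values shown in this guide."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# state -> (forwards packets, is a problem), copied from the guide's table.
STATE_TABLE = {
    "ACTIVE": (True, False),
    "ACTIVE(!)": (True, True),
    "ACTIVE(!F)": (True, True),
    "ACTIVE(!P)": (True, True),
    "ACTIVE(!FP)": (True, True),
    "DOWN": (False, True),
    "LOST": (False, True),
    "READY": (False, False),
    "STANDBY": (False, False),
    "BACKUP": (False, False),
    "INIT": (False, False),
}

# One member row: "<ID> [(local)] <Unique Address> <Load>% <State> <Name>"
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)\s*(?P<local>\(local\))?\s+(?P<addr>\d+(?:\.\d+){3})\s+"
    r"(?P<load>\d+)%\s+(?P<state>\S+)\s+(?P<name>\S+)\s*$"
)


@dataclass
class Member:
    member_id: int
    local: bool
    address: str
    load: int
    state: str
    name: str


@dataclass
class ClusterState:
    mode: Optional[str] = None
    members: List[Member] = field(default_factory=list)
    active_pnotes: List[str] = field(default_factory=list)
    failover_counter: Optional[int] = None


def parse_cphaprob_state(text: str) -> ClusterState:
    """Extract the cluster mode, member rows, active PNOTEs and failover counter."""
    cs = ClusterState()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cluster Mode:"):
            cs.mode = line.split(":", 1)[1].strip()
        elif line.startswith("Active PNOTEs:"):
            value = line.split(":", 1)[1].strip()
            cs.active_pnotes = [] if value == "None" else [p.strip() for p in value.split(",")]
        elif line.startswith("Failover counter:"):
            cs.failover_counter = int(line.split(":", 1)[1])
        else:
            m = MEMBER_RE.match(line)
            if m:
                cs.members.append(Member(int(m["id"]), m["local"] is not None, m["addr"],
                                         int(m["load"]), m["state"], m["name"]))
    return cs


def findings(cs: ClusterState) -> List[str]:
    """Human-readable findings: problem states, active PNOTEs, and an HA cluster
    that does not have exactly one ACTIVE member."""
    out = []
    for mem in cs.members:
        if mem.state not in STATE_TABLE:
            out.append(f"{mem.name}: unknown state {mem.state!r}")
            continue
        forwards, problem = STATE_TABLE[mem.state]
        if problem:
            fwd = "still forwarding" if forwards else "not forwarding"
            out.append(f"{mem.name}: state {mem.state} is a problem ({fwd})")
    if cs.active_pnotes:
        out.append("local member has active PNOTEs: " + ", ".join(cs.active_pnotes))
    if cs.mode and cs.mode.startswith("High Availability"):
        active = [m.name for m in cs.members if m.state.startswith("ACTIVE")]
        if len(active) != 1:
            out.append(f"HA cluster has {len(active)} ACTIVE member(s): {active}")
    return out


# Constructed sample, following the guide's own "show cluster state" example.
SAMPLE_OUTPUT = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name
1 (local)  11.22.33.245    100%            ACTIVE(!)      Member1
2          11.22.33.246    0%              DOWN           Member2

Active PNOTEs: COREXL

Last member state change event:
   Event Code:                 CLUS-116505
   State change:               INIT -> ACTIVE(!)
   Reason for state change:    All other machines are dead (timeout), FULLSYNC PNOTE
   Event time:                 Sun Sep  8 15:28:39 2019

Cluster failover count:
   Failover counter:           0
   Time of counter reset:      Sun Sep  8 15:28:21 2019 (reboot)
"""

if __name__ == "__main__":
    for line in findings(parse_cphaprob_state(SAMPLE_OUTPUT)):
        print(line)
```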

Viewing Critical Devices

Description
There are a number of built-in Critical Devices, and the Administrator can define additional
Critical Devices.
When a Critical Device reports its state as a "problem", the Cluster Member reports its state
as "DOWN".
To see the list of Critical Devices on a Cluster Member, and of all the other Cluster Members,
run the commands listed below on the Cluster Member.
Table: Built-in Critical Devices
Meaning of
Meaning of the
Critical Device Description the "OK"
"problem" state
state

Problem Monitors all the Critical Devices. None of the At least one of
Notification Critical the Critical
Devices on Devices on this
this Cluster Cluster Member
Member reports its state
report its state as "problem".
as problem.

Init Monitors if "HA module" was This Cluster


initialized successfully. See Member
sk36372. receives
cluster state
information
from peer
Cluster
Members.

Interface Monitors the state of cluster All cluster At least one of


Active Check interfaces. interfaces on the cluster
this Cluster interfaces on
Member are this Cluster
up (CCP Member is down
packets are (CCP packets
sent and are not sent
received on all and/or received
cluster on time).
interfaces).

R80.40 CLI Reference Guide | 1243


Viewing Critical Devices

Table: Built-in Critical Devices (continued)


Meaning of
Meaning of the
Critical Device Description the "OK"
"problem" state
state

Load Currently is not used (see


Balancing sk36373).
Configuration

Recovery Monitors the state of a Virtual State of a State of a Virtual


Delay System (see sk92353). Virtual System cannot
System can be changed yet
be changed on this Cluster
on this Cluster Member.
Member.

CoreXL Monitors CoreXL configuration Number of Number of


Configuration for inconsistencies on all Cluster configured configured
Members. CoreXL CoreXL Firewall
Firewall instances on
instances on this Cluster
this Cluster Member is
Member is the different from
same as on all peer Cluster
peer Cluster Members.
Members. Important - A
Cluster Member
with a greater
number of
CoreXL Firewall
instances
changes its
state to DOWN.

Fullsync Monitors if Full Sync on this This Cluster This Cluster


Cluster Member completed Member Member was
successfully. completed not able to
Full Sync complete Full
successfully. Sync.

Policy Monitors if the Security Policy is This Cluster Security Policy


installed. Member is not currently
successfully installed on this
installed Cluster
Security Member.
Policy.

R80.40 CLI Reference Guide | 1244


Viewing Critical Devices

Table: Built-in Critical Devices (continued)


Meaning of
Meaning of the
Critical Device Description the "OK"
"problem" state
state

fwd
  Description: Monitors the Security Gateway process called fwd.
  OK state: fwd daemon on this Cluster Member reported its state on time.
  Problem state: fwd daemon on this Cluster Member did not report its state on time.

cphad
  Description: Monitors the ClusterXL process called cphamcset. Also see the $FWDIR/log/cphamcset.elg file.
  OK state: cphamcset daemon on this Cluster Member reported its state on time.
  Problem state: cphamcset daemon on this Cluster Member did not report its state on time.

routed
  Description: Monitors the Gaia process called routed.
  OK state: routed daemon on this Cluster Member reported its state on time.
  Problem state: routed daemon on this Cluster Member did not report its state on time.

cvpnd
  Description: Monitors the Mobile Access back-end process called cvpnd. This pnote appears if the Mobile Access Software Blade is enabled.
  OK state: cvpnd daemon on this Cluster Member reported its state on time.
  Problem state: cvpnd daemon on this Cluster Member did not report its state on time.

ted
  Description: Monitors the Threat Emulation process called ted.
  OK state: ted daemon on this Cluster Member reported its state on time.
  Problem state: ted daemon on this Cluster Member did not report its state on time.


VSX
  Description: Monitors all Virtual Systems in the VSX Cluster.
  OK state: On VS0, means that states of all Virtual Systems are not Down on this Cluster Member. On other Virtual Systems, means that VS0 is alive on this Cluster Member.
  Problem state: Minimum of blocking states of all Virtual Systems is not "active" (the VSIDs will be printed on the line Problematic VSIDs:) on this Cluster Member.

Instances
  Description: This Critical Device appears in a VSX HA mode (not VSLS) cluster.
  OK state: The number of CoreXL Firewall instances in the received CCP packet matches the number of loaded CoreXL Firewall instances on this VSX Cluster Member or this Virtual System.
  Problem state: There is a mismatch between the number of CoreXL Firewall instances in the received CCP packet and the number of loaded CoreXL Firewall instances on this VSX Cluster Member or this Virtual System (see sk106912).

Hibernating
  Description: This pnote appears in a VSX VSLS mode cluster with 3 and more Cluster Members. This pnote shows if this Virtual System is in "Backup" (hibernated) state. Also see sk114557.
  Problem state: This Virtual System is in "Backup" (hibernated) state on this Cluster Member.


admin_down
  Description: Monitors the Critical Device "admin_down".
  Problem state: User ran the clusterXL_admin down command on this Cluster Member. See "The clusterXL_admin Script" on page 1294.

host_monitor
  Description: Monitors the Critical Device "host_monitor". User executed the $FWDIR/bin/clusterXL_monitor_ips script. See "The clusterXL_monitor_ips Script" on page 1298.
  OK state: All monitored IP addresses on this Cluster Member replied to pings.
  Problem state: At least one of the monitored IP addresses on this Cluster Member did not reply to at least one ping.

A name of a user space process (except fwd, routed, cvpnd, ted)
  Description: Administrator executed the $FWDIR/bin/clusterXL_monitor_process script. See "The clusterXL_monitor_process Script" on page 1302.
  OK state: All monitored user space processes on this Cluster Member are running.
  Problem state: At least one of the monitored user space processes on this Cluster Member is not running.

Syntax

Shell         Command
Gaia Clish    show cluster members pnotes {all | problem}
Expert mode   cphaprob [-l] [-ia] [-e] list


Where:

show cluster members pnotes all
  Shows the list of all Critical Devices

show cluster members pnotes problem
  Prints the list of all the "Built-in Devices" and the "Registered Devices" that report their state as "problem"

cphaprob -l list
  Shows the list of all Critical Devices

cphaprob -i list
  When there are no issues on the Cluster Member, shows:
  There are no pnotes in problem state
  When a Critical Device reports a problem, prints only the Critical Device that reports its state as "problem".

cphaprob -ia list
  When there are no issues on the Cluster Member, shows:
  There are no pnotes in problem state
  When a Critical Device reports a problem, prints the Critical Device "Problem Notification" and the Critical Device that reports its state as "problem"

cphaprob -e list
  When there are no issues on the Cluster Member, shows:
  There are no pnotes in problem state
  When a Critical Device reports a problem, prints only the Critical Device that reports its state as "problem"

Related topics
- "Reporting the State of a Critical Device" on page 1215
- "Registering a Critical Device" on page 1210
- "Registering Critical Devices Listed in a File" on page 1217
- "Unregistering a Critical Device" on page 1214
- "Unregistering All Critical Devices" on page 1219


Examples
Example 1 - Critical Device 'fwd'

Critical Device fwd reports its state as problem because the fwd process is down.

[Expert@Member1:0]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 940.3 sec

Device Name: fwd
Registration number: 3
Timeout: 30 sec
Current state: problem
Time since last report: 1782.9 sec
Process Status: DOWN

Device Name: cphad
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 1778.3 sec
Process Status: UP

Device Name: VSX
Registration number: 5
Timeout: none
Current state: OK
Time since last report: 1773.3 sec

Device Name: Init
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 1773.3 sec

[Expert@Member1:0]#


Example 2 - Critical Device 'CoreXL Configuration'

Critical Device CoreXL Configuration reports its state as problem because the
numbers of CoreXL Firewall instances do not match between the Cluster Members.

[Expert@Member1:0]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: problem (non-blocking)

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 940.3 sec

Device Name: fwd
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 1782.9 sec
Process Status: UP

Device Name: cphad
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 1778.3 sec
Process Status: UP

Device Name: VSX
Registration number: 5
Timeout: none
Current state: OK
Time since last report: 1773.3 sec

Device Name: Init
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 1773.3 sec

[Expert@Member1:0]#
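The two listings above are read by eye; as an added example that is not Check Point code, this Python script parses the same "cphaprob -l list" format and reports only the Critical Devices in "problem" state, keeping the "(non-blocking)" qualifier and the Process Status where one is printed. The sample output is constructed from Examples 1 and 2.

```python
# Parse "cphaprob -l list" output and report the pnotes in "problem" state.
# Added example, not Check Point code; SAMPLE is constructed from the guide's examples.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pnote:
    name: str
    builtin: bool                         # listed under "Built-in Devices:"
    state: str = "unknown"                # "OK" or "problem"
    blocking: bool = True                 # False when the state reads "(non-blocking)"
    timeout: Optional[str] = None
    last_report: Optional[float] = None   # "Time since last report", in seconds
    process_status: Optional[str] = None  # "UP" / "DOWN", process pnotes only


def parse_pnotes(text: str) -> list:
    """Walk the output line by line; every 'Device Name:' starts a new record."""
    devices = []
    builtin = True
    current: Optional[Pnote] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Built-in Devices:":
            builtin = True
        elif line == "Registered Devices:":
            builtin = False
        elif line.startswith("Device Name:"):
            current = Pnote(name=line.split(":", 1)[1].strip(), builtin=builtin)
            devices.append(current)
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "Current state":
                current.state = value.split()[0]            # "OK" / "problem"
                current.blocking = "(non-blocking)" not in value
            elif key == "Timeout":
                current.timeout = value
            elif key == "Time since last report":
                current.last_report = float(value.split()[0])
            elif key == "Process Status":
                current.process_status = value
    return devices


def problem_report(text: str) -> list:
    """One line per pnote in "problem" state, in the spirit of 'cphaprob -i list'."""
    lines = []
    for d in parse_pnotes(text):
        if d.state != "problem":
            continue
        detail = "blocking" if d.blocking else "non-blocking"
        if d.process_status:
            detail += f", process {d.process_status}"
        lines.append(f"{d.name}: problem ({detail})")
    return lines or ["There are no pnotes in problem state"]


# Constructed sample: CoreXL mismatch (non-blocking) plus the fwd daemon down.
SAMPLE = """\
[Expert@Member1:0]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: CoreXL Configuration
Current state: problem (non-blocking)

Registered Devices:

Device Name: Fullsync
Timeout: none
Current state: OK
Time since last report: 1753.7 sec

Device Name: fwd
Timeout: 30 sec
Current state: problem
Time since last report: 1782.9 sec
Process Status: DOWN

Device Name: cphad
Timeout: 30 sec
Current state: OK
Time since last report: 1778.3 sec
Process Status: UP

[Expert@Member1:0]#
"""

if __name__ == "__main__":
    for line in problem_report(SAMPLE):
        print(line)
```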


Viewing Cluster Interfaces

Description
This command shows the state of the Cluster Member interfaces and the virtual cluster
interfaces.
ClusterXL treats the interfaces as Critical Devices. ClusterXL makes sure that interfaces can
send and receive CCP packets.
ClusterXL also sets the required minimal number of functional interfaces to the largest number
of functional interfaces ClusterXL detected since the last reboot. If the number of functional
interfaces is less than the required number, ClusterXL declares the Cluster Member as failed
and starts a failover. The same applies to the synchronization interfaces, where only good
synchronization interfaces are counted.
When an interface is DOWN, it means that the interface cannot receive or send CCP packets,
or both. An interface may also be able to receive, but not send CCP packets. The time you see
in the command's output is the number of seconds that elapsed since the interface was last
able to receive or send a CCP packet.

Syntax

Shell         Command
Gaia Clish    1. set virtual-system <VSID>
              2. show cluster members interfaces {all | secured | virtual | vlans}
Expert mode   cphaprob [-vs all] [-a] [-m] if


Where:

show cluster members interfaces all
  Shows full list of all cluster interfaces:
  - including the number of required interfaces
  - including Network Objective
  - including VLAN monitoring mode, or list of monitored VLAN interfaces

show cluster members interfaces secured
  Shows only cluster interfaces (Cluster and Sync) and their states:
  - without Network Objective
  - without VLAN monitoring mode
  - without monitored VLAN interfaces

show cluster members interfaces virtual
  Shows full list of cluster virtual interfaces and their states:
  - including the number of required interfaces
  - including Network Objective
  - without VLAN monitoring mode
  - without monitored VLAN interfaces

show cluster members interfaces vlans
  Shows only monitored VLAN interfaces

cphaprob if
  Shows only cluster interfaces (Cluster and Sync) and their states:
  - without Network Objective
  - without VLAN monitoring mode
  - without monitored VLAN interfaces

cphaprob -a if
  Shows full list of cluster interfaces and their states:
  - including the number of required interfaces
  - including Network Objective
  - without VLAN monitoring mode
  - without monitored VLAN interfaces


cphaprob -a -m if
  Shows full list of all cluster interfaces and their states:
  - including the number of required interfaces
  - including Network Objective
  - including VLAN monitoring mode, or list of monitored VLAN interfaces

Output
The output of these commands must be identical to the configuration in the cluster object's
Network Management page in SmartConsole.

Example

[Expert@Member1:0]# cphaprob -a -m if

CCP mode: Manual (Unicast)

Required interfaces: 4
Required secured interfaces: 1

Interface Name: Status:

eth0 UP
eth1 (S) UP
eth2 (LM) UP
bond1 (LS) UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 3

eth0 192.168.3.247
eth2 44.55.66.247
bond1 77.88.99.247

No VLANs are monitored on the member

[Expert@Member1:0]#

Description of the "cphaprob -a -m if" command output fields:


Table: Description of the output fields

CCP mode
  Shows the CCP mode.
  The default mode is Unicast.
  Important - In R80.40, the CCP always runs in the unicast mode.


Required interfaces
  Shows the total number of monitored cluster interfaces, including the Sync interface.
  This number is based on the configuration of the cluster object > Network Management page.

Required secured interfaces
  Shows the total number of the required Sync interfaces.
  This number is based on the configuration of the cluster object > Network Management page.

Non-Monitored
  This means that the Cluster Member does not monitor the state of this interface.
  In SmartConsole, in the cluster object > Network Management page, the administrator configured the Network Type Private for this interface.

UP
  This means that the Cluster Member monitors the state of this interface.
  The current cluster state of this interface is UP, which means this interface can send and receive CCP packets.
  In SmartConsole, in the cluster object > Network Management page, the administrator configured one of these Network Types for this interface: Cluster, Sync, or Cluster + Sync.

DOWN
  This means that the Cluster Member monitors the state of this interface.
  The current cluster state of this interface is DOWN, which means this interface cannot send CCP packets, receive CCP packets, or both.
  In SmartConsole, in the cluster object > Network Management page, the administrator configured one of these Network Types for this interface: Cluster, Sync, or Cluster + Sync.

(S)
  This interface is a Sync interface.
  In SmartConsole, in the cluster object > Network Management page, the administrator configured one of these Network Types for this interface: Sync, or Cluster + Sync.


(LM)
  This interface is configured in the $FWDIR/conf/cpha_link_monitoring.conf file.
  The Cluster Member monitors only the link on this interface (it does not monitor the received or sent CCP packets).
  See "Configuring Link Monitoring on the Cluster Interfaces" on page 1228.

(HA)
  This interface is a Bond interface in High Availability mode.

(LS)
  This interface is a Bond interface in Load Sharing mode.

Virtual cluster interfaces
  Shows the total number of the configured virtual cluster interfaces.
  This number is based on the configuration of the cluster object > Network Management page.

No VLANs are monitored on the member
  Shows the VLAN monitoring mode - there are no VLAN interfaces configured on the cluster interfaces.

Monitoring mode is Monitor all VLANs: All VLANs are monitored
  Shows the VLAN monitoring mode - there are some VLAN interfaces configured on the cluster interfaces, and the Cluster Member monitors all VLAN IDs.

Monitoring mode is Monitor specific VLAN: Only specified VLANs are monitored
  Shows the VLAN monitoring mode - there are some VLAN interfaces configured on the cluster interfaces, and the Cluster Member monitors only specific VLAN IDs.
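As an added example that is not part of the guide, this Python script parses "cphaprob -a -m if" output and applies the rule from the Description above: it counts the UP interfaces and the UP (S) interfaces against "Required interfaces" and "Required secured interfaces" and reports when the Cluster Member would be declared failed. The sample output is constructed from the example above with eth2 forced DOWN and an added Non-Monitored interface (the Non-Monitored status text comes from the field table); any text printed after an interface's status is ignored.

```python
# Parse "cphaprob -a -m if" output and check UP interface counts against the
# required counts.  Added example, not Check Point code; SAMPLE is constructed.
import re
from dataclasses import dataclass, field


@dataclass
class ClusterIf:
    name: str
    status: str           # UP, DOWN or Non-Monitored
    sync: bool            # carries the (S) flag
    link_monitor: bool    # carries the (LM) flag: only the link state is monitored
    bond_mode: str = ""   # "HA" or "LS" for bond interfaces, otherwise ""


@dataclass
class IfReport:
    ccp_mode: str = ""
    required: int = 0
    required_secured: int = 0
    vlan_monitoring: str = ""
    interfaces: list = field(default_factory=list)


# "<name> [(S)] [(LM)] [(HA)|(LS)] <status>"; anything after the status is ignored.
ROW = re.compile(r"^(\S+)\s+((?:\([A-Z/]+\)\s*)*)(UP|DOWN|Non-Monitored)\b")


def parse_cluster_if(text: str) -> IfReport:
    r = IfReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CCP mode:"):
            r.ccp_mode = line.split(":", 1)[1].strip()
        elif line.startswith("Required secured interfaces:"):
            r.required_secured = int(line.split(":")[1])
        elif line.startswith("Required interfaces:"):
            r.required = int(line.split(":")[1])
        elif "VLAN" in line and "monitor" in line.lower():
            r.vlan_monitoring = line          # the VLAN monitoring mode line
        else:
            m = ROW.match(line)
            if m:
                flags = set(re.findall(r"\(([A-Z/]+)\)", m.group(2)))
                bond = next((f for f in ("HA", "LS") if f in flags), "")
                r.interfaces.append(ClusterIf(m.group(1), m.group(3),
                                              "S" in flags, "LM" in flags, bond))
    return r


def up_count(r: IfReport, sync_only: bool = False) -> int:
    return sum(1 for i in r.interfaces if i.status == "UP" and (i.sync or not sync_only))


def evaluate(r: IfReport) -> list:
    """Findings in the order an operator would read them."""
    findings = []
    for i in r.interfaces:
        if i.status == "DOWN":
            why = ("link is down (link-monitor only interface)" if i.link_monitor
                   else "cannot send and/or receive CCP packets")
            findings.append(f"{i.name} is DOWN: {why}")
    up, sync_up = up_count(r), up_count(r, sync_only=True)
    if up < r.required:
        findings.append(f"member declared failed: {up} of {r.required} required interfaces are UP")
    if sync_up < r.required_secured:
        findings.append(f"member declared failed: {sync_up} of {r.required_secured} "
                        "required secured (sync) interfaces are UP")
    return findings


SAMPLE = """\
CCP mode: Manual (Unicast)

Required interfaces: 4
Required secured interfaces: 1

Interface Name:      Status:

eth0                 UP
eth1 (S)             UP
eth2 (LM)            DOWN
eth3                 Non-Monitored
bond1 (LS)           UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 3

eth0            192.168.3.247
eth2            44.55.66.247
bond1           77.88.99.247

No VLANs are monitored on the member
"""

if __name__ == "__main__":
    for finding in evaluate(parse_cluster_if(SAMPLE)):
        print(finding)
```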


Viewing Bond Interfaces

Description
This command shows the configuration of bond interfaces and their subordinate interfaces.

Syntax

Shell         Command
Gaia Clish    1. show cluster bond {all | name <bond_name>}
              2. show bonding groups
Expert mode   cphaprob show_bond [<bond_name>]
              cphaprob show_bond_groups

Where:

show cluster bond all
show bonding groups
cphaprob show_bond
  Shows configuration of all configured bond interfaces

show cluster bond name <bond_name>
cphaprob show_bond <bond_name>
  Shows configuration of the specified bond interface

cphaprob show_bond_groups
  Shows the configured Groups of Bonds and their settings.


Examples
Example 1 - 'cphaprob show_bond'
[Expert@Member2:0]# cphaprob show_bond

                                      |Slaves     |Slaves  |Slaves
Bond name  |Mode               |State |configured |link up |required
-----------+-------------------+------+-----------+--------+--------
bond1      | High Availability | UP   | 2         | 2      | 1

Legend:
-------
UP! - Bond interface state is UP, yet attention is required
Slaves configured - number of slave interfaces configured on the bond
Slaves link up - number of operational slaves
Slaves required - minimal number of operational slaves required for bond to be UP

[Expert@Member2:0]#

Member2> show bonding groups

Bonding Interface: 1
    Bond Configuration
        xmit-hash-policy   Not configured
        down-delay         200
        primary            Not configured
        lacp-rate          Not configured
        mode               active-backup
        up-delay           200
        mii-interval       100
    Bond Interfaces
        eth3
        eth4
Member2>

Description of the output fields for the "cphaprob show_bond" and "show cluster
bond all" commands:

Table: Description of the output fields

Bond name
  Name of the Gaia bonding group.

Mode
  Bonding mode of this Gaia bonding group. One of these:
  - High Availability
  - Load Sharing

State
  State of the Gaia bonding group:
  - UP - Bond interface is fully operational
  - UP! - Bond interface state is UP, yet attention is required
  - DOWN - Bond interface failed

Slaves configured
  Total number of physical subordinate interfaces configured in this Gaia bonding group.


Slaves link up
  Number of operational physical subordinate interfaces in this Gaia bonding group.

Slaves required
  Minimal number of operational physical subordinate interfaces required for the state of this Gaia bonding group to be UP.

Example 2 - 'cphaprob show_bond <bond_name>'


[Expert@Member2:0]# cphaprob show_bond bond1

Bond name:      bond1
Bond mode:      High Availability
Bond status:    UP

Configured slave interfaces: 2
In use slave interfaces:     2
Required slave interfaces:   1

Slave name      | Status          | Link
----------------+-----------------+-------
eth4            | Active          | Yes
eth3            | Backup          | Yes

[Expert@Member2:0]#

Description of the output fields for the "cphaprob show_bond <bond_name>" and
"show cluster bond name <bond_name>" commands:
Table: Description of the output fields

Bond name
  Name of the Gaia bonding group.

Bond mode
  Bonding mode of this Gaia bonding group. One of these:
  - High Availability
  - Load Sharing

Bond status
  Status of the Gaia bonding group. One of these:
  - UP - Bond interface is fully operational
  - UP! - Bond interface state is UP, yet attention is required
  - DOWN - Bond interface failed

Configured slave interfaces
  Total number of physical subordinate interfaces configured in this Gaia bonding group.


In use subordinate interfaces
  Number of operational physical subordinate interfaces in this Gaia bonding group.

Required subordinate interfaces
  Minimal number of operational physical subordinate interfaces required for the state of this Gaia bonding group to be UP.

Slave name
  Names of physical subordinate interfaces configured in this Gaia bonding group.

Status
  Status of physical subordinate interfaces in this Gaia bonding group. One of these:
  - Active - In High Availability or Load Sharing bonding mode. This subordinate interface is currently handling traffic.
  - Backup - In High Availability bonding mode only. This subordinate interface is ready and can support internal bond failover.
  - Not Available - In High Availability or Load Sharing bonding mode. The physical link on this subordinate interface is lost, or this Cluster Member is in status Down. The bond cannot failover internally in this state.

Link
  State of the physical link on the physical subordinate interfaces in this Gaia bonding group. One of these:
  - Yes - Link is present
  - No - Link is lost

Example 3 - 'cphaprob show_bond_groups'


[Expert@Member2:0]# cphaprob show_bond_groups

                    |           | Required     | Bonds    | Bonds
Group of bonds name | State     | active bonds | in group | status
--------------------+-----------+--------------+----------+--------+
GoB0                | UP        | 1            |          |
                    |           |              | bond1    | UP
                    |           |              | bond2    | UP

Legend:
---------
Bonds in group - a list of the bonds in the bond group
Required active bonds - number of required active bonds
[Expert@Member2:0]#

Description of the output fields for the "cphaprob show_bond_groups" command:


Table: Description of the output fields

Group of bonds name
  Name of the Group of Bonds.

State
  State of the Group of Bonds. One of these:
  - UP - Group of Bonds is fully operational
  - DOWN - Group of Bonds failed

Required active bonds
  Number of required active bonds in this Group of Bonds.

Bonds in group
  Names of the Gaia bond interfaces configured in this Group of Bonds.

Bonds status
  State of the Gaia bond interface. One of these:
  - UP - Bond interface is fully operational
  - DOWN - Bond interface failed


Viewing Cluster Failover Statistics

Description
This command shows the cluster failover statistics on the Cluster Member:
- Number of failovers that happened
- Failover reason
- The time of the last failover event

Syntax to show the statistics

Shell         Command
Gaia Clish    show cluster failover
Expert mode   cphaprob [-l <number>] show_failover

Syntax to reset the statistics

Shell         Command
Gaia Clish    show cluster failover reset {count | history}
Expert mode   cphaprob -reset {-c | -h} show_failover

Parameters

-l <number>
  Specifies how many of the last failover events to show (between 1 and 50)

count
-c
  Resets the counter of failover events

history
-h
  Resets the history of failover events


Example

[Expert@Member1:0]# cphaprob show_failover

Last cluster failover event:
   Transition to new ACTIVE: Member 2 -> Member 1
   Reason: ADMIN_DOWN PNOTE
   Event time: Sun Sep 8 18:21:44 2019

Cluster failover count:
   Failover counter: 1
   Time of counter reset: Sun Sep 8 16:08:34 2019 (reboot)

Cluster failover history (last 20 failovers since reboot/reset on Sun Sep 8 16:08:34 2019):

No.   Time:                     Transition:             CPU:   Reason:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1     Sun Sep 8 18:21:44 2019   Member 2 -> Member 1    01     ADMIN_DOWN PNOTE

[Expert@Member1:0]#


Viewing Software Versions on Cluster Members

Description
This command shows information about the software version (including private hotfixes) on
the local Cluster Member and its matches / mismatches with other Cluster Members.

Syntax

Shell Command

Gaia Clish show cluster release

Expert mode cphaprob release

Example

[Expert@Member1:0]# cphaprob release

Release: R80.40 T136

Kernel build: 994000117
FW1 build: 994000116
FW1 private fixes: None

ID         SW release
1 (local)  R80.40 T136
2          R80.40 T136

[Expert@Member1:0]#


Viewing Delta Synchronization


Heavily loaded clusters and clusters with geographically separated members pose special
challenges.
High connection rates, and large distances between the members can lead to delays that
affect the operation of the cluster.
Monitor the operation of the State Synchronization mechanism in highly loaded and distributed
clusters.

Perform these troubleshooting steps:

1. Examine the Delta Sync statistics counters:

   Shell         Command
   Gaia Clish    show cluster statistics sync
   Expert mode   cphaprob syncstat

2. Change the values of the applicable synchronization global configuration parameters.

3. Reset the Delta Sync statistics counters:

   Shell         Command
   Gaia Clish    show cluster statistics sync reset
   Expert mode   cphaprob -reset syncstat

4. Examine the Delta Sync statistics to see if the problem is solved.

5. Solve any identified problem.


Example output of the "show cluster statistics sync" and "cphaprob syncstat"
commands from a Cluster Member:

Delta Sync Statistics

Sync status: OK

Drops:
Lost updates................................. 0
Lost bulk update events...................... 0
Oversized updates not sent................... 0

Sync at risk:
Sent reject notifications.................... 0
Received reject notifications................ 0

Sent messages:
Total generated sync messages................ 26079
Sent retransmission requests................. 0
Sent retransmission updates.................. 0
Peak fragments per update.................... 1

Received messages:
Total received updates....................... 3710
Received retransmission requests............. 0

Sync Interface:
Name......................................... eth1
Link speed................................... 1000Mb/s
Rate......................................... 46000 [Bps]
Peak rate.................................... 46000 [Bps]
Link usage................................... 0%
Total........................................ 376827[KB]

Queue sizes (num of updates):
Sending queue size........................... 512
Receiving queue size......................... 256
Fragments queue size......................... 50

Timers:
Delta Sync interval (ms)..................... 100

Reset on Sun Sep 8 16:09:15 2019 (triggered by fullsync).

Each section of the output is described below.

The "Sync status:" section

This section shows the status of the Delta Sync mechanism. One of these:
- Sync status: OK
- Sync status: Off - Full-sync failure
- Sync status: Off - Policy installation failure
- Sync status: Off - Cluster module not started
- Sync status: Off - SIC failure
- Sync status: Off - Full-sync checksum error
- Sync status: Off - Full-sync received queue is full


- Sync status: Off - Release version mismatch
- Sync status: Off - Connection to remote member timed-out
- Sync status: Off - Connection terminated by remote member
- Sync status: Off - Could not start a connection to remote member
- Sync status: Off - cpstart
- Sync status: Off - cpstop
- Sync status: Off - Manually disabled sync
- Sync status: Off - Was not able to start for more than X second
- Sync status: Off - Boot
- Sync status: Off - Connectivity Upgrade (CU)
- Sync status: Off - cphastop
- Sync status: Off - Policy unloaded
- Sync status: Off - Hibernation
- Sync status: Off - OSU deactivated
- Sync status: Off - Sync interface down
- Sync status: Fullsync in progress
- Sync status: Problem (Able to send sync packets, unable to receive sync packets)
- Sync status: Problem (Able to send sync packets, saving incoming sync packets)
- Sync status: Problem (Able to send sync packets, able to receive sync packets)
- Sync status: Problem (Unable to send sync packets, unable to receive sync packets)
- Sync status: Problem (Unable to send sync packets, saving incoming sync packets)
- Sync status: Problem (Unable to send sync packets, able to receive sync packets)

The "Drops:" section

This section shows statistics for drops on the Delta Sync network.


Table: Description of the output fields

Lost updates
  Shows how many Delta Sync updates this Cluster Member considers as lost (based on sequence numbers in CCP packets).
  If this counter shows a value greater than 0, this Cluster Member lost Delta Sync updates.
  Possible mitigation:
  Increase the size of the Sending Queue and the size of the Receiving Queue:
  - Increase the size of the Sending Queue, if the counter Received reject notification is increasing.
  - Increase the size of the Receiving Queue, if the counter Received reject notification is not increasing.

Lost bulk update events
  Shows how many times this Cluster Member missed Delta Sync updates (bulk update = twice the size of the local receiving queue).
  This counter increases when this Cluster Member receives a Delta Sync update with a sequence number much greater than expected. This probably indicates some networking issues that cause massive packet drops.
  This counter increases when the amount of missed Delta Sync updates is more than twice the local Receiving Queue Size.
  Possible mitigation:
  - If the counter's value is steady, this might indicate a one-time synchronization problem that can be resolved by running manual Full Sync. See sk37029.
  - If the counter's value keeps increasing, there are probably some networking issues. Increase the sizes of both the Receiving Queue and Sending Queue.

Oversized updates not sent
  Shows how many oversized Delta Sync updates were discarded before sending them.
  This counter increases when a Delta Sync update is larger than the local Fragments Queue Size.
  Possible mitigation:
  - If the counter's value is steady, increase the size of the Sending Queue.
  - If the counter's value keeps increasing, contact Check Point Support.


The "Sync at risk:" section

This section shows statistics indicating that the Sending Queue is at full capacity and rejects Delta Sync retransmission requests.

Table: Description of the output fields

Sent reject notifications
  Shows how many times this Cluster Member rejected Delta Sync retransmission requests from its peer Cluster Members, because this Cluster Member does not hold the requested Delta Sync update anymore.

Received reject notification
  Shows how many reject notifications this Cluster Member received from its peer Cluster Members.

The "Sent updates:" section

This section shows statistics for Delta Sync updates sent by this Cluster Member to its peer Cluster Members.

Table: Description of the output fields

Total generated sync messages
  Shows how many Delta Sync updates were generated.
  This counts the Delta Sync updates, Retransmission Requests, Retransmission Acknowledgments, and so on.

Sent retransmission requests
  Shows how many times this Cluster Member asked its peer Cluster Members to retransmit specific Delta Sync update(s).
  Retransmission requests are sent when certain Delta Sync updates (with a specified sequence number) are missing, while the sending Cluster Member already received Delta Sync updates with advanced sequences.
  Note - Compare the number of Sent retransmission requests to the Total generated sync messages of the other Cluster Members.
  A large counter value can imply connectivity problems. If the counter's value is unreasonably high (more than 30% of the Total generated sync messages of other Cluster Members), contact Check Point Support equipped with the entire output and a detailed description of the network topology and configuration.

Sent retransmission updates
  Shows how many times this Cluster Member retransmitted specific Delta Sync update(s) at the requests from its peer Cluster Members.


Table: Description of the output fields (continued)

Peak fragments per update
  Shows the peak amount of fragments in the Fragments Queue on this Cluster Member (usually, should be 1).

The "Received updates:" section

This section shows statistics for Delta Sync updates that were received by this Cluster Member from its peer Cluster Members.

Table: Description of the output fields

Total received updates
  Shows the total number of Delta Sync updates this Cluster Member received from its peer Cluster Members.
  This counts only Delta Sync updates (not Retransmission Requests, Retransmission Acknowledgments, and others).

Received retransmission requests
  Shows how many retransmission requests this Cluster Member received from its peer Cluster Members.
  A large counter value can imply connectivity problems. If the counter's value is unreasonably high (more than 30% of the Total generated sync messages on this Cluster Member), contact Check Point Support equipped with the entire output and a detailed description of the network topology and configuration.

The "Queue sizes (num of updates):" section

This section shows the sizes of the Delta Sync queues.

Table: Description of the output fields

Sending queue size
  Shows the size of the cyclic queue, which buffers all the Delta Sync updates that were already sent until it receives an acknowledgment from the peer Cluster Members.
  This queue is needed for retransmitting the requested Delta Sync updates.
  Each Cluster Member has one Sending Queue.
  Default: 512 Delta Sync updates, which is also the minimal value.


Table: Description of the output fields (continued)

Receiving queue size
  Shows the size of the cyclic queue, which buffers the received Delta Sync updates in two cases:
  - When Delta Sync updates are missing, this queue is used to hold the remaining received Delta Sync updates until the lost Delta Sync updates are retransmitted (Cluster Members must keep the order, in which they save the Delta Sync updates in the kernel tables).
  - This queue is used to re-assemble a fragmented Delta Sync update.
  Each Cluster Member has one Receiving Queue.
  Default: 256 Delta Sync updates, which is also the minimal value.

Fragments queue size
  Shows the size of the queue, which is used to prepare a Delta Sync update before moving it to the Sending Queue.
  Notes:
  - This queue must be smaller than the Sending Queue.
  - This queue must be significantly smaller than the Receiving Queue.
  Default: 50 Delta Sync updates, which is also the minimal value.

The "Timers:" section

This section shows the Delta Sync timers.

Field Description

Delta Sync interval (ms)
    Shows the interval at which this Cluster Member sends the Delta Sync updates from its
    Sending Queue.
    The base time unit is 100 ms (or 1 tick).
    Default: 100 ms, which is also the minimum value.
See Increasing the Sync Timer.

The "Reset on XXX (triggered XXX)" section

Shows the date and the time of the last statistics reset.
In parentheses, it shows how the last statistics reset was triggered - "manually", or "by
fullsync".


Viewing IGMP Status

Description
This command shows the IGMP membership status.

Syntax

Shell Command

Gaia Clish show cluster members igmp

Expert mode cphaprob igmp

Example

[Expert@Member1:0]# cphaprob igmp

IGMP Membership: Enabled


Supported Version: 2
Report Interval [sec]: 60

IGMP queries are replied only by Operating System

Interface Host Group Multicast Address Last ver. Last Query[sec]


------------------------------------------------------------------------------
eth0 224.168.3.247 01:00:5e:28:03:f7 N/A N/A
eth1 224.22.33.250 01:00:5e:16:21:fa N/A N/A
eth2 224.55.66.247 01:00:5e:37:42:f7 N/A N/A

[Expert@Member1:0]#


Viewing Cluster Delta Sync Statistics for Connections Table

Description
This command shows Delta Sync statistics about the operations performed in the Connections
Kernel Table (id 8158).
The output shows operations such as creating a new connection (SET), updating a connection
(REFRESH), deleting a connection (DELETE), and so on.

Syntax

Shell Command

Gaia Clish show cluster statistics transport [reset]

Expert mode cphaprob [-reset] ldstat

The "reset" flag resets the kernel statistics, which were collected since the last reboot or
reset.

Example

[Expert@Member1:0]# cphaprob ldstat

Operand Calls Bytes Average Ratio %


----------------------------------------------------------
ERROR 0 0 0 0
SET 354 51404 145 33
RENAME 0 0 0 0
REFRESH 1359 70668 52 46
DELETE 290 10440 36 6
SLINK 193 12352 64 8
UNLINK 0 0 0 0
MODIFYFIELDS 91 7280 80 4
RECORD DATA CONN 0 0 0 0
COMPLETE DATA CONN 0 0 0 0

Total bytes sent: 161292 (0 MB) in 1797 packets. Average 89

[Expert@Member1:0]#


Viewing Cluster IP Addresses

Description
This command shows the IP addresses and interfaces of the Cluster Members.

Syntax to see all interfaces

Shell Command

Gaia Clish show cluster members ips

Expert mode cphaprob tablestat

Syntax to see only the monitored interfaces

Note - These commands are available in R80.40 Jumbo Hotfix Accumulator Take 100
and higher (PRHF-13935).

Shell Command

Gaia Clish show cluster members monitored

Expert mode cphaprob -m tablestat


Example

Note - To see the names of the interfaces that correspond to the numbers in the "Interface"
column, run the "fw ctl iflist" on page 1032 command.

[Expert@Member1:0]# cphaprob tablestat

---- Unique IP's Table ----

Member Interface IP-Address


------------------------------------------

(Local)
0 1 192.168.3.245
0 2 11.22.33.245
0 3 44.55.66.245

1 1 192.168.3.246
1 2 11.22.33.246
1 3 44.55.66.246

------------------------------------------

[Expert@Member1:0]#
[Expert@Member1:0]# fw ctl iflist
1 : eth0
2 : eth1
3 : eth2
[Expert@Member1:0]#
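Reading the "Unique IP's Table" next to "fw ctl iflist" by hand is error-prone on a member with many interfaces. The script below is an added example, not code from this guide or from Check Point: it joins the two outputs so each cluster IP address is printed with its interface name. It assumes the two output layouts shown in the examples above (number, colon, name for "fw ctl iflist"; member number, interface number, IP address for the data rows of "cphaprob tablestat"). The embedded samples are the guide's own example outputs with the table banner omitted, so the function runs offline; an interface number that "fw ctl iflist" does not list is printed as "if<n>" rather than dropped.

```shell
#!/bin/sh
# Added example; not code from the R80.40 guide or from Check Point.
# Joins "cphaprob tablestat" (member, interface number, IP) with
# "fw ctl iflist" (interface number -> name).
# The samples are the guide's example outputs, embedded for offline use.

SAMPLE_IFLIST='1 : eth0
2 : eth1
3 : eth2'

SAMPLE_TABLESTAT='Member Interface IP-Address

------------------------------------------

(Local)
0 1 192.168.3.245
0 2 11.22.33.245
0 3 44.55.66.245

1 1 192.168.3.246
1 2 11.22.33.246
1 3 44.55.66.246

------------------------------------------'

# annotate_tablestat TABLESTAT IFLIST: prints "member<TAB>ifname<TAB>ip"
# for every data row. Interface numbers absent from IFLIST are printed
# as "if<n>" so a mismatch between the two tables stays visible.
annotate_tablestat() {
    printf '%s\n' "$1" | awk -v iflist="$2" '
        BEGIN {
            # build number -> name from the "N : name" lines of fw ctl iflist
            n = split(iflist, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], kv, " *: *") == 2)
                    name[kv[1]] = kv[2]
        }
        # data rows only: <member> <interface number> <dotted quad>
        NF == 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9.]+$/ {
            ifname = ($2 in name) ? name[$2] : "if" $2
            printf "%s\t%s\t%s\n", $1, ifname, $3
        }'
}

# Live use on a Cluster Member (Expert mode):  sh cluster_ips.sh --live
case "${1:-}" in
    --live) annotate_tablestat "$(cphaprob tablestat)" "$(fw ctl iflist)" ;;
esac
```

The "(Local)" marker and the separator lines are skipped by the row filter; only lines with exactly three fields of the expected shape are treated as data.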


Viewing the Cluster Member ID Mode in Local Logs

Description
This command shows how the local ClusterXL logs show the Cluster Member - by its Member
ID (default), or its Member Name.
See "Configuring the Cluster Member ID Mode in Local Logs" on page 1209.

Syntax

Shell Command

Gaia Clish show cluster members idmode

Expert mode cphaprob names

Example

[Expert@Member1:0]# cphaprob names

Current member print mode in local logs is set to: ID

[Expert@Member1:0]#


Viewing Interfaces Monitored by RouteD

Description
This command shows the interfaces, which the RouteD daemon monitors on the Cluster
Member when you configure OSPF.
If you configure OSPF, the Cluster Member monitors these interfaces and does not bring itself
up until the RouteD daemon reports that it is OK to do so. This is used mainly in a ClusterXL
High Availability Primary Up configuration to avoid premature failbacks.

Syntax

Shell Command

Gaia Clish show ospf interfaces [detailed]

Expert mode cphaprob routedifcs

Example 1

[Expert@Member1:0]# cphaprob routedifcs

No interfaces are registered.

[Expert@Member1:0]#

Example 2

[Expert@Member1:0]# cphaprob routedifcs

Monitored interfaces registered by routed:

eth0
[Expert@Member1:0]#


Viewing Roles of RouteD Daemon on Cluster Members

Description
This command shows on which Cluster Member the RouteD daemon runs as a Master.

Notes:
n In ClusterXL High Availability, the RouteD daemon must run as a Master only
on the Active Cluster Member.
n In ClusterXL Load Sharing, the RouteD daemon must run as a Master only on
one of the Active Cluster Members and as a Non-Master on all other Cluster
Members.
n In VRRP Cluster, the RouteD daemon must run as a Master only on the VRRP
Master Cluster Member.

Syntax

Shell Command

Gaia Clish show cluster role

Expert mode cphaprob roles

Example

[Expert@Member1:0]# cphaprob roles

ID Role

1 (local) Master
2 Non-Master

[Expert@Member1:0]#
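The Notes above reduce to one invariant for every cluster mode: exactly one Cluster Member runs RouteD as Master. The script below is an added example, not code from this guide or from Check Point, that checks this invariant over the "cphaprob roles" output. The sample input is the guide's example output; the Role is taken from the last field of each numbered row, so the "(local)" tag on the local member does not affect the parse.

```shell
#!/bin/sh
# Added example; not code from the R80.40 guide or from Check Point.
# Verifies that exactly one Cluster Member runs RouteD as Master.
# SAMPLE_ROLES is the guide's example "cphaprob roles" output.

SAMPLE_ROLES='ID Role

1 (local) Master
2 Non-Master'

# masters ROLES_TEXT: prints the IDs of members whose Role is "Master",
# one per line. Rows start with a numeric ID; the Role is the last field.
masters() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $NF == "Master" { print $1 }'
}

# check_routed_roles ROLES_TEXT: returns 0 when exactly one Master exists,
# 1 otherwise (none, or more than one), with a one-line explanation.
check_routed_roles() {
    text=$1
    set -- $(masters "$text")
    case $# in
        1) echo "OK: RouteD Master is member $1"; return 0 ;;
        0) echo "PROBLEM: no Cluster Member runs RouteD as Master"; return 1 ;;
        *) echo "PROBLEM: $# members run RouteD as Master ($*)"; return 1 ;;
    esac
}

# Live use on a Cluster Member (Expert mode):  sh routed_roles.sh --live
case "${1:-}" in
    --live) check_routed_roles "$(cphaprob roles)" ;;
esac
```

Two Masters or none are both reported as a problem, which matches the three cases listed in the Notes (High Availability, Load Sharing, VRRP).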


Viewing Cluster Correction Statistics

Description
This command shows the Cluster Correction Statistics on each Cluster Member.
The Cluster Correction Layer (CCL) is a mechanism that deals with asymmetric connections.
The CCL provides connection stickiness by "correcting" the packets, that is, by forwarding
them to the Cluster Member that owns the connection:
n In most cases, the CCL makes the correction from the CoreXL SND.
n In some cases (like Dynamic Routing, or VPN), the CCL makes the correction from the
Firewall or SecureXL.

In some cases, ClusterXL needs to send some data along with the corrected packet (currently,
only in VPN). For such packets, the output shows "with metadata".

Note - For more information about CoreXL, see the R80.40 Performance Tuning
Administration Guide.

Syntax

Shell Command

Gaia Clish N/A

Expert mode cphaprob [{-d | -f | -s}] corr

Where:

Command Description

cphaprob corr
    Shows Cluster Correction Statistics for all traffic.

cphaprob -d corr
    Shows Cluster Correction Statistics for CoreXL SND only.

cphaprob -f corr
    Shows Cluster Correction Statistics for CoreXL Firewall instances only.

cphaprob -s corr
    Shows Cluster Correction Statistics for SecureXL only.


Example 1 - For all traffic

[Expert@Member1:0]# cphaprob corr

Getting stats for SXL device 0, may take a few seconds...

Cluster Correction Stats (All Traffic):


------------------------------------------------------
Sent packets: 156 (0 with metadata)
Sent bytes: 34,568
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
Local asymmetric conns: 0
[Expert@Member1:0]#

Example 2 - For CoreXL SND only

[Expert@Member1:0]# cphaprob -d corr

Cluster Correction Stats (Dispatcher Corrections only):


------------------------------------------------------
Sent packets: 0 (0 with metadata)
Sent bytes: 0
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
[Expert@Member1:0]#

Example 3 - For CoreXL Firewall instances only

[Expert@Member1:0]# cphaprob -f corr

Cluster Correction Stats (Firewall instances only):


------------------------------------------------------
Sent packets: 156 (0 with metadata)
Sent bytes: 34,568
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
Local asymmetric conns: 0
[Expert@Member1:0]#

Example 4 - For SecureXL only

[Expert@Member1:0]# cphaprob -s corr

Getting stats for SXL device 0, may take a few seconds...

Cluster Correction Stats (SXL Devices only):


------------------------------------------------------
Sent packets: 0 (0 with metadata)
Sent bytes: 0
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
Local asymmetric conns: 0
[Expert@Member1:0]#


Viewing the Cluster Control Protocol (CCP) Settings

Description
n You can view the Cluster Control Protocol (CCP) mode on the Cluster Members.
n You can view the Cluster Control Protocol (CCP) Encryption on the Cluster Members -
enabled or disabled (and the encryption key).
See "Configuring the Cluster Control Protocol (CCP) Settings" on page 1220

Syntax for viewing the Cluster Control Protocol (CCP) mode

Shell Command

Gaia Clish show cluster members interfaces virtual

Expert mode cphaprob -a if

Important - In R80.40, the CCP always runs in the unicast mode.

Syntax for viewing the Cluster Control Protocol (CCP) Encryption

Shell Command

Gaia Clish show cluster members ccpenc

Expert mode cphaprob ccp_encrypt


cphaprob ccp_encrypt_key


Viewing the State of the Multi-Version Cluster Mechanism

Description
This command shows the state of the Multi-Version Cluster (MVC) Mechanism - enabled (ON)
or disabled (OFF).
See "Configuring the Multi-Version Cluster Mechanism" on page 1231.

Syntax

Shell Command

Gaia Clish show cluster members mvc

Expert mode cphaprob mvc

Example

Member1> show cluster members mvc

ON

Member1>


Viewing Full Connectivity Upgrade Statistics

Description
This command shows the Full Connectivity Upgrade statistics when you upgrade between
minor versions.

Syntax

Shell Command

Gaia Clish N/A

Expert mode cphaprob fcustat

Example

[Expert@Member1:0]# cphaprob fcustat

During FCU....................... no
Connection module map............ none

Table id map (remote->local)..... none

Table handlers ..................


8151 --> 0x0x7f97c421d860 (sip_state)
8158 --> 0x0x7f97c43d8e30 (connections)
LD handlers......................
ok - 0
failed - 0

Global handlers ................. none

[Expert@Member1:0]#


cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool configures specific settings for the installed Check Point products.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax

cpconfig

Menu Options

Note - The options shown depend on the configuration and installed products.

Menu Option Description

Licenses and contracts
    Manages Check Point licenses and contracts on this Security Gateway or Cluster Member.

SNMP Extension
    Obsolete. Do not use this option anymore.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System
    Management - Section SNMP.

PKCS#11 Token
    Registers a cryptographic token for use by the Gaia Operating System.
    Shows details of the token, and tests its functionality.

Random Pool
    Configures the RSA keys, to be used by the Gaia Operating System.

Secure Internal Communication
    Manages SIC on the Security Gateway or Cluster Member.
    This change requires a restart of Check Point services on the Security Gateway or
    Cluster Member.
    For more information, see:
    n The R80.40 Security Management Administration Guide.
    n sk65764: How to reset SIC.

Enable cluster membership for this gateway
    Enables the cluster membership on the Security Gateway.
    This change requires a reboot of the Security Gateway.
    For more information, see the:
    n R80.40 Installation and Upgrade Guide.
    n R80.40 ClusterXL Administration Guide.

Disable cluster membership for this gateway
    Disables the cluster membership on the Security Gateway.
    This change requires a reboot of the Security Gateway.
    For more information, see the:
    n R80.40 Installation and Upgrade Guide.
    n R80.40 ClusterXL Administration Guide.

Enable Check Point Per Virtual System State
    Enables Virtual System Load Sharing on the VSX Cluster Member.
    For more information, see the R80.40 VSX Administration Guide.

Disable Check Point Per Virtual System State
    Disables Virtual System Load Sharing on the VSX Cluster Member.
    For more information, see the R80.40 VSX Administration Guide.

Enable Check Point ClusterXL for Bridge Active/Standby
    Enables Check Point ClusterXL for Bridge mode.
    This change requires a reboot of the Cluster Member.
    For more information, see the:
    n R80.40 Installation and Upgrade Guide.
    n R80.40 ClusterXL Administration Guide.

Disable Check Point ClusterXL for Bridge Active/Standby
    Disables Check Point ClusterXL for Bridge mode.
    This change requires a reboot of the Cluster Member.
    For more information, see the:
    n R80.40 Installation and Upgrade Guide.
    n R80.40 ClusterXL Administration Guide.

Check Point CoreXL
    Manages CoreXL on the Security Gateway or Cluster Member.
    After all changes in the CoreXL configuration, you must reboot the Security Gateway or
    Cluster Member.
    For more information, see the R80.40 Performance Tuning Administration Guide.

Automatic start of Check Point Products
    Shows and controls which of the installed Check Point products start automatically
    during boot.

Exit
    Exits from the Check Point Configuration Tool.

Example 1 - Menu on a single Security Gateway

[Expert@MySingleGW:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Check Point CoreXL
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

Example 2 - Menu on a Cluster Member

[Expert@MyClusterMember:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :


cphastart
Description
Starts the cluster configuration on a Cluster Member after it was stopped with the "cphastop"
on page 1287 command.

Best Practice - To start a Cluster Member, use the "cpstart" on page 957 command.

Note - This command does not initiate a Full Synchronization on the Cluster Member.

Syntax

cphastart
[-h]
[-d]

Parameters

Parameter Description

-h
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use
    the script command to save the entire CLI session.
    Refer to:
    n These lines in the output file:
      prepare_command_args: -D ... start
      /opt/CPsuite-R80.40/fw1/bin/cphaconf clear-secured
      /opt/CPsuite-R80.40/fw1/bin/cphaconf -D ... (truncated here for brevity)... start
    n The $FWDIR/log/cphastart.elg log file.


cphastop
Description
Stops the cluster software on a Cluster Member.

Best Practice - To stop a Cluster Member, use the "cpstop" on page 967 command.

Notes:
n This command stops the Cluster Member from passing traffic.
n This command stops the State Synchronization between this Cluster Member
and its peer Cluster Members.
n After you run this command, you can still open connections directly to this
Cluster Member.
n To start the cluster software, run the "cphastart" on page 1286 command.

Syntax

cphastop


cp_conf fullha
Description
Manages the state of the Full High Availability Cluster:
n Enables the Full High Availability Cluster
n Disables the Full High Availability Cluster
n Deletes the Full High Availability peer
n Shows the Full High Availability state

Important - To configure a Full High Availability cluster, follow the R80.40 Installation
and Upgrade Guide.

Syntax

cp_conf fullha
enable
del_peer
disable
state

Parameters

Parameter Description

enable Enables the Full High Availability on this computer.

del_peer Deletes the Full High Availability peer from the configuration.

disable Disables the Full High Availability on this computer.

state Shows the Full High Availability state on this computer.

Example

[Expert@Cluster_Member:0]# cp_conf fullha state


FullHA is currently enabled
[Expert@Cluster_Member:0]#


cp_conf ha
Description
Enables or disables cluster membership on this Security Gateway.

Important - This command is for Check Point use only. To configure cluster
membership, you must use the "cpconfig" on page 936 command.
For more information, see the R80.40 ClusterXL Administration Guide.

Syntax

cp_conf ha {enable | disable} [norestart]

Parameters

Parameter Description

enable
    Enables cluster membership on this Security Gateway.
    This command is equivalent to the option Enable cluster membership for this gateway in
    the "cpconfig" on page 936 menu.

disable
    Disables cluster membership on this Security Gateway.
    This command is equivalent to the option Disable cluster membership for this gateway in
    the "cpconfig" on page 936 menu.

norestart
    Optional: Specifies to apply the configuration change without the restart of Check
    Point services. The new configuration takes effect only after reboot.

Example 1 - Enable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha enable norestart

Cluster membership for this gateway was enabled successfully


Important: This change will take effect after reboot.

[Expert@MyGW:0]#


Example 2 - Disable the cluster membership without restart of Check Point services

[Expert@MyGW:0]# cp_conf ha disable norestart


cpwd_admin:
Process CPHAMCSET process has been already terminated

Cluster membership for this gateway was disabled successfully


Important: This change will take effect after reboot.

[Expert@MyGW:0]#


fw hastat
Description
Shows information about Check Point computers in High Availability configuration and their
states.

Note - This command is outdated. On cluster members, run the Gaia Clish command
"show cluster state", or the Expert mode command "cphaprob state".
Note - This command is outdated. On Management Servers, run the "cpstat" on
page 192 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter Description

<Target1> <Target2> ... <TargetN>
    Specifies the Check Point computers to query.
    If you run this command on the Management Server, you can enter the applicable IP
    address, or the resolvable HostName of the managed Security Gateway or Cluster Member.
    If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53


HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#


Example - Querying the local Cluster Member

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#


fwboot ha_conf
Description
Configures the cluster mechanism during boot.

Important - This command is for Check Point use only.

Notes:
n You must run this command from the Expert mode.
n Refer to these related commands:
  l "fw defaultgen" on page 1046
  l "fwboot bootconf" on page 1172
  l "control_bootsec" on page 917
  l "comp_init_policy" on page 913
n To install a cluster, see the R80.40 Installation and Upgrade Guide.
n To configure a cluster, see the R80.40 Installation and Upgrade Guide and the
  R80.40 ClusterXL Administration Guide.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot ha_conf


The clusterXL_admin Script


Description
You can use the clusterXL_admin script to initiate a manual fail-over from a Cluster Member.
Location of this script on your Cluster Members is:

$FWDIR/bin/clusterXL_admin

Script Workflow
This shell script does one of these:
n Registers a Critical Device called "admin_down" and reports the state of that Critical
Device as "problem".
This gracefully changes the state of the Cluster Member to "DOWN".
n Reports the state of the registered Critical Device "admin_down" as "ok".
This gracefully changes the state of the Cluster Member to "UP".
Then, the script unregisters the Critical Device "admin_down".
For more information, see sk55081.


Example


#! /bin/csh -f
#
# The script will cause the machine to get into down state, thus the member will not filter packets.
# It will supply a simple way to initiate a failover by registering a new device in problem state when
# a failover is required and will unregister the device when wanting to return to normal operation.
# USAGE:
# clusterXL_admin <up|down> [-p]

set PERSISTENT = ""

# checking number of arguments
if ( $#argv > 2 || $#argv < 1 ) then
    echo "clusterXL_admin : Invalid Argument Count"
    echo "Usage: clusterXL_admin <up|down> [-p]"
    exit 1
else if ( "$1" != "up" && "$1" != "down" ) then
    echo "clusterXL_admin : Invalid Argument ($1)"
    echo "Usage: clusterXL_admin <up|down> [-p]"
    exit 1
else if ( $#argv == 2 ) then
    if ( "$2" != "-p" ) then
        echo "clusterXL_admin : Invalid Argument ($2)"
        echo "Usage: clusterXL_admin <up|down> [-p]"
        exit 1
    endif
    set PERSISTENT = "-p"
endif

# checking if cpha is started
$FWDIR/bin/cphaprob stat | grep "Cluster" > /dev/null
if ($status) then
    echo "HA is not started"
    exit 1
endif

# Inform the user that the command can run with persistent mode.
if ("$PERSISTENT" != "-p") then
    echo "This command does not survive reboot. To make the change permanent, please run 'set cluster member admin down/up permanent' in clish or add '-p' at the end of the command in expert mode"
endif

if ( $1 == "up" ) then
    echo "Setting member to normal operation ..."
    # unregister the "admin_down" Critical Device; the member returns to its normal state
    $FWDIR/bin/cphaconf set_pnote -d admin_down $PERSISTENT unregister > & /dev/null
    if ( `uname` == 'IPSO' ) then
        sleep 5
    else
        sleep 1
    endif

    set stateArr = `$FWDIR/bin/cphaprob stat | grep "local"`

    $FWDIR/bin/cphaprob stat | egrep "Sync only|Bridge Mode" > /dev/null

    # If it's third party or bridge mode, use column 4, otherwise 5
    if ($status) then
        set state = $stateArr[5]
    else
        set state = $stateArr[4]
    endif

    echo "Member current state is $state"

    if (($state != "Active" && $state != "Standby") && ($state != "ACTIVE" && $state != "STANDBY" && $state != "ACTIVE(!)")) then
        echo "Operation failed: member is still down, please run 'show cluster members pnotes problem' in clish or 'cphaprob list' in expert mode for further details"
    endif
    exit 0
endif

if ( $1 == "down" ) then
    echo "Setting member to administratively down state ..."
    # register the "admin_down" Critical Device in the "problem" state with no timeout (-t 0)
    $FWDIR/bin/cphaconf set_pnote -d admin_down -t 0 -s problem $PERSISTENT register > & /dev/null
    sleep 1

    set stateArr = `$FWDIR/bin/cphaprob stat | grep "local"`

    $FWDIR/bin/cphaprob stat | egrep "Sync only|Bridge Mode" > /dev/null

    # If it's third party or bridge mode, use column 4, otherwise 5
    if ($status) then
        set state = $stateArr[5]
    else
        set state = $stateArr[4]
    endif

    echo "Member current state is $state"

    if ( $state == "Active attention" || $state == "ACTIVE(!)" ) then
        echo "All the members within the cluster have problem/s and the local member was chosen to become active"
    else
        if ( $state != "Down" && $state != "DOWN" ) then
            echo "Operation failed: member is still up, please run 'show cluster members pnotes problem' in clish or 'cphaprob list' in expert mode for further details"
        endif
    endif
    exit 0
else
    echo "clusterXL_admin : Invalid Option ($1)"
    echo "Usage: clusterXL_admin <up|down> [-p]"
    exit 1
endif


The clusterXL_monitor_ips Script


Description
You can use the clusterXL_monitor_ips script to ping a list of predefined IP addresses and
change the state of the Cluster Member to DOWN or UP based on the replies to these pings. For
this script to work, you must write the IP addresses in the $FWDIR/conf/cpha_hosts file -
each IP address on a separate line. This file does not support comments or spaces.
Location of this script on your Cluster Members is:

$FWDIR/bin/clusterXL_monitor_ips

Script Workflow
1. Registers a Critical Device called "host_monitor" with the status "ok".
2. Starts to send pings to the list of predefined IP addresses in the $FWDIR/conf/cpha_
hosts file.
3. While the script receives responses to its pings, it does not change the status of that
Critical Device.
4. If the script does not receive a response to even one ping, it reports the state of that
Critical Device as "problem".
This gracefully changes the state of the Cluster Member to DOWN.

If the script receives responses to its pings again, it changes the status of that Critical
Device to "ok" again.

For more information, see sk35780.

Important - You must do these changes on all Cluster Members.


Example


#!/bin/sh
#
# The script tries to ping the hosts written in the file $FWDIR/conf/cpha_hosts. The names (must
# be resolvable) or the IPs of the hosts must be written on separate lines.
# The file must not contain anything else.
# We ping the given hosts every number of seconds given as parameter to the script.
# USAGE:
# clusterXL_monitor_ips X silent
# where X is the number of seconds between loops over the IPs.
# if silent is set to 1, no messages will appear on the console
#
# We initially register a pnote named "host_monitor" in the problem notification mechanism.
# When we detect that a host is not responding we report the pnote to be in "problem" state.
# When ping succeeds again - we report the pnote is OK.

silent=0

if [ -n "$2" ]; then
    if [ "$2" -le 1 ]; then
        silent=$2
    fi
fi
hostfile=$FWDIR/conf/cpha_hosts
arch=`uname -s`
if [ "$arch" = "Linux" ]
then
    # system is linux: one echo request, wait at most one second for the reply
    ping="ping -c 1 -w 1"
else
    ping="ping"
fi
# register the Critical Device in the "ok" state, with no timeout (-t 0), before the first probe
$FWDIR/bin/cphaconf set_pnote -d host_monitor -t 0 -s ok register
TRUE=1
while [ "$TRUE" ]
do
    result=1
    for hosts in `cat $hostfile`
    do
        if [ $silent = 0 ]
        then
            echo "pinging $hosts using command $ping $hosts"
        fi
        if [ "$arch" = "Linux" ]
        then
            $ping $hosts > /dev/null 2>&1
        else
            $ping $hosts $1 > /dev/null 2>&1
        fi
        status=$?
        if [ $status = 0 ]
        then
            if [ $silent = 0 ]
            then
                echo " $hosts is alive"
            fi
        else
            if [ $silent = 0 ]
            then
                echo " $hosts is not responding "
            fi
            # one unanswered ping in this loop is enough to report a problem
            result=0
        fi
    done
    if [ $silent = 0 ]
    then
        echo "done pinging"
    fi
    if [ $result = 0 ]
    then
        if [ $silent = 0 ]
        then
            echo " Cluster member should be down!"
        fi
        $FWDIR/bin/cphaconf set_pnote -d host_monitor -s problem report
    else
        if [ $silent = 0 ]
        then
            echo " Cluster member seems fine!"
        fi
        $FWDIR/bin/cphaconf set_pnote -d host_monitor -s ok report
    fi
    if [ "$silent" = 0 ]
    then
        echo "sleeping"
    fi
    sleep $1
    echo "sleep $1"
done


The clusterXL_monitor_process Script


Description
You can use the clusterXL_monitor_process script to monitor whether the specified user space
processes run, and cause a cluster fail-over if they do not. For this script to work, you must
write the correct case-sensitive names of the monitored processes in the
$FWDIR/conf/cpha_proc_list file - each process name on a separate line. This file does
not support comments or spaces. Note that the script looks for each name as a substring of
the whole "ps -ef" line (command and arguments), so a name that is contained in another
process name, or in another process's arguments, also matches.
Location of this script on your Cluster Members is:

$FWDIR/bin/clusterXL_monitor_process

Script Workflow
1. Registers Critical Devices (with the status "ok") called as the names of the processes
you specified in the $FWDIR/conf/cpha_proc_list file.
2. While the script detects that the specified process runs, it does not change the status of
the corresponding Critical Device.
3. If the script detects that the specified process does not run anymore, it reports the state of
the corresponding Critical Device as "problem".
This gracefully changes the state of the Cluster Member to "DOWN".

If the script detects that the specified process runs again, it changes the status of the
corresponding Critical Device to "ok" again.
For more information, see sk92904.

Important - You must do these changes on all Cluster Members.


Example


#!/bin/sh
#
# This script monitors the existence of processes in the system. The process names should be written
# in the $FWDIR/conf/cpha_proc_list file, one per line.
#
# USAGE :
# clusterXL_monitor_process X silent
# where X is the number of seconds between process probings.
# if silent is set to 1, no messages will appear on the console.
#
#
# We initially register a pnote for each of the monitored processes
# (process name must be up to 15 characters) in the problem notification mechanism.
# When we detect that a process is missing we report the pnote to be in "problem" state.
# When the process is up again - we report the pnote is OK.

# accept the "silent" argument only when it is present and is 0 or 1
if [ -n "$2" ] && [ "$2" -le 1 ]
then
    silent=$2
else
    silent=0
fi
if [ -f $FWDIR/conf/cpha_proc_list ]
then
    procfile=$FWDIR/conf/cpha_proc_list
else
    echo "No process file in $FWDIR/conf/cpha_proc_list "
    exit 0
fi

arch=`uname -s`

# register one persistent (-p) Critical Device per monitored process, in the "ok" state
for process in `cat $procfile`
do
    $FWDIR/bin/cphaconf set_pnote -d $process -t 0 -s ok -p register > /dev/null 2>&1
done

while [ 1 ]
do

    result=1

    for process in `cat $procfile`
    do
        # substring match on the whole "ps -ef" line (command and arguments);
        # a name that is a substring of another process name also matches
        ps -ef | grep $process | grep -v grep > /dev/null 2>&1

        status=$?

        if [ $status = 0 ]
        then
            if [ $silent = 0 ]
            then
                echo " $process is alive"
            fi
            # echo "3, $FWDIR/bin/cphaconf set_pnote -d $process -s ok report"
            $FWDIR/bin/cphaconf set_pnote -d $process -s ok report
        else
            if [ $silent = 0 ]
            then
                echo " $process is down"
            fi

            $FWDIR/bin/cphaconf set_pnote -d $process -s problem report

            result=0
        fi

    done

    if [ $result = 0 ]
    then
        if [ $silent = 0 ]
        then
            echo " One of the monitored processes is down!"
        fi
    else
        if [ $silent = 0 ]
        then
            echo " All monitored processes are up "
        fi
    fi
    if [ "$silent" = 0 ]
    then
        echo "sleeping"
    fi

    sleep $1

done

SecureXL Commands

For more information about SecureXL, see:
- R80.40 Performance Tuning Administration Guide - Chapter SecureXL.
- sk98722 - ATRG: SecureXL.

'fwaccel' and 'fwaccel6'

Description

The fwaccel commands control the acceleration for IPv4 traffic.
The fwaccel6 commands control the acceleration for IPv6 traffic.

Syntax for IPv4

fwaccel help
fwaccel
      cfg <options>
      conns <options>
      dbg <options>
      dos <options>
      feature <options>
      off <options>
      on <options>
      ranges <options>
      stat <options>
      stats <options>
      synatk <options>
      tab <options>
      templates <options>
      ver

Syntax for IPv6

fwaccel6 help
fwaccel6
      conns <options>
      dbg <options>
      dos <options>
      feature <options>
      off <options>
      on <options>
      ranges <options>
      stat <options>
      stats <options>
      synatk <options>
      tab <options>
      templates <options>
      ver

Parameters and Options

help
    Shows the built-in help.

cfg <options>
    Controls the SecureXL acceleration parameters (for IPv4 only).
    See "fwaccel cfg" on page 1310.

conns <options>
    Shows all connections that pass through SecureXL.
    See "fwaccel conns" on page 1313.

dbg <options>
    Controls the "SecureXL Debug" on page 1476.
    See "fwaccel dbg" on page 1477.

dos <options>
    Controls the Rate Limiting for DoS Mitigation in SecureXL.
    See "fwaccel dos" on page 1322.

feature <options>
    Controls the specified SecureXL features.
    See "fwaccel feature" on page 1350.

off <options>
    Stops the acceleration on-the-fly. This does not survive reboot.
    See "fwaccel off" on page 1353.

on <options>
    Starts the acceleration on-the-fly, if it was previously stopped.
    See "fwaccel on" on page 1357.

ranges <options>
    Shows the loaded ranges.
    See "fwaccel ranges" on page 1361.

stat <options>
    Shows the SecureXL status.
    See "fwaccel stat" on page 1368.

stats <options>
    Shows the acceleration statistics.
    See "fwaccel stats" on page 1374.

synatk <options>
    Controls the Accelerated SYN Defender.
    See "fwaccel synatk" on page 1393.

tab <options>
    Shows the contents of the specified SecureXL table.
    See "fwaccel tab" on page 1418.

templates <options>
    Shows the SecureXL templates.
    See "fwaccel templates" on page 1421.

ver
    Shows the SecureXL and FireWall version.
    See "fwaccel ver" on page 1425.

fwaccel cfg

Description

The fwaccel cfg command controls the SecureXL acceleration parameters.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax

fwaccel cfg
      -h
      -a {<Number of Interface> | <Name of Interface> | reset}
      -b {on | off}
      -c <Number>
      -d <Number>
      -e <Number>
      -i {on | off}
      -l <Number>
      -m <Seconds>
      -p {on | off}
      -r <Number>
      -v <Seconds>
      -w {on | off}

Important:
- These commands do not provide output. You cannot see the currently configured values.
- Changes made with these commands do not survive reboot.

Parameters

-h
    Shows the applicable built-in help.

-a <Number of Interface>
-a <Name of Interface>
-a reset
    - -a <Number of Interface>
      Configures SecureXL not to accelerate traffic on the interface specified by its
      internal number in the Check Point kernel.
    - -a <Name of Interface>
      Configures SecureXL not to accelerate traffic on the interface specified by its name.
    - -a reset
      Configures SecureXL to accelerate traffic on all interfaces (resets the
      non-accelerated configuration).
    Notes:
    - This command does not support Falcon Acceleration Cards.
    - To see the required information about the interfaces, run these commands in the
      specified order:
      "fw getifs" on page 1053
      "fw ctl iflist" on page 1032
    - To see if the "fwaccel cfg -a ..." command failed, run this command:
      tail -n 10 /var/log/messages

-b {on | off}
    Controls the SecureXL Drop Templates match (sk66402):
    - on - Enables the SecureXL Drop Templates match
    - off - Disables the SecureXL Drop Templates match
    Note - In R80.40, SecureXL does not support this parameter yet.

-c <Number>
    Configures the maximal number of connections at which SecureXL disables the templates.

-d <Number>
    Configures the maximal number of delete retries.

-e <Number>
    Configures the maximal number of general errors.

-i {on | off}
    Configures SecureXL to ignore API version mismatch:
    - on - Ignore API version mismatch.
    - off - Do not ignore API version mismatch (this is the default).

-l <Number>
    Configures the maximal number of entries in the SecureXL templates database.
    Valid values are:
    - 0 - To disable the limit (this is the default).
    - Between 10 and 524288 - To configure the limit.
    Important - If you configure a limit, you must stop and start the acceleration for this
    change to take effect. Run the "fwaccel off" on page 1353 command and then the
    "fwaccel on" on page 1357 command.

-m <Seconds>
    Configures the timeout for entries in the SecureXL templates database.
    Valid values are:
    - 0 - To disable the timeout (this is the default).
    - Between 10 and 524288 - To configure the timeout.

-p {on | off}
    Configures the offload of Connection Templates (if possible):
    - on - Enables the offload of new templates (this is the default).
    - off - Disables the offload of new templates.

-r <Number>
    Configures the maximal number of retries for SecureXL API calls.

-v <Seconds>
    Configures the interval between SecureXL statistics requests.
    Valid values are:
    - 0 - To disable the interval.
    - 1 and greater - To configure the interval.

-w {on | off}
    Configures the support for warnings about the IPS protection Sequence Verifier:
    - on - Enables the support for these warnings.
    - off - Disables the support for these warnings.

fwaccel conns

Description

The fwaccel conns and fwaccel6 conns commands show the list of the SecureXL connections
on the local Security Gateway or Cluster Member.

Warning - If the number of concurrent connections is large, these commands can consume
memory and CPU at a very high level when you run them (see sk118716).

Syntax for IPv4

fwaccel conns
      -h
      -f <Filter>
      -m <Number of Entries>
      -s

Syntax for IPv6

fwaccel6 conns
      -h
      -f <Filter>
      -m <Number of Entries>
      -s

Parameters

-h
    Shows the applicable built-in help.

-f <Filter>
    Shows the SecureXL Connections Table entries based on the specified filter flags.
    Notes:
    - To see the available filter flags, run:
      fwaccel conns -h
    - Each filter flag is one letter - capital or small.
    - You can specify more than one flag. For example:
      fwaccel conns -f AaQq
    Available filter flags are:
    - A - Shows accounted connections (for which SecureXL counted the number of packets
      and bytes).
    - a - Shows not accounted connections.
    - C - Shows encrypted (VPN) connections.
    - c - Shows clear-text (not encrypted) connections.
    - F - Shows connections that SecureXL forwarded to the Firewall.
      Note - In R80.40, SecureXL does not support this parameter.
    - f - Shows cut-through connections (which SecureXL accelerated).
      Note - In R80.40, SecureXL does not support this parameter.
    - H - Shows connections offloaded to the SAM card.
      Note - R80.40 does not support the SAM card (Known Limitation PMTR-18774).
    - h - Shows connections created in the SAM card.
      Note - R80.40 does not support the SAM card (Known Limitation PMTR-18774).
    - L - Shows connections for which SecureXL created internal links.
    - l - Shows connections for which SecureXL did not create internal links.
    - N - Shows connections that undergo NAT.
      Note - In R80.40, SecureXL does not support this parameter.
    - n - Shows connections that do not undergo NAT.
      Note - In R80.40, SecureXL does not support this parameter.
    - Q - Shows connections that undergo QoS.
    - q - Shows connections that do not undergo QoS.
    - S - Shows connections that undergo PXL.
    - s - Shows connections that do not undergo PXL.
    - U - Shows unidirectional connections.
    - u - Shows bidirectional connections.

-m <Number of Entries>
    Specifies the maximal number of connections to show.
    Note - In R80.40, SecureXL does not support this parameter.

-s
    Shows the summary of the SecureXL Connections Table (number of connections).
    Warning - Depending on the number of current connections, this might consume memory at
    a very high level.

Example - Default output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel conns


Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- -------
1.1.1.200 50586 1.1.1.100 18191 6 F............. 2/2 2/- 3 0
192.168.0.244 35925 192.168.0.242 18192 6 F............. 1/1 -/- 1 0
192.168.0.93 257 192.168.0.242 53932 6 F............. 1/1 1/- 0 0
192.168.0.242 22 172.30.168.15 57914 6 F............. 1/1 -/- 2 0
192.168.0.244 34773 192.168.0.242 18192 6 F............. 1/1 -/- 2 0
192.168.0.88 138 192.168.0.255 138 17 F............. 1/1 -/- 0 0
1.1.1.100 18191 1.1.1.200 55336 6 F............. 2/2 2/- 4 0
192.168.0.242 18192 192.168.0.244 38567 6 F............. 1/1 -/- 4 0
192.168.0.242 53932 192.168.0.93 257 6 F............. 1/1 1/- 0 0
192.168.0.242 18192 192.168.0.244 62714 6 F............. 1/1 -/- 1 0
192.168.0.244 33558 192.168.0.242 18192 6 F............. 1/1 -/- 5 0
1.1.1.200 36359 1.1.1.100 18191 6 F............. 2/2 2/- 5 0
1.1.1.200 55336 1.1.1.100 18191 6 F............. 2/2 2/- 4 0
192.168.0.242 60756 192.168.0.93 257 6 F............. 1/1 1/- 4 0
1.1.1.100 18191 1.1.1.200 36359 6 F............. 2/2 2/- 5 0
1.1.1.100 18191 1.1.1.200 50586 6 F............. 2/2 2/- 3 0
192.168.0.244 38567 192.168.0.242 18192 6 F............. 1/1 -/- 4 0
192.168.0.242 18192 192.168.0.244 32877 6 F............. 1/1 -/- 5 0
192.168.0.242 53806 192.168.47.45 53 17 F............. 1/1 1/- 3 0
192.168.0.242 18192 192.168.0.244 33558 6 F............. 1/1 -/- 5 0
172.30.168.15 57914 192.168.0.242 22 6 F............. 1/1 -/- 2 0
192.168.0.255 138 192.168.0.88 138 17 F............. 1/1 -/- 0 0
192.168.0.93 257 192.168.0.242 60756 6 F............. 1/1 1/- 4 0
1.1.1.200 18192 1.1.1.100 37964 6 F............. 2/2 -/- 1 0
1.1.1.100 37964 1.1.1.200 18192 6 F............. 2/2 -/- 1 0
192.168.0.244 32877 192.168.0.242 18192 6 F............. 1/1 -/- 5 0
192.168.0.242 18192 192.168.0.244 34773 6 F............. 1/1 -/- 2 0
192.168.0.242 18192 192.168.0.244 35925 6 F............. 1/1 -/- 1 0
192.168.47.45 53 192.168.0.242 53806 17 F............. 1/1 1/- 3 0
192.168.0.244 62714 192.168.0.242 18192 6 F............. 1/1 -/- 1 0

Idx Interface
--- ---------
0 lo
1 eth0
2 eth1

Total number of connections: 30


[Expert@MyGW:0]#

fwaccel dbg

Description

The fwaccel dbg command controls the SecureXL debug. See "SecureXL Debug Procedure"
on page 1483.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax in Gaia Clish or the Expert mode on a Security Gateway / ClusterXL:

fwaccel dbg
      -h
      -m <Name of SecureXL Debug Module>
            all
            + <Debug Flags>
            - <Debug Flags>
            reset
      -f {"<5-Tuple Debug Filter>" | reset}
      list
      resetall

Parameters

-h
    Shows the applicable built-in help.

-m <Name of SecureXL Debug Module>
    Specifies the name of the SecureXL debug module.
    To see the list of available debug modules, run:
    fwaccel dbg

all
    Enables all debug flags for the specified debug module.

+ <Debug Flags>
    Enables the specified debug flags for the specified debug module.
    Syntax:
    + Flag1 [Flag2 Flag3 ... FlagN]
    Note - You must press the space bar key after the plus (+) character.

- <Debug Flags>
    Disables the specified debug flags for the specified debug module.
    Syntax:
    - Flag1 [Flag2 Flag3 ... FlagN]
    Note - You must press the space bar key after the minus (-) character.

reset
    Resets all debug flags for the specified debug module to their default state.

-f "<5-Tuple Debug Filter>"
    Configures the debug filter to show only debug messages that contain the specified
    connection.
    The filter is a string of five numbers separated with commas:
    "<Source IP Address>,<Source Port>,<Destination IP Address>,<Destination Port>,<Protocol Number>"
    Notes:
    - You can configure only one debug filter at a time.
    - You can use the asterisk "*" as a wildcard for an IP Address, Port number, or
      Protocol number.
    - For more information, see IANA Service Name and Port Number Registry and IANA
      Protocol Numbers.

-f reset
    Resets the current debug filter.

list
    Shows all enabled debug flags in all debug modules.

resetall
    Resets all debug flags for all debug modules to their default state.

Examples

Example 1 - Default output
[Expert@MyGW:0]# fwaccel dbg
Usage: fwaccel dbg [-m <...>] [resetall | reset | list | all | +/- <flags>]
-m <module> - module of debugging
-h - this help message
resetall - reset all debug flags for all modules
reset - reset all debug flags for module
all - set all debug flags for module
list - list all debug flags for all modules
-f reset | "<5-tuple>" - filter debug messages
+ <flags> - set the given debug flags
- <flags> - unset the given debug flags

List of available modules and flags:

Module: default (default)
err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update
acct conf stat queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload
nat

Module: db
err get save del tmpl tmo init ant profile nmr nmt

Module: api
err init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf
upd_if_inf add_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_ver
del_all_tmpl get_state upd_link_sel

Module: pkt
err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user
deliver vlan pkt nat wrp corr caf

Module: infras
err reorder pm

Module: tmpl
err dtmpl_get dtmpl_notif tmpl

Module: vpn
err vpnpkt linksel routing vpn

Module: nac
err db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaq
init client server exp cbuf opreg transport transport_utils error

Module: synatk
init conf conn err log pkt proxy state msg

Module: adp
err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#

Example 2 - Enabling and disabling of debug flags

[Expert@MyGW:0]# fwaccel dbg -m default + err conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)
err conn

Module: db (1)
err

Module: api (1)
err

Module: pkt (1)
err

Module: infras (1)
err

Module: tmpl (1)
err

Module: vpn (1)
err

Module: nac (1)
err

Module: cpaq (100)
error

Module: synatk (0)

Module: adp (1)
err

Module: dos (10)
err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default - conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)
err

Module: db (1)
err

Module: api (1)
err

Module: pkt (1)
err

Module: infras (1)
err

Module: tmpl (1)
err

Module: vpn (1)
err

Module: nac (1)
err

Module: cpaq (100)
error

Module: synatk (0)

Module: adp (1)
err

Module: dos (10)
err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default reset
Debug flags updated.
[Expert@MyGW:0]#

Example 3 - Resetting all debug flags in all debug modules

[Expert@MyGW:0]# fwaccel dbg resetall
Debug state was reset to default.
[Expert@MyGW:0]#

Example 4 - Configuring a debug filter for an SSH connection from 192.168.20.30 to 172.16.40.50

[Expert@MyGW:0]# fwaccel dbg -f 192.168.20.30,*,172.16.40.50,22,6
Debug filter was set.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: "<*,*,*,*,*>"

[Expert@MyGW:0]#

fwaccel dos

Description

The fwaccel dos and fwaccel6 dos commands control the Rate Limiting for DoS mitigation
techniques in SecureXL on the local Security Gateway or Cluster Member.

Important:
- In VSX mode, you must go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.
- Starting from R80.40 Jumbo Hotfix Accumulator Take 92, these commands were renamed:
  - from "fwaccel dos blacklist" to "fwaccel dos deny"
  - from "fwaccel6 dos blacklist" to "fwaccel6 dos deny"
- Starting from R80.40 Jumbo Hotfix Accumulator Take 92, these commands were renamed:
  - from "fwaccel dos whitelist" to "fwaccel dos allow"
  - from "fwaccel6 dos whitelist" to "fwaccel6 dos allow"

Syntax for IPv4

fwaccel dos
      blacklist <options>
      config <options>
      pbox <options>
      rate <options>
      stats <options>
      whitelist <options>

Starting from R80.40 Jumbo Hotfix Accumulator Take 92:

fwaccel dos
      allow <options>
      config <options>
      deny <options>
      pbox <options>
      rate <options>
      stats <options>

Syntax for IPv6

fwaccel6 dos
      blacklist <options>
      config <options>
      pbox <options>
      rate <options>
      stats <options>
      whitelist <options>

Starting from R80.40 Jumbo Hotfix Accumulator Take 92:

fwaccel6 dos
      allow <options>
      config <options>
      deny <options>
      pbox <options>
      rate <options>
      stats <options>

Parameters

allow <options>
whitelist <options>
    Starting from R80.40 Jumbo Hotfix Accumulator Take 92, "allow" replaces the "whitelist"
    parameter.
    Configures the allow-list for source IP addresses in the SecureXL Penalty Box.
    See "fwaccel dos allow / whitelist" on page 1325.

deny <options>
blacklist <options>
    Starting from R80.40 Jumbo Hotfix Accumulator Take 92, "deny" replaces the "blacklist"
    parameter.
    Controls the IP deny-list in SecureXL.
    See "fwaccel dos deny / blacklist" on page 1336.

config <options>
    Controls the DoS mitigation configuration in SecureXL.
    See "fwaccel dos config" on page 1330.

pbox <options>
    Controls the Penalty Box whitelist in SecureXL.
    See "fwaccel dos pbox" on page 1341.

rate <options>
    Shows and installs the Rate Limiting policy in SecureXL.
    See "fwaccel dos rate" on page 1346.

stats <options>
    Shows and clears the DoS real-time statistics in SecureXL.
    See "fwaccel dos stats" on page 1348.

fwaccel dos allow / whitelist

Description

The fwaccel dos whitelist / fwaccel dos allow and fwaccel6 dos whitelist / fwaccel6 dos allow
commands control the IP allow-list for source IP addresses in the SecureXL Penalty Box.
This allow list overrides which packets the SecureXL Penalty Box drops.

Important:
- Starting from R80.40 Jumbo Hotfix Accumulator Take 92, these commands were renamed:
  - from "fwaccel dos whitelist" to "fwaccel dos allow"
  - from "fwaccel6 dos whitelist" to "fwaccel6 dos allow"
- This command supports only IPv4.
- In VSX mode, you must go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.
- This allow list overrides entries in the blacklist.
  Before you use third-party or automatic blacklists, add trusted networks and hosts to
  the allow list to avoid outages.
- This allow list unblocks IP Options and IP fragments from trusted sources when you
  explicitly configure one of these SecureXL features:
  - --enable-drop-opts
  - --enable-drop-frags
  See the "fwaccel dos config" on page 1330 command.

Notes:
- To allow the Rate Limiting policy, refer to the bypass action of the fw samp command.
  For example, fw samp -a b ...
  For more information about the fw sam_policy command, see the R80.40 Performance Tuning
  Administration Guide - Chapter SecureXL Commands and Debug - Section fw sam_policy.
- This command is similar to the "fwaccel dos pbox {whitelist | allow}" command (see
  "fwaccel dos pbox" on page 1341).
- Also, see the "fwaccel synatk allow / whitelist" on page 1403 command.

Syntax for IPv4

fwaccel dos
      {whitelist | allow}
            -a <IPv4 Address>[/<Subnet Prefix>]
            -d <IPv4 Address>[/<Subnet Prefix>]
            -F
            -l /<Path>/<Name of File>
            -L
            -s

Parameters

whitelist
allow
    Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "allow" parameter replaces
    the "whitelist" parameter.
    Controls the IP allow list.

No Parameters
    Shows the applicable built-in usage.

-a <IPv4 Address>[/<Subnet Prefix>]
    Adds the specified IP address to the Penalty Box allow list.
    - <IPv4 Address>
      Can be an IPv4 address of a network or a host.
    - <Subnet Prefix>
      Must specify the length of the subnet mask in the format /<bits>.
      Optional for a host IPv4 address.
      Mandatory for a network IPv4 address.
      Range - from /1 to /32.
      Important - If you do not specify the subnet prefix explicitly, this command uses
      the subnet prefix /32.
    Examples:
    - For a host:
      192.168.20.30
      192.168.20.30/32
    - For a network:
      192.168.20.0/24

-d <IPv4 Address>[/<Subnet Prefix>]
    Removes the specified IPv4 address from the Penalty Box allow list.
    - <IPv4 Address>
      Can be an IPv4 address of a network or a host.
    - <Subnet Prefix>
      Optional. Must specify the length of the subnet mask in the format /<bits>.
      Optional for a host IPv4 address.
      Mandatory for a network IPv4 address.
      Range - from /1 to /32.
      Important - If you do not specify the subnet prefix explicitly, this command uses
      the subnet prefix /32.

-F
    Removes (flushes) all entries from the Penalty Box allow list.

-l /<Path>/<Name of File>
    Loads the Penalty Box allow list entries from the specified plain-text file.
    Note - To replace the current allow list with the contents of a new file, use both the
    "-F" and "-l" parameters on the same command line.
    Important:
    - You must manually create and configure this file with the touch or vi command.
    - You must assign at least the read permission to this file with the chmod +x command.
    - Each entry in this file must be on a separate line.
    - Each entry in this file must be in this format:
      <IPv4 Address>[/<Subnet Prefix>]
    - SecureXL ignores empty lines and lines that start with the # character in this file.

-L
    Loads the Penalty Box allow list entries from the plain-text file with a predefined
    name:
    - R80.40 and R80.40 Jumbo Hotfix Accumulator lower than Take 92:
      $FWDIR/conf/dos-whitelist-v4.conf
    - Starting from R80.40 Jumbo Hotfix Accumulator Take 92:
      $FWDIR/conf/dos-allow-list-v4.conf
    The Security Gateway automatically runs the command "fwaccel dos pbox {whitelist |
    allow} -L" during each boot.
    Note - To replace the current allow list with the contents of a new file, use both the
    "-F" and "-L" parameters on the same command line.
    Important:
    - This file does not exist by default.
    - You must manually create and configure this file with the touch or vi command.
    - You must assign at least the read permission to this file with the chmod +x command.
    - Each entry in this file must be on a separate line.
    - Each entry in this file must be in this format:
      <IPv4 Address>[/<Subnet Prefix>]
    - SecureXL ignores empty lines and lines that start with the # character in this file.

-N "<Name of IP Blacklist>"
    Configures the name for the IP deny list.
    This name appears in the Security Gateway logs.
    Notes:
    - Maximal length is 79 characters.
    - You must only use ASCII characters.

-n
    Shows the configured name for the IP deny list.

-s
    Shows the current Penalty Box allow list entries.

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -F
[Expert@MyGW:0]# fwaccel dos allow -s
[Expert@MyGW:0]#

Example 4 - Deleting an entry

[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos allow -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos allow -s
192.168.20.40/32
[Expert@MyGW:0]#
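
A validator for the plain-text allow-list file that "-l" and "-L" load, written as an added example here (it is not Check Point code). It applies the entry rules from the parameter table above: one "<IPv4 Address>[/<Subnet Prefix>]" per line, "#" lines and empty lines skipped, prefix range /1 to /32, a bare address taken as /32; as an assumption of this example, an address whose host bits are set under its prefix is rejected, because a network entry needs the prefix that actually covers it.

```shell
#!/bin/sh
# Validator for the allow-list file format of "fwaccel dos allow -l / -L".
# Added example, not Check Point code; the host-bits check is this example's own rule.

# ip4_to_int: print a dotted-quad IPv4 address as an integer; non-zero if malformed.
ip4_to_int() {
    rest=$1 n=0 count=0
    case "$rest" in .*|*.|*..*) return 1 ;; esac   # leading/trailing/double dots
    while [ -n "$rest" ]; do
        case "$rest" in
            *.*) o=${rest%%.*}; rest=${rest#*.} ;;
            *)   o=$rest; rest='' ;;
        esac
        # digits only, no leading zero (would be read as octal), at most 255
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( (n << 8) | o )); count=$((count + 1))
    done
    [ "$count" -eq 4 ] || return 1
    echo "$n"
}

# check_allow_entry: validate one entry. Prints the normalized "<addr>/<prefix>" on
# success; prints the reason on stderr and returns non-zero otherwise.
check_allow_entry() {
    entry=$1
    case "$entry" in
        */*) addr=${entry%%/*}; prefix=${entry#*/} ;;
        *)   addr=$entry; prefix=32 ;;            # no prefix given: host entry, /32
    esac
    case "$prefix" in ''|*[!0-9]*|0*)
        echo "'$entry': prefix must be /1 to /32" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "'$entry': prefix must be /1 to /32" >&2; return 1
    fi
    ip=$(ip4_to_int "$addr") || { echo "'$entry': malformed IPv4 address" >&2; return 1; }
    hostmask=$(( (1 << (32 - prefix)) - 1 ))     # the bits below the prefix length
    if [ $(( ip & hostmask )) -ne 0 ]; then
        echo "'$entry': host bits set; a network entry needs its covering prefix" >&2
        return 1
    fi
    echo "$addr/$prefix"
}

# check_allow_file: run check_allow_entry over every non-empty, non-comment line of
# the file. Returns the number of rejected entries (0 means the file is clean).
check_allow_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # SecureXL ignores these lines
        check_allow_entry "$line" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}
```

Run check_allow_file against the file before loading it with "-l", so a malformed trusted-network entry is caught before it silently fails to protect that network.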

fwaccel dos config

Description
The fwaccel dos config and fwaccel6 dos config commands control the global configuration
parameters of the Rate Limiting for DoS mitigation in SecureXL.
These global parameters apply to all configured Rate Limiting rules.

Important:
n In VSX mode, you must go to the context of an applicable Virtual System.In
Gaia Clish, run: set virtual-system <VSID>In the Expert mode, run:
vsenv <VSID>
n In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel dos config


get
set
{--disable-rate-limit | --enable-rate-limit}
{--disable-pbox | --enable-pbox}
{--disable-blacklists | --enable-blacklists}
{--disable-deny-list | --enable-deny-list}
{--disable-drop-frags | --enable-drop-frags}
{--disable-drop-opts | --enable-drop-opts}
{--disable-internal | --enable-internal}
{--disable-monitor | --enable-monitor}
{--disable-log-drops | --enable-log-drops}
{--disable-log-pbox | --enable-log-pbox}
{-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
{-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
{-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

R80.40 CLI Reference Guide | 1330


fwaccel dos config

Syntax for IPv6

fwaccel6 dos config


get
set
{--disable-rate-limit | --enable-rate-limit}
{--disable-pbox | --enable-pbox}
{--disable-blacklists | --enable-blacklists}
{--disable-deny-list | --enable-deny-list}
{--disable-drop-frags | --enable-drop-frags}
{--disable-drop-opts | --enable-drop-opts}
{--disable-internal | --enable-internal}
{--disable-monitor | --enable-monitor}
{--disable-log-drops | --enable-log-drops}
{--disable-log-pbox | --enable-log-pbox}
{-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
{-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
{-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Parameters and Options

Parameter or
Description
Option

No Parameters Shows the applicable built-in usage.

get Shows the configuration parameters.

set Configuration the parameters.


<options>

--disable- Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "--
blacklists disable-deny-list" replaces the "--disable-blacklists"
--disable- parameter.
deny-list Disables the IP deny lists.
This is the default configuration.

R80.40 CLI Reference Guide | 1331


fwaccel dos config

Parameter or
Description
Option

--disable- Disables the drops of all fragmented packets. This is the default
drop-frags configuration.
Important - This option applies to only VSX, and only for traffic that
arrives at a Virtual System through a Virtual Switch (packets
received through a Warp interface). From R80.20, IP Fragment
reassembly occurs in SecureXL before the Warp-jump from a
Virtual Switch to a Virtual System. To block IP fragments, the Virtual
Switch must be configured with this option. Otherwise, this has no
effect, because the IP fragments would already be reassembled
when they arrive at the Virtual System's Warp interface.

--disable- Disables the drops of all packets with IP options.


drop-opts This is the default configuration.

--disable- Disables the enforcement on internal interfaces.


internal This is the default configuration.

--disable- Disables the notifications when the DoS module drops a packet due to
log-drops rate limiting policy.

--disable- Disables the notifications when administrator adds an IP address to the


log-pbox penalty box.

--disable- Disables the acceptance of all packets that otherwise would be dropped.
monitor This is the default configuration.

--disable- Disables the IP penalty box.


pbox This is the default configuration.
Also, see the "fwaccel dos pbox" on page 1341 command.

--disable- Disables the enforcement of the rate limiting policy.


rate-limit This is the default configuration.

--enable- Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "--
blacklists enable-deny-list" replaces the "--enable-blacklists"
--enable- parameter.
deny-list Enables IP deny lists.
Also, see the "fwaccel dos deny / blacklist" on page 1336 command.

--enable- Enables the drops of all fragmented packets.


drop-frags

--enable- Enables the drops of all packets with IP options.


drop-opts

R80.40 CLI Reference Guide | 1332


fwaccel dos config

Parameter or
Description
Option

--enable- Enables the enforcement on internal interfaces.


internal

--enable- Enables the notifications when the DoS module drops a packet due to
log-drops rate limiting policy.
This is the default configuration.

--enable- Enables the notifications when administrator adds an IP address to the


log-pbox penalty box.
This is the default configuration.

--enable- Enables the acceptance of all packets that otherwise would be dropped.
monitor

--enable- Enables the IP penalty box.


pbox Also, see the "fwaccel dos pbox" on page 1341 command.

--enable- Enables the enforcement of the rate limiting policy.


rate-limit Important - After you run this command, you must install the Access
Control policy.

-n <NOTIF_ Configures the maximal number of drop notifications per second for each
RATE> SecureXL device.
--notif-rate Range: 0 - (232-1)
<NOTIF_RATE> Default: 100

-p <PBOX_ Configures the minimal number of reported dropped packets before


RATE> SecureXL adds a source IPv4 address to the penalty box.
--pbox-rate Range: 0 - (232-1)
<PBOX_RATE> Default: 500

-t <PBOX_ Configures the number of seconds until SecureXL removes an IP is from


TMO> the penalty box.
--pbox-tmo Range: 0 - (232-1)
<PBOX_TMO> Default: 180

R80.40 CLI Reference Guide | 1333


fwaccel dos config

Example 1 - Get the current DoS configuration on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config get


rate limit: enabled (without policy)
rule cache: enabled
pbox: disabled
deny list: enabled (without policy)
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#

Example 2 - Enabling the Penalty Box on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config set --enable-pbox
OK
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos config get
rate limit: enabled (without policy)
rule cache: enabled
pbox: enabled
deny list: enabled (without policy)
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#


Making the configuration persistent


The settings defined with the "fwaccel dos config set" and the "fwaccel6 dos
config set" commands return to their default values during each reboot. To make these
settings persistent, add the applicable commands to these configuration files:

File                                       Description

$FWDIR/conf/fwaccel_dos_rate_on_install    This shell script for IPv4 must contain only the
                                           "fwaccel dos config set" commands:
                                           #!/bin/bash
                                           fwaccel dos config set <options>

$FWDIR/conf/fwaccel6_dos_rate_on_install   This shell script for IPv6 must contain only the
                                           "fwaccel6 dos config set" commands:
                                           #!/bin/bash
                                           fwaccel6 dos config set <options>

Important - Do not include the "fw sam_policy" on page 1426 commands in these
configuration files. The configured Rate Limiting policy survives reboot. If you add the
"fw sam_policy" commands, the rate policy installer runs in an infinite loop.
Notes:
- To create or edit these files, log in to the Expert mode.
- On a VSX Gateway, before you create these files, go to the context of the applicable
  Virtual System:
  vsenv <VSID>
- If these files do not already exist, create them with one of these commands:
  - touch $FWDIR/conf/<Name of File>
  - vi $FWDIR/conf/<Name of File>
- These files must start with the "#!/bin/bash" line.
- These files must end with a new empty line.
- After you edit these files, you must assign the execute permission to them:
  chmod +x $FWDIR/conf/<Name of File>

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

#!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox
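As an added example that is not part of the Check Point guide, this shell function checks a persistence file against the rules listed in the notes above before a reboot depends on it: the "#!/bin/bash" first line, the trailing newline, the execute permission, only "fwaccel dos config set" (or "fwaccel6 dos config set") lines, and no "fw sam_policy" command. The function names and the demo files are constructed here.

```shell
#!/bin/bash
# Added example (not Check Point code): check a $FWDIR/conf/fwaccel_dos_rate_on_install
# (IPv4) or fwaccel6_dos_rate_on_install (IPv6) file against the rules in the guide.
#
# Usage: check_dos_rate_file <file> [4|6]
# Returns 0 when the file is acceptable, 1 otherwise (the reason goes to stderr).
check_dos_rate_file() {
    f=$1
    if [ "${2:-4}" = 6 ]; then
        cmd="fwaccel6 dos config set"
    else
        cmd="fwaccel dos config set"
    fi

    # Rule: the file must exist (touch or vi) and carry the execute permission (chmod +x).
    [ -f "$f" ] || { echo "$f: file does not exist" >&2; return 1; }
    [ -x "$f" ] || { echo "$f: missing execute permission (chmod +x $f)" >&2; return 1; }

    # Rule: the first line must be exactly #!/bin/bash.
    [ "$(head -n 1 "$f")" = "#!/bin/bash" ] \
        || { echo "$f: first line must be #!/bin/bash" >&2; return 1; }

    # Rule: the file must end with a newline (wc -l counts 1 only if the last byte is LF).
    [ "$(tail -c 1 "$f" | wc -l | tr -d ' ')" = 1 ] \
        || { echo "$f: file must end with a new empty line" >&2; return 1; }

    # Rule: no "fw sam_policy" commands; they make the rate policy installer loop forever.
    if grep -q 'fw sam_policy' "$f"; then
        echo "$f: contains a fw sam_policy command; remove it" >&2
        return 1
    fi

    # Rule: every other non-empty line must be one of the allowed config commands.
    bad=$(awk -v cmd="$cmd" \
        'NR > 1 && !/^[[:space:]]*$/ && index($0, cmd) != 1 { print "  line " NR ": " $0 }' "$f")
    if [ -n "$bad" ]; then
        echo "$f: lines that are not \"$cmd\" commands:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed demo: one file that follows the rules and one that does not.
demo_dos_rate_files() {
    d=$(mktemp -d) || return 1
    good="$d/fwaccel_dos_rate_on_install"
    printf '#!/bin/bash\nfwaccel dos config set --enable-internal\nfwaccel dos config set --enable-pbox\n' > "$good"
    chmod +x "$good"
    bad="$d/fwaccel6_dos_rate_on_install"
    # Missing "#" in the shebang, an fw sam_policy line, and no trailing newline.
    printf '!/bin/bash\nfw sam_policy get -l -k req_type -t in -v quota\nfwaccel6 dos config set --enable-pbox' > "$bad"
    chmod +x "$bad"
    check_dos_rate_file "$good" 4 && echo "$good: OK"
    check_dos_rate_file "$bad" 6 || echo "$bad: rejected"
    rm -rf "$d"
}

demo_dos_rate_files
```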


fwaccel dos deny / blacklist

Description
The fwaccel dos blacklist / fwaccel dos deny and fwaccel6 dos blacklist / fwaccel6 dos deny
commands control the IP deny list in SecureXL.
The deny list blocks all traffic to and from the specified IP addresses.
The deny list drops occur in SecureXL, which is more efficient than dropping the packets with
the Access Control Policy.

Important:
- Starting from R80.40 Jumbo Hotfix Accumulator Take 92, these commands were renamed:
  - from "fwaccel dos blacklist" to "fwaccel dos deny"
  - from "fwaccel6 dos blacklist" to "fwaccel6 dos deny"
- In VSX mode, you must go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.
- To enforce the IP deny list in SecureXL, you must first enable the IP deny lists.
  See these commands:
  - "fwaccel dos config" on page 1330
  - "fw sam_policy" on page 1426 (configure more granular rules)

Syntax for IPv4

fwaccel dos
{blacklist | deny}
-a <IPv4 Address>
-d <IPv4 Address>
-F
-l /<Path>/<Name of File>
-L
-N "<Name of IP Deny List>"
-n
-s


Syntax for IPv6

fwaccel6 dos
{blacklist | deny}
-a <IPv6 Address>
-d <IPv6 Address>
-F
-l /<Path>/<Name of File>
-L
-N "<Name of IP Deny List>"
-n
-s


Parameters

Parameter                      Description

blacklist / deny               Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "deny"
                               parameter replaces the "blacklist" parameter.
                               Controls the IP deny list.

No Parameters                  Shows the applicable built-in usage.

-a <IP Address>                Adds the specified IP address to the deny list.
                               To add more than one IP address, run this command for each
                               applicable IP address.

-d <IP Address>                Removes the specified IP address from the deny list.
                               To remove more than one IP address, run this command for each
                               applicable IP address.

-F                             Removes (flushes) all IP addresses from the deny list.

-l /<Path>/<Name of File>      Loads the deny list entries from the specified plain-text file.
                               Notes:
                               - To replace the current deny list with the contents of a new
                                 file, use both the "-F" and "-l" parameters on the same
                                 command line.
                               - You can use this parameter several times to load entries from
                                 different files.
                               Important:
                               - You must manually create and configure this file with the
                                 touch or vi command.
                               - You must assign at least the read permission to this file
                                 with the chmod +x command.
                               - Each entry in this file must be on a separate line.
                               - Each entry in this file must be in this format:
                                 <IPv4 Address>[/<Subnet Prefix>]
                               - SecureXL ignores empty lines and lines that start with the #
                                 character in this file.


-L                             Loads the deny list entries from all plain-text files located in
                               the predefined directory:
                               - R80.40 and R80.40 Jumbo Hotfix Accumulator lower than Take 92:
                                 $FWDIR/conf/blacklists/
                               - Starting from R80.40 Jumbo Hotfix Accumulator Take 92:
                                 $FWDIR/conf/deny_lists/
                               Security Gateway automatically runs this command "fwaccel dos
                               pbox {whitelist | allow} -L" during each boot.
                               Note - To replace the current deny list with the contents of a
                               new file, use both the "-F" and "-L" parameters on the same
                               command line.
                               Important:
                               - The files in this directory do not exist by default.
                               - You must manually create and configure these files with the
                                 touch or vi command.
                               - You must assign at least the read permission to these files
                                 with the chmod +x command.
                               - Each entry in these files must be on a separate line.
                               - Each entry in these files must be in this format:
                                 <IPv4 Address>[/<Subnet Prefix>]
                               - SecureXL ignores empty lines and lines that start with the #
                                 character in these files.

-s                             Shows the configured deny list.


Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos deny -s
The deny list is empty
[Expert@MyGW:0]#


fwaccel dos pbox

Description
The fwaccel dos pbox command controls the Penalty Box allow-list in SecureXL.
The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive
from suspected sources. The purpose of this feature is to allow the Security Gateway to cope
better under high traffic load, possibly caused by a DoS/DDoS attack.
The SecureXL Penalty Box detects clients that send packets, which the Access Control Policy
drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a
specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all
packets that arrive from the blocked source IP address.

The Penalty Box allow-list in SecureXL configures the source IP addresses, which the
SecureXL Penalty Box never blocks.

Important:
- This command supports only IPv4.
- In VSX mode, you must go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.
- To enforce the Penalty Box in SecureXL, you must first enable the Penalty Box.
  See these commands:
  - "fwaccel dos config" on page 1330
  - "fwaccel dos allow / whitelist" on page 1325
  - "fwaccel synatk allow / whitelist" on page 1403

Syntax for IPv4

fwaccel dos pbox
flush
{whitelist | allow}
-a <IPv4 Address>[/<Subnet Prefix>]
-d <IPv4 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s


Parameters

Parameter                      Description

-i <SecureXL ID>               Specifies the SecureXL instance ID (for IPv4 only).

No Parameters                  Shows the applicable built-in usage.

flush                          Removes (flushes) all source IP addresses from the Penalty Box.

whitelist <options>            Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the
allow <options>                "allow" parameter replaces the "whitelist" parameter.
                               Configures the allow-list for source IP addresses in the
                               SecureXL Penalty Box.
                               Important - This allow-list overrides which packets the
                               SecureXL Penalty Box drops. Before you use 3rd-party or
                               automatic blacklists, add trusted networks and hosts to the
                               allow-list to avoid outages.
                               Note - This command is similar to the "fwaccel dos allow /
                               whitelist" on page 1325 command.

-a <IPv4 Address>[/<Subnet Prefix>]
                               Adds the specified IP address to the Penalty Box allow-list.
                               - <IPv4 Address>
                                 Can be an IP address of a network or a host.
                               - <Subnet Prefix>
                                 Must specify the length of the subnet mask in the format
                                 /<bits>.
                                 Optional for a host IP address.
                                 Mandatory for a network IP address.
                                 Range - from /1 to /32.
                                 Important - If you do not specify the subnet prefix
                                 explicitly, this command uses the subnet prefix /32.
                               Examples:
                               - For a host:
                                 192.168.20.30
                                 192.168.20.30/32
                               - For a network:
                                 192.168.20.0/24


-d <IPv4 Address>[/<Subnet Prefix>]
                               Removes the specified IP address from the Penalty Box allow-list.
                               - <IPv4 Address>
                                 Can be an IP address of a network or a host.
                               - <Subnet Prefix>
                                 Optional. Must specify the length of the subnet mask in the
                                 format /<bits>.
                                 Optional for a host IP address.
                                 Mandatory for a network IP address.
                                 Range - from /1 to /32.
                                 Important - If you do not specify the subnet prefix
                                 explicitly, this command uses the subnet prefix /32.

-F                             Removes (flushes) all entries from the Penalty Box allow-list.

-l /<Path>/<Name of File>      Loads the Penalty Box allow-list entries from the specified
                               plain-text file.
                               Important:
                               - You must manually create and configure this file with the
                                 touch or vi command.
                               - You must assign at least the read permission to this file
                                 with the chmod +x command.
                               - Each entry in this file must be on a separate line.
                               - Each entry in this file must be in this format:
                                 <IPv4 Address>[/<Subnet Prefix>]
                               - SecureXL ignores empty lines and lines that start with the #
                                 character in this file.


-L                             Loads the Penalty Box allow-list entries from the plain-text file
                               with a predefined name:
                               - R80.40 and R80.40 Jumbo Hotfix Accumulator lower than Take 92:
                                 $FWDIR/conf/pbox-whitelist-v4.conf
                               - Starting from R80.40 Jumbo Hotfix Accumulator Take 92:
                                 $FWDIR/conf/pbox-allow-list-v4.conf
                               Security Gateway automatically runs this command "fwaccel dos
                               pbox {whitelist | allow} -L" during each boot.
                               Important:
                               - This file does not exist by default.
                               - You must manually create and configure this file with the
                                 touch or vi command.
                               - You must assign at least the read permission to this file
                                 with the chmod +x command.
                               - Each entry in this file must be on a separate line.
                               - Each entry in this file must be in this format:
                                 <IPv4 Address>[/<Subnet Prefix>]
                               - SecureXL ignores empty lines and lines that start with the #
                                 character in this file.

-s                             Shows the current Penalty Box allow-list entries.
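The deny list files loaded with "fwaccel dos deny -l / -L" and the Penalty Box allow-list files loaded with "fwaccel dos pbox allow -l / -L" share the <IPv4 Address>[/<Subnet Prefix>] format described above. As an added example that is not part of the Check Point guide, this shell function validates such a file offline and prints it the way the gateway lists it (a host without a prefix becomes /32); check_ip_list is a name chosen here and the sample entries are constructed.

```shell
#!/bin/bash
# Added example (not Check Point code): validate a plain-text IP list in the
# <IPv4 Address>[/<Subnet Prefix>] format used by "fwaccel dos deny -l/-L" and
# "fwaccel dos pbox allow -l/-L", and print the normalized entries.
#
# Usage: check_ip_list <file>
# stdout: one normalized entry per valid line (hosts get /32, like the gateway shows them)
# stderr: one message per invalid line; returns 1 if any line is invalid.
check_ip_list() {
    awk '
    function reject(msg) { printf("line %d: %s: %s\n", NR, msg, $0) > "/dev/stderr"; bad++ }
    function warn(msg)   { printf("line %d: warning: %s: %s\n", NR, msg, $0) > "/dev/stderr" }

    /^[[:space:]]*$/ { next }      # SecureXL ignores empty lines ...
    /^[[:space:]]*#/ { next }      # ... and lines that start with #
    {
        if (NF != 1) { reject("exactly one entry per line"); next }
        n = split($1, part, "/")
        if (n > 2) { reject("malformed prefix"); next }
        if (split(part[1], o, ".") != 4) { reject("not a dotted-quad IPv4 address"); next }
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { reject("octet out of range"); next }
        # A missing prefix means a single host, i.e. /32.
        prefix = (n == 2) ? part[2] : "32"
        if (prefix !~ /^[0-9]+$/ || prefix + 0 < 1 || prefix + 0 > 32) {
            reject("subnet prefix must be /1 to /32"); next
        }
        prefix += 0
        # A network entry whose host bits are not zero is probably a typo (e.g. 10.1.2.3/24).
        addr = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        if (prefix < 32 && addr % (2 ^ (32 - prefix)) != 0)
            warn("host bits set beyond /" prefix "; expected the network address")
        print part[1] "/" prefix
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed demo: a list with a comment, a host without prefix, a network,
# a network entry with host bits set, and an invalid address.
demo_ip_list() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# trusted management hosts (constructed sample)
192.168.20.30
192.168.20.0/24

10.1.2.3/24
256.1.1.1
EOF
    check_ip_list "$f" || echo "$f: fix the lines above before loading it with -l" >&2
    rm -f "$f"
}

demo_ip_list
```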

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#


Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -F
[Expert@MyGW:0]# fwaccel dos pbox allow -s
[Expert@MyGW:0]#

Example 4 - Deleting an entry

[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos pbox allow -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox allow -s
192.168.20.40/32
[Expert@MyGW:0]#


fwaccel dos rate

Description
The fwaccel dos rate and fwaccel6 dos rate commands show and install the Rate Limiting
policy in SecureXL.

Important:
- In VSX mode, you must go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel dos rate
get '<Rule UID>'
install

Syntax for IPv6

fwaccel6 dos rate
get '<Rule UID>'
install

Parameters

Parameter                      Description

No Parameters                  Shows the applicable built-in usage.

get '<Rule UID>'               Shows information about the rule specified by its Rule UID or its
                               zero-based rule index.
                               The quote marks and angle brackets ('<...>') are mandatory.

install                        Installs a new rate limiting policy.
                               Important - This command requires input from the stdin.
                               To use this command, run:
                               fw sam_policy get -l -k req_type -t in -v quota | fwaccel dos rate install
                               For more information about the "fw sam_policy" command, see "fw
                               sam_policy" on page 1426.


Notes
- If you install a new rate limiting policy with more than one rule, it automatically enables
  the rate limiting feature.
  To disable the rate limiting feature manually, run this command (see "fwaccel dos config"
  on page 1330):
  fwaccel dos config set --disable-rate-limit
- To delete the current rate limiting policy, install a new policy with zero rules.


fwaccel dos stats

Description
The fwaccel dos stats and fwaccel6 dos stats commands show and clear the DoS real-time
statistics in SecureXL.

Important:
- In VSX mode, you must go to the context of an applicable Virtual System.
  In Gaia Clish, run: set virtual-system <VSID>
  In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel dos stats
clear
get

Syntax for IPv6

fwaccel6 dos stats
clear
get

Parameters

Parameter Description

No Parameters Shows the applicable built-in usage.

clear Clears the real-time statistics counters.

get Shows the real-time statistics counters.


Example - Get the current DoS statistics

[Expert@MyGW:0]# fwaccel dos stats get

Firewall Instances in Aggregate:
Memory Usage: 0
Total Active Connections: (FW connection limiting inactive)
New Connections/Second: (FW connection limiting inactive)
Number of Elements in Tables:
Penalty Box Violating IPs: 0
Rate Limit Source Only Tracks: 0
Rate Limit Source and Service Tracks: 0
Rate Limit Dest Only Tracks: 0
Rate Limit Dest and Service Tracks: 0

SecureXL:
Memory Usage: 0
Packets/Second: (rate limiting inactive)
Bytes/Second: (rate limiting inactive)
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 0
Deny List: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0
Non-Empty Deny Lists: 0
Deny List IPs: 0
Rate Limit Matches: 0
Rate Limit Source Only Tracks: 0
Rate Limit Source and Service Tracks: 0
Rate Limit Dest Only Tracks: 0
Rate Limit Dest and Service Tracks: 0
[Expert@MyGW:0]#


fwaccel feature

Description
The fwaccel feature and fwaccel6 feature commands enable and disable the specified
SecureXL features.

Important:
- If you disable a SecureXL feature, SecureXL does not accelerate the applicable traffic
  anymore.
- This change does not survive reboot.
- In VSX Gateway, this change is global and applies to all Virtual Systems.
- In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel feature <Name of Feature>
get
off
on

Syntax for IPv6

fwaccel6 feature <Name of Feature>
get
off
on


Parameters

Parameter                      Description

No Parameters                  Shows the applicable built-in usage.

<Name of Feature>              Specifies the SecureXL feature.
                               R80.40 SecureXL supports only this feature:
                               - Name: sctp
                               - Description: Stream Control Transmission Protocol (SCTP) -
                                 see sk35113

get                            Shows the current state of the specified SecureXL feature.

off                            Disables the specified SecureXL feature.
                               This means that SecureXL does not accelerate the applicable
                               traffic anymore.

on                             Enables the specified SecureXL feature.
                               This means that SecureXL accelerates the applicable traffic again.

Disabling the 'sctp' feature permanently

See "Working with Kernel Parameters on Security Gateway" on page 1861.
1. Add this line to the $FWDIR/boot/modules/fwkern.conf file:
sim_sctp_disable_by_default=1

2. Reboot.

Example 1 - Default output

[Expert@MyGW:0]# fwaccel feature
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

[Expert@MyGW:0]#


Example 2 - Disabling and enabling a feature

[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp off
Set operation succeeded
[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp on
Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 0
[Expert@MyGW:0]#


fwaccel off

Description
The fwaccel off and fwaccel6 off commands stop the SecureXL on-the-fly.
Starting from R80.20, you can stop the SecureXL only temporarily. The SecureXL starts
automatically when you start Check Point services (with the "cpstart" on page 957 command),
or reboot the Security Gateway.

Important:
- Disable the SecureXL only for debug purposes, if Check Point Support explicitly
  instructs you to do so.
- If you disable the SecureXL, this change does not survive reboot.
  SecureXL remains disabled until you enable it again on-the-fly, or reboot the
  Security Gateway.
- If you disable the SecureXL, this change applies only to new connections that
  arrive after you disable the acceleration.
  SecureXL continues to accelerate the connections that are already accelerated.
  Other non-connection oriented processing continues to function (for example,
  virtual defragmentation, VPN decrypt).
- On a VSX Gateway:
  - If you wish to stop the acceleration only for a specific Virtual System, go to
    the context of that Virtual System.
    In Gaia Clish, run: set virtual-system <VSID>
    In Expert mode, run: vsenv <VSID>
  - If you wish to stop the acceleration for all Virtual Systems, you must use
    the "-a" parameter.
    In this case, it does not matter from which Virtual System context you run
    this command.
- In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel off [-a] [-q]

Syntax for IPv6

fwaccel6 off [-a] [-q]


Parameters

Parameter Description

-a On a VSX Gateway, stops acceleration on all Virtual Systems.

-q Suppresses the output (does not show a returned output).

Possible returned output

- SecureXL device disabled
- SecureXL device is not active
- Failed to disable SecureXL device
- fwaccel_off: failed to set process context <VSID>

Example 1 - Output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel off
SecureXL device disabled.
[Expert@MyGW:0]#


Example 2 - Output from a VSX Gateway for a specific Virtual System

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel off
SecureXL device disabled. (Virtual ID 1)
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#


Example 3 - Output from a VSX Gateway for all Virtual Systems

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel off -a
SecureXL device disabled. (Virtual ID 0)
SecureXL device disabled. (Virtual ID 1)
SecureXL device disabled. (Virtual ID 2)
[Expert@MyVSXGW:1]#


fwaccel on

Description
The fwaccel on and fwaccel6 on commands start the acceleration on-the-fly, if it was
previously stopped with the fwaccel off or fwaccel6 off command (see "fwaccel off" on
page 1353).

Important:
- On a VSX Gateway:
  - If you wish to start the acceleration only for a specific Virtual System, go to
    the context of that Virtual System.
    In Gaia Clish, run: set virtual-system <VSID>
    In Expert mode, run: vsenv <VSID>
  - If you wish to start the acceleration for all Virtual Systems, you must use
    the "-a" parameter.
    In this case, it does not matter from which Virtual System context you run
    this command.
- In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel on [-a] [-q]

Syntax for IPv6

fwaccel6 on [-a] [-q]

Parameters

Parameter Description

-a On a VSX Gateway, starts the acceleration on all Virtual Systems.

-q Suppresses the output (does not show a returned output).

Possible returned output

- SecureXL device is enabled.
- Failed to start SecureXL.
- No license for SecureXL.
- SecureXL is disabled by the firewall. Please try again later.
- The installed SecureXL device is not compatible with the installed firewall (version
  mismatch).
- The SecureXL device is in the process of being stopped. Please try again later.
- SecureXL cannot be started while "flows" are active.
- SecureXL is already started.
- SecureXL will be started after a policy is loaded.
- fwaccel: Failed to check FloodGate-1 status. Acceleration will not be started.
- FW-1: SecureXL acceleration cannot be started while QoS is running in express mode.
  Please disable FloodGate-1 express mode or SecureXL.
- FW-1: SecureXL acceleration cannot be started while QoS is running with citrix printing
  rule.
  Please remove the citrix printing rule to enable SecureXL.
- FW-1: SecureXL acceleration cannot be started while QoS is running with UAS rule.
  Please remove the UAS rule to enable SecureXL.
- FW-1: SecureXL acceleration cannot be started while QoS is running.
  Please remove the QoS blade to enable SecureXL.
- Failed to enable SecureXL device
- fwaccel_on: failed to set process context <VSID>

Example 1 - Output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel on
SecureXL device is enabled.
[Expert@MyGW:0]#


Example 2 - Output from a VSX Gateway for a specific Virtual System

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel on
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#


Example 3 - Output from a VSX Gateway for all Virtual Systems

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel on -a
[Expert@MyVSXGW:1]#


fwaccel ranges

Description
The fwaccel ranges and fwaccel6 ranges commands show the SecureXL loaded ranges:
- Ranges of Rule Base source IP addresses
- Ranges of Rule Base destination IP addresses
- Ranges of Rule Base destination ports and protocols
The Security Gateway creates these ranges during the policy installation. The Firewall creates
and offloads ranges to SecureXL when any of these features is enabled:
- Rulebase ranges for Drop Templates
- Anti-Spoofing enforcement ranges on a per-interface basis
- NAT64 ranges
- NAT46 ranges
These ranges are related to matching of connections to SecureXL Drop Templates. These
ranges represent the Source, Destination and Service columns of the Rule Base.
These ranges are not exactly the same as the Rule Base, because there are objects that
cannot be represented as real (deterministic) IP addresses, for example, Domain objects and
Dynamic objects. The Security Gateway converts such non-deterministic objects to "Any" IP
address.

In addition, implied rules are represented in these ranges, except for some specific implied
rules.
You can use these commands for troubleshooting.

Syntax for IPv4

fwaccel ranges
-h
-a
-l
-p <Range ID>
-s <Range ID>


Syntax for IPv6

fwaccel6 ranges
-h
-a
-l
-p <Range ID>
-s <Range ID>

Parameters

Parameter                      Description

-h                             Shows the applicable built-in usage.

-a                             Shows the full information for all loaded ranges.
or No Parameters               Note - In the list of SecureXL Drop Templates (output of the
                               "fwaccel templates" on page 1421 command), each Drop Template is
                               assembled from range indexes. To see the mapping between a range
                               index and the range itself, run this command: "fwaccel ranges -a".
                               This helps you understand the practical ranges for Drop Templates
                               and when it is appropriate to use them.

-l                             Shows the list of loaded ranges:
                               - 0 - Ranges of Rule Base source IP addresses
                               - 1 - Ranges of Rule Base destination IP addresses
                               - 2 - Ranges of Rule Base destination ports and protocols

-p <Range ID>                  Shows the full information for the specified range.

-s <Range ID>                  Shows the summary information for the specified range.

Examples
Example 1 - Show the list of ranges from a non-VSX Gateway
[Expert@MyGW:0]# fwaccel ranges -l
SecureXL device 0:
0 Rule base source ranges (ip):
1 Rule base destination ranges (ip):
2 Rule base dport ranges (port, proto):
[Expert@MyGW:0]#

Example 2 - Show the full information for all loaded ranges from a non-VSX Gateway
[Expert@MyGW:0]# fwaccel ranges
SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
[Expert@MyGW:0]#

Example 3 - Show the full information for the specified range from a non-VSX Gateway
[Expert@MyGW:0]# fwaccel ranges -p 0
SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -p 1
SecureXL device 0:
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -p 2
SecureXL device 0:
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
[Expert@MyGW:0]#

Example 4 - Show the summary information for the specified range from a non-VSX Gateway
[Expert@MyGW:0]# fwaccel ranges -s 0
SecureXL device 0:
List name "Rule base source ranges (ip):", ID 0, Number of ranges 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -s 1
SecureXL device 0:
List name "Rule base destination ranges (ip):", ID 1, Number of ranges 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -s 2
SecureXL device 0:
List name "Rule base dport ranges (port, proto):", ID 2, Number of ranges 11
[Expert@MyGW:0]#
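The "-a" note above says that each Drop Template is assembled from range indexes and that "fwaccel ranges -a" gives the mapping back to real addresses and services. The following is an added example, not part of this guide and not a Check Point tool: it parses the text that "fwaccel ranges" prints (the non-VSX output of Example 2 is embedded as a constructed sample) and returns the source, destination and service range index for a given flow, so a template expressed as indexes can be read as addresses and ports. It also checks that each list tiles its key space without gaps. The dport list is keyed as (protocol, port) because the sample ranges are contiguous only in that order (all proto 6 ranges precede proto 17, and range 8 runs from 19010/TCP to 136/UDP); that ordering is inferred from the sample output and is not documented on this page.

```python
"""Map a flow's source, destination and service to `fwaccel ranges` indexes."""
import ipaddress
import re

# Constructed sample: the non-VSX output shown in Example 2 above.
SAMPLE_RANGES = """\
SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
"""

LIST_RE = re.compile(r"^(?P<name>.*\branges\b.*):$")   # e.g. "Rule base source ranges (ip):"
IP_RE = re.compile(r"^\((?P<i>\d+)\)\s+(?P<lo>[\d.]+)\s+-\s+(?P<hi>[\d.]+)$")
SVC_RE = re.compile(r"^\((?P<i>\d+)\)\s+(?P<lop>\d+),\s*(?P<lopr>\d+)"
                    r"\s+-\s+(?P<hip>\d+),\s*(?P<hipr>\d+)$")


def ip_key(text):
    return int(ipaddress.IPv4Address(text))


def parse_ranges(text):
    """Return {list name: [(index, lo, hi), ...]}.

    IP lists are keyed by integer address. The dport list is keyed as
    (proto, port), an order inferred from the sample: proto-major keys are the
    only ones under which range 8 (19010/TCP .. 136/UDP) is a valid interval.
    """
    lists, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = LIST_RE.match(line)
        if m:
            current = lists.setdefault(m.group("name"), [])
            continue
        m = SVC_RE.match(line)
        if m and current is not None:
            current.append((int(m.group("i")),
                            (int(m.group("lopr")), int(m.group("lop"))),
                            (int(m.group("hipr")), int(m.group("hip")))))
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            current.append((int(m.group("i")), ip_key(m.group("lo")), ip_key(m.group("hi"))))
    return lists


def find_index(entries, key):
    """Index of the range containing key, or None if the table has a gap there."""
    for index, lo, hi in entries:
        if lo <= key <= hi:
            return index
    return None


def classify(text, src, dst, proto, dport):
    """(source index, destination index, service index) for one flow."""
    lists = parse_ranges(text)
    return (find_index(lists["Rule base source ranges (ip)"], ip_key(src)),
            find_index(lists["Rule base destination ranges (ip)"], ip_key(dst)),
            find_index(lists["Rule base dport ranges (port, proto)"], (proto, dport)))


def is_contiguous(entries):
    """True when each range starts exactly where the previous one ended."""
    def successor(key):
        if isinstance(key, tuple):
            proto, port = key
            return (proto, port + 1) if port < 65535 else (proto + 1, 0)
        return key + 1
    entries = sorted(entries)
    return all(successor(prev[2]) == cur[1] for prev, cur in zip(entries, entries[1:]))
```

With the sample above, a SIC connection from 10.0.0.5 to 192.168.204.40 on TCP 18191 maps to indexes (0, 3, 4); the same parser reads the per-interface "Anti spoofing ranges" lists of a VSX Gateway, since they use the same IP line format.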

Example 5 - Show the list of ranges from a VSX Gateway


[Expert@MyVSXGW:2]# vsenv 0
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVSXGW:0]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth0:
1 Anti spoofing ranges eth1:
[Expert@MyVSXGW:0]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth3:
1 Anti spoofing ranges eth2.52:
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth4:
1 Anti spoofing ranges eth2.53:
[Expert@MyVSXGW:2]#

Example 6 - Show the full information for all loaded ranges from a VSX Gateway
[Expert@MyVSXGW:2]# vsenv 0
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVSXGW:0]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth0:
(0) 0.0.0.0 - 10.20.29.255
(1) 10.20.31.0 - 126.255.255.255
(2) 128.0.0.0 - 192.168.2.255
(3) 192.168.3.1 - 192.168.3.241
(4) 192.168.3.243 - 192.168.3.254
(5) 192.168.4.0 - 223.255.255.255
(6) 240.0.0.0 - 255.255.255.254
Anti spoofing ranges eth1:
(0) 10.20.30.1 - 10.20.30.241
(1) 10.20.30.243 - 10.20.30.254
[Expert@MyVSXGW:0]#
[Expert@MyVSXGW:0]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth3:
(0) 40.50.60.0 - 40.50.60.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.52:
(0) 70.80.90.0 - 70.80.90.255
(1) 192.168.196.1 - 192.168.196.1
(2) 192.168.196.3 - 192.168.196.14
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth4:
(0) 100.100.100.0 - 100.100.100.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.53:
(0) 192.168.196.1 - 192.168.196.1
(1) 192.168.196.3 - 192.168.196.14
(2) 200.200.200.0 - 200.200.200.255
[Expert@MyVSXGW:2]#

Example 7 - Show the summary information for the specified range from a VSX Gateway
[Expert@MyVSXGW:2]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 0
SecureXL device 0:
List name "Anti spoofing ranges eth3:", ID 0, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 1
SecureXL device 0:
List name "Anti spoofing ranges eth2.52:", ID 1, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 2
SecureXL device 0:
The requested range table is empty
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 0
SecureXL device 0:
List name "Anti spoofing ranges eth4:", ID 0, Number of ranges 3
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 1
SecureXL device 0:
List name "Anti spoofing ranges eth2.53:", ID 1, Number of ranges 3
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 2
SecureXL device 0:
The requested range table is empty
[Expert@MyVSXGW:2]#

fwaccel stat

Description
The fwaccel stat and fwaccel6 stat commands show the SecureXL status, the list of the
accelerated interfaces and the list of the accelerated features on the local Security Gateway,
or Cluster Member.

Syntax for IPv4

fwaccel stat [-a] [-t] [-v]

Syntax for IPv6

fwaccel6 stat [-a] [-t] [-v]

Parameters

Parameter      Description
-------------  ------------------------------------------------------------------
No Parameters  Shows this information:
               n SecureXL instance ID
               n SecureXL instance role
               n SecureXL status
               n Accelerated interfaces
               n Accelerated features
               In addition, also shows:
               n More information about the Cryptography feature
               n The status of Accept Templates
               n The status of Drop Templates
               n The status of NAT Templates

-a             On a VSX Gateway, shows the information for all Virtual Systems.

-t             Shows this information only:
               n SecureXL instance ID
               n SecureXL instance role
               n SecureXL status
               n Accelerated interfaces
               n Accelerated features

-v             On a VSX Gateway, shows the information for all Virtual Systems.
               The same as the "-a" parameter.

Example 1 - Full output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel stat


+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,|
| | | |eth5,eth6 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
                   Layer MyGW_Policy Network disables template offloads from rule #1
                   Throughput acceleration still enabled.
Drop Templates   : disabled
NAT Templates    : disabled by Firewall
                   Layer MyGW_Policy Network disables template offloads from rule #1
                   Throughput acceleration still enabled.
[Expert@MyGW:0]#

Example 2 - Brief output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel stat -t


+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,|
| | | |eth5,eth6,eth7 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyGW:0]#
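The status lines under the table are the part of this output that changes after every policy install: a rule near the top of a layer that disables template offload affects every rule below it, and the output names the layer and the rule. The following is an added example, not part of this guide and not a Check Point tool: it parses "fwaccel stat" output (the Example 1 lines are embedded as a constructed sample), records the SecureXL instance status and the Accept, Drop and NAT Templates status, and turns the layer/rule sentence into a finding that says which rule to review. The regular expressions match the wording exactly as printed in Example 1; other releases may print it differently.

```python
"""Parse `fwaccel stat` output and report what blocks template offload."""
import re

# Constructed sample: the SecureXL table and template status lines of Example 1 above.
SAMPLE_STAT = """\
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,|
| | | |eth5,eth6 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer MyGW_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer MyGW_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
"""

STATUS_RE = re.compile(r"^\|(?P<id>\d+)\s*\|(?P<name>[^|]+?)\s*\|(?P<status>[^|]+?)\s*\|")
TEMPLATE_RE = re.compile(r"^(?P<kind>Accept|Drop|NAT) Templates\s*:\s*(?P<state>.+?)\s*$")
RULE_RE = re.compile(r"Layer (?P<layer>.+?) disables template offloads from rule #(?P<rule>\d+)")


def parse_stat(text):
    """Return {"instances": {id: (name, status)}, "templates": {kind: {...}}}."""
    result = {"instances": {}, "templates": {}}
    current = None   # template entry that a following "Layer ..." line refers to
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            result["instances"][int(m.group("id"))] = (m.group("name"), m.group("status"))
            continue
        m = TEMPLATE_RE.match(line.strip())
        if m:
            current = {"state": m.group("state"), "layer": None, "rule": None}
            result["templates"][m.group("kind")] = current
            continue
        m = RULE_RE.search(line)
        if m and current is not None:
            current["layer"] = m.group("layer")
            current["rule"] = int(m.group("rule"))
    return result


def findings(parsed):
    """Conditions worth acting on, one sentence each, in a fixed order."""
    out = []
    for inst_id, (name, status) in sorted(parsed["instances"].items()):
        if status != "enabled":
            out.append("SecureXL instance %d (%s) is %s" % (inst_id, name, status))
    for kind in ("Accept", "Drop", "NAT"):
        tpl = parsed["templates"].get(kind)
        if tpl is None:
            out.append("%s Templates status not reported" % kind)
        elif tpl["rule"] is not None:
            out.append("%s Templates disabled from rule #%d in layer %s: review that rule "
                       "(and the ones above it) so template offload resumes"
                       % (kind, tpl["rule"], tpl["layer"]))
        elif tpl["state"] != "enabled":
            out.append("%s Templates %s" % (kind, tpl["state"]))
    return out
```

Run against the sample it reports three findings: Accept and NAT Templates are disabled from rule #1 of layer MyGW_Policy Network, and Drop Templates are disabled. On a VSX Gateway, run it once per Virtual System (after "vsenv <ID>"), since each Virtual System prints its own table.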

Example 3 - Full output from a VSX Gateway

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name:                      VSX2_192.168.3.242
Access Control Policy:     VSX_GW_VSX
Installed at:              17Sep2018 13:17:14
Threat Prevention Policy:  <No Policy>
SIC Status:                Trust

Number of Virtual Systems allowed by license:          25
Virtual Systems [active / configured]:                  2 / 2
Virtual Routers and Switches [active / configured]:     0 / 0
Total connections [current / limit]:                    4 / 44700

Virtual Devices Status
======================

ID   | Type & Name         | Access Control Policy | Installed at      | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-------------------+--------------------------+---------
   1 | S VS1               | VS1_Policy            | 17Sep2018 12:47   | <No Policy>              | Trust
   2 | S VS2               | VS2_Policy            | 17Sep2018 12:47   | <No Policy>              | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
                   Layer VS1_Policy Network disables template offloads from rule #1
                   Throughput acceleration still enabled.
Drop Templates   : disabled
NAT Templates    : disabled by Firewall
                   Layer VS1_Policy Network disables template offloads from rule #1
                   Throughput acceleration still enabled.
[Expert@MyVSXGW:1]#

fwaccel stats

Description
The fwaccel stats command shows acceleration statistics for IPv4, and the fwaccel6 stats
command shows acceleration statistics for IPv6, on the local Security Gateway or Cluster Member.

Syntax for IPv4

fwaccel stats
[-c]
[-d]
[-l]
[-m]
[-n]
[-o]
[-p]
[-q]
[-r]
[-s]
[-x]

Syntax for IPv6

fwaccel6 stats
[-c]
[-d]
[-l]
[-m]
[-n]
[-o]
[-p]
[-q]
[-r]
[-s]
[-x]

Parameters

Parameter Description

-c Shows the statistics for Cluster Correction.

-d Shows the statistics for drops from device.

-l Shows the statistics in legacy mode - as one table.

-m Shows the statistics for multicast traffic.

-n Shows the statistics for Identity Awareness (NAC).

-o Shows the statistics for Reorder Infrastructure.

-p Shows the statistics for SecureXL violations (F2F packets).

-q Shows the statistics for notifications that SecureXL sent to the Firewall.

-r Resets all the counters.

-s Shows the statistics summary only.

-x Shows the statistics for PXL.


Note - PXL is the technology name for the combination of SecureXL and PSL
(Passive Streaming Library).

In addition, see:
n "Description of the Statistics Counters in the "fwaccel stats" Output" on page 1376
n "Example Outputs on the "fwaccel stats" Commands" on page 1385

Description of the Statistics Counters in the "fwaccel stats" Output


The "Accelerated Path" section

Counter               Description
--------------------  ---------------------------------------------------------------
accel packets         Number of accelerated packets.
accel bytes           Number of accelerated bytes.
outbound packets      Number of outbound packets.
outbound bytes        Number of outbound bytes.
conns created         Number of connections the SecureXL created.
conns deleted         Number of connections the SecureXL deleted.
C total conns         Total number of connections the SecureXL currently handles.
C templates           Not in use. (Total number of SecureXL templates the SecureXL
                      currently handles.)
C TCP conns           Number of TCP connections the SecureXL currently handles.
C non TCP conns       Number of non-TCP connections the SecureXL currently handles.
conns from templates  Not in use. (Number of connections the SecureXL created from
                      SecureXL templates.)
nat conns             Number of NAT connections.
dropped packets       Number of packets the SecureXL dropped.
dropped bytes         Number of bytes the SecureXL dropped.
nat templates         Not in use.
port alloc templates  Not in use.
conns from nat tmpl   Not in use.
port alloc conns      Not in use.
fragments received    Number of received fragments.
fragments transmit    Number of transmitted fragments.
fragments dropped     Number of dropped fragments.
fragments expired     Number of expired fragments.
IP options stripped   Number of packets from which SecureXL stripped IP options.
IP options restored   Number of packets in which SecureXL restored IP options.
IP options dropped    Number of packets with IP options that SecureXL dropped.
corrs created         Number of corrections the SecureXL made.
corrs deleted         Number of corrections the SecureXL deleted.
C corrections         Number of corrections the SecureXL currently handles.
corrected packets     Number of corrected packets.
corrected bytes       Number of corrected bytes.

The "Accelerated VPN Path" section

Counter           Description
----------------  ----------------------------------------------------------------
C crypt conns     Number of encrypted connections the SecureXL currently handles.
enc bytes         Number of encrypted traffic bytes.
dec bytes         Number of decrypted traffic bytes.
ESP enc pkts      Number of ESP encrypted packets.
ESP enc err       Number of ESP encryption errors.
ESP dec pkts      Number of ESP decrypted packets.
ESP dec err       Number of ESP decryption errors.
ESP other err     Number of ESP general errors.
espudp enc pkts   Not in use.
espudp enc err    Not in use.
espudp dec pkts   Not in use.
espudp dec err    Not in use.
espudp other err  Not in use.

The "Medium Streaming Path" section

Counter            Description
-----------------  ----------------------------------------------------------------
PXL packets        Number of PXL packets.
                   PXL is the combination of SecureXL and the Passive Streaming
                   Library (PSL). PSL is an IPS infrastructure that transparently
                   listens to TCP traffic as network packets and rebuilds the TCP
                   stream out of these packets. Passive Streaming can listen to all
                   TCP traffic, but processes only the data packets that belong to a
                   previously registered connection.
PXL async packets  Number of PXL packets the SecureXL handled asynchronously.
PXL bytes          Number of PXL bytes.
C PXL conns        Number of PXL connections the SecureXL currently handles.
C PXL templates    Not in use. (Number of PXL templates.)
PXL FF conns       Number of PXL Fast Forward connections.
PXL FF packets     Number of PXL Fast Forward packets.
PXL FF bytes       Number of PXL Fast Forward bytes.
PXL FF acks        Number of PXL Fast Forward acknowledgments.

Note - In the R80.40 example output later in this section, the Medium Streaming Path
counters are reported separately per stream type, for example "CPASXL packets" and
"PSLXL packets" instead of a single "PXL packets" counter.

The "Inline Streaming Path" section

Counter              Description
-------------------  ----------------------------------
PSL Inline packets   Number of accelerated PSL packets.
PSL Inline bytes     Number of accelerated PSL bytes.
CPAS Inline packets  Number of accelerated CPAS packets.
CPAS Inline bytes    Number of accelerated CPAS bytes.

The "QoS General Information" section

Counter                Description
---------------------  --------------------------------------
Total QoS Conns        Total number of QoS connections.
QoS Classify Conns     Number of classified QoS connections.
QoS Classify flow      Number of classified QoS flows.
Reclassify QoS policy  Number of reclassify QoS requests.

The "Firewall QoS Path" section

Counter               Description
--------------------  ------------------------------------------------------------
Enqueued IN packets   Number of waiting packets in the Firewall QoS inbound queue.
Enqueued OUT packets  Number of waiting packets in the Firewall QoS outbound queue.
Dequeued IN packets   Number of processed packets in the Firewall QoS inbound queue.
Dequeued OUT packets  Number of processed packets in the Firewall QoS outbound queue.
Enqueued IN bytes     Number of waiting bytes in the Firewall QoS inbound queue.
Enqueued OUT bytes    Number of waiting bytes in the Firewall QoS outbound queue.
Dequeued IN bytes     Number of processed bytes in the Firewall QoS inbound queue.
Dequeued OUT bytes    Number of processed bytes in the Firewall QoS outbound queue.

The "Accelerated QoS Path" section

Counter               Description
--------------------  ------------------------------------------------------------
Enqueued IN packets   Number of waiting packets in the SecureXL QoS inbound queue.
Enqueued OUT packets  Number of waiting packets in the SecureXL QoS outbound queue.
Dequeued IN packets   Number of processed packets in the SecureXL QoS inbound queue.
Dequeued OUT packets  Number of processed packets in the SecureXL QoS outbound queue.
Enqueued IN bytes     Number of waiting bytes in the SecureXL QoS inbound queue.
Enqueued OUT bytes    Number of waiting bytes in the SecureXL QoS outbound queue.
Dequeued IN bytes     Number of processed bytes in the SecureXL QoS inbound queue.
Dequeued OUT bytes    Number of processed bytes in the SecureXL QoS outbound queue.

The "Firewall Path" section

Counter              Description
-------------------  -------------------------------------------------------------
F2F packets          Number of packets that SecureXL forwarded to the Firewall kernel
                     in the Slow Path.
F2F bytes            Number of bytes that SecureXL forwarded to the Firewall kernel
                     in the Slow Path.
TCP violations       Number of packets that are in violation of the TCP state.
C anticipated conns  Number of anticipated connections SecureXL currently handles.
port alloc f2f       Not in use.
F2V conn match pkts  Number of packets that matched a SecureXL connection and that
                     SecureXL forwarded to the Firewall kernel.
F2V packets          Number of packets that SecureXL forwarded to the Firewall kernel
                     and the Firewall re-injected back to SecureXL.
F2V bytes            Number of bytes that SecureXL forwarded to the Firewall kernel
                     and the Firewall re-injected back to SecureXL.

The "GTP" section

Counter              Description
-------------------  -------------------------------------------------------------
gtp tunnels created  Number of created GTP tunnels.
gtp tunnels          Number of GTP tunnels the SecureXL currently handles.
gtp accel pkts       Number of accelerated GTP packets.
gtp f2f pkts         Number of GTP packets the SecureXL forwarded to the Firewall kernel.
gtp spoofed pkts     Number of spoofed GTP packets.
gtp in gtp pkts      Number of GTP-in-GTP packets.
gtp signaling pkts   Number of signaling GTP packets.
gtp tcpopt pkts      Number of GTP packets with TCP Options.
gtp apn err pkts     Number of GTP packets with APN errors.

The "General" section

Counter                      Description
---------------------------  ------------------------------------------------------
memory used                  Not in use.
free memory                  Not in use.
C used templates             Not in use.
pxl tmpl conns               Not in use.
C conns from tmpl            Not in use. (Number of current connections that SecureXL
                             created from SecureXL Templates.)
C tcp handshake conns        Number of current TCP connections that are not yet
                             established.
C tcp established conns      Number of established TCP connections the SecureXL
                             currently handles.
C tcp closed conns           Number of closed TCP connections the SecureXL currently
                             handles.
C tcp pxl handshake conns    Number of not yet established PXL TCP connections the
                             SecureXL currently handles.
C tcp pxl established conns  Number of established PXL TCP connections the SecureXL
                             currently handles.
C tcp pxl closed conns       Number of closed PXL TCP connections the SecureXL
                             currently handles.
outbound pxl packets         Not in use.

Example Outputs on the "fwaccel stats" Commands


Example: fwaccel stats -s

Example of statistics summary:

Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/8 (0%)
F2Fed pkts/Total pkts : 8/8 (100%)
F2V pkts/Total pkts : 0/8 (0%)
CPASXL pkts/Total pkts : 0/8 (0%)
PSLXL pkts/Total pkts : 0/8 (0%)
QOS inbound pkts/Total pkts : 0/8 (0%)
QOS outbound pkts/Total pkts : 0/8 (0%)
Corrected pkts/Total pkts : 0/8 (0%)

Example: fwaccel stats

Example of the default output:

Name Value Name Value
---------------------------- ------------ ---------------------------- ------------

Accelerated Path
--------------------------------------------------------------------------------------
accel packets 0 accel bytes 0
outbound packets 0 outbound bytes 0
conns created 0 conns deleted 0
C total conns 0 C TCP conns 0
C non TCP conns 0 nat conns 0
dropped packets 0 dropped bytes 0
fragments received 0 fragments transmit 0
fragments dropped 0 fragments expired 0
IP options stripped 0 IP options restored 0
IP options dropped 0 corrs created 0
corrs deleted 0 C corrections 0
corrected packets 0 corrected bytes 0

Accelerated VPN Path
--------------------------------------------------------------------------------------
C crypt conns 0 enc bytes 0
dec bytes 0 ESP enc pkts 0
ESP enc err 0 ESP dec pkts 0
ESP dec err 0 ESP other err 0
espudp enc pkts 0 espudp enc err 0
espudp dec pkts 0 espudp dec err 0
espudp other err 0

Medium Streaming Path
--------------------------------------------------------------------------------------
CPASXL packets 0 PSLXL packets 0
CPASXL async packets 0 PSLXL async packets 0
CPASXL bytes 0 PSLXL bytes 0
C CPASXL conns 0 C PSLXL conns 0
CPASXL conns created 0 PSLXL conns created 0
PXL FF conns 0 PXL FF packets 0
PXL FF bytes 0 PXL FF acks 0
PXL no conn drops 0

Inline Streaming Path
--------------------------------------------------------------------------------------
PSL Inline packets 0 PSL Inline bytes 0
CPAS Inline packets 0 CPAS Inline bytes 0

QoS Paths
--------------------------------------------------------------------------------------
QoS General Information:
------------------------
Total QoS Conns 0 QoS Classify Conns 0
QoS Classify flow 0 Reclassify QoS policy 0

FireWall QoS Path:
------------------
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0

Accelerated QoS Path:
---------------------
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0

Firewall Path
--------------------------------------------------------------------------------------
F2F packets 35324 F2F bytes 1797781
TCP violations 0 F2V conn match pkts 0
F2V packets 0 F2V bytes 0

GTP
--------------------------------------------------------------------------------------
gtp tunnels created 0 gtp tunnels 0
gtp accel pkts 0 gtp f2f pkts 0
gtp spoofed pkts 0 gtp in gtp pkts 0
gtp signaling pkts 0 gtp tcpopt pkts 0
gtp apn err pkts 0

General
--------------------------------------------------------------------------------------
memory used 38798784 C tcp handshake conns 0
C tcp established conns 0 C tcp closed conns 0
C tcp pxl handshake conns 0 C tcp pxl established conns 0
C tcp pxl closed conns 0 outbound cpasxl packets 0
outbound pslxl packets 0 outbound cpasxl bytes 0
outbound pslxl bytes 0 DNS DoR stats 0

(*) Statistics marked with C refer to current value, others refer to total value

Example: fwaccel stats -c

Example of statistics for Cluster Correction:

Cluster Correction stats:

Name Value Name Value
----------------------- ------------ ----------------------- ------------
Sent pkts (total) 0 Sent with metadata 0
Received pkts (total) 0 Received with metadata 0
Sent bytes 0 Received bytes 0
Send errors 0 Receive errors 0

Example: fwaccel stats -d

Example of statistics for drops from device:

Reason Value Reason Value
-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
PSLXL decision 0 clr pkt on vpn 0
encrypt failed 0 drop template 0
decrypt failed 0 interface down 0
cluster error 0 XMT error 0
anti spoofing 0 local spoofing 0
sanity error 0 monitored spoofed 0
QOS decision 0 C2S violation 0
S2C violation 0 Loop prevention 0
DOS Fragments 0 DOS IP Options 0
DOS Blacklists 0 DOS Penalty Box 0
DOS Rate Limiting 0 Syn Attack 0
Reorder 0 Expired Fragments 0


Example: fwaccel stats -l

Example of the output in legacy mode (as one table):

Name Value Name Value
---------------------------- ------------ ---------------------------- ------------
- 0 accel packets 0
accel bytes 0 outbound packets 0
outbound bytes 0 conns created 0
conns deleted 0 C total conns 0
C TCP conns 0 C non TCP conns 0
nat conns 0 dropped packets 0
dropped bytes 0 fragments received 0
fragments transmit 0 fragments dropped 0
fragments expired 0 IP options stripped 0
IP options restored 0 IP options dropped 0
corrs created 0 corrs deleted 0
C corrections 0 corrected packets 0
corrected bytes 0 C crypt conns 0
enc bytes 0 dec bytes 0
ESP enc pkts 0 ESP enc err 0
ESP dec pkts 0 ESP dec err 0
ESP other err 0 espudp enc pkts 0
espudp enc err 0 espudp dec pkts 0
espudp dec err 0 espudp other err 0
acct update interval 3600 CPASXL packets 0
PSLXL packets 0 CPASXL async packets 0
PSLXL async packets 0 CPASXL bytes 0
PSLXL bytes 0 C CPASXL conns 0
C PSLXL conns 0 CPASXL conns created 0
PSLXL conns created 0 PXL FF conns 0
PXL FF packets 0 PXL FF bytes 0
PXL FF acks 0 PXL no conn drops 0
PSL Inline packets 0 PSL Inline bytes 0
CPAS Inline packets 0 CPAS Inline bytes 0
Total QoS Conns 0 QoS Classify Conns 0
QoS Classify flow 0 Reclassify QoS policy 0
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0
F2F packets 35383 F2F bytes 1801493
TCP violations 0 F2V conn match pkts 0
F2V packets 0 F2V bytes 0
gtp tunnels created 0 gtp tunnels 0
gtp accel pkts 0 gtp f2f pkts 0
gtp spoofed pkts 0 gtp in gtp pkts 0
gtp signaling pkts 0 gtp tcpopt pkts 0
gtp apn err pkts 0 memory used 38798784
C tcp handshake conns 0 C tcp established conns 0
C tcp closed conns 0 C tcp pxl handshake conns 0
C tcp pxl established conns 0 C tcp pxl closed conns 0
outbound cpasxl packets 0 outbound pslxl packets 0
outbound cpasxl bytes 0 outbound pslxl bytes 0
DNS DoR stats 0
(*) Statistics marked with C refer to current value, others refer to total value


Example: fwaccel stats -m

Example of statistics for multicast traffic:

Name Value Name Value
-------------------- --------------- -------------------- ---------------
in packets 0 out packets 0
if restricted 0 conns with down if 0
f2f packets 0 f2f bytes 0
dropped packets 0 dropped bytes 0
accel packets 0 accel bytes 0
mcast conns 0

Example: fwaccel stats -n

Example of statistics for Identity Awareness (NAC):

Name Value Name Value
-------------------- --------------- -------------------- ---------------
NAC packets 0 NAC bytes 0
NAC connections 0 complience failure 0

Example: fwaccel stats -o

Example of statistics for Reorder Infrastructure:


Appliaction: F2V
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: Route
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: New connection
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: F2P
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Example: fwaccel stats -p

Example of statistics for SecureXL violations (F2F packets):

F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 3036
TCP-SYN miss conn 8 TCP-other miss conn 32224
UDP miss conn 3772 other miss conn 0
VPN returned F2F 0 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
out if not def/accl 0 bridge, src=dst 0
routing decision err 0 sanity checks failed 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 cluster forward 0
chain forwarding 0 F2V conn match pkts 0
general reason 0 route changes 0
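The "-s" summary gives the share of traffic that took each path, and the "-p" table gives the reasons packets were sent F2F; together they answer "is acceleration working, and if not, why". The following is an added example, not part of this guide and not a Check Point tool: it parses the "-s" summary and the two-column "Name Value Name Value" tables (the format shared by the default, "-d", "-m", "-n", "-p" and "-q" outputs), ranks the F2F reasons, and flags a gateway whose F2F share exceeds a threshold. The two samples are the "-s" and "-p" outputs shown above, embedded as constructed input; they come from different moments in this guide, so their packet totals do not match. The 20% threshold is an assumption for the example, not a documented limit.

```python
"""Summarise `fwaccel stats -s` and rank `fwaccel stats -p` F2F reasons."""
import re

# Constructed samples: the "-s" and "-p" outputs shown earlier in this section.
SAMPLE_SUMMARY = """\
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/8 (0%)
F2Fed pkts/Total pkts : 8/8 (100%)
F2V pkts/Total pkts : 0/8 (0%)
CPASXL pkts/Total pkts : 0/8 (0%)
PSLXL pkts/Total pkts : 0/8 (0%)
QOS inbound pkts/Total pkts : 0/8 (0%)
QOS outbound pkts/Total pkts : 0/8 (0%)
Corrected pkts/Total pkts : 0/8 (0%)
"""

SAMPLE_F2F = """\
F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 3036
TCP-SYN miss conn 8 TCP-other miss conn 32224
UDP miss conn 3772 other miss conn 0
VPN returned F2F 0 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
out if not def/accl 0 bridge, src=dst 0
routing decision err 0 sanity checks failed 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 cluster forward 0
chain forwarding 0 F2V conn match pkts 0
general reason 0 route changes 0
"""

SUMMARY_RE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<num>\d+)/(?P<den>\d+)\s+\((?P<pct>\d+)%\)$")
# A counter name is any text up to the next integer that is followed by a space or line end.
PAIR_RE = re.compile(r"(?P<name>\S.*?)\s+(?P<value>\d+)(?=\s+\S|\s*$)")


def parse_summary(text):
    """Parse `fwaccel stats -s` into {row name: (numerator, denominator)}."""
    rows = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            rows[m.group("name")] = (int(m.group("num")), int(m.group("den")))
    return rows


def ratio(rows, name):
    """Fraction for one summary row; 0.0 when the total is zero (fresh counters)."""
    num, den = rows[name]
    return num / den if den else 0.0


def parse_pairs(text):
    """Parse a two-column "Name Value Name Value" table into {name: value}."""
    counters = {}
    for line in text.splitlines():
        for m in PAIR_RE.finditer(line):
            counters[m.group("name")] = int(m.group("value"))
    return counters


def top_violations(text, limit=3):
    """Non-zero F2F reasons from `fwaccel stats -p`, largest first."""
    counters = parse_pairs(text)
    ranked = sorted(((v, n) for n, v in counters.items() if v > 0), reverse=True)
    return [(n, v) for v, n in ranked[:limit]]


def assess(summary_text, f2f_text, max_f2f=0.20):
    """Flag a gateway whose F2F share exceeds max_f2f, naming the top reasons."""
    rows = parse_summary(summary_text)
    share = ratio(rows, "F2Fed pkts/Total pkts")
    if share <= max_f2f:
        return []
    reasons = ", ".join("%s=%d" % (n, v) for n, v in top_violations(f2f_text))
    return ["%.0f%% of packets took the Firewall path (F2F); top reasons: %s"
            % (share * 100, reasons)]
```

With the samples above the top reasons are "TCP-other miss conn", "UDP miss conn" and "ICMP miss conn": packets for which SecureXL had no connection entry. Run "fwaccel stats -r" first when you want the counters to describe only the traffic of the window you are investigating.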


Example: fwaccel stats -q

Example of statistics for notifications the SecureXL sent to the Firewall:

Notification Packets Notification Packets
--------------------- -------------- --------------------- --------------
ntSAAboutToExpire 0 ntSAExpired 0
ntMSPIError 0 ntNoInboundSA 0
ntNoOutboundSA 0 ntDataIntegrityFailed 0
ntPossibleReplay 0 ntReplay 0
ntNextProtocolError 0 ntCPIError 0
ntClearTextPacket 0 ntFragmentation 0
ntUpdateUdpEncTable 0 ntSASync 0
ntReplayOutOfWindow 0 ntVPNTrafficReport 0
ntConnDeleted 0 ntConnUpdate 0
ntPacketDropped 0 ntSendLog 0
ntRefreshGTPTunnel 0 ntMcastDrop 0
ntAccounting 0 ntAsyncIndex 0
ntACkReordering 0 ntAccelAckInfo 0
ntMonitorPacket 0 ntPacketCapture 0
ntCpasPacketCapture 0 ntPSLGlueUpdateReject 0
ntSeqVerifyDrop 0 ntPacketForwardBefore 0
ntICMPMessage 0 ntQoSReclassifyPacket 0
ntQoSResumePacket 0 ntVPNEncHaLinkFailure 0
ntVPNEncLsLinkFailure 0 ntVPNEncRouteChange 0
ntVPNDecVerRouteChang 0 ntVPNDecRouteChange 0
ntMuxSimToFw 0 ntPSLEventLog 0
ntSendCPHWDStats 14871 ntPacketTaggingViolat 0
ntDosNotify 28 ntSynatkNotify 0
ntSynatkStats 0 ntQoSEventLog 0
ntPrintGetParam 0

Example: fwaccel stats -x

Example of statistics for PXL:

PXL Release Context statistics:

Name Value Name Value
----------------------- ------------ ----------------------- ------------
End Handler 0 Post Sync 0
Stop Stream 0 kbuf fail 0
Set field failure 0 Notif set field fail 0
Non SYN seq fail 0 Tmpl kbuf fail 0
Tmpl set field fail 0 Segment Injection 0
Init app fail 0 Expiration 0
Newconn set field fail 0 Newconn fail 0
CPHWD dec 0 No PSL policy 0

PXL Exception statistics:

Name Value Name Value
----------------------- ------------ ----------------------- ------------
urgent packets 0 invalid SYN retrans 0
SYN seq not init 0 old pkts out win 0
old pkts out win trunc 0 old pkts out win strip 0
new pkts out win 0 incorrect retrans 0
TCP pkts with bad csum 0 ACK unprocessed data 0
old ACK out win 0 Max segments reached 0
No resources 0 Hold timeout 0

fwaccel synatk

Description
The fwaccel synatk and fwaccel6 synatk commands control the Accelerated SYN Defender on
the local Security Gateway, or Cluster Member.

Important - See sk120476 for information about the 'SYN Attack' protection in
SmartConsole.

Syntax for IPv4

fwaccel synatk
-a
-c <options>
-d
-e
-g
-m
-t <options>
config
monitor <options>
state <options>
{whitelist | allow} <options>

Syntax for IPv6

fwaccel6 synatk
-a
-c <options>
-d
-e
-g
-m
-t <options>
config
monitor <options>
state <options>
{whitelist | allow} <options>

Parameters

Parameter             Description
No Parameters         Shows the applicable built-in usage.
-a                    Applies the configuration from the default file.
                      See "fwaccel synatk -a" on page 1395.
-c <options>          Applies the configuration from the specified file.
                      See "fwaccel synatk -c <Configuration File>" on page 1396.
-d                    Disables the Accelerated SYN Defender on all interfaces.
                      See "fwaccel synatk -d" on page 1397.
-e                    Enables the Accelerated SYN Defender on interfaces with topology "External".
                      Enables the Accelerated SYN Defender in Monitor (Detect only) mode on
                      interfaces with topology "Internal".
                      See "fwaccel synatk -e" on page 1398.
-g                    Enables the Accelerated SYN Defender on all interfaces.
                      See "fwaccel synatk -g" on page 1399.
-m                    Enables the Accelerated SYN Defender in Monitor (Detect only) mode on
                      all interfaces.
                      In this state, the Accelerated SYN Defender only sends a log when it
                      recognizes a TCP SYN Flood attack.
                      See "fwaccel synatk -m" on page 1400.
-t <options>          Configures the threshold numbers of half-open TCP connections that
                      trigger the Accelerated SYN Defender.
                      See "fwaccel synatk -t <Threshold>" on page 1401.
config                Shows the current Accelerated SYN Defender configuration.
                      See "fwaccel synatk config" on page 1408.
monitor <options>     Shows the Accelerated SYN Defender status.
                      See "fwaccel synatk monitor" on page 1411.
state <options>       Controls the Accelerated SYN Defender states.
                      See "fwaccel synatk state" on page 1416.
whitelist <options>   Controls the Accelerated SYN Defender allow-list.
allow <options>       Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "allow"
                      parameter replaces the "whitelist" parameter.
                      See "fwaccel synatk allow / whitelist" on page 1403.

fwaccel synatk -a

Description
The "fwaccel synatk -a" and "fwaccel6 synatk -a" commands apply the Accelerated SYN
Defender configuration from the default $FWDIR/conf/synatk.conf file.

Notes:
n Both IPv4 and IPv6 use the same configuration file.
n Interface specific state settings that you define in the configuration file, override
the settings that you define with these commands:
l "fwaccel synatk -d" on page 1397

l "fwaccel synatk -e" on page 1398

l "fwaccel synatk -g" on page 1399

l "fwaccel synatk -m" on page 1400

Syntax for IPv4

fwaccel synatk -a

Syntax for IPv6

fwaccel6 synatk -a

fwaccel synatk -c <Configuration File>

Description
The "fwaccel synatk -c <Configuration File>" and "fwaccel6 synatk -c <Configuration File>"
commands apply the Accelerated SYN Defender configuration from the specified file.

Important - If you use this parameter, then it must be the first parameter in the syntax.

Notes:
n Both IPv4 and IPv6 use the same configuration file.
n The state settings of a specific interface that you configure in the configuration
file, override the settings that you configure with these commands:
l "fwaccel synatk -d" on page 1397

l "fwaccel synatk -e" on page 1398

l "fwaccel synatk -g" on page 1399

l "fwaccel synatk -m" on page 1400

Syntax for IPv4

fwaccel synatk -c <Configuration File>

Syntax for IPv6

fwaccel6 synatk -c <Configuration File>

Parameters

Parameter Description

<Configuration File> Specifies the full path and the name of the file.
For reference, see the default file:
$FWDIR/conf/synatk.conf

fwaccel synatk -d

Description
The "fwaccel synatk -d" and "fwaccel6 synatk -d" commands disable the Accelerated SYN
Defender on all interfaces.

Notes:
n This command:
1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
the configuration file specified with the "-c" parameter.
2. Loads the modified file.
3. Does not show any output.
n Output of the "fwaccel synatk monitor" on page 1411 command shows:
l In the row "Configuration": Disabled

l In the column "Enforce": Disable

l In the column "State (sec)": Disable

n Output of the "fwaccel synatk config" on page 1408 command shows:


l In the row "enabled": 0

l In the row "enforce": 0

Syntax for IPv4

fwaccel synatk -d

Syntax for IPv6

fwaccel6 synatk -d

fwaccel synatk -e

Description
The "fwaccel synatk -e" and "fwaccel6 synatk -e" commands:
n Enable the Accelerated SYN Defender on interfaces with topology "External".
n Enable the Accelerated SYN Defender in Monitor (Detect only) mode on interfaces with
topology "Internal".

Notes:
n This command:
1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
the configuration file specified with the "-c" parameter.
2. Loads the modified file.
n Output of the "fwaccel synatk monitor" on page 1411 command shows for
"External" interfaces:
l Configuration: Enforcing

l Enforce: Prevent

l State: Ready (may change later depending on what the SYN Defender

detects)
n Output of the "fwaccel synatk monitor" on page 1411 command shows for
"Internal" interfaces:
l Configuration: Enforcing

l Enforce: Detect

l State: Monitor

n Output of the "fwaccel synatk config" on page 1408 command shows:


l enabled 1

l enforce 1

Syntax for IPv4

fwaccel synatk -e

Syntax for IPv6

fwaccel6 synatk -e

fwaccel synatk -g

Description
The "fwaccel synatk -g" and "fwaccel6 synatk -g" commands enable the Accelerated SYN
Defender on all interfaces.

Notes:
n This command:
1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
the configuration file specified with the "-c" parameter.
2. Loads the modified file.
n Output of the "fwaccel synatk monitor" on page 1411 command shows for
"External" interfaces:
l Configuration: Enforcing

l Enforce: Prevent

l State: Ready (may change later depending on what the SYN Defender

detects)
n Output of the "fwaccel synatk monitor" on page 1411 command shows for
"Internal" interfaces:
l Configuration: Enforcing

l Enforce: Detect

l State: Monitor

n Output of the "fwaccel synatk config" on page 1408 command shows:


l enabled 1

l enforce 2

Syntax for IPv4

fwaccel synatk -g

Syntax for IPv6

fwaccel6 synatk -g

fwaccel synatk -m

Description
The "fwaccel synatk -m" and "fwaccel6 synatk -m" commands enable the Accelerated SYN
Defender in Monitor (Detect only) mode on all interfaces.
In this state, the Accelerated SYN Defender only sends a log when it recognizes a TCP SYN
Flood attack.

Notes:
n This command:
1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
the configuration file specified with the "-c" parameter.
2. Loads the modified file.
n Output of the "fwaccel synatk monitor" on page 1411 command shows:
l Configuration: Monitoring

l Enforce: Detect

l State: Monitor

n Output of the "fwaccel synatk config" on page 1408 command shows:


l enabled 1

l enforce 0

Syntax for IPv4

fwaccel synatk -m

Syntax for IPv6

fwaccel6 synatk -m

fwaccel synatk -t <Threshold>

Description
The "fwaccel synatk -t <Threshold>" and "fwaccel6 synatk -t <Threshold>" commands
configure the threshold numbers of half-opened TCP connections that trigger the Accelerated
SYN Defender.

Notes:
n This command:
1. Modifies the default configuration file $FWDIR/conf/synatk.conf, or
the configuration file specified with the "-c" parameter.
2. Loads the modified file.
n Threshold values are independent for IPv4 and IPv6.

Syntax for IPv4

fwaccel synatk -t <Threshold>

Syntax for IPv6

fwaccel6 synatk -t <Threshold>

Thresholds
n The Global high attack threshold number is configured to the specified value
<Threshold>.
This is the number of half-open TCP connections on all interfaces required for the
Accelerated SYN Defender to engage.
l Valid values: 100 and greater
l Default: 10000
n The High attack threshold number is configured to 1/2 of the specified value
<Threshold>.
This is the high number of half-open TCP connections on an interface required for the
Accelerated SYN Defender to engage.
l Valid values: (Low attack threshold) < (High attack threshold) <= (Global high
attack threshold)
l Default: 5000
n The Low attack threshold number is configured to 1/10 of the specified value
<Threshold>.
This is the low number of half-open TCP connections on an interface required for the
Accelerated SYN Defender to engage.
l Valid values: 10 and greater
l Default: 1000

fwaccel synatk allow / whitelist

Description
The "fwaccel synatk whitelist" / "fwaccel synatk allow" and "fwaccel6 synatk whitelist" /
"fwaccel6 synatk allow" commands control the Accelerated SYN Defender allow-list.

Important - Starting from R80.40 Jumbo Hotfix Accumulator Take 92, these
commands were renamed:
n from "fwaccel synatk whitelist" to "fwaccel synatk allow"
n from "fwaccel6 synatk whitelist" to "fwaccel6 synatk allow"

Notes:
n Packets from addresses on this allow-list are exempt from the drops that the
Accelerated SYN Defender applies, even while it is actively challenging SYN packets.
Before you use 3rd-party or automatic blacklists, add trusted networks and hosts to
the allow-list to avoid outages.
n Also, see the "fwaccel dos allow / whitelist" on page 1325 command.

Important - In a cluster, you must configure the Accelerated SYN Defender allow-list in
the same way on all the Cluster Members.

Syntax for IPv4

fwaccel synatk {whitelist | allow}
-a <IPv4 Address>[/<Subnet Prefix>]
-d <IPv4 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s

Syntax for IPv6

fwaccel6 synatk {whitelist | allow}
-a <IPv6 Address>[/<Subnet Prefix>]
-d <IPv6 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s

Parameters

Parameter                     Description
whitelist / allow             Starting from R80.40 Jumbo Hotfix Accumulator Take 92, the "allow"
                              parameter replaces the "whitelist" parameter.
No Parameters                 Shows the applicable built-in usage.
-a <IPv4 Address>[/<Subnet Prefix>]
                              Adds the specified IPv4 address to the Accelerated SYN Defender
                              allow-list.
                              n <IPv4 Address>
                                Can be an IPv4 address of a network or a host.
                              n <Subnet Prefix>
                                Must specify the length of the subnet mask in the format /<bits>.
                                Optional for a host IPv4 address.
                                Mandatory for a network IPv4 address.
                                Range - from /1 to /32.
                                Important - If you do not specify the subnet prefix explicitly,
                                this command uses the subnet prefix /32.
                              Examples:
                              n For a host:
                                192.168.20.30
                                192.168.20.30/32
                              n For a network:
                                192.168.20.0/24
-a <IPv6 Address>[/<Subnet Prefix>]
                              Adds the specified IPv6 address to the Accelerated SYN Defender
                              allow-list.
                              n <IPv6 Address>
                                Can be an IPv6 address of a network or a host.
                              n <Subnet Prefix>
                                Must specify the length of the subnet mask in the format /<bits>.
                                Optional for a host IPv6 address.
                                Mandatory for a network IPv6 address.
                                Range - from /1 to /128.
                                Important - If you do not specify the subnet prefix explicitly,
                                this command uses the subnet prefix /128.
                              Examples:
                              n For a host:
                                2001:0db8:85a3:0000:0000:8a2e:0370:7334
                                2001:0db8:85a3:0000:0000:8a2e:0370:7334/128
                              n For a network:
                                2001:cdba:9abc:5678::/64
-d <IPv4 Address>[/<Subnet Prefix>]
                              Removes the specified IPv4 address from the Accelerated SYN
                              Defender allow-list.
                              n <IPv4 Address>
                                Can be an IPv4 address of a network or a host.
                              n <Subnet Prefix>
                                Must specify the length of the subnet mask in the format /<bits>.
                                Optional for a host IPv4 address.
                                Mandatory for a network IPv4 address.
                                Range - from /1 to /32.
                                Important - If you do not specify the subnet prefix explicitly,
                                this command uses the subnet prefix /32.
-d <IPv6 Address>[/<Subnet Prefix>]
                              Removes the specified IPv6 address from the Accelerated SYN
                              Defender allow-list.
                              n <IPv6 Address>
                                Can be an IPv6 address of a network or a host.
                              n <Subnet Prefix>
                                Must specify the length of the subnet mask in the format /<bits>.
                                Optional for a host IPv6 address.
                                Mandatory for a network IPv6 address.
                                Range - from /1 to /128.
                                Important - If you do not specify the subnet prefix explicitly,
                                this command uses the subnet prefix /128.
-F                            Removes (flushes) all entries from the Accelerated SYN Defender
                              allow-list.
-l /<Path>/<Name of File>     Loads the Accelerated SYN Defender allow-list entries from the
                              specified plain-text file.
                              Note - To replace the current allow-list with the contents of a
                              new file, use both the -F and -l parameters on the same command
                              line.
                              Important:
                              n You must manually create and configure this file with the
                                touch or vi command.
                              n You must assign at least the read permission to this file
                                (for example, with the chmod +r command).
                              n Each entry in this file must be on a separate line.
                              n Each entry in this file must be in this format:
                                <IPv4 Address>[/<Subnet Prefix>] for "fwaccel synatk"
                                <IPv6 Address>[/<Subnet Prefix>] for "fwaccel6 synatk"
                              n SecureXL ignores empty lines and lines that start with the #
                                character in this file.
-L                            Loads the Accelerated SYN Defender allow-list entries from the
                              plain-text file with a predefined name:
                              n R80.40 and R80.40 Jumbo Hotfix Accumulator lower than Take 92:
                                $FWDIR/conf/synatk-whitelist-v4.conf
                              n Starting from R80.40 Jumbo Hotfix Accumulator Take 92:
                                $FWDIR/conf/synatk-allow-list-v4.conf
                              The Security Gateway automatically runs the "{fwaccel | fwaccel6}
                              synatk {whitelist | allow} -L" command during each boot.
                              Note - To replace the current allow-list with the contents of a
                              new file, use both the "-F" and "-L" parameters on the same
                              command line.
                              Important:
                              n This file does not exist by default.
                              n You must manually create and configure this file with the
                                touch or vi command.
                              n You must assign at least the read permission to this file
                                (for example, with the chmod +r command).
                              n Each entry in this file must be on a separate line.
                              n Each entry in this file must be in this format:
                                <IPv4 Address>[/<Subnet Prefix>]
                              n SecureXL ignores empty lines and lines that start with the #
                                character in this file.
-s                            Shows the current Accelerated SYN Defender allow-list entries.

Example

[Expert@MyGW:0]# fwaccel synatk allow -a 192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk allow -s
192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk allow -d 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk allow -a 192.168.40.55
[Expert@MyGW:0]# fwaccel synatk allow -s
192.168.40.55/32
[Expert@MyGW:0]# fwaccel synatk allow -d 192.168.40.55
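
A malformed line in the file given to "-l" or "-L" is the kind of mistake that only shows up at the next boot, when the gateway reloads the allow-list. The following shell script is an added example, not part of this guide or of Check Point's tooling: it checks a file against the entry format documented in the parameter table (one "<IPv4 Address>[/<Subnet Prefix>]" per line, prefix /1 to /32, "#" comments and blank lines ignored), shows the entries as the gateway will store them with the implicit /32, and only then runs the flush-and-load command. The two sample files are constructed for the demonstration, mktemp is assumed to be available, and the function names are the example's own; the gateway's own parser may accept input this stricter check rejects.

```shell
#!/bin/sh
# Added example: check a synatk allow-list file before loading it with
# "fwaccel synatk allow -F -l <file>". The documented entry format is
# "<IPv4 Address>[/<Subnet Prefix>]", one per line, prefix /1 to /32;
# SecureXL ignores empty lines and lines starting with "#".

# Constructed sample files (not from a real gateway).
ALLOWLIST_GOOD='# trusted management network and a monitoring host
192.168.20.0/24

192.168.40.55'

ALLOWLIST_BAD='# two malformed entries
192.168.20.0/24
10.0.0.300/8
192.168.1.1/33'

# Writes $1 to a new temporary file and prints its path.
write_tmp() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Prints "line N: <entry>" for every entry in file $1 that is not a dotted-quad
# IPv4 address with an optional /1-/32 prefix; returns 1 if any, else 0.
synatk_allow_validate() {
    awk '
    function octet_ok(o) { return o ~ /^[0-9]+$/ && o + 0 <= 255 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next            # ignored by SecureXL as well
        n = split(line, part, "/")
        ok = (n == 1 || n == 2)
        if (ok && n == 2)
            ok = (part[2] ~ /^[0-9]+$/ && part[2] + 0 >= 1 && part[2] + 0 <= 32)
        if (ok) {
            ok = (split(part[1], oct, ".") == 4)
            for (i = 1; ok && i <= 4; i++) ok = octet_ok(oct[i])
        }
        if (!ok) { printf "line %d: %s\n", NR, line; bad = 1 }
    }
    END { exit bad }' "$1"
}

# Prints the entries as the gateway will store them: comments and blank lines
# dropped, and the implicit /32 added to host entries given without a prefix.
synatk_allow_normalize() {
    awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    $0 == "" || /^#/ { next }
    !/\// { $0 = $0 "/32" }
    { print }' "$1"
}

# Replaces the current allow-list with file $1, but only after it validates.
# -F flushes the old entries and -l loads the new ones on the same command line.
synatk_allow_load() {
    synatk_allow_validate "$1" || return 1
    fwaccel synatk allow -F -l "$1"
}
```

Run synatk_allow_validate against $FWDIR/conf/synatk-allow-list-v4.conf (or the whitelist file name on takes below 92) after every edit, because that file is loaded again at each boot without any feedback on the console.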

fwaccel synatk config

Description
The "fwaccel synatk config" and "fwaccel6 synatk config" commands show the current
Accelerated SYN Defender configuration.

Syntax for IPv4

fwaccel synatk config

Syntax for IPv6

fwaccel6 synatk config

Example

[Expert@MyGW:0]# fwaccel synatk config
enabled 0
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000
[Expert@MyGW:0]#

Description of Configuration Parameters

Parameter                      Description
enabled                        Shows if the Accelerated SYN Defender is enabled or disabled.
                               n Valid values: 0 (disabled), 1 (enabled)
                               n Default: 0
enforce                        When the Accelerated SYN Defender is enabled, shows whether it
                               enforces the protection.
                               Valid values:
                               n 0 - The Accelerated SYN Defender is in Monitor (Detect only)
                                 mode on all interfaces.
                               n 1 - The Accelerated SYN Defender is engaged only on external
                                 interfaces when the number of half-open TCP connections
                                 exceeds the threshold.
                               n 2 - The Accelerated SYN Defender is engaged on both external
                                 and internal interfaces when the number of half-open TCP
                                 connections exceeds the threshold.
global_high_threshold          Global high attack threshold number.
                               See the "fwaccel synatk -t <Threshold>" on page 1401 command.
periodic_updates               For internal Check Point use only.
                               n Valid values: 0 (disabled), 1 (enabled)
                               n Default: 1
cookie_resolution_shift        For internal Check Point use only.
                               n Valid values: 1-7
                               n Default: 6
min_frag_sz                    During a TCP SYN Flood attack, the Accelerated SYN Defender
                               blocks TCP fragments smaller than this minimal size.
                               n Valid values: 80 and greater
                               n Default: 80
high_threshold                 High attack threshold number.
                               See the "fwaccel synatk -t <Threshold>" on page 1401 command.
low_threshold                  Low attack threshold number.
                               See the "fwaccel synatk -t <Threshold>" on page 1401 command.
score_alpha                    For internal Check Point use only.
                               n Valid values: 1-127
                               n Default: 100
monitor_log_interval (msec)    Interval, in milliseconds, between successive warning logs in
                               the Monitor (Detect only) mode.
                               n Valid values: 1000 and greater
                               n Default: 60000
grace_timeout (msec)           Maximal time, in milliseconds, to stay in the Grace state (a
                               transitional state between Ready and Active).
                               In the Grace state, the Accelerated SYN Defender stops
                               challenging clients with TCP SYN Cookies, but continues to
                               validate the TCP SYN Cookies it receives from clients.
                               n Valid values: 10000 and greater
                               n Default: 30000
min_time_in_active (msec)      Minimal time, in milliseconds, to stay in the Active state.
                               In the Active state, the Accelerated SYN Defender actively
                               challenges TCP SYN packets with SYN Cookies.
                               n Valid values: 10000 and greater
                               n Default: 60000
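
The thresholds section of "fwaccel synatk -t <Threshold>" and the table above together define a set of constraints (global >= 100, low >= 10, low < high <= global, and the per-parameter ranges) that the gateway does not print back to you. The following shell script is an added example and is not part of this guide or of Check Point's tooling: it reads "fwaccel synatk config" output on stdin, reports every value outside its documented range, and previews the three thresholds that "-t <Threshold>" would set. SYNATK_CONFIG_SAMPLE is a constructed copy of the example output above; integer division for the 1/2 and 1/10 values is an assumption, as the guide does not state how the gateway rounds; the function names are the example's own.

```shell
#!/bin/sh
# Added example: check "fwaccel synatk config" output against the valid ranges
# documented above, and preview the thresholds that "fwaccel synatk -t <Threshold>" sets.

# Constructed sample, identical in shape to the output shown in the guide.
SYNATK_CONFIG_SAMPLE='enabled 0
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000'

# Prints the value of parameter $1 (named exactly as the gateway prints it,
# including a "(msec)" suffix) from config output read on stdin.
synatk_get() {
    awk -v key="$1" '
    { v = $NF; $NF = ""; sub(/[ \t]+$/, ""); if ($0 == key) { print v; exit } }'
}

# Validates config output read on stdin. Prints one "FAIL: ..." line per
# violated range and returns 1; returns 0 when every parameter is in range.
synatk_check() {
    awk '
    function fail(msg) { print "FAIL: " msg; rc = 1 }
    function present(k) { if (k in cfg) return 1; fail(k " is missing"); return 0 }
    function within(k, lo, hi) {
        if (present(k) && (cfg[k] + 0 < lo || cfg[k] + 0 > hi))
            fail(k " = " cfg[k] ", expected " lo " to " hi)
    }
    function atleast(k, lo) {
        if (present(k) && cfg[k] + 0 < lo) fail(k " = " cfg[k] ", expected " lo " or greater")
    }
    { v = $NF; $NF = ""; sub(/[ \t]+$/, ""); cfg[$0] = v }   # key is everything but the last field
    END {
        within("enabled", 0, 1)
        within("enforce", 0, 2)
        within("periodic_updates", 0, 1)
        within("cookie_resolution_shift", 1, 7)
        within("score_alpha", 1, 127)
        atleast("min_frag_sz", 80)
        atleast("monitor_log_interval (msec)", 1000)
        atleast("grace_timeout (msec)", 10000)
        atleast("min_time_in_active (msec)", 10000)
        atleast("global_high_threshold", 100)
        atleast("low_threshold", 10)
        # The three thresholds must also be ordered: low < high <= global.
        if (present("low_threshold") && present("high_threshold") && present("global_high_threshold")) {
            l = cfg["low_threshold"] + 0; h = cfg["high_threshold"] + 0; g = cfg["global_high_threshold"] + 0
            if (!(l < h && h <= g)) fail("need low < high <= global, got " l ", " h ", " g)
        }
        exit rc
    }'
}

# Prints "global high low" for "fwaccel synatk -t $1": global = T, high = T/2,
# low = T/10 (integer division is this example's assumption).
synatk_t_values() {
    t=$1
    case "$t" in
        ''|*[!0-9]*) echo "threshold must be an integer of 100 or greater" >&2; return 1 ;;
    esac
    [ "$t" -ge 100 ] || { echo "threshold must be 100 or greater" >&2; return 1; }
    echo "$t $((t / 2)) $((t / 10))"
}

# Live use on a gateway:
#   fwaccel synatk config | synatk_check && echo "synatk config within documented ranges"
#   fwaccel6 synatk config | synatk_check    # IPv6 thresholds are tracked separately
```

Because "-t" rewrites all three thresholds at once, run synatk_t_values with the value you intend to apply first; a threshold that is valid for the global limit can still leave the per-interface low threshold below the number of half-open connections a busy internal interface carries in normal operation.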

fwaccel synatk monitor

Description
The "fwaccel synatk monitor" and "fwaccel6 synatk monitor" commands show the Accelerated
SYN Defender status.

Important - To enable the Accelerated SYN Defender in Monitor (Detect only) mode
on all interfaces, you must run the "fwaccel synatk -m" on page 1400 command.

Syntax for IPv4

fwaccel synatk monitor
[-p]
[-p] -a
[-p] -s
[-p] -v

Syntax for IPv6

fwaccel6 synatk monitor
[-p]
[-p] -a
[-p] -s
[-p] -v

Parameters

Important - You can specify only one of these parameters: -a, -s, or -v.

Parameter Description

-p Shows the Accelerated SYN Defender status for each SecureXL instance
("PPAK ID: 0" is the Host Security Appliance).

[-p] -a Shows the Accelerated SYN Defender statistics for all interfaces (for each
SecureXL instance).

[-p] -s Shows the attack state in short form (for each SecureXL instance).

[-p] -v Shows the attack state in verbose form (for each SecureXL instance).

Examples
Example 1 - Default output before and after enabling the Accelerated SYN Defender
[Expert@MyGW:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Disabled |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Disable | Disable | N/A | N/A |
| eth1 | Internal | Disable | Disable | N/A | N/A |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk -m
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Monitoring |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect | Monitor | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

Example 2 - Showing the Accelerated SYN Defender status for each SecureXL instance
[Expert@MyGW:0]# fwaccel synatk monitor -p
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Monitoring |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect | Monitor | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+

PPAK ID: 0
----------
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Monitoring |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect | Monitor | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

Example 3 - Showing the Accelerated SYN Defender statistics for all interfaces and for each
SecureXL instance.
[Expert@MyGW:0]# fwaccel synatk monitor -p -a
Global:
status attached
nr_active 0

Firewall
----------
Per-interface:
eth0 eth1
---------- ----------
topology External Internal
state Monitor Monitor
syn ready 0 0
syn active prev 0 0
syn active curr 0 0
active_score 0 0
msec grace 0 0
msec active 0 0
sent cookies 0 0
fail validations 0 0
succ validations 0 0
early packets 0 0
no conn data 0 0
bogus syn 0 0
peak non-estab 0 0
int sent cookies 0 0
int succ validations 0 0
msec interval 0 0

PPAK ID: 0
----------
Per-interface:
eth0 eth1
---------- ----------
topology External Internal
state Monitor Monitor
syn ready 0 0
syn active prev 0 0
syn active curr 0 0
active_score 0 0
msec grace 0 0
msec active 0 0
sent cookies 0 0
fail validations 0 0
succ validations 0 0
early packets 0 0
no conn data 0 0
bogus syn 0 0
peak non-estab 0 0
int sent cookies 0 0
int succ validations 0 0
msec interval 0 0
[Expert@MyGW:0]#

Example 4 - Showing the attack state in short form (for each SecureXL instance)
[Expert@MyGW:0]# fwaccel synatk monitor -p -s
M,N,0,0

PPAK ID: 0
----------
M,N,0,0
[Expert@MyGW:0]#

Example 5 - Showing the attack state in verbose form (for each SecureXL instance)
[Expert@MyGW:0]# fwaccel synatk monitor -p -v
+-----------------------------------------------------------------------------+
| SYN Defender statistics |
+-----------------------------------------------------------------------------+
| Status Normal |
| Spoofed SYN/sec 0 |
+-----------------------------------------------------------------------------+
PPAK ID: 0
----------
+-----------------------------------------------------------------------------+
| SYN Defender statistics |
+-----------------------------------------------------------------------------+
| Status Normal |
| Spoofed SYN/sec 0 |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

fwaccel synatk state

Description
The "fwaccel synatk state" and "fwaccel6 synatk state" commands control the Accelerated
SYN Defender states.
The states are independent for IPv4 and IPv6.

Important - This command is not intended for end-user use. Transitions between the
states (Ready, Grace, and Active) occur automatically. This command only provides a way
to temporarily force a state transition on an interface or a group of interfaces.

Syntax for IPv4

fwaccel synatk state
-h
-a
-d
-g
-i {all | external | internal | <Name of Interface>}
-m
-r

Syntax for IPv6

fwaccel6 synatk state
-h
-a
-d
-g
-i {all | external | internal | <Name of Interface>}
-m
-r

Parameters

Important - You can specify only one of these parameters: -a, -d, -g, -m, or -r.

Parameter Description

-h Shows the applicable built-in usage.

-a Sets the state to Active.

-d Sets the state to Disabled.

-g Sets the state to Grace.

-i all Applies the change to all interfaces (this is the default).

-i external Applies the change only to external interfaces.

-i internal Applies the change only to internal interfaces.

-i <Name of Interface> Applies the change to the specified interface.

-m Sets the state to Monitor (Detect only) mode.

-r Sets the state to Ready.

fwaccel tab

Description
The fwaccel tab and fwaccel6 tab commands show the contents of the specified SecureXL
kernel table.

Notes:
n Dynamic tables, such as the connections table can change while this
command prints their contents.
This may cause some values to be missed or reported twice.
n For some tables, the command prints their contents on the screen.
n For some tables, the command prints their contents to the
/var/log/messages file.
n Also, see the "fw tab" on page 1152 command.

Syntax for IPv4

fwaccel tab [-f] [-m <Number of Rows>] -t <Name of Kernel Table>
fwaccel tab -s -t <Name of Kernel Table>

Syntax for IPv6

fwaccel6 tab [-f] [-m <Number of Rows>] -t <Name of Kernel Table>

fwaccel6 tab -s -t <Name of Kernel Table>

Parameters

Parameter                    Description
No Parameters                Shows the applicable built-in usage.
-f                           Formats the output.
                             We recommend that you always use this parameter.
-m <Number of Rows>          Specifies how many rows to show from the kernel table.
                             Note - The command counts from the top of the table.
                             Default: 1000
-s                           Shows summary information only.
-t <Name of Kernel Table>    Specifies the kernel table.
                             This command supports only these kernel tables:
                             n connections
                             n dos_ip_blacklists
                             n dos_pbox
                             n dos_pbox_violating_ips
                             n dos_rate_matches
                             n dos_rate_track_src
                             n dos_rate_track_src_svc
                             n drop_templates
                             n frag_table
                             n gtp_apns
                             n gtp_tunnels
                             n if_by_name
                             n inbound_SAs
                             n invalid_replay_counter
                             n ipsec_mtu_icmp
                             n mcast_drop_conns
                             n outbound_SAs
                             n PMTU_table
                             n <Profile>
                             n reset_table
                             n vpn_link_selection
                             n vpn_trusted_ifs

Examples
[Expert@MyGW:0]# fwaccel tab -f -m 200 -t connections
Table connections is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t inbound_SAs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t outbound_SAs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t vpn_link_selection
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t drop_templates
Table drop_templates is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t vpn_trusted_ifs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t profile
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t mcast_drop_conns
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t invalid_replay_counter
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t ipsec_mtu_icmp
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t gtp_tunnels
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t gtp_apns
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t if_by_name
Table contents written to /var/log/messages.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t PMTU_table
Table PMTU_table is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t frag_table
Table frag_table is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t reset_table
Table reset_table is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_ip_blacklists
Table dos_ip_blacklists is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_pbox
Table dos_pbox is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_rate_matches
Table dos_rate_matches is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_rate_track_src
Table dos_rate_track_src is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_rate_track_src_svc
Table dos_rate_track_src_svc is not active for SecureXL device 0.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel tab -t dos_pbox_violating_ips
Table dos_pbox_violating_ips is not active for SecureXL device 0.
[Expert@MyGW:0]#


fwaccel templates

Description
The fwaccel templates and fwaccel6 templates commands show the contents of the SecureXL
templates tables:
n Accept Templates
n Drop Templates

Important - By default, the Drop Templates are disabled.

To enable the Drop Templates:
1. In SmartConsole, open the Security Gateway / Cluster object.
2. In the left tree, click the Optimizations pane.
3. Select Enable drop optimization.
4. Click OK.
5. Install the Access Control policy.

Important - Depending on the number of current templates, these commands can consume a very large amount of memory.

Syntax for IPv4

fwaccel templates
[-h]
[-d]
[-m <Number of Rows>]
[-s]
[-S]

Syntax for IPv6

fwaccel6 templates
[-h]
[-d]
[-m <Number of Rows>]
[-s]
[-S]


Parameters

Parameter            Description

No Parameters        Shows the contents of the SecureXL Accept Templates table (Table Name - cphwd_tmpl, Table ID - 8111).

-h                   Shows the applicable built-in usage.

-d                   Shows the contents of the SecureXL Drop Templates table.

-m <Number of Rows>  Specifies how many rows to show from the templates table.
                     Note - The command counts from the top of the table.
                     Default: 1000

-s                   Shows the summary of SecureXL Connections Templates (number of templates).

-S                   Shows statistics for the SecureXL Connections Templates.


Accept Templates flags


One or more of these flags appears in the output:

Flag Description

A Connection is accounted (SecureXL counts the number of packets and bytes).

B Connection is created for a rule that contains an Identity Awareness object, or for
a rule below that rule.

I Identity Awareness (NAC) is enabled for this connection.

M Connection is created for a rule that contains a Domain object, or for a rule below
that rule.

N Connection undergoes NAT.

O Connection is created for a rule that contains a Dynamic object, or for a rule below
that rule.

Q QoS is enabled for this connection.

R Connection is created for a rule that contains a Traceroute object, or for a rule
below that rule.

S PXL (combination of SecureXL and PSL (Passive Streaming Library)) is enabled for this connection.

T Connection is created for a rule that contains a Time object, or for a rule below
that rule.

U Connection is unidirectional.

Z Connection is created for a rule that contains a Security Zone object, or for a rule
below that rule.

Drop Templates flags


One or more of these flags appears in the output:

Flag Description

D Drop template exists for this connection.

L Log and Drop action for this connection.


Examples
Example 1 - Default output
[Expert@MyGW:0]# fwaccel templates
Source SPort Destination DPort PR Flags LCT DLY C2S i/f S2C i/f
--------------- ----- --------------- ----- -- ------------ ---- --- ------- -------
192.168.10.20 * 192.168.10.50 80 6 0 0 0 eth5/eth1 eth1/eth5
[Expert@MyGW:0]#

Example 2 - Drop Templates

[Expert@MyGW:0]# fwaccel templates -d
The SecureXL drop templates table is empty
[Expert@MyGW:0]#

Example 3 - Summary of SecureXL Connections Templates

[Expert@MyGW:0]# fwaccel templates -s
Total number of templates: 1
[Expert@MyGW:0]#

Example 4 - Templates statistics

[Expert@MyGW:0]# fwaccel templates -S

Templates stats:

Name                 Value        Name                 Value
-------------------- ------------ -------------------- ------------
C templates          0            conns from templates 0
nat templates        0            conns from nat tmpl  0
C CPASXL templates   0            C PSLXL templates    0
C used templates     0            cpasxl tmpl conns    0
pslxl tmpl conns     0            C conns from tmpl    0

[Expert@MyGW:0]#


fwaccel ver

Description
Shows this information:
n Firewall Version and Build
n Accelerator Version
n Firewall API version
n Accelerator API version

Syntax

fwaccel ver

Example

[Expert@MyGW:0]# fwaccel ver
Firewall version: R80.40 - Build 123
Acceleration Device: Performance Pack
Accelerator Version 2.1
Firewall API version: 3.0NG (19/11/2015)
Accelerator API version: 3.0NG (19/11/2015)
[Expert@MyGW:0]#


fw sam_policy
Description
Manages the Suspicious Activity Policy editor that works with these types of rules:
n Suspicious Activity Monitoring (SAM) rules.
See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
n Rate Limiting rules.
See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
n "fw sam" on page 271
n "sam_alert" on page 376

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".
l For IPv6: "fw6 sam_policy" and "fw6 samp".
n You can run these commands in Gaia Clish, or Expert mode.
n Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands survives reboot.
n VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
n In VSX mode, you must go to the context of an applicable Virtual System.
l In Gaia Clish, run: set virtual-system <VSID>
l In the Expert mode, run: vsenv <VSID>
n In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.


Syntax for IPv4

fw [-d] sam_policy
add <options>
batch
del <options>
get <options>
fw [-d] samp
add <options>
batch
del <options>
get <options>

Syntax for IPv6

fw6 [-d] sam_policy
add <options>
batch
del <options>
get <options>
fw6 [-d] samp
add <options>
batch
del <options>
get <options>


Parameters

Parameter      Description

-d             Runs the command in debug mode.
               Use only if you troubleshoot the command itself.
               Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>  Adds one Rate Limiting rule at a time.
               See "fw sam_policy add" on page 282.

batch          Adds or deletes many Rate Limiting rules at a time.
               See "fw sam_policy batch" on page 295.

del <options>  Deletes one configured Rate Limiting rule at a time.
               See "fw sam_policy del" on page 297.

get <options>  Shows all the configured Rate Limiting rules.
               See "fw sam_policy get" on page 300.


fw sam_policy add

Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
n Add one Suspicious Activity Monitoring (SAM) rule at a time.
n Add one Rate Limiting rule at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".
l For IPv6: "fw6 sam_policy" and "fw6 samp".
n You can run these commands in Gaia Clish, or Expert mode.
n Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands survives reboot.
n VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
n In VSX mode, you must go to the context of an applicable Virtual System.
l In Gaia Clish, run: set virtual-system <VSID>
l In the Expert mode, run: vsenv <VSID>
n In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>


Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

Parameter       Description

-d              Runs the command in debug mode.
                Use only if you troubleshoot the command itself.
                Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u              Optional.
                Specifies that the rule category is User-defined.
                Default rule category is Auto.

-a {d | n | b}  Mandatory.
                Specifies the rule action if the traffic matches the rule conditions:
                n d - Drop the connection.
                n n - Notify (generate a log) about the connection and let it through.
                n b - Bypass the connection - let it through without checking it against the policy rules.
                Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections for limit enforcement of type ratio.

-l {r | a}      Optional.
                Specifies which type of log to generate for this rule for all traffic that matches:
                n r - Generate a regular log
                n a - Generate an alert log


-t <Timeout>    Optional.
                Specifies the time period (in seconds), during which the rule will be enforced.
                Default timeout is indefinite.

-f <Target>     Optional.
                Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
                <Target> can be one of these:
                n all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
                n Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole).
                n Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"  Optional.
                Specifies the name (label) for this rule.
                Notes:
                n You must enclose this string in double quotes.
                n The length of this string is limited to 128 characters.
                n Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
                "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"  Optional.
                Specifies the comment for this rule.
                Notes:
                n You must enclose this string in double quotes.
                n The length of this string is limited to 128 characters.
                n Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
                "This\ is\ a\ comment\ with\ a\ backslash\ \\"


-o "<Rule Originator>"  Optional.
                Specifies the name of the originator for this rule.
                Notes:
                n You must enclose this string in double quotes.
                n The length of this string is limited to 128 characters.
                n Before each space or a backslash character in this string, you must write a backslash (\) character. Example:
                "Created\ by\ John\ Doe"

-z "<Zone>"     Optional.
                Specifies the name of the Security Zone for this rule.
                Notes:
                n You must enclose this string in double quotes.
                n The length of this string is limited to 128 characters.

ip <IP Filter Arguments>  Mandatory (use this ip parameter, or the quota parameter).
                Configures the Suspicious Activity Monitoring (SAM) rule.
                Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):
                [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
                See the explanations below.


quota <Quota Filter Arguments>  Mandatory (use this quota parameter, or the ip parameter).
                Configures the Rate Limiting rule.
                Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):
                n [flush true]
                n [source-negated {true | false}] source <Source>
                n [destination-negated {true | false}] destination <Destination>
                n [service-negated {true | false}] service <Protocol and Port numbers>
                n [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
                n [track <Track>]

                Important:
                n The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.
                n Explanation:
                For the new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.
                The Security Gateway computes new connection rates on a per-second basis.
                At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.
                If, at some point during that 1-second period, there are too many new connections, the Security Gateway blocks all remaining packets that match the rule for the remainder of that 1-second interval.
                At the start of the next 1-second interval, the counters are reset and the process starts over: the Security Gateway allows packets to pass again up to the point where the rule's limit is violated.
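The per-second enforcement described above, as an added model in Python (not Check Point code): every packet that matches the rule is accepted until the number of new connections in the current 1-second interval exceeds the new-conn-rate limit, after which every remaining matching packet in that interval is dropped, and the counters reset at the next interval. The exact comparison (count greater than the limit) and the fixed, clock-aligned intervals are assumptions; the Packet type and the sample traffic are constructed.

```python
"""Model of the documented per-second new-conn-rate enforcement.

Added illustration, not Check Point code. It follows the text: allow
everything at the start of each 1-second interval; once the number of new
connections in that interval exceeds the limit, drop every remaining packet
that matches the rule (existing connections included); reset the counters
at the next interval. The comparison (count > limit) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    new_conn: bool     # True for the first packet of a new connection


def enforce_new_conn_rate(packets, limit):
    """Return a list of (packet, verdict); verdict is 'accept' or 'drop'.

    `packets` must be sorted by arrival time and already be the subset that
    matches the rule's source/destination/service filter.
    """
    verdicts = []
    interval = None       # index of the current 1-second interval
    new_conns = 0         # new connections seen in the current interval
    blocked = False       # limit violated in the current interval
    for pkt in packets:
        cur = int(pkt.ts)
        if cur != interval:
            # start of the next 1-second interval: counters are reset
            interval, new_conns, blocked = cur, 0, False
        if not blocked and pkt.new_conn:
            new_conns += 1
            if new_conns > limit:
                blocked = True   # too many new connections this second
        verdicts.append((pkt, "drop" if blocked else "accept"))
    return verdicts


def count_verdicts(verdicts):
    """Return (accepted, dropped) totals for a verdict list."""
    accepted = sum(1 for _, v in verdicts if v == "accept")
    return accepted, len(verdicts) - accepted


# Constructed sample: 7 new connections and 2 existing-connection packets in
# second 0, then 2 packets in second 1. Rule under test: new-conn-rate 5.
SAMPLE = [
    Packet(0.10, True), Packet(0.15, True), Packet(0.20, False),
    Packet(0.30, True), Packet(0.35, True), Packet(0.40, True),
    Packet(0.50, True),   # 6th new connection: the limit of 5 is violated
    Packet(0.60, False),  # existing connection, dropped for the rest of second 0
    Packet(0.70, True),
    Packet(1.05, True), Packet(1.10, False),  # counters reset at second 1
]

if __name__ == "__main__":
    for pkt, verdict in enforce_new_conn_rate(SAMPLE, limit=5):
        print(f"t={pkt.ts:4.2f} new={pkt.new_conn!s:5} -> {verdict}")
```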


Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM)
rules

Argument               Description

-C                     Specifies that open connections should be closed.

-s <Source IP>         Specifies the Source IP address.

-m <Source Mask>       Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>    Specifies the Destination IP address.

-M <Destination Mask>  Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>              Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>          Specifies the protocol number (see IANA Protocol Numbers).


Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument / Description

flush true
    Specifies to compile and load the quota rule to the SecureXL immediately.

[source-negated {true | false}] source <Source>
    Specifies the source type and its value:
    n any
      The rule is applied to packets sent from all sources.
    n range:<IP Address>
      or
      range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent from:
      l Specified IPv4 addresses (x.y.z.w)
      l Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    n cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent from:
      l IPv4 address with Prefix from 0 to 32
      l IPv6 address with Prefix from 0 to 128
    n cc:<Country Code>
      The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    n asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    n Default is: source-negated false
    n The source-negated true processes all source types, except the specified type.


[destination-negated {true | false}] destination <Destination>
    Specifies the destination type and its value:
    n any
      The rule is applied to packets sent to all destinations.
    n range:<IP Address>
      or
      range:<IP Address Start>-<IP Address End>
      The rule is applied to packets sent to:
      l Specified IPv4 addresses (x.y.z.w)
      l Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
    n cidr:<IP Address>/<Prefix>
      The rule is applied to packets sent to:
      l IPv4 address with Prefix from 0 to 32
      l IPv6 address with Prefix from 0 to 128
    n cc:<Country Code>
      The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
    n asn:<Autonomous System Number>
      The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
    Notes:
    n Default is: destination-negated false
    n The destination-negated true processes all destination types, except the specified type.


[service-negated {true | false}] service <Protocol and Port numbers>
    Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):
    n <Protocol>
      IP protocol number in the range 1-255
    n <Protocol Start>-<Protocol End>
      Range of IP protocol numbers
    n <Protocol>/<Port>
      IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535
    n <Protocol>/<Port Start>-<Port End>
      IP protocol number and range of TCP/UDP port numbers from 1 to 65535
    Notes:
    n Default is: service-negated false
    n The service-negated true processes all traffic except the traffic with the specified protocols and ports.


[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]
    Specifies quota limits and their values.
    Note - Separate multiple quota limits with spaces.
    n concurrent-conns <Value>
      Specifies the maximal number of concurrent active connections that match this rule.
    n concurrent-conns-ratio <Value>
      Specifies the maximal ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    n pkt-rate <Value>
      Specifies the maximum number of packets per second that match this rule.
    n pkt-rate-ratio <Value>
      Specifies the maximal ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    n byte-rate <Value>
      Specifies the maximal total number of bytes per second in packets that match this rule.
    n byte-rate-ratio <Value>
      Specifies the maximal ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
    n new-conn-rate <Value>
      Specifies the maximal number of connections per second that match the rule.
    n new-conn-rate-ratio <Value>
      Specifies the maximal ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).


[track <Track>]
    Specifies the tracking option:
    n source
      Counts connections, packets, and bytes for each specific source IP address, and not cumulatively for this rule.
    n source-service
      Counts connections, packets, and bytes for each specific source IP address and for each specific IP protocol and destination port, and not cumulatively for this rule.

Examples
Example 1 - Rate Limiting rule with a range
fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
n This rule drops packets for all connections (-a d) that exceed the quota set by this rule, including packets for existing connections.
n This rule logs packets (-l r) that exceed the quota set by this rule.
n This rule will expire in 3600 seconds (-t 3600).
n This rule limits the rate of creation of new connections to 5 connections per second (new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
Note - The limit of the total number of log entries per second is configured with the fwaccel dos config set -n <rate> command.
n This rule will be compiled and loaded on the SecureXL immediately, together with the other rules in the Suspicious Activity Monitoring (SAM) policy database, because this rule includes the "flush true" parameter.


Example 2 - Rate Limiting rule with a service specification


fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
n This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
n This rule applies to all packets except (service-negated true) the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
n This rule applies to all packets from source IP addresses that are assigned to the country with the specified country code (cc:QQ).
n This rule does not let any traffic through (byte-rate 0) except the packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53.
n This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.
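A matcher for the quota service argument, written here as an added example (not Check Point code) from the syntax table above and run against the service specification of Example 2: it parses comma-separated <Protocol>, <Protocol Start>-<Protocol End>, <Protocol>/<Port> and <Protocol>/<Port Start>-<Port End> items plus the any keyword, and applies the service-negated switch. How the gateway itself tokenizes the argument is not stated on this page, so the parser is the straightforward reading of the documented grammar.

```python
"""Matcher for the quota 'service' argument of fw sam_policy add.

Added illustration, not Check Point code. It implements the grammar from the
syntax table: a comma-separated list of <Protocol>, <Protocol Start>-<Protocol
End>, <Protocol>/<Port> and <Protocol>/<Port Start>-<Port End> items, the
keyword 'any', and the service-negated true/false switch. The gateway's own
tokenizer is not documented here; this is a plain reading of the table.
"""


def _parse_range(text, lo, hi):
    """Parse 'n' or 'a-b' into an inclusive (a, b) tuple within [lo, hi]."""
    start, sep, end = text.partition("-")
    a = int(start)
    b = int(end) if sep else a
    if not (lo <= a <= b <= hi):
        raise ValueError(f"range {text!r} outside {lo}-{hi}")
    return a, b


def parse_service(spec):
    """Return a list of (proto_range, port_range_or_None) filters."""
    if spec.strip() == "any":
        return [((1, 255), None)]           # every IP protocol, every port
    filters = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty service item")
        proto_part, slash, port_part = item.partition("/")
        proto = _parse_range(proto_part, 1, 255)
        if slash:
            # a port (range) is only meaningful for a single protocol
            if proto[0] != proto[1]:
                raise ValueError(f"port given with a protocol range: {item!r}")
            ports = _parse_range(port_part, 1, 65535)
        else:
            ports = None                    # any port of that protocol
        filters.append((proto, ports))
    return filters


def service_matches(filters, proto, port=None, negated=False):
    """True if a packet with this IP protocol and (optional) port is selected.

    With negated=True the rule selects all traffic except what the filters
    describe, as documented for service-negated true.
    """
    hit = False
    for (p_lo, p_hi), ports in filters:
        if not (p_lo <= proto <= p_hi):
            continue
        if ports is None or (port is not None and ports[0] <= port <= ports[1]):
            hit = True
            break
    return hit != negated


if __name__ == "__main__":
    # The service argument and service-negated setting from Example 2.
    rule = parse_service("1,50-51,6/443,17/53")
    for proto, port in [(1, None), (50, None), (6, 443), (6, 80), (17, 53), (17, 123)]:
        state = "selected" if service_matches(rule, proto, port, negated=True) else "excluded"
        print(f"proto={proto} port={port}: {state}")
```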

Example 3 - Rate Limiting rule with ASN


fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
n This rule drops (-a d) all packets that match this rule.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
n This rule applies to packets from the Autonomous System number 64500 (asn:AS64500).
n This rule applies to packets from the source IPv6 addresses ::FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
n This rule applies to all traffic (service any).
n This rule does not let any traffic through (pkt-rate 0).
n This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist


fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:


n This rule bypasses (-a b) all packets that match this rule.
Note - The Access Control Policy and other types of security policy rules still apply.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
n This rule applies to packets from the source IP addresses in the range 172.16.8.17 - 172.16.9.121 (range:172.16.8.17-172.16.9.121).
n This rule applies to packets sent to TCP port 80 (service 6/80).
n This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking


fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
n This rule drops (-a d) all packets that match this rule.
n This rule does not log any packets (the -l r parameter is not specified).
n This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly.
n This rule applies to all traffic (service any).
n This rule applies to all sources except (source-negated true) the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
n This rule limits the maximal number of concurrent active connections to 655/65536 (approximately 1%) of all active connections through the Security Gateway (concurrent-conns-ratio 655) for any traffic (service any) from all sources except (source-negated true) the source IP addresses that are assigned to the country with the specified country code (cc:QQ).
n This rule counts connections, packets, and bytes separately for each source IP address that matches this rule (track source), and not cumulatively for this rule.
n This rule will not be compiled and installed on the SecureXL immediately, because it does not include the "flush true" parameter.


fw sam_policy batch

Description
The "fw sam_policy batch" and "fw6 sam_policy batch" commands:
n Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
n Add and delete many Rate Limiting rules at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".
l For IPv6: "fw6 sam_policy" and "fw6 samp".
n You can run these commands in Gaia Clish, or Expert mode.
n Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands survives reboot.
n VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
n In VSX mode, you must go to the context of an applicable Virtual System.
l In Gaia Clish, run: set virtual-system <VSID>
l In the Expert mode, run: vsenv <VSID>
n In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure
1. Start the batch mode

n For IPv4, run:

fw sam_policy batch << EOF

n For IPv6, run:

fw6 sam_policy batch << EOF


2. Enter the applicable commands

n Enter one "add" or "del" command on each line, on as many lines as necessary.
Start each line with only the "add" or "del" parameter (not with "fw samp").
n Use the same set of parameters and values as described in these commands:
l fw sam_policy add
l fw sam_policy del
n Terminate each line with a Return (ASCII 10 - Line Feed) character (press Enter).

3. End the batch mode

Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF
add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
[Expert@HostName]#


fw sam_policy del

Description
The "fw sam_policy del" and "fw6 sam_policy del" commands:
n Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
n Delete one configured Rate Limiting rule at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".
l For IPv6: "fw6 sam_policy" and "fw6 samp".
n You can run these commands in Gaia Clish, or Expert mode.
n Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands survives reboot.
n VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
n In VSX mode, you must go to the context of an applicable Virtual System.
l In Gaia Clish, run: set virtual-system <VSID>
l In the Expert mode, run: vsenv <VSID>
n In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'


Parameters

Parameter     Description

-d            Runs the command in debug mode.
              Use only if you troubleshoot the command itself.
              Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'  Specifies the UID of the rule you wish to delete.
              Important:
              n The quote marks and angle brackets ('<...>') are mandatory.
              n To see the Rule UID, run the "fw sam_policy get" command.

Procedure
1. List all the existing rules in the Suspicious Activity Monitoring policy database

n For IPv4, run:

fw sam_policy get

n For IPv6, run:

fw6 sam_policy get

The rules show in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log=... name=... comment=... originator=... src_ip_addr=... req_tpe=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a>
target=all timeout=300 action=notify log=log name=Test\ Rule
comment=Notify\ about\ traffic\ from\ 1.1.1.1
originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip


2. Delete a rule from the list by its UID

n For IPv4, run:

fw [-d] sam_policy del '<Rule UID>'

n For IPv6, run:

fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule

n For IPv4, run:

fw samp add -t 2 quota flush true

n For IPv6, run:

fw6 samp add -t 2 quota flush true

Explanation:
The "fw samp del" and "fw6 samp del" commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compile and load a policy. To force the rule deletion immediately, you must enter a flush-only rule right after the "fw samp del" or "fw6 samp del" command. This flush-only rule immediately deletes the rule you specified in the previous step, and times out in 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This
prevents accumulation of rules that are obsolete in the database.
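Two pieces of tooling for the material above, as an added Python example (not Check Point code): the backslash quoting required for the -n, -c and -o strings of fw sam_policy add, and a parser for the key=value lines printed by fw sam_policy get that turns a selection of rules into the matching fw samp del '<Rule UID>' commands followed by the flush-only rule from step 3. The first sample line is the page's own example; the second reuses the UID from the batch example with constructed field values.

```python
"""Helpers around fw sam_policy get / del output and argument quoting.

Added illustration, not Check Point code. Implemented from this page:
(1) the backslash-before-space-or-backslash quoting for -n/-c/-o strings;
(2) a parser for the key=value lines printed by "fw sam_policy get", used to
build "fw samp del '<uid>'" commands plus the documented flush-only rule.
Fields not shown in the page's example are passed through as key=value.
"""
import re

# UID format as printed by fw sam_policy get: four 8-digit hex words.
UID_RE = re.compile(r"^<[0-9a-f]{8}(,[0-9a-f]{8}){3}>$")


def escape_string(text):
    """Quote a rule name/comment/originator as -n/-c/-o require.

    Every backslash and every space is preceded by a backslash, and the
    result is wrapped in double quotes. The page limits these to 128 chars.
    Backslashes are doubled first so the escapes added for spaces stay intact.
    """
    if len(text) > 128:
        raise ValueError("string longer than 128 characters")
    escaped = text.replace("\\", "\\\\").replace(" ", "\\ ")
    return f'"{escaped}"'


def split_fields(line):
    """Split a get-output line on spaces that are not backslash-escaped."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])      # escaped space or backslash
            i += 2
            continue
        if ch == " ":
            if buf:
                fields.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        fields.append("".join(buf))
    return fields


def parse_rule(line):
    """Parse one 'operation=add uid=<...> ...' line into a dict."""
    rule = {}
    for field in split_fields(line.strip()):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"not a key=value field: {field!r}")
        rule[key] = value
    if not UID_RE.match(rule.get("uid", "")):
        raise ValueError(f"missing or malformed uid in: {line!r}")
    return rule


def deletion_commands(lines, select, ipv6=False, flush_timeout=2):
    """Build the del commands for rules where select(rule) is true.

    A flush-only rule is appended because fw samp del alone only edits the
    persistent database; the flush makes the deletion take effect now.
    """
    cmd = "fw6 samp" if ipv6 else "fw samp"
    out = [f"{cmd} del '{r['uid']}'" for r in map(parse_rule, lines) if select(r)]
    if out:
        out.append(f"{cmd} add -t {flush_timeout} quota flush true")
    return out


# Constructed sample in the format shown on this page. The first line is the
# page's own example; the second reuses the batch example's UID with made-up
# field values.
SAMPLE_GET_OUTPUT = [
    "operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all "
    "timeout=300 action=notify log=log name=Test\\ Rule "
    "comment=Notify\\ about\\ traffic\\ from\\ 1.1.1.1 "
    "originator=John\\ Doe src_ip_addr=1.1.1.1 req_tpe=ip",
    "operation=add uid=<501f6ef0,00000000,cb38a8c0,0a0afffe> target=all "
    "timeout=3600 action=drop log=log name=Limit\\ conn\\ rate "
    "originator=SOC\\ automation req_tpe=quota",
]

if __name__ == "__main__":
    for c in deletion_commands(SAMPLE_GET_OUTPUT, lambda r: r["originator"] == "John Doe"):
        print(c)
```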


fw sam_policy get

Description
The "fw sam_policy get" and "fw6 sam_policy get" commands:
- Show all the configured Suspicious Activity Monitoring (SAM) rules.
- Show all the configured Rate Limiting rules.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish or the Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- VSX mode does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
- In VSX mode, you must go to the context of an applicable Virtual System.
  - In Gaia Clish, run: set virtual-system <VSID>
  - In the Expert mode, run: vsenv <VSID>
- In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

Parameter           Description
-d                  Runs the command in debug mode.
                    Use only if you troubleshoot the command itself.
                    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
-l                  Controls how to print the rules:
                    - In the default format (without "-l"), the output shows each rule on a separate line.
                    - In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
                    - See the "fw sam_policy add" command.
-u '<Rule UID>'     Prints the rule specified by its Rule UID or its zero-based rule index.
                    The quote marks and angle brackets ('<...>') are mandatory.
-k '<Key>'          Prints the rules with the specified predicate key.
                    The quote marks are mandatory.
-t <Type>           Prints the rules with the specified predicate type.
                    For Rate Limiting rules, you must always use "-t in".
+{-v '<Value>'}     Prints the rules with the specified predicate values.
                    The quote marks are mandatory.
-n                  Negates the condition specified by these predicate parameters: -k, -t, +-v

Examples
Example 1 - Output in the default format

[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 2 - Output in the list format

[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID

[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get
no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
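The rule lines that "fw samp get" prints are key=value pairs whose values escape embedded spaces with a backslash, the "fw sam_policy del" procedure above requires a delete followed by a flush-only rule, and Example 4 shows the "-k <Key> -t in -v <Value> [-n]" predicate. The following script, an added example that is not Check Point code, parses that output, emulates the "in" predicate, lists rules added without an expiration (the Best Practice above), and builds the delete-plus-flush command pair; its sample is the rules from Example 4 and Example 1 re-joined onto single lines, and the treatment of rules that lack the filtered key is an assumption.

```python
"""Parse "fw samp get" / "fw6 samp get" output, filter it the way
"-k <Key> -t in -v <Value> [-n]" does, and build the delete + flush-only
command pair the "fw sam_policy del" procedure requires.
Added example; not Check Point code."""
import re

# Constructed sample: the rules shown in Example 4 and Example 1 above, each
# re-joined onto one line (the real command prints one rule per line).
SAMPLE_OUTPUT = "\n".join([
    r"operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota",
    r"operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota",
    r"operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota",
    r"operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota",
    r"operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip",
])

# Split on runs of spaces that are not preceded by a backslash, so that
# backslash-escaped spaces inside a value stay with the value.
_UNESCAPED_SPACE = re.compile(r"(?<!\\) +")


def parse_rule_line(line):
    """Turn one "key=value key=value ..." line into a dict and unescape the
    backslash-escaped spaces in the values."""
    rule = {}
    for token in _UNESCAPED_SPACE.split(line.strip()):
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        rule[key] = value.replace("\\ ", " ")
    return rule


def parse_samp_get(text):
    """One dict per rule line; prompts and messages such as
    "no corresponding SAM policy requests" are skipped."""
    return [parse_rule_line(ln) for ln in text.splitlines()
            if ln.startswith("operation=")]


def match_in(rules, key, values, negate=False):
    """Emulate "-k key -t in -v v1 [-v v2 ...] [-n]": keep the rules whose
    value for key is one of values; with negate, keep the other rules.
    Assumption: a rule that lacks key does not match (so -n keeps it)."""
    wanted = set(values)
    return [r for r in rules if (r.get(key) in wanted) != negate]


def rules_without_expiry(rules):
    """Best Practice check: SAM rules cost CPU, so rules that were added
    without a timeout ("indefinite") deserve a periodic review."""
    return [r for r in rules if r.get("timeout") == "indefinite"]


def delete_commands(rule, ipv6=False, flush_timeout=2):
    """The two commands the procedure requires: remove the rule from the
    persistent database, then add a short-lived flush-only rule so the
    gateway stops enforcing it now rather than at the next policy install."""
    fw = "fw6" if ipv6 else "fw"
    uid = rule["uid"]  # already in the '<v1,v2,v3,v4>' form that "del" expects
    return [
        f"{fw} samp del '{uid}'",
        f"{fw} samp add -t {flush_timeout} quota flush true",
    ]


if __name__ == "__main__":
    rules = parse_samp_get(SAMPLE_OUTPUT)
    for r in rules_without_expiry(rules):
        print("no expiry:", r["uid"], r.get("action"), r.get("source"))
    for r in match_in(rules, "service", ["6/80"]):
        print("\n".join(delete_commands(r)))
```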

The /proc/ppk/ and /proc/ppk6/ entries


Description
SecureXL supports Linux /proc entries. The read-only entries in the /proc/ppk/ and /proc/ppk6/ directories contain various data about SecureXL.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/<Name of File>
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/<Name of File>

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/<Name of File>
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/<Name of File>

Files

File                Description
affinity            Contains status and the thresholds for SecureXL New Affinity mechanism.
                    See "/proc/ppk/affinity" on page 1455.
conf                Contains the SecureXL configuration and basic statistics.
                    See "/proc/ppk/conf" on page 1456.
conns               Contains the list of the SecureXL connections.
                    See "/proc/ppk/conns" on page 1457.
cpls                Contains SecureXL configuration for ClusterXL Load Sharing (CPLS).
                    See "/proc/ppk/cpls" on page 1458.
cqstats             Contains statistics for SecureXL connections queue.
                    See "/proc/ppk/cqstats" on page 1459.
drop_statistics     Contains SecureXL statistics for dropped packets.
                    See "/proc/ppk/drop_statistics" on page 1460.
ifs                 Contains the list of interfaces that SecureXL uses.
                    See "/proc/ppk/ifs" on page 1461.
mcast_statistics    Contains SecureXL statistics for multicast traffic.
                    See "/proc/ppk/mcast_statistics" on page 1466.
nac                 Contains SecureXL statistics for Identity Awareness Network Access Control (NAC) traffic.
                    See "/proc/ppk/nac" on page 1467.
notify_statistics   Contains SecureXL statistics for notifications SecureXL sent to Firewall about accelerated connections.
                    See "/proc/ppk/notify_statistics" on page 1468.
profile_cpu_stat    Contains IDs of the CPU cores and status of Traffic Profiling.
                    See "/proc/ppk/profile_cpu_stat" on page 1470.
rlc                 Contains SecureXL statistics for drops due to Rate Limiting for DoS Mitigation.
                    See "/proc/ppk/rlc" on page 1471.
statistics          Contains SecureXL overall statistics.
                    See "/proc/ppk/statistics" on page 1472.
stats               Contains the IRQ numbers and names of interfaces the SecureXL uses.
                    See "/proc/ppk/stats" on page 1474.
viol_statistics     Contains SecureXL statistics for violations - packets SecureXL forwarded (F2F) to the Firewall.
                    See "/proc/ppk/viol_statistics" on page 1475.

/proc/ppk/affinity

Description
Contains the number of accelerated packets per second and rate of encrypted bytes.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/affinity

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/affinity

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/affinity
Current accelerated PPS : 0
Current enc. bytes rate : 0
[Expert@MyGW:0]#

/proc/ppk/conf

Description
Contains the SecureXL configuration and basic statistics.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/conf
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/conf

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/conf
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/conf

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/conf
Flags : 0x00000592
Accounting Update Interval : 3600
Conn Refresh Interval : 512
SA Sync Notification Interval : 200000
UDP Encapsulation Port : 2746
Min TCP MSS : 0
TCP End Timeout : 5
Connection Limit : 18446744073709551615

Total Number of conns : 0
Number of Crypt conns : 0
Number of TCP conns : 0
Number of Non-TCP conns : 0
Total Number of corrs : 0

Debug flags :
0 : 0x1
1 : 0x1
2 : 0x1
3 : 0x1
4 : 0x1
5 : 0x1
6 : 0x1
7 : 0x1
8 : 0x100
9 : 0x8
10 : 0x1
11 : 0x10
[Expert@MyGW:0]#

/proc/ppk/conns

Description
Contains the list of the SecureXL connections.

Important - This file is for future use. Refer to the "fwaccel conns" on page 1313
command.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/conns
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/conns

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/conns
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/conns

/proc/ppk/cpls

Description
Contains SecureXL configuration for ClusterXL Load Sharing (CPLS).

Important - This file is for future use. Refer to the "fwaccel cfg -h" command (see
"fwaccel cfg" on page 1310).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/cpls

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/cpls

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/cpls
fwha_conf_flags: 638
fwha_df_type: 0
fwha_member_id: 0
fwha_port: 8116
FWHAP MAC magic: 0
Forwarding MAC magic: 0
My state: ACTIVE
udp_enc_port: 0
selection table size: 0
[Expert@MyGW:0]#

/proc/ppk/cqstats

Description
Contains statistics for SecureXL connections queue.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/cqstats
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/cqstats

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/cqstats
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/cqstats

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/cqstats
Name Value Name Value
-------------------- --------------- -------------------- ---------------
Queued pkts 0 Queue fail 0
Dequeue & f2f 0 Dequeue & drop 0
Dequeue & resume 0 Async index req 0
Err Async index req 0 Async index cb 0
Err Async index cb 0 Queue alloc fail 0
Queue empty err 0
[Expert@MyGW:0]#

/proc/ppk/drop_statistics

Description
Contains SecureXL statistics for dropped packets.

Note - This is the same information that the "fwaccel stats -d" command shows
(see "fwaccel stats" on page 1374).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/drop_statistics
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/drop_statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/drop_statistics
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/drop_statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/drop_statistics
Reason Packets Reason Packets
-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
PSLXL decision 0 clr pkt on vpn 0
encrypt failed 0 drop template 0
decrypt failed 0 interface down 0
cluster error 0 XMT error 0
anti spoofing 0 local spoofing 0
sanity error 0 monitored spoofed 0
QOS decision 0 C2S violation 0
S2C violation 0 Loop prevention 0
DOS Fragments 0 DOS IP Options 0
DOS Blacklists 0 DOS Penalty Box 0
DOS Rate Limiting 0 Syn Attack 0
Reorder 0 Defrag timeout 0
[Expert@MyGW:0]#

/proc/ppk/ifs

Description
Contains the list of interfaces that SecureXL uses.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/ifs

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/ifs

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/ifs
No | Interface | Address | IRQ | F | SIM F | Dev | Output Func | Features
-------------------------------------------------------------------------------------------------------------
2 | eth0 | 192.168.3.52 | 67 | 1 | 480 | 0xffff81023e5df000 | 0x000013a0
3 | eth1 | 10.20.30.52 | 83 | 1 | 488 | 0xffff81023dd0c000 | 0x000013a0
4 | eth2 | 40.50.60.52 | 59 | 1 | 480 | 0xffff810237f88000 | 0x000013a0
5 | eth3 | 0.0.0.0 | 67 | 1 | 80 | 0xffff810239b3d000 | 0x000013a0
6 | eth4 | 0.0.0.0 | 91 | 1 | 80 | 0xffff81023841f000 | 0x000013a0
7 | eth5 | 0.0.0.0 | 83 | 1 | 480 | 0xffff8102396fe000 | 0x000013a0
8 | eth6 | 0.0.0.0 | 59 | 1 | 480 | 0xffff810239a4d000 | 0x000013a0
10 | bond0 | 70.80.90.52 | 0 | 1 | 280 | 0xffff8101f1a0e000 | 0x000013a0
[Expert@MyGW:0]#

Example for IPv6

[Expert@MyGW:0]# cat /proc/ppk6/ifs
No | Interface | Address | IRQ | F | SIM F | Dev | Output Func | Features
-------------------------------------------------------------------------------------------------------------
2 | eth0 | fe80:0:0:0:250:56ff:fea3:1807 | 67 | 1 | 480 | 0xffff81023e5df000 | 0x000013a0
3 | eth1 | fe80:0:0:0:250:56ff:fea3:15a4 | 83 | 1 | 480 | 0xffff81023dd0c000 | 0x000013a0
4 | eth2 | fe80:0:0:0:250:56ff:fea3:2f50 | 59 | 1 | 480 | 0xffff810237f88000 | 0x000013a0
5 | eth3 | 0:0:0:0:0:0:0:0 | 67 | 1 | 80 | 0xffff810239b3d000 | 0x000013a0
6 | eth4 | 0:0:0:0:0:0:0:0 | 91 | 1 | 80 | 0xffff81023841f000 | 0x000013a0
7 | eth5 | fe80:0:0:0:250:56ff:fea3:75a9 | 83 | 1 | 480 | 0xffff8102396fe000 | 0x000013a0
8 | eth6 | fe80:0:0:0:250:56ff:fea3:5d4c | 59 | 1 | 480 | 0xffff810239a4d000 | 0x000013a0
10 | bond0 | fe80:0:0:0:250:56ff:fea3:287b | 0 | 1 | 280 | 0xffff8101f1a0e000 | 0x000013a0
[Expert@MyGW:0]#

Explanation about the configuration flags in the "F" and "SIM F" columns
The "F" column shows the internal configuration flags that the Firewall set on these interfaces.
The "SIM F" column shows the internal configuration flags that SecureXL set on these interfaces.

Flag      Description
0x001     If this flag is set, SecureXL drops the packet at the end of the inbound inspection, if the packet is a "cut-through" packet.
          In outbound, SecureXL forwards all the packets to the network.
0x002     If this flag is set, SecureXL sends an applicable notification when a TCP state change occurs (connection is established or torn down).
0x004     If this flag is set, SecureXL sets the UDP header's checksum field correctly when SecureXL encapsulates an encrypted packet (UDP encapsulation).
          If this flag is not set, SecureXL sets the UDP header's checksum field to zero.
          It is safe to ignore this flag if it is set to 0 (SecureXL continues to calculate the UDP packet's checksum).
0x008     If this flag is set, SecureXL does not create new connections that match a template, and SecureXL drops the packet that matches the template, when the number of entries in the Connections Table reaches the specified limit.
          If this flag is not set, SecureXL forwards the packet to the Firewall.
0x010     If this flag is set, SecureXL forwards fragments to the Firewall.
0x020     If this flag is set, SecureXL does not create connections from TCP templates anymore.
          The Firewall offloads connections to SecureXL when necessary.
          This flag only disables the creation of TCP templates.
0x040     If this flag is set, SecureXL notifies the Firewall at intervals, so it refreshes the accelerated connections in the Firewall kernel tables.
0x080     If this flag is set, SecureXL does not create connections from non-TCP templates anymore.
          The Firewall offloads connections to SecureXL when necessary.
          This flag only disables the creation of non-TCP templates.
0x100     If this flag is set, SecureXL allows sequence verification violations for connections that did not complete the TCP 3-way handshake process.
          If this flag is not set, SecureXL must forward the violating packets to the Firewall.
0x200     If this flag is set, SecureXL allows sequence verification violations for connections that completed the TCP 3-way handshake process.
          If this flag is not set, SecureXL must forward the violating packets to the Firewall.
0x400     If this flag is set, SecureXL forwards TCP [RST] packets to the Firewall.
0x0001    If this flag is set, SecureXL notifies the Firewall about HitCount data.
0x0002    If this flag is set, the VSX Virtual System works as a junction, rather than a regular Virtual System (only the local Virtual System flag is applicable).
0x0004    If this flag is set, SecureXL disables the replay counter of inbound encrypted traffic.
          As a result, the SecureXL kernel module works in the same way as the VPN kernel module.
0x0008    If this flag is set, SecureXL enables MSS Clamping.
          Refer to the kernel parameters "fw_clamp_tcp_mss" and "fw_clamp_vpn_mss" in sk101219.
0x0010    If this flag is set, SecureXL disables the "No Match Ranges" (NMR) Templates (see sk117755).
0x0020    If this flag is set, SecureXL disables the "No Match Time" (NMT) Templates (see sk117755).
0x0040    If this flag is set, SecureXL does not send Drop Templates notifications about dropped packets to the Firewall (to update the drop counters).
          For example, if you set the value of the kernel parameter "activate_optimize_drops_support_now" to 1, it disables the Drop Templates notifications.
0x0080    If this flag is set, SecureXL enables the MultiCore support for IPsec VPN (see sk118097).
0x0100    If this flag is set, SecureXL enables the support for CoreXL Dynamic Dispatcher (see sk105261).
0x0800    If this flag is set, SecureXL does not enforce Path MTU Discovery for IP multicast packets.
0x1000    If this flag is set, SecureXL disables the SIM "drop_templates" feature.
0x2000    If this flag is set, it indicates that an administrator enabled the Link Selection Load Sharing feature.
0x4000    If this flag is set, SecureXL disables the asynchronous notification feature.
0x8000    If this flag is set, it indicates that the capacity of the Firewall Connections Table is unlimited.

Examples:

Value         Description
0x039         Means the sum of these flags: 0x001, 0x008, 0x010, 0x020
0x00008a16    Means the sum of these flags: 0x0002, 0x0004, 0x0010, 0x0200, 0x0800, 0x8000
0x00009a16    Means the sum of these flags: 0x0002, 0x0004, 0x0010, 0x0200, 0x0800, 0x1000, 0x8000

/proc/ppk/mcast_statistics

Description
Contains SecureXL statistics for multicast traffic.

Note - This is the same information that the "fwaccel stats -m" command shows
(see "fwaccel stats" on page 1374).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/mcast_statistics
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/mcast_statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/mcast_statistics
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/mcast_statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/mcast_statistics
Name Value Name Value
-------------------- --------------- -------------------- ---------------
in packets 10100 out packets 0
if restricted 0 conns with down if 0
f2f packets 0 f2f bytes 0
dropped packets 0 dropped bytes 0
accel packets 0 accel bytes 0
mcast conns 0
[Expert@MyGW:0]#

/proc/ppk/nac

Description
Contains SecureXL statistics for Identity Awareness Network Access Control (NAC) traffic.

Note - This is the same information that the "fwaccel stats -n" command shows
(see "fwaccel stats" on page 1374).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/nac
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/nac

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/nac
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/nac

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/nac
Name Value Name Value
-------------------- --------------- -------------------- ---------------
NAC packets 0 NAC bytes 0
NAC connections 0 complience failure 0
[Expert@MyGW:0]#

/proc/ppk/notify_statistics

Description
Contains SecureXL statistics for notifications SecureXL sent to Firewall about accelerated
connections.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/notify_statistics
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/notify_statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/notify_statistics
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/notify_statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/notify_statistics
Notification Packets Notification Packets
--------------------- -------------- --------------------- --------------
ntSAAboutToExpire 0 ntSAExpired 0
ntMSPIError 0 ntNoInboundSA 0
ntNoOutboundSA 0 ntDataIntegrityFailed 0
ntPossibleReplay 0 ntReplay 0
ntNextProtocolError 0 ntCPIError 0
ntClearTextPacket 0 ntFragmentation 0
ntUpdateUdpEncTable 0 ntSASync 0
ntReplayOutOfWindow 0 ntVPNTrafficReport 0
ntConnDeleted 0 ntConnUpdate 0
ntPacketDropped 0 ntSendLog 0
ntRefreshGTPTunnel 0 ntMcastDrop 0
ntAccounting 0 ntAsyncIndex 0
ntACkReordering 0 ntAccelAckInfo 0
ntMonitorPacket 0 ntPacketCapture 0
ntCpasPacketCapture 0 ntPSLGlueUpdateReject 0
ntSeqVerifyDrop 0 ntPacketForwardBefore 0
ntICMPMessage 0 ntQoSReclassifyPacket 0
ntQoSResumePacket 0 ntVPNEncHaLinkFailure 0
ntVPNEncLsLinkFailure 0 ntVPNEncRouteChange 0
ntVPNDecVerRouteChang 0 ntVPNDecRouteChange 0
ntMuxSimToFw 0 ntPSLEventLog 0
ntSendCPHWDStats 39375 ntPacketTaggingViolat 0
ntDosNotify 0 ntSynatkNotify 0
ntSynatkStats 0 ntQoSEventLog 0
ntPrintGetParam 0
[Expert@MyGW:0]#

/proc/ppk/profile_cpu_stat

Description
This file is for Check Point use only.
Contains IDs of the CPU cores and status of Traffic Profiling:
- The first column shows the IDs of the CPU cores.
- The second column shows the status of Traffic Profiling for the applicable CPU core.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/profile_cpu_stat
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/profile_cpu_stat

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/profile_cpu_stat
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/profile_cpu_stat

Example for IPv4 from a Security Gateway with 4 CPU cores

[Expert@MyGW:0]# cat /proc/ppk/profile_cpu_stat
0 0
1 0
2 0
3 0
[Expert@MyGW:0]#

/proc/ppk/rlc

Description
Contains SecureXL statistics for drops due to Rate Limiting for DoS Mitigation.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/rlc

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/rlc

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/rlc
Total drop packets : 0
Total drop bytes : 0
[Expert@MyGW:0]#

/proc/ppk/statistics

Description
Contains SecureXL overall statistics.
For a more readable view of these statistics, run the "fwaccel stats" command (see "fwaccel stats" on page 1374).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/statistics
[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/statistics
[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/statistics
Name Value Name Value
-------------------- --------------- -------------------- ---------------
accel packets 0 accel bytes 0
outbound packets 0 outbound bytes 0
conns created 0 conns deleted 0
current total conns 0 TCP conns 0
non TCP conns 0 nat conns 0
dropped packets 728 dropped bytes 107978
fragments received 0 fragments transmit 0
fragments dropped 0 fragments expired 0
IP options stripped 0 IP options restored 0
IP options dropped 0 corrs created 0
corrs deleted 0 C corrections 0
corrected packets 0 corrected bytes 0
crypt conns 0 enc bytes 0
dec bytes 0 ESP enc pkts 0
ESP enc err 0 ESP dec pkts 0
ESP dec err 0 ESP other err 0
espudp enc pkts 0 espudp enc err 0
espudp dec pkts 0 espudp dec err 0
espudp other err 0 acct update interval 3600
CPASXL packets 0 PSLXL packets 0
CPASXL async packets 0 PSLXL async packets 0
CPASXL bytes 0 PSLXL bytes 0
CPASXL conns 0 PSLXL conns 0
CPASXL conns created 0 PSLXL conns created 0
PXL FF conns 0 PXL FF packets 0
PXL FF bytes 0 PXL FF acks 0
PXL no conn drops 0 PSL Inline packets 0
PSL Inline bytes 0 CPAS Inline packets 0
CPAS Inline bytes 0 Total QoS conns 0
CLASSIFY 0 CLASSIFY_FLOW 0
RECLASSIFY_POLICY 0 Enq-IN FW pkts 0
Enq-OUT FW pkts 0 Deq-IN FW pkts 0
Deq-OUT FW pkts 0 Enq-IN FW bytes 0
Enq-OUT FW bytes 0 Deq-IN FW bytes 0
Deq-OUT FW bytes 0 Enq-IN AXL pkts 0
Enq-OUT AXL pkts 0 Deq-IN AXL pkts 0
Deq-OUT AXL pkts 0 Enq-IN AXL bytes 0
Enq-OUT AXL bytes 0 Deq-IN AXL bytes 0
Deq-OUT AXL bytes 0 F2F packets 0
F2F bytes 0 TCP violations 0
F2V conn match pkts 0 F2V packets 0
F2V bytes 0 gtp tunnels created 0
gtp tunnels 0 gtp accel pkts 0
gtp f2f pkts 0 gtp spoofed pkts 0
gtp in gtp pkts 0 gtp signaling pkts 0
gtp tcpopt pkts 0 gtp apn err pkts 0
memory used 38799384 C tcp handshake conn 0
C tcp estab. conns 0 C tcp closed conns 0
C tcp pxl hnshk conn 0 C tcp pxl est. conn 0
C tcp pxl closed 0 ob cpasxl packets 0
ob pslxl packets 0 ob cpasxl bytes 0
ob pslxl bytes 0 DNS DoR stats 0
trimmed pkts
[Expert@MyGW:0]#

/proc/ppk/stats

Description
Contains the IRQ numbers and names of interfaces the SecureXL uses.

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/stats

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/stats

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/stats
IRQ | Interface
---------------------------
18 eth0
16 eth1
17 eth2
18 eth3
19 eth4
[Expert@MyGW:0]#

/proc/ppk/viol_statistics

Description
Contains SecureXL statistics for violations - packets SecureXL forwarded (F2F) to the
Firewall.

Note - This is the same information that the "fwaccel stats -p" command shows
(see "fwaccel stats" on page 1374).

Syntax for IPv4

[Expert@MyGW:0]# ls -lR /proc/ppk/
[Expert@MyGW:0]# cat /proc/ppk/viol_statistics

Syntax for IPv6

[Expert@MyGW:0]# ls -lR /proc/ppk6/
[Expert@MyGW:0]# cat /proc/ppk6/viol_statistics

Example for IPv4

[Expert@MyGW:0]# cat /proc/ppk/viol_statistics
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 4
TCP-SYN miss conn 356 TCP-other miss conn 1386954
UDP miss conn 943355 other miss conn 0
VPN returned F2F 0 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
out if not def/accl 0 bridge, src=dst 0
routing decision err 0 sanity checks failed 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 250859051 cluster forward 0
chain forwarding 0 F2V conn match pkts 0
general reason 0 route changes 0

[Expert@MyGW:0]#
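The statistics files above (drop_statistics, viol_statistics, statistics and the others) share the same two-column "Name Value Name Value" layout, and their counters are cumulative, so what matters operationally is how much a counter moved between two reads. The script below, an added example that is not Check Point code, parses that layout without relying on column alignment (a name is every word up to the next integer token), diffs two snapshots, and reports movement in the counters from the drop and violation tables above that point at spoofing or DoS-mitigation activity; the two drop_statistics snapshots are constructed, and the viol_statistics sample is a subset of the page's example.

```python
"""Parse the two-column counter layout of /proc/ppk/drop_statistics,
/proc/ppk/viol_statistics, /proc/ppk/statistics and the related files,
diff two snapshots, and surface security-relevant movement.
Added example; not Check Point code."""
import re

# Constructed sample: two reads of /proc/ppk/drop_statistics a minute apart,
# trimmed to a few rows of the layout shown above (values are made up).
DROP_T0 = """\
Reason               Packets         Reason               Packets
-------------------- --------------- -------------------- ---------------
general reason       0               CPASXL decision      0
anti spoofing        17              local spoofing       0
DOS Rate Limiting    120             Syn Attack           0
[Expert@MyGW:0]#
"""
DROP_T1 = """\
Reason               Packets         Reason               Packets
-------------------- --------------- -------------------- ---------------
general reason       0               CPASXL decision      3
anti spoofing        29              local spoofing       0
DOS Rate Limiting    123             Syn Attack           0
[Expert@MyGW:0]#
"""

# Rows taken from the /proc/ppk/viol_statistics example above.
VIOL_SAMPLE = """\
Violation            Packets         Violation            Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options   0               ICMP miss conn       4
TCP-SYN miss conn    356             TCP-other miss conn  1386954
possible spoof viol  0               TCP state viol       0
cluster message      250859051       cluster forward      0
"""

# Counter names from the drop and violation tables above that point at
# spoofing or DoS-mitigation activity rather than at ordinary traffic.
WATCH = (
    "anti spoofing", "local spoofing", "monitored spoofed",
    "DOS Fragments", "DOS IP Options", "DOS Blacklists", "DOS Penalty Box",
    "DOS Rate Limiting", "Syn Attack", "possible spoof viol", "TCP state viol",
)

_INT = re.compile(r"^-?\d+$")


def parse_counters(text):
    """Map counter name -> value.  Tokens are read left to right: every
    non-integer token joins the current name and an integer token closes it,
    so the parser works regardless of how the columns are padded.  Header
    words, ruler lines and the shell prompt never reach an integer and are
    discarded, as is a trailing name with no value."""
    counters = {}
    for line in text.splitlines():
        words = []
        for tok in line.split():
            if _INT.match(tok):
                if words:
                    counters[" ".join(words)] = int(tok)
                words = []
            else:
                words.append(tok)
    return counters


def diff_counters(before, after):
    """Per-counter increase between two snapshots (a counter missing from
    the first read counts from zero)."""
    return {name: value - before.get(name, 0) for name, value in after.items()}


def watched_movement(delta, watch=WATCH):
    """Watch-list counters that moved since the previous read."""
    return {name: inc for name, inc in delta.items() if name in watch and inc > 0}


if __name__ == "__main__":
    moved = watched_movement(diff_counters(parse_counters(DROP_T0),
                                           parse_counters(DROP_T1)))
    for name, inc in sorted(moved.items()):
        print(f"{name}: +{inc} dropped packets since the last read")
```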

SecureXL Debug
To understand how SecureXL processes the traffic, enable the SecureXL debug while the
traffic passes through the Security Gateway.

Warning - Debug increases the load on the Security Gateway's CPU. We recommend that you schedule a maintenance window to debug SecureXL.

fwaccel dbg

Description
The fwaccel dbg command controls the SecureXL debug. See "SecureXL Debug Procedure"
on page 1483.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax in Gaia Clish or the Expert mode on a Security Gateway / ClusterXL:

fwaccel dbg
-h
-m <Name of SecureXL Debug Module>
all
+ <Debug Flags>
- <Debug Flags>
reset
-f {"<5-Tuple Debug Filter>" | reset}
list
resetall

Parameters

Parameter                       Description

-h                              Shows the applicable built-in help.

-m <Name of SecureXL            Specifies the name of the SecureXL debug module.
Debug Module>                   To see the list of available debug modules, run:
                                fwaccel dbg

all                             Enables all debug flags for the specified debug module.

+ <Debug Flags>                 Enables the specified debug flags for the specified debug
                                module.
                                Syntax:
                                + Flag1 [Flag2 Flag3 ... FlagN]
                                Note - You must press the space bar key after the plus (+)
                                character.

- <Debug Flags>                 Disables the specified debug flags for the specified debug
                                module.
                                Syntax:
                                - Flag1 [Flag2 Flag3 ... FlagN]
                                Note - You must press the space bar key after the minus (-)
                                character.

reset                           Resets all debug flags for the specified debug module to
                                their default state.

-f "<5-Tuple Debug Filter>"     Configures the debug filter to show only debug messages
                                that contain the specified connection.
                                The filter is a string of five values separated with commas:
                                "<Source IP Address>,<Source Port>,<Destination IP
                                Address>,<Destination Port>,<Protocol Number>"
                                Notes:
                                - You can configure only one debug filter at one time.
                                - You can use the asterisk "*" as a wildcard for an
                                  IP Address, Port number, or Protocol number. Quote the
                                  filter so that the shell does not expand the asterisk.
                                - For more information, see IANA Service Name and Port
                                  Number Registry and IANA Protocol Numbers.

-f reset                        Resets the current debug filter.

list                            Shows all enabled debug flags in all debug modules.

resetall                        Resets all debug flags for all debug modules to their
                                default state.

Examples
Example 1 - Default output
[Expert@MyGW:0]# fwaccel dbg
Usage: fwaccel dbg [-m <...>] [resetall | reset | list | all | +/- <flags>]
-m <module> - module of debugging
-h - this help message
resetall - reset all debug flags for all modules
reset - reset all debug flags for module
all - set all debug flags for module
list - list all debug flags for all modules
-f reset | "<5-tuple>" - filter debug messages
+ <flags> - set the given debug flags
- <flags> - unset the given debug flags

List of available modules and flags:

Module: default (default)
err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf stat queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

Module: db
err get save del tmpl tmo init ant profile nmr nmt

Module: api
err init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf
upd_if_inf add_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_
ver del_all_tmpl get_state upd_link_sel

Module: pkt
err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user
deliver vlan pkt nat wrp corr caf

Module: infras
err reorder pm

Module: tmpl
err dtmpl_get dtmpl_notif tmpl

Module: vpn
err vpnpkt linksel routing vpn

Module: nac
err db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaq
init client server exp cbuf opreg transport transport_utils error

Module: synatk
init conf conn err log pkt proxy state msg

Module: adp
err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#

Example 2 - Enabling and disabling of debug flags

[Expert@MyGW:0]# fwaccel dbg -m default + err conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)
err conn

Module: db (1)
err

Module: api (1)
err

Module: pkt (1)
err

Module: infras (1)
err

Module: tmpl (1)
err

Module: vpn (1)
err

Module: nac (1)
err

Module: cpaq (100)
error

Module: synatk (0)

Module: adp (1)
err

Module: dos (10)
err

Debug filter not set.


[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default - conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)
err

Module: db (1)
err

Module: api (1)
err

Module: pkt (1)
err

Module: infras (1)
err

Module: tmpl (1)
err

Module: vpn (1)
err

Module: nac (1)
err

Module: cpaq (100)
error

Module: synatk (0)

Module: adp (1)
err

Module: dos (10)
err

Debug filter not set.


[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default reset
Debug flags updated.
[Expert@MyGW:0]#

Example 3 - Resetting all debug flags in all debug modules


[Expert@MyGW:0]# fwaccel dbg resetall
Debug state was reset to default.
[Expert@MyGW:0]#

Example 4 - Configuring debug filter for an SSH connection from 192.168.20.30 to 172.16.40.50
The filter is quoted so that the shell passes the asterisk to the command instead of expanding it.
[Expert@MyGW:0]# fwaccel dbg -f "192.168.20.30,*,172.16.40.50,22,6"
Debug filter was set.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: "<*,*,*,*,*>"


[Expert@MyGW:0]#

SecureXL Debug Procedure


By default, SecureXL writes the debug output to the /var/log/messages file.
To collect the applicable SecureXL debug and to make its analysis easier, follow the steps
below.

Note - For more information, see the R80.40 Quantum Security Gateway Guide -
Chapter Kernel Debug on Security Gateway.

Important:
- We strongly recommend that you schedule a full maintenance window to minimize the
  impact on your production traffic.
- We strongly recommend that you connect over a serial console to your Security
  Gateway. This avoids the situation where you cannot work with the CLI because of a
  high load on the CPU.
- In a cluster, you must collect this debug from all Cluster Members in the same way.
- Debug a specific SecureXL instance only when you are sure that only that SecureXL
  instance processes the traffic.

Procedure

1. Connect to the command line on your Security Gateway

   Use an SSH or a console connection.

   Best Practice - Use a console connection.

2. Log in to the Expert mode

   If the default shell is Gaia Clish, then run:

   expert

3. Reset all kernel debug flags in all kernel debug modules

   Run:

   fw ctl debug 0

4. Reset all the SecureXL debug flags in all SecureXL debug modules

   - For all SecureXL instances, run:

     fwaccel dbg resetall

   - For a specific SecureXL instance, run:

     fwaccel -i <SecureXL ID> dbg resetall

5. Allocate the kernel debug buffer

   Run:

   fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}]

   Note - The optional part "-v {"<List of VSIDs>" | all}" specifies the applicable
   Virtual Systems on a VSX Gateway or VSX Cluster Member.

6. Make sure the Security Gateway allocated the kernel debug buffer

   Run:

   fw ctl debug | grep buffer

7. Configure the applicable kernel debug modules and kernel debug flags

   Run:

   fw ctl debug -m <Name of Kernel Debug Module> {all | + <Kernel Debug Flags>}

8. Configure the applicable SecureXL debug modules and SecureXL debug flags

   - For all SecureXL instances, run:

     fwaccel dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}

   - For a specific SecureXL instance, run:

     fwaccel -i <SecureXL ID> dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}

   See "SecureXL Debug Modules and Debug Flags" on page 1487.

9. Examine the kernel debug configuration for kernel debug modules

   Run:

   fw ctl debug

10. Examine the SecureXL debug configuration for SecureXL debug modules

    - For all SecureXL instances, run:

      fwaccel dbg list

    - For a specific SecureXL instance, run:

      fwaccel -i <SecureXL ID> dbg list

11. Remove all entries from both the Firewall Connections table and the SecureXL
    Connections table

    Run:

    fw tab -t connections -x -y

    Important:
    - This step makes sure that you collect the debug of the real issue, not affected
      by the existing connections.
    - This command deletes all existing connections. This interrupts all connections,
      including your own SSH session. Run this command only if you are connected over
      a serial console to your Security Gateway.

12. Remove all entries from the Firewall Templates table

    Run:

    fw tab -t cphwd_tmpl -x -y

    Note - This command does not interrupt the existing connections. This step makes
    sure that you collect the debug of the real issue, not affected by the existing
    connection templates.

13. Start the kernel debug

    Run:

    fw ctl kdebug -T -f > /var/log/kernel_debug.txt

14. Replicate the issue, or wait for the issue to occur

    Perform the steps that cause the issue to occur, or wait for it to occur.

15. Stop the kernel debug

    Press CTRL+C.

16. Reset all kernel debug flags in all kernel debug modules

    Run:

    fw ctl debug 0

17. Reset all the SecureXL debug flags in all SecureXL debug modules

    - For all SecureXL instances, run:

      fwaccel dbg resetall

    - For a specific SecureXL instance, run:

      fwaccel -i <SecureXL ID> dbg resetall

18. Examine the kernel debug configuration to make sure it returned to the default

    Run:

    fw ctl debug

19. Examine the SecureXL debug configuration to make sure it returned to the default

    - For all SecureXL instances, run:

      fwaccel dbg list

    - For a specific SecureXL instance, run:

      fwaccel -i <SecureXL ID> dbg list

20. Collect and analyze the debug output file

    Path to the debug output file:

    /var/log/kernel_debug.txt

    Best Practice - Compress this file with the "tar -zcvf" command and transfer it from
    the Security Gateway to your computer. If you transfer it to an FTP server, do so in
    the binary mode.

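Steps 3 to 19 are a fixed sequence around one capture, and the risk in running them by hand is leaving debug flags enabled when the session dies in the middle (step 13 only returns on CTRL+C, and a dropped SSH session interrupts everything). The script below is an added example, not a Check Point tool: it runs that sequence for one SecureXL module, validates an optional 5-tuple filter in the format described for "fwaccel dbg -f" before it enables anything, and installs a trap so that the reset steps (16 and 17, plus "fwaccel dbg -f reset") run however the capture ends. It deliberately leaves out step 7 (Firewall kernel module flags) and step 11 (flushing the Connections table, which kills your own SSH session); add those by hand when the case needs them. The commands, the -buf 8200 value and the output path are taken from the procedure; the script name sxl_debug.sh and the argument layout are this example's own.

```sh
#!/bin/sh
# sxl_debug.sh - wrap the SecureXL debug procedure above for one capture.
# Added example, not a Check Point tool. Run from Expert mode, over a console.
#
# usage: sxl_debug.sh <module> "<flags>" ["<5-tuple filter>"] [output file]
#   e.g. sxl_debug.sh pkt "err f2f drop" "192.168.20.30,*,172.16.40.50,22,6"

# --- 5-tuple filter validation (the format accepted by "fwaccel dbg -f") ----------

# $1 is '*' or a dotted quad with every octet in 0..255
is_ipv4() {
  if [ "$1" = '*' ]; then return 0; fi
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  if [ $# -ne 4 ]; then return 1; fi
  for _o in "$@"; do
    if [ "$_o" -gt 255 ]; then return 1; fi
  done
  return 0
}

# $1 is '*' or an integer not larger than $2 (65535 for ports, 255 for protocols)
in_range() {
  if [ "$1" = '*' ]; then return 0; fi
  case "$1" in ''|*[!0-9]*|???????*) return 1 ;; esac
  [ "$1" -le "$2" ]
}

# Accepts "<src ip>,<src port>,<dst ip>,<dst port>,<protocol>"; any field may be '*'.
# set -f keeps the shell from turning a '*' field into a directory listing.
sxl_filter_check() {
  set -f; _ifs=$IFS; IFS=,; set -- $1; IFS=$_ifs; set +f
  if [ $# -ne 5 ]; then return 1; fi
  is_ipv4 "$1" && in_range "$2" 65535 && is_ipv4 "$3" && in_range "$4" 65535 && in_range "$5" 255
}

# --- the procedure ---------------------------------------------------------------

# Steps 16-19 plus the filter reset; also runs on CTRL+C, kill, or a dropped session.
sxl_cleanup() {
  trap - EXIT INT TERM HUP
  fw ctl debug 0
  fwaccel dbg resetall
  fwaccel dbg -f reset
  fw ctl debug
  fwaccel dbg list
  if [ -s "$SXL_OUT" ]; then
    tar -zcvf "$SXL_OUT.tgz" -C "$(dirname "$SXL_OUT")" "$(basename "$SXL_OUT")"
  fi
}

sxl_debug_main() {
  module=$1; flags=$2; filter=${3:-}
  SXL_OUT=${4:-/var/log/kernel_debug.txt}
  if [ -z "$module" ] || [ -z "$flags" ]; then
    echo 'usage: sxl_debug.sh <module> "<flags>" ["<5-tuple filter>"] [output file]' >&2; exit 2
  fi
  if [ -n "$filter" ] && ! sxl_filter_check "$filter"; then
    echo "invalid 5-tuple filter: $filter" >&2; exit 2
  fi
  trap sxl_cleanup EXIT INT TERM HUP
  fw ctl debug 0                                   # step 3
  fwaccel dbg resetall                             # step 4
  fw ctl debug -buf 8200                           # step 5
  fw ctl debug | grep -q buffer || { echo 'kernel debug buffer not allocated' >&2; exit 3; }  # step 6
  fwaccel dbg -m "$module" + $flags                # step 8; $flags unquoted: one word per flag
  if [ -n "$filter" ]; then fwaccel dbg -f "$filter"; fi
  fw ctl debug                                     # step 9
  fwaccel dbg list                                 # step 10
  echo "Writing to $SXL_OUT. Reproduce the issue, then press CTRL+C." >&2
  fw ctl kdebug -T -f > "$SXL_OUT"                 # step 13; returns on CTRL+C (step 15)
}

# Run the procedure only when invoked as the script itself; sourcing the file just
# defines the functions, so sxl_filter_check can be exercised off the gateway.
case "${0##*/}" in sxl_debug.sh) sxl_debug_main "$@" ;; esac
```

The trap is the point of the script: "exit 3" on a missing buffer, a CTRL+C during the capture and a HUP from a lost console all end in sxl_cleanup, so the gateway never stays in debug because the operator's session went away.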
SecureXL Debug Modules and Debug Flags


To see the available SecureXL debug modules and their debug flags, run the "fwaccel dbg" on
page 1477 command.
Module "default"

Flag Description

acct Connection accounting information

ant Anticipated connections

conf Configuration of the SecureXL (for example, interfaces)

conn Processing of connections

conn_app Processing of connections

corr Correction layer

cpdrv Currently not in use

del Deletion of connections

drv Driver information

err General errors

gtp Processing of GTP tunnel connections

gtp_pkt Processing of GTP tunnel packets

htab Hash table

infra_ids Allocating IDs for a given range in Identity Awareness

init Initialization

ioctl Changes in the configuration, which were initiated from the user space

iter Connection table iterator

kdrv Driver information

lock Lock initializing and finalizing

nat Processing of NAT connections

offload Offloading of connections from the Firewall to the SecureXL

queue Connections queue

relations Related connections (such as FTP data connections)

rngs Handling of SecureXL ranges

rngs_print Printing of SecureXL ranges

routing Handling of SecureXL routing

stat Handling of SecureXL statistics

svm Registering templates or connections for System Counters in the Security Gateway
object in SmartConsole

tag Tags that were added to the packets by the SecureXL before
forwarding them to the Firewall

tcp_sv Verification of sequence in TCP packets

update Updates of connections

util Utilization

Module "pkt" (Packet)

Flag Description

acct Connection accounting information

caf Mirror and Decrypt feature - Mirror only of all traffic

corr Correction layer

cpls ClusterXL Load Sharing

deliver Packet delivery

drop Packets dropped by SecureXL

err General errors

f2f Reason for forwarding a packet to the Firewall

frag Processing of fragments

nat Processing of NAT connections

notif Notifications sent to the Firewall

pkt Processing of packets

pxl PXL (PacketXL) handling - API between the SecureXL and PSL (Packet Streaming Layer),
which is a TCP Streaming engine that parses TCP streams

qos QoS acceleration

routing Handling of SecureXL routing

spoof Handling of SecureXL Anti-Spoofing

sv Validation of sequence in TCP packets

tcp_state Validation of TCP state in TCP packets

tcp_state_pkt Validation of TCP packets

user Currently not in use

vlan Handling of VLAN tags

wrp Handling of WRP interfaces in VSX

Module "db" (Database)

Flag Description

ant Anticipated connections

del Deleting of data from the SecureXL database

err General errors

get Retrieving of data from the SecureXL database

init Initializing and finalizing of SecureXL database

nmr "No Match Ranges" templates, which allow SecureXL Accept Templates
for rules that contain Dynamic objects or Domain objects (or for rules
located below such rules)

nmt "No Match Time" templates, which allow SecureXL Accept Templates for
rules that contain Time objects (or for rules located below such rules)

profile Operations on the profile table

save Saving of data to the SecureXL database

tmo Handling of timeouts for SecureXL database entries

tmpl Handling of SecureXL templates database

Module "api" (Application Programmable Interface)

Flag Description

acct Connection accounting information

add Adding of connections

add_sa Offloading of VPN SA to SecureXL

conf Configuration of the SecureXL (for example, interfaces)

del Deletion of connections

del_all_sas Deletion of all VPN SAs from SecureXL

del_all_tmpl Deletion of the SecureXL Templates

del_sa Deletion of VPN SA from SecureXL

err General errors

get_features Getting features buffer (in SecureXL initialization)

get_stat Retrieving of SecureXL statistics

get_state Getting the connection state from SecureXL

get_tab Some extra printouts when processing SecureXL tables

gtp Processing of GTP tunnel connections

infra SecureXL infrastructure

init Enabling and disabling of SecureXL

long_ver Prints additional verbose information about connections

misc Prints additional information about SecureXL internals

notif Notifications sent to the Firewall

pxl PXL (PacketXL) handling - API between the SecureXL and PSL (Packet Streaming Layer),
which is a TCP Streaming engine that parses TCP streams

qos QoS acceleration

reset_stat Prints statistics IDs that are reset

stat Handling of SecureXL statistics

sv Validation of sequence in TCP packets

tag Tags that were added to the packets by the SecureXL before forwarding them to the
Firewall

tmpl Handling of SecureXL Templates

tmpl_info Information about SecureXL Templates

upd_conf Update of SecureXL in ClusterXL Load Sharing

upd_if_inf Prints some text that shows if SecureXL updated information about interfaces

upd_link_sel Updates of VPN Link Selection

update Updates of connections

vpn Processing of VPN connections

Module "adp"

Reserved for future use.

Module "infras" (Identity Awareness - Identities Infrastructure)

Flag Description

err General errors

pm Pattern Matcher

reorder Reordering of packets in queue

Module "nac" (Identity Awareness - Network Access Control)

Flag Description

db Updating, adding, deleting of identities

db_get Updating, fetching, searching of identities

err General errors

idnt Identity Tags

ioctl Changes in the configuration, which were initiated from the user space

nac Network Access Control

offload Offloading of connections from the Firewall to the SecureXL

pkt Forwarding of connections to the Firewall (when identity is not found or revoked, or
NAC packet tagging verification failed)

pkt_ex NAC packet-tagging verification

signature Signing of packets

Module "vpn" (VPN)

Flag Description

err General errors

linksel VPN Link Selection

routing VPN Encryption routing information

vpn Processing of VPN connections

vpnpkt Processing of VPN packets

Module "cpaq" (Internal Asynchronous Queue)

Flag Description

cbuf Information about queue buffers

client Information about queue clients

error General errors

exp Information about expiration of queue items

init Initializing of queue

opreg Currently not in use

server Information about queue servers

transport Information about sending messages in queue

transport_utils Additional information about sending messages in queue

Module "dos" (Denial of Service Defender)

Flag Description

detailed Detailed tracing of DoS Rate Limiting logic in the packet flow.
Important - This debug flag is not suitable for large traffic volumes
because it prints a large number of messages. This causes high load on
the CPU.

drop Dropped packets

err General errors

fw1-cfg Information about DoS Rate Limiting configuration in the Firewall kernel
module

fw1-pkt Information about DoS Rate Limiting packet flow in the Firewall kernel
module

sim-cfg Information about DoS Rate Limiting configuration in the SecureXL


kernel module

sim-pkt Information about DoS Rate Limiting packet flow in the SecureXL kernel
module

Module "synatk" (Accelerated SYN Defender)

Flag Description

conf Receiving and updating of the Accelerated SYN Defender module's configuration

conn Handling of TCP connections

err General errors

init Initializing of the Accelerated SYN Defender module

log Prints time of the last sent monitor log and interval between the monitor logs

msg Information about internal messages in the Accelerated SYN Defender module

pkt Handling of TCP packets

proxy Currently not in use

state Information about states of the Accelerated SYN Defender module

Module "tmpl" (Drop Templates)

Flag Description

err General errors

dtmpl_get Getting of Drop Templates

dtmpl_notif Notifications about Drop Templates

tmpl Information about Drop Templates

CoreXL Commands
For more information about CoreXL, see the R80.40 Performance Tuning Administration
Guide - Chapter CoreXL.

cp_conf corexl
Description
Enables or disables CoreXL.
For more information, see the R80.40 Performance Tuning Administration Guide.

Important:
- This command is for Check Point use only.
  To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on
  page 936 menu.
- After all changes in the CoreXL configuration on the Security Gateway, you must
  reboot it.
- In a Cluster, you must configure all the Cluster Members in the same way.

Syntax
- To enable CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall
  instances:

  cp_conf corexl [-v] enable [n] [-6 k]

- To disable CoreXL:

  cp_conf corexl [-v] disable

The related command is "fwboot corexl" on page 1176.

Parameters

Parameter Description

-v Leaves the high memory (vmalloc) unchanged.

n Denotes the number of IPv4 CoreXL Firewall instances.

k Denotes the number of IPv6 CoreXL Firewall instances.

Example
Currently, the Security Gateway runs two IPv4 CoreXL Firewall instances (KERN_INSTANCE_NUM = 2).
We change the number of IPv4 CoreXL Firewall instances to three.

[Expert@MyGW:0]# fw ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 2
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# cp_conf corexl -v enable 3
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# reboot
.. ... ...
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10
[Expert@MyGW:0]#

dynamic_split
Description
On Check Point Appliances, R80.40 added the ability to change the number of CoreXL
Firewall and SND instances without reboot (Dynamic Split).

Important:
- By default, this feature is disabled.
- We do not recommend manual configuration of CoreXL Firewall and SND instances,
  because such configuration disables the CoreXL Dynamic Split.
  To enable the CoreXL Dynamic Split again, you must disable it and enable it.
- For CoreXL Dynamic Split requirements, see sk164155.

The dynamic_split command controls the Dynamic Split of CoreXL Firewall and SND
instances on the local Security Gateway, or Cluster Member.
For more information, see R80.40 Performance Tuning Administration Guide - Chapter
CoreXL.

Syntax

dynamic_split
-o disable
-o enable
-o start
-o stop
Important:
- You must run these commands in the Expert mode.
- In a Cluster, you must configure all the Cluster Members in the same way.

Parameters

Parameter Description

No Parameters Shows the applicable built-in help.

-o disable Disables the CoreXL Dynamic Split.
           Important:
           - When you disable this feature, the CoreXL configuration returns to the
             default.
           - After you disable this feature, the Security Gateway requires a reboot.
             The command shows the applicable message.

-o enable Enables the CoreXL Dynamic Split.
          Important:
          - After you enable this feature, the Security Gateway requires a reboot.
            The command shows the applicable message.
          - After the boot, you can stop and start this feature without reboot.

-o start Starts the CoreXL Dynamic Split after it was stopped.
         Important:
         - When you start this feature, the Security Gateway continues to change the
           CoreXL split configuration automatically based on the CPU utilization.
         - This change survives the reboot.

-o stop Stops the CoreXL Dynamic Split.
        Important:
        - When you stop this feature, the Security Gateway uses the last CoreXL split
          configuration.
        - This change survives the reboot.

fw ctl multik
Description
The fw ctl multik and fw6 ctl multik commands control CoreXL for IPv4 and IPv6, respectively.

Syntax for IPv4

fw ctl multik
add_bypass_port <options>
del_bypass_port <options>
dynamic_dispatching <options>
gconn <options>
get_instance <options>
print_heavy_conn
prioq <options>
show_bypass_ports
stat
start
stop
utilize

Syntax for IPv6

fw6 ctl multik
add_bypass_port <options>
del_bypass_port <options>
dynamic_dispatching <options>
gconn <options>
get_instance <options>
print_heavy_conn
prioq <options>
show_bypass_ports
stat
start
stop
utilize

Parameters

Parameter Description

add_bypass_port <options> Adds the specified TCP and UDP ports to the CoreXL Dynamic
Dispatcher bypass list.
See "fw ctl multik add_bypass_port" on page 1502.

del_bypass_port <options> Removes the specified TCP and UDP ports from the CoreXL
Dynamic Dispatcher bypass list.
See "fw ctl multik del_bypass_port" on page 1504.

dynamic_dispatching <options> Shows and controls the CoreXL Dynamic Dispatcher (see
sk105261).
See "fw ctl multik dynamic_dispatching" on page 1506.

gconn <options> Shows statistics about CoreXL Global Connections.
See "fw ctl multik gconn" on page 1507.

get_instance <options> Shows the CoreXL Firewall instance that processes the specified
IPv4 connection.
See "fw ctl multik get_instance" on page 1512.

print_heavy_conn Shows the table with Heavy Connections (that consume the most CPU
resources) in the CoreXL Dynamic Dispatcher.
See "fw ctl multik print_heavy_conn" on page 1514.

prioq <options> Configures the CoreXL Firewall Priority Queues (see sk105762).
See "fw ctl multik prioq" on page 1516.

show_bypass_ports Shows the TCP and UDP ports configured in the bypass port list of the
CoreXL Dynamic Dispatcher.
See "fw ctl multik show_bypass_ports" on page 1517.

stat Shows the CoreXL status.
See "fw ctl multik stat" on page 1518.

start Starts all CoreXL Firewall instances on-the-fly.
See "fw ctl multik start" on page 1520.

stop Stops all CoreXL Firewall instances temporarily.
See "fw ctl multik stop" on page 1521.

utilize Shows the CoreXL queue utilization for each CoreXL Firewall instance.
See "fw ctl multik utilize" on page 1522.

fw ctl multik add_bypass_port

Description
Adds the specified TCP and UDP ports to the bypass port list of the CoreXL Dynamic
Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261.

Important - This command saves the configuration in the $FWDIR/conf/dispatcher_bypass.conf
file. You must not edit this file manually.

Syntax

fw ctl multik add_bypass_port <Port Number 1>,<Port Number 2>,...,<Port Number N>

Parameters

Parameter Description

<Port Number> Specifies the numbers of TCP and UDP ports to add to the list.

Important - You can add 10 ports maximum.

Example

[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888,9999)
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999
[Expert@MyGW:0]#

fw ctl multik del_bypass_port

Description
Removes the specified TCP and UDP ports from the bypass port list of the CoreXL Dynamic
Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261.

Important - This command saves the configuration in the $FWDIR/conf/dispatcher_bypass.conf
file. You must not edit this file manually.

Syntax

fw ctl multik del_bypass_port <Port Number 1>,<Port Number 2>,...,<Port Number N>

Parameters

Parameter Description

<Port Number> Specifies the numbers of TCP and UDP ports to remove from the list.

Example

[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888,9999)
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik del_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]
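The add_bypass_port and del_bypass_port examples above show the same list in two forms: the persisted $FWDIR/conf/dispatcher_bypass.conf, which must never be edited by hand, and the live kernel list from "fw ctl multik show_bypass_ports". A hand-edited or half-applied file is easiest to catch by parsing both forms and comparing them. The functions below are an added example, not Check Point code; the sample texts are constructed copies of the outputs above, and the 10-port ceiling is the limit stated for add_bypass_port.

```sh
#!/bin/sh
# Cross-check the CoreXL Dynamic Dispatcher bypass list: persisted file vs. live kernel list.
# Added example, not a Check Point tool.

# Constructed samples, copied from the add_bypass_port / del_bypass_port examples above.
BYPASS_CONF_SAMPLE='dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999'
BYPASS_LIVE_SAMPLE='dynamic dispatcher bypass port list:
(8888,9999)'

# stdin: dispatcher_bypass.conf; stdout: one port per line, numerically sorted
bypass_conf_ports() {
  sed -n 's/^dynamic_dispatcher_bypass_port_table=//p' | tr ',' '\n' | sed '/^$/d' | sort -n
}

# stdin: dispatcher_bypass.conf; stdout: the declared port count (empty if missing)
bypass_conf_number() {
  sed -n 's/^dynamic_dispatcher_bypass_ports_number *= *//p'
}

# stdin: "fw ctl multik show_bypass_ports" output; stdout: one port per line, sorted
bypass_live_ports() {
  sed -n 's/^(\(.*\))$/\1/p' | tr ',' '\n' | sed '/^$/d' | sort -n
}

# $1: conf text, $2: live output. Returns 0 when the file is well formed and both
# lists agree; otherwise reports the first problem on stderr and returns 1.
bypass_check() {
  conf_ports=$(printf '%s\n' "$1" | bypass_conf_ports)
  declared=$(printf '%s\n' "$1" | bypass_conf_number)
  actual=$(printf '%s\n' "$conf_ports" | awk 'NF { n++ } END { print n + 0 }')
  live_ports=$(printf '%s\n' "$2" | bypass_live_ports)

  case "$declared" in ''|*[!0-9]*) echo "bad or missing ports_number line" >&2; return 1 ;; esac
  if [ "$declared" -ne "$actual" ]; then
    echo "ports_number says $declared but the table has $actual ports" >&2; return 1
  fi
  if [ "$actual" -gt 10 ]; then
    echo "table has $actual ports; add_bypass_port allows 10 at most" >&2; return 1
  fi
  for p in $conf_ports; do
    case "$p" in ''|*[!0-9]*) echo "non-numeric port '$p'" >&2; return 1 ;; esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then echo "port $p out of range" >&2; return 1; fi
  done
  if [ "$conf_ports" != "$live_ports" ]; then
    echo "file and kernel disagree: file=[$(echo $conf_ports)] kernel=[$(echo $live_ports)]" >&2
    return 1
  fi
  return 0
}

# On a gateway:
#   bypass_check "$(cat $FWDIR/conf/dispatcher_bypass.conf)" "$(fw ctl multik show_bypass_ports)"
```

Both lists are sorted numerically before the comparison, so the check is insensitive to the order in which ports were added and only reports a real difference in membership.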

fw ctl multik dynamic_dispatching

Description
Shows and controls the CoreXL Dynamic Dispatcher, which assigns new connections to
CoreXL Firewall instances based on the utilization of the CPU cores.
For more information, see sk105261.

Syntax for IPv4

fw ctl multik dynamic_dispatching
get_mode
off
on

Syntax for IPv6

fw6 ctl multik dynamic_dispatching
get_mode
off
on

Parameters

Parameter Description

get_mode Shows the current state of the CoreXL Dynamic Dispatcher.

off Disables the CoreXL Dynamic Dispatcher.

on Enables the CoreXL Dynamic Dispatcher.

Example

[Expert@MyGW:0]# fw ctl multik dynamic_dispatching get_mode
Current mode is Off
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik dynamic_dispatching on
New mode is: On
Please reboot the system
[Expert@MyGW:0]#

fw ctl multik gconn

Description
Shows statistics about CoreXL Global Connections that Security Gateway stores in the kernel
table fw_multik_ld_gconn_table.
The CoreXL Global Connections table contains information about which CoreXL Firewall
instance owns which connections.

Notes:
- This command does not support VSX.
- This command does not support IPv6.

Syntax

fw [-d] ctl multik gconn
-h
-p
-s
-sec
-seg <Number>

Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the
script command to save the entire CLI session.

none Shows the default information about the CoreXL Global Connections (see Example 1
below).

-h Shows the built-in help.

-p Shows the additional information about each CoreXL Firewall instance, including the
information about Firewall Priority Queues:
- I/O (In or Out)
- Inst. ID (CoreXL Firewall instance ID)
- Flags
- Seq (Sequence)
- Hold_ref (Hold reference)
- Prio (Firewall Priority Queues mode)
- last_enq_jiff (Jiffies since last enqueue)
- queue_indx (Queue index number)
- conn_tokens (Connection Tokens)

-s Shows the total number of global connections.

-sec Shows the additional information about each CoreXL Firewall instance:
- I/O (In or Out)
- Inst. ID (CoreXL Firewall instance ID)
- Flags
- Seq (Sequence)
- Hold_ref (Hold reference)

-seg <Number> Shows the default information about the specified Global Connections
Segment.

Example 1 - Default information

[Expert@MyGW:0]# fw ctl multik gconn
Default:
==========================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|
==========================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.52 | 54216 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 54216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
==========================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament.
[Expert@MyGW:0]#

Example 2 - Summary information only

[Expert@MyGW:0]# fw ctl multik gconn -s


Summary:
Total number of global connections: 12
[Expert@MyGW:0]#


Example 3 - Additional information about each CoreXL Firewall instance, including the
information about Firewall Priority Queues

[Expert@MyGW:0]# fw ctl multik gconn -p
Instance section prio info:
=========================================================================================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|Inst. Section: I/O|Inst. ID|Flags| Seq | Hold_ref |Prio:|last_enq_jiff|queue_indx|conn_tokens
=========================================================================================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 35883 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 494 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.52 | 35883 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 280 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 219 | 0 |Prio:| 0 | -1 | 0 |
=========================================================================================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament. In - inbound. Out - outbound.
[Expert@MyGW:0]#


Example 4 - Additional information about each CoreXL Firewall instance

[Expert@MyGW:0]# fw ctl multik gconn -sec
Instance section:
======================================================================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|Inst. Section: I/O|Inst. ID|Flags| Seq | Hold_ref |
======================================================================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.52 | 52864 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 2 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 2 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 60186 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 76 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 479 | 0 |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 52864 | 6 |FP .. ..| No | 0/0 | 2 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 2 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 257 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 219 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.53 | 60186 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
======================================================================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament. In - inbound. Out - outbound.
[Expert@MyGW:0]#

fw ctl multik get_instance

Description
Shows the CoreXL Firewall instance that processes the specified IPv4 connection.

Important - This command works only if the CoreXL Dynamic Dispatcher is disabled
(see sk105261).

Syntax
- To show the CoreXL Firewall instance that processes the specified IPv4 connection:

fw ctl multik get_instance sip=<Source IPv4 Address> dip=<Destination IPv4 Address> proto=<Protocol Number>

- To show the CoreXL Firewall instance that processes the specified range of IPv4 connections:

fw ctl multik get_instance sip=<Source IPv4 Address Start>-<Source IPv4 Address End> dip=<Destination IPv4 Address Start>-<Destination IPv4 Address End> proto=<Protocol Number>


Parameters

Parameter                          Description

<Source IPv4 Address>              Source IPv4 address of the specified connection

<Source IPv4 Address Start>        First source IPv4 address of the specified range of IPv4 addresses

<Source IPv4 Address End>          Last source IPv4 address of the specified range of IPv4 addresses

<Destination IPv4 Address>         Destination IPv4 address of the specified connection

<Destination IPv4 Address Start>   First destination IPv4 address of the specified range of IPv4 addresses

<Destination IPv4 Address End>     Last destination IPv4 address of the specified range of IPv4 addresses

<Protocol Number>                  See IANA Protocol Numbers. For example:
                                   - 1 = ICMP
                                   - 6 = TCP
                                   - 17 = UDP

Example for a specified IPv4 connection

[Expert@MyGW:0]# fw ctl multik get_instance sip=192.168.2.3 dip=172.30.241.66 proto=6
protocol: 6
192.168.2.3 -> 172.30.241.66 => 3
[Expert@MyGW:0]#

Example for a specified range of IPv4 connections

[Expert@MyGW:0]# fw ctl multik get_instance sip=192.168.2.3-192.168.2.8 dip=172.30.241.66 proto=6
protocol: 6
192.168.2.3 -> 172.30.241.66 => 3
192.168.2.4 -> 172.30.241.66 => 0
192.168.2.5 -> 172.30.241.66 => 3
192.168.2.6 -> 172.30.241.66 => 5
192.168.2.7 -> 172.30.241.66 => 4
192.168.2.8 -> 172.30.241.66 => 5
[Expert@MyGW:0]#

fw ctl multik print_heavy_conn

Description
Shows the table with Heavy Connections (that consume the most CPU resources) in the
CoreXL Dynamic Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261.
CoreXL suspects that a connection is "heavy" if it meets these conditions:
- The Security Gateway detected the suspected connection during the last 24 hours
- The suspected connection lasts more than 10 seconds
- The CoreXL Firewall instance that processes this connection causes a CPU load of over 60%
- The suspected connection utilizes more than 50% of the total work the applicable
  CoreXL Firewall instance does
The output table shows this information about the Heavy Connections:
- Source IP address
- Source Port
- Destination IP address
- Destination Port
- Protocol Number
- CoreXL Firewall instance ID that processes this connection
- CoreXL Firewall instance load on the CPU
- Connection's relative load on the CoreXL Firewall instance

Notes:
- This command shows the suspected heavy connections even if they are already closed.
- In the "cpview" on page 1724 utility, go to CPU > Top-Connections > InstancesX-Y > InstanceZ.
  Refer to the Top Connections section.

Syntax

fw [-d] ctl multik print_heavy_conn


Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a
            file, or use the script command to save the entire CLI session.

Example

[Expert@MyGW:0]# fw ctl multik print_heavy_conn
Source: 192.168.20.31; SPort: 51006; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50994; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50992; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
[Expert@MyGW:0]#
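Because the command prints one record per line in the fixed layout shown above, the output can be parsed and aggregated for triage instead of read by hand. The following Python script is an added example, not code from the reference guide or from Check Point; it parses constructed lines in that layout and groups the heavy connections by destination service, by CoreXL instance and by source.

```python
import re

# Constructed sample in the one-line-per-connection format that
# "fw ctl multik print_heavy_conn" prints (values made up for this example).
SAMPLE_OUTPUT = """\
[Expert@MyGW:0]# fw ctl multik print_heavy_conn
Source: 192.168.20.31; SPort: 51006; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50994; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 10.1.1.9; SPort: 44002; Dest: 172.30.40.77; DPort: 443; IPP: 6; Instance 3; Instance Load 85%; Connection instance load 70%
Source: 10.1.1.9; SPort: 44010; Dest: 172.30.40.77; DPort: 443; IPP: 6; Instance 3; Instance Load 85%; Connection instance load 55%
Source: 10.2.2.2; SPort: 5000; Dest: 10.9.9.9; DPort: 53; IPP: 17; Instance 0; Instance Load 62%; Connection instance load 90%
[Expert@MyGW:0]#
"""

# One named group per field of the record; prompt lines do not match and are skipped.
LINE_RE = re.compile(
    r"Source: (?P<src>[\d.]+); SPort: (?P<sport>\d+); Dest: (?P<dst>[\d.]+); "
    r"DPort: (?P<dport>\d+); IPP: (?P<proto>\d+); Instance (?P<inst>\d+); "
    r"Instance Load (?P<inst_load>\d+)%; Connection instance load (?P<conn_load>\d+)%"
)
INT_FIELDS = ("sport", "dport", "proto", "inst", "inst_load", "conn_load")


def parse_heavy_conns(text):
    """Return one dict per heavy-connection line, with numeric fields converted to int."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def by_destination(records):
    """Group by (dst, dport, proto): how many heavy connections target each service,
    from which sources, and on which CoreXL Firewall instances they are processed."""
    groups = {}
    for r in records:
        key = (r["dst"], r["dport"], r["proto"])
        g = groups.setdefault(key, {"count": 0, "sources": set(), "instances": set()})
        g["count"] += 1
        g["sources"].add(r["src"])
        g["instances"].add(r["inst"])
    return groups


def by_instance(records):
    """Per CoreXL instance: (reported instance load, number of heavy connections on it).
    The load is repeated on every line of an instance, so the maximum seen is kept."""
    per_inst = {}
    for r in records:
        load, count = per_inst.get(r["inst"], (0, 0))
        per_inst[r["inst"]] = (max(load, r["inst_load"]), count + 1)
    return per_inst


def top_sources(records, limit=3):
    """Source addresses ranked by number of heavy connections, most first (ties by address)."""
    counts = {}
    for r in records:
        counts[r["src"]] = counts.get(r["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    recs = parse_heavy_conns(SAMPLE_OUTPUT)
    for key, g in by_destination(recs).items():
        print(key, g["count"], sorted(g["sources"]), sorted(g["instances"]))
    print(by_instance(recs))
    print(top_sources(recs))
```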

fw ctl multik prioq

Description
Configures the CoreXL Firewall Priority Queues. For more information, see sk105762.

Important - This command saves the configuration in the $FWDIR/conf/prioq_mode.conf file.
You must not edit this file manually.

Syntax for IPv4

fw ctl multik prioq [{0 | 1 | 2}]

Syntax for IPv6

fw6 ctl multik prioq [{0 | 1 | 2}]

Parameters

Parameter       Description

No Parameters   Shows the interactive menu for configuration of the CoreXL Firewall
                Priority Queues.

0               Disables the CoreXL Firewall Priority Queues.

1               Enables the CoreXL Firewall Priority Queues in the Evaluator-only mode.

2               Enables the CoreXL Firewall Priority Queues.

Example

[Expert@MyGW:0]# fw ctl multik prioq
Current mode is Off

Available modes:
0. Off
1. Evaluator-only
2. On

Choose the desired mode number: (or 3 to Quit)

[Expert@MyGW:0]#

fw ctl multik show_bypass_ports

Description
Shows the TCP and UDP ports configured in the bypass port list of the CoreXL Dynamic
Dispatcher with the "fw ctl multik add_bypass_port" on page 1502 command.
For more information about the CoreXL Dynamic Dispatcher, see sk105261.

Important - This command reads the configuration from the $FWDIR/conf/dispatcher_bypass.conf
file. You must not edit this file manually.

Syntax

fw ctl multik show_bypass_ports

Example

[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(9999,8888)
[Expert@MyGW:0]#

fw ctl multik stat

Description
Shows information for each CoreXL Firewall instance.

Syntax for IPv4

fw [-d] ctl multik stat

Syntax for IPv6

fw6 [-d] ctl multik stat

Information in the output

- The ID number of each CoreXL Firewall instance (numbers start from zero).
- The state of each CoreXL Firewall instance.
- The ID number of the CPU core on which the CoreXL Firewall instance runs (numbers start
  from the highest available CPU ID).
- The number of concurrent connections the CoreXL Firewall instance currently handles.
- The peak number of concurrent connections the CoreXL Firewall instance handled from
  the time it started.

Parameters

Parameter   Description

-d          Runs the command in debug mode.
            Use only if you troubleshoot the command itself.
            Best Practice - If you use this parameter, then redirect the output to a
            file, or use the script command to save the entire CLI session.


Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 5 | 21
1 | Yes | 6 | 3 | 23
2 | Yes | 5 | 5 | 25
3 | Yes | 4 | 4 | 21
4 | Yes | 3 | 5 | 21
5 | Yes | 2 | 5 | 20
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw6 ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 0 | 4
1 | Yes | 6 | 0 | 4
[Expert@MyGW:0]#

fw ctl multik start

Description
Starts all CoreXL Firewall instances on-the-fly, if they were stopped with the "fw ctl multik stop"
on page 1521 command.

Syntax for IPv4

fw ctl multik start

Syntax for IPv6

fw6 ctl multik start

Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | No | - | 6 | 13
1 | No | - | 3 | 11
2 | No | - | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
Instance 1 started (2 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
Instance 2 started (3 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
All instances are already active
[Expert@MyGW:0]#

fw ctl multik stop

Description
Stops all CoreXL Firewall instances on-the-fly.

Important - To start all CoreXL Firewall instances on-the-fly, run the "fw ctl multik
start" on page 1520 command.

Syntax for IPv4

fw ctl multik stop

Syntax for IPv6

fw6 ctl multik stop

Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
Instance 2 stopped (2 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
Instance 1 stopped (1 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 4 | 13
1 | No | - | 3 | 11
2 | No | - | 7 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
All instances are already inactive
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | No | - | 6 | 13
1 | No | - | 3 | 11
2 | No | - | 4 | 13
[Expert@MyGW:0]#
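The "fw ctl multik stat" table described earlier, together with the stopped-instance rows shown above ("No" in the Active column and "-" in the CPU column), is simple enough to poll from a monitoring script, so that instances left stopped on-the-fly do not go unnoticed. The following Python is an added example, not code from the reference guide or from Check Point; it parses constructed stat output and reports instances that are not active or an instance count that differs from the expected one.

```python
import re

# Constructed sample of "fw ctl multik stat" output after two instances were
# stopped on-the-fly (values made up for this example).
SAMPLE_DEGRADED = """\
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 4 | 13
1 | No | - | 3 | 11
2 | No | - | 7 | 13
[Expert@MyGW:0]#
"""

# Constructed sample with every instance active.
SAMPLE_HEALTHY = """\
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
"""

# Columns: ID | Active | CPU | Connections | Peak; CPU is "-" while an instance is stopped.
ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*(Yes|No)\s*\|\s*(\d+|-)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*$")


def parse_multik_stat(text):
    """Return one dict per instance row; header, separator and prompt lines are ignored."""
    instances = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        inst_id, active, cpu, conns, peak = m.groups()
        instances.append({
            "id": int(inst_id),
            "active": active == "Yes",
            "cpu": None if cpu == "-" else int(cpu),
            "connections": int(conns),
            "peak": int(peak),
        })
    return instances


def inactive_instances(instances):
    """IDs of instances that are not active (for example, stopped with 'fw ctl multik stop')."""
    return [i["id"] for i in instances if not i["active"]]


def check_instances(instances, expected_count):
    """Return a list of problems; an empty list means all expected instances are active."""
    problems = []
    if len(instances) != expected_count:
        problems.append("expected %d instances, found %d" % (expected_count, len(instances)))
    for inst_id in inactive_instances(instances):
        problems.append("instance %d is not active" % inst_id)
    return problems


def totals(instances):
    """(current connections summed over all instances, highest peak of any instance)."""
    return (sum(i["connections"] for i in instances),
            max((i["peak"] for i in instances), default=0))


if __name__ == "__main__":
    for problem in check_instances(parse_multik_stat(SAMPLE_DEGRADED), 3):
        print(problem)
```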

fw ctl multik utilize

Description
Shows the CoreXL queue utilization for each CoreXL Firewall instance.

Note - This command does not support VSX.

Syntax for IPv4

fw ctl multik utilize

Syntax for IPv6

fw6 ctl multik utilize

Example

[Expert@MyGW:0]# fw ctl multik utilize
ID | Utilize(%) | Queue Elements
----------------------------------
0 | 1 | 30
1 | 0 | 10
2 | 0 | 17
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw6 ctl multik utilize
ID | Utilize(%) | Queue Elements
----------------------------------
0 | 0 | 0
1 | 0 | 0
[Expert@MyGW:0]#

fw ctl affinity
The fw ctl affinity command shows and configures the CoreXL affinity settings for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Running the 'fw ctl affinity -l' command in Gateway Mode

Description
The fw ctl affinity -l command shows the current CoreXL affinity settings on a
Security Gateway for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Syntax
- To see the built-in help:

fw ctl affinity

- To show all the existing affinities:

fw ctl affinity -l [-a] [-v] [-r] [-q]

- To show the affinity for a specified interface:

fw ctl affinity -l -i <Interface Name>

- To show the affinity for a specified CoreXL Firewall instance:

fw ctl affinity -l -k <CoreXL Firewall instance ID>

- To show the affinity for a specified user-space process by its PID:

fw ctl affinity -l -p <Process ID>

- To show the affinity for a specified user-space process by its name:

fw ctl affinity -l -n <Process Name>

- To show the number of system CPU cores allowed by the installed CoreXL license:

fw -d ctl affinity -corelicnum


Parameters

Parameter                          Description

-i <Interface Name>                Shows the affinity for the specified interface.

-k <CoreXL Firewall instance ID>   Shows the affinity for the specified CoreXL Firewall instance.

-p <Process ID>                    Shows the affinity for the Check Point user-space process (for
                                   example: fwd, vpnd) specified by its PID.

-n <Process Name>                  Shows the affinity for the Check Point user-space process (for
                                   example: fwd, vpnd) specified by its name.

all                                Shows the affinity for all CPU cores (numbers start from zero).

<CPU ID0> ... <CPU IDn>            Shows the affinity for the specified CPU cores (numbers start
                                   from zero).

-a                                 Shows all current CoreXL affinities.

-v                                 Shows verbose output with IRQ numbers of interfaces.

-r                                 Shows the CoreXL affinities in reverse order.

-q                                 Suppresses the errors in the output.

Example 1

[Expert@MyGW:0]# fw ctl affinity -l
eth0: CPU 0
eth1: CPU 0
eth2: CPU 0
eth3: CPU 0
fw_0: CPU 7
fw_1: CPU 6
fw_2: CPU 5
fw_3: CPU 4
fw_4: CPU 3
fw_5: CPU 2
fwd: CPU 2 3 4 5 6 7
fgd50: CPU 2 3 4 5 6 7
status_proxy: CPU 2 3 4 5 6 7
rad: CPU 2 3 4 5 6 7
cpstat_monitor: CPU 2 3 4 5 6 7
mpdaemon: CPU 2 3 4 5 6 7
cpsead: CPU 2 3 4 5 6 7
cserver: CPU 2 3 4 5 6 7
rtmd: CPU 2 3 4 5 6 7
fwm: CPU 2 3 4 5 6 7
cpsemd: CPU 2 3 4 5 6 7
cpca: CPU 2 3 4 5 6 7
cprid: CPU 2 3 4 5 6 7
cpd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

Example 2

[Expert@MyGW:0]# fw ctl affinity -l -a -v
Interface eth0 (irq 67): CPU 0
Interface eth1 (irq 75): CPU 0
Interface eth2 (irq 83): CPU 0
Interface eth3 (irq 59): CPU 0
fw_0: CPU 7
fw_1: CPU 6
fw_2: CPU 5
fw_3: CPU 4
fw_4: CPU 3
fw_5: CPU 2
fwd: CPU 2 3 4 5 6 7
fgd50: CPU 2 3 4 5 6 7
status_proxy: CPU 2 3 4 5 6 7
rad: CPU 2 3 4 5 6 7
cpstat_monitor: CPU 2 3 4 5 6 7
mpdaemon: CPU 2 3 4 5 6 7
cpsead: CPU 2 3 4 5 6 7
cserver: CPU 2 3 4 5 6 7
rtmd: CPU 2 3 4 5 6 7
fwm: CPU 2 3 4 5 6 7
cpsemd: CPU 2 3 4 5 6 7
cpca: CPU 2 3 4 5 6 7
cprid: CPU 2 3 4 5 6 7
cpd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#


Example 3

[Expert@MyGW:0]# fw ctl affinity -l -a -v -r
CPU 0: eth0 (irq 67) eth1 (irq 75) eth2 (irq 83) eth3 (irq 59)
CPU 1:
CPU 2: fw_5
       fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 3: fw_4
       fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 4: fw_3
       fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 5: fw_2
       fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 6: fw_1
       fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 7: fw_0
       fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
All:
[Expert@MyGW:0]#

Example 4
[Expert@MyGW:0]# fw ctl affinity -l -i eth0
eth0: CPU 0
[Expert@MyGW:0]#

Example 5

[Expert@MyGW:0]# ps -ef | grep -v grep | egrep "PID|fwd"
UID PID PPID C STIME TTY TIME CMD
admin 26641 26452 0 Mar27 ? 00:06:56 fwd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -l -p 26641
Process 26641: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -l -n fwd
fwd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

Example 6

[Expert@MyGW:0]# fw ctl affinity -l -k 1
fw_1: CPU 6
[Expert@MyGW:0]#


Example 7

[Expert@MyGW:0]# fw -d ctl affinity -corelicnum
[5363 4134733584]@MyGW[4 Apr 18:11:03] Number of system CPUs 8
[5363 4134733584]@MyGW[4 Apr 18:11:03] cplic_get_navailable_cpus: fw_get_allowed_cpus_num returned invalid value (100000) - all cpus considered as allowed!!!
4
[5363 4134733584]@MyGW[4 Apr 18:11:03] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MyGW:0]#

Running the 'fw ctl affinity -l' command in VSX Mode

Description
The fw ctl affinity -l command shows the CoreXL affinity settings on a VSX Gateway
for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Note - Before running the fw ctl affinity -l -x commands, you must go to the context of the
applicable Virtual System or Virtual Router with the Gaia Clish command set virtual-system <VSID>.

Syntax
- To show the affinities in VSX mode (you can combine the optional parameters):

fw ctl affinity -l -x
[-vsid <VSID ranges>]
[-cpu <CPU ID ranges>]
[-flags {e | k | t | n | h | o}]

- To show the number of system CPU cores allowed by the installed CoreXL license:

fw -d ctl affinity -corelicnum


Parameters

Parameter                        Description

-vsid <VSID ranges>              Shows the affinity for:
                                 - The specified single Virtual System (for example, -vsid 7)
                                 - The specified several Virtual Systems (for example, -vsid 0-2 4)

                                 Important - If you omit the -vsid parameter, the command runs in
                                 the current virtual context.

-cpu <CPU ID ranges>             Shows the affinity for:
                                 - The specified single CPU (for example, -cpu 7)
                                 - The specified several CPU cores (for example, -cpu 0-2 4)

-flags {e | k | t | n | h | o}   The -flags parameter requires at least one of these arguments:
                                 - e - Do not print the exception processes
                                 - k - Do not print the kernel threads
                                 - t - Print all process threads
                                 - n - Print the process name instead of the /proc/<PID>/cmdline
                                 - h - Print the CPU mask in Hex format
                                 - o - Print the output into the file called /tmp/affinity_list_output

                                 Important - You must specify multiple arguments together.
                                 For example: -flags tn

Example 1

[Expert@VSX_GW:0]# fw ctl affinity -l -x -cpu 0
---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 2 | 0 | 0 | | | K | |
| 3 | 0 | 0 | | | K | |
| 4 | 0 | 0 | | | K | |
| 14 | 0 | 0 | | | K | |
| 99 | 0 | 0 | | | K | |
| 278 | 0 | 0 | | | K | |
| 382 | 0 | 0 | | | K | |
| 674 | 0 | 0 | | | K | |
| 2195 | 0 | 0 | | | K | |
| 6348 | 0 | 0 | | | K | |
| 6378 | 0 | 0 | | | K | |
---------------------------------------------------------------------
PID - represents the pid of the process
VSID - represents the virtual device id
CPU - represents the CPUs assigned to the specific process
SRC - represents the source configuration file of the process - (V)SID / (I)nstance / (P)rocess
V - represents validity, star means that the actual affinity is different than the configured affinity
KT - represents whether the process is a kernel thread
EXC - represents whether the process belongs to the process exception list (vsaffinity_exception.conf)
[Expert@VSX_GW:0]#

Example 2

[Expert@VSX_GW:0]# fw ctl affinity -l -x -vsid 1
---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 3593 | 1 | 1 2 3 | | | | | httpd
| 10997 | 1 | 1 2 3 | | | | | cvpn_rotatelogs
| 11005 | 1 | 1 2 3 | | | | | httpd
| 22294 | 1 | 1 2 3 | | | | | routed
| 22328 | 1 | 1 2 3 | | | | | fwk_wd
| 22333 | 1 | 1 2 3 | P | | | | fwk
| 22488 | 1 | 1 2 3 | | | | | cpd
| 22492 | 1 | 1 2 3 | | | | | fwd
| 22504 | 1 | 1 2 3 | | | | | cpviewd
| 22525 | 1 | 1 2 3 | | | | | mpdaemon
| 22527 | 1 | 1 2 3 | | | | | ci_http_server
| 30629 | 1 | 1 2 3 | | | | | vpnd
| 30631 | 1 | 1 2 3 | | | | | pdpd
| 30632 | 1 | 1 2 3 | | | | | pepd
| 30635 | 1 | 1 2 3 | | | | | fwpushd
| 30743 | 1 | 1 2 3 | | | | | dbwriter
| 30748 | 1 | 1 2 3 | | | | | cvpnproc
| 30752 | 1 | 1 2 3 | | | | | MoveFileServer
| 30756 | 1 | 1 2 3 | | | | | CvpnUMD
| 30760 | 1 | 1 2 3 | | | | | Pinger
| 30764 | 1 | 1 2 3 | | | | | IdlePinger
| 30770 | 1 | 1 2 3 | | | | | cvpnd
---------------------------------------------------------------------
[Expert@VSX_GW:0]#
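The V column of this table is the drift indicator (the legend in Example 1 says a star means the actual affinity differs from the configured affinity), so the table is worth parsing rather than reading by eye. The following Python is an added example, not code from the reference guide or from Check Point; it parses a constructed "fw ctl affinity -l -x" table, lists the drifted processes, and checks that a Virtual System's user-space processes stay on the CPU cores intended for it (the PIDs, names and the starred row are made up).

```python
# Constructed sample in the layout of "fw ctl affinity -l -x" (PIDs, names and
# the starred row are made up for this example).
SAMPLE_TABLE = """\
[Expert@VSX_GW:0]# fw ctl affinity -l -x
---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 2 | 0 | 0 | | | K | |
| 3593 | 1 | 1 2 3 | | | | | httpd
| 22333 | 1 | 1 2 3 | P | | | | fwk
| 22492 | 1 | 1 2 3 | | | | | fwd
| 30629 | 1 | 1 2 3 5 | V | * | | | vpnd
| 4100 | 2 | 4 5 | P | | | | fwk
---------------------------------------------------------------------
[Expert@VSX_GW:0]#
"""


def parse_vsx_affinity(text):
    """Return one dict per table row. The column order is the one printed in the
    header line of the command: PID, VSID, CPU, SRC, V, KT, EXC, NAME."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                                       # separators, prompts
        cells = [c.strip() for c in line.split("|")[1:]]   # drop text before first '|'
        if len(cells) < 8 or not cells[0].isdigit():       # header or malformed line
            continue
        pid, vsid, cpu, src, valid, kt, exc = cells[:7]
        rows.append({
            "pid": int(pid),
            "vsid": int(vsid),
            "cpus": [int(c) for c in cpu.split()],
            "src": src,                    # (V)SID / (I)nstance / (P)rocess, or empty
            "drifted": valid == "*",       # actual affinity differs from configured
            "kernel_thread": kt == "K",
            "exception": exc != "",        # listed in the process exception list
            "name": cells[7],
        })
    return rows


def drifted_processes(rows):
    """PIDs whose actual affinity no longer matches the configured affinity."""
    return [r["pid"] for r in rows if r["drifted"]]


def cpus_by_vsid(rows):
    """Union of CPU cores used by the user-space processes of each Virtual System."""
    result = {}
    for r in rows:
        if r["kernel_thread"]:
            continue
        result.setdefault(r["vsid"], set()).update(r["cpus"])
    return result


def processes_outside(rows, vsid, allowed_cpus):
    """Names of user-space processes of the given VS that run on a core outside allowed_cpus."""
    allowed = set(allowed_cpus)
    return [r["name"] for r in rows
            if r["vsid"] == vsid and not r["kernel_thread"] and not set(r["cpus"]) <= allowed]


if __name__ == "__main__":
    rows = parse_vsx_affinity(SAMPLE_TABLE)
    print("drifted PIDs:", drifted_processes(rows))
    print("cores per VS:", cpus_by_vsid(rows))
    print("VS 1 processes outside cores 1-3:", processes_outside(rows, 1, {1, 2, 3}))
```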

Running the 'fw ctl affinity -s' command in Gateway Mode



Description
The fw ctl affinity -s command configures the CoreXL affinity settings on a Security
Gateway for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Note - The Security Gateway saves these changes in the $FWDIR/conf/fwaffinity.conf
configuration file.

Syntax
- To see the built-in help:

fw ctl affinity

- To configure the affinity for a specified interface by its name:

fw ctl affinity -s -i <Interface Name> {all | <CPU ID0> [<CPU ID1> ... <CPU IDn>]}

- To configure the affinity for a specified CoreXL Firewall instance:

fw ctl affinity -s -k <CoreXL Firewall instance ID> {all | <CPU ID0> [<CPU ID1> ... <CPU IDn>]}

- To configure the affinity for a specified user-space process by its PID:

fw ctl affinity -s -p <Process ID> {all | <CPU ID0> [<CPU ID1> ... <CPU IDn>]}

- To configure the affinity for a specified user-space process by its name:

fw ctl affinity -s -n <Process Name> {all | <CPU ID0> [<CPU ID1> ... <CPU IDn>]}


Parameters

Parameter                          Description

-i <Interface Name>                Configures the affinity for the specified interface.

-k <CoreXL Firewall instance ID>   Configures the affinity for the specified CoreXL Firewall
                                   instance.

-p <Process ID>                    Configures the affinity for the Check Point user-space process
                                   (for example: fwd, vpnd) specified by its PID.

-n <Process Name>                  Configures the affinity for the Check Point user-space process
                                   (for example: fwd, vpnd) specified by its name.

                                   Important - The process name is case-sensitive.

all                                Configures the affinity for all CPU cores (numbers start from
                                   zero).

<CPU ID0> ... <CPU IDn>            Configures the affinity for the specified CPU cores (numbers
                                   start from zero).

Example 1 - Affine the interface eth1 to the CPU core #1

[Expert@MyGW:0]# fw ctl affinity -s -i eth1 1
eth1: CPU 1 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 2 - Affine the CoreXL Firewall instance #1 to the CPU core #2

[Expert@MyGW:0]# fw ctl affinity -s -k 1 2
fw_1: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 3 - Affine the process CPD by its PID to the CPU core #2

[Expert@MyGW:0]# cpwd_admin list | egrep "PID|cpd"
APP PID STAT #START START_TIME MON COMMAND
CPD 6080 E 1 [13:46:27] 17/9/2018 Y cpd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -s -p 6080 2
Process 6080: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#


Example 4 - Affine the process CPD by its name to the CPU core #2

[Expert@MyGW:0]# fw ctl affinity -s -n cpd 2
cpd: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Running the 'fw ctl affinity -s' command in VSX Mode

Description
The fw ctl affinity -s command configures the CoreXL affinity settings on a VSX
Gateway for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Syntax
- To see the built-in help:

fw ctl affinity

- To configure the affinities of Virtual Systems:

fw ctl affinity -s -d [-vsid <VSID ranges>] -cpu <CPU ID ranges>

- To configure the affinities of a specified user-space process:

fw ctl affinity -s -d -pname <Process Name> [-vsid <VSID ranges>] {-cpu all | -cpu <CPU ID ranges>}

- To configure the affinities of specified FWK daemon instances (user-space Firewall):

fw ctl affinity -s -d -inst <Instances Ranges> -cpu <CPU ID ranges>

- To configure the affinities of all FWK instances (user-space Firewalls):

fw ctl affinity -s -d -fwkall <Number of CPUs>

- To reset the affinities to defaults:

fw ctl affinity {-vsx_factory_defaults | -vsx_factory_defaults_no_prompt}

Important
- The VSX Gateway saves these changes in the $FWDIR/conf/fwaffinity.conf
  configuration file.
- When you configure the affinity of an interface, it automatically configures the affinities
  of all other interfaces that share the same IRQ to the same CPU core.

Parameters

Parameter                        Description

-vsid <VSID ranges>              Configures the affinity for:
                                 - One specified Virtual System. For example: -vsid 7
                                 - Several specified Virtual Systems. For example: -vsid 0-2 4

                                 Note - If you omit the -vsid parameter, the command uses the
                                 current virtual context.

-cpu <CPU ID ranges>             Configures the affinity to:
                                 - One specified CPU core. For example: -cpu 7
                                 - Several specified CPU cores. For example: -cpu 0-2 4

                                 Important - Numbers of CPU cores start from zero.

-pname <Process Name>            Configures the affinity for the Check Point daemon specified by
                                 its name (for example: fwd, vpnd).

                                 Important - The process name is case-sensitive.

-inst <Instances Ranges>         Configures the affinity for:
                                 - One specified FWK daemon instance. For example: -inst 7
                                 - Several specified FWK daemon instances. For example: -inst 0 2 4

-fwkall <Number of CPUs>         Configures the affinity for all running FWK daemon instances to
                                 the specified number of CPU cores.
                                 If it is necessary to affine all running FWK daemon instances to
                                 all CPU cores, enter the number of all available CPU cores.

-vsx_factory_defaults            Deletes all existing affinity settings and creates the default
                                 affinity settings during the next reboot.
                                 Important - Before this operation, the command prompts the user
                                 whether to proceed. You must reboot to complete the operation.

-vsx_factory_defaults_no_prompt  Deletes all current affinity settings and creates the default
                                 affinity settings during the next reboot.
                                 Important - Before this operation, the command does not prompt
                                 the user whether to proceed. You must reboot to complete the
                                 operation.

Example 1 - Affine the Virtual Devices #0,1,2,4,6,7,8 to the CPU cores #0,1,2,4

[Expert@MyGW:0]# fw ctl affinity -s -d -vsid 0-2 4 6-8 -cpu 0-2 4
VDevice 0-2 4 6-8 : CPU 0 1 2 4 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 2 - Affine the process CPD by its name for Virtual Devices #0-12 to the CPU core #7

[Expert@MyGW:0]# fw ctl affinity -s -d -pname cpd -vsid 0-12 -cpu 7
VDevice 0-12 : CPU 7 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
Warning: some of the VSIDs did not exist
[Expert@MyGW:0]#

Note - As the output of Example 2 shows, the command reports success and only warns when the -vsid range includes Virtual Systems that do not exist. Check the VSIDs before you run it.

Example 3 - Affine the FWK daemon instances #0,2,4 to the CPU core #5

[Expert@MyGW:0]# fw ctl affinity -s -d -inst 0 2 4 -cpu 5
VDevice 0 2 4: CPU 5 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 4 - Affine all FWK daemon instances to the last two CPU cores

[Expert@MyGW:0]# fw ctl affinity -s -d -fwkall 2
VDevice 0-2 : CPU 2 3 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 5 - Affine all FWK daemon instances to all CPU cores

[Expert@MyGW:0]# fw ctl affinity -s -d -fwkall 4
There are configured processes/FWK instances
(y) will override all currently configured affinity and erase the configuration files
(n) will set affinity only for unconfigured processes/threads
Do you want to override existing configurations (y/n) ? y
VDevice 0-2 : CPU all - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#
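The "<CPU ID ranges>" and "<VSID ranges>" notation ("0-2 4") is easy to mistype, and the command itself only warns after the fact (Example 2 shows it reporting success for VSIDs that do not exist). The POSIX shell functions below are an added example, not part of this guide or of any Check Point tool: they expand such a range list into individual IDs and check each ID against the core list that $FWDIR/boot/fwboot cpuid prints, before anything is pinned. The function names are this example's own, and the embedded core list is constructed sample input for an 8-core box; on a gateway, pass the real output of fwboot cpuid instead.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: validate a "<CPU ID ranges>"
# argument for 'fw ctl affinity -s -d' before running the command.
# Function names and the sample core list are this example's own.

# expand_cpu_ranges "0-2 4 6-8" -> "0 1 2 4 6 7 8" (commas also accepted,
# duplicates dropped). Prints nothing and returns 1 on a malformed token or
# on a range whose start is greater than its end.
expand_cpu_ranges() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | awk '
        NF == 0 { next }
        /^[0-9]+$/ { add($1 + 0); next }
        /^[0-9]+-[0-9]+$/ {
            split($1, r, "-")
            if (r[1] + 0 > r[2] + 0) { bad = 1; exit }
            for (i = r[1] + 0; i <= r[2] + 0; i++) add(i)
            next
        }
        { bad = 1; exit }
        function add(id) {
            if (!(id in seen)) { seen[id] = 1; out = out sep id; sep = " " }
        }
        END { if (bad) exit 1; print out }'
}

# check_cpu_ranges "<ranges>" "<core IDs printed by fwboot cpuid>": print the
# expanded list if every requested core exists; otherwise report the problem
# on stderr and return 1.
check_cpu_ranges() {
    wanted=$(expand_cpu_ranges "$1") || { echo "malformed CPU range: '$1'" >&2; return 1; }
    for id in $wanted; do
        case " $2 " in
            *" $id "*) ;;
            *) echo "CPU $id does not exist on this box (have: $2)" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$wanted"
}

# Constructed sample: what '$FWDIR/boot/fwboot cpuid' prints on an 8-core box.
CPUID_OUTPUT="7 6 5 4 3 2 1 0"

# Dry run of the guide's Example 1 (VSIDs 0-2 4 6-8 to cores 0-2 4): print the
# command only once the cores check out; run it by hand on the gateway.
if cores=$(check_cpu_ranges "0-2 4" "$CPUID_OUTPUT"); then
    echo "cores $cores exist; command: fw ctl affinity -s -d -vsid 0-2 4 6-8 -cpu 0-2 4"
fi
```

The same check applies to the -inst and -vsid arguments, with the ID list taken from fw ctl multik stat or from the configured Virtual Systems instead of fwboot cpuid.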

fw -i
Description
By default, the "fw" on page 1004 commands apply to the entire Security Gateway.
The fw commands show aggregated information for all CoreXL Firewall instances.
The fw -i commands apply to the specified CoreXL Firewall instance.

Syntax

fw -i <ID of CoreXL Firewall instance> <Command>

Parameters

<ID of CoreXL Firewall instance>
    Specifies the ID of the CoreXL Firewall instance.
    To see the available IDs, run the "fw ctl multik stat" on page 1518 command.

<Command>
    Only these commands support the fw -i syntax:
    - fw -i <ID> conntab ...
    - fw -i <ID> ctl get ...
    - fw -i <ID> ctl leak ...
    - fw -i <ID> ctl pstat ...
    - fw -i <ID> ctl set ...
    - fw -i <ID> monitor ...
    - fw -i <ID> tab ...
    For details and additional parameters for any of these commands, refer to the corresponding entry for each command.

Example 1 - Show the Connections table for CoreXL Firewall instance #1

fw -i 1 tab -t connections

Example 2 - Show various internal statistics for CoreXL Firewall instance #1

fw -i 1 ctl pstat

fwboot bootconf
Description
Configures boot security options.

Notes:
- You must run this command from the Expert mode.
- The settings are saved in the $FWDIR/boot/boot.conf file.
  Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only with this command.
- Refer to these related commands:
  - "fwboot corexl" on page 1176
  - "control_bootsec" on page 917

Syntax to show the current boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf
      get_corexl
      get_core_override
      get_def
      get_ipf
      get_ipv6
      get_kernnum
      get_kern6num

Syntax to configure the boot security options

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf
      set_corexl {0 | 1}
      set_core_override <number>
      set_def [</path/filename>]
      set_ipf {0 | 1}
      set_ipv6 {0 | 1}
      set_kernnum <number>
      set_kern6num <number>

Parameters

No Parameters
    Shows the built-in help with available parameters.

get_corexl
    Shows whether CoreXL is enabled or disabled:
    - 0 - disabled
    - 1 - enabled
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of COREXL_INSTALLED.

get_core_override
    Shows the number of overriding CPU cores.
    The SMT (HyperThreading) feature (sk93000) uses this configuration to set the number of CPU cores after reboot.
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of CORE_OVERRIDE.

get_def
    Shows the configured path and name of the Default Filter policy file (default is $FWDIR/boot/default.bin).
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of DEFAULT_FILTER_PATH.

get_ipf
    Shows whether IP Forwarding during boot is enabled or disabled:
    - 0 - disabled (the Security Gateway does not forward traffic between its interfaces during boot)
    - 1 - enabled
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of CTL_IPFORWARDING.

get_ipv6
    Shows whether IPv6 support is enabled or disabled:
    - 0 - disabled
    - 1 - enabled
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of IPV6_INSTALLED.

get_kernnum
    Shows the configured number of IPv4 CoreXL Firewall instances.
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of KERN_INSTANCE_NUM.

get_kern6num
    Shows the configured number of IPv6 CoreXL Firewall instances.
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of KERN6_INSTANCE_NUM.

set_corexl {0 | 1}
    Enables or disables CoreXL:
    - 0 - disables
    - 1 - enables
    Notes:
    - In the $FWDIR/boot/boot.conf file, refer to the value of COREXL_INSTALLED.
    - To configure CoreXL, use the "cpconfig" on page 936 menu.

set_core_override <number>
    Configures the number of overriding CPU cores.
    The SMT (HyperThreading) feature (sk93000) uses this configuration to set the number of CPU cores after reboot.
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of CORE_OVERRIDE.

set_def [</path/filename>]
    Configures the path and name of the Default Filter policy file (default is $FWDIR/boot/default.bin).
    Notes:
    - In the $FWDIR/boot/boot.conf file, refer to the value of DEFAULT_FILTER_PATH.
    - If you do not specify the path and name explicitly, the value of DEFAULT_FILTER_PATH is set to 0. As a result, the Security Gateway does not load a Default Filter during boot.
    Best Practice - The best location for this file is the $FWDIR/boot/ directory.

set_ipf {0 | 1}
    Configures IP forwarding during boot:
    - 0 - disables (forbids the Security Gateway to forward traffic between its interfaces during boot)
    - 1 - enables
    Note - In the $FWDIR/boot/boot.conf file, refer to the value of CTL_IPFORWARDING.

set_ipv6 {0 | 1}
    Enables or disables IPv6 support:
    - 0 - disables
    - 1 - enables
    Notes:
    - In the $FWDIR/boot/boot.conf file, refer to the value of IPV6_INSTALLED.
    - Configure the IPv6 support in Gaia Portal, or Gaia Clish. See the R80.40 Gaia Administration Guide.

set_kernnum <number>
    Configures the number of IPv4 CoreXL Firewall instances.
    Notes:
    - In the $FWDIR/boot/boot.conf file, refer to the value of KERN_INSTANCE_NUM.
    - To configure CoreXL, use the "cpconfig" on page 936 menu.

set_kern6num <number>
    Configures the number of IPv6 CoreXL Firewall instances.
    Notes:
    - In the $FWDIR/boot/boot.conf file, refer to the value of KERN6_INSTANCE_NUM.
    - To configure CoreXL, use the "cpconfig" on page 936 menu.
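Two of the settings above decide how exposed the gateway is while it boots, before the policy is loaded: CTL_IPFORWARDING (set_ipf) and DEFAULT_FILTER_PATH (set_def, which becomes 0 and disables the Default Filter when called without a path). The script below is an added example, not part of this guide or of any Check Point tool: a read-only audit that flags both weak states. It never writes $FWDIR/boot/boot.conf, in line with the warning above to change the file only through fwboot bootconf. The key names are the ones documented above; the "KEY value" layout of the embedded sample files is an assumption (the parser also accepts "KEY=value"), and both samples are constructed, as are the function names.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: read-only audit of the boot
# settings that 'fwboot bootconf' manages. It flags the two settings that
# leave the gateway exposed during boot, before the policy is loaded:
#   CTL_IPFORWARDING 1     traffic is forwarded between interfaces during boot
#   DEFAULT_FILTER_PATH 0  no Default Filter is loaded during boot
# Key names are from the guide; the "KEY value" line layout is an assumption,
# so "KEY=value" is accepted too. On a gateway, run:
#   bootconf_audit "$(cat "$FWDIR/boot/boot.conf")"

# Constructed sample: both weak settings present.
WEAK_BOOT_CONF='CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
COREXL_INSTALLED 1
KERN_INSTANCE_NUM 3
IPV6_INSTALLED 0
KERN6_INSTANCE_NUM 0
CORE_OVERRIDE 4'

# Constructed sample: the expected settings (the filter path is illustrative).
SAFE_BOOT_CONF='CTL_IPFORWARDING 0
DEFAULT_FILTER_PATH /opt/CPsuite-R80.40/fw1/boot/default.bin
COREXL_INSTALLED 1
KERN_INSTANCE_NUM 3'

# bootconf_get "<conf text>" KEY: print the value of KEY (empty if absent).
bootconf_get() {
    printf '%s\n' "$1" | awk -v key="$2" -F'[[:blank:]=]+' '$1 == key { print $2; exit }'
}

# bootconf_audit "<conf text>": print one "WARN ..." line per weak setting
# plus a summary; return 1 if anything was flagged, 0 otherwise.
bootconf_audit() {
    findings=0
    if [ "$(bootconf_get "$1" CTL_IPFORWARDING)" = "1" ]; then
        echo "WARN CTL_IPFORWARDING=1: traffic is forwarded during boot, before the policy is loaded (fix: fwboot bootconf set_ipf 0)"
        findings=$((findings + 1))
    fi
    def=$(bootconf_get "$1" DEFAULT_FILTER_PATH)
    if [ -z "$def" ] || [ "$def" = "0" ]; then
        echo "WARN DEFAULT_FILTER_PATH=${def:-unset}: no Default Filter is loaded during boot (fix: fwboot bootconf set_def <path>)"
        findings=$((findings + 1))
    fi
    echo "boot.conf audit: $findings finding(s)"
    [ "$findings" -eq 0 ]
}

bootconf_audit "$WEAK_BOOT_CONF" || echo "(weak sample flagged as expected)"
bootconf_audit "$SAFE_BOOT_CONF"
```

Read the values with fwboot bootconf get_ipf and get_def on a live gateway rather than parsing the file where you can; the parser here exists only so the check runs off the box.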

fwboot corexl
Description
Configures and monitors the CoreXL.

Note - The settings are saved in the $FWDIR/boot/boot.conf file.

Warning - To avoid issues, do not edit the $FWDIR/boot/boot.conf file manually. Edit the file only with this command.

Syntax to show CoreXL configuration

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl
      core_count
      curr_instance4_count
      curr_instance6_count
      def_instance4_count
      def_instance6_count
      eligible
      installed
      max_instance4_count
      max_instances4_32bit
      max_instances4_64bit
      max_instance6_count
      max_instances_count
      max_instances_32bit
      max_instances_64bit
      min_instance_count
      unsupported_features

Syntax to configure CoreXL

Important:
- The configuration commands are for Check Point use only. To configure CoreXL, use the Check Point CoreXL option in the "cpconfig" on page 936 menu.
- After all changes in the CoreXL configuration on the Security Gateway, you must reboot it.
- In a Cluster, you must configure all the Cluster Members in the same way.

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl
      def_by_allowed [n]
      default
      [-v] disable
      [-v] enable [n] [-6 k]
      vmalloc_recalculate

Parameters

Note - The query keywords below (core_count, curr_instance4_count, eligible, installed, and so on) return their answer as the command's exit code, not on the standard output. Read it with echo $? immediately after the command, as in the examples.

No Parameters
    Shows the built-in help with available parameters.

core_count
    Returns the number of CPU cores on this computer.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl core_count
    [Expert@MyGW:0]# echo $?
    4
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# cat /proc/cpuinfo | grep processor
    processor : 0
    processor : 1
    processor : 2
    processor : 3
    [Expert@MyGW:0]#

curr_instance4_count
    Returns the current configured number of IPv4 CoreXL Firewall instances.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance4_count
    [Expert@MyGW:0]# echo $?
    3
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fw ctl multik stat
    ID | Active | CPU | Connections | Peak
    ----------------------------------------------
    0 | Yes | 3 | 11 | 18
    1 | Yes | 2 | 12 | 18
    2 | Yes | 1 | 13 | 18
    [Expert@MyGW:0]#

curr_instance6_count
    Returns the current configured number of IPv6 CoreXL Firewall instances.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl curr_instance6_count
    [Expert@MyGW:0]# echo $?
    2
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fw6 ctl multik stat
    ID | Active | CPU | Connections | Peak
    ----------------------------------------------
    0 | Yes | 3 | 11 | 18
    1 | Yes | 2 | 12 | 18
    [Expert@MyGW:0]#

def_by_allowed [n]
    Sets the default configuration for CoreXL according to the specified allowed number of CPU cores.

default
    Sets the default configuration for CoreXL.

def_instance4_count
    Returns the default number of IPv4 CoreXL Firewall instances for this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance4_count
    [Expert@MyGW:0]# echo $?
    3
    [Expert@MyGW:0]#

def_instance6_count
    Returns the default number of IPv6 CoreXL Firewall instances for this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance6_count
    [Expert@MyGW:0]# echo $?
    2
    [Expert@MyGW:0]#

[-v] disable
    Disables CoreXL.
    - -v - Leaves the high memory (vmalloc) unchanged.
    See the "cp_conf corexl" on page 926 command.

eligible
    Returns whether CoreXL can be enabled on this Security Gateway:
    - 0 - CoreXL cannot be enabled
    - 1 - CoreXL can be enabled
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl eligible
    [Expert@MyGW:0]# echo $?
    1
    [Expert@MyGW:0]#

[-v] enable [n] [-6 k]
    Enables CoreXL with 'n' IPv4 Firewall instances and optionally 'k' IPv6 Firewall instances.
    - -v - Leaves the high memory (vmalloc) unchanged.
    - n - Denotes the number of IPv4 CoreXL Firewall instances.
    - k - Denotes the number of IPv6 CoreXL Firewall instances.
    See the "cp_conf corexl" on page 926 command.

installed
    Returns whether CoreXL is installed (enabled) on this Security Gateway:
    - 0 - CoreXL is not enabled
    - 1 - CoreXL is enabled
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl installed
    [Expert@MyGW:0]# echo $?
    1
    [Expert@MyGW:0]#

max_instance4_count
    Returns the maximal allowed number of IPv4 CoreXL Firewall instances for this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance4_count
    [Expert@MyGW:0]# echo $?
    4
    [Expert@MyGW:0]#

max_instances4_32bit
    Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a Security Gateway that runs Gaia with a 32-bit kernel.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_32bit
    [Expert@MyGW:0]# echo $?
    14
    [Expert@MyGW:0]#

max_instances4_64bit
    Returns the maximal allowed number of IPv4 CoreXL Firewall instances for a Security Gateway that runs Gaia with a 64-bit kernel.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances4_64bit
    [Expert@MyGW:0]# echo $?
    38
    [Expert@MyGW:0]#

max_instance6_count
    Returns the maximal allowed number of IPv6 CoreXL Firewall instances for this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance6_count
    [Expert@MyGW:0]# echo $?
    3
    [Expert@MyGW:0]#

max_instances_count
    Returns the total maximal allowed number of CoreXL Firewall instances (IPv4 and IPv6) for this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_count
    [Expert@MyGW:0]# echo $?
    40
    [Expert@MyGW:0]#

max_instances_32bit
    Returns the total maximal allowed number of CoreXL Firewall instances for a Security Gateway that runs Gaia with a 32-bit kernel.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_32bit
    [Expert@MyGW:0]# echo $?
    16
    [Expert@MyGW:0]#

max_instances_64bit
    Returns the total maximal allowed number of CoreXL Firewall instances for a Security Gateway that runs Gaia with a 64-bit kernel.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_64bit
    [Expert@MyGW:0]# echo $?
    40
    [Expert@MyGW:0]#

min_instance_count
    Returns the minimal allowed number of IPv4 CoreXL Firewall instances.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl min_instance_count
    [Expert@MyGW:0]# echo $?
    2
    [Expert@MyGW:0]#

vmalloc_recalculate
    Updates the value of the vmalloc parameter in the /boot/grub/grub.conf file.

unsupported_features
    Returns 1 if at least one configured feature is not supported by CoreXL, and prints which feature it is.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl unsupported_features
    corexl unsupported feature: QoS is configured.
    [Expert@MyGW:0]# echo $?
    1
    [Expert@MyGW:0]#
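Because every query keyword above hands its answer back as the exit code, two things matter in scripts: the value has to be read from $? at once, and a script running under set -e must not call these commands as bare statements, since an answer such as "4 cores" looks like a failure to the shell. The script below is an added example, not part of this guide or of any Check Point tool. It captures the exit code safely and then uses it for a check a practitioner wants after changing CoreXL: comparing the configured IPv4 instance count with what fw ctl multik stat shows running (the guide requires a reboot after CoreXL changes, so a mismatch usually means one is still pending). fwboot_corexl is a constructed stand-in for $FWDIR/boot/fwboot corexl so the script runs off the gateway, the multik stat text is constructed in the guide's layout, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Check Point guide. The 'fw ctl multik stat'
# text below is constructed sample output; 'fwboot_corexl' stands in for
# '$FWDIR/boot/fwboot corexl' (replace it with the real path on a gateway).

# exit_code_of <cmd> [args]: run the command and print its exit code.
# The if-test keeps a nonzero "answer" from aborting a 'set -e' script.
exit_code_of() {
    if "$@" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Stand-in for the real command (constructed values: 4 cores, CoreXL on,
# 3 IPv4 instances configured, at most 4 allowed).
fwboot_corexl() {
    case "$1" in
        core_count)           return 4 ;;
        installed)            return 1 ;;
        curr_instance4_count) return 3 ;;
        max_instance4_count)  return 4 ;;
        *) echo "fwboot corexl: unknown keyword $1" >&2; return 255 ;;
    esac
}

# Constructed 'fw ctl multik stat' output, as in the guide's example.
MULTIK_STAT='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18'

# Constructed: the same box with instance 2 no longer active.
MULTIK_STAT_DEGRADED='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | No | 1 | 0 | 18'

# running_instances "<multik stat text>": count rows whose Active column is Yes.
running_instances() {
    printf '%s\n' "$1" | awk -F'|' \
        '$1 ~ /^[[:blank:]]*[0-9]+[[:blank:]]*$/ && $2 ~ /Yes/ { n++ } END { print n + 0 }'
}

# corexl_check "<multik stat text>": compare the boot configuration with what
# is running. Returns 0 when consistent, 1 otherwise, saying what differs.
corexl_check() {
    installed=$(exit_code_of fwboot_corexl installed)
    configured=$(exit_code_of fwboot_corexl curr_instance4_count)
    maximum=$(exit_code_of fwboot_corexl max_instance4_count)
    running=$(running_instances "$1")
    problem=0
    [ "$installed" -eq 1 ] || { echo "CoreXL is not enabled"; problem=1; }
    [ "$configured" -le "$maximum" ] || { echo "configured $configured instances exceed the maximum $maximum"; problem=1; }
    [ "$configured" -eq "$running" ] || { echo "configured $configured instances but $running running (reboot pending or an instance failed)"; problem=1; }
    [ "$problem" -eq 0 ] && echo "CoreXL OK: $running of max $maximum IPv4 instances running, matching the boot configuration"
    return "$problem"
}

corexl_check "$MULTIK_STAT"
corexl_check "$MULTIK_STAT_DEGRADED" || echo "(degraded sample flagged as expected)"
```

For the IPv6 side, repeat the comparison with curr_instance6_count and fw6 ctl multik stat.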

fwboot cpuid
Description
Shows the number of available CPUs and CPU cores on this Security Gateway.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot cpuid
      {-h | -help | --help}
      -c
      --full
      ht_aware
      -n
      --possible

Parameters

No Parameters
    Shows the IDs of the available CPU cores on this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid
    3 2 1 0
    [Expert@MyGW:0]#

-c
    Counts the number of available CPU cores on this Security Gateway.
    The command stores the returned number as its exit code.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -c
    [Expert@MyGW:0]# echo $?
    4
    [Expert@MyGW:0]#

--full
    Shows a full map of the available CPUs and CPU cores on this Security Gateway.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --full
    cpuid  phys_id  core_id  thread_id
    0      0        0        0
    1      2        0        0
    2      4        0        0
    3      6        0        0
    [Expert@MyGW:0]#

ht_aware
    Shows the CPU cores in the order of their awareness of Hyper-Threading.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid ht_aware
    3 2 1 0
    [Expert@MyGW:0]#

-n
    Counts the number of available CPUs on this Security Gateway.
    The command stores the returned number as its exit code.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -n
    [Expert@MyGW:0]# echo $?
    4
    [Expert@MyGW:0]#

--possible
    Counts the number of possible CPU cores.
    The command stores the returned number as its exit code.
    Example
    [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --possible
    [Expert@MyGW:0]# echo $?
    4
    [Expert@MyGW:0]#

fwboot ht
Important - This command is obsolete and is not supported. To configure SMT
(HyperThreading) feature, follow sk93000.

fwboot multik_reg
Description
Shows the internal memory address of the registration function for the specified CoreXL
Firewall instance.

Important - This command is for Check Point use only.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot multik_reg <Number of CoreXL Firewall instance> {ipv4 | ipv6} [-d]

Parameters

No Parameters
    Shows the built-in help with available parameters.

<Number of CoreXL Firewall instance>
    Specifies the ID number of the CoreXL Firewall instance.

ipv4
    Specifies to work with IPv4 CoreXL Firewall instances.

ipv6
    Specifies to work with IPv6 CoreXL Firewall instances.

-d
    Shows the decimal 64-bit address of the hook function.

Example

[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 0 ipv4
0
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 1 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 2 ipv4
0xffffffff8a2a5690
[Expert@MyGW:0]#

fwboot post_drv
Description
Loads the Firewall driver for CoreXL during boot.

Important:
- This command is for Check Point use only.
- If you run this command, the Security Gateway can block all traffic. In such a case, you must connect to the Security Gateway over a console and restart Check Point services with the "cpstop" on page 967 and "cpstart" on page 957 commands. Alternatively, you can reboot the Security Gateway.

Note - You must run this command from the Expert mode.

Syntax

[Expert@HostName:0]# $FWDIR/boot/fwboot post_drv {ipv4 | ipv6}

Parameters

Parameter Description

No Parameters Shows the built-in help with available parameters.

ipv4 Loads the IPv4 Firewall driver for CoreXL.

ipv6 Loads the IPv6 Firewall driver for CoreXL.

Multi-Queue Commands
For more information about Multi-Queue, see the R80.40 Performance Tuning Administration
Guide - Chapter Multi-Queue.

mq_mng
In This Section:

Multi-Queue Configuration in the Expert mode 1558
Multi-Queue Configuration in Gaia Clish 1563

You configure Multi-Queue on the command line in one of these shells:
- In the Expert mode
- In Gaia Clish

Multi-Queue Configuration in the Expert mode

Description
The mq_mng utility shows and configures the Multi-Queue on supported interfaces.

Syntax

Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- You must run these commands in the Expert mode.
- A change of the Multi-Queue mode can cause short packet loss.

- To see the built-in help:

mq_mng {-h | --help}

- To show the existing Multi-Queue configuration:

mq_mng {-o | --show} [{-v | -vv}] [-a] [{-i | --interface} <Names of Interfaces>]

- To configure the Multi-Queue for the specified driver:

mq_mng {-s | --set-mode} auto
mq_mng {-s | --set-mode} manual [{-i | --interface} <Names of Interfaces>] [{-c | --core} <IDs of CPU Cores>]
mq_mng {-s | --set-mode} off [{-i | --interface} <Names of Interfaces>]

- To apply the existing Multi-Queue policy:

mq_mng {-r | --reconf}

Parameters

-h | --help
    Shows the built-in help.

-o | --show
    Shows the existing Multi-Queue configuration.

-v | -vv
    Verbose output.

-a
    Shows all interfaces in the output.

-s | --set-mode
    Configures the Multi-Queue mode:
    - auto - Automatic mode (this is the default). Multi-Queue automatically configures the affinity of all supported interfaces to CPU cores that run CoreXL SND Instances.
    - manual - Manual mode. The administrator configures the affinity of interfaces to CPU cores that run CoreXL SND Instances. In this mode, you can specify interfaces, CPU cores, or both.
    - off - Disables the Multi-Queue on all or specified supported interfaces.
    Important - A change of the Multi-Queue mode can cause short packet loss.
    Notes:
    - To specify interfaces:
      - Use this syntax: {-i | --interface} <Names of Interfaces>
      - If you do not specify interfaces, the configuration applies to all supported interfaces.
      - To specify a specific interface, enter its name (for example: -i eth2).
      - To specify several interfaces, enter their names separated with spaces (for example: -i eth2 eth4).
    - To specify CPU cores:
      - Use this syntax: {-c | --core} <IDs of CPU Cores that run CoreXL SND Instances>
      - To specify a specific CPU core, enter its ID number (for example: -c 1).
      - To specify several nonconsecutive CPU cores, enter their ID numbers separated with spaces (for example: -c 1 3) or commas (for example: -c 1,3).
      - To specify several consecutive CPU cores, enter their first and last ID numbers separated with a hyphen (for example: -c 3-6).
    - To see the current CoreXL affinity configuration, run the "fw ctl affinity" on page 1523 command (with applicable parameters).
    - To see the CoreXL Firewall Instances and which CPU cores they use, run the "fw ctl multik stat" on page 1518 command.
    - To see all available CPU cores, run: cat /proc/cpuinfo | grep processor

-r | --reconf
    Applies the existing Multi-Queue policy.

Examples

Show the current Multi-Queue configuration on all interfaces

[Expert@MyGW:0]# mq_mng --show
Total 8 cores. Multiqueue 2 cores

i/f      type  state  config  cores
--------------------------------------------------------------------------
eth1     igb   Up     Auto    0,4
eth2     igb   Up     Auto    0,4
eth2-01  igb   Up     Auto    0,4
[Expert@MyGW:0]#

Show the current Multi-Queue verbose configuration on all interfaces

[Expert@MyGW:0]# mq_mng --show -v
Total 8 cores. Multiqueue 2 cores: 0,4

i/f      type  state  config  cores
--------------------------------------------------------------------------
eth1     igb   Up     Auto    0(58),4(78)
eth2     igb   Up     Auto    4(62),0(79)
eth2-01  igb   Up     Auto    0(42),4(86)

core  interfaces  queue           irq  rx packets  tx packets
-------------------------------------------------------------------------------------------
0     eth1        eth1-TxRx-0     58   2350        3012
      eth2        eth2-TxRx-1     79   0           0
      eth2-01     eth2-01-TxRx-0  42   0           45
4     eth1        eth1-TxRx-1     78   652         764
      eth2        eth2-TxRx-0     62   0           0
      eth2-01     eth2-01-TxRx-1  86   0           12
[Expert@MyGW:0]#

Show the current Multi-Queue verbose configuration on the interface eth2

[Expert@MyGW:0]# mq_mng --show -v -i eth2
Total 8 cores. Multiqueue 2 cores: 0,4

i/f   type  state  config  cores
--------------------------------------------------------------------------------------
eth2  igb   Up     Auto    4(62),0(79)
--------------------------------------------------------------------------------------
eth2 <igb> max 8 cur 2
06:00.2 Ethernet controller: Intel Corporation 82580 Gigabit Network Connection (rev 01)
core  interfaces  queue        irq  rx packets  tx packets
-------------------------------------------------------------------------------------------
0     eth2        eth2-TxRx-1  79   4212        3965
4     eth2        eth2-TxRx-0  62   0           0
[Expert@MyGW:0]#

Set automatic Multi-Queue mode on all interfaces

mq_mng --set-mode auto

Set manual Multi-Queue mode on the interfaces eth1 and eth2 to CPU cores 0, 1, 2, 4, 5, and 6

mq_mng -s manual -i eth1 eth2 -c 0-2 4-6

Multi-Queue Configuration in Gaia Clish

Syntax

Important:
- In a Cluster, you must configure all the Cluster Members in the same way.
- You must run these commands in Gaia Clish.
- A change of the Multi-Queue mode can cause short packet loss.

- To show the existing Multi-Queue configuration for the specified interface:

show interface <Name of Interface> multi-queue [verbose]

- To configure the Multi-Queue for the specified interface:

set interface <Name of Interface> multi-queue auto
set interface <Name of Interface> multi-queue manual core <IDs of CPU Cores that run CoreXL SND Instances>
set interface <Name of Interface> multi-queue off

Parameters

<Name of Interface>
    Specifies the interface.

verbose
    Verbose output that also includes:
    - IRQ numbers for traffic queues
    - Total number of RX and TX packets in traffic queues

auto
    Configures the automatic Multi-Queue mode (this is the default).
    Multi-Queue automatically configures the affinity of the specified interface to CPU cores that run CoreXL SND Instances.

manual core <IDs of CPU Cores>
    Configures the manual Multi-Queue mode.
    The administrator configures the affinity of the specified interface to CPU cores that run CoreXL SND Instances.
    Notes:
    - To specify a specific CPU core, enter its ID number (for example: manual core 1).
    - To specify several nonconsecutive CPU cores, enter their ID numbers separated with commas and without spaces (for example: manual core 1,3).
    - To specify several consecutive CPU cores, enter their first and last ID numbers separated with a hyphen (for example: manual core 3-6).
    - To see the current CoreXL affinity configuration, run the "fw ctl affinity" on page 1523 command (with applicable parameters).
    - To see the CoreXL Firewall Instances and which CPU cores they use, run the "fw ctl multik stat" on page 1518 command.
    - To see all available CPU cores, run: cat /proc/cpuinfo | grep processor

off
    Disables the Multi-Queue on the specified interface.

Examples

Show Multi-Queue configuration on the interface eth2

MyGW> show interface eth2 multi-queue
Total 8 cores. Multiqueue 2 cores

i/f   type  state  config  cores
--------------------------------------------------------------------------
eth2  igb   Up     Auto    4,0

Note: The output does not include network interfaces that are currently in the down state.
MyGW>

Show Multi-Queue verbose configuration on the interface eth2

MyGW> show interface eth2 multi-queue verbose
Total 8 cores. Multiqueue 2 cores: 0,4

i/f   type  state  config  cores
--------------------------------------------------------------------------
eth2  igb   Up     Auto    4(62),0(79)

core  interfaces  queue        irq  rx packets  tx packets
-------------------------------------------------------------------------------------------
0     eth2        eth2-TxRx-1  79   212         80
4     eth2        eth2-TxRx-0  62   16232       18901
MyGW>

Set automatic Multi-Queue mode on the interface eth2

set interface eth2 multi-queue auto

Set manual Multi-Queue mode on the interface eth2 to CPU cores 0, 1, 2, 4, 5, and 6

set interface eth2 multi-queue manual core 0-2,4-6
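Both the Expert-mode section (mq_mng --show, with or without -v) and the Gaia Clish section above (show interface <name> multi-queue [verbose]) print the same interface table, and both say that in manual mode the cores you hand to Multi-Queue should be the ones that run CoreXL SND Instances, with fw ctl multik stat showing which cores the Firewall Instances use. The script below is an added example, not part of this guide or of any Check Point tool: it reads the two outputs and lists every interface queue pinned to a core that also runs a Firewall Instance, which is the mistake a hand-typed core list most often makes. All sample text is constructed in the layout the guide shows (one sample deliberately puts an eth1 queue on core 2, where a Firewall Instance runs), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: check that the cores
# Multi-Queue assigned to interface queues are not the cores that run CoreXL
# Firewall instances. Input: the text printed by 'mq_mng --show [-v]' or by
# 'show interface <name> multi-queue [verbose]' (same layout), plus
# 'fw ctl multik stat'. All samples below are constructed.

# Constructed: 'mq_mng --show -v' on an 8-core box, queues on cores 0 and 4.
MQ_SHOW='Total 8 cores. Multiqueue 2 cores: 0,4

i/f type state config cores
--------------------------------------------------------------------------
eth1 igb Up Auto 0(58),4(78)
eth2 igb Up Auto 4(62),0(79)
eth2-01 igb Up Auto 0(42),4(86)

core interfaces queue irq rx packets tx packets
-------------------------------------------------------------------------------------------
0 eth1 eth1-TxRx-0 58 2350 3012
eth2 eth2-TxRx-1 79 0 0
4 eth1 eth1-TxRx-1 78 652 764
eth2 eth2-TxRx-0 62 0 0'

# Constructed: a manual setting that put one eth1 queue on core 2.
MQ_SHOW_BAD='Total 8 cores. Multiqueue 2 cores: 0,2

i/f type state config cores
--------------------------------------------------------------------------
eth1 igb Up Manual 0(58),2(78)
eth2 igb Up Auto 4(62),0(79)'

# Constructed: 'fw ctl multik stat', Firewall instances on cores 3, 2 and 1.
MULTIK_STAT='ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 11 | 18
1 | Yes | 2 | 12 | 18
2 | Yes | 1 | 13 | 18'

# mq_core_map "<mq output>": print "interface core" pairs, one per line.
# Interface rows have five fields with Up/Down in the third; the IRQ in
# parentheses after each core ID (verbose output only) is stripped.
mq_core_map() {
    printf '%s\n' "$1" | awk '
        NF == 5 && $3 ~ /^(Up|Down)$/ {
            gsub(/\([0-9]+\)/, "", $5)
            n = split($5, c, ",")
            for (i = 1; i <= n; i++) print $1, c[i]
        }'
}

# fw_instance_cores "<multik stat output>": print the CPU ID of every CoreXL
# Firewall instance, one per line.
fw_instance_cores() {
    printf '%s\n' "$1" | awk -F'|' \
        '$1 ~ /^[[:blank:]]*[0-9]+[[:blank:]]*$/ { gsub(/[[:blank:]]/, "", $3); print $3 }'
}

# mq_overlap_check "<mq output>" "<multik stat output>": list each queue that
# sits on a Firewall instance core; return 1 if any, 0 if the sets are disjoint.
mq_overlap_check() {
    fwcores=" $(fw_instance_cores "$2" | tr '\n' ' ')"
    overlaps=$(mq_core_map "$1" | while read -r iface core; do
        case "$fwcores" in
            *" $core "*) echo "$iface: queue on CPU $core, which also runs a Firewall instance" ;;
        esac
    done)
    if [ -n "$overlaps" ]; then
        printf '%s\n' "$overlaps"
        return 1
    fi
    echo "OK: Multi-Queue cores are disjoint from Firewall instance cores ($fwcores)"
}

mq_overlap_check "$MQ_SHOW" "$MULTIK_STAT"
mq_overlap_check "$MQ_SHOW_BAD" "$MULTIK_STAT" || echo "(expected: give -c / manual core only SND cores)"
```

On a gateway, feed the functions the real outputs, for example mq_overlap_check "$(mq_mng --show -v)" "$(fw ctl multik stat)" from the Expert mode.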

Identity Awareness Commands


For more information about Identity Awareness, see the R80.40 Identity Awareness Administration Guide.
These terms are used in the CLI commands:

PDP
    Identity Awareness Policy Decision Point.
    This is an Identity Awareness Security Gateway, which is responsible for collecting and sharing identities.

PEP
    Identity Awareness Policy Enforcement Point.
    This is an Identity Awareness Security Gateway, which is responsible for enforcing network access restrictions.
    It makes its decisions based on the identity data it collected from the PDP.

ADLOG
    The module responsible for the acquisition of identities of entities (users or computers) from the Active Directory.
    The adlog runs on:
    - An Identity Awareness Security Gateway, for which you enabled the AD Query. The AD Query serves the Identity Awareness Software Blade, which enforces the policy and logs identities.
    - A Log Server. The adlog logs identities.
    The adlog is the command line process used to control and monitor the ADLOG feature.
    The command line tool helps control users' statuses, as well as troubleshoot and monitor the system.

The PEP and PDP processes are key components of the system. Through them, administrators control user access and network protection.

adlog
Description
Provides commands to control and monitor the AD Query process.

Syntax
- When the adlog runs on a Security Gateway, the AD Query serves the Identity Awareness Software Blade, which enforces policy and logs identities. In this case, the command syntax is:

adlog a <parameter> [<option>]

- When the adlog runs on a Log Server, it logs identities. In this case, the command syntax is:

adlog l <parameter> [<option>]

Note - Parameters for the "adlog a" and "adlog l" commands are identical.

Parameters

No Parameters
    Displays available options for this command and exits.

a or l
    Sets the working mode:
    - adlog a - If you use the AD Query for Identity Awareness.
    - adlog l - If you use a Log Server (Identity Logging).

control <parameter> <option>
    Sends control commands to the AD Query.
    See "adlog control" on page 1569.

dc
    Shows the status of the connection to the AD domain controller.
    See "adlog dc" on page 1571.

debug <parameter>
    Enables and disables the adlog debug output.
    See "adlog debug" on page 1572.

query <parameter> <option>
    Shows the database of identities acquired by the AD Query, according to the specified filter.
    See "adlog query" on page 1573.

statistics
    Shows statistics about NT Event logs received by adlog, for each IP address and in total.
    Also shows the number of identified IP addresses.
    See "adlog statistics" on page 1574.

adlog control

Description
Sends control commands to the AD Query.

Syntax

adlog {a | l} control
muh <options>
reconf
srv_accounts <options>
stop

Parameters

muh <options>
    Manages the list of Multi-User Hosts.
    The available <options> are:
    - Show all known Multi-User Hosts: adlog {a | l} control muh show
    - Add an IP address as a Multi-User Host: adlog {a | l} control muh mark
    - Remove an IP address from the list of Multi-User Hosts: adlog {a | l} control muh unmark

reconf
    Sends a reconfiguration command to the AD Query.
    Resets the policy configuration to the one defined in SmartConsole.

srv_accounts <options>
    Manages service accounts.
    Service accounts are accounts that do not belong to actual users; they belong to services that run on a computer. An account is suspected to be a service account if it logs in more than a certain number of times.
    The available <options> are:
    - Show all known service accounts: adlog {a | l} control srv_accounts show
    - Clear all the accounts from the list of service accounts: adlog {a | l} control srv_accounts clear
    - Manually update the list of service accounts: adlog {a | l} control srv_accounts find
    - Remove an account name from the list of service accounts: adlog {a | l} control srv_accounts unmark

stop
    Stops the AD Query.
    The Security Gateway does not acquire new identities with the AD Query anymore.


adlog dc

Description
Shows the status of a connection to the AD domain controller.

Syntax

adlog a dc
adlog l dc


adlog debug

Description
Enables and disables the adlog debug output.

Feature                                     Output Debug File
Identity Awareness on a Security Gateway    $FWDIR/log/pdpd.elg
Identity Logging on a Log Server            $FWDIR/log/fwd.elg

Syntax

adlog {a | l} debug
    extended
    mode
    off
    on

Parameters

Parameter Description

extended Turns on the debug and adds extended debug topics.

mode Shows the debug status ("on", or "off").

off Turns off the debug.

on Turns on the debug.


adlog query

Description
Shows the database of identities acquired by the AD Query, according to the specified filter.

Syntax

adlog {a | l} query
    all
    ip <IP Address>
    machine <Computer Name>
    string <String>
    user <Username>

Parameters

Parameter Description

all No filter. Shows the entire identity database.

ip <IP Address> Filters identities that relate to the specified IP address.

machine <Computer Name> Filters identity mappings based on the specified computer name.

string <String> Filters identity mappings based on the specified text string.

user <Username> Filters identity mappings based on the specified user.

Example - Show the entry that contains the string "jo" in the user name
adlog a query user jo


adlog statistics

Description
Shows statistics about NT Event logs received by adlog, for each IP address and total.
Also shows the number of identified IP addresses.

Syntax

adlog a statistics
adlog l statistics


pdp
Description
These commands control and monitor the pdpd process.

Syntax

pdp <command> [<parameter> [<option>]]

Commands

No Parameters
    Shows available options for this command and exits.

ad <parameter> <option>
    For the AD Query, adds (or removes) an identity to the Identity Awareness database on the Security Gateway.
    See "pdp ad" on page 1577.

auth <parameter> <option>
    Shows authentication or authorization options.
    See "pdp auth" on page 1579.

broker <parameter> <option>
    Controls the PDP Identity Broker.
    See "pdp broker" on page 1583.

conciliation <parameter> <option>
    Controls the session conciliation mechanism.
    See "pdp conciliation" on page 1587.

connections <parameter>
    Shows the PDP connections with the PEP gateways, Terminal Servers, and Identity Collectors.
    See "pdp connections" on page 1589.

control <parameter> <option>
    Controls the PDP parameters.
    See "pdp control" on page 1590.

debug <parameter> <option>
    Controls the PDP debug.
    See "pdp debug" on page 1591.

idc <parameter> <option>
    Operations related to Identity Collector.
    See "pdp idc" on page 1594.

idp <parameter> <option>
    Operations related to SAML-based authentication.
    See "pdp idp" on page 1598.

ifmap <parameter> <option>
    Controls the Interface to Metadata Access Points (IF-MAP) sessions.
    See "pdp ifmap" on page 1599.

monitor <parameter> <option>
    Monitors the status of connected PDP sessions.
    See "pdp monitor" on page 1601.

muh <parameter> <option>
    Shows Multi-User Hosts (MUHs).
    See "pdp muh" on page 1603.

nested_groups <parameter>
    Shows the LDAP Nested Groups configuration.
    See "pdp nested_groups" on page 1604.

network <parameter>
    Shows information about network-related features.
    See "pdp network" on page 1607.

radius <parameter> <option>
    Shows and configures the RADIUS accounting options.
    See "pdp radius" on page 1608.

roles <parameter> <option>
    Shows the user role information.
    See "pdp roles" on page 1611.

status <parameter>
    Shows PDP status information, such as start time or configuration time.
    See "pdp status" on page 1614.

tasks_manager <parameter>
    Shows the status of the PDP tasks.
    See "pdp tasks_manager" on page 1615.

timers <parameter>
    Shows PDP timers information for each session.
    See "pdp timers" on page 1616.

topology_map
    Shows the topology of all PDP and PEP addresses.
    See "pdp topology_map" on page 1617.

tracker <parameter>
    Adds the TRACKER topic to the PDP logs.
    See "pdp tracker" on page 1618.

update <parameter>
    Recalculates users and computers group membership.
    See "pdp update" on page 1619.

vpn <parameter>
    Shows connected VPN gateways that send identity data from VPN Remote Access Clients.
    See "pdp vpn" on page 1620.


pdp ad
General Syntax

pdp ad
associate <options>
disassociate <options>

The 'pdp ad associate' command

Description
For the AD Query, adds an identity to the Identity Awareness database on the Security
Gateway.
The group data must be in the AD.

Syntax

pdp ad associate ip <IP Address> u <Username> d <Domain> [m <Computer Name>] [t <Timeout>] [s]

Parameters

ip <IP Address>
    Specifies the IP address for the identity.

u <Username>
    Specifies the username for the identity.

d <Domain>
    Specifies the domain of the ID server.

m <Computer Name>
    Specifies the computer that is defined for the identity.

t <Timeout>
    Specifies the timeout for the AD Query.
    The default timeout is 5 hours.

s
    Associates the "u <Username>" and the "m <Computer Name>" parameters sequentially.
    First adds the "<Computer Name>" and then adds the "<Username>" to the database.


The 'pdp ad disassociate' command

Description
For the AD Query, removes the identity from the Identity Awareness database on the Security
Gateway.
Identity Awareness does not authenticate a user that is removed.

Syntax

pdp ad disassociate ip <IP Address> {u <Username> | m <Computer Name>} [r {override | probed | timeout}]

Parameters

ip <IP Address>
    Specifies the IP address for the identity.

u <Username>
    Specifies the username for the identity.

m <Computer Name>
    Specifies the computer that is defined for the identity.

r {override | probed | timeout}
    Specifies the reason to show in SmartConsole on the Logs & Monitor > Logs tab.


pdp auth

Description
Configures authentication/authorization options for PDP.

Syntax

pdp auth
    allow_empty_result <options>
    count_in_non_ldap_group <options>
    fetch_by_sid <options>
    force_domain <options>
    kerberos_any_domain <options>
    kerberos_encryption <options>
    reauth_agents_after_policy <options>
    recovery_interval <options>
    username_password <options>

Parameters

allow_empty_result <options>
    Shows the current configuration of fetching local groups from the AD server based on SID.
    Configures that the fetching of local groups from the AD server based on SID should succeed, even if all SIDs are foreign.
    The available <options> are:
    - Disable the fetching of local groups:
      pdp auth allow_empty_result disable
    - Enable the fetching of local groups:
      pdp auth allow_empty_result enable
    - Show the current configuration:
      pdp auth allow_empty_result status

count_in_non_ldap_group <options>
    Shows and configures the identification of membership for individual users that are selected in the user picker and LDAP branch groups in SmartConsole.
    The available <options> are:
    - Disable the identification of membership:
      pdp auth count_in_non_ldap_group disable
    - Enable the identification of membership:
      pdp auth count_in_non_ldap_group enable
    - Show the current configuration:
      pdp auth count_in_non_ldap_group status

fetch_by_sid <options>
    Shows and configures the fetching of local groups from the AD server based on SID.
    The available <options> are:
    - Disable the fetching of local groups:
      pdp auth fetch_by_sid disable
    - Enable the fetching of local groups:
      pdp auth fetch_by_sid enable
    - Show the current configuration:
      pdp auth fetch_by_sid status

force_domain <options>
    Shows and configures whether the PDP matches the identity's source based on the reported domain and the authorization domain.
    The available <options> are:
    - Disable matching of the identity's source:
      pdp auth force_domain disable
    - Enable matching of the identity's source:
      pdp auth force_domain enable
    - Show the current configuration:
      pdp auth force_domain status

kerberos_any_domain <options>
    Shows and configures the use of all available Kerberos principals.
    The available <options> are:
    - Disable the use of all available Kerberos principals:
      pdp auth kerberos_any_domain disable
    - Enable the use of all available Kerberos principals:
      pdp auth kerberos_any_domain enable
    - Show the current configuration:
      pdp auth kerberos_any_domain status

kerberos_encryption <options>
    Shows and configures the Kerberos encryption type.
    Note - In SmartConsole, go to Objects menu > Object Explorer > Servers > open the LDAP Account Unit object > go to the General tab > click Active Directory SSO Configuration.
    The available <options> are:
    - Configure the Kerberos encryption type:
      pdp auth kerberos_encryption set
    - Show the current configuration:
      pdp auth kerberos_encryption get

reauth_agents_after_policy <options>
    Shows and configures the automatic reauthentication of Identity Agents after policy installation.
    The available <options> are:
    - Disable the automatic reauthentication:
      pdp auth reauth_agents_after_policy disable
    - Enable the automatic reauthentication:
      pdp auth reauth_agents_after_policy enable
    - Show the current configuration:
      pdp auth reauth_agents_after_policy status

recovery_interval <options>
    Shows and configures the frequency of attempts to connect back to the higher-priority PDP gateway.
    The available <options> are:
    - Disable the reconnect attempts:
      pdp auth recovery_interval disable
    - Enable the reconnect attempts:
      pdp auth recovery_interval enable
    - Configure the frequency of reconnect attempts:
      pdp auth recovery_interval set <Number of Seconds>
    - Show the current configuration:
      pdp auth recovery_interval show

username_password <options>
    Shows and configures the username and password authentication.
    The available <options> are:
    - Disable the username and password authentication:
      pdp auth username_password disable
    - Enable the username and password authentication:
      pdp auth username_password enable
    - Show the current configuration:
      pdp auth username_password status


pdp broker

Description
These commands control the PDP Identity Broker.

Syntax

pdp broker
    debug {set | unset} <options>
    discard <options>
    reconnect <options>
    status [-e]
    sync <options>

Parameters

debug set <options>
debug unset <options>
    Controls the debug of the PDP Identity Broker.
    The available <options> are:
    - Print the logs related to remote Publisher PDPs:
      pdp broker debug set pub <IP Address of Publisher PDP>
    - Disable the logs related to remote Publisher PDPs:
      pdp broker debug unset pub <IP Address of Publisher PDP>
    - Print the extended logs related to remote Publisher PDPs:
      pdp broker debug set pub_ext <IP Address of Publisher PDP>
    - Disable the extended logs related to remote Publisher PDPs:
      pdp broker debug unset pub_ext <IP Address of Publisher PDP>
    - Print the logs related to communication with remote Publisher PDPs:
      pdp broker debug set pub_transport <IP Address of Publisher PDP>
      Enable this debug on the Subscriber PDP side to observe the Publisher PDP's JSON requests in these cases:
      - To monitor networking issues in case the message was not received.
      - To monitor the JSON requests from the Publisher PDPs and related message-parsing issues.
      - To monitor whether the content of the JSON does not meet the requirements (for example: Sharing ID).
    - Disable the logs related to communication with remote Publisher PDPs:
      pdp broker debug unset pub_transport <IP Address of Publisher PDP>
    - Print the logs related to remote Subscriber PDPs:
      pdp broker debug set sub <IP Address of Subscriber PDP>
    - Disable the logs related to remote Subscriber PDPs:
      pdp broker debug unset sub <IP Address of Subscriber PDP>
    - Print the extended logs related to remote Subscriber PDPs:
      pdp broker debug set sub_ext <IP Address of Subscriber PDP>
    - Disable the extended logs related to remote Subscriber PDPs:
      pdp broker debug unset sub_ext <IP Address of Subscriber PDP>
    - Print the logs related to communication with remote Subscriber PDPs:
      pdp broker debug set sub_transport <IP Address of Subscriber PDP>
    - Disable the logs related to communication with remote Subscriber PDPs:
      pdp broker debug unset sub_transport <IP Address of Subscriber PDP>
    Notes:
    - For more information about the debug, see "pdp debug" on page 1591.
    - To see HTTP-related issues, run this command to enable the debug on the Publisher PDP side:
      pdp debug set HttpClient all
      To see more information for some errors, run this command:
      pdp broker status [-e]

discard <options>
    Controls the timeout for discarding sessions received from the specified Publisher PDP during a disconnection.
    The available <options> are:
    - Show the current timeout:
      pdp broker discard show_timeout <IP Address of Publisher PDP>
    - Configure the new timeout (in seconds):
      pdp broker discard set_timeout <IP Address of Publisher PDP> <Timeout>

reconnect <IP Address of Subscriber PDP>
    Forces the reconnection to the specified Subscriber PDP immediately.
    If you run this command, the PDP ignores the keep-alive intervals and exponential backoff timeouts, and sends the handshake / keep-alive immediately.
    Best Practice - Use this command when a long time has passed since the PDP disconnected, and it is necessary to establish the connection again immediately.

status [-e]
    Shows the status of remote Publisher PDPs and Subscriber PDPs.
    The "-e" flag adds more information (Subscriber PDP port and the last error time and description).

sync <options>
    Synchronizes identities with the specified Publisher PDPs or Subscriber PDPs.
    The available <options> are:
    - Send the synchronization request (in the next broker message) to the specified remote Publisher PDP:
      pdp broker sync pub <IP Address of Publisher PDP>
    - Send the synchronization request (in the next broker message) to all remote Publisher PDPs:
      pdp broker sync pub all
    - Control the schedule for synchronization with remote Publisher PDPs:
      pdp broker sync schedule {add <option> | remove <option> | show <option>}
      - To add a new synchronization time:
        pdp broker sync schedule add <IP Address of Publisher PDP> "<HH:MM>"
      - To remove the current schedule:
        pdp broker sync schedule remove <IP Address of Publisher PDP> "<HH:MM>"
      - To show the current schedule:
        pdp broker sync schedule show [<IP Address of Publisher PDP>]
    - Initiate the synchronization with the specified remote Subscriber PDP:
      pdp broker sync sub <IP Address of Subscriber PDP>
    - Initiate the synchronization with all remote Subscriber PDPs:
      pdp broker sync sub all


pdp conciliation

Description
Controls the session conciliation mechanism.

Syntax

pdp conciliation
    adq_single_user <option>
    api_multiple_users <option>
    idc_multiple_users <option>
    rad_multiple_users <option>

Parameters

adq_single_user <option>
    Shows and controls the assumption that a single AD Query user is connected on each computer.
    The available <options> are:
    - Disable this behavior:
      pdp conciliation adq_single_user disable
    - Enable this behavior:
      pdp conciliation adq_single_user enable
    - Show the current status (enabled or disabled):
      pdp conciliation adq_single_user stat

api_multiple_users <option>
    Shows and controls the assumption that multiple Web-API users are connected on each computer.
    The available <options> are:
    - Disable this behavior:
      pdp conciliation api_multiple_users disable
    - Enable this behavior:
      pdp conciliation api_multiple_users enable
    - Show the current status (enabled or disabled):
      pdp conciliation api_multiple_users stat

idc_multiple_users <option>
    Shows and controls the assumption that multiple Identity Collector users are connected on each computer.
    The available <options> are:
    - Disable this behavior:
      pdp conciliation idc_multiple_users disable
    - Enable this behavior:
      pdp conciliation idc_multiple_users enable
    - Show the current status (enabled or disabled):
      pdp conciliation idc_multiple_users stat

rad_multiple_users <option>
    Shows and controls the assumption that multiple RADIUS users are connected on each computer.
    The available <options> are:
    - Disable this behavior:
      pdp conciliation rad_multiple_users disable
    - Enable this behavior:
      pdp conciliation rad_multiple_users enable
    - Show the current status (enabled or disabled):
      pdp conciliation rad_multiple_users stat


pdp connections

Description
Shows the PDP connections with PEP gateways, Terminal Servers, and Identity Collectors.

Syntax

pdp connections
    idc
    pep
    ts

Parameters

Parameter Description

idc Shows a list of connected Identity Collectors.

pep Shows the connection status of all the PEPs that the current PDP should update.

ts Shows a list of all connected Terminal Servers.


pdp control

Description
Provides commands to control the PDP.

Syntax

pdp control
    revoke_ip <IP address>
    sync

Parameters

revoke_ip <IP address>
    Logs out the session that is related to the specified IP address.

sync
    Forces an initiated synchronization operation between the PDPs and the PEPs.
    When you run this command, the PDP informs its related PEPs of the up-to-date information of all connected sessions.
    At the end of this operation, the PDP and the PEPs contain the same and latest session information.


pdp debug

Description
Controls the debug of the PDP.

Syntax

pdp debug
    async1
    ccc {off | on}
    memory
    off
    on
    reset
    rotate
    set <Topic Name> <Severity>
    spaces [<0 - 5>]
    stat
    unset <Topic Name>

Parameters

async1
    Tests the async command line with the echo command for 30 seconds.

ccc {off | on}
    Configures whether to write the CCC debug logs into the PDP log file $FWDIR/log/pdpd.elg:
    - on - Writes the CCC debug logs
    - off - Does not write the CCC debug logs

memory
    Shows the memory consumption of the pdpd daemon.

off
    Disables the PDP debug.

on
    Enables the PDP debug.
    Important - After you run the command "pdp debug on", you must run the command "pdp debug set ..." to configure the required filter.

reset
    Resets the PDP debug options for Debug Topic and Severity.
    Important - After you run the command "pdp debug reset", you must run the command "pdp debug off" to turn off the debug.

rotate
    Rotates the PDP log files - increases the index of each log file:
    1. $FWDIR/log/pdpd.elg becomes $FWDIR/log/pdpd.elg.0
    2. $FWDIR/log/pdpd.elg.0 becomes $FWDIR/log/pdpd.elg.1
    3. And so on.

set <Topic Name> <Severity>
    Filters which debug logs the PDP writes to the log file, based on the specified Debug Topics and Severity.
    The available Debug Topics are:
    - all
    - Check Point Support provides more specific topics, based on the reported issue
    The available Severities are:
    - all
    - critical
    - events
    - important
    - surprise
    Best Practice - We recommend that you enable all Topics and all Severities. Run:
    pdp debug set all all

spaces [<0 - 5>]
    Shows and configures the number of indentation spaces in the $FWDIR/log/pdpd.elg file.
    You can specify the number of spaces: 0 (this is the default), 1, 2, 3, 4, or 5.

stat
    Shows the current PDP debug status.

unset <Topic Name>
    Unsets the specified Debug Topic(s).

Important - When you enable the debug, it affects the performance of the pdpd
daemon. Make sure to disable the debug after you complete your troubleshooting.


pdp idc

Description
Operations related to Identity Collector.

Syntax

pdp idc
    groups_consolidation <options>
    groups_update <options>
    muh <options>
    service_accounts <options>
    status

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Parameters

groups_consolidation <options>
    Shows and configures the consolidation of external groups with fetched groups.
    The available <options> are:
    - Enable the consolidation (this is the default):
      pdp idc groups_consolidation enable
    - Disable the consolidation:
      pdp idc groups_consolidation disable
    - Show the current status:
      pdp idc groups_consolidation status

groups_update <options>
    Shows and configures the automatic update of the Identity Collector's LDAP Groups.
    The available <options> are:
    - Perform "update all" to get the current LDAP group status:
      pdp idc groups_update on
    - Disable the feature (default):
      pdp idc groups_update off
    - Show the current status of the feature:
      pdp idc groups_update status

muh <options>
    Shows and configures the Multi-User Host detection.
    The available <options> are:
    - Mark an IP address as a Multi-User Host:
      pdp idc muh mark <IP Address>
    - Show known Multi-User Host machines:
      pdp idc muh show
    - Unmark an IP address as a Multi-User Host:
      pdp idc muh unmark <IP Address>

service_accounts <options>
    Important - This parameter is available in R80.40 Jumbo Hotfix Accumulator starting from Take 131.
    Shows and configures the suspected Service Accounts.
    Important - This feature is enabled by default.
    The available <options> are:
    - Show service account statistics - the current mode, known Service Accounts, and excluded accounts:
      pdp idc service_accounts show
    - Configure the number of simultaneous logins (default is 100), after which all usernames are detected as Service Accounts:
      pdp idc service_accounts set_threshold <2-1000>
    - Enable (this is the default) or disable the Prevent Mode (Auto-Exclude Mode):
      pdp idc service_accounts set_auto_prevention {enable | disable}
      Notes:
      - If you disable the Prevent Mode, then Identity Collector works in the Detect Mode.
      - When you change the work mode from Detect to Prevent, all sessions that are marked as a Service Account are revoked.
    - Mark specific usernames as a Service Account (if prevention is enabled, the sessions for these users are revoked):
      pdp idc service_accounts mark <username>
    - Configure specific usernames not to be detected as Service Accounts (continue to enforce identity):
      pdp idc service_accounts add_exception <username_1> <username_2> ... <username_N>
    - Configure specific usernames to be detected as Service Accounts if the users log in the specified number of times:
      pdp idc service_accounts delete_exception <username_1> <username_2> ... <username_N>
    - Remove specific usernames from the list of Service Accounts:
      pdp idc service_accounts unmark_service_accounts
      Note - You must put at least one space between account names. Do not put punctuation between account names.
    - Remove all usernames from the list of Service Accounts:
      pdp idc service_accounts unmark_service_accounts_all

status
    Shows the status of configured identity sources (Identity Collectors).
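The detection that "pdp idc service_accounts" and "adlog control srv_accounts" manage is easier to reason about as code. The following is an added model, not Check Point code: it assumes a "login" is one (username, IP address) identity mapping, that "simultaneous logins" means the number of distinct IP addresses currently mapped to one username, and that an excepted account is also cleared from the service-account list; the sample users and addresses are constructed.

```python
"""Model of Service Account detection: a username logged in from more than
<threshold> hosts at once is treated as a service account, and in Prevent
(Auto-Exclude) mode its sessions are revoked instead of enforced.

Added illustration only, not Check Point code; see the assumptions in the
comments below.
"""
from collections import defaultdict
from dataclasses import dataclass, field

DEFAULT_THRESHOLD = 100  # set_threshold <2-1000>; the guide gives 100 as the default


@dataclass
class ServiceAccountDetector:
    threshold: int = DEFAULT_THRESHOLD
    prevent_mode: bool = True  # set_auto_prevention enable (default); False = Detect mode
    sessions: dict = field(default_factory=lambda: defaultdict(set))  # user -> {ip, ...}
    service_accounts: set = field(default_factory=set)  # detected or manually marked
    exceptions: set = field(default_factory=set)  # add_exception: never detected
    revoked: list = field(default_factory=list)  # (user, ip) sessions dropped so far

    def set_threshold(self, n: int) -> None:
        """pdp idc service_accounts set_threshold <2-1000>"""
        if not 2 <= n <= 1000:
            raise ValueError("threshold must be between 2 and 1000")
        self.threshold = n

    def _revoke_all(self, user: str) -> None:
        for ip in sorted(self.sessions.pop(user, set())):
            self.revoked.append((user, ip))

    def _mark(self, user: str) -> None:
        self.service_accounts.add(user)
        if self.prevent_mode:  # Prevent mode: stop enforcing this identity
            self._revoke_all(user)

    def mark(self, user: str) -> None:
        """pdp idc service_accounts mark <username>"""
        self._mark(user)

    def add_exception(self, *users: str) -> None:
        """pdp idc service_accounts add_exception <username_1> ... <username_N>"""
        self.exceptions.update(users)
        for u in users:  # assumption: an excepted account leaves the service-account list
            self.service_accounts.discard(u)

    def set_auto_prevention(self, enable: bool) -> None:
        """pdp idc service_accounts set_auto_prevention {enable | disable}"""
        switching_to_prevent = enable and not self.prevent_mode
        self.prevent_mode = enable
        if switching_to_prevent:  # guide: Detect -> Prevent revokes all marked sessions
            for user in sorted(self.service_accounts):
                self._revoke_all(user)

    def login(self, user: str, ip: str) -> bool:
        """Process one identity mapping (assumed unit of a 'login').
        Returns True if the identity is enforced, False if the session is dropped."""
        if user in self.service_accounts and self.prevent_mode:
            self.revoked.append((user, ip))
            return False
        self.sessions[user].add(ip)
        # "simultaneous logins" assumed to be the count of distinct IPs for the user
        if user not in self.exceptions and len(self.sessions[user]) > self.threshold:
            self._mark(user)
            return not self.prevent_mode
        return True

    def show(self) -> dict:
        """pdp idc service_accounts show: mode, threshold, known accounts, exceptions"""
        return {
            "mode": "prevent" if self.prevent_mode else "detect",
            "threshold": self.threshold,
            "service_accounts": sorted(self.service_accounts),
            "exceptions": sorted(self.exceptions),
        }


def demo():
    """Constructed sample: a person logs in from two hosts, a backup agent from seven."""
    det = ServiceAccountDetector()
    det.set_threshold(5)
    events = [("alice", "10.0.0.10"), ("alice", "10.0.0.11")]
    events += [("svc_backup", f"10.0.1.{i}") for i in range(1, 8)]
    results = [det.login(user, ip) for user, ip in events]
    return det, results


if __name__ == "__main__":
    det, results = demo()
    print(det.show())
    print("enforced:", results)
    print("revoked:", det.revoked)
```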


pdp idp

Description
Operations related to SAML-based authentication.

Syntax

pdp idp groups <options>

Parameters

groups <options>
    Shows and configures the consolidation of external groups with the fetched groups.
    The available <options> are:
    - Configure the authorization behavior for user groups:
      pdp idp groups set {only | prefer | union | ignore}
      - only - Considers only groups the Identity Provider sends. Ignores groups received from configured User Directories.
      - prefer - Prefers groups the Identity Provider sends. Considers groups received from configured User Directories only if the Identity Provider sends no group. This is the default.
      - union - Considers both groups received from configured User Directories and groups the Identity Provider sends.
      - ignore - Considers only groups received from configured User Directories. Ignores groups the Identity Provider sends.
    - Show the configured behavior:
      pdp idp groups status


pdp ifmap

Description
Controls the Interface to Metadata Access Points (IF-MAP) sessions.

Syntax

pdp ifmap
    connect <options>
    disconnect <options>
    revoke <options>
    status <options>

Parameters

connect <options>
    Initiates connections to disconnected IF-MAP sessions.
    The available <options> are:
    - Initiate connections to all disconnected IF-MAP sessions:
      pdp ifmap connect all
    - Initiate a connection to the specified disconnected IF-MAP session:
      pdp ifmap connect <Session Number>

disconnect <options>
    Disconnects an IF-MAP session.
    The available <options> are:
    - Disconnect all IF-MAP sessions:
      pdp ifmap disconnect all
    - Disconnect the specified IF-MAP session:
      pdp ifmap disconnect <Session Number>

revoke <options>
    Revokes IP addresses of an IF-MAP session.
    The available <options> are:
    - Revoke IP addresses of all IF-MAP sessions:
      pdp ifmap revoke all
    - Revoke IP addresses of the specified IF-MAP session:
      pdp ifmap revoke <Session Number>

status <options>
    Shows the current IF-MAP status.
    The available <options> are:
    - Show detailed information about the specified session:
      pdp ifmap status <Session Number>


pdp monitor

Description
Monitors the status of connected PDP sessions.
You can run different queries with the commands below to get the output in which you are interested.

Syntax

pdp monitor
    all
    client_type <Client Type>
    cv_ge <Version>
    cv_le <Version>
    groups <Group Name>
    ip <IP address>
    machine <Computer Name>
    machine_exact
    mad
    network
    s_port
    summary
    user <Username>
    user_exact

Parameters

all
    Shows information for all connected sessions.

client_type <Client Type>
    Shows all sessions that connect through the specified client type.
    Possible client types are:
    - "AD Query" - User was identified by the AD Query.
    - "Identity Agent" - User or computer was identified by an Identity Awareness Agent.
    - portal - User was identified by the Captive Portal.
    - unknown - User was identified by an unknown source.

cv_ge <Version>
    Shows all sessions that are connected with a client version that is higher than (or equal to) the specified version.

cv_le <Version>
    Shows all sessions that are connected with a client version that is lower than (or equal to) the specified version.

groups <Group Name>
    Shows all sessions of users or computers that are members of the specified group.

ip <IP address>
    Shows session information for the specified IP address.

machine <Computer Name>
    Shows session information for the specified computer name.

machine_exact
    Shows sessions filtered by the exact computer name.

mad
    Shows all sessions that relate to a managed asset.
    For example, all sessions that successfully performed computer authentication.

network
    Shows sessions filtered by a network wildcard.
    For example: 192.168.72.*

s_port
    Shows sessions filtered by the assigned source port (MUH sessions only).

summary
    Shows the summary monitoring data.

user <Username>
    Shows session information for the specified user name.

user_exact
    Shows sessions filtered by the exact user.

Example - Show the connected user behind the IP address 192.0.2.1

pdp monitor ip 192.0.2.1


Note - The last field "Published" indicates whether the session information was
already published to the Gateway PEPs, whose IP addresses are listed.


pdp muh

Description
Shows Multi-User Hosts (MUHs).

Syntax

pdp muh status


pdp nested_groups

Description
Configures how the Security Gateway queries LDAP Nested Groups.
Shows the current configuration of LDAP Nested Group queries.

Syntax

pdp nested_groups
    auto_tune {enable | disable}
    clear
    depth <options>
    disable
    enable
    show
    status
    __set_state <options>

Important - In a Cluster, you must configure all the Cluster Members in the same way.


Parameters

auto_tune {enable | disable}
    Note - This feature is available only in the R80.40 Jumbo Hotfix Accumulator Take 119 and higher.
    Enables and disables the auto-tune feature.
    This feature calculates and automatically selects the state of Nested Groups based on the LDAP configuration on the Security Gateway and the Management Server.
    Notes:
    - When you enable this feature, the Security Gateway automatically configures the best state of Nested Groups it calculated.
    - When you disable this feature, the Security Gateway automatically returns to the state of Nested Groups you configured earlier with the "__set_state" parameter.
    Best Practice - Enable this feature on the Policy Decision Point (PDP) to increase the performance.

clear
    Clears the list of users for which the depth was not enough.

depth <1 - 40>
    Configures the nested groups depth (between 1 and 40).

disable
    Disables the nested groups.

enable
    Enables the nested groups.

show
    Shows a list of users for which the depth was not enough.

status
    Shows the configuration status of nested groups.

__set_state {1 | 2 | 3 | 4}
    Configures the nested groups state:
    - 1 - Recursive (this is the default)
      - The Security Gateway queries each user to find out its group memberships, and then queries each group recursively until it determines the nested groups.
      - We recommend this method for environments that have few nested groups or no nested groups configured on the LDAP server.
    - 2 - Per-user
      - The Security Gateway sends one LDAP query. The response includes all groups for the specified user, including the nesting levels. This query shows groups from any branch in the Active Directory forest. This type of query is sent to the Global Catalog ports (TCP 3268 or 3269).
      - We recommend this method for environments that have a policy that includes access roles with nested groups in them.
      - Use this state if you work with multiple branches in the account unit, or if you use group membership across domain trees. For example, a user belongs to the domain tree example1.com and also belongs to the different domain tree example2.com. See sk134292.
    - 3 - Multi per-group
      - The Security Gateway sends one LDAP query. This LDAP query includes a user and a group. The response shows whether the user is included in this group.
      - We recommend this method for environments that have all types of users and groups and have a small number of access roles with nested groups in them.
    - 4 - Per user, if there is a single branch in each Account Unit
      - The Security Gateway sends one LDAP query. The response includes all groups for the specified user, including the nesting levels. This query shows groups from the branch specified in the LDAP account unit. This type of query can work over all LDAP ports (TCP 3268 or 3269, TCP 389 or 636).
      - Use this state if you work with a single branch on each account unit.
      Note - This state "4" is available only in the R80.40 Jumbo Hotfix Accumulator Take 91 and higher.

pdp network

Description
Shows information about network related features.

Syntax

pdp network {info | registered}

Parameters

Parameter Description

info Shows a list of networks known by the PDP.

registered    Shows the mapping of a network address to the registered gateways (PEP module).

pdp radius

Description
Shows and configures the RADIUS accounting options.

Syntax

pdp radius
      ip
            reset
            set <options>
      groups
            fetch <options>
            reset
            set <options>
      parser
            reset
            set <options>
      roles
            fetch <options>
            reset
            set <options>
      status

Parameters

Parameter Description

ip <options>    Configures the secondary IP options.
    The available <options> are:
    - Set the secondary IP index:
      pdp radius ip set <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>]
    - Reset the secondary IP settings:
      pdp radius ip reset

groups <options>    Configures the options for user groups.
    The available <options> are:
    - Control whether to fetch groups from RADIUS messages:
      pdp radius groups fetch {off | on}
      - off - Do not fetch.
      - on - Fetch.
    - Reset user groups options:
      pdp radius groups reset
    - Set group index:
      pdp radius groups set <options>
      - To set group index for machines:
        pdp radius groups set -m <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>] [-d <delimiter>]
      - To set group index for users:
        pdp radius groups set -u <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>] [-d <delimiter>]

parser <options>    Configures the parsing options.
    The available <options> are:
    - Reset parsing options:
      pdp radius parser reset
    - Set parsing options for attributes:
      pdp radius parser set <attribute index> [-c <vendor code> -a <vendor specific attribute index>] -p <prefix> -s <suffix>

roles <options>    Configures how to obtain roles from RADIUS messages.
    The available <options> are:
    - Control whether to fetch roles from RADIUS messages:
      pdp radius roles fetch {off | on}
      - off - Do not fetch.
      - on - Fetch.
    - Reset role fetch options:
      pdp radius roles reset
    - Set role index:
      pdp radius roles set <options>
      - Set role index for machines:
        pdp radius roles set -m <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>] [-d <delimiter>]
      - Set role index for users:
        pdp radius roles set -u <attribute index> [-a <vendor specific attribute index>] [-c <vendor code>] [-d <delimiter>]

status Shows the current status.

pdp roles
General Syntax

pdp roles
      extract
      fetch <options>

The 'pdp roles extract' command

Description
Extracts and shows the roles from the file $FWDIR/tmp/roles_command_output.txt that
was created with the "pdp roles fetch" command.

Syntax

pdp roles extract

The 'pdp roles fetch' command

Description
Fetches the roles that match the provided Access Role information and saves the output in the
$FWDIR/tmp/roles_command_output.txt file.

Syntax

pdp roles fetch [-ip <IP Address>]
      -u "<Username>" -is "<Identity Source>"
      -ug "<User Group 1>","<User Group 2>",...
      -mg "<Machine Group 1>","<Machine Group 2>",...

Parameters

Parameter Description

-ip <IP Address>    Optional.
    Specifies the IP address of identity, host, or session to calculate and fetch Access Roles that also contain explicitly selected objects in the Networks pane.
    Example for an Access Role object, in which a Host object with the IPv4 address 5.5.5.5 was selected in the Networks pane:
    pdp roles fetch -i 5.5.5.5 -u "user_1" -is "AD_Query"

-u "<Username>" -is "<Identity Source>"    Specifies the username and the identity source.
    The available identity sources are (case-sensitive):
    - portal
    - Identity_Agent
    - Remote_Access
    - AD_Query
    - IFMAP
    - Terminal_Server_Identity_Agent
    - Radius_Accounting
    Important - If in the Access Role object you explicitly selected objects in the Networks and Users panes, you must also use the parameter "-ip <IP Address>".
    Examples:
    pdp roles fetch -u "user_1" -is "AD_Query"
    pdp roles fetch -i 5.5.5.5 -u "user_1" -is "AD_Query"

-ug "<User Group 1>","<User Group 2>",...    Specifies the user group.
    Enter the comma separated list of group names.
    For Active Directory groups, you must enter the prefix "ad_group_".
    Example for an AD group called "LaptopUsers":
    pdp roles fetch -ug "ad_group_LaptopUsers"

-mg "<Machine Group 1>","<Machine Group 2>",...    Specifies the machine group.
    Enter the comma separated list of group names.
    For Active Directory groups, you must enter the prefix "ad_group_".
    Example for an AD group called "Laptops":
    pdp roles fetch -mg "ad_group_Laptops"

pdp status

Description
Shows PDP status information, such as start time or configuration time.

Syntax

pdp status show

Parameters

Parameter Description

show Shows PDP information.

pdp tasks_manager

Description
Shows the status of the PDP tasks (current running, previous, and pending tasks).

Syntax

pdp tasks_manager status

Parameters

Parameter Description

status Shows the status of the PDP tasks.

pdp timers

Description
Shows PDP timers information for each PDP session.

Syntax

pdp timers show

Parameters

Parameter Description

show    Shows PDP timers information for each PDP session:
    - User Auth Timer
    - Machine Auth Timer
    - Pep Cache Timer
    - Compliance Timer
    - Keep Alive Timer
    - Ldap Fetch Timer

pdp topology_map

Description
Shows topology of all PDP and PEP addresses.

Syntax

pdp topology_map

pdp tracker

Description
During the PDP debug, adds the TRACKER debug topic to the PDP logs (this is enabled by
default).
This is very useful when you monitor the PDP-to-PEP identity sharing and other
communication in distributed environments.
You can set this manually if you add the TRACKER topic to the PDP debug.

Syntax

pdp tracker {off | on}

Parameters

Parameter Description

off Disables the logging of TRACKER events in the PDP log.

on Enables the logging of TRACKER events in the PDP log.

pdp update

Description
Initiates a recalculation of group membership for all users and computers.

Important - This command does not update deleted accounts.

Syntax

pdp update {all | specific}

Parameters

Parameter Description

all Recalculates group membership for all users and computers.

specific Recalculates group membership for a specified user or a computer.

pdp vpn

Description
Shows the connected VPN gateways that send VPN Remote Access Client identity data.

Syntax

pdp vpn show

Parameters

Parameter Description

show Shows the connected VPN gateways.

pep
Description
Provides commands to control and monitor the PEPD process (see below for options).

Syntax

pep <command> [<parameter> [<option>]]

Commands

Command Description

control <parameter> <option>    Controls the PEP parameters.
    See "pep control" on page 1622.

debug <parameter> <option>    Controls the PEP debug.
    See "pep debug" on page 1623.

show <parameter> <option>    Shows PEP information.
    See "pep show" on page 1625.

tracker <parameter>    During the PEP debug, adds the TRACKER debug topic to the PEP logs.
    See "pep tracker" on page 1628.

pep control

Description
Provides commands to control the PEP.

Syntax

pep control
      extended_info_storage <options>
      portal_dual_stack <options>
      tasks_manager status <options>

Parameters

Parameter Description

extended_info_storage <options>    Controls whether PEP stores the extended identities information for debug.
    The available <options> are:
    - disable - PEP does not store the information.
    - enable - PEP stores the information.

portal_dual_stack <options>    Controls the support for portal dual stack (IPv4 and IPv6).
    The available <options> are:
    - disable - Disables the support.
    - enable - Enables the support.

tasks_manager <options>    Shows the status of the PEP tasks (current running, previous, and pending tasks).
    The available <options> are:
    - status - Shows the status.

pep debug

Description
Controls the debug of the PEP.

Syntax

pep debug
      memory
      off
      on
      reset
      rotate
      set <options>
      spaces [<options>]
      stat
      unset <options>

Parameters

Parameter Description

memory    Displays the memory consumption by the pepd daemon.

off    Disables the PEP debug.

on    Enables the PEP debug.
    Important - After you run this command "pep debug on", you must run the command "pep debug set ..." to determine the required filter.

reset    Resets the PEP debug options for Debug Topics and Severities.
    Important - After you run this command "pep debug reset ...", you must run the command "pep debug off" to turn off the debug.

rotate    Rotates the PEP log files - increases the index of each log file:
    - $FWDIR/log/pepd.elg becomes $FWDIR/log/pepd.elg.0,
    - $FWDIR/log/pepd.elg.0 becomes $FWDIR/log/pepd.elg.1
    - And so on.

set <Topic Name> <Severity>    Filters which debug logs PEP writes to the log file based on the specified Debug Topics and Severity.
    Available Debug Topics are:
    - all
    - Check Point Support provides more specific topics, based on the reported issue
    Available Severities are:
    - all
    - critical
    - events
    - important
    - surprise
    Best Practice - We recommend that you enable all Topics and all Severities. Run:
    pep debug set all all

spaces [0 | 1 | 2 | 3 | 4 | 5]    Displays and sets the number of indentation spaces in the $FWDIR/log/pepd.elg file.
    The default is 0 spaces.

stat    Shows the PEP current debug status.

unset <Topic Name>    Unsets the specified Debug Topic(s).

Important - When you enable the debug, it affects the performance of the pepd
daemon. Make sure to turn off the debug after you complete your troubleshooting.

pep show

Description
Shows information about PEP.

Syntax

pep show
      conciliation_clashes
            all
            clear
            ip <Session IP Address>
      network
            pdp
            registration
      pdp
            all
            id <ID of PDP>
      stat
      topology_map
      user
            all
            query
                  cid <IP[,ID]>
                  cmp <Compliance>
                  mchn <Computer Name>
                  mgrp <Group>
                  pdp <IP[,ID]>
                  role <Identity Role>
                  ugrp <Group>
                  uid <UID String>
                  usr <Username>

Parameters

Parameter Description

conciliation_clashes <options>    Shows session conciliation clashes.
    The available <options> are:
    - all - Show all conciliation clashes.
    - clear - Clears all session clashes.
    - ip <Session IP Address> - Show all conciliation clashes filtered by the specified session IP address.

network <options>    Shows network related information.
    The available <options> are:
    - pdp - Shows the Network-to-PDP mapping table.
    - registration - Shows the networks registration table.

pdp <options>    Shows the communication channel between the PEP and the PDP.
    Available <options> are:
    - all - Shows all connected PDPs.
    - id - Shows the information for the specified PDP.

stat    Shows the last time the pepd daemon was started and the last time a policy was received.
    Important - Each time the pepd daemon starts, it loads the policy and the two timers. The times between the pepd daemon start and when it fetched the policy are very close.

topology_map Shows topology of all PDP and PEP addresses.

user <options>    Shows the status of sessions that PEP knows.
    You can perform various queries to get the applicable output (see below).
    The available <options> are:
    - all - Shows the list of all clients.
    - query - Queries the list of users based on the specified filters:
      - cid <IP[,ID]> - Matches entries of clients with the specified Client ID.
      - cmp <Compliance> - Matches entries with the specified compliance.
      - mchn <Computer Name> - Matches entries with the specified computer name.
      - mgrp <Group> - Matches entries with the specified machine group.
      - pdp <IP[,ID]> - Matches entries, which the specified PDP updated.
      - role <Identity Role> - Matches entries with the specified identity role.
      - ugrp <Group> - Matches entries with the specified user group.
      - uid <UID String> - Matches entries with the specified full or partial UID.
      - usr <Username> - Matches entries with the specified username.
    Note - You can use multiple query filters at the same time to create a logical AND correlation between them.
    For example, to show all users that have a sub-string of "jo" AND are part of the user group "Employees" you can use this query syntax:
    # pep show user query usr jo ugrp Employees

pep tracker

Description
During the PEP debug, adds the TRACKER debug topic to the PEP logs (this is enabled by
default).
This is very useful when you monitor the PDP-to-PEP identity sharing and other
communication in distributed environments.
You can set this manually if you add the TRACKER topic to the PEP debug.

Syntax

pep tracker {off | on}

Parameters

Parameter Description

off Disables the logging of TRACKER events in the PEP log.

on Enables the logging of TRACKER events in the PEP log.

test_ad_connectivity
Description
This utility runs connectivity tests from the Security Gateway to an AD domain controller.
You can define the parameters for this utility in one of these ways:
- In the command line as specified below
- In the $FWDIR/conf/test_ad_connectivity.conf configuration file.
  Parameters you define in the $FWDIR/conf/test_ad_connectivity.conf file cannot contain white spaces and cannot be within quotation marks.

Important:
- Parameters you define in the command line override the parameters you define in the configuration file.
- This utility saves its output in the file you specify with the -o parameter.
  In addition, examine the $FWDIR/log/test_ad_connectivity.elg file.

Syntax

[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity -h
[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity <Parameter_1 Value_1> <Parameter_2 Value_2> ... <Parameter_N Value_N> ...<Parameters And Options>

Parameters

Parameter    Mandatory / Optional    Description

-h    Optional    Shows the built-in help.

-a    Mandatory    Prompts the user for the password on the screen.
    Use only one of these options:
    - -a
    - -c
    - -p


-b <LDAP Search Base String>    Optional    Specifies the LDAP Search Base String.

-c <Password in Clear Text>    Mandatory    Specifies the user's password in clear text.
    Use only one of these options:
    - -a
    - -c
    - -p

-d <Domain Name>    Mandatory    Specifies the domain name of the AD (for example, ad.mycompany.com).

-D <User DN>    Mandatory    Overrides the LDAP user DN (the utility does not try to figure out the DN automatically).

-f <AD Fingerprint for LDAPS>    Optional    Specifies the AD fingerprint for LDAPS.

-i <IPv4 address of DC>    Mandatory    Specifies the IPv4 address of the AD domain controller to test.

-I <IPv6 address of DC>    Mandatory    Specifies the IPv6 address of the AD domain controller to test.

-o <File Name>    Mandatory    Specifies the name of the output file.
    This utility always saves the output file in the $FWDIR/tmp/ directory.

-p <Obfuscated Password>    Mandatory    Specifies the user's password in obfuscated text.
    Use only one of these options:
    - -a
    - -c
    - -p

-l    Optional    Runs LDAP connectivity test only (no WMI test).


-L <Timeout>    Optional    Specifies the timeout (in milliseconds) for the LDAP test only.
    If this timeout expires, and the LDAP test still runs, then both LDAP connectivity and WMI connectivity tests fail.

-M    Optional    Run the utility in demo mode.

-r <Port Number>    Optional    Specifies the LDAP or LDAPS connection port number.
    The default ports are:
    - LDAP - 389
    - LDAPS - 636

-s    Optional    Specifies that LDAP connection must be over SSL.

-t <Timeout>    Optional    Specifies the total timeout (in milliseconds) for both LDAP connectivity and WMI connectivity tests.

-u <Username>    Mandatory    Specifies the administrator user name on the AD.

-v    Optional    Prints the full path to the specified output file.

-x <Domain Name>    Mandatory    Specifies the domain name of the AD (for example, ad.mycompany.com).
    Utility prompts the user for the password.

-w    Optional    Runs WMI connectivity test only (no LDAP test).

Example

IPv4 of AD DC    192.168.230.240

Domain    mydc.local

Username    Administrator

Password    aaaa

Syntax
[Expert@GW:0]# $FWDIR/bin/test_ad_connectivity -u "Administrator" -c "aaaa" -D "CN=Administrator,CN=Users,DC=mydc,DC=local" -d mydc.local -i 192.168.230.240 -b "DC=mydc,DC=local" -o test.txt
[Expert@GW:0]#

Output
[Expert@GW:0]# cat $FWDIR/tmp/test.txt
(
      :status (SUCCESS_LDAP_WMI)
      :err_msg ("WMI_SUCCESS;LDAP_SUCCESS")
      :ldap_status (LDAP_SUCCESS)
      :wmi_status (WMI_SUCCESS)
      :timestamp ("Mon Feb 26 10:17:41 2018")
)
[Expert@GW:0]#

Note - To confirm that the output is authentic (written by this run and not left over from an earlier one), check that the timestamp matches the local time.
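As an added example (not from this guide and not Check Point code), a small Python checker for the output file that test_ad_connectivity writes to $FWDIR/tmp/: it parses the parenthesised ":key (value)" fields shown above and applies the note's timestamp check. The field layout follows the example output; the timestamp format, the five-minute tolerance and the failure status strings in the second sample are assumptions.

```python
"""Check a test_ad_connectivity output file (added example, not Check Point code).

The file layout is the parenthesised ":key (value)" form shown in the guide's
example. The timestamp format is assumed to match that example
("Mon Feb 26 10:17:41 2018"); the freshness window is a constructed choice.
"""
import re
from datetime import datetime, timedelta

TIMESTAMP_FORMAT = "%a %b %d %H:%M:%S %Y"   # assumed from the guide's example
FRESHNESS_WINDOW = timedelta(minutes=5)      # constructed tolerance, not a product value

# Constructed sample: identical in layout to the guide's example output.
SAMPLE_OUTPUT = """(
      :status (SUCCESS_LDAP_WMI)
      :err_msg ("WMI_SUCCESS;LDAP_SUCCESS")
      :ldap_status (LDAP_SUCCESS)
      :wmi_status (WMI_SUCCESS)
      :timestamp ("Mon Feb 26 10:17:41 2018")
)
"""

# Constructed failure sample; the *_PLACEHOLDER strings are not product values.
FAILED_OUTPUT = """(
      :status (FAILURE_PLACEHOLDER)
      :err_msg ("WMI_SUCCESS;LDAP_FAILED_PLACEHOLDER")
      :ldap_status (LDAP_FAILED_PLACEHOLDER)
      :wmi_status (WMI_SUCCESS)
      :timestamp ("Mon Feb 26 10:17:41 2018")
)
"""

# One ":key (value)" field per line; the value may or may not be double-quoted.
_FIELD_RE = re.compile(r':(\w+)\s*\(\s*"?(.*?)"?\s*\)')


def parse_result(text):
    """Return the fields of one result block as a dict of strings."""
    return dict(_FIELD_RE.findall(text))


def error_parts(fields):
    """Split err_msg on ';' and keep the entries that do not report success."""
    parts = fields.get("err_msg", "").split(";")
    return [p for p in parts if p and not p.endswith("_SUCCESS")]


def is_fresh(fields, now, window=FRESHNESS_WINDOW):
    """The guide's note: the timestamp should match the local time.
    A missing or unparsable timestamp counts as not fresh."""
    try:
        stamp = datetime.strptime(fields["timestamp"], TIMESTAMP_FORMAT)
    except (KeyError, ValueError):
        return False
    return abs(now - stamp) <= window


def evaluate(text, now_text=None):
    """Return (ok, detail). ok is True only when LDAP and WMI both succeeded
    and the timestamp is current. now_text (same format as the file's
    timestamp) overrides the system clock, which is useful for testing."""
    now = (datetime.strptime(now_text, TIMESTAMP_FORMAT) if now_text
           else datetime.now())
    fields = parse_result(text)
    if (fields.get("ldap_status") != "LDAP_SUCCESS"
            or fields.get("wmi_status") != "WMI_SUCCESS"):
        return False, "; ".join(error_parts(fields)) or "no status fields found"
    if not is_fresh(fields, now):
        return False, "stale output, timestamp %s" % fields.get("timestamp", "missing")
    return True, fields.get("status", "")


if __name__ == "__main__":
    import sys
    # Usage: python check_ad_test.py $FWDIR/tmp/test.txt  (hypothetical script name)
    with open(sys.argv[1]) as fh:
        ok, detail = evaluate(fh.read())
    print("OK" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```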

VPN Commands
VPN commands generate status information regarding VPN processes, or are used to stop
and start specific VPN services.
All VPN commands are executed on the Security Gateway and Cluster Members.
For more information about VPN, see the:
- R80.40 Site to Site VPN Administration Guide.
- R81 Remote Access VPN Administration Guide.

vpn
Description
Configures VPN settings.
Shows VPN information.

Syntax

vpn
      check_ttm
      compreset
      compstat
      crl_zap
      crlview
      debug
      dll
      drv
      dump_psk
      ipafile_check
      ipafile_users_capacity
      macutil
      mep_refresh
      neo_proto
      nssm_topology
      overlap_encdom
      rim_cleanup
      rll
      set_slim_server
      set_snx_encdom_groups
      set_trac
      shell
      show_tcpt
      sw_topology
      {tunnelutil | tu}
      ver

Parameters

Parameter Description

check_ttm    Makes sure the specified TTM file is valid.
    See "vpn check_ttm" on page 1637.

compreset    Resets compression and decompression statistics counters.
    See "vpn compreset" on page 1638.

compstat    Shows compression and decompression statistics counters.
    See "vpn compstat" on page 1639.

crl_zap    Erases all Certificate Revocation Lists (CRLs) from the cache.
    See "vpn crl_zap" on page 1640.

crlview    Retrieves the Certificate Revocation List (CRL) from various distribution points and shows it for the user.
    See "vpn crlview" on page 1641.

debug    Controls the debug of vpnd daemon and IKE.
    See "vpn debug" on page 1643.

dll    Works with DNS Lookup Layer.
    See "vpn dll" on page 1646.

drv    Controls the VPN kernel module.
    See "vpn drv" on page 1647.

dump_psk    Shows hash (SHA256) of peers' pre-shared-keys.
    See "vpn dump_psk" on page 1648.

ipafile_check    Verifies a candidate for the $FWDIR/conf/ipassignment.conf file.
    See "vpn ipafile_check" on page 1649.

ipafile_users_capacity    Shows and configures the capacity in the $FWDIR/conf/ipassignment.conf file.
    See "vpn ipafile_users_capacity" on page 1650.

macutil    Shows a generated MAC address for each user name when you use Remote Access VPN with Office Mode.
    See "vpn macutil" on page 1651.

mep_refresh    Initiates MEP re-decision.
    See "vpn mep_refresh" on page 1652.

neo_proto    Controls the NEO client protocol.
    See "vpn neo_proto" on page 1653.

nssm_topology    Generates and uploads a topology in NSSM format to an NSSM server.
    See "vpn nssm_topology" on page 1654.

overlap_encdom    Shows all overlapping VPN domains.
    See "vpn overlap_encdom" on page 1655.

rim_cleanup    Cleans RIM routes.
    See "vpn rim_cleanup" on page 1657.

rll    Works with Route Lookup Layer.
    See "vpn rll" on page 1658.

set_slim_server    Deprecated.
    See "vpn set_slim_server" on page 1659.

set_snx_encdom_groups    Controls the encryption domain per usergroup feature for SSL Network Extender.
    See "vpn set_snx_encdom_groups" on page 1660.

set_trac    Controls the TRAC server.
    See "vpn set_trac" on page 1661.

shell    VPN Command Line Interface.
    See "vpn shell" on page 1662.

show_tcpt    Shows Visitor Mode users.
    See "vpn show_tcpt" on page 1669.

sw_topology    Downloads the topology for a UTM-1 Edge or Safe@Office device.
    Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The information about this command is provided only to describe the existing syntax option until it is removed completely.
    See "vpn sw_topology" on page 1670.

tunnelutil | tu    Launches the TunnelUtil tool, which is used to control VPN tunnels.
    See "vpn tu" on page 1671.

ver    Shows the major version number and build number of the VPN kernel module.
    See "vpn ver" on page 1681.

vpn check_ttm

Description
Makes sure the specified TTM file contains valid syntax.

Syntax

vpn check_ttm <Path to TTM file>

Parameters

Parameter Description

<Path to TTM file> Specifies the full path and name of the TTM file.

Example

[Expert@MyGW:0]# find / -name \*.ttm -type f
find: /proc/64899: No such file or directory
/var/opt/CPsuite-R80.40/fw1/conf/fw_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/nemo_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/neo_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/iphone_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/topology_trans_tmpl.ttm
/var/opt/CPsuite-R80.40/fw1/conf/vpn_client_1.ttm
/var/opt/CPsuite-R80.40/fw1/conf/trac_client_1.ttm
... ... ...
[Expert@MyGW:0]#
[Expert@MyGW:0]# vpn check_ttm /var/opt/CPsuite-R80.40/fw1/conf/trac_client_1.ttm

Summary for the file: trac_client_1.ttm

result: the file passed the check without any problems

[Expert@MyGW:0]#

vpn compreset

Description
Resets compression and decompression statistics counters.

Syntax

vpn compreset

Example

[Expert@MyGW:0]# vpn compreset
Compression statistics were reset.
[Expert@MyGW:0]#

vpn compstat

Description
Shows compression and decompression statistics counters.

Syntax

vpn compstat

Example

[Expert@MyGW:0]# vpn compstat

Compression: sum of all instances :

Compression:
============
Bytes before compression : 0
Bytes after compression : 0
Compression overhead (bytes) : 0
Bytes that were not compressed : 0
Compressed packets : 0
Packets that were not compressed : 0
Compression errors : 0

Pure compression ratio : 0.000000
Effective compression ratio : 0.000000

Decompression:
==============
Bytes before decompression : 0
Bytes after decompression : 0
Decompression overhead (bytes) : 0
Decompressed packets : 0
Decompression errors : 0
Pure decompression ratio : 0.000000
[Expert@MyGW:0]#

vpn crl_zap

Description
Erases all Certificate Revocation Lists (CRLs) from the cache.

Syntax

vpn crl_zap

Return Values
- 0 (zero) for success
- any other value for failure

vpn crlview

Description
Retrieves the Certificate Revocation List (CRL) from various distribution points and shows it for
the user.

Syntax

vpn crlview [-d]
      -obj <Network Object Name> -cert <Certificate Object Name>
      -f <Certificate File>
      -view

Parameters

Parameter Description

-d    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-obj <Network Object Name>    Specifies the name of the CA network object.

-cert <Certificate Object Name>    Specifies the name of the certificate object.

-f <Certificate File>    Specifies the path and the name of the certificate file.

-view    Shows the CRL.

Return Values
- 0 (zero) for success
- any other value for failure

Example 1
vpn crlview -obj <MyCA> -cert <MyCert>

1. The VPN daemon contacts the Certificate Authority called MyCA and locates the
certificate called MyCert.
2. The VPN daemon extracts the certificate distribution point from the certificate.
3. The VPN daemon goes to the distribution point and retrieves the CRL. The distribution
point can be an LDAP or HTTP server.
4. The VPN daemon shows it to the standard output.

Example 2
vpn crlview -f /var/log/MyCert

1. The VPN daemon extracts the certificate distribution point from the certificate file called
MyCert.
2. The VPN daemon goes to the distribution point and retrieves the CRL. The distribution
point can be an LDAP or HTTP server.
3. The VPN daemon shows the CRL to the standard output.

Example 3
vpn crlview -view <Latest CRL>

If the CRL was retrieved in the past, this command instructs the VPN daemon to show the
contents to the standard output.

vpn debug

Description
Instructs the VPN daemon vpnd to write debug messages to the $FWDIR/log/vpnd.elg*
and $FWDIR/log/ike.elg* log files.
Debugging of the VPN daemon takes place according to Debug Topics and Debug Levels:
- A Debug Topic is a specific area, on which to perform debugging.
  For example, if the Debug Topic is LDAP, all traffic between the VPN daemon and the LDAP server is written to the log file.
  Check Point Support provides the specific Debug Topics when needed.
- Debug Levels range from 1 (least informative) to 5 (most informative - write all debug messages).
For more information, see sk180488.

Syntax

vpn debug
      on [<Debug_Topic>=<Debug_Level>]
      off
      ikeon [-s <Size_in_MB>]
      ikeoff
      trunc [<Debug_Topic>=<Debug_Level>]
      truncon [<Debug_Topic>=<Debug_Level>]
      truncoff
      timeon [<Seconds>]
      timeoff
      ikefail [-s <Size_in_MB>]
      mon
      moff
      say ["String"]
      tunnel [<Level>]

Parameters

Parameter Description

No Parameters Shows the built-in usage.

on    Turns on high level VPN debug.
    Information is written in the $FWDIR/log/vpnd.elg* files.

<Debug_Topic>=<Debug_Level>    Specifies the Debug Topic and the Debug Level.
    Check Point Support provides these.
    Best Practice - Run this command to start the debug:
    vpn debug trunc ALL=5

off    Turns off all VPN debug.
    Best Practice - Run one of these commands to stop the VPND debug:
    vpn debug off
    vpn debug truncoff

ikeon [-s <Size_in_MB>]    Turns on the IKE debug.
    Information is written in the $FWDIR/log/ike.elg* files.
    You can specify the size of the $FWDIR/log/ike.elg file, when to perform the log rotation (close the current active file, rename it, open a new active file).

ikeoff    Turns off IKE debug.
    Run this command to stop the IKE debug:
    vpn debug ikeoff

trunc or truncon    This command:
    1. Rotates the $FWDIR/log/vpnd.elg file
    2. Truncates the $FWDIR/log/ike.elg file
    3. Starts the VPND daemon debug
    4. Starts the IKE debug
    Run this command to start the debug:
    vpn debug trunc ALL=5

truncoff    Stops the VPND daemon debug.
    Run one of these commands to stop the VPND debug:
    vpn debug truncoff
    vpn debug off

timeon [<Seconds>]    Enables the timestamp in the log files.
    Prints one timestamp after the specified number of seconds.
    By default, prints the timestamp every 10 seconds.

timeoff    Disables the periodic timestamp in the log files.

ikefail [-s <Size_in_MB>]    Logs failed IKE negotiations.
    You can specify the size of the $FWDIR/log/ike.elg file, when to perform the log rotation (close the current active file, rename it, open a new active file).

mon    Enables the IKE Monitor.
    Saves the IKE packets in the $FWDIR/log/ikemonitor.snoop file.
    Warning - The output file may contain user X-Auth passwords. Make sure the file is protected.

moff    Disables the IKE Monitor.

say "String"    Saves the specified text string in the $FWDIR/log/vpnd.elg file.
    For example, run: vpn debug say "BEGIN TEST"
    Notes:
    - Run this command after you start the VPN debug (with one of these commands: "vpn debug on", "vpn debug trunc", or "vpn debug truncon").
    - The length of the string is limited to 255 characters.

tunnel [<Debug_Level>]    This command:
    1. Rotates the $FWDIR/log/vpnd.elg file
    2. Truncates the $FWDIR/log/ike.elg file
    3. Starts the VPND daemon debug with these two Debug Topics:
       tunnel
       ikev2
       If the <Debug_Level> is 2, 3, 4 or 5, then also enables this Debug Topic:
       CRLCache
    4. Starts the IKE debug

Return Values
- 0 (zero) for success
- any other value for failure (typically, -1 or 1)

vpn dll

Description
Works with VPN DNS Lookup Layer:
- Save the DNS Lookup Layer information to the specified file.
- Resolve the specified hostname.

Syntax

vpn dll
      dump <File>
      resolve <HostName>

Parameters

Parameter Description

dump <File>    Saves the DNS Lookup Layer information (DNS Names and IP Addresses) to the specified file.

resolve <HostName>    Resolves the specified hostname.
    The command saves the last specified hostname in this file:
    $FWDIR/tmp/vpnd_cmd.tmp

vpn drv

Description
Controls the VPN kernel module.

Syntax

vpn drv {off | on | stat}

Parameters

Parameter Description

off Stops the VPN kernel module

on Starts the VPN kernel module

stat Shows the current status of the VPN kernel module

Example

[Expert@MyGW:0]# vpn drv stat
VPN-1 module active
[Expert@MyGW:0]#

vpn dump_psk

Description
Shows hash (SHA256) of peers' pre-shared-keys.

Syntax

vpn dump_psk

vpn ipafile_check

Description
Verifies a candidate for the $FWDIR/conf/ipassignment.conf file.

Syntax

vpn ipafile_check <File> [{err | warn | detail}] [verify_group_names]

Parameters

Parameter Description

<File> Specifies the full path and name of the candidate file.

{err | warn | detail}    Specifies how much information to show about the candidate file:
    - err - Only errors
    - warn - Only warnings
    - detail - All details

verify_group_names    Examines the group names.

vpn ipafile_users_capacity

Description
- Shows the current capacity in the $FWDIR/conf/ipassignment.conf file.
- Configures the new capacity in the $FWDIR/conf/ipassignment.conf file.

Syntax

vpn ipafile_users_capacity get
vpn ipafile_users_capacity set <128-32768>

Parameters

Parameter Description

get Shows the current capacity.

set <128-32768>    Configures the new capacity to the specified number of users.
    Notes:
    - The default is 1024 entries.
    - This command configures the amount of memory reserved to store usernames.

Example

[Expert@MyGW:0]# vpn ipafile_users_capacity get
The gateway can currently read 1024 users from the ipassignment.conf file
[Expert@MyGW:0]#

vpn macutil

Description
Shows a generated MAC address for each user name when you use Remote Access VPN with
Office Mode.
This command is applicable only when allocating IP addresses through DHCP.
Remote Access VPN users in Office Mode receive an IP address, which is mapped to a
hardware or MAC address.

Syntax

vpn macutil <username>

Example
# vpn macutil John
20-0C-EB-26-80-7D, "John"

vpn mep_refresh

Description
Initiates MEP re-decision.
Used in "backup stickiness" configuration to initiate MEP re-decision (fail back to primary
Security Gateway, if possible).

Syntax

vpn mep_refresh

vpn neo_proto

Description
Controls the NEO client protocol.

Important - This command is for Check Point use only.

Syntax

vpn neo_proto {off | on}

Parameters

Parameter Description

off Disables the NEO client protocol.

on Enables the NEO client protocol.

vpn nssm_topology

Description
Generates and uploads a topology in NSSM format to an NSSM server.

Syntax

vpn nssm_topology -url <"url"> -dn <"dn"> -name <"name"> -pass <"password"> [-action {bypass | drop}] [-print_xml]

Parameters

Parameter Description

-url <"url"> URL of the NSSM server.

-dn <"dn"> Distinguished Name of the NSSM server (needed to establish an SSL
connection).

-name <"name"> Valid login name for the NSSM server.

-pass <"password"> Valid password for the NSSM server.

-action {bypass | drop} Specifies the action that the Symbian client should take, if the packet is not destined for an IP address in the VPN domain. Bypass is the default.

-print_xml Writes the topology to a file in XML format.

vpn overlap_encdom

Description
Shows all overlapping VPN domains.
Some IP addresses might belong to two or more VPN domains.
The command alerts for overlapping encryption domains if one or both of the following
conditions exist:
n The same VPN domain is defined for both Security Gateways.
n If the Security Gateway has multiple interfaces, and one or more of the interfaces has the
same IP address and netmask.

Syntax

vpn overlap_encdom [communities | traditional]

Parameters

Parameter Description

communities Shows all pairs of objects with overlapping VPN domains, only if the
objects (that represent VPN sites) are included in the same VPN
community.
This parameter is also used, if the same destination IP can be reached
through more than one VPN community.

traditional Default parameter. Shows all pairs of objects with overlapping VPN domains.

Example

# vpn overlap_encdom communities


The objects Paris and London have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
10.10.8.0 - 10.10.9.255
- This overlapping encryption domain generates a multiple entry points configuration in
MyIntranet and RemoteAccess communities.
- Same destination address can be reached in more than one community (Meshed, Star). This
configuration is not supported.

The objects Paris and Chicago have overlapping encryption domains. The overlapping domain is:
10.8.8.1 - 10.8.8.1
- Same destination address can be reached in more than one community (MyIntranet, NewStar). This
configuration is not supported.

The objects Washington and Tokyo have overlapping encryption domains.


The overlapping domain is:
10.12.10.68 - 10.12.10.68
10.12.12.0 - 10.12.12.127
10.12.14.0 - 10.12.14.255
- This overlapping encryption domain generates a multiple entry points configuration in Meshed,
Star and NewStar communities.
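Worked example (added here; this is not Check Point code). The overlap test that this command runs on the gateway can be reproduced offline against VPN domain definitions exported from the Management Server, which lets you catch an overlap before you install policy. In the Python script below the gateway names and networks are constructed to reproduce the Paris/London, Paris/Chicago and Washington/Tokyo overlaps shown above; the per-community filtering done by the "communities" parameter is not modelled.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed sample: VPN domain (encryption domain) per Security Gateway object. Chosen to
# reproduce the Paris/London, Paris/Chicago and Washington/Tokyo overlaps reported above.
DOMAINS = {
    "Paris":      ["10.8.8.1/32", "10.10.8.0/22"],
    "London":     ["10.8.8.1/32", "10.10.8.0/23"],
    "Chicago":    ["10.8.8.1/32", "10.20.0.0/16"],
    "Washington": ["10.12.0.0/16"],
    "Tokyo":      ["10.12.10.68/32", "10.12.12.0/25", "10.12.14.0/24"],
}


def common_networks(domain_a, domain_b):
    """Networks shared by two VPN domains, collapsed to the minimal set of CIDR blocks."""
    shared = []
    for a in map(ip_network, domain_a):
        for b in map(ip_network, domain_b):
            if a.overlaps(b):
                # Overlapping CIDR blocks are always nested, so the intersection
                # is whichever block has the longer prefix.
                shared.append(a if a.prefixlen >= b.prefixlen else b)
    return list(collapse_addresses(shared))


def as_ranges(networks):
    """Format networks as 'first - last', the way vpn overlap_encdom prints them."""
    return [f"{net[0]} - {net[-1]}" for net in networks]


def overlapping_domains(domains):
    """Check every pair of gateway objects; return {(name, name): [ranges]} for the overlaps."""
    report = {}
    names = sorted(domains)
    for i, left in enumerate(names):
        for right in names[i + 1:]:
            shared = common_networks(domains[left], domains[right])
            if shared:
                report[(left, right)] = as_ranges(shared)
    return report


if __name__ == "__main__":
    for (left, right), ranges in overlapping_domains(DOMAINS).items():
        print(f"The objects {left} and {right} have overlapping encryption domains.")
        print("The overlapping domain is:")
        for entry in ranges:
            print(f"    {entry}")
```

The script reports every overlapping pair; the gateway command, with the "communities" parameter, additionally suppresses pairs that do not share a VPN community.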

vpn rim_cleanup

Description
Cleans RIM routes.

Syntax

vpn rim_cleanup

vpn rll

Description
Controls the VPN Route Lookup Layer:
n Saves the Route Lookup Layer information to the specified file.
n Synchronizes the routing table.

Syntax

vpn rll
    dump <File>
    sync

Parameters

Parameter Description

dump <File> Saves the Route Lookup Layer information to the specified file:
n ISP Redundancy Default Routes (Next Hop, Interface,
Metric)
n Route Shadow (Interface and Metric, IP/Mask, Next Hop)
n Monitored IP Addresses (Data, IP/Mask)

sync Synchronizes the routing table.

vpn set_slim_server

Description
This command is deprecated.
Delete the $FWDIR/conf/slim.conf file and use the Management Server to configure SSL
Network Extender.
As long as the $FWDIR/conf/slim.conf file exists, it overrides the settings you configure
on the Management Server.

vpn set_snx_encdom_groups

Description
Controls the encryption domain per usergroup feature for SSL Network Extender.

Syntax

vpn set_snx_encdom_groups
    off
    on

Parameters

Parameter Description

off Disables the encryption domain per usergroup feature.

on Enables the encryption domain per usergroup feature.

vpn set_trac

Description
Controls the TRAC server.

Syntax

vpn set_trac
    disable
    enable

Parameters

Parameter Description

disable Disables the TRAC server.

enable Enables the TRAC server.

Example

[Expert@MyGW:0]# vpn set_trac enable


Trac client enabled, Install Policy for this change to take effect
[Expert@MyGW:0]#

[Expert@MyGW:0]# vpn set_trac disable


Trac client disabled, Install Policy for this change to take effect
[Expert@MyGW:0]#

vpn shell

Description
VPN Command Line Interface.

Syntax for IPv4

vpn shell

Syntax for IPv6

vpn6 shell

Menu Options

[Expert@MyGW:0]# vpn shell


? - This help
.. - Go up one level
quit - Quit
[interface ] - Manipulate tunnel interfaces
[show ] - Show internal data
[tunnels ] - Manipulate tunnel data
[license ] - Display SCM licenses
VPN shell:[/] >

Menu Sub-Options

interface
    add
    modify
    delete
    show
show
    interface
    tunnels
        IKE
            all
            peer <Internal Peer IP>
        IPsec
            all
            peer <Internal Peer IP>
tunnels
    show
        IKE
            all
            peer <Internal Peer IP>
        IPsec
            all
            peer <Internal Peer IP>
    delete
        IKE
            peer <Security Gateway>
            user <Username>
            all
        IPsec
            peer <Security Gateway>
            user <Username>
            all
        all
            IKE
            IPsec
license
    scm
        status
        list

Description of Options and Sub-Options

Option Description

? Shows the available advanced commands in the current menu level.

.. Goes up one level in the menu.

quit Quits the VPN shell (available only in the main level).

interface These commands are deprecated on Gaia OS. Use the applicable options in Gaia Portal or the applicable commands in Gaia Clish. See the R80.40 Gaia Administration Guide.

show Shows internal data. The available options are:
n Show and configure tunnel interfaces:
show > interface
These commands are deprecated on Gaia OS. Use the applicable options in Gaia Portal or the applicable commands in Gaia Clish. See the R80.40 Gaia Administration Guide.


n Show Security Associations (SAs):
show > tunnels
The available sub-options are:
l Show all IKE SAs:
show > tunnels > IKE > all
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (1) List all IKE SAs.
o The "vpn tu [-w] list ike" command (see "vpn tu list" on page 1676).
l Show all IKE SAs for a specified VPN peer:
show > tunnels > IKE > peer <Internal Peer IP>
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (3) List all IKE SAs for a given peer (GW).
o The "vpn tu [-w] list peer_ike <IP Address>" command (see "vpn tu list" on page 1676).
l Show all IPsec SAs:
show > tunnels > IPsec > all
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (2) List all IPsec SAs.
o The "vpn tu [-w] list ipsec" command (see "vpn tu list" on page 1676).
l Show all IPsec SAs for a specified VPN peer:
show > tunnels > IPsec > peer <Internal Peer IP>
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (4) List all IPsec SAs for a given peer (GW).
o The "vpn tu [-w] list peer_ipsec <IP Address>" command (see "vpn tu list" on page 1676).


tunnels Shows and deletes Security Associations (SAs). The available options are:
n Show Security Associations (SAs):
tunnels > show
The available sub-options are:
l Show all IKE SAs:
tunnels > show > IKE > all
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (1) List all IKE SAs.
o The "vpn tu [-w] list ike" command (see "vpn tu list" on page 1676).
l Show all IKE SAs for a specified VPN peer:
tunnels > show > IKE > peer <Internal Peer IP>
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (3) List all IKE SAs for a given peer (GW).
o The "vpn tu [-w] list peer_ike <IP Address>" command (see "vpn tu list" on page 1676).
l Show all IPsec SAs:
tunnels > show > IPsec > all
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (2) List all IPsec SAs.
o The "vpn tu [-w] list ipsec" command (see "vpn tu list" on page 1676).
l Show all IPsec SAs for a specified VPN peer:
tunnels > show > IPsec > peer <Internal Peer IP>
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (4) List all IPsec SAs for a given peer (GW).
o The "vpn tu [-w] list peer_ipsec <IP Address>" command (see "vpn tu list" on page 1676).


n Delete Security Associations (SAs):
tunnels > delete
The available sub-options are:
l Delete all IKE SAs for a specified VPN peer:
tunnels > delete > IKE > peer <Internal Peer IP>
l Delete all IKE SAs for a specified user:
tunnels > delete > IKE > user <Username>
l Delete all IKE SAs for all VPN peers and users:
tunnels > delete > IKE > all
tunnels > delete > all > IKE
l Delete all IPsec SAs for a specified VPN peer:
tunnels > delete > IPsec > peer <Internal Peer IP>
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (5) Delete all IPsec SAs for a given peer (GW).
o The "vpn tu [-w] del ipsec <IP Address>" command (see "vpn tu del" on page 1673).
l Delete all IPsec SAs for a specified user:
tunnels > delete > IPsec > user <Username>
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (6) Delete all IPsec SAs for a given User (Client).
o The "vpn tu [-w] del ipsec <IP Address> <Username>" command (see "vpn tu del" on page 1673).
l Delete all IPsec SAs for all VPN peers and users:
tunnels > delete > IPsec > all
tunnels > delete > all > IPsec
Note - This sub-option is the same as:
o In the main "vpn tu" on page 1671 menu, the option (9) Delete all IPsec SAs for ALL peers and users.
o The "vpn tu [-w] del ipsec all" command (see "vpn tu del" on page 1673).


license Shows the SecureClient Mobile (SCM) licenses.


The available sub-options are:
n Show the current status of SCM licenses:
license > scm > status
n Show the list of SCM licensed devices:
license > scm > list

vpn show_tcpt

Description
Shows users connected in Visitor Mode.

Syntax

vpn show_tcpt

vpn sw_topology
Note - R80.40 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax
option until it is removed completely.

Description
Downloads the topology for a UTM-1 Edge or Safe@Office device.

Syntax

vpn [-d] sw_topology -dir <directory> -name <name> -profile <profile> [-filename <filename>]

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dir <directory> Output directory for the file.

-name <name> Nickname of the site, which appears in the remote client.

-profile <profile> Name of the UTM-1 Edge or Safe@Office profile, for which the topology is created.

-filename <filename> Name of the output file.

vpn tu

Description
Launches the TunnelUtil tool, which is used to control VPN tunnels.

General Syntax

vpn tu
vpn tunnelutil

Menu Options

[Expert@MyGW:0]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW)
(4) * List all IPsec SAs for a given peer (GW)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers
(0) Delete all IPsec+IKE SAs for ALL peers

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

(Q) Quit

*******************************************
Note - When you view Security Associations for a specific VPN peer, you must
specify the IP address in dotted decimal notation.

Advanced Syntax

vpn tu
    help
    del <options>
    list <options>
    mstats
    tlist <options>

Parameters

Parameter Description

help Shows the available advanced commands.

del <options> Deletes IPsec and IKE SAs. See "vpn tu del" on page 1673.

list <options> Shows IPsec and IKE SAs. See "vpn tu list" on page 1676.

mstats Shows the distribution of VPN tunnels (SPIs) between CoreXL Firewall instances. See "vpn tu mstats" on page 1678.

tlist <options> Shows information about VPN tunnels. See "vpn tu tlist" on page 1679.

vpn tu del

Description
Deletes IPsec Security Associations (SAs) and IKE Security Associations (SAs).

Syntax for IPv4

vpn tu [-w] del
    all
    ipsec
        all
        <IPv4 Address>
        <IPv4 Address> <Username>
    <IPv4 Address>
    <IPv4 Address> <Username>

Syntax for IPv6

vpn tu [-w] del
    all
    ipsec
        all
        <IPv6 Address>
    <IPv6 Address>
    <IPv6 Address> <Username>

Parameters

Parameter Description

-w Shows various warnings on the screen.

all Deletes all IPsec SAs and IKE SAs for all VPN peers and users.
Note - This command is the same as:
n In the main "vpn tu" on page 1671 menu, the option (0) Delete all IPsec+IKE SAs for ALL peers and users.
n In the "vpn shell" on page 1662 menu, the option tunnels > delete > all > IKE and the option tunnels > delete > all > IPsec.


ipsec <options> Deletes the specified IPsec SAs. The available <options> are:
n Delete all IPsec SAs for all peers and users:
vpn tu [-w] del ipsec all
Note - This command is the same as:
l In the main "vpn tu" on page 1671 menu, the option (9) Delete all IPsec SAs for ALL peers and users.
l In the "vpn shell" on page 1662 menu, the option tunnels > delete > all > IPsec.
n Delete all IPsec SAs for the specified VPN peer:
vpn tu [-w] del ipsec <IP Address>
Note - This command is the same as:
l In the main "vpn tu" on page 1671 menu, the option (5) Delete all IPsec SAs for a given peer (GW).
l In the "vpn shell" on page 1662 menu, the option tunnels > delete > IPsec > peer <Internal Peer IP>.
n Delete all IPsec SAs for the specified VPN peer and the specified user:
vpn tu [-w] del ipsec <IPv4 Address> <Username>
Notes:
l This command is the same as:
o In the main "vpn tu" on page 1671 menu, the option (6) Delete all IPsec SAs for a given User (Client).
o In the "vpn shell" on page 1662 menu, the option tunnels > delete > IPsec > user <Username>.
l This command does not support IPv6 addresses.

<IP Address> Deletes all IPsec SAs and IKE SAs for the specified VPN peer.
Note - This command is the same as the option (7) Delete
all IPsec+IKE SAs for a given peer (GW) in the main "vpn
tu" on page 1671 menu.


<IP Address> <Username> Deletes all IPsec SAs and IKE SAs for the specified VPN peer and the specified user.
Note - This command is the same as the option (8) Delete all IPsec+IKE SAs for a given User (Client) in the main "vpn tu" on page 1671 menu.

vpn tu list

Description
Shows IPsec SAs and IKE SAs.

Syntax for IPv4 and IPv6

vpn tu [-w] list
    ike
    ipsec
    peer_ike <IP Address>
    peer_ipsec <IP Address>
    tunnels

Parameters

Parameter Description

-w Shows various warnings on the screen.

ike Shows all IKE SAs.
Note - This command is the same as:
n In the main "vpn tu" on page 1671 menu, the option (1) List all IKE SAs.
n In the "vpn shell" on page 1662 menu, the option show > tunnels > IKE > all or the option tunnels > show > IKE > all.

ipsec Shows all IPsec SAs.
Note - This command is the same as:
n In the main "vpn tu" on page 1671 menu, the option (2) List all IPsec SAs.
n In the "vpn shell" on page 1662 menu, the option show > tunnels > IPsec > all or the option tunnels > show > IPsec > all.


peer_ike <IP Address> Shows all IKE SAs for the specified VPN peer.
Note - This command is the same as:
n In the main "vpn tu" on page 1671 menu, the option (3) List all IKE SAs for a given peer (GW).
n In the "vpn shell" on page 1662 menu, the option show > tunnels > IKE > peer <Internal Peer IP> or the option tunnels > show > IKE > peer <Internal Peer IP>.

peer_ipsec <IP Address> Shows all IPsec SAs for the specified VPN peer.
Note - This command is the same as:
n In the main "vpn tu" on page 1671 menu, the option (4) List all IPsec SAs for a given peer (GW).
n In the "vpn shell" on page 1662 menu, the option show > tunnels > IPsec > peer <Internal Peer IP> or the option tunnels > show > IPsec > peer <Internal Peer IP>.

tunnels Shows information about VPN tunnels. In addition, see the "vpn tu tlist" on page 1679 command.

vpn tu mstats

Description
Shows the distribution of VPN traffic between CoreXL Firewall instances.
For more information, see sk118097 - MultiCore Support for IPsec VPN in R80.10 and above.

Syntax for IPv4

vpn tu [-w] mstats

Syntax for IPv6

vpn6 tu [-w] mstats

Parameters

Item Description

-w Shows various warnings on the screen.

Example for IPv4

[Expert@MyGW:0]# vpn tu mstats

Instance# # of inSPIs # of outSPIs


0 182 170
1 184 176
2 191 174
3 215 197
4 237 227
5 191 176
6 180 170
7 190 166
8 171 160
9 199 187
-----------------------------------------
Summary: 1940 1803

[Expert@MyGW:0]#

Example for IPv6

[Expert@MyGW:0]# vpn6 tu mstats

Instance# # of inSPIs # of outSPIs


0 238 228
1 224 214
-----------------------------------------
Summary: 462 442

[Expert@MyGW:0]#
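Worked example (added here; this is not Check Point code). sk118097 describes how IPsec tunnels are spread across CoreXL Firewall instances, so an instance that carries a disproportionate share of the SPIs, or none at all, is worth a closer look. The Python script below parses the table format shown above and applies that check. The first sample is the IPv4 table from this page; the skewed second table and the 1.5x threshold are constructed assumptions, not values from this guide.

```python
import re
from statistics import mean

# Constructed samples: the IPv4 table shown above, and a made-up skewed table in which
# instance 0 carries almost every tunnel and instance 2 carries none.
BALANCED = """\
Instance#    # of inSPIs    # of outSPIs
0            182            170
1            184            176
2            191            174
3            215            197
4            237            227
5            191            176
6            180            170
7            190            166
8            171            160
9            199            187
-----------------------------------------
Summary:     1940           1803
"""

SKEWED = """\
Instance#    # of inSPIs    # of outSPIs
0            900            880
1            10             8
2            0              0
-----------------------------------------
Summary:     910            888
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*$")
SUMMARY = re.compile(r"^\s*Summary:\s+(\d+)\s+(\d+)\s*$")


def parse_mstats(text):
    """Return ({instance: (inSPIs, outSPIs)}, (summary_in, summary_out) or None)."""
    rows, summary = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[int(m.group(1))] = (int(m.group(2)), int(m.group(3)))
            continue
        m = SUMMARY.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
    return rows, summary


def check_distribution(rows, summary, max_ratio=1.5):
    """Flag instances that carry no SPIs or more than max_ratio times the mean load.

    max_ratio is an assumed threshold; tune it for the gateway's tunnel count.
    """
    problems = []
    if summary is not None:
        totals = (sum(i for i, _ in rows.values()), sum(o for _, o in rows.values()))
        if totals != summary:
            problems.append(f"per-instance totals {totals} do not match Summary {summary}")
    load = {inst: i + o for inst, (i, o) in rows.items()}
    if load:
        avg = mean(load.values())
        for inst, spis in sorted(load.items()):
            if spis == 0:
                problems.append(f"instance {inst} carries no SPIs")
            elif avg and spis / avg > max_ratio:
                problems.append(f"instance {inst} carries {spis} SPIs, {spis / avg:.1f}x the mean")
    return problems


if __name__ == "__main__":
    for name, table in (("balanced", BALANCED), ("skewed", SKEWED)):
        rows, summary = parse_mstats(table)
        print(name, check_distribution(rows, summary) or "OK")
```

On a gateway, feed the script the live output (for example, vpn tu mstats piped into it) rather than the embedded samples.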

vpn tu tlist

Description
Shows information about VPN tunnels.

Syntax for IPv4

vpn tu [-w] tlist
    {-h | -help}
    [clear]
    [start]
    [state]
    [stop]
    [<Sort Options>]

Syntax for IPv6

vpn6 tu [-w] tlist
    {-h | -help}
    [clear]
    [start]
    [state]
    [stop]
    [<Sort Options>]

Parameters

Parameter Description

-w Shows various warnings on the screen.

-h | -help Shows the built-in usage.

clear Clears the Tunnel List volume statistics.

start Turns on the Tunnel List volume statistics.

state Shows the current Tunnel List volume statistics state.

stop Turns off the Tunnel List volume statistics.


<Sort Options> The available sort options are:
n -b - Sorts by total (encrypted + decrypted) bytes.
n -d - Sorts by inbound (decrypted) bytes.
n -e - Sorts by outbound (encrypted) bytes.
n -i - Combines list rows for each CoreXL Firewall instance with
accumulated traffic. Default order is descending by total bytes.
n -m - Sorts by MSPI.
n -n - Sorts by VPN peer name.
n -p <IP Address> - Shows tunnels only for a VPN peer with the
specified IP address.
n -r - Sorts in reverse order.
n -s - Sorts by SPI.
n -t - Combines list rows for each VPN peer with accumulated traffic.
Default order is descending by total bytes.
n -v - Verbose mode, prints a header message for each option.

If you specify more than one sort option, you can:
n Separate the options with spaces:
... -<option1> -<option2> -<option3>
For example: -v -t -b -r
n Write the options together:
... -<option1><option2><option3>
For example: -vtbr

Example for IPv4

[Expert@MyGW:0]# vpn tu tlist


+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.29.7.134 (b61cef72a222a909) | MSA: ffffc20020e34530 | i: 2 ref: 11 |
| Methods: ESP Tunnel AES-128 SHA1 | | i: 5 ref: 2 |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 172.29.7.134 | | |
| User: user3 | | |
| MSPI: b7 (i: 5) | Out SPI: c95d172c | |
+-----------------------------------------+-----------------------+---------------------+
[Expert@MyGW:0]#
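Worked example (added here; this is not Check Point code). Because every tunnel record prints its negotiated Methods, the output of vpn tu tlist can be audited for tunnels that still negotiate weak algorithms. The Python script below parses the boxed records and reports such tunnels. The second record and the list of algorithms treated as weak are constructed assumptions, and the parser assumes that the algorithm names are printed as whitespace-separated tokens, as in the record above.

```python
import re

# Algorithms that should not appear in a negotiated proposal any more. This list is an
# assumption drawn from common hardening baselines, not a Check Point requirement.
WEAK_ALGORITHMS = {"DES", "3DES", "MD5", "SHA1", "NULL"}

# Constructed sample: the record shown above plus a second, made-up site-to-site tunnel.
SAMPLE_TLIST = """\
+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.29.7.134 (b61cef72a222a909)   | MSA: ffffc20020e34530 | i: 2 ref: 11        |
| Methods: ESP Tunnel AES-128 SHA1        |                       | i: 5 ref: 2         |
| My TS: 0.0.0.0/0                        |                       |                     |
| Peer TS: 172.29.7.134                   |                       |                     |
| User: user3                             |                       |                     |
| MSPI: b7 (i: 5)                         | Out SPI: c95d172c     |                     |
+-----------------------------------------+-----------------------+---------------------+
+-----------------------------------------+-----------------------+---------------------+
| Peer: 192.0.2.10 (0123456789abcdef)     | MSA: ffffc20020e34a00 | i: 0 ref: 4         |
| Methods: ESP Tunnel AES-256 SHA256      |                       |                     |
| My TS: 10.1.0.0/16                      |                       |                     |
| Peer TS: 10.2.0.0/16                    |                       |                     |
| MSPI: c1 (i: 0)                         | Out SPI: 1a2b3c4d     |                     |
+-----------------------------------------+-----------------------+---------------------+
"""

# A cell looks like "Label: value"; the label is the text before the first colon.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_tlist(text):
    """Split the boxed output into one dict per tunnel, keyed by the label of each cell."""
    tunnels, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("+"):            # border line closes the record that is open
            if current:
                tunnels.append(current)
                current = {}
            continue
        if not line.startswith("|"):
            continue
        for cell in line.strip("|").split("|"):
            m = FIELD.match(cell.strip())
            if m and m.group(1) not in current:   # keep the first value seen for a label
                current[m.group(1)] = m.group(2).strip()
    if current:
        tunnels.append(current)
    return tunnels


def weak_tunnels(tunnels):
    """Return (peer IP, [weak algorithms]) for each tunnel whose Methods use a weak algorithm."""
    findings = []
    for tunnel in tunnels:
        methods = set(tunnel.get("Methods", "").split())
        weak = sorted(methods & WEAK_ALGORITHMS)
        if weak:
            findings.append((tunnel.get("Peer", "?").split()[0], weak))
    return findings


if __name__ == "__main__":
    for peer, weak in weak_tunnels(parse_tlist(SAMPLE_TLIST)):
        print(f"{peer}: weak algorithm(s) negotiated: {', '.join(weak)}")
```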

vpn ver

Description
Shows the major version number and build number of the VPN kernel module.

Syntax

vpn ver [-k] [-f <filename>]

Parameters

Parameter Description

-k Shows the version name and build number and the kernel build number.

-f <filename> Saves the information to the specified text file.

Example

[Expert@MyGW:0]# vpn ver -k


This is Check Point VPN-1(TM) R80.40 - Build 123
kernel: R80.40 - Build 456
[Expert@MyGW:0]#

mcc
Description
The VPN Multi-Certificate CA (MCC) commands let you manage certificates and Certificate
Authorities on a Security Management Server or Domain Management Server:
n Shows Certificate Authorities
n Shows certificates
n Adds certificates
n Deletes certificates

Important:
n Before you run this command, you must close all SmartConsole clients,
Database Tool (GuiDBEdit Tool) clients (see sk13009), and "dbedit" clients
(see sk13301) to prevent a lock of the management database. The only
exceptions are the "mcc lca" and "mcc show" commands.
n The mcc commands require the cpca process to be up and running. To check, run this
command:
ps auxw | egrep "cpca|COMMAND"
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

mcc
-h
add <options>
add2main <options>
del <options>
lca
main2add <options>
show <options>

Parameters

Parameter Description

-h Shows the built-in usage.


add <options> Adds certificates. See "mcc add" on page 1684.

add2main <options> Promotes an additional certificate to be the main certificate. See "mcc add2main" on page 1685.

del <options> Deletes certificates. See "mcc del" on page 1686.

lca Shows Certificate Authorities. See "mcc lca" on page 1687.

main2add <options> Adds the main certificate to the additional certificates. See "mcc main2add" on page 1688.

show <options> Shows certificates. See "mcc show" on page 1689.

mcc add

Description
Adds a certificate stored in DER format in a specified file, as an additional certificate to the
specified CA. The new certificate receives an index number higher by one than the highest
existing certificate index number.

Syntax

mcc add <CA Name> <Certificate File>


Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
Important - Before you run this command, you must close all SmartConsole clients,
Database Tool (GuiDBEdit Tool) clients (see sk13009), and "dbedit" clients (see
sk13301) to prevent a lock of the management database.

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management Server
database.

<Certificate File> Specifies the path and the name of the certificate file, which must be in DER format.

Example - Add the certificate stored in the /var/log/Mycert.cer file to the CA called
"MyCA"
mcc add MyCA /var/log/Mycert.cer
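Worked example (added here; this is not Check Point code). mcc add expects the certificate file in DER format, while a certificate exported from another CA often arrives PEM-encoded. The Python script below converts a PEM file to DER when needed and checks that the result is a single DER SEQUENCE that spans the whole file before you hand it to mcc add. The check is structural only (it does not validate the certificate), and the 5-byte SEQUENCE used in the test is a constructed value, not a real certificate.

```python
import base64
import re

# One PEM block: the base64 body between the BEGIN and END armour lines.
PEM_BLOCK = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return DER bytes: decode a PEM block if one is present, else pass the data through."""
    m = PEM_BLOCK.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def der_sequence_length(data: bytes):
    """Total encoded length of a top-level DER SEQUENCE, or None if the header is not one."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                              # short form: length fits in one byte
        return 2 + first
    count = first & 0x7F                          # long form: number of length bytes
    if count == 0 or count > 4 or len(data) < 2 + count:
        return None
    return 2 + count + int.from_bytes(data[2:2 + count], "big")


def looks_like_der_certificate(data: bytes) -> bool:
    """Cheap structural check: exactly one DER SEQUENCE spanning the whole file."""
    return der_sequence_length(data) == len(data)


if __name__ == "__main__":
    import sys

    path = sys.argv[1]
    with open(path, "rb") as fh:
        der = to_der(fh.read())
    if not looks_like_der_certificate(der):
        sys.exit(f"{path}: not a single DER-encoded certificate; not passing it to mcc add")
    out = path + ".der"
    with open(out, "wb") as fh:
        fh.write(der)
    print(f"wrote {out} ({len(der)} bytes); now run: mcc add <CA Name> {out}")
```

Run the script on the exported file first; if it accepts the file, use the written .der copy as the <Certificate File> argument.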

mcc add2main

Description
Copies the additional certificate of the specified index number of the specified CA to the main
position and overwrites the previous main certificate.

Syntax

mcc add2main <CA Name> <Certificate Index Number>


Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
Important - Before you run this command, you must close all SmartConsole clients,
Database Tool (GuiDBEdit Tool) clients (see sk13009), and "dbedit" clients (see
sk13301) to prevent a lock of the management database.

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management
Server database.

<Certificate Index Number> Specifies the certificate index number.

Example - Copy certificate #1 of a CA called "MyCA" to the main position
mcc add2main MyCA 1

mcc del

Description
Removes the additional certificate of the specified index number from the specified CA.
Greater index numbers (of other additional certificates) are reduced by one.

Syntax

mcc del <CA Name> <Certificate Index Number>


Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
Important - Before you run this command, you must close all SmartConsole clients,
Database Tool (GuiDBEdit Tool) clients (see sk13009), and "dbedit" clients (see
sk13301) to prevent a lock of the management database.

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management
Server database.

<Certificate Index Number> Specifies the certificate index number.

Example - Remove certificate #1 of a CA called "MyCA"
mcc del MyCA 1

mcc lca

Description
Shows all Certificate Authorities (CAs) defined in the Management Server database, with the
number of additional CA certificates for each CA.

Syntax

mcc lca
Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Example

[Expert@MGMT:0]# mcc lca


MCC: Here is a list of the CAs, with the number of additional CA certificates
1. internal_ca (0)
[Expert@MGMT:0]#

mcc main2add

Description
Copies the main certificate of the specified CA to an additional position.
The copied certificate receives an index number higher by one than the highest existing
certificate index number.

Syntax

mcc main2add <CA Name>


Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
Important - Before you run this command, you must close all SmartConsole clients,
Database Tool (GuiDBEdit Tool) clients (see sk13009), and "dbedit" clients (see
sk13301) to prevent a lock of the management database.

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management Server
database.

Example
The CA called "MyCA" has a main certificate and one additional certificate.
If you run this command, then the CA will have two additional certificates, and additional
certificate #2 will be identical to the main certificate:
mcc main2add MyCA

mcc show

Description
Shows details for a specified certificate of a specified CA.

Syntax

mcc show <CA Name> [<Certificate Index Number>]


Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Parameters

Parameter Description

<CA Name> Specifies the name of the CA, as defined in the Management
Server database.

<Certificate Index Number> Optional. Specifies the certificate index number.
To show the main certificate of a CA, omit this parameter.

Example 1 - Show certificate #1 of a CA called "MyCA"
mcc show MyCA 1

Example 2 - Show certificate of a CA called "internal_ca"

[Expert@MGMT:0]# mcc lca


MCC: Here is a list of the CAs, with the number of additional CA certificates
1. internal_ca (0)
[Expert@MGMT:0]#

[Expert@MGMT:0]# mcc show internal_ca


PubKey:
Modulus:
ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45 f1 00 04 bc
3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be db 75 cc c8
... ... ...
a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50 01 0f 86 9d
55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
Exponent: 65537 (0x10001)

X509 Certificate Version 3


refCount: 1
Serial Number: 1
Issuer: O=MyServer.checkpoint.com.s6t98x
Subject: O=MyServer.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[Expert@MGMT:0]#

Mobile Access Commands


For more information about Mobile Access, see the R80.40 Mobile Access Administration
Guide.

admin_wizard
Description
Runs the administration client wizard to test connectivity to websites, Exchange server
services, or LDAP server.

Note - This wizard saves its log messages in these files:


n $CVPNDIR/log/AdminWizardLog.elg
n $CVPNDIR/log/wizard.elg
n $CVPNDIR/log/wizardDns
n $CVPNDIR/log/wizardEstimation
n $CVPNDIR/log/wizardLdap
n $CVPNDIR/log/wizardProxy

Syntax

admin_wizard
    cancel
    estimation
    exchange_wizard <Exchange Server Address> <User Name> <Password> [<Options>]
    ldap <LDAP server>
    wizard <Web Site Address>

Parameters

Parameter Description

No Parameters Shows the built-in help.

cancel Kills the administration client wizard that is already running.

estimation Estimates how many seconds the wizard will run.


exchange_wizard <Exchange Server Address> <User Name> <Password> [<Options>] Tests the response from an Exchange server:
n Finds the address protocol (HTTP or HTTPS) and authentication method (Basic or NTLM) of the Exchange server services.
n Checks accessibility of Mobile Access ActiveSync and EWS services for users.
n For the Web command, checks access to the URL.
n For the OWA command, returns the URL of Outlook Web Access.

The parameters are:
n <Exchange Server Address> - Specifies the Exchange server by its IP address or hostname.
n <User Name> - Specifies the user name on the Exchange server.
n <Password> - Specifies the password on the Exchange server.
n <Options> - Specifies the test options.


The available test options are:
n -t {as | ews | owa | all} - Specifies the services to test on the Exchange server. To specify more than one service, separate them with a comma. For example: as,ews
l all - Tests all of the services (default)
l as - Tests ActiveSync
l ews - Tests Exchange Web Services
l owa - Searches for the Outlook Web Application (OWA) address of the Exchange server
n -d <DNS Servers> - Specifies the DNS servers.
n -x <Proxy Servers> - Specifies the Proxy servers.
n -c <Username>:<Password> - Specifies the user name and password for Proxy server authentication.
n -n - Allows only NTLM authentication instead of Basic and NTLM.
n -m <Domain Name> - Specifies the user domain name.
n -s <ActiveSync Path> - Tests a specified ActiveSync service path (Default: /Microsoft-Server-ActiveSync).
n -e <EWS Path> - Tests a specified Exchange Web Services service path (Default: /EWS/Exchange.asmx).
n -f <File Name> - Writes the test results to the specified file.
n -r - Sends a request with the configured Proxy, DNS, HTTP protocol, and authentication method.
l If you also specify the "-n" option, then the NTLM authentication method is used.
l If you do not specify the "-n" option, then only the Basic authentication method is used.

R80.40 CLI Reference Guide | 1694


admin_wizard

Parameter Description

n -v - Makes the HTTP requests verbose.


The verbose result files are saved in the
$CVPNDIR/log/trace_log/ directory.
n -p - Validates the SSL certificate of the
web server.

ldap <LDAP server> Tests connectivity to the specified LDAP server.


You can specify the LDAP server by its IP
address or hostname.

wizard <Web Site Address> Tests connectivity to the specified URL.

Example 1 - Check URL accessibility of 'www.checkpoint.com'

admin_wizard wizard www.checkpoint.com

Example 2 - Check accessibility to the LDAP server 192.168.0.55

admin_wizard ldap 192.168.0.55

Example 3 - Check accessibility for username 'user1' to ActiveSync and EWS on the
Exchange server 'exchange.example.com'

admin_wizard exchange_wizard exchange.example.com username user1 -


t as,ews

R80.40 CLI Reference Guide | 1695


cvpnd_admin
Description
Changes the behavior of the Mobile Access cvpnd process.

Syntax

cvpnd_admin
      appMonitor status
      clear_kernel_tables
      clear_portal_cache
      debug <options>
      ics_update
      isEnabled
      license <options>
      policy [{graceful | hard}]
      revoke <Certificate Serial Number>

Parameters

appMonitor <options>
    Controls the Application Monitor.
    The Application Monitor is a software component that monitors internal servers to track their up time.
    If problems are found, a system alert log is created.
    The available <options> are:
    - restart - Restarts the Application Monitor.
    - start - Starts the Application Monitor.
    - status - Shows the status of the Application Monitor feature, the applications monitored by the Application Monitor and their status.
    - stop - Stops the Application Monitor.

clear_kernel_tables
    Clears all Mobile Access kernel tables.

clear_portal_cache
    Clears the cache for the applications presented in the Mobile Access Portal for all open sessions.

debug set TDERROR_ALL_ALL=5
    Enables all cvpnd debug output for the running cvpnd process.
    The output is in the $CVPNDIR/log/cvpnd.elg file.
    Note - When you enable all debug topics, it might impact the performance. Debug topics are provided by Check Point Support.

debug off
    Disables all cvpnd debug output.

debug trace on
debug trace users=<Username>
    The TraceLogger feature generates full captures of incoming and outgoing authenticated Mobile Access traffic.
    The output is saved in the $CVPNDIR/log/trace_log/ directory.
    - debug trace on - Enables the TraceLogger feature for all users.
    - debug trace users=<Username> - Enables the TraceLogger feature for a specified username.

    Important:
    - The TraceLogger feature has a major effect on performance, because all traffic is saved as files.
    - The TraceLogger feature uses a lot of disk space, because all traffic is saved as files. After a maximum number of files is saved, the oldest files are removed from the disk, which also has a performance cost.
    - The TraceLogger feature creates a security concern: end-user passwords that are sent to internal resources might appear in the capture files.

ics_update
    Updates the Mobile Access services after you published a new ICS update.

isEnabled
    Checks if Mobile Access is enabled by policy.

license <options>
    Shows Mobile Access license count and status:
    - all - Shows information about the MOB and MOBMAIL licenses.
    - mob - Shows information about the MOB license.
    - mobmail - Shows information about the MOBMAIL license.

policy [{graceful | hard}]
    Updates the Mobile Access services according to the current policy:
    - policy - For Apache services, each httpd process waits until its current request is finished, then exits.
    - policy graceful - For Apache services, each httpd process waits until its current request is finished, then exits.
    - policy hard - For Apache services, all httpd processes exit immediately, terminating all current HTTP requests.

revoke <Certificate Serial Number>
    Notifies about revocation of a certificate with a given serial number.


cvpnd_settings
Description
Changes a Mobile Access Gateway local configuration file $CVPNDIR/conf/cvpnd.C.
The cvpnd_settings commands let you get attribute values or set them in order to configure the cvpnd process.

Important - Changes made with the cvpnd_settings command are not saved during the Mobile Access Gateway upgrade. Keep a backup of your $CVPNDIR/conf/cvpnd.C file after you make manual changes.
Warning - The cvpnd process may not start if you make a mistake in the syntax of attribute names or their values.

General Syntax

cvpnd_settings [<Configuration File>] {get | set | add | listAdd | listRemove | internal} <Attribute-Name> [<Attribute-Value>]

Syntax for DynamicID Resend

cvpnd_settings [<Configuration File>] {set | get} smsMaxResendRetries [<Number>]

Syntax for Kerberos Authentication

cvpnd_settings [<Configuration File>] {set | get} useKerberos {true | false}
cvpnd_settings [<Configuration File>] {listAdd | listRemove} kerberosRealms [<Your AD Name>]

Parameters
Run this command to see the full explanation of the parameters: cvpnd_settings -h

-h
    Shows built-in help with a full explanation of the parameters.

<Configuration File>
    Specifies the path and the name of the configuration file to change.

get
    Gets the value of an existing attribute, or the values of a list.

set
    Sets the value of an attribute.
    If the specified attribute does not exist in the configuration file, then the command adds it.

add
    Adds a new attribute.
    If the specified attribute already exists in the configuration file, then the command does not change it.

listAdd
    Adds the specified attribute to a list.

listRemove
    Removes the specified attribute from a list.

internal
    Specifies that the command must change the $CVPNDIR/conf/cvpnd_internal_settings.C file instead of the $CVPNDIR/conf/cvpnd.C file.

<Attribute-Name>
    Specifies the attribute name.

<Attribute-Value>
    Specifies the attribute value.

<Number>
    Specifies the number of SMS resend attempts.

<Your AD Name>
    Specifies the Active Directory name.

Example 1 - Set the value of the attribute 'myFlag' to 1

cvpnd_settings set myFlag 1

Example 2 - See the current value of the attribute 'myFlag'

cvpnd_settings get myFlag

Example 3 - Empty the value of the attribute 'myFlag', or create a new attribute/list 'myFlag'

cvpnd_settings set myFlag

Example 4 - Add the attribute 'myFlag' with the value 'a.example.com' to a list

cvpnd_settings listAdd myFlag a.example.com
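The Important and Warning notes above say to keep a backup of cvpnd.C and that a syntax mistake can stop cvpnd from starting. The following Python helper is an added example, not Check Point code: it takes a timestamped backup, runs the command, and returns a unified diff of the file so the change can be reviewed (or the backup copied back) before the process is restarted. The `runner` parameter and the `demo()` function are assumptions for this example; the demo's file content and its stub "set" handling are constructed and do not reproduce the real cvpnd.C syntax.

```python
import difflib
import re
import shutil
import subprocess
import tempfile
import time
from pathlib import Path


def backup_config(conf_path):
    """Copy the configuration file next to itself with a timestamp suffix
    (for example cvpnd.C.20240704-120000.bak) and return the backup path."""
    conf = Path(conf_path)
    backup = conf.with_name(f"{conf.name}.{time.strftime('%Y%m%d-%H%M%S')}.bak")
    shutil.copy2(conf, backup)
    return backup


def change_setting(conf_path, args, runner=subprocess.run):
    """Run "cvpnd_settings <Configuration File> <args...>" with a backup taken first.

    Returns (backup_path, diff_lines): diff_lines is a unified diff of the file
    before and after the change, so the edit can be reviewed line by line.
    `runner` is injected (assumption for this example) so the flow can be
    exercised without the gateway binary; on a gateway the default
    subprocess.run invokes the real command.
    """
    conf = Path(conf_path)
    before = conf.read_text().splitlines()
    backup = backup_config(conf)
    runner(["cvpnd_settings", str(conf), *args], check=True)
    after = conf.read_text().splitlines()
    diff = list(difflib.unified_diff(before, after, fromfile=str(backup),
                                     tofile=str(conf), lineterm=""))
    return backup, diff


def demo():
    """Exercise change_setting on a constructed file with a stub runner.

    The file content and the stub's "set" behaviour are invented for this demo
    and do not reproduce the real cvpnd.C format. Returns (backup_exists, diff).
    """
    workdir = Path(tempfile.mkdtemp(prefix="cvpnd_demo_"))
    conf = workdir / "cvpnd.C"
    conf.write_text(":smsMaxResendRetries (3)\n:useKerberos (false)\n")  # constructed

    def stub_runner(argv, check=True):
        # Stand-in for cvpnd_settings: supports only "<file> set <name> <value>".
        path, op, name, value = argv[1], argv[2], argv[3], argv[4]
        assert op == "set"
        text = Path(path).read_text()
        pattern = re.compile(rf"^:{re.escape(name)} \([^)]*\)$", re.M)
        Path(path).write_text(pattern.sub(f":{name} ({value})", text))

    backup, diff = change_setting(conf, ["set", "smsMaxResendRetries", "5"],
                                  runner=stub_runner)
    return backup.exists(), diff


if __name__ == "__main__":
    ok, diff = demo()
    print("backup written:", ok)
    print("\n".join(diff))
```

The diff is the check a practitioner wants before restarting cvpnd: an unexpected removed line or a mangled attribute name shows up as a `-`/`+` pair, while the backup path in the diff header is the file to copy back if the process then fails to start.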


cvpn_ver
Description
Shows the version of the Mobile Access Software Blade.

Best Practice - Run the "fw ver -k" command to get all version details (see "fw ver" on page 1168).

Syntax

cvpn_ver

Example

[Expert@MyGW:0]# cvpn_ver
This is Check Point Mobile Access R80.40 - Build 123
[Expert@MyGW:0]#


cvpnrestart
Description
Restarts all Mobile Access blade services.

Warning - While this command does not terminate sessions, it closes all TCP connections. End-users might lose their work.

Syntax

cvpnrestart [--with-pinger]

Parameters

--with-pinger
    Restarts the Pinger service, responsible for ActiveSync and Outlook Web Access push mail notifications.


cvpnstart
Description
Starts all Mobile Access blade services, after you stopped them with the "cvpnstop" on page 1704 command.

Syntax

cvpnstart


cvpnstop
Description
Stops all Mobile Access blade services.

Warning - While this command does not terminate sessions, it closes all TCP connections. End-users might lose their work.

Syntax

cvpnstop


deleteUserSettings
Description
Deletes all persistent settings (favorites, cookies, credentials) of one or more end-users.

Syntax

deleteUserSettings [-s] <Username1> [<Username2> ...]

Parameters

-s
    Runs in silent mode with no output to the end-user's screen.

<Username>
    Specifies the user name whose settings to delete.
    Notes:
    - When you refer to an internal user, use its username.
    - When you refer to an LDAP user, use the full DN according to your LDAP settings.

Example 1 - Delete an internal user named 'user1'

deleteUserSettings [-s] user1

Example 2 - Delete an LDAP user named 'user1', whose DN is 'CN=user1,OU=users,DC=example,DC=com'

deleteUserSettings [-s] CN=user1,OU=users,DC=example,DC=com


fwpush
Description
Sends command interrupts to the fwpushd process on the Mobile Access Gateway.

Note - Users get the push notifications only while they are logged in.

Syntax

fwpush
      debug <options>
      del <options>
      info
      print
      send <options>
      unsub <options>

Parameters

debug {off | on | reset | set all all | stat}
    Controls the debug of the Mobile Access Push Notifications daemon.
    For more information, see sk109039.

del {-token <Token> | -uid <User-UID>}
    Deletes a specified token, or all tokens for a specified user.
    The available options are:
    - Delete the specified token for all users:
      fwpush del -token <Token>
    - Delete all tokens for a specified user:
      fwpush del -uid <User-UID>

info
    Gets data on notifications in the push queue:
    - Number of items in queues
    - Number of seconds the oldest item is in the queue
    - Number of seconds the newest item is in the queue
    - Number of seconds a batch waits in the queue
    - Number of seconds to the sending of the next batch
    - Number of batch errors and authentication request timeouts

print
    Shows the push notifications queue and the pending batches.

send -token <Token> -os {iPhone | Android} -msg "<Notification Message>"
send {-user <Username> | -uid <User-UID>} -msg "<Notification Message>"
    Sends an on-demand push notification message from a command line.
    Important - Before you use the "fwpush send" command, make sure the user is: (A) registered on the Exchange Server, (B) connected.

unsub {<Token> | -user <Username> | -uid <User-UID> | -all}
    Unsubscribes a user from push notifications.
    The available options are:
    - Unsubscribe all users from the specified token:
      fwpush unsub <Token>
    - Unsubscribe the specified user from all tokens:
      fwpush unsub -user <Username>
      or
      fwpush unsub -uid <User-UID>
    - Unsubscribe all users from all tokens:
      fwpush unsub -all

Viewing the details of connected users

UserSettingsUtil show_exchange_registered_users

Example output:

[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users
User Name: CN=JohnD,OU=USERS,OU=RND,OU=PO,OU=USA,DC=AD,DC=CHECKPOINT,DC=COM User Settings id: c4b6c6fbb0c4xxxxxxxx265e93e0e372
Push Token: xxxxxxxxxxxxx65b48e424023ebxxxxxxxxca22ea788cfb3cxxxxxxxxxx Device id: 46c5XXXXcc1d10b4e18cf5a1xxxxxxxx
[Expert@MyGW:0]#

Notes:
- To use the "<Token>" parameter in the "fwpush" commands, use the value of the Push Token attribute.
  In the above example: xxxxxxxxxxxxx65b48e424023ebxxxxxxxxca22ea788cfb3cxxxxxxxxxx
- To use the "<Username>" parameter in the "fwpush" commands, use the value of the CN attribute.
  In the above example: JohnD
- To use the "<User-UID>" parameter in the "fwpush" commands, use the value of the User Settings id attribute.
  In the above example: c4b6c6fbb0c4xxxxxxxx265e93e0e372

Example

[Expert@MyGW:0]# fwpush send -uid JohnD -msg "Hello - push"


ics_updates_script
Description
Manually starts an Endpoint Security on Demand (ESOD) update on the Mobile Access Gateway.
For more information, see the contents of the $CVPNDIR/bin/ics_updates_script file.

Syntax

$CVPNDIR/bin/ics_updates_script <Path to Local ICS Updates Package>

Parameters

<Path to Local ICS Updates Package>
    Specifies the full path to the local ICS Updates package.
    Do not specify the name of the ICS Updates package.

Notes
- Usually, it is not necessary to run this command, and you start the ESOD updates from SmartConsole:
  1. Connect with SmartConsole to the Management Server.
  2. From the left navigation panel, click Manage & Settings.
  3. In the Mobile Access section, click Configure in SmartDashboard.
     The SmartDashboard opens on the Mobile Access tab.
  4. From the left tree, click Endpoint Security on Demand > Endpoint Compliance Updates.
  5. Click Update Database Now.
  6. Enter the applicable User Center credentials.
  7. Click Next.
  8. Select the applicable Mobile Access Gateways.
  9. Click Finish.
  10. Close the SmartDashboard.
- Make sure to run only one instance of this command at a time.


listusers
Description
Shows a list of end-users connected to the Mobile Access Gateway, along with their source IP addresses.

Syntax

listusers

Example

[Expert@MyGW:0]# listusers
------------------------------
UserName | IP
------------------------------
Tom , 192.168.0.51
John , 192.168.0.130
Jane , 192.168.0.7
[Expert@MyGW:0]#
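The listusers output above is a quick way to see who is connected and from where. The Python below is an added example, not part of the Check Point guide or product: it parses that output into (user, IP) pairs and flags sessions whose source address is outside the ranges an operator expects remote users to come from. The sample text is constructed from the shape of the output shown above (the "Eve" row and the allowed network are invented for the example), and the parser also accepts a full LDAP DN in the user column, since the DN itself contains commas.

```python
import ipaddress
import re

# Constructed sample, modelled on the listusers output shown above (not real gateway data).
SAMPLE_LISTUSERS_OUTPUT = """\
[Expert@MyGW:0]# listusers
------------------------------
UserName | IP
------------------------------
Tom , 192.168.0.51
John , 192.168.0.130
Jane , 192.168.0.7
Eve , 203.0.113.9
[Expert@MyGW:0]#
"""

# One "<user> , <ip>" row. The user part is non-greedy and the line must end with
# an address, so a DN such as "CN=a,OU=b,DC=c , 10.0.0.1" still splits correctly.
_ROW = re.compile(r"^\s*(?P<user>.+?)\s*,\s*(?P<ip>[0-9a-fA-F:.]+)\s*$")


def parse_listusers(text):
    """Return a list of (user, ip_address) tuples from listusers output.

    Banner lines, separators, the header row and the shell prompt do not match
    the row pattern and are skipped; a row whose IP column does not parse is
    ignored rather than raising, so one odd line cannot break a monitoring job.
    """
    sessions = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        sessions.append((m.group("user"), ip))
    return sessions


def sessions_outside(sessions, allowed_networks):
    """Return the (user, ip) pairs whose source IP is in none of allowed_networks.

    allowed_networks is an iterable of CIDR strings describing where remote
    access sessions are expected from (an assumption supplied by the operator).
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    return [(u, ip) for u, ip in sessions if not any(ip in n for n in nets)]


if __name__ == "__main__":
    found = parse_listusers(SAMPLE_LISTUSERS_OUTPUT)
    for user, ip in found:
        print(f"{user:10} {ip}")
    for user, ip in sessions_outside(found, ["192.168.0.0/24"]):
        print(f"REVIEW: {user} connected from {ip}, outside the expected ranges")
```

Run periodically (for example from a cron job that pipes the real `listusers` output into `parse_listusers`), the "REVIEW" lines give a simple, low-noise signal of a session arriving from an unexpected network, which is usually worth a closer look in the gateway logs.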


rehash_ca_bundle
Description
Imports all of the Certificate Authority (CA) files from the $CVPNDIR/var/ssl/ca-bundle/ directory into the Mobile Access trusted CA bundle.
The trusted CA bundle is used when the Mobile Access Gateway accesses an internal server (such as OWA) through HTTPS.
If the SSL server certificate of the internal server is not trusted by the Mobile Access Gateway, the Mobile Access Gateway responds based on the settings for the Internal Web Server Verification feature. The default setting is Monitor.

To accept certificates from a specified server, add its server certificate CA to the CA bundle.

Syntax

rehash_ca_bundle

Example

[Expert@MyGW:0]# rehash_ca_bundle
Doing /opt/CPcvpn-R80.40/var/ssl/ca-bundle/
AC_Ra__z_Certic__mara_S.A..pem => 6f2c1157.0
AOL_Time_Warner_Root_Certification_Authority_1.pem => ed9bb25c.0
... ... ...
beTRUSTed_Root_CA_-_RSA_Implementation.pem => 16b3fe3c.0
thawte_Primary_Root_CA.pem => 2e4eed3c.0
[Expert@MyGW:0]#


UserSettingsUtil
Description
Shows details of users connected to the Mobile Access Gateway.

Syntax

UserSettingsUtil show_exchange_registered_users [<Username>]

Parameters

<Username>
    Specifies the user name.
    Notes:
    - When you refer to an internal user, use its username.
    - When you refer to an LDAP user, use the full DN according to your LDAP settings.

Example 1 - To show all users

[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users
User Name: CN=JohnD,OU=USERS,OU=RND,OU=PO,OU=USA,DC=AD,DC=CHECKPOINT,DC=COM User Settings id: c4b6c6fbb0c4xxxxxxxx265e93e0e372
Push Token: xxxxxxxxxxxxx65b48e424023ebxxxxxxxxca22ea788cfb3cxxxxxxxxxx Device id: 46c5XXXXcc1d10b4e18cf5a1xxxxxxxx
[Expert@MyGW:0]#

Example 2 - To show an internal user named 'user1'

[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users user1

Example 3 - To show an LDAP user named 'user1', whose DN is 'CN=user1,OU=users,DC=example,DC=com'

[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users CN=user1,OU=users,DC=example,DC=com
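The fwpush Notes earlier explain which attribute of the UserSettingsUtil output feeds each fwpush parameter (Push Token for <Token>, the CN for <Username>, User Settings id for <User-UID>), and the UserSettingsUtil examples above show that output. The Python below is an added example, not Check Point code, that does the extraction for both passages: it parses the registered-user listing into records and pulls the CN out of an LDAP DN. The sample is constructed from the shape of the output shown above (the masked "xxxx" values are the guide's own placeholders; the second, internal-user record is invented), and the assumption that a record always carries the four labels in that order is the example's own.

```python
import re

# Constructed sample in the shape of "UserSettingsUtil show_exchange_registered_users"
# output. Masked "xxxx" values are the guide's placeholders; the user1 record is invented.
SAMPLE_OUTPUT = """\
[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users
User Name: CN=JohnD,OU=USERS,OU=RND,OU=PO,OU=USA,DC=AD,DC=CHECKPOINT,DC=COM User Settings id:
c4b6c6fbb0c4xxxxxxxx265e93e0e372
Push Token: xxxxxxxxxxxxx65b48e424023ebxxxxxxxxca22ea788cfb3cxxxxxxxxxx Device id:
46c5XXXXcc1d10b4e18cf5a1xxxxxxxx
User Name: user1 User Settings id:
0123456789abcdef0123456789abcdef
Push Token: fedcba9876543210fedcba9876543210fedcba9876543210 Device id:
00112233445566778899aabbccddeeff
[Expert@MyGW:0]#
"""

# One record is four labelled fields. The listing wraps them over several lines,
# so the text is flattened to one line before matching (assumed label order).
_RECORD = re.compile(
    r"User Name:\s*(?P<dn>.+?)\s+User Settings id:\s*(?P<uid>\S+)\s+"
    r"Push Token:\s*(?P<token>\S+)\s+Device id:\s*(?P<device>\S+)"
)


def username_from_dn(dn):
    """Return the CN value of an LDAP DN (the <Username> fwpush expects).

    An internal user is listed by its plain username, which has no "CN=" prefix
    and is returned unchanged. A CN may contain spaces ("CN=Jane Doe,...").
    """
    first_rdn = dn.split(",", 1)[0]
    attr, sep, value = first_rdn.partition("=")
    if sep and attr.strip().upper() == "CN":
        return value.strip()
    return dn


def parse_registered_users(text):
    """Return one dict per registered user: dn, username, uid, token, device."""
    flat = " ".join(line.strip() for line in text.splitlines()
                    if not line.startswith("[Expert@"))
    records = []
    for m in _RECORD.finditer(flat):
        dn = m.group("dn")
        records.append({
            "dn": dn,
            "username": username_from_dn(dn),   # value for fwpush -user
            "uid": m.group("uid"),              # value for fwpush -uid
            "token": m.group("token"),          # value for fwpush <Token>
            "device": m.group("device"),
        })
    return records


def find_user(records, username):
    """Return the record whose CN or internal username matches, or None."""
    for r in records:
        if r["username"] == username:
            return r
    return None


if __name__ == "__main__":
    for r in parse_registered_users(SAMPLE_OUTPUT):
        print(f"user={r['username']} uid={r['uid']} token={r['token'][:12]}...")
```

With the real listing piped in, `find_user(records, "JohnD")["token"]` gives the exact value to pass to `fwpush unsub <Token>` or `fwpush del -token <Token>` when a device is lost or a user leaves, which avoids retyping a long masked identifier by hand.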


Data Loss Prevention Commands

For more information about Data Loss Prevention, see the R80.40 Data Loss Prevention Administration Guide.


dlpcmd
Description
Controls the Data Loss Prevention Engine on the Security Gateway.

Syntax on a Security Gateway

dlpcmd [-s]
      action_by_admin <options>
      getquarantined
      getquarantinedcount
      getquarantinedsize
      ramdisk <options>

Parameters

-s
    Silent mode - does not print failure messages on the screen.

action_by_admin <options>
    Sends or deletes the specified quarantined email (identified by its public GUID) from quarantine.
    The available options are:
    - Send (Release) the specified quarantined email:
      dlpcmd action_by_admin 1 {Public GUID of the Quarantined Email} ["Justification for Sending or Deleting"] ["Administrator Name"]
    - Delete (Discard) the specified quarantined email:
      dlpcmd action_by_admin 2 {Public GUID of the Quarantined Email} ["Justification for Sending or Deleting"] ["Administrator Name"]

    Notes:
    - You must enclose the email ID in curly brackets {}.
    - You can see this action in Audit Logs in SmartConsole. For example, see sk117753.

getquarantined
    Shows the list of all quarantined emails.

getquarantinedcount
    Shows the number of all quarantined emails.

getquarantinedsize
    Shows the total size of all emails in quarantine.

ramdisk <options>
    Shows and controls the DLP RAM Disk.
    The available options are:
    - off - Disables the DLP RAM Disk
    - on - Enables the DLP RAM Disk
    - size <Size in MBytes> - Configures the size of the DLP RAM Disk
    - status - Shows the DLP RAM Disk information

    Important - All operations except "status" require a restart of all services ("cpstop" on page 967 and "cpstart" on page 957).

Example

[Expert@MyGW:0]# dlpcmd getquarantined
Printing quarantined mails:
Mail GUID: {8698E6EC-340C-9115-0AB6-F6CA9986147F}; Arrival date: Sun Dec 1 13:38:32 2019; exp date: Sun Dec 8 13:38:32 2019; sender: dataowner-JOHNDOE;
... ... ...
[Expert@MyGW:0]#
[Expert@MyGW:0]# dlpcmd action_by_admin 1 {8698E6EC-340C-9115-0AB6-F6CA9986147F} "Released an Email" "Main Admin"
[Expert@MyGW:0]#
[Expert@MyGW:0]# dlpcmd getquarantined
No quarantined mails
[Expert@MyGW:0]#
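The getquarantined listing above carries an arrival date, an expiry date and a sender per mail, and the action_by_admin Notes require the GUID to keep its curly brackets. The Python below is an added example, not Check Point code: it parses that listing, reports which quarantined mails expire within a given window (so an admin can release or discard them deliberately instead of letting them lapse), and builds a validated action_by_admin command line. The sample output is constructed from the shape shown above (the first GUID is the guide's own example, the second entry is invented), and the ctime-style date format is an assumption read from that example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the "dlpcmd getquarantined" output shown above.
# The first GUID is the guide's own example; the second entry is invented.
SAMPLE_QUARANTINE_OUTPUT = """\
[Expert@MyGW:0]# dlpcmd getquarantined
Printing quarantined mails:
Mail GUID: {8698E6EC-340C-9115-0AB6-F6CA9986147F}; Arrival date: Sun Dec 1 13:38:32 2019; exp date: Sun Dec 8 13:38:32 2019; sender: dataowner-JOHNDOE;
Mail GUID: {0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}; Arrival date: Thu Dec 5 09:12:00 2019; exp date: Thu Dec 12 09:12:00 2019; sender: dataowner-JANEROE;
[Expert@MyGW:0]#
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"   # ctime-style stamp, as in the listing (assumed)

_ENTRY = re.compile(
    r"Mail GUID:\s*(?P<guid>\{[^}]+\});\s*Arrival date:\s*(?P<arrival>[^;]+);"
    r"\s*exp date:\s*(?P<exp>[^;]+);\s*sender:\s*(?P<sender>[^;]+);"
)

# A GUID as dlpcmd expects it: hex groups 8-4-4-4-12, enclosed in curly brackets.
_BRACED_GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_dlp_date(text):
    """Parse a listing timestamp; runs of spaces (ctime pads the day) are collapsed."""
    return datetime.strptime(" ".join(text.split()), DATE_FMT)


def parse_quarantine(text):
    """Return one dict per quarantined mail: guid, arrival, expires, sender.

    Lines are joined before matching because a terminal or a copied listing may
    wrap one entry over two lines; text that is not an entry (banner, prompt,
    "No quarantined mails") simply produces no match.
    """
    flat = " ".join(line.strip() for line in text.splitlines())
    return [
        {
            "guid": m.group("guid"),
            "arrival": parse_dlp_date(m.group("arrival")),
            "expires": parse_dlp_date(m.group("exp")),
            "sender": m.group("sender").strip(),
        }
        for m in _ENTRY.finditer(flat)
    ]


def expiring_within(items, now, hours):
    """GUIDs of quarantined mails whose expiry falls within `hours` after `now`."""
    deadline = now + timedelta(hours=hours)
    return [i["guid"] for i in items if now <= i["expires"] <= deadline]


def action_by_admin_argv(action, guid, justification=None, admin=None):
    """Build the argv for "dlpcmd action_by_admin", refusing malformed input.

    action 1 sends (releases) the mail, 2 deletes (discards) it. The GUID must
    keep its curly brackets, as the Notes above require; a bare GUID is rejected
    here rather than producing a confusing failure on the gateway.
    """
    if action not in (1, 2):
        raise ValueError("action must be 1 (send) or 2 (delete)")
    if not _BRACED_GUID.match(guid):
        raise ValueError("GUID must be enclosed in curly brackets {}")
    argv = ["dlpcmd", "action_by_admin", str(action), guid]
    for extra in (justification, admin):
        if extra is not None:
            argv.append(extra)
    return argv


if __name__ == "__main__":
    items = parse_quarantine(SAMPLE_QUARANTINE_OUTPUT)
    now = parse_dlp_date("Sat Dec 7 12:00:00 2019")   # constructed "current time"
    for guid in expiring_within(items, now, hours=48):
        print("expires soon:", guid, action_by_admin_argv(2, guid, "expired review", "Main Admin"))
```

Because the justification and administrator name end up in the SmartConsole Audit Logs (see the Notes above), passing them explicitly through `action_by_admin_argv` keeps the release or discard decision attributable when the command is later run with `subprocess.run(argv)`.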


VSX Commands
For more information about VSX, see the R80.40 VSX Administration Guide.


cpconfig
Description
This command starts the Check Point Configuration Tool.
This tool configures specific settings for the installed Check Point products.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax

cpconfig

Menu Options

Note - The options shown depend on the configuration and installed products.

Licenses and contracts
    Manages Check Point licenses and contracts on this Security Gateway or Cluster Member.

SNMP Extension
    Obsolete. Do not use this option anymore.
    To configure SNMP, see the R80.40 Gaia Administration Guide - Chapter System Management - Section SNMP.

PKCS#11 Token
    Registers a cryptographic token for use by the Gaia Operating System.
    Shows details of the token, and tests its functionality.

Random Pool
    Configures the RSA keys to be used by the Gaia Operating System.

Secure Internal Communication
    Manages SIC on the Security Gateway or Cluster Member.
    This change requires a restart of Check Point services on the Security Gateway or Cluster Member.
    For more information, see:
    - The R80.40 Security Management Administration Guide.
    - sk65764: How to reset SIC.

Enable cluster membership for this gateway
    Enables the cluster membership on the Security Gateway.
    This change requires a reboot of the Security Gateway.
    For more information, see the:
    - R80.40 Installation and Upgrade Guide.
    - R80.40 ClusterXL Administration Guide.

Disable cluster membership for this gateway
    Disables the cluster membership on the Security Gateway.
    This change requires a reboot of the Security Gateway.
    For more information, see the:
    - R80.40 Installation and Upgrade Guide.
    - R80.40 ClusterXL Administration Guide.

Enable Check Point Per Virtual System State
    Enables Virtual System Load Sharing on the VSX Cluster Member.
    For more information, see the R80.40 VSX Administration Guide.

Disable Check Point Per Virtual System State
    Disables Virtual System Load Sharing on the VSX Cluster Member.
    For more information, see the R80.40 VSX Administration Guide.

Enable Check Point ClusterXL for Bridge Active/Standby
    Enables Check Point ClusterXL for Bridge mode.
    This change requires a reboot of the Cluster Member.
    For more information, see the:
    - R80.40 Installation and Upgrade Guide.
    - R80.40 ClusterXL Administration Guide.

Disable Check Point ClusterXL for Bridge Active/Standby
    Disables Check Point ClusterXL for Bridge mode.
    This change requires a reboot of the Cluster Member.
    For more information, see the:
    - R80.40 Installation and Upgrade Guide.
    - R80.40 ClusterXL Administration Guide.

Check Point CoreXL
    Manages CoreXL on the Security Gateway or Cluster Member.
    After all changes in the CoreXL configuration, you must reboot the Security Gateway or Cluster Member.
    For more information, see the R80.40 Performance Tuning Administration Guide.

Automatic start of Check Point Products
    Shows and controls which of the installed Check Point products start automatically during boot.

Exit
    Exits from the Check Point Configuration Tool.

Example 1 - Menu on a single Security Gateway

[Expert@MySingleGW:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Check Point CoreXL
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

Example 2 - Menu on a Cluster Member

[Expert@MyClusterMember:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :


cpview
Overview of CPView

Description
CPView is a text-based built-in utility on a Check Point computer.
The CPView utility shows statistical data that contains both general system information (CPU, Memory, Disk space) and information for different Software Blades (only on a Security Gateway).
CPView continuously updates the data in easy-to-access views.

On a Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Header
    This view shows the time the statistics in the third view are collected.
    It updates when you refresh the statistics.

Navigation
    This menu bar is interactive. Move between menus with the arrow keys and mouse.
    A menu can have sub-menus, and they show under the menu bar.

View
    This view shows the statistics collected in that view.
    These statistics update at the refresh rate.

Using CPView
Use these keys to navigate CPView:

Arrow keys
    Moves between menus and views. Scrolls in a view.

Home
    Returns to the Overview view.

Enter
    Changes to the View Mode.
    On a menu with sub-menus, the Enter key moves you to the lowest level sub-menu.

Esc
    Returns to the Menu Mode.

Q
    Quits CPView.

Use these keys to change CPView interface options:

R
    Opens a window where you can change the refresh rate.
    The default refresh rate is 2 seconds.

W
    Changes between wide and normal display modes.
    In wide mode, CPView fits the screen horizontally.

S
    Manually sets the number of rows or columns.

M
    Switches the mouse on/off.

P
    Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

C
    Saves the current page to a file. The file name format is:
    cpview_<ID of the cpview process>.cap<Number of the capture>

H
    Shows a tooltip with CPView options.

Space bar
    Immediately refreshes the statistics.


vsenv
Description
Changes the shell's current context to the specified Virtual Device.

Syntax

vsenv [{<VSID> | <Name of Virtual Device>}]

Parameters

No Parameters
    Changes the context to the default Virtual Device 0.

<VSID>
    Specifies the Virtual Device by its ID.

<Name of Virtual Device>
    Specifies the Virtual Device by its Name.

Note - To see the configured Virtual Devices, run the "vsx stat -v" command.

Example 1 - Changing the context to the default Virtual Device 0

[Expert@MyVsxGW:0]# vsenv
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVsxGW:0]#

Example 2 - Changing the context to the specific Virtual Device

[Expert@MyVsxGW:0]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVsxGW:2]#


vsx
Description
- Shows VSX configuration.
- Fetches VSX configuration.
- Shows and configures Memory Resource Control.

Syntax

vsx
      fetch <options>
      fetch_all_cluster_policies
      fetchvs <options>
      get
      mstat <options>
      resctrl
      showncs <options>
      sicreset
      stat <options>
      unloadall
      vspurge

Note - The fw6 vsx commands are not supported.

Parameters

fetch <options>
    Fetches configuration for the VSX Gateway.
    See "vsx fetch" on page 1730.

fetch_all_cluster_policies
    Fetches the security policy for all Virtual Systems and Virtual Routers from cluster peers.
    See "vsx fetch_all_cluster_policies" on page 1732.

fetchvs <options>
    Fetches configuration for a Virtual System.
    See "vsx fetchvs" on page 1733.

get
    Shows the information about the current VSX context.
    See "vsx get" on page 1734.

mstat <options>
    Shows and configures Memory Resource Control.
    See "vsx mstat" on page 1735.

resctrl
    From R80.40, the CPU Resource Control is integrated into the CPView utility.
    1. Go to the context of Virtual System 0:
       - In the Expert mode:
         vsenv
       - In Gaia Clish:
         set virtual-system 0
    2. Run the CPView:
       cpview
       See "cpview" on page 1724.
    3. From the top, click:
       Advanced > VSX > VSs > Physical-Resources
    Notes:
    - This tab shows the CPU consumption by Virtual Systems and by Virtual Routers.
    - The "CPU %" column shows the percentage of CPU used by all the processes of each Virtual System.
      The column shows a percentage of a single CPU (the same behavior as in the "top" command).
      Example:
      - There are 4 CPU cores on the VSX Gateway.
      - The processes of the Virtual System "VS1" are using:
        - 30% of CPU 0
        - 40% of CPU 1
        - 50% of CPU 2
        - 10% of CPU 3
      In such a case, the "CPU %" column shows 130% for VS1.
    - To get the CPU usage for the VSX Gateway / VSX Cluster Member, divide the "CPU %" value in the Total Resource Consumption section by the number of CPU cores.

showncs <options>
    Shows the Check Point Network Configuration Script (NCS) for a Virtual Device.
    See "vsx showncs" on page 1739.

sicreset
    Resets SIC for the Virtual System or Virtual Router in the current VSX context.
    See "vsx sicreset" on page 1740.

stat <options>
    Shows status information for the VSX Gateway.
    See "vsx stat" on page 1741.

unloadall
    Unloads the security policy for all Virtual Systems and Virtual Routers.
    See "vsx unloadall" on page 1744.

vspurge
    Cleans unused entries for Virtual Devices.
    Fetches the configuration file for Virtual Devices.
    See "vsx vspurge" on page 1745.


vsx fetch

Description
Fetches the most current configuration files from the Security Management Server or Main Domain Management Server, and applies them to the VSX Gateway.

Syntax

vsx fetch [-v] [-q] [-s] local
vsx fetch [-v | -q | -s] [-f <Configuration File>]
vsx fetch [-v | -q] -C "NCS Command"
vsx fetch [-v | -q | -c | -n | -s] [<Management Server>]

Parameters

-c
    Specifies that this is a VSX Cluster.

-n
    Specifies not to apply the local.vsall file if the VSX configuration fetched from the Management Server is already up-to-date.

-q
    Specifies to run in quiet mode - shows only summary information.

-s
    Specifies to fetch concurrently for a multi-processor environment.

-v
    Specifies to run in verbose mode - shows detailed information.

local
    Reads the configuration file $FWDIR/state/local/VSX/local.vsall and executes the Network Configuration Script (NCS).

-f <Configuration File>
    Fetches the specified configuration file with NCS commands instead of the default local.vsall file.

-C "NCS Command"
    Executes the specified NCS command.

<Management Server>
    Fetches the local.vsall from the specified Management Server (by resolvable hostname, or IP address), replaces and runs it.
    Note - If you do not specify the Management Server explicitly, the command takes it from the $FWDIR/conf/masters file on the VSX Gateway.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.

Example

[Expert@MyVsxGW:0]# vsx fetch
Fetching VSX Configuration From: 192.168.30.40
Local VSX Configuration is Up-To-Date.
Cleaning un-used Virtual Systems entries (local.vskeep).
Purge operation succeeded.
Fetching Virtual Systems configuration file (local.vsall).
SecureXL device has been enabled for vsid 1
SecureXL device has been enabled for vsid 2
SecureXL device has been enabled for vsid 3
Virtual Systems configuration file installed successfully
[Expert@MyVsxGW:0]#


vsx fetch_all_cluster_policies

Description
Fetches the security policy for all Virtual Systems and Virtual Routers from cluster peers.

Syntax

vsx fetch_all_cluster_policies [-v]

Parameters

-v
    Specifies to run in verbose mode - shows detailed information.

Return Values
- 0 (zero) indicates that the command executed successfully.
- Any other value indicates an error.


vsx fetchvs

vsx fetchvs

Description
Fetches configuration file for the specified Virtual Device based on information stored locally
on the VSX Gateway.

Syntax

vsx fetchvs [-v | -q] [{<VSID> | <Name of Virtual Device>}]

Parameters

Parameter Description

-q Specifies to run in quiet mode - shows only summary


information.

-v Specifies to run in verbose mode - shows detailed


information.

<Name of Virtual Specifies the name of the Virtual Device.


Device>

<VSID> Specifies the ID of the Virtual Device.

Return Values
n 0 (zero) indicates that the command executed successfully.
n Any other value indicates an error.

Example
[Expert@MyVsxGW:0]# vsx fetchvs 2

vsx get

Description
Shows the information about the current VSX context.

Syntax

vsx get

Return Values
n 0 (zero) indicates that the command executed successfully.
n Any other value indicates an error.

Example

[Expert@MyVsxGW:0]# vsx get
Current context is VSX Gateway MyVsxGW (ID 2).
[Expert@MyVsxGW:0]#

vsx mstat

Description
Shows and configures Memory Resource Control.
Output shows these global memory resources:

Resource Description

Memory Total Total physical memory on the VSX Gateway.

Memory Free Available physical memory.

Swap Total Total of swap memory.

Swap Free Available swap memory.

Swap-in rate Total memory swaps per second.

In addition:
1. Run the cpview command (see "cpview" on page 1724).
2. From the top, click:
Advanced > VSX > VSs > Physical-Resources

Syntax

vsx mstat help

vsx mstat
[-vs <VSID>] [unit <Unit>] [sort {<Number> | all}]
debug
disable
enable
status
swap <Minutes>

Parameters

Parameter Description

help Shows the built-in usage.

No Parameters Shows the total memory consumption for each Virtual System.

-vs <VSID> Specifies the Virtual Systems by their IDs.


You can specify:
n One Virtual System.
Example: -vs 1
n Many individual Virtual Systems (separate their IDs with spaces).
Example: -vs 2 3
n A range of Virtual Systems.
Example: -vs 4-6

Note - You can combine all the available options (separate them
with spaces). Example: -vs 1 4-6

unit <Unit> Specifies the memory measurement unit shown in the command output:
n B - bytes
n K - kilobytes
n M - megabytes (default)
n G - gigabytes

sort {<Number> | all}   Sorts the Virtual Systems in the output by their memory size.
                        <Number> specifies the number of Virtual Systems shown in the
                        command output. Use all to show all Virtual Systems.
                        If you do not specify this flag, the Virtual Systems in the
                        output are sorted by their VSID.

debug Shows memory consumption debug information for each Virtual System
by fields, which are defined in the configuration file.

disable Disables the Memory Resource Control.
Note - This change applies immediately and does not require a reboot.

enable Enables the Memory Resource Control.

Note - This change requires a reboot.

status Shows the current Memory Resource Control status.

swap <Minutes>   Specifies the swap-in sample rate in minutes.
                 Enter the number of minutes that the system measures memory swaps
                 to determine the swap-in rate.
                 Only integers are valid values.
                 The default swap-in sample rate is 10.
                 Notes:
                 n Swap-in sample rate is a system-wide Linux setting.
                   When you change the value for memory monitoring, all the
                   swap-in rates are calculated according to the new value.
                 n When you enable the monitoring memory resources feature,
                   the swap-in rate setting is saved.
                   When you disable the feature, the system restores the saved
                   setting.

Return Values
n 0 (zero) indicates that the command executed successfully.
n Any other value indicates an error.

Example 1

[Expert@MyVsxGW:0]# vsx mstat unit M sort all

VSX Memory Status
=================
Memory Total: 7753.95 MB
Memory Free: 7168.71 MB
Swap Total: 3992.71 MB
Swap Free: 3992.71 MB
Swap-in rate: 8796093022208.00 MB

VSID | Memory Consumption
======+====================
0 | 260.79 MB
1 | 0.00 MB

[Expert@MyVsxGW:0]#

Example 2

[Expert@MyVsxGW:0]# vsx mstat -vs 0 unit G

VSX Memory Status
=================
Memory Total: 7.572 GB
Memory Free: 7.001 GB
Swap Total: 3.899 GB
Swap Free: 3.899 GB
Swap-in rate: 8589934592.000 GB

VSID | Memory Consumption
======+====================
0 | 0.255 GB

[Expert@MyVsxGW:0]#

Example 3

[Expert@MyVsxGW:0]# vsx mstat debug

VSX Memory Status
=================
Memory Total: 7940048.00 KB
Memory Free: 7339864.00 KB
Swap Total: 4088532.00 KB
Swap Free: 4088532.00 KB
Swap-in rate: 9007199254740992.00 KB

VSID | Private_Clean | Private_Dirty | DispatcherGConn | DispatcherHTab | SecureXL | DispatcherGConn6 | DispatcherHTab6 | SecureXL6
======+===============+===============+=================+================+=============+==================+=================+===========
0 | 34456.00 KB | 182104.00 KB | 6.09 KB | 0.00 KB | 51071.91 KB | 0.00 KB | 0.00 KB | 0.00 KB
1 | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB

Note: To add a field to memory table please uncomment the required field (delete the leading '#')
To remove a field from memory table please comment out the required field (add a leading '#')
Configuration is done in the file /opt/CPsuite-R80.40/fw1/conf/memoryinfo.conf

[Expert@MyVsxGW:0]#

vsx showncs

Description
Shows Check Point Network Configuration Script (NCS) for a Virtual Device.

Syntax

vsx showncs {<VSID> | <Name of Virtual Device>}

Parameters

Parameter Description

<Name of Virtual Device> Specifies the name of the Virtual Device.

<VSID> Specifies the ID of the Virtual Device.

Return Values
n 0 (zero) indicates that the command executed successfully.
n Any other value indicates an error.

vsx sicreset

Description
Resets SIC for Virtual System or Virtual Router in the current VSX context.

Notes:
n This operation is not supported for the context of VSX Gateway itself (VS0).
n On the Management Server, run the "cpca_client revoke_cert" on page 108
command to cancel the old certificate.
n In SmartConsole, open the Virtual System object and immediately click OK.
This action creates a new certificate, and transfers the certificate to the VSX
Gateway.

Syntax

vsenv {<VSID> | <Name of Virtual Device>}
vsx sicreset {<VSID> | <Name of Virtual Device>}

Parameters

Parameter Description

<Name of Virtual Device> Specifies the name of the Virtual Device.

<VSID> Specifies the ID of the Virtual Device.

Return Values
n 0 (zero) indicates that the command executed successfully.
n Any other value indicates an error.

vsx stat

Description
Shows status information for VSX Gateway.

Syntax

vsx stat [-l] [-v] [<VSID>]

Parameters

Parameter Description

-l Shows a list of all Virtual Devices and their applicable information.

-v Shows a summary table with all Virtual Devices.

<VSID> Specifies a Virtual Device by its ID.

Return Values
n 0 (zero) indicates that the command executed successfully.
n Any other value indicates an error.

Example 1 - Show a summary table with all Virtual Devices.

[Expert@MyVsxGW:2]# vsx stat -v

VSX Gateway Status
==================
Name: VSX1_192.168.3.241
Access Control Policy: VSX_Cluster_VSX
Installed at: 20Sep2019 22:06:33
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 5 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+-------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS_Policy | 20Sep2019 22:07 | <No Policy> | Trust
2 | S VS2 | VS_Policy | 20Sep2019 22:07 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode, R - Virtual Router, W - Virtual Switch.

[Expert@MyVsxGW:2]#

Example 2 - Show a list of all Virtual Devices and their applicable information.

[Expert@MyVsxGW:2]# vsx stat -l

VSID: 0
VRID: 0
Type: VSX Gateway
Name: VSX1_192.168.3.241
Security Policy: VSX_Cluster_VSX
Installed at: 20Sep2019 22:06:33
SIC Status: Trust
Connections number: 5
Connections peak: 43
Connections limit: 14900

VSID: 1
VRID: 1
Type: Virtual System
Name: VS1
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:03
SIC Status: Trust
Connections number: 0
Connections peak: 3
Connections limit: 14900

VSID: 2
VRID: 2
Type: Virtual System
Name: VS2
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:01
SIC Status: Trust
Connections number: 0
Connections peak: 2
Connections limit: 14900
[Expert@MyVsxGW:2]#

Example 3 - Show the information for the specified Virtual Device.

[Expert@MyVsxGW:2]# vsx stat 2

VSID: 2
VRID: 2
Type: Virtual System
Name: VS2
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:01
SIC Status: Trust
Connections number: 0
Connections peak: 2
Connections limit: 14900
[Expert@MyVsxGW:2]#
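The record layout of vsx stat -l lends itself to scripted health checks. The following Python script is an added example, not part of Check Point's tooling: it parses that output (a constructed sample based on the example above, with the values of VS2 changed so that the checks trigger) and flags Virtual Devices whose SIC status is not Trust or whose connection table is close to its limit. The 80% utilization threshold is an assumption.

```python
"""Parse `vsx stat -l` records and flag Virtual Devices that need attention.

Added example for this reference page, not Check Point code. The sample
below is constructed from the guide's example; VS2 has been changed to a
non-Trust SIC state and a nearly full connection table so both checks fire.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the same layout as the `vsx stat -l` output above.
SAMPLE_VSX_STAT_L = """\
VSID: 0
VRID: 0
Type: VSX Gateway
Name: VSX1_192.168.3.241
Security Policy: VSX_Cluster_VSX
Installed at: 20Sep2019 22:06:33
SIC Status: Trust
Connections number: 5
Connections peak: 43
Connections limit: 14900

VSID: 1
VRID: 1
Type: Virtual System
Name: VS1
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:03
SIC Status: Trust
Connections number: 0
Connections peak: 3
Connections limit: 14900

VSID: 2
VRID: 2
Type: Virtual System
Name: VS2
Security Policy: VS_Policy
Installed at: 20Sep2019 22:07:01
SIC Status: Unknown
Connections number: 13500
Connections peak: 14200
Connections limit: 14900
"""


@dataclass
class VirtualDevice:
    vsid: int
    vrid: int
    dev_type: str
    name: str
    policy: str
    installed_at: str
    sic_status: str
    conn_current: int
    conn_peak: int
    conn_limit: int

    @property
    def utilization(self) -> float:
        """Current connections as a fraction of the per-device connection limit."""
        return self.conn_current / self.conn_limit if self.conn_limit else 0.0


def parse_vsx_stat_l(text: str) -> List[VirtualDevice]:
    """Split the output into blank-line separated records and map each
    'Key: value' line of a record onto a VirtualDevice."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if "VSID" not in fields:
            continue   # prompt line or other non-record text
        devices.append(VirtualDevice(
            vsid=int(fields["VSID"]),
            vrid=int(fields["VRID"]),
            dev_type=fields["Type"],
            name=fields["Name"],
            policy=fields["Security Policy"],
            installed_at=fields["Installed at"],
            sic_status=fields["SIC Status"],
            conn_current=int(fields["Connections number"]),
            conn_peak=int(fields["Connections peak"]),
            conn_limit=int(fields["Connections limit"]),
        ))
    return devices


def find_issues(devices: List[VirtualDevice], max_utilization: float = 0.8) -> List[Tuple[int, str]]:
    """Return (vsid, reason) pairs for devices an operator should look at.
    The 0.8 threshold is an assumed operational limit, not a Check Point value."""
    issues = []
    for dev in devices:
        if dev.sic_status != "Trust":
            issues.append((dev.vsid, f"SIC status is {dev.sic_status!r}, not Trust"))
        if dev.utilization >= max_utilization:
            issues.append((dev.vsid, f"connection table at {dev.utilization:.0%} of limit"))
    return issues


if __name__ == "__main__":
    for vsid, reason in find_issues(parse_vsx_stat_l(SAMPLE_VSX_STAT_L)):
        print(f"VSID {vsid}: {reason}")
```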

vsx unloadall

Description
Unloads security policy for all Virtual Systems and Virtual Routers.
See sk33065: Unloading policy from a VSX Security Gateway.

Syntax

vsx unloadall

Return Values
n 0 (zero) indicates that the command executed successfully.
n Any other value indicates an error.

vsx vspurge

Description
Removes Virtual Devices that are no longer defined in the management database, but were
not removed from the VSX Gateway, because the VSX Gateway was down or disconnected
when the Management Server pushed the updated VSX configuration.
This command cleans all unused Virtual Device entries (from the NCS local.vskeep) and
fetches the VSX configuration file (NCS local.vskeep) again.

Syntax

vsx vspurge [-q | -v] [-f <purge_file>]

Parameters

Parameter Description

-q Specifies to run in quiet mode - shows only summary information.

-v Specifies to run in verbose mode - shows detailed information.

-f <purge_file>   Specifies the path and the name of the file, in which the command saves
                  the purged information.

Return Values
n 0 (zero) indicates that the command executed successfully.
n Any other value indicates an error.

vsx_util
Description
Performs various VSX maintenance tasks.
You run this command from the Expert mode on the Management Server (Security
Management Server, or a Main Domain Management Server on Multi-Domain Server).

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.

Syntax

vsx_util -h
vsx_util <Command> [-s <Mgmt Server>] [-u <UserName>] [-c <Name of
VSX Object>] [-m <Name of VSX Cluster Member>]

Parameters

Parameter Description

-h                                Shows the built-in usage.

<Command>                         Specifies the vsx_util sub-command. See the table below.

-s <Mgmt Server>                  Specifies the IP address or resolvable hostname of the Security
                                  Management Server, or Main Domain Management Server.

-u <UserName>                     Specifies the administrator username.

-c <Name of VSX Object>           Specifies the name of the VSX Gateway or VSX Cluster object.

-m <Name of VSX Cluster Member>   Specifies the name of the VSX Gateway or VSX Cluster Member
                                  object.

Important - The vsx_util command requires you to enter this information:
n IP address or Hostname of the Security Management Server, or Main Domain
Management Server.
n Management Server Administrator user name and password.
n The applicable VSX object, on which the command operates.
n Most of the vsx_util sub-commands are interactive and require additional
user input.

The 'vsx_util' sub-commands

Sub-command Description

vsx_util add_member
    Adds a new Cluster Member to a VSX Cluster and pushes the VSX Cluster configuration
    to the new VSX Cluster Member.
    See "vsx_util add_member" on page 1751.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util change_interfaces
    Automatically replaces designated existing interfaces with new interfaces on all
    Virtual Devices, to which the existing interfaces connect.
    See "vsx_util change_interfaces" on page 1753.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util change_mgmt_ip
    Changes the VSX Management IP address (within the same subnet) of a VSX Gateway or
    VSX Cluster Member.
    See "vsx_util change_mgmt_ip" on page 1757.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util change_mgmt_subnet
    Changes (or adds) the VSX Management IP address of a VSX Gateway or VSX Cluster
    Member to a new subnet.
    See "vsx_util change_mgmt_subnet" on page 1758.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util change_private_net
    Changes the IP address of the Internal Communication Network in a VSX Cluster.
    See "vsx_util change_private_net" on page 1760.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util convert_cluster
    Converts the VSX Cluster mode between High Availability (default) and Virtual System
    Load Sharing.
    See "vsx_util convert_cluster" on page 1762.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util downgrade
    Downgrades the version of a VSX Gateway or VSX Cluster in the management database.
    See "vsx_util downgrade" on page 1763.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util reconfigure
    Restores VSX configuration on a VSX Gateway or VSX Cluster Member.
    See "vsx_util reconfigure" on page 1764.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util remove_member
    Removes a Cluster Member from a VSX Cluster.
    See "vsx_util remove_member" on page 1770.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util show_interfaces
    Shows configuration of selected interfaces - interface types, connections to Virtual
    Devices, and IP addresses.
    See "vsx_util show_interfaces" on page 1771.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util upgrade
    Upgrades the version of a VSX Gateway or VSX Cluster in the management database.
    See "vsx_util upgrade" on page 1775.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util view_vs_conf
    Shows configuration of a Virtual Device on the Management Server versus the VSX
    Gateway or VSX Cluster.
    See "vsx_util view_vs_conf" on page 1776.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

vsx_util vsls
    Shows the configuration menu for Virtual System Load Sharing - see status, redistribute,
    export and import configuration.
    See "vsx_util vsls" on page 1780.
    You run this command from the Expert mode on the Management Server (Security
    Management Server, or a Main Domain Management Server on Multi-Domain Server).

Notes
n This command writes its messages to the vsx_util_YYYYMMDD_HH_MM.log file on
the Management Server:
l On a Security Management Server:
$FWDIR/log/vsx_util_YYYYMMDD_HH_MM.log
l On a Multi-Domain Server - if you executed the command in the MDS context:
/opt/CPsuite-R80.40/fw1/log/vsx_util_YYYYMMDD_HH_MM.log
l On a Multi-Domain Server - if you executed the command in the context of a Domain
Management Server:
/opt/CPmds-R80.40/customers/<Name of Domain Management Server>/CPsuite-R80.40/fw1/log/vsx_util_YYYYMMDD_HH_MM.log
n If it is necessary to exit from the vsx_util command's menu, press the CTRL C keys.

Important - Do not press these keys if this command has already started to perform
a change. If you press these keys during the operation, the command does not
save its log file.

vsx_util add_member

Description
Adds a new Cluster Member to a VSX Cluster and pushes the VSX Cluster configuration to the
new VSX Cluster Member.

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.
n On a Multi-Domain Security Management Server, you must switch to the
context of the Main Domain Management Server that manages the VSX
Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain
Management Server>".

Syntax

vsx_util add_member

Required Input
n The applicable VSX Cluster object.
n Name of the new VSX Cluster Member.
n IP address for the management interface.
n IP address for the synchronization interface.
n The one-time Activation Key (SIC activation key)

Comments
n Execute the command and follow the instructions on the screen.
n After the command adds a new Cluster Member to the management database, the
command prompts you to reconfigure the new VSX Cluster Member (to push the VSX
Cluster configuration to it).
l If you enter "y" to reconfigure the new VSX Cluster Member at this time, then the
"vsx_util reconfigure" on page 1764 operation starts automatically on the new VSX
Cluster Member.

Important - You must reboot the new VSX Cluster Member after the
reconfigure operation finishes.

l If you enter "n" to cancel the reconfigure operation on the new VSX Cluster
Member at this time, then later you must manually run the "vsx_util reconfigure" on
page 1764 command for the new VSX Cluster Member.

vsx_util change_interfaces

Description
Automatically replaces designated existing interfaces with new interfaces on all Virtual
Devices, to which the existing interfaces connect.
This command is useful when converting a deployment to use Link Aggregation, especially
where VLANs connect to many Virtual Devices.

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.
n On a Multi-Domain Security Management Server, you must switch to the
context of the Main Domain Management Server that manages the VSX
Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain
Management Server>".

Syntax

vsx_util change_interfaces

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n Where to apply the change (Management Server only, or Management Server and VSX
Gateway / VSX Cluster Members).
n Name of the interface to be replaced.
n Name of the new (replacement) interface.

Comments
n Execute the command and follow the instructions on the screen.
n This command supports the resume feature.
n You can use this command to migrate a VSX deployment from an Open Server to a
Check Point appliance by using the Management Only mode.
n Refer to the Notes section below for additional information.

Procedure

Step Instructions

1  Close all SmartConsole clients that are connected to the Security Management
   Server or Domain Management Servers.

2  Connect to the command line on the Management Server.

3  Log in to the Expert mode.

4  On Multi-Domain Server, go to the context of the Main Domain Management
   Server that manages the applicable VSX Gateway (VSX Cluster) object:
   mdsenv <IP address or Name of Domain Management Server>

5  Run:
   vsx_util change_interfaces

6  Enter the IP address of the Security Management Server or Main Domain
   Management Server.

7  Enter the Management Server administrator username and password.

8  Select the VSX Gateway (VSX Cluster) object.

9  When prompted, select one of the following options:
   n Apply changes to the management database and to the VSX
     Gateway/Cluster members immediately
     Changes the interface on the Management Server and on the VSX Gateway
     (each VSX Cluster Member).
   n Apply changes to the management database only
     Changes the interface on the Management Server only.
     You must run the "vsx_util reconfigure" on page 1764 command to push the
     updated VSX configuration to VSX Gateways (each VSX Cluster Member).

10 Select the interface to be replaced.

11 Select the new (replacement) interface.
   a. You can optionally add a new interface, if you select the A new interface
      name option.
      This interface must physically exist on the VSX Gateway (all VSX Cluster
      Members).
      Otherwise, the operation fails.
   b. At the prompt, enter the new interface name.
      If the new interface is a Bond interface, the interface name must match the
      name of the configured Bond interface exactly.

12 The command prompts you:
   Would you like to change another interface? (y|n) [n]:
   n To replace additional interfaces, enter y.
   n To complete the process, enter n.

13 If you selected the option Apply changes to the management database only,
   you can remove the old (replaced) interfaces from the management database.
   When prompted, enter y:
   Would you like to remove the old interfaces from the database? (y|n) [n]: y

14 Reboot the VSX Gateway (all VSX Cluster Members).

Notes
n The option "Apply changes to the management database and to the VSX
Gateway/Cluster members immediately" verifies connectivity between the
Management Server and the VSX Gateway or VSX Cluster Members. In the event of a
connectivity failure, one of the following occurs:
1. If all of the newly changed interfaces fail to establish connectivity, the process
terminates unsuccessfully.
2. If one or more interfaces successfully establish connectivity, while one or more
other interfaces fail, you may optionally continue the process.
In this case, those interfaces for which connectivity was established successfully
are changed.
For those interfaces that failed, you must resolve the issue and then run the
"vsx_util reconfigure" on page 1764 command to complete the process.
n If you select the option "Apply changes to the management database only", you can
select one of these:
l Another interface from the list (if any are available).
l The option to add a new interface.

vsx_util change_mgmt_ip

Description
Changes the VSX Management IP address of a VSX Gateway or VSX Cluster Member.
This command changes the Management IP address within the same subnet.
For more information, see sk92425.

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.
n On a Multi-Domain Security Management Server, you must switch to the
context of the Main Domain Management Server that manages the VSX
Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain
Management Server>".

Syntax

vsx_util change_mgmt_ip

Required Input
n The applicable VSX Cluster object.
n The applicable VSX Cluster Member object.
n New management IP address.

Comments
n Execute the command and follow the instructions on the screen.

vsx_util change_mgmt_subnet

Description
Changes the VSX Management IP address of a VSX Gateway or VSX Cluster Member.
This command changes the Management IP address from the current subnet to a different
subnet.
For more information, see sk92425.

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.
n On a Multi-Domain Security Management Server, you must switch to the
context of the Main Domain Management Server that manages the VSX
Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain
Management Server>".

Syntax

vsx_util change_mgmt_subnet

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n New management IPv4 address.
n New management IPv4 netmask.
n New management IPv6 address.
n New management IPv6 prefix.
n New IPv4 default gateway.
n New IPv6 default gateway.

Comments
n Execute the command and follow the instructions on the screen.
n This command updates only the routes that were generated automatically.
You must remove and/or change all manually created routes that use the previous
management subnet.
n You must reboot the VSX Gateway (all VSX Cluster Members) after the command
finishes.

vsx_util change_private_net

Description
Changes the IP address of the Internal Communication Network in a VSX Cluster (cluster
private network).

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.
n On a Multi-Domain Security Management Server, you must switch to the
context of the Main Domain Management Server that manages the VSX
Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain
Management Server>".

Syntax

vsx_util change_private_net

Required Input
n The applicable VSX Cluster object.
n New IPv4 address for the cluster private network.
n New IPv4 netmask for the cluster private network.
n New IPv6 address and prefix for the cluster private network.

Comments
n Run the command and follow the instructions on the screen.
n The IP address of the Internal Communication Network must be unique.
This IP address must not be used anywhere in your environment, including the Virtual
Devices on this VSX Cluster.
n The illegal IPv4 addresses are: 0.0.0.0, 127.0.0.0, and 255.255.255.255
n For IPv4 address, the network mask must be one of these:
l 255.255.0.0, or /16
l 255.255.128.0, or /17
l 255.255.192.0, or /18
l 255.255.224.0, or /19
l 255.255.240.0, or /20
l 255.255.248.0, or /21
l 255.255.252.0, or /22 (this is the default)
n For IPv6 address, the new prefix must be /80.
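The address constraints above can be checked before the interactive command is started. This Python validator is an added example, not part of vsx_util: it applies the illegal-address list, the /16 to /22 IPv4 mask range, the /80 IPv6 prefix and, as a conservative reading of the uniqueness rule, checks that no address from a constructed inventory of addresses already in use falls inside the proposed IPv4 network. The in_use inventory and all sample addresses are constructed.

```python
"""Validate a proposed VSX cluster private network against the rules the
guide lists for vsx_util change_private_net. Added example, not Check Point code."""
import ipaddress
from typing import Iterable, List, Optional

# Constraints taken from the guide's Comments for vsx_util change_private_net.
ILLEGAL_IPV4 = {"0.0.0.0", "127.0.0.0", "255.255.255.255"}
ALLOWED_IPV4_PREFIXES = range(16, 23)   # 255.255.0.0 (/16) up to 255.255.252.0 (/22)
DEFAULT_IPV4_MASK = "255.255.252.0"     # the guide's default, /22
REQUIRED_IPV6_PREFIX = 80


def validate_private_net(ipv4: str,
                         ipv4_mask: str = DEFAULT_IPV4_MASK,
                         ipv6: Optional[str] = None,
                         in_use: Iterable[str] = ()) -> List[str]:
    """Return the list of problems found; an empty list means every rule
    checked here is satisfied.

    ipv4_mask accepts the dotted form ("255.255.252.0") or the prefix form ("/22"),
    matching the two notations the guide lists. in_use is a constructed stand-in
    for an inventory of addresses already used in the environment.
    """
    problems: List[str] = []

    if ipv4 in ILLEGAL_IPV4:
        problems.append(f"{ipv4} is one of the illegal IPv4 addresses")

    net4 = None
    try:
        net4 = ipaddress.IPv4Network(f"{ipv4}/{ipv4_mask.lstrip('/')}", strict=False)
    except ValueError as exc:
        problems.append(f"invalid IPv4 address or mask: {exc}")

    if net4 is not None and net4.prefixlen not in ALLOWED_IPV4_PREFIXES:
        problems.append(f"IPv4 mask /{net4.prefixlen} is outside the allowed /16 to /22 range")

    if ipv6 is not None:
        try:
            iface6 = ipaddress.IPv6Interface(ipv6)
        except ValueError as exc:
            problems.append(f"invalid IPv6 address or prefix: {exc}")
        else:
            if iface6.network.prefixlen != REQUIRED_IPV6_PREFIX:
                problems.append(
                    f"IPv6 prefix /{iface6.network.prefixlen} is not /{REQUIRED_IPV6_PREFIX}")

    # Uniqueness rule: nothing already in use may sit inside the new private network.
    if net4 is not None:
        for addr in in_use:
            try:
                candidate = ipaddress.ip_address(addr)
            except ValueError:
                continue   # skip inventory entries that are not plain addresses
            if candidate.version == 4 and candidate in net4:
                problems.append(f"{addr} is already in use and falls inside {net4}")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a /24 (too small), a /64 IPv6 prefix and a clashing address.
    for p in validate_private_net("192.168.196.0", "255.255.255.0",
                                  ipv6="fd00:abcd::/64", in_use=["192.168.196.10"]):
        print("problem:", p)
```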

vsx_util convert_cluster

Description
Converts the VSX Cluster mode between High Availability (default) and Virtual System Load
Sharing.

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.
n On a Multi-Domain Security Management Server, you must switch to the
context of the Main Domain Management Server that manages the VSX
Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain
Management Server>".

Syntax

vsx_util convert_cluster

Required Input
n The applicable VSX Cluster object.
n The ClusterXL mode (case sensitive).

Comments
n Execute the command and follow the instructions on the screen.
n When you convert from Virtual System Load Sharing to High Availability:
l All Virtual Systems are Active on the same VSX Cluster Member by default.
l Peer Virtual Systems are Standby on other VSX Cluster Members.

vsx_util downgrade

Description
Downgrades the version of a VSX Gateway or VSX Cluster in the management database.

Important - You can use this command only if you did not make any configuration
changes after you used the "vsx_util upgrade" command.

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.
n On a Multi-Domain Security Management Server, you must switch to the
context of the Main Domain Management Server that manages the VSX
Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain
Management Server>".

Syntax

vsx_util downgrade

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n The applicable Check Point version.

Comments
n Used only to revert the upgraded VSX Gateway or VSX Cluster object.
n Execute the command and follow the instructions on the screen.
n To deploy the version change to the VSX Cluster Members, you must run the "vsx_util
reconfigure" on page 1764 command.

vsx_util reconfigure

Description
Restores VSX configuration on a VSX Gateway or VSX Cluster Member (for example, after
you perform a clean install following a system failure).

Syntax

vsx_util reconfigure

Important - Before you run the vsx_util commands:
n Back up the VSX environment. See sk100395: How to backup and restore VSX
gateway.
n You must close all SmartConsole clients. Failure to do so may result in a
database lock error.
n On a Multi-Domain Security Management Server, you must switch to the
context of the Main Domain Management Server that manages the VSX
Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain
Management Server>".

Important - Before you run this command on the Management Server, you must
configure specific settings on the cleanly installed VSX Gateway or VSX Cluster
Member as they were:
n IP address of Gaia management interface
n Enable IPv6 support in Gaia
n Configure the applicable interfaces (Bond, VLAN, and so on)
n Configure kernel parameters and their values:
l $FWDIR/boot/modules/fwkern.conf
l $FWDIR/boot/modules/vpnkern.conf
l $PPKDIR/conf/simkern.conf
n Configure CoreXL:
l Number of CoreXL Firewall instances (for IPv4 and IPv6) in the context of
VS0 (run the cpconfig command and select the option Check Point CoreXL)
l $FWDIR/conf/fwaffinity.conf

Required Input
n The applicable VSX Gateway or VSX Cluster object.
n The one-time Activation Key (SIC activation key).

Comments
n Execute the command and follow the instructions on the screen.
n The new VSX Gateway or VSX Cluster Member:
l Must be a new installation.
You cannot use a VSX Gateway or VSX Cluster Member with a previous VSX
configuration.
l Must have the same hardware specifications as the original.
Most importantly, it must have at least the same number of interfaces.
l Must have the same Gaia OS configuration as the original.
Most importantly, it must have the same VSX Management IP address.

Limitations
The reconfigure process does not restore the local configuration that was performed on the VSX Gateway or VSX Cluster Member itself (because this configuration is not stored on the Management Server).

Important - After the reconfigure process is complete and you have rebooted the VSX Gateway or VSX Cluster Member, you must manually configure these settings from scratch or from backed-up files.

These settings and files are not restored during the reconfigure process and you must manually configure them again:
- Any OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).
- Backup files and Gaia snapshots saved in the past on the VSX Gateway or VSX Cluster Member.
- Any settings manually defined in various configuration files on the VSX Gateway or VSX Cluster Member.
- Any Check Point configuration files.

Note - Some of these files do not exist by default. Some files are configured on each VSX Gateway and VSX Cluster Member, and some files are configured for each Virtual System.

List of the most important files
- $FWDIR/boot/modules/fwkern.conf
- $FWDIR/boot/modules/vpnkern.conf
- $FWDIR/conf/fwaffinity.conf
- $FWDIR/conf/fwauthd.conf
- $FWDIR/conf/local.arp
- $FWDIR/conf/discntd.if
- $FWDIR/conf/cpha_bond_ls_config.conf
- $FWDIR/conf/resctrl
- $FWDIR/conf/vsaffinity_exception.conf
- $FWDIR/database/qos_policy.C
- simkern.conf
  - In R80.20 and higher: $PPKDIR/conf/simkern.conf
  - In R80.10 and lower: $PPKDIR/boot/modules/simkern.conf
- sim_aff.conf
  - In R80.20 and higher: $PPKDIR/conf/sim_aff.conf
  - In R80.10 and lower: $PPKDIR/boot/modules/sim_aff.conf
- /var/ace/sdconf.rec
- /var/ace/sdopts.rec
- /var/ace/sdstatus.12
- /var/ace/securid


Example

This example shows how the VSX configuration is restored on a VSX Cluster Member.

[Expert@MDS:0]# vsx_util reconfigure

******************************************************************************************
* Note: the operation you are about to perform changes the information in the management *
* database. Back up the database before continuing.                                      *
******************************************************************************************

Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'): 192.168.3.240
Enter Administrator Name: ******
Enter Administrator Password: ******
Select VSX gateway/cluster object name:
1) VSX_Cluster
Select: 1

Select VSX member name to reconfigure:
1) VSX1_192.168.3.241
2) VSX2_192.168.3.242
Select: 1
You are about to perform reconfigure on VSX gateway/cluster, please read sk97552.
Are you sure you want to continue [y/n]? y
Enter Activation Key:
Retype Activation Key:

1/10 : Certificate Revocation [#######################################] 100% 00:00:01
2/10 : Certificate Replacement [#######################################] 100% 00:00:06
3/10 : Connectivity Check [#######################################] 100% 00:00:05
4/10 : Fetching Configuration [#######################################] 100% 00:00:02
5/10 : Verifying Configuration [#######################################] 100% 00:00:00
6/10 : Installing policy on: VSX_Cluster [#######################################] 100% 00:00:21
7/10 : Converting Gateway to VSX [#######################################] 100% 00:02:13
8/10 : Generating Activation Keys [#######################################] 100% 00:00:00
9/10 : Reconfiguring [#######################################] 100% 00:00:03
10/10 : Pushing Configuration [#######################################] 100% 00:00:44

Database saved successfully.

===================== SUMMARY =====================

---- Reconfigure gateway operation completed successfully

************************************************************
IMPORTANT:
When you are managing a VSX cluster,
make sure that the new reconfigured member has the same number of
IPv4, and IPv6 firewall instances as the other VSX cluster members.
Run cpconfig command to show and edit CoreXL settings.
NOTE:
In case of adding a new cluster member to a VSX Cluster,
while using 'ClusterXL Virtual System Load Sharing'
make sure to run 'vsx_util vsls' after rebooting the
gateway in order for the Virtual Systems to become active
on the newly added VSX cluster member.

IMPORTANT: Please reboot the gateway

************************************************************

Logging details are available at /opt/CPmds-R80.40/customers/MyDomain_Server/CPsuite-R80.40/fw1/log/vsx_util_20190917_13_16.log

[Expert@MDS:0]#

vsx_util remove_member

Description
Removes a Cluster Member from a VSX Cluster.

Important - Before you run the vsx_util commands:
- Back up the VSX environment. See sk100395: How to backup and restore VSX gateway.
- You must close all SmartConsole clients. Failure to do so may result in a database lock error.
- On a Multi-Domain Security Management Server, you must switch to the context of the Main Domain Management Server that manages the VSX Gateway / VSX Cluster object.
  Use the command "mdsenv <IP Address or Name of Domain Management Server>".

Syntax

vsx_util remove_member

Required Input
- The applicable VSX Cluster object.
- The applicable VSX Cluster Member object.

Comments
- Before you run this command:
  - Make sure to remove (detach) the license from the VSX Cluster Member.
  - Make sure to run the "cphastop" on page 1287 command to avoid unexpected failover from the VSX Cluster Member.
  - Make sure to disconnect the VSX Cluster Member from all networks, except from the Management Server.
- Execute the command and follow the instructions on the screen.

vsx_util show_interfaces

Description
Shows the configuration of selected interfaces: interface types, connections to Virtual Devices, and IP addresses.
The command shows the information on the screen and also saves it to the interfacesconfig.csv file in the current working directory.

Important - On a Multi-Domain Security Management Server, you must switch to the context of the Main Domain Management Server that manages the VSX Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain Management Server>".

Syntax

vsx_util show_interfaces

Required Input
- The applicable VSX Gateway or VSX Cluster object.
- Which interfaces to show:

  Menu Option                 Description
  1) All Interfaces           Shows all interfaces (Physical and Warp).
  2) All Physical Interfaces  Shows only Physical interfaces.
  3) All Warp Interfaces      Shows only Warp interfaces.
  4) A Specific Interface     Prompts you to enter the name of the specific interface to show.
                              Note - You cannot specify a VLAN tag as a parameter. You can, however, specify an interface used as a VLAN (without the tag) to see all VLAN tags associated with that interface. See the example below.

Example
[Expert@MGMT:0]# vsx_util show_interfaces

Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'): 172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:
1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW_1
4) VSX_GW_2
Select: 1

Which interface would you like to display?
1) All Interfaces
2) All Physical Interfaces
3) All Warp Interfaces
4) A Specific Interface
Enter your choice: 1

+-------------------+---------------------+----+-----------------------------------------------------+
| Type & Interface  | Virtual Device Name |VSID| IP / Mask length                                    |
+-------------------+---------------------+----+-----------------------------------------------------+
|M eth0             |VSX_Cluster_1        |0   |v4 172.16.16.98/24 v6 2001:0DB8::98/64               |
+-------------------+---------------------+----+-----------------------------------------------------+
|S eth1             |VSX_Cluster_1        |0   |v4 10.0.0.0/24                                       |
+-------------------+---------------------+----+-----------------------------------------------------+
|U eth2             |VS1                  |1   |v4 192.0.2.2/24 v6 2001:0DB8:c::1/64                 |
+-------------------+---------------------+----+-----------------------------------------------------+
|U eth3             |VS1                  |1   |v4 192.168.3.3/24 v6 2001:0DB8:b::1/64               |
+-------------------+---------------------+----+-----------------------------------------------------+
|A eth4             |                     |    |                                                     |
+-------------------+---------------------+----+-----------------------------------------------------+
|U eth5             |VS2                  |2   |v4 10.10.10.10/24 v6 2001:0DB8:a::1/64               |
+-------------------+---------------------+----+-----------------------------------------------------+
|A eth6             |                     |    |                                                     |
+-------------------+---------------------+----+-----------------------------------------------------+

#Type: M - Management Interface S - Synchronization Interface
# V - VLAN Interface W - Warp Interface
# U - Used Interface A - Available Interface
# X - Unknown Interface E - Error in Interface Properties

Logging details are available at /opt/CPsuite-R80.40/fw1/log/vsx_util_20210625_17_45.log

[Expert@MGMT:0]#
[Expert@MGMT:0]# cat interfacesconfig.csv
Interface Name , Type ,Virtual Device Name , VSID , IPv4 Address , IPv4 mask length, IPv6 Address, IPv6 mask length
eth0,M,VSX_Cluster_1,0,172.16.16.98,24,2001:0DB8::98,64
eth1,S,VSX_Cluster_1,0,10.0.0.0,24,,
eth2,U,VS1,192.0.2.2,24,2001:0DB8:c::1,64
eth3,U,VS1,192.168.3.3,24,2001:0DB8:b::1,64
eth4,A
eth5,U,VS2,10.10.10.10,24,2001:0DB8:a::1,64
eth6,A

#Type: M - Management Interface S - Synchronization Interface
# V - VLAN Interface W - Warp Interface
# U - Used Interface A - Available Interface
# X - Unknown Interface E - Error in Interface Properties

[Expert@MGMT:0]#

vsx_util upgrade

Description
Upgrades the version of a VSX Gateway or VSX Cluster in the management database.

Important - Before you run the vsx_util commands:
- Back up the VSX environment. See sk100395: How to backup and restore VSX gateway.
- You must close all SmartConsole clients. Failure to do so may result in a database lock error.
- On a Multi-Domain Security Management Server, you must switch to the context of the Main Domain Management Server that manages the VSX Gateway / VSX Cluster object.
  Use the command "mdsenv <IP Address or Name of Domain Management Server>".

Syntax

vsx_util upgrade

Required Input
- The applicable VSX Gateway or VSX Cluster object.
- The applicable Check Point version.

Comments
- Execute the command and follow the instructions on the screen.
- After the command finishes, you must run the "vsx_util reconfigure" on page 1764 command.
- To revert this upgrade, run the "vsx_util downgrade" on page 1763 command.

vsx_util view_vs_conf

Description
Compares the configuration of all Virtual Devices on the Management Server and the actual
configuration on the VSX Gateway or VSX Cluster Members.

Important - On a Multi-Domain Security Management Server, you must switch to the context of the Main Domain Management Server that manages the VSX Gateway / VSX Cluster object.
Use the command "mdsenv <IP Address or Name of Domain Management Server>".

Syntax

vsx_util view_vs_conf

Required Input
- The applicable VSX Gateway or VSX Cluster object.
- The applicable Virtual Device object.

Example
[Expert@MGMT:0]# vsx_util view_vs_conf


Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for
'localhost'): 172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:


1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW
4) VSX_GW_2
Select: 1

Select Virtual Device object name:


1) VS1
2) VS2
3) VS3
4) VSX_Cluster
Select: 1

Type: Virtual System

Interfaces configuration table:

+---------------------------------------------------+-----+-------------------+
|Interfaces |Mgmt |VSX GW(s) |
+----------+----------------------------------------+-----+---------+---------+
|Name |IP / Mask length | |mem 1 |mem2 |
+----------+----------------------------------------+-----+---------+---------+
|eth2 |v4 10.0.0.0/24 v6 2001:db8::abc::1/64 | V | V | V |
|eth3 |v4 10.10.10.10/24 v6 2001:db8::3121/64 | V | V | V |
+----------+----------------------------------------+-----+---------+---------+

Interfaces Table Legend:

V - Interface exists on the gateway and matches management information (if defined on the
management).
- - Interface does not exist on the gateway.
N/A - Fetching Virtual Device configuration from the gateway failed.
!IP - Interface exists on the gateway, but there is an IP address mismatch.
!MASK - Interface exists on the gateway, but there is a Net Mask mismatch.

Routing table:

+----------------------------------------------------------+-----+-------------+
|Ipv4 Routes |Mgmt |VSX GW(s) |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway |Interface | |mem1 |mem2 |
+--------------------------+--------------------+----------+-----+------+------+
|2.2.2.0/24 | |eth2 | V | V | V |
|3.3.3.0/24 | |eth3 | V | V | V |
+--------------------------+--------------------+----------+-----+------+------+
+--------------------------+--------------------+----------+-----+------+------+

+----------------------------------------------------------+-----+-------------+
|Ipv6 Routes |Mgmt |VSX GW(s) |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway |Interface | |mem1 |mem2 |
+--------------------------+--------------------+----------+-----+------+------+
|2001:db8::abc::/64 | |eth2 | V | !NH | !NH |
|2001:db8:0a::/64 | |eth3 | V | !NH | !NH |
+--------------------------+--------------------+----------+-----+------+------+
|2001:db8::1ffe:0:0:0/112 | |eth2 | - | V | V |
|2001:db8::fd9a:0:1:0/112 | |eth3 | - | V | V |
+--------------------------+--------------------+----------+-----+------+------+

Routing Table Legend:

V - Route exists on the gateway and matches management information (if defined on the
management).
- - Route does not exist on the gateway.
N/A - Fetching Virtual Device configuration from the gateway failed.
!NH - Route exists on the gateway, but there is a Next Hop mismatch.

Note: Routes can be created automatically on the gateways by the Operating System.
Therefore, routes that appear on all gateways, but are not defined on the management,
do not necessarily indicate a problem.

Logging details are available at /opt/CPsuite-R80.40/fw1/log/vsx_util_20210625_18_11.log

[Expert@MGMT:0]#
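The tables above are meant to be read by an administrator, but the same output can be checked mechanically for drift between the management database and the cluster members. The following parser is an added example (not Check Point code); the sample output is abridged from the guide's example, with one constructed "!IP" cell so that an interface mismatch is present.

```python
# Parser for the tables "vsx_util view_vs_conf" prints (added example, not Check Point code).
# Every status cell that is not "V" becomes a finding. Following the note in the command's
# output, a route that exists on all gateways but not on the management is tagged "info"
# rather than "mismatch", because the Operating System may create such routes itself.
from typing import Dict, List

OK = "V"  # legend: exists on the gateway and matches management information


def _cells(line: str) -> List[str]:
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_vs_conf_tables(text: str) -> Dict[str, List[dict]]:
    """Return {table title: rows}; each row has 'key' plus one status per Mgmt/member column."""
    tables: Dict[str, List[dict]] = {}
    title, status_cols = None, []
    for line in text.splitlines():
        if not line.strip().startswith("|"):  # '+---' separators and prose are not rows
            continue
        cells = _cells(line)
        if "Mgmt" in cells:  # title row, e.g. |Interfaces |Mgmt |VSX GW(s) |
            title, status_cols = cells[0], []
            tables[title] = []
        elif any(c.startswith("mem") for c in cells):  # column row; the blank cell is Mgmt
            status_cols = ["Mgmt"] + [c for c in cells if c.startswith("mem")]
        elif title is not None and status_cols:
            row = {"key": cells[0]}  # interface name or route destination
            row.update(zip(status_cols, cells[-len(status_cols):]))
            tables[title].append(row)
    return tables


def find_mismatches(text: str) -> List[dict]:
    """List every cell whose status is not 'V', tagged 'mismatch' or 'info'."""
    findings = []
    for table, rows in parse_vs_conf_tables(text).items():
        for row in rows:
            members = [c for c in row if c not in ("key", "Mgmt")]
            for column in ["Mgmt"] + members:
                status = row[column]
                if status == OK:
                    continue
                os_route = (table.endswith("Routes") and column == "Mgmt" and status == "-"
                            and all(row[m] == OK for m in members))
                findings.append({"table": table, "key": row["key"], "column": column,
                                 "status": status, "severity": "info" if os_route else "mismatch"})
    return findings


# Constructed sample, abridged from the guide's example output; the "!IP" cell is added here
# to show an interface mismatch.
SAMPLE_OUTPUT = """\
Interfaces configuration table:

+---------------------------------------------------+-----+-------------------+
|Interfaces                                         |Mgmt |VSX GW(s)          |
+----------+----------------------------------------+-----+---------+---------+
|Name      |IP / Mask length                        |     |mem 1    |mem2     |
+----------+----------------------------------------+-----+---------+---------+
|eth2      |v4 10.0.0.0/24 v6 2001:db8::abc::1/64   |  V  |  V      |  V      |
|eth3      |v4 10.10.10.10/24 v6 2001:db8::3121/64  |  V  |  !IP    |  V      |
+----------+----------------------------------------+-----+---------+---------+

Routing table:

+----------------------------------------------------------+-----+-------------+
|Ipv6 Routes                                               |Mgmt |VSX GW(s)    |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway             |Interface |     |mem1  |mem2  |
+--------------------------+--------------------+----------+-----+------+------+
|2001:db8:0a::/64          |                    |eth3      |  V  | !NH  | !NH  |
|2001:db8::fd9a:0:1:0/112  |                    |eth3      |  -  |  V   |  V   |
+--------------------------+--------------------+----------+-----+------+------+
"""
```

Feed the saved output of a real run to find_mismatches and alert only on the "mismatch" findings; the "info" ones are the OS-created routes the command's note describes.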

vsx_util vsls

Description
Shows the configuration menu for Virtual System Load Sharing - status, redistribute, export,
and import of configuration.

Important - Before you run the vsx_util commands:
- Back up the VSX environment. See sk100395: How to backup and restore VSX gateway.
- You must close all SmartConsole clients. Failure to do so may result in a database lock error.
- On a Multi-Domain Security Management Server, you must switch to the context of the Main Domain Management Server that manages the VSX Gateway / VSX Cluster object.
  Use the command "mdsenv <IP Address or Name of Domain Management Server>".

Syntax

vsx_util vsls

Required Input
- The applicable VSX Cluster object.
- The applicable redistribution option.

Comments
- Execute the command and follow the instructions on the screen.
- If the command output shows "Operation not allowed. Object is not a Virtual System Load Sharing cluster.", then run the "vsx_util convert_cluster" on page 1762 command.

Example

[Expert@MGMT:0]# vsx_util vsls


Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for
'localhost'): 172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:


1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW_1
4) VSX_GW_2
Select: 1

VS Load Sharing - Menu


________________________________
1. Display current VS Load sharing configuration
2. Distribute all Virtual Systems so that each cluster member is equally loaded
3. Set all VSes active on one member
4. Manually set priority and weight
5. Toggle VSLS mode between Active Up and Primary Up
6. Import configuration from a file
7. Export configuration to a file
8. Exit

Enter redistribution option (1-8) [1]:

vsx_provisioning_tool
This section describes the VSX Provisioning Tool (the vsx_provisioning_tool command).

Description
This tool allows the VSX administrator to add and remove Virtual Devices (Virtual Systems, Virtual Routers, Virtual Switches), interfaces and routes from the command line of a Security Management Server or Domain Management Server.
This allows the automation of the required VSX Provisioning operations in the environment.

Syntax

vsx_provisioning_tool -h
vsx_provisioning_tool [-s <Mgmt Server>] {-u <Username> | -c <Certificate>} -p <Password>
        -o <Commands> [-a] -L
        -f <Input File> [-l <Line>] [-a] -L

Parameters

-h
    Shows the built-in usage.

-s <Mgmt Server>
    Specifies the Security Management Server or the applicable Domain Management Server.
    Enter the IPv4 or IPv6 address, or the resolvable hostname.
    This parameter is mandatory when you run the tool:
    - From a SmartConsole computer
    - On a Multi-Domain Server

-u <Username>
    Specifies the Management Server administrator's user name.

-c <Certificate>
    Specifies the path and the name for the Management Server administrator's certificate file.

-p <Password>
    Specifies the password of the:
    - Management Server administrator
    - Certificate file

-o <Commands>
    Executes the commands you enter on the command line.
    See "vsx_provisioning_tool Commands" on page 1786.

-f <Input File>
    Specifies the path and the name for the file with the commands to execute.
    The tool treats all text that begins with a hash sign (#) as a comment and ignores it.
    This way you can add comments on separate lines, or in-line.
    See:
    - "Transactions" on page 1785
    - "vsx_provisioning_tool Commands" on page 1786

-l <Line>
    Specifies the line number in <Input File>, from which to start to execute the commands.
    You can use this "-l" parameter only together with the "-f" parameter.

-a
    Specifies that before the tool executes the specified commands, it must make sure it can connect to all VSX Gateways.
    Note - This does not guarantee that a VSX Gateway can successfully apply all the specified commands.

-L
    Specifies local authentication mode.

Exit Codes

Exit Code   Description
0           The tool successfully applied all changes, on all VSX Cluster Members.
1           The tool successfully applied all changes to the management database, but not to all VSX Cluster Members.
2           The tool successfully applied all changes, but SIC communication failed to establish with at least one VSX Cluster Member.
3           Connectivity test failed with at least one VSX Cluster Member (if you used the "-a" parameter).
            The tool did not apply changes to the management database, or to the VSX Cluster Member.
4           The tool failed to apply changes (due to internal error, syntax error, or another reason).

Note - If commands are executed from a file with multiple transactions, the exit code refers to the last transaction processed.

Example 1
Run the tool on the Security Management Server.
Execute the commands from the text file /var/log/vsx.txt.

vsx_provisioning_tool -s localhost -u admin -p mypassword -f /var/log/vsx.txt

Example 2
Run the tool on the Multi-Domain Server in the context of the Domain Management Server called MyDomain.
Create a new Virtual System object called VS1 on the VSX Cluster object called VSXCluster1.
In the new Virtual System object, on the interface eth4, add a VLAN interface with VLAN ID 100 and IPv4 address 1.1.1.1/24.

mdsenv MyDomain
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vd name VS1 vsx VSXCluster1, add interface name eth4.100 ip 1.1.1.1/24

Transactions
Notes:
- A transaction is a set of operations performed on one Virtual Device.
- The utility commits all operations to the management database together when the transaction ends.
  If the transaction fails, the utility discards all its commands.
- You must specify the name of the Virtual Device with a parameter in the first command.
  You do not need to specify this name again in other commands of the same transaction.
- You cannot send operations to different Virtual Devices in one transaction.
- You cannot start a new transaction until you exit the one before.
- When you send commands with the "-o" parameter, you can enter multiple commands (for example: add a Virtual System and then add interfaces and routes to it).
  Separate the commands with a comma ( , ).
  All the commands are one transaction.
  The "-o" parameter does not support explicit transaction commands.
- When you send commands with the "-f" parameter, you can use explicit transaction commands (see "vsx_provisioning_tool Commands" on page 1786).
- Commands from a file can be one or more transactions:
  - If not inside a transaction, the current line is one transaction, which the utility automatically commits.
    You can write multiple commands in one line (as one transaction), separated with a comma ( , ).
  - If currently inside a transaction, the utility processes the lines, but does not take action until the transaction ends.

vsx_provisioning_tool Commands
All vsx_provisioning_tool commands are pairs of a key and a value.
The first two words in each command must appear in the correct order.
Other pairs can be written in any order.

Explicit Transaction Commands

Operation                  Command Syntax
Begin a new transaction    transaction begin
End a transaction          transaction end
Cancel a transaction       transaction cancel

Note - SIC with the Virtual System is established automatically. If it fails, operations
continue, and the transaction returns error code 2.
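The transaction rules from the "Transactions" section and the explicit transaction commands above can be applied to a "-f" command file before it is handed to the tool, so that a file the tool would reject (or partially apply) is caught offline. The checker below is an added example, not Check Point code; it assumes that commands for objects other than "vd" name their Virtual Device with a "vd <Name>" pair, which this page does not state, and it does not validate the command vocabulary itself.

```python
# Offline checker for a vsx_provisioning_tool "-f" command file (added example, not Check
# Point code). It applies the transaction rules this guide states: '#' comments, comma-separated
# commands, implicit one-line transactions, explicit 'transaction begin/end/cancel', one Virtual
# Device per transaction and nothing after 'remove vd'. The command vocabulary is not checked.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Command:
    verb: str     # add, remove, set, transaction
    obj: str      # vd, vsx, interface, route, begin, end, cancel, ...
    params: dict  # remaining key/value pairs; their order does not matter
    line: int

    def device(self) -> Optional[str]:
        # 'vd' commands carry the Virtual Device in 'name'; for other objects this example
        # assumes a 'vd <Name>' pair (an assumption, not stated on this page).
        return self.params.get("name") if self.obj == "vd" else self.params.get("vd")


@dataclass
class Transaction:
    device: Optional[str] = None
    commands: List[Command] = field(default_factory=list)
    explicit: bool = False


def parse_command(text: str, lineno: int) -> Command:
    """The first two words are fixed; everything after them is key/value pairs."""
    words = text.split()
    if len(words) < 2:
        raise ValueError(f"line {lineno}: incomplete command {text!r}")
    rest = words[2:]
    if len(rest) % 2:
        raise ValueError(f"line {lineno}: unpaired key/value in {text!r}")
    return Command(words[0], words[1], dict(zip(rest[0::2], rest[1::2])), lineno)


def _append(txn: Transaction, cmd: Command) -> None:
    # Enforce the per-transaction rules while adding one command.
    if txn.commands and (txn.commands[-1].verb, txn.commands[-1].obj) == ("remove", "vd"):
        raise ValueError(f"line {cmd.line}: no commands allowed after 'remove vd'")
    dev = cmd.device()
    if not txn.commands:
        if dev is None:
            raise ValueError(f"line {cmd.line}: first command must name the Virtual Device")
        txn.device = dev
    elif dev is not None and dev != txn.device:
        raise ValueError(f"line {cmd.line}: transaction is for {txn.device!r}, not {dev!r}")
    txn.commands.append(cmd)


def parse_provisioning_file(text: str) -> List[Transaction]:
    """Return the transactions the tool would commit, in order; cancelled ones are dropped."""
    committed: List[Transaction] = []
    explicit: Optional[Transaction] = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, on its own line or in-line
        if not line:
            continue
        implicit: Optional[Transaction] = None  # outside begin/end, one line is one transaction
        for part in line.split(","):
            cmd = parse_command(part, lineno)
            if cmd.verb != "transaction":
                if explicit is None and implicit is None:
                    implicit = Transaction()
                _append(explicit if explicit is not None else implicit, cmd)
            elif cmd.obj == "begin":
                if explicit is not None:
                    raise ValueError(f"line {lineno}: previous transaction not ended")
                explicit = Transaction(explicit=True)
            elif cmd.obj in ("end", "cancel"):
                if explicit is None:
                    raise ValueError(f"line {lineno}: 'transaction {cmd.obj}' outside a transaction")
                if cmd.obj == "end":
                    committed.append(explicit)  # 'cancel' discards everything since 'begin'
                explicit = None
            else:
                raise ValueError(f"line {lineno}: unknown transaction command {cmd.obj!r}")
        if implicit is not None:
            committed.append(implicit)  # automatically committed at the end of the line
    if explicit is not None:
        raise ValueError("file ends inside an open transaction")
    return committed


def check_provisioning_file(text: str) -> Optional[str]:
    # None when the file passes the checks, otherwise the first error message.
    try:
        parse_provisioning_file(text)
    except ValueError as err:
        return str(err)
    return None


# Constructed input; the object names follow the guide's own examples.
SAMPLE_FILE = """\
add vd name VS1 vsx VSXCluster1, add interface name eth4.100 ip 1.1.1.1/24  # one transaction
transaction begin
add vd name VS2 vsx VSXCluster1 type vsbm vs_mtu 9000
add interface vd VS2 name eth5.200 ip 10.0.0.1/24
transaction end
transaction begin
add vd name VS3 vsx VSXCluster1
transaction cancel
remove vd name VirtSwitch1
"""
```

Because the tool's exit code only describes the last transaction of a file (see "Exit Codes"), rejecting a malformed file before the run is the only way to be sure no earlier transaction was silently committed.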

Adding a VSX Gateway

Description
This command adds a new VSX Gateway object.

Syntax

add vsx type gateway name <Name of VSX Gateway Object> version <Version> main_ip <Main IPv4 Address> main_ip6 <Main IPv6 Address> sic_otp <Activation Key> [rule_snmp {enable | disable}] [rule_ssh {enable | disable}] [rule_ping {enable | disable}] [rule_ping6 {enable | disable}] [rule_https {enable | disable}] [rule_drop {enable | disable}]

Note - In this transaction, you can only add the "set physical interface" command.

Parameters

type gateway
    Value: gateway
    Notes: You must use the value "gateway" to add a new VSX Gateway object.

name <Name of VSX Gateway Object>
    Value: Object name
    Notes: Defines the name of the VSX Gateway object.
           You cannot use spaces or Check Point reserved words.

version <Version>
    Value: Check Point version
    Notes: Defines the Check Point version of the VSX Gateway object.
           You must enter the exact version as it appears in SmartConsole (case-sensitive).

main_ip <Main IPv4 Address>
    Value: IPv4 Address
    Notes: Defines the main IPv4 Address of the VSX Gateway object.

main_ip6 <Main IPv6 Address>
    Value: IPv6 Address
    Notes: Defines the main IPv6 Address of the VSX Gateway object.

sic_otp <Activation Key>
    Value: SIC password
    Notes: You must enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Gateway.

rule_snmp {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all SNMP packets sent to the VSX Gateway:
           - enable - Allows all SNMP packets
           - disable - Drops all SNMP packets (default)

rule_ssh {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all SSH packets sent to the VSX Gateway:
           - enable - Allows all SSH packets
           - disable - Drops all SSH packets (default)

rule_ping {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all ICMP Echo Request (ping) packets sent to the VSX Gateway:
           - enable - Allows all IPv4 ping packets
           - disable - Drops all IPv4 ping packets (default)

rule_ping6 {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all ICMPv6 Echo Request (ping) packets sent to the VSX Gateway:
           - enable - Allows all IPv6 ping packets
           - disable - Drops all IPv6 ping packets (default)

rule_https {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all HTTPS packets sent to the VSX Gateway:
           - enable - Allows all HTTPS packets
           - disable - Drops all HTTPS packets (default)

rule_drop {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all packets (other than SNMP, SSH, ICMP, ICMPv6, HTTPS) sent to the VSX Gateway:
           - enable - Drops all other packets (default)
           - disable - Allows all other packets

Example

vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vsx name VSX_GW1 type gateway main_ip 192.168.20.1 version R80.40 sic_otp ABCDEFG rule_ssh enable rule_ping enable

Adding a VSX Cluster

Description
This command adds a new VSX Cluster object.

Syntax

add vsx type cluster name <Name of VSX Cluster Object> version <Version> main_ip <Main Virtual IPv4 Address> main_ip6 <Main Virtual IPv6 Address> cluster_type {vsls | ha | crbm} sync_if_name <Name of Sync Interface> sync_netmask <Sync Interface Netmask> [rule_snmp {enable | disable}] [rule_ssh {enable | disable}] [rule_ping {enable | disable}] [rule_ping6 {enable | disable}] [rule_https {enable | disable}] [rule_drop {enable | disable}]

Important - You must run the "add vsx_member" command for each VSX Cluster Member in the same transaction as the "add vsx type cluster name" command.

Parameters

type cluster
    Value: cluster
    Notes: You must use the value "cluster" to add a new VSX Cluster object.

name <Name of VSX Cluster Object>
    Value: Object name
    Notes: Defines the name of the VSX Cluster object.
           You cannot use spaces or Check Point reserved words.

version <Version>
    Value: Check Point version
    Notes: Defines the Check Point version of the VSX Cluster object.
           You must enter the exact version as it appears in SmartConsole (case-sensitive).

main_ip <Main Virtual IPv4 Address>
    Value: IPv4 Address
    Notes: Defines the main IPv4 Virtual Address of the VSX Cluster object.

main_ip6 <Main Virtual IPv6 Address>
    Value: IPv6 Address
    Notes: Defines the main IPv6 Virtual Address of the VSX Cluster object.


cluster_type {vsls | ha | crbm}
    Value: Cluster type
    Notes: Defines the cluster type. Enter one of these:
           - vsls - Virtual System Load Sharing mode
           - ha - High Availability mode
           - crbm - X-Series appliances (former BlueCoat / Crossbeam)

sync_if_name <Name of Sync Interface>
    Value: Sync interface name
    Notes: Defines the name of the Cluster Synchronization interface.

sync_netmask <Sync Interface Netmask>
    Value: IPv4 Network mask
    Notes: Defines an IPv4 Netmask for the Cluster Synchronization interface (in a dot-quad format X.X.X.X).

rule_snmp {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all SNMP packets sent to the VSX Cluster Members:
           - enable - Allows all SNMP packets
           - disable - Drops all SNMP packets (default)

rule_ssh {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all SSH packets sent to the VSX Cluster Members:
           - enable - Allows all SSH packets
           - disable - Drops all SSH packets (default)

rule_ping {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all ICMP Echo Request (ping) packets sent to the VSX Cluster Members:
           - enable - Allows all IPv4 ping packets
           - disable - Drops all IPv4 ping packets (default)

rule_ping6 {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all ICMPv6 Echo Request (ping) packets sent to the VSX Cluster Members:
           - enable - Allows all IPv6 ping packets
           - disable - Drops all IPv6 ping packets (default)


rule_https {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all HTTPS packets sent to the VSX Cluster Members:
           - enable - Allows all HTTPS packets
           - disable - Drops all HTTPS packets (default)

rule_drop {enable | disable}
    Value: enable, disable
    Notes: Controls how to process all packets (other than SNMP, SSH, ICMP, ICMPv6, HTTPS) sent to the VSX Cluster Members:
           - enable - Drops all other packets (default)
           - disable - Allows all other packets

Example

vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vsx name VSX1 type cluster cluster_type vsls main_ip 192.168.1.1 version R80.40 sync_if_name eth3 sync_netmask 255.255.255.0 rule_ssh enable rule_ping enable

Adding a Virtual Device

Description
This command adds a new Virtual Device object:
- Virtual System
- Virtual System in Bridge Mode
- Virtual Switch
- Virtual Router

Syntax

add vd name <Name of Virtual Device Object> vsx <Name of VSX Gateway or VSX Cluster Object> [type {vs | vsbm | vsw | vr}] [vs_mtu <MTU>] [instances <Number of IPv4 CoreXL Firewall instances>] [instances6 <Number of IPv6 CoreXL Firewall instances>] [main_ip <Main IPv4 Address>] [main_ip6 <Main IPv6 Address>] [calc_topo_auto {true | false}]

Parameters

name <Name of Virtual Device Object>
    Value: Object name
    Notes: Defines the name of the Virtual Device object.
           Mandatory parameter, if this is the first command in a transaction.

vsx <Name of VSX Gateway or VSX Cluster Object>
    Value: Parent object name
    Notes: Defines the name of the applicable VSX Gateway or VSX Cluster object, in which you create this Virtual Device.
           You cannot use spaces or Check Point reserved words.
           Mandatory parameter.

type {vs | vsbm | vsw | vr}
    Value: Type of Virtual Device
    Notes: Defines the type of the Virtual Device:
           - vs - Virtual System (default)
           - vsbm - Virtual System in Bridge Mode
           - vsw - Virtual Switch
           - vr - Virtual Router


vs_mtu <MTU>
    Value: Integer
    Notes: Defines the Global MTU value for all interfaces.
           This parameter is applicable only for a:
           - Virtual System in Bridge Mode (type vsbm)
           - Virtual Switch (type vsw)
           Default is 1500 bytes.
           Note - For a Virtual Switch, if you do not add a VLAN or physical interface in the same transaction, the utility ignores this value.

instances <Number of IPv4 CoreXL Firewall instances>
    Value: Integer
    Notes: Defines the number of IPv4 CoreXL Firewall instances.
           This parameter is applicable only for a:
           - Virtual System (type vs)
           - Virtual System in Bridge Mode (type vsbm)
           Default is 1.
           For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide.

instances6 <Number of IPv6 CoreXL Firewall instances>
    Value: Integer
    Notes: Defines the number of IPv6 CoreXL Firewall instances.
           This parameter is applicable only for a:
           - Virtual System (type vs)
           - Virtual System in Bridge Mode (type vsbm)
           Default is 1.
           For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide.


main_ip <Main IPv4 Address>
    Value: IPv4 Address
    Notes: Defines the main IPv4 Address of the Virtual Device object.
           This parameter is applicable only for a:
           - Virtual System (type vs)
           - Virtual Router (type vr)
           Note - If you do not specify this value explicitly, the utility uses the IPv4 address of the first interface added to the new device.

main_ip6 <Main IPv6 Address>
    Value: IPv6 Address
    Notes: Defines the main IPv6 Address of the Virtual Device object.
           This parameter is applicable only for a:
           - Virtual System (type vs)
           - Virtual Router (type vr)
           Note - If you do not specify this value explicitly, the utility uses the IPv6 address of the first interface added to the new device.

calc_topo_auto {true | false}
    Value: true, false
    Notes: Defines how to calculate topology based on routes:
           - true - Automatically calculate topology based on routes (default)
           - false - Does not calculate topology based on routes (administrator can configure it manually)
           This parameter is applicable only for a:
           - Virtual System (type vs)
           - Virtual Router (type vr)

Example - Adding a Virtual Switch "VirtSwitch1" to the VSX Gateway "VSX_GW1"


vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vd name VirtSwitch1 vsx VSX_GW1 type vsw

Deleting a Virtual Device

Description
This command deletes a Virtual Device object:
- Virtual System
- Virtual System in Bridge Mode
- Virtual Switch
- Virtual Router
You cannot delete a Virtual Device if:
- It is referenced by a policy rule.
- It is referenced by other objects.
- It is enabled for global use in a Multi-Domain Security Management environment.

Important - After you delete a Virtual Device, you cannot have more commands in the same transaction.

Syntax

remove vd name <Name of Virtual Device Object>

Parameters

name <Name of Virtual Device Object>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

Example
vsx_provisioning_tool -s localhost -u admin -p mypassword -o remove vd name VirtSwitch1

Modifying Settings of a Virtual Device

Description
This command changes the settings of an existing Virtual Device object:
- Virtual System
- Virtual System in Bridge Mode
- Virtual Switch
- Virtual Router

Syntax

set vd name <Name of Virtual Device Object> [vs_mtu <MTU>]
    [instances <Number of IPv4 CoreXL Firewall instances>]
    [instances6 <Number of IPv6 CoreXL Firewall instances>]
    [main_ip <Main IPv4 Address>] [main_ip6 <Main IPv6 Address>]
    [calc_topo_auto {true | false}]

Parameters

name <Name of Virtual Device Object>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

vs_mtu <MTU>
    Value: Integer
    Specifies the Global MTU value for all interfaces.
    This parameter is applicable only for a:
    - Virtual System in Bridge Mode
    - Virtual Switch
    Default is 1500 bytes.

instances <Number of IPv4 CoreXL Firewall instances>
    Value: Integer
    Specifies the number of IPv4 CoreXL Firewall instances.
    This parameter is applicable only for a:
    - Virtual System
    - Virtual System in Bridge Mode
    Default is 1.
    For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide.

instances6 <Number of IPv6 CoreXL Firewall instances>
    Value: Integer
    Specifies the number of IPv6 CoreXL Firewall instances.
    This parameter is applicable only for a:
    - Virtual System
    - Virtual System in Bridge Mode
    Default is 1.
    For more information about CoreXL, see the R80.40 Performance Tuning Administration Guide.

main_ip <Main IPv4 Address>
    Value: IPv4 Address
    Specifies the main IPv4 Address of the Virtual Device object.
    This parameter is applicable only for a:
    - Virtual System
    - Virtual Router
    Note - To remove the current IPv4 address, set the value to "empty". For example: set vd name VS1 main_ip empty

main_ip6 <Main IPv6 Address>
    Value: IPv6 Address
    Specifies the main IPv6 Address of the Virtual Device object.
    This parameter is applicable only for a:
    - Virtual System
    - Virtual Router
    Note - To remove the current IPv6 address, set the value to "empty". For example: set vd name VS1 main_ip6 empty

calc_topo_auto {true | false}
    Value: true or false
    Specifies how to calculate the topology based on routes:
    - true - Automatically calculates the topology based on routes (default)
    - false - Does not calculate the topology based on routes (the administrator can configure it manually)
    This parameter is applicable only for a:
    - Virtual System
    - Virtual Router

Example
vsx_provisioning_tool -s localhost -u admin -p mypassword -o set vd name VS1 instances 8 main_ip 192.0.2.6 calc_topo_auto false

Adding an Interface to a Virtual Device

Description
This command adds an interface to an existing Virtual Device object:
- Virtual System
- Virtual System in Bridge Mode
- Virtual Switch
- Virtual Router

Syntax

add interface vd <Device Object Name> {name <Interface> | leads_to <VSW or VR Object Name>}
    [ip <IPv4 Address>{/<IPv4 Prefix Length> | netmask <IPv4 Netmask> | prefix <IPv4 Prefix>}]
    [ip6 <IPv6 Address>{/<IPv6 Prefix Length> | netmask6 <IPv6 Netmask> | prefix6 <IPv6 Prefix>}]
    [propagate {true | false}] [propagate6 {true | false}]
    [topology {external | internal_undefined | internal_this_network | internal_specific [specific_group <Network Group Object Name>]}]
    [mtu <MTU>]

The "ip" and "ip6" settings are shown as optional because they apply only to a Virtual System or a Virtual Router (see the parameter notes); an interface on a Virtual Switch or a Virtual System in Bridge Mode is added without them.

Parameters

vd <Device Object Name>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

name <Interface>
    Value: Interface name
    Specifies the name of the physical or VLAN interface.
    Note - You must use the "name" or "leads_to" parameter, but not both.

leads_to <VSW or VR Object Name>
    Value: Object name
    Specifies the name of the Virtual Switch or Virtual Router object, to which this interface connects.
    This parameter is applicable only for a Virtual System.
    Note - You must use the "name" or "leads_to" parameter, but not both.

ip <IPv4 Address>{/<IPv4 Prefix> | netmask <IPv4 Netmask> | prefix <IPv4 Prefix>}
    Value: IPv4 configuration
    Specifies the IPv4 settings:
    - <IPv4 Address> - IPv4 address
    - <IPv4 Prefix> - Integer between 1 and 32
    - <IPv4 Netmask> - Number in the format X.X.X.X
    This parameter is applicable only for a:
    - Virtual System
    - Virtual Router
    For interfaces on a Virtual System that connect to a Virtual Router, you must use the maximum possible length for the IPv4 address family:
    - Netmask 255.255.255.255
    - Prefix 32

ip6 <IPv6 Address>{/<IPv6 Prefix> | netmask6 <IPv6 Netmask> | prefix6 <IPv6 Prefix>}
    Value: IPv6 configuration
    Specifies the IPv6 settings:
    - <IPv6 Address> - IPv6 address
    - <IPv6 Prefix> - Integer between 64 and 128
    - <IPv6 Netmask> - Number in the format XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
    This parameter is applicable only for a:
    - Virtual System
    - Virtual Router
    For interfaces on a Virtual System that connect to a Virtual Router, you must use the maximum possible length for the IPv6 address family:
    - Netmask FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
    - Prefix 128

propagate {true | false}
    Value: true or false
    Controls whether to propagate the IPv4 routes to adjacent Virtual Devices:
    - true - Propagate the IPv4 routes
    - false - Do not propagate the IPv4 routes (default)
    Note - This parameter is applicable only for a Virtual System with VLAN or physical interfaces.

propagate6 {true | false}
    Value: true or false
    Controls whether to propagate the IPv6 routes to adjacent Virtual Devices:
    - true - Propagate the IPv6 routes
    - false - Do not propagate the IPv6 routes (default)
    Note - This parameter is applicable only for a Virtual System with VLAN or physical interfaces.

topology {external | internal_undefined | internal_this_network | internal_specific}
    Value: external, internal_undefined, internal_this_network or internal_specific
    Specifies the Topology configuration of the interface:
    - external - External interface.
    - internal_undefined - Internal interface with undefined topology. This is the default for a Virtual System in Bridge Mode.
    - internal_this_network - Internal interface. This is the default for a Virtual System and a Virtual Router. A Virtual System in Bridge Mode does not support this topology.
    - internal_specific - Internal interface with topology defined by the specified Network Group object.
    This parameter is applicable only for a:
    - Virtual System
    - Virtual System in Bridge Mode
    - Virtual Router

specific_group <Network Group Object Name>
    Value: Name of Network Group Object
    If you specified the "topology internal_specific" parameter, then specify the name of the Network Group object that contains the applicable Network objects.
    This parameter is applicable only if you disable the automatic topology calculation.

mtu <MTU>
    Value: Integer
    Specifies the MTU value for this interface.
    Default is 1500 bytes.
    This parameter is applicable only for a:
    - Virtual System
    - Virtual Router

Example - Adding the VLAN interface eth4.100 with the IPv4 address 1.1.1.1/24 to the Virtual System "VirtSystem1"
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add interface vd VirtSystem1 name eth4.100 ip 1.1.1.1/24

Removing an Interface from a Virtual Device

Description
This command removes an interface from an existing Virtual Device object:
- Virtual System
- Virtual System in Bridge Mode
- Virtual Switch
- Virtual Router

Important:
- If the interface you remove leads to a Virtual Router, all routes through that interface are removed automatically.
- You must remove all subordinate interfaces of a bridge interface in the same transaction. This also removes the bridge interface.

Note - If there are routes that have a next-hop IP address, which would become inaccessible without this interface, the transaction fails.

Syntax

remove interface vd <Name of Virtual Device Object> {name <Name of Interface> | leads_to <Name of VSW or VR Object>}

Parameters

vd <Name of Virtual Device Object>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

name <Name of Interface>
    Value: Interface name
    Specifies the name of the physical or VLAN interface.
    Note - You must use the "name" or "leads_to" parameter, but not both.

leads_to <Name of VSW or VR Object>
    Value: Object name
    Specifies the name of the Virtual Switch or Virtual Router object, to which this interface connects.
    This parameter is applicable only for a Virtual System.
    Note - You must use the "name" or "leads_to" parameter, but not both.

Example 1 - Removing a VLAN interface from the Virtual System "VS1"
vsx_provisioning_tool -s localhost -u admin -p mypassword -o remove interface vd VS1 name eth4.100

Example 2 - Removing all subordinate interfaces "eth2" and "eth3" of a bridge interface in the Virtual System "VS1"
vsx_provisioning_tool -s localhost -u admin -p mypassword -o remove interface vd VS1 name eth2, remove interface vd VS1 name eth3

Modifying Settings of an Interface

Description
This command changes the settings of an interface that belongs to an existing Virtual Device object:
- Virtual System
- Virtual System in Bridge Mode
- Virtual Switch
- Virtual Router

Note - You cannot change or remove the IP address or netmask of an existing interface with this command. You can remove the interface and add a new interface with a different IP address, but not all the previous interface settings are kept.

Syntax

set interface vd <Name of Virtual Device Object>
    {name <Name of Interface> [new_name <Name of New Interface>] | leads_to <Name of VSW or VR Object> [new_leads_to <Name of New VSW or VR Object>]}
    [propagate {true | false}] [propagate6 {true | false}]
    [topology {external | internal_undefined | internal_this_network | internal_specific [specific_group <Network Group Object Name>]}]
    [mtu <MTU>]

Parameters

vd <Name of Virtual Device Object>
    Value: Object name
    Specifies the name of the Virtual Device object.
    Mandatory parameter, if this is the first command in a transaction.

name <Name of Interface>
    Value: Interface name
    Specifies the name of the physical or VLAN interface.
    Note - You must use the "name" or "leads_to" parameter, but not both.

new_name <Name of New Interface>
    Value: Interface name
    Changes the name of the interface, but not its type.
    Note - You can change a VLAN or physical interface only to another VLAN or physical interface.

leads_to <Name of VSW or VR Object>
    Value: Object name
    Specifies the name of the Virtual Switch or Virtual Router object, to which this interface connects.
    This parameter is applicable only for a Virtual System.
    Note - You must use the "name" or "leads_to" parameter, but not both.

new_leads_to <Name of New VSW or VR Object>
    Value: Object name
    Changes where the interface leads:
    - You can change an interface that leads to a Virtual Switch only to lead to a different Virtual Switch.
    - You can change an interface that leads to a Virtual Router only to lead to a different Virtual Router.

propagate {true | false}
    Value: true or false
    Controls whether to propagate the IPv4 routes to adjacent Virtual Devices:
    - true - Propagate the IPv4 routes
    - false - Do not propagate the IPv4 routes (default)
    Note - This parameter is applicable only for a Virtual System with VLAN or physical interfaces.

propagate6 {true | false}
    Value: true or false
    Controls whether to propagate the IPv6 routes to adjacent Virtual Devices:
    - true - Propagate the IPv6 routes
    - false - Do not propagate the IPv6 routes (default)
    Note - This parameter is applicable only for a Virtual System with VLAN or physical interfaces.

topology {external | internal_undefined | internal_this_network | internal_specific}
    Value: external, internal_undefined, internal_this_network or internal_specific
    Specifies the Topology configuration of the interface:
    - external - External interface.
    - internal_undefined - Internal interface with undefined topology. This is the default for a Virtual System in Bridge Mode.
    - internal_this_network - Internal interface. This is the default for a Virtual System and a Virtual Router. A Virtual System in Bridge Mode does not support this topology.
    - internal_specific [specific_group <Network Group Object Name>] - Internal interface with topology defined by the specified Network Group object.
    This parameter is applicable only for a:
    - Virtual System
    - Virtual System in Bridge Mode
    - Virtual Router

specific_group <Network Group Object Name>
    Value: Name of Network Group Object
    If you specified the "topology internal_specific" parameter, then specify the name of the Network Group object that contains the applicable Network objects.
    Note - This parameter is applicable only if you disable the automatic topology calculation with the "set vd ... calc_topo_auto false" command (see "Modifying Settings of a Virtual Device" on page 1798).

mtu <MTU>
    Value: Integer
    Specifies the MTU value for this interface.
    Default is 1500 bytes.
    This parameter is applicable only for a:
    - Virtual System
    - Virtual Router

Example - On the Virtual System "VS1", change the VLAN interface eth4.100 to the physical interface eth5, enable IPv4 route propagation, and set the topology to the Network Group "NYGWs"
vsx_provisioning_tool -s localhost -u admin -p mypassword -o set interface vd VS1 name eth4.100 new_name eth5 propagate true topology internal_specific specific_group NYGWs

Adding a Route

Description
This command adds an IPv4 or IPv6 route to an existing Virtual System or Virtual Router object.

Note - This command detects IPv4 and IPv6 automatically.

Syntax

add route vd <Name of VS or VR Object> destination {<IP Address>[/<IP Prefix>] | default | default6}
    [{netmask <IP Netmask> | prefix <IP Prefix>}]
    {next_hop <Next Hop IP Address> | leads_to <Name of VS or VR Object>}
    [propagate {true | false}]

Parameters

vd <Name of VS or VR Object>
    Value: Object name
    Specifies the name of the Virtual System or Virtual Router object.
    Mandatory parameter, if this is the first command in a transaction.

destination {<IP Address>[/<IP Prefix>] | default | default6}
    Value: See the notes
    Specifies the route destination settings:
    - <IP Address> - IPv4 or IPv6 address
    - <IP Prefix> - For IPv4, an integer between 1 and 32; for IPv6, an integer between 64 and 128
    - default - Use the default IPv4 route
    - default6 - Use the default IPv6 route

netmask <IP Netmask>
    Value: Number
    Specifies an IP Netmask:
    - For IPv4 - Number in the format X.X.X.X
    - For IPv6 - Number in the format XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

prefix <IP Prefix>
    Value: Integer
    Specifies the IP address prefix length:
    - For IPv4 - Integer between 1 and 32
    - For IPv6 - Integer between 64 and 128

next_hop <Next Hop IP Address>
    Value: IP Address
    Specifies the IP address of the next hop of the route.
    Notes:
    - This IP address must be on a subnet of an existing interface.
    - You must use the "next_hop" or "leads_to" parameter, but not both.

leads_to <Name of VS or VR Object>
    Value: Object name
    Specifies the name of the Virtual System or Virtual Router object, which is the next hop for the configured route.
    Note - You must use the "next_hop" or "leads_to" parameter, but not both.

propagate {true | false}
    Value: true or false
    Controls whether to propagate the IP routes to adjacent Virtual Devices:
    - true - Propagate the IP routes
    - false - Do not propagate the IP routes (default)
    Note - The "propagate" parameter is applicable only if you specified the "next_hop" parameter.

Example - Adding a route on the Virtual System "VS1" that uses the default IPv4 route as a destination and the Virtual Router "VR3" as the next hop
vsx_provisioning_tool -s localhost -u admin -p mypassword -o add route vd VS1 destination default leads_to VR3

Removing a Route

Description
This command removes an IPv4 or IPv6 route from an existing Virtual System or Virtual Router object.

Note - This command detects IPv4 and IPv6 automatically.

Syntax

remove route vd <Name of VS or VR Object> destination {<IP Address>[/<IP Prefix>] | default | default6} [{netmask <IP Netmask> | prefix <IP Prefix>}]

Parameters

vd <Name of VS or VR Object>
    Value: Object name
    Specifies the name of the Virtual System or Virtual Router object.
    Mandatory parameter, if this is the first command in a transaction.

destination {<IP Address>[/<IP Prefix>] | default | default6}
    Value: See the notes
    Specifies the route destination settings:
    - <IP Address> - IPv4 or IPv6 address
    - <IP Prefix> - For IPv4, an integer between 1 and 32; for IPv6, an integer between 64 and 128
    - default - Use the default IPv4 route
    - default6 - Use the default IPv6 route

netmask <IP Netmask>
    Value: Number
    Specifies an IP Netmask:
    - For IPv4 - Number in the format X.X.X.X
    - For IPv6 - Number in the format XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

prefix <IP Prefix>
    Value: Integer
    Specifies the IP address prefix length:
    - For IPv4 - Integer between 1 and 32
    - For IPv6 - Integer between 64 and 128

Example - Removing the route from the Virtual System "VS1" that uses the default IPv6 route as a destination
vsx_provisioning_tool -s localhost -u admin -p mypassword -o remove route vd VS1 destination default6

Showing Virtual Device Data

Description
This command shows the information about an existing Virtual Device object.

Syntax

show vd name <Name of Virtual Device Object>

Parameters

name <Name of Virtual Device Object>
    Value: Name of the Virtual Device
    Specifies the name of the Virtual Device object.
    Mandatory parameter.

Comments
- The command shows only non-automatic routes.
- The command does not show routes that are created automatically with route propagation.
- For a Virtual Router and a Virtual Switch: the command does not show the wrpj interfaces (created automatically) that connect to Virtual Systems.

Script Examples

Example 1
Create a Virtual System connected to a Virtual Router.
Add a default route on the Virtual System that routes the traffic to the Virtual Router.
Add applicable routes on the Virtual Router to route the traffic to the Virtual System.

transaction begin
add vd name VR1 vsx VSX1 type vr
add interface name eth3.100 ip 10.0.0.1/24
transaction end
transaction begin
add vd name VR2 vsx VSX2 type vr
add interface name eth3.200 ip 20.0.0.1/24
transaction end
transaction begin
add vd name VS1 vsx VSX1
add interface leads_to VR1 ip 192.168.1.1/32
add interface name eth4.20 ip 192.168.20.1/24 propagate true
add route destination default leads_to VR1
add route destination 192.168.40.0/25 next_hop 192.168.20.254
transaction end

Example 2
Create a Virtual System connected to a Virtual Switch, with manual topology.

transaction begin
add vd name VSW1 vsx VSX1 type vsw vs_mtu 1400
add interface name eth3.100
transaction end
transaction begin
add vd name VS1 vsx VSX1 calc_topo_auto false
add interface leads_to VSW1 ip 10.0.0.1/24 ip6 2001::1/64 topology external
add interface name eth4.20 ip 192.168.20.1/25 ip6 2020::1/64 topology internal_this_network
add route destination default next_hop 10.0.0.254
add route destination default6 next_hop 2001::254
transaction end

Example 3
Add CoreXL Firewall instances to the Virtual System made in the previous example.
Turn on automatic calculation of topology.
Change the name of the internal interface, and decrease its MTU.

transaction begin
set vd name VS1 instances 4 instances6 2 calc_topo_auto true
set interface name eth4.20 new_name eth4.21 mtu 1400
transaction end
</gr_repl ace>
<gr_insert after="78494" cat="add_content" lang="python" orig="4 transaction end">
A provisioning script of this kind is validated only when it reaches the Management Server, and a failed transaction is rolled back as a whole. The following Python linter is an added example, not part of the guide and not Check Point's tooling: it applies the constraints stated in the "Adding a Virtual Device", "Deleting a Virtual Device", "Adding an Interface to a Virtual Device", "Removing an Interface from a Virtual Device" and "Adding a Route" sections to a script before it is submitted. It checks that the first command of a transaction identifies the device, that no command follows "remove vd" in the same transaction, that interface commands use exactly one of "name" or "leads_to", that "add route" uses exactly one of "next_hop" or "leads_to" and takes "propagate" only with "next_hop", that a Virtual System interface leading to a Virtual Router carries a /32 (or /128) address, and that type-bound parameters such as "vs_mtu" or "instances" match the device type. It assumes only the script form of the examples above (one command per line between "transaction begin" and "transaction end"); the sample script it carries is constructed for the demonstration and is not taken from the guide.

```python
"""Lint a vsx_provisioning_tool transaction script against the constraints the
reference states for the vd, interface and route commands. Added example, not
Check Point code; it assumes only the script form of the guide's Script
Examples (one command per line between 'transaction begin' and 'transaction
end'). Device types are learned from 'add vd ... type' lines, so type-dependent
checks are skipped for devices the script did not add."""
import shlex

# parameter -> device types the reference lists it as applicable to
VD_ONLY = {"vs_mtu": {"vsbm", "vsw"}, "instances": {"vs", "vsbm"},
           "instances6": {"vs", "vsbm"}, "main_ip": {"vs", "vr"},
           "main_ip6": {"vs", "vr"}, "calc_topo_auto": {"vs", "vr"}}
IF_ONLY = {"ip": {"vs", "vr"}, "ip6": {"vs", "vr"}, "mtu": {"vs", "vr"},
           "leads_to": {"vs"}, "propagate": {"vs"}, "propagate6": {"vs"},
           "topology": {"vs", "vsbm", "vr"}}

def prefix_len(kv, ip_key, pfx_key, mask_key):
    """Prefix length from 'ip X/len', 'prefix N' or a dotted/colon netmask."""
    if "/" in kv.get(ip_key, ""):
        return int(kv[ip_key].split("/")[1])
    if pfx_key in kv:
        return int(kv[pfx_key])
    if mask_key in kv:
        base = 10 if "." in kv[mask_key] else 16
        return sum(bin(int(g or "0", base)).count("1")
                   for g in kv[mask_key].replace(":", ".").split("."))
    return None

def not_applicable(kv, table, dtype, err):
    for param, allowed in table.items():
        if param in kv and dtype and dtype not in allowed:
            err(f"'{param}' is not applicable to a device of type '{dtype}'")

def lint_command(verb, obj, kv, types, cur, err):
    dtype = types.get(cur)
    if obj == "vd":
        if verb == "add":                      # remember the type for later checks
            types[cur] = dtype = kv.get("type", "vs")
        not_applicable(kv, VD_ONLY, dtype, err)
    elif obj == "interface":
        if ("name" in kv) == ("leads_to" in kv):
            err("interface commands take exactly one of 'name' or 'leads_to'")
        if verb != "remove":
            not_applicable(kv, IF_ONLY, dtype, err)
            if "specific_group" in kv and kv.get("topology") != "internal_specific":
                err("'specific_group' requires 'topology internal_specific'")
            if types.get(kv.get("leads_to")) == "vr":  # VS-to-VR link is a host address
                if "ip" in kv and prefix_len(kv, "ip", "prefix", "netmask") != 32:
                    err("an interface leading to a Virtual Router needs /32 (255.255.255.255)")
                if "ip6" in kv and prefix_len(kv, "ip6", "prefix6", "netmask6") != 128:
                    err("an interface leading to a Virtual Router needs /128")
    elif obj == "route":
        if verb == "add" and ("next_hop" in kv) == ("leads_to" in kv):
            err("add route takes exactly one of 'next_hop' or 'leads_to'")
        if "propagate" in kv and "next_hop" not in kv:
            err("'propagate' on a route applies only together with 'next_hop'")

def lint(script):
    """Return ['line N: message', ...]; an empty list means the script passed."""
    findings, types, cur, in_tx, first, closed = [], {}, None, False, True, False
    for n, raw in enumerate(script.splitlines(), 1):
        tok = shlex.split(raw)
        if not tok or tok[0].startswith("#"):
            continue
        err = lambda msg, n=n: findings.append(f"line {n}: {msg}")
        if tok[:2] in (["transaction", "begin"], ["transaction", "end"]):
            if (tok[1] == "begin") == in_tx:
                err(f"unbalanced 'transaction {tok[1]}'")
            in_tx, first, closed, cur = tok[1] == "begin", True, False, None
            continue
        if not in_tx:
            err("command outside a transaction")
            continue
        if closed:
            err("no command may follow 'remove vd' in the same transaction")
        verb, obj = tok[0], tok[1] if len(tok) > 1 else ""
        kv = dict(zip(tok[2::2], tok[3::2]))   # every parameter takes one value
        cur = kv.get("name" if obj == "vd" else "vd", cur)
        if first and cur is None:
            err("the first command in a transaction must identify the device")
        first, closed = False, closed or (verb, obj) == ("remove", "vd")
        lint_command(verb, obj, kv, types, cur, err)
    return findings

# Constructed sample, not from the guide: the second transaction has four defects.
SAMPLE = """transaction begin
add vd name VR9 vsx VSX1 type vr
transaction end
transaction begin
add vd name VS9 vsx VSX1 vs_mtu 1400
add interface leads_to VR9 ip 192.168.9.1/24
add route destination default leads_to VR9 propagate true
remove vd name VS9
add route vd VS9 destination 10.0.0.0/8 next_hop 10.9.0.254
transaction end
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "script passed")
```

Running the module prints one finding per defective line of the sample (the "vs_mtu" on a Virtual System, the /24 on the link to VR9, the "propagate" without "next_hop", and the command after "remove vd"); the guide's own Example 1 script passes cleanly. The checks are deliberately limited to what the reference states, so the tool stays a pre-flight filter rather than a substitute for the server-side validation.
<test>
GOOD = """transaction begin
add vd name VR1 vsx VSX1 type vr
add interface name eth3.100 ip 10.0.0.1/24
transaction end
transaction begin
add vd name VS1 vsx VSX1
add interface leads_to VR1 ip 192.168.1.1/32
add interface name eth4.20 ip 192.168.20.1/24 propagate true
add route destination default leads_to VR1
add route destination 192.168.40.0/25 next_hop 192.168.20.254
transaction end
"""
assert lint(GOOD) == []
found = lint(SAMPLE)
assert [f.split(":")[0] for f in found] == ["line 5", "line 6", "line 7", "line 9"]
assert "vs_mtu" in found[0]
assert "/32" in found[1]
assert "propagate" in found[2]
assert "remove vd" in found[3]
assert prefix_len({"netmask": "255.255.255.255"}, "ip", "prefix", "netmask") == 32
assert prefix_len({"ip": "10.0.0.1/24"}, "ip", "prefix", "netmask") == 24
assert prefix_len({"netmask6": "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"}, "ip6", "prefix6", "netmask6") == 128
assert lint("add vd name X vsx Y") == ["line 1: command outside a transaction"]
assert lint("transaction end") == ["line 1: unbalanced 'transaction end'"]
</test>
</gr_insert>
<gr_replace lines="78496-78500" cat="remove_boilerplate" orig="R80.40 CLI">

R80.40 CLI Reference Guide | 1818


QoS Commands

QoS Commands
For more information about QoS, see the R80.40 QoS Administration Guide.

etmstart
Description
Starts the QoS Software Blade on the Security Gateway - starts the QoS daemon fgd50, and
fetches the QoS policy from the Management Servers configured in the
$FWDIR/conf/masters file on the Security Gateway.
For more information, see:
- R80.40 QoS Administration Guide
- sk41585: How to control and debug FloodGate-1 (QoS)

Syntax

etmstart

Example

[Expert@MyGW:0]# etmstart
QoS: Starting fgd50

QoS: Fetching QoS Policy from masters


Fetching QoS Software Blade Policy:
Received Policy. Downloading...

eth0(inbound), eth0(outbound).
Download OK.
Done.
QoS started
[Expert@MyGW:0]#

etmstop
Description
Stops the QoS Software Blade on the Security Gateway - kills the QoS daemon fgd50 and
then unloads the QoS policy.
For more information, see:
- R80.40 QoS Administration Guide
- sk41585: How to control and debug FloodGate-1 (QoS)

Syntax

etmstop

Example

[Expert@CXL1_192.168.3.52:0]# etmstop
Unloading QoS Policy:
Target(s): CXL1_192.168.3.52
CXL1_192.168.3.52: QoS policy unloaded successfully.
Done.
QoS stopped
[Expert@CXL1_192.168.3.52:0]#

fgate
This section describes the 'fgate' command on the Management Server and on the Security Gateway.

The 'fgate' command on Management Server

Description
Installs and uninstalls the QoS policy on the managed Security Gateways.
Shows the status of the QoS Software Blade on the managed Security Gateways.
For more information, see:
- R80.40 QoS Administration Guide
- sk41585: How to control and debug FloodGate-1 (QoS)

Syntax

fgate [-d]
      load <Name of QoS Policy>.F <GW1> <GW2> ... <GWN>
      stat {-h | <GW1> <GW2> ... <GWN>}
      unload <GW1> <GW2> ... <GWN>
      ver

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

load <Name of QoS Policy>.F <GW1> <GW2> ... <GWN>
    Runs a verifier on the QoS policy <Name of QoS Policy>.
    If the QoS policy is valid, the Management Server compiles and installs the QoS Policy on the specified Security Gateways <GW1> <GW2> ... <GWN>.
    Notes:
    - The maximal supported length of the <Name of QoS Policy> string is 32 characters.
    - To specify a Security Gateway, enter the main IP address or the name of its object as configured in SmartConsole. You can specify several Security Gateways or cluster members in the same command.

stat -h
    Shows the built-in usage for the "stat" parameter.

stat <GW1> <GW2> ... <GWN>
    Shows the status of the QoS Software Blade and policy on the managed Security Gateways.
    Note - To specify a Security Gateway, enter the main IP address or the name of its object as configured in SmartConsole. You can specify several Security Gateways or cluster members in the same command.
    Important - This command is outdated and exists only for backward compatibility with very old versions. Use the "cpstat" command (see "cpstat" on page 958).

unload <GW1> <GW2> ... <GWN>
    Uninstalls the QoS Policy from the specified Security Gateways <GW1> <GW2> ... <GWN>.
    Note - To specify a Security Gateway, enter the main IP address or the name of its object as configured in SmartConsole. You can specify several Security Gateways or cluster members in the same command.

ver
    Shows the QoS Software Blade version on the Management Server.

Examples
Example 1 - Installing the QoS policy on one Security Gateway specified by its IP address
[Expert@MGMT:0]# fgate load MyPolicy.F 192.168.3.52
QoS rules verified OK!
Downloading QoS Policy: MyPolicy.F...
Target(s): MyGW
MyGW: QoS policy transferred to module: MyGW.
MyGW: QoS policy installed succesfully.
Done.
[Expert@MGMT:0]#

Example 2 - Installing the QoS policy on two cluster members specified by their object names
[Expert@MGMT:0]# fgate load MyPolicy.F MyClusterMember1 MyClusterMember2
QoS rules verified OK!
Downloading QoS Policy: MyPolicy.F...
MyClusterMember1: QoS policy transferred to module: MyClusterMember1.
MyClusterMember1: QoS policy installed succesfully.
MyClusterMember2: QoS policy transferred to module: MyClusterMember2.
MyClusterMember2: QoS policy installed succesfully.
Done.
[Expert@MGMT:0]#

Example 3 - Viewing the QoS status on one Security Gateway specified by its object name
[Expert@MGMT:0]# fgate stat MyGW

Module name: MyGW
=======================

Product: QoS Software Blade
Version: R80.40
Kernel Build: 456
Policy Name: MyPolicy
Install time: Wed Dec 4 19:53:48 2019
Interfaces Num: 1

Interface table
----------------------------------------------------------------
|Name|Dir|Limit (Bps)|Avg Rate (Bps)|Conns|Pend pkts|Pend bytes|
----------------------------------------------------------------
|eth0|in | 1250000000| 0| 0| 0| 0|
|eth0|out| 1250000000| 0| 0| 0| 0|
----------------------------------------------------------------

[Expert@MGMT:0]#

Example 4 - Viewing the QoS Software Blade version
[Expert@MGMT:0]# fgate ver
This is Check Point QoS Software Blade R80.40 - Build 123
[Expert@MGMT:0]#

R80.40 CLI Reference Guide | 1824


fgate

The 'fgate' command on Security Gateway

Description
Installs and uninstalls the QoS policy on the managed Security Gateways.
Shows the status of the QoS Software Blade on the managed Security Gateways.
Controls the QoS debug.
For more information, see:
n R80.40 QoS Administration Guide
n sk41585: How to control and debug FloodGate-1 (QoS)

Syntax

fgate [-d]
ctl
-h
<QoS Module> {on | off}
debug
on
off
fetch
-f
<Management Server>
kill [-t <Signal Number>] <Name of QoS Process>
load
log
on
off
stat
stat [-h]
ver [-k]
unload

R80.40 CLI Reference Guide | 1825


fgate

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then
redirect the output to a file, or use the script
command to save the entire CLI session.

ctl -h Shows the expected syntax and the list of the available
QoS modules.

ctl <QoS Module> {on | Controls the specified QoS module:


off}
n on - Enables the module (default)
n off - Disables the module

Note - In R80.40, the only available QoS module is


etmreg.

debug {on | off} Controls the debug mode of the QoS user space
daemon fgd50 (see sk41585):
n on - Enables the debug
n off - Disables the debug (default)
This sends additional debugging information to the
fgd50 daemon's log file $FGDIR/log/fgd.elg.

fetch -f Fetches and installs the QoS Policy from all the
Management Servers configured in the
$FWDIR/conf/masters file.

fetch <Management Fetches and installs the QoS Policy from the specified
Server> Management Server.
Enter the main IP address or the name of the
Management Server object as configured in
SmartConsole.

R80.40 CLI Reference Guide | 1826


fgate

Parameter Description

kill [-t <Signal Sends the specified signal to the specified QoS user
Number>] <Name of QoS space process.
Process> Notes:
n In R80.40, the only available QoS user space
process is fgd50.
n The QoS fgd50 daemon, upon its startup,
writes the PIDs of the applicable QoS user
spaces processes to the
$FWDIR/tmp/<Name of QoS
Process>.pid files.
For example: $FWDIR/tmp/fgd50.pid
n If the file $FWDIR/tmp/<Name of QoS
Process>.pid exists, then this command
sends the specified Signal Number to the PID
in that file.
n If you do not specify the signal explicitly, the
command sends Signal 15 (SIGTERM).
n For the list of available signals and their
numbers, run the kill -l command. For
information about the signals, see the manual
pages for the kill and signal.
n To restart the QoS fgd50 daemon manually,
run the "etmstop" on page 1821 and then
"etmstart" on page 1820 commands.

load Installs the local QoS Policy on the Security Gateway.


If this command fails, run the "etmstop" on page 1821
and then "etmstart" on page 1820 commands.

log {on | off | stat} Controls the state of QoS logging in the Security
Gateway kernel:
n on - Enables the QoS logging (default)
n off - Disables the QoS logging
n stat - Shows the current QoS logging status
You can disable the QoS logging to save resources
without reinstalling the QoS policy.

R80.40 CLI Reference Guide | 1827


fgate

Parameter Description

stat [-h] Shows the status of the QoS Software Blade and policy
on the Security Gateway.
The -h parameter shows the built-in usage for the
"stat" parameter.
Important - This command is outdated and exists
only for backward compatibility with very old
versions. Use the ""cpstat" on page 958" command.

unload Uninstalls the QoS Policy from the Security Gateway.

ver [-k] Shows the QoS Software Blade version.


If you specify the "-k" parameter, the output also shows
the kernel version.

R80.40 CLI Reference Guide | 1828


fgate

Examples
Example 1 - Fetching the QoS policy based on the $FWDIR/conf/masters file
[Expert@MyGW]# fgate fetch -f
Fetching QoS Software Blade Policy:
Received Policy. Downloading...

eth0(inbound), eth0(outbound).
Download OK.
Done.
[Expert@MyGW]#

Example 2 - Fetching the QoS policy from the Management Server specified by its IP address
[Expert@MyGW]# fgate fetch 192.168.3.240
Fetching QoS Software Blade Policy:
Received Policy. Downloading...

eth0(inbound), eth0(outbound).
Download OK.
Done.
[Expert@MyGW]#

Example 3 - Viewing the QoS status

[Expert@MyGW]# fgate stat

Product: QoS Software Blade
Version: R80.40
Kernel Build: 456
Policy Name: MyPolicy
Install time: Wed Dec 4 19:53:48 2019
Interfaces Num: 1

Interface table
----------------------------------------------------------------
|Name|Dir|Limit (Bps)|Avg Rate (Bps)|Conns|Pend pkts|Pend bytes|
----------------------------------------------------------------
|eth0|in | 1250000000| 0| 0| 0| 0|
|eth0|out| 1250000000| 0| 0| 0| 0|
----------------------------------------------------------------

[Expert@MyGW]#

Example 4 - Viewing the QoS Software Blade version
[Expert@MyGW:0]# fgate ver
This is Check Point QoS Software Blade R80.40 - Build 123
[Expert@MyGW:0]#
[Expert@MyGW:0]# fgate ver -k
This is Check Point QoS Software Blade R80.40 - Build 123
kernel: R80.40 - Build 456
[Expert@MyGW:0]#

IPS Commands
For more information about IPS, see the R80.40 Threat Prevention Administration Guide.
IPS commands let you configure and show the IPS on the Security Gateway without installing
a new policy.
Important - Changes in the IPS configuration made with these commands are not persistent. If
you install a policy or restart the Security Gateway, the changes are deleted.

ips
Description
Shows various information about the IPS Software Blade.
Controls the IPS Software Blade.

Syntax

ips
bypass <options>
debug <options>
off
on
pmstats <options>
refreshcap
stat
stats <options>

Parameters

Parameter Description

No Parameters
    Shows the built-in usage.

bypass <options>
    Controls the IPS Bypass mode.
    See "ips bypass" on page 1833.

debug <options>
    Collects the IPS debug.
    See "ips debug" on page 1835.

off
    Disables the IPS Software Blade on-the-fly.
    See "ips off" on page 1836.

on
    Enables the IPS Software Blade on-the-fly.
    See "ips on" on page 1837.

pmstats <options>
    Collects statistics about the IPS Pattern Matcher.
    See "ips pmstats" on page 1838.

refreshcap
    Refreshes the IPS sample capture repository.
    See "ips refreshcap" on page 1839.

stat
    Shows the IPS status.
    See "ips stat" on page 1840.

stats <options>
    Shows statistics for the IPS performance and Pattern Matcher.
    See "ips stats" on page 1841.

ips bypass

Description
Controls the IPS Bypass mode:
- When CPU and/or Memory utilization reaches the configured higher threshold, the IPS Software Blade disables itself.
- When CPU and/or Memory utilization goes down to the configured lower threshold, the IPS Software Blade enables itself.

Syntax

ips bypass
off
on
set <options>
stat

Parameters

Parameter Description

No Parameters
    Shows the applicable built-in usage.

off
    Disables the IPS Bypass mode.

on
    Enables the IPS Bypass mode.

set <options>
    Configures the utilization thresholds (in per cent), at which to engage (higher threshold) or disengage (lower threshold) the IPS Bypass mode.
    The available options are:
    - Configure the lower CPU threshold:
      ips bypass set cpu low <0-100>
    - Configure the higher CPU threshold:
      ips bypass set cpu high <0-100>
    - Configure the lower Memory threshold:
      ips bypass set mem low <0-100>
    - Configure the higher Memory threshold:
      ips bypass set mem high <0-100>
    Example:
    ips bypass set cpu low 80

stat
    Shows the status of the IPS Bypass Under Load:
    - IPS bypass mode
    - CPU thresholds
    - Memory thresholds
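The engage/disengage behaviour of the thresholds above is a hysteresis: once bypass is engaged, IPS stays off until utilization falls back to the lower threshold, not merely below the higher one. The following model is an added illustration, not Check Point code; the gateway's own decision logic is not on this page, and the model assumes (as labelled in the code) that bypass engages when CPU or memory reaches its high threshold and disengages only when both are back at or below their low thresholds.

```python
"""IPS Bypass Under Load thresholds, modelled as the hysteresis the text describes.

Added illustration, not Check Point code. Assumption: bypass engages when CPU
or memory reaches its high threshold, and the IPS Software Blade is re-enabled
only when both are back at or below their low thresholds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BypassThresholds:
    """Values as set with 'ips bypass set {cpu|mem} {low|high} <0-100>'."""
    cpu_low: int
    cpu_high: int
    mem_low: int
    mem_high: int

    def validate(self):
        for name in ("cpu_low", "cpu_high", "mem_low", "mem_high"):
            value = getattr(self, name)
            if not 0 <= value <= 100:
                raise ValueError(f"{name}={value} is outside the 0-100 range")
        # A low threshold at or above the high one leaves no hysteresis band,
        # so IPS would flap between enabled and bypassed around a single value.
        if self.cpu_low >= self.cpu_high:
            raise ValueError("cpu low threshold must be below cpu high threshold")
        if self.mem_low >= self.mem_high:
            raise ValueError("mem low threshold must be below mem high threshold")


def bypass_timeline(thresholds, samples):
    """Return one 'IPS enabled' boolean per (cpu%, mem%) utilization sample."""
    thresholds.validate()
    ips_enabled = True
    timeline = []
    for cpu, mem in samples:
        if ips_enabled and (cpu >= thresholds.cpu_high or mem >= thresholds.mem_high):
            ips_enabled = False   # bypass engaged: traffic passes without IPS inspection
        elif not ips_enabled and cpu <= thresholds.cpu_low and mem <= thresholds.mem_low:
            ips_enabled = True    # utilization back down to the low thresholds: bypass off
        timeline.append(ips_enabled)
    return timeline


def uninspected_samples(thresholds, samples):
    """Count samples during which the IPS Software Blade was bypassed."""
    return sum(1 for enabled in bypass_timeline(thresholds, samples) if not enabled)


if __name__ == "__main__":
    # Constructed utilization trace for 'ips bypass set cpu low 80', 'cpu high 90',
    # 'mem low 70', 'mem high 85'. At 85% CPU the bypass stays engaged because
    # it only disengages once utilization drops to the lower threshold.
    t = BypassThresholds(cpu_low=80, cpu_high=90, mem_low=70, mem_high=85)
    trace = [(50, 40), (92, 40), (85, 40), (80, 40), (95, 40), (79, 40)]
    print(bypass_timeline(t, trace), uninspected_samples(t, trace))
```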

ips debug

Description
Collects the IPS debug information.

Note - For information about the kernel debug, see the R80.40 Quantum Security
Gateway Guide - Chapter Kernel Debug on Security Gateway.

Syntax

ips debug [-e <Filter>] -o <Output File>

Parameters

Parameter Description

-e <Filter>
    Specifies the INSPECT filter to capture packets.
    For more information, see the explanation for the "fw monitor" on page 1078 command in sk30583: What is FW Monitor?

-o <Output File>
    Specifies the path and the name of the output debug file.

Example
ips debug -o /var/log/IPS_debug.txt

ips off

Description
Disables the IPS Software Blade on-the-fly.

Note - To enable, run the "ips on" on page 1837 command.

Syntax

ips off

Example 1
[Expert@MyGW:0]# ips off
IPS is disabled
Please note that for the configuration to apply for connections from existing templates, you have to run this command with -n flag which
deletes existing templates.
Without '-n', it will fully take effect in a few minutes.
[Expert@MyGW:0]#

Example 2
[Expert@MyGW:0]# ips off -n
IPS is disabled
Deleting templates

Clearing table cphwd_tmpl


[Expert@MyGW:0]#

ips on

Description
Enables the IPS Software Blade on-the-fly, if it was disabled with the "ips off" on page 1836 command.

Syntax

ips on [-n]

Example 1
[Expert@MyGW:0]# ips on
IPS is enabled
Please note that for the configuration to apply for connections from existing templates, you have to run this command with -n flag which
deletes existing templates.
Without '-n', it will fully take effect in a few minutes.
[Expert@MyGW:0]#

Example 2
[Expert@MyGW:0]# ips on -n
IPS is enabled
Deleting templates

Clearing table cphwd_tmpl


[Expert@MyGW:0]#

ips pmstats

ips refreshcap

Description
After you install a new policy, the IPS Software Blade captures the first packet for each IPS
protection and saves it in the packet capture repository.
This command refreshes the packet capture repository.
The IPS designates the next packet of each IPS protection as the first packet.
The new first packet replaces the previous one in the packet capture repository.

Syntax

ips refreshcap

Example
[Expert@MyGW:0]# ips refreshcap
Refreshed IPS sample capture
- A single new packet capture will be issued upon the next detection of each attack. You can see
the packet capture attached to the log or in the Packet Capture Repository.
[Expert@MyGW:0]#

ips stat

Description
Shows this information:
- IPS Status (Enabled or Disabled)
- IPS Update Version
- Global Detect (On or Off)
- Bypass Under Load (On or Off)

Syntax

ips stat

Example
[Expert@MyGW:0]# ips stat
Active Profiles:
My_IPS_Profile
IPS Status: Enabled
IPS Update Version: 635158746
Global Detect: Off
Bypass Under Load: Off
[Expert@MyGW:0]#

Note - The section "Active Profiles:" is available only from R80.40 Jumbo
Hotfix Accumulator Take 91.
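Because "ips off" and "ips bypass" change the gateway on-the-fly and are lost at the next policy install or reboot, the state that "ips stat" reports is worth checking routinely. The parser and checks below are an added example, not Check Point code; they read the output format shown above (the optional "Active Profiles:" section followed by "Key: Value" lines) on a constructed sample, and treat the "Active Profiles" section as optional since it exists only from Jumbo Hotfix Accumulator Take 91.

```python
"""Parse 'ips stat' output and flag non-persistent, on-the-fly IPS state.

Added example, not Check Point code. It reads the output format shown on
this page: an optional 'Active Profiles:' section (one profile name per
line) followed by 'Key: Value' lines.
"""

# Constructed sample in the format the page shows; the values are illustrative.
SAMPLE_OUTPUT = """\
[Expert@MyGW:0]# ips stat
Active Profiles:
My_IPS_Profile
IPS Status: Disabled
IPS Update Version: 635158746
Global Detect: On
Bypass Under Load: Off
[Expert@MyGW:0]#
"""


def parse_ips_stat(text):
    """Return the fields of 'ips stat' output as a dict.

    'Active Profiles' maps to a list of names, or to None when the section is
    absent (it exists only from R80.40 Jumbo Hotfix Accumulator Take 91).
    """
    result = {"Active Profiles": None}
    in_profiles = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[Expert@"):
            continue                      # skip prompts and blank lines
        if line == "Active Profiles:":
            result["Active Profiles"] = []
            in_profiles = True
        elif ": " in line:
            key, value = line.split(": ", 1)
            result[key.strip()] = value.strip()
            in_profiles = False           # first 'Key: Value' line ends the section
        elif in_profiles:
            result["Active Profiles"].append(line)
    return result


def ips_findings(parsed):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if parsed.get("IPS Status") != "Enabled":
        findings.append("IPS Status is not Enabled: the blade was switched off "
                        "on-the-fly ('ips off') or the status line is missing")
    if parsed.get("Global Detect") == "On":
        findings.append("Global Detect is On: protections are in detect-only mode")
    if parsed.get("Bypass Under Load") == "On":
        findings.append("Bypass Under Load is On: IPS disables itself at the "
                        "configured CPU/memory thresholds")
    if parsed["Active Profiles"] == []:
        findings.append("Active Profiles section is present but lists no profile")
    return findings


if __name__ == "__main__":
    for finding in ips_findings(parse_ips_stat(SAMPLE_OUTPUT)):
        print("WARNING:", finding)
```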

ips stats

Description
This tool generates a report that includes both IPS and Pattern Matcher statistics.
The report can help administrators and protection writers analyze which IPS protections or
IPS components cause performance issues.
The output files are located in the $FWDIR/ips/statistics_results/ directory.
On a Standalone, the tool creates a directory for each specified IP address.
The output files are:

File Description

ips.dbg
    Contains the raw report, which contains all the information.

ips_stat_output_file.csv
    Contains the report with the IPS statistics.

pm_output_file.csv
    Contains the statistics for the Pattern Matcher.

tier1_output_file.csv
    Contains the statistics for the Pattern Matcher first tier.

tier2_output_file.csv
    Contains the statistics for the Pattern Matcher second tier.

Syntax

ips stats -h
ips stats
ips stats <Seconds>
ips stats -g <Seconds>
ips stats <IP Address of Gateway>
ips stats <IP Address of Gateway> <Seconds>
ips stats <IP Address of Gateway> -m

Important - To generate a report on a VSX Gateway, you must use the Manual Mode.

Parameters

Parameter Description

ips stats -h
    Shows the applicable built-in usage.

ips stats
    Available only in Standalone configurations.
    Collects the IPS and Pattern Matcher statistics on the Standalone computer during 20 seconds.

ips stats <Seconds>
    Available only in Standalone configurations.
    Collects the IPS and Pattern Matcher statistics on the Standalone computer during the specified number of seconds.

ips stats -g <Seconds>
    Manual Mode on the current Security Gateway.
    Important - You must use this command on a VSX Gateway.
    Collects the IPS and Pattern Matcher statistics during the specified number of seconds.
    The output file is /ips_tar.tgz (in the root partition).
    For analysis, you must copy this file to the root partition on the Management Server.

ips stats <IP Address of Gateway>
    Collects the IPS and Pattern Matcher statistics for the Security Gateway with the main specified IP address during 20 seconds.

ips stats <IP Address of Gateway> <Seconds>
    Collects the IPS and Pattern Matcher statistics for the Security Gateway with the main specified IP address during the specified number of seconds.

ips stats <IP Address of Gateway> -m
    Available only on the Management Server.
    Runs an analysis on the output file /ips_tar.tgz that you collected from the Security Gateway with the main specified IP address.

Related SK article
sk43733: How to measure CPU time consumed by IPS protections.

Example 1 - Collect the statistics on the Security Gateway with IP address 192.168.20.14 during 40 seconds

ips stats 192.168.20.14 40

Example 2 - Collect the statistics on the current Security Gateway during 30 seconds

ips stats -g 30

Example 3 - Analyze the statistics you collected from the Security Gateway with IP address 192.168.20.14

ips stats 192.168.20.14 -m

Monitoring Commands
For more information, see the R80.40 Logging and Monitoring Administration Guide.
This section contains commands for the Monitoring Software Blade (former SmartView
Monitor) on the Security Gateway / each Cluster Member.

rtm
Description
Controls the Monitoring Software Blade (former SmartView Monitor) on the Security Gateway
/ each Cluster Member.
Shows the information about the Monitoring Software Blade.

Syntax

rtm
debug <options>
drv <options>
monitor <options>
rtmd
stat <options>
ver <options>

Note - "RTM" stands for Real Time Monitoring.

Parameters

Parameter Description

No Parameters
    Shows the built-in usage.

"rtm debug" on page 1846
    Collects the SmartView Monitor debug information.

"rtm drv" on page 1847
    Starts, stops, or shows the status of the SmartView Monitor kernel driver.

"rtm rtmd" on page 1854
    Starts the SmartView Monitor daemon manually.

"rtm monitor" on page 1848
    Starts the monitoring process for an interface or a virtual link.

"rtm stat" on page 1855
    Shows information about the SmartView Monitor.

"rtm ver" on page 1858
    Shows the SmartView Monitor version.

rtm debug

Description
Collects the SmartView Monitor debug information in the $FWDIR/log/rtmd.elg file on the
Security Gateway / each Cluster Member.

Syntax

rtm debug {on | off} [OPSEC_DEBUG_LEVEL | TDERROR_<AppName>_<Topic>=<ErrLevel>]

Parameters

Parameter Description

on Start debug mode

off Stop debug mode

OPSEC_DEBUG_LEVEL Turn on OPSEC debug printouts

TDERROR_RTM_ALL Turn on SmartView Monitor debug printouts

Example

rtm debug on TDERROR_RTM_ALL=5

rtm drv

Description
Starts, stops, or shows the status of the SmartView Monitor kernel driver on the Security
Gateway / each Cluster Member.

Important - Do not run this command manually. Run the "rtmstart" on page 1859 and
"rtmstop" on page 1860 commands.

Syntax

rtm drv
off
on
stat

Parameters

Parameter Description

on Starts the SmartView Monitor kernel driver

off Stops the SmartView Monitor kernel driver

stat Shows the SmartView Monitor kernel driver status

rtm monitor

Description
Starts the monitoring process for an interface or a Virtual Link on the Security Gateway / each
Cluster Member.
If options and grouping are not used, this command monitors all traffic, on all interfaces, in
both directions.

Syntax

rtm monitor vl <Virtual_Link_Name> [-t {wire | application}] [-h <Module>]
rtm monitor <Key_1> [<Key_2> [<Key_3>] [<Key_4>]] <Value_Column_1> [<Value_Column_2> [<Value_Column_3>] [<Value_Column_4>] [<Value_Column_5>] [<Value_Column_6>]] [<Filter>] [<Options>]

Parameters

Parameter Description

No Parameters
    Shows the built-in usage and examples.

<Virtual_Link_Name>
    Specifies the name of the monitored Virtual Link.

-t {wire | application}
    Specifies how to show the data:
    - wire - Shows the data on the wire after compression, or encryption.
    - application - Shows the data as the application sees it (not compressed and not encrypted).

-h <Module>
    Specifies the Security Gateway by its IP address, or resolvable hostname.

<Key_1> [... [<Key_4>]]
    Specifies up to four keys in this format:
    -k <Key_Type> [<Key_Attr>] [<Entity_1> ... <Entity_N>]
    The <Key_Type> can be one of these:
    - connId - Monitors according to a connection ID.
    - dst - Monitors according to a network object (destination only).
    - fgrule - Monitors according to a QoS Policy rule.
    - fwrule - Monitors according to an Access Control Policy rule.
    - interface - Monitors according to an interface.
      Use comma "," to specify the direction for the interface filter:
      ,{in|out|both}
      Default is both.
    - ip - Monitors according to a network object (source and destination).
    - orientation - Monitors according to connection's direction.
    - pktRange - Monitors according to a range of packet sizes.
    - src - Monitors according to a network object (source only).
    - svc - Monitors according to a service (for example, http).
    - tunnel - Monitors according to a VPN tunnel.
    - tunnelType - Monitors according to a VPN tunnel type:
      - 0 - reserved
      - 1 - regular
      - 2 - permanent
    - url [<URL_Mode>] - Monitors according to a URL.
      The <URL_Mode> can be one of these:
      - url_mod=full (default)
      - url_mod=host
      - url_mod=host_path
      - url_mod=path
      - url_mod=scheme
      - url_mod=scheme_host
    - wdAttack - Monitors according to web defense attacks.

<Value_Column_1> [... [<Value_Column_6>]]
    Specifies up to six column values in this format:
    -v <Value Type> [<Accumulate Mode>] [<Sort Mode>] [<Direction Filter>] [<Encryption Filter>]
    - The <Value Type> can be one of these:
      - ab - Shows application bytes
      - conn - Shows connections
      - pkt - Shows packets
      - session - Shows sessions
      - wb - Shows wire-bytes
    - The <Accumulate Mode> can be one of these:
      - If <Value Type>=ab:
        - acc=lineUtil
        - acc=rate (default)
        - acc=sum
      - If <Value Type>=conn:
        - acc=concurrent (default)
        - acc=new
      - If <Value Type>=pkt:
        - acc=rate (default)
        - acc=sum
      - If <Value Type>=session:
        - acc=new
      - If <Value Type>=wb:
        - acc=lineUtil
        - acc=rate (default)
        - acc=sum
    - The <Sort Mode> can be one of these:
      - sort=top (default for all views)
      - sort=bottom
      - sort=none (default for specific views)
    - The <Direction Filter> can be one of these:
      - dir=in
      - dir=out
      - dir=both (default)
    - The <Encryption Filter> can be one of these:
      - enc=yes
      - enc=no
      - enc=both (default)

<Filter>
    Specifies the filter that can be one of these:
    - For the atom filter:
      -f <Filter_Type> [not] [<Entity_1> ... <Entity_N>]
    - For the hierarchy filter:
      -f {and | or} [...]
    The <Filter_Type> can be one of these:
    - connId - Monitors according to a connection ID.
    - dst - Monitors according to a network object (destination only).
    - fgrule - Monitors according to a QoS Policy rule.
    - fwrule - Monitors according to an Access Control Policy rule.
    - interface - Monitors according to an interface.
      Use comma "," to specify the direction for the interface filter:
      ,{in|out|both}
      Default is both.
    - ip - Monitors according to a network object (source and destination).
    - orientation - Monitors according to connection's direction.
    - src - Monitors according to a network object (source only).
    - svc - Monitors according to a service (for example, http).
    - tunnel - Monitors according to a VPN tunnel.
    - tunnelType - Monitors according to a VPN tunnel type:
      - 0 - reserved
      - 1 - regular
      - 2 - permanent
    - url [<URL_Mode>] - Monitors according to a URL.
      The <URL_Mode> can be one of these:
      - url_mod=full (default)
      - url_mod=host
      - url_mod=host_path
      - url_mod=path
      - url_mod=scheme
      - url_mod=scheme_host
    - wdAttack - Monitors according to web defense attacks.

<Options>
    Specifies these options:
    - -e <Export File Name>
      Specifies the path and the name of the file, in which the command saves its output.
    - -h <Module>
      Specifies the Security Gateway by its IP address, or resolvable hostname.
      Default is localhost.
    - -i <Interval in Seconds>
      The command runs in the loop and shows the output every specified number of seconds.
      Default is 2 sec.
    - -m {raw | resolve | both}
      Specifies how to resolve the names.
      Default is both.
    - -s {top | bottom | none} [index=<1...6>] [updates=<1...200>]
      Specifies how to sort the output.
      If you specify none, the defaults are: index=1 and updates=50.

Notes
- Use the tilde character "~~" to specify a subrule (rule~~subrule).
  To monitor for the QoS Policy, use: rule~~fgrule
- The specified entities correspond to the specified grouping option.
  For example, if the monitoring process works according to a service (svc), add all the monitored services, separated by a space.

Examples
Example 1

This command shows top services (based on bytes per seconds) on external interfaces in
the inbound direction:

rtm monitor -f interface external,in -k svc -v wb

Example 2

This command shows top Access Control rules (based on average concurrent
connections):

rtm monitor -k fwrule -v conn acc=concurrent

Example 3

This command shows Individual HTTP connections (bytes per second):

rtm monitor -f svc http -k svc -k connId -v wb

Example 4

This command shows bottom inbound IP addresses versus outbound IP addresses (based
on packets per interval):

rtm monitor -k ip -v pkt dir=in acc=sum -v pkt dir=out acc=sum -v pkt acc=sum sort=bottom -i 10

Example 5

This command shows top tunnels (based on average concurrent connections):

rtm monitor -f tunnelType not 0 -k tunnel -k tunnelType -v conn -m resolve

Example 6

This command shows packet size distribution (based on packets per interval):

rtm monitor -k pktRange 0-99 100-499 500-999 1000-1999 ">2000" -v pkt acc=sum -i 1

Example 7

This command shows top URLs (based on sessions per seconds) - host part only:

rtm monitor -k url url_mod=host -v session
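The grammar in the parameter table above (key types, value types, the accumulate modes allowed per value type, the sort/direction/encryption modifiers and the -f atom filter) is strict enough to validate a command before it is run. The builder below is an added example, not Check Point code: it encodes that table and reproduces the examples above; it emits the -v modifiers in the order the syntax line lists them (acc, sort, dir, enc), while the page's own examples show that rtm monitor accepts them in any order.

```python
"""Build and validate an 'rtm monitor' command line from the grammar on this page.

Added example, not Check Point code. The allowed values are those listed in
the rtm monitor parameter table; shlex.join quotes an entity such as '>2000'
the way the page's Example 6 does by hand.
"""
import shlex

KEY_TYPES = {"connId", "dst", "fgrule", "fwrule", "interface", "ip", "orientation",
             "pktRange", "src", "svc", "tunnel", "tunnelType", "url", "wdAttack"}
# pktRange is a key type but is not listed as a <Filter_Type> on this page.
FILTER_TYPES = KEY_TYPES - {"pktRange"}
ACC_MODES = {"ab": {"lineUtil", "rate", "sum"}, "conn": {"concurrent", "new"},
             "pkt": {"rate", "sum"}, "session": {"new"}, "wb": {"lineUtil", "rate", "sum"}}
SORT_MODES = {"top", "bottom", "none"}
DIRECTIONS = {"in", "out", "both"}
ENC_MODES = {"yes", "no", "both"}
RESOLVE_MODES = {"raw", "resolve", "both"}


def _check(value, allowed, what):
    if value not in allowed:
        raise ValueError(f"{what} {value!r} is not one of {sorted(allowed)}")


def key_column(ktype, *entities, attr=None):
    """One '-k <Key_Type> [<Key_Attr>] [<Entity_1> ...]' group."""
    _check(ktype, KEY_TYPES, "key type")
    return ["-k", ktype] + ([attr] if attr else []) + list(entities)


def value_column(vtype, acc=None, sort=None, direction=None, enc=None):
    """One '-v <Value Type> [acc=..] [sort=..] [dir=..] [enc=..]' group."""
    _check(vtype, ACC_MODES, "value type")
    tokens = ["-v", vtype]
    if acc is not None:
        _check(acc, ACC_MODES[vtype], f"accumulate mode for {vtype}")
        tokens.append(f"acc={acc}")
    if sort is not None:
        _check(sort, SORT_MODES, "sort mode")
        tokens.append(f"sort={sort}")
    if direction is not None:
        _check(direction, DIRECTIONS, "direction filter")
        tokens.append(f"dir={direction}")
    if enc is not None:
        _check(enc, ENC_MODES, "encryption filter")
        tokens.append(f"enc={enc}")
    return tokens


def atom_filter(ftype, *entities, negate=False):
    """One '-f <Filter_Type> [not] [<Entity_1> ...]' atom filter group."""
    _check(ftype, FILTER_TYPES, "filter type")
    return ["-f", ftype] + (["not"] if negate else []) + list(entities)


def build_rtm_monitor(keys, values, filters=(), interval=None, resolve=None, export=None):
    """Assemble the full command as one shell-safe string."""
    if not 1 <= len(keys) <= 4:
        raise ValueError("rtm monitor takes 1 to 4 keys")
    if not 1 <= len(values) <= 6:
        raise ValueError("rtm monitor takes 1 to 6 value columns")
    tokens = ["rtm", "monitor"]
    for group in list(filters) + list(keys) + list(values):
        tokens.extend(group)
    if interval is not None:
        tokens += ["-i", str(int(interval))]
    if resolve is not None:
        _check(resolve, RESOLVE_MODES, "name resolution mode")
        tokens += ["-m", resolve]
    if export:
        tokens += ["-e", export]
    return shlex.join(tokens)


if __name__ == "__main__":
    # Example 5 from the page: top tunnels by concurrent connections, names resolved.
    print(build_rtm_monitor([key_column("tunnel"), key_column("tunnelType")],
                            [value_column("conn")],
                            filters=[atom_filter("tunnelType", "0", negate=True)],
                            resolve="resolve"))
```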

rtm rtmd

Description
Starts the SmartView Monitor daemon manually on the Security Gateway / each Cluster
Member.
The daemon is also started when you run the "rtmstart" on page 1859 command.

Syntax

rtm [-d] rtmd

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

rtm stat

Description
Shows this information on the Security Gateway / each Cluster Member:
- The status of the Monitoring Software Blade
- The status of the SmartView Monitor daemon
- The status of the SmartView Monitor driver
- Number of opened Virtual Links
- Number of opened Views
- Some performance counters

Syntax

rtm stat -h
rtm stat [vl | view] [perf [{on | off | reset}]] [-i <Interval>] [-r <View_ID>] [-v[v][v]]

Parameters

Parameter Description

-h
    Shows the built-in usage.

vl
    Shows current Virtual Links

view
    Shows current Views

perf [{off | on | reset}]
    Controls whether to show performance information:
    - off - Disables the feature
    - on - Enables the feature
    - reset - Resets the counters
    The output shows these performance counters:
    - New Connections
    - Packets
    - Inf Reclassify
    - View Reclassify
    - End Connections
    - Packets / connections ratio

-i <Interval>
    The command runs in the loop and shows the output every specified number of seconds.

-r <View_ID>
    Specifies the View ID to show.

-v[v][v]
    Verbose output:
    - -v - Verbose output
    - -vv - More verbose output
    - -vvv - Most verbose output

Examples
Example 1
[Expert@MyGW:0]# rtm stat
-------------------------------------------------------
SmartView Monitor Status: Sun Mar 20 18:25:51 2022
-------------------------------------------------------
Product is Enabled
Daemon is ON
-------------------------------------------------------
Status for kernel instance 0
-------------------------------------------------------
Driver is ON
Open Virtual-Links: 0
Open Views: 0
-------------------------------------------------------
Status for kernel instance 1
-------------------------------------------------------
Driver is ON
Open Virtual-Links: 0
Open Views: 0
-------------------------------------------------------
Status for kernel instance ...
-------------------------------------------------------
... (truncated for brevity) ...
[Expert@MyGW:0]#

Example 2
[Expert@MyGW:0]# rtm stat view -vvv
-------------------------------------------------------
SmartView Monitor Status: Sun Mar 20 18:25:51 2022
-------------------------------------------------------
Product is Enabled
Daemon is ON
-------------------------------------------------------
Status for kernel instance 0
-------------------------------------------------------
Driver is ON
Open Virtual-Links: 0
Open Views: 0
-------------------------------------------------------
Status for kernel instance 1
-------------------------------------------------------
Driver is ON
Open Virtual-Links: 0
Open Views: 0
-------------------------------------------------------
Status for kernel instance ...
-------------------------------------------------------
... (truncated for brevity) ...
----------------------------------------------------------------
---------------------------
VIEW 1: svc | wb(rate) interval: 2 Seconds
60016,60016 | 5148
11008a,11008a | 229
Aggregate | 5377

Number of Entries(2)
Keys(-k svc acc=replace )
Values(-v wb acc=rate )
Sort(-s top )
Filter(-)
Daemon id:5 kernel id:0 timeUntilUpdate: 1 [Sec]
----------------------------------------------------------------
---------------------------
[Expert@MyGW:0]#

rtm ver

Description
Shows the SmartView Monitor version on the Security Gateway / each Cluster Member.

Syntax

rtm ver [-k]

Parameters

Parameter Description

-k Shows the SmartView Monitor kernel version.

rtmstart
Description
Loads the SmartView Monitor kernel module and starts the SmartView Monitor daemon on the
Security Gateway / each Cluster Member.

Syntax

rtmstart

rtmstop
Description
Kills the SmartView Monitor daemon and unloads the SmartView Monitor kernel module on the
Security Gateway / each Cluster Member.

Syntax

rtmstop

Working with Kernel Parameters on Security Gateway
See the R80.40 Quantum Security Gateway Guide.

Running Check Point Commands in Shell Scripts
To run Check Point commands in your shell scripts, it is necessary to add the calls to the
required Check Point shell scripts.
You must add these calls below the top line "#!/bin/bash".

On a Security Management Server / Log Server / SmartEvent Server
You must add the call to the /etc/profile.d/CP.sh script.

#!/bin/bash

source /etc/profile.d/CP.sh

<Applicable Check Point Commands>

[mandatory last new line]

On a Multi-Domain Server / Multi-Domain Log Server
You must add the calls to these scripts (in the order listed below):
1. /etc/profile.d/CP.sh
2. $MDSDIR/scripts/MDSprofile.sh
3. $MDS_SYSTEM/shared/mds_environment_utils.sh
4. $MDS_SYSTEM/shared/sh_utilities.sh

#!/bin/bash

source /etc/profile.d/CP.sh
source $MDSDIR/scripts/MDSprofile.sh
source $MDS_SYSTEM/shared/mds_environment_utils.sh
source $MDS_SYSTEM/shared/sh_utilities.sh

<Applicable Check Point Commands>

[mandatory last new line]

On a Security Gateway / Cluster Members (non-VSX)
You must add the call to the /etc/profile.d/CP.sh script.

#!/bin/bash

source /etc/profile.d/CP.sh

<Applicable Check Point Commands>

[mandatory last new line]

On a VSX Gateway / VSX Cluster Members
You must add the calls to these scripts (in the order listed below):
1. /etc/profile.d/CP.sh
2. /etc/profile.d/vsenv.sh

#!/bin/bash

source /etc/profile.d/CP.sh
source /etc/profile.d/vsenv.sh

<Applicable Check Point Commands>

[mandatory last new line]

Glossary
3

3rd-party Cluster
Cluster of Check Point Security Gateways that work together in a redundant
configuration. These Check Point Security Gateways are installed on X-Series XOS, or
IPSO OS. VRRP Cluster on Gaia OS is also considered a 3rd-party cluster. The 3rd-
party cluster handles the traffic, and Check Point Security Gateways perform only State
Synchronization.

Accelerated Path
Packet flow on the Host appliance, when the packet is completely handled by the
SecureXL device. It is processed and forwarded to the network.

Access Role
Access Role objects let you configure network access according to: Networks, Users
and user groups, Computers and computer groups, Remote Access Clients. After you
activate the Identity Awareness Software Blade, you can create Access Role objects and
use them in the Source and Destination columns of Access Control Policy rules.

Active
State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the
state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to
the state of the cluster State Synchronization mechanism.

Active-Active
A cluster mode (in versions R80.40 and higher), where cluster members are located in
different geographical areas (different sites, different cloud availability zones). This mode
supports the configuration of IP addresses from different subnets on all cluster
interfaces, including the Sync interfaces. Each cluster member inspects all traffic routed
to it and synchronizes the recorded connections to its peer cluster members. The traffic
is not balanced between the cluster members.

Active Domain Server
The only Domain Management Server in a Management High Availability deployment
that can manage a specified Domain.

Active Security Management Server
The Management Server in Management High Availability that is currently configured as
Active.

Active Up
ClusterXL in High Availability mode that was configured as Maintain current active
Cluster Member in the cluster object in SmartConsole: (1) If the current Active member
fails for some reason, or is rebooted (for example, Member_A), then failover occurs
between Cluster Members - another Standby member will be promoted to be Active (for
example, Member_B). (2) When the former Active member (Member_A) recovers from a
failure, or boots, the former Standby member (Member_B) remains in the Active
state (and Member_A assumes the Standby state).

Active(!)
In ClusterXL, state of the Active Cluster Member that suffers from a failure. A problem
was detected, but the Cluster Member still forwards packets, because it is the only
member in the cluster, or because there are no other Active members in the cluster. In
any other situation, the state of the member is Down. Possible states: ACTIVE(!),
ACTIVE(!F) - Cluster Member is in the freeze state, ACTIVE(!P) - This is the Pivot
Cluster Member in Load Sharing Unicast mode, ACTIVE(!FP) - This is the Pivot Cluster
Member in Load Sharing Unicast mode and it is in the freeze state.

AD Query
Check Point clientless identity acquisition tool. It is based on Active Directory integration
and it is completely transparent to the user. The technology is based on querying the
Active Directory Security Event Logs and extracting the user and computer mapping to
the network address from them. It is based on Windows Management Instrumentation
(WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates
directly with the Active Directory domain controllers and does not require a separate
server. No installation is necessary on the clients, or on the Active Directory server.

Affinity
The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface,
user space process, or IRQ to one or more specified CPU cores.

Anti-Bot
Check Point Software Blade on a Security Gateway that blocks botnet behavior and
communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.

Anti-Spam
Check Point Software Blade on a Security Gateway that provides comprehensive
protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS,
ASPAM.

Anti-Virus
Check Point Software Blade on a Security Gateway that uses real-time virus signatures
and anomaly-based protections from ThreatCloud to detect and block malware at the
Security Gateway before users are affected. Acronym: AV.

Application Control
Check Point Software Blade on a Security Gateway that allows granular control over
specific web-enabled applications by using deep packet inspection. Acronym: APPI.

ARP Forwarding
Forwarding of ARP Request and ARP Reply packets between Cluster Members by
encapsulating them in Cluster Control Protocol (CCP) packets. Introduced in R80.10
version.

Ask
UserCheck rule action that blocks traffic and files and shows a UserCheck message. The
user can agree to allow the activity.

Audit Log
Log that contains administrator actions on a Management Server (login and logout,
creation or modification of an object, installation of a policy, and so on).

Backup
(1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be promoted
to Master state (if Master member fails). (2) In VSX Cluster configured in Virtual System
Load Sharing mode with three or more Cluster Members - State of a Virtual System on a
third (and so on) VSX Cluster Member. (3) A Cluster Member or Virtual System in this
state does not process any traffic passing through cluster.

Blocking Mode
Cluster operation mode, in which Cluster Member does not forward any traffic (for
example, caused by a failure).

Bot
Malicious software that neutralizes Anti-Virus defenses, connects to a Command and
Control center for instructions from cyber criminals, and carries out the instructions.

Bridge Mode
Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.

Browser-Based Authentication
Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to
which users connect with their web browser to log in and authenticate.

Burstiness
Data that is transferred or transmitted in short, uneven spurts. LAN traffic is typically
bursty. Opposite of streaming data.

Captive Portal
A Check Point Identity Awareness web portal, to which users connect with their web
browser to log in and authenticate, when using Browser-Based Authentication.

Cloud Credentials
Specific credentials from identity providers used by the Identity Collector to connect
seamlessly to the Infinity Portal. These credentials are essential for establishing a secure
and efficient connection between the Identity Client and the Infinity Portal.

Cloud Services
Refers to a centralized identities solution provided by Infinity Identity and Directory Sync.
These services offer identity management and directory synchronization capabilities,
hosted and managed in the cloud.

Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.

Cluster Control Protocol
Proprietary Check Point protocol that runs between Cluster Members on UDP port 8116,
and has the following roles: (1) State Synchronization (Delta Sync), (2) Health checks
(state of Cluster Members and of cluster interfaces): Health-status Reports,
Cluster-member Probing, State-change Commands, Querying for cluster membership. Note:
CCP is located between the Check Point Firewall kernel and the network interface
(therefore, only TCPdump should be used for capturing this traffic). Acronym: CCP.

Cluster Correction Layer
Proprietary Check Point mechanism that deals with asymmetric connections in a Check
Point cluster. The CCL provides connection stickiness by "correcting" the packets to the
correct Cluster Member: In most cases, the CCL makes the correction from the CoreXL
SND; in some cases (like Dynamic Routing, or VPN), the CCL makes the correction from
the Firewall or SecureXL. Acronym: CCL.

Cluster Interface
An interface on a Cluster Member whose Network Type was set to Cluster in the cluster
object in SmartConsole. The cluster monitors this interface, and a failure on this
interface causes a cluster failover.

Cluster Member
Security Gateway that is part of a cluster.

Cluster Mode
Configuration of Cluster Members to work in one of these redundant modes: (1) One
Cluster Member processes all the traffic - High Availability or VRRP mode; (2) All traffic
is processed in parallel by all Cluster Members - Load Sharing.

Cluster Topology
Set of interfaces on all members of a cluster and their settings (Network Objective, IP
address / Net Mask, Topology, Anti-Spoofing, and so on).

ClusterXL
Cluster of Check Point Security Gateways that work together in a redundant
configuration. The ClusterXL both handles the traffic and performs State
Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1)
ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster
Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL
Load Sharing mode, configuring more than 4 Cluster Members significantly decreases
the cluster performance due to the amount of Delta Sync traffic.

Compliance
Check Point Software Blade on a Management Server to view and apply the Security
Best Practices to the managed Security Gateways. This Software Blade includes a
library of Check Point-defined Security Best Practices to use as a baseline for good
Security Gateway and Policy configuration.

Content Awareness
Check Point Software Blade on a Security Gateway that provides data visibility and
enforcement. Acronym: CTNT.

Cooperative Enforcement
Integration of an on-premises Harmony Endpoint Security Server and Security Gateway.

CoreXL
Performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.

CoreXL Dynamic Dispatcher
Improved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXL
Firewall instances. Traffic distribution between CoreXL Firewall instances is dynamically
based on the utilization of CPU cores, on which the CoreXL Firewall instances are
running. The dynamic decision is made for first packets of connections, by assigning
each of the CoreXL Firewall instances a rank, and selecting the CoreXL Firewall
instance with the lowest rank. The rank for each CoreXL Firewall instance is calculated
according to its CPU utilization. The higher the CPU utilization, the higher the CoreXL
Firewall instance's rank is, hence this CoreXL Firewall instance is less likely to be
selected by the CoreXL SND.

CoreXL Firewall Instance
On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple
times. Each replicated copy, or firewall instance, runs on one processing CPU core.
These firewall instances handle traffic at the same time, and each firewall instance is a
complete and independent firewall inspection kernel. Synonym: CoreXL FW Instance.

CoreXL SND
Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming
traffic from the network interfaces; Securely accelerating authorized packets (if
SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel
instances (SND maintains a global dispatching table, which maps connections that were
assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall
instances is statically based on Source IP addresses, Destination IP addresses, and the
IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick
to a particular FWK daemon is made at the first packet of a connection on a very high
level, before anything else. Depending on the SecureXL settings, in most cases SecureXL
offloads the decryption calculations. However, in some other cases, such as with
Route-Based VPN, this is done by the FWK daemon.

CPHA
General term in Check Point Cluster that stands for Check Point High Availability
(historic fact: the first release of ClusterXL supported only High Availability) that is used
only for internal references (for example, inside kernel debug) to designate ClusterXL
infrastructure.

CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can
automatically update Check Point products for the Gaia OS, and the Gaia OS itself.

Critical Device
A special software device on each Cluster Member, through which the critical aspects for
cluster operation are monitored. When the critical monitored component on a Cluster
Member fails to report its state on time, or when its state is reported as problematic, the
state of that member is immediately changed to Down. The complete list of the
configured critical devices (pnotes) is printed by the 'cphaprob -ia list' command or 'show
cluster members pnotes all' command. Synonyms: Pnote, Problem Notification.

Custom Report
User-defined report for a Check Point product, typically based on a predefined report.

DAIP Gateway
Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway, on which the
IP address of the external interface is assigned dynamically by the ISP.

Data Loss Prevention
Check Point Software Blade on a Security Gateway that detects and prevents the
unauthorized transmission of confidential information outside the organization. Acronym:
DLP.

Data Type
Classification of data in a Check Point Security Policy for the Content Awareness
Software Blade.

Dead
State reported by a Cluster Member when it goes out of the cluster (because of the
'cphastop' command, which is a part of 'cpstop', or a reboot).

Decision Function
A special cluster algorithm applied by each Cluster Member on the incoming traffic in
order to decide which Cluster Member should process the received packet. Each
Cluster Member maintains a table of hash values generated based on the connection
tuple (source and destination IP addresses/Ports, and Protocol number).

Dedicated Management Interface
Separate physical interface on VSX Gateway or VSX Cluster Members, through which
Check Point Security Management Server or Multi-Domain Server connects directly to
VSX Gateway or VSX Cluster Members. DMI is restricted to management traffic, such as
provisioning, logging and monitoring. Acronym: DMI.

Delta Sync
Synchronization of kernel tables between all working Cluster Members - exchange of
CCP packets that carry pieces of information about different connections and operations
that should be performed on these connections in relevant kernel tables. This Delta Sync
process is performed directly by the Check Point kernel. While performing Full Sync, the
Delta Sync updates are not processed, but are saved in kernel memory. After Full Sync is
complete, the Delta Sync packets stored during the Full Sync phase are applied in order
of arrival.

Delta Sync Retransmission
It is possible that Delta Sync packets will be lost or corrupted during the Delta Sync
operations. In such cases, it is required to make sure the Delta Sync packet is re-sent.
The receiving Cluster Member requests the sending Cluster Member to retransmit the
lost/corrupted Delta Sync packet. Each Delta Sync packet has a sequence number. The
sending member has a queue of sent Delta Sync packets. Each Cluster Member has a
queue of packets sent from each of the peer Cluster Members. If, for any reason, a Delta
Sync packet was not received by a Cluster Member, it can ask for a retransmission of
this packet from the sending member. The Delta Sync retransmission mechanism is
somewhat similar to the TCP window and TCP retransmission mechanisms. When a
member requests retransmission of a Delta Sync packet that no longer exists on the
sending member, the member prints a console message that the sync is not complete.
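
The sequence-number and sent-queue behavior described above, as an added Python simulation that is not Check Point code: the packet layout, the length of the sender's queue (history), the receiving member's gap detection and the console message text are constructed assumptions, not the real CCP format.

```python
"""Delta Sync retransmission, simulated.

Added example, not Check Point code: the packet layout, the sent-queue
length and the console message text are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DeltaSyncPacket:
    seq: int        # sequence number assigned by the sending member
    update: str     # the kernel-table change this packet carries (constructed)


@dataclass
class SendingMember:
    """Sending Cluster Member: keeps a bounded queue of already-sent packets."""
    name: str
    history: int = 8            # constructed limit; the real queue size is not given here
    next_seq: int = 0
    sent: Deque[DeltaSyncPacket] = field(default_factory=deque)

    def send(self, update: str) -> DeltaSyncPacket:
        pkt = DeltaSyncPacket(self.next_seq, update)
        self.next_seq += 1
        self.sent.append(pkt)
        if len(self.sent) > self.history:
            self.sent.popleft()         # oldest packet no longer exists on the sender
        return pkt

    def retransmit(self, seq: int) -> Optional[DeltaSyncPacket]:
        """Return the requested packet, or None if it already left the sent queue."""
        for pkt in self.sent:
            if pkt.seq == seq:
                return pkt
        return None


@dataclass
class ReceivingMember:
    """Receiving Cluster Member: applies updates in order and asks for gaps."""
    name: str
    expected_seq: int = 0
    applied: List[str] = field(default_factory=list)
    console: List[str] = field(default_factory=list)   # console messages (constructed)

    def receive(self, pkt: DeltaSyncPacket, sender: SendingMember) -> None:
        # As with TCP, a gap is noticed only when a later packet arrives.
        while self.expected_seq < pkt.seq:
            missing = sender.retransmit(self.expected_seq)
            if missing is None:
                self.console.append(
                    f"{self.name}: sync is not complete, seq {self.expected_seq} "
                    f"no longer exists on {sender.name}")
                self.expected_seq = pkt.seq    # the gap cannot be recovered; skip ahead
                break
            self._apply(missing)
        if pkt.seq == self.expected_seq:
            self._apply(pkt)
        # pkt.seq < expected_seq would be a duplicate and is ignored

    def _apply(self, pkt: DeltaSyncPacket) -> None:
        self.applied.append(pkt.update)
        self.expected_seq = pkt.seq + 1


def run_scenario(lost: Set[int], updates: int,
                 history: int = 8) -> Tuple[List[str], List[str]]:
    """Send `updates` Delta Sync packets from Member_A to Member_B, dropping
    every packet whose sequence number is in `lost`."""
    a = SendingMember("Member_A", history=history)
    b = ReceivingMember("Member_B")
    for i in range(updates):
        pkt = a.send(f"conn-{i}")          # constructed kernel-table update
        if pkt.seq not in lost:
            b.receive(pkt, a)
    return b.applied, b.console


if __name__ == "__main__":
    # A single lost packet is recovered from the sender's queue.
    print(run_scenario(lost={3}, updates=6))
    # A loss burst longer than the queue cannot be recovered: sync is not complete.
    print(run_scenario(lost=set(range(10)), updates=12, history=8))
```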

Detect
UserCheck rule action that allows traffic and files to enter the internal network and logs
them.

Directory Sync
Abstracts identity providers by offering a unified schema and a single API, consolidating
all logic in one centralized location.

Distributed Deployment
Configuration in which the Check Point Security Gateway and the Security Management
Server products are installed on different computers.

Domain Dedicated Log Server
Dedicated Log Server (not a Domain Log Server) configured in a specified Domain (in
versions R81 and higher). It stores and processes logs from Security Gateways that are
managed by the corresponding Domain Management Server. Acronym: DDLS.

Domain Dedicated SmartEvent Server
Dedicated SmartEvent Server configured in a specified Domain (in versions R81 and
higher). It hosts the events database for logs from Security Gateways that are managed
by the corresponding Domain Management Server.

Domain Management Server
Virtual Security Management Server that manages Security Gateways for one Domain,
as part of a Multi-Domain Security Management environment. Acronym: DMS.

Down
State of a Cluster Member during a failure when one of the Critical Devices reports its
state as "problem": In ClusterXL, applies to the state of the Security Gateway
component; in 3rd-party / OPSEC cluster, applies to the state of the State
Synchronization mechanism. A Cluster Member in this state does not process any traffic
passing through cluster.

Dying
State of a Cluster Member as assumed by peer members, if it did not report its state for
0.7 seconds.

Dynamic Object
Special object type, whose IP address is not known in advance. The Security Gateway
resolves the IP address of this object in real time.

Encryption Domain
The networks that a Security Gateway protects and for which it encrypts and decrypts
VPN traffic.

Endpoint Policy Management
Check Point Software Blade on a Management Server to manage an on-premises
Harmony Endpoint Security environment.

Event
Record of a security or network incident that is based on one or more logs, and on a
customizable set of rules that are defined in the Event Policy.

Event Correlation
Procedure that extracts, aggregates, correlates, and analyzes events from the logs.

Event Policy
Set of rules that define the behavior of SmartEvent.

Expert Mode
The name of the elevated command line shell that gives full system root permissions in
the Check Point Gaia operating system.

F2F
Denotes non-VPN connections that SecureXL forwarded to the firewall. See "Firewall Path".

Failback
Recovery of a Cluster Member that suffered from a failure. The state of a recovered
Cluster Member is changed from Down to either Active, or Standby (depending on
Cluster Mode). Synonym: Fallback.

Failed Member
A Cluster Member that cannot send or accept traffic because of a hardware or software
problem.

Failover
Transfer of control over traffic (packet filtering) from a Cluster Member that suffered
a failure to another Cluster Member (based on internal cluster algorithms). Synonym:
Fail-over.

Failure
A hardware or software problem that causes a Security Gateway to be unable to serve
as a Cluster Member (for example, one of the cluster interfaces has failed, or one of the
monitored daemons has crashed). A Cluster Member that suffered from a failure is
declared as failed, and its state is changed to Down (a physical interface is considered
Down only if all configured VLANs on that physical interface are Down).

Firewall Path
Packet flow on the Host Security Appliance, when the SecureXL device is unable to
process the packet. The packet is passed to the CoreXL layer and then to one of the
CoreXL Firewall instances for full processing. This path also processes all packets when
SecureXL is disabled. Synonym: Slow Path.

Flapping
Consecutive changes in the state of either cluster interfaces (cluster interface flapping),
or Cluster Members (Cluster Member flapping). Such consecutive changes in the state
are seen in 'Logs & Monitor' > 'Logs' (if, in SmartConsole > cluster object, the cluster
administrator set 'Track changes in the status of cluster members' to 'Log').

Flush and ACK
A Cluster Member forces the Delta Sync packet about the incoming packet, waits for
acknowledgments from all other Active members, and only then allows the incoming
packet to pass through. In some scenarios, it is required that some information, written
into the kernel tables, is synchronized promptly, or else a race condition can occur. The
race condition may occur if a packet that caused a certain change in kernel tables left
Member_A toward its destination and then the return packet tries to go through
Member_B. In general, this kind of situation is called asymmetric routing. What may
happen in this scenario is that the return packet arrives at Member_B before the changes
induced by this packet were synchronized to Member_B. An example of such a case is
when a SYN packet goes through Member_A, causing multiple changes in the kernel
tables, and then leaves to a server. The SYN-ACK packet from the server arrives at
Member_B, but the connection itself was not synchronized yet. In this condition,
Member_B drops the packet as an Out-of-State packet (First packet isn't SYN). In order
to prevent such conditions, it is possible to use the "Flush and ACK" (F&A) mechanism.
This mechanism can send the Delta Sync packets with all the changes accumulated so
far in the Sync buffer to the other Cluster Members, hold the original packet that induced
these changes, and wait for acknowledgment from all other (Active) Cluster Members
that they received the information in the Delta Sync packet. When all acknowledgments
have arrived, the mechanism releases the held original packet. This ensures that by the
time the return packet arrives from the server at the cluster, all the Cluster Members are
aware of the connection. F&A operates at the end of the Inbound chain and at the end of
the Outbound chain (it is more common at the Outbound). Synonyms: FnA, F&A.
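
The asymmetric-routing race and the hold-until-acknowledged behavior described above, as an added Python simulation that is not Check Point code: the Member and Cluster classes, the in-flight delivery model (an acknowledgment is counted once a Delta Sync packet is delivered to an Active peer), the Down third member and the sample connection tuple are constructed assumptions.

```python
"""Flush and ACK (F&A) race, simulated.

Added example, not Check Point code: Member/Cluster, the in_flight delivery
model and the sample connection are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Conn = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def reverse(conn: Conn) -> Conn:
    """Tuple of the return packet for a connection."""
    return (conn[2], conn[3], conn[0], conn[1])


@dataclass
class Member:
    name: str
    active: bool = True                                    # False = Down: no sync, no acks
    connections: Set[Conn] = field(default_factory=set)    # kernel connections table
    sync_buffer: List[Conn] = field(default_factory=list)  # changes not yet sent


@dataclass
class Cluster:
    members: List[Member]
    in_flight: List[Tuple[str, Conn]] = field(default_factory=list)  # sent, undelivered
    log: List[str] = field(default_factory=list)

    def flush(self, member: Member) -> None:
        """Send Delta Sync packets for everything accumulated in the Sync buffer."""
        self.in_flight.extend((member.name, c) for c in member.sync_buffer)
        member.sync_buffer.clear()

    def deliver_sync(self) -> Dict[str, Set[str]]:
        """Deliver pending Delta Sync packets; return acks as sender -> {receivers}."""
        acks: Dict[str, Set[str]] = {}
        for sender, conn in self.in_flight:
            for m in self.members:
                if m.name != sender and m.active:
                    m.connections.add(conn)
                    acks.setdefault(sender, set()).add(m.name)
        self.in_flight.clear()
        return acks

    def handle_syn(self, member: Member, conn: Conn, flush_and_ack: bool) -> None:
        """A SYN passes through `member`; F&A decides when the SYN may leave."""
        member.connections.add(conn)            # change in the kernel tables
        member.sync_buffer.append(conn)
        if not flush_and_ack:
            self.log.append(f"{member.name}: SYN released, sync still buffered")
            return                              # SYN is already gone; sync comes later
        self.flush(member)                      # flush the Sync buffer now
        needed = {m.name for m in self.members if m is not member and m.active}
        got = self.deliver_sync().get(member.name, set())
        if got != needed:                       # hold the SYN until every Active peer acks
            raise RuntimeError(f"missing acks from {sorted(needed - got)}")
        self.log.append(f"{member.name}: SYN released after acks from {sorted(got)}")

    def handle_return(self, member: Member, pkt: Conn) -> bool:
        """Return packet at `member`: accepted only if its connection is known."""
        if reverse(pkt) in member.connections:
            return True
        self.log.append(f"{member.name}: dropped Out-of-State packet "
                        "(First packet isn't SYN)")
        return False


def asymmetric_scenario(flush_and_ack: bool) -> Tuple[bool, List[str]]:
    """SYN leaves via Member_A; the SYN-ACK reaches Member_B before the sync does."""
    a, b, c = Member("Member_A"), Member("Member_B"), Member("Member_C", active=False)
    cluster = Cluster([a, b, c])
    conn = ("10.0.0.5", 40000, "203.0.113.10", 443)   # constructed client -> server
    cluster.handle_syn(a, conn, flush_and_ack)
    accepted = cluster.handle_return(b, reverse(conn))  # arrives before delivery
    if not flush_and_ack:
        cluster.flush(a)
        cluster.deliver_sync()                           # too late for the SYN-ACK
    return accepted, cluster.log


if __name__ == "__main__":
    print(asymmetric_scenario(flush_and_ack=False))   # SYN-ACK dropped as Out-of-State
    print(asymmetric_scenario(flush_and_ack=True))    # SYN-ACK accepted
```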

Forwarding
Process of transferring incoming traffic from one Cluster Member to another Cluster
Member for processing. There are two types of forwarding incoming traffic between
Cluster Members - Packet forwarding and Chain forwarding. For more information, see
"Forwarding Layer in Cluster" and "ARP Forwarding".

Forwarding Layer
The Forwarding Layer is a ClusterXL mechanism that allows a Cluster Member to pass
packets to peer Cluster Members, after they have been locally inspected by the firewall.
This feature allows connections to be opened from a Cluster Member to an external host.
Packets originated by Cluster Members are hidden behind the Cluster Virtual IP address.
Thus, a reply from an external host is sent to the cluster, and not directly to the source
Cluster Member. This can pose problems in the following situations: (1) The cluster is
working in High Availability mode, and the connection is opened from the Standby
Cluster Member. All packets from the external host are handled by the Active Cluster
Member, instead. (2) The cluster is working in a Load Sharing mode, and the decision
function has selected another Cluster Member to handle this connection. This can
happen since packets directed at a Cluster IP address are distributed between Cluster
Members as with any other connection. If a Cluster Member decides, upon the
completion of the firewall inspection process, that a packet is intended for another
Cluster Member, it can use the Forwarding Layer to hand the packet over to that Cluster
Member. In High Availability mode, packets are forwarded over a Synchronization
network directly to peer Cluster Members. It is important to use secured networks only,
as encrypted packets are decrypted during the inspection process, and are forwarded as
clear-text (unencrypted) data. In Load Sharing mode, packets are forwarded over a
regular traffic network. Packets that are sent on the Forwarding Layer use a special
source MAC address to inform the receiving Cluster Member that they have already
been inspected by another Cluster Member. Thus, the receiving Cluster Member can
safely hand over these packets to the local Operating System, without further inspection.

Full High Availability
A special Cluster Mode supported only on Check Point appliances running Gaia OS
(R75.40 and higher) or SecurePlatform OS (R77.30 and lower), where each Cluster
Member also runs as a Security Management Server. This provides redundancy both
between Security Gateways (only High Availability is supported) and between Security
Management Servers (only High Availability is supported). Synonyms: Full HA Cluster
Mode, Full HA, FullHA.

Full Sync
Process of full synchronization of applicable kernel tables by a Cluster Member from the
working Cluster Member(s) when it tries to join the existing cluster. This process is meant
to fetch a "snapshot" of the applicable kernel tables of already Active Cluster Member(s).
Full Sync is performed during the initialization of Check Point software (during the boot
process, the first time the Cluster Member runs policy installation, during 'cpstart', during
'cphastart'). Until the Full Sync process completes successfully, this Cluster Member
remains in the Down state, because until it is fully synchronized with other Cluster
Members, it cannot function as a Cluster Member. Meanwhile, the Delta Sync packets
continue to arrive, and the Cluster Member that tries to join the existing cluster stores
them in the kernel memory until the Full Sync completes. The whole Full Sync process is
performed by fwd daemons on TCP port 256 over the Sync network (if it fails over the
Sync network, it tries the other cluster interfaces). The information is sent by fwd
daemons in chunks, while making sure they confirm getting the information before
sending the next chunk. Also see "Delta Sync".

Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.

Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restricted shell (role-based administration controls the number of commands
available in the shell).

Gaia Portal
Web interface for the Check Point Gaia operating system.

Geo Cluster
A High Availability cluster mode (in versions R81.20 and higher), where cluster members
are located in different cloud availability zones. This mode supports the configuration of
IP addresses from different subnets on all cluster interfaces, including the Sync
interfaces. The Active cluster member inspects all traffic routed to the cluster and
synchronizes the recorded connections to its peer cluster members. The traffic is not
balanced between the cluster members. See "High Availability".

Global Domain
Domain on a Multi-Domain Security Management Server, on which the Multi-Domain
Server administrator creates and manages objects, security policies and settings that
apply to the entire Multi-Domain Security Management environment.

Global Objects
On a Multi-Domain Security Management Server, all objects defined in the Global
Domain. You can use these objects in a Global Policy or in Local Policies on Domains.

Global Policy
On a Multi-Domain Security Management Server, a policy defined in the Global Domain.
You can assign this Global Policy to Domains.

HA not started
Output of the 'cphaprob <flag>' command or 'show cluster <option>' command on the
Cluster Member. This output means that Check Point clustering software is not started
on this Security Gateway (for example, this machine is not a part of a cluster, or
'cphastop' command was run, or some failure occurred that prevented the ClusterXL
product from starting correctly).

High Availability
A redundant cluster mode, where only one Cluster Member (Active member) processes
all the traffic, while other Cluster Members (Standby members) are ready to be promoted
to Active state if the current Active member fails. In the High Availability mode, the
Cluster Virtual IP address (that represents the cluster on that network) is associated: (1)
With physical MAC Address of Active member (2) With virtual MAC Address. Synonym:
Active/Standby. Acronym: HA.

Hotfix
Software package installed on top of the current software version to fix a wrong or
undesired behavior, and to add a new behavior.

HTTPS Inspection
Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets
Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection.
Acronyms: HTTPSI, HTTPSi.

HTU
Stands for "HA Time Unit". All internal time in ClusterXL is measured in HTUs (the times
in cluster debug also appear in HTUs). Formula in the Check Point software: 1 HTU = 10
x fwha_timer_base_res = 10 x 10 milliseconds = 100 ms.

Hybrid
Starting in R80.20, on Security Gateways with 40 or more CPU cores, Software Blades
run in the user space (as 'fwk' processes). The Hybrid Mode refers to the state when you
upgrade Cluster Members from R80.10 (or below) to R80.20 (or above). The Hybrid
Mode is the state, in which the upgraded Cluster Members already run their Software
Blades in the user space (as fwk processes), while other Cluster Members still run their
Software Blades in the kernel space (represented by the fw_worker processes). In the
Hybrid Mode, Cluster Members are able to synchronize the required information.

ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.

ICAP Client
The ICAP Client functionality in your Security Gateway or Cluster (in versions R80.40
and higher) enables it to interact with ICAP Server responses (see RFC 3507), modify
their content, and block the matched HTTP connections.

ICAP Server
The ICAP Server functionality in your Security Gateway or Cluster (in versions R80.40
and higher) enables it to interact with ICAP Client requests, send the files for
inspection, and return the verdict.

Identity Agent
Check Point dedicated client agent installed on Windows-based user endpoint
computers. This Identity Agent acquires and reports identities to the Check Point Identity
Awareness Security Gateway. The administrator configures the Identity Agents (not the
end users). There are two types of Identity Agents - Full and Light. You can download the
Full and Light Identity Agent package from the Captive Portal -
'https://<Gateway_IP_Address>/connect' or from Support Center.

Identity Agent Configuration Utility
Check Point utility that creates custom Identity Agent installation packages. This utility is
installed as a part of the Identity Agent: go to the Windows Start menu > All Programs >
Check Point > Identity Agent > right-click the 'Identity Agent' shortcut > select 'Properties'
> click 'Open File Location' ('Find Target' in some Windows versions) > double-click
'IAConfigTool.exe'.

Identity Agent Distributed Configuration Tool
Check Point Identity Agent control tool for Windows-based client computers that are
members of an Active Directory domain. The Distributed Configuration tool lets you
configure connectivity and trust rules for Identity Agents - to which Identity Awareness
Security Gateways the Identity Agent should connect, depending on its IPv4 / IPv6
address, or Active Directory Site. This tool is installed as a part of the Identity Agent: go to
the Windows Start menu > All Programs > Check Point > Identity Agent > open the
Distributed Configuration. Note - You must have administrative access to this Active
Directory domain to allow automatic creation of new LDAP keys and writing.

Identity Awareness
Check Point Software Blade on a Security Gateway that enforces network access and
audits data based on network location, the identity of the user, and the identity of the
computer. Acronym: IDA.

Identity Broker
Identity Sharing mechanism between Identity Servers (PDP): (1) Communication
channel between PDPs based on Web-API (2) Identity Sharing capabilities between
PDPs - ability to add, remove, and update the identity session.

Identity Collector
Check Point dedicated client agent installed on Windows Servers in your network.
Identity Collector collects information about identities and their associated IP addresses,
and sends it to the Check Point Security Gateways for identity enforcement. You can
download the Identity Collector package from Support Center.

Identity Collector Identity Sources
Identity Sources for Check Point Identity Collector - Microsoft Active Directory Domain
Controllers, Cisco Identity Services Engine (ISE) Servers, or NetIQ eDirectory Servers.

Identity Collector Query Pool
A list of Identity Sources for Check Point Identity Collector.

Identity Logging
Check Point Software Blade on a Management Server to view Identity Logs from the
managed Security Gateways with enabled Identity Awareness Software Blade.

Identity Server
Check Point Security Gateway with enabled Identity Awareness Software Blade.

Indicator
Pattern of relevant observable malicious activity in an operational cyber domain, with
relevant information on how to interpret it and how to handle it.

Infinity Identity
A centralized solution for identity-based security. It aggregates identity information from
various sources, including identity providers and Check Point products, and supplies this
information to users.

Init
State of a Cluster Member in the phase after the boot and until the Full Sync completes.
A Cluster Member in this state does not process any traffic passing through cluster.

Inline Layer
Set of rules used in another rule in Security Policy.

Intelligent Queuing Engine
A bandwidth allocation algorithm that guarantees high priority traffic takes precedence
over low priority traffic.

Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.

IoC
Indicator of Compromise. Artifact observed on a network or in an operating system that,
with high confidence, indicates a computer intrusion. Typical IoCs are virus signatures
and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet
command and control servers. IoCs are identified through a process of incident
response and computer forensics; intrusion detection systems and anti-virus software
can then use them to detect future attacks.

IP Tracking
Collecting and saving of Source IP addresses and Source MAC addresses from
incoming IP packets during the probing. IP tracking is useful for Cluster Members to
determine whether the network connectivity of the Cluster Member is acceptable.

IP Tracking Policy
Internal setting that controls which IP addresses should be tracked during IP tracking:
(1) Only IP addresses from the subnet of the cluster VIP, or from the subnet of the physical
cluster interface (this is the default); (2) All IP addresses, also outside the cluster subnet.

IPS
Check Point Software Blade on a Security Gateway that inspects and analyzes packets
and data for numerous types of risks (Intrusion Prevention System).

IPsec VPN
Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and
Remote Access VPN access.

IRQ Affinity
A state of binding an IRQ to one or more CPU cores.

Jitter
Variation in the delay of received packets. On the sending side, packets are spaced
evenly apart and sent in a continuous stream. On the receiving side, the delay between
each packet can vary according to network congestion, improper queuing or
configuration errors.

Jumbo Hotfix Accumulator
Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.

Kerberos
An authentication server for Microsoft Windows Active Directory Federation Services
(ADFS).

LLQ
Low Latency Queuing is a feature developed by Cisco to bring strict priority queuing (PQ)
to class-based weighted fair queuing (CBWFQ). LLQ allows delay-sensitive data (such
as voice) to be given preferential treatment over other traffic by letting the data be
dequeued and sent first.

Load Sharing
A redundant cluster mode, where all Cluster Members process all incoming traffic in
parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing
Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS.

Load Sharing Multicast
Load Sharing Cluster Mode, where all Cluster Members process all traffic in parallel.
Each Cluster Member is assigned the equal load of [ 100% / number_of_members ]. The
Cluster Virtual IP address (that represents the cluster on that network) is associated with
Multicast MAC Address 01:00:5E:X:Y:Z (which is generated based on last 3 bytes of
cluster Virtual IP address on that network). A ClusterXL decision algorithm (Decision
Function) on all Cluster Members decides which Cluster Member should process the
given packet.

Load Sharing Unicast
Load Sharing Cluster Mode, where one Cluster Member (called Pivot) accepts all traffic.
Then, the Pivot member decides to process this traffic, or to forward it to other non-Pivot
Cluster Members. The traffic load is assigned to Cluster Members based on the
hard-coded formula per the value of "Pivot_overhead" attribute in the cluster object. The
Cluster Virtual IP address (that represents the cluster on that network) is associated with:
(1) Physical MAC Address of Pivot member (2) Virtual MAC Address.

Log Server
Dedicated Check Point server that runs Check Point software to store and process logs.

Logging & Status
Check Point Software Blade on a Management Server to view Security Logs from the
managed Security Gateways.

Mail Transfer Agent
Feature on a Security Gateway that intercepts SMTP traffic and forwards it to the
applicable inspection component. Acronym: MTA.

Main Domain Management Server
Domain Management Server on a Multi-Domain Server, on which you configured the
object of your VSX Gateway or VSX Cluster. In this case, objects of your Virtual Systems
are defined on different Domain Management Servers (Target Domain Management
Servers).

Malware Database
The Check Point database of commonly used signatures, URLs, and their related
reputations, installed on a Security Gateway and used by the ThreatSpect engine.

Management High Availability
Deployment and configuration mode of two Check Point Management Servers, in which
they automatically synchronize the management databases with each other. In this
mode, one Management Server is Active, and the other is Standby. Acronyms:
Management HA, MGMT HA.

Management Interface
(1) Interface on a Gaia Security Gateway or Cluster member, through which
Management Server connects to the Security Gateway or Cluster member. (2) Interface
on Gaia computer, through which users connect to Gaia Portal or CLI.

Management Server
Check Point Single-Domain Security Management Server or a Multi-Domain Security
Management Server.

Manual NAT Rules
Manual configuration of NAT rules by the administrator of the Check Point Management
Server.

Master
State of a Cluster Member that processes all traffic in cluster configured in VRRP mode.

Medium Path
Packet flow on the Host Security Appliance, when the packet is handled by the SecureXL
device. The CoreXL layer passes the packet to one of the CoreXL Firewall instances to
process it. Even when CoreXL is disabled, the SecureXL uses the CoreXL infrastructure
to send the packet to the single CoreXL Firewall instance that still functions. When the
Medium Path is available, the SecureXL fully accelerates the TCP handshake. Rule
Base match is achieved for the first packet through an existing connection acceleration
template. The SecureXL also fully accelerates the TCP [SYN-ACK] and TCP [ACK]
packets. However, once data starts to flow, to stream it for Content Inspection, an FWK
instance now handles the packets. The SecureXL sends all packets that contain data to
FWK for data extraction in order to build the data stream. Only the SecureXL handles the
TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets, because they do not contain data
that needs to be streamed. The Medium Path is available only when CoreXL is enabled.
Exceptions are: IPS (some protections); VPN (in some configurations); Application
Control; Content Awareness; Anti-Virus; Anti-Bot; HTTPS Inspection; Proxy mode;
Mobile Access; VoIP; Web Portals. Synonym: PXL.

Mirror and Decrypt
The Mirror and Decrypt feature on a Security Gateway or Cluster (in versions R80.40
and higher) that performs these actions: (1) Mirror only of all traffic - Clones all traffic
(including HTTPS without decryption) that passes through, and sends it out of the
designated physical interface. (2) Mirror and Decrypt of HTTPS traffic - Clones all
HTTPS traffic that passes through, decrypts it, and sends it in clear-text out of the
designated physical interface. Acronym: M&D.

Mobile Access
Check Point Software Blade on a Security Gateway that provides a Remote Access VPN
access for managed and unmanaged clients. Acronym: MAB.

Multi-Domain Log Server
Dedicated Check Point server that runs Check Point software to store and process logs
in a Multi-Domain Security Management environment. The Multi-Domain Log Server
consists of Domain Log Servers that store and process logs from Security Gateways that
are managed by the corresponding Domain Management Servers. Acronym: MDLS.

Multi-Domain Server
Dedicated Check Point server that runs Check Point software to host virtual Security
Management Servers called Domain Management Servers. Synonym: Multi-Domain
Security Management Server. Acronym: MDS.

Multi-Queue
An acceleration feature on Security Gateway that configures more than one traffic queue
for each network interface. Multi-Queue assigns more than one receive packet queue
(RX Queue) and more than one transmit packet queue (TX Queue) to an interface. Multi-
Queue is applicable only if SecureXL is enabled (this is the default). Acronym: MQ.

Multi-Version Cluster
The Multi-Version Cluster mechanism lets you synchronize connections between cluster
members that run different versions. This lets you upgrade to a newer version without a
loss in connectivity and lets you test the new version on some of the cluster members
before you decide to upgrade the rest of the cluster members. Acronym: MVC.

NAC
Network Access Control. This is an approach to computer security that attempts to unify
endpoint security technology (such as Anti-Virus, Intrusion Prevention, and Vulnerability
Assessment), user or system authentication and network security enforcement. Check
Point's Network Access Control solution is called Identity Awareness Software Blade.

Network Object
Logical object that represents different parts of corporate topology - computers, IP
addresses, traffic protocols, and so on. Administrators use these objects in Security
Policies.

Network Objective
Defines how the cluster will configure and monitor an interface - Cluster, Sync,
Cluster+Sync, Monitored Private, Non-Monitored Private. Configured in SmartConsole >
cluster object > 'Topology' pane > 'Network Objective'.

Network Policy Management
Check Point Software Blade on a Management Server to manage an on-premises
environment with Access Control and Threat Prevention policies.

Non-Blocking Mode
Cluster operation mode, in which the Cluster Member keeps forwarding all traffic.

Non-Dedicated Management Interface
Shared physical interface on VSX Gateway or VSX Cluster Members (supported only in
versions R80.40 and lower), which carries user "production" traffic and through which
Check Point Security Management Server or Multi-Domain Server connects to VSX
Gateway or VSX Cluster Members. Non-DMI configuration requires the use of a Virtual
Router or Virtual Switch. Acronym: Non-DMI.

Non-Monitored Interface
An interface on a Cluster Member, whose Network Type was set as Private in
SmartConsole, in the cluster object.

Non-Pivot
A Cluster Member in the Unicast Load Sharing cluster that receives all packets from the
Pivot Cluster Member.

Non-Sticky Connection
A connection is called non-sticky if the reply packet returns via a different Cluster
Member than the original packet (for example, if the network administrator has configured
asymmetric routing). In Load Sharing mode, all Cluster Members are Active, and in
Static NAT and encrypted connections, the Source and Destination IP addresses
change. Therefore, Static NAT and encrypted connections through a Load Sharing
cluster may be non-sticky.

Observable
Event or stateful property that can be observed in an operational cyber domain.

Open Server
Physical computer manufactured and distributed by a company, other than Check Point.

Package Repository
Collection of software packages that were uploaded to the Management Server. You can
easily install these packages in SmartConsole on the managed Security Gateways.

Packet Selection
Distinguishing between different kinds of packets coming from the network, and
selecting which member should handle a specific packet (Decision Function
mechanism): CCP packet from another member of this cluster; CCP packet from another
cluster or from a Cluster Member with another version (usually an older version of CCP);
packet destined directly to this member; packet destined to another member of this
cluster; packet intended to pass through this Cluster Member; ARP packets.

PDP
Check Point Identity Awareness Security Gateway that acts as Policy Decision Point:
acquires identities from identity sources; shares identities with other gateways.

PEP
Check Point Identity Awareness Security Gateway that acts as Policy Enforcement
Point: receives identities via identity sharing; redirects users to Captive Portal.

Permission Profile
Predefined group of SmartConsole access permissions assigned to Domains and
administrators. With this feature you can configure complex permissions for many
administrators with one definition.

Pingable Host
A host (that is, an IP address) that Cluster Members can ping during the probing
mechanism. Pinging hosts in an interface's subnet is one of the health checks that the
ClusterXL mechanism performs. This pingable host allows the Cluster Members to
determine with more precision what has failed (which interface on which member). On
the Sync network there are usually no hosts. In such a case, if the switch supports it, an IP
address should be assigned on the switch (for example, in the relevant VLAN). The IP
address of such a pingable host should be assigned per this formula: IP_of_pingable_host
= IP_of_physical_interface_on_member + ~10. Assigning the pingable host an IP address
that is higher than the IP addresses of the physical interfaces on the Cluster Members
gives the Cluster Members some time to perform the default health checks. Example:
the IP address of the physical interface on a given subnet on Member_A is 10.20.30.41; the IP
address of the physical interface on a given subnet on Member_B is 10.20.30.42; the IP address
of the pingable host should be at least 10.20.30.5

Pivot
A Cluster Member in the Unicast Load Sharing cluster that receives all packets. Cluster
Virtual IP addresses are associated with Physical MAC Addresses of this Cluster
Member. This Pivot Cluster Member distributes the traffic between other Non-Pivot
Cluster Members.

Policy Layer
Layer (set of rules) in a Security Policy.

Policy Package
Collection of different types of Security Policies, such as Access Control, Threat
Prevention, QoS, and Desktop Security. After installation, Security Gateways enforce all
Policies in the Policy Package.

Preconfigured Mode
Cluster Mode, where cluster membership is enabled on all Cluster Members-to-be.
However, no policy has yet been installed on any of the Cluster Members - none of them
is actually configured to be primary, secondary, and so on. The cluster cannot function if
one Cluster Member fails. In this scenario, the "preconfigured mode" takes place. The
preconfigured mode also comes into effect when no policy is yet installed, right after the
Cluster Members come up after boot, or when running the 'cphaconf init' command.

Predefined Report
Default report included in a Check Point product that you can run right out of the box.

Prevent
UserCheck rule action that blocks traffic and files and can show a UserCheck message.

Primary Multi-Domain Server
The Multi-Domain Security Management Server in Management High Availability that
you install as Primary.

Primary Security Management Server
The Security Management Server in Management High Availability that you install as
Primary.

Primary Up
ClusterXL in High Availability mode that was configured as Switch to higher priority
Cluster Member in the cluster object in SmartConsole: (1) Each Cluster Member is given
a priority (SmartConsole > cluster object > 'Cluster Members' pane). Cluster Member
with the highest priority appears at the top of the table, and Cluster Member with the
lowest priority appears at the bottom of the table. (2) The Cluster Member with the
highest priority will assume the Active state. (3) If the current Active Cluster Member with
the highest priority (for example, Member_A), fails for some reason, or is rebooted, then
failover occurs between Cluster Members. The Cluster Member with the next highest
priority will be promoted to be Active (for example, Member_B). (4) When the Cluster
Member with the highest priority (Member_A) recovers from a failure, or boots, then
additional failover occurs between Cluster Members. The Cluster Member with the
highest priority (Member_A) will be promoted to Active state (and Member_B will return
to Standby state).

Private Interface
An interface on a Cluster Member, whose Network Type was set as 'Private' in
SmartConsole in the cluster object. This interface is not monitored by the cluster, and a failure on
this interface will not cause any changes in the Cluster Member's state.

Probing
If a Cluster Member fails to receive status for another member (does not receive CCP
packets from that member) on a given segment, the Cluster Member probes that segment
in an attempt to elicit a response. The purpose of such probes is to detect the nature of
possible interface failures, and to determine which module has the problem. The
outcome of this probe determines what action is taken next (change the state of an
interface, or of a Cluster Member).

Provisioning
Check Point Software Blade on a Management Server that manages large-scale
deployments of Check Point Security Gateways using configuration profiles. Synonyms:
SmartProvisioning, SmartLSM, Large-Scale Management, LSM.

PSL
Passive Streaming Library. Packets may arrive at Security Gateway out of order, or may
be legitimate retransmissions of packets that have not yet received an acknowledgment.
In some cases, a retransmission may also be a deliberate attempt to evade IPS
detection by sending the malicious payload in the retransmission. Security Gateway
ensures that only valid packets are allowed to proceed to destinations. It does this with
the Passive Streaming Library (PSL) technology. (1) The PSL is an infrastructure layer,
which provides stream reassembly for TCP connections. (2) The Security Gateway
makes sure that TCP data seen by the destination system is the same as seen by code
above PSL. (3) The PSL handles packet reordering, congestion, and is responsible for
various security aspects of the TCP layer, such as handling payload overlaps, some DoS
attacks, and others. (4) The PSL is capable of receiving packets from the Firewall chain
and from the SecureXL. (5) The PSL serves as a middleman between the various
security applications and the network packets. It provides the applications with a
coherent stream of data to work with, free of various network problems or attacks. (6)
The PSL infrastructure is wrapped with well-defined APIs called the Unified Streaming
APIs, which are used by the applications to register and access streamed data.

PSLXL
Technology name for combination of SecureXL and PSL (Passive Streaming Library) in
versions R80.20 and higher. In versions R80.10 and lower, this technology was called
PXL (PacketXL).

Publisher PDP
Check Point Identity Awareness Security Gateway that gets identities from an identity
source/remote PDP and shares identities to a remote PDP. The Publisher PDP: (1)
Initiates an HTTPS connection to the Subscriber PDP for each Identity to be shared (2)
Verifies the CN and OU present in the subject field of the certificate presented (3)
Verifies that the CA's certificate matches the certificate that was approved in advance by
the administrator (4) Checks if the certificate presented is revoked (5) Shares identities
including the information about user(s), machine(s) and Access Roles in the form of
HTTP POST requests.

QoS
Check Point Software Blade on a Security Gateway that provides policy-based traffic
bandwidth management to prioritize business-critical traffic and guarantee bandwidth
and control latency.

QoS Action Properties
Properties that define bandwidth allocation, limits, and guarantees for a security rule.

RDED
Retransmit Detect Early Drop. The bottleneck that results from the connection of a LAN
to the WAN causes TCP to retransmit packets. RDED prevents inefficiencies by
detecting retransmits in TCP streams and preventing the transmission of redundant
packets when multiple copies of a packet are concurrently queued on the same flow.

Ready
State of a Cluster Member after initialization and before promotion to the next
required state - Active / Standby / VRRP Master / VRRP Backup (depending on Cluster
Mode). A Cluster Member in this state does not process any traffic passing through the
cluster. A member can be stuck in this state for several reasons.

Remote Access VPN
An encrypted tunnel between remote access clients (such as Endpoint Security VPN)
and a Security Gateway.

Report
Summary of network activity and Security Policy enforcement that is generated by Check
Point products, such as SmartEvent.

Route-Based VPN
A routing method for participants in a VPN community, defined by network routes.

Rule
Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause
specified actions to be taken for a communication session.

Rule Base
All rules configured in a given Security Policy. Synonym: Rulebase.

Same VMAC
Same Virtual MAC Address (see "VMAC"). When this feature is enabled in a ClusterXL
(in the High Availability or Load Sharing Unicast mode), the Cluster Members use Virtual
MAC (VMAC) addresses on the cluster interfaces instead of the real MAC addresses.
Cluster interfaces that belong to the same subnet get the same VMAC address instead
of their real MAC address. This feature helps avoid issues during the cluster operation,
when switches block ports connected to the Cluster Members.

Secondary Multi-Domain Server
The Multi-Domain Security Management Server in Management High Availability that
you install as Secondary.

Secondary Security Management Server
The Security Management Server in Management High Availability that you install as
Secondary.

SecureXL
Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that
passes through a Security Gateway.

Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and
enforce Security Policies for connected network resources.

Security Management Server
Dedicated Check Point server that runs Check Point software to manage the objects and
policies in a Check Point environment within a single management Domain. Synonym:
Single-Domain Security Management Server.

Security Policy
Collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.

Selection
The packet selection mechanism is one of the central and most important components in
the ClusterXL product and State Synchronization infrastructure for 3rd-party clustering
solutions. Its main purpose is to decide (to select) correctly what has to be done to the
incoming and outgoing traffic on the Cluster Member. (1) In ClusterXL, the packet is
selected by Cluster Member(s) depending on the cluster mode: In HA modes - by Active
member; In LS Unicast mode - by Pivot member; In LS Multicast mode - by all members.
Then the Cluster Member applies the Decision Function (and the Cluster Correction
Layer). (2) In 3rd-party / OPSEC cluster, the 3rd-party software selects the packet, and
Check Point software just inspects it (and performs State Synchronization).

Service Account
In Microsoft® Active Directory, a user account created explicitly to provide a security
context for services running on Microsoft® Windows® Server.

SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over SSL,
for secure communication. This authentication is based on the certificates issued by the
ICA on a Check Point Management Server.

Silent Standby
In the ClusterXL High Availability mode, this feature configures the Standby cluster
member to communicate only through the Active cluster member. This feature is useful
when it is necessary to connect from Standby cluster members to a host / server on the
network.

Site to Site VPN
An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site
VPN. Contractions: S2S VPN, S-to-S VPN.

SmartConsole
Check Point GUI application used to manage a Check Point environment - configure
Security Policies, configure devices, monitor products and events, install updates, and
so on.

SmartDashboard
Legacy Check Point GUI client used to create and manage the security settings in
versions R77.30 and lower. In versions R80.X and higher, it is still used to configure
specific legacy settings.

SmartEvent Correlation Unit
SmartEvent software component on a SmartEvent Server that analyzes logs and detects
events.

SmartEvent Server
Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts
the events database.

SmartProvisioning
Check Point Software Blade on a Management Server (the actual name is
"Provisioning") that manages large-scale deployments of Check Point Security
Gateways using configuration profiles. Synonyms: Large-Scale Management,
SmartLSM, LSM.

SmartUpdate
Legacy Check Point GUI client used to manage licenses and contracts in a Check Point
environment.

Software Blade
Specific security solution (module): (1) On a Security Gateway, each Software Blade
inspects specific characteristics of the traffic (2) On a Management Server, each
Software Blade enables different management capabilities.

Standalone
Configuration in which the Security Gateway and the Security Management Server
products are installed and configured on the same server.

Standby
State of a Cluster Member that is ready to be promoted to Active state (if the current
Active Cluster Member fails). Applies only to ClusterXL High Availability Mode.

Standby Domain Server
All Domain Management Servers for a Domain that are not designated as the Active
Domain Management Server.

Standby Security Management Server
The Security Management Server in Management High Availability that is currently
configured as Standby.

State Synchronization
Technology that synchronizes the relevant information about the current connections
(stored in various kernel tables on Check Point Security Gateways) among all Cluster
Members over Synchronization Network. Due to State Synchronization, the current
connections are not cut off during cluster failover.

Sticky Connection
A connection is called sticky, if all packets are handled by a single Cluster Member (in
High Availability mode, all packets reach the Active Cluster Member, so all connections
are sticky).

STIX
Structured Threat Information eXpression™. A language that describes cyber threat
information in a standardized and structured way.

Subscriber PDP
Check Point Identity Awareness Security Gateway that gets identities from a remote
PDP. The Subscriber PDP: (1) Presents the configured SSL certificate to the Publisher
PDP (2) Receives the information from the Publisher PDP after verifying the pre-shared
secret in the POST requests.

Subscribers
User Space processes that are made aware of the current state of the ClusterXL state
machine and other clustering configuration parameters. A list of such subscribers can be
obtained by running the 'cphaconf debug_data' command.

Sync Interface
An interface on a Cluster Member, whose Network Type was set as Sync or
Cluster+Sync in SmartConsole in the cluster object. This interface is monitored by the cluster,
and a failure on this interface will cause cluster failover. This interface is used for State
Synchronization between Cluster Members. The use of more than one Sync Interface
for redundancy is not supported because the CPU load will increase significantly due to
duplicate tasks performed by all configured Synchronization Networks. Synonyms:
Secured Interface, Trusted Interface.

Synchronization Network
A set of interfaces on Cluster Members that were configured as interfaces over which
State Synchronization information will be passed (as Delta Sync packets). The use of
more than one Synchronization Network for redundancy is not supported because the
CPU load will increase significantly due to duplicate tasks performed by all configured
Synchronization Networks. Synonyms: Sync Network, Secured Network, Trusted
Network.

System Counter
SmartView Monitor data or report on status, activity, and resource usage of Check Point
products.

Target Domain Management Server
Domain Management Server on a Multi-Domain Server, on which you configured the
objects of your Virtual Systems. In this case, the object of your VSX Gateway or VSX Cluster
is defined on a different Domain Management Server (Main Domain Management
Server).

Terminal Servers Identity Agent
Dedicated client agent installed on a Microsoft® Windows-based application server that
hosts Terminal Servers, Citrix XenApp, and Citrix XenDesktop services. This client agent
acquires and reports identities to the Check Point Identity Awareness Security Gateway.
In the past, this client agent was called Multi-User Host (MUH) Agent. You can download
the Terminal Servers Identity Agent from Support Center.

Threat Emulation
Check Point Software Blade on a Security Gateway that monitors the behavior of files in
a sandbox to determine whether or not they are malicious. Acronym: TE.

Threat Emulation Private Cloud Appliance
Check Point appliance that is certified to support the Threat Emulation Software Blade.

Threat Extraction
Check Point Software Blade on a Security Gateway that removes malicious content from
files. Acronym: TEX.

ThreatCloud
The cyber intelligence center of all of Check Point products. Dynamically updated based
on an innovative global network of threat sensors and invites organizations to share
threat data and collaborate in the fight against modern malware.

ThreatCloud Repository
Cloud database with more than 250 million Command and Control (C&C) IP, URL, and
DNS addresses and over 2,000 different botnet communication patterns, used by the
ThreatSpect engine to classify bots and viruses. See:
https://www.checkpoint.com/infinity-vision/threatcloud/

ThreatSpect Engine
Unique multi-tiered engine that analyzes network traffic and correlates data across
multiple layers (reputation, signatures, suspicious mail outbreaks, behavior patterns) to
detect bots and viruses.

Transactions
In the context of the Identity Collector, involves the aggregation of events from identity
sources, the creation of a request, and the sending of this request to a target. The target
then replies with a response. A transaction refers to this request-response.

Updatable Object
Network object that represents an external service, such as Microsoft 365, AWS, Geo
locations, and more.

URL Filtering
Check Point Software Blade on a Security Gateway that allows granular control over
which web sites can be accessed by a given group of users, computers or networks.
Acronym: URLF.

User Database
Check Point internal database that contains all users defined and managed in
SmartConsole.

User Directory
Check Point Software Blade on a Management Server that integrates LDAP and other
external user management servers with Check Point products and security solutions.

User Group
Named group of users with related responsibilities.

User Template
Property set that defines a type of user on which a security policy will be enforced.

UserCheck
Functionality in your Security Gateway or Cluster and endpoint clients that gives users a
warning when there is a potential risk of data loss or security violation. This helps users
to prevent security incidents and to learn about the organizational security policy.

Virtual Device
Logical object that emulates the functionality of a type of physical network object. A Virtual
Device can be one of these: Virtual Router, Virtual System, or Virtual Switch.

Virtual Router
Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical
router. Acronym: VR.

Virtual Switch
Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical
switch. Acronym: VSW.

Virtual System
Virtual Device on a VSX Gateway or VSX Cluster Member that implements the
functionality of a Security Gateway. Acronym: VS.

Virtual System Load Sharing
VSX Cluster technology that assigns Virtual System traffic to different Active Cluster
Members. Acronym: VSLS.

VMAC
Virtual MAC Address. When this feature is enabled in a ClusterXL (in the High
Availability or Load Sharing Unicast mode), the current Active or Pivot Cluster Member
sends Gratuitous ARP Requests (G-ARP) for its Cluster Virtual IP (VIP) addresses and
Virtual MAC (VMAC) addresses in G-ARP updates. Cluster Members create a VMAC
address for each Cluster VIP address. This feature helps avoid issues during a cluster
failover, when switches do not integrate G-ARP updates into their ARP cache table.

VPN Community
A named collection of VPN domains, each protected by a VPN gateway.

VPN Tunnel
An encrypted connection between two hosts using standard protocols (such as L2TP) to
encrypt traffic going in and decrypt it coming out, creating an encapsulated network
through which data can be safely shared as though on a physical private line.

VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a computer
or cluster with virtual abstractions of Check Point Security Gateways and other network
devices. These Virtual Devices provide the same functionality as their physical
counterparts.

VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that provide
the functionality of physical network devices. It holds at least one Virtual System, which
is called VS0.

Warp Jump
If two Virtual Systems connect to the same Virtual Switch or Virtual Router, then
internally traffic that must pass from a network behind one Virtual System to a network
behind another Virtual System, "jumps" from one Virtual System to another Virtual
System without passing through the Virtual Switch or Virtual Router.

Warp Link
Logical interface that is created automatically in a VSX topology between: (1) Virtual
System and Virtual Switch (2) Virtual System and Virtual Router. Acronym: WRP.

WFQ
Weighted Fair Queuing. An algorithm to precisely control bandwidth allocation in QoS.

WFRED
Weighted Flow Random Early Drop. A mechanism for managing the packet buffers of
QoS. Adjusting automatically and dynamically to the network traffic situation, WFRED
remains transparent to the user.

Zero Phishing
Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides
real-time phishing prevention based on URLs. Acronym: ZPH.
