Thursday, June 23, 2011

Checkpoint useful command reference

(excluding switch options)


cpconfig reconfigures an existing VPN-1/Firewall-1 installation

cpstart starts all Check Point applications running on a machine
(invokes fwstart, fgstart, uagstart, etc.)

cpstop stops all Check Point applications running on a machine

fwstart loads the VPN-1/Firewall-1 Module and starts:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons

fwstop kills the following processes:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons
It also unloads the VPN-1/Firewall-1 Module

cp_permission sets up the permissions for CPMI


fw load compiles and installs a Security Policy to the target VPN-1/
Firewall-1 Modules. This is done in one of two ways:
1. fw load compiles and installs an Inspection Script (*.pf) file to
the designated VPN-1/Firewall-1 Modules.
2. fw load converts a Rule Base (*.W) file created by the GUI into an
Inspection Script (*.pf) file, then installs it to the
designated VPN-1/Firewall-1 Modules.

fw bload compiles and installs a Security Policy to the target embedded
VPN-1/Firewall-1 Modules. This is done in one of two ways:
1. fw bload compiles and installs an Inspection Script (*.pf) file to the
Firewall-1 embedded system specified by
2. fw bload converts a Rule Base (*.W) file created by the GUI
into an Inspection Script (*.pf) file and then compiles and
installs it to the Firewall-1 embedded system specified by

fw unload uninstalls the currently loaded Inspection Code from selected

fw fetch fetches the Inspection Code from the specified host and installs
to the kernel

fw putkey installs a VPN-1/Firewall-1 authentication password on a host.
This password is used to authenticate internal communications
between VPN-1/Firewall-1 Modules and between a Check
Point Module and Management Server. That is, the password
is used to authenticate the control channel the first time
communication is established.

fw dbload downloads the user database and network object information
(for example, encryption keys) to selected targets


cpstat displays the status of target hosts in various formats
(replaces fwstat, fw fgstat, fgate state, etc.)

cpstat_monitor a utility that runs on the Check Point Management Station
which can trigger pre-defined actions when the system
changes its status or when an event has occurred.
This is done by defining limits (or thresholds) on status
parameters, and actions to be taken.

fw lichosts prints a list of hosts protected by the VPN-1/Firewall-1/n
products. The list of hosts is in the file $FWDIR/database/

fw ver displays the VPN-1/Firewall-1 major version number, the build
number, and a copyright notice

fw sam inhibits (blocks) connections to and from specific IP addresses
without the need to change the Security Policy. The command is


fw ctl sends control information to the VPN-1/Firewall-1 Kernel Module
pstat displays VPN-1/Firewall-1 internal statistics
iflist displays the IP interfaces known to the kernel by name and
internal number
arp displays ARP proxy table

fw kill sends a signal to a VPN-1/Firewall-1 daemon

fwm the VPN-1/Firewall-1 Management Server in the Client/Server
implementation of the Management Server, and is used for
communicating with the GUI and adding, updating, and removing admini-

fwell manages Access Lists for Wellfleet (Bay Networks) routers

fw tab displays the content of INSPECT tables on the target hosts in
various formats.

snmp_trap sends an SNMP trap to the specified host. The message may
appear in the command line, or as one in the program input

dynamic_objects specifies an IP address to which the dynamic object will
be resolved on this machine

dbedit edits the objects file on the Management Server

queryDB_util enables searching the object database according to search

Log File Management

fw log displays the content of Log Files

fw logswitch creates a new Log File. The current Log File is
closed and renamed $FWDIR/log/date.log and a new Log
File with the default name ($FWDIR/log/fw.log) is created

fw logexport exports the Log File to an ASCII file

fw repairlog rebuilds a Log File's pointer files. The three files fw.logptr,
fw.loginitial_ptr and fw.logaccount_ptr are recreated from
data in the specified Log File


cphastart - enables the High Availability feature on the machine. In NT,
this is done when the VPN-1/Firewall-1 Module is started. In
Solaris, the cphastart command is part of the fwstart script

cphastop - disables the High Availability feature on the machine

cphaprob - defines critical processes. When a critical process fails, the
machine is considered to have failed.

cpha_export (Solaris only) writes MAC address information to stdout. If
the output is redirected to a file, it can be
input (stdin) to cpha_import on another

cpha_import (Solaris only) imports MAC address information from stdin
and updates the machine's MAC address
accordingly. The normal procedure is to
redirect stdin to read a file created by
cpha_export on the primary machine

fw hastat displays information about High Availability machines and their


fw dbimport imports users into the VPN-1/Firewall-1 User Database from
an external file. You can create this file yourself, or use a file
generated by fw dbexport

fw dbexport - exports the VPN-1/Firewall-1 User Database to a file. The
file may be in one of the following formats:
1. the same format as the import file for fw dbimport
2. LDIF format, which can be imported into an LDAP
Server using ldapmodify

ldapmodify - imports users to an LDAP server. The input file must be in
the LDIF format

fw ldapsearch - queries an LDAP directory and returns the results

fw expdate - changes the expiration date of users (but not templates) in the
VPN-1/Firewall-1 User Database to the date specified by the
first parameter. This change can be optionally applied only to
selected users by specifying the second parameter


fw ca putkey distributes the Certificate Authority Key to a Check Point

fw ca genkey - is used to generate the Certificate Authority Key on a
Management Server

fw certify ssl is used to generate a Certificate Authority certificate on a
Check Point Module

fw internalca - enables hybrid authentication mode, which allows the
server to perform IKE key exchange with the clients using
authentication schemes non-interoperable with IKE.

Instructs the Management Server to initiate an Internal CA,
which involves creating an Internal CA database,
generating public and private keys, issuing a certificate and
saving it.

fw ikecrypt - encrypts the password of a SecuRemote user using IKE.
The resulting string must then be stored in the LDAP

fw sic_reset - resets Secure Internal Communication (SIC) on the
Management Server. The user will be prompted before
the operation actually takes place.

This command deletes the internal Certificate Authority,
deletes the Management Server certificate, deletes the
Certificate Revocation List (CRL), and updates the objects


cplic put - is used to install one or more Local licenses. This command
installs a license on a local machine; it cannot be performed

cplic print - prints details of Check Point licenses on the local machine.
On a Module, this command will print all licenses that are
installed on the local machine, both Local and Central

cplic del - deletes a single Check Point license on a host. Use it to delete
unwanted evaluation, expired and other licenses. On a Module,
this command will work only for a Local license.

cplic check is used to check whether the license on the machine will allow
a given feature to be used. This command is used mainly for
Technical Support purposes.

cprlic put can be used only from the Management Server, to attach
(install) one or more:
- Central licenses on an NG Module
- Local licenses on the appropriate NG Module
- Version 4.1 licenses on the appropriate version 4.1 Module

cprlic add - is used to add one or more licenses to the license repository
on the Management Server.

cprlic print - displays the details of Check Point licenses stored in the
license repository on the Management Server

cprlic del is used to detach a Central license from an NG Module. This
command deletes the license from the Module. A Central
license remains in the repository as an unattached license.
The license is available for attachment to another Module.
This command can be executed only on a Management
cprlic rm - removes a license from the license repository on the
Management Server. It can be executed ONLY after the
license was detached using the cprlic del command.
Once the license has been removed from the repository,
it can no longer be used. To re-use it, use the cprlic add
or cprlic put command.

cprlic get - retrieves all licenses from a Module into the license
repository on the Management Server. Do this to synchronize
the repository with the Module, if NG and version 4.1 Local
licenses were added (or deleted) locally, and hence do not yet
(or still) exist in the license repository. Retrieving licenses
will also delete from the repository Local licenses that do
not exist on the Module.


cppkg add is used to add an installation package file to the Product
Repository. The package file can be located on a CD or a
local or network drive. cppkg does not overwrite existing
packages. Only SecureUpdate packages can be added to the
Product Repository.

cppkg delete is used to delete a product package from the repository.

cppkg search - is used to list the contents of the Product Repository. Use
this command to see the product and OS strings required
to install a product package using the cprinstall command,
or to delete a package using the cppkg delete command.

cppkg setroot - is used to create a new repository root directory location,
and to move existing product packages into the new
repository. The default Product Repository location is
created when the Management Server is installed.

cppkg getroot - is used to find out the location of the Product Repository

cprinstall get - is used to obtain details of the products and the Operating
System installed on the specified Module, and to update
the Product Repository database.

cprinstall test - is used to test whether the product can be installed on
a remote Module. It verifies that the Operating System and
currently installed products are appropriate for the package,
and that there is enough disk space to install the product.

cprinstall install is used to install Check Point products on remote

cprinstall uninstall is used to uninstall products on remote Modules

cprinstall boot is used to boot the remote computer

cprinstall stop is used to stop the operation of other cprinstall commands.
In particular, this command stops the remote installation of
a product even during transfer of files, file extraction,
and pre-installation testing. The operation can be stopped
at any time up to the actual installation.


vpn accel - used for turning on (or off) the accelerator card. When it is
installed, it is enabled by default. You can also check its
status with the command vpn accel stat

lunadiag - a software diagnostics utility specific to the Luna accelerator
card in the Luna package. The utility is documented in the
file lunadiag.txt


vpn ver - displays the VPN-1 major version number, the build number, and
a copyright notice. Usage and options are the same as for fw ver

vpn debug - debug the VPN-1 daemon

vpn drv - installs the VPN-1 kernel (vpnk) and connects to the Firewall-1
kernel (fwk)

vpn intelrng - displays the status of the Intel RNG (random number
generator). This command is a Windows NT and Windows
2000 only command.


cpwd_admin - is used to show the status of processes, and to configure

cpridstop - used to stop cprid

cpridstart - used to start cprid (cprid is independent of cpstart and


etmstart - loads the FloodGate Module and starts the FloodGate-1 daemon
(fgd). Also starts the Management Server, provided it is on the
same machine as the FloodGate Module.

etmstop - kills the FloodGate-1 daemon (fgd) and then unloads the
FloodGate Module. Also stops the Management Server,
provided it is on the same machine as the FloodGate Module.

fgate load - installs a QoS Policy on the specified FloodGate Modules.
If targets is not specified, the QoS Policy is installed on
the local host.

fgate unload - uninstalls a QoS Policy from the specified FloodGate

fgate fetch - fetches the FloodGate QoS Policy that was last installed on
the local host. You must specify the machine where the
FloodGate QoS Policy is found. Use localhost in case
there is no Management Server or if the Management
Server is down.

fgate stat - displays the status of target hosts in various formats. The
default format displays the following information for each
host: host name, Rule Base (or FloodGate Module) file name,
date and time loaded, and the interface and direction loaded.

fgate ver - displays the FloodGate-1 version number. The version of the
GUI is displayed in the opening screen, and can be viewed
at any time from the Help menu.

fgate kill - sends a signal to a FloodGate-1 daemon


upgrade_fwopsec - upgrades OPSEC configuration information on the
Management Server from pre-NG to NG format, based
on the upgraded Module information. If you have not
changed any of the defaults, then there is no need to
run the upgrade_fwopsec command. However, if you
have changed the defaults, then you should run the
upgrade_fwopsec command.


fwstop-default - kills VPN-1/Firewall-1 processes and loads the Default

fwstop-proc - kills VPN-1/Firewall-1 processes but keeps the current
kernel policy. The Security Policy remains loaded in the
kernel, though user mode processes (cpd, fwd, fwm, vpnd,
fwssd) don't work. Logs, kernel traps, resources, and all
security server connections will stop working. The state
of the kernel remains unchanged. Whatever was loaded in
the kernel is kept. Therefore, rules with generic allow/
reject/drop rules, based only on service will continue
control_bootsec enables or disables Boot Security. The command turns
both the Default Filter and the initial policy off or on,
in the correct sequence.

fwboot bootconf used to change IP Forwarding or Default Filter settings.
This command is located in $FWDIR/boot

comp_init_policy u - removes the current initial policy, and ensures that
it won't be generated in the future when cpconfig
is run

comp_init_policy g - generates the initial policy and ensures that it will
be loaded the next time a policy is fetched (at
fwstart, or at next boot, or via the fw fetch localhost
command). After running this command, cpconfig
will add an initial policy when needed.

defaultfilter.boot - installed by default. It allows:
- all outgoing communications
- incoming communications on ports through which there were previous
outgoing communications
- ICMP packets
- broadcast packets

defaultfilter.drop - drops all communications in and out of the gateway
during the period of vulnerability. If the boot process
requires that the gateway communicate with other
hosts, then the drop default Security Policy should not
be used.

fw defaultgen - used to compile the default filter
