Check Point CLI
Informational
Useful Check Point Commands

| Command | Description |
|---|---|
| `cpconfig` | change SIC, licenses and more |
| `cpview -t` | show top-style performance counters |
| `cphaprob stat` | list the state of the high availability cluster members. Should show active and standby devices. |
| `cphaprob -a if` | display status of monitored interfaces in a cluster |
| `cphaprob -l list` | display registered cluster devices and status |
| `cphaprob syncstat` | display sync transport layer statistics |
| `cphaprob ldstat` | display sync serialization statistics |
| `cphastop` | stop a cluster member from passing traffic. Stops synchronization. (emergency only) |
| `clusterXL_admin down -p` | disable this node from cluster membership |
| `cphaconf cluster_id get` | get cluster Global ID membership |
| `cphaconf set_ccp broadcast/multicast` | set cluster mode |
| `cplic print` | license information |
| `cpstart` | start all Check Point services |
| `cpstat fw` | show policy name, policy install time and interface table |
| `cpstat ha` | high availability state |
| `cpstat blades` | top rule hits and number of connections |
| `cpstat os -f all` | Check Point interface table, routing table, version, memory status, CPU load, disk space |
| `cpstat os -f cpu` | Check Point CPU status |
| `cpstat os -f multi_cpu` | Check Point CPU load distribution |
| `cpstat os -f sensors` | hardware environment (temperature/fan/voltage) |
| `cpstat os -f routing` | Check Point routing table |
| `cpstat mg -f log_server` | monitor log server performance (events/sec) |
| `cpstop` | stop all Check Point services |
| `cpwd_admin monitor_list` | list processes actively monitored. Firewall should contain cpd and vpnd. |
| `show sysenv all` | show hardware sensors (fans, power supply, temp, volt) |
| `show asset all` | show serial numbers and hardware info |
| `show route destination xx.xx.xx.xx` | show routing for specific host |
| `ip route get xx.xx.xx.xx` | show routing for specific host |
| `iclid` / `show cluster state` | show cluster failover history |
| `promote_util` | promote the Secondary Management server to become the Primary server |
| `cp_conf sic init key123 norestart` | reset SIC without restarting the firewall process |

Useful FW Commands

| Command | Description |
|---|---|
| `fw ver` | firewall version |
| `fw ctl iflist` | show interface names |
| `fw ctl pstat` | show control kernel memory and connections |
| `fwaccel stat` | show SecureXL status |
| `fw fetch` | get the policy from the firewall manager |
| `fwm load` | compile and install a policy on the target's gateways. |
| `fw getifs` | list interfaces and IP addresses |
| `fw log` | show the content of the connections log |
| `fw log -b "MMM DD, YYYY HH:MM:SS" "MMM DD, YYYY HH:MM:SS"` | search the current log for activity between specific times |
| `fw log -c drop` | search for dropped packets in the active log; accept or reject can be used in place of drop |
| `fw log -f` | tail the current log |
| `fwm logexport -i -o` | export an old log file on the firewall manager |
| `fw logswitch` | rotate logs |
| `fw lslogs` | list firewall logs |
| `fw stat` | firewall status; should contain the name of the policy and the relevant interfaces. |
| `fw stat -l` | show which policy is associated with which interface, and packet drop, accept and reject |
| `fw tab` | display firewall tables |
| `fw tab -s -t connections` | number of connections in state table |
| `fw tab -f -t vpn_routing -u` | routing for remote VPNs |
| `fw tab -s -t userc_users` | number of remote users connected (VPN) |
| `fw tab -t xlate -x` | clear all translated entries |
| `fw unloadlocal` | clear local firewall policy |
| `fw monitor -e "accept host(10.1.1.10);"` | trace the packet flow to/from the specified host |
| `fw ctl zdebug + drop \| grep -E 'x.x.x.x\|y.y.y.y'` | check why your packet is being dropped |