Checkpoint firewall common commands part 3

For administration and configuration tasks:

cpconfig -Menu based configuration tool. Options depend on the installed products and modules.

sysconfig -Start SPLAT OS and Check Point product configuration tool.

cp_conf admin add <user> <pass> <perm> -Add admin user <user> with password <pass> and permissions <perm>, where w is read/write access and r is read only. Note: permission w does not allow account administration.

cp_admin_convert -Export admin definitions created in cpconfig to SmartDashboard.

fwm lock_admin -v -View list of locked administrators.

fwm lock_admin -u <user> -Unlock admin user <user>. Unlock all with -ua.

cp_conf admin del <user> -Delete the admin account <user>.

fwm expdate <dd-mmm-yyyy> [-f <dd-mmm-yyyy>] -Set a new expiration date for all users, or with -f only for users matching the expiration date filter. Example: fwm expdate 31-Dec-2020 -f 31-Dec-2014.

cp_conf client add <ip>, cp_conf client del <ip> -Add/delete GUI clients. You can delete multiple clients at once.

cpca_client -Manage parts of the ICA. View, create and revoke certificates, start and stop the ICA Web Tool.

patch add cd <patch> -Install the patch <patch> from CD.

lvm_manager -Manage partition sizes on GAiA. See sk95566 for info and download link.

show users -Show configured users and their homedir, UID/GID and shell.

add user <user> -Add a new user with username <user>.

set user <user> shell <shell> -Set the login shell of user <user> to <shell>. Setting <shell> to e.g. /bin/bash will log <user> directly into expert mode.

set user <user> password -Set new password for <user>.

set selfpasswd -Change your own password.

set expert-password -Set or change password for entering expert mode.

save config -Save configuration changes.

showusers -Display a list of configured SecurePlatform administrators.

adduser <user> -Add a new user with username <user>.

chsh -s <shell> <user> -Change the login shell for <user> to <shell> on SPLAT.

passwd -Change your own password.

passwd -Change expert password in expert mode on SPLAT systems.

start transaction -Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit, or discarded if you exit with rollback.

show version os edition -Show which OS edition (32 or 64-bit) is running.

set edition default 32-bit|64-bit -Switch between 32 and 64-bit kernel. 64-bit needs at least 6GB of RAM (or 1GB running in a VM).

For backup and restore:

add backup -Create backup in /var/CPbackup/backups/ or on a remote server (scp/ftp/tftp).
Example:
add backup local
add backup scp ip <ip> path </pa/th/> username <user> interactive

set backup restore -Restore backup.
Examples:
set backup restore local <TAB>
set backup restore scp ip <ip> path </pa/th/> file <file> username <user> interactive

show backups -List locally stored backups.

add snapshot, delete snapshot -Add and delete system snapshots. Example: add snapshot <name> [descr "my description"]

set snapshot revert, set snapshot export, set snapshot import -Export/import or revert to a certain system snapshot. E.g.:
set snapshot revert <name>
set snapshot export <name> path <path> name <name>

show snapshots -Show list of local snapshots.

upgrade_export <file>, migrate export <file> -Tool from $FWDIR/bin/upgrade_tools. Saves only the Check Point configuration (policy, objects…) and no OS settings.

upgrade_import <file>, migrate import <file> -Import a config package generated with the migrate tools.

backup -Create backup in /var/CPbackup/backups/ or on a remote server (scp/ftp/tftp). Also see sk54100.
Examples:
backup [-f <file>]
backup --scp <ip> <user> <pass> [-path </pa/th/> <file>]

restore -Restore backup from local package or via scp/ftp/tftp. Delete local backup packages. Menu based.

snapshot -Take a snapshot of the entire system. Without options it's menu based. Note: cpstop is issued!
Examples:
snapshot --file <file>
snapshot --scp <ip> <user> <pass> <file>

revert -Reboot system from snapshot. Same syntax as snapshot.

For VPN troubleshooting:

vpn tu -Start a menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.

vpn shell -Start the VPN shell.

vpn debug ikeon|ikeoff -Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool.

vpn debug on|off -Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg.

vpn debug trunc -Truncate and stamp logs, enable IKE & VPN debug.

vpn drv stat -Show status of VPN-1 kernel module.

vpn overlap_encdom -Show, if any, overlapping VPN domains.

vpn macutil <user> -Show MAC for SecuRemote user <user>.

For Multi-Domain Security Management:

mdsconfig -MDS replacement for cpconfig.

mdsenv [dms_name] -Set the environment variables for MDS or DMS level.

mdsstart [-m|-s], mdsstop [-m] -Starts/stops the MDS and all DMS (10 at a time). Start only the MDS with -m, or the DMS subsequently with -s.

mdsstat [dms_name]|[-m] -Show status of the MDS and all DMS, or of a certain customer's DMS. Use -m for MDS status only.

cpinfo -c <dms> -Create a cpinfo for the customer DMS <dms>. Remember to run mdsenv <dms> in advance.

mcd <dir> -Change directory to $FWDIR/<dir> of the current DMS.

mdsstop_customer <dms> -Stop single DMS <dms>.

mdsstart_customer <dms> -Start single DMS <dms>.

mds_backup [-l] [-d directory] -Backup binaries and data to the current directory. Change the output directory with -d, exclude logs with -l, do a dry run with -v. You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat.

./mds_restore <file> -Restore MDS backup from <file>. Notice: you may need to copy mds_backup from $MDSDIR/scripts/, as well as gtar and gzip from $MDS_SYSTEM/shared/, to the directory with the backup file. Normally, mds_backup does this during backup.

cma_migrate -Import, and if necessary upgrade, a management server or DMS database package created with export_database.

mdscmd <subcmds> [-m mds -u user -p pass] -Connect to a (remote) MDS as CPMI client and configure or manage it. See mdscmd help.

vsx_util <subcommand> -Perform VSX maintenance from the main DMS. See vsx_util -h for subcommands.

For ClusterXL configuration and troubleshooting:

cphaprob state -View HA state of all cluster members.

cphaprob -a if -View interface status and CCP state.

cphaprob -ia list -View list and state of critical cluster devices.

fw hastat -View HA state of local machine.

cp_conf ha enable|disable [norestart] -Enable or disable HA.

cphastart, cphastop -Enable/disable ClusterXL on the cluster member. In HA Legacy Mode cphastop might stop the entire cluster.

cphaprob syncstat -View sync transport layer statistics. Reset with -reset.

fw ctl pstat -View sync status and packet statistics. See sk34476.

fw ctl setsync <off|start> -Stop or start synchronization in a cluster.

fw -d fullsync <member-ip> -Start a full synchronization with debugging output.

cphaconf set_ccp <broadcast|multicast> -Configure the Cluster Control Protocol (CCP) to use broadcast or multicast messages. By default set to multicast.

cphaconf debug_data -View multicast MAC addresses used.

clusterXL_admin [-p] <up|down> -Perform a graceful manual failover by registering a fail device. The state survives a reboot when the -p switch is set.

show vrrp interfaces -Detailed status of VRRP interfaces. For a brief overview you can also use show vrrp in the iclid shell.

cphaprob tablestat -View IPs and interface IDs for all cluster members.

cphaprob igmp -View IGMP status for CCP multicast mode.