Check Point firewall common commands, Part 3
For administration and configuration tasks:
cpconfig -Menu based configuration tool. Options depend on the installed products and modules.
sysconfig -Start SPLAT OS and Check Point product configuration tool.
cp_conf admin add <user> <pass> <perm> -Add admin user <user> with password <pass> and permissions <perm>, where w is read/write access and r is read-only. Note: permission w does not allow account administration.
cp_admin_convert -Export admin definitions created in cpconfig to SmartDashboard.
fwm lock_admin -v -View list of locked administrators.
fwm lock_admin -u <user> -Unlock admin user <user>. Unlock all with -ua.
cp_conf admin del <user> -Delete the admin account <user>.
fwm expdate <dd-mmm-yyyy> [-f <dd-mmm-yyyy>] -Set a new expiration date for all users, or with -f only for users whose current expiration date matches the filter: fwm expdate 31-Dec-2020 -f 31-Dec-2014.
cp_conf client add <ip>,cp_conf client del <ip> -Add/delete GUI clients. You can delete multiple clients at once.
cpca_client -Manage parts of the ICA. View, create and revoke certificates, start and stop the ICA Web Tool.
patch add cd <patch> -Install the patch <patch> from CD.
lvm_manager -Manage partition sizes on GAiA. See sk95566 for info and download link.
show users -Show configured users and their homedir, UID/GID and shell.
add user <user> -Add a new user with username <user> .
set user <user> shell <shell> -Set the login shell of user <user> to <shell>. Setting <shell> to e.g. /bin/bash will log <user> directly into expert mode.
set user <user> password -Set new password for <user> .
set selfpasswd -Change your own password.
set expert-password -Set or change password for entering expert mode.
save config -Save configuration changes.
showusers -Display a list of configured SecurePlatform administrators.
adduser <user> -Add a new user with username <user> .
chsh -s <shell> <user> -Change the login shell for <user> to <shell> on SPLAT.
passwd -Change your own password.
passwd -Change expert password in expert mode on SPLAT systems.
start transaction -Start transaction mode. All changes made will be applied at once if you exit transaction mode with commit, or discarded if you exit with rollback.
show version os edition -Show which OS edition (32 or 64-bit) is running.
set edition default 32-bit|64-bit -Switch between 32 and 64-bit kernel. 64-bit needs at least 6GB of RAM (or 1GB running in a VM).
For backup and restore:
add backup -Create backup in /var/CPbackup/backups/ or on a remote server (scp/ftp/tftp).
Example:
add backup local
add backup scp ip <ip> path </pa/th/> username <user> interactive
set backup restore -Restore a backup.
Examples:
set backup restore local <TAB>
set backup restore scp ip <ip> path </pa/th/> file <file> username <user> interactive
show backups -List locally stored backups.
add snapshot,delete snapshot -Add and delete system snapshots. Example: add snapshot <name> [descr "my description"]
set snapshot revert,set snapshot export,set snapshot import -Export/import or revert to a certain system snapshot. E.g.:
set snapshot revert <name>
set snapshot export <name> path <path> name <name>
show snapshots -Show list of local snapshots.
upgrade_export <file>,migrate export <file> -Tool from $FWDIR/bin/upgrade_tools. Saves only the Check Point configuration (policy, objects...) and no OS settings.
upgrade_import <file>,migrate import <file> -Import config package generated with migrate tools.
backup -Create backup in /var/CPbackup/backups/ or on a remote server (scp/ftp/tftp). Also see sk54100.
Examples:
backup [-f <file>]
backup --scp <ip> <user> <pass> [-path </pa/th/> <file>]
restore -Restore backup from local package or via scp/ftp/tftp. Delete local backup packages. Menu based.
snapshot -Take a snapshot of the entire system. Without options it's menu based. Note: cpstop is issued!
Examples:
snapshot --file <file>
snapshot --scp <ip> <user> <pass> <file>
revert -Reboot system from snapshot. Same syntax as snapshot.
For VPN troubleshooting:
vpn tu -Start a menu based VPN TunnelUtil program where you can list and delete Security Associations (SAs) for peers.
vpn shell -Start the VPN shell.
vpn debug ikeon|ikeoff -Debug IKE into $FWDIR/log/ike.elg . Analyze ike.elg with the IKEView tool.
vpn debug on|off -Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg.
vpn debug trunc -Truncate and stamp logs, enable IKE & VPN debug.
vpn drv stat -Show status of VPN-1 kernel module.
vpn overlap_encdom -Show overlapping VPN encryption domains, if any.
vpn macutil <user> -Show the MAC for SecuRemote user <user>.
For Multi domain security management:
mdsconfig -MDS replacement for cpconfig.
mdsenv [dms_name] -Set the environment variables for MDS or DMS level.
mdsstart [-m|-s],mdsstop [-m] -Start/stop the MDS and all DMSs (10 at a time). Start only the MDS with -m, or start the DMSs one after another with -s.
mdsstat [dms_name]|[-m] -Show status of the MDS and all DMSs, or of a certain customer's DMS. Use -m for MDS status only.
cpinfo -c <dms> -Create a cpinfo for the customer DMS <dms>. Remember to run mdsenv <dms> first.
mcd <dir> -Change directory to $FWDIR/<dir> of the current DMS.
mdsstop_customer <dms> -Stop single DMS <dms>.
mdsstart_customer <dms> -Start single DMS <dms>.
mds_backup [-l] [-v] [-d <directory>] -Back up MDS binaries and data to the current directory. Change the output directory with -d, exclude logs with -l, do a dry run with -v. Files listed in $MDSDIR/conf/mds_exclude.dat are excluded from the backup.
./mds_restore <file> -Restore an MDS backup from <file>. Note: you may need to copy mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the directory containing the backup file. Normally, mds_backup does this during backup.
cma_migrate -Import, and if necessary upgrade, a management server or DMS database package created with export_database.
mdscmd <subcmds> [-m mds -u user -p pass] -Connect to a (remote) MDS as CPMI client and configure or manage it. See mdscmd help.
vsx_util <subcommand> -Perform VSX maintenance from the main DMS. See vsx_util -h for subcommands.
For ClusterXL configuration and troubleshooting:
cphaprob state -View HA state of all cluster members.
cphaprob -a if -View interface status and CCP state.
cphaprob -ia list -View list and state of critical cluster devices.
fw hastat -View HA state of local machine.
cp_conf ha enable|disable [norestart] -Enable or disable HA.
cphastart,cphastop -Enable / Disable ClusterXL on the cluster member. On HA Legacy Mode cphastop might stop the entire cluster.
cphaprob syncstat -View sync transport layer statistics. Reset with -reset.
fw ctl pstat -View sync status and packet statistics. See sk34476.
fw ctl setsync <off|start> -Stop or start synchronization in a cluster.
fw -d fullsync <member-ip> -Start a full synchronization with debugging output.
cphaconf set_ccp <broadcast|multicast> -Configure the Cluster Control Protocol (CCP) to use broadcast or multicast messages. The default is multicast.
cphaconf debug_data -View multicast MAC addresses used.
clusterXL_admin [-p] <up|down> -Perform a graceful manual failover by registering a faildevice. Survives a reboot with -p switch set.
show vrrp interfaces -Detailed status of VRRP interfaces. For a brief overview you can also use show vrrp in the iclid shell.
cphaprob tablestat -View IPs and interface IDs for all cluster members.
cphaprob igmp -View IGMP status for CCP multicast mode.