
CLI Tools

Checkpoint Command Line Interface

SPLAT Shells
SPLAT operating system shells:
Standard mode shell - gives a limited set of commands for administration of the device.
Expert mode shell - gives access to the root of the system for advanced administration and troubleshooting.

Commands
passwd - changes the password of the current user
timezone - sets the timezone
time - shows the current time
date - shows the current date
exit - exits the current user session
shutdown - shuts down the device
reboot - reboots the device
ver - shows the SPLAT version with build number; useful when logging a ticket with Support
audit - audit show <number of entries you want to view>
ping - ping X.X.X.X
traceroute - traceroute X.X.X.X
netstat - shows the established connections on the firewall

netstat -rn - shows the routing table


grep can be appended to a normal command to pick out only the lines containing the name you are searching for. For example, to see only the routes on interface eth3 in your routing table, use:
netstat -rn | grep eth3
To display the routing table one page at a time, append | more to the command line:
netstat -rn | more
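One caveat worth knowing before relying on grep here: `grep eth3` also matches eth30, eth31 and any other column that happens to contain that string. The following is an added example, not part of the original notes, that matches the interface column exactly instead; it assumes the Linux `netstat -rn` layout where Iface is the last column, and the routing table it runs over is a constructed sample.

```sh
#!/bin/sh
# Added example: filter a routing table by interface name.
# `netstat -rn | grep eth3` also matches eth30, eth31, ... so compare the
# interface column exactly. Reads `netstat -rn` output on stdin.

routes_for_iface() {
    # $1: interface name. On Linux the interface is the last column of each
    # route line; the header lines never have an interface name there.
    awk -v ifc="$1" '$NF == ifc { print }'
}

# Constructed sample of `netstat -rn` output (not captured from a real firewall).
# eth30 is here on purpose: a plain grep for eth3 would match it too.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.200.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth3
10.200.30.0     0.0.0.0         255.255.255.0   U         0 0          0 eth30
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0'

# Number of routes the sample carries on interface $1 (exact match).
count_sample_routes() {
    printf '%s\n' "$SAMPLE_ROUTES" | routes_for_iface "$1" | wc -l | tr -d ' '
}

# Number of lines a plain grep for $1 would have matched, for comparison.
count_grep_routes() {
    printf '%s\n' "$SAMPLE_ROUTES" | grep -c "$1"
}

# On a live box: netstat -rn | routes_for_iface eth3
```

Piping real output through `routes_for_iface eth3` gives the one eth3 route, while `grep eth3` on the same sample returns two lines.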

ifconfig - use Shift + PageUp to scroll back through the complete output
ip addr - same as ifconfig, with somewhat less information
dns - tells you which DNS server the firewall uses
webui - webui enable <port number>
lockout - lockout enable <number of attempts> <time in minutes>
lockout show
unlockuser - unlocks a locked user
checkuserlock
arp - shows the ARP entries on the firewall

fw directory - lists the files and options under the firewall module
fw ver - shows the firewall version with build information
fw stat - shows when the security policy was last installed on the SPLAT firewall
fw unloadlocal - uninstalls the security policy completely from the machine. Any active connections, such as NAT or VPN connections, i.e. any connections going through the firewall, will be dropped. This leaves the machine open to any traffic (effectively any/any allow) until a policy is installed again from the Management server.

fw tab -s -t connections - shows the number of connections in the state table (-s is for summary)
fw tab -t xlate -x - clears all translated entries (emergency use only)

cpstop - stops the Check Point services. When run remotely, even the admin connection to the firewall will be dropped, because it essentially shuts down the security policy and every other service running on the module.
cpstart - restarts those services.
If you are managing the console remotely and do not want to be disconnected from the firewall, you can run cpstop and cpstart in a single command line by putting a semicolon between them, as below:
cpstop ; cpstart
It will stop the Check Point services, then restart them and pull the security policies configured for the firewall.

cpconfig - gives the ability to reset SIC. SIC should be reset when you change the hostname of the firewall, which is tied to the certificate under the ICA. If only the IP address changes, a reset is not required.
sysconfig - used to enter the network settings on the SPLAT machine and to see the products configured on that SPLAT.

cpinfo - file which needs to be provided to Support for troubleshooting purposes. There is a software package built into SPLAT for cpinfo. It gives a snapshot of the Check Point configuration running on the firewall or the management server. It is created with the command below:
cpinfo -o <filename.tgz>
For example:
cpinfo -o test.tgz
Do an ls to list the file.

fwm ver
fwd ver
fwm help

Important Checkpoint Directories (in expert mode)
$FWDIR/conf directory
$FWDIR/log directory
$FWDIR/bin directory

$FWDIR/conf directory - contains the rulebases, objects and the user database.
cd $FWDIR/conf
ls
It contains four important entries:
objects_5_0.C
objects.C
rulebases_5_0.fws
fwauth.ndb

objects_5_0.C
Includes all the object values modified in SmartDashboard. This file does not get pushed to the firewall.
objects.C
Whenever we compile a policy, this file is delivered to the firewall by the Install Policy option: the objects_5_0.C file is converted into the objects.C file, which is what is actually pushed to the firewall.
rulebases_5_0.fws
Includes the security policies, NAT policies and application control policies.
fwauth.ndb
Contains all the firewall users and groups information; it is located both in this $FWDIR/conf directory and in the $FWDIR/database directory.

$FWDIR/log directory - contains the log files.
cd $FWDIR/log
ls

fw.log
This is the logging file on the firewall; it grows constantly as it receives the data coming back to the management server from the firewalls.
fw logswitch
Creates a new log file. The current log file is closed and renamed $FWDIR/log/<date>.log, and a new log file with the default name ($FWDIR/log/fw.log) is created.
fw logexport - exports the log file to an ASCII file

$FWDIR/bin directory
cd $FWDIR/bin
ls

Some of the most important backup and restore tools are stored in this directory.
cd upgrade_tools
ls

upgrade_export - should be run on a weekly basis for the SCS if there are a lot of policy changes. The command to start an upgrade export is:
./upgrade_export test.tgz

It backs up all the policy information and the configuration existing on the SCS.
upgrade_import and upgrade_export are strictly used for policy backup and restore from the SCS. They are typically used when you are moving a policy between machines or when you do the upgrade process.
Let's say you are moving from Solaris to SPLAT: the upgrade tools provide the flexibility to export and import the policy database between different OSs.

Using upgrade_export you can take the configuration from a Windows machine to SPLAT, to Solaris or to a Red Hat machine. Whereas snapshot and cpbackup work only for SPLAT, and only for restoring a single machine with the same hostname, same IP address and same software level.

To import the exported configuration, use the command:
./upgrade_import

cplic put - used to install one or more local licenses. This command installs a license on the local machine and cannot be performed remotely.
cplic print - prints details of the Check Point licenses on the local machine. On a module, this command prints all licenses installed on the local machine, both local and central licenses.

fw lichosts - prints a list of hosts protected by the VPN-1/FireWall-1/n products. The list of hosts is in the file $FWDIR/database/fwd.h
fw sam - inhibits (blocks) connections to and from specific IP addresses without the need to change the Security Policy. The command is logged.

The commands to sniff packets on a specific interface are as below:
tcpdump -i <interface> -s 1500 net 10.200.1.0/24 -w /var/tmp/xxw.pcap
OR
tcpdump -i eth0 -s 1500 -w /var/tmp/xxw.pcap

* The interface name is the name of the interface as set on your device. If you want to filter on a network address, write it as above; to filter on a single host, change it to 'host 10.200.1.1'.

-s 1500 sets the snapshot length to a normal 1500-byte packet. If you don't specify 1500, the captured packets will show incomplete details.
-w saves the capture to a file in a specific folder. By giving the file the .pcap extension, you'll be able to double-click the file to open it in Ethereal.
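Because the order of the tcpdump arguments above is easy to get wrong (interface, snapshot length, filter, then output file), the following added example, not part of the original notes, assembles the command from its pieces and prints it for review instead of running it. It picks the filter form described above (net for a CIDR prefix, host for a single address, none if no address is given), insists on an interface name and a .pcap output name, and forces -s 1500; the interface and address values are whatever the caller passes in.

```sh
#!/bin/sh
# Added example: assemble a tcpdump capture command from its parts and check
# the inputs, printing the result rather than executing it.

# Turn an address argument into a BPF filter: a CIDR prefix becomes "net X/Y",
# a single address becomes "host X", and an empty argument means no filter.
capture_filter() {
    case "$1" in
        '')  ;;
        */*) printf 'net %s' "$1" ;;
        *)   printf 'host %s' "$1" ;;
    esac
}

# build_capture_cmd <interface> <address-or-cidr-or-empty> <output.pcap>
# Prints the command line; returns 1 with a reason on stderr if inputs are unusable.
build_capture_cmd() {
    iface=$1; addr=$2; out=$3
    [ -n "$iface" ] || { echo 'interface name is required (-i)' >&2; return 1; }
    case "$out" in
        *.pcap) ;;
        *) echo 'output file should end in .pcap so it opens in a packet analyser' >&2; return 1 ;;
    esac
    flt=$(capture_filter "$addr")
    # -s 1500: capture full-size frames; older tcpdump defaults truncate payloads.
    # -w: write raw packets to a file instead of decoding them to the terminal.
    printf 'tcpdump -i %s -s 1500 %s-w %s\n' "$iface" "${flt:+$flt }" "$out"
}

# Review, then run by hand:
#   build_capture_cmd eth3 10.200.1.0/24 /var/tmp/eth3_net.pcap
```

Printing the command rather than running it keeps the capture a deliberate step on a production gateway; once the line looks right, it can be pasted into the expert shell.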

cpstat os -f cpu - shows CPU status
cpstat os -f routing - shows the routing table
fw lslogs - lists firewall logs
fw stat -l - shows which policy is associated with which interface, and the packet drop, accept and reject counts
