Friday, February 8, 2013

Checkpoint Commands

  • List of files that you want to run on a regular schedule
[Expert]# crontab -l

  • Displays on the monitor screen the user name of the owner of the current session
[Expert]#id -un

  • Watching how quickly a logfile is growing
[Expert]#watch -n 10 -d ls -l /var/adm/messages
[Expert]#watch -n 1 'cphaprob -a if'

  • Ping
[Expert]#ping -S src_addr dst_addr

[Expert@dlpws]# pwd
[Expert@dlpws]# ftp
Connected to (
220 Welcome to Quick 'n Easy FTP Server
Name ( admin
331 Password required for admin
230 User successfully logged in.
Remote system type is UNIX.
ftp> !ls
dlpws.tgz migrate migrate.conf upgrade_export upgrade_import
ftp> put dlpws.tgz
local: dlpws.tgz remote: dlpws.tgz
227 Entering Passive Mode (192,168,80,80,4,0)
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete
97100209 bytes sent in 22.6 secs (4.2e+03 Kbytes/sec)

N.B! specifica comando locale e non sul server ftp : ftp> !ls
  •  Netstat
[Expert@dlpws]# netstat -an | egrep -e "(:260|:161)"



#cpconfig reconfigures an existing VPN-1/Firewall-1 installation

#cpstart starts all Check Point applications running on a machine
(invokes fwstart, fgstart, uagstart, etc.)

#cpstop stops all Check Point applications running on a machine

#fwstart loads the VPN-1/Firewall-1 Module and starts:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons

#fwstop kills the following processes:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons
It also unloads the VPN-1/Firewall-1 Module

#cp_permission sets up the permissions for CPMI


#fw load compiles and installs a Security Policy to the targets VPN-1/
Firewall-1 Modules. This is done in two ways:
1. fw load compiles and installs an Inspection Script (*.pf) file to 
the designated VPN-1/Firewall-1 Modules.
2. fw load converts a Rule Base (*.W) file created by the GUI into an
Inspection Script (*.pf) file, then installs it to the 
designated VPN-1/Firewall-1 Modules.

#fw bload compiles and installs a Security Policy to the targets embedded
VPN-1/Firewall-1 Modules. This is done in one of two ways.
1. fw bload compiles and installs an Inspection Script (*.pf) file to the
Firewall-1 embedded system specified by 
2. fw bload converts a Rule Base (*.W) file created by the GUI
into an Inspection Script (*.pf) file and then compiles and 
installs it to the Firewall-1 embedded system specified by

#fw unload uninstalls the currently loaded Inspection Code from selected

#fw fetch fetches the Inspection Code from the specified host and installs
it to the kernel

#fw putkey installs a VPN-1/Firewall-1 authentication password on a host.
This password is used to authenticate internal communications
between VPN-1/Firewall-1 Modules and between a Check 
Point Module and Management Server. That is, the password 
is used to authenticate the control channel the first time 
communication is established.

#fw dbload downloads the user database and network object information 
(for example, encryption keys) to selected targets


#cpstat displays the status of target hosts in various formats
(replaces fwstat, fw fgstat, fgate state, etc.)

#cpstat_monitor a utility that runs on the Check Point Management Station
which can trigger pre-defined actions when the system
changes its status or when an event has occurred.
This is done by defining limits (or thresholds) on status
Parameters, and actions to be taken.

#fw lichosts prints a list of hosts protected by the VPN-1/Firewall-1/n 
products. The list of hosts is in the file $FWDIR/database/

#fw ver displays the VPN-1/Firewall-1 major version number, the build 
number, and a copyright notice

#fw sam inhibits (blocks) connections to and from specific IP addresses
without the need to change the Security Policy. The command is


#fw ctl sends control information to the VPN-1/Firewall-1 Kernel Module
#pstat displays VPN-1/Firewall-1 internal statistics
#iflist displays the IP interfaces known to the kernel by name and
internal number
#arp displays ARP proxy table

#fw kill sends a signal to a VPN-1/Firewall-1 daemon

#fwm the VPN-1/Firewall-1 Management Server in the Client/Server 
implementation of the Management Server, and is used for commu-
nicating with the GUI and adding, updating, and removing admini-

#fwell manages Access Lists for Wellfleet (Bay Networks) routers

#fw tab displays the content of INSPECT tables on the target hosts in 
various formats.

#snmp_trap sends an SNMP trap to the specified host. The message may 
appear in the command line, or as one in the program input

#dynamic_objects specifies an IP address to which the dynamic object will
be resolved on this machine

#dbedit edits the objects file on the Management Server

#queryDB_util enables searching the object database according to search

Log File Management

#fw log displays the content of Log Files

#fw logswitch creates a new Log File. The current Log File is 
closed and renamed $FWDIR/log/date.log and a new Log
File with the default name ($FWDIR/log/fw.log) is created

#fw logexport exports the Log File to an ASCII file

#fw repairlog rebuilds a Log files pointer files. The three files fw.logptr,
fw.loginitial_ptr and fw.logaccount_ptr are recreated from
data in the specified Log file


#cphastart - enables the High Availability feature on the machine. In NT, 
this is done when the VPN-1/Firewall-1 Module is started. In
Solaris, the cphastart command is part of the fwstart script

#cphastop - disables the High Availability feature on the machine

#cphaprob - defines critical processes. When a critical process fails, the 
machine is considered to have failed.

cpha_export (Solaris only) writes MAC address information to stdout. If
the output is redirected to a file, it can be
input (stdin) to cpha_import on another

cpha_import (Solaris only) imports MAC address information from stdin
and updates the machines MAC address 
accordingly. The normal procedure is to 
redirect stdin to read a file created by 
cpha_export on the primary machine

#fw hastat displays information about High Availability machines and their

sk20576: How to set ClusterXL Control Protocol (CCP) in Broadcast / Multicast mode in ClusterXL
*blog clustering-security-gateway-ha-clusterxl/9245-sync-interface-flapping

  • To change the CCP mode to broadcast mode, run:

    [Expert@HostName]# cphaconf set_ccp broadcast

    Note: this change must be done on all members of the cluster.
  • To change the CCP mode to multicast mode, run:

    [Expert@HostName]# cphaconf set_ccp multicast

    Note: this change must be done on all members of the cluster.
  • To check the current mode, run:

    [Expert@HostName]# cphaprob -a if


    #fw dbimport imports users into the VPN-1/Firewall-1 User Database from 
    an external file. You can create this file yourself, or use a file
    generated by fw dbexport

    #fw dbexport - exports the VPN-1/Firewall-1 User Database to a file. The 
    file may be in one of the following formats:
    1. the same Usage as the import file for fw dbimport
    2. LDIF Usage, which can be imported into an LDAP
    Server using ldapmodify

    #ldapmodify - imports users to an LDAP server. The input file must be in 
    the LDIF format

    #fw ldapsearch - queries an LDAP directory and returns the results

    #fw expdate - changes the expiration date of users (but not templates) in the
    VPN-1/Firewall-1 User Database to the date specified by the
    first parameter. This change can be optionally applied only to
    selected users by specifying the second parameter


    #fw ca putkey distributes the Certificate Authority Key to a Check Point

    #fw ca genkey - is used to generate the Certificate Authority Key on a
    Management Server

    #fw certify ssl is used to generate a Certificate Authority certificate on a 
    Check Point Module

    #fw internalca - enables hybrid authentication mode, which allows the 
    server to perform IKE key exchange with the clients using
    authentication schemes non-interoperable with IKE. 

    Instructs the Management Server to initiate an Internal CA,
    which involves creating an Internal CA database, gener-
    ating public and private keys, issuing a certificate and 
    saving it.

    #fw ikecrypt - encrypts the password of a SecuRemote user using IKE. 
    The resulting string must then be stored in the LDAP

    #fw sic_reset - resets Secure Internal Communication (SIC) on the 
    Management Server. The user will be prompted before
    the operation actually takes place.

    This command deletes the internal Certificate Authority,
    deletes the Management Server certificate, deletes the
    Certificate Revocation List (CRL), and updates the objects


    #cplic put - is used to install one or more Local licenses. This command 
    installs a license on a local machine it cannot be performed

    #cplic print - prints details of Check Point licenses on the local machine. 
    On a Module, this command will print all licenses that are
    installed on the local machine both Local and Central 

    #cplic del - deletes a single Check Point license on a host. Use it to delete
    unwanted evaluation, expired and other licenses. On a Module,
    this command will work only for a Local license.

    #cplic check is used to check whether the license on the machine will allow
    a given feature to be used. This command is used mainly for
    Technical Support purposes.

    #cprlic put can be used only from the Management Server, to attach 
    (install) one or more:
    - Central licenses on an NG Module
    - Local licenses on the appropriate NG Module
    - Version 4.1 licenses on the appropriate version 4.1 Module

    #cprlic add - is used to add one or more licenses to the license repository
    on the Management Server.

    #cprlic print - displays the details of Check Point licenses stored in the
    license repository on the Management Server

    #cprlic del used to detach a Central license from an NG Module. This 
    command deletes the license from the Module. A Central
    license remains in the repository an an unattached license.
    The license is available for attachment to another Module.
    This command can be executed only on a Management 

    #cprlic rm - removes a license from the license repository on the 
    Management Server. It can be executed ONLY after the
    license was detached using the cprlic del command. 
    Once the license has been removed from the repository, 
    it can no longer be used. To re-use it, use the cprlic add
    Or cprlic put command.

    #cprlic get - retrieves all licenses from a Module into the license
    repository on the Management Server. Do this to synchronize
    the repository with the Module, if NG and version 4.1 Local
    licenses were added (or deleted) locally, and hence do not yet
    (or still) exist in the license repository. Retrieving licenses
    will also delete from the repository Local licenses that do 
    not exist on the Module.


    #cppkg add is used to add an installation package file to the Product
    Repository. The package file can be located on a CD or a
    local or network drive. Cppkg does not overwrite existing
    packages. Only SecureUpdate packages can be added to the
    Product Repository.

    #cppkg delete is used to delete a product package from the repository.

    #cppkg search - is used to list the contents of the Product Repository. Use
    this command to see the product and OS strings required
    to install a product package using the cprinstall command,
    or to delete a package using the cppkg delete command.

    #cppkg setroot - is used to create a new repository root directory location, 
    and to move existing product packages into the new 
    repository. The default Product Repository location is
    created when the Management Server is installed.

    #cppkg getroot - is used to find out the location of the Product Repository

    #cprinstall get - is used to obtain details of the products and the Operating
    System installed on the specified Module, and to update
    the Product Repository database.

    #cprinstall test - is used to test whether the product can be installed on
    remote Module. It verifies that the Operating System and
    currently installed products are appropriate for the package,
    and that there is enough disk space to install the product.

    #cprinstall install is used to install Check Point products on remote

    #cprinstall uninstall is used to uninstall products on remote Modules

    #cprinstall boot is used to boot the remote computer

    #cprinstall stop is used to stop the operation of other cprinstall commands.
    In particular, this command stops the remote installation of
    a product even during transfer of files, file extraction, 
    and pre-installation testing. The operation can be stopped
    at any time up to the actual installation.


    #vpn accel - used for turning on (or off) the accelerator card. When it is 
    installed, it is enabled by default. You can also check its
    status with the command vpn accel stat

    #lunadiag - a software diagnostics utility specific to the Luna accelerator
    card in the Luna package. The utility is documented in the
    file lunadiag.txt


    #vpn ver - displays the VPN-1 major version number, the build number, and 
    a copyright notice. Usage and options are the same as for fw ver

    #vpn debug - debug the VPN-1 daemon

    #vpn drv - installs the VPN-1 kernel (vpnk) and connects to the Firewall-1
    kernel (fwk)

    #vpn intelrng - displays the status of the Intel RNG (random number 
    generator). This command is a Windows NT and Windows
    2000 only command.


    #cpwd_admin - is used to show the status of processes, and to configure 

    #cpridstop used to stop cprid

    #cpridstart - used to start cprid (cprid is independent of cpstart and


    #etmstart - loads the FloodGate Module and starts the FloodGate-1 daemon
    (fgd). Also starts the Management Server, provided it is on the
    same machine as the FloodGate Module.

    #etmstop - kills the FloodGate-1 daemon (fgd) and then unloads the 
    FloodGate Module. Also stops the Management Server,
    Provided it is on the same machine as the FloodGate Module.

    #fgate load - installs a QoS Policy on the specified FloodGate Modules.
    If targets is not specified, the QoS Policy is installed on 
    the local host.

    #fgate unload - uninstalls a QoS Policy from the specified FloodGate 

    #fgate fetch - fetches the FloodGate QoS Policy that was last installed on
    the local host. You must specify the machine where the
    FloodGate QoS Policy is found. Use localhost in case
    there is no Management Server or if the Management
    Server is down.

    #fgate stat - displays the status of target hosts in various formats. The 
    default format displays the following information for each
    host: host name, Rule Base (or FloodGate Module) file name,
    date and time loaded, and the interface and direction loaded.

    #fgate ver - displays the FloodGate-1 version number. The version of the 
    GUI is displayed in the opening screen, and can be viewed
    at any time from the Help menu.

    #fgate kill - sends a signal to a FloodGate-1 daemon


    #upgrade_fwopsec - upgrades OPSEC configuration information on the 
    Management Server from pre-NG to NG format, based
    on the upgraded Module information. If you have not
    changed any of the defaults, then there is no need to
    run the upgrade_fwopsec command. However, if you
    have changed the defaults, then you should run the
    upgrade_fwopsec command.


    #fwstop-default - kills VPN-1/Firewall-1 processes and loads the Default

    #fwstop-proc - kills VPN-1/Firewall-1 processes but keeps the current 
    kernel policy. The Security Policy remains loaded in the
    kernel, though user mode processes (cpd, fwd, fwm, vpnd,
    fwssd) dont work. Logs, kernel traps, resources, all 
    security server connections will all stop working. The state
    of the kernel remains unchanged. Whatever was loaded in
    the kernel is kept. Therefore, rules with generic allow/
    reject/drop rules, based only on service will continue 

    #control_bootsec enables or disables Boot Security. The command turns 
    both the Default Filter and the initial policy off or on,
    in the correct sequence.

    #fwboot bootconf use to change IP Forwarding or Defaultfilter settings. 
    This command is located in $FWDIR/boot

    #comp_init_policy u - removes the current initial policy, and ensures that
    it wont be generated in the future when cpconfig
    is run

    #comp_init_policy g - generates the initial policy and ensures that it will 
    be loaded the next time a policy is fetched (at 
    fwstart, or at next boot, or via the fw fetch localhost
    command). After running this command, cpconfig
    will add an initial policy when needed.

    #defaultfilter.boot - installed by default. It allows:
    - all outgoing communications
    - incoming communications on ports through which there were previous
    outgoing communications
    - ICMP packets
    - broadcast packets

    #defaultfilter.drop - drops all communications in and out of the gateway 
    during the period of vulnerability. If the boot process
    requires that the gateway communicate with other 
    hosts, then the drop default Security Policy should not
    be used.

    #fw defaultgen - use to compile the default filter


    How can I show ALL traffic on a specified interface?

    #tcpdump -i eth0
    Will show ALL traffic on interface eth0.

    How can I capture a specified number of packets?

    #tcpdump -c 20 -i eth0
    The -c argument specifies the number of packets to capture. For example, this command will capture 20 packets on the specified interface eth0 and quit:

    How do I show the MAC address in the capture?

    #tcpdump -e -i eth0
    This filter will display the MAC address as well as the basic information.

    How can I look for the Welchia Worm with TCPDUMP?

    #tcpdump -tnn -i eth0 "icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA && icmp[10]==0xAA && icmp[11]==0xAA"
    Sure can. Try this script. Keep in mind that your sniffer will need to be located where it can see all traffic on your network for this to be useful.

    How can I use TCPDUMP to determine the top talker on my network?

    #tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
    Depending on how busy your network is, you might want to lower the `-c 20000' (packet count) to fit your needs. This script will capture 20,000 packets and sort by top talkers

    Check Point's fw monitor is a powerful built-in tool to assist with inspecting and capturing network traffic at the packet level. The fw monitor utility captures network packets at multiple capture points along the VPN-1/FireWall-1 inspection chain. These packets can be inspected using either Wireshark or Check Point's CPethereal. Wireshark is available from, and the capture viewer is free.

    In many deployment and support scenarios, capturing network packets is an essential functionality. The utilities tcpdump or snoop are normally used for this task. The fw monitor utility provides an even better functionality, but omits many of the requirements and the risks associated with these tools.

    No Security Flaws
    tcpdump and snoop are normally used with NICs in promiscuous mode. Unfortunately, promiscuous mode allows remote attacks against these tools. Check Point's fw monitor does not use promiscuous mode to capture packets. In addition, most firewalls' operating systems are hardened. In most cases, this hardening includes the removal of tools like tcpdump or snoop, because of their security risks.

    Available on All VPN-1/FireWall-1 Installations
    fw monitor is a built-in firewall tool that needs no separate installation.

    Multiple Capture Positions within the VPN-1/FireWall-1 Kernel Module Chain
    fw monitor allows you to capture packets at multiple capture positions within the VPN-1/FireWall-1 kernel module chain, both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the firewall.

    Same Tool and Syntax on All Platforms
    fw monitor is available on all different platforms; tools like snoop or tcpdump are often platform-dependent, or have specific "enhancements" on certain platforms. fw monitor and all it's related functionality and syntax is identical across all platforms.

    Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS. fw monitor adds its own modules to capture packets. fw monitor can capture all packets that are seen and/or forwarded by the firewall.

    There are four inspection points along the passage of a packet through a firewall:
    1. Before the virtual machine, in the inbound direction (i or PREIN)
    2. After the virtual machine, in the inbound direction (I or POSTIN)
    3. Before the virtual machine, in the outbound direction (o or PREOUT)
    4. After the virtual machine, in the outbound direction (O or POSTOUT)
    The term "virtual machine" refers to most of the packet processing done by the firewall, and not only to the INSPECT code execution (including virtual defragmentation, NAT, encryption, etc.).

    Once started, the command will compile the specified INSPECT filter program, and load it to the kernel (not replacing the Security Policy). The program will then continuously get packets from the kernel, and display them in the terminal window (from which the command was issued). Upon an interrupt signal (key combination Ctrl + C) or other user initiated signal, the program will stop displaying packets, unload the monitor filter and exit.

    The fw monitor command has an extensive number of associated options for capturing packets. Not all of these options and their combinations are listed below. The idea is to load a special INSPECT filter (separate from the one that is used to implement the Security Policy) that will be used to filter out packets of interest. The fw monitor syntax for capturing all packets crossing a firewall is:

    fw monitor -o filename.txt 

    Additional Options:
    • -h: displays a usage string
    • -d / -D: prints debug messages (two different debug levels)
    • -m: shows a combination of the four instances (i / I / o / O); this parameter should be followed by a string consisting of some of these four characters. Only those instances will be monitored. For example, use "-m iI" to monitor only inbound traffic, or "-m IO" to see only packets that pass through the firewall. The default is "iIoO" for all packets.
    • -x <offset>, <length>: prints packet data; specify the starting offset to print, and the number of bytes to print.
    • -l <length>: limits the packet length; determines the number of bytes read from the kernel for each packet. If you use this option, include enough bytes, so the IP and protocol headers fit. If you use "-x" to print packet data, ensure the data you requested also fits. The default is calculated, so it will have all headers and data used by -x.
    • -o <filename>: prints to the specified file, in snoop format. To read the file, use the snoop utility. If used, the -x and -i options will be ignored. (All data will be printed.)
    • -u: prints the connection's unique ID (UUID)
    • -s: prints the connection's session UUID; for FTP data connections, prints the control connections
    • -t: when compiling the INSPECT script, includes tcpip.def; allows TCP/IP macros in the script.
    • -i: after writing each packet, flushes the standard output; useful if you want to kill the monitor, but be sure that all data is written to the file.
    • -ci <count>, -co <count>: limits the number of inbound and/or outbound packets; once the specified number has been reached, the monitor will stop. The default is to stop on the key combination Ctrl + C only.
    • -p: monitor position
    • -vs <vsid> or <vsname>: specifies on which virtual component the packets should be captured; this option is only available for VSX.

    • fw monitor -o fwmon.out -e '((src= and dst= or (dst= and src=, accept;'

    1. The following command will monitor all HTTP packets:

      fw monitor -m iIoO -e "accept [20:2,b]=80 or [22:2,b]=80;" -o monitor.out
    2. The following command will monitor all packets with either a source IP address of, or a destination IP address of AAA.bbb.CCC.ddd:

      fw monitor -m iIoO -e "accept [12,b]= or [16,b]=AAA.bbb.CCC.ddd;" -o monitor.out
    Detailed information regarding the usage of the fw monitor command can be found in the "How to use fw monitor" document.

    Viewing Checkpoint fw monitor files in Wireshark

    Filed under: checkpoint — Tags:  — networknerd @ 11:48 am
    Checkpoints fw monitor utility performs packet captures similar to tcpdump and wireshark. Unlike these utilities it operates above layer 2 and contains no mac address information. It does contain additional information from the firewall on interface and direction.
    To view this additional information in wireshark some extra configuration is required.
    1. Select edit/preferences/protocols/ethernet
    2. Check the box labelled “Attempt to interpret as Firewall-1 monitor file” and press ok
    3. Select edit/preferences/User Interface/columns
    4. Click add to add a new column and name it interface.
    5. From the format dropdown listbox select FW-1 monitor if/direction and press ok
    Save the text below to a file colorise.txt
    # DO NOT EDIT THIS FILE! It was created by Wireshark
    @FW-Mon-i @ fw1.direction contains "i"@[65535,65535,0][0,0,0]
    @FW-Mon-I @fw1.direction contains "I"@[37008,61166,37008][0,0,0]
    @[email protected] contains "o"@[44461,55512,59110][0,0,0]
    @FW-Mon-O@ fw1.direction contains "O"@[31161,49051,54875][0,0,0]
    1. Select View/coloring rules
    2. Click import and open the saved file from above
    3. Select the last 4 rules and move them to the top of the list by clicking the up button
    4. Press ok
    Your now ready to view the fw monitor files in wireshark.

    No comments:

    YouTube Channel