This post summarises some basic but useful CLI commands for your daily working reference especially for those who are just starting to configure your Check Point Gaia products. For some advanced usage, please check another post "Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)" in this blog.
1. show version all
FW-CP1>show version all
Product version Check Point Gaia R77.20 OS build 124 OS kernel version 2.6.18-92cp OS edition 32-bit |
2. show interface DMZ / show interfaces
FW-CP1>show interface DMZ
state on mac-addr 00:1c:7f:37:9e:b9 type ethernet link-state link up mtu 1500 auto-negotiation on speed 100M ipv6-autoconfig Not configured duplex full monitor-mode Not configured link-speed 100M/full comments ipv4-address 10.91.72.15/24 ipv6-address Not Configured ipv6-local-link-address Not Configured Statistics: TX bytes:130970299 packets:1278980 errors:0 dropped:0 overruns:0 carrier:0 RX bytes:391610509 packets:1382114 errors:0 dropped:0 overruns:0 frame:0 FW-CP1>show interfaces Mgmt eth1 eth2 eth3 eth3.100 eth3.102 lo |
3. set interface DMZ ipv4-address 40.40.40.1 subnet-mask 255.255.255.0
set interface DMZ state on
Note: if you are running a FW at Virtual machine, by default, only eth0 interface is on.
add interface lo loopback 2010:10:99::1/64
delete interface lo loopback loop01
delete interface lo loopback loop01
5. Show configuration and Save Config
6. show arp dynamic all
7. set hostname
FW-CP1>show configuration
# # Configuration of FW-CP1 # Language version: 12.1v1 # # Exported by admin on Fri May 15 13:51:26 2015 # set max-path-splits 8 set tracefile maxnum 10 set tracefile size 1 set expert-password-hash $1$BBBNBcBB$BdeldpEXBxaayLxqIsKNn. add dhcp client interface eth3 set dhcp client interface eth3 timeout 60 set dhcp client interface eth3 retry 300 set dhcp client interface eth3 reboot 10 add allowed-client host any-host set core-dump enable set core-dump total 1000 set core-dump per_process 2 set message caption off set syslog filename /var/log/messages set syslog cplogs off set syslog mgmtauditlogs on set syslog auditlog permanent set clienv debug 0 set clienv echo-cmd off set clienv output pretty set clienv prompt "%M" set clienv rows 63 set clienv syntax-check off set arp table cache-size 4096 set arp table validity-timeout 60 set arp announce 2 set edition 32-bit set snmp agent off set snmp agent-version any set snmp community public read-only set snmp traps trap authorizationError disable set snmp traps trap coldStart disable set snmp traps trap configurationChange disable set snmp traps trap configurationSave disable set snmp traps trap fanFailure disable set snmp traps trap highVoltage disable set snmp traps trap linkUpLinkDown disable set snmp traps trap lowDiskSpace disable set snmp traps trap lowVoltage disable set snmp traps trap overTemperature disable set snmp traps trap powerSupplyFailure disable set snmp traps trap raidVolumeState disable set snmp traps trap vrrpv2AuthFailure disable set snmp traps trap vrrpv2NewMaster disable set snmp traps trap vrrpv3NewMaster disable set snmp traps trap vrrpv3ProtoError disable set dns primary 8.8.8.8 set web table-refresh-rate 15 set web session-timeout 10 set web ssl-port 443 set web daemon-enable on set net-access telnet off set inactivity-timeout 10 set timezone America / New_York set format date dd-mmm-yyyy set format time 24-hour set format netmask Dotted set password-controls min-password-length 6 set password-controls complexity 2 set password-controls palindrome-check true set password-controls history-checking true set password-controls history-length 10 set password-controls password-expiration never set password-controls expiration-warning-days 7 set password-controls expiration-lockout-days never set password-controls force-change-when no set password-controls deny-on-nonuse enable false set password-controls deny-on-nonuse allowed-days 365 set password-controls deny-on-fail enable false set password-controls deny-on-fail failures-allowed 10 set password-controls deny-on-fail allow-after 1200 set ipv6-state off add command tecli path /bin/tecli_start description "Threat Emulation Blade shell" set ntp active on set ntp server primary 10.9.1.5 version 1 set ntp server secondary 10.1.1.17 version 1 set aaa tacacs-servers state off set aaa radius-servers super-user-uid 96 add user John uid 0 homedir /home/John set user John gid 100 shell /etc/cli.sh set user John password-hash $1$elk75EVv$JS.5C89qzA5nllgEedjGh/ set user admin shell /etc/cli.sh set user admin password-hash $1$OadYapIm$QGqVCFYLWNvvcHWORFo0Y. set user monitor shell /etc/cli.sh set user monitor password-hash * add rba user John roles adminRole set hostname FW-CP1 set interface eth3 state on add interface eth3 vlan 104 set interface eth3 state on add interface eth3 vlan 106 set interface Mgmt link-speed 100M/full set interface Mgmt state on set interface Mgmt auto-negotiation on set interface Mgmt ipv4-address 10.9.2.5 mask-length 24 set interface eth1 comments "Internet" set interface eth1 link-speed 1000M/full set interface eth1 state on set interface eth1 auto-negotiation on set interface eth1 mtu 1500 set interface eth1 ipv4-address 2.13.11.1 mask-length 29 set interface eth2 comments "Transfer" set interface eth2 link-speed 100M/full set interface eth2 state on set interface eth2 auto-negotiation on set interface eth2 mtu 1500 set interface eth2 ipv4-address 10.9.9.1 mask-length 24 set interface eth3 state on set interface eth3.104 comments "Customers" set interface eth3.104 state on set interface eth3.104 ipv4-address 10.9.100.1 mask-length 24 set interface eth3.106 comments "Transmission 106" set interface eth3.106 state on set interface eth3.106 ipv4-address 10.9.102.1 mask-length 24 set interface lo state on set interface lo ipv4-address 127.0.0.1 mask-length 8 set static-route default nexthop gateway address 20.15.11.7 priority 1 on set static-route 10.0.0.0/8 nexthop gateway address 10.9.7.1 priority 1 on set rip update-interval default set rip expire-interval default set rip auto-summary on set management interface Mgmt set ospf area backbone on set lcd screensaver mode model set lcd screensaver timeout 30 FW-CP1> save config |
CP-FW1> show arp dynamic all
Dynamic Arp Parameters IP Address Mac Address 192.168.20.2 00:1B:54:13:98:41 192.168.20.250 00:17:59:F3:7E:E0 10.1.1.36 00:90:FB:2B:91:53 192.168.20.37 00:90:0B:17:E5:66 172.17.3.88 72:AC:19:9C:19:D0 172.17.3.42 00:1C:7F:32:CC:12 172.17.3.83 FE:4A:40:06:60:ED 172.17.3.6 54:4A:00:19:AE:C0 172.17.3.43 00:1C:7F:32:CC:12 CP-FW1> show arp static all Static Arp Entries IP Address MAC Address CP-FW1> show arp table validity-timeout 60 CP-FW1> show arp table cache-size 1024 CP-FW1> |
7. set hostname
CP-FW1> set hostname firewall-test
|
8. set static-route 4.4.4.0/24 nexthop gateway address 7.7.7.6 on
CP-FW1> set static-route 4.4.4.0/24 nexthop gateway address 9.9.9.2 off
// - delete a route CP-FW1> set static-route 4.4.4.0/24 off CP-FW1> set static-route 172.116.14.0/24 nexthop blackhole CP-FW1> set static-route 40.40.40.0/24 rank 2 FW-CP1>show route static Codes: C - Connected, S - Static, R - RIP, B - BGP, O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA) A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed, U - Unreachable, i - Inactive S 0.0.0.0/0 via 20.13.11.7, eth1, cost 0, age 142743 S 10.9.8.0/24 via 10.9.9.7, eth2, cost 0, age 77668 Infra S 10.9.13.0/24 via 10.9.9.7, eth2, cost 0, age 77668 Customers S 10.0.0.0/8 via 10.9.7.1, Mgmt, cost 0, age 105717 S 1.24.7.9/32 via 10.9.10.21, eth3.102, cost 0, age 80698 Test1 |
9. set date 2012-08-10
10. reboot & halt
11. fw unloadlocalUnload local firewall policy from the appliance.
12. cpstop / cpstart
13. fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) R75.40 - Build 275
14. cpstat
15. Increase session time-out time
It is especially useful before doing upgrade.
16. Information about processes, memory, paging, block IO, traps, and cpu activity.
Reference:
This is Check Point VPN-1(TM) & FireWall-1(R) R75.40 - Build 275
FW-CP1> cpstat os
Product Name: SVN Foundation SVN Foundation Version String: R77.20 SVN Foundation Build Number: 990170256 SVN Foundation Status: OK OS Name: Gaia OS Major Version: 2 OS Minor Version: 6 OS Build Number: - OS SP Major: - OS SP Minor: - OS Version Level: Appliance SN: 338B04265 Appliance Name: Check Point 4200 Appliance Manufacture: CheckPoint |
15. Increase session time-out time
It is especially useful before doing upgrade.
set web session-timeout 1440
set inactivity-timeout 720 |
16. Information about processes, memory, paging, block IO, traps, and cpu activity.
FW-CP1> vmstat 1 |awk '{now=strftime("%Y-%m-%d %T "); print now $0}' 2014-10-29 09:26:47 procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------ 2014-10-29 09:26:47 r b swpd free buff cache si so bi bo in cs us sy id wa st 2014-10-29 09:26:47 1 0 448004 10748 1928 126520 10 13 53 581 118 155 8 11 81 1 0 2014-10-29 09:26:49 1 0 448004 10748 1936 126520 0 0 0 84 1123 2197 5 10 84 0 0 2014-10-29 09:26:51 1 0 448004 10780 1936 126520 0 0 0 0 1123 2145 3 6 92 0 0 2014-10-29 09:26:53 1 0 448004 10500 1944 126512 0 0 0 82 1123 2204 6 13 82 0 0 2014-10-29 09:26:55 1 0 448004 10500 1944 126520 0 0 0 0 1125 2139 6 11 84 0 0 |
17. CPView – Check Point and System Online statistics Info
It is a nice tool for gathering system information and statistics introduced from R77.
[Expert@CP-1:0]# cpview Initializing...Server Connection Menu for your Master Terminal Server |------------------------------------------------------------------------------| | CPVIEW.Overview 16Aug2015 10:45:42 | |------------------------------------------------------------------------------| | Overview SysInfo Traffic I/S Software-blades | |------------------------------------------------------------------------------| | CPU: | | | | Num of CPUs: 1 | | | | CPU Used | | 0 0% | | ---------------------------------------------------------------------------- | | Memory: | | | | Total MB Used MB Free MB | | Physical 934 684 250 | | FW Kernel 696 62 634 | | Swap 2,047 0 2,047 | | ---------------------------------------------------------------------------- | | Traffic counters: | | | | Throughput 930bps | | Packet rate 1pps | | Connection rate 0cps | | Concurrent conns 42 | | ---------------------------------------------------------------------------- | | Disk space (top 3 used partitions): | | | | Partition Total MB Used MB Free MB | | /boot 144 105 31 | | / 8,063 4,928 2,725 | | /var/log 60,475 6,665 50,738 | | ---------------------------------------------------------------------------- | | Events: | | | | # of monitored daemons crashed since last cpstart 0 | | | | | |------------------------------------------------------------------------------| |
18. TOP
By default, it will sort by PID. You can type O to get into Sort Change Window. Then you can change which field you want to sort it. K for %CPU are n for %mem are most useful sorting field.
19. Check Point Visio Stencils for Downloading
Check Point released their new products stencils public for downloading. You will not need Check Point account to download. It does not include some old models. Following appliance includes in this 3M file:
Check Point SK Link sk101866.
Here is Download Link from Check Point Website: http://dl3.checkpoint.com/paid/90/902caf44a13d71e91a35315e4a28caa8/CheckPoint_Stencils_for_Visio.zip?HashKey=1480871979_bb9dd6cf9a98c6bf41f3cd1fd147c855&xtn=.zip
20. Change WebUI port to 4434
from Command line:
R77.30 & R80 Gaia InstallationVideos:
Check Point R77.30 Lab Series 2 - Installing Gaia Cluster Gateways (51sec)
Check Point R77.30 Lab Series 3 - Clustering : First Time Wizard and Management
Note: I have moved some advanced Checkpoint CLI commands into another post, please check "Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)" in this blog.
[Expert@CP-M-DMZ:0]# top
top - 10:17:21 up 10 days, 24 min, 1 user, load average: 0.35, 0.26, 0.26 Tasks: 83 total, 2 running, 81 sleeping, 0 stopped, 0 zombie Cpu(s): 6.6%us, 9.9%sy, 0.0%ni, 83.2%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 5468 admin 21 0 67728 6832 3996 S 1.7 0.7 198:41.66 DAService 3966 admin 15 0 32900 13m 8804 S 0.3 1.5 52:12.94 confd 4005 admin 15 0 30600 11m 8764 S 0.3 1.2 58:01.37 snmpd 1 admin 15 0 2040 648 560 S 0.0 0.1 0:01.09 init 2 admin RT -5 0 0 0 S 0.0 0.0 0:00.00 migration/0 3 admin 15 0 0 0 0 S 0.0 0.0 0:00.18 ksoftirqd/0 4 admin RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/0 5 admin 10 -5 0 0 0 S 0.0 0.0 0:00.27 events/0 6 admin 10 -5 0 0 0 S 0.0 0.0 0:00.04 khelper 7 admin 10 -5 0 0 0 S 0.0 0.0 0:00.00 kthread 8 admin RT -5 0 0 0 S 0.0 0.0 0:00.00 kmem_kthread 11 admin 10 -5 0 0 0 S 0.0 0.0 0:00.09 kblockd/0 12 admin 20 -5 0 0 0 S 0.0 0.0 0:00.00 kacpid 113 admin 20 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/0 116 admin 10 -5 0 0 0 S 0.0 0.0 0:00.00 khubd 118 admin 10 -5 0 0 0 S 0.0 0.0 0:00.00 kseriod 178 admin 15 0 0 0 0 S 0.0 0.0 0:00.96 pdflush 179 admin 15 0 0 0 0 S 0.0 0.0 0:00.01 pdflush 180 admin 17 -5 0 0 0 S 0.0 0.0 0:00.55 kswapd0 181 admin 20 -5 0 0 0 S 0.0 0.0 0:00.00 aio/0 344 admin 11 -5 0 0 0 S 0.0 0.0 0:00.00 kpsmoused 369 admin 14 -5 0 0 0 S 0.0 0.0 0:00.00 ata/0 |
By default, it will sort by PID. You can type O to get into Sort Change Window. Then you can change which field you want to sort it. K for %CPU are n for %mem are most useful sorting field.
Current Sort Field: K for window 1:Def Select sort field via field letter, type any other key to return a: PID = Process Id b: PPID = Parent Process Pid c: RUSER = Real user name d: UID = User Id e: USER = User Name f: GROUP = Group Name g: TTY = Controlling Tty h: PR = Priority i: NI = Nice value j: P = Last used cpu (SMP) * K: %CPU = CPU usage l: TIME = CPU Time m: TIME+ = CPU Time, hundredths n: %MEM = Memory usage (RES) o: VIRT = Virtual Image (kb) p: SWAP = Swapped size (kb) q: RES = Resident size (kb) r: CODE = Code size (kb) s: DATA = Data+Stack size (kb) t: SHR = Shared Mem size (kb) u: nFLT = Page Fault count v: nDRT = Dirty Pages count w: S = Process Status x: COMMAND = Command name/line y: WCHAN = Sleeping in Function z: Flags = Task Flags <sched.h> Note1: If a selected sort field can't be shown due to screen width or your field order, the '<' and '>' keys will be unavailable until a field within viewable range is chosen. Note2: Field sorting uses internal values, not those in column display. Thus, the TTY & WCHAN fields will violate strict ASCII collating sequence. (shame on you if WCHAN is chosen) |
At TOP window, type lower case o will get you Field Define Window. h will get you help window.
19. Check Point Visio Stencils for Downloading
Check Point released their new products stencils public for downloading. You will not need Check Point account to download. It does not include some old models. Following appliance includes in this 3M file:
- 2200
- 3200
- 4000
- 5000
- 12000
- 13000
- 15000
- 21000
- 23000
- 41000-61000
- Accessories
- SandBlast
- Smart-1
- SMB-ROBO
Check Point SK Link sk101866.
Here is Download Link from Check Point Website: http://dl3.checkpoint.com/paid/90/902caf44a13d71e91a35315e4a28caa8/CheckPoint_Stencils_for_Visio.zip?HashKey=1480871979_bb9dd6cf9a98c6bf41f3cd1fd147c855&xtn=.zip
from Command line:
webui disable webui enable 4434 |
Unfortunately after a cpstop/cpstart or reboot, the 4434 port will not survive. It rolled back to 443 again.
Solution:
Firewall ->Properties -> SecurePlatform -> change main url to :http://x.x.x.x:4434
goto command line do webui changes
push policy.
R77.30 & R80 Gaia InstallationVideos:
Check Point R77.30 Lab Series 1 - Installing Management Server (51sec)
Check Point R80 Management Installation in VmWare Part 1- Installation and First Time Wizard
Check Point R80 Management Installation in Vmware Part 2 - SmartConsole
Check Point R80 Management Installation in Vmware Part 3- Dashboard
Note: I have moved some advanced Checkpoint CLI commands into another post, please check "Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)" in this blog.
What is a default expert mode password right after installation?
ReplyDeleteThere is no default expert mode password. you need to set expert mode password using SG> set expert mode password
ReplyDeleteNone, it will ask you to enter the password when you will try to enter expert mode first time.
ReplyDeleteuse following command to set expert password in Gaia system:
DeleteHostName> set expert-password plain
if it is asking your current password, that means somebody has set it before. Using 'show configuration' to check the configuration.
What is the command to delete static route entry in GAIA ?
ReplyDeleteset static-route 4.4.4.0/24 nexthop gateway address 9.9.9.2 off
Deletehow to increase syslog level in checkpoint
ReplyDeletehow to check Software-blades and check License activate or not activate?
ReplyDeleteI am not sure if this command and output from one of firewalls will help you:
DeletePub-cp2> cplic print
Host Expiration Features
10.9.2.37 never CPAP-SG27X CPSG-PPK CPSB-FW CPSM-C-2 CPEP-SA-5 CPSB-VPN CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-IPS-S1 CK-00-90-FB-35-1A-42
10.9.2.37 never CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-34-9C-05
10.9.2.37 never cpap-sg420x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-apcl-s1 CK-00-1C-7F-34-9C-05
10.9.2.37 never CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-32-CC-15
Contract Coverage:
# ID Expiration SKU
===+===========+============+====================
1 | A12585 | 27Feb2016 | CPES-SS-STANDARD-ONSITE-ADD
+-----------+------------+--------------------
|Covers: CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-32-CC-15
===+===========+============+====================
2 | Y580QQ | 1Aug2016 | CPCES-CO-STANDARD-ADD
+-----------+------------+--------------------
|Covers: CPAP-SG27X CPSG-PPK CPSB-FW CPSM-C-2 CPEP-SA-5 CPSB-VPN CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-IPS-S1 CK-00-90-FB-35-1A-42
===+===========+============+====================
3 | T8HPP6 | 27Feb2016 | CPES-SS-STANDARD-ONSITE-ADD
+-----------+------------+--------------------
|Covers: cpap-sg420x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-apcl-s1 CK-00-1C-7F-34-9C-05
| CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-34-9C-05
===+===========+============+====================
4 | E3544P | 27Feb2016 | CPSB-IPS-S-1Y
+-----------+------------+--------------------
|Covers: CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-32-CC-15
===+===========+============+====================
5 | W8HTY42 | 27Feb2016 | CPSB-IPS-S-1Y
+-----------+------------+--------------------
|Covers: cpap-sg420x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-apcl-s1 CK-00-1C-7F-34-9C-05
| CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-34-9C-05
===+===========+============+====================
6 | Y7A21RH | 27Feb2016 | CPSB-APCL-S-1Y
+-----------+------------+--------------------
|Covers: cpap-sg420x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-apcl-s1 CK-00-1C-7F-34-9C-05
| CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-34-9C-05
===+===========+============+====================
7 | IT1141 | 1Aug2016 | CPSB-IPS-S-1Y
+-----------+------------+--------------------
|Covers: CPAP-SG27X CPSG-PPK CPSB-FW CPSM-C-2 CPEP-SA-5 CPSB-VPN CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-IPS-S1 CK-00-90-FB-35-1A-42
===+===========+============+====================
8 | 9563S5 | 27Feb2016 | CPSB-APCL-S-1Y
+-----------+------------+--------------------
|Covers: CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-32-CC-15
===+===========+============+====================