Checkpoint R65 CLI Reference Guide


  • 8/3/2019 Checkpoint R65 CLI Reference Guide

    1/184

    Command Line Interface Reference Guide

    Version NGX R65

    February 2007


    2003-2007 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.


    Contents

    Preface
      Who Should Use This Guide
      Summary of Contents
      Related Documentation
      More Information
      Feedback

    Chapter 1 Introduction to the CLI
      Introduction
      General Information
        Debugging SmartConsole Clients

    Chapter 2 SmartCenter and Firewall Commands
      comp_init_policy
      cp_admin_convert
      cpca_client
        cpca_client create_cert
        cpca_client revoke_cert
        cpca_client set_mgmt_tools
      cp_conf
        cp_conf sic
        cp_conf admin
        cp_conf ca
        cp_conf finger
        cp_conf lic
        cp_conf client
        cp_conf ha
        cp_conf snmp
        cp_conf auto
        cp_conf sxl
      cpconfig
      cplic
        cplic check
        cplic db_add
        cplic db_print
        cplic db_rm
        cplic del
        cplic del
        cplic get
        cplic put


        cplic put ...
        cplic print
        cplic upgrade
      cp_merge
        cp_merge delete_policy
        cp_merge export_policy
        cp_merge import_policy and cp_merge restore_policy
        cp_merge list_policy
      cppkg
        cppkg add
        cppkg delete
        cppkg get
        cppkg getroot
        cppkg print
        cppkg setroot
      cpridrestart
      cpridstart
      cpridstop
      cprinstall
        cprinstall boot
        cprinstall cprestart
        cprinstall cpstart
        cprinstall cpstop
        cprinstall get
        cprinstall install
        cprinstall stop
        cprinstall uninstall
        cprinstall upgrade
        cprinstall verify
        cprinstall verify_upgrade
      cpstart
      cpstat
      cpstop
      cpwd_admin
        cpwd_admin start
        cpwd_admin stop
        cpwd_admin list
        cpwd_admin exist
        cpwd_admin kill
        cpwd_admin config
      dbedit
      dbver
        dbver create


        dbver export
        dbver import
        dbver print
        dbver print_all
      dynamic_objects
      fw
        fw ctl
        fw expdate
        fw fetch
        fw fetchlogs
        fw isp_link
        fw kill
        fw lea_notify
        fw lichosts
        fw log
        fw logswitch
        fw mergefiles
        fw monitor
        fw lslogs
        fw putkey
        fw repairlog
        fw sam
        fw stat
        fw tab
        fw ver
      fwm
        fwm dbimport
        fwm dbexport
        fwm dbload
        fw hastat
        fwm ikecrypt
        fwm load
        fwm lock_admin
        fwm logexport
        fwm sic_reset
        fwm unload
        fwm ver
      GeneratorApp
      inet_alert
      ldapcmd
      ldapcompare
      ldapconvert
      ldapmodify
      ldapsearch


        scc restartsc
        scc passcert
        scc setmode
        scc setpolicy
        scc sp
        scc startsc
        scc status
        scc stopsc
        scc suppressdialogs
        scc userpass
        scc ver

    Chapter 6 ClusterXL Commands
      cphaconf
      cphaprob
      cphastart
      cphastop


    Preface

    In This Chapter

    Who Should Use This Guide
    Summary of Contents
    Related Documentation
    More Information
    Feedback


    Who Should Use This Guide

    This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

    This guide assumes a basic understanding of:

    System administration.

    The underlying operating system.

    Internet protocols (IP, TCP, UDP etc.).


    Summary of Contents

    This guide contains the following chapters:

    | Chapter | Description |
    |---|---|
    | Chapter 1, Introduction to the CLI | Purpose of this guide, and how to debug SmartConsole clients. |
    | Chapter 2, SmartCenter and Firewall Commands | Commands for controlling the SmartCenter server and the firewall components of the SmartCenter server and of Check Point gateways. |
    | Chapter 3, VPN Commands | The vpn command and its subcommands, used for controlling the VPN component of Check Point gateways. |
    | Chapter 4, SmartView Monitor Commands | The rtm command and its subcommands, used to execute SmartView Monitor operations. |
    | Chapter 5, SecureClient Commands | The scc command and its subcommands are VPN commands that are executed on SecureClient. They are used to generate status information, stop and start services, or connect to defined sites using specific user profiles. |
    | Chapter 6, ClusterXL Commands | Commands used for controlling, monitoring and troubleshooting ClusterXL gateway clusters. |


    Related Documentation

    The NGX R65 release includes the following documentation:

    TABLE P-1 VPN-1 Power documentation suite documentation

    | Title | Description |
    |---|---|
    | Internet Security Product Suite Getting Started Guide | Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What's New, Licenses, Minimum hardware and software requirements, etc. |
    | Upgrade Guide | Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. |
    | SmartCenter Administration Guide | Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. |
    | Firewall and SmartDefense Administration Guide | Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. |
    | Virtual Private Networks Administration Guide | This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure. |
    | Eventia Reporter Administration Guide | Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. |
    | SecurePlatform/SecurePlatform Pro Administration Guide | Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols. |
    | Provider-1/SiteManager-1 Administration Guide | Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments. |

    TABLE P-2 Integrity Server documentation

    | Title | Description |
    |---|---|
    | Integrity Advanced Server Installation Guide | Explains how to install, configure, and maintain the Integrity Advanced Server. |
    | Integrity Advanced Server Administrator Console Reference | Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system. |
    | Integrity Advanced Server Administrator Guide | Explains how to manage administrators and endpoint security with Integrity Advanced Server. |
    | Integrity Advanced Server Gateway Integration Guide | Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package. |
    | Integrity Advanced Server System Requirements | Provides information about client and server requirements. |
    | Integrity Agent for Linux Installation and Configuration Guide | Explains how to install and configure Integrity Agent for Linux. |
    | Integrity XML Policy Reference Guide | Provides the contents of Integrity client XML policy files. |
    | Integrity Client Management Guide | Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior. |


    More Information

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.

    See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents


    Chapter 1

    Introduction to the CLI

    In This Chapter

    Introduction
    General Information


    Introduction

    This guide documents the Command Line Interface (CLI) commands across different Check Point Products and features. The commands are documented according to the product for which they are used.

    Within each product chapter, the commands are arranged alphabetically.

    For Provider-1/SiteManager-1 line commands, see the Provider-1/SiteManager-1 Administration Guide.

    For QoS line commands, see the QoS Administration Guide.

    For SmartLSM line commands, see the SmartLSM Administration Guide.


    General Information

    Debugging SmartConsole Clients

    It is possible to obtain debugging information on any of the SmartConsole clients by running these clients in a debug mode. You can save the debug information in a default text file, or you can specify another file in which this information should be saved.

    Usage: -d -o

    Syntax:

    | parameter | meaning |
    |---|---|
    | -d | enter the debug mode. If -o is omitted, debug information is saved into a file with the default name:_debug_output.txt. |
    | -o | This optional parameter, followed by a file name indicates in which text file debug information should be saved. |


    Chapter 2

    SmartCenter and Firewall Commands

    In This Chapter

    comp_init_policy
    cp_admin_convert
    cpca_client
    cp_conf
    cpconfig
    cplic
    cp_merge
    cppkg
    cpridrestart
    cpridstart
    cpridstop
    cprinstall
    cpstart
    cpstat
    cpstop
    cpwd_admin
    dbedit
    dbver
    dynamic_objects
    fw
    fwm
    GeneratorApp
    inet_alert
    ldapcmd
    ldapcompare
    ldapconvert
    ldapmodify
    ldapsearch
    log_export
    queryDB_util
    rs_db_tool
    sam_alert
    svr_webupload_config

    comp_init_policy

    Description Use the comp_init_policy command to generate and load, or to remove, the Initial Policy.

    Usage $FWDIR/bin/comp_init_policy [-u | -g]

    Syntax

    | Argument | Description |
    |---|---|
    | -u | Removes the current Initial Policy, and ensures that it will not be generated in future when cpconfig is run. |
    | -g | Can be used if there is no Initial Policy. If there is, make sure that after removing the policy, you delete the $FWDIR\state\local\FW1\ folder. Generates the Initial Policy and ensures that it will be loaded the next time a policy is fetched (at cpstart, or at next boot, or via the fw fetch localhost command). After running this command, cpconfig will add an Initial Policy when needed. |

    The comp_init_policy -g command will only work if there is no previous Policy.

    If you perform the following commands:

    comp_init_policy -g + fw fetch localhost
    comp_init_policy -g + cpstart
    comp_init_policy -g + reboot

    The original policy will still be loaded.

    cp_admin_convert

    Description Use this command to automatically export administrator definitions that were created in cpconfig to SmartDashboard.

    Usage cp_admin_convert

    After running the command, the system will allow you to choose administrators for export from among the defined administrators.

    cpca_client

    Description This command and all its derivatives are used to execute operations on the ICA.

    Usage cpca_client

    In This Section

    cpca_client create_cert
    cpca_client revoke_cert
    cpca_client set_mgmt_tools

    cpca_client create_cert

    Description This command prompts the ICA to issue a SIC certificate for the SmartCenter server.

    Usage cpca_client [-d] create_cert [-p ] -n "CN=" -f

    Syntax

    | Argument | Description |
    |---|---|
    | -d | Debug flag |
    | -p | Specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209) |
    | -n "CN=" | sets the CN |
    | -f | specifies the file name where the certificate and keys are saved. |

    cpca_client revoke_cert

    Description This command is used to revoke a certificate issued by the ICA.

    Usage cpca_client [-d] revoke_cert [-p ] -n "CN="

    Syntax

    | Argument | Description |
    |---|---|
    | -d | debug flag |
    | -p | specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209) |
    | -n "CN=" | sets the CN |

    cpca_client set_mgmt_tools

    Description This command is used to invoke or terminate the ICA Management Tool.

    Usage cpca_client [-d] set_mgmt_tools on|off [-p ][-no_ssl] [-a|-u "administrator|user DN" -a|-u "administrator|user DN" ... ]

    Syntax

    | Argument | Description |
    |---|---|
    | -d | debug flag |
    | set_mgmt_tools on\|off | on - Start the ICA Management tool; off - Stop the ICA Management tool |
    | -p | Specifies the port which is used to connect to the CA (if the appropriate service was not run from the default port 18265) |
    | -no_ssl | Configures the server to use clear http rather than https. |
    | -a\|-u "administrator\|user DN" | Sets the DNs of the administrators or users that are permitted to use the ICA Management tool |

    Comments Note the following:

    1. If the command is run without -a or -u the list of the permitted users and administrators isn't changed. The server can be stopped or started with the previously defined permitted users and administrators.

    2. If two consecutive start operations are initiated the ICA Management Tool will not respond, unless you change the SSL mode. Once the SSL mode has been modified, the server can be stopped and restarted.

    cp_conf

    Description This command is used to configure/reconfigure a VPN-1 installation via the CLI. The configuration options shown depend on the installed configuration and products.

    Usage cp_conf

    In This Section

    cp_conf sic
    cp_conf admin
    cp_conf ca
    cp_conf finger
    cp_conf lic
    cp_conf client
    cp_conf ha
    cp_conf snmp
    cp_conf auto
    cp_conf sxl

    cp_conf sic

    Description Enables the user to manage SIC.

    Usage cp_conf sic state # Get the current Trust state
          cp_conf sic init [norestart] # Initialize SIC
          cp_conf sic cert_pull # Pull certificate (DAIP only)

    cp_conf admin

    Description Use this command to manage the Check Point Administrator.

    Usage cp_conf admin get # Get the list of administrators.
          cp_conf admin add # Add administrator
          where permissions:
          w - read/write
          r - read only
          cp_conf admin del ... # Delete administrators.

    cp_conf ca

    Description Use this command to initialize the Certificate Authority

    Usage cp_conf ca init # Initializes Internal CA.
          cp_conf ca fqdn # Sets the name of the Internal CA.

    cp_conf finger

    Description Displays the fingerprint which will be used on first-time launch to verify the identity of the SmartCenter server being accessed by the SmartConsole. This fingerprint is a text string derived from the SmartCenter server's certificate

    Usage cp_conf finger get # Get Certificate's Fingerprint.

    cp_conf lic

    Description Use this command to enable the administrator to add a license manually and to view the license installed.

    Usage cp_conf lic get # Get licenses installed.
          cp_conf lic add -f # Add license from file.
          cp_conf lic add -m # Add license manually.
          cp_conf lic del # Delete license.

    cp_conf client

    Description Use this command to manage the GUI Clients allowed to connect to the management.

    Usage cp_conf client get # Get the GUI Clients list
          cp_conf client add < GUI Client > # Add one GUI Client
          cp_conf client del < GUI Client 1> < GUI Client 2>... # Delete GUI Clients
          cp_conf client createlist < GUI Client 1> < GUI Client 2>... # Create new list.

    cp_conf ha

    Description Use this command to enable or disable the High Availability module.

    Usage cp_conf ha enable/disable [norestart] # Enable/Disable HA

    cp_conf snmp

    Description Use this command to activate or deactivate SNMP.

    Usage cp_conf snmp get # Get SNMP Extension status.
          cp_conf snmp activate/deactivate [norestart] # Deactivate SNMP Extension.

    cp_conf auto

    Description Use this command to determine whether or not the Firewall/SmartCenter starts automatically after the machine restarts.

    Usage cp_conf auto get [fw1] [fg1] [rm] [all] # Get the auto state of products.
          cp_conf auto ... # Enable/Disable auto start.

    cp_conf sxl

    Description Use this command to enable or disable the SecureXL acceleration module.

    Usage cp_conf sxl # Enable/Disable SecureXL.

    cpconfig

    Description This command is used to run a Command Line version of the Check Point Configuration Tool. This tool is used to configure/reconfigure a VPN-1 installation. The configuration options shown depend on the installed configuration and products. Amongst others, these options include:

    Licenses - modify the necessary Check Point licenses

    Administrators - modify the administrators authorized to connect to the SmartCenter server via the SmartConsole

    GUI Clients - modify the list of GUI Client machines from which the administrators are authorized to connect to a SmartCenter server

    Certificate Authority - install the Certificate Authority on the SmartCenter server in a first-time installation

    Key Hit Session - enter a random seed to be used for cryptographic purposes.

    Secure Internal Communication - set up trust between the gateway on which this command is being run and the SmartCenter server

    Fingerprint - display the fingerprint which will be used on first-time launch to verify the identity of the SmartCenter server being accessed by the SmartConsole. This fingerprint is a text string derived from the SmartCenter server's certificate.

    Usage cpconfig

    Further Info. See the Getting Started Guide and the SmartCenter Administration Guide.

    cplic

    Description This command and all its derivatives relate to the subject of Check Point license management. All cplic commands are located in $CPDIR/bin. License Management is divided into three types of commands:

    Local licensing commands are executed on local machines.

    Remote licensing commands are commands which affect remote machines and are executed on the SmartCenter server.

    License repository commands are executed on the SmartCenter server.

    Usage cplic

    In This Section

    cplic check
    cplic db_add
    cplic db_print
    cplic db_rm
    cplic del
    cplic del
    cplic get
    cplic put
    cplic put ...
    cplic print
    cplic upgrade

    cplic check

    Description Use this command to check whether the license on the local machine will allow a given feature to be used.

    Usage cplic check [-p ] [-v ] [-c count] [-t ] [-r routers] [-S SRusers]

    Syntax

    Argument Description

    -p            The product for which license information is requested. For example fw1, netso.
    -v            The product version for which license information is requested. For example 4.1, 5.0
    -c count      Count the licenses connected to this feature
    -t            Check license status on future date. Use the format ddmmmyyyy. A given feature may be valid on a given date on one license, but invalid in another.
    -r routers    Check how many routers are allowed. The feature option is not needed.
    -S SRusers    Check how many SecuRemote users are allowed. The feature option is not needed

    The for which license information is requested.

    cplic db_add

    Description The cplic db_add command is used to add one or more licenses to the license repository on the SmartCenter server. When local licenses are added to the license repository, they are automatically attached to their intended Check Point gateway; central licenses need to undergo the attachment process.

    Usage cplic db_add < -l license-file | host expiration-date signature SKU/features >

    Syntax

    Argument Description

    -l license-file    adds the license(s) from license-file. The following options are NOT needed: Host Expiration-Date Signature SKU/feature

    Comments This command is a license repository command, it can only be executed on the SmartCenter server.

    Copy/paste the following parameters from the license received from the User Center. More than one license can be added.

    host - the target hostname or IP address

    expiration date - The license expiration date.

    signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)

    SKU/features - The SKU of the license summarizes the features included in the license. For example: CPSUITE-EVAL-3DES-vNG

    Example If the file 192.168.5.11.lic contains one or more licenses, the command: cplic db_add -l 192.168.5.11.lic will produce output similar to the following:

    Adding license to database ...
    Operation Done

    cplic db_print

    Description The cplic db_print command displays the details of Check Point licenses stored in the license repository on the SmartCenter server.

    Usage cplic db_print [-n noheader] [-x print signatures] [-t type] [-a attached]

    Syntax

    Argument Description

    Object name            Print only the licenses attached to Object name. Object name is the name of the Check Point gateway object, as defined in SmartDashboard.
    -all                   Print all the licenses in the license repository
    -noheader (or -n)      Print licenses with no header.
    -x                     Print licenses with their signature
    -t (or -type)          Print licenses with their type: Central or Local.
    -a (or -attached)      Show which object the license is attached to. Useful if the -all option is specified.

    Comments This command is a license repository command, it can only be executed on the SmartCenter server.
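The rows printed by cplic db_print -all -a can be checked for expired, soon-to-expire and evaluation licenses. The script below is an added example, not part of the Check Point guide: it assumes the whitespace-separated Host / Expiration / Features rows that this guide prints in its cplic upgrade example, and the function names, the -EVAL- SKU match and the 192.0.2.x rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit license rows in the layout this guide shows for
# `cplic db_print -all -a` (Host, Expiration, Features..., attached object).
# Usage: cplic db_print -all -a | cplic_audit <today as ddMmmyyyy> [warn-days]

cplic_audit() {
    awk -v today="$1" -v warn="${2:-30}" '
    # Convert ddMmmyyyy (e.g. 26Nov2002) to a Julian day number; 0 if malformed.
    function jdn(s,    n, dd, mon, yy, m, a, y2, m2) {
        n = length(s)
        if (n != 8 && n != 9) return 0
        dd  = substr(s, 1, n - 7)
        mon = tolower(substr(s, n - 6, 3))
        yy  = substr(s, n - 3)
        if (dd !~ /^[0-9]+$/ || yy !~ /^[0-9]+$/) return 0
        # Month names sit at offsets 1, 4, 7, ... of this string.
        m = index("janfebmaraprmayjunjulaugsepoctnovdec", mon)
        if (m == 0 || (m - 1) % 3 != 0) return 0
        m = (m + 2) / 3
        dd += 0; yy += 0
        if (dd < 1 || dd > 31) return 0
        a  = int((14 - m) / 12)
        y2 = yy + 4800 - a
        m2 = m + 12 * a - 3
        return dd + int((153 * m2 + 2) / 5) + 365 * y2 + int(y2 / 4) - int(y2 / 100) + int(y2 / 400) - 32045
    }
    BEGIN {
        now = jdn(today)
        if (now == 0) {
            print "cplic_audit: reference date must be ddMmmyyyy" | "cat 1>&2"
            exit 2
        }
    }
    # A license row has an expiration in field 2: a date-shaped token or "never".
    # Banners, the column header and shell prompts do not match and are skipped.
    NF >= 3 && $2 ~ /^([0-9]+[A-Za-z]+[0-9]+|[Nn]ever)$/ {
        status = ""
        if (tolower($2) != "never") {
            e = jdn($2)
            if (e == 0)               status = "UNPARSED"   # never silently pass a bad date
            else if (e < now)         status = "EXPIRED"
            else if (e - now <= warn) status = "EXPIRING"
        }
        # Assumption: evaluation SKUs carry -EVAL-, as in the SKUs quoted in this guide.
        if ($3 ~ /-EVAL-/) status = (status == "" ? "EVAL" : status ",EVAL")
        if (status != "") {
            rest = $3
            for (i = 4; i <= NF; i++) rest = rest " " $i
            print status, $1, $2, rest
        }
    }'
}

# Constructed sample: the two rows printed in this guide plus two made-up rows
# (192.0.2.x, CK-000000000000) that exercise the EXPIRING and UNPARSED paths.
sample_db_print() {
    cat <<'EOF'
Retrieving license information from database ...
The following licenses appear in the database:
==================================================
Host Expiration Features
192.168.8.11 Never CPFW-FIG-25-41 CK-49C3A3CC7121 golda
192.168.5.11 26Nov2002 CPSUITE-EVAL-3DES-NG CK-1234567890 count
192.0.2.20 15Dec2002 CPMP-SAMPLE-NG CK-000000000000 gw-sample
192.0.2.30 31Foo2002 CPMP-SAMPLE-NG CK-000000000000 gw-sample2
EOF
}

# Demo run against the constructed sample, with 01Dec2002 as "today".
sample_db_print | cplic_audit 01Dec2002 30
```

Rows that come back as EXPIRED or EVAL are the candidates for the cplic del and cplic db_rm cleanup described in the sections that follow.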

    cplic db_rm

    Description The cplic db_rm command removes a license from the license repository on the SmartCenter server. It can be executed ONLY after the license was detached using the cplic del command. Once the license has been removed from the repository, it can no longer be used.

    Usage cplic db_rm

    Syntax

    Argument Description

    Signature    The signature string within the license.

    Example cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

    Comments This command is a license repository command, it can only be executed on the SmartCenter server.

    cplic del

    Description Use this command to delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. This command is used for both local and remote machines

    Usage cplic del [-F ]

    Syntax

    Argument Description

    -F    Send the output to instead of the screen.

    The signature string within the license.

    cplic del

    Description Use this command to detach a Central license from a Check Point gateway. When this command is executed, the license repository is automatically updated. The Central license remains in the repository as an unattached license. This command can be executed only on a SmartCenter server.

    Usage cplic del [-F outputfile] [-ip dynamic ip]

    Syntax

    Argument Description

    object name       The name of the Check Point gateway object, as defined in SmartDashboard.
    -F outputfile     Divert the output to outputfile rather than to the screen.
    -ip dynamic ip    Delete the license on the Check Point gateway with the specified IP address. This parameter is used for deleting a license on a DAIP Check Point gateway
                      Note - If this parameter is used, then object name must be a DAIP gateway.
    Signature         The signature string within the license.

    Comments This is a Remote Licensing Command which affects remote machines that is executed on the SmartCenter server.

    cplic get

    Description The cplic get command retrieves all licenses from a Check Point gateway (or from all Check Point gateways) into the license repository on the SmartCenter server. Do this to synchronize the repository with the Check Point gateway(s). When the command is run, all local changes will be updated.

    Usage cplic get [-v41]

    Syntax

    Argument Description

    ipaddr      The IP address of the Check Point gateway from which licenses are to be retrieved.
    hostname    The name of the Check Point gateway object (as defined in SmartDashboard) from which licenses are to be retrieved.
    -all        Retrieve licenses from all Check Point gateways in the managed network.
    -v41        Retrieve version 4.1 licenses from the NF Check Point gateway. Used to upgrade version 4.1 licenses.

    Example If the Check Point gateway with the object name caruso contains four Local licenses, and the license repository contains two other Local licenses, the command: cplic get caruso produces output similar to the following

    Get retrieved 4 licenses.
    Get removed 2 licenses.

    Comments This is a Remote Licensing Command which affects remote machines that is executed on the SmartCenter server.

    cplic put

    Description The cplic put command is used to install one or more Local licenses on a local machine.

    Usage cplic put [-o overwrite] [-c check-only] [-s select] [-F ] [-P Pre-boot] [-k kernel-only]

    Syntax

    Argument Description

    -overwrite (or -o)      On a SmartCenter server this will erase all existing licenses and replace them with the new license(s). On a Check Point gateway this will erase only Local licenses but not Central licenses, that are installed remotely.
    -check-only (or -c)     Verify the license. Checks if the IP of the license matches the machine, and if the signature is valid
    select (or -s)          Select only the Local licenses whose IP address matches the IP address of the machine.
    -F outputfile           Outputs the result of the command to the designated file rather than to the screen.
    -Preboot (or -P)        Use this option after upgrading to VPN-1/FireWall-1 NG FP2 and before rebooting the machine. Use of this option will prevent certain error messages.
    -kernel-only (or -k)    Push the current valid licenses to the kernel. For Support use only.
    -l license-file         Installs the license(s) in license-file, which can be a multi-license file. The following options are NOT needed: host expiration-date signature SKU/features

    Comments Copy and paste the following parameters from the license received from the User Center.

    host - One of the following:

    All platforms - The IP address of the external interface (in dot notation); last part cannot be 0 or 255.

    Sun OS4 and Solaris2 - The response to the hostid command (beginning with 0x).

    HP-UX - The response to the uname -i command (beginning with 0d).

    AIX - The response to the uname -l command (beginning with 0d), or the response to the uname -m command (beginning and ending with 00).

    expiration date - The license expiration date. Can be never

    signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)

    SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab

    Example cplic put -l 215.153.142.130.lic produces output similar to the following:

    Host               Expiration    SKU
    215.153.142.130    26Dec2001     CPMP-EVAL-1-3DES-NG CK0123456789ab

    cplic put ...

    Description Use the cplic put command to attach one or more central or local licenses remotely. When this command is executed, the license repository is also updated.

    Usage cplic put [-ip dynamic ip] [-F ] < -l license-file | host expiration-date signature SKU/features >

    Argument Description

    Object name        The name of the Check Point gateway object, as defined in SmartDashboard.
    -ip dynamic ip     Install the license on the Check Point gateway with the specified IP address. This parameter is used for installing a license on a DAIP Check Point gateway.
                       NOTE: If this parameter is used, then object name must be a DAIP Check Point gateway.
    -F outputfile      Divert the output to outputfile rather than to the screen.
    -l license-file    Installs the license(s) from license-file. The following options are NOT needed: Host Expiration-Date Signature SKU/features

    Comments This is a Remote Licensing Command which affects remote machines that is executed on the SmartCenter server.

    Copy and paste the following parameters from the license received from the User Center. More than one license can be attached

    host - the target hostname or IP address

    expiration date - The license expiration date. Can be never

    signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)

    SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab

    cplic print

    Description The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine.

    Usage cplic print [-n noheader][-x prints signatures][-t type][-F] [-p preatures]

    Syntax

    Argument Description

    -noheader (or -n)     Print licenses with no header.
    -x                    Print licenses with their signature
    -type (or -t)         Prints licenses showing their type: Central or Local.
    -F                    Divert the output to outputfile.
    -preatures (or -p)    Print licenses resolved to primitive features.

    Comments On a Check Point gateway, this command will print all licenses that are installed on the local machine both Local and Central licenses.

    cplic upgrade

    Description Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.

    Usage cplic upgrade

    Syntax

    Argument Description

    -l inputfile    Upgrades the licenses in the license repository and Check Point gateways to match the licenses in

    Example The following example explains the procedure which needs to take place in order to upgrade the licenses in the license repository.

    Upgrade the SmartCenter server to the latest version.

    Ensure that there is connectivity between the SmartCenter server and the remote workstations with the version 4.1 products.

    Import all licenses into the license repository. This can also be done after upgrading the products on the remote workstations to NG

    Run the command: cplic get -all. For example

    count:root(su) [~] # cplic get -all
    Getting licenses from all modules ...
    golda:
    Retrieved 1 licenses.
    Detached 0 licenses.
    Removed 0 licenses.
    count:
    Retrieved 1 licenses.
    Detached 0 licenses.
    Removed 0 licenses.

    To see all the licenses in the repository, run the command: cplic db_print -all -a

    count:root(su) [~] # cplic db_print -all -a

    Retrieving license information from database ...

    The following licenses appear in the database:
    ==================================================

    Host            Expiration    Features
    192.168.8.11    Never         CPFW-FIG-25-41 CK-49C3A3CC7121 golda
    192.168.5.11    26Nov2002     CPSUITE-EVAL-3DES-NG CK-1234567890 count

    Upgrade the version 4.1 products on the remote Check Point gateways.

    In the User Center (http://www.checkpoint.com/usercenter), view the licenses for the products that were upgraded from version 4.1 to NG and create new upgraded licenses.

    Download a file containing the upgraded NG licenses. Only download licenses for the products that were upgraded from version 4.1 to NG.

    If you did not import the version 4.1 licenses into the repository in step , import the version 4.1 licenses now using the command cplic get -all -v41

    Run the license upgrade command: cplic upgrade -l

    - The licenses in the downloaded license file and in the license repository are compared.

    - If the certificate keys and features match, the old licenses in the repository and in the remote workstations are updated with the new licenses.

    - A report of the results of the license upgrade is printed.

    In the following example, there are two NG licenses in the file. One does not match any license on a remote workstation, the other matches a version 4.1 license on a remote workstation that should be upgraded:

    Comments This is a Remote Licensing Command which affects remote machines that is executed on the SmartCenter server.

    Further Info. See the SmartUpdate chapter of the SmartCenter Administration Guide.

    cp_merge

    Description The cp_merge utility has two main functionalities

    Export and import of policy packages

    Merge of objects from a given file into SmartCenter database

    Usage cp_merge help

    Syntax

    Argument Description

    help    Displays the usage for cp_merge.

    In This Section

    cp_merge delete_policy
    cp_merge export_policy
    cp_merge import_policy and cp_merge restore_policy
    cp_merge list_policy

    cp_merge delete_policy

    Description This command provides the options of deleting an existing policy package. Note that the default policy can be deleted by delete action.

    Usage cp_merge delete_policy [-s ] [-u | -c ] [-p ] -n

    Syntax

    Argument Description

    -s    Specify the database server IP Address or DNS name. (2)
    -u    The administrator's name. (1, 2)
    -c    The path to the certificate file. (1)
    -p    The administrator's password. (1)
    -n    The policy package to export. (2, 3)

    Comments Further considerations:

    1. Either use certificate file or user and password

    2. Optional

    Example Delete the policy package called standard.

    cp_merge delete_policy -n Standard

    cp_merge export_policy

    Description This command provides the options of leaving the policy package in the active repository, or deleting it as part of the export process. The default policy cannot be deleted during the export action.

    Usage cp_merge export_policy [-s ] [-u | -c ] [-p ][-n | -l ] [-d ] [-f] [-r]

    Syntax

    Argument Description

    -s    Specify the database server IP Address or DNS name. (2)
    -u    The database administrator's name. (1)
    -c    The path to the certificate file. (1)
    -p    The administrator's password. (1)
    -n
    -l    Export the policy package which encloses the policy name. (2, 3, 4)
    -d    Specify the output directory. (2)
    -f    Specify the output file name (where the default file name is .pol). (2)
    -r    Remove the original policy from the repository. (2)

    Comments Further considerations:

    1. Either use certificate file or user and password

    2. Optional

    3. If both -n and -l are omitted all policy packages are exported.

    4. If both -n and -l are present -l is ignored.

    Example Export policy package Standard to file

    cp_merge export_policy -n Standard -f StandardPolicyPackageBackup.pol -d C:\bak

    cp_merge import_policy and cp_merge restore_policy

    Description This command provides the options to overwrite an existing policy package with the same name, or preventing overwriting when the same policy name already exists

    Usage cp_merge import_policy|restore_policy [-s ] [-u | -c ] [-p ][-n ] [-d ] -f [-v]

    Syntax

    Argument Description

    -s    Specify the database server IP address or DNS name. (2)
    -u    The administrator's name. (1, 2)
    -c    The path to the certificate file. (1)
    -p    The administrator's password. (1, 2)
    -n

    Comments Further considerations

    1. Either use certificate file or user and password

    2. Optional

    The cp_merge restore_policy works only locally on the SmartCenter server and it will not work from remote machines.

    Caution: A FireWall-1 policy from .W file can be restored using this utility; however, important information may be lost when the policy is translated into .W format. This restoration should be used only if there is no other backup of the policy.

    Example Import the policy package saved in file Standard.pol into the repository and rename it to StandardCopy.

    cp_merge import_policy -f Standard.pol -n StandardCopy

    cp_merge list_policy

    Usage cp_merge list_policy [-s ] [-u | -c ] [-p ]

    Syntax

    Comments Further considerations:

    1. Either use certificate file or user and password

    Example List all policy packages which reside in the specified repository:

    cp_merge list -s localhost

    cppkg

    Description This command is used to manage the product repository. It is always executed on the SmartCenter server.

    In This Section

    cppkg add
    cppkg delete
    cppkg get
    cppkg getroot
    cppkg print
    cppkg setroot

    cppkg add

    Description The cppkg add command is used to add a product package to the product repository. Only SmartUpdate packages can be added to the product repository.

    Products can be added to the Repository as described in the following procedures, by importing a file downloaded from the Download Center web site at http://www.checkpoint.com/techsupport/downloads/downloads.html. The package file can be added to the Repository directly from the CD or from a local or network drive.

    Usage cppkg add

    Syntax

    Argument Description

    package-full-path    If the package to be added to the repository is on a local disk or network drive, type the full path to the package.
    CD drive             If the package to be added to the repository is on a CD:
                         For Windows machines type the CD drive letter, e.g. d:\
                         For UNIX machines, type the CD root path, e.g. /caruso/image/CPsuite-NG/FP2
                         You will be asked to specify the product and appropriate Operating System (OS).

    Comments cppkg add does not overwrite existing packages. To overwrite existing packages, you must first delete existing packages.

    Example [d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-NG_FP2\

    Enter package name:
    ----------------------
    (1) SVNfoundation
    (2) firewall
    (3) floodgate
    (4) rtm
    (e) Exit

    Enter you choice : 1

    Enter package OS :
    ----------------------
    (1) win32
    (2) solaris
    (3) linux
    (4) hpux
    (5) ipso
    (6) aix
    (e) Exit

    Enter your choice : 1

    You choose to add SVNfoundation for win32 OS. Is this correct? [y/n] : y

    Adding package from CD ...
    Package added to repository.

    cppkg delete

    Description The command is used to delete a product package from the repository. To delete a product package you must specify a number of options. To see the format of the options and to view the contents of the product repository, use the cppkg print command.

    Usage cppkg delete [ [sp]]

    Syntax

    Argument Description

    vendor     Package vendor (e.g. checkpoint).
    product    Package name
               Options are: SVNfoundation, firewall, floodgate.
    version    Package version (e.g. NG).
    os         Package Operating System. Options are: win32 for Windows NT and Windows 2000, solaris, hpux, ipso, aix, linux.
    sp         Package service pack (e.g. fcs for NG R54 initial release, FP1, FP2 etc.) This parameter is optional. Its default is fcs.

    Comments It is not possible to undo the cppkg del command.

    Example [d:\winnt\fw1\ng\bin]cppkg del

    Getting information from package repository. Please wait...

    Select package:
    -----------------------
    (1) checkpoint SVNfoundation NG win32 FCS_FP1
    (2) checkpoint SVNfoundation NG win32 FP1
    (e) Exit

    Enter your choice : 2

    You choose to delete checkpoint SVNfoundation NG win32 FP1 Is this correct? [y/n] : y

    Package removed from repository.

    cppkg get

    Description This command synchronizes the Package Repository database with the content of the actual package repository under $SUROOT.

    Usage cppkg get

    cppkg getroot

    Description The command is used to find out the location of the product repository. The default product repository location on Windows machines is C:\SUroot. On UNIX it is /var/SUroot

    Usage cppkg getroot

    Example # cppkg getroot
    Current repository root is set to : /var/suroot/

    cppkg print

    Description The command is used to list the contents of the product repository.

    Use cppkg print to see the product and OS strings required to install a product package using the cprinstall command, or to delete a package using the cppkg delete command.

    Usage cppkg print

    Example [d:\winnt\fw1\ng\bin]cppkg print

    Getting information from package repository. Please wait...

    Vendor        Product          Version    OS       SP         Description
    -------------------------------------------------------------
    checkpoint    SVNfoundation    NG         win32    FCS_FP1    SVNfoundation NG Feature Pack 1 for 4.1 upgrade
    checkpoint    SVNfoundation    NG         win32    FP1        SVNfoundation Feature Pack 1 for NG upgrade

    cppkg setroot

    Description The command is used to create a new repository root directory location, and to move existing product packages into the new repository.

    The default product repository location is created when the SmartCenter server is installed. On Windows machines the default location is C:\SUroot and on UNIX it is /var/SUroot. Use this command to change the default location.

    When changing repository root directory:

    The contents of the old repository is copied into the new repository.

    The $SUROOT environment variable gets the value of the new root path.

    A product package in the new location will be overwritten by a package in the old location, if the packages are the same (that is, they have the same ID strings).

    The repository root directory should have at least 200 Mbyte of free disk space.

    Usage cppkg setroot

    Syntax

    Argument Description

    repository-root-directo    The desired location for the product

    Comments It is important to reboot the SmartCenter server after performing this command, in order to set the new $SUROOT environment variable.

    Example # cppkg setroot /var/new_suroot
    Repository root is set to : /var/new_suroot/

    Note: When changing repository root directory :

    1. Old repository content will be copied into the new repository.

    2. A package in the new location will be overwritten by a package in the old location, if the packages have the same name.

    Change the current repository root ? [y/n] : y

    The new repository directory does not exist. Create it ? [y/n] : y

    Repository root was set to : /var/new_suroot

    Notice : To complete the setting of your directory, reboot the machine!

    cpridrestart

    Description Stops and starts the Check Point Remote Installation Daemon (cprid).This is the daemon that is used for remote upgrade and installation ofproducts. It is part of the SVN Foundation. In Windows it is a service.

    cpridstart

    Description Start the Check Point Remote Installation Daemon (cprid). This is theservice that allows for the remote upgrade and installation of products. Itis part of the SVN Foundation. In Windows it is a service.

    Usage cpridstart

    repository root directory-full-path

    The desired location for the productrepository.

    cpridstop

    cpridstop

    Description Stop the Check Point Remote installation Daemon (cprid). This is the

  • 8/3/2019 Checkpoint R65 CLI Reference Guide

    53/184

    Chapter 2 SmartCenter and Firewall Commands 53

    Description Stop the Check Point Remote installation Daemon (cprid). This is theservice that allows for the remote upgrade and installation of products. It

    is part of the SVN Foundation. In Windows it is a service.Usage cpridstop

    cprinstall

    Description Use cprinstall commands to perform remote installation of product packages, and associated operations.

    On the SmartCenter server, cprinstall commands require licenses for SmartUpdate.

    On the remote Check Point gateways the following are required:

    Trust must be established between the SmartCenter server and the Check Point gateway.

    cpd must run.

    cprid remote installation daemon must run. cprid is available on VPN-1/FireWall-1 4.1 SP2 and higher, and as part of SVN Foundation for NG and higher.

    In This Section

    cprinstall boot

    cprinstall cprestart

    cprinstall cpstart

    cprinstall cpstop

    cprinstall get

    cprinstall install

    cprinstall stop

    cprinstall uninstall

    cprinstall upgrade

    cprinstall verify

    cprinstall verify_upgrade

    cprinstall boot

    Description The command is used to boot the remote computer.

    Usage cprinstall boot

    Syntax

    Argument Description

    Object name Object name of the Check Point gateway defined in SmartDashboard.

    Example # cprinstall boot harlin

    cprinstall cprestart

    Description This command enables cprestart to be run remotely.

    All products on the Check Point gateway must be of the same version of NG.

    Usage cprinstall cprestart

    Syntax

    Argument Description

    Object name Object name of the Check Point gateway defined in SmartDashboard.

    cprinstall cpstart

    Description This command enables cpstart to be run remotely.

    All products on the Check Point gateway must be of the same version of NG.

    Usage cprinstall cpstart

    Syntax

    Argument Description

    Object name Object name of the Check Point gateway defined in SmartDashboard.

    cprinstall cpstop

    Description This command enables cpstop to be run remotely.

    All products on the Check Point gateway must be of the same version of NG.

    Usage cprinstall cpstop

    Syntax

    Argument Description

    Object name Object name of the Check Point gateway defined in SmartDashboard.

    -proc Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.

    -nopolicy

    cprinstall get

    Description The cprinstall get command is used to obtain details of the products and the Operating System installed on the specified Check Point gateway, and to update the database.

    Usage cprinstall get

    Syntax

    Argument Description

    Object name The name of the Check Point gateway object defined in SmartDashboard.

    Example [c:\winnt\fw1\5.0\bin]cprinstall get fred

    Getting information from fred...

    Operating system  Version  SP
    ----------------------------------------------------------
    solaris           5.7      fcs

    Vendor      Product        Version  SP
    ---------------------------------------------------------
    CheckPoint  VPN-1 Power    NG       fcs
    CheckPoint  SVNfoundation  NG       fcs

    cprinstall install

    Description The cprinstall install command is used to install Check Point products on remote Check Point gateways. To install a product package you must specify a number of options. Use the cppkg print command and copy the required options.

    Usage cprinstall install [-boot] [sp]

    Syntax

    Argument Description

    -boot Boot the remote computer after installing the package. Only boot after ALL products have the same version, either NG or NG FP1. Boot will be cancelled in certain scenarios. See the Release Notes for details.

    Object name Object name of the Check Point gateway defined in SmartDashboard.

    vendor Package vendor (e.g. checkpoint)

    product Package name. Options are: SVNfoundation, firewall, floodgate.

    version Package version (e.g. NG FP2)

    sp Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG Feature Pack 1.)

    Comments Before transferring any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is compatible with previously installed products.

    Example

    # cprinstall install -boot fred checkpoint firewall NG FP1

    Installing firewall NG FP1 on fred...
    Info : Testing Check Point Gateway
    Info : Test completed successfully.
    Info : Transferring Package to Check Point Gateway
    Info : Extracting package on Check Point Gateway
    Info : Installing package on Check Point Gateway
    Info : Product was successfully applied.
    Info : Rebooting the Check Point Gateway
    Info : Checking boot status
    Info : Reboot completed successfully.
    Info : Checking Check Point Gateway
    Info : Operation completed successfully.

    cprinstall stop

    Description This command is used to stop the operation of other cprinstall commands. In particular, this command stops the remote installation of a product - even during transfer of files, file extraction, and pre-installation verification. The operation can be stopped at any time up to the actual installation.

    cprinstall stop can be run from one command prompt to stop a running operation at another command prompt.

    Usage cprinstall stop

    Syntax

    Argument Description

    Object name Object name of the Check Point gateway, defined in SmartDashboard.

    Example

    [c:\winnt\fw1\5.0\bin] cprinstall stop Check PointGateway01
    Info : Stop request sent

    cprinstall uninstall

    Description The cprinstall uninstall command is used to uninstall products on remote Check Point gateways. To uninstall a product package you must specify a number of options. Use the cppkg print command and copy the required options.

    Usage cprinstall uninstall [-boot] [sp]

    Syntax

    Argument Description

    -boot Boot the remote computer after installing the package. Only boot after ALL products have the same version, either NG or NG FP1. Boot will be cancelled in certain scenarios. See the Release Notes for details.

    Object name Object name of the Check Point gateway defined in SmartDashboard.

    vendor Package vendor (e.g. checkpoint)

    product Package name. Options are: SVNfoundation, firewall, floodgate.

    version Package version (e.g. NG FP2)

    sp Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG Feature Pack 1.)

    Comments Before uninstalling any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is installed.

    After uninstalling, retrieve the Check Point gateway data by running cprinstall get.

    Example

    # cprinstall uninstall fred checkpoint firewall NG FP1

    Uninstalling firewall NG FP1 from fred...
    Info : Removing package from Check Point Gateway
    Info : Product was successfully applied.
    Operation Success.Please get network object data to complete the operation.

    cprinstall upgrade

    Description Use the cprinstall upgrade command to upgrade all products on a Check Point gateway to the latest version.

    All products on the Check Point gateway must be of the same version of NG.

    Usage cprinstall upgrade [-boot]

    Syntax

    Argument Description

    -boot Boot the remote Check Point gateway after completing the remote installation.

    object name Object name of the Check Point gateway, defined in SmartDashboard.

    Comments When cprinstall upgrade is run, the command first verifies which products are installed on the Check Point gateway, and that there is a matching product package in the product repository with the same OS, and then installs the product package on the remote Check Point gateway.

    cprinstall verify

    Description The cprinstall verify command is used to verify:

    If a specific product can be installed on the remote Check Point gateway.

    That the Operating System and currently installed products are appropriate for the package.

    That there is enough disk space to install the product.

    That there is a CPRID connection.

    Usage cprinstall verify [sp]

    Syntax

    Argument Description

    Object name Object name of the Check Point gateway defined in SmartDashboard.

    vendor Package vendor (e.g. checkpoint).

    product Package name. Options are: SVNfoundation, firewall, floodgate.

    version Package version (e.g. NG).

    sp Package service pack (e.g. fcs for NG with Application Intelligence initial release, FP1, FP2 etc.) This parameter is optional. Its default is fcs.

    Example The following examples show a successful and a failed verify operation:

    Verify succeeds:

    cprinstall verify harlin checkpoint SVNfoundation NG_FP4

    Verifying installation of SVNfoundation NG FP4 on harlin...
    Info : Testing Check Point Gateway.
    Info : Test completed successfully.
    Info : Installation Verified, The product can be installed.

    Verify fails:

    cprinstall verify harlin checkpoint SVNfoundation NG FCS_FP4

    Verifying installation of SVNfoundation NG FCS_FP4 on harlin...
    Info : Testing Check Point Gateway
    Info : SVN Foundation NG is already installed on 192.168.5.134
    Operation Success.Product cannot be installed, did not pass dependency check.

    cprinstall verify_upgrade

    Description Use the cprinstall verify_upgrade command to verify the success of the upgrade of all products on a Check Point gateway to the latest version, before performing the upgrade. This command is automatically performed by the cprinstall upgrade command.

    All products on the Check Point gateway must be of the same version of NG.

    Usage cprinstall verify_upgrade

    Syntax

    Argument Description

    object name Object name of the Check Point gateway, defined in SmartDashboard.

    Comments When the command is run, the command verifies which products are installed on the Check Point gateway, and that there is a matching product package in the product repository with the same OS.

    cpstart

    Description This command is used to start all Check Point processes and applications running on a machine.

    Usage cpstart

    Comments This command cannot be used to start cprid. cprid is invoked when the machine is booted and it runs independently.

    cpstat

    Description cpstat displays the status of Check Point applications, either on the local machine or on another machine, in various formats.

    Usage cpstat [-h host][-p port][-s SICname][-f flavor][-o polling][-c count][-e period][-d] application_flag

    Syntax

    Argument Description

    -h host A resolvable hostname, a dot-notation address (for example: 192.168.33.23), or a DAIP object name. The default is localhost.

    -p port Port number of the AMON server. The default is the standard AMON port (18192)

    -s Secure Internal Communication (SIC) name of the AMON server.

    -f flavor The flavor of the output (as it appears in the configuration file). The default is the first flavor found in the configuration file.

    -o Polling interval (seconds) specifies the pace of the results. The default is 0, meaning the results are shown only once.

    -c Specifies how many times the results are shown. The default is 0, meaning the results are repeatedly shown.

    -e Specifies the interval (seconds) over which statistical olds are computed. Ignored for regular olds.

    -d Debug mode.

    application_flag One of the following:

    fw FireWall-1

    vpn VPN

    fg FloodGate-1 (QoS)

    ha ClusterXL (High Availability)

    os SVN Foundation and OS Status

    mg for SmartCenter

    persistency - for historical status values

    polsrv

    uas

    svr

    cpsemd

    cpsead

    asm

    ls

    ca

    The following flavors can be added to the application flags:

    fw "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect", "cookies", "chains", "fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin", "smtp", "pop3", "sync"

    vpn default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics, watermarks, all

    fg all

    ha default, all

    os default, "ifconfig", routing, "memory", "old_memory", "cpu", "disk", "perf", "multi_cpu", "multi_disk", "all", "average_cpu", "average_memory", "statistics"

    mg default

    persistency product, Tableconfig, SourceConfig

    polsrv default, all

    uas default

    svr default

    cpsemd default

    cpsead default

    asm default, WS

    ls default

    ca default, crl, cert, user, all

    Example

    > cpstat fw

    Policy name: Standard
    Install time: Wed Nov 1 15:25:03 2000

    Interface table
    -----------------------------------------------------------------
    |Name|Dir|Total *|Accept**|Deny|Log|
    -----------------------------------------------------------------
    |hme0|in |739041*|738990**|51 *|7**|
    -----------------------------------------------------------------
    |hme0|out|463525*|463525**| 0 *|0**|
    -----------------------------------------------------------------
    *********|1202566|1202515*|51**|7**|

    cpstop

    Description This command is used to terminate all Check Point processes and applications, running on a machine.

    Usage cpstop

    cpstop -fwflag [-proc | -default]

    Syntax

    Argument Description

    -fwflag -proc Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.

    -fwflag -default Kills Check Point daemons and Security servers. The active Security Policy running in the kernel is replaced with the default filter.

    Comments This command cannot be used to terminate cprid. cprid is invoked when the machine is booted and it runs independently.

    cpwd_admin

    Description cpwd (also known as WatchDog) is a process that invokes and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by Watchdog are cpd, fwd, fwm. cpwd is part of the SVN Foundation.

    fwd does not work in a Management Only machine. To work with fwd in a Management Only machine add -n (for example, fwd -n).

    cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition, monitoring information is written to the console on UNIX platforms, and to the Windows Event Viewer.

    The cpwd_admin utility is used to show the status of processes, and to configure cpwd.

    Usage cpwd_admin

    In This Section

    cpwd_admin start

    cpwd_admin stop

    cpwd_admin list

    cpwd_admin exist

    cpwd_admin kill

    cpwd_admin config

    cpwd_admin start

    Description Start a new process by cpwd.

    Usage cpwd_admin start -name -path -command

    Syntax

    Argument Description

    -name A name for the process to be watched by WatchDog.

    -path The full path to the executable including the executable name

    -command The name of the executable file.

    Example To start and monitor the fwm process.

    cpwd_admin start -name FWM -path $FWDIR/bin/fwm -command fwm

    cpwd_admin stop

    Description Stop a process which is being monitored by cpwd.

    Usage cpwd_admin stop -name [-path -command ]

    Syntax

    Argument Description

    -name A name for the process to be watched by WatchDog.

    -path Optional: the full path to the executable (including the executable name) that is used to stop the process.

    -command Optional: the name of the executable file mentioned in -path

    Comments If -path and -command are not stipulated, cpwd will abruptly terminate the process.

    Example stop the FWM process using fw kill.

    cpwd_admin stop -name FWM -path $FWDIR/bin/fw -command fw kill fwm

    cpwd_admin list

    Description This command is used to print a status of the selected processes being monitored by cpwd.

    Usage cpwd_admin list

    Output The status report output includes the following information:

    APP Application. The name of the process.

    PID Process Identification Number.

    STAT Whether the process Exists (E) or has been Terminated (T).

    #START How many times the process has been started since cpwd took control of the process.

    START TIME The last time the process was run.

    COMMAND The command that cpwd used to start the process.

    For example:

    #cpwd_admin list
    APP PID STAT #START START_TIME COMMAND
    CPD 463 E 1 [20:56:10] 21/5/2001 cpd
    FWD 440 E 1 [20:56:24] 21/5/2001 fwd
    FWM 467 E 1 [20:56:25] 21/5/2001 fwm
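
    One way to turn the cpwd_admin list report described above into a health check, as an added example that is not part of the Check Point guide. The function names, the finding labels and the sample rows are constructed for illustration; only the column layout is taken from the output shown above.

```shell
#!/bin/sh
# Added example: flag WatchDog-monitored processes that need attention.
# Input is the text of `cpwd_admin list`, in the column layout shown above:
#   APP PID STAT #START START_TIME COMMAND

# check_cpwd_list (hypothetical helper): reads the report on stdin and
# prints one line per finding, or nothing when every process is healthy.
#   TERMINATED <app>          STAT column is T
#   RESTARTED <app> <count>   #START column is greater than 1
#   MISSING <app>             a required process is absent from the report
# $1 (optional): space-separated list of APP names that must be present.
check_cpwd_list() {
    awk -v required="${1:-}" '
        # Skip the prompt line, the column header and anything malformed:
        # a data row has a numeric #START value in field 4.
        NF < 4 || $4 !~ /^[0-9]+$/ { next }
        {
            seen[$1] = 1
            if ($3 == "T") print "TERMINATED " $1
            if ($4 + 0 > 1) print "RESTARTED " $1 " " $4
        }
        END {
            n = split(required, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print "MISSING " want[i]
        }
    '
}

# Constructed sample report: CPD is healthy, FWD has been started three
# times since cpwd took control of it, and FWM has been terminated.
sample_cpwd_list() {
    cat <<'EOF'
APP PID STAT #START START_TIME COMMAND
CPD 463 E 1 [20:56:10] 21/5/2001 cpd
FWD 440 E 3 [21:14:02] 21/5/2001 fwd
FWM 0 T 1 [20:56:25] 21/5/2001 fwm
EOF
}

# Run the check over the sample, requiring the three processes the guide
# names as monitored by WatchDog.
sample_cpwd_list | check_cpwd_list "CPD FWD FWM"
```

    On a SmartCenter server or gateway the same function can read the live report with cpwd_admin list | check_cpwd_list "CPD FWD FWM"; any output means a monitored process has died, is being restarted repeatedly, or is no longer under WatchDog control.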

    cpwd_admin exist

    Description This command is used to check whether cpwd is alive.

    Usage cpwd_admin exist

    cpwd_admin kill

    Description This command is used to kill cpwd.

    Usage cpwd_admin kill

    cpwd_admin config

    Description This command is used to set cpwd configuration parameters. When parameters are changed, these changes will not take effect until cpwd has been stopped and restarted.

    Usage cpwd_admin config -p

    cpwd_admin config -a

    cpwd_admin config -d

    cpwd_admin config -r

    Syntax

    Argument Description

    config -p Shows the cpwd parameters added using the config -a option.

    config -a Add one or more monitoring parameters to the cpwd configuration.

    config -d Delete one or more parameters from the cpwd configuration

    config -r Restore the default cpwd parameters.

    Where the values are as follows:

    Argument Description

    timeout (any value in seconds) If rerun_mode=1, how much time passes from process failure to rerun. The default is 60 seconds.

    no_limit (any value in seconds) Maximum number of times that cpwd will try to restart a process. The default is 5.

    zero_timeout (any value in seconds) After failing no_limit times to restart a process, cpwd will wait zero_timeout seconds before retrying. The default is 7200 seconds. Should be greater than timeout.

    sleep_mode 1 - wait timeout

    0 - ignore timeout. Rerun the process immediately

    dbg_mode 1 - Accept pop-up error messages (with exit-code#0) displayed when a process terminates abruptly (Windows NT only).

    0 - Do not receive pop-up error messages. This is useful if pop-up error messages freeze the machine. This is the default (Windows NT only).

    rerun_mode 1 - Rerun a failed process. This is the default.

    Example The following example shows two configuration parameters being changed: timeout to 120 seconds, and no_limit to 10.

    config -a and cpwd_admin config -d have no effect if cpwd is running. They will affect cpwd the next time it is run.

    dbedit

    Description This command is used by administrators to edit the objects file on the SmartCenter server. From version NG, there is an objects fi