4100013 command line interface version ngx r62

Upload: routingprotocol1104

Post on 06-Apr-2018


8/3/2019 4100013 Command Line Interface Version NGX R62

Command Line Interface
Version NGX R62

August 2006


2003-2006 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

2003-2006 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 UTM Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.


    Contents

Preface
    Who Should Use This Guide ..... 12
    Summary of Contents ..... 13
    Related Documentation ..... 14
    More Information ..... 16

Chapter 1 Introduction to the CLI
    Introduction ..... 18
    General Information ..... 19
        Debugging SmartConsole Clients ..... 19

Chapter 2 SmartCenter and Firewall Commands
    comp_init_policy ..... 22
    cpca_client ..... 23
        cpca_client create_cert ..... 24
        cpca_client revoke_cert ..... 24
        cpca_client set_mgmt_tools ..... 24
    cpconfig ..... 25
    cplic ..... 26
        cplic check ..... 27
        cplic db_add ..... 28
        cplic db_print ..... 28
        cplic db_rm ..... 29
        cplic del ..... 30
        cplic del ..... 30
        cplic get ..... 31
        cplic put ..... 32
        cplic put ..... 34
        cplic print ..... 36
        cplic upgrade ..... 36
    cp_merge ..... 38
        cp_merge delete_policy ..... 38
        cp_merge export_policy ..... 39
        cp_merge import_policy and cp_merge restore_policy ..... 40
        cp_merge list_policy ..... 41
    cppkg ..... 42
        cppkg add ..... 42
        cppkg delete ..... 44
        cppkg get ..... 45
        cppkg getroot ..... 45
        cppkg print ..... 45
        cppkg setroot ..... 46
    cpridrestart ..... 47
    cpridstart ..... 47
    cpridstop ..... 48
    cprinstall ..... 48
        cprinstall boot ..... 49
        cprinstall cprestart ..... 49
        cprinstall cpstart ..... 49
        cprinstall cpstop ..... 50
        cprinstall get ..... 50
        cprinstall install ..... 51
        cprinstall stop ..... 52
        cprinstall uninstall ..... 53
        cprinstall upgrade ..... 54
        cprinstall verify ..... 54
        cprinstall verify_upgrade ..... 56
    cpstart ..... 56
    cpstat ..... 57
    cpstop ..... 58
    cpwd_admin ..... 59
        cpwd_admin start ..... 60
        cpwd_admin stop ..... 60
        cpwd_admin list ..... 61
        cpwd_admin exist ..... 62
        cpwd_admin kill ..... 62
        cpwd_admin config ..... 62
    dbedit ..... 64
    dbver ..... 68
        dbver create ..... 68
        dbver export ..... 69
        dbver import ..... 69
        dbver print ..... 70
        dbver print_all ..... 70
    dynamic_objects ..... 70
    fw ..... 71
        fw ctl ..... 72
        fw expdate ..... 75
        fw fetch ..... 75
        fw fetchlogs ..... 77
        fw isp_link ..... 78
        fw kill ..... 78
        fw lea_notify ..... 79
        fw lichosts ..... 79
        fw log ..... 80
        fw logswitch ..... 83
        fw mergefiles ..... 86
        fw monitor ..... 87
        fw lslogs ..... 95
        fw putkey ..... 97
        fw repairlog ..... 98
        fw sam ..... 99
        fw stat ..... 104
        fw tab ..... 106
        fw ver ..... 107
    fwm ..... 107
        fwm dbimport ..... 108
        fwm dbexport ..... 110
        fwm dbload ..... 113
        fw hastat ..... 113
        fwm ikecrypt ..... 113
        fwm load ..... 114
        fwm lock_admin ..... 116
        fwm logexport ..... 116
        fwm sic_reset ..... 118
        fwm unload ..... 119
        fwm ver ..... 119
    GeneratorApp ..... 120
    inet_alert ..... 121
    ldapcmd ..... 124
    ldapcompare ..... 125
    ldapconvert ..... 126
    ldapmodify ..... 129
    ldapsearch ..... 130
    log_export ..... 132
    queryDB_util ..... 135
    rs_db_tool ..... 137
    sam_alert ..... 138
    svr_webupload_config ..... 139

Chapter 3 VPN-1 Commands
    VPN ..... 141
        vpn accel ..... 142
        vpn compreset ..... 144
        vpn compstat ..... 145
        vpn crl_zap ..... 145
        vpn crlview ..... 145
        vpn debug ..... 146
        vpn drv ..... 148
        vpn export_p12 ..... 148
        vpn macutil ..... 149
        vpn nssm_topology ..... 149
        vpn overlap_encdom ..... 150
        vpn sw_topology ..... 151
        vpn tu ..... 152
        vpn ver ..... 152

Chapter 4 SmartView Monitor Commands
    RTM ..... 155
        rtm debug ..... 156
        rtm drv ..... 156
        rtm monitor or rtm monitor -filter ..... 156
        rtm monitor -v ..... 160
        rtm rtmd ..... 161
        rtm stat ..... 161
        rtm ver ..... 162
        rtmstart ..... 162
        rtmstop ..... 162

Chapter 5 SecureClient Commands
    SCC ..... 163
        scc connect ..... 164
        scc connectnowait ..... 164
        scc disconnect ..... 165
        scc erasecreds ..... 165
        scc listprofiles ..... 165
        scc numprofiles ..... 166
        scc restartsc ..... 166
        scc passcert ..... 166
        scc setmode ..... 166
        scc setpolicy ..... 167
        scc sp ..... 167
        scc startsc ..... 167
        scc status ..... 167
        scc stopsc ..... 167
        scc suppressdialogs ..... 168
        scc userpass ..... 168
        scc ver ..... 168

Chapter 2 ClusterXL Commands
    cphaconf ..... 173
    cphaprob ..... 174
    cphastart ..... 175
    cphastop ..... 175

Preface

In This Chapter

Who Should Use This Guide ..... page 12
Summary of Contents ..... page 13
Related Documentation ..... page 14
More Information ..... page 16

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

This guide assumes a basic understanding of:

System administration.
The underlying operating system.
Internet protocols (IP, TCP, UDP etc.).

Summary of Contents

This guide describes the VPN components of VPN-1 Power. It contains the following sections and chapters:

This section describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

Chapter: Description

Chapter 1, Introduction to the CLI: Purpose of this guide, and how to debug SmartConsole clients.

Chapter 2, SmartCenter and Firewall Commands: Commands for controlling the SmartCenter server and the firewall components of the SmartCenter server and of Check Point gateways.

Chapter 3, VPN-1 Commands: The vpn command and its subcommands, used for controlling the VPN component of Check Point gateways.

Chapter 4, SmartView Monitor Commands: The rtm command and its subcommands, used to execute SmartView Monitor operations.

Chapter 5, SecureClient Commands: The scc command and its subcommands are VPN commands that are executed on SecureClient. They are used to generate status information, stop and start services, or connect to defined sites using specific user profiles.

Chapter 2, ClusterXL Commands: Commands used for controlling, monitoring and troubleshooting ClusterXL gateway clusters.

Related Documentation

TABLE P-2 Integrity Server documentation

Title: Description

Integrity Advanced Server Installation Guide: Covers how to install, configure, and maintain the Integrity Advanced Server.

Integrity Advanced Server Administrator Guide - multi-domain: Explains how to manage administrators and endpoint security with Integrity Advanced Server in a multi-domain deployment.

Integrity Advanced Server Administration Guide - Single domain: Explains how to manage administrators and endpoint security with Integrity Advanced Server in a single-domain deployment.

Integrity Advanced Server System Requirements: Covers system requirements for Integrity Advanced Server.

Integrity XML Policy Reference Guide: Describes the contents of Integrity client XML policy files.

Gateway Integrity Guide: Covers the steps necessary to integrate your gateway device with Integrity Advanced Server and enable cooperative enforcement for remote access protection.

Integrity Advanced Server Implementation Guide: Provides an overview of Integrity Advanced Server features and concepts.

Integrity Secure Client: Covers system requirements for Check Point Integrity SecureClient.

System Requirements: Covers system requirements for Integrity Advanced Server.

Integrity Client Management Guide: Covers choosing an Integrity client type, and its consequent management.

iclient: Covers system requirements and instructions for installing, upgrading, configuring, uninstalling, and using Integrity client.

Client log upload utility: Covers the Integrity Client log upload utility.

More Information

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.

See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents
Chapter 1

Introduction to the CLI

In This Chapter

Introduction ..... page 18
General Information ..... page 19

Introduction

This guide documents the Command Line Interface (CLI) commands across different Check Point Products and features. The commands are documented according to the product for which they are used.

Within each product chapter, the commands are arranged alphabetically.

For Provider-1/SiteManager-1 CLI commands, see the Provider-1/SiteManager-1 User Guide.

General Information

Debugging SmartConsole Clients

It is possible to obtain debugging information on any of the SmartConsole clients by running these clients in a debug mode. You can save the debug information in a default text file, or you can specify another file in which this information should be saved.

Usage: -d -o

Syntax:

Parameter: Meaning

-d: Enter the debug mode. If -o is omitted, debug information is saved into a file with the default name: _debug_output.txt.

-o: This optional parameter, followed by a file name, indicates in which text file debug information should be saved.

Chapter 2

SmartCenter and Firewall Commands

In This Chapter

comp_init_policy ..... page 22
cpca_client ..... page 23
cpconfig ..... page 25
cplic ..... page 26
cp_merge ..... page 38
cppkg ..... page 42
cpridrestart ..... page 47
cpridstart ..... page 47
cpridstop ..... page 48
cprinstall ..... page 48
cpstart ..... page 56
cpstat ..... page 57
cpstop ..... page 58
cpwd_admin ..... page 59
dbedit ..... page 64
dbver ..... page 68
dynamic_objects ..... page 70
fw ..... page 71
fwm ..... page 107
GeneratorApp ..... page 120
inet_alert ..... page 121
ldapcmd ..... page 124
ldapcompare ..... page 125
ldapconvert ..... page 126
ldapmodify ..... page 129
ldapsearch ..... page 130
log_export ..... page 132
queryDB_util ..... page 135
rs_db_tool ..... page 137
sam_alert ..... page 138
svr_webupload_config ..... page 139

comp_init_policy

Description: Use the comp_init_policy command to generate and load, or to remove, the Initial Policy.

Usage: $FWDIR/bin/comp_init_policy [-u | -g]

Syntax:

Argument: Description

-u: Removes the current Initial Policy, and ensures that it will not be generated in future when cpconfig is run.

-g: Can be used if there is no Initial Policy. If there is, make sure that after removing the policy, you delete the $FWDIR\state\local\FW1\ folder. Generates the Initial Policy and ensures that it will be loaded the next time a policy is fetched (at cpstart, or at next boot, or via the fw fetch localhost command). After running this command, cpconfig will add an Initial Policy when needed.

The comp_init_policy -g command will only work if there is no previous Policy. If you perform the following commands:

comp_init_policy -g + fw fetch localhost
comp_init_policy -g + cpstart
comp_init_policy -g + reboot

The original policy will still be loaded.

cpca_client

Description: This command and all its derivatives are used to execute operations on the ICA.

Usage: cpca_client

In This Section

cpca_client create_cert ..... page 24
cpca_client revoke_cert ..... page 24
cpca_client set_mgmt_tools ..... page 24
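The precondition the comp_init_policy section above places on -g (it only takes effect when no previous policy exists, and after -u the $FWDIR\state\local\FW1\ folder must be deleted) is easy to get wrong silently: the command appears to run, but the old policy is what gets loaded at the next cpstart or reboot. The following POSIX shell script is an added example and not code from the Check Point guide; it assumes a Unix-style installation where that state folder is $FWDIR/state/local/FW1 and $FWDIR is set in the shell, and its function names and DRY_RUN switch are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: pre-flight check before
# generating the Initial Policy with "comp_init_policy -g". The guide states
# that -g only works when no previous policy exists and that, after removing a
# policy with -u, the $FWDIR\state\local\FW1\ folder must be deleted.
# Assumptions: a Unix-style install (forward-slash paths) and that $FWDIR is
# set, as it is in a Check Point shell environment; DRY_RUN is this example's
# own switch so the logic can be exercised on a host without Check Point.

# Print the local policy state folder the guide refers to, derived from $FWDIR.
initial_policy_state_dir() {
    printf '%s/state/local/FW1\n' "${FWDIR:?FWDIR is not set}"
}

# Return 0 when "comp_init_policy -g" is safe to run (no leftover local policy
# state), 1 when leftover state exists. A one-line reason goes to stdout on
# success and to stderr on refusal.
initial_policy_precheck() {
    dir=$(initial_policy_state_dir) || return 1
    if [ -d "$dir" ]; then
        echo "refusing: leftover policy state in $dir; delete it before running comp_init_policy -g" >&2
        return 1
    fi
    echo "ok: no local policy state under $dir"
}

# Run the precheck and only then generate the Initial Policy. With DRY_RUN=1
# the command line is printed instead of executed.
generate_initial_policy() {
    initial_policy_precheck || return 1
    cmd="$FWDIR/bin/comp_init_policy -g"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $cmd"
    else
        $cmd
    fi
}

# Demonstration on a constructed directory tree; no Check Point install needed.
demo_root=$(mktemp -d)
FWDIR="$demo_root/fw1"
mkdir -p "$FWDIR/state/local/FW1"

# Leftover state present: the precheck refuses and nothing is generated.
if DRY_RUN=1 generate_initial_policy; then
    echo "unexpected: generation attempted despite leftover state"
fi

# Operator has removed the state folder (as the guide instructs after -u):
# the precheck passes and the command would be run.
rm -rf "$FWDIR/state/local/FW1"
DRY_RUN=1 generate_initial_policy

rm -rf "$demo_root"
```

On a real SmartCenter the demonstration block at the bottom is replaced by a plain call to generate_initial_policy; the refusal message is the signal that the original policy, not the Initial Policy, would otherwise be loaded at the next fetch.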

cpca_client create_cert

Description: This command prompts the ICA to issue a SIC certificate for the SmartCenter server.

Usage: cpca_client [-d] create_cert [-p ] -n "CN=" -f

Syntax:

Argument: Description

-d: Debug flag

-p: Specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209)

-n "CN=": Sets the CN

-f: Specifies the file name where the certificate and keys are saved.

cpca_client revoke_cert

Description: This command is used to revoke a certificate issued by the ICA.

Usage: cpca_client [-d] revoke_cert [-p ] -n "CN="

Syntax:

Argument: Description

-d: Debug flag

-p: Specifies the port which is used to connect to the CA (if the CA was not run from the default port 18209)

-n "CN=": Sets the CN

cpca_client set_mgmt_tools

Description: This command is used to invoke or terminate the ICA Management Tool.

Usage: cpca_client [-d] set_mgmt_tools on|off [-p ] [-no_ssl] [-a|-u "administrator|user DN" -a|-u "administrator|user DN" ... ]

    cpconfig

  • 8/3/2019 4100013 Command Line Interface Version NGX R62

    25/176

    Chapter 2 SmartCenter and Firewall Commands 25

Syntax
    Argument                          Description
    -d                                Debug flag
    set_mgmt_tools on|off             on - Start the ICA Management tool
                                      off - Stop the ICA Management tool
    -p <port>                         Specifies the port which is used to connect to the CA (if the appropriate service was not run from the default port 18265)
    -no_ssl                           Configures the server to use clear http rather than https.
    -a|-u "administrator|user DN"     Sets the DNs of the administrators or users that are permitted to use the ICA Management tool

Comments       Note the following:

    1. If the command is run without -a or -u, the list of the permitted users and administrators isn't changed. The server can be stopped or started with the previously defined permitted users and administrators.

    2. If two consecutive start operations are initiated, the ICA Management Tool will not respond unless you change the ssl mode. Once the ssl mode has been modified, the server can be stopped and restarted.

cpconfig

Description    This command is used to run a Command Line version of the Check Point Configuration Tool. This tool is used to configure/reconfigure a VPN-1 installation. The configuration options shown depend on the installed configuration and products. Amongst others, these options include:

    - Licenses - modify the necessary Check Point licenses
    - Administrators - modify the administrators authorized to connect to the SmartCenter server via the SmartConsole
    - GUI Clients - modify the list of GUI Client machines from which the administrators are authorized to connect to a SmartCenter server


    - Certificate Authority - install the Certificate Authority on the SmartCenter server in a first-time installation
    - Key Hit Session - enter a random seed to be used for cryptographic purposes.
    - Secure Internal Communication - set up trust between the gateway on which this command is being run and the SmartCenter server
    - Fingerprint - display the fingerprint which will be used on first-time launch to verify the identity of the SmartCenter server being accessed by the SmartConsole. This fingerprint is a text string derived from the SmartCenter server's certificate.

Usage          cpconfig

Further Info.  See the Getting Started Guide and the SmartCenter Guide.

cplic

Description    This command and all its derivatives relate to the subject of Check Point license management. All cplic commands are located in $CPDIR/bin. License Management is divided into three types of commands:

    - Local licensing commands are executed on local machines.
    - Remote licensing commands are commands which affect remote machines; they are executed on the SmartCenter server.
    - License repository commands are executed on the SmartCenter server.

Usage          cplic

In This Section

    cplic check                                  page 27
    cplic db_add                                 page 28
    cplic db_print                               page 28
    cplic db_rm                                  page 29
    cplic del                                    page 30
    cplic del                                    page 30
    cplic get                                    page 31
    cplic put                                    page 32
    cplic put ...                                page 34
    cplic print                                  page 36
    cplic upgrade                                page 36

cplic check

Description    Use this command to check whether the license on the local machine will allow a given feature to be used.

Usage          cplic check [-p <product name>] [-v <product version>] [-c count] [-t <date>] [-r routers] [-S SRusers] <feature>

Syntax
    Argument               Description
    -p <product name>      The product for which license information is requested. For example fw1, netso.
    -v <product version>   The product version for which license information is requested. For example 4.1, 5.0
    -c count               Count the licenses connected to this feature
    -t <date>              Check license status on a future date. Use the format ddmmmyyyy. A given feature may be valid on a given date on one license, but invalid in another.
    -r routers             Check how many routers are allowed. The feature option is not needed.
    -S SRusers             Check how many SecuRemote users are allowed. The feature option is not needed.
    <feature>              The feature for which license information is requested.


cplic db_add

Description    The cplic db_add command is used to add one or more licenses to the license repository on the SmartCenter server. When Local licenses are added to the license repository, they are automatically attached to their intended Check Point gateway; Central licenses need to undergo the attachment process.

Usage          cplic db_add < -l license-file | host expiration-date signature SKU/features >

Syntax
    Argument               Description
    -l license-file        Adds the license(s) from license-file. The following options are NOT needed: Host Expiration-Date Signature SKU/feature

Comments       This command is a license repository command; it can only be executed on the SmartCenter server.

               Copy/paste the following parameters from the license received from the User Center. More than one license can be added.

    - host - the target hostname or IP address
    - expiration date - The license expiration date.
    - signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
    - SKU/features - The SKU of the license summarizes the features included in the license. For example: CPSUITE-EVAL-3DES-vNG

Example        If the file 192.168.5.11.lic contains one or more licenses, the command: cplic db_add -l 192.168.5.11.lic will produce output similar to the following:

    Adding license to database ...
    Operation Done

cplic db_print

Description    The cplic db_print command displays the details of Check Point licenses stored in the license repository on the SmartCenter server.


Usage          cplic db_print <object name | -all> [-n noheader] [-x printsignatures] [-t type] [-a attached]

Syntax
    Argument               Description
    Object name            Print only the licenses attached to Object name. Object name is the name of the Check Point gateway object, as defined in SmartDashboard.
    -all                   Print all the licenses in the license repository
    -noheader (or -n)      Print licenses with no header.
    -x                     Print licenses with their signature
    -t (or -type)          Print licenses with their type: Central or Local.
    -a (or -attached)      Show which object the license is attached to. Useful if the -all option is specified.

Comments       This command is a license repository command; it can only be executed on the SmartCenter server.

cplic db_rm

Description    The cplic db_rm command removes a license from the license repository on the SmartCenter server. It can be executed ONLY after the license was detached using the cplic del command. Once the license has been removed from the repository, it can no longer be used.

Usage          cplic db_rm <signature>

Syntax
    Argument               Description
    Signature              The signature string within the license.

Example        cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn


Comments       This command is a license repository command; it can only be executed on the SmartCenter server.

cplic del

Description    Use this command to delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. This command is used for both local and remote machines.

Usage          cplic del [-F <outputfile>] <signature>

Syntax
    Argument               Description
    -F <outputfile>        Send the output to <outputfile> instead of the screen.
    <signature>            The signature string within the license.

cplic del

Description    Use this command to detach a Central license from a Check Point gateway. When this command is executed, the license repository is automatically updated. The Central license remains in the repository as an unattached license. This command can be executed only on a SmartCenter server.

Usage          cplic del <object name> [-F outputfile] [-ip dynamic ip] <signature>


Syntax
    Argument               Description
    object name            The name of the Check Point gateway object, as defined in SmartDashboard.
    -F outputfile          Divert the output to outputfile rather than to the screen.
    -ip dynamic ip         Delete the license on the Check Point gateway with the specified IP address. This parameter is used for deleting a license on a DAIP Check Point gateway.
                           Note - If this parameter is used, then object name must be a DAIP gateway.
    Signature              The signature string within the license.

Comments       This is a Remote Licensing Command which affects remote machines; it is executed on the SmartCenter server.

cplic get

Description    The cplic get command retrieves all licenses from a Check Point gateway (or from all Check Point gateways) into the license repository on the SmartCenter server. Do this to synchronize the repository with the Check Point gateway(s). When the command is run, all local changes will be updated.

Usage          cplic get < ipaddr | hostname | -all > [-v41]


Syntax
    Argument               Description
    ipaddr                 The IP address of the Check Point gateway from which licenses are to be retrieved.
    hostname               The name of the Check Point gateway object (as defined in SmartDashboard) from which licenses are to be retrieved.
    -all                   Retrieve licenses from all Check Point gateways in the managed network.
    -v41                   Retrieve version 4.1 licenses from the NF Check Point gateway. Used to upgrade version 4.1 licenses.

Example        If the Check Point gateway with the object name caruso contains four Local licenses, and the license repository contains two other Local licenses, the command: cplic get caruso produces output similar to the following:

    Get retrieved 4 licenses.
    Get removed 2 licenses.

Comments       This is a Remote Licensing Command which affects remote machines; it is executed on the SmartCenter server.

cplic put

Description    The cplic put command is used to install one or more Local licenses on a local machine.

Usage          cplic put [-o overwrite] [-c check-only] [-s select] [-F <outputfile>] [-P Pre-boot] [-k kernel-only] < -l license-file | host expiration-date signature SKU/features >


Syntax
    Argument               Description
    -overwrite (or -o)     On a SmartCenter server this will erase all existing licenses and replace them with the new license(s). On a Check Point gateway this will erase only Local licenses but not Central licenses, which are installed remotely.
    -check-only (or -c)    Verify the license. Checks if the IP of the license matches the machine, and if the signature is valid.
    -select (or -s)        Select only the Local licenses whose IP address matches the IP address of the machine.
    -F outputfile          Outputs the result of the command to the designated file rather than to the screen.
    -Preboot (or -P)       Use this option after upgrading to VPN-1/FireWall-1 NG FP2 and before rebooting the machine. Use of this option will prevent certain error messages.
    -kernel-only (or -k)   Push the current valid licenses to the kernel. For Support use only.
    -l license-file        Installs the license(s) in license-file, which can be a multi-license file. The following options are NOT needed: host expiration-date signature SKU/features

Comments       Copy and paste the following parameters from the license received from the User Center.

    - host - One of the following:
        - All platforms - The IP address of the external interface (in dot notation); last part cannot be 0 or 255.
        - Sun OS4 and Solaris2 - The response to the hostid command (beginning with 0x).
        - HP-UX - The response to the uname -i command (beginning with 0d).
        - AIX - The response to the uname -l command (beginning with 0d), or the response to the uname -m command (beginning and ending with 00).
    - expiration date - The license expiration date. Can be never
    - signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
    - SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab

Example        cplic put -l 215.153.142.130.lic produces output similar to the following:

    Host               Expiration    SKU
    215.153.142.130    26Dec2001     CPMP-EVAL-1-3DES-NG CK0123456789ab

cplic put ...

Description    Use the cplic put command to attach one or more Central or Local licenses remotely. When this command is executed, the license repository is also updated.

Usage          cplic put <object name> [-ip dynamic ip] [-F <outputfile>] < -l license-file | host expiration-date signature SKU/features >


Syntax
    Argument               Description
    Object name            The name of the Check Point gateway object, as defined in SmartDashboard.
    -ip dynamic ip         Install the license on the Check Point gateway with the specified IP address. This parameter is used for installing a license on a DAIP Check Point gateway.
                           NOTE: If this parameter is used, then object name must be a DAIP Check Point gateway.
    -F outputfile          Divert the output to outputfile rather than to the screen.
    -l license-file        Installs the license(s) from license-file. The following options are NOT needed: Host Expiration-Date Signature SKU/features

Comments       This is a Remote Licensing Command which affects remote machines; it is executed on the SmartCenter server.

               Copy and paste the following parameters from the license received from the User Center. More than one license can be attached.

    - host - the target hostname or IP address
    - expiration date - The license expiration date. Can be never
    - signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
    - SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab


    cplic print

Description    The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine.

Usage          cplic print [-n noheader] [-x prints signatures] [-t type] [-F <outputfile>] [-p preatures]

Syntax
    Argument               Description
    -noheader (or -n)      Print licenses with no header.
    -x                     Print licenses with their signature
    -type (or -t)          Prints licenses showing their type: Central or Local.
    -F <outputfile>        Divert the output to outputfile.
    -preatures (or -p)     Print licenses resolved to primitive features.

Comments       On a Check Point gateway, this command will print all licenses that are installed on the local machine, both Local and Central licenses.

cplic upgrade

Description    Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.

Usage          cplic upgrade -l inputfile

Syntax
    Argument               Description
    -l inputfile           Upgrades the licenses in the license repository and Check Point gateways to match the licenses in inputfile.

Example        The following example explains the procedure which needs to take place in order to upgrade the licenses in the license repository.

    1. Upgrade the SmartCenter server to the latest version.

    2. Ensure that there is connectivity between the SmartCenter server and the remote workstations with the version 4.1 products.

    3. Import all licenses into the license repository. This can also be done after upgrading the products on the remote workstations to NG. Run the command: cplic get -all. For example:

        count:root(su) [~] # cplic get -all
        Getting licenses from all modules ...
        golda:
        Retrieved 1 licenses.
        Detached 0 licenses.
        Removed 0 licenses.
        count:
        Retrieved 1 licenses.
        Detached 0 licenses.
        Removed 0 licenses.

       To see all the licenses in the repository, run the command: cplic db_print -all -a

        count:root(su) [~] # cplic db_print -all -a
        Retrieving license information from database ...
        The following licenses appear in the database:
        ==================================================
        Host            Expiration    Features
        192.168.8.11    Never         CPFW-FIG-25-41 CK-49C3A3CC7121 golda
        192.168.5.11    26Nov2002     CPSUITE-EVAL-3DES-NG CK-1234567890 count

    4. Upgrade the version 4.1 products on the remote Check Point gateways.

    5. In the User Center (http://www.checkpoint.com/usercenter), view the licenses for the products that were upgraded from version 4.1 to NG and create new upgraded licenses.

    6. Download a file containing the upgraded NG licenses. Only download licenses for the products that were upgraded from version 4.1 to NG.

    7. If you did not import the version 4.1 licenses into the repository in step 3, import the version 4.1 licenses now using the command cplic get -all -v41

    8. Run the license upgrade command: cplic upgrade -l inputfile

        - The licenses in the downloaded license file and in the license repository are compared.
        - If the certificate keys and features match, the old licenses in the repository and in the remote workstations are updated with the new licenses.
        - A report of the results of the license upgrade is printed.

       In the following example, there are two NG licenses in the file. One does not match any license on a remote workstation, the other matches a version 4.1 license on a remote workstation that should be upgraded:

Comments       This is a Remote Licensing Command which affects remote machines; it is executed on the SmartCenter server.

Further Info.  See the SmartUpdate chapter of the SmartCenter Guide.
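Two checks a license administrator would script around the cplic commands above, as an added example that is not from the guide: check_license_fields applies the host, expiration-date and signature rules listed in the cplic put comments before the fields are typed on a cplic put or cplic db_add command line, and license_report parses cplic db_print -all -a output of the shape shown in the upgrade example to flag licenses that are expired or will expire by a given ddMMMyyyy date. The sample listing (including the invented 10.0.0.7 row) and all function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: sanity-check license fields
# before running cplic put / cplic db_add, and flag expiry in the output of
# cplic db_print -all -a. Function names and the sample listing are constructed.

# Constructed sample of `cplic db_print -all -a` output, laid out as in the
# guide; the third row is invented to exercise the EXPIRING case.
SAMPLE_DB_PRINT='Retrieving license information from database ...
The following licenses appear in the database:
==================================================
Host            Expiration   Features
192.168.8.11    Never        CPFW-FIG-25-41 CK-49C3A3CC7121 golda
192.168.5.11    26Nov2002    CPSUITE-EVAL-3DES-NG CK-1234567890 count
10.0.0.7        01Jan2003    CPMP-EVAL-1-3DES-NG CK0123456789ab fw-dmz'

# to_ymd DATE: convert the ddMMMyyyy date format used by cplic (or Never,
# for perpetual licenses) into a sortable yyyymmdd number. Any other form
# returns non-zero so callers skip it instead of misreporting it.
to_ymd() {
  case "$1" in
    [Nn]ever) echo 99999999; return 0 ;;
  esac
  [ ${#1} -eq 9 ] || return 1
  d=$(printf '%s' "$1" | cut -c1-2)
  m=$(printf '%s' "$1" | cut -c3-5)
  y=$(printf '%s' "$1" | cut -c6-9)
  case "$d$y" in *[!0-9]*) return 1 ;; esac
  case "$m" in
    Jan) mm=01 ;; Feb) mm=02 ;; Mar) mm=03 ;; Apr) mm=04 ;;
    May) mm=05 ;; Jun) mm=06 ;; Jul) mm=07 ;; Aug) mm=08 ;;
    Sep) mm=09 ;; Oct) mm=10 ;; Nov) mm=11 ;; Dec) mm=12 ;;
    *) return 1 ;;
  esac
  echo "$y$mm$d"
}

# check_license_fields HOST EXPIRATION SIGNATURE: apply the rules the guide
# gives for the fields copied from a User Center license. HOST is a dotted
# IP whose last part is not 0 or 255, a hostid beginning with 0x, a uname
# value beginning with 0d, or one beginning and ending with 00 (AIX).
# Hyphens in the signature are optional, so they are dropped before the
# character check; the signature's cryptographic validity is not verified
# here (that is what cplic put -check-only is for).
check_license_fields() {
  host=$1; exp=$2; sig=$(printf '%s' "$3" | sed 's/-//g')
  case "$host" in
    0x*|0d*|00*00) : ;;
    *.*.*.*)
      last=${host##*.}
      case "$last" in ''|*[!0-9]*) return 1 ;; esac
      [ "$last" -ne 0 ] && [ "$last" -ne 255 ] || return 1 ;;
    *) return 1 ;;
  esac
  to_ymd "$exp" >/dev/null || return 1
  case "$sig" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
  return 0
}

# license_report TODAY [WARN_UNTIL]: read db_print output on stdin and print
# "<host> <attached object> <status>" per license, where status is
# PERPETUAL, EXPIRED (before TODAY), EXPIRING (on or before WARN_UNTIL) or
# VALID. Dates are given in the same ddMMMyyyy form as cplic check -t.
license_report() {
  today=$(to_ymd "$1") || return 1
  warn=$(to_ymd "${2:-$1}") || return 1
  while read -r host exp rest; do
    # Only rows starting with a dotted address are license rows; the
    # banner, separator and column-header lines are skipped.
    case "$host" in ''|*[!0-9.]*) continue ;; esac
    ymd=$(to_ymd "$exp") || continue
    obj=${rest##* }   # with -a, the attached object name is the last field
    if [ "$ymd" -eq 99999999 ]; then status=PERPETUAL
    elif [ "$ymd" -lt "$today" ]; then status=EXPIRED
    elif [ "$ymd" -le "$warn" ]; then status=EXPIRING
    else status=VALID
    fi
    printf '%s %s %s\n' "$host" "$obj" "$status"
  done
}

# count_status STATUS TODAY [WARN_UNTIL]: how many sample licenses have the
# given status; a convenience for scripted checks.
count_status() {
  printf '%s\n' "$SAMPLE_DB_PRINT" | license_report "$2" "$3" |
    awk -v s="$1" '$3 == s { n++ } END { print n + 0 }'
}

# Demo on the constructed sample: today is 15Dec2002, warn until 31Jan2003.
printf '%s\n' "$SAMPLE_DB_PRINT" | license_report 15Dec2002 31Jan2003
```

On a real SmartCenter server the sample would be replaced by `cplic db_print -all -a | license_report ...`; the report only reads the listing and changes nothing in the repository.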

cp_merge

Description    The cp_merge utility has two main functionalities:

    - Export and import of policy packages
    - Merge of objects from a given file into the SmartCenter database

Usage          cp_merge help

Syntax
    Argument               Description
    help                   Displays the usage for cp_merge.

In This Section

    cp_merge delete_policy                               page 38
    cp_merge export_policy                               page 39
    cp_merge import_policy and cp_merge restore_policy   page 40
    cp_merge list_policy                                 page 41

cp_merge delete_policy

Description    This command provides the options of deleting an existing policy package. Note that the default policy can be deleted by delete action.

Usage          cp_merge delete_policy [-s <db server>] [-u <admin name> | -c <certificate file>] [-p <password>] -n <policy package name>


Syntax
    Argument                   Description
    -s <db server>             Specify the database server IP address or DNS name. (2)
    -u <admin name>            The database administrator's name. (1)
    -c <certificate file>      The path to the certificate file. (1)
    -p <password>              The administrator's password. (1)
    -n <policy package name>   The policy package to delete.

Comments       Further considerations:

    1. Either use certificate file or user and password
    2. Optional

Example        Delete the policy package called Standard.

    cp_merge delete_policy -n Standard

cp_merge export_policy

Description    This command provides the options of leaving the policy package in the active repository, or deleting it as part of the export process. The default policy cannot be deleted during the export action.

Usage          cp_merge export_policy [-s <db server>] [-u <admin name> | -c <certificate file>] [-p <password>] [-n <policy package name> | -l <policy name>] [-d <output directory>] [-f <output file>] [-r]

Syntax
    Argument                   Description
    -s <db server>             Specify the database server IP address or DNS name. (2)
    -u <admin name>            The administrator's name. (1,2)
    -c <certificate file>      The path to the certificate file. (1)
    -p <password>              The administrator's password. (1)
    -n <policy package name>   The policy package to export. (2,3)
    -l <policy name>           Export the policy package which encloses the policy name. (2,3,4)
    -d <output directory>      Specify the output directory. (2)
    -f <output file>           Specify the output file name (where the default file name is <policy package name>.pol). (2)
    -r                         Remove the original policy from the repository. (2)

Comments       Further considerations:

    1. Either use certificate file or user and password
    2. Optional
    3. If both -n and -l are omitted, all policy packages are exported.
    4. If both -n and -l are present, -l is ignored.

Example        Export policy package Standard to file:

    cp_merge export_policy -n Standard -f StandardPolicyPackageBackup.pol -d C:\bak

cp_merge import_policy and cp_merge restore_policy

Description    This command provides the options to overwrite an existing policy package with the same name, or to prevent overwriting when the same policy name already exists.

Usage          cp_merge import_policy|restore_policy [-s <db server>] [-u <admin name> | -c <certificate file>] [-p <password>] [-n <policy package name>] [-d <input directory>] -f <input file> [-v]

Syntax
    Argument                   Description
    -s <db server>             Specify the database server IP address or DNS name. (2)
    -u <admin name>            The administrator's name. (1,2)
    -c <certificate file>      The path to the certificate file. (1)
    -p <password>              The administrator's password. (1,2)
    -n <policy package name>   The name to give the imported policy package (see the example).


Comments       Further considerations:

    1. Either use certificate file or user and password
    2. Optional

               cp_merge restore_policy works only locally on the SmartCenter server and it will not work from remote machines.

               Caution: A FireWall-1 policy from a .W file can be restored using this utility; however, important information may be lost when the policy is translated into .W format. This restoration should be used only if there is no other backup of the policy.

Example        Import the policy package saved in file Standard.pol into the repository and rename it to StandardCopy.

    cp_merge import_policy -f Standard.pol -n StandardCopy

cp_merge list_policy

Usage          cp_merge list_policy [-s <db server>] [-u <admin name> | -c <certificate file>] [-p <password>]

Comments       Further considerations:

    1. Either use certificate file or user and password

Example        List all policy packages which reside in the specified repository:

    cp_merge list_policy -s localhost

cppkg

Description    This command is used to manage the product repository. It is always executed on the SmartCenter server.

In This Section

    cppkg add                  page 42
    cppkg delete               page 44
    cppkg get                  page 45
    cppkg getroot              page 45
    cppkg print                page 45
    cppkg setroot              page 46

cppkg add

Description    The cppkg add command is used to add a product package to the product repository. Only SmartUpdate packages can be added to the product repository.

               Products can be added to the Repository as described in the following procedures, by importing a file downloaded from the Download Center web site at http://www.checkpoint.com/techsupport/downloads/downloads.html. The package file can be added to the Repository directly from the CD or from a local or network drive.

Usage          cppkg add < package-full-path | CD drive >

Syntax
    Argument               Description
    package-full-path      If the package to be added to the repository is on a local disk or network drive, type the full path to the package.
    CD drive               If the package to be added to the repository is on a CD: For Windows machines type the CD drive letter, e.g. d:\
                           For UNIX machines, type the CD root path, e.g. /caruso/image/CPsuite-NG/FP2
                           You will be asked to specify the product and appropriate Operating System (OS).

Comments       cppkg add does not overwrite existing packages. To overwrite existing packages, you must first delete existing packages.

Example
    [d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-NG_FP2\
    Enter package name:
    ----------------------
    (1) SVNfoundation
    (2) firewall
    (3) floodgate
    (4) rtm
    (e) Exit
    Enter you choice : 1
    Enter package OS :
    ----------------------
    (1) win32
    (2) solaris
    (3) linux
    (4) hpux
    (5) ipso
    (6) aix
    (e) Exit
    Enter your choice : 1
    You choose to add SVNfoundation for win32 OS. Is this correct? [y/n] : y
    Adding package from CD ...
    Package added to repository.

cppkg delete

Description    The command is used to delete a product package from the repository. To delete a product package you must specify a number of options. To see the format of the options and to view the contents of the product repository, use the cppkg print command.

Usage          cppkg delete [<vendor> <product> <version> <os> [sp]]

Syntax
    Argument               Description
    vendor                 Package vendor (e.g. checkpoint).
    product                Package name. Options are: SVNfoundation, firewall, floodgate.
    version                Package version (e.g. NG).
    os                     Package Operating System. Options are: win32 for Windows NT and Windows 2000, solaris, hpux, ipso, aix, linux.
    sp                     Package service pack (e.g. fcs for NG R54 initial release, FP1, FP2 etc.) This parameter is optional. Its default is fcs.

Comments       It is not possible to undo the cppkg del command.


Example
    [d:\winnt\fw1\ng\bin]cppkg del
    Getting information from package repository. Please wait...
    Select package:
    -----------------------
    (1) checkpoint SVNfoundation NG win32 FCS_FP1
    (2) checkpoint SNVfoundation NG win32 FP1
    (e) Exit
    Enter your choice : 2
    You choose to delete checkpoint SVNfoundation NG win32 FP1
    Is this correct? [y/n] : y
    Package removed from repository.

cppkg get

Description    This command synchronizes the Package Repository database with the content of the actual package repository under $SUROOT.

Usage          cppkg get

cppkg getroot

Description    The command is used to find out the location of the product repository. The default product repository location on Windows machines is C:\SUroot. On UNIX it is /var/SUroot.

Usage          cppkg getroot

Example
    # cppkg getroot
    Current repository root is set to : /var/suroot/

cppkg print

Description    The command is used to list the contents of the product repository.

               Use cppkg print to see the product and OS strings required to install a product package using the cprinstall command, or to delete a package using the cppkg delete command.


Usage          cppkg print

Example
    [d:\winnt\fw1\ng\bin]cppkg print
    Getting information from package repository. Please wait...
    Vendor      Product         Version  OS     SP       Description
    -------------------------------------------------------------
    checkpoint  SVNfoundation   NG       win32  FCS_FP1  SVNfoundation NG Feature Pack 1 for 4.1 upgrade
    checkpoint  SVNfoundation   NG       win32  FP1      SVNfoundation Feature Pack 1 for NG upgrade

cppkg setroot

Description    The command is used to create a new repository root directory location, and to move existing product packages into the new repository.

               The default product repository location is created when the SmartCenter server is installed. On Windows machines the default location is C:\SUroot and on UNIX it is /var/SUroot. Use this command to change the default location.

               When changing repository root directory:

    - The contents of the old repository is copied into the new repository.
    - The $SUROOT environment variable gets the value of the new root path.
    - A product package in the new location will be overwritten by a package in the old location, if the packages are the same (that is, they have the same ID strings).

               The repository root directory should have at least 200 Mbyte of free disk space.

Usage          cppkg setroot <repository-root-directory-full-path>

Syntax
    Argument                               Description
    repository-root-directory-full-path    The desired location for the product repository.

Comments       It is important to reboot the SmartCenter server after performing this command, in order to set the new $SUROOT environment variable.

Example
    # cppkg setroot /var/new_suroot
    Repository root is set to : /var/new_suroot/
    Note: When changing repository root directory :
    1. Old repository content will be copied into the new repository.
    2. A package in the new location will be overwritten by a package in the old location, if the packages have the same name.
    Change the current repository root ? [y/n] : y
    The new repository directory does not exist. Create it ? [y/n] : y
    Repository root was set to : /var/new_suroot
    Notice : To complete the setting of your directory, reboot the machine!

cpridrestart

Description    Stops and starts the Check Point Remote Installation Daemon (cprid). This is the daemon that is used for remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.

cpridstart

Description    Start the Check Point Remote Installation Daemon (cprid). This is the service that allows for the remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.

Usage          cpridstart

cpridstop

Description    Stop the Check Point Remote Installation Daemon (cprid). This is the service that allows for the remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.

Usage          cpridstop

cprinstall

Description    Use cprinstall commands to perform remote installation of product packages, and associated operations.

               On the SmartCenter server, cprinstall commands require licenses for SmartUpdate.

               On the remote Check Point gateways the following are required:

    - Trust must be established between the SmartCenter server and the Check Point gateway.
    - cpd must run.
    - cprid remote installation daemon must run. cprid is available on VPN-1/FireWall-1 4.1 SP2 and higher, and as part of SVN Foundation for NG and higher.

In This Section

    cprinstall boot               page 49
    cprinstall cprestart          page 49
    cprinstall cpstart            page 49
    cprinstall cpstop             page 50
    cprinstall get                page 50
    cprinstall install            page 51
    cprinstall stop               page 52
    cprinstall uninstall          page 53
    cprinstall upgrade            page 54
    cprinstall verify             page 54
    cprinstall verify_upgrade     page 56

cprinstall boot

  • 8/3/2019 4100013 Command Line Interface Version NGX R62

    49/176

    Chapter 2 SmartCenter and Firewall Commands 49

Description The command is used to boot the remote computer.

Usage cprinstall boot <Object name>

Syntax

Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.

Example # cprinstall boot harlin

cprinstall cprestart

Description This command enables cprestart to be run remotely.

All products on the Check Point gateway must be of the same version of NG.

Usage cprinstall cprestart <Object name>

Syntax

Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.

cprinstall cpstart

Description This command enables cpstart to be run remotely.

All products on the Check Point gateway must be of the same version of NG.

Usage cprinstall cpstart <Object name>

Syntax

Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
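A pre-flight check for the precondition stated above (all products on the gateway at the same version of NG) before running cprinstall cprestart, cpstart, cpstop or upgrade. This is an added example, not Check Point code: it parses the text that cprinstall get prints (documented later in this section), the sample outputs are constructed to match that format, and treating Version and SP together as the product level is an assumption (the stricter reading of the precondition).

```python
"""Pre-flight version check for cprinstall (added example, not Check Point code)."""
import re

# Constructed sample, laid out like the `cprinstall get fred` output in this section.
SAMPLE_GET_OUTPUT = """\
Getting information from fred...

Operating system   Version   SP
----------------------------------------------------------
solaris            5.7       fcs

Vendor       Product          Version   SP
---------------------------------------------------------
CheckPoint   VPN-1 Power      NG        fcs
CheckPoint   SVNfoundation    NG        fcs
"""

# Constructed counter-example: one product is a feature pack ahead of the other.
MIXED_GET_OUTPUT = SAMPLE_GET_OUTPUT.replace(
    "VPN-1 Power      NG        fcs", "VPN-1 Power      NG        FP1")


def _columns(header):
    """[(heading, start offset)] for a header line such as 'Vendor  Product  Version  SP'.

    A heading may contain one space ("Operating system"); columns are separated
    by two or more spaces.
    """
    return [(m.group(0), m.start()) for m in re.finditer(r"\S+(?: \S+)*", header)]


def _slice_row(line, cols):
    """Cut a data row at the header offsets, so 'VPN-1 Power' or 'NG FP1' stay whole."""
    row = {}
    for i, (name, start) in enumerate(cols):
        end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
        row[name] = line[start:end].strip()
    return row


def parse_cprinstall_get(text):
    """Return the tables of cprinstall get output, keyed by their first heading.

    A table is a header line followed by a line of dashes; its rows run until
    the next blank line.
    """
    lines = text.splitlines()
    tables, i = {}, 0
    while i < len(lines) - 1:
        if lines[i].strip() and re.fullmatch(r"-+", lines[i + 1].strip()):
            cols, rows, i = _columns(lines[i]), [], i + 2
            while i < len(lines) and lines[i].strip():
                rows.append(_slice_row(lines[i], cols))
                i += 1
            tables[cols[0][0]] = rows
        else:
            i += 1
    return tables


def product_levels(text):
    """Distinct (Version, SP) levels among the installed products.

    Assumption: version and service pack together define "the version of NG".
    """
    return {(p["Version"], p["SP"]) for p in parse_cprinstall_get(text).get("Vendor", [])}


def same_version(text):
    """True when the gateway meets the 'all products at the same version' precondition."""
    return len(product_levels(text)) == 1


if __name__ == "__main__":
    for label, out in (("uniform", SAMPLE_GET_OUTPUT), ("mixed", MIXED_GET_OUTPUT)):
        verdict = ("OK to run cprinstall cprestart/cpstart/cpstop/upgrade"
                   if same_version(out) else "REFUSE: products at different levels")
        print(f"{label}: {sorted(product_levels(out))} -> {verdict}")
```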

cprinstall cpstop

Description This command enables cpstop to be run remotely.

All products on the Check Point gateway must be of the same version of NG.

Usage cprinstall cpstop {-proc | -nopolicy} <Object name>

Syntax

Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
-proc Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.
-nopolicy

cprinstall get

Description The cprinstall get command is used to obtain details of the products and the Operating System installed on the specified Check Point gateway, and to update the database.

Usage cprinstall get <Object name>

Syntax

Argument Description
Object name The name of the Check Point gateway object defined in SmartDashboard.

Example [c:\winnt\fw1\5.0\bin]cprinstall get fred

Getting information from fred...

Operating system   Version   SP
----------------------------------------------------------
solaris            5.7       fcs

Vendor       Product          Version   SP
---------------------------------------------------------
CheckPoint   VPN-1 Power      NG        fcs
CheckPoint   SVNfoundation    NG        fcs

cprinstall install

Description The cprinstall install command is used to install Check Point products on remote Check Point gateways. To install a product package you must specify a number of options. Use the cppkg print command and copy the required options.

Usage cprinstall install [-boot] <Object name> <vendor> <product> <version> [<sp>]

Syntax

Argument Description
-boot Boot the remote computer after installing the package. Only boot after ALL products have the same version, either NG or NG FP1. Boot will be cancelled in certain scenarios. See the Release Notes for details.
Object name Object name of the Check Point gateway defined in SmartDashboard.
vendor Package vendor (e.g. checkpoint)
product Package name. Options are: SVNfoundation, firewall, floodgate.
version Package version (e.g. NG FP2)
sp Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG Feature Pack 1.)

Comments Before transferring any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is compatible with previously installed products.

Example

# cprinstall install -boot fred checkpoint firewall NG FP1

Installing firewall NG FP1 on fred...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.

cprinstall stop

Description This command is used to stop the operation of other cprinstall commands. In particular, this command stops the remote installation of a product - even during transfer of files, file extraction, and pre-installation verification. The operation can be stopped at any time up to the actual installation.

cprinstall stop can be run from one command prompt to stop a running operation at another command prompt.

Usage cprinstall stop <object name>

Syntax

Argument Description
object name Object name of the Check Point gateway, defined in SmartDashboard.

Example

[c:\winnt\fw1\5.0\bin] cprinstall stop Check PointGateway01
Info : Stop request sent

cprinstall uninstall

Description The cprinstall uninstall command is used to uninstall products on remote Check Point gateways. To uninstall a product package you must specify a number of options. Use the cppkg print command and copy the required options.

Usage cprinstall uninstall [-boot] <Object name> <vendor> <product> <version> [<sp>]

Syntax

Argument Description
-boot Boot the remote computer after installing the package. Only boot after ALL products have the same version, either NG or NG FP1. Boot will be cancelled in certain scenarios. See the Release Notes for details.
Object name Object name of the Check Point gateway defined in SmartDashboard.
vendor Package vendor (e.g. checkpoint)
product Package name. Options are: SVNfoundation, firewall, floodgate.
version Package version (e.g. NG FP2)
sp Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG Feature Pack 1.)

Comments Before uninstalling any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is installed.

After uninstalling, retrieve the Check Point gateway data by running cprinstall get.

Example

# cprinstall uninstall fred checkpoint firewall NG FP1

Uninstalling firewall NG FP1 from fred...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.

cprinstall upgrade

Description Use the cprinstall upgrade command to upgrade all products on a Check Point gateway to the latest version.

All products on the Check Point gateway must be of the same version of NG.

Usage cprinstall upgrade [-boot] <object name>

Syntax

Argument Description
-boot Boot the remote Check Point gateway after completing the remote installation.
object name Object name of the Check Point gateway, defined in SmartDashboard.

Comments When cprinstall upgrade is run, the command first verifies which products are installed on the Check Point gateway, and that there is a matching product package in the product repository with the same OS, and then installs the product package on the remote Check Point gateway.

cprinstall verify

Description The cprinstall verify command is used to verify:

If a specific product can be installed on the remote Check Point gateway.

That the Operating System and currently installed products are appropriate for the package.

That there is enough disk space to install the product.

That there is a CPRID connection.

Usage cprinstall verify <Object name> <vendor> <product> <version> [<sp>]

Syntax

Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
vendor Package vendor (e.g. checkpoint).
product Package name. Options are: SVNfoundation, firewall, floodgate.
version Package version (e.g. NG).
sp Package service pack (e.g. fcs for NG with Application Intelligence initial release, FP1, FP2 etc.) This parameter is optional. Its default is fcs.

Example The following examples show a successful and a failed verify operation:

Verify succeeds:

cprinstall verify harlin checkpoint SVNfoundation NG_FP4

Verifying installation of SVNfoundation NG FP4 on harlin...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Verify fails:

cprinstall verify harlin checkpoint SVNfoundation NGFCS_FP4

Verifying installation of SVNfoundation NG FCS_FP4 on harlin...
Info : Testing Check Point Gateway
Info : SVN Foundation NG is already installed on 192.168.5.134
Operation Success. Product cannot be installed, did not pass dependency check.

cprinstall verify_upgrade

Description Use the cprinstall verify_upgrade command to verify the success of the upgrade of all products on a Check Point gateway to the latest version, before performing the upgrade. This command is automatically performed by the cprinstall upgrade command.

All products on the Check Point gateway must be of the same version of NG.

Usage cprinstall verify_upgrade <object name>

Syntax

Argument Description
object name Object name of the Check Point gateway, defined in SmartDashboard.

Comments When the command is run, the command verifies which products are installed on the Check Point gateway, and that there is a matching product package in the product repository with the same OS.

cpstart

Description This command is used to start all Check Point processes and applications running on a machine.

Usage cpstart

Comments This command cannot be used to start cprid. cprid is invoked when the machine is booted and it runs independently.

cpstat

Description cpstat displays the status of Check Point applications, either on the local machine or on another machine, in various formats.

Usage cpstat [-h host][-p port][-f flavour][-d] application_flag

Syntax

Argument Description
-h host A resolvable hostname, or a dot-notation address (for example, 192.168.33.23). The default is localhost.
-p port Port number of the AMON server. The default is the standard AMON port (18192).
-f flavour The flavor of the output (as appears in the configuration file). The default is to use the first flavor found in the configuration file.
-d Debug flag.
application_flag One of:
  fwm FireWall-1
  vpn VPN-1
  fg FloodGate-1 (QoS)
  ha ClusterXL (High Availability)
  os SVN Foundation and OS Status
  mg for SmartCenter

Where the flavors are:

fwm "fw", with flavours: "default", "all", "policy", "performance", "hmem", "kmem", "inspect", "cookies", "chains", "fragments", "totals", "ufp_caching", "http_stat", "ftp_stat", "telnet_stat", "rlogin_stat", "ufp_stat", "smtp_stat"
vpn product, general, IKE, ipsec, fwz, accelerator, all
fg all
ha default, all
os default, routing
mg default

Example

> cpstat fw

Policy name: Standard
Install time: Wed Nov 1 15:25:03 2000

Interface table
-----------------------------------------------------------------
|Name|Dir|Total *|Accept**|Deny|Log|
-----------------------------------------------------------------
|hme0|in |739041*|738990**|51 *|7**|
-----------------------------------------------------------------
|hme0|out|463525*|463525**| 0 *|0**|
-----------------------------------------------------------------
*********|1202566|1202515*|51**|7**|

cpstop

Description This command is used to terminate all Check Point processes and applications, running on a machine.

Usage cpstop
cpstop -fwflag [-proc | -default]

Syntax

Argument Description
-fwflag -proc Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.
-fwflag -default Kills Check Point daemons and Security servers. The active Security Policy running in the kernel is replaced with the default filter.

Comments This command cannot be used to terminate cprid. cprid is invoked when the machine is booted and it runs independently.

cpwd_admin

Description cpwd (also known as WatchDog) is a process that invokes and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by Watchdog are cpd, fwd, fwm. cpwd is part of the SVN Foundation.

fwd does not work in a Management Only machine. To work with fwd in a Management Only machine add -n (for example, fwd -n).

cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition, monitoring information is written to the console on UNIX platforms, and to the Windows Event Viewer.

The cpwd_admin utility is used to show the status of processes, and to configure cpwd.

Usage cpwd_admin

In This Section

cpwd_admin start page 60

cpwd_admin stop page 60

cpwd_admin list page 61

cpwd_admin exist page 62

cpwd_admin kill page 62

cpwd_admin config page 62


cpwd_admin start

Description Start a new process by cpwd.

Usage cpwd_admin start -name <name> -path <path> -command <command>

Syntax

Argument Description
-name A name for the process to be watched by WatchDog.
-path The full path to the executable including the executable name.
-command The name of the executable file.

Example To start and monitor the fwm process:

cpwd_admin start -name FWM -path $FWDIR/bin/fwm -command fwm

cpwd_admin stop

Description Stop a process which is being monitored by cpwd.

Usage cpwd_admin stop -name <name> [-path <path> -command <command>]

Syntax

Argument Description
-name A name for the process to be watched by WatchDog.
-path Optional: the full path to the executable (including the executable name) that is used to stop the process.
-command Optional: the name of the executable file mentioned in -path.

Comments If -path and -command are not stipulated, cpwd will abruptly terminate the process.

Example Stop the FWM process using fw kill:

cpwd_admin stop -name FWM -path $FWDIR/bin/fw -command "fw kill fwm"

cpwd_admin list

Description This command is used to print a status of the selected processes being monitored by cpwd.

Usage cpwd_admin list

Output The status report output includes the following information:

APP Application. The name of the process.
PID Process Identification Number.
STAT Whether the process Exists (E) or has been Terminated (T).
#START How many times the process has been started since cpwd took control of the process.
START TIME The last time the process was run.
COMMAND The command that cpwd used to start the process.

For example:

# cpwd_admin list
APP   PID   STAT   #START   START_TIME             COMMAND
CPD   463   E      1        [20:56:10] 21/5/2001   cpd
FWD   440   E      1        [20:56:24] 21/5/2001   fwd
FWM   467   E      1        [20:56:25] 21/5/2001   fwm
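The restart policy behind the #START counter above, written as an added simulation (not Check Point code) so that the timeout, no_limit, zero_timeout, sleep_mode, rerun_mode and reset_startups parameters documented under cpwd_admin config below can be seen interacting on a crash-looping process. Two points of the model are assumptions: a retry issued after the zero_timeout back-off is not counted against no_limit, and the #START column is kept separately from the counter that no_limit limits.

```python
"""Model of the cpwd restart policy (added example, not Check Point code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CpwdConfig:
    """The cpwd_admin config parameters with their documented defaults."""
    timeout: int = 60            # seconds from failure to rerun when sleep_mode=1
    no_limit: int = 5            # restarts cpwd attempts before backing off
    zero_timeout: int = 7200     # back-off after no_limit failed restarts
    sleep_mode: int = 1          # 1: wait timeout, 0: rerun immediately
    rerun_mode: int = 1          # 1: rerun a failed process, 0: monitor only
    reset_startups: int = 3600   # uptime after which the restart counter resets


@dataclass
class WatchedProcess:
    """One cpwd_admin list row: APP, STAT and #START, plus the restart counter."""
    app: str
    cfg: CpwdConfig
    stat: str = "T"
    starts: int = 0                      # the #START column (lifetime, never reset)
    restarts: int = 0                    # attempts counted against no_limit (assumption)
    start_time: Optional[float] = None

    def start(self, now: float) -> None:
        self.stat, self.starts, self.start_time = "E", self.starts + 1, now

    def fail(self, now: float) -> Optional[float]:
        """Record a crash at `now`; return when cpwd will start the process again."""
        self.stat = "T"
        if self.cfg.rerun_mode == 0:
            return None                  # monitoring only: STAT stays T
        # reset_startups: a process that stayed up long enough earns a fresh counter
        if self.start_time is not None and now - self.start_time >= self.cfg.reset_startups:
            self.restarts = 0
        if self.restarts >= self.cfg.no_limit:
            self.restarts = 0            # assumption: the backed-off retry is not counted
            return now + self.cfg.zero_timeout
        self.restarts += 1
        return now + (self.cfg.timeout if self.cfg.sleep_mode == 1 else 0)


def simulate(cfg: CpwdConfig, crash_uptime: float, failures: int, app: str = "FWD"):
    """Crash one process `failures` times, each `crash_uptime` seconds after a start.

    Returns (delays, process): the seconds cpwd waited before each restart, and
    the final list-row state.  Stops early when rerun_mode=0 leaves it terminated.
    """
    proc = WatchedProcess(app, cfg)
    now = 0.0
    proc.start(now)
    delays = []
    for _ in range(failures):
        now += crash_uptime
        restart_at = proc.fail(now)
        if restart_at is None:
            break
        delays.append(restart_at - now)
        now = restart_at
        proc.start(now)
    return delays, proc


if __name__ == "__main__":
    # Crash loop with defaults: five 60 s retries, then a 7200 s back-off.
    delays, proc = simulate(CpwdConfig(), crash_uptime=1, failures=7)
    print(delays, f"{proc.app} STAT={proc.stat} #START={proc.starts}")
    # A process that ran longer than reset_startups is restarted without penalty.
    print(simulate(CpwdConfig(), crash_uptime=4000, failures=3)[0])
```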

cpwd_admin exist

Description This command is used to check whether cpwd is alive.

Usage cpwd_admin exist

cpwd_admin kill

Description This command is used to kill cpwd.

Usage cpwd_admin kill

cpwd_admin config

Description This command is used to set cpwd configuration parameters. When parameters are changed, these changes will not take effect until cpwd has been stopped and restarted.

Usage cpwd_admin config -p

cpwd_admin config -a

cpwd_admin config -d

cpwd_admin config -r

Syntax

Argument Description
config -p Shows the cpwd parameters added using the config -a option.
config -a Add one or more monitoring parameters to the cpwd configuration.
config -d Delete one or more parameters from the cpwd configuration.
config -r Restore the default cpwd parameters.

Where the values are as follows:

Argument Description
timeout (any value in seconds) If rerun_mode=1, how much time passes from process failure to rerun. The default is 60 seconds.
no_limit (any value in seconds) Maximum number of times that cpwd will try to restart a process. The default is 5.
zero_timeout (any value in seconds) After failing no_limit times to restart a process, cpwd will wait zero_timeout seconds before retrying. The default is 7200 seconds. Should be greater than timeout.
sleep_mode 1 - wait timeout. 0 - ignore timeout. Rerun the process immediately.
dbg_mode 1 - Accept pop-up error messages (with exit-code ≠ 0) displayed when a process terminates abruptly (Windows NT only). 0 - Do not receive pop-up error messages. This is useful if pop-up error messages freeze the machine. This is the default (Windows NT only).
rerun_mode 1 - Rerun a failed process. This is the default. 0 - Do not rerun a failed process. Perform only monitoring.
stop_timeout The time in seconds that the cpwd will wait for a stop command to be completed. Default is 60 seconds.
reset_startups Indicates the time in seconds that the cpwd waits after the process begins before it resets the startup_counter. Default value is 1 hour, meaning that an hour after the process begins its startup counter is reset to 0.

Example The following example shows two configuration parameters being changed: timeout to 120 seconds, and no_limit to 10.

# C:\>cpwd_admin config -p
WD doesn't have configuration parameters
C:\>cpwd_admin config -a timeout=120 no_limit=12
C:\>cpwd_admin config -p
WD Configuration parameters are:
timeout : 120
no_limit : 12
cpwd_admin config -a timeout=120 no_limit=10

cpwd_admin config -a and cpwd_admin config -d have no effect if cpwd is running. They will affect cpwd the next time it is run.

dbedit

Description This command is used by administrators to edit the objects file on the SmartCenter server. From version NG, there is an objects file on the gateway and a new file, objects_5_0.C on the SmartCenter server. A new objects.C file is created on the gateway (based on the objects_5_0.C on the SmartCenter server) whenever a Policy is installed. Editing the objects.C file on the gateway is no longer required or desirable, since it will be overwritten the next time a Policy is installed.

Usage dbedit [-s server] [-u user | -c certificate] [-p password] [-f filename] [-r db-open-reason] [-help]

Syntax

Argument Description
-s server The SmartCenter server on which the objects_5_0.C file to be edited is located. If this is not specified in the command line, then the user will be prompted for it. If the server is not localhost, the user will be required to authenticate.
-u user | -c certificate The user's name (the name used for the SmartConsole) or the full path to the certificate file.
-p password The user's password (the password used for the SmartConsole).
-f filename The name of the file containing the commands. If filename is not given, then the user will be prompted for commands.
-r db-open-reason A non-mandatory flag used to open the database with a string that states the reason. This reason will be attached to audit logs on database operations.
-help Print usage and short explanation.

dbedit commands:

Argument Description
create [object_type] [object_name] Create an object with its default values. The create command may use an extended (or owned) object. Changes are committed to the database only by an update or quit command.
modify [table_name] [object_name] [field_name] [value] Modify fields of an object which is: stored in the database (the command will lock the object in such case); newly created by dbedit. Extended Formats for owned objects can be used: for example, [field_name] = Field_A:Field_B
update [table_name] [object_name] Update the database with the object. This command will check the object validity and will issue an error message if appropriate.
delete [table_name] [object_name] Delete an object from the database and from the client implicit database.
addelement [table_name] [object_name] [field_name] [value] Add an element (of type string) to a multiple field.
rmelement [table_name] [object_name] [field_name] [value] Remove an element (of type string) from a multiple field.
rename [table_name] [object_name] [new_object_name] Assign a new name for a given object. The operation also performs an update. Example: rename network object London to Chicago:
  rename network_objects london chicago
quit Quit dbedit and update the database with modified objects not yet committed.

Example Replace the owned object with a new null object, where NULL is a reserved word specifying a null object:

modify network_objects my_obj firewall_setting NULL

Example Extended Format

firewall_properties owns the object floodgate_preferences. floodgate_preferences has a Boolean attribute turn_on_logging, which will be set to true.

modify properties firewall_properties floodgate_preferences:turn_on_logging true

comments is a field of the owned object contained in the ordered container. The 0 value indicates the first element in the container (zero based index).

    m