4100013 command line interface version ngx r62
8/3/2019 4100013 Command Line Interface Version NGX R62
Command Line Interface Version NGX R62
August 2006
2003-2006 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
2003-2006 Check Point Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 UTM Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
Contents
Preface
    Who Should Use This Guide
    Summary of Contents
    Related Documentation
    More Information
Chapter 1 Introduction to the CLI
    Introduction
    General Information
        Debugging SmartConsole Clients
Chapter 2 SmartCenter and Firewall Commands
    comp_init_policy
    cpca_client
        cpca_client create_cert
        cpca_client revoke_cert
        cpca_client set_mgmt_tools
    cpconfig
    cplic
        cplic check
        cplic db_add
        cplic db_print
        cplic db_rm
        cplic del
        cplic del
        cplic get
        cplic put
        cplic put
        cplic print
        cplic upgrade
    cp_merge
        cp_merge delete_policy
        cp_merge export_policy
        cp_merge import_policy and cp_merge restore_policy
        cp_merge list_policy
    cppkg
        cppkg add
        cppkg delete
        cppkg get
        cppkg getroot
        cppkg print
        cppkg setroot
    cpridrestart
    cpridstart
    cpridstop
    cprinstall
        cprinstall boot
        cprinstall cprestart
        cprinstall cpstart
        cprinstall cpstop
        cprinstall get
        cprinstall install
        cprinstall stop
        cprinstall uninstall
        cprinstall upgrade
        cprinstall verify
        cprinstall verify_upgrade
    cpstart
    cpstat
    cpstop
    cpwd_admin
        cpwd_admin start
        cpwd_admin stop
        cpwd_admin list
        cpwd_admin exist
        cpwd_admin kill
        cpwd_admin config
    dbedit
    dbver
        dbver create
        dbver export
        dbver import
        dbver print
        dbver print_all
    dynamic_objects
    fw
        fw ctl
        fw expdate
        fw fetch
        fw fetchlogs
        fw isp_link
        fw kill
        fw lea_notify
        fw lichosts
        fw log
        fw logswitch
        fw mergefiles
        fw monitor
        fw lslogs
        fw putkey
        fw repairlog
        fw sam
        fw stat
        fw tab
        fw ver
    fwm
        fwm dbimport
        fwm dbexport
        fwm dbload
        fw hastat
        fwm ikecrypt
        fwm load
        fwm lock_admin
        fwm logexport
        fwm sic_reset
        fwm unload
        fwm ver
    GeneratorApp
    inet_alert
    ldapcmd
    ldapcompare
    ldapconvert
    ldapmodify
    ldapsearch
    log_export
    queryDB_util
    rs_db_tool
    sam_alert
    svr_webupload_config
Chapter 3 VPN-1 Commands
    VPN
        vpn accel
        vpn compreset
        vpn compstat
        vpn crl_zap
        vpn crlview
        vpn debug
        vpn drv
        vpn export_p12
        vpn macutil
        vpn nssm_topology
        vpn overlap_encdom
        vpn sw_topology
        vpn tu
        vpn ver
Chapter 4 SmartView Monitor Commands
    RTM
        rtm debug
        rtm drv
        rtm monitor or rtm monitor -filter
        rtm monitor -v
        rtm rtmd
        rtm stat
        rtm ver
        rtmstart
        rtmstop
Chapter 5 SecureClient Commands
    SCC
        scc connect
        scc connectnowait
        scc disconnect
        scc erasecreds
        scc listprofiles
        scc numprofiles
        scc restartsc
        scc passcert
        scc setmode
        scc setpolicy
        scc sp
        scc startsc
        scc status
        scc stopsc
        scc suppressdialogs
        scc userpass
        scc ver
Chapter 2 ClusterXL Commands
    cphaconf
    cphaprob
    cphastart
    cphastop
Preface
In This Chapter
    Who Should Use This Guide
    Summary of Contents
    Related Documentation
    More Information
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of:
    - System administration.
    - The underlying operating system.
    - Internet protocols (IP, TCP, UDP etc.).
Summary of Contents
This guide describes the VPN components of VPN-1 Power. It contains the following sections and chapters:
This section describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

Chapter                                         Description
Chapter 1, Introduction to the CLI              Purpose of this guide, and how to debug SmartConsole clients.
Chapter 2, SmartCenter and Firewall Commands    Commands for controlling the SmartCenter server and the firewall components of the SmartCenter server and of Check Point gateways.
Chapter 3, VPN-1 Commands                       The vpn command and its subcommands, used for controlling the VPN component of Check Point gateways.
Chapter 4, SmartView Monitor Commands           The rtm command and its subcommands, used to execute SmartView Monitor operations.
Chapter 5, SecureClient Commands                The scc command and its subcommands are VPN commands that are executed on SecureClient. They are used to generate status information, stop and start services, or connect to defined sites using specific user profiles.
Chapter 2, ClusterXL Commands                   Commands used for controlling, monitoring and troubleshooting ClusterXL gateway clusters.
Related Documentation
TABLE P-2 Integrity Server documentation

Title                                                             Description
Integrity Advanced Server Installation Guide                      Covers how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Guide - multi-domain      Explains how to manage administrators and endpoint security with Integrity Advanced Server in a multi-domain deployment.
Integrity Advanced Server Administration Guide - Single domain    Explains how to manage administrators and endpoint security with Integrity Advanced Server in a single-domain deployment.
Integrity Advanced Server System Requirements                     Covers system requirements for Integrity Advanced Server.
Integrity XML Policy Reference Guide                              Describes the contents of Integrity client XML policy files.
Gateway Integrity Guide                                           Covers the steps necessary to integrate your gateway device with Integrity Advanced Server and enable cooperative enforcement for remote access protection.
Integrity Advanced Server Implementation Guide                    Provides an overview of Integrity Advanced Server features and concepts.
Integrity Secure Client                                           Covers system requirements for Check Point Integrity SecureClient.
System Requirements                                               Covers system requirements for Integrity Advanced Server.
Integrity Client Management Guide                                 Covers choosing an Integrity client type, and its consequent management.
iclient                                                           Covers system requirements and instructions for installing, upgrading, configuring, uninstalling, and using Integrity client.
Client log upload utility                                         Covers the Integrity Client log upload utility.
More Information
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.
See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents
Chapter 1
Introduction to the CLI
In This Chapter
    Introduction
    General Information
Introduction
This guide documents the Command Line Interface (CLI) commands across different Check Point Products and features. The commands are documented according to the product for which they are used.
Within each product chapter, the commands are arranged alphabetically.
For Provider-1/SiteManager-1 CLI commands, see the Provider-1/SiteManager-1 User Guide.
General Information
Debugging SmartConsole Clients
It is possible to obtain debugging information on any of the SmartConsole clients by running these clients in a debug mode. You can save the debug information in a default text file, or you can specify another file in which this information should be saved.
Usage: -d -o
Syntax:

Parameter    Meaning
-d           Enter the debug mode. If -o is omitted, debug information is saved into a file with the default name: _debug_output.txt.
-o           This optional parameter, followed by a file name, indicates in which text file debug information should be saved.
Chapter 2
SmartCenter and Firewall Commands
In This Chapter
    comp_init_policy
    cpca_client
    cpconfig
    cplic
    cp_merge
    cppkg
    cpridrestart
    cpridstart
    cpridstop
    cprinstall
    cpstart
    cpstat
    cpstop
    cpwd_admin
    dbedit
    dbver
    dynamic_objects
    fw
    fwm
    GeneratorApp
    inet_alert
    ldapcmd
    ldapcompare
    ldapconvert
    ldapmodify
    ldapsearch
    log_export
    queryDB_util
    rs_db_tool
    sam_alert
    svr_webupload_config

comp_init_policy
Description  Use the comp_init_policy command to generate and load, or to remove, the Initial Policy.
Usage  $FWDIR/bin/comp_init_policy [-u | -g]
Syntax

Argument    Description
-u          Removes the current Initial Policy, and ensures that it will not be generated in future when cpconfig is run.
-g          Can be used if there is no Initial Policy. If there is, make sure that after removing the policy, you delete the $FWDIR\state\local\FW1\ folder. Generates the Initial Policy and ensures that it will be loaded the next time a policy is fetched (at cpstart, or at next boot, or via the fw fetch localhost command). After running this command, cpconfig will add an Initial Policy when needed.

The comp_init_policy -g command will only work if there is no previous Policy. If you perform the following commands:
    comp_init_policy -g + fw fetch localhost
    comp_init_policy -g + cpstart
    comp_init_policy -g + reboot
The original policy will still be loaded.

cpca_client
Description  This command and all its derivatives are used to execute operations on the ICA.
Usage  cpca_client
In This Section
    cpca_client create_cert
    cpca_client revoke_cert
    cpca_client set_mgmt_tools
cpca_client create_cert
Description This command prompts the ICA to issue a SIC certificate for theSmartCenter server.
Usage cpca_client [-d] create_cert [-p ] -n "CN=" -f
Syntax
cpca_client revoke_cert
Description This command is used to revoke a certificate issued by the ICA.
Usage cpca_client [-d] revoke_cert [-p ] -n "CN="
Syntax
cpca_client set_mgmt_tools
Description This command is used to invoke or terminate the ICA ManagementTool.
Usage cpca_client [-d] set_mgmt_tools on|off [-p ]
[-no_ssl] [-a|-u "administrator|user DN" -a|-u"administrator|user DN" ... ]
Argument Description
-d Debug flag
-p Specifies the port which is used to
connect to the CA (if the CA was notrun from the default port 18209)
-n "CN=" sets the CN
-f specifies the file name where thecertificate and keys are saved.
Argument Description
-d debug flag
-p specifies the port which is used toconnect to the CA (if the CA was notrun from the default port 18209)
-n "CN=" sets the CN
cpconfig
-
8/3/2019 4100013 Command Line Interface Version NGX R62
25/176
Chapter 2 SmartCenter and Firewall Commands 25
Syntax
Comments Note the following:
1. If the command is ran without -a or -u the list of the permitted users andadministrators isnt changed. The server can be stopped or started with thepreviously defined permitted users and administrators.
2. If two consecutive start operations are initiated the ICA Management Tool willnot respond, unless you change the ssl mode. Once the ssl mode has been
modified, the server can be stopped and restarted.
cpconfig
Description This command is used to run a Command Line version of the CheckPoint Configuration Tool. This tool is used to configure/reconfigure a
VPN-1 installation. The configuration options shown depend on theinstalled configuration and products. Amongst others, these optionsinclude:
Licenses - modify the necessary Check Point licenses
Administrators - modify the administrators authorized to connect tothe SmartCenter server via the SmartConsole
GUI Clients - modify the list of GUI Client machines from which the
administrators are authorized to connect to a SmartCenter server
Argument Description
-d debug flag
set_mgmt_tools on|off on - Start the ICA Managementtool
off - Stop the ICA Managementtool
-p Specifies the port which is used toconnect to the CA (if the appropriateservice was not run from the default
port 18265)-no_ssl Configures the server to use clear
http rather than https.
-a|-u"administrator|userDN"
Sets the DNs of the administrators oruser that permitted to use the ICAManagement tool
Certificate Authority - install the Certificate Authority on the SmartCenter server in a first-time installation
Key Hit Session - enter a random seed to be used for cryptographic purposes.
Secure Internal Communication - set up trust between the gateway on which this command is being run and the SmartCenter server
Fingerprint - display the fingerprint which will be used on first-time launch to verify the identity of the SmartCenter server being accessed by the SmartConsole. This fingerprint is a text string derived from the SmartCenter server's certificate.
Usage cpconfig
Further Info. See the Getting Started Guide and the SmartCenter Guide.
cplic
Description This command and all its derivatives relate to the subject of Check Point license management. All cplic commands are located in $CPDIR/bin. License Management is divided into three types of commands:
Local licensing commands are executed on local machines.
Remote licensing commands are commands which affect remote machines and are executed on the SmartCenter server.
License repository commands are executed on the SmartCenter server
Usage cplic
In This Section
cplic check
cplic db_add
cplic db_print
cplic db_rm
cplic del
cplic del
cplic get
cplic put
cplic put ...
cplic print
cplic upgrade
cplic check
Description Use this command to check whether the license on the local machine will allow a given feature to be used.
Usage cplic check [-p ] [-v ] [-c count] [-t ] [-r routers] [-S SRusers]
Syntax
Argument Description
-p The product for which license information is requested. For example fw1, netso.
-v The product version for which license information is requested. For example 4.1, 5.0
-c count Count the licenses connected to this feature
-t Check license status on future date. Use the format ddmmmyyyy. A given feature may be valid on a given date on one license, but invalid in another.
-r routers Check how many routers are allowed. The feature option is not needed.
-S SRusers Check how many SecuRemote users are allowed. The feature option is not needed
The for which license information is requested.
cplic db_add
Description The cplic db_add command is used to add one or more licenses to the license repository on the SmartCenter server. When local licenses are added to the license repository, they are automatically attached to their intended Check Point gateway; central licenses need to undergo the attachment process.
Usage cplic db_add < -l license-file | host expiration-date signature SKU/features >
Syntax
Argument Description
-l license-file Adds the license(s) from license-file. The following options are NOT needed: Host Expiration-Date Signature SKU/feature
Comments This command is a license repository command; it can only be executed on the SmartCenter server.
Copy/paste the following parameters from the license received from the User Center. More than one license can be added.
host - the target hostname or IP address
expiration date - The license expiration date.
signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
SKU/features - The SKU of the license summarizes the features included in the license. For example: CPSUITE-EVAL-3DES-vNG
Example If the file 192.168.5.11.lic contains one or more licenses, the command: cplic db_add -l 192.168.5.11.lic will produce output similar to the following:
Adding license to database ...
Operation Done
cplic db_print
Description The cplic db_print command displays the details of Check Point licenses stored in the license repository on the SmartCenter server.
Usage cplic db_print [-n noheader] [-x print signatures] [-t type] [-a attached]
Syntax
Argument Description
Object name Print only the licenses attached to Object name. Object name is the name of the Check Point gateway object, as defined in SmartDashboard.
-all Print all the licenses in the license repository
-noheader (or -n) Print licenses with no header.
-x Print licenses with their signature
-t (or -type) Print licenses with their type: Central or Local.
-a (or -attached) Show which object the license is attached to. Useful if the -all option is specified.
Comments This command is a license repository command; it can only be executed on the SmartCenter server.
cplic db_rm
Description The cplic db_rm command removes a license from the license repository on the SmartCenter server. It can be executed ONLY after the license was detached using the cplic del command. Once the license has been removed from the repository, it can no longer be used.
Usage cplic db_rm
Syntax
Argument Description
Signature The signature string within the license.
Example cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn
Comments This command is a license repository command; it can only be executed on the SmartCenter server.
cplic del
Description Use this command to delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. This command is used for both local and remote machines
Usage cplic del [-F ]
Syntax
Argument Description
-F Send the output to instead of the screen.
The signature string within the license.
cplic del
Description Use this command to detach a Central license from a Check Point gateway. When this command is executed, the license repository is automatically updated. The Central license remains in the repository as an unattached license. This command can be executed only on a SmartCenter server.
Usage cplic del [-F outputfile] [-ip dynamic ip]
Syntax
Argument Description
object name The name of the Check Point gateway object, as defined in SmartDashboard.
-F outputfile Divert the output to outputfile rather than to the screen.
-ip dynamic ip Delete the license on the Check Point gateway with the specified IP address. This parameter is used for deleting a license on a DAIP Check Point gateway.
Note - If this parameter is used, then object name must be a DAIP gateway.
Signature The signature string within the license.
Comments This is a Remote Licensing Command which affects remote machines and is executed on the SmartCenter server.
cplic get
Description The cplic get command retrieves all licenses from a Check Point gateway (or from all Check Point gateways) into the license repository on the SmartCenter server. Do this to synchronize the repository with the Check Point gateway(s). When the command is run, all local changes will be updated.
Usage cplic get [-v41]
Syntax
Argument Description
ipaddr The IP address of the Check Point gateway from which licenses are to be retrieved.
hostname The name of the Check Point gateway object (as defined in SmartDashboard) from which licenses are to be retrieved.
-all Retrieve licenses from all Check Point gateways in the managed network.
-v41 Retrieve version 4.1 licenses from the NF Check Point gateway. Used to upgrade version 4.1 licenses.
Example If the Check Point gateway with the object name caruso contains four Local licenses, and the license repository contains two other Local licenses, the command: cplic get caruso produces output similar to the following:
Get retrieved 4 licenses.
Get removed 2 licenses.
Comments This is a Remote Licensing Command which affects remote machines and is executed on the SmartCenter server.
cplic put
Description The cplic put command is used to install one or more Local licenses on a local machine.
Usage cplic put [-o overwrite] [-c check-only] [-s select] [-F ] [-P Pre-boot] [-k kernel-only]
Syntax
Argument Description
-overwrite (or -o) On a SmartCenter server this will erase all existing licenses and replace them with the new license(s). On a Check Point gateway this will erase only Local licenses but not Central licenses, that are installed remotely.
-check-only (or -c) Verify the license. Checks if the IP of the license matches the machine, and if the signature is valid
select (or -s) Select only the Local licenses whose IP address matches the IP address of the machine.
-F outputfile Outputs the result of the command to the designated file rather than to the screen.
-Preboot (or -P) Use this option after upgrading to VPN-1/FireWall-1 NG FP2 and before rebooting the machine. Use of this option will prevent certain error messages.
-kernel-only (or -k) Push the current valid licenses to the kernel. For Support use only.
-l license-file Installs the license(s) in license-file, which can be a multi-license file. The following options are NOT needed: host expiration-date signature SKU/features
Comments Copy and paste the following parameters from the license received from the User Center.
host - One of the following:
All platforms - The IP address of the external interface (in dot notation); last part cannot be 0 or 255.
Sun OS4 and Solaris2 - The response to the hostid command (beginning with 0x).
HP-UX - The response to the uname -i command (beginning with 0d).
AIX - The response to the uname -l command (beginning with 0d), or the response to the uname -m command (beginning and ending with 00).
expiration date - The license expiration date. Can be never
signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab
Example cplic put -l 215.153.142.130.lic produces output similar to the following:
Host Expiration SKU
215.153.142.130 26Dec2001 CPMP-EVAL-1-3DES-NG CK0123456789ab
cplic put ...
Description Use the cplic put command to attach one or more central or local licenses remotely. When this command is executed, the license repository is also updated.
Usage cplic put [-ip dynamic ip] [-F ] < -l license-file | host expiration-date signature SKU/features >
Argument Description
Object name The name of the Check Point gateway object, as defined in SmartDashboard.
-ip dynamic ip Install the license on the Check Point gateway with the specified IP address. This parameter is used for installing a license on a DAIP Check Point gateway.
NOTE: If this parameter is used, then object name must be a DAIP Check Point gateway.
-F outputfile Divert the output to outputfile rather than to the screen.
-l license-file Installs the license(s) from license-file. The following options are NOT needed: Host Expiration-Date Signature SKU/features
Comments This is a Remote Licensing Command which affects remote machines and is executed on the SmartCenter server.
Copy and paste the following parameters from the license received from the User Center. More than one license can be attached.
host - the target hostname or IP address
expiration date - The license expiration date. Can be never
signature - The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab
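The host, expiration date, signature and SKU/features parameters described for cplic db_add and cplic put can be checked before they are pasted on the command line. The following is an added example, not code from the Check Point guide: the function names are hypothetical, the signature alphabet is inferred from the two sample signatures on this page, only the dotted-IP form of host is checked, and a license is assumed to remain valid on its expiration day.

```python
import re
from datetime import date

# Month abbreviations as used in the page's dates (26Dec2001, 26Nov2002).
MONTHS = {name: num for num, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

DATE_RE = re.compile(r"^(\d{1,2})([A-Za-z]{3})(\d{4})$")
# Assumption from the page's sample signatures: alphanumeric groups,
# optionally separated by hyphens. No length is enforced.
SIG_RE = re.compile(r"^[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Constructed from the sample values printed on this page.
SAMPLE_LINE = ("215.153.142.130 26Dec2001 "
               "aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m "
               "CPMP-EVAL-1-3DES-NG CK0123456789ab")


def parse_expiration(text):
    """Return None for 'never', otherwise a date parsed from ddmmmyyyy."""
    if text.lower() == "never":
        return None
    m = DATE_RE.match(text)
    if not m or m.group(2).lower() not in MONTHS:
        raise ValueError(f"bad expiration date: {text!r}")
    # date() itself rejects impossible days such as 31Feb2002.
    return date(int(m.group(3)), MONTHS[m.group(2).lower()], int(m.group(1)))


def normalize_signature(sig):
    """Strip the optional hyphens; case is preserved because it matters."""
    if not SIG_RE.match(sig):
        raise ValueError(f"bad signature string: {sig!r}")
    return sig.replace("-", "")


def same_signature(a, b):
    """Compare two signature strings, ignoring hyphens but not case."""
    return normalize_signature(a) == normalize_signature(b)


def host_problems(host):
    """Check the dotted-IP host form: last part cannot be 0 or 255."""
    m = IPV4_RE.match(host)
    if not m:
        return []  # host IDs (0x..., 0d...) and hostnames are not checked
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return [f"host {host}: octet out of range"]
    if octets[3] in (0, 255):
        return [f"host {host}: last part cannot be 0 or 255"]
    return []


def parse_license_fields(line):
    """Split 'host expiration-date signature SKU/features' into fields."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError("expected: host expiration-date signature SKU/features")
    host, expiration, signature, *features = parts
    return {
        "host": host,
        "expiration": parse_expiration(expiration),
        "signature": normalize_signature(signature),
        "features": features,
    }


def check_license(line, today):
    """Return a list of problems found in one license parameter line."""
    try:
        lic = parse_license_fields(line)
    except ValueError as exc:
        return [str(exc)]
    problems = host_problems(lic["host"])
    expiration = lic["expiration"]
    if expiration is not None and expiration < today:
        problems.append(f"expired on {expiration.isoformat()}")
    return problems


if __name__ == "__main__":
    for problem in check_license(SAMPLE_LINE, date.today()) or ["no problems"]:
        print(problem)
```

These checks cover only the form of the parameters; whether the signature is valid for the machine is what cplic put -check-only verifies.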
cplic print
Description The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine.
Usage cplic print [-n noheader] [-x prints signatures] [-t type] [-F] [-p preatures]
Syntax
Argument Description
-noheader (or -n) Print licenses with no header.
-x Print licenses with their signature
-type (or -t) Prints licenses showing their type: Central or Local.
-F Divert the output to outputfile.
-preatures (or -p) Print licenses resolved to primitive features.
Comments On a Check Point gateway, this command will print all licenses that are installed on the local machine, both Local and Central licenses.
cplic upgrade
Description Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.
Usage cplic upgrade
Syntax
Argument Description
-l inputfile Upgrades the licenses in the license repository and Check Point gateways to match the licenses in
Example The following example explains the procedure which needs to take place in order to upgrade the licenses in the license repository.
Upgrade the SmartCenter server to the latest version.
Ensure that there is connectivity between the SmartCenter server and the remote workstations with the version 4.1 products.
Import all licenses into the license repository. This can also be done after upgrading the products on the remote workstations to NG
Run the command: cplic get -all. For example:
count:root(su) [~] # cplic get -all
Getting licenses from all modules ...
golda:
Retrieved 1 licenses.
Detached 0 licenses.
Removed 0 licenses.
count:
Retrieved 1 licenses.
Detached 0 licenses.
Removed 0 licenses.
To see all the licenses in the repository, run the command: cplic db_print -all -a
count:root(su) [~] # cplic db_print -all -a
Retrieving license information from database ...
The following licenses appear in the database:
==================================================
Host Expiration Features
192.168.8.11 Never CPFW-FIG-25-41 CK-49C3A3CC7
121 golda
192.168.5.11 26Nov2002 CPSUITE-EVAL-3DES-NG CK-1234567890 count
Upgrade the version 4.1 products on the remote Check Point gateways.
In the User Center (http://www.checkpoint.com/usercenter), view the licenses for the products that were upgraded from version 4.1 to NG and create new upgraded licenses.
Download a file containing the upgraded NG licenses. Only download licenses for the products that were upgraded from version 4.1 to NG.
If you did not import the version 4.1 licenses into the repository in step , import the version 4.1 licenses now using the command cplic get -all -v41
Run the license upgrade command: cplic upgrade -l
- The licenses in the downloaded license file and in the license repository are compared.
- If the certificate keys and features match, the old licenses in the repository and in the remote workstations are updated with the new licenses.
- A report of the results of the license upgrade is printed.
In the following example, there are two NG licenses in the file. One does not match any license on a remote workstation, the other matches a version 4.1 license on a remote workstation that should be upgraded:
Comments This is a Remote Licensing Command which affects remote machines and is executed on the SmartCenter server.
Further Info. See the SmartUpdate chapter of the SmartCenter Guide.
cp_merge
Description The cp_merge utility has two main functionalities:
Export and import of policy packages
Merge of objects from a given file into SmartCenter database
Usage cp_merge help
Syntax
Argument Description
help Displays the usage for cp_merge.
In This Section
cp_merge delete_policy
cp_merge export_policy
cp_merge import_policy and cp_merge restore_policy
cp_merge list_policy
cp_merge delete_policy
Description This command provides the options of deleting an existing policy package. Note that the default policy can be deleted by delete action.
Usage cp_merge delete_policy [-s ] [-u | -c ] [-p ] -n
Syntax
Argument Description
-s Specify the database server IP Address or DNS name. (2)
-u The administrator's name. (1, 2)
-c The path to the certificate file. (1)
-p The administrator's password. (1)
-n The policy package to export. (2, 3)
Comments Further considerations:
1. Either use certificate file or user and password
2. Optional
Example Delete the policy package called standard.
cp_merge delete_policy -n Standard
cp_merge export_policy
Description This command provides the options of leaving the policy package in the active repository, or deleting it as part of the export process. The default policy cannot be deleted during the export action.
Usage cp_merge export_policy [-s ] [-u | -c ] [-p ] [-n | -l ] [-d ] [-f] [-r]
Syntax
Argument Description
-s Specify the database server IP Address or DNS name. (2)
-u The database administrator's name. (1)
-c The path to the certificate file. (1)
-p The administrator's password. (1)
-n
-l Export the policy package which encloses the policy name. (2, 3, 4)
-d Specify the output directory. (2)
-f Specify the output file name (where the default file name is .pol). (2)
-r Remove the original policy from the repository. (2)
Comments Further considerations:
1. Either use certificate file or user and password
2. Optional
3. If both -n and -l are omitted all policy packages are exported.
4. If both -n and -l are present -l is ignored.
Example Export policy package Standard to file
cp_merge export_policy -n Standard -f StandardPolicyPackageBackup.pol -d C:\bak
cp_merge import_policy and cp_merge restore_policy
Description This command provides the options to overwrite an existing policy package with the same name, or preventing overwriting when the same policy name already exists
Usage cp_merge import_policy|restore_policy [-s ] [-u | -c ] [-p ] [-n ] [-d ] -f [-v]
Syntax
Argument Description
-s Specify the database server IP address or DNS name. (2)
-u The administrator's name. (1, 2)
-c The path to the certificate file. (1)
-p The administrator's password. (1, 2)
Comments Further considerations:
1. Either use certificate file or user and password
2. Optional
The cp_merge restore_policy works only locally on the SmartCenter server and it will not work from remote machines.
Caution: A FireWall-1 policy from .W file can be restored using this utility; however, important information may be lost when the policy is translated into .W format. This restoration should be used only if there is no other backup of the policy.
Example Import the policy package saved in file Standard.pol into the repository and rename it to StandardCopy.
cp_merge import_policy -f Standard.pol -n StandardCopy
cp_merge list_policy
Usage cp_merge list_policy [-s ] [-u | -c ] [-p ]
Syntax
Comments Further considerations:
1. Either use certificate file or user and password
-n
Example List all policy packages which reside in the specified repository:
cp_merge list -s localhost
cppkg
Description This command is used to manage the product repository. It is always executed on the SmartCenter server.
In This Section
cppkg add
cppkg delete
cppkg get
cppkg getroot
cppkg print
cppkg setroot
cppkg add
Description The cppkg add command is used to add a product package to the product repository. Only SmartUpdate packages can be added to the product repository.
Products can be added to the Repository as described in the following procedures, by importing a file downloaded from the Download Center web site at http://www.checkpoint.com/techsupport/downloads/downloads.html. The package file can be added to the Repository directly from the CD or from a local or network drive.
Usage cppkg add
Syntax
Argument Description
package-full-path If the package to be added to the repository is on a local disk or network drive, type the full path to the package.
CD drive If the package to be added to the repository is on a CD:
For Windows machines type the CD drive letter, e.g. d:\
For UNIX machines, type the CD root path, e.g. /caruso/image/CPsuite-NG/FP2
You will be asked to specify the product and appropriate Operating System (OS).
Comments cppkg add does not overwrite existing packages. To overwrite existing packages, you must first delete existing packages.
Example [d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-NG_FP2\
Enter package name:
----------------------
(1) SVNfoundation
(2) firewall
(3) floodgate
(4) rtm
(e) Exit
Enter you choice : 1
Enter package OS :
----------------------
(1) win32
(2) solaris
(3) linux
(4) hpux
(5) ipso
(6) aix
(e) Exit
Enter your choice : 1
You choose to add SVNfoundation for win32 OS. Is this correct? [y/n] : y
Adding package from CD ...
Package added to repository.
cppkg delete
Description The command is used to delete a product package from the repository. To delete a product package you must specify a number of options. To see the format of the options and to view the contents of the product repository, use the cppkg print command.
Usage cppkg delete [ [sp]]
Syntax
Argument Description
vendor Package vendor (e.g. checkpoint).
product Package name. Options are: SVNfoundation, firewall, floodgate.
version Package version (e.g. NG).
os Package Operating System. Options are: win32 for Windows NT and Windows 2000, solaris, hpux, ipso, aix, linux.
sp Package service pack (e.g. fcs for NG R54 initial release, FP1, FP2 etc.) This parameter is optional. Its default is fcs.
Comments It is not possible to undo the cppkg del command.
Example [d:\winnt\fw1\ng\bin]cppkg del
Getting information from package repository. Please wait...
Select package:
-----------------------
(1) checkpoint SVNfoundation NG win32 FCS_FP1
(2) checkpoint SNVfoundation NG win32 FP1
(e) Exit
Enter your choice : 2
You choose to delete checkpoint SVNfoundation NG win32 FP1
Is this correct? [y/n] : y
Package removed from repository.
cppkg get
Description This command synchronizes the Package Repository database with the content of the actual package repository under $SUROOT.
Usage cppkg get
cppkg getroot
Description The command is used to find out the location of the product repository. The default product repository location on Windows machines is C:\SUroot. On UNIX it is /var/SUroot
Usage cppkg getroot
Example # cppkg getroot
Current repository root is set to : /var/suroot/
cppkg print
Description The command is used to list the contents of the product repository.
Use cppkg print to see the product and OS strings required to install a product package using the cprinstall command, or to delete a package using the cppkg delete command.
Usage cppkg print
Example
[d:\winnt\fw1\ng\bin]cppkg print
Getting information from package repository. Please wait...
Vendor Product Version OS SP Description
-------------------------------------------------------------
checkpoint SVNfoundation NG win32 FCS_FP1 SVNfoundation NG Feature Pack 1 for 4.1 upgrade
checkpoint SVNfoundation NG win32 FP1 SVNfoundation Feature Pack 1 for NG upgrade
cppkg setroot
Description The command is used to create a new repository root directory location, and to move existing product packages into the new repository.
The default product repository location is created when the SmartCenter server is installed. On Windows machines the default location is C:\SUroot and on UNIX it is /var/SUroot. Use this command to change the default location.
When changing repository root directory:
The contents of the old repository are copied into the new repository.
The $SUROOT environment variable gets the value of the new root path.
A product package in the new location will be overwritten by a package in the old location, if the packages are the same (that is, they have the same ID strings).
The repository root directory should have at least 200 Mbyte of free disk space.
Usage cppkg setroot
Syntax
Argument Description
repository-root-directory-full-path The desired location for the product repository.
Comments It is important to reboot the SmartCenter server after performing this command, in order to set the new $SUROOT environment variable.
Example # cppkg setroot /var/new_suroot
Repository root is set to : /var/new_suroot/
Note: When changing repository root directory :
1. Old repository content will be copied into the new repository.
2. A package in the new location will be overwritten by a package in the old location, if the packages have the same name.
Change the current repository root ? [y/n] : y
The new repository directory does not exist. Create it ? [y/n] : y
Repository root was set to : /var/new_suroot
Notice : To complete the setting of your directory, reboot the machine!
cpridrestart
Description Stops and starts the Check Point Remote Installation Daemon (cprid). This is the daemon that is used for remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.
cpridstart
Description Start the Check Point Remote Installation Daemon (cprid). This is the service that allows for the remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.
Usage cpridstart
cpridstop
Description Stop the Check Point Remote Installation Daemon (cprid). This is the service that allows for the remote upgrade and installation of products. It is part of the SVN Foundation. In Windows it is a service.
Usage cpridstop
cprinstall
Description Use cprinstall commands to perform remote installation of product packages, and associated operations.
On the SmartCenter server, cprinstall commands require licenses for SmartUpdate
On the remote Check Point gateways the following are required:
Trust must be established between the SmartCenter server and the Check Point gateway.
cpd must run.
cprid remote installation daemon must run. cprid is available on VPN-1/FireWall-1 4.1 SP2 and higher, and as part of SVN Foundation for NG and higher.
In This Section
cprinstall boot
cprinstall cprestart
cprinstall cpstart
cprinstall cpstop
cprinstall get
cprinstall install
cprinstall stop
cprinstall uninstall
cprinstall upgrade
cprinstall verify
cprinstall verify_upgrade
cprinstall boot
Description The command is used to boot the remote computer.
Usage cprinstall boot
Syntax
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
Example # cprinstall boot harlin
cprinstall cprestart
Description This command enables cprestart to be run remotely.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall cprestart
Syntax
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
cprinstall cpstart
Description This command enables cpstart to be run remotely.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall cpstart
Syntax
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
cprinstall cpstop
Description This command enables cpstop to be run remotely.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall cpstop
Syntax
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
-proc Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.
-nopolicy
cprinstall get
Description The cprinstall get command is used to obtain details of the products and the Operating System installed on the specified Check Point gateway, and to update the database.
Usage cprinstall get
Syntax
Argument Description
Object name The name of the Check Point gateway object defined in SmartDashboard.
Example [c:\winnt\fw1\5.0\bin]cprinstall get fred
Getting information from fred...
Operating system Version SP
----------------------------------------------------------
solaris 5.7 fcs
Vendor Product Version SP
---------------------------------------------------------
CheckPoint VPN-1 Power NG fcs
CheckPoint SVNfoundation NG fcs
cprinstall install
Description The cprinstall install command is used to install Check Point products on remote Check Point gateways. To install a product package you must specify a number of options. Use the cppkg print command and copy the required options.
Usage cprinstall install [-boot] [sp]
Syntax
Argument Description
-boot Boot the remote computer afterinstalling the package.
Only boot after ALL products havethe same version, either NG or NGFP1. Boot will be cancelled incertain scenarios. See the ReleaseNotes for details.
Object name Object name of the Check Pointgateway defined in SmartDashboard.
vendor Package vendor (e.g. checkpoint)
cprinstall stop
product Package name
Argument Description
-
8/3/2019 4100013 Command Line Interface Version NGX R62
52/176
52
Comments Before transferring any files, this command runs the cprinstall
verify command to verify that the Operating System is appropriateand that the product is compatible with previously installed products.
Example
cprinstall stop
Description This command is used to stop the operation of other cprinstallcommands. In particular, this command stops the remote installationof a product - even during transfer of files, file extraction, andpre-installation verification. The operation can be stopped at any timeup to the actual installation.
cprinstall stop can be run from one command prompt to stop arunning operation at another command prompt.
Usage cprinstall stop
product Package nameOptions are: SVNfoundation,
firewall, floodgate.version Package version (e.g. NG FP2)
sp Package service pack (e.g. fcs forNG FP2 initial release, FP1 for NGFeature Pack 1.)
# cprinstall install -boot fred checkpoint firewall NG FP1
Installing firewall NG FP1 on fred...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
Syntax Argument Description
object name Object name of the Check Point gateway, defined in SmartDashboard.
Example
[c:\winnt\fw1\5.0\bin] cprinstall stop Check PointGateway01
Info : Stop request sent
cprinstall uninstall
Description The cprinstall uninstall command is used to uninstall products on remote Check Point gateways. To uninstall a product package you must specify a number of options. Use the cppkg print command and copy the required options.
Usage cprinstall uninstall [-boot] [sp]
Syntax
Argument Description
-boot Boot the remote computer after installing the package. Only boot after ALL products have the same version, either NG or NG FP1. Boot will be cancelled in certain scenarios. See the Release Notes for details.
Object name Object name of the Check Point gateway defined in SmartDashboard.
vendor Package vendor (e.g. checkpoint)
product Package name. Options are: SVNfoundation, firewall, floodgate.
version Package version (e.g. NG FP2)
sp Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG Feature Pack 1.)
Comments Before uninstalling any files, this command runs the cprinstall verify command to verify that the Operating System is appropriate and that the product is installed.
After uninstalling, retrieve the Check Point gateway data by running cprinstall get.
Example
cprinstall upgrade
Description Use the cprinstall upgrade command to upgrade all products on a Check Point gateway to the latest version. All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall upgrade [-boot]
Syntax
Comments When cprinstall upgrade is run, the command first verifies which products are installed on the Check Point gateway, and that there is a matching product package in the product repository with the same OS, and then installs the product package on the remote Check Point gateway.
cprinstall verify
Description The cprinstall verify command is used to verify:
# cprinstall uninstall fred checkpoint firewall NG FP1
Uninstalling firewall NG FP1 from fred...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success.Please get network object data to complete the operation.
Argument Description
-boot Boot the remote Check Point gateway after completing the remote installation.
object name Object name of the Check Point gateway, defined in SmartDashboard.
If a specific product can be installed on the remote Check Point gateway.
That the Operating System and currently installed products are appropriate for the package.
That there is enough disk space to install the product.
That there is a CPRID connection.
Usage cprinstall verify [sp]
Syntax
Example The following examples show a successful and a failed verify operation:
Verify succeeds:
Argument Description
Object name Object name of the Check Point gateway defined in SmartDashboard.
vendor Package vendor (e.g. checkpoint).
product Package name. Options are: SVNfoundation, firewall, floodgate.
version Package version (e.g. NG).
sp Package service pack (e.g. fcs for NG with Application Intelligence initial release, FP1, FP2 etc.) This parameter is optional. Its default is fcs.
cprinstall verify harlin checkpoint SVNfoundation NG_FP4
Verifying installation of SVNfoundation NG FP4 on harlin...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.
Verify fails:
cprinstall verify harlin checkpoint SVNfoundation NGFCS_FP4
cprinstall verify_upgrade
Description Use the cprinstall verify_upgrade command to verify the success of the upgrade of all products on a Check Point gateway to the latest version, before performing the upgrade. This command is automatically performed by the cprinstall upgrade command.
All products on the Check Point gateway must be of the same version of NG.
Usage cprinstall verify_upgrade
Syntax
Comments When the command is run, the command verifies which products are installed on the Check Point gateway, and that there is a matching product package in the product repository with the same OS.
cpstart
Description This command is used to start all Check Point processes and applications running on a machine.
Usage cpstart
Comments This command cannot be used to start cprid. cprid is invoked when the machine is booted and it runs independently.
Verifying installation of SVNfoundation NG FCS_FP4 on harlin...
Info : Testing Check Point Gateway
Info : SVN Foundation NG is already installed on 192.168.5.134
Operation Success.Product cannot be installed, did not pass dependency check.
Argument Description
object name Object name of the Check Point gateway, defined in SmartDashboard.
cpstat
Description cpstat displays the status of Check Point applications, either on the local machine or on another machine, in various formats.
Usage cpstat [-h host][-p port][-f flavour][-d] application_flag
Syntax
Where the flavors are:
fwm "fw", with flavours: "default", "all", "policy", "performance", "hmem", "kmem", "inspect", "cookies", "chains", "fragments", "totals", "ufp_caching", "http_stat", "ftp_stat", "telnet_stat", "rlogin_stat", "ufp_stat", "smtp_stat"
vpn product, general, IKE, ipsec, fwz, accelerator, all
fg all
mg default
Argument Description
-h host A resolvable hostname, or a dot-notation address (for example, 192.168.33.23). The default is localhost.
-p port Port number of the AMON server. The default is the standard AMON port (18192)
-f flavour The flavor of the output (as appears in the configuration file). The default is to use the first flavor found in configuration file.
-d debug flag
application_flag One of:
fwm FireWall-1
vpn VPN-1
fg FloodGate-1 (QoS)
ha ClusterXL (High Availability)
os SVN Foundation and OS Status
mg for SmartCenter
os default, routing
ha default, all
Example
cpstop
Description This command is used to terminate all Check Point processes and applications, running on a machine.
Usage cpstop
cpstop -fwflag [-proc | -default]
> cpstat fw
Policy name: Standard
Install time: Wed Nov 1 15:25:03 2000
Interface table
-----------------------------------------------------------------
|Name|Dir|Total *|Accept**|Deny|Log|
-----------------------------------------------------------------
|hme0|in |739041*|738990**|51 *|7**|
-----------------------------------------------------------------
|hme0|out|463525*|463525**| 0 *|0**|
-----------------------------------------------------------------
*********|1202566|1202515*|51**|7**|
Syntax Argument Description
-fwflag -proc Kills Check Point daemons and Security servers while maintaining the active Security Policy running in the kernel. Rules with generic allow/reject/drop rules, based on services continue to work.
-fwflag -default Kills Check Point daemons and Security servers. The active Security Policy running in the kernel is replaced with the default filter.
Comments This command cannot be used to terminate cprid. cprid is invoked when the machine is booted and it runs independently.
cpwd_admin
Description cpwd (also known as WatchDog) is a process that invokes and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by Watchdog are cpd, fwd, fwm. cpwd is part of the SVN Foundation.
fwd does not work in a Management Only machine. To work with fwd in a Management Only machine add -n (for example, fwd -n).
cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition, monitoring information is written to the console on UNIX platforms, and to the Windows Event Viewer.
The cpwd_admin utility is used to show the status of processes, and to configure cpwd.
Usage cpwd_admin
In This Section
cpwd_admin start
cpwd_admin stop
cpwd_admin list
cpwd_admin exist
cpwd_admin kill
cpwd_admin config
cpwd_admin start
Description Start a new process by cpwd.
Usage cpwd_admin start -name -path -command
Syntax
Example To start and monitor the fwm process.
cpwd_admin start -name FWM -path $FWDIR/bin/fwm -command fwm
cpwd_admin stop
Description Stop a process which is being monitored by cpwd.
Usage cpwd_admin stop -name [-path -command ]
Argument Description
-name A name for the process to be watched by WatchDog.
-path The full path to the executable including the executable name
-command The name of the executable file.
Syntax Argument Description
-name A name for the process to be watched by WatchDog.
Comments If -path and -command are not stipulated, cpwd will abruptly terminate the process.
Example stop the FWM process using fw kill.
cpwd_admin stop -name FWM -path $FWDIR/bin/fw -command fw kill fwm
cpwd_admin list
Description This command is used to print a status of the selected processes being monitored by cpwd.
Usage cpwd_admin list
Output The status report output includes the following information:
APP Application. The name of the process.
PID Process Identification Number.
STAT Whether the process Exists (E) or has been Terminated (T).
#START How many times the process has been started since cpwd took control of the process.
START TIME The last time the process was run.
COMMAND The command that cpwd used to start the process.
For example:
-path Optional: the full path to the executable (including the executable name) that is used to stop the process.
-command Optional: the name of the executable file mentioned in -path
#cpwd_admin list
APP PID STAT #START START_TIME COMMAND
CPD 463 E 1 [20:56:10] 21/5/2001 cpd
FWD 440 E 1 [20:56:24] 21/5/2001 fwd
FWM 467 E 1 [20:56:25] 21/5/2001 fwm
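An added example, not part of the Check Point manual: a POSIX shell function that reads cpwd_admin list output in the column layout documented in this section and reports processes that are terminated (STAT T) or have been started more often than a threshold, which indicates that WatchDog keeps restarting them. The function names, the threshold argument and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Flag WatchDog-monitored processes that need attention, given the text
# printed by `cpwd_admin list` on stdin.
# Usage: cpwd_admin list | cpwd_flag [max_starts]
# Assumption: columns are APP PID STAT #START [time] date COMMAND...,
# as in the sample output on this page.
cpwd_flag() {
    max_starts="${1:-1}"
    awk -v max="$max_starts" '
        # Skip the echoed command line, the column header and short lines.
        $1 == "APP" || NF < 7 { next }
        # Refuse to guess when STAT or #START do not look as documented.
        $3 !~ /^[ET]$/ || $4 !~ /^[0-9]+$/ { printf "%s UNPARSED\n", $1; next }
        # T = the process has been terminated and is not running.
        $3 == "T"    { printf "%s TERMINATED starts=%s\n", $1, $4; next }
        # E but started more than max times: cpwd has been rerunning it.
        $4 + 0 > max { printf "%s RESTARTED starts=%s last=%s %s\n", $1, $4, $5, $6 }
    '
}

# Constructed sample rows in the documented layout (not captured output).
cpwd_sample() {
    cat <<'EOF'
APP PID STAT #START START_TIME COMMAND
CPD 463 E 1 [20:56:10] 21/5/2001 cpd
FWD 440 E 4 [23:10:02] 21/5/2001 fwd
FWM 0 T 5 [22:41:37] 21/5/2001 fwm
EOF
}

# Report every process that is down or was started more than once.
cpwd_sample | cpwd_flag 1
```

A #START value that keeps climbing for fwd or fwm is worth correlating with the entries cpwd writes to $CPDIR/log/cpwd.elg.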
cpwd_admin exist
Description This command is used to check whether cpwd is alive.
Usage cpwd_admin exist
cpwd_admin kill
Description This command is used to kill cpwd.
Usage cpwd_admin kill
cpwd_admin config
Description This command is used to set cpwd configuration parameters. When parameters are changed, these changes will not take effect until cpwd has been stopped and restarted.
Usage cpwd_admin config -p
cpwd_admin config -a
cpwd_admin config -d
cpwd_admin config -r
Syntax
Where the values are as follows:
Argument Description
config -p Shows the cpwd parameters added using the config -a option.
config -a Add one or more monitoring parameters to the cpwd configuration.
config -d Delete one or more parameters from the cpwd configuration
config -r Restore the default cpwd parameters.
Argument Description
timeout (any value in seconds) If rerun_mode=1, how much time passes from process failure to rerun. The default is 60 seconds.
no_limit (any value in seconds) Maximum number of times that cpwd will try to restart a process. The default is 5.
zero_timeout (any value in seconds) After failing no_limit times to restart a process, cpwd will wait zero_timeout seconds before retrying. The default is 7200 seconds. Should be greater than timeout.
sleep_mode 1 - wait timeout
0 - ignore timeout. Rerun the process immediately
dbg_mode 1 - Accept pop-up error messages (with exit-code#0) displayed when a process terminates abruptly (Windows NT only).
0 - Do not receive pop-up error messages. This is useful if pop-up error messages freeze the machine. This is the default (Windows NT only).
rerun_mode 1 - Rerun a failed process. This is the default.
0 - Do not rerun a failed process. Perform only monitoring.
stop_timeout The time in seconds that the cpwd will wait for a stop command to be completed. Default is 60 seconds.
reset_startups Indicates the time in seconds that the cpwd waits after the process begins before it resets the startup_counter. Default value is 1 hour, meaning that an hour after the process begins its startup counter is reset to 0.
Example The following example shows two configuration parameters being changed: timeout to 120 seconds, and no_limit to 10.
# C:\>cpwd_admin config -p
WD doesn't have configuration parameters
C:\>cpwd_admin config -a timeout=120 no_limit=12
C:\>cpwd_admin config -p
WD Configuration parameters are:
timeout : 120
no_limit : 12
cpwd_admin config -a timeout=120 no_limit=10
config -a and cpwd_admin config -d have no effect if cpwd is running. They will affect cpwd the next time it is run.
dbedit
Description This command is used by administrators to edit the objects file on the SmartCenter server. From version NG, there is an objects file on the gateway and a new file, objects_5_0.C on the SmartCenter server. A new objects.C file is created on the gateway (based on the objects_5_0.C on the SmartCenter server) whenever a Policy is installed. Editing the objects.C file on the gateway is no longer required or desirable, since it will be overwritten the next time a Policy is installed.
Usage dbedit [-s server] [-u user | -c certificate] [-p password] [-f filename] [-r db-open-reason] [-help]
Syntax Argument Description
-s server The SmartCenter server on which the objects_5_0.C file to be edited is located. If this is not specified in the command line, then the user will be prompted for it. If the server is not localhost, the user will be required to authenticate.
-u user | -c certificate The user's name (the name used for the SmartConsole) or the full path to the certificate file.
-p password The user's password (the password used for the SmartConsole).
-f filename The name of the file containing the commands. If filename is not given, then the user will be prompted for commands.
-r db-open-reason A non-mandatory flag used to open the database with a string that states the reason. This reason will be attached to audit logs on database operations.
-help Print usage and short explanation.
dbedit commands:
Argument Description
create [object_type] [object_name] Create an object with its default values. The create command may use an extended (or owned) object. Changes are committed to the database only by an update or quit command.
modify [table_name] [object_name] [field_name] [value] Modify fields of an object which is:
stored in the database (the command will lock the object in such case).
newly created by dbedit
Extended Formats for owned objects can be used: For example, [field_name] = Field_A:Field_B
update [table_name] [object_name] Update the database with the object. This command will check the object validity and will issue an error message if appropriate.
delete [table_name] [object_name] Delete an object from the database and from the client implicit database.
addelement [table_name] [object_name] [field_name] [value] Add an element (of type string) to a multiple field.
rmelement [table_name] [object_name] [field_name] [value] Remove an element (of type string) from a multiple field.
rename [table_name] [object_name] [new_object_name] Assign a new name for a given object. The operation also performs an update.
Example: Rename network object London to Chicago.
rename network_objects london chicago
quit Quit dbedit and update the database with modified objects not yet committed.
Example Replace the owned object with a new null object, where NULL is a reserved word specifying a null object:
modify network_objects my_obj firewall_setting NULL
Example Extended Format
firewall_properties owns the object floodgate_preferences. floodgate_preferences has a Boolean attribute turn_on_logging, which will be set to true.
modify properties firewall_properties floodgate_preferences:turn_on_logging true
comments is a field of the owned object contained in the ordered container. The 0 value indicates the first element in the container (zero based index).
m