cli tools updated

Upload: amarscorpio

Post on 27-Feb-2018


TRANSCRIPT

  • 7/25/2019 CLI Tools Updated

    1/31

    CLI Tools

    Checkpoint Command Line Interface


    SPLAT Shells

    Splat Operating System Shells

    Standard mode shell - Gives some limited commands for administration of the device

    Expert mode shell - Gives access to root of the system for advanced administration and troubleshooting


    Commands

    passwd - To change the password of the current user

    timezone - To set the timezone

    time - To see the current time

    date - To see the current date

    exit - Exits from the current user session

    shutdown - Shuts down the device


    netstat -rn - shows the routing table

    The grep command can be used at the end of the normal commands to grab the specific name you wish to search for. Example: in your routing table, you wish to see the routing at your interface eth0. You'll use the below command:

    netstat -rn | grep eth0

    If you wish to display the routing table per page, use | more at the end of your command line. Example:

    netstat -rn | more


    ifconfig - use shift + pageup to view the complete content

    ip addr - same as ifconfig with some limited info

    dns - will tell you what is the DNS server the firewall uses

    webui - webui enable <port number>


    lockout - lockout enable <number of attempts> <time in minutes>

    lockout show

    unlockuser - to unlock the locked user

    checkuserlock

    Arp - Shows the arp entries on the Firewall


    fw directory - lists the files and options under the firewall module

    fw ver - shows the firewall version with the build info

    fw stat - shows the last time when the security policy was installed on the SPLAT Firewall

    fw unloadlocal - this uninstalls the security policy completely from the machine. Any active connections like NAT connections or VPN connections, i.e. any connections going through the Firewall, will be dropped.

    This will open up the machine for any traffic, i.e. any any allow, until policies are installed from the Management server


    fw tab -s -t connections - shows number of connections in state table. -s is for summary

    fw tab -t xlate -x - clear all translated entries (emergency only)


    cpstop - stops the Check Point services. When it is run remotely, even the admin connection to the firewall will also be dropped, because it will essentially shut down the security policy and every other service running on the module

    cpstart - restarts those services

    If you are managing the console remotely and do not want to get disconnected from the Firewall, you can use cpstop and cpstart in a single command by using a semicolon in between, as below:

    cpstop ; cpstart

    It will stop the Check Point services and then it is going to restart them and pull the security policies configured on the firewall


    cpconfig - Gives the ability to reset our SIC

    SIC should be reset when you change the hostname of the Firewall which is tied to the certificate under the ICA. If the ip address is changed, then its not re

    Sysconfig is used to enter the network setting on the SPLAT machine and see the products configured on that SPLAT


    cpinfo - File which is re

    firewall or the management server.

    cpinfo -o test.tgz

    ls


    cpinfo - File which is re

    It's created by using the below command:

    cpinfo -o <filename.tgz>

    Do an ls to list the file


    fwm ver

    fwd ver

    fwm help


    $FWDIR/conf Directory - It contains Rulebases, objects and the user database

    cd $FWDIR/conf

    ls

    It contains 4 important sub directories:

    objects_5_0.C

    Objects.C

    rulebases_5_0.fws

    fwauth.ndb


    objects_5_0.C

    Includes all the modified object values under smartview dashboard. This file does not get pushed to the Firewall

    objects.C

    Whenever we compile a policy, this file gets delivered to the firewall by the install policy option. The objects_5_0.C file is converted to the objects.C file, which is actually pushed to the firewall.


    rulebases_5_0.fws

    It includes the security policies, NAT policies and application control policies

    fwauth.ndb

    It contains all of the firewall users and groups information, which is also located in the same $FWDIR/conf directory and $FWDIR/database directory


    $FWDIR/log directory - It contains log files

    cd $FWDIR/log

    ls


    $FWDIR/bin Directory

    cd $FWDIR/bin

    ls


    One of the most important backup and restore files are stored in this directory.

    cd upgrade_tools

    ls


    upgrade_export - should be taken on a weekly basis for the SCS if there are a lot of policy changes. Command to start upgrade export is

    ./upgrade_export test.tgz


    It's going to back up all the policy information and the configuration existing on the SCS

    Upgrade Import and Upgrade export are strictly used for policy backup and restore from the SCS.

    It is typically used when you are moving policy between machines or when you do the upgrade process.

    Let's say you are moving from Solaris to SPLAT: the upgrade tools will provide the flexibility to import and export the policy database between different OS's.


    Using upgrade export you can take the configuration from a windows machine to a SPLAT, to Solaris or to a Redhat machine.

    Whereas snapshot and cpbackup will be working only for SPLAT, where it can only be used on a single machine for restoring something with the same hostname, same ip address and same software level.


    To import the exported configuration, use the command

    ./upgrade_import


    cplic put - is used to install one or more Local licenses. This command installs a license on a local machine and it cannot be performed remotely.

    cplic print - prints details of Check Point licenses on the local machine. On a Module, this command will print all licenses that are installed on the local machine, both Local and Central licenses.


    fw lichosts - prints a list of hosts protected by the VPN-1/FireWall-1/n products. The list of hosts is in the file $FWDIR/database/fwd.h

    fw sam - inhibits (blocks) connections to and from specific IP addresses without the need to change the Security Policy. The command is logged


    Commands to sniff the packets on a specific interface are as below:

    tcpdump -i <interface name> -s 1500 net <network address>/<mask> -w /var/tmp/w.pcap

    OR

    tcpdump -i <interface name> -s 1500 net eth -w /var/tmp/w.pcap

    *The interface name is the interface set on your device. If you want to filter based on the network address, you should put it as above; if filtering based on host, change it to 'host <host address>'.


    The -s 1500 indicates the normal 1500 size packet you want to capture. If you don't define 1500, the packets captured will show incomplete details.

    -w is used to save the files to a specific folder. By defining the file extension with .pcap, you'd be able to double click the file to open it via ethereal.
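The effect of the -s snapshot length described above can be checked on a saved capture. The following is an added example, not part of the original slides: a Python reader for the classic pcap file format that counts frames stored shorter than they were on the wire. The frame sizes are constructed; 68 bytes is the default snapshot length of older tcpdump releases, and a full-size Ethernet frame is 1514 bytes (1500-byte payload plus 14-byte header), so -s 1500 still cuts 14 bytes from such frames.

```python
import struct

def build_pcap(snaplen, frames):
    """Constructed sample data: a classic little-endian pcap whose frames are
    cut at snaplen, the way `tcpdump -s <snaplen> -w file` records them."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(kept), len(frame)) + kept
    return out

def truncation_report(data):
    """Read a classic pcap byte string and count frames whose captured
    length is smaller than their original length on the wire."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        order = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        order = ">"          # file written big-endian
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    snaplen = struct.unpack_from(order + "I", data, 16)[0]
    report = {"snaplen": snaplen, "packets": 0, "truncated": 0, "bytes_lost": 0}
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("file ends inside a packet record")
        report["packets"] += 1
        if incl_len < orig_len:
            report["truncated"] += 1
            report["bytes_lost"] += orig_len - incl_len
    return report

# Constructed frames: a 60-byte minimum-size frame, a 342-byte frame and a
# full-size Ethernet frame (1500-byte payload + 14-byte header = 1514).
SAMPLE_FRAMES = [bytes(60), bytes(342), bytes(1514)]

if __name__ == "__main__":
    for snaplen in (68, 1500, 1514):
        print(truncation_report(build_pcap(snaplen, SAMPLE_FRAMES)))
```

To check a real capture, pass the bytes of the file written by -w, for example `truncation_report(open("/var/tmp/w.pcap", "rb").read())`.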


    cpstat os -f cpu - shows cpu status

    cpstat os -f routing - Shows routing table

    fw lslogs - lists firewall logs

    fw stat -l - shows which policy is associated with which interface and package drop, accept and reject