
Basic Check Point Gaia CLI Commands and Installation Videos (Tips and Tricks)


This post summarises some basic but useful CLI commands for daily working reference, especially for those who are just starting to configure Check Point Gaia products.

For more advanced usage, please check the post “Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)” in this blog.


1. show version all

FW-CP1>show version all
Product version Check Point Gaia R77.20
OS build 124
OS kernel version 2.6.18-92cp
OS edition 32-bit

2. show interface DMZ / show interfaces

FW-CP1>show interface DMZ
state on
mac-addr 00:1c:7f:37:9e:b9
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 100M
ipv6-autoconfig Not configured
duplex full
monitor-mode Not configured
link-speed 100M/full
comments
ipv4-address 10.91.72.15/24
ipv6-address Not Configured
ipv6-local-link-address Not Configured

Statistics:
TX bytes:130970299 packets:1278980 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:391610509 packets:1382114 errors:0 dropped:0 overruns:0 frame:0


FW-CP1>show interfaces
Mgmt
eth1
eth2
eth3
eth3.100
eth3.102
lo

3. set interface DMZ ipv4-address 40.40.40.1 subnet-mask 255.255.255.0

set interface DMZ state on


Note: if you are running the firewall in a virtual machine, only the eth0 interface is on by default.

4. add interface lo loopback 10.10.99.1/24

add interface lo loopback 2010:10:99::1/64
delete interface lo loopback loop01

5. Show configuration and Save Config

FW-CP1>show configuration
#
# Configuration of FW-CP1
# Language version: 12.1v1
#
# Exported by admin on Fri May 15 13:51:26 2015
#
set max-path-splits 8
set tracefile maxnum 10
set tracefile size 1
set expert-password-hash $1$BBBNBcBB$BdeldpEXBxaayLxqIsKNn.
add dhcp client interface eth3
set dhcp client interface eth3 timeout 60
set dhcp client interface eth3 retry 300
set dhcp client interface eth3 reboot 10
add allowed-client host any-host
set core-dump enable
set core-dump total 1000
set core-dump per_process 2
set message caption off
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set clienv debug 0
set clienv echo-cmd off
set clienv output pretty
set clienv prompt "%M"
set clienv rows 63
set clienv syntax-check off
set arp table cache-size 4096
set arp table validity-timeout 60
set arp announce 2
set edition 32-bit
set snmp agent off
set snmp agent-version any
set snmp community public read-only
set snmp traps trap authorizationError disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable
set snmp traps trap configurationSave disable
set snmp traps trap fanFailure disable
set snmp traps trap highVoltage disable
set snmp traps trap linkUpLinkDown disable
set snmp traps trap lowDiskSpace disable
set snmp traps trap lowVoltage disable
set snmp traps trap overTemperature disable
set snmp traps trap powerSupplyFailure disable
set snmp traps trap raidVolumeState disable
set snmp traps trap vrrpv2AuthFailure disable
set snmp traps trap vrrpv2NewMaster disable
set snmp traps trap vrrpv3NewMaster disable
set snmp traps trap vrrpv3ProtoError disable
set dns primary 8.8.8.8
set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web daemon-enable on
set net-access telnet off
set inactivity-timeout 10
set timezone America / New_York
set format date dd-mmm-yyyy
set format time 24-hour
set format netmask Dotted
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set password-controls expiration-warning-days 7
set password-controls expiration-lockout-days never
set password-controls force-change-when no
set password-controls deny-on-nonuse enable false
set password-controls deny-on-nonuse allowed-days 365
set password-controls deny-on-fail enable false
set password-controls deny-on-fail failures-allowed 10
set password-controls deny-on-fail allow-after 1200
set ipv6-state off
add command tecli path /bin/tecli_start description "Threat Emulation Blade shell"
set ntp active on
set ntp server primary 10.9.1.5 version 1
set ntp server secondary 10.1.1.17 version 1
set aaa tacacs-servers state off
set aaa radius-servers super-user-uid 96
add user John uid 0 homedir /home/John
set user John gid 100 shell /etc/cli.sh
set user John password-hash $1$elk75EVv$JS.5C89qzA5nllgEedjGh/
set user admin shell /etc/cli.sh
set user admin password-hash $1$OadYapIm$QGqVCFYLWNvvcHWORFo0Y.
set user monitor shell /etc/cli.sh
set user monitor password-hash *
add rba user John roles adminRole
set hostname FW-CP1
set interface eth3 state on
add interface eth3 vlan 104
set interface eth3 state on
add interface eth3 vlan 106
set interface Mgmt link-speed 100M/full
set interface Mgmt state on
set interface Mgmt auto-negotiation on
set interface Mgmt ipv4-address 10.9.2.5 mask-length 24
set interface eth1 comments "Internet"
set interface eth1 link-speed 1000M/full
set interface eth1 state on
set interface eth1 auto-negotiation on
set interface eth1 mtu 1500
set interface eth1 ipv4-address 2.13.11.1 mask-length 29
set interface eth2 comments "Transfer"
set interface eth2 link-speed 100M/full
set interface eth2 state on
set interface eth2 auto-negotiation on
set interface eth2 mtu 1500
set interface eth2 ipv4-address 10.9.9.1 mask-length 24
set interface eth3 state on
set interface eth3.104 comments "Customers"
set interface eth3.104 state on
set interface eth3.104 ipv4-address 10.9.100.1 mask-length 24
set interface eth3.106 comments "Transmission 106"
set interface eth3.106 state on
set interface eth3.106 ipv4-address 10.9.102.1 mask-length 24
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8
set static-route default nexthop gateway address 20.15.11.7 priority 1 on
set static-route 10.0.0.0/8 nexthop gateway address 10.9.7.1 priority 1 on
set rip update-interval default
set rip expire-interval default
set rip auto-summary on
set management interface Mgmt
set ospf area backbone on
set lcd screensaver mode model
set lcd screensaver timeout 30

FW-CP1> save config

6. show arp dynamic all

CP-FW1> show arp dynamic all
Dynamic Arp Parameters

IP Address                 Mac Address                
192.168.20.2                    00:1B:54:13:98:41
192.168.20.250                  00:17:59:F3:7E:E0
10.1.1.36                       00:90:FB:2B:91:53
192.168.20.37                   00:90:0B:17:E5:66
172.17.3.88                     72:AC:19:9C:19:D0
172.17.3.42                     00:1C:7F:32:CC:12
172.17.3.83                     FE:4A:40:06:60:ED
172.17.3.6                      54:4A:00:19:AE:C0
172.17.3.43                     00:1C:7F:32:CC:12


CP-FW1> show arp static all
Static Arp Entries

IP Address                 MAC Address                

CP-FW1> show arp table validity-timeout
60
    
CP-FW1> show arp table cache-size 
1024
CP-FW1> 

7. set hostname

CP-FW1> set hostname firewall-test

8. set static-route 4.4.4.0/24 nexthop gateway address 7.7.7.6 on

CP-FW1> set static-route 4.4.4.0/24 nexthop gateway address 9.9.9.2 off 

// delete a route

CP-FW1> set static-route 4.4.4.0/24 off  

CP-FW1> set static-route 172.116.14.0/24 nexthop blackhole 

CP-FW1> set static-route 40.40.40.0/24 rank 2

FW-CP1>show route static
Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

S         0.0.0.0/0           via 20.13.11.7, eth1, cost 0, age 142743
S         10.9.8.0/24      via 10.9.9.7, eth2, cost 0, age 77668
                                  Infra
S         10.9.13.0/24      via 10.9.9.7, eth2, cost 0, age 77668
                                  Customers
S         10.0.0.0/8          via 10.9.7.1, Mgmt, cost 0, age 105717
S         1.24.7.9/32      via 10.9.10.21, eth3.102, cost 0, age 80698
                                  Test1



9. set date 2012-08-10


10. reboot & halt

11. fw unloadlocal

Unload the local firewall policy from the appliance.

12. cpstop / cpstart

13. fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) R75.40 - Build 275

14. cpstat

FW-CP1> cpstat os
Product Name:                  SVN Foundation
SVN Foundation Version String: R77.20
SVN Foundation Build Number:   990170256
SVN Foundation Status:         OK
OS Name:                       Gaia
OS Major Version:              2
OS Minor Version:              6
OS Build Number:               -
OS SP Major:                   -
OS SP Minor:                   -
OS Version Level:
Appliance SN:                  338B04265
Appliance Name:                Check Point 4200
Appliance Manufacture:         CheckPoint

15. Increase the session timeout

This is especially useful before performing an upgrade, so that the WebUI and CLI sessions do not expire part-way through.

set web session-timeout 1440
set inactivity-timeout 720
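The long timeouts above are easy to forget after the upgrade, and the same goes for a few other settings in the show configuration export in step 5 (the default SNMP community, any-host allowed clients, weak password controls). As an added example that is not part of the original post, the script below audits a saved export for those settings; the thresholds are this example's choices, not Gaia defaults, and the sample config is a constructed excerpt modelled on the export above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a saved Gaia
# "show configuration" export for settings a security reviewer would flag,
# including the long timeouts from step 15 if they were never set back.
# Live use:  clish -c "show configuration" > gaia.cfg; audit_gaia_config < gaia.cfg

# Constructed excerpt modelled on the export shown earlier in the post.
SAMPLE_CFG='set snmp agent off
set snmp community public read-only
add allowed-client host any-host
set net-access telnet off
set web session-timeout 1440
set inactivity-timeout 720
set password-controls min-password-length 6
set password-controls password-expiration never
set password-controls deny-on-fail enable false'

# Reads clish config lines on stdin; prints one "WEAK: ..." line per finding
# and a final "findings: N". Thresholds are this example's choices.
audit_gaia_config() {
    awk '
    # Collect the values first; the order of lines in an export is not guaranteed.
    /^set net-access telnet /                      { telnet = $4 }
    /^set snmp agent /                             { snmp = $4 }
    /^set snmp community public /                  { public = 1 }
    /^add allowed-client host any-host$/           { any_host = 1 }
    /^set password-controls min-password-length /  { minlen = $4 }
    /^set password-controls password-expiration /  { expiry = $4 }
    /^set password-controls deny-on-fail enable /  { lockout = $5 }
    /^set web session-timeout /                    { web_to = $4 }
    /^set inactivity-timeout /                     { cli_to = $3 }
    function weak(msg) { n++; print "WEAK: " msg }
    END {
        if (telnet == "on")          weak("telnet enabled; use SSH only")
        if (snmp == "on" && public)  weak("SNMP agent on with default community \"public\"")
        if (any_host)                weak("allowed-client is any-host; restrict management access to admin hosts")
        if (minlen != "" && minlen + 0 < 12)
                                     weak("min-password-length " minlen " (below 12)")
        if (expiry == "never")       weak("passwords never expire")
        if (lockout == "false")      weak("no lockout on failed logins (deny-on-fail)")
        if (web_to + 0 > 60)         weak("web session-timeout " web_to " min; reset after upgrade")
        if (cli_to + 0 > 60)         weak("inactivity-timeout " cli_to " min; reset after upgrade")
        print "findings: " n + 0
    }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_CFG" | audit_gaia_config
```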

16. vmstat - Information about processes, memory, paging, block IO, traps, and CPU activity.


FW-CP1> vmstat 1 | awk '{now=strftime("%Y-%m-%d %T "); print now $0}'
2014-10-29 09:26:47 procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
2014-10-29 09:26:47 r b swpd free buff cache si so bi bo in cs us sy id wa st
2014-10-29 09:26:47 1 0 448004 10748 1928 126520 10 13 53 581 118 155 8 11 81 1 0
2014-10-29 09:26:49 1 0 448004 10748 1936 126520 0 0 0 84 1123 2197 5 10 84 0 0
2014-10-29 09:26:51 1 0 448004 10780 1936 126520 0 0 0 0 1123 2145 3 6 92 0 0
2014-10-29 09:26:53 1 0 448004 10500 1944 126512 0 0 0 82 1123 2204 6 13 82 0 0
2014-10-29 09:26:55 1 0 448004 10500 1944 126520 0 0 0 0 1125 2139 6 11 84 0 0

17. CPView - Check Point and System Online Statistics Info

cpview is a handy tool for gathering system information and statistics; it was introduced in R77.


[Expert@CP-1:0]# cpview
Initializing…Server Connection Menu for your Master Terminal Server
|------------------------------------------------------------------------------|
| CPVIEW.Overview                                           16Aug2015 10:45:42 |
|------------------------------------------------------------------------------|
| Overview SysInfo Traffic I/S Software-blades                                 |
|------------------------------------------------------------------------------|
| CPU:                                                                         |
|                                                                              |
| Num of CPUs:      1                                                          |
|                                                                              |
|       CPU      Used                                                          |
|         0        0%                                                          |
| ---------------------------------------------------------------------------- |
| Memory:                                                                      |
|                                                                              |
|            Total MB   Used MB   Free MB                                      |
| Physical        934       684       250                                      |
| FW Kernel       696        62       634                                      |
| Swap          2,047         0     2,047                                      |
| ---------------------------------------------------------------------------- |
| Traffic counters:                                                            |
|                                                                              |
| Throughput                930bps                                             |
| Packet rate                 1pps                                             |
| Connection rate             0cps                                             |
| Concurrent conns           42                                                |
| ---------------------------------------------------------------------------- |
| Disk space (top 3 used partitions):                                          |
|                                                                              |
| Partition  Total MB   Used MB   Free MB                                      |
| /boot           144       105        31                                      |
| /             8,063     4,928     2,725                                      |
| /var/log     60,475     6,665    50,738                                      |
| ---------------------------------------------------------------------------- |
| Events:                                                                      |
|                                                                              |
| # of monitored daemons crashed since last cpstart         0                  |
|                                                                              |
|                                                                              |
|------------------------------------------------------------------------------|

18. TOP

[Expert@CP-M-DMZ:0]# top 
top - 10:17:21 up 10 days, 24 min,  1 user,  load average: 0.35, 0.26, 0.26
Tasks:  83 total,   2 running,  81 sleeping,   0 stopped,   0 zombie
Cpu(s):  6.6%us,  9.9%sy,  0.0%ni, 83.2%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND             
 5468 admin     21   0 67728 6832 3996 S  1.7  0.7 198:41.66 DAService           
 3966 admin     15   0 32900  13m 8804 S  0.3  1.5  52:12.94 confd               
 4005 admin     15   0 30600  11m 8764 S  0.3  1.2  58:01.37 snmpd               
    1 admin     15   0  2040  648  560 S  0.0  0.1   0:01.09 init                   
    2 admin     RT  -5     0    0    0 S  0.0  0.0   0:00.00 migration/0       
    3 admin     15   0     0    0    0 S  0.0  0.0   0:00.18 ksoftirqd/0         
    4 admin     RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0          
    5 admin     10  -5     0    0    0 S  0.0  0.0   0:00.27 events/0            
    6 admin     10  -5     0    0    0 S  0.0  0.0   0:00.04 khelper            
    7 admin     10  -5     0    0    0 S  0.0  0.0   0:00.00 kthread             
    8 admin     RT  -5     0    0    0 S  0.0  0.0   0:00.00 kmem_kthread        
   11 admin     10  -5     0    0    0 S  0.0  0.0   0:00.09 kblockd/0           
   12 admin     20  -5     0    0    0 S  0.0  0.0   0:00.00 kacpid              
  113 admin     20  -5     0    0    0 S  0.0  0.0   0:00.00 cqueue/0               
  116 admin     10  -5     0    0    0 S  0.0  0.0   0:00.00 khubd               
  118 admin     10  -5     0    0    0 S  0.0  0.0   0:00.00 kseriod             
  178 admin     15   0     0    0    0 S  0.0  0.0   0:00.96 pdflush             
  179 admin     15   0     0    0    0 S  0.0  0.0   0:00.01 pdflush             
  180 admin     17  -5     0    0    0 S  0.0  0.0   0:00.55 kswapd0             
  181 admin     20  -5     0    0    0 S  0.0  0.0   0:00.00 aio/0               
  344 admin     11  -5     0    0    0 S  0.0  0.0   0:00.00 kpsmoused           
  369 admin     14  -5     0    0    0 S  0.0  0.0   0:00.00 ata/0               


By default, top sorts by PID. Type O (upper case) to open the Sort Change window, then pick the field you want to sort by. K for %CPU and n for %MEM are the most useful sort fields.


Current Sort Field:  K  for window 1:Def
Select sort field via field letter, type any other key to return 
  a: PID        = Process Id
  b: PPID       = Parent Process Pid
  c: RUSER      = Real user name
  d: UID        = User Id
  e: USER       = User Name
  f: GROUP      = Group Name
  g: TTY        = Controlling Tty
  h: PR         = Priority
  i: NI         = Nice value
  j: P          = Last used cpu (SMP)
* K: %CPU       = CPU usage
  l: TIME       = CPU Time
  m: TIME+      = CPU Time, hundredths
  n: %MEM       = Memory usage (RES)
  o: VIRT       = Virtual Image (kb)
  p: SWAP       = Swapped size (kb)
  q: RES        = Resident size (kb)
  r: CODE       = Code size (kb)
  s: DATA       = Data+Stack size (kb)
  t: SHR        = Shared Mem size (kb)
  u: nFLT       = Page Fault count
  v: nDRT       = Dirty Pages count
  w: S          = Process Status
  x: COMMAND    = Command name/line
  y: WCHAN      = Sleeping in Function
  z: Flags      = Task Flags <sched.h>
Note1:
  If a selected sort field can't be
  shown due to screen width or your
  field order, the '<' and '>' keys
  will be unavailable until a field
  within viewable range is chosen.
Note2:
  Field sorting uses internal values,
  not those in column display.  Thus,
  the TTY & WCHAN fields will violate
  strict ASCII collating sequence.
  (shame on you if WCHAN is chosen)

In the top window, typing lower case o opens the Field Define window, and h opens the help window.


19. Check Point Visio Stencils for Download
Check Point has released stencils for its new products for public download; no Check Point account is needed. Some old models are not included. The following appliances are included in this 3 MB file:

  • 2200
  • 3200
  • 4000
  • 5000
  • 12000
  • 13000
  • 15000
  • 21000
  • 23000
  • 41000-61000
  • Accessories
  • SandBlast
  • Smart-1
  • SMB-ROBO

Check Point SK Link sk101866.

Here is Download Link from Check Point Website: http://dl3.checkpoint.com/paid/90/902caf44a13d71e91a35315e4a28caa8/CheckPoint_Stencils_for_Visio.zip?HashKey=1480871979_bb9dd6cf9a98c6bf41f3cd1fd147c855&xtn=.zip

20. Check Point R77.30 & R80 Gaia Videos:

Check Point R77.30 Lab Series 1 – Installing Management Server (51sec) 

Check Point R77.30 Lab Series 2 – Installing Gaia Cluster Gateways (51sec)

Check Point R77.30 Lab Series 3 – Clustering : First Time Wizard and Management

Check Point R80 Management Installation in VMware Part 1 - Installation and First Time Wizard
Check Point R80 Management Installation in VMware Part 2 - SmartConsole
Check Point R80 Management Installation in VMware Part 3 - Dashboard

Note: I have moved some advanced Checkpoint CLI commands into another post, please check “Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)” in this blog.



  1. Anonymous

    What is a default expert mode password right after installation?

  2. There is no default expert mode password. You need to set the expert mode password using SG> set expert mode password

  3. Anonymous

    None, it will ask you to enter the password when you will try to enter expert mode first time.


  5. Use the following command to set the expert password in a Gaia system:
    HostName> set expert-password plain

    If it is asking for your current password, that means somebody has set it before. Use 'show configuration' to check the configuration.

  6. I am not sure if this command and output from one of firewalls will help you:

    Pub-cp2> cplic print
    Host Expiration Features
    10.9.2.37 never CPAP-SG27X CPSG-PPK CPSB-FW CPSM-C-2 CPEP-SA-5 CPSB-VPN CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-IPS-S1 CK-00-90-FB-35-1A-42
    10.9.2.37 never CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-34-9C-05
    10.9.2.37 never cpap-sg420x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-apcl-s1 CK-00-1C-7F-34-9C-05
    10.9.2.37 never CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-32-CC-15

    Contract Coverage:

    # ID Expiration SKU
    ===+===========+============+====================
    1 | A12585 | 27Feb2016 | CPES-SS-STANDARD-ONSITE-ADD
       +-----------+------------+--------------------
    |Covers: CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-32-CC-15
    ===+===========+============+====================
    2 | Y580QQ | 1Aug2016 | CPCES-CO-STANDARD-ADD
       +-----------+------------+--------------------
    |Covers: CPAP-SG27X CPSG-PPK CPSB-FW CPSM-C-2 CPEP-SA-5 CPSB-VPN CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-IPS-S1 CK-00-90-FB-35-1A-42
    ===+===========+============+====================
    3 | T8HPP6 | 27Feb2016 | CPES-SS-STANDARD-ONSITE-ADD
       +-----------+------------+--------------------
    |Covers: cpap-sg420x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-apcl-s1 CK-00-1C-7F-34-9C-05
    | CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-34-9C-05
    ===+===========+============+====================
    4 | E3544P | 27Feb2016 | CPSB-IPS-S-1Y
       +-----------+------------+--------------------
    |Covers: CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-32-CC-15
    ===+===========+============+====================
    5 | W8HTY42 | 27Feb2016 | CPSB-IPS-S-1Y
       +-----------+------------+--------------------
    |Covers: cpap-sg420x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-apcl-s1 CK-00-1C-7F-34-9C-05
    | CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-34-9C-05
    ===+===========+============+====================
    6 | Y7A21RH | 27Feb2016 | CPSB-APCL-S-1Y
       +-----------+------------+--------------------
    |Covers: cpap-sg420x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-apcl-s1 CK-00-1C-7F-34-9C-05
    | CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-34-9C-05
    ===+===========+============+====================
    7 | IT1141 | 1Aug2016 | CPSB-IPS-S-1Y
       +-----------+------------+--------------------
    |Covers: CPAP-SG27X CPSG-PPK CPSB-FW CPSM-C-2 CPEP-SA-5 CPSB-VPN CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-IPS-S1 CK-00-90-FB-35-1A-42
    ===+===========+============+====================
    8 | 9563S5 | 27Feb2016 | CPSB-APCL-S-1Y
       +-----------+------------+--------------------
    |Covers: CPAP-SG420X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-32-CC-15
    ===+===========+============+====================

  7. Hi people... Nice work you have here... I need the command to set an interface to default, removing the values assigned to the interface via Checkpoint CLI. Please help, anyone.
