Check Point CLI

Check Point appliances have a CLI, and we need to know the basics for certain situations, such as restoring a policy after we pushed a wrong one and the management server can no longer communicate with the gateway. We may also want to check Linux-related things on the appliance, such as ARP, ifconfig and routing. There are also some Check Point commands that can be helpful, like the one for restoring the SIC connection. But the ultimate reason to know the basics of the Check Point CLI is to be able to recover the appliance when you can log in to the gateway only via the console.

There are two modes of operation in the Check Point CLI:

  • CLISH/Super Shell ">" – this is the Check Point shell; if you see the "username>" prompt, you are in clish
  • Linux Bash "#" – you get in by typing expert in CLISH; you have to configure a password before you log in to expert mode
  • See the picture. The pound symbol # is just a comment, as you can see. Check Point treats it as a comment and doesn't process it, however you read it!

Gateway CLI


To check the status of SIC, use "cp_conf sic state". To restore SIC communication, type "cpconfig" and choose from the menu. SIC is menu 5.


To see all licensed features and their expiration dates, just type "cplic print". To see the build number and the status of the OS, just type "cpstat os".
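Expired licenses are easy to miss when reading that listing by eye, so here is an added example (not part of the original post and not Check Point code) that parses saved "cplic print" text and flags licenses that are expired or about to expire. The three-column layout (Host, Expiration, Features), the ddMonYYYY date form and the feature names are assumptions, and the sample input is constructed.

```python
from datetime import date, datetime

# Constructed sample; column layout and feature names are assumptions,
# not output taken from a real gateway.
SAMPLE = """\
Host             Expiration  Features
10.1.1.1         never       BLADE-FW CK-000000000000
10.1.1.1         15Mar2024   BLADE-IPS CK-000000000000
10.1.1.1         01Feb2024   BLADE-URLF CK-000000000000
10.1.1.1         20Dec2025   BLADE-IA CK-000000000000

Contract Coverage:
"""


def parse_licenses(text):
    """Return (host, expiry, features) rows; expiry is None for 'never'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Host":
            continue  # header, blank lines, section titles
        host, raw, features = parts[0], parts[1], parts[2:]
        if raw.lower() == "never":
            expiry = None
        else:
            try:
                expiry = datetime.strptime(raw, "%d%b%Y").date()
            except ValueError:
                continue  # second column is not a date: not a license row
        rows.append((host, expiry, features))
    return rows


def expiring(rows, today, warn_days=30):
    """Rows already expired or expiring within warn_days, soonest first."""
    hits = []
    for host, expiry, features in rows:
        if expiry is None:
            continue  # permanent license
        days_left = (expiry - today).days
        if days_left <= warn_days:
            status = "EXPIRED" if days_left < 0 else "EXPIRING"
            hits.append((status, days_left, host, features[0]))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for status, days, host, feat in expiring(parse_licenses(SAMPLE), date(2024, 3, 1)):
        print(f"{status:9} {days:>5}d  {host}  {feat}")
```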

If you are troubleshooting Identity Awareness in the CLI and want to see who is allowed to pass through the Check Point gateway, i.e. you want to see the IP-to-username association, you can use a very useful command: "pdp monitor client_type portal". PDP is the process responsible for Identity Awareness, which is why the command is named like this. You can also type "pdp monitor ip 10.1.1.50" to see which user is behind this IP. You can also revoke a specific IP address with the command "pdp control revoke_ip 10.1.1.50".


Another cool feature is capturing traffic with the "fw monitor" command. As you can see from the picture below, we want to capture just 40 bytes of each packet and store the output in the capture.pcap file.


Manager CLI

Some of the commands work in both the supershell and bash, for example "fw stat", "fw ver" and "fw getifs" (get interfaces). You can also log in to the CLI of the management server itself. There you can add users from the CLI, delete them, or even create a backup, which is very important if you mess something up and want to roll back. Here is the screen of the CLI on the management server.


If you want to restore a backup, just enter "set backup restore local" in supershell mode and press TAB for autocomplete.


If you want to work with database revisions in the Manager as you do in the GUI, you can do that in the CLI as well. You need to go to bash and then enter the "dbver" command. You enter the dbver console and just follow the help shown in the CLI. As you see, you can create, delete, import and export databases… Check the screen.


You can also list all available stored databases with the simple command "print_all", as you see from the picture above. The logs are stored on the Manager under the /$FWDIR/log folder. List the content of the folder with ls in bash.