This post summarises some basic but useful Gaia CLI (clish) commands as a daily working reference, especially for those who are just starting to configure Check Point Gaia products.
For some advanced usage, please check another post “Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)” in this blog.
1. show version all
FW-CP1> show version all
Product version Check Point Gaia R77.20
OS build 124
OS kernel version 2.6.18-92cp
OS edition 32-bit
2. show interface DMZ / show interfaces
FW-CP1> show interface DMZ
state on
mac-addr 00:1c:7f:37:9e:b9
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 100M
ipv6-autoconfig Not configured
duplex full
monitor-mode Not configured
link-speed 100M/full
comments
ipv4-address 10.91.72.15/24
ipv6-address Not Configured
ipv6-local-link-address Not Configured

Statistics:
TX bytes:130970299 packets:1278980 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:391610509 packets:1382114 errors:0 dropped:0 overruns:0 frame:0

FW-CP1> show interfaces
Mgmt
eth1
eth2
eth3
eth3.100
eth3.102
lo
3. set interface DMZ ipv4-address 40.40.40.1 subnet-mask 255.255.255.0
set interface DMZ state on
Note: on a firewall running as a virtual machine only eth0 is on by default; bring the other interfaces up with set interface <name> state on. Changes made in clish take effect immediately but are only written to the configuration database, and so survive a reboot, once you run save config.
4. add interface lo loopback 10.10.19.1/24
delete interface lo loopback loop01
5. show configuration
Prints the whole Gaia OS configuration as the clish commands that would recreate it (the firewall policy is not part of this; it lives on the management server). Note that the export contains the expert password hash and every user's password-hash, so treat a saved copy like a password file: anyone who can read it can crack the MD5-crypt ($1$) hashes offline.
FW-CP1> show configuration
#
# Configuration of FW-CP1
# Language version: 12.1v1
#
# Exported by admin on Fri May 15 13:51:26 2015
#
set max-path-splits 8
set tracefile maxnum 10
set tracefile size 1
set expert-password-hash $1$BBBNBcBB$BdeldpEXBxaayLxqIsKNn.
add dhcp client interface eth3
set dhcp client interface eth3 timeout 60
set dhcp client interface eth3 retry 300
set dhcp client interface eth3 reboot 10
add allowed-client host any-host
set core-dump enable
set core-dump total 1000
set core-dump per_process 2
set message caption off
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set clienv debug 0
set clienv echo-cmd off
set clienv output pretty
set clienv prompt "%M"
set clienv rows 63
set clienv syntax-check off
set arp table cache-size 4096
set arp table validity-timeout 60
set arp announce 2
set edition 32-bit
set snmp agent off
set snmp agent-version any
set snmp community public read-only
set snmp traps trap authorizationError disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable
set snmp traps trap configurationSave disable
set snmp traps trap fanFailure disable
set snmp traps trap highVoltage disable
set snmp traps trap linkUpLinkDown disable
set snmp traps trap lowDiskSpace disable
set snmp traps trap lowVoltage disable
set snmp traps trap overTemperature disable
set snmp traps trap powerSupplyFailure disable
set snmp traps trap raidVolumeState disable
set snmp traps trap vrrpv2AuthFailure disable
set snmp traps trap vrrpv2NewMaster disable
set snmp traps trap vrrpv3NewMaster disable
set snmp traps trap vrrpv3ProtoError disable
set dns primary 8.8.8.8
set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web daemon-enable on
set net-access telnet off
set inactivity-timeout 10
set timezone America / New_York
set format date dd-mmm-yyyy
set format time 24-hour
set format netmask Dotted
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set password-controls expiration-warning-days 7
set password-controls expiration-lockout-days never
set password-controls force-change-when no
set password-controls deny-on-nonuse enable false
set password-controls deny-on-nonuse allowed-days 365
set password-controls deny-on-fail enable false
set password-controls deny-on-fail failures-allowed 10
set password-controls deny-on-fail allow-after 1200
set ipv6-state off
add command tecli path /bin/tecli_start description "Threat Emulation Blade shell"
set ntp active on
set ntp server primary 10.9.1.5 version 1
set ntp server secondary 10.1.1.17 version 1
set aaa tacacs-servers state off
set aaa radius-servers super-user-uid 96
add user John uid 0 homedir /home/John
set user John gid 100 shell /etc/cli.sh
set user John password-hash $1$elk75EVv$JS.5C89qzA5nllgEedjGh/
set user admin shell /etc/cli.sh
set user admin password-hash $1$OadYapIm$QGqVCFYLWNvvcHWORFo0Y.
set user monitor shell /etc/cli.sh
set user monitor password-hash *
add rba user John roles adminRole
set hostname FW-CP1
set interface eth3 state on
add interface eth3 vlan 104
set interface eth3 state on
add interface eth3 vlan 106
set interface Mgmt link-speed 100M/full
set interface Mgmt state on
set interface Mgmt auto-negotiation on
set interface Mgmt ipv4-address 10.9.2.5 mask-length 24
set interface eth1 comments "Internet"
set interface eth1 link-speed 1000M/full
set interface eth1 state on
set interface eth1 auto-negotiation on
set interface eth1 mtu 1500
set interface eth1 ipv4-address 2.13.11.1 mask-length 29
set interface eth2 comments "Transfer"
set interface eth2 link-speed 100M/full
set interface eth2 state on
set interface eth2 auto-negotiation on
set interface eth2 mtu 1500
set interface eth2 ipv4-address 10.9.9.1 mask-length 24
set interface eth3 state on
set interface eth3.104 comments "Customers"
set interface eth3.104 state on
set interface eth3.104 ipv4-address 10.9.100.1 mask-length 24
set interface eth3.106 comments "Transmission 106"
set interface eth3.106 state on
set interface eth3.106 ipv4-address 10.9.102.1 mask-length 24
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8
set static-route default nexthop gateway address 20.15.11.7 priority 1 on
set static-route 10.0.0.0/8 nexthop gateway address 10.9.7.1 priority 1 on
set rip update-interval default
set rip expire-interval default
set rip auto-summary on
set management interface Mgmt
set ospf area backbone on
set lcd screensaver mode model
set lcd screensaver timeout 30

FW-CP1> save config
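Because the export above is plain one-command-per-line text, it is easy to audit offline. The following is an added example (not part of the original post and not a Check Point tool) that reads a `show configuration` export and flags the items a reviewer would look at first: password hashes present in the export, telnet state, SNMP community strings, management access from any host, a long WebUI session timeout and weak password-controls. The sample export is constructed from the settings shown on the page, and the two thresholds are assumptions of the example.

```python
"""Audit a Gaia `show configuration` export for settings worth a second look.

Added example, not the post's own material and not Check Point tooling. It reads
the one-command-per-line text that `show configuration` prints and flags:
password hashes present in the export, telnet enabled, SNMP community strings,
management access from any host, a long WebUI session timeout, and weak
password-controls. The two thresholds below are assumptions of this example.
"""
from collections import Counter

MIN_PASSWORD_LENGTH = 8       # assumed audit threshold
MAX_WEB_SESSION_MINUTES = 60  # assumed audit threshold

# Constructed sample in the format `show configuration` prints (values from the page)
SAMPLE_EXPORT = """\
#
# Configuration of FW-CP1
#
set expert-password-hash $1$BBBNBcBB$BdeldpEXBxaayLxqIsKNn.
add allowed-client host any-host
set snmp agent off
set snmp community public read-only
set web session-timeout 10
set net-access telnet off
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls password-expiration never
set password-controls deny-on-fail enable false
add user John uid 0 homedir /home/John
set user John password-hash $1$elk75EVv$JS.5C89qzA5nllgEedjGh/
set user admin password-hash $1$OadYapIm$QGqVCFYLWNvvcHWORFo0Y.
set user monitor password-hash *
"""


def parse_export(text):
    """Split the export into token lists, dropping blank lines and '#' comments."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit_export(text):
    """Return (category, detail) findings in the order they appear in the export."""
    findings = []
    for t in parse_export(text):
        if t[:2] == ["set", "user"] and "password-hash" in t:
            h = t[t.index("password-hash") + 1]
            if h != "*":  # "*" means the account has no usable password
                algo = "md5-crypt" if h.startswith("$1$") else "other"
                findings.append(("password-hash", f"user {t[2]}: {algo} hash in export"))
        elif t[:2] == ["set", "expert-password-hash"]:
            findings.append(("password-hash", "expert password hash in export"))
        elif t[:3] == ["set", "net-access", "telnet"] and t[-1] == "on":
            findings.append(("telnet", "telnet enabled"))
        elif t[:3] == ["set", "snmp", "community"] and len(t) >= 5:
            findings.append(("snmp", f"community '{t[3]}' {t[4]}"))
        elif t[:2] == ["add", "allowed-client"] and t[-1] == "any-host":
            findings.append(("allowed-client", "management access allowed from any host"))
        elif (t[:3] == ["set", "web", "session-timeout"] and t[-1].isdigit()
              and int(t[-1]) > MAX_WEB_SESSION_MINUTES):
            findings.append(("web", f"session-timeout {t[-1]} minutes"))
        elif t[:2] == ["set", "password-controls"] and len(t) >= 4:
            key, val = t[2], t[-1]
            if key == "min-password-length" and val.isdigit() and int(val) < MIN_PASSWORD_LENGTH:
                findings.append(("password-controls", f"min-password-length {val}"))
            elif key == "password-expiration" and val == "never":
                findings.append(("password-controls", "passwords never expire"))
            elif key == "deny-on-fail" and t[3] == "enable" and val == "false":
                findings.append(("password-controls", "no lockout after failed logins"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'password-hash': 3, ...}."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    for cat, detail in audit_export(SAMPLE_EXPORT):
        print(f"[{cat}] {detail}")
```

On the page's own export this reports the three MD5-crypt hashes, the any-host allowed-client entry, the public community string and the three weak password-controls; the monitor account is skipped because its hash is `*`. Feed it a real export with `clish -c "show configuration" > export.txt` on the gateway (the export still contains the hashes, so delete it when done).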
6. show arp dynamic all
CP-FW1> show arp dynamic all
Dynamic Arp Parameters
IP Address        Mac Address
192.168.20.2      00:1B:54:13:98:41
192.168.20.250    00:17:59:F3:7E:E0
10.1.1.36         00:90:FB:2B:91:53
192.168.20.37     00:90:0B:17:E5:66
172.17.3.88       72:AC:19:9C:19:D0
172.17.3.42       00:1C:7F:32:CC:12
172.17.3.83       FE:4A:40:06:60:ED
172.17.3.6        54:4A:00:19:AE:C0
172.17.3.43       00:1C:7F:32:CC:12

CP-FW1> show arp static all
Static Arp Entries
IP Address        MAC Address

CP-FW1> show arp table validity-timeout
60
CP-FW1> show arp table cache-size
1024
Note that 172.17.3.42 and 172.17.3.43 above resolve to the same MAC. That is normal for a host with a secondary address or a cluster virtual IP, but the same pattern, or an IP whose MAC changes between two looks, is also the classic sign of ARP spoofing on the segment, so it is worth confirming which it is.
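The check just described can be scripted. The following is an added example (not from the original post or from Check Point) that parses the two-column listing `show arp dynamic all` prints, lists MAC addresses that more than one IP resolves to, and compares two snapshots to catch an IP whose MAC has changed. The sample table is constructed from entries shown on the page.

```python
"""Spot ARP-table anomalies in `show arp dynamic all` output.

Added example, not from the original post or Check Point. It parses the
two-column listing the command prints, reports MACs that more than one IP
resolves to (a secondary address or cluster VIP is the benign explanation;
unexpected sharing is the classic ARP-spoofing sign), and diffs two snapshots
to catch an IP whose MAC changed. Sample data is constructed from the page.
"""
import re
from collections import defaultdict

# One entry line: dotted-quad IP, whitespace, colon-separated MAC
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*$")

# Constructed sample in the layout of `show arp dynamic all`
SAMPLE_ARP = """\
Dynamic Arp Parameters
IP Address        Mac Address
192.168.20.2      00:1B:54:13:98:41
192.168.20.250    00:17:59:F3:7E:E0
172.17.3.42       00:1C:7F:32:CC:12
172.17.3.83       FE:4A:40:06:60:ED
172.17.3.43       00:1C:7F:32:CC:12
"""


def parse_arp(text):
    """Return {ip: MAC} from the command output; header and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).upper()
    return table


def shared_macs(table):
    """MACs that more than one IP resolves to, mapped to the sorted list of IPs."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_macs(before, after):
    """IPs present in both snapshots whose MAC differs: {ip: (old, new)}."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    for mac, ips in shared_macs(table).items():
        print(f"{mac} is claimed by {', '.join(ips)}")
```

In practice, capture the table twice with `clish -c "show arp dynamic all"` a few minutes apart and pass both through `changed_macs`; a gateway or default-gateway IP that suddenly maps to a new MAC deserves immediate attention.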
7. set hostname
CP-FW1> set hostname firewall-test
8. set static-route 4.4.4.0/24 nexthop gateway address 7.7.7.6 on
CP-FW1> set static-route 4.4.4.0/24 nexthop gateway address 9.9.9.2 off    // remove this nexthop (deletes the route if it was the only one)
CP-FW1> set static-route 4.4.4.0/24 off                                     // delete the route
CP-FW1> set static-route 172.116.14.0/24 nexthop blackhole                  // blackhole route: traffic to the prefix is discarded
CP-FW1> set static-route 40.40.40.0/24 rank 2

FW-CP1> show route static
Codes: C - Connected, S - Static, R - RIP, B - BGP, O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed, U - Unreachable, i - Inactive

S       0.0.0.0/0       via 20.13.11.7, eth1, cost 0, age 142743
S       10.9.8.0/24     via 10.9.9.7, eth2, cost 0, age 77668       Infra
S       10.9.13.0/24    via 10.9.9.7, eth2, cost 0, age 77668       Customers
S       10.0.0.0/8      via 10.9.7.1, Mgmt, cost 0, age 105717
S       1.24.7.9/32     via 10.9.10.21, eth3.102, cost 0, age 80698 Test1
9. set date 2012-08-10
10. reboot & halt
11. fw unloadlocal
Unloads the local security policy from the appliance. The gateway then enforces no rulebase at all, so run it from the console or when the gateway is isolated, and re-install policy (for example fw fetch localhost, which reloads the last installed policy from local storage) as soon as the troubleshooting is done.
12. cpstop / cpstart
cpstop stops all Check Point services on the gateway and cpstart starts them again; the Gaia OS itself stays up. Version banner seen on this gateway:
This is Check Point VPN-1(TM) & FireWall-1(R) R75.40 - Build 275
14. cpstat
FW-CP1> cpstat os
Product Name:                  SVN Foundation
SVN Foundation Version String: R77.20
SVN Foundation Build Number:   990170256
SVN Foundation Status:         OK
OS Name:                       Gaia
OS Major Version:              2
OS Minor Version:              6
OS Build Number:               -
OS SP Major:                   -
OS SP Minor:                   -
OS Version Level:
Appliance SN:                  338B04265
Appliance Name:                Check Point 4200
Appliance Manufacture:         CheckPoint
15. Increase session time-out
Useful before an upgrade, so that the WebUI and CLI sessions do not expire half-way through. Both values are in minutes; run save config if the change should survive a reboot, and put the defaults back (the export above shows 10 for both) once the upgrade is done, since a long idle timeout on a management session is a risk in itself.
set web session-timeout 1440
set inactivity-timeout 720
16. vmstat: information about processes, memory, paging, block I/O, traps and CPU activity. Piping it through awk prefixes every sample with a timestamp, which is handy when collecting during a problem window.
FW-CP1> vmstat 1 | awk '{now=strftime("%Y-%m-%d %T "); print now $0}'
2014-10-29 09:26:47 procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
2014-10-29 09:26:47  r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
2014-10-29 09:26:47  1  0 448004  10748   1928 126520   10   13    53   581  118  155  8 11 81  1  0
2014-10-29 09:26:49  1  0 448004  10748   1936 126520    0    0     0    84 1123 2197  5 10 84  0  0
2014-10-29 09:26:51  1  0 448004  10780   1936 126520    0    0     0     0 1123 2145  3  6 92  0  0
2014-10-29 09:26:53  1  0 448004  10500   1944 126512    0    0     0    82 1123 2204  6 13 82  0  0
2014-10-29 09:26:55  1  0 448004  10500   1944 126520    0    0     0     0 1125 2139  6 11 84  0  0
17. cpview
An interactive top-like view of CPU, memory, traffic counters, disk and software-blade status, run from expert mode:
[Expert@FW-CP1:0]# cpview
Initializing...
|------------------------------------------------------------------------------|
| CPVIEW.Overview                                          16Aug2015 10:45:42 |
|------------------------------------------------------------------------------|
| Overview   SysInfo   Traffic   I/S   Software-blades                         |
|------------------------------------------------------------------------------|
| CPU:                                                                         |
|                                                                              |
|   Num of CPUs: 1                                                             |
|                                                                              |
|          CPU   Used                                                          |
|            0     0%                                                          |
| ---------------------------------------------------------------------------- |
| Memory:                                                                      |
|                                                                              |
|              Total MB   Used MB   Free MB                                    |
|   Physical        934       684       250                                    |
|   FW Kernel       696        62       634                                    |
|   Swap          2,047         0     2,047                                    |
| ---------------------------------------------------------------------------- |
| Traffic counters:                                                            |
|                                                                              |
|   Throughput           930bps                                                |
|   Packet rate            1pps                                                |
|   Connection rate        0cps                                                |
|   Concurrent conns         42                                                |
| ---------------------------------------------------------------------------- |
| Disk space (top 3 used partitions):                                          |
|                                                                              |
|   Partition   Total MB   Used MB   Free MB                                   |