
This post summarises some basic but useful CLI commands for daily working reference, especially for those who are just starting to configure Check Point Gaia products.

For some advanced usage, please check another post, “Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)”, in this blog.

1. show version all

FW-CP1> show version all
Product version Check Point Gaia R77.20
OS build 124
OS kernel version 2.6.18-92cp
OS edition 32-bit

2. show interface DMZ / show interfaces

FW-CP1> show interface DMZ
state on
mac-addr 00:1c:7f:37:9e:b9
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 100M
ipv6-autoconfig Not configured
duplex full
monitor-mode Not configured
link-speed 100M/full
ipv6-address Not Configured
ipv6-local-link-address Not Configured

TX bytes:130970299 packets:1278980 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:391610509 packets:1382114 errors:0 dropped:0 overruns:0 frame:0

FW-CP1> show interfaces

3. set interface DMZ ipv4-address subnet-mask

set interface DMZ state on

Note: if you are running the firewall in a virtual machine, only the eth0 interface is on by default.

4. add interface lo loopback

add interface lo loopback 2010:10:99::1/64
delete interface lo loopback loop01
5. Show configuration and Save Config

FW-CP1> show configuration
# Configuration of FW-CP1
# Language version: 12.1v1
# Exported by admin on Fri May 15 13:51:26 2015
set max-path-splits 8
set tracefile maxnum 10
set tracefile size 1
set expert-password-hash $1$BBBNBcBB$BdeldpEXBxaayLxqIsKNn.
add dhcp client interface eth3
set dhcp client interface eth3 timeout 60
set dhcp client interface eth3 retry 300
set dhcp client interface eth3 reboot 10
add allowed-client host any-host
set core-dump enable
set core-dump total 1000
set core-dump per_process 2
set message caption off
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set clienv debug 0
set clienv echo-cmd off
set clienv output pretty
set clienv prompt "%M"
set clienv rows 63
set clienv syntax-check off
set arp table cache-size 4096
set arp table validity-timeout 60
set arp announce 2
set edition 32-bit
set snmp agent off
set snmp agent-version any
set snmp community public read-only
set snmp traps trap authorizationError disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable
set snmp traps trap configurationSave disable
set snmp traps trap fanFailure disable
set snmp traps trap highVoltage disable
set snmp traps trap linkUpLinkDown disable
set snmp traps trap lowDiskSpace disable
set snmp traps trap lowVoltage disable
set snmp traps trap overTemperature disable
set snmp traps trap powerSupplyFailure disable
set snmp traps trap raidVolumeState disable
set snmp traps trap vrrpv2AuthFailure disable
set snmp traps trap vrrpv2NewMaster disable
set snmp traps trap vrrpv3NewMaster disable
set snmp traps trap vrrpv3ProtoError disable
set dns primary
set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web daemon-enable on
set net-access telnet off
set inactivity-timeout 10
set timezone America / New_York
set format date dd-mmm-yyyy
set format time 24-hour
set format netmask Dotted
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set password-controls expiration-warning-days 7
set password-controls expiration-lockout-days never
set password-controls force-change-when no
set password-controls deny-on-nonuse enable false
set password-controls deny-on-nonuse allowed-days 365
set password-controls deny-on-fail enable false
set password-controls deny-on-fail failures-allowed 10
set password-controls deny-on-fail allow-after 1200
set ipv6-state off
add command tecli path /bin/tecli_start description "Threat Emulation Blade shell"
set ntp active on
set ntp server primary version 1
set ntp server secondary version 1
set aaa tacacs-servers state off
set aaa radius-servers super-user-uid 96
add user John uid 0 homedir /home/John
set user John gid 100 shell /etc/cli.sh
set user John password-hash $1$elk75EVv$JS.5C89qzA5nllgEedjGh/
set user admin shell /etc/cli.sh
set user admin password-hash $1$OadYapIm$QGqVCFYLWNvvcHWORFo0Y.
set user monitor shell /etc/cli.sh
set user monitor password-hash *
add rba user John roles adminRole
set hostname FW-CP1
set interface eth3 state on
add interface eth3 vlan 104
set interface eth3 state on
add interface eth3 vlan 106
set interface Mgmt link-speed 100M/full
set interface Mgmt state on
set interface Mgmt auto-negotiation on
set interface Mgmt ipv4-address mask-length 24
set interface eth1 comments "Internet"
set interface eth1 link-speed 1000M/full
set interface eth1 state on
set interface eth1 auto-negotiation on
set interface eth1 mtu 1500
set interface eth1 ipv4-address mask-length 29
set interface eth2 comments "Transfer"
set interface eth2 link-speed 100M/full
set interface eth2 state on
set interface eth2 auto-negotiation on
set interface eth2 mtu 1500
set interface eth2 ipv4-address mask-length 24
set interface eth3 state on
set interface eth3.104 comments "Customers"
set interface eth3.104 state on
set interface eth3.104 ipv4-address mask-length 24
set interface eth3.106 comments "Transmission 106"
set interface eth3.106 state on
set interface eth3.106 ipv4-address mask-length 24
set interface lo state on
set interface lo ipv4-address mask-length 8
set static-route default nexthop gateway address priority 1 on
set static-route nexthop gateway address priority 1 on
set rip update-interval default
set rip expire-interval default
set rip auto-summary on
set management interface Mgmt
set ospf area backbone on
set lcd screensaver mode model
set lcd screensaver timeout 30

FW-CP1> save config
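
A saved show configuration export is also the natural input for a quick hardening review. The Python script below is an added example, not code from the original post or from Check Point: it parses an export in the format shown above into tokenised rows and flags settings worth a second look, such as Telnet left on, an SNMP agent running with the well-known 'public' community, a short minimum password length, lockout disabled, and extra uid-0 accounts. The sample export and the thresholds (8-character minimum, 60-minute WebUI timeout) are constructed assumptions, not Gaia defaults.

```python
"""Flag weak settings in a Gaia 'show configuration' export (added example)."""
from typing import List

# Constructed sample modelled on the export above; values are illustrative.
SAMPLE_CONFIG = """\
# Configuration of FW-CP1
set net-access telnet off
set snmp agent on
set snmp community public read-only
set password-controls min-password-length 6
set password-controls password-expiration never
set password-controls deny-on-fail enable false
set web session-timeout 1440
set ntp active on
add user John uid 0 homedir /home/John
set user John gid 100 shell /etc/cli.sh
add rba user John roles adminRole
set hostname FW-CP1
"""


def parse_gaia_config(text: str) -> List[List[str]]:
    """Split an export into token lists, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split())
    return rows


def audit_gaia_config(text: str, min_pw_len: int = 8, max_web_timeout: int = 60) -> List[str]:
    """Return human-readable findings; the thresholds are assumptions, not Gaia defaults."""
    rows = parse_gaia_config(text)
    findings: List[str] = []

    def matching(*prefix: str) -> List[List[str]]:
        # Rows whose leading tokens equal the given prefix, e.g. ("set", "ntp", "active").
        return [r for r in rows if tuple(r[: len(prefix)]) == prefix]

    if matching("set", "net-access", "telnet", "on"):
        findings.append("Telnet management access is on (credentials cross the wire in cleartext)")
    if matching("set", "snmp", "agent", "on") and matching("set", "snmp", "community", "public"):
        findings.append("SNMP agent is on with the well-known community string 'public'")
    for r in matching("set", "password-controls", "min-password-length"):
        if int(r[3]) < min_pw_len:
            findings.append(f"Minimum password length is {r[3]} (policy wants {min_pw_len})")
    if matching("set", "password-controls", "password-expiration", "never"):
        findings.append("Passwords never expire")
    if matching("set", "password-controls", "deny-on-fail", "enable", "false"):
        findings.append("Lockout after repeated failed logins is disabled")
    for r in matching("set", "web", "session-timeout"):
        if int(r[3]) > max_web_timeout:
            findings.append(f"WebUI session timeout is {r[3]} minutes; reset it after maintenance")
    if matching("set", "ntp", "active", "off"):
        findings.append("NTP is off; log timestamps will drift across devices")
    for r in matching("add", "user"):
        # Row shape: add user NAME uid N homedir PATH
        if len(r) >= 5 and r[3:5] == ["uid", "0"] and r[2] != "admin":
            findings.append(f"Account '{r[2]}' has uid 0 (same identity as admin); confirm it is intended")
    return findings


if __name__ == "__main__":
    for finding in audit_gaia_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the text of show configuration captured from the device; each finding maps back to one set or add line, so the fix is the corresponding command with the stronger value.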

6. show arp dynamic all

CP-FW1> show arp dynamic all
Dynamic Arp Parameters

IP Address                 Mac Address
                           00:1B:54:13:98:41
                           00:17:59:F3:7E:E0
                           00:90:FB:2B:91:53
                           00:90:0B:17:E5:66
                           72:AC:19:9C:19:D0
                           00:1C:7F:32:CC:12
                           FE:4A:40:06:60:ED
                           54:4A:00:19:AE:C0
                           00:1C:7F:32:CC:12

CP-FW1> show arp static all
Static Arp Entries

IP Address                 MAC Address                

CP-FW1> show arp table validity-timeout
CP-FW1> show arp table cache-size 

7. set hostname

CP-FW1> set hostname firewall-test

8. set static-route nexthop gateway address on

CP-FW1> set static-route nexthop gateway address off 

// delete a route

CP-FW1>  set static-route off  

CP-FW1>  set static-route nexthop blackhole 

CP-FW1>  set static-route rank 2

FW-CP1> show route static
Codes: C – Connected, S – Static, R – RIP, B – BGP,
       O – OSPF IntraArea (IA – InterArea, E – External, N – NSSA)
       A – Aggregate, K – Kernel Remnant, H – Hidden, P – Suppressed,
       U – Unreachable, i – Inactive

S           via, eth1, cost 0, age 142743
S      via, eth2, cost 0, age 77668
S      via, eth2, cost 0, age 77668
S          via, Mgmt, cost 0, age 105717
S      via, eth3.102, cost 0, age 80698

9. set date 2012-08-10

10. reboot & halt

11. fw unloadlocal

Unload local firewall policy from the appliance.

12. cpstop / cpstart

13. fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) R75.40 – Build 275

14. cpstat

FW-CP1> cpstat os
Product Name:                  SVN Foundation
SVN Foundation Version String: R77.20
SVN Foundation Build Number:   990170256
SVN Foundation Status:         OK
OS Name:                       Gaia
OS Major Version:              2
OS Minor Version:              6
OS Build Number:               –
OS SP Major:                   –
OS SP Minor:                   –
OS Version Level:
Appliance SN:                  338B04265
Appliance Name:                Check Point 4200
Appliance Manufacture:         CheckPoint

15. Increase session time-out time

This is especially useful before doing an upgrade.

set web session-timeout 1440
set inactivity-timeout 720

16. Information about processes, memory, paging, block IO, traps, and cpu activity.

FW-CP1> vmstat 1 | awk '{now=strftime("%Y-%m-%d %T "); print now $0}'
2014-10-29 09:26:47 procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
2014-10-29 09:26:47 r b swpd free buff cache si so bi bo in cs us sy id wa st
2014-10-29 09:26:47 1 0 448004 10748 1928 126520 10 13 53 581 118 155 8 11 81 1 0
2014-10-29 09:26:49 1 0 448004 10748 1936 126520 0 0 0 84 1123 2197 5 10 84 0 0
2014-10-29 09:26:51 1 0 448004 10780 1936 126520 0 0 0 0 1123 2145 3 6 92 0 0
2014-10-29 09:26:53 1 0 448004 10500 1944 126512 0 0 0 82 1123 2204 6 13 82 0 0
2014-10-29 09:26:55 1 0 448004 10500 1944 126520 0 0 0 0 1125 2139 6 11 84 0 0
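
Redirecting that timestamped output to a file makes later triage easier. The Python below is an added example, not part of the original post: it parses lines in the format the awk one-liner produces, skips the first data row (vmstat's first report gives averages since boot, not the current interval), and flags swap-in/out activity and low CPU idle. The embedded input is constructed from the rows printed above; the 20% idle floor is an assumption.

```python
"""Parse and triage timestamped vmstat output (added example)."""
from typing import Dict, List

# Constructed input in the format produced by the vmstat | awk one-liner above.
SAMPLE_VMSTAT = """\
2014-10-29 09:26:47 procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
2014-10-29 09:26:47  r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
2014-10-29 09:26:47  1  0 448004  10748   1928 126520   10   13    53   581  118  155  8 11 81  1  0
2014-10-29 09:26:49  1  0 448004  10748   1936 126520    0    0     0    84 1123 2197  5 10 84  0  0
2014-10-29 09:26:51  1  0 448004  10780   1936 126520    0    0     0     0 1123 2145  3  6 92  0  0
2014-10-29 09:26:53  1  0 448004  10500   1944 126512    0    0     0    82 1123 2204  6 13 82  0  0
2014-10-29 09:26:55  1  0 448004  10500   1944 126520    0    0     0     0 1125 2139  6 11 84  0  0
"""

# Column order of vmstat on the 2.6 kernel shown above.
COLUMNS = ["r", "b", "swpd", "free", "buff", "cache", "si", "so",
           "bi", "bo", "in", "cs", "us", "sy", "id", "wa", "st"]


def parse_vmstat(text: str) -> List[Dict[str, object]]:
    """One dict per data row; header rows are skipped because their fields are not numeric."""
    samples = []
    for line in text.splitlines():
        parts = line.split()
        values = parts[2:]  # everything after "YYYY-MM-DD HH:MM:SS"
        if len(values) != len(COLUMNS) or not all(v.isdigit() for v in values):
            continue
        sample: Dict[str, object] = {"ts": f"{parts[0]} {parts[1]}"}
        sample.update(zip(COLUMNS, map(int, values)))
        samples.append(sample)
    return samples


def triage_vmstat(samples, idle_floor: int = 20, skip_boot_average: bool = True) -> List[str]:
    """Flag swap activity and CPU saturation per interval.

    The first row vmstat prints is the average since boot, so it is dropped by default;
    otherwise a long-past swap storm would look like a current one.
    """
    rows = samples[1:] if skip_boot_average else samples
    alerts = []
    for s in rows:
        if s["si"] or s["so"]:
            alerts.append(f"{s['ts']} swap activity si={s['si']} so={s['so']} kB/s")
        if s["id"] < idle_floor:
            alerts.append(f"{s['ts']} CPU idle {s['id']}% below {idle_floor}% floor")
    return alerts


def summarize_vmstat(samples, skip_boot_average: bool = True) -> Dict[str, float]:
    """Headline numbers for the sampled intervals (empty input gives samples=0)."""
    rows = samples[1:] if skip_boot_average else samples
    if not rows:
        return {"samples": 0}
    return {
        "samples": len(rows),
        "avg_idle": sum(s["id"] for s in rows) / len(rows),
        "peak_sy": max(s["sy"] for s in rows),
        "swapped_kb": max(s["swpd"] for s in rows),
    }


if __name__ == "__main__":
    data = parse_vmstat(SAMPLE_VMSTAT)
    print(summarize_vmstat(data))
    for alert in triage_vmstat(data):
        print(alert)
```

On the sample rows the since-boot line shows si=10/so=13 but every live interval is quiet, which is exactly the case the skip_boot_average default exists for; the swpd column (448 MB in swap with about 10 MB free) is the number to watch on a box this size.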
17. CPView – Check Point and System Online statistics Info

CPView is a handy tool for gathering system information and statistics; it was introduced in R77.

[[email protected]:0]# cpview
Initializing…Server Connection Menu for your Master Terminal Server
| CPVIEW.Overview                                           16Aug2015 10:45:42 |
| Overview SysInfo Traffic I/S Software-blades                                 |
| CPU:                                                                         |
|                                                                              |
| Num of CPUs:      1                                                          |
|                                                                              |
|       CPU      Used                                                          |
|         0        0%                                                          |
| —————————————————————————- |
| Memory:                                                                      |
|                                                                              |
|            Total MB   Used MB   Free MB                                      |
| Physical        934       684       250                                      |
| FW Kernel       696        62       634                                      |
| Swap          2,047         0     2,047                                      |
| —————————————————————————- |
| Traffic counters:                                                            |
|                                                                              |
| Throughput                930bps                                             |
| Packet rate                 1pps                                             |
| Connection rate             0cps                                             |
| Concurrent conns           42                                                |
| —————————————————————————- |
| Disk space (top 3 used partitions):                                          |
|                                                                              |
| Partition  Total MB   Used MB   Free MB                                      |
| /boot           144       105        31                                      |
| /             8,063     4,928     2,725                                      |
| /var/log     60,475     6,665    50,738                                      |
| —————————————————————————- |
| Events:                                                                      |
|                                                                              |
| # of monitored daemons crashed since last cpstart         0                  |
|                                                                              |
|                                                                              |
18. TOP

[[email protected]:0]# top 
top – 10:17:21 up 10 days, 24 min,  1 user,  load average: 0.35, 0.26, 0.26
Tasks:  83 total,   2 running,  81 sleeping,   0 stopped,   0 zombie
Cpu(s):  6.6%us,  9.9%sy,  0.0%ni, 83.2%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND             
 5468 admin     21   0 67728 6832 3996 S  1.7  0.7 198:41.66 DAService           
 3966 admin     15   0 32900  13m 8804 S  0.3  1.5  52:12.94 confd               
 4005 admin     15   0 30600  11m 8764 S  0.3  1.2  58:01.37 snmpd               
    1 admin     15   0  2040  648  560 S  0.0  0.1   0:01.09 init                   
    2 admin     RT  -5     0    0    0 S  0.0  0.0   0:00.00 migration/0       
    3 admin     15   0     0    0    0 S  0.0  0.0   0:00.18 ksoftirqd/0         
    4 admin     RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0          
    5 admin     10  -5     0    0    0 S  0.0  0.0   0:00.27 events/0            
    6 admin     10  -5     0    0    0 S  0.0  0.0   0:00.04 khelper            
    7 admin     10  -5     0    0    0 S  0.0  0.0   0:00.00 kthread             
    8 admin     RT  -5     0    0    0 S  0.0  0.0   0:00.00 kmem_kthread        
   11 admin     10  -5     0    0    0 S  0.0  0.0   0:00.09 kblockd/0           
   12 admin     20  -5     0    0    0 S  0.0  0.0   0:00.00 kacpid              
  113 admin     20  -5     0    0    0 S  0.0  0.0   0:00.00 cqueue/0               
  116 admin     10  -5     0    0    0 S  0.0  0.0   0:00.00 khubd               
  118 admin     10  -5     0    0    0 S  0.0  0.0   0:00.00 kseriod             
  178 admin     15   0     0    0    0 S  0.0  0.0   0:00.96 pdflush             
  179 admin     15   0     0    0    0 S  0.0  0.0   0:00.01 pdflush             
  180 admin     17  -5     0    0    0 S  0.0  0.0   0:00.55 kswapd0             
  181 admin     20  -5     0    0    0 S  0.0  0.0   0:00.00 aio/0               
  344 admin     11  -5     0    0    0 S  0.0  0.0   0:00.00 kpsmoused           
  369 admin     14  -5     0    0    0 S  0.0  0.0   0:00.00 ata/0               

By default, top sorts by PID. Type upper case O to open the Sort Change window, then pick the field you want to sort by. K (%CPU) and n (%MEM) are the most useful sort fields.

Current Sort Field:  K  for window 1:Def
Select sort field via field letter, type any other key to return 
  a: PID        = Process Id
  b: PPID       = Parent Process Pid
  c: RUSER      = Real user name
  d: UID        = User Id
  e: USER       = User Name
  f: GROUP      = Group Name
  g: TTY        = Controlling Tty
  h: PR         = Priority
  i: NI         = Nice value
  j: P          = Last used cpu (SMP)
* K: %CPU       = CPU usage
  l: TIME       = CPU Time
  m: TIME+      = CPU Time, hundredths
  n: %MEM       = Memory usage (RES)
  o: VIRT       = Virtual Image (kb)
  p: SWAP       = Swapped size (kb)
  q: RES        = Resident size (kb)
  r: CODE       = Code size (kb)
  s: DATA       = Data+Stack size (kb)
  t: SHR        = Shared Mem size (kb)
  u: nFLT       = Page Fault count
  v: nDRT       = Dirty Pages count
  w: S          = Process Status
  x: COMMAND    = Command name/line
  y: WCHAN      = Sleeping in Function
  z: Flags      = Task Flags <sched.h>
  If a selected sort field can’t be
  shown due to screen width or your
  field order, the ‘<‘ and ‘>’ keys
  will be unavailable until a field
  within viewable range is chosen.
  Field sorting uses internal values,
  not those in column display.  Thus,
  the TTY & WCHAN fields will violate
  strict ASCII collating sequence.
  (shame on you if WCHAN is chosen)

In the top window, typing lower case o opens the Field Define window, and h opens the help window.

Note: I have moved some advanced Checkpoint CLI commands into another post, please check “Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)” in this blog.
