NG COMMAND LINE INTERFACE (excluding switch options)
SETUP
cpconfig – reconfigures an existing VPN-1/Firewall-1 installation
cpstart – starts all Check Point applications running on a machine (invokes fwstart, fgstart, uagstart, etc.)
cpstop – stops all Check Point applications running on a machine
fwstart – loads the VPN-1/Firewall-1 Module and starts:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons
fwstop – kills the following processes:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons
It also unloads the VPN-1/Firewall-1 Module
cp_permission – sets up the permissions for CPMI
CONTROL
fw load – compiles and installs a Security Policy to the target’s VPN-1/Firewall-1 Modules.
This is done in two ways:
1. fw load compiles and installs an Inspection Script (*.pf) file to the designated VPN-1/Firewall-1 Modules.
2. fw load converts a Rule Base (*.W) file created by the GUI into an Inspection Script (*.pf) file, then installs it to the designated VPN-1/Firewall-1 Modules.
fw bload – compiles and installs a Security Policy to the target’s embedded VPN-1/Firewall-1 Modules. This is done in one of two ways:
1. fw bload compiles and installs an Inspection Script (*.pf) file to the Firewall-1 embedded system specified by targets.
2. fw bload converts a Rule Base (*.W) file created by the GUI into an Inspection Script (*.pf) file and then compiles and installs it to the Firewall-1 embedded system specified by targets.
fw unload – uninstalls the currently loaded Inspection Code from selected targets
fw fetch – fetches the Inspection Code from the specified host and installs it to the kernel
fw putkey – installs a VPN-1/Firewall-1 authentication password on a host. This password is used to authenticate internal communications between VPN-1/Firewall-1 Modules and between a Check Point Module and Management Server; that is, it authenticates the control channel the first time communication is established. In NG this shared-secret scheme remains for backward compatibility with version 4.1 Modules; NG-to-NG communication is authenticated by SIC certificates instead (see fw sic_reset below).
fw dbload – downloads the user database and network object information (for example, encryption keys) to selected targets
MONITOR
cpstat – displays the status of target hosts in various formats (replaces fw stat, fgate stat and similar per-product status commands)
cpstat_monitor – a utility that runs on the Check Point Management Station and can trigger pre-defined actions when the system changes its status or when an event has occurred. This is done by defining limits (thresholds) on status parameters, and the actions to be taken when they are crossed.
fw lichosts – prints a list of hosts protected by the VPN-1/Firewall-1/n products. The list of hosts is in the file $FWDIR/database/fwd.h
fw ver – displays the VPN-1/Firewall-1 major version number, the build number, and a copyright notice
fw sam – inhibits (blocks) connections to and from specific IP addresses without changing the Security Policy. The command is logged. An inhibit lasts for the period given with -t or, if none is given, until it is cancelled with fw sam -D.
UTILITIES
fw ctl – sends control information to the VPN-1/Firewall-1 Kernel Module. Its sub-commands include:
fw ctl pstat – displays VPN-1/Firewall-1 internal statistics
fw ctl iflist – displays the IP interfaces known to the kernel by name and internal number
fw ctl arp – displays the proxy ARP table
fw kill – sends a signal to a VPN-1/Firewall-1 daemon
fwm – the VPN-1/Firewall-1 Management Server process in the Client/Server implementation of the Management Server. It communicates with the GUI and is also used from the command line to add, update and remove administrators.
fwell – manages Access Lists for Wellfleet (Bay Networks) routers
fw tab – displays the content of INSPECT tables on the target hosts in various formats.
snmp_trap – sends an SNMP trap to the specified host. The message may be given on the command line or read from standard input (stdin).
dynamic_objects – specifies an IP address to which the dynamic object will be resolved on this machine
dbedit – edits the objects file on the Management Server
queryDB_util – enables searching the object database according to search parameters
Log File Management
fw log – displays the content of Log Files
fw logswitch – creates a new Log File. The current Log File is closed and renamed $FWDIR/log/date.log and a new Log File with the default name ($FWDIR/log/fw.log) is created
fw logexport – exports the Log File to an ASCII file
fw repairlog – rebuilds a Log file’s pointer files. The three files fw.logptr, fw.loginitial_ptr and fw.logaccount_ptr are recreated from data in the specified Log file
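The following is an added example tying fw logexport (above) to fw sam (under MONITOR); it is not code from the original page or from Check Point. It parses an export in the default fw logexport layout, a first line naming the fields followed by one ';'-separated record per line, counts drops per source and drafts fw sam inhibit commands for sources at or above a threshold. The field names, the records, the threshold and the timeout are all constructed for illustration; if you exported with a different -d delimiter, pass it to parse_export.

```python
"""Triage a fw logexport dump and draft fw sam inhibits for noisy sources.

Added example, not Check Point code. Assumes the default fw logexport
layout: a first line naming the fields, then one record per line, all
';'-separated (pass the same delimiter you gave fw logexport -d, if any).
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample in the fw logexport layout; not a real export.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;i/f_name;i/f_dir;src;dst;proto;rule;service;s_port
1;28Jul2005;10:00:01;fw-gw;log;drop;hme0;inbound;203.0.113.9;192.0.2.10;tcp;12;ssh;41002
2;28Jul2005;10:00:02;fw-gw;log;drop;hme0;inbound;203.0.113.9;192.0.2.10;tcp;12;telnet;41003
3;28Jul2005;10:00:02;fw-gw;log;accept;hme0;inbound;198.51.100.7;192.0.2.20;tcp;3;http;50211
4;28Jul2005;10:00:03;fw-gw;log;drop;hme0;inbound;203.0.113.9;192.0.2.11;tcp;12;smtp;41004
5;28Jul2005;10:00:04;fw-gw;log;drop;hme0;inbound;198.51.100.7;192.0.2.20;tcp;12;https;50212
6;28Jul2005;10:00:05;fw-gw;log;drop;hme0;inbound;203.0.113.9;192.0.2.12;tcp;12;ftp;41005
7;28Jul2005;10:00:06;fw-gw;log;drop;hme0;inbound;not-an-ip;192.0.2.12;tcp;12;ftp;41006
"""


def parse_export(text, delimiter=";"):
    """Return the export as a list of dicts keyed by the header-line field names."""
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))


def drops_by_src(records):
    """Count dropped records per source address, skipping malformed sources."""
    counts = Counter()
    for rec in records:
        if rec.get("action") != "drop":
            continue
        src = rec.get("src", "")
        try:
            ipaddress.ip_address(src)   # accept only a bare IP address
        except ValueError:
            continue                    # never let raw log text reach a shell unchecked
        counts[src] += 1
    return counts


def sam_commands(counts, threshold, timeout):
    """Draft one `fw sam -I src <ip> -t <seconds>` per source at/above threshold.

    -I inhibits new connections and closes existing ones; -t bounds the
    inhibit, since without it the block stays until `fw sam -D` is run.
    """
    cmds = []
    for src, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= threshold:
            cmds.append(f"fw sam -I src {src} -t {int(timeout)}")
    return cmds


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for cmd in sam_commands(drops_by_src(recs), threshold=3, timeout=600):
        print(cmd)
```

With a real export (fw logexport -o export.txt on the Management Server), feed the file's contents to parse_export and review the drafted commands before running any of them: each fw sam entry is logged and stays in force until its -t period expires or it is cleared with fw sam -D.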
HIGH AVAILABILITY
cphastart - enables the High Availability feature on the machine. In NT, this is done when the VPN-1/Firewall-1 Module is started. In Solaris, the cphastart command is part of the fwstart script
cphastop - disables the High Availability feature on the machine
cphaprob - registers critical devices (processes) with the High Availability mechanism and reports their state. When a registered critical device reports a problem, the machine is considered to have failed.
cpha_export (Solaris only) – writes MAC address information to stdout. If the output is redirected to a file, it can be input (stdin) to cpha_import on another machine.
cpha_import (Solaris only) – imports MAC address information from stdin and updates the machine’s MAC address accordingly. The normal procedure is to redirect stdin to read a file created by cpha_export on the primary machine
fw hastat – displays information about High Availability machines and their states.
USER DATABASE MANAGEMENT
fw dbimport – imports users into the VPN-1/Firewall-1 User Database from an external file. You can create this file yourself, or use a file generated by fw dbexport
fw dbexport - exports the VPN-1/Firewall-1 User Database to a file.
The file may be in one of the following formats:
1. the same format as the import file for fw dbimport
2. LDIF format, which can be imported into an LDAP Server using ldapmodify
ldapmodify - imports users to an LDAP server. The input file must be in the LDIF format
fw ldapsearch - queries an LDAP directory and returns the results
fw expdate - changes the expiration date of users (but not templates) in the VPN-1/Firewall-1 User Database to the date specified by the first parameter. This change can be optionally applied only to selected users by specifying the second parameter
Certificates
fw ca putkey – distributes the Certificate Authority Key to a Check Point Module
fw ca genkey - is used to generate the Certificate Authority Key on a Management Server
fw certify ssl – is used to generate a Certificate Authority certificate on a Check Point Module
fw internalca - instructs the Management Server to initialize an Internal CA: it creates the Internal CA database, generates the public and private keys, and issues and saves a certificate. This also enables hybrid authentication mode, which lets the server perform IKE key exchange with clients using authentication schemes that are not themselves interoperable with IKE.
fw ikecrypt - encrypts the password of a SecuRemote user using IKE. The resulting string must then be stored in the LDAP database.
fw sic_reset - resets Secure Internal Communication (SIC) on the Management Server. The user will be prompted before the operation actually takes place.
This command deletes the internal Certificate Authority, deletes the Management Server certificate, deletes the Certificate Revocation List (CRL), and updates the objects database.
LICENSING
cplic put - is used to install one or more Local licenses. This command installs a license on a local machine – it cannot be performed remotely.
cplic print - prints details of Check Point licenses on the local machine. On a Module, this command will print all licenses that are installed on the local machine – both Local and Central licenses.
cplic del - deletes a single Check Point license on a host. Use it to delete unwanted evaluation, expired and other licenses. On a Module, this command will work only for a Local license.
cplic check – is used to check whether the license on the machine will allow a given feature to be used. This command is used mainly for Technical Support purposes.
cprlic put – can be used only from the Management Server, to attach (install) one or more:
- Central licenses on an NG Module
- Local licenses on the appropriate NG Module
- Version 4.1 licenses on the appropriate version 4.1 Module
cprlic add - is used to add one or more licenses to the license repository on the Management Server.
cprlic print - displays the details of Check Point licenses stored in the license repository on the Management Server
cprlic del – used to detach a Central license from an NG Module. This command deletes the license from the Module. A Central license remains in the repository as an unattached license, available for attachment to another Module.
This command can be executed only on a Management Server.
cprlic rm - removes a license from the license repository on the Management Server. It can be executed ONLY after the license was detached using the cprlic del command.
Once the license has been removed from the repository, it can no longer be used. To re-use it, use the cprlic add or cprlic put command.
cprlic get - retrieves all licenses from a Module into the license repository on the Management Server. Do this to synchronize the repository with the Module, if NG and version 4.1 Local licenses were added (or deleted) locally, and hence do not yet (or still) exist in the license repository. Retrieving licenses will also delete from the repository Local licenses that do not exist on the Module.
INSTALLATION MANAGEMENT
cppkg add – adds an installation package file to the Product Repository. The package file can be located on a CD or on a local or network drive. cppkg add does not overwrite existing packages. Only SecureUpdate packages can be added to the Product Repository.
cppkg delete – is used to delete a product package from the repository.
cppkg search - is used to list the contents of the Product Repository. Use this command to see the product and OS strings required to install a product package using the cprinstall command, or to delete a package using the cppkg delete command.
cppkg setroot - is used to create a new repository root directory location, and to move existing product packages into the new repository. The default Product Repository location is created when the Management Server is installed.
cppkg getroot - is used to find out the location of the Product Repository
cprinstall get - is used to obtain details of the products and the Operating System installed on the specified Module, and to update the Product Repository database.
cprinstall test - is used to test whether the product can be installed on the remote Module. It verifies that the Operating System and currently installed products are appropriate for the package, and that there is enough disk space to install the product.
cprinstall install – is used to install Check Point products on remote modules
cprinstall uninstall – is used to uninstall products on remote Modules
cprinstall boot – reboots the remote computer
cprinstall stop – is used to stop the operation of other cprinstall commands.
In particular, this command stops the remote installation of a product – even during transfer of files, file extraction, and pre-installation testing. The operation can be stopped at any time up to the actual installation.
VPN-1 ACCELERATOR CARD
vpn accel - used for turning on (or off) the accelerator card. When it is installed, it is enabled by default. You can also check its status with the command vpn accel stat
lunadiag - a software diagnostics utility specific to the Luna accelerator card in the Luna package. The utility is documented in the file lunadiag.txt
VPN COMMANDS
vpn ver - displays the VPN-1 major version number, the build number, and a copyright notice. Usage and options are the same as for fw ver
vpn debug - debug the VPN-1 daemon
vpn drv - installs the VPN-1 kernel(vpnk) and connects to the Firewall-1 kernel (fwk)
vpn intelrng - displays the status of the Intel RNG (random number generator). This command is available on Windows NT and Windows 2000 only.
DAEMONS
cpwd_admin - is used to show the status of processes, and to configure cpwd
cpridstop – used to stop cprid
cpridstart - used to start cprid (cprid is independent of cpstart and cpstop)
FLOODGATE-1 COMMANDS
etmstart - loads the FloodGate Module and starts the FloodGate-1 daemon (fgd). Also starts the Management Server, provided it is on the same machine as the FloodGate Module.
etmstop - kills the FloodGate-1 daemon (fgd) and then unloads the FloodGate Module. Also stops the Management Server, provided it is on the same machine as the FloodGate Module.
fgate load - installs a QoS Policy on the specified FloodGate Modules. If targets is not specified, the QoS Policy is installed on the local host.
fgate unload - uninstalls a QoS Policy from the specified FloodGate Modules
fgate fetch - fetches the FloodGate QoS Policy that was last installed on the local host. You must specify the machine where the FloodGate QoS Policy is found. Use “localhost” in case there is no Management Server or if the Management Server is down.
fgate stat - displays the status of target hosts in various formats. The default format displays the following information for each host: host name, Rule Base (or FloodGate Module) file name, date and time loaded, and the interface and direction loaded.
fgate ver - displays the FloodGate-1 version number. The version of the GUI is displayed in the opening screen, and can be viewed at any time from the Help menu.
fgate kill - sends a signal to a FloodGate-1 daemon
OPSEC COMMANDS
upgrade_fwopsec - upgrades OPSEC configuration information on the Management Server from pre-NG to NG format, based on the upgraded Module information. If you have not changed any of the OPSEC defaults, there is no need to run it; if you have changed them, run it after the Module upgrade.
BOOT SECURITY
fwstop-default - kills VPN-1/Firewall-1 processes and loads the Default Filter
fwstop-proc - kills VPN-1/Firewall-1 processes but keeps the current kernel policy. The Security Policy remains loaded in the kernel, though the user-mode processes (cpd, fwd, fwm, vpnd, fwssd) are no longer running, so logging, kernel traps, resources and all Security Server connections stop working. The kernel state is unchanged: whatever was loaded stays loaded, so generic accept/reject/drop rules that depend only on the service continue to be enforced, while anything that needs a user-mode daemon does not.
control_bootsec – enables or disables Boot Security. The command turns both the Default Filter and the initial policy off or on, in the correct sequence.
fwboot bootconf – use to change IP Forwarding or Default Filter settings. This command is located in $FWDIR/boot
comp_init_policy –u - removes the current initial policy, and ensures that it won’t be generated in the future when cpconfig is run
comp_init_policy –g - generates the initial policy and ensures that it will be loaded the next time a policy is fetched (at fwstart, at next boot, or via the fw fetch localhost command). After running this command, cpconfig will add an initial policy when needed.
defaultfilter.boot - installed by default. It allows:
- all outgoing communications
- incoming communications on ports through which there were previous outgoing communications
- ICMP packets
- broadcast packets
defaultfilter.drop - drops all communications in and out of the gateway during the period of vulnerability. If the boot process requires that the gateway communicate with other hosts, then the drop default Security Policy should not be used.
fw defaultgen - use to compile the default filter
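The following added example models the two default filters just described (defaultfilter.boot and defaultfilter.drop) so the difference in exposure during the boot window is visible. It is an illustration written for this page, not the INSPECT code Check Point ships, and it follows only the behaviour listed above: the boot filter accepts outbound traffic, inbound traffic to a port the gateway has already sent from, ICMP and broadcasts; the drop filter accepts nothing. The addresses, ports and packet sequence are constructed.

```python
"""Model of the two NG default filters described above.

Added illustration, not Check Point's INSPECT code. It follows the page's
description only: defaultfilter.boot accepts outbound traffic, inbound
traffic to a port the gateway already sent from, ICMP and broadcasts;
defaultfilter.drop accepts nothing. All addresses/ports are constructed.
"""
from dataclasses import dataclass, field

LIMITED_BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the gateway
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class BootFilter:
    """defaultfilter.boot as described: stateful by (proto, local port) only."""
    opened: set = field(default_factory=set)   # (proto, local port) seen outbound

    def decide(self, p):
        if p.proto == "icmp" or p.dst == LIMITED_BROADCAST:
            return "accept"
        if p.direction == "out":
            self.opened.add((p.proto, p.sport))   # remember the local port we used
            return "accept"
        # inbound: only to a port the gateway itself already sent from
        return "accept" if (p.proto, p.dport) in self.opened else "drop"


class DropFilter:
    """defaultfilter.drop: nothing passes until the real policy is fetched."""

    def decide(self, p):
        return "drop"


def run(filt, packets):
    """Apply a filter to a packet sequence, returning the verdict per packet."""
    return [filt.decide(p) for p in packets]


GW = "192.0.2.1"   # the gateway's own address (constructed)
SCENARIO = [
    Packet("in", "tcp", "203.0.113.9", GW, 41002, 22),         # unsolicited ssh probe
    Packet("out", "udp", GW, "192.0.2.53", 35000, 53),          # gateway's own DNS query
    Packet("in", "udp", "192.0.2.53", GW, 53, 35000),           # the DNS reply
    Packet("in", "tcp", "203.0.113.9", GW, 41003, 35000),       # tcp probe at the udp port
    Packet("in", "icmp", "203.0.113.9", GW),                    # ping
    Packet("in", "udp", "0.0.0.0", LIMITED_BROADCAST, 68, 67),  # DHCP-style broadcast
    Packet("out", "tcp", GW, "192.0.2.100", 40000, 18191),      # gateway fetching its policy
    Packet("in", "tcp", "198.51.100.5", GW, 1234, 40000),       # stranger hitting that port
]

if __name__ == "__main__":
    for p, verdict in zip(SCENARIO, run(BootFilter(), SCENARIO)):
        print(f"{verdict:6} {p.direction:3} {p.proto:4} "
              f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The last packet is the point of the model: because the boot filter keys on the local port alone, not on the peer, any host can reach a port the gateway has recently sent from while the filter is in force. That is tolerable for the short boot window it is meant to cover, and is the reason defaultfilter.drop exists for gateways that need no network contact before the real policy is fetched.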
Thursday, July 28, 2005