Iron

Can you explain the impact of using fwstop and cpstop ?

Can you explain the impact of using fwstop and cpstop?

10 Replies
Employee+

I haven't ever issued the command 'fw stop' but I can tell you that 'cp stop' will stop all of the Check Point processes and daemons. I have done 'ev stop' many times before, so I would have to guess that 'fw stop' will stop the Firewall processes while leaving the others running.

Basically, the impact of either command will stop the inspecting and passing of traffic on a security gateway. On a management server, 'fw stop' should have no impact since there are no Firewall services running there. 

Iron

OK, thanks. I am wondering: for a SIC reset, the complete firewall services will be stopped, right? So SIC reset becomes random for sites; will the network also go down when 'cp stop' comes into the picture automatically, followed by SIC resets?

0 Kudos
Sapphire

See sk86521: Reset SIC without restarting the firewall process - on SMB, you have to use cpstop / cpstart (or test if fw_configload also does the job...).

0 Kudos
Sapphire

[Expert@GW_80.20:0]# fwstop
VPN-1 & FireWall-1 was not stopped.
Run cpstop to stop all Check Point products.

/opt/CPsuite-R80.20/fw1/bin/fwstop


# Usage: fwstop -f [-proc | -default | -driver | -all]
#
# -f: needed in order to run fwstop, otherwise will not run
# -default: does not uninstall the kernel, instead loads default filter
# -proc: kill only user-mode processes
#
# in Linux:
# by default the kernel module is not unloaded. -driver unloads it.
# this is not supported. use at your own risk 😉

Iron

That's great. So fw stop won't stop traffic processing. Are you able to pass traffic after executing fw stop? And in what scenario will we do this?

0 Kudos

The fwstop command should stop the firewall module ("VPN-1 & FireWall-1"). It means that traffic will not be passed through a gateway. You might use it when you have a standalone environment and want to stop only the firewall, but not the management part.

The cpstop command stops all Check Point processes on a device.

0 Kudos
Sapphire

That is not fully true as you can read in the fwstop script - issuing "fwstop" will just display a message that explains you have to use it with parameters that guide what it really does only 😉

0 Kudos
Sapphire

I have to stress the point that the syntax is fwstop / cpstop 😉

As I wrote, fwstop will kill processes and unload drivers. You can learn about it in detail by studying this script. The same is true of cpstart - /pfrm2.0/opt/fw1/bin/cpstart is a commented script that calls commands and other scripts.

0 Kudos
Admin

fwstop is a legacy command that predates FireWall-1 NG (R5x).

In general, you should use cpstop, which does the following:

  • Does an orderly shutdown of all Check Point-related processes
  • Disables IP Forwarding
  • Unloads the Access Control and Threat Prevention policies from the kernel module
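
Added example (not part of the thread and not Check Point's code): a shell check that a gateway really is in the state the list above describes after cpstop, flagging the risky combination of stopped enforcement with IP forwarding still on. The daemon names in CP_DAEMONS and the use of the standard Linux path /proc/sys/net/ipv4/ip_forward are assumptions, not taken from the posts.

```shell
#!/bin/sh
# Post-cpstop state check (added example).
# Assumption: these are the user-mode daemons to look for; adjust per product set.
CP_DAEMONS="cpd fwd fwm vpnd cpwd"

# ip_forwarding_off FILE
# Succeeds only if FILE is readable and contains exactly 0.
ip_forwarding_off() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "0" ]
}

# running_cp_daemons PS_LISTING
# PS_LISTING is one command name per line (as from: ps -e -o comm=).
# Prints the daemons from CP_DAEMONS that appear in it, space separated.
running_cp_daemons() {
    found=""
    for d in $CP_DAEMONS; do
        if printf '%s\n' "$1" | awk -v d="$d" '$1 == d { hit = 1 } END { exit !hit }'; then
            found="$found $d"
        fi
    done
    printf '%s' "${found# }"
}

# check_stopped_state IPFWD_FILE PS_LISTING
# Returns 0 only when forwarding is off AND no listed daemon is left running.
check_stopped_state() {
    left=$(running_cp_daemons "$2")
    if ! ip_forwarding_off "$1"; then
        # A host that still routes while enforcement is stopped forwards unfiltered.
        echo "FAIL: IP forwarding is not disabled"
        return 1
    fi
    if [ -n "$left" ]; then
        echo "FAIL: processes still running: $left"
        return 1
    fi
    echo "OK: forwarding disabled, no Check Point daemons running"
}

# Live use in expert mode (left commented so sourcing this file has no side effects):
# check_stopped_state /proc/sys/net/ipv4/ip_forward "$(ps -e -o comm=)"
```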

Iron

That's cool.

0 Kudos