Some useful ones: 

1. fw ctl pstat 

2. cphaprob stat

cphparob stat is my favorite and fw ctl -d setsync start (this is a life savor when you try to bring up a fw and it keeps saying "down"

Here some:

1. fwaccel stats -s 
   why? to check acceleration status on FW
2. cphaprob -a if
   why? when troubleshooting cluster, i verify all interfaces are UP and the Virtual IP address for the cluster interfaces.
3. cpwd_admin list
   why? great way to explain the CP watchdog- run the command with watch -d, and from another terminal terminate one of the PID, and observe how the watchdog bring it back.
   and its also a great way to see that everything is up

Cpview

Top

cpview -t  

I use this often to review mem, core usage at any snapshot in time. When getting a checkup device back or reviewing a DAT file. 

example: cpview -t Oct 2 14:02:00

use + / - keys to advance forward or backwards in 1 minute increments.

Over 20 years, I've probably forgotten more CLI commands than I remember at this point

But here are a few of the ones I still use from time to time:

fw stat

Shows what policy is loaded on the current gateway and what interfaces it has seen traffic on.

If it's DefaultFilter, then your gateway isn't running a real policy and is probably blocking all traffic

Example:

[Expert@oscar:0]# fw stat

HOST      POLICY           DATE              

localhost IntFW            18Jul2017 19:11:16 :  [>eth0] [<eth0] [>eth1] [<eth1] [>eth2] [<eth2]

fw fetch mastername

Fetches the policy from the management station named mastername. You can also use localhost as a way to reload the previously installed policy on the gateway. Note this is not to be confused with fw fetchlocal -d directory which is used in troubleshooting policy installation issues.

push_cert –s Cust_CMA –u admin –p adminpw –o examplegw –k test123

This is probably a command you haven't seen before and there's not even a public SK on it

It is used on the management to establish SIC with a newly installed security gateway without using SmartConsole or SmartDashboard, making it extremely useful in automation scenarios.

Arguments are as follows:

Looking forward to see what everyone else comes up with.

config_system - never having to use the FTW via web browser

any clish command - ability to completely script the configuration of an appliance

upgrade_export/ migrate export - best backup method - easiest to recover when you have it!

1) cphaprob state / cphaprob -a if / cphaprob -l list

To view Cluster health status

2) cpview (with top)

To troubleshoot gateway performance (cpu, memory, connections,...)

3) cpwd_admin list

To check the CP process status

4) fw ctl zdebug drop 

To search for any "silent" drop (such as IPS)

5) fw monitor 

To do a live packet capture

1. mgmt_cli show groups Check Point - Management API reference 

2. mgmt_cli add access-rule Check Point - Management API reference 

3. mgmt_cli install-policy Check Point - Management API reference 

I would expect you to pick management commands

Tomer Sole‌ Dameon Welch Abernathy‌

show diff between dates:

mgmt_cli show changes from-date "2017-02-01T08:20:50" to-date "2017-02-21" --format json
show unused objects:
mgmt_cli show unused-objects offset 0 limit 50 details-level "standard" --format json
run script:
mgmt_cli run-script script-name "ifconfig" script "ifconfig" targets.1 "corporate-gateway" --format json

Surprised no one picked 'cp_merge'

And also though not a part of Gaia/splat 

ofiller /odumper by Martin Hoz saved me precious hours in long nights

Valeri Loukine curious , what's yours ?

Did you know? cp_merge was dropped in R80 and above and replaced with the much more capable:

- import_export_package Python tool for exporting/importing a policy package or parts of it  

- import_export_objects Python tool for exporting types of objects from the management server 

- command-line support for gradually upgrading globally assigned domains is there an easy way to upgrade large-scale environments to R80.10? 

Hard to pick just 3, I am afraid.

Lately using mostly those:

1. watch cphaprob stat

2. vsx stat - l

3. cphaprob -a list

fw ctl affinity -l -v -r

multik stat + cphaprob stat

cplic print

cpview 

fw ctl zdebug drop

Peter Sandkuijl what does the first one achieve?

fw ctl affinity -l -v -r is a useful command when you're attempting to finetune the affinity of an IRQ to an interface. This is especially useful when looking at the amount of traffic received by an interface that deserves more "horsepower" and should not be sharing CPU time with other interfaces. This command will list what interface is connected to what IRQ to what core. "fw ctl affinity -s" will subsequently allow you to set the values.

Note that Multi Queue enabled interfaces will not show up as they are assigned "automagically"

plus

netstat -ni - check drop on interfaces;

and

ps axwf -o pid,cpuid,pcpu,pmem,time,comm - processes and daemons utilization by cpu-core, mem;

it's all for multicore performance tuning.

regards,

--

ak.

I will prefer below commands.

fw ctl zdebug drop

cpview

fw tab -s -t connections

fw ctl pstat

1. cpstat mg - (SMS/CMA) Shows connected clients and status.
2. cpstat ha -f all - (GW) Shows sync details.
3. cpstat blades - (GW) Shows packets accepted, dropped, peak connections, and top rule hits.

I would have to say:

fwmon

tcpdump

cpview

This command allowed me to execute commands, transfer files etc with a remote gateway without needing credentials.  I was able to use it to copy a new shadow file to the remote gateway when password was lost/corrupted.

cprid_util (--help)

1) I created a "watch" command with many tecli commands to monitor TE (deployed on Cloud) live emulations:

watch -d -n 1 "echo \_______________________;echo TE Engine Status:;echo \_______________________;tecli control status;tecli show statistics | grep -E '(engine version is)';echo;echo \_______________________;echo VM Cloud Images;echo \_______________________;tecli ca du al | grep -E '(Image UID)';echo;echo \_______________________;echo Live Cloud Queue:;echo \_______________________;tecli show cloud queue;echo;echo \_______________________;echo History Malicious:;echo \_______________________;echo;tecli ca du al | grep -E '(-----|sha1|malicious)';echo;echo \_______________________;echo TE Cloud Quota Stats:;echo \_______________________;tecli show statistics | grep -E '(day)';echo .......................................................................................................;tecli show statistics | grep -E '(Scanned files:|static analysis|local cache|cloud cache|cloud process time)';echo .......................................................................................................;echo;tecli show cloud quota| grep -E '(Quota identifier|Quota subscription:|Usage for gw:|Remain:|Exceeded:)'"

The outcome would be something like this:

2) cpview 

Definitely, the most complete clish command.

3) fw monitor

Very helpful debugging tool. 

Lots of good ones so far, but just to be different the following commands are somewhat obscure but certainly come in handy occasionally (yes I'm well aware of the -f option for #1 and #2 but using it makes the commands take forever to execute):

1) fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10

This will show the top ten source IPs hogging slots in the connection table in descending order, however you will need to manually convert the IP addresses displayed  from hex to decimal like so: 0a1e0b53 = 10.30.11.83.    For the top 10 destinations, substitute $4 for $2 in the awk command above.

2) How many concurrent connections are currently using a particular Hide NAT address and how close are we to the 50k concurrent connection limit?  Going over the 50k limit causes the new traffic to be dropped and the infamous "NAT Hide failure - there are currently no available ports for hide operation" message. Edit: The 50k limit can be surpassed by setting up what I call a "many to fewer" NAT, see my post in the following thread:

Assume the Hide NAT address in question is 203.0.113.1:

fw tab -u -t connections | grep -ci cb007101

Divide the number reported by 2, and you have your answer. The result must be divided by 2 because each post-NATted connection is represented by 2 flows, one outbound (c2s) and one inbound (s2c). Also the NAT IP address must be converted from the dotted quad format to hexadecimal as shown.

3) show routed cluster-state detailed

An undocumented clish command introduced in R77.30 that shows a concise timeline of ClusterXL failover events in a single display.  Very handy when trying to correlate unexpected ClusterXL failovers to external network events, or trying to determine if unexplained failovers occur with any suspicious regularity that may point to the real culprit.  Definitely beats trying to pore through a sea of Control events (grey wrench icon) in the firewall logs!

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Nice !

Nice indeed!

Gold as always. Tim!

I love that hidden command! Why is it hidden? It is very helpful!

show routed cluster-state detailed is super useful!  What do the columns "Cluster State SIGQUIT History " indicate?  Because I've got a lot of entries!