Just had a fun geeky conversation with Dameon Welch Abernathy (AKA Phoneboy) Jony Fischbein , Jeff Schwartz and Michael Poublon (over 100 accumulated years of experience in Check Point products) , on what are our favorite & most useful commands in a Check Point environment.
Below are my 3 , plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... ).
1) fw ctl zdebug drop
used to quickly see all dropped connections and more importantly the reason (e.g. anti-spoofing, IPS , FW rule , ....)
2) cpstat fw
quickly see stats of number of connections (accepted,denied,logged) with a breakdown
if the FW was under a high load i would usually run " watch --interval=1 'cpstat fw' " (would see a real-time to see the interface that is causing this)
3) fw tab -s -t connections
allowed me to quickly see how much load is (and was i.e "peak" ) on the FW
that's it (i have more , but i want to hear yours ...)
plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... )
My favorites for security gateways:
cphaprob stat to see the status of high availability
clusterXL_admin up/down to force the cluster node into a particular state (good for forcing failover in a healthy cluster so I can do work on a node)
vpn tu to see IKE/IPSEC security associations, and remove expired ones from gateways that burped
Some of my other favorites that I don't see listed here already are:
enabled_blades to list the blades that are enabled for the gateway by the management server (run in expert mode)
installed_jumbo_take to see what JHFA you have installed (does not work on the base R77.30 install, you have to have a JHFA installed and run in expert mode).
cphaconf cluster_id get Useful to see what the cluster magic id is if you have an id that's different from the default.
ips stat See if IPS is enabled, and what profile its running. When troubleshooting connectivity issues, ips on/off is useful too.
fw sam -v -l long_noalert -J any 123.234.111.222
installed_jumbo_take
mdsstop_customer 192.168.2.1;mdsstart_customer 192.168.2.1
1) Clear ARP cache via CLI
In case you need to clear 1 arp entry the following command can be used:
arp -d [ip address]
In case the complete arp cache needs to be cleared the following single line script can be used:
for i in $(awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' /proc/net/arp) ; do arp -d "$i" ; done
2) Flash Network Interface LED
To flash/blink a LED on an interface in order to physically identify the interface in question on a machine.
*Note this does not work on all type of interface cards.
ethtool -p <interface_name>
3) Analyze network traffic via CLI
A script created by a former CP employee: as an alternative to SmartView Monitor, cpview or tcpdump, you can use the following script to analyze traffic patterns. *Note there are some caveats to keep in mind.
http://expert-mode.blogspot.nl/2013/05/checkpoint-top-talkers-script-display.html
https://raw.githubusercontent.com/craigdods/scripts/master/top_talkers.sh
A bit shorter to type version of clear arp: for ip in $(awk '/([[:digit:]]\.)+/ {print $1}' /proc/net/arp) ; do arp -d $ip ; done
Or even shorter way to do so per interface:
ip neighbor flush dev eth3
I've got one more to add to this: cplic print -p
This will show you not only the license you have installed but what features your license breaks down to.
I'm curious how many old-timers remember what sr5000 refers to?
[Expert@oscar:0]# cplic print -p
Host Expiration Primitive-Features
xx.xx.xx.x 22Aug2017 ::CK-xxxxxxxxxxxx fw1:6.0:swb fw1:6.0:ctnt fw1:6.0:swb fw1:6.0:abot fw1:6.0:swb fw1:6.0:appi fw1:6.0:swb fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:urlf fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:av fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:ips fw1:6.0:swb fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:swb fw1:6.0:cluster-1 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:swb fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:swb fw1:6.0:identity fw1:6.0:swb cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:swb fw1:6.0:dlp fw1:6.0:swb evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:swb fw1:6.0:spcps fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:encryption fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:swb fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:blades fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:mc_all_8 fw1:6.0:multicore
Contract Coverage:
# ID Expiration SKU
===+===========+============+====================
1 | PSE6H1R | 20Sep2017 | CPSB-TEX-EVAL
+-----------+------------+--------------------
|Covers: CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx
===+===========+============+====================
2 | F7PG258 | 20Sep2017 | CPSB-TE-EVAL
+-----------+------------+--------------------
|Covers: CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx
===+===========+============+====================
3 | G177T42 | 20Sep2017 | CPSB-CTNT-EVAL
+-----------+------------+--------------------
|Covers: CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx
===+===========+============+====================
4 | D31EF56 | 20Sep2017 | CPSB-IPS-EVAL
+-----------+------------+--------------------
|Covers: CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx
===+===========+============+====================
Securemote 5000 I guess 🙂
Nice one
1) Analyze top talkers via CLI using "fw tab"
As an alternative to SmartView Monitor or cpview, you can use the script below to list the top 10 sources and destinations on a Security Gateway.
Top 10 Source Connections:
fw tab -t connections -u -f | awk -F';' '/Rule/ { source[$3]++ } END { for (name in source) print source[name], name }' | sort -nr | head -10
Top 10 Destination Connections:
fw tab -t connections -u -f | awk -F';' '/Rule/ { dest[$5]++ } END { for (name in dest) print dest[name], name }' | sort -nr | head -10
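As an added example (not from this thread), the same counting wrapped in reusable functions that read the ';'-separated lines on stdin, with the field positions the one-liners above use (field 3 = source, field 5 = destination), plus a count of the busiest source/destination pairs. The sample lines are constructed to match those positions, not real gateway output; in production pipe `fw tab -t connections -u -f` into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the original post. Counts top talkers from
# ';'-separated connection lines, counting only lines that carry a "Rule" marker,
# exactly as the awk one-liners in the post do.

# Constructed sample (not real fw tab output): field 3 = source, field 5 = destination.
SAMPLE_CONNS='id;a;10.1.1.5;b;8.8.8.8;Rule 7
id;a;10.1.1.5;b;1.1.1.1;Rule 7
id;a;10.1.1.9;b;8.8.8.8;Rule 3
id;a;10.1.1.5;b;8.8.8.8;Rule 7
id;a;10.1.1.7;b;9.9.9.9;no-rule-marker'

# top_talkers FIELD [N]: print "count value" for the N busiest values of FIELD
# (3 = source, 5 = destination); ties are broken by the value itself.
top_talkers() {
    awk -F';' -v f="$1" '/Rule/ { c[$f]++ } END { for (k in c) print c[k], k }' \
        | sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# top_pairs [N]: busiest source->destination pairs, same filter and ordering.
top_pairs() {
    awk -F';' '/Rule/ { c[$3 "->" $5]++ } END { for (k in c) print c[k], k }' \
        | sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Usage on the constructed sample (replace with: fw tab -t connections -u -f | top_talkers 3)
printf '%s\n' "$SAMPLE_CONNS" | top_talkers 3
printf '%s\n' "$SAMPLE_CONNS" | top_talkers 5
printf '%s\n' "$SAMPLE_CONNS" | top_pairs
```

The last sample line is deliberately excluded by the /Rule/ filter (the marker is lowercase), which mirrors how the original one-liners skip lines without a rule reference.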
2) Monitoring concurrent connections via CLI and redirecting output to a file
There are various ways to monitor concurrent connections. You can use the following command in case you need to monitor this and store the output in a file for further analysis.
The commands are derived from: fw tab -t connections -s and fw ctl pstat | grep Concurrent
The output will be stored in a file named e.g. “connections”.
while [ 1 ];do uptime | awk '{ split($1,DATE," "); printf "%s,", DATE[1]}' >>connections ; fw ctl pstat | grep Concurrent >>connections ;sleep 0.5;done
or
while [ 1 ];do uptime | awk '{ split($1,DATE," "); printf "%s,", DATE[1]}' >>connections ; fw tab -t connections -s | awk '{ i=i+1;split($4,VALS," "); if (i==2) print VALS[1] }' >>connections ;sleep 0.5;done
3) Clearing Connection Tables
The below command clears the entire connection table on a Security Gateway.
[Expert@FW-1:0]# fw tab -t connections -x
This will clear all the entries in table connections !!!
Are you sure (yes/no)? [n]
4) List all cronjob tasks
The below script will allow you to quickly list all cronjob tasks configured on a device for all accounts.
[Expert@FW-1:0]# more cron.sh
#!/bin/bash
#List all cron jobs for all users
for user in `cat /etc/passwd | cut -d":" -f1`;
do
crontab -l -u $user;
done
Hi all!
Most of my favourite commands were already mentioned, to add something else to the mix:
Check routes (even if they are not active)
dbget -rv routed (Add | grep if needed)
I remember a strange case where certain routes didn't work; when using ip route, route or netstat we couldn't see those routes because they were not active.
This command helped me to confirm that the routes were properly configured in the gateway, and together with tcpdump and fw monitor the customer was convinced that the issues were on their side 🙂
Example
Interface associated with static route 3 is down
[Expert@BTMOB03:0]# ip route
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.201
default via 192.168.0.1 dev eth0 proto routed
No route, even if it's in the WebUI
[Expert@BTMOB03:0]# dbget -rv routed | grep 200.2.1
routed:instance:default:static:network:200.2.1.0 t
routed:instance:default:static:network:200.2.1.0:masklen:24 t
routed:instance:default:static:network:200.2.1.0:masklen:24:gateway t
routed:instance:default:static:network:200.2.1.0:masklen:24:gateway:address:75.4.2.1 t
Here we can see that it's properly configured
Regards,
Or you could run "show configuration static-route" from clish mode to see what all routes are configured
1) fw ctl zdebug drop | grep 8.8.8.8
2) ping -S src_addr dst_addr
3) ip route get 8.8.8.8 (or) Show route destination 8.8.8.8
I would add ping -I interface dst_addr or ping -I src_addr dst_addr. Found this real useful to send traffic from CMAs to destinations. Basically we now have Cisco extended ping capability in expert mode.
Umm difficult thing to just name 3 ... mine i think would be
fw monitor
mdsstat
cphaprob state
WOW, what an amazing engagement and useful crowdsourcing
So who's volunteering to do a "cheat sheet" out of this ? https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc ?
There's a document to be made from this list...as well as a poll.
I like cprid_util command to remotely execute command on a gateway:
cprid_util -server x.x.x.x -verbose rexec -rcmd "arp"
I'm using it on my hosts discovery/creation script available here:
1)
CPMonitor tool (sk103212) - useful traffic analysis
2)
fw stat -l
HOST IF POLICY DATE TOTAL REJECT DROP ACCEPT LOG
localhost >Mgmt Standard 3Aug2017 6:04:09 394282 0 0 394282 0
localhost <Mgmt Standard 3Aug2017 6:04:09 583248 0 683 582565 519
3)
fw ctl set int print_conns_states 1 (output to dmesg or to kernel debug out-file is defined)
4)
cpstat fw, cpstat mg -f indexer
5)
sar -n DEV
Thx
Can u explain what 4,5 does ?
Mostly statistics per interface. Cannot figure -mg part though. a typo?
"mg" stands for management server.
My 2 cents/agorot:
Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101
Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341
Running time for a file of 900 Mb with 4.7 million records:
real 5m50.287s user 4m22.890s sys 0m3.190s
No, not my favorite command (while still valid after exporting logs via fw log), but I had to show you what a pain in the neck it was to get Rule Hit statistics before they were introduced to the SmartConsole.
NB. Moti Sagey I guess the logical follow up would be - List Top Checkpoint Administrators' Errors You Have Seen ?
I actually wrote once an article on Most Frequent Errors by Checkpoint Administrators (in Hebrew but easy to translate) which could be a start:
http://www.digitalwhisper.co.il/files/Zines/0x4C/DW76-1-Firewall.pdf
The primary reason I had a chapter on INSPECT in my books was for fw monitor.
I, of course, also had an FAQ on it back in the day, which you can read here: https://phoneboy.com/fw1/faq/0410.html
Just to clarify your suggestion, are you talking about configuration errors that Check Point admins commonly make?
Yep, I remember, I had it as well but can't find it anymore; probably someone 'borrowed' it. I still have the follow-up book by Barry (R.I.P.).
Pity no one dares to write a book anymore (correction: How could I forget that Tim Hall did write a book about Checkpoint...).
Yes, that is what I meant. In the article I linked to I give my list with the real life examples of (working 10 years for CSP provided me with lots of examples of 'not smart things people do with firewalls'):
In regard to your statement "Pity no one dares to write a book anymore" I can be the first to tell you that writing a book is hard. Your picture though did remind me of some old Check Point books I bought while writing Max Power for pennies on the dollar because they were so outdated. I wasn't looking for content really, just wanted to see how concepts were presented and what content structures worked and which didn't. Dameon's book was by far the most helpful in that regard, and part of the reason I asked him to write the foreword for Max Power. I have attached a picture of all those old Check Point books I was able to find and buy for research purposes:
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
First - my bad, I corrected my post about no one writing books anymore .
Second, I dug a bit into technical book writing and indeed the picture in general is not rosy (as taken from the Internet):
- For a technical book 30000-35000 sold copies is considered a sound success (we are talking about general technical writing - not insanely priced franchises for Universities / exclusive access to technology books a la C# 8 preview)
- Most books never reach such sales
- As a consequence of above the simplistic ROI calculation doesn't justify writing books for money ( a year/two work on a book), as professional hire-for-money employment will bring much more money
- Main driving reasons for writing a book are establishing the author's expert status / generating consulting| training work / possible public speaking engagements
- Prolonged editing/traditional publishing process makes fast changing technology books outdated before the release
- In many publishing houses the author is supposed to do the bulk of promotion by her/himself
- My personal observation: some previously published authors of technical books re-purpose their work into video/streaming courses, online training labs.
All the above is quite accurate. Another dirty little secret is that by signing on with a publisher, you'll MAYBE get 10-15% in royalties and that is only after any cash advance has been extinguished. Also that publisher can re-use elements from your work for practically nothing, and also owns a stake on any of the author's future works on that topic.
Sounds fun 😉
Yep, that's why Max Power was self-published through CreateSpace and Amazon. 🙂 I did get approached by a "real" publisher after the book was released. Reading their proposed contract was quite the eye-opener, but at least I got to find out about all these onerous details the easy way (by just reading about them) and not the hard way.
Two comments on writing a book:
1. It's a lot of work (first one took me two years).
2. Keeping it up to date is also a constant challenge, especially today, as things evolve at a much more rapid pace than they did in the early 2000s.
Yuri Slobodyanyuk wrote:
Yes, that is what I meant. In the article I linked to I give my list with the real life examples of (working 10 years for CSP provided me with lots of examples of 'not smart things people do with firewalls'):
- Using Dynamic Object as URL filter to block access to some website(s)
- Using easy to brute-force OS/ssh passwords (especially given the capability of changing default admin OS username during install appearing and disappearing intermittently, depending on the version of the firewall)
- Using Reject instead of Drop in Security Rules
- Not using NTP for clock synchronization (and as a consequence lessened value or complete uselessness of logs)
- Not verifying saved back ups
stay tuned
Yuri Slobodyanyuk wrote:
- Removing object that is being used in Security Rules, ignoring the warning
- Not using so easy to use Database Revision Control as 'insurance' against disaster
With R80.10 automatic revisions and session live validations (even when going command-line), these things can no longer happen.
Yuri Slobodyanyuk wrote:
- Installing the wrong Security Policy on the wrong firewall (usually ending up in black-out/downtime)
Tip: Open SmartConsole.exe.config and change <add key="OverridePolicyWarningEnable" value="false"/> from false to true
Am I diverging?