Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Yuri_Slobodyany
Collaborator
Jump to solution

cpstat confusion about the documentation

Good day everyone,

I am trying to get to know cpstat command better and find that flags/flavors listed in the CLI Reference (R80.40/R81) do not work quite a lot. Is there something missing on the gateways/SMS I am trying this command out (installed-wise) or is it by intention (documented but not implemented)?

E.g.:

 

[Expert@R81-standalone:0]# cpstat -f default ips
No product has flag 'ips'

[Expert@R81-standalone:0]# cpstat blades -f av
Invalid flavour 'av' for product 'blades'. Use 'cpstat' without any arguments to see supported products and flavours.

 

Of course, all those flags/flavors appear as valid in the documentation and I have all blades enabled on this standalone open server.

Thanks

Reference:

-  https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_CLI_ReferenceGuide/Topics-CL... 

- SK: Tried quite hard to find an SK for this tool to no avail, would be great if someone could point me to one.

https://www.linkedin.com/in/yurislobodyanyuk/
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin

Also, just "cpstat" without anything else

 

View solution in original post

10 Replies
_Val_
Admin
Admin

The reference is not exactly matching your version, use https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/SEC...

 

Also, flavors are not required to see IPS. Did you try without "-f default"?

 

0 Kudos
Yuri_Slobodyany
Collaborator

Nope: 

[Expert@R81-standalone:0]# cpstat ips
No product has flag 'ips'

And those are enabled blades:

[Expert@R81-standalone:0]# enabled_blades
fw vpn cvpn urlf av appi ips anti_bot qos mon
[Expert@R81-standalone:0]#

 

Yes, I meant R81 has the same flags as R80.40 with the same errors when trying to use them.

 

https://www.linkedin.com/in/yurislobodyanyuk/
0 Kudos
_Val_
Admin
Admin

Please run "cpstat blades" and show the output

0 Kudos
_Val_
Admin
Admin

Also, just "cpstat" without anything else

 

Yuri_Slobodyany
Collaborator

Got it now - thanks. Each gateway differs in output of cpstat , not sure how - even on production servers with the same blades enabled the options differ. The reference about this -  "Note - The available flags depend on the enabled Software Blades. Some flags are supported only by a Security Gateway, and some flags are supported only by a Management Server."  Even though, gateways where e.g. cpstat ips does work, do not accept -f default to it (as per reference should). So the bottom line is NOT to reference the documentation (I guess it is just a dump of ALL possible options on ALL possible gateways, including SMB/VSX/Crossbeam/etc), but reference output of the cpstat on a particular server, then move on from there.

Thanks again,
case closed.

https://www.linkedin.com/in/yurislobodyanyuk/
_Val_
Admin
Admin

You are welcome.

I do agree that the notion of flags and flavours is a bit odd here, especially considering flavors depend on flags but are called before those in the CLI command 🙂 But this is not a documentation issue, and with a minimal effort, it all clicks into place.

0 Kudos
Yuri_Slobodyany
Collaborator

[Expert@R81-standalone:0]# cpstat blades

Packets accepted : 923861
Packets dropped : 9471
Peak number of connections: 537
Number of connections: 19


Top Rule Hits
-----------------------
|rule index|rule count|
-----------------------
-----------------------

 

Note: This is a lab setup, not production gateway so not much rules/hits seen above.

 

https://www.linkedin.com/in/yurislobodyanyuk/
0 Kudos
_Val_
Admin
Admin

Okay, I believe it should be "cpstat -f ips blades"

 

0 Kudos
_Val_
Admin
Admin

As I mentioned already, it should be:

cpstat -f ips blades

cpstat -f av blades

Does it work for you this way?

cpstat without any input should show you all options

the_rock
Legend
Legend

I agree with @_Val_ . I always just run cpstat without any flags and it will show you all available options, for sure. 

Here is what I see on R81.10 gateway:


Available application_flags:

--------------------------------------------------------------
|Flag |Flavours |
--------------------------------------------------------------
|os |default, ifconfig, routing, routing6, |
| |memory, old_memory, cpu, disk, perf, |
| |multi_cpu, multi_disk, raidInfo, sensors, |
| |power_supply, hw_info, all, average_cpu, |
| |average_memory, statistics, updates, |
| |licensing, connectivity, vsx |
--------------------------------------------------------------
|persistency |product, TableConfig, SourceConfig |
--------------------------------------------------------------
|thresholds |default, active_thresholds, destinations, |
| |error |
--------------------------------------------------------------
|ci |default |
--------------------------------------------------------------
|https_inspection |default, hsm_status, all |
--------------------------------------------------------------
|polsrv |default, all |
--------------------------------------------------------------
|cvpn |cvpnd, sysinfo, products, overall |
--------------------------------------------------------------
|fw |default, interfaces, policy, perf, hmem, |
| |kmem, inspect, cookies, chains, |
| |fragments, totals, totals64, ufp, http, |
| |ftp, telnet, rlogin, smtp, pop3, sync, |
| |log_connection, all |
--------------------------------------------------------------
|vsx |default, stat, traffic, conns, cpu, all, |
| |memory, cpu_usage_per_core |
--------------------------------------------------------------
|vpn |default, product, IKE, ipsec, traffic, |
| |compression, accelerator, nic, |
| |statistics, watermarks, all |
--------------------------------------------------------------
|blades |fw, ips, av, urlf, vpn, cvpn, aspm, dlp, |
| |appi, anti_bot, default, |
| |content_awareness, threat-emulation, |
| |default |
--------------------------------------------------------------
|ha |default, all |
--------------------------------------------------------------
|identityServer |default, authentication, logins, ldap, |
| |components, adquery, idc, muh |
--------------------------------------------------------------
|appi |default, subscription_status, |
| |update_status, RAD_status, top_last_hour, |
| |top_last_day, top_last_week, |
| |top_last_month |
--------------------------------------------------------------
|urlf |default, subscription_status, |
| |update_status, RAD_status, top_last_hour, |
| |top_last_day, top_last_week, |
| |top_last_month |
--------------------------------------------------------------
|dlp |default, dlp, exchange_agents, fingerprint|
--------------------------------------------------------------
|ctnt |default |
--------------------------------------------------------------
|antimalware |default, scanned_hosts, scanned_mails, |
| |subscription_status, update_status, |
| |ab_prm_contracts, av_prm_contracts, |
| |ab_prm_contracts, av_prm_contracts |
--------------------------------------------------------------
|threat-emulation |default, general_statuses, update_status, |
| |scanned_files, malware_detected, |
| |scanned_on_cloud, malware_on_cloud, |
| |average_process_time, emulated_file_size, |
| |queue_size, peak_size, |
| |file_type_stat_file_scanned, |
| |file_type_stat_malware_detected, |
| |file_type_stat_cloud_scanned, |
| |file_type_stat_cloud_malware_scanned, |
| |file_type_stat_filter_by_analysis, |
| |file_type_stat_cache_hit_rate, |
| |file_type_stat_error_count, |
| |file_type_stat_no_resource_count, |
| |contract, downloads_information_current, |
| |downloading_file_information, |
| |queue_table, history_te_incidents, |
| |history_te_comp_hosts |
--------------------------------------------------------------
|scrub |default, subscription_status, |
| |threat_extraction_statistics |
--------------------------------------------------------------
|fg |all |
--------------------------------------------------------------
|PA |default |

 

Then I ran cpstat blades -f ips and got below:

cpstat blades -f ips
Invalid flavour 'ips' for product 'blades'. Use 'cpstat' without any arguments to see supported products and flavours.

 

Also tried what Val suggested cpstat -f ips blades, but same issue.

Its possible that certain flags dont work right, not sure.

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events