Working with Checkpoint files

Hi All,

Could you explain to me some of the important files in $FWDIR and their usage?

Since Checkpoint people always work and analyse with files..

It is good to know at least some of the important files and their usage.

Thanking you in Advance

6 Replies


Some important directories & files of the mgmt. server are listed below.

$CPDIR/conf - Contains parts of the CPShared system
    * cp.license  - license of machine
    * sic_cert.p12 - SIC certificate
$FWDIR/lib - .def files which are used when the rulebase is compiled into inspection code for Enforcement points.
$FWDIR/conf - the rule base and the rest of the security policy can be found here.
    * rulebases_5_0.fws - Contains rulebases and duplicate in *.w files
    * objects_5.0.C - Contains all the objects. objects.C is created when sent to the Enforcement Points
$FWDIR/conf/fwauth.* - User Database, main file being fwauth.NDB
$FWDIR/conf/masters - Defines the local log definition in Dashboard
$FWDIR/database/fwauth.* - User Database, main file being fwauth.NDB
$FWDIR/log - Logs

$FWDIR/bin/upgrade_tools  - You can do upgrade_export for migration of mgmt. server

Enforcement Point

$CPDIR/conf - Contains parts of the CPShared system
    * cp.license  - license of machine
    * sic_cert.p12 - SIC certificate

$FWDIR/conf/discntd.if - Add interfaces you want to show as disconnected for ClusterXL.


If R80+, rulebases_5_0.fws and objects_5_0.C are not the real true versions of this information as we use a proper database now. 

0 Kudos

In general, you don't manually edit any files here unless instructed by the TAC or a SecureKnowledge article.

Do we maintain a comprehensive list of these files and what they do? No.

If you're curious about a specific file, your best bet is to search SecureKnowledge.


Agreed!!

Could you please explain the difference between the below directories.




What type of files will be residing inside these directories?

0 Kudos
Employee Alumnus

Since Checkpoint people always work and analyse with files..

That's just not true anymore. Now that we use industry databases for configuration storage, data is binary across multiple files and cannot be opened using "less" etc. Instead, you've got mgmt_cli.

What we still have is logs for Management processes. But those very often contain data that is only valid if you combine it with other indicators. If you find "failed" and "error" and "corrupt" in various /var/log files at Check Point machines, it is most likely a false-positive taken from Check Point engines which you don't use - so when those engines check if they need to be activated, they get a negative answer and print data which may intimidate non-Check Point-Developers.

When you want to get files for troubleshooting, this is your resource: search the error at Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...  and find the relevant SecureKnowledge or CheckMates article.

In addition to self-troubleshooting, you can always open support tickets for problems and this will ensure that we fix its root cause for the benefit of all of our users.


There are still configuration files which I have to modify quite often when it comes to complex VPN environments, since simplified mode does not offer much flexibility in the GUI:
($FWDIR could also stand for the corresponding compatibility directory on the mgmt server)


   * vpn_route.conf - for complex VPN scenarios
   * vpn_service_based_routing.conf - not that often, but still the only way to implement service based routing with link selection
   * user.def.* - sometimes needed to get 3rd Party VPN working  (eg. subnet_for_range_and_peer, ... )
   * trac_client_1.ttm - eg. to fine-tune MEP for Client VPN in complex VPN environments
   * fwrl.conf - to automatically deploy the trac_client_1.ttm to the gateways


   * crypt.def - for excluding traffic from VPN (NON_VPN_TRAFFIC_RULES)
   * implied_rules.def - eg. to exclude specific services from implied rules to get them encrypted
               (eg. LDAP or RADIUS from a vpn client authentication on a remote site via vpn to central auth servers)

