- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Hi All,
I'm looking for a way within R80.10 to see a timestamp for when the last Threat Prevention (but more specifically, IPS) policy was installed. I know I can see firewall through fw stat. IPS stat only shows me that it is enabled and the signature update number which doesn't help for my use case. Is there a way to see when IPS or Threat Prevention policy was installed last? Thanks!
There is in an easy way:
# fw stat -b AMW
This is the information from cpview:
So to compare, the fw stat -b AMW shows the "Threat Prevention Policy Install Time", but in cpview you see the Online Updates of the services updating automatically.
There is not something like "IPS Policy" as you call it. IPS Signatures are applied via Threat Prevent Policy, but Core-Protections and Inspection-Setttings are applied via Access Policy. So both are relevant for you!
You can check this in installation history under Threat Tools in Threat Prevention policy.
Thanks for the reply. I should've mentioned I need a way to verify this from the gateway.
Why?
The Check Point way is to use the centralized management for that.
MGMT also has this with REST API.
Think of it as a troubleshooting/trust but verify step
Exactly! I need a way to verify outside of the management what policy is running on the gateway.
If it is the Check Point way, then why did Check Point build a command to view the firewall policy name and install time into the gateway?
It looks like cpstat will show this.
However, on my gateway (R80.10), the "update time" is N/A...
I also checked with cpstat -f ips blades (which should theoretically also show it) but I get an error on my system.
Maybe it works for you, though?
My gateway shows the same behavior, NA in CPVIEW and cpstat -f ips blades gives me an invalid flavour error. Works if I do cpstat -f fw blades but for some reason doesn't recognize the ips flavour.
'ips stat' will also show the IPS version installed on the gateway.
When I run ips stat it only shows me that IPS is enabled and the signature being used. No timestamp of install time
Correct. Like I mentioned before, it will show the IPS version, which you could match to management.
So the problem is this shows me the current version of the signature database. I need to see the last time the policy was installed. So for example, if I go make a change within my IPS policy, say setting a signature from detect to prevent, or even changing the complete profile from strict to optimized it still shows me the same IPS signature database version. I need a way to show when the last policy was installed. I know it seems overly picky but I need to be able to show a reference for the IPS policy was last installed.
I understand what you are trying to do. While I agree with others that SmartConsole would be best for getting this data or using the API to track this, I get there should be a way from the CLI. This is in no way an approved or verified method and please use at your own risk. The following command seems to return the date/time of the last IPS install.
ls -l /var/opt/CPsuite-R80/fw1/state/<gw_or_cluster_name>/AMW/* | grep IPS | awk '{print $6" "$7" "$8}'
There is in an easy way:
# fw stat -b AMW
This is the information from cpview:
So to compare, the fw stat -b AMW shows the "Threat Prevention Policy Install Time", but in cpview you see the Online Updates of the services updating automatically.
There is not something like "IPS Policy" as you call it. IPS Signatures are applied via Threat Prevent Policy, but Core-Protections and Inspection-Setttings are applied via Access Policy. So both are relevant for you!
Hi Norbert,
Thanks for the reply, that was exactly what I needed! Just tested it out and it shows the Threat Prevention policy install separate from the Firewall policy install.
Hi All.
Please advise do I need read/write account to run such command or I could do it with read-only?
Thank you.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
1 | |
1 |
Tue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY