Useful CLI commands

CLI Commands

To start a transaction in the CLI, use execute config-transaction start.

A workspace-mode transaction times out after five minutes without activity. When a transaction times out, all uncommitted changes are discarded.

Commit the changes with execute config-transaction commit.
Abort them with execute config-transaction abort.

Show Commands

| Command | Description |
|---|---|
| save config | save the current configuration |
| show commands | shows the available commands |
| show allowed-client all | show allowed clients |
| show arp dynamic all | displays the dynamic arp entries |
| show arp proxy all | shows proxy arp entries |
| show arp static all | displays all the static arp entries |
| show as | displays the autonomous system number |
| show assets all | display hardware information |
| show bgp stats | shows bgp statistics |
| show bgp summary | shows summary information about bgp |
| show bootp stats | shows bootp/dhcp relay statistics |
| show bootp interface | show all bootp/dhcp relay interfaces |
| show bonding groups | show all bonding groups |
| show bridging groups | show all bridging groups |
| show backups | shows a list of local backups |
| show backup status | show the status of a backup or restore operation being performed |
| show backup last-successful | show the latest successful backup |
| show backup logs | show the logs of the recent backups/restores performed |
| show clock | show current clock |
| show configuration | show configuration |
| show config-state | shows the state of the configuration, either saved or unsaved |
| show date | shows date |
| show dns primary | shows primary dns server |
| show dns secondary | shows secondary dns server |
| show extended commands | shows all extended commands |
| show groups | shows all user groups |
| show hostname | show host name |
| show inactivity-timeout | shows inactivity-timeout settings |
| show interfaces | shows all interfaces |
| show interface ethX | shows settings related to interface ethX |
| show interfaces all | show detailed information about all interfaces |
| show ipv6-state | shows ipv6 status as enabled or disabled |
| show management interface | shows management interface configuration |
| show ntp active | shows ntp status as enabled or disabled |
| show ntp servers | shows ntp servers |
| show ospf database | shows ospf database information |
| show ospf neighbors | shows ospf neighbors information |
| show ospf summary | shows ospf summary information |
| show pbr rules | shows policy based routing rules |
| show pbr summary | shows policy based routing summary information |
| show pbr tables | show pbr tables |
| show route | shows routing table |
| show routed version | shows information about routed version |
| show snapshots | shows a list of local snapshots |
| show snmp agent-version | shows whether the version is v1/v2/v3 |
| show snmp interfaces | shows snmp agent interface |
| show snmp traps receivers | shows snmp trap receivers |
| show time | shows local machine time |
| show timezone | show configured timezone |
| show uptime | show system uptime |
| show users | show configured users and their homedir, uid/gid and shell |
| show user <username> | shows settings related to a particular user |
| show version all | shows version related to os edition, kernel version, product version etc. |
| show virtual-system all | show virtual-systems configured |
| show vpn tunnels | use to show the vpn tunnels |
| show vrrp stats | shows vrrp statistics |
| show vrrp interfaces | shows vrrp enabled interfaces |

Fortigate quick reference (separate from the Gaia commands above)

Default device information:

| Item | Meaning |
|---|---|
| admin / no password | Default login |
| 192.168.1.99 | Default IP on port1, internal or management port |
| 9600/8-N-1, hw flow control disabled | Default serial console settings |

General system commands:

| Command | Description |
|---|---|
| get system status | General system information |
| exec tac support | Generates report for support |
| tree | List all commands |
| <command> ? / tab | Use ? or tab in CLI for help |
| <command> \| grep [filter] | Grep commands to filter output |

Fortigate most used ports:

| Port(s) | Used for |
|---|---|
| UDP/53, UDP/8888 | Fortiguard queries |
| TCP/389, UDP/389 | LDAP, PKI authentication |
| TCP/443 | Contract validation, FortiToken, firmware updates |
| TCP/443, TCP/8890 | AV and IPS update |
| UDP/500, ESP | IPSEC VPN |
| UDP/500, UDP/4500 | IPSEC VPN with NAT-Traversal |

Set Commands

| Command | Description |
|---|---|
| add allowed-client host any-host | add any host to the allowed clients list |
| add allowed-client host <ip address> | add an allowed client by IPv4 address |
| add backup local | create and store a backup file in /var/cpbackups/backups/ (on open servers) or /var/log/cpbackup/backups/ (on Check Point appliances) |
| add backup scp ip <value> path <value> username <value> | adds a backup to an scp server |
| add backup tftp ip <value> [interactive] | adds a backup to a tftp server |
| add snapshot | creates a snapshot, which backs up everything (os configuration, Check Point configuration, versions, patch level), including the drivers |
| add syslog log-remote-address <ip address> level <emerg/alert/crit/err/warning/notice/info/debug/all> | specifies syslog parameters |
| add user <username> uid <user-id-value> homedir <directory> | creates a user |
| expert | enters the system shell |
| halt | halts the system |
| history | shows command history |
| lock database override | overrides the config-lock setting |
| quit | exits the shell |
| reboot | reboots the system |
| restore backup local [value] | restores a local backup interactively |
| rollback | ends the transaction mode by reverting the changes made during the transaction |
| save config | saves the current configuration |
| set backup restore local <filename> | restores a local backup |
| set cluster member admin {down \| up} | initiates a manual cluster failover |
| set core-dump <enable/disable> | enables/disables core dumps |
| set date yyyy-mm-dd | sets the system date |
| set dhcp server enable | enables the dhcp server |
| set dns primary <x.x.x.x> | sets the primary dns ip address |
| set dns secondary <x.x.x.x> | sets the secondary dns ip address |
| set expert-password | sets or changes the password for entering expert mode |
| set edition default <value> | sets the default edition to 32-bit or 64-bit |
| set hostname <value> | sets the system hostname |
| set inactivity-timeout <value> | sets the inactivity timeout |
| set interface ethX ipv4-address x.x.x.x mask-length 24 | adds an ip address to an interface |
| set ipv6-state on/off | sets ipv6 status on or off |
| set kernel-routes on/off | sets kernel routes on/off |
| set management interface <interface name> | sets an interface as the management interface |
| set message motd <value> | sets the message of the day |
| set ntp active on/off | activates ntp on/off |
| set ntp server primary x.x.x.x version <1/2/3/4> | sets the primary ntp server |
| set ntp server secondary x.x.x.x version <1/2/3/4> | sets the secondary ntp server |
| set snapshot revert <filename> | reverts the machine to the selected snapshot |
| set snmp agent on/off | sets the snmp agent daemon on/off |
| set snmp agent-version <value> | sets the snmp agent version |
| set snmp community <value> read-only | sets the snmp read-only community string |
| add snmp interface <interface name> | sets the snmp agent interface |
| set snmp traps receiver <ip address> version v1 community <value> | specifies a trap receiver |
| set snmp traps trap <value> | sets snmp traps |
| set static-route x.x.x.x/xx nexthop gateway address x.x.x.x on | adds a specific static route |
| set static-route x.x.x.x/xx comment "{comment}" | adds a comment to a static route |
| set static-route NETWORK_ADDRESS/MASK_LENGTH nexthop gateway address GATEWAY_IP_ADDRESS off | deletes a static route via the given gateway |
| set static-route <Destination IP address> off | deletes a static route |
| set static-route default nexthop gateway address GATEWAY_IP_ADDRESS off | deletes the default route via the given gateway |
| set time <value> | sets the system time |
| set timezone <time-zone> | sets the time zone |
| set vsx on | sets vsx mode on |
| set vsx off | sets vsx mode off |
| set user <username> password | sets the user's password |
| set web session-timeout <value> | sets the web configuration session time-out in minutes |
| set web ssl-port <value> | sets the web ssl-port for the system |

Generic Commands

The commands below have to be used in expert mode and NOT in clish.

Each entry below gives the action, where to run it in brackets (MGMT = Security Management Server, GW = Security Gateway), and the command.

Show licenses [MGMT / GW]
    cplic print -x
    (-x prints the signatures)

Remove evaluation license [GW]
    cplic eval_disable
    Output:
    You have disabled Check Point evaluation period
    For activation you need to restart ALL Check Point modules
    (performing cpstop & cpstart)

Get licenses from the management server on the gateway [GW]
    contract_util mgmt

Show enabled blades [GW]
    enabled_blades
    Example:
    # enabled_blades
    fw ips ThreatEmulation Scrub

ClusterXL switch over (disable ClusterXL state) [GW]
    clusterXL_admin down [-p]
    Note: the [-p] is an optional flag (stands for "permanent"): the Critical Device called "admin_down" will be automatically added to the $FWDIR/conf/cphaprob.conf file, so that this configuration survives a reboot.

Show cluster status [GW]
    cphaprob stat

Debug to see all dropped connections [GW]
    fw ctl zdebug drop
    fw ctl zdebug -h (help)

Debug to see all NAT information [GW]
    fw ctl zdebug + xlat

Debug to get a fast packet trace [GW]
    fw ctl zdebug + packet | grep -B 1 TCP | grep -B 1 "(SYN)"

See stats of the number of connections [GW]
    cpstat fw

Connections load on the firewall [GW]
    fw tab -s -t connections

Clear ALL connections on the firewall from the table (CAUTION!) [GW]
    fw tab -t connections -x

ClusterXL sync statistics up to R80.10 (sk34476) [GW]
    fw ctl pstat

ClusterXL sync statistics for R80.20 and higher (sk34475) [GW]
    CLISH: show cluster statistics sync
    Expert: cphaprob syncstat

Show connected SmartConsole clients [MGMT]
    cpstat mg

Manage the GUI clients that can use SmartConsole to connect to the Security Management Server [MGMT]
    cp_conf client get # Get the GUI clients list
    cp_conf client add <GUI client> # Add one GUI client
    cp_conf client del <GUI client 1> <GUI client 2> ... # Delete GUI clients
    cp_conf client createlist <GUI client 1> <GUI client 2> ... # Create a new list

Show sync details [GW]
    fw ha -f all

Show packets accepted, dropped, peak connections and top rule hits [GW]
    cpstat blades

Run CLI commands over SIC from the MGMT without a password; shown here as an example for "last chance" configurations [MGMT]
    cprid_util (--help)

    Example: reset the admin password without access to the GW:

    /sbin/grub-md5-crypt   # generate the password hash used below

    cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c \
    'set config-lock on override'  # Ensure clish db is unlocked

    cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c \
    'set user admin password-hash <Password_Hash_from_Step_above>' # Set admin user pw hash

    cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c \
    'set expert-password-hash <Password_Hash_from_Step_above>' # change expert pw hash

Show interfaces, IP addresses and subnet masks; gives a very good interface overview [MGMT / GW]
    fw getifs

Show installed hotfixes and releases [GW]
    cpinfo -y all

Show statistics about accelerated traffic [GW]
    fwaccel stats -s

List which interface is connected to which IRQ on which core [GW]
    fw ctl affinity -l -v -r
    fw ctl affinity -s will subsequently allow you to set the values.

**UNDOCUMENTED**

Show state and timeline of ClusterXL events in CLISH [GW, CLISH]
    show routed cluster-state detailed

Top 10 source IPs in the connection table [GW]
    fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10
    The addresses are printed in hex; convert them manually to dotted decimal, e.g. 0a1f0af2 = 10.31.10.242.
    For the top 10 destinations, substitute $4 for $2 in the awk command.
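As an added example (not from the page), a POSIX shell helper that automates the hex-to-dotted-decimal step the entry above leaves to hand and ranks the top talkers; it runs over a constructed sample laid out like the connections table, and field 2/4 selection follows the page's awk convention:

```shell
#!/bin/sh
# Added example: rank source (field 2) or destination (field 4) addresses
# from `fw tab -u -t connections` output and print them as dotted decimal.
# Constructed sample in the shape of the connections table (not a real capture):
# <dir, src_ip, src_port, dst_ip, dst_port, proto; ...>
SAMPLE_FW_TAB='<00000000, 0a1f0af2, 0000c3b2, c0a80105, 000001bb, 00000006; 00000001, 00000000>
<00000000, 0a1f0af2, 0000c3b3, c0a80105, 000001bb, 00000006; 00000001, 00000000>
<00000000, 0a1f0a10, 0000d001, c0a80105, 00000035, 00000011; 00000001, 00000000>
<00000000, 0a1f0af2, 0000c3b4, c0a80106, 000001bb, 00000006; 00000001, 00000000>
<00000000, c0a80001, 0000e2a0, 0a1f0af2, 00000016, 00000006; 00000001, 00000000>'

# hex2ip 0a1f0af2 -> 10.31.10.242  (the manual conversion the page describes)
hex2ip() {
  h=$1
  printf '%d.%d.%d.%d\n' \
    "$((0x$(printf '%s' "$h" | cut -c1-2)))" \
    "$((0x$(printf '%s' "$h" | cut -c3-4)))" \
    "$((0x$(printf '%s' "$h" | cut -c5-6)))" \
    "$((0x$(printf '%s' "$h" | cut -c7-8)))"
}

# top_talkers FIELD N: FIELD 2 = source IP, 4 = destination IP; N = rows to keep.
# Reads fw tab output on stdin and prints "<count> <ip>" lines, highest count first.
top_talkers() {
  awk -v f="$1" '{ gsub(",", "", $f); print $f }' |
    sort | uniq -c | sort -rn | head -n "$2" |
    while read -r count hex; do
      printf '%s %s\n' "$count" "$(hex2ip "$hex")"
    done
}

# Stand-alone run over the sample; on a gateway: fw tab -u -t connections | top_talkers 2 10
printf '%s\n' "$SAMPLE_FW_TAB" | top_talkers 2 10
```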

Log diagnostic report [LOG]
    $RTDIR/scripts/doctor_log.sh
    It analyzes the logs and gives a brief output of your current logging rate and daily average logging rate.
    It also produces a detailed report at /tmp/sme-diag/results/detailed_diag_report.txt
    See: https://community.checkpoint.com/t5/Logging-and-Reporting/R80-xx-equivalent-of-CPLogInvestigator-for-Log-Volume-and/td-p/46792

VPN Commands

The commands below have to be used in expert mode and NOT in clish.

To view information about VPN tunnels in R80+:

  • Open SmartConsole > Logs & Monitor.
  • Open the catalog (new tab).
  • Click Tunnel & User Monitoring.

See also: Logging and Monitoring R80.10 (Part of Check Point Infinity) 

Each entry below gives the action, where to run it in brackets, and the command.

VPN statistics [GW]
    cpstat -f all vpn

VPN tunnel manipulation [GW]
    vpn tu
    Interactive usage (better):
    vpn shell

VPN Remote Access specific [GW]
    pep show user all

Check the VPN-1 major and minor version as well as build number and latest hotfix; use -k for the kernel version [GW]
    vpn ver [-k]

Show overlapping VPN domains, if any [GW]
    vpn overlap_encdom

VPN IKE debugging (P1 and P2 communication) [GW]
    vpn debug ikeon (enable IKE debug)
    vpn debug ikeoff (disable IKE debug)
    The resulting $FWDIR/log/ike.elg and/or $FWDIR/log/ikev2.xml can be opened in the "IKEView" utility from Check Point, see sk30994.

VSX specific

The commands below have to be used in expert mode and NOT in clish.

Each entry below gives the action, where to run it in brackets, and the command.

Show VSX status; verbose with -v, interface list with -l, or the status of a single VS with VS ID <id> [VSX / VS]
    vsx stat [-v] [-l] [id]

Show connection stats [VSX]
    vsx stat -v -l
    Example:
    # vsx stat -v -l

    VSID:            0
    VRID:            0
    Type:            VSX Gateway
    Name:            fwvsx01
    Security Policy: fwvsx01_VSX
    Installed at:    21Nov2019 10:30:11
    SIC Status:      Trust
    Connections number: 66
    Connections peak:   765
    Connections limit:  14900

    VSID:            1
    VRID:            1
    Type:            Virtual System
    Name:            fw01p
    Security Policy: FW_01
    Installed at:    25Nov2019 11:30:39
    SIC Status:      Trust
    Connections number: 30628
    Connections peak:   90464
    Connections limit:  119900

View the current shell context [VSX]
    vsenv

Set the context to VS ID <id> [VSX]
    vsenv <id>

Reset SIC for a VS [VSX]
    vsenv <id>; fw vsx sicreset

View state tables for virtual system <id> [VSX]
    vsenv <id>; fw tab -t <table>

View traffic for the virtual system with ID <id> (attention: with fw monitor use -v instead of -vs) [VSX]
    fw monitor -v <id> -e 'accept;'

View the HA state of all configured Virtual Systems [VSX]
    cphaprob state

View the HA state for Virtual System ID <id> [VSX]
    cphaprob -vs <id> state

Show all bond interfaces and cluster state [VSX]
    cphaprob show_bond -a

Check the VS bit state [VSX]
    vs_bits -stat
    All VSs are at 64 bits (R80.20 default; R80.10 needs an upgrade).

Show virtual devices memory usage [VSX]
    cpstat -f memory vsx

Traffic statistics per virtual system; see sk90860 and, for more information, Check Point Useful SNMP OIDs (VSX) [VSX]
    snmpwalk -v 2c -c community 127.0.0.1 .1.3.6.1.4.1.2620.1.16.22.3 (vsxStatusMemoryUsage)

    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.1.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.2.0 = INTEGER: 1
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.3.0 = INTEGER: 2
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.4.0 = INTEGER: 3
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.1.0 = STRING: "vs0"
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.2.0 = STRING: "vs1"
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.3.0 = STRING: "vs2"
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.4.0 = STRING: "vs3"
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.1.0 = Gauge32: 0
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.2.0 = Gauge32: 0
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.3.0 = Gauge32: 0
    SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.4.0 = Gauge32: 0

Enable monitoring of CPU per VS with OID .1.3.6.1.4.1.2620.1.16.22.4 [VSX]
    fw vsx resctrl monitor enable

Enable monitoring of memory per VS with OID .1.3.6.1.4.1.2620.1.16.22.3 (needs a reboot!) [VSX]
    vsx mstat enable
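As an added example (not from the page), a POSIX shell helper that joins the three columns of the snmpwalk output above into one line per VS, using the index layout .22.3.1.<column>.<row>.0 (column 1 = VSID, 2 = name, 3 = the Gauge32 value the page labels vsxStatusMemoryUsage); the sample is constructed in the page's output format, with vs1 given a non-zero value, and the all-zero check reflects the page's note that per-VS memory monitoring must first be enabled:

```shell
#!/bin/sh
# Added example: parse the per-VS SNMP table into "<vsid> <name> <value>" rows.
# Constructed sample in snmpwalk's output format (not a real capture):
SAMPLE_WALK='SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.2.0 = INTEGER: 1
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.1.0 = STRING: "vs0"
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.2.0 = STRING: "vs1"
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.2.0 = Gauge32: 734'

# vsx_table: stdin = snmpwalk output of .1.3.6.1.4.1.2620.1.16.22.3,
# stdout = one "<vsid> <name> <value>" line per row, in row order
vsx_table() {
  awk '{
    oid = $1; sub(/.*\.22\.3\.1\./, "", oid)          # keep "<column>.<row>.0"
    split(oid, p, "."); col = p[1]; row = p[2] + 0
    val = $0; sub(/^[^=]*= [A-Za-z0-9]+: /, "", val)  # drop OID and type prefix
    gsub(/"/, "", val)                                # unquote STRING values
    v[row, col] = val
    if (row > maxrow) maxrow = row
  }
  END {
    for (r = 1; r <= maxrow; r++)
      if ((r, 1) in v) printf "%s %s %s\n", v[r, 1], v[r, 2], v[r, 3]
  }'
}

# vsx_value NAME: the column-3 value for one VS name (empty if absent)
vsx_value() {
  printf '%s\n' "$SAMPLE_WALK" | vsx_table | awk -v n="$1" '$2 == n { print $3 }'
}

# vsx_all_zero: succeeds when every Gauge32 is 0, i.e. per-VS memory
# monitoring has not been enabled yet ("vsx mstat enable", then reboot)
vsx_all_zero() {
  printf '%s\n' "$SAMPLE_WALK" | vsx_table |
    awk '$3 != 0 { found = 1 } END { exit found ? 1 : 0 }'
}

printf '%s\n' "$SAMPLE_WALK" | vsx_table
vsx_all_zero && echo "all values are 0: run 'vsx mstat enable' and reboot"
```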

API specific (mgmt_cli)

API Manual: https://sc1.checkpoint.com/documents/R80/APIs/index.html

The mgmt_cli tool is installed as part of Gaia on all R80 gateways and can be used in scripts running in expert mode.
The mgmt_cli.exe tool is installed as part of the R80 SmartConsole installation (typically under C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\) and can be copied to run on any Windows machine.

On Windows you cannot log in with a certificate, since mgmt_cli_login is missing; log in with user/password instead, or use the mgmt_cli tool on the management server.

To reuse the current ssh login with mgmt_cli (no separate API login), use the undocumented feature
mgmt_cli -r true

If your mgmt server is running the API on another port (e.g. 8443), use
mgmt_cli --port 8443

Show api-settings

Check if clients are allowed to connect to the api and check all the api-settings.

mgmt_cli -r true --domain 'System Data' show api-settings


...
accepted-api-calls-from: "all ip addresses"
...

API Status

To confirm that the API is usable and available remotely, run the api status command. If Accessibility shows “Require all granted” it means that any system can access the API (on R80 this will show “Allow all”).

[Expert@awsmgmt:0]# api status

API Settings:
---------------------
Accessibility:                      Require all granted
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   14472
CPM       Started   14350     Check Point Security Management Server is running and ready
FWM       Started   13807

Port Details:
-------------------
JETTY Internal Port:      50276
APACHE Gaia Port:         443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

API Status Troubleshooting data

To create a <comment>.tgz file with troubleshooting data, run

api status -s <comment>

Logging in

First create a session into a file and reuse it:

mgmt_cli login user admin > id.txt

With read-only access:

mgmt_cli login user admin read-only true > id.txt

Search object in database

Search objects by IP; returns all objects that contain the IP explicitly or within a network address space/range.

mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'

Show access layers

mgmt_cli show access-layers limit 500 -s id.txt --format json | jq '."access-layers"[].name'

Output:
"Layer1"
"Layer2"
...

Show number of rules in policy

mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'

Show access rule base

mgmt_cli show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2020-01-01" hits-settings.to-date "2020-12-31T23:59" hits-settings.target "corporate-gw" --format json

Display rule with explicit uid

mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"

Show unused objects in objects-db

mgmt_cli show unused-objects offset 0 limit 50 details-level "standard" -s id.txt --format json

Show changes from who and when in objects-db

mgmt_cli show changes from-date "2019-04-11T08:20:50" to-date "2019-04-15" -s id.txt --format json

Run script on firewall

https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/run-script~v1.6%20

mgmt_cli run-script script-name "ifconfig" script "ifconfig" targets.1 "corporate-gateway" -s id.txt --format json

Show application-site URLs

mgmt_cli show application-site name "HTTPS Pass Through Global" details-level "standard" -s id.txt --version 1.2 --format json

Show VPN communities

mgmt_cli -r true show vpn-communities-star details-level full -s id.txt --format json

mgmt_cli -r true show vpn-communities-meshed details-level full -s id.txt --format json

Count and show access-layers (Inline Layers)

mgmt_cli show access-layers limit 500 --format json

Output:

.
.
 } ],
 "from" : 1,
 "to" : 260,
 "total" : 260
}

http://sicuriconnoi.blogspot.com/2017/11/top-checkpoint-cli-commands.html

Check Point stattest Utility for OID Troubleshooting on GW
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_CLI_ReferenceGuide/Content/Topics-CLIG/FWG/stattest.htm