Useful CLI commands
Cheatsheets
- FortiOS 6.2 Cheat Sheet (https://blog.boll.ch/cheatsheet-fortios-version-6-2/)
CLI Commands
To start a transaction in CLI use execute config-transaction start.
A workspace mode transaction times out in five minutes if there is no activity. When a transaction times out, all changes are discarded
Commit config changes with execute config-transaction commit.
Abort with execute config-transaction abort.
Generic Commands
Default Device Information
admin / no password | Default login |
192.168.1.99 | Default IP on port1, internal or management port |
9600/8-N-1, hw flow control disabled | Default serial console settings |
General system commands
get system status | General system information |
exec tac support | Generates report for support |
tree | List all commands |
<command> ? / tab | Use ? or tab in CLI for help |
<command> | grep [filter] | Grep commands to filter output |
Fortigate most used ports
UDP/53, UDP/8888 | Fortiguard Queries |
TCP/389, UDP/389 | LDAP, PKI Authentication |
TCP/443 | Contract Validation, FortiToken, Firmware Updates |
TCP/443, TCP/8890 | AV and IPS Update |
UDP/500, ESP | IPSEC VPN |
UDP/500, UDP/4500 | IPSEC VPN with NAT-Traversal |
Set Commands
add allowed-client host any-host / add allowed-client host <ip address> | add any host to the allowed clients list/ add allowed client by ipv4 address |
add backup local | create and store a backup file in /var/cpbackups/backups/( on open servers) or /var/log/cpbackup/backups/ ( on checkpoint appliances) |
add backup scp ip value path value username value | adds backup to scp server |
add backup tftp ip value [ interactive ] | adds backup to tftp server |
add snapshot | create snapshots which backs up everything like os configuration, checkpoint configuration, versions, patch level), including the drivers |
add syslog log-remote-address <ip address> level <emerg/alert/crit/err/warning/notice/info/debug/all> | specifies syslog parameters |
add user <username> uid <user-id-value> homedir | creates a user |
expert | executes system shell |
halt | put system to halt |
history | shows command history |
lock database override | overrides the config-lock settings |
quit | exits out of a shell |
reboot | reboots a system |
restore backup local [value] | restores local backup interactively |
rollback | ends the transaction mode by reverting the changes made during transaction |
save config | save the current configuration |
set backup restore local <filename> | restores a local backup |
set cluster member admin {down | up} | initiating manual cluster failover |
set core-dump <enable/disable> | enable/disable core dumps |
set date yyyy-mm-dd | sets system date |
set dhcp server enable | enable dhcp server |
set dns primary <x.x.x.x> | sets primary dns ip address |
set dns secondary <x.x.x.x> | sets secondary dns ip address |
set expert-password | set or change password for entering into expert mode |
set edition default <value> | set the default edition to 32-bit or 64-bit |
set hostname <value> | sets system hostname |
set inactivity-timeout <value> | sets the inactivity timeout |
set interface ethx ipv4-address x.x.x.x mask-length 24 | adds ip address to an interface |
set ipv6-state on/off | sets ipv6 status as on or off |
set kernel-routes on/off | sets kernel routes to on/off state |
set management interface <interface name> | sets an interface as management interface |
set message motd value | sets message of the day |
set ntp active on/off | activates ntp on/off |
set ntp server primary x.x.x.x version <1/2/3/4> | sets primary ntp server |
set ntp server secondary x.x.x.x version <1/2/3/4> | sets secondary ntp server |
set snapshot revert<filename> | revert the machine to the selected snapshot |
set snmp agent on/off | sets the snmp agent daemon on/off |
set snmp agent-version <value> | sets snmp agent version |
set snmp community <value> read-only | sets snmp readonly community string |
add snmp interface <interface name> | sets snmp agent interface |
set snmp traps receiver <ip address> version v1 community value | specifies trap receiver |
set snmp traps trap <value> | set snmp traps |
set static-route x.x.x.x/xx nexthop gateway address x.x.x.x on set static-route x.x.x.x/xx comment "{comment}" |
adds specific static route comment static route |
set static-route NETWORK_ADDRESS/MASK_LENGTH nexthop gateway address GATEWAY_IP_ADDRESS off set static-route <Destination IP address> off set static-route default nexthop gateway address GATEWAY_IP_ADDRESS off |
Delete Routes |
set time <value> | sets system time |
set time zone <time-zone> | sets the time zone |
set vsx off | sets vsx mode on |
set vsx on | sets vsx mode off |
set user <username> password | sets users password |
set web session-timeout <value> | sets web configuration session time-out in minutes |
set web ssl-port <value> | sets the web ssl-port for the system |
Generic Commands
The commands below have to be used in expert mode and NOT in clish.
Action | Use on | Command |
---|---|---|
Show licenses | MGMT / GW | cplic print -x (-x print signatures) |
Remove Evaluation License | GW |
cplic eval_disable You have disabled Check Point evaluation period |
Get licenses from management system on gateway | GW | contract_util mgmt |
Show enabled blades Example: # enabled_blades
fw ips ThreatEmulation Scrub |
GW | enabled_blades |
ClusterXL Switch over (disable ClusterXL state) | GW |
clusterXL_admin down Note: The [-p] is an optional flag (stands for "permanent") - the Critical Device called "admin_down" will be automatically added to the $FWDIR/conf/cphaprob.conf file, so that this configuration survives the reboot. |
Show Cluster status | GW | cphaprob stat |
Debug to see all dropped connections | GW |
fw ctl zdebug drop fw ctl zdebug -h (help) |
Debug to see all NAT informations | GW | fw ctl zdebug + xlat |
Debug to get a fast packet trace | GW | fw ctl zdebug + packet | grep -B 1 TCP |grep -B 1 "(SYN)" |
See stats of number of connections | GW | cpstat fw |
Connections load on the fw | GW | fw tab -s -t connections |
Clear ALL connections on fw from the table (CAUTION!) | GW | fw tab -t connections -x |
ClusterXL sync statistics to R80.10 (sk34476) ClusterXL sync statistics for R80.20 and higher (sk34475) |
GW GW |
fw ctl pstat CLISH: show cluster statistics sync |
Show connected SmartConsole clients | MGMT | cpstat mg |
Manage the GUI clients that can use SmartConsoles to connect to the Security Management Server |
MGMT |
cp_conf client get # Get the GUI clients list cp_conf client add <GUI client> # Add one GUI Client cp_conf client del < GUI client 1> < GUI client 2>... # Delete GUI Clients cp_conf client createlist < GUI client 1> < GUI client 2>... # Create new list. |
Show sync details | GW | fw ha -f all |
Shows packets accepted, dropped, peak connections, and top rule hits | GW | cpstat blades |
Use CLI commands over SIC from MGMT without password, used as example for "last chance" configs. | MGMT |
cprid_util (--help)
|
Show interfaces, ip-addresses and subnet mask, used for a very good interface-overview. | MGMT/GW | fw getifs |
Show installed hotfixes and releases | GW | cpinfo -y all |
Show statistics about accelerated traffic | GW |
fwaccel stats -s |
This command will list what interface is connected to what IRQ to what core. | GW |
fw ctl affinity -l -v -r fw ctl affinity -s will subsequently allow you to set the values. |
**UNDOCUMENTED** Show state and timeline of ClusterXL events in CLISH |
GW | CLISH: show routed cluster-state detailed |
Top 10 Source-IPs in connection table. You need to manual convert hex in ascii to get the ip, like so: 0a1f0af2 For the top 10 destinations, substitute $4 for $2 in the awk command. |
GW | fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10 |
Log Diagnostic Report It will also produce a detailed output at /tmp/sme-diag/results/detailed_diag_report.txt |
LOG | $RTDIR/scripts/doctor_log.sh |
VPN Commands
The commands below have to be used in expert mode and NOT in clish.
To view informations about VPN Tunnels
In R80+:
- Open SmartConsole > Logs & Monitor.
- Open the catalog (new tab).
- Click Tunnel & User Monitoring.
See also: Logging and Monitoring R80.10 (Part of Check Point Infinity)
Action | Use on | Command |
---|---|---|
VPN statistics | GW | cpstat -f all vpn |
VPN Tunnel manipulation | GW |
vpn tu Interactive usage (better): vpn shell |
VPN Remote Access specific | GW | pep show user all |
Check VPN-1 major and minor version as well as build number and latest hotfix. |
GW | vpn ver [-k] |
Show, if any, overlapping VPN domains | GW | vpn overlap_encdom |
VPN IKE Debugging (P1 and P2 Communication) The resulting $FWDIR/log/ike.elg and/or $FWDIR/log/ikev2.xml can be used in the "IKEView" Utility from Check Point, see here: sk30994 |
GW |
vpn debug ikeon (enable IKE debug) vpn debug ikeoff (disable IKE debug) |
VSX specific
The commands below have to be used in expert mode and NOT in clish
Action | Use on | Command |
---|---|---|
Show VSX status. |
VSX / VS | vsx stat [-v] [-l] [id] |
Show connections stats
|
VSX | vsx stat -v -l |
View current shell context. | VSX | vsenv |
Set context to VS ID <id> | VSX | vsenv <id> |
Reset SIC for VS | VSX | vsenv <id>; fw vsx sicreset |
View state tables for virtual system <id>. | VSX | vsenv <id>; fw tab -t <table> |
View traffic for virtual system with ID <id>. Attention: with fw monitor use -v instead of -vs. |
VSX | fw monitor -v <id> -e 'accept;' |
View HA state of all configured Virtual Systems. | VSX | cphaprob state |
View HA state for Virtual System ID <id>. | VSX | cphaprob -vs <id> state |
Show all bond interfaces and Cluster state | VSX | cphaprob show_bond -a |
Check VS bit state | VSX | vs_bits -stat All VSs are at 64 bits (R80.20 default, R80.10 need upgrade) |
Show virtual devices memory usage | VSX | cpstat -f memory vsx |
Traffic statistic per virtual system See sk90860 More information: Check Point Useful SNMP OIDs (VSX) |
VSX |
snmpwalk -v 2c -c community 127.0.0.1 .1.3.6.1.4.1.2620.1.16.22.3 (vsxStatusMemoryUsage) SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.1.0 = INTEGER: 0 |
To enable monitoring CPU per-VS with OID .1.3.6.1.4.1.2620.1.16.22.4 | VSX | fw vsx resctrl monitor enable |
To enable monitoring memory per-VS with OID .1.3.6.1.4.1.2620.1.16.22.3 Needs a reboot! |
VSX | vsx mstat enable |
API specific (mgmt_cli)
API Manual: https://sc1.checkpoint.com/documents/R80/APIs/index.html
The mgmt_cli tool is installed as part of Gaia on all R80 gateways and can be used in scripts running in expert mode.
The mgmt_cli.exe tool is installed as part of the R80 SmartConsole installation (typically under C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\) and can be copied to run on any Windows machine.
On Windows you cannot login with a certificate since the mgmt_cli_login is missing, you need to login with user/password or use the mgmt_cli tool on the management server.
To use the actual ssh login with mgmt_cli use the undocumented featuremgmt_cli -r true
If your mgmt server is running on another port (ex. 8443) usemgmt_cli --port 8443
Show api-settings
Check if clients are allowed to connect to the api and check all the api-settings.
mgmt_cli -r true --domain 'System Data' show api-settings
...
accepted-api-calls-from: "all ip addresses"
...
API Status
To confirm that the API is usable and available remotely, run the api status command. If Accessibility shows “Require all granted” it means that any system can access the API (on R80 this will show “Allow all”).
[Expert@awsmgmt:0]# api status
API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 14472
CPM Started 14350 Check Point Security Management Server is running and ready
FWM Started 13807
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
API Status Troubleshooting data
To create a <comment>.tgz file with troubleshooting data start
api status -s <comment>
logging in
First create a session into a file and reuse it:
mgmt_cli login user admin > id.txt
With read-only access:
mgmt_cli login user admin read-only true > id.txt
Search object in database
search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range.
mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'
Show access layers
mgmt_cli show access-layers limit 500 -s id.txt --format json | jq '."access-layers"[].name'
Output:
"Layer1"
"Layer2"
...
Show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'
Show access rule base
mgmt_cli show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2020-01-01" hits-settings.to-date "2020-12-31T23:59" hits-settings.target "corporate-gw" --format json
Display rule with explicit uid
mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
Show unused objects in objects-db
mgmt_cli show unused-objects offset 0 limit 50 details-level "standard" -s id.txt --format json
Show changes from who and when in objects-db
mgmt_cli show changes from-date "2019-04-11T08:20:50" to-date "2019-04-15" -s id.txt --format json
Run script on firewall
https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/run-script~v1.6%20
mgmt_cli run-script script-name "ifconfig" script "ifconfig" targets.1 "corporate-gateway" -s id.txt --format json
Show application-site URLs
mgmt_cli show application-site name "HTTPS Pass Through Global" details-level "standard" -s id.txt --version 1.2 --format json
Show VPN communities
mgmt_cli -r true show vpn-communities-star details-level full -s id.txt --format json
mgmt_cli -r true show vpn-communities-meshed details-level full -s id.txt --format json
Count and show access-layers (Inline Layers)
mgmt_cli show access-layers limit 500 --format json
Output:
.
.
} ],
"from" : 1,
"to" : 260,
"total" : 260
}
Links
http://sicuriconnoi.blogspot.com/2017/11/top-checkpoint-cli-commands.html
Check Point stattest Utility for OID Troubleshooting on GW
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_CLI_ReferenceGuide/Content/Topics-CLIG/FWG/stattest.htm