Skip to main content

Useful CLI commands

Cheatsheets

CLI Commands

To start a transaction in CLI use execute config-transaction start.

A workspace mode transaction times out in five minutes if there is no activity. When a transaction times out, all changes are discarded

Commit config changes with execute config-transaction commit.
Abort with execute config-transaction abort.

Generic Commands

Default Device Information
admin / no password Default login
192.168.1.99 Default IP on port1, internal or management port
9600/8-N-1, hw flow control disabled Default serial console settings
General system commands
get system status General system information
exec tac support Generates report for support
tree List all commands
<command> ? / tab Use ? or tab in CLI for help
<command> | grep [filter] Grep commands to filter output
Fortigate most used ports
UDP/53, UDP/8888 Fortiguard Queries
TCP/389, UDP/389 LDAP, PKI Authentication
TCP/443 Contract Validation, FortiToken, Firmware Updates
TCP/443, TCP/8890 AV and IPS Update
UDP/500, ESP IPSEC VPN
UDP/500, UDP/4500 IPSEC VPN with NAT-Traversal
 TCP/514  FortiManager, FortiAnalyzer
 TCP/1812, TCP/1813  RADIUS Auth & Accounting
 UDP/5246, UDP/5247  CAPWAP
 TCP/8001  FSSO
TCP/8013Compliance and Security Fabric
ETH Layer 0x8890, 0x8891 and 0x8893HA Heartbeat
For HA The virtual MAC address is determined based on following formula:
00-09-0f-09-<group-id_hex>-(<vcluster_integer> + <idx>)

SetNetwork Commandscommands

Interface information
abackupfile
adddiag allowed-client host any-host / add allowed-client host <ip address> list addList anyof hostIP toaddresses theon allowedFortiGate clients list/ add allowed client by ipv4 addressinterfaces
adddiag backupfirewall localiplist list createList of IP addresses on VIP and storeIP-Pools
in
Security Fabric
open
diag sys csf upstream /var/cpbackups/backups/( ondownstream List servers)of orup/downstream /var/log/cpbackup/backups/ ( on checkpoint appliances)devices
adddiag backupsys scpcsf ipneighbor value path value username valuelist addsMAC/IP backuplist toof scpconnected serverFG devices
adddiag backupautomation tftptest ip value [ interactive ]<stich_name> addsTest backupstitches toin tftpthe serverCLI
adddiag snapshottest appl csfd 1 ... createDisplay snapshotssecurity whichfabric backs up everything like os configuration, checkpoint configuration, versions, patch level), including the driversstatistics
adddiag syslogdebug log-remote-addressappl <ipcsfd address> level <emerg/alert/crit/err/warning/notice/info/debug/all>-1 specifiesReal-time syslog parametersdebugger
add
user
Switch <username>Controller
uid<user-id-value> homedir
creates a user

expertdiag switch-controller switch-info mac-table

executesManaged systemFortiSwitch shell
haltput system to halt
historyshows command history
lock database overrideoverrides the config-lock settings
quitexits out of a shell
rebootreboots a system
restore backup local [value]restores local backup interactively
rollbackends the transaction mode by reverting the changes made during transaction
save configsave the current configuration
set backup restore local <filename>restores a local backup
set cluster member admin {down | up}initiating manual cluster failover
set core-dump <enable/disable>enable/disable core dumps
set date yyyy-mm-ddsets system date
set dhcp server enableenable dhcp server
set dns primary <x.x.x.x>sets primary dns ip address
set dns secondary <x.x.x.x>sets secondary dns ip address
set expert-passwordset or change password for entering into expert mode
set edition default <value>set the default edition to 32-bit or 64-bit
set hostname <value>sets system hostname
set inactivity-timeout <value>sets the inactivity timeout
set interface ethipv4-address x.x.x.x mask-length 24adds ipMAC address to an interface
set ipv6-state on/offsets ipv6 status as on or off
set kernel-routes on/offsets kernel routes to on/off state
set management interface <interface name>sets an interface as management interface
set message motd valuesets message of the day
set ntp active on/offactivates ntp on/off
set ntp server primary x.x.x.x version <1/2/3/4>sets primary ntp server
set ntp server secondary x.x.x.x version <1/2/3/4>sets secondary ntp server
set snapshot revert<filename>revert the machine to the selected snapshot
set snmp agent on/offsets the snmp agent daemon on/off
set snmp agent-version <value>sets snmp agent version
set snmp community <value> read-onlysets snmp readonly community string
add snmp interface <interface name>sets snmp agent interface
set snmp traps receiver <ip address> version v1 community valuespecifies trap receiver
set snmp traps trap <value>set snmp trapslist

setdiag static-routeswitch-controller x.x.x.x/xx nexthopswitch-info gateway address x.x.x.x onport-stats

Managed FortiSwitch port statistics

setdiag static-routeswitch-controller x.x.x.x/xxswitch-info commenttrunk

"{comment}"
Trunk information

diag switch-controller switch-info mclag

Dumps MCLAG releated information from FortiSwitch

execute switch-controller get-conn-status

Get FortiSwitch connection status
execute switch-controller diagnose-connectionGet FortiSwitch connection diagnostics
SD-WAN
Traffic

diag sys virtual-wan-link member

Provide interface details
diag sys virtual-wan-link health-check <name>State of SLAs

diag sys virtual-wan-link service <rule-id>

addsSD-WAN specificrule static route

comment static routestate

setdiag static-route NETWORK_ADDRESS/MASK_LENGTH nexthopsys gatewayvirtual-wan-link address GATEWAY_IP_ADDRESS off

set static-routeintf-sla-log <Destination IP addressintf-name> off

set static-route default nexthop gateway address GATEWAY_IP_ADDRESS off

DeleteLink Routes
set time <value>sets system time
set time zone <time-zone>sets the time zone
set vsx offsets vsx mode on
set vsx onsets vsx mode off
set user <username> passwordsets users password
set web session-timeout <value>sets web configuration session time-out in minutes
set web ssl-port <value>sets the web ssl-port for the system

Generic Commands

The commands below have to be used in expert mode and NOT in clish.

link-
ActionUse onCommand
Show licensesMGMT / GWcplic print -x
(-x print signatures)
Remove Evaluation LicenseGW

cplic eval_disable

You have disabled Check Point evaluation period
For activation you need to restart ALL Check Point modules
(performing cpstop & cpstart)

Get licenses from management system on gatewayGWcontract_util mgmtHistory

Showdiag enabledsys bladesvirtual-wan-link sla-log <sla> <link_id>

Example:

# enabled_blades
fw ips ThreatEmulation Scrub
GWenabled_blades
ClusterXL Switch over (disable ClusterXL state)GW

clusterXL_admin down

Note: The [-p] is an optional flag (stands for "permanent")

- the Critical Device called "admin_down" will be automatically added to the $FWDIR/conf/cphaprob.conf file,

so that this configuration survives the reboot.

Show Cluster statusGWcphaprob stat
Debug to see all dropped connectionsGW

fw ctl zdebug drop

fw ctl zdebug -h (help)

Debug to see all NAT informationsGWfw ctl zdebug + xlat
Debug to get a fast packet traceGWfw ctl zdebug + packet | grep -B 1 TCP |grep -B 1 "(SYN)"
See stats of number of connectionsGWcpstat fw
Connections loadSLA-Log on thespecific fwGWfw tab -s -t connections
Clear ALL connections on fw from the table (CAUTION!)GWfw tab -t connections -xinterface

ClusterXLdiag synctest statisticsapplication tolnkmtd R80.10 (sk34476)

ClusterXL sync statistics for R80.20 and higher (sk34475)

GW

GW1/2/3

Statistics

fwof ctl pstat

CLISH: show cluster statistics sync
Expert: cphaprob syncstat

link-monitor
Showdiag connecteddebug SmartConsoleapplication clients MGMTmonitor -1 cpstatReal-time mg

Manage the GUI clients that can use SmartConsoles to connect to the Security Management Server

MGMT

cp_conf client get # Get the GUI clients list

cp_conf client add <GUI client> # Add one GUI Client

cp_conf client del < GUI client 1> < GUI client 2>... # Delete GUI Clients

cp_conf client createlist < GUI client 1> < GUI client 2>... # Create new list.

Show sync detailsGWfw ha -f all
Shows packets accepted, dropped, peak connections, and top rule hitsGWcpstat blades
Use CLI commands over SIC from MGMT without password, used as example for "last chance" configs.MGMT

cprid_util (--help)

 

Example Reset admin password without access to GW:

/sbin/grub-md5-crypt

cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c \
'set config-lock on override'  # Ensure clish db is unlocked

cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c \
'set user admin password-hash <Password_Hash_from_Step_above>' # Set admin user pw hash

cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c \
'set expert-password-hash <Password_Hash_from_Step_above>' # change expert pw hash
Show interfaces, ip-addresses and subnet mask, used for a very good interface-overview.MGMT/GWfw getifs
Show installed hotfixes and releasesGWcpinfo -y all
Show statistics about accelerated trafficGW

fwaccel stats -s

This command will list what interface is connected to what IRQ to what core.GW

fw ctl affinity -l -v -r

fw ctl affinity -s will subsequently allow you to set the values.

**UNDOCUMENTED**

Show state and timelinedebugger of ClusterXL events in CLISH 

GWCLISH:
show routed cluster-state detailed

Top 10 Source-IPs in connection table.

You need to manual convert hex in ascii to get the ip, like so: 0a1f0af2
= 10.31.10.242.

For the top 10 destinations, substitute $4 for $2 in the awk command.

GWfw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10

Log Diagnostic Report
It will analyze the logs and give you a brief output of your Current Logging and Daily Average Logging rates.

It will also produce a detailed output at /tmp/sme-diag/results/detailed_diag_report.txt

https://community.checkpoint.com/t5/Logging-and-Reporting/R80-xx-equivalent-of-CPLogInvestigator-for-Log-Volume-and/td-p/46792

LOG$RTDIR/scripts/doctor_log.shlink-monitor

VPN Commands

The commands below have to be used in expert mode and NOT in clish.

To view informations about VPN Tunnels

In R80+: 

  • Open SmartConsole > Logs & Monitor.
  • Open the catalog (new tab).
  • Click Tunnel & User Monitoring.

See also: Logging and Monitoring R80.10 (Part of Check Point Infinity) 

ActionUse onCommand
VPN statisticsGWcpstat -f all vpn
VPN Tunnel manipulationGW

vpn tu

Interactive usage (better):

vpn shell

VPN Remote Access specificGWpep show user all

Check VPN-1 major and minor version as well as build number and latest hotfix.
Use -k for kernel version

GWvpn ver [-k]
Show, if any, overlapping VPN domainsGWvpn overlap_encdom
VPN IKE Debugging (P1 and P2 Communication)
The resulting $FWDIR/log/ike.elg and/or $FWDIR/log/ikev2.xml can be used in the "IKEView" Utility from Check Point, see here: sk30994
GW

vpn debug ikeon (enable IKE debug)

vpn debug ikeoff (disable IKE debug)

VSX specific

The commands below have to be used in expert mode and NOT in clish

ActionUse onCommand

Show VSX status.
Verbose with -v, interface list with -l or status of single VS with VS ID <id>.

VSX / VSvsx stat [-v] [-l] [id]

Show connections stats

Example:

# vsx stat -v -l

VSID:            0
VRID:            0
Type:            VSX Gateway
Name:            fwvsx01
Security Policy: fwvsx01_VSX
Installed at:    21Nov2019 10:30:11
SIC Status:      Trust
Connections number: 66
Connections peak:   765
Connections limit:  14900

VSID:            1
VRID:            1
Type:            Virtual System
Name:            fw01p
Security Policy: FW_01
Installed at:    25Nov2019 11:30:39
SIC Status:      Trust
Connections number: 30628
Connections peak:   90464
Connections limit:  119900
VSXvsx stat -v -l
View current shell context.VSXvsenv
Set context to VS ID <id>VSXvsenv <id>
Reset SIC for VSVSXvsenv <id>; fw vsx sicreset
View state tables for virtual system <id>.VSXvsenv <id>; fw tab -t <table>
View traffic for virtual system with ID <id>.
Attention: with fw monitor use -v instead of -vs.
VSXfw monitor -v <id> -e 'accept;'
View HA state of all configured Virtual Systems.VSXcphaprob state
View HA state for Virtual System ID <id>.VSXcphaprob -vs <id> state
Show all bond interfaces and Cluster stateVSXcphaprob show_bond -a
Check VS bit stateVSXvs_bits -stat
All VSs are at 64 bits (R80.20 default, R80.10 need upgrade)
 
Show virtual devices memory usageVSXcpstat -f memory vsx

Traffic statistic per virtual system

See sk90860

More information: Check Point Useful SNMP OIDs (VSX)

VSX

snmpwalk -v 2c -c community 127.0.0.1 .1.3.6.1.4.1.2620.1.16.22.3 (vsxStatusMemoryUsage)

SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.2.0 = INTEGER: 1
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.3.0 = INTEGER: 2
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.1.4.0 = INTEGER: 3
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.1.0 = STRING: "vs0"
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.2.0 = STRING: "vs1"
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.3.0 = STRING: "vs2"
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.2.4.0 = STRING: "vs3"
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.1.0 = Gauge32: 0 help
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.2.0 = Gauge32: 0 help
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.3.0 = Gauge32: 0 help
SNMPv2-SMI::enterprises.2620.1.16.22.3.1.3.4.0 = Gauge32: 0 help
 

To enable monitoring CPU per-VS with OID .1.3.6.1.4.1.2620.1.16.22.4VSXfw vsx resctrl monitor enable

To enable monitoring memory per-VS with OID .1.3.6.1.4.1.2620.1.16.22.3

Needs a reboot!

VSXvsx mstat enable

API specific (mgmt_cli)

API Manual: https://sc1.checkpoint.com/documents/R80/APIs/index.html

The mgmt_cli tool is installed as part of Gaia on all R80 gateways and can be used in scripts running in expert mode.
The mgmt_cli.exe tool is installed as part of the R80 SmartConsole installation (typically under C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\) and can be copied to run on any Windows machine. 

On Windows you cannot login with a certificate since the mgmt_cli_login is missing, you need to login with user/password or use the mgmt_cli tool on the management server.

To use the actual ssh login with mgmt_cli use the undocumented feature
mgmt_cli -r true

If your mgmt server is running on another port (ex. 8443) use
mgmt_cli --port 8443

Show api-settings

Check if clients are allowed to connect to the api and check all the api-settings.

mgmt_cli -r true --domain 'System Data' show api-settings


...
accepted-api-calls-from: "all ip addresses"
...

API Status

To confirm that the API is usable and available remotely, run the api status command. If Accessibility shows “Require all granted” it means that any system can access the API (on R80 this will show “Allow all”).

[Expert@awsmgmt:0]# api status

API Settings:
---------------------
Accessibility:                      Require all granted
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   14472
CPM       Started   14350     Check Point Security Management Server is running and ready
FWM       Started   13807

Port Details:
-------------------
JETTY Internal Port:      50276
APACHE Gaia Port:         443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

API Status Troubleshooting data

To create a <comment>.tgz file with troubleshooting data start

api status -s <comment>

logging in

First create a session into a file and reuse it:

mgmt_cli login user admin > id.txt

With read-only access:

mgmt_cli login user admin read-only true > id.txt

Search object in database

search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range.

mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'

Show access layers

mgmt_cli show access-layers limit 500 -s id.txt --format json | jq '."access-layers"[].name'

Output:
"Layer1"
"Layer2"
...

Show number of rules in policy

mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'

Show access rule base

mgmt_cli show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2020-01-01" hits-settings.to-date "2020-12-31T23:59" hits-settings.target "corporate-gw" --format json

Display rule with explicit uid

mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"

Show unused objects in objects-db

mgmt_cli show unused-objects offset 0 limit 50 details-level "standard" -s id.txt --format json

Show changes from who and when in objects-db

mgmt_cli show changes from-date "2019-04-11T08:20:50" to-date "2019-04-15" -s id.txt --format json

Run script on firewall

https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/run-script~v1.6%20

mgmt_cli run-script script-name "ifconfig" script "ifconfig" targets.1 "corporate-gateway" -s id.txt --format json

Show application-site URLs

mgmt_cli show application-site name "HTTPS Pass Through Global" details-level "standard" -s id.txt --version 1.2 --format json

Show VPN communities

mgmt_cli -r true show vpn-communities-star details-level full -s id.txt --format json

mgmt_cli -r true show vpn-communities-meshed details-level full -s id.txt --format json

Count and show access-layers (Inline Layers)

mgmt_cli show access-layers limit 500 --format json

Output:

.
.
 } ],
 "from" : 1,
 "to" : 260,
 "total" : 260
}

http://sicuriconnoi.blogspot.com/2017/11/top-checkpoint-cli-commands.html

Check Point stattest Utility for OID Troubleshooting on GW
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_CLI_ReferenceGuide/Content/Topics-CLIG/FWG/stattest.htm