clish -c 'show version all'            !! View the current OS and Product version
clish -s -c 'set edition default <32|64>-bit'           !! Modify the version - 64-bit will only show if the device has enough memory to support it

Documentation

[ # ]

clish
add dhcp server subnet <network-ip> netmask <cidr>
add dhcp server subnet <network-ip> include-ip-pool start <pool-start-ip> end <pool-end-ip>
set dhcp server subnet <network-ip> include-ip-pool <pool-start-ip>-<pool-end-ip> enable
set dhcp server subnet <network-ip> default-lease <default-lease-time>
set dhcp server subnet <network-ip> max-lease <max-lease-time>
set dhcp server subnet <network-ip> default-gateway <default-gw-ip>
set dhcp server subnet <network-ip> dns '<server1>, <server2>'
set dhcp server subnet <network-ip> domain <domain>
set dhcp server subnet <network-ip> enable
set dhcp server enable
save config

Documentation

[ # ]

fw ctl pstat

Notes

  • Aggressive aging causes idle connections to time out much sooner (for instance, 60 seconds instead of 60 minutes)
  • A device may enter Aggressive Aging when running low on memory.

The following log indicates aggressive aging due to low memory:

Number:                              111111
Date:                                     1Jan2014
Time:                                     01:00:00
Origin:                                   CPDEVICE
Type:                                     Log
Action:                                   
Information:                      Memory consumption: <#>% - <#>MB out of <#>MB
                                                Capacity notification: Memory consumption has exceeded 80%
                                                Aggressive aging status: Active
                                                Connections table capacity: <#>% - <#> out of <#>

Attack Information:        Connections table's denial of service prevention mechanism
Product:                               IPS Software Blade

[ # ]

cp_conf client get        !! View configured GUI clients
cp_conf client add <ip>   !! Add a client to the current GUI clients list
cp_conf client del <ip> <ip> <etc>    !! Delete 1+ GUI clients
cp_conf client createlist <ip> <ip> <etc>     !! Create a new GUI list (will overwrite the old) and add 1+ GUI clients

cp_conf admin get         !! View configured administrators
cp_conf admin add <user> <pass> <a|w|r>   !! Add new admin user, a - read/write/manage admins, w - read/write, r - read only
cp_conf admin del <user> <user>     !! Delete 1+ admin users

cp_conf sic state         !! View current SIC status
cp_conf sic <key>         !! Initialize SIC state
cp_conf sic cert_pull <management-server> <object>      !! Pull the certificate of a DAIP object

cp_conf finger get        !! View the management server fingerprint

cp_conf lic get           !! View licenses
cp_conf lic add -f <file>   !! Add license from license file
cp_conf lic add -m <host> <date> <license-key> <SKU>      !! Add license manually
cp_conf lic del <signature-key>     !! Remove a license

cp_conf ha <enable|disable> [norestart]   !! Enable/Disable HA. Add 'norestart' to the command to keep the device from performing a cpstop;cpstart
cp_conf sxl <enable|disable>      !! Enable/Disable SecureXL

cp_conf snmp get        !! View current status of the SNMP module
cp_conf snmp <enable|disable>     !! Enable/Disable SNMP

[ # ]

fw tab -s -t userc_users    !! Number of currently connected VPN users
fw tab -f -t userc_users    !! List of currently connected VPN users
fw tab -t vpn_enc_domain_valid -f -u    !! View encryption domains (may be very large)

!! The following show/delete commands are for viewing and clearing tunnels per peer when 'vpn tu' cannot be accessed
vpn shell /show/tunnels/IKE/all
vpn shell /show/tunnels/ipsec/all
vpn shell /show/tunnels/ike/peer/<peer-ip>
vpn shell /show/tunnels/ipsec/peer/<peer-ip>

vpn shell /tunnels/delete/all
vpn shell /tunnels/delete/IKE/all
vpn shell /tunnels/delete/IKE/peer/<peer-ip>
vpn shell /tunnels/delete/IPsec/all
vpn shell /tunnels/delete/IPsec/peer/<peer-ip>

[ # ]

tcpdump -nni [interface] host [ip]
tcpdump -nni [interface] net [ip]/[cidr]
tcpdump -nni [interface] host [ip] and port [port]
tcpdump -nni [interface] vlan [vlan #] and host [ip]
tcpdump -w [file].cap -s 1514 -nni [interface] host [src] and host [dst]        !! captures entire packet into file
tcpdump -r [file].cap                    !! Replay the capture from the file
tcpdump -nni [interface] host [ip] &      !! & symbol puts capture in the background
tcpdump -nni [interface] \(host [ip] or host [ip]\) and \(host [ip] or host [ip]\)
tcpdump -nni [interface] ip proto 112

fw monitor -e 'accept src=[ip] or dst=[ip] ;'    !! net ip/CIDR ??
fw monitor -e "accept (src=192.168.11.1 and dst=10.10.10.1) or (src=10.10.10.1 and dst=192.168.11.1);"

[ # ]

vi $FWDIR/conf/objects_5_0.C
Change the following:
  :support_sofaware_profiles (false)
to
  :support_sofaware_profiles (true)
Restart Checkpoint Services

Notes:

  • With the above set to false, if you create the object via Network Objects Manager, upon verification, the following error may appear: "'s IP address is invalid (inside DAG_range)"

Documentation

[ # ]

echo <username> >> /etc/scpusers    !! Add the user to the allowed scpusers file
service sshd restart  !! Restart the SSH server for the change to take effect

[ # ]

config_system -t <file>     # Create a blank template file for editing
config_system -f <file>     # Load settings for first time configuration from file
config_system -s "install_security_gw=true&<etc>"  # Load settings via string instead of file

-- CONFIGURATION FILE --
# INSTALLATION OF THE SOFTWARE
install_security_gw=<true|false>     # $TAG_GW - Install security gateway?
install_ppak=<true|false>        # $TAG_PPAK - Install Performance Pack?
gateway_daip=<true|false>        # DAIP - Dynamic IP? This should be false if ClusterXL or this is a management server ($TAG_MGMT)
gateway_cluster_member=<true|false>    # ClusterXL - Enable ClusterXL?

# MANAGEMENT SERVER CONFIGURATIONS
install_security_managment=<true|false>        # $TAG_MGMT - Install management server?
install_mgmt_primary=<true|false>            # Optional Parameter - Primary Management Server? - Only this or the following can be true. Both cannot be true
install_mgmt_secondary=<true|false>            # Optional Parameter - Secondary Management Server? - Only this or the above can be true. Both cannot be true

# MDS PARAMETERS
install_mds_primary=<true|false>    # Primary MDS? - Only this or the following can be true. Both cannot be true
install_mds_secondary=<true|false>    # Secondary MDS? - Only this or the above can be true. Both cannot be true
install_mlm=<true|false>            # Install Multi-Customer Log Manager?
install_mds_interface=<interface>    # Define the MDS interface to use

# MANAGEMENT SERVER CONFIGURATIONS
mgmt_admin_name=<name>                # GUI Client Admin Name
mgmt_admin_passwd=<password>        # GUI Client Admin Password
mgmt_gui_clients_radio=<any|range|network|this>         # Choose "this" for a single IP address
mgmt_gui_clients_first_ip_field=<ip>                # If "range" chosen for mgmt_gui_clients_radio
mgmt_gui_clients_last_ip_field=<ip>                    # If "range" chosen for mgmt_gui_clients_radio
mgmt_gui_clients_ip_field=<ip>                        # If "network" chosen for mgmt_gui_clients_radio
mgmt_gui_clients_subnet_field=<0-32>                # If "network" chosen for mgmt_gui_clients_radio (this is the CIDR)
mgmt_gui_clients_hostname=<ip>                        # If "this" chosen for mgmt_gui_clients_radio
ftw_sic_key=<blah>                                    # SIC password

# OS LEVEL CONFIGURATION
admin_hash=<hash>                    # Optional Parameter - Set the admin password hash (can be grabbed from the firewall by running 'grep admin /etc/shadow | cut -d: -f2')
iface=<interface>                    # Optional Parameter - Management interface name
ipaddr_v4=<ipv4>                    # Management interface IP address (if this overrides the current IP, the current IP is kept as a secondary address so that we don't lose access. This IP will need to be deleted after configuration)
masklen_v4=<0-32>                    # Management interface netmask (CIDR)
default_gw_v4=<ipv4>
ipaddr_v6=<ipv6>                    # Management interface IPv6 address
masklen_v6=<ipv6>                    # Management interface IPv6 subnet
default_gw_v6=<ipv6>
hostname=<name>                        # Optional Parameter - Device Hostname
timezone='<ETC/GMT-5/etc>'            # Optional Parameter - Set the timezone
domainname=<example.com>            # Optional Parameter
ntp_primary=<ip>                    # Optional Parameter
ntp_primary_version=<version>        # Optional Parameter
ntp_secondary=<ip>                    # Optional Parameter
ntp_secondary_version=<version>        # Optional Parameter
primary=<ip>                        # Optional Parameter - DNS Server IP
secondary=<ip>                        # Optional Parameter - DNS Server IP
tertiary=<ip>                        # Optional Parameter - DNS Server IP

Notes:

  • Add --dry-run to test configuration settings before implementation
  • The configuration file holds mgmt_admin_passwd, ftw_sic_key and admin_hash in clear text; restrict its permissions and remove it once the configuration has been applied
  • A reboot will be required to complete the configuration

Documentation

[ # ]

clish -s -c "set selfpasswd oldpass <oldpass> newpass <newpass>"

Or use the interactive menu, which prompts for the passwords instead of taking them on the command line (where they are recorded in the shell history and visible in the process list):

clish
set selfpasswd

[ # ]