clish -s -c "set static-route <ip>/<cidr> nexthop gateway address <gateway> on"
clish -s -c "set static-route default nexthop gateway address <gateway> on"

$FWDIR/database/rules.C !! Contains rules
$CPDIR/conf/cp.license !! License info
$FWDIR/conf/masters !! CMA IP

cpprod_util FwIsActiveManagement !! View current status; 1 is Active, 0 is Standby
cpprod_util FwSetActiveManagement 0 !! Set to Standby (failover)
cpprod_util FwSetActiveManagement 1 !! Set to Active (failover)

swapinfo
cpstat os -f cpu
cpstat os -f memory
fw tab -s -t connections
netstat -i

!! Install cpinfo Package Via Clish From FTP For IPSO
add package media ftp addr <IP Address> user <Username> password <Password> name cpinfo.tgz
!! Install cpinfo Package Via Clish From Local File For IPSO
add package media local name cpinfo.tgz
!! The date format avoids the spaces that a bare $(date) puts into the file name
cpinfo -z -n -o /var/tmp/$(uname -n).$(date +%Y%m%d).cpinfo !! Firewall or management server
cpinfo -z -n -c <CMAName> -o /var/tmp/<name>.$(date +%Y%m%d).cpinfo !! CMA - Performed from the CMA environment
- cp_uploader is the new recommended method of generating and uploading cpinfo to Check Point
- Filename for installing CPinfo on IPSO must end in .tgz
- Package for local file installation on IPSO should be in /opt/packages
cd /var/tmp; /bin/./asset; cat /var/tmp/outfile; rm /var/tmp/outfile
- This command will display CPU, hard disk, memory, serial numbers, and chassis serial numbers (for some models), then delete the temporary output file afterward
- This likely will be replaced with 'show asset hardware' or a similar command within clish or iclid in the future
There are 2 primary methods for resetting the admin password. Both methods require a reboot of the device, and downtime if the device is not part of a cluster.
Method 1: Use emergendisk
This method requires a device with the same chassis model as the device that requires a password reset, running Gaia, and a USB disk.
- Insert a USB drive into the device that we do have access to
- Run the command 'emergendisk' to create the USB recovery disk
- After completion, plug the USB disk into the device that requires a password reset and reboot the device
- During reboot, a "Press any key" option will appear on screen. Press any key to enter the emergendisk menu
- Select the option that states 'Reset Admin Password'. This is usually the second option
You should receive the following once the reset is complete. On some devices, you may not receive this or an error message. You should wait 1-2 minutes after boot to ensure the script has finished.
Admin password successfully reset
Please remove disk or any other media and press enter to restart
- Remove the USB drive and reboot. The username/password should now be admin/admin. If not, you may need to follow Method 2.
Method 2: Use a live CD or live USB disk
This method requires a live CD, such as Ubuntu, to boot from.
- Boot from the live CD or USB disk
On some distros (Ubuntu, for example), the system will automatically mount the Check Point partitions. In Ubuntu, this is mounted to /media/ubuntu/. On one of these mount points, you should be able to run the following to verify the correct mount point. Make sure to note this down, as it will be required in the next steps.
ls -lh /media/ubuntu/<UUID>/config/db/initial_db
If the partitions are not mounted, you will need to locate the correct partition and mount it someplace. Below is an example:
sudo mount /dev/sda1 /mnt/checkpoint
Once you have located the correct partition, run the following to change the working root to Check Point's root
Example: sudo chroot /media/ubuntu/2cbbf000-blah
Modify the sqlite database
Locate the current admin password by running the following. The last line is the current password hash.
SELECT * FROM revisions WHERE binding='passwd:admin:passwd';
Run the following to change the password to 'admin'. Replace '<old-pw-hash>' with the last hash from step 5.
UPDATE revisions SET value='$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.' WHERE binding='passwd:admin:passwd' AND value='<old-pw-hash>';
- Reboot the device and log in with admin/admin. Make sure to change the password via clish once logged in
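To confirm afterward that a device was not left on the reset password, the check below reads the same revisions table and flags the hash used in the UPDATE above. This is an added example, not Check Point tooling or part of the original notes; the two-column schema, the rowid ordering and the helper names are assumptions.

```python
import sqlite3

# Hash written by the UPDATE statement on this page (password 'admin').
RESET_HASH = "$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY."
BINDING = "passwd:admin:passwd"


def open_readonly(path):
    """Open a copy of the config database without risking a write to it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def current_admin_hash(conn):
    """Return the newest value stored for the admin password binding, or None."""
    # Assumption: rows are appended per revision, so the highest rowid is the
    # current one (the page says the last line of the SELECT is current).
    row = conn.execute(
        "SELECT value FROM revisions WHERE binding = ? "
        "ORDER BY rowid DESC LIMIT 1",
        (BINDING,),
    ).fetchone()
    return row[0] if row else None


def audit(conn):
    """Return a list of findings for the admin account in this database."""
    current = current_admin_hash(conn)
    if current is None:
        return ["no admin password binding found"]
    findings = []
    if current == RESET_HASH:
        findings.append("admin still uses the reset hash (password 'admin')")
    if current.startswith("$1$"):
        findings.append("admin hash is MD5-crypt ($1$)")
    return findings


def build_sample(hashes):
    """Constructed in-memory stand-in for initial_db; schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE revisions (binding TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO revisions VALUES (?, ?)", [(BINDING, h) for h in hashes]
    )
    return conn


if __name__ == "__main__":
    # Constructed sample: an older hash followed by the reset hash.
    db = build_sample(["$6$constructedsalt$constructedhash", RESET_HASH])
    print(audit(db) or ["ok"])
```

Run it against a copy of initial_db opened with open_readonly() rather than against the live file.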
!! CONFIGURE PHYSICAL INTERFACE
set interface <interface> ipv4-address <ip> mask-length <cidr>
set interface <interface> state <on|off> auto-negotiation <on|off> link-speed <10M/half|10M/full|100M/half|100M/full|1000M/full>
!! CONFIGURE VLAN
add interface <physical-interface> vlan <vlan-id>
set interface <physical-interface.vlan> ipv4-address <ip> mask-length <cidr>
!! DELETE INTERFACES
delete interface eth3 ipv4-address !! Delete IP from interface
delete interface <interface> vlan <vlan-id> !! Delete VLAN interface
- All Performed via clish. DON'T FORGET TO SAVE