Command-Line Utilities
A significant amount of administration can be done from the command line on both the SmartCenter Server and the FireWall-1 enforcement points. The command line provides a low-bandwidth and efficient way of getting information and performing emergency and maintenance actions.
Most commands are actually options to either the fw or the fwm executables—that is, they take the form of fw command options. The fw executable is for the FireWall-1 enforcement module, and fwm is for the SmartCenter Server.
Getting Basic Information
The first thing you want to know about a device is the version of software it is running. fw ver and fwm ver give this information:
C:\WINNT\FW1\R55\conf>fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) HFA_04, Hotfix 093 - Build 003

C:\WINNT\FW1\R55\conf>fwm ver
This is Check Point SmartCenter Server NG with Application Intelligence (R55) HFA_04, Hotfix 093 - Build 001
As you can see, the major version (NG with Application Intelligence), the release (R55), and any hotfixes (Hotfix Accumulator 04 and Hotfix 093) are listed, along with the build number.
If you ever open a case with Check Point support, you will likely have to provide a cpinfo dump to them. Running cpinfo dumps an incredible amount of information, so redirecting it to a file (for example, cpinfo > Winnipeg.cpinfo) is suggested. With your file, support can view your entire policy, including rules and options, so be cautious about sending it out!
To get a snapshot of what policy is installed, and which interfaces are being protected, fw stat is used. With a policy loaded and active, you will see something like this:
C:\WINNT\FW1\R55\conf>fw stat
HOST      POLICY   DATE
localhost Standard 15Dec2004 22:10:41 : [>PCnet0] [<PCnet0] [>PCnet2] [<PCnet2]
Here you can see that the Standard policy is loaded, and was installed at around 10 p.m. on December 15, 2004. Three interfaces are protected, with the arrows showing the direction of packets.
After the policy has been uninstalled, the output changes:
C:\WINNT\FW1\R55\conf>fw stat
HOST      POLICY   DATE
localhost -        -        : >PCnet0 <PCnet0 >PCnet2 <PCnet2
There is no policy installed, and the interfaces are no longer protected.
To get a list of the interfaces on the gateway, use fw ctl iflist:
C:\WINNT\FW1\R55\conf>fw ctl iflist
0 : PCnet0
1 : PCnet1
2 : PCnet2
3 : NDISWANIP
fw stat does not show inactive interfaces by default (use the -inactive flag to show the inactive interfaces), but iflist shows all.
Managing Services
All the Check Point services on the machine can be managed through the command line. To completely restart all Check Point processes, except for CPRID (the remote installation daemon), use cprestart. Likewise, to only start or stop the services, use cpstart and cpstop.
If you just need to start and stop the basic services, such as the firewall daemon, management station, and SNMP, use the fwstart and fwstop commands. This leaves both CPRID and cpshared running.
To manage CPRID services, use cpridstop and cpridstart to stop and start the service.
Managing the Policy
Although you can’t easily edit the policy from the command line, you can push, pull, and unload a policy.
From the management station, you can push a policy to an enforcement point using fwm load. This command requires you to supply the name of a policy script (*.W, located in %FWDIR%\conf on Windows platforms, or $FWDIR/conf on Unix platforms) and optionally the name of an enforcement point to send it to. This operation compiles the script and sends it off to the enforcement point. In this example, the Standard policy is sent to the localhost:
C:\WINNT\FW1\R55\conf>fwm load Standard.W
Standard.W: Security Policy Script generated into Standard.pf
Standard: Compiled OK.
Installing CPMAD Policy On: localhost
CPMAD policy installed successfully on winnipeg...
CPMAD policy installation complete
CPMAD policy installation succeeded for: winnipeg
Installing VPN-1/FireWall-1 policy on: localhost ...
VPN-1/FireWall-1 policy installed successfully on winnipeg...
VPN-1/FireWall-1 policy installation complete
VPN-1/FireWall-1 policy installation succeeded for: winnipeg
The messages here show that the policy installed successfully on the combination SmartCenter Server/VPN-1 Gateway.
If you are on a gateway, and want to pull down a policy, you execute fw fetch master, where master is the SIC name of your management station:
C:\WINNT\FW1\R55\conf>fw fetch localhost
Installing Security Policy Standard on all.all@winnipeg
Fetching Security Policy from localhost succeeded
Here, the Standard policy was retrieved and installed.
Finally, to unload the policy, use fw unloadlocal:
C:\WINNT\FW1\R55\conf>fw unloadlocal
Uninstalling Security Policy from all.all@winnipeg
Done.

C:\WINNT\FW1\R55\conf>fw stat
HOST      POLICY   DATE
localhost -        -        : >PCnet0 <PCnet0 <PCnet1 >PCnet2 <PCnet2
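Because an unloaded policy leaves every interface unprotected, the two fw stat states shown above (policy loaded in "Getting Basic Information", and the empty state after fw unloadlocal) are worth checking from a script rather than by eye. The following parser and check are an added example, not code from the book or from Check Point; the sample outputs are constructed to match the ones on the page, and the single-gateway line layout is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample "fw stat" outputs, modelled on the two states shown in the text:
# the Standard policy loaded, and the gateway after "fw unloadlocal".
FW_STAT_LOADED = """HOST      POLICY   DATE
localhost Standard 15Dec2004 22:10:41 : [>PCnet0] [<PCnet0] [>PCnet2] [<PCnet2]
"""
FW_STAT_UNLOADED = """HOST      POLICY   DATE
localhost -        -        : >PCnet0 <PCnet0 <PCnet1 >PCnet2 <PCnet2
"""

# One interface entry: optional "[", an arrow, the interface name, optional "]".
IFACE_RE = re.compile(r"(\[?)([<>])(\w+)(\]?)")

@dataclass
class FwStat:
    host: str
    policy: Optional[str]                 # None when the POLICY column is "-"
    installed_at: Optional[str]           # e.g. "15Dec2004 22:10:41"
    protected: Dict[str, Set[str]] = field(default_factory=dict)    # bracketed entries
    unprotected: Dict[str, Set[str]] = field(default_factory=dict)  # bare entries

def parse_fw_stat(output: str) -> FwStat:
    """Parse the first gateway line of fw stat output (single-gateway layout, as on the page)."""
    rows = [l for l in output.splitlines() if l.strip() and not l.startswith("HOST")]
    head, _, iface_part = rows[0].partition(" : ")  # " : " avoids splitting the hh:mm:ss time
    cols = head.split()
    policy = None if cols[1] == "-" else cols[1]
    installed_at = None if policy is None else " ".join(cols[2:4])
    stat = FwStat(host=cols[0], policy=policy, installed_at=installed_at)
    for open_br, arrow, name, close_br in IFACE_RE.findall(iface_part):
        bucket = stat.protected if open_br and close_br else stat.unprotected
        bucket.setdefault(name, set()).add(arrow)   # arrow = packet direction shown by fw stat
    return stat

def policy_check(output: str) -> List[str]:
    """Findings a monitoring job should raise for one fw stat output (empty list = healthy)."""
    stat = parse_fw_stat(output)
    findings = []
    if stat.policy is None:
        findings.append(f"{stat.host}: no policy installed")
    for name in sorted(stat.unprotected):
        findings.append(f"{stat.host}: interface {name} is not protected")
    return findings

if __name__ == "__main__":
    for sample in (FW_STAT_LOADED, FW_STAT_UNLOADED):
        print(policy_check(sample) or ["ok"])
```

In a scheduled job the sample strings would be replaced by the captured output of fw stat, and any non-empty finding list raised as an alert.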
Logs
Although SmartView Tracker is normally used to manage logs, it is possible to perform some actions at the command line. These commands are helpful for automating maintenance tasks or when scripting reports:
- fw log -a: Shows the log of accounting data.
- fw logswitch: Rotates the logs.
- fwm logexport: Dumps the logs to the screen or a file.