0% found this document useful (0 votes)

105 views

CP R81.10 Multi-DomainSecurityManagement AdminGuide

CP_R81.10_Multi-DomainSecurityManagement_AdminGuide

Uploaded by

Newman Martin

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

105 views

CP R81.10 Multi-DomainSecurityManagement AdminGuide

CP_R81.10_Multi-DomainSecurityManagement_AdminGuide

Uploaded by

Newman Martin

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 622

10 April 2024

MULTI-DOMAIN
SECURITY
MANAGEMENT

R81.10

Administration Guide
Check Point Copyright Notice
© 2021 - 2024 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No
part of this product or related documentation may be reproduced in any form or by any means
without prior written authorization of Check Point. While every precaution has been taken in
the preparation of this book, Check Point assumes no responsibility for errors or omissions.
This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party
licenses.
Important Information

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-
date with the latest functional improvements, stability fixes, security
enhancements and protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.

Check Point R81.10

For more about this release, see the R81.10 home page.

Latest Version of this Document in English

Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

R81.10 Multi-Domain Security Management Administration Guide | 3

Important Information

Revision History

Date Description

09 April 2024 Updated "Configuring Implied Rules or Kernel Tables for Security
Gateways" on page 145

08 August 2023 Updated "Deploying a Domain Dedicated Log Server" on page 131

11 May 2023 Updated "Updating IPS Protections" on page 78

14 February Updated Configuring the Security Management Server and Security

2023 Gateways

09 December General Updates

2022

14 June 2022 In the HTML version, added glossary terms in the text

24 February Updated:
2022
n "Configuring Implied Rules or Kernel Tables for Security Gateways"
on page 145
l Corrected the paths for Security Gateways R81

l Added the Quantum Spark appliance models 1600 and 1800

1 November Updated:
2021
n "Cross-Domain Search" on page 55

24 September Updated:
2021
n "Failure Recovery" on page 117
n "Configuring Global VPN Communities" on page 101

05 July 2021 First release of this document

R81.10 Multi-Domain Security Management Administration Guide | 4

Table of Contents

Table of Contents
Introduction to Multi-Domain Management 18
About this Guide 18
Basic Multi-Domain Security Management Components 19
The Multi-Domain Server 19
Domain Management Servers 19
Domain Log Servers 20
SmartConsole 22
Multi-Domain View 22
Connecting to SmartConsole 24
Gateways & Servers View 25
Architecture and Processes 26
Check Point Registry 26
Server Processes 26
Multi-Domain Server Processes 26
Domain Management Server Processes 26
Automatic Start of Multi-Domain Server Processes 28
Environment Variables 29
Standard Check Point Environment Variables 29
Deploying Multi-Domain Security Management 31
Planning your Deployment 31
Multi-Site High Availability Deployment 31
Single Site Deployments 31
Platform & Performance Issues 33
Topology, IP Addresses and Routing 33
Using More than one Interface on a Multi-Domain Server 34
Changing the Leading Interface 34
Synchronizing Clocks 34

R81.10 Multi-Domain Security Management Administration Guide | 5

Table of Contents

Protecting the Multi-Domain Security Management Deployment 36

Security Gateway Managed by a Domain Management Server 37
Defining an Access Control Policy for Multi-Domain Server Components 37
Using External Authentication Servers 38
Configuring External Authentication 38
Managing Domains 40
Creating a New Domain 40
Assigning Trusted Clients to Domains 41
Configuring Automatic Domain IP Address Assignment 42
Changing an Existing Domain Configuration 44
Deleting a Domain Management Server or Domain 44
Connecting to a Domain Management Server 45
Working with Cross-Domain Management 46
Changing an Existing Multi-Domain Server 47
Setting the Domain Management Server Display Format 48
Backing Up and Restoring a Domain 49
Migrating a Domain Management Server between R81.10 Multi-Domain Servers 52
Database Revisions 54
Cross-Domain Search 55
Global Management 57
The Global Domain 57
Connecting to the Global Domain 57
Changing the Global Domain 57
Working with Global Objects 58
Working with Global Configuration Rules 59
Policy Presets 60
Sample Access Control Policy Layer 64
Sample Threat Prevention Policy Layer 65
Using Layers with the Global Domain 68
Upgrade Issues 68

R81.10 Multi-Domain Security Management Administration Guide | 6

Table of Contents

Policy Layers and Administrator Permissions 69

Dynamic Objects and Dynamic Global Objects 69
Defining Rules with Dynamic Objects 69
Applying Global Rules to Security Gateways by Function 70
Creating a Global Policy in the Global SmartConsole 72
Global Assignments 74
Configuring an Assignment 74
Reassigning 75
Handling Assignment Errors 76
Deleting a Global Assignment 76
Global Assignment Status 77
Updating IPS Protections 78
Updating the Application & URL Filtering Database 80
Exceptions 81
Exceptions Rules 81
Disabling a Protection on One Server 82
Blade Exceptions 83
Creating Exceptions from IPS Protections 84
Creating Exceptions from Logs or Events 84
Creating Exception Groups 85
Adding Exceptions to Exception Groups 86
Adding Exception Groups to the Rule Base 86
Creating Exception Groups 88
Adding Exceptions to Exception Groups 88
Adding Exception Groups to the Rule Base 89
Exceptions in a Multi-Domain Environment 89
Managing Administrators and Permissions 90
Configuring Administrators 90
Administrator - General 90
Contact Options 91

R81.10 Multi-Domain Security Management Administration Guide | 7

Table of Contents

Creating a Certificate for Logging in to SmartConsole 93

Working with Permission Profiles 94
Predefined Multi-Domain Permission Profiles 94
Working with Multi-Domain Permission Profiles 95
Multi-Domain Permission Profile Parameters 96
Creating Custom Domain Permissions 97
VPN and Multi-Domain Security Management 99
Global VPN Communities 99
VPN Connectivity 100
Configuring Global VPN Communities 101
Step 1 - Configuring a VPN Domain on each Security Gateway 101
Step 2 - Enabling Gateways for Global Use 101
Step 3 - Creating the VPN Global Community 102
Step 4 - Defining a Security Policy 102
Step 5 - Assigning the Global Configuration to the Local Domains 103
Reassigning the Global Configuration to One or More Local Domains 103
Working with High Availability 105
Overview of High Availability 105
Multi-Site High Availability Deployment Example 106
Creating a Secondary Multi-Domain Server 109
Domain Management Server High Availability and Load Sharing 110
Creating a Secondary Domain Management Server 110
Creating a High Availability Environment using a Security Management Server 112
Synchronization 114
How Synchronization Works 114
Initial Synchronization 114
Periodic Synchronization 115
Manual Synchronization 115
Manually Synchronizing a Multi-Domain Server 115
Manually Synchronizing Domain Management Servers 116

R81.10 Multi-Domain Security Management Administration Guide | 8

Table of Contents

Multi-Domain Server ICA Database Synchronization 116

Failure Recovery 117
Deleting a Secondary Multi-Domain Server or Multi-Domain Log Server 122
Re-Establishing SIC Trust for a Secondary Multi-Domain Server 123
Logging and Monitoring 124
Working with Log Servers 124
Configuring Logging 126
Creating a Multi-Domain Log Server with Domain Log Servers 126
Configuring Security Gateways to Send Logs to a Log Servers 127
Deleting a Domain Log Server 128
Configuring Log Settings 128
Log Server Deployment Scenarios 130
Deploying a Domain Dedicated Log Server 131
Introduction 131
Procedure for an R81.10 Multi-Domain Environment 131
Procedure for an R77.x Multi-Domain Environment 132
Using the Log View 136
Monitoring Multi-Domain Security Management 137
Monitoring Multi-Domain Server Status 137
Monitoring Domain Management Server Status 137
Monitoring Security Gateway Status 138
Creating and Changing an Administrator Account 139
Managing Security through API 142
API 142
API Tools 142
Configuring the API Server 143
Configuring Implied Rules or Kernel Tables for Security Gateways 145
Introduction 145
Configuration files 145
Configuration Procedure 147

R81.10 Multi-Domain Security Management Administration Guide | 9

Table of Contents

Location of 'user.def' Files on the Management Server 148

Location of 'table.def' Files on the Management Server 149
Location of 'crypt.def' Files on the Management Server 151
Location of 'vpn_table.def' Files on the Management Server 153
Location of 'communities.def' Files on the Management Server 155
Location of 'base.def' Files on the Management Server 157
Location of 'dhcp.def' Files on the Management Server 159
Location of 'gtp.def' Files on the Management Server 161
Location of 'implied_rules.def' Files on the Management Server 163
Command Line Reference 165
Syntax Legend 165
cma_migrate 167
contract_util 168
contract_util check 170
contract_util cpmacro 171
contract_util download 172
contract_util mgmt 174
contract_util print 175
contract_util summary 176
contract_util update 177
contract_util verify 178
cp_conf 179
cp_conf admin 181
cp_conf auto 184
cp_conf ca 185
cp_conf client 187
cp_conf finger 191
cp_conf lic 192
cp_log_export 195
cpca_client 217

R81.10 Multi-Domain Security Management Administration Guide | 10

Table of Contents

cpca_client create_cert 219

cpca_client double_sign 221
cpca_client get_crldp 223
cpca_client get_pubkey 225
cpca_client init_certs 226
cpca_client lscert 227
cpca_client revoke_cert 230
cpca_client revoke_non_exist_cert 233
cpca_client search 234
cpca_client set_ca_services 237
cpca_client set_cert_validity 239
cpca_client set_mgmt_tool 240
cpca_client set_sign_hash 245
cpca_create 247
cpinfo 248
cplic 249
cplic check 252
cplic contract 254
cplic db_add 256
cplic db_print 258
cplic db_rm 260
cplic del 261
cplic del <object name> 262
cplic get 263
cplic print 265
cplic put 267
cplic put <object name> 270
cplic upgrade 273
cppkg 276
cppkg add 278

R81.10 Multi-Domain Security Management Administration Guide | 11

Table of Contents

ppkg delete 279

cppkg get 281
cppkg getroot 282
cppkg print 283
cppkg setroot 284
cpprod_util 285
cpmiquerybin 290
cprid 292
cpstat 293
cprinstall 301
cprinstall boot 304
cprinstall cprestart 305
cprinstall cpstart 306
cprinstall cpstop 307
cprinstall delete 308
cprinstall get 309
cprinstall install 310
cprinstall revert 313
cprinstall show 314
cprinstall snapshot 315
cprinstall transfer 316
cprinstall uninstall 318
cprinstall verify 320
cpview 322
Overview of CPView 322
CPView User Interface 322
Using CPView 323
cpwd_admin 324
cpwd_admin config 327
cpwd_admin del 330

R81.10 Multi-Domain Security Management Administration Guide | 12

Table of Contents

cpwd_admin detach 331

cpwd_admin exist 332
cpwd_admin flist 333
cpwd_admin getpid 335
cpwd_admin kill 336
cpwd_admin list 337
cpwd_admin monitor_list 340
cpwd_admin start 341
cpwd_admin start_monitor 343
cpwd_admin stop 344
cpwd_admin stop_monitor 346
dbedit 347
fw 360
fw fetchlogs 362
fw hastat 364
fw kill 365
fw log 366
fw logswitch 376
fw lslogs 380
fw mergefiles 383
fw repairlog 386
fw sam 387
fw sam_policy 395
fw sam_policy add 398
fw sam_policy batch 411
fw sam_policy del 413
fw sam_policy get 416
fwm 422
fwm dbload 425
fwm exportcert 426

R81.10 Multi-Domain Security Management Administration Guide | 13

Table of Contents

fwm fetchfile 427

fwm fingerprint 429
fwm getpcap 431
fwm ikecrypt 433
fwm load 434
fwm logexport 435
fwm mds 440
fwm printcert 442
fwm sic_reset 448
fwm snmp_trap 449
fwm unload 452
fwm ver 456
fwm verify 457
inet_alert 458
ldapcmd 461
ldapcompare 463
ldapmemberconvert 467
ldapmodify 473
ldapsearch 475
mcd 478
mds_backup 481
mds_restore 484
mdscmd 485
mdsconfig 487
mdsenv 491
mdsquerydb 493
mdsstart 495
mdsstart_customer 499
mdsstat 500
mdsstop 502

R81.10 Multi-Domain Security Management Administration Guide | 14

Table of Contents

mdsstop_customer 506
mgmt_cli 507
migrate 508
migrate_server 512
migrate_global_policies 519
queryDB_util 520
rs_db_tool 521
sam_alert 523
stattest 527
threshold_config 530
$MDSVERUTIL 536
$MDSVERUTIL AllCMAs 547
$MDSVERUTIL AllVersions 548
$MDSVERUTIL CMAAddonDir 551
$MDSVERUTIL CMACompDir 552
$MDSVERUTIL CMAFgDir 553
$MDSVERUTIL CMAFw40Dir 554
$MDSVERUTIL CMAFw41Dir 555
$MDSVERUTIL CMAFwConfDir 556
$MDSVERUTIL CMAFwDir 557
$MDSVERUTIL CMAIp 558
$MDSVERUTIL CMAIp6 559
$MDSVERUTIL CMALogExporterDir 560
$MDSVERUTIL CMALogIndexerDir 561
$MDSVERUTIL CMANameByFwDir 562
$MDSVERUTIL CMANameByIp 563
$MDSVERUTIL CMARegistryDir 564
$MDSVERUTIL CMAReporterDir 565
$MDSVERUTIL CMASmartLogDir 566
$MDSVERUTIL CMASvnConfDir 567

R81.10 Multi-Domain Security Management Administration Guide | 15

Table of Contents

$MDSVERUTIL CMASvnDir 568

$MDSVERUTIL ConfDirVersion 569
$MDSVERUTIL CpdbUpParam 570
$MDSVERUTIL CPprofileDir 571
$MDSVERUTIL CPVer 572
$MDSVERUTIL CustomersBaseDir 573
$MDSVERUTIL DiskSpaceFactor 574
$MDSVERUTIL InstallationLogDir 575
$MDSVERUTIL IsIPv6Enabled 576
$MDSVERUTIL IsLegalVersion 577
$MDSVERUTIL IsOsSupportsIPv6 578
$MDSVERUTIL LatestVersion 579
$MDSVERUTIL MDSAddonDir 580
$MDSVERUTIL MDSCompDir 581
$MDSVERUTIL MDSDir 582
$MDSVERUTIL MDSFgDir 583
$MDSVERUTIL MDSFwbcDir 584
$MDSVERUTIL MDSFwDir 585
$MDSVERUTIL MDSIp 586
$MDSVERUTIL MDSIp6 587
$MDSVERUTIL MDSLogExporterDir 588
$MDSVERUTIL MDSLogIndexerDir 589
$MDSVERUTIL MDSPkgName 590
$MDSVERUTIL MDSRegistryDir 591
$MDSVERUTIL MDSReporterDir 592
$MDSVERUTIL MDSSmartLogDir 593
$MDSVERUTIL MDSSvnDir 594
$MDSVERUTIL MDSVarCompDir 595
$MDSVERUTIL MDSVarDir 596
$MDSVERUTIL MDSVarFwbcDir 597

R81.10 Multi-Domain Security Management Administration Guide | 16

Table of Contents

$MDSVERUTIL MDSVarFwDir 598

$MDSVERUTIL MDSVarSvnDir 599
$MDSVERUTIL MSP 600
$MDSVERUTIL OfficialName 601
$MDSVERUTIL OptionPack 602
$MDSVERUTIL ProductName 603
$MDSVERUTIL RegistryCurrentVer 604
$MDSVERUTIL ShortOfficialName 605
$MDSVERUTIL SmartCenterPuvUpgradeParam 606
$MDSVERUTIL SP 607
$MDSVERUTIL SVNPkgName 608
$MDSVERUTIL SvrDirectory 609
$MDSVERUTIL SvrParam 610
Creating a Domain Management Server with the 'mgmt_cli' Command 611
Glossary 612

R81.10 Multi-Domain Security Management Administration Guide | 17

Introduction to Multi-Domain Management

Introduction to Multi-Domain
Management
Check Point Multi-Domain Security Management is a centralized management solution for
large-scale, distributed environments with many discrete network segments, each with
different security requirements. This solution lets administrators create Domains based on
geography, business units or security functions to strengthen security and simplify
management.
Each Domain has its own Security Policies, network objects and other configuration settings.
You use the Global Domain for common security Policies that apply to all or to specified
Domains. The Global Domain also includes network objects and other configuration settings
that are common to all or to specified Domains.

About this Guide

This Administration Guide includes conceptual information and procedures for working with
Check Point Multi-Domain Security Management features only.
n To learn how to use SmartConsole to work with Security Policies, the Rule Base,
network objects, and security configuration, see the R81.10 Security Management
Administration Guide.
n To learn how to work with logs, monitoring, and reports, see the R81.10 Logging and
Monitoring Administration Guide.
n To learn how to work with Software Blades and their features, see the applicable
Administration Guides).

R81.10 Multi-Domain Security Management Administration Guide | 18

Basic Multi-Domain Security Management Components

Basic Multi-Domain Security Management

Components
This section is a brief introduction to the main components of the Multi-Domain Security
Management environment.

The Multi-Domain Server

A Multi-Domain Server is a physical server that contains the Domain Management Servers,
Security Policies, system data, and Multi-Domain Security Management system software. You
connect to a Multi-Domain Server to work with Multi-Domain Security Management features,
objects, and configuration settings. This includes:
n Domain Management Servers and their configuration settings
n Global Policies and objects
n Administrators and permission profiles
n Logs and monitoring features
n System configuration settings
You can create a High Availability and/or Load Sharing deployment with two or more,
synchronized Multi-Domain Servers.

Domain Management Servers

A Domain is a virtual object that defines a network or a collection of networks related to an
entity. You can define a Domain for a company, business unit, department, branch or
geographical location. For example, a cloud service provider typically has one Domain for
each customer. A bank can have one Domain for each geographical region, state, or country.
A Domain Management Server is the functional equivalent of a Security Management Server
in a single-domain environment. You connect directly to a Domain Management Server with
SmartConsole to manage a Domain and its components:
n Domain Security Gateways
n Domain Security Policies, rules, and other Domain level security settings
n Domain system objects, such as services, users, and VPN Communities.
n Domain Software Blades and their related configuration settings
To learn more about working with SmartConsole to manage Domains, see the R81.10 Security
Management Administration Guide.

R81.10 Multi-Domain Security Management Administration Guide | 19

Basic Multi-Domain Security Management Components

There can be more than one Domain Management Server for a Domain in a High Availability
deployment, each on a different Multi-Domain Server. One Domain Management Server is
Active, and the other, fully synchronized Domain Management Servers are Standby.

Domain Log Servers

A typical Multi-Domain Security Management deployment includes, at least one Multi-Domain
Log Server to hold log files generated by Domain Security Gateways. Each Domain can have
its own Domain Log Server on the Multi-Domain Log Server. This deployment strategy keeps
log traffic isolated from other network traffic for better throughput.
This illustration shows a sample deployment with two Multi-Domain Servers and two Domains.
The Multi-Domain Log Server contains two Domain Log Servers, one for each Domain.

Item Description

1 London Multi-Domain Server with an Active Domain Management Server for

London and a Standby Domain Management Server for Tokyo

2 Multi-Domain Log Server with Domain Log Servers for London and Tokyo

3 Tokyo Multi-Domain Server with an Active Domain Management Server for Tokyo
and a Standby Domain Management Server for London

4 Tokyo network

R81.10 Multi-Domain Security Management Administration Guide | 20

Basic Multi-Domain Security Management Components

Item Description

5 London network

6 Internet

Active Domain Management Server

Standby Domain Management Server

Domain Log Server

R81.10 Multi-Domain Security Management Administration Guide | 21

SmartConsole

SmartConsole
SmartConsole is the unified application of Check Point R80.x Security Management. The
SmartConsole provides a consolidated solution for everything that is necessary for the security
of your organization:
n Security Policy Management
n Log Analysis
n System Health Monitoring
n Multi-Domain Security Management
SmartConsole makes it easy to manage your Multi-Domain Security Management
environment. Before you start to configure your cyber security environment and Policies, we
recommend that you know the SmartConsole application.

Multi-Domain View
Use the Multi-Domain view to manage Multi-Domain Servers, Domains, system objects,
configuration settings and other features. You must log into a Multi-Domain Server to see the
Multi-Domain view.

For a guided tour of Multi-Domain view, click the What's New button at the bottom left of
the window. Click the < and > icons to scroll between the different What's New screens.

R81.10 Multi-Domain Security Management Administration Guide | 22

SmartConsole

Multi-Domain view elements

Item Description

1 View, as selected from the Navigation Toolbar and View tree

(This example shows the Multi-Domain > Domains view)

2 Navigation toolbar

3 Menu

4 View tree

5 Actions toolbar

6 Session Management toolbar

7 Validation tab

8 Logged in administrator

9 Server details area

10 Task information area

R81.10 Multi-Domain Security Management Administration Guide | 23

SmartConsole

Item Description

11 Management script commands and API

Connecting to SmartConsole
Use SmartConsole to connect to a Multi-Domain Server when you work with Multi-Domain
Security Management objects and settings. Use SmartConsole to connect to a Domain
Management Server when you work with Domain Security Policies, rules, objects and
configuration settings. You can also connect to Domains or specified Domain Management
Servers from within the Multi-Domain view.

To connect to a Multi-Domain Server:

1. Run SmartConsole.
2. Enter your user name and password.
3. Enter the Multi-Domain Server IP address, and then click Login.
4. In the Welcome screen, select MDS from the list, and then click Proceed.
SmartConsole opens in the Domains view.

To connect directly to a Domain:

1. Run SmartConsole.
2. Enter your user name and password.

3. Enter the Multi-Domain Server IP address, and then click Login.

4. In the Welcome screen, select a Domain from the list, and then click Proceed.

SmartConsole opens with the selected Domain Management Server.

To connect to a Domain Management Server from the SmartConsole Multi-Domain view:

1. Connect to a Multi-Domain Server with SmartConsole.
2. In the Multi-Domain > Domains view, right-click the required Domain Management
Server in the grid.
3. Select Connect to Domain Server.

Note - In a Management High Availability deployment, you can only make changes to
a Domain from the active Domain Management Server. The active Domain
Management Server shows with a black icon. If you connect to a standby Domain
Management Server (white icon), SmartConsole opens in the Read Only mode. See
"Working with High Availability" on page 105.

R81.10 Multi-Domain Security Management Administration Guide | 24

SmartConsole

Gateways & Servers View

The Gateways & Servers view shows all Security Gateway, Domain Management Server, and
Domain Log Server objects in the Multi-Domain Security Management environment. This
feature lets administrators, with applicable permissions, see and work with them in one
convenient location.
You can double-click an object in this view to open its configuration window in the Domain's
SmartConsole. For example, if you double-click, GW105 on the example below, the London_
Server Domain Management Server opens in SmartConsole and shows the GW105
configuration window.

The Gateways & Servers view

R81.10 Multi-Domain Security Management Administration Guide | 25

Architecture and Processes

This section is an overview of the new management architecture introduced in R80.

Check Point Registry

The Check Point registry, at $CPDIR/registry/HKLM_registry.data, contains
installation and version information for the different components of Check Point products.
Each Multi-Domain Server, Multi-Domain Log Server, Domain Management Server, and Log
Server has its own registry. The $CPDIR environment variable points to the registry location on
each platform or context.

Server Processes
Multi-Domain Server Processes
Each Multi-Domain Server Level process has one instance on every Multi-Domain
Server/Multi-Domain Log Server machine, when it is running. These processes run on the
Multi-Domain Server.

Process Description

cpd Check Point daemon - A generic process for many Check Point services, such
as installing and fetching policy, online updates, and pushing SIC certificates.

cpca The Certificate Authority management process

fwd Audit Log server process

fwm Legacy Check Point management server main process (R77.x and earlier)

For proper operation of the Multi-Domain Server, these processes must run together with CPM,
postgres, and solr. An exception to this rule is instances where cpca cannot run, such as
for Domain Log Servers. cpca must always run for Domain Management Servers.

Domain Management Server Processes

Each one of these processes runs a different instance for each Domain Management Server:

Process Description

cpd Check Point daemon - A generic process for many Check Point services,
such as installing and fetching policy, online updates, and pushing SIC
certificates.

R81.10 Multi-Domain Security Management Administration Guide | 26

Architecture and Processes

Process Description

cpca The Certificate Authority manager process (Domain Servers only)

fwd Log server process

fwm Legacy Check Point management server main process (R77.x and earlier)

status_ Status collection of SmartLSM Security Gateways

proxy

For proper operation of the Domain Management Server, cpca, fwd and fwm must always
run, except for specified configurations where cpca cannot run. Other processes are required
only as necessary for applicable functionality.

For more information, see sk97638: Check Point Processes and Daemons.

R81.10 Multi-Domain Security Management Administration Guide | 27

Automatic Start of Multi-Domain Server Processes

Automatic Start of Multi-Domain Server

Processes
The script for the automatic start of Multi-Domain Server processes upon boot is at
/etc/init.d. The name of the file is firewall1. A link to this file appears in /etc/rc3.d
directory under the name S95firewall1.

R81.10 Multi-Domain Security Management Administration Guide | 28

Environment Variables

Environment Variables
Different Multi-Domain Server processes require standard environment variables that:
n Point to the installation directories of different components
n Contain management IP addresses
n Hold data important for correct initialization and operation of the processes
Additionally, specific environment variables control certain parameters of different functions of
Multi-Domain Server.
Multi-Domain Server installation contains shell scripts for Bourne Shell and for C-Shell, which
define the necessary environment variables:
n The Bourne Shell version is:
/opt/CPshrd-R81.10/tmp/.CPprofile.sh
n The C-Shell version is:
/opt/CPshrd-R81.10/tmp/.CPprofile.csh

Calling these script files from other shell script files (using the "." command or the "source"
command) will define the environment necessary for the Multi-Domain Server processes to
run.

Standard Check Point Environment Variables

Variable Description

FWDIR Location of Check Point files

MSDIR
n In the Multi-Domain Server environment, this environment variable is
equal to $MDSDIR
n In Domain Management Server environment, it contains
/opt/CPmds-R81.10/customers/<Name of Domain
Management Server>/CPsuite-R81.10/fw1

PGDIR Location of the PostgreSQL database - $CPDIR/database/postgresql

MDS_ Location of log files and Java archives

TEMPLATE

CPDIR Location of Check Point SVN Foundation files that point to different
directories in Multi-Domain Server and Domain Management Server
environments

MDSDIR Location of the Multi-Domain Server installation (/opt/CPmds-R81.10)

R81.10 Multi-Domain Security Management Administration Guide | 29

Environment Variables

Variable Description

SUROOT Points to the location of SmartUpdate packages

R81.10 Multi-Domain Security Management Administration Guide | 30

Deploying Multi-Domain Security Management

Deploying Multi-Domain Security

Management
This chapter includes information to help you plan your deployment and gives a general
overview of the deployment process.

Planning your Deployment

This section includes best practices and other suggestions to help make your Multi-Domain
Security Management deployment work efficiently.

Multi-Site High Availability Deployment

Large enterprises use Multi-Domain Security Management in a multi-site, High Availability
deployment, with many Multi-Domain Servers located at remote sites, often in different
countries. Each Multi-Domain Server and Multi-Domain Log Server continuously synchronizes
with its remote peers.
The advantages of this type of deployment are:
n Full Multi-Domain Server, Multi-Domain Log Server, and Domain Management Server
redundancy
n Domain Management Server load sharing that can balance traffic based on geographic
location
n Many administrators can connect to different Multi-Domain Servers to manage Security
Policies and system configuration from different locations

Single Site Deployments

Small organizations, with moderate traffic volumes can use a single-site deployment, with one
Multi-Domain Server that manages a set of Domains.

Best Practice - For this type of deployment, use a backup solution that periodically
saves the system databases and settings to another device.

R81.10 Multi-Domain Security Management Administration Guide | 31

Deploying Multi-Domain Security Management

This example shows a single-site Multi-Domain Server deployment with three Domains at
remote locations. Each Domain has many Security Gateways to protect the internal networks
and resources. This example has only one Multi-Domain Server and does not use High
Availability.

Item Description

1 London Domain and networks

2 New York (Headquarters) Domain and networks

3 Tokyo Domain and networks

4 SmartConsole clients, typically at a network control center.

5 Multi-Domain Server

6 London Domain Management Server

7 New York Domain Management Server

8 Tokyo Domain Management Server

9 Internet

R81.10 Multi-Domain Security Management Administration Guide | 32

Deploying Multi-Domain Security Management

This illustration shows the configuration grid in the SmartConsole Multi Domain view for the
example deployment:

Note - The system automatically creates the Global Domain when you install Multi-
Domain Security Management.

Platform & Performance Issues

Make sure that your Multi-Domain Security Management system hardware is compliant with
the system requirements for this release. If your Multi-Domain Server has more than one
interface, make sure that the total traffic load complies with the performance load
recommendations for that Multi-Domain Server.

Topology, IP Addresses and Routing

All Multi-Domain Servers must have at least one interface with a routable IP address. You
must configure these Multi-Domain Servers to run DNS server queries and to resolve the IP
addresses and host names.

Configure your network routing for IP communication between:

n All Multi-Domain Servers, Domain Management Servers and Multi-Domain Log Servers
n Different Domains, if necessary
n Domain Management Servers, Domain Log Servers and Security Gateways in a Domain
n A Domain Management Server and its Domain High Availability peers
n SmartConsole and Multi-Domain Servers, Domain Management Servers and Domain
Log Servers
Make sure that IP addresses and routing configuration can handle special issues, such as
Multi-Domain Servers in different physical locations.

R81.10 Multi-Domain Security Management Administration Guide | 33

Deploying Multi-Domain Security Management

Using More than one Interface on a Multi-Domain Server

If there is more than one interface on a Multi-Domain Server, you must configure at least one
interface to be the leading interface. Multi-Domain Servers (Primary and Secondary) and
Multi-Domain Log Servers use the leading interface to communicate with each other for
database synchronization.
Make sure that all Multi-Domain Server interfaces are routable. Domain Management Servers
must be able to communicate with their Domain Security Gateways. Domain Log Servers must
be able to communicate with their Domain Security Gateways.

Changing the Leading Interface

You define the leading interface during the installation procedure, but you can change it later.
If you add a new interface to a Multi-Domain Server after installation, define the Leading
Interface manually.
To add a New Leading Interface

1. From the Multi-Domain Server command line, run: mdsconfig

2. Select Leading VIP Interfaces, and then select Add external IPv4 interface.
3. Enter the interface name and press Enter.

Changing the Leading Interface

1. From the Multi-Domain Server command line, run: mdsconfig

2. Do steps 2-3, in the above procedure, to add new interface.

3. Select Leading VIP Interfaces.
4. Select Remove External IPv4 interface.

5. Enter the interface name to remove and press Enter.

Synchronizing Clocks
All Multi-Domain Server system clocks must synchronize to approximately one second. Before
you create a new Multi-Domain Server or Multi-Domain Log Server, you must synchronize its
clock with other system components.
Clock synchronization is important for these reasons:
n SIC trust can fail if devices are not synchronized correctly
n SmartEvent Correlation Unit uses time stamps, which must be accurate
n Make sure that cron jobs run at the correct time
n Certificate validation is based on the correct time

R81.10 Multi-Domain Security Management Administration Guide | 34

Deploying Multi-Domain Security Management

Use these resources to synchronize component system clocks:

n Manually, using the Portal or the operating system CLI
n A third-party synchronization utility

R81.10 Multi-Domain Security Management Administration Guide | 35

Protecting the Multi-Domain Security Management Deployment

Protecting the Multi-Domain Security

Management Deployment
It is a security best practice to deploy a Check Point Security Gateway that protects the Multi-
Domain Servers, Multi-Domain Log Server and other components. You can manage this
Security Gateway with a Domain Management Server or a Security Management Server that
is not part of a Multi-Domain Security Management environment.
This simple use case shows a small High Availability deployment with a Security Gateway
protecting each Multi-Domain Server. One of the Domain Management Servers manages
these Security Gateways.

Item Description

1 Active Domain Management Servers

2 Standby Domain Management Servers

R81.10 Multi-Domain Security Management Administration Guide | 36

Protecting the Multi-Domain Security Management Deployment

Item Description

3 Primary Multi-Domain Server with Active and Standby Domain Management

Servers

4 Security Gateways

5 Internet

6 Secondary Multi-Domain Server with Active and Standby Domain Management

Servers

Security Gateway Managed by a Domain Management

Server
You can create a Domain and Domain Management Server to manage the Policies for
Security Gateways that protect Multi-Domain Servers in your environment.

Workflow for this scenario:

1. Run SmartConsole and log into the Multi-Domain Server.
2. Create a new Domain and Domain Management Server.
3. Connect to the new Domain SmartConsole and create a Security Gateway object.
4. Enable the Firewall and other Software Blades on this Security Gateway.

5. Create and install a Security Policy for the Security Gateway.

Defining an Access Control Policy for Multi-Domain Server

Components
communication between the different Multi-Domain Security Management components. You
can define these rules in global configurations or in local Domain Policies.
Use this table as a guideline to allow connections between specified components:

Activity Source Destination

Allow connections between SmartConsole and the SmartConsole Multi-Domain

Multi-Domain Server Multi-Domain Server
Server SmartConsole

Allow connections between Multi-Domain Servers Multi-Domain Multi-Domain

Servers Servers

R81.10 Multi-Domain Security Management Administration Guide | 37

Protecting the Multi-Domain Security Management Deployment

Activity Source Destination

Allow connections between Domain Management Domain Security

Servers and Security Gateways Management Gateway
Server Domain
Security Management
Gateway Server

Allow Domain Management Server status data and Domain Domain

certificate exchange between Domain Management Management Management
Server High Availability peers Server peer Server peer
Allow Domain Management Server synchronization
between peers

See the R81.10 Security Management Administration Guide to learn how to create a Security
Policy.

Using External Authentication Servers

Multi-Domain Security Management supports these external authentication solutions:
n RADIUS
n TACACS
n RSA SecurID Authentication Manager
When an administrator logs in, an authentication requests goes to the external authentication
server, which sends a reply to the Multi-Domain Server. TACACS and RADIUS use the Multi-
Domain Server as a proxy between the Domain Management Server and the external
authentication server. To make this work correctly, you must configure each Multi-Domain
Server on the authentication server.

Note - If the Multi-Domain Server is DOWN, the Domain Management Server cannot
authenticate administrators.

Configuring External Authentication

To configure External Authentication:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Domains view, select the Global Domain, and then click Connect.
3. Connect to the Global Domain with SmartConsole, and then create a host object for the
authentication server.

R81.10 Multi-Domain Security Management Administration Guide | 38

Protecting the Multi-Domain Security Management Deployment

4. Define the Multi-Domain Security Management administrators in the authentication

server.
5. In SmartConsole, select Administrators.
6. Select an existing administrator or click New.
7. In the General tab, select the applicable Authentication Scheme.
8. If the selected authentication server is RADIUS or TACACS, select the server that you
configured in the Global Domain SmartConsole.
9. If the authentication server is SecurID:
a. Close SmartConsole.
b. Generate the file sdconf.rec on the Authentication Manager, and configure the
user to use Tokencode only.
c. Copy sdconf.rec to /var/ace/ on each Multi-Domain Server.
d. Open /etc/services in a text editor and add the following lines:
securid 5500/udp
securidprop 5510/tcp

e. Reboot the Multi-Domain Server.

Note - The <authentication_server> parameter is required for TACACS and

RADIUS.

R81.10 Multi-Domain Security Management Administration Guide | 39

Managing Domains

Managing Domains
A Domain Management Server is the functional equivalent of a Security Management Server
in a single-Domain environment.
You connect with SmartConsole directly to a Domain Management Server to manage the
Domain and its components:
n Security Gateways managed by this Domain
n Domain Security Policies, rules, and other Domain-level security settings
n Domain system objects, such as services, users, and VPN Communities.
n Domain Software Blades and their related configuration settings
This chapter contains:
n Instructions to create and manage Domains and Domain Management Servers.
n Instructions to create and configuring a Secondary Multi-Domain Server.

Creating a New Domain

Use this procedure to create a new Domain together with the first Domain Management Server
for this Domain.

To create a New Domain

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Multi-Domain > Domains view, click New.

3. In the Domain window, enter a unique Domain name.

4. Click the + icon in the General > Domain Servers section.
In a Management High Availability deployment, you must select a Multi-Domain Server
from the list.
a. Enter a unique Domain Management Server name or accept the default name.
b. Enter the Domain Management Server IP address, or click Resolve IP to get the IP
Address from the Multi-Domain Server address pool.
c. Accept the default Domain Management Server type and click OK.

R81.10 Multi-Domain Security Management Administration Guide | 40

Managing Domains

d. Click Trusted Clients and select one or more trusted clients from the list that can
connect to this Domain Management Server.
e. Optional: Click Additional Information and enter contact information for the person
responsible for this Domain Management Server.
5. Click OK to save the new Domain and Domain Management Server.

Notes:
n When you create a new Domain, you must always create at least one new

Domain Management Server with it.

n You can also use this procedure to create Standby Domains and Domain

Management Servers for Domain Management Server for redundancy

and Load Sharing. To do this, there must be at least one Secondary Multi-
Domain Server in the deployment.
n To create a Log Server, you must have a Multi-Domain Log Server or a

Secondary Multi-Domain Server in your environment.

n To add a license for a Domain, go to the main Menu > Manage licenses

and packages.
n You cannot add additional information fields to the Domain object.

Assigning Trusted Clients to Domains

You must assign one or more trusted SmartConsole clients to Domains before you can
connect to them. If you do not do this, an error message shows when you try to connect.
Each Domain assignment identifies trusted SmartConsole clients based on one of these
criteria:
n An IP address
n A host name
n A range of IP addresses
n Net mask
n IP addresses with wildcard characters
n Any - All SmartConsole clients can connect
Assigning a new trusted client to a Domain

1. Connect to the Multi-Domain Server with SmartConsole

2. From the tree, click Multi-Domain.
3. From the tree, click Permissions & Administrators > Trusted Clients.
4. Click New.
5. In the New Trusted Client window, enter a unique name for this Domain assignment.

R81.10 Multi-Domain Security Management Administration Guide | 41

Managing Domains

6. Select an identification criterion from the Type list and enter the applicable
information.
7. In the Domains Assignment section, add one or more Domains.
8. Optional: Select Multi-Domain Server Trusted Client to apply this assignment to
Multi-Domain Servers in addition to the specified Domains.
9. Click OK.

Adding an existing trusted client to a Domain

1. Connect to the Multi-Domain Server with SmartConsole

2. From the tree, click Multi-Domain.

3. From the tree, click Permissions & Administrators > Trusted Clients.
4. Double-click the trusted client name.
5. In the Domains Assignment section, add one or more Domains.
6. Optional: Select Multi-Domain Server Trusted Client to apply this assignment to
Multi-Domain Servers in addition to the specified Domains.
7. Click OK.

Changing a Domain assignment

1. Connect to the Multi-Domain Server with SmartConsole

2. From the tree, click Multi-Domain.

3. From the tree, click Permissions & Administrators > Trusted Clients.
4. Double-click the trusted client name.

5. Select an identification criterion from the Type list and enter or change the applicable
information.
6. In the Domains Assignment section, add or delete one or more Domains.
7. Optional: Select Multi-Domain Server Trusted Client to apply this assignment to
Multi-Domain Servers in addition to the specified Domains.
8. Click OK.

Configuring Automatic Domain IP Address Assignment

You can configure a Multi-Domain Server to assign an IP address to Domain Management
Servers managed by this Multi-Domain Server from a predefined pool of IP addresses. This
makes sure that the assigned IP address is not in use by other Multi-Domain Servers or
Domain Management Servers.

R81.10 Multi-Domain Security Management Administration Guide | 42

Managing Domains

To configure a Multi-Domain Server to assign IP addresses to Domain Management

Servers
1. Connect to the Multi-Domain Server with SmartConsole
2. From the left tree, click Multi-Domain > Domains.
3. Right-click a Multi-Domain Server and select Edit.
The Multi-Domain Server window opens.
4. From the left tree, click Multi-Domain.
5. In the IP Range section, enter the first and last IP address in the range.
6. Click OK.

R81.10 Multi-Domain Security Management Administration Guide | 43

Changing an Existing Domain Configuration

1. Connect to the Multi-Domain Server with SmartConsole.
2. From the left tree, click Multi-Domain > Domains.
3. Right-click a Domain in the grid, and then select Edit.
The Domain window opens.
4. From the left tree, click General.
5. In the Domain Servers section, select the Domain Management Server and click the
pencil icon (Edit/View Domain Server).

Note - You cannot change the Domain name.

6. Add, delete, or change the other Domain definitions as necessary.

7. Click OK.

Deleting a Domain Management Server or Domain

Deleting a Domain Management Server

1. Connect with SmartConsole to the Multi-Domain Server.

2. From the left tree, click Multi-Domain > Domains.

3. Right-click a Domain Management Server in the grid, and then select Delete.

Deleting a Domain

1. Connect with SmartConsole to the Multi-Domain Server.

2. From the left tree, click Multi-Domain > Domains.
3. In the Domains column, right-click a Domain, and then select Delete.

Note - This action automatically deletes the Active and Secondary Domain
Management Servers, Domain Log Servers, and the Domain object.

R81.10 Multi-Domain Security Management Administration Guide | 44

Connecting to a Domain Management Server

Connecting directly to a Domain Management Server

1. Connect with SmartConsole to the Multi-Domain Server.

2. In the Welcome screen, select a Domain from the list, and then click Proceed.
3. SmartConsole opens with the active Domain Management Server in the Gateways &
Servers view.

Connecting from the SmartConsole Multi-Domain view

1. Connect with SmartConsole to the Multi-Domain Server.

2. From the left tree, click Multi-Domain > Domains.

3. Right-click the Active Domain Management Server in the grid, and then select
Connect to Domain Server.

Note - In a Management High Availability deployment, you can only make changes
to a Domain from the active Domain Management Server. The active Domain
Management Server shows with a black icon. If you connect to a standby Domain
Management Server (white icon), SmartConsole opens in the Read Only mode.

R81.10 Multi-Domain Security Management Administration Guide | 45

Working with Cross-Domain Management

The Multi-Domain Security Management Gateways & Servers view lets administrators see
and work with Domain Management Servers, Security Gateways, and other objects for all
Domains in one convenient window.
You must have the applicable permissions to see and work with these objects.

To open the Gateways & Servers view

1. Connect with SmartConsole to the Multi-Domain Server.
2. From the left tree, click Gateways & Servers.

This view shows all Security Gateways and Clusters managed by all Domain
Management Servers.
Example:

To work with a Security Gateway, double-click the Security Gateway object. A SmartConsole
instance for the applicable Domain Management Server opens and automatically shows the
Gateway window for the selected Security Gateway. In a Management High Availability
environment, SmartConsole opens for the Active Domain Management Server.
To work with a Domain, double-click its Domain Management Server object. A SmartConsole
instance for the applicable opens and automatically shows the Host window for the selected
Domain Management Server. In a Management High Availability environment, make sure that
you select the Active Domain Management Server, which opens in the Read/Write mode.
Standby Domain Management Servers open as Read-Only, and you cannot make any
changes to Domain objects.

R81.10 Multi-Domain Security Management Administration Guide | 46

Changing an Existing Multi-Domain Server

You can change the settings for an existing Multi-Domain Server or Multi-Domain Log Server.

To change the settings for an existing Multi-Domain Server:

1. Connect with SmartConsole to the Multi-Domain Server.
2. From the left tree, click Multi-Domain > Domains.
3. In the top row of the Domains grid, double-click the Multi-Domain Server or Multi-
Domain Log Server object.
4. In the Multi-Domain Server window, change the parameters in these views:
n General
n Configuring Automatic Domain IP Address Assignment

Note - You cannot change the name of the Multi-Domain Server object.

R81.10 Multi-Domain Security Management Administration Guide | 47

Setting the Domain Management Server Display Format

Setting the Domain Management Server

Display Format
You can change how Domain Management Servers show in the Domains grid.

To set the Domain Management Servers display format

1. Connect with SmartConsole to the Multi-Domain Server.
2. From the left tree, click Multi-Domain > Preferences.
3. Select a Domain Server Display Format:
n Domain Server Name and IP (default)
n Domain Server IP
n Domain Server Name

R81.10 Multi-Domain Security Management Administration Guide | 48

Backing Up and Restoring a Domain

You can back up a Domain and later restore it on the same Multi-Domain Server.

Important:
n You can restore a Domain only on the same Multi-Domain Server, on which you
backed it up.
n You can restore a Domain, to which a Global Policy is assigned, only if during
the Domain backup you did not purge the assigned Global Domain Revision.

Backing Up a Domain

Run this API:

backup-domain

For API documentation, see the Check Point Management API Reference - search for
backup-domain.

Restoring a Domain

1. Make sure it is possible to restore the Domain

Before you can restore a Domain, you must delete the current Domain.
Before you delete the current Domain, make sure it is possible to restore it.

Run this API with the "verify-only" flag:

restore-domain

For API documentation, see the Check Point Management API Reference - search
for restore-domain.

2. Delete the current Domain

Before you can restore a Domain, you must delete the current Domain.
You can perform this step in one of these ways:
n In SmartConsole connected to the MDS context
n With the API delete domain (see the Check Point Management API
Reference)

3. Restore the Active Domain Management Server

Run this API:

R81.10 Multi-Domain Security Management Administration Guide | 49

Backing Up and Restoring a Domain

restore-domain

For API documentation, see the Check Point Management API Reference - search
for restore-domain.

4. Restore the Standby Domain Management Servers and Domain Log Servers

When you restore the Standby Domain Management Servers and Domain Log
Servers, they must have the same IP addresses that were used when you collected
the Domain backup.
For API documentation, see the Check Point Management API Reference - search
for set domain
For each Standby Domain Management Server, run this API:

set-domain name <Name or UID of Domain> servers.add.ip-

address <IP Address of Domain Management Server>
servers.add.name <Name of Domain Management Server>
servers.add.multi-domain-server <Name of Multi-Domain
Server> servers.add.backup-file-path <Full Path to Domain
Backup File>.tgz --format json

For each Domain Log Server, run this API:

set-domain name <Name or UID of Domain> servers.add.ip-

address <IP Address of Domain Log Server> servers.add.name
<Name of Domain Log Server> servers.add.multi-domain-
server <Name of Multi-Domain Server> servers.add.backup-
file-path <Full Path to Domain Backup File>.tgz --format
json servers.add.type "log server"

5. Configure and assign the Administrators and GUI clients

You must again configure the Multi-Domain Server Administrators and GUI clients
and assign them to the Domains.
a. Configure the Multi-Domain Server Administrators and GUI clients:
i. Run the mdsconfig command
ii. Configure the Administrators
iii. Configure the GUI clients

R81.10 Multi-Domain Security Management Administration Guide | 50

Backing Up and Restoring a Domain

b. Assign the Administrators and GUI clients to the Domains:

See "Backing Up and Restoring a Domain" on page 49 and "Backing Up and
Restoring a Domain" on page 49.

6. Install policy on all managed Security Gateways and Clusters

a. Connect with SmartConsole to the restored Active Domain.

b. Install the applicable policies on all managed Security Gateways and
Clusters.

R81.10 Multi-Domain Security Management Administration Guide | 51

Migrating a Domain Management Server between R81.10 Multi-Domain Servers

Migrating a Domain Management Server

between R81.10 Multi-Domain Servers
This procedure lets you export the entire management database from a Domain Management
Server on one R81.10 Multi-Domain Server and import it on another R81.10 Multi-Domain
Server.
For the list of known limitations, see sk156072.

Procedure:
1. On the source Multi-Domain Server, export the Domain Management Server

a. Run this API:

migrate-export-domain

For API documentation, see the Check Point Management API Reference -
search for migrate-export-domain.
b. Calculate the MD5 of the export file:

md5sum <Full Path to Export File>

2. Transfer the export file to the target Multi-Domain Server

a. Transfer the export file from the source Multi-Domain Server to the target Multi-
Domain Server, to some directory.

Note - Make sure to transfer the file in the binary mode.

b. Make sure the transferred file is not corrupted.

Calculate the MD5 for the transferred file and compare it to the MD5 that you
calculated on the source Multi-Domain Server:

md5sum <Full Path to Export File>

3. On the target Multi-Domain Server, import the Domain Management Server

R81.10 Multi-Domain Security Management Administration Guide | 52

Migrating a Domain Management Server between R81.10 Multi-Domain Servers

a. Run this API:

migrate-import-domain

For API documentation, see the Check Point Management API Reference -
search for migrate-import-domain.
b. Make sure that all the required daemons (FWM, FWD, CPD, and CPCA) are in
the state "up" and show their PID (the "pnd" state is also acceptable):

mdsstat

If some of the required daemons on a Domain Management Server are in the

state "down", then wait for 5-10 minutes, restart that Domain Management
Server and check again. Run these three commands:

mdsstop_customer <IP Address or Name of Domain

Management Server>
mdsstart_customer <IP Address or Name of Domain
Management Server>
mdsstat

4. Configure and assign the Administrators and GUI clients

You must again configure the Multi-Domain Server Administrators and GUI clients and
assign them to the Domains.
a. Configure the Multi-Domain Server Administrators and GUI clients:

i. Run the mdsconfig command

ii. Configure the Administrators

iii. Configure the GUI clients

iv. Exit the mdsconfig menu
b. Assign the Administrators and GUI clients to the Domains:
See "Migrating a Domain Management Server between R81.10 Multi-Domain
Servers" on the previous page and "Migrating a Domain Management Server
between R81.10 Multi-Domain Servers" on the previous page.

5. Install policy on all managed Security Gateways and Clusters

a. Connect with SmartConsole to the Active Domain (to which this Domain
Management Server belongs).
b. Install the applicable policies on all managed Security Gateways and Clusters.

R81.10 Multi-Domain Security Management Administration Guide | 53

Database Revisions

Database Revisions
You can revert to previous versions of the database on your domains. Revert to revision is
supported on the Global and Local Domains but not on the Multi-Domain Management Server
view. Note that the Global Domain supports revisions only if the corresponding revision was
not purged. For more information on how to use the database revision feature, see the R81.10
Security Management Administration Guide

R81.10 Multi-Domain Security Management Administration Guide | 54

Cross-Domain Search

Cross-Domain Search
Starting from R81, you can do these actions from the Multi-Domain view across all Domains,
without logging into each Domain:
n Search an object
n View unused objects
n See where an object is used
For information on how to do these actions in a specific domain, see the R81.10 Security
Management Administration Guide.

To do a cross-domain search:
1. In the Multi-Domain view, click the drop-down arrow in the main menu and select Open
Global Object Explorer.

The Global Object Explorer window opens.

2. In the search box, enter what you are searching. A list appears which shows all the
applicable objects which fit your search in all the Domains.

R81.10 Multi-Domain Security Management Administration Guide | 55

Cross-Domain Search

You can select to see all search results or only results of unused objects.

To view unused objects:

1. In the Multi-Domain view, click the drop-down arrow in the main menu and select
Open Global Object Explorer.
The Global Object Explorer window opens.

2. In the upper left corner, select Unused Objects.

A list appears with all the unused object in all the Domains..

To see where an object is used

1. In the Multi-Domain view, click the drop-down arrow in the main menu and select
Open Global Object Explorer.
The Global Object Explorer window opens.
2. Navigate to the applicable object.
3. Right-click the object and select Where Used.

A list appears with all the places where the object appears in all the Domains.

Notes:
n Cross-Domain Search is supported only on Domains defined on a Multi-Domain
Server, to which the user is connected with SmartConsole.
n Cross-Domain Search is supported only on Domains, for which the connected
user has Read or Read/Write permissions.

R81.10 Multi-Domain Security Management Administration Guide | 56

Global Management

Global Management
This section describes how to connect to the Global Domain, create a Global Policy, create
Global Assignments, update IPS Protections and the Application & URL Filtering Database.

The Global Domain

The Global Domain is a collection of rules, objects and settings shared with all Domains or
with specific Domains. The system automatically creates the Global Domain when you install
Multi-Domain Security Management. You cannot delete the Global Domain.
You organize global rules, objects and settings into global configurations. Each global
configuration can include one or more of these components:
n One Global Access Control Policy - Global rules that control access to network
resources. This includes rules for Firewall, Application Control, URL Filtering, and IPsec
VPN. The Network Policy Layer is created automatically after installation or upgrade.
You can manually create an Application or other Global Policy Layers as necessary.
n One Global Threat Prevention Policy - Global rules that prevent malware, intrusions
and other threats. This includes rules for IPS, Anti-Bot, Anti-Virus, and other Threat
Prevention features. The Threat Prevention Policy Layer is created automatically after
installation or upgrade.
n Global Objects - System objects and configuration settings that are common to all or to
specific Domains. Connect to the Global Domain with SmartConsole to create and
configure global objects.

Connecting to the Global Domain

To connect to the Global Domain:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Domains view, right-click the Global Domain, and then click Connect to Domain.
A SmartConsole instance opens for the Global Domain.

Changing the Global Domain

This section includes basic procedures for working the contents of the Global Domain.
When connected to the Global Domain you can:

R81.10 Multi-Domain Security Management Administration Guide | 57

Global Management

n Create, delete or change Global Access Control and Threat Prevention Policies.
n Create, delete or change rules in Global Policies.
n Create, delete or change global objects.
These activities are not supported in this release:
n Create a new Global Domain.
n Define Security Gateways as installation targets in global configuration rules. You must
use local Policies to do this.

Working with Global Objects

Use global objects in global configuration rules. Global objects work much in the same way as
objects in local Policy rules.
The Global Domain includes many, predefined global objects for your convenience. These
default global objects are visible (read only), in the Global Domain. You cannot delete or
change them.
You can create, change or delete user-defined global objects in the Global Domain only.
Global objects are visible in local Domains in the read-only mode.

Important - Before you delete a global object, make sure that no global or local policy
rules use this global object. This can cause errors when you reassign global
configurations.

To add a new global object:

1. Connect to the Global Domain with SmartConsole.

2. Click the Objects menu, and then select an object type from the menu.

You can also create a new global object with the Object Explorer.
3. Configure the required parameters.
4. Click OK to save the new object.
To change a user-defined global object, select it in the Object Explorer, and then change the
applicable settings.
To delete a user-defined object, select it in the Object Explorer and click Delete.

Important - After you complete the global object task, assign or reassign the global
configuration to the applicable Domains. This action automatically:
n Publishes the changes that were done on the Multi-Domain Server
n Updates the local Domain and its Rule Base

R81.10 Multi-Domain Security Management Administration Guide | 58

Global Management

Working with Global Configuration Rules

This section is a general overview of the procedure for defining rules in the Global Policies. To
learn more about Policy rules and their configuration procedures, see the R81.10 Security
Management Administration Guide.
Global Policy Layers have one placeholder for local Domain rules. You can create global rules
above and below this placeholder. In the local Domain Policy Layer, you define local rules in
the placeholder. If there are no local Domain rules, the placeholder can be empty.
The position of rules in Domain Policy Layers defines the order in which they are enforced. It is
important to put rules in the correct sequence. Global Policy Layers do not have implied rules,
but implied rules can be inherited from global properties in local Domains.

Best Practice - Define a global cleanup rule in each Policy Layer.

There is no NAT Rule Base in the Global Domain and you cannot define NAT settings there.
You must define NAT rules manually in Domain Policy Layers.

Workflow for global Domain Policy Layers:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Domains view, right-click the Global Domain, and then click Connect to Domain.
A SmartConsole instance opens for the Global Domain.
3. Select Access Control and Threat Prevention Policy Layers and configure their rules.

4. Publish the SmartConsole session.

5. Go to Multi-Domain > Global Assignments, and assign the configuration to the local
Domains. If you assigned the configuration before, and made changes to the Global
Domain Policy, reassign the global domain configuration to the local Domains.
The system creates a task, during which these actions occur:
n Makes sure that all Global and local Domain Layer rules are consistent and work
together correctly. For example, it makes sure that new local Policy Layers are
connected to existing local Domain Policy Layers.
n Updates the local Domain and its Rule Base.
n Publishes the changes again.
n Changes the assignment status to Up to Date.
6. Install Policies on the local Domains.

R81.10 Multi-Domain Security Management Administration Guide | 59

Global Management

Policy Presets
SmartConsole lets you create Policy Presets for better policy installation planning. A Policy
Preset is a collection of Security Gateways or Policy Packages for policy installation purposes.
After you define a Preset, you can install policy on all the items which are included in the
Preset at the same time. You also have the option to define a policy installation schedule for a
specific Preset. In a large deployment Multi-Domain Server environment, Policy Presets help
you save time and manage the policy installation process more efficiently.
You can create 2 types of Policy Presets:
n By Gateways - Policies are installed on all Security Gateways in the Preset. The
applicable policy is installed on each Security Gateway in the Preset. A Preset can
include Security Gateways from different Domains, from the same Domain, Security
Gateways with different policies or identical policies.
n By Policy Packages - All Policy Packages included in the Preset are installed on the
Security Gateways that enforce it at the same time.

Note - A Preset by Policy Packages installs policy only on Security Gateways which
enforce the selected Policy Packages included in the Preset. It does not necessarily
install policy on all Security Gateways in a Domain.

You can use Presets for policy installation only after you installed policy on the installation
targets for the first time. Security Gateways with no policy installed on them are skipped during
the installation process.

To create a Policy Preset:

1. In the Multi-Domain view, go to Multi-Domain > Install Policy Presets > New.
2. In Installation Targets, select one of these options:
n By Gateways - This Policy preset is installed on the Security Gateways that you
select.
n By Policy Packages - This Policy preset is installed on the Security Gateways
which enforce the selected Policy Packages.
3. In Scheduling:
You can schedule the policy installation to specific days and hours.
The hour of the policy installation is set to the time zone of:
n The SmartConsole client - for a one-time installation.
n The Multi-Domain Management Server - for a recurring installation.

R81.10 Multi-Domain Security Management Administration Guide | 60

Global Management

Use Case - Time Set for a Recurring Installation

Recurrence > Configure > Days in week > Saturday

n You want to schedule a recurring installation on Saturday 2 PM New York time
(14:00):
In your SmartConsole client > New Install Policy Preset > Scheduling, select:
Install policy at 21:00
Recurrence > Configure > Days in week > Saturday
Example 2:
Your SmartConsole client is in Israel, and your Multi-Domain Server is in New York.
n You want to schedule a recurring installation on Saturday 6 PM Israel time
(18:00):
In your SmartConsole client > New Install Policy Preset > Scheduling, select:

Install policy at 18:00

Recurrence > Configure > Days in week > Saturday
n You want to schedule a recurring installation on Saturday 6 PM New York time
(18:00):
In your SmartConsole client > New Install Policy Preset > Scheduling, select:
Install policy at 01:00
Recurrence > Configure > Days in week > Sunday

Note - The hour of the policy installation is set to the time zone of:
n The SmartConsole client - for a one-time installation.
n The Multi-Domain Management Server - for a recurring

installation.

4. Publish the SmartConsole session.

R81.10 Multi-Domain Security Management Administration Guide | 61

Global Management

You can see the next policy installation schedule in the Next Run column:

At any time, you can select a Preset and click Install Policy, regardless of the preset schedule.
The audit logs of your Preset activity show at the bottom of the Install Policy Presets page and
in the Logs & Monitor view.

Note - The policy preset is installed on the Multi-Domain Server with the active global
Domain. If a domain has no domain server on the Multi-Domain Server with the active
global Domain, then the policy preset is not installed on this Domain.

Use Case - Installation on multiple Multi-Domain Servers

In this example, the Global policy will not be installed on Domain 2, because Domain 2 has
no server in Multi-Domain Server2.

Servers Multi-Domain Server 1 Multi-Domain Server 2

Domains

Domain1 Domain1_Server (Active) Domain1_Server_2 (Standby)

Domain2 Domain2_Server (Active) No Server

Global Standby Active

R81.10 Multi-Domain Security Management Administration Guide | 62

Global Management

Use Case - Time Set for a Recurring Installation

In a one time installation, the installation time is according to the SmartConsole client. In a
recurring installation, the installation time is according to the Multi-Domain Server. This
affects how you set both the hour and the day on your local SmartConsole client.
Example 1:
Your SmartConsole client is in Israel, and your Multi-Domain Server is in New York.
n You want to schedule a recurring installation on Saturday 2 PM Israel time (14:00):
In your SmartConsole client > New Install Policy Preset> Scheduling, select:
Install policy at 14:00
Recurrence > Configure > Days in week > Saturday
n You want to schedule a recurring installation on Saturday 2 PM New York time
(14:00):
In your SmartConsole client > New Install Policy Preset > Scheduling, select: Install
policy at 21:00
Recurrence > Configure > Days in week > Saturday
Example 2:
Your SmartConsole client is in Israel, and your Multi-Domain Server is in New York.
n You want to schedule a recurring installation on Saturday 6 PM Israel time (18:00):

In your SmartConsole client > New Install Policy Preset > Scheduling, select:
Install policy at 18:00
Recurrence > Configure > Days in week > Saturday
n You want to schedule a recurring installation on Saturday 6 PM New York time
(18:00):
In your SmartConsole client > New Install Policy Preset > Scheduling, select: Install
policy at 01:00
Recurrence > Configure > Days in week > Sunday
Use Case - Mail Security Servers

You are the administrator for a corporation that has five branches, each branch in a
different city. You manage the Security Gateways from a Multi-Domain console. In the
Multi-Domain console, each branch is represented by a Domain. Each Domain has a
mail security server. When there is a mail-related update, you must update the policy on
all mail security servers (no update is required for the other Security Gateways in each
Domain). How can you make the policy installation process more efficient?

R81.10 Multi-Domain Security Management Administration Guide | 63

Global Management

Create a Preset which includes the mail security server in each Domain. After you create
this Preset, each time it is necessary to update the Policy on the mail security servers,
you can select this preset for installation. This way, you do not need to search and filter
for each mail security server separately.
You can also schedule the policy installation for specific days and hours, for example, in
the evening hours, when there are fewer employees at work.

Sample Access Control Policy Layer

Global Access Control rules use a placeholder for local Domain rules. The position of this
placeholder in the Rule Base controls the order that Security Gateways handle global and local
Policy rules. For simplicity of presentation, this example shows one Global Policy Layer that
has both Network and Application rules. In the real world, there are different Policy Layers for
these two rule types.

Sample Global Policy Layer

Services &
No. Name Source Destination VPN Action
Applications

1 Traffic from Security Management Any Any Accept

Management Gateway Server
Server to objects
Security Security
Gateway Management Gateway
Server objects

2 FB & Twitter Internal Net Any Any Facebook Drop

Twitter

3 Placeholder for Domain Rules Domain

Layer

4 DMZ Notify Internal Net DMZ Net Any Any Inform

5 Cleanup Any Any Any Any Drop

In this example, the placeholder for local Domain rules is rule number 3. Global Domain rules 1
and 2 run before the local Domain rules. Global rule 4 and the cleanup rule run after the local
Domain rules.
Each local Domain Policy includes both Global Domain Policy rules and local Domain rules
that apply to its Security Gateways. Local Domain Policy rules show in a Domain Layer under
a parent rule.

R81.10 Multi-Domain Security Management Administration Guide | 64

Global Management

Sample Domain Policy Layer with Global and Local Domain Rules

Services &
No. Name Source Destination VPN Action
Applications

1 Traffic from Security Management Any Any Accept

Management Gateway Server
Server to objects
Security Security
Gateway Management Gateway
Server objects

2 FB & Twitter Internal Net Any Any Facebook Drop

Twitter

3 Parent Rule for Local Domain Policy

3.1 External to External Net Host_ Any Any Accept

SD server 10.10.10.11

3.2 Finance Finance Finance Dept Any Any Accept

Top Mgmt.

3.3 File Sharing Any Any Any Dropbox Accept

Allowed Google Docs
CP Threat
Cloud

4 DMZ Notify Internal Net DMZ Net Any Any Inform

5 Cleanup Any Any Any Any Drop

In this example, the Security Gateways handle the global configuration rules (1 and 2) and
then the local Domain rules. If there is still no match in the local rules, the Security Gateways
handle the last two global rules, including the cleanup rule..
Although a local Domain can define implied rules, it is a best practice to put critical global rules
at the beginning of the Rule Base. Put the global cleanup rule at the end. This overrides the
implicit cleanup rule and gives you flexibility to define an effective sequence for local Domain
rules. .

Sample Threat Prevention Policy Layer

Global Threat Prevention rules use a placeholder for local Domain rules. The position of this
placeholder in the Rule Base controls the order that Security Gateways handle global and local
Policy rules. The first rule that matches traffic generates the specified action.

R81.10 Multi-Domain Security Management Administration Guide | 65

Global Management

Sample global Policy Rule Base

Protected Protection Install

No. Name Action Track
Scope Site On

1 Max Portal N/A Strict Alert Policy

Security Server Packet Targets
Finance Capture
Server

Global Exceptions (No Rules)

E-1.1 MS Office Any MS Word Detect Log Policy

False MS Packet Targets
Positives Publisher Capture
MS Excel

2 Printers & Peripheral N/A Basic Log Policy

Other Net Packet Targets
Devices Capture

Global Exceptions (No Rules)

3 Parent Rule for Domain Policy Domain Layer

4 Cleanup Any N/A Optimized Log Policy

Packet Targets
Capture

Global Exceptions (No Rules)

R81.10 Multi-Domain Security Management Administration Guide | 66

Global Management

In this example, the local Domain placeholder is rule number 3. Global Domain rules 1 and 2
run before the local Domain rules. Global Domain rule 4 is the default rule that runs after the
local Domain rules.
Each Domain Policy includes both global rules and local rules that apply to its Security
Gateways. Local Domain Policy rules show in a local Domain Layer under a parent rule.

Sample Domain Rule Base with global and local Domain Rules

Protected Protection Install

No. Name Action Track
Scope Site On

1 Max Security Portal Server N/A Strict Alert Policy

Finance Packet Targets
Server Capture

Global Exceptions (No Rules)

E- MS Office Any MS Word Detect Facebook Policy

1.1 False MS Twitter Targets
Positives Publisher
MS Excel

2 Printers & Peripheral N/A Basic Log Policy

Other Net Packet Targets
Devices Capture

Global Exceptions (No Rules)

3 Placeholder for Domain Policy Domain Layer

3.1 Management Management N/A Optimized Log Policy

Threats Packet Targets
Capture

3.2 Guests Guest N/A Strict Log Policy

Packet Targets
Capture

4 Cleanup Any N/A Optimized Log Policy

Packet Targets
Capture

This example shows Policy Layer with Global Domain rules together with the local Domain
rules.

R81.10 Multi-Domain Security Management Administration Guide | 67

Global Management

Using Layers with the Global Domain

n You create Global Access Control and Threat Prevention Policy Layers in the Global
Domain. You configure Local Domain Policy Layers in the applicable local Domains.
n The Global Network Policy Layer is created automatically, but you can manually create a
Global Application Layer. The Global Threat Prevention Layer is created automatically.
If your policy installation targets contain Security Gateways R77.30 or lower, the Network
and Application layers are the only supported layers. Do not create more Policy Layers.
n In each Policy Layer, the position of the local Domain Policy Layer is defined by the
position of its placeholder in the Rule Base. You can add global rules above or below the
placeholder. You can define Threat Prevention rule exceptions for Global and local
Domain Policy Layers.
n You can temporarily disable the local Domain Policy Layer.
In SmartConsole for the applicable local Domain, right-click in the No column of the
placeholder, and then select Disable. The Domain Policy shows as grayed-out.
To re-enable it, right-click the same cell, and select Disable again. Publish the
SmartConsole session.

Note - You cannot disable local Policy Layers in the Global Domain. This option
is not available.
n To delete the rules from a local Domain Layer, click the pencil icon in the Action column,
and select No domain rules in the local Domain. Publish the SmartConsole session.
n To use a different Domain Policy Layer, click the pencil icon in the Action column, and
select a different Domain Policy Layer from the list. Publish the SmartConsole session.

Upgrade Issues
When you upgrade an R77.X or earlier Multi-Domain Server, existing Policies are converted in
this manner:
n If a pre-R80.x Policy has a Global Access Control Policy with no defined rules
(placeholder only), its mode is automatically set to no global Policy after an upgrade to
R80.x. You can change the mode as necessary for both R80.x and pre-R80.x Policies.
n The Firewall Policy is converted into an R80.10 Network Policy Layer. Its implicit
cleanup rule is set to Drop.
n The Application & URL Filtering Policy is converted to the Application Policy Layer. The
implicit cleanup rule for it is set to Accept.
n If a Domain contains IPS rules, an IPS Layer is automatically created in the R80.x Threat
Prevention Policy for the applicable Domain.

R81.10 Multi-Domain Security Management Administration Guide | 68

Global Management

Policy Layers and Administrator Permissions

The use of Policy Layers lets you define granular permissions for different aspects of security
management. In a typical organization, only administrators with Global Management or
Superuser privileges can work with Global Policy Layers. Domain Managers or Domain
Level Only administrators typically have permissions to work with specified Policy Layers in
their local Domains.

Dynamic Objects and Dynamic Global Objects

Dynamic objects are "logical" network objects for which IP addresses or address ranges are
not explicitly defined. You define dynamic objects in the Global Domain and use them in global
configuration rules. The dynamic objects are resolved to local objects when you assign the
global policy to the local Domains.

You can create dynamic objects for most object types, including Security Gateways, hosts,
services, networks and groups. Use the standard global objects available in SmartConsole or
create your own global objects. All dynamic objects must have the _global suffix, which
identifies the objects as global.
There are two types of dynamic objects:
n Dynamic Global Network Objects - In each Domain, you define a host object with the
same name as the global dynamic object. During the assignment of the global policy, the
references to the global dynamic object in different rules are replaced by the reference to
the local host object with the same name. The _global syntax triggers the reference
replacement mechanism.
n Dynamic Objects - The dynamic object is assigned an IP at the Security Gateway level,
when you assign the global configuration to a Domain and install Policies on the Security
Gateways. There is no need to create a corresponding local object.
The use of dynamic objects makes it possible to create global rules with no specified network
objects. This lets you create rules that are templates.

Defining Rules with Dynamic Objects

To create a new global dynamic object:

1. Connect to Global Domain SmartConsole.
2. In the Object Explorer, select New > Network Objects > Dynamic Object.
3. Select:
n Dynamic Global Network Object - The dynamic global object is replaced by a
matching Domain object,
Or

R81.10 Multi-Domain Security Management Administration Guide | 69

Global Management

n Dynamic Object -The dynamic object is assigned an IP at the Security Gateway

level.
4. In the New Dynamic Object window, enter a name.
For the Dynamic Global Network Object, the name must have the suffix _global. For
example, FTP_Server_global.
5. Drag the dynamic object to the applicable cells in the global Rule Base.
6. Publish the SmartConsole session.
7. Assign the Global Policy to all the applicable Domains.

To use a dynamic global network object in a local Domain rule:

1. Connect to SmartConsole for each applicable Domain.

2. In each Domain, create a local object with the same name as the Dynamic Global
Network Object, with the _global suffix.
The local object must include the applicable local parameters, such as the IP address.
When you assign the global policy to the local Domain, the local object replaces this Dynamic
Global Network Object.
For Dynamic Objects, there is no need to create an equivalent local object.

Applying Global Rules to Security Gateways by Function

You can create Security Rules in Global Domain that are installed on some Security Gateways
or groups of Security Gateways and not others. This way, Security Gateways with different
functions on one Domain can receive different security rules for a specified function or
environment. When you install global policy to a number of similarly configured Domains, the
related global rules are installed to all of the related Security Gateways on each Domain.
This feature is particularly useful for enterprise deployments of Multi-Domain Security
Management, where Domains typically represent geographic subdivisions of an enterprise.
For example, an enterprise deployment may have Domains for business units in New York,
Boston, and London, and each Domain is similarly configured, with a Security Gateway (or
Security Gateways) to protect a DMZ, and others to protect the perimeter. This capability lets
you configure the global policy so that some global security rules are installed to DMZ Security
Gateways, and different rules are installed to the perimeter Security Gateways.

Note - Global security rules can be installed on Security Gateways, and Open
Security Extension (OSE) devices.

R81.10 Multi-Domain Security Management Administration Guide | 70

Global Management

To install a specified security rule on a specified Security Gateway or types of Security

Gateways:
1. Connect to the Global Domain for the related Global Policy.
2. In the Objects Categories tree, go to New > Network Object > Dynamic Objects and
select Dynamic Global Network Object.
3. Name the dynamic object, and add the suffix _global to the end of the name.
4. Create rules to be installed on Security Gateways with this function, and drag the
dynamic object you created into the Install On column for each rule.
5. Launch SmartConsole for each related Domain.
6. Create a group object with the name of the dynamic object you created, including the
suffix _global.
Best Practice - While you can give a Security Gateway a name of the global dynamic
object, we recommend to create a group to preserve future scalability (for instance, to
include another Security Gateway with this function). We do not recommend changing
the name of an existing Security Gateway to the dynamic object name.
7. Add to the group all the Security Gateways on the Domain that you want to receive these
global security rules.
8. From the Multi-Domain Security Management view, re-assign the global policy to the
related Domains.

R81.10 Multi-Domain Security Management Administration Guide | 71

Creating a Global Policy in the Global SmartConsole

Creating a Global Policy in the Global

SmartConsole
You create Global Policies in the Global SmartConsole. You create Domain policies in the
SmartConsole launched using the Domain Management Server. Let us consider an MSP that
wants to implement a rule which blocks unwanted services at Domain sites. The Multi-Domain
Security Management Superuser, Carol, wants to set up a rule which lets the Domain
administrators decide which computers are allowed to access the Internet.

Source Destination VPN Service Action

MyRule Any Any Any Accept

After she created a Global Policy which includes this rule, she assigns and installs it to specific
Domains and their Security Gateways. Each Domain administrator must create a group object
with the same name as in the Domain Management Server database. This is done in
SmartConsole. This way, local administrators translate the dynamic global object into sets of
network object from the local database.
For details about how to use the SmartConsole, see the R81.10 Security Management
Administration Guide.

R81.10 Multi-Domain Security Management Administration Guide | 72

Creating a Global Policy in the Global SmartConsole

These are the differences between the Domain SmartConsole and the Global SmartConsole:

Feature Domain SmartConsole Global SmartConsole

Rule Base Local, applying to the Domain Global, applying to multiple networks
network only. of all Domains assigned this Global
Policy.

Domain Security Rules and Global Global Rules and a place holder for
Rules (in Read Only mode) if the Domain rules.
Global Policy is assigned to the
Domain.

Not associated with the Domain Automatically added to all of the

other security policies. assigned security policies of
Domains.

Each Domain policy is All the assigned Domain policies

independent, with its own rules. share the global rules.

Network Local to this network only. Global to multiple networks of all

Objects Domains assigned this Global Policy.

Global Enabled. Disabled (manipulations is through

Properties the Domain SmartConsole).

Saving a Adds the security policy to the list Adds the Global Policy to the Global
Security of Domain security policies. Policies database (and displays it in
Policy the Global Policies Tree of
SmartConsole).
Note - You cannot use the Global SmartConsole to create Security Gateway objects.
Instead, use a SmartConsole connected to a specific Domain Management Server to
create these objects.

R81.10 Multi-Domain Security Management Administration Guide | 73

Global Assignments

Global Assignments
A global assignment is a Multi-Domain Security Management system object that assigns a
global configuration to one specified Domain. You create global assignments to assign
different combinations of Global Access Control Policies, Global Threat Prevention Policies,
and global object definitions to different Domains.
When you create a new global assignment, it automatically assigns the specified global
configuration to the specified Domain. It also publishes the assignment and updates local
Domain Policies.

Best Practice - When you create a new Domain, create a global assignment for that
Domain at the same time.

When you do one or more of these actions, you must publish the Global Domain session and
reassign the global configuration:
n Add, delete, or change rules in a global configuration
n Add, delete, or change user-defined objects in a global configuration
n Define the SmartEvent object in the global database
n Change the definition of a global assignment
The assign/reassign action does not automatically install Policies.

Best Practice - Install Policies after you assign or reassign a global assignment.

Configuring an Assignment

To create a new global assignment:

1. Connect to the Multi-Domain Server with SmartConsole.
2. Go to Multi-Domain > Global Assignments.
3. Click Assign > New Assignment.
4. In the New Assignment window, select a Local Domain.
5. Optional: Select a Global Access Control Policy for this local Domain.
You can click Advanced to open the Advanced Assignment window to assign the
selected Policy:
n Only to the specified, local Domain Policies
n To all local Domain Policies, except for those explicitly specified
6. Optional: Select a Global Threat Prevention Policy for this local Domain.

R81.10 Multi-Domain Security Management Administration Guide | 74

Global Assignments

You can click Advanced to open the Advanced Assignment window to assign the
selected Policy:
n Only to the specified, local Domain Policies
n To all local Domain Policies, except for those explicitly specified
7. Optional: Enable Manage protection actions.
This option lets you change IPS protection actions for Security Gateways on the local
Domain.
8. Click Assign.
9. In the confirmation window, click Publish & Assign.
The system creates a task, which:
n Updates the local Domain and its Rule Base
n Publishes the changes
n Changes the assignment status to Up to Date

To change an existing global assignment:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Global Assignments view, double-click a Domain.
3. In the Assignment window, follow steps 4-6 above.

4. Click Assign.
5. In the confirmation window, click Publish & Assign.

The system creates a task which:

n Updates the local Domain and its Rule Base
n Publish the changes
n Changes the assignment status to Up to Date

Important - You can create a global assignment that does not include a Global
Access Control and Threat Prevention Policy. To do this, select the None value to
both Policy types. The global configuration assigns only the defined global objects
and settings to Domains.

Reassigning
When you make changes to the global configuration items, the assignment status changes to
Not up to date. The assignment status does not change if you make changes to the local
Domain Policies.

R81.10 Multi-Domain Security Management Administration Guide | 75

Global Assignments

To reassign global configurations:

1. Connect to the Multi-Domain Server with SmartConsole, and then click Global
Assignments.
2. In the Global Assignments window, right-click one or more Domains.
You can reassign to more than one Domain at the same time.
3. Click Reassign.
The system creates a task which:
n Updates the local Domain and its Rule Base
n Publishes the changes
n Changes the assignment status to Up to Date.

Handling Assignment Errors

Global assignments run as a task that you can monitor while you work on other tasks.

To monitor assignment/reassignment tasks:

1. In the Multi-Domain view, click the task information area.
The Recent Tasks window opens.
2. Find the assignment task.

If your task does not show, click Show More.

3. Click Details.

The Assignment Task Details window shows the task progress and details.
4. If the task fails and returns an error message, correct the error, and then try to
assign/reassign the global configuration again.
Some common errors include:
n Global objects with duplicate or illegal names
n Deleted global objects used in a rule
n Global rule validation errors

Deleting a Global Assignment

When you delete a global assignment, the global configuration rules and objects no longer
apply to its Domain.

R81.10 Multi-Domain Security Management Administration Guide | 76

Global Assignments

Best Practice - Immediately create a new global assignment so that Domain Security
Gateways continue to enforce global configuration rules.

Important - You must remove global objects from all local Domain rules before you
can delete a global assignment. If there is a rule that uses a global object when you
try to delete a global assignment, the delete operation fails.

To delete a global assignment:

1. In the Global Assignments view, select a Domain.
2. Click the Delete icon on the Actions toolbar.
3. In the Remove window, select an assignment, and then click Remove.

Global Assignment Status

You can see the global assignment status in the Assignment Up to Date column, in the Multi-
Domain > Global Assignments view. For each Domain, the date of the last assignment shows
together with a status icon:

Assignment is up to date - no action necessary.

The global configuration is not assigned or the assignment is not up to date. Assign or update
the global configuration as soon as possible.

R81.10 Multi-Domain Security Management Administration Guide | 77

Updating IPS Protections

Check Point continuously develops and improves its protections against emerging threats.
You can manually update the database with latest IPS protections. You must also configure
the Global Domain to automatically download contracts and other important data.

Note - Security Gateways with IPS enabled only get the updates after you install Policy.

For troubleshooting or for performance tuning, you can revert to an earlier IPS protection
package.

To manually update the IPS protections:

1. Connect to the Global Domain with SmartConsole.

5. Reassign the global configuration.

To revert to an earlier protection package:

1. Connect to the Global Domain with SmartConsole.

2. Go to Security Policies > Threat Prevention >
n Custom Policy > Custom Policy Tools
or
n Autonomous Policy > Autonomous Policy Tools (depending on your Threat
Prevention policy)
3. Go to Updates > IPS > Update Now, click the drop-down menu and select Switch to
version
4. In the window that opens, select an IPS Package Version, and click Switch.
5. Connect to the Multi-Domain Server with SmartConsole.
6. Reassign the global configuration.

R81.10 Multi-Domain Security Management Administration Guide | 78

Updating IPS Protections

To make sure that Contract Downloads is enabled:

1. In each Domain, go to the main menu > Global Properties.
2. From the navigation tree, select Security Management.
3. Make sure that Automatically download contracts and other important data is
selected.
This parameter is enabled by default. If it is not enabled, select it.

R81.10 Multi-Domain Security Management Administration Guide | 79

Updating the Application & URL Filtering Database

Updating the Application & URL Filtering

Database
Check Point constantly develops and improves its protections against the latest threats. You
can manually update the Application & URL Filtering database with the latest applications and
URLs.

To manually update the Application & URL Filtering protections:

1. Connect to the Global Domain with SmartConsole.
2. Click Security Policies > Access Control.

3. In the Related Tools section, click Updates.

4. In the Application & URL Filtering section, click Update Now.
5. Connect to the Multi-Domain Server with SmartConsole.
6. Assign or reassign the global configuration.

R81.10 Multi-Domain Security Management Administration Guide | 80

Updating the Application & URL Filtering Database

Exceptions
This chapter explains exceptions and exception groups, how to create them, and the
difference between global exceptions and local exceptions.

Exceptions Rules
If necessary, you can add an exception directly to a rule. An exception sets a different Action
to an object in the Protected Scope from the Action specified Threat Prevention rule. In
general, exceptions are designed to give you the option to reduce the level of enforcement of a
specific protection and not to increase it.
For example

The Research and Development (R&D) network protections are included in a profile with
the Prevent action. You can define an exception which sets the specific R&D network to
Detect. For some Anti-Bot and IPS signatures only, you can define exceptions which are
stricter than the profile action.

You can add one or more exceptions to a rule. The exception is added as a shaded row below
the rule in the Rule Base. It is identified in the No column with the rule's number plus the letter
E and a digit that represents the exception number. For example, if you add two exceptions to
rule number 1, two lines will be added and show in the Rule Base as E-1.1 and E-1.2.
You can use exception groups to group exceptions that you want to use in more than one rule.
See the Exceptions Groups Pane.

You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to
the rule number in the No. column.
To add an exception to a rule

Step Instructions

1 In the Policy pane, select the rule to which you want to add an exception.

2 Click Add Exception.

3 Select the Above, Below, or Bottom option according to where you want to
place the exception.

4 Enter values for the columns. Including these:

n Protected Scope - Change it to reflect the relevant objects.
n Protection - Click the plus sign in the cell to open the Protections viewer.
Select the protection(s). Click OK.

R81.10 Multi-Domain Security Management Administration Guide | 81

Updating the Application & URL Filtering Database

Step Instructions

5 Install Policy.

Note - You cannot set an exception rule to an inactive protection or an inactive blade.

Disabling a Protection on One Server

Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on windows servers.
How can I change this protection todetectfor one server only?
In this example, create this Threat Prevention rule, and install the Threat Prevention policy:

Protected Install
Name Protection/Site Action Track
Scope On

Monitor * Any - N/A A profile Log Policy

Bot based on Targets
Activity the
Optimized
profile.
Edit this
profile > go
to the
General
Policy
pane> in the
Activation
Mode
section, set
every
Confidence
to Prevent.

Exclude Server_1 Backdoor.Win32.Agent. Detect Log Server_

AH 1

To add an exception to a rule

Step Instructions

1 In SmartConsole, go to Security Policies > Threat Prevention > Custom

Policy.

2 Click the rule that contains the scope of Server_1.

R81.10 Multi-Domain Security Management Administration Guide | 82

Updating the Application & URL Filtering Database

Step Instructions

4 Right-click the rule and select New Exception.

5 Configure these settings

n Name - Give the exception a name such as Exclude.

n Protected Scope - Change it to Server_1 so that it applies to all
detections on the server.
n Protection/Site - Click + in the cell. From the drop-down menu, click
the category and select one or more of the items to exclude.
Note - To add EICAR files as exceptions, you must add them as
Whitelist Files. . When you add EICAR files through Exceptions in
Policy rules, the gateway still blocks them, if archive scanning is
enabled.
n Action - Keep it as Detect.
n Track - Keep it as Log.
n Install On - Keep it as Policy Targets or select specified gateways, on
which to install the rule.

6 In SmartConsole, install the policy.

Blade Exceptions
You can configure an exception for an entire blade.
To configure a blade exception

Step Instructions

1 In the Policy, select the Layer rule to which you want to add an exception.

2 Click Add Exception.

3 Select the Above, Below, or Bottom option according to where you want to
place the exception.

4 In the Protection/Site column, select Blades from the drop-down menu.

5 Select the blade you want to exclude.

6 Install the Threat Prevention Policy.

R81.10 Multi-Domain Security Management Administration Guide | 83

Updating the Application & URL Filtering Database

Creating Exceptions from IPS Protections

To create an exception from an IPS protection

Step Instructions

1 Go to Security Policies > Threat Prevention > Custom Policy > IPS
Protections.

2 Right-click a protection and select Add Exception.

3 Configure the exception rule.

4 Click OK.

5 Install the Threat Prevention Policy.

Creating Exceptions from Logs or Events

In some cases, after evaluating a log or an event in the Logs & Monitor view, it may be
necessary to update a rule exception in the SmartConsoleRule Base. You can do this directly
from within the Logs & Monitor view. You can apply the exception to a specified rule or apply
the exception to all rules that show under Global Exceptions.
To update a rule exception or global exception from a log

Step Instructions

1 Click Logs & Monitor > Logs tab.

2 Right-click the log and select Add Exception.

3 Configure the settings for the exception.

4 Configure the settings for the exception.

5 In the New Exception Rule window:

n To show the exception in the policy, click
Go to.
n Otherwise, click Close.

6 Install the Threat Prevention Policy.

An exception group is a container for one or more exceptions. You can attach an exception
group to all rules or only to some rules. With exception groups, you can manage your
exceptions more easily, because you can attach the same exception group to multiple rules,
instead of manually define exceptions for each rule.

R81.10 Multi-Domain Security Management Administration Guide | 84

Updating the Application & URL Filtering Database

The Exception Groups pane shows a list of exception groups that were created, the rules that
use them, and any comments related to the defined group.
The Exceptions Groups pane contains these options

Option Meaning

New Creates a new exception group.

Edit Modifies an existing exception group.

Delete Deletes an exception group.

Search Search for an exception group.

Global Exceptions
The system comes with a predefined group named Global Exceptions. Exceptions that you
define in the Global Exceptions group are automatically added to every rule in the Rule Base.
For other exception groups, you can decide to which rules to add them.

Exception Groups in the Rule Base

Global exceptions and other exception groups are added as shaded rows below the rule in the
Rule Base. Each exception group is labeled with a tab that shows the exception group's name.
The exceptions within a group are identified in the No column using the syntax:
E - <rule number>.<exception number>, where E identifies the line as an exception.
For example

If there is a Global Exceptions group that contains two exceptions, all rules show the
exception rows in the Rule BaseNo column as E-1.1 and E-1.2. Note - that the numbering of
exception varies when you move the exceptions within a rule.

To view exception groups in the Rule Base:

Click the plus or minus sign next to the rule number in the No. column to expand or collapse
the rule exceptions and exception groups.

Creating Exception Groups

When you create an exception group, you create a container for one or more exceptions. After
you create the group, add exceptions to them. You can then add the group to rules that require
the exception group in the Threat PreventionRule Base.

R81.10 Multi-Domain Security Management Administration Guide | 85

Updating the Application & URL Filtering Database

To create an exception group

Step Instructions

1 In SmartConsole, select Security Policies > Threat Prevention > Exceptions.

2 In the Exceptions section, click New.

3 In Apply On, configure how the exception group is used in the Threat Prevention
policy.

n Manually attach to a rule - This exception group applies only when you
add it to Threat Prevention rules.
n Automatically attached to each rule with profile - This exception group
applies to all Threat Prevention rules in the specified profile.
n Automatically attached to all rules - This exception group applies to all
Threat Prevention rules.

4 Click OK.

5 Install the Threat Prevention policy.

Adding Exceptions to Exception Groups

To use exception groups, you must add exception rules to them.
To add exceptions to an exception group

Step Instructions

1 In SmartConsole, select Security Policies > Threat Prevention > Exceptions.

2 In the Exceptions section, click the exception group to which you want to add
an exception.

3 Click Add Exception Rule.

4 Configure the settings for the new exception rule.

5 Install the Threat Prevention policy.

Adding Exception Groups to the Rule Base

You can add exception groups to Threat Prevention rules. This only applies to exception
groups that are configured to Manually attach to a rule.

R81.10 Multi-Domain Security Management Administration Guide | 86

Updating the Application & URL Filtering Database

To add an exception group to the Rule Base

Step Instructions

1 Click Security Policies > Threat Prevention > Custom Policy.

2 Right-click the rule and select Add Exception Group > <group name>.

3 Install the Threat Prevention policy.

The Exception Groups pane shows a list of exception groups that were created, the rules that
use them, and any comments related to the defined group.
The Exceptions Groups pane contains these options

Option Meaning

New Creates a new exception group.

Edit Modifies an existing exception group.

Delete Deletes an exception group.

Search Search for an exception group.

Global Exceptions

The system comes with a predefined group named Global Exceptions. Exceptions that you
define in the Global Exceptions group are automatically added to every rule in the Rule Base.
For other exception groups, you can decide to which rules to add them.

Exception Groups in the Rule Base

R81.10 Multi-Domain Security Management Administration Guide | 87

Updating the Application & URL Filtering Database

For example

To view exception groups in the Rule Base:

Click the plus or minus sign next to the rule number in the No. column to expand or collapse
the rule exceptions and exception groups.

Creating Exception Groups

Step Instructions

1 In SmartConsole, select Security Policies > Threat Prevention > Exceptions.

2 In the Exceptions section, click New.

3 In Apply On, configure how the exception group is used in the Threat Prevention
policy.

4 Click OK.

5 Install the Threat Prevention policy.

Adding Exceptions to Exception Groups

To use exception groups, you must add exception rules to them, (see Parts of the Rules).

R81.10 Multi-Domain Security Management Administration Guide | 88

Updating the Application & URL Filtering Database

To add exceptions to an exception group

Step Instructions

1 In SmartConsole, select Security Policies > Threat Prevention > Exceptions.

2 In the Exceptions section, click the exception group to which you want to add
an exception.

3 Click Add Exception Rule.

4 Configure the settings for the new exception rule.

5 Install the Threat Prevention policy.

Adding Exception Groups to the Rule Base

You can add exception groups to Threat Prevention rules. This only applies to exception
groups that are configured to Manually attach to a rule.
To add an exception group to the Rule Base

Step Instructions

1 Click Security Policies > Threat Prevention > Custom Policy.

2 Right-click the rule and select Add Exception Group > <group name>.

3 Install the Threat Prevention policy.

Exceptions in a Multi-Domain Environment

In a Multi-Domain environment, there are 2 types of Global Exceptions:
n Global exceptions for the Global Domain
n Global Exceptions for each Local Domain
A Global Exception group for Threat Prevention is created automatically on the Global Domain
and on each local Domain. You cannot delete these exception groups. The Global Exception
group is empty by default and you can manually create exceptions for it. If you need additional
Global Exception groups, you can create them manually.
In the DomainRule Base for Threat Prevention, the Global Exceptions for the Global Domain
appear under the Global rules, and the Global exception for the local Domain appear under the
local rules.

R81.10 Multi-Domain Security Management Administration Guide | 89

Managing Administrators and Permissions

Managing Administrators and

Permissions
In a Multi-Domain Security Management environment, administrators manage system objects
and settings, such as:
n Multi-Domain Servers and Multi-Domain Log Servers
n Domains and Domain Management Servers
n High Availability configuration and synchronization
n Domain Security Gateways, networks and other objects
n Domain Security Policies and rules
n Global Domain
Permission profiles let you assign permissions to Multi-Domain Security Management
administrators, based on their area of responsibility. You can assign granular permissions to
administrators that manage different elements of the Multi-Domain Security Management
environment.

Configuring Administrators
To configure an administrator:
1. Connect to the Multi-Domain Server with SmartConsole, and go to Permissions &
Administrators > Administrators.

2. Click New, or select an existing administrator and then click Edit.

3. In the Administrator view, configure the settings described in the next sections.

Note - You cannot add additional information fields to the Administrator object.

Administrator - General
Authentication

n Name - Enter a unique administrator name.

n Authentication Method - Select an authentication method and enter other
authentication parameters as necessary. To learn more about the various
authentication methods, see the R81.10 Security Management Administration Guide.

R81.10 Multi-Domain Security Management Administration Guide | 90

Managing Administrators and Permissions

To set a default value for this parameter, go to Permissions & Administrators >
Advanced > Administrator Settings > Authentication Default Values. Select a
default authentication from the list.
n Certificate Information - Optional: Click Create to generate a new certificate.
l You can use a certificate with or without an authentication method.
l For an existing administrator definition, you can revoke an existing certificate
and create a new one.

Permissions

n Multi-Domain Permission Profile - Select a Multi-Domain permission profile from the

list.

Accept the default permission profile or select a different one. You can also create a
new permission profile to assign. For an existing administrator, the currently selected
permission profile shows.
Click the View icon to see details of the currently assigned permission profile.
If the Edit icon shows, you have permissions to see and change the currently selected
permission profile. Click the Edit icon to change the settings.
Permission Profiles per Domain -Select one or more Domains, and then select a
Domain permission profile for each one.
+ - Click to select a Domain to add to the profile.
X - Click to remove the selected Domain from the profile.

Note - The Permission Profiles per Domain Section does not show for
Superusers, because Read/Write Domain permission profiles are assigned
automatically to all Domains.
n Expiration -Define when this administrator account expires.
l Never - The administrator account does not expire.
l Expire at - Select an expiration date for this administrator.
To set a default value for this parameter, go to Permissions & Administrators >
Advanced > Administrator Settings > Default Expiration Values.

Contact Options
n Email - Enter the administrator email address.
n Contact Details - Enter additional contact information.
n Phone - Enter the administrator telephone number.

R81.10 Multi-Domain Security Management Administration Guide | 91

Managing Administrators and Permissions

Note - If you upgraded from an earlier release, the system copies these values into
the new release.

R81.10 Multi-Domain Security Management Administration Guide | 92

Creating a Certificate for Logging in to SmartConsole

Creating a Certificate for Logging in to

SmartConsole
When you define an administrator, you must configure the authentication credentials for the
administrator.
The authentication credentials for the administrator can be one of the supported authentication
methods, or a certificate, or the two of them.
You can create a certificate file in SmartConsole. The administrator can use this file to log in to
SmartConsole using the Certificate File option. The administrator must provide the password
for the certificate file.

You can import the certificate file to the CryptoAPI (CAPI) certificate repository on the
Microsoft Windows SmartConsole computer. The administrator can use this stored certificate
to log in to SmartConsole using the CAPI Certificate option. The SmartConsole administrator
does not need to provide a password.

To create a certificate file

1. In the New Administrator window, in the Certificate Information section, click Create.
2. Enter a password.
3. Click OK.
4. Save the certificate file to a secure location on the SmartConsole computer.

The certificate file is in the PKCS #12 format, and has a .p12 extension.

Note - Give the certificate file and the password to the SmartConsole administrators.
The administrator must provide this password when logging in to SmartConsole with
the Certificate File option.

To Import the certificate file to the CAPI repository

1. On the Microsoft Windows SmartConsole computer, double-click the certificate file.
2. Follow the instructions.

R81.10 Multi-Domain Security Management Administration Guide | 93

Working with Permission Profiles

A permission profile is a predefined set of permissions that you assign to administrators in a
Multi-Domain Security Management environment. This lets you manage complex, granular
permissions for many different administrators with one definition.
There are two types of permission profiles:
n Multi-Domain permission profiles - Defines administrator permissions for the full Multi-
Domain Security Management environment.
n Domain permission profiles - Defines the permission set per Domain

Predefined Multi-Domain Permission Profiles

Multi-Domain Security Management includes predefined Multi-Domain and Domain
permission profiles that are ready to use. You cannot delete or change these profiles. You can
create custom permission profiles as necessary for your environment.
These are the predefined Multi-Domain permission profiles available in this release. In the
Permissions Profile view, double-click each profile to see the permissions it includes:

Permission
Permissions
Profile

Multi-Domain Manage all elements of the Multi-Domain Security Management

Superuser environment, including: Multi-Domain Servers, Multi-Domain Log Servers,
Domains, Domain Management Servers, Global Policies, administrators
and permission profiles. Multi-Domain Superusers manage all Domain
objects, including Security Gateways, Policies, rules, networks and other
objects.

Domain Manage all Domains, Domain Management Servers, Domain networks,

Superuser global objects, and global configurations. They manage Domain objects,
including Security Gateways, Policies, rules, networks and other objects.
Domain Superusers can create and manage other administrators, manage
other administrators' sessions, and manage permission profiles at the
same or lower levels. Domain Superusers cannot create or change the
settings for Multi-Domain Servers or Multi-Domain Log Servers.

Global Manage Global Domains, global configurations, global rules, and global
Manager assignments. Global Managers can manage Domains, but not add or
delete domains or manage Multi-Domain Servers. Global managers can
manage administrators with equal or lower permissions.
Global Managers can create new global assignments and can assign
Global Policies to Domains that they have permissions to manage.
Domain-Level permissions are based on the assigned Domain permission
profile.

R81.10 Multi-Domain Security Management Administration Guide | 94

Working with Permission Profiles

Permission
Permissions
Profile

Domain Manage Domain Policies, networks and objects based on their permission
Manager profile. Domain Managers can manage administrators with equal or lower
permissions.
Domain Managers can reassign Global Policies to Domains that they have
permissions to manage. They cannot create new global assignments.
Domain-Level permissions are based on the assigned Domain permission
profile.

Domain Manage Domain Policies, networks and objects based on their permission
Level Only profile. These administrators cannot manage the Multi-Domain Security
Management system or its configuration settings, or login to the Multi-
Domain Servers.
Domain-Level permissions are based on the assigned Domain permission
profile.

Pre-Defined Domain Permission Profiles

When you assign an administrator to Domain, you must also assign a Domain Permission
Profile. You can assign a predefined Permission Profile or a custom Permission Profile for this
administrator.

Permission
Permissions
Profile

Read/Write Read and write permissions for all Domain settings and data without
session management or DLP confidential data. The Read/Write option
lets the administrator see and configure an item.

Read Only Read only permissions for all Domain data. Read Only lets the
administrator see an item, but not change it.

Working with Multi-Domain Permission Profiles

Use this procedure to create or change customized Multi-Domain permission profiles. Only
administrators with Superuser permissions can do this.
To create a custom permission profile

1. Connect to the Multi-Domain Server with SmartConsole, and go to Permissions &

Administrators > Permission Profiles.
2. In the Permission Profile page, click New.
3. Select New Multi-Domain Permission Profile.

R81.10 Multi-Domain Security Management Administration Guide | 95

Working with Permission Profiles

4. In the New Multi-Domain Permission Profile window, select an administrator role

and configure the permission settings. The next section explains the available settings
and parameters.

To change an existing Multi-Domain permission profile

1. Select a permission profile on the Permission Profiles page.

2. Click Edit and change the administrator role and permission settings as necessary.

To delete an existing Multi-Domain permission profile

1. Select a permission profile on the Permission Profiles page.

2. Click Delete.

Multi-Domain Permission Profile Parameters

Multi-Domain Levels

Select an administrator role:

n Superuser - Manage all aspects of the Multi-Domain Security Management
environment.
n Manager - Manage Domains as specified in the Permissions section of Administrator
definition.
n Domain Level Only - Same as Manager, but with no Multi-Domain permissions..

The selected role affects the permissions that you can configure in the next parts: Multi
Domain Management, Global Management, and Domain Management. For example,
Superusers always have Domain Management permissions.

Multi-Domain Security Management Activities

Enable or disable permissions for these activities:

n MDS Provisioning - Create and manage Multi-Domain Servers and Multi-Domain Log
Servers. Only Superusers can select this option.
n Manage All Domains - Create and manage all Domains and Global Domains. This
option is enabled by default for Superusers. Managers can select it.
n Manage Administrators - Create and manage Multi-Domain Security Management
administrators with the same or lower permission level. For example, a Domain
manager cannot create Superusers or global managers. This option is enabled
automatically for Superusers. Managers can select it.

R81.10 Multi-Domain Security Management Administration Guide | 96

Working with Permission Profiles

n Manage Sessions - Connect/disconnect Domain sessions, publish changes, and

delete other administrator sessions.
n Management API login - Lets an administrator log in to the Security Management
Server and run API commands using these tools
l mgmt_cli (Linux and Windows binaries)
l Gaia CLI (Gaia Clish)
l Web Services (REST)
n Global VPN Management - Lets the administrator select Enable global use for a
Security Gateway shown in the MDS Gateways & Servers view. (To see the option,
right-click on the Security Gateway object).

Global Management Activities

All options are enabled automatically for Superusers. Managers can select them.
n Manage Global Assignments - Create, update and delete global assignments.
n Default profile for all Global Domains - Change the default permission profile for all
global Domains.
n View global objects in Domains - Lets an administrator with no global objects
permissions view the global objects in the domain. This option is required for valid
domain management.

Domain Management

This profile defines the default Domain permissions that automatically apply when you
create a new administrator account. After you create the administrator account, you can
change its Domain profile as necessary.

Select a default profile from the list. This option is enabled automatically for Superusers,
and Managers can optionally select it.

Creating Custom Domain Permissions

Customized Domain permission profiles are a set of granular permissions for Domain level
activities in SmartConsole.

To configure custom permission profiles:

1. In the Permission Profiles window, click New Domain Permission Profile.
The New Domain Permission Profile window opens.
2. Configure read/write permissions for each Software Blade, feature, resource, and the
API in these categories as necessary:

R81.10 Multi-Domain Security Management Administration Guide | 97

Working with Permission Profiles

n Overview -Select default or custom permission options

n Gateways -Work with Security Gateway management tasks and VSX provisioning
n Access Control - Work with Access Control rules and install Access Control
Policies
n Threat Prevention - Work with Threat Prevention rules, profiles, and protections.
Install Threat Prevention Policies
n Others -Work with different features not in other categories
n Monitoring and Logging -See and manage logs, monitoring features and related
reports
n Events and Reports -Work with SmartEvent events, policy and reports
n Management -Manage sessions and High Availability options
To prevent administrators from working with an item, clear its option.

Notes:
n You cannot prevent administrators from seeing some resources. You cannot
change their options.
n Some resources do not have Read or Write options. You can only select or
clear them.

R81.10 Multi-Domain Security Management Administration Guide | 98

VPN and Multi-Domain Security Management

VPN and Multi-Domain Security

Management
This chapter describes how to configure and work with the Global VPN communities,

Global VPN Communities

Large enterprises often have branches in different cities or countries. With each branch
managed by a different Domain, the enterprise can use a central management system to
centrally manage all the various Domains. When connectivity is established, the connections
must be secure and have high levels of privacy, authentication, and integrity.

A Global VPN Community connects the enterprise's Security Gateways through VPN and lets
the enterprise manage them under one network. You define the Global VPN Community in the
Global Domain. The Multi-Domain Server utilizes its knowledge about the different Domain
Management Server environments to create a VPN community which can manage them.

Item Description

A Domain A on Multi-Domain Server

B Domain B on Multi-Domain Server

C Global VPN Community

1 VPN tunnel

R81.10 Multi-Domain Security Management Administration Guide | 99

VPN and Multi-Domain Security Management

Item Description

2 Security Gateway configured in Domain A

3 Security Gateway configured in Domain B

4 VPN Domain of Security Gateway 2

5 VPN Domain of Security Gateway 3

To learn more about VPN communities, see the R81.10 Site to Site VPN Administration Guide.

VPN Connectivity
When you establish a Global VPN Community, it replaces part of the configuration of
Externally Managed Security Gateways and automates the exchange of certificates for each
Domain Management Server.
These trusted entities create VPN trust in a Multi-Domain Security Management deployment:
n Certificates issued by a Domain Management Server Internal Certificate Authority (ICA).
n External third party Certificate Authority servers (using OPSEC connectivity).
n Pre-shared secrets.
The ICA of the Domain Management Server issues certificates used by Domain Security
Gateways to create SIC trust. Each Security Gateway supports certificates issued by the CAs
of the other Domains.

For more information on VPN with Externally Managed Gateways, see the R81.10 Site to Site
VPN Administration Guide.

R81.10 Multi-Domain Security Management Administration Guide | 100

Configuring Global VPN Communities

This is the workflow for Creating a Global VPN Community.

To create a Global VPN Community:

1. Configure a VPN Domain on each participating Security Gateway.
2. Enable each participating Security Gateway for global use.
3. In the Global Domain, define a VPN Community, and add the Global Security Gateway
objects to the Global VPN Community. The Global Security Gateway objects represent
the participating Domain Security Gateways.

4. Define a Security Policy - You can create a Global policy and assign it to the Local
Domains, or you can create the Security Policy rules only in the Local Domains.
5. Assign the Global configuration to the applicable Domains. After assignment, you must
also install the policy on the participating Security Gateways.

Step 1 - Configuring a VPN Domain on each Security

Gateway
You define the Domain Security Gateways in the Domain SmartConsole.

To define a VPN Domain on a Security Gateway:

In the Security Gateway editor:

1. In General Properties, enable IPSec VPN.
2. In Network Management > VPN Domain, configure the settings for the VPN Domain.
You must define a VPN Domain and specify if the VPN Domain is based on the network
topology or a specific IP address range.
For information on configuration of a VPN Domain, see the R81.10 Site to Site VPN
Administration Guide
Multi-Domain Server holds these IP address ranges used by the Security Gateways. During
the assignment of the Global configuration, the Multi-Domain Server transfers this information
to all the Domains with participating Security Gateways in the Global VPN Community.

Step 2 - Enabling Gateways for Global Use

Repeat this step for all Security Gateways that are to participate in the Global VPN
Community:
In the Multi-Domain Server SmartConsole > Gateways & Servers view, right-click a Security
Gateway and select Enable Global Use.

R81.10 Multi-Domain Security Management Administration Guide | 101

Configuring Global VPN Communities

A global Security Gateway object and a VPN Domain object are created for the Security
Gateway in the Global Domain. Different Domains can coincidentally contain Security
Gateways with the same name. Because each global Security Gateway object must have its
own unique Global Name, the Global Names Template automatically assigns a unique name
for each global Security Gateway.
The default global name format is:
<Name of Security Gateway>_of_<Name of Domain>.
For example:
n Security Gateway name = MyGateway
n Domain name = MyDomain
n Global name = MyGateway_of_MyDomain

Note - When the local Domain that manages the gateway to be used globally has the
active server on a standby Multi-Domain Server, you cannot use the gateway
globally.

Enabling clusters for global use

You can enable a cluster for global use in the same way that you enable a Security Gateway. A
global cluster object and a VPN Domain object will be created for the cluster in the Global
Domain.

Step 3 - Creating the VPN Global Community

After you enabled VPN on the Security Gateways, and enabled the Security Gateways for
global use, you can create the Global VPN Community.

To create a Global VPN Community:

1. In the Global Domain, go to Security Policies > Access Control > Access Tools > VPN
Communities > New.
2. Add the global Security Gateway objects, defined in step 1, as participating Security
Gateways in the community.
To learn more about VPN communities, see the R81.10 Site to Site VPN Administration Guide.

Step 4 - Defining a Security Policy

The configuration of Security Gateways into a Global VPN Community does not automatically
let the Security Gateways access each other. For the Security Gateways to communicate with
each other you must define an Access Control Security Policy.
You can define the Access Control Security Policy in the Global Domain or in the Local
Domains or both.

R81.10 Multi-Domain Security Management Administration Guide | 102

Configuring Global VPN Communities

To define a Global Security Policy, see "Global Management" on page 57. To learn more
about the Access Control Security Policy Rule Base, see the R81.10 Security Management
Administration Guide.

Step 5 - Assigning the Global Configuration to the Local

Domains
After you create the Global VPN Community, and in some case, also the Global Policy, you
must assign the Global configuration to the Local Domains. After assignment, install policy on
the Local Domains.

To assign the global configuration to the Local Domains:

1. Make sure you published all the changes made in the Global Domain.

2. In the Multi-Domain Server SmartConsole > Multi-Domain view > Global Assignments,
assign the Global objects to the Local Domains (see "Global Assignments" on page 74)
3. Install policy on the Security Gateways.

Note - All Security Gateways which participate in the Global VPN Community must
use a Simplified VPN Policy.

For each Domain with Security Gateways in the Global VPN Community, a global CA Server
object is created in the Global Domain. During the assignment process, the Multi-Domain
Server automatically exports relevant Domain ICA information (such as the CA certificate) to
all the Domain Management Servers with Security Gateways that participate in the
community. This way, all the Security Gateways in the community can trust the others' ICAs.

After the assignment, the Global VPN Community object shows in each Domain with Security
Gateways in the community. If you assign a Global Policy to a Domain that has no Security
Gateways in the community, this Domain does not show the community object and the
community Security Gateway objects.

Reassigning the Global Configuration to One or More Local Domains

If you make changes to the global configuration, reassign the configuration to the Domains.

To reassign the Global configuration to the Local Domains:

1. In the Multi-Domain Server SmartConsole > Multi-Domain view > Global Assignments,
select the Domains that have Security Gateways which participate in the Global VPN
Community and click reassign.
2. In the Reassign window, select Install policy on successful assignment. This installs
the Global Policy on the Security Gateways which participate in the Global VPN
Community.

R81.10 Multi-Domain Security Management Administration Guide | 103

Configuring Global VPN Communities

Note - This operation assigns the Policy to all selected Domains, and
then installs the Policy on all Domain Security Gateways, in one step.
It does not let you select specific Security Gateways on which to
install the Policy. The selected Policy is installed on all Security
Gateways in the selected Domains. Assigning the Policy to many
Domains and all their Security Gateways can take some time. Use
this option with caution.

R81.10 Multi-Domain Security Management Administration Guide | 104

Working with High Availability

High Availability is redundancy and database backup for management servers. Synchronized
servers have the same policies, rules, user definitions, network objects, and system
configuration settings.

Overview of High Availability

Multi-Domain Security Management implements High Availability at these levels:
n Multi-Domain Server High Availability is an Active/Active redundancy solution that uses
two or more fully synchronized Multi-Domain Servers for continuous redundancy. All
Multi-Domain Servers are Active. You can log into and work with the primary or
secondary Multi-Domain Servers.
n Domain Management Server High Availability is both a redundancy and a Load
Sharing solution for Domains. You create a Domain Management Server on two or more
Multi-Domain Servers. These Domain Management Servers synchronize fully for
continuous redundancy.
One Domain Management Server is Active and the others are Standby. Each Multi-
Domain Server can have both Active and Standby Domain Servers. You can configure
the Active Domain Management Server on different Multi-Domain Servers for effective
load sharing.
All High Availability deployments include one Primary Multi-Domain Server and one or more
Secondary servers. Synchronization occurs automatically when administrators publish
sessions with changes to Policies, objects or configuration settings.

Primary and Secondary Multi-Domain Servers

The order in which you install Multi-Domain Servers is significant. You must define the first
physical server as a Primary Multi-Domain Server in the First Time Wizard. You must define all
other Multi-Domain Servers as Secondary in the First Time Wizard.

Active and Standby Domain Management Servers

You can only use the Active Domain Management Server to manage Domain Security
Gateways, networks, Security Policies objects and system configuration. Standby Domain
Management Servers synchronize fully for redundancy. You can connect to a Standby Domain
Management Server in the Read Only mode to look at current object configurations and Rule
Base.

R81.10 Multi-Domain Security Management Administration Guide | 105

Working with High Availability

In the standard configuration, there is only one Active Domain Management Server for each
Domain. All others are Standby Domain Management Servers. If the Active Domain
Management Server fails, you must manually change a Standby Domain Management Server
to Active.

On-premises and cloud:

You can configure Check Point Management High Availability between on-premises
Management Servers and Management Servers in a cloud.
You must make sure the required Check Point traffic can flow between the on-premises
servers and the servers in the cloud.

Important notes about backing up and restoring in Management High Availability

environment:
n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R81.10 Gaia Administration
Guide.
n About the "migrate export" and "migrate import" commands, see the
R81.10 CLI Reference Guide.
n About the "mds_backup" and "mds_restore" commands, see the R81.10 CLI
Reference Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

Multi-Site High Availability Deployment Example

This example shows a Multi-Site, High Availability deployment with two Multi-Domain Servers
and one Multi-Domain Log Server. A real-life deployment will have many more assets.
Each Multi-Domain Server has two Domains configured for Load Sharing, where a different
Domain Management Server is Active at each location. Administrators can connect to all Multi-
Domain Servers. For best performance, connect to the Multi-Domain Server nearest to your
geographical location.

R81.10 Multi-Domain Security Management Administration Guide | 106

Working with High Availability

Item Description

1 London Multi-Domain Server with an Active Domain Management Server for

London and a Standby Domain Management Server for Tokyo

2 Multi-Domain Log Server with Domain Log Servers for London and Tokyo

3 Tokyo Multi-Domain Server with an Active Domain Management Server for Tokyo
and a Standby Domain Management Server for London

4 Tokyo network

5 London network

6 Internet

Active Domain Management Server

Standby Domain Management Server

Domain Log Server

R81.10 Multi-Domain Security Management Administration Guide | 107

Working with High Availability

This illustration shows the configuration grid in the SmartConsole Multi Domain view for the
example deployment:
The system automatically creates the Global Domain when you install Multi-Domain Security
Management.

R81.10 Multi-Domain Security Management Administration Guide | 108

Creating a Secondary Multi-Domain Server

This section shows you how to create a new secondary Multi-Domain Server.

Important - Before you start this procedure, make sure to define the physical server
as the correct server type (Secondary Multi-Domain Server, or Multi-Domain Log
Server) during installation. An incorrect definition can cause deployment failure.

To create a new, Secondary Multi-Domain Server:

1. If you did not do so, install a new Secondary Multi-Domain Server.
Follow the procedures in the R81.10 Installation and Upgrade Guide. Make sure to
define this server as a secondary Multi-Domain Server in the First Time Wizard. Connect
to the Primary Multi-Domain Server with SmartConsole and go the Multi-Domain >
Domains view.
2. In the Multi-Domain navigation toolbar, click New > Multi-Domain Server.
3. Enter a unique name for this Multi-Domain Server.
To get the IP address automatically, the name must be in the DNS.
4. Enter the IPv4 address or click Resolve IP to get the IP address from the DNS.
5. Select the platform operating system, software version, and hardware type.
6. Click Connect to establish SIC trust.

The new Multi-Domain Server automatically synchronizes with all existing Multi-Domain
Servers and Multi-Domain Log Servers. The synchronization operation can take some time to
complete, during which a notification indicator shows in the task information area.

Notes:
n To add a license for a Multi-Domain Server, go to the main Menu > Manage
licenses and packages.
n Private sessions are not synchronized between Multi-Domain Servers.You
cannot see a session that is open on one Multi-Domain Server on another Multi-
Domain Server or moved it to another Multi-Domain Server.
n You cannot manage the same object ((an object that is editable in the Multi-
Domain view, for example: an administrator, a domain, a permission profile, a
trusted client or a Multi-Domain Server) from multiple Multi-Domain
SmartConsoles. It can create synchronization failures between the Multi-
Domain servers. If there is a synchronization failure, make sure sessions on a
different Multi-Domain SmartConsoles do not lock the same object.

R81.10 Multi-Domain Security Management Administration Guide | 109

Domain Management Server High Availability and Load Sharing

Domain Management Server High Availability

and Load Sharing
This section includes procedures for configuring the Multi-Domain Security Management
environment for secondary Multi-Domain Servers and a Multi-Domain Log Server.
When you install Multi-Domain Security Management for the first time, select Primary Multi-
Domain Server in the First Time Wizard
For High Availability and Load Sharing, select Secondary Multi-Domain Server in the First
Time Wizard.
Each Domain has one Active and one or more Standby Domain Management Servers. For
example, if a deployment has three Multi-Domain Servers, each Domain can have one Active
and two Standby Domain Management Servers. This lets the Domains load be shared
between several physical Multi-Domain Servers.

Example of Domain Management Server High Availability with Load Sharing:

By default, the Primary Domain Management Server is Active. All other Domain Management
Servers for that Domain are Standbys. You can change a Standby Domain Management
Server to Active as necessary.

All Domain management operations, such as working with Security Policies, users, networks
and other objects, occur on the Active Domain Management Server. Standby Domain
Management Servers automatically synchronize with the Active Domain Management Server.
Security Gateways can get a Security Policy and a Certificate Revocation List (CRL) from
either the Active or Standby Domain Management Servers.

Creating a Secondary Domain Management Server

When you first create a Domain, you also define the Primary Domain Management Server.
Use this procedure to create Secondary Domain Management Servers for existing Domains.

R81.10 Multi-Domain Security Management Administration Guide | 110

Domain Management Server High Availability and Load Sharing

To create a secondary Domain Management Server:

1. Connect to the Multi-Domain Server with SmartConsole.
2. In the Domains view, right-click the empty cell at the intersection of the applicable Multi-
Domain Server and Domain in the grid.
3. Select New Domain Server.
4. In the Domain Server window, configure the Domain Management Server name and IP
address.
Domain Management Server synchronization starts automatically and can take some time to
complete.

Notes:
n You cannot change settings for an existing Domain Management Server. You
must first delete the Domain Management Server and then create a new one.
n Creation of a Security Gateway object on the Domain Management Server that
is active on the Secondary Management Server fails. To resolve this issue, run
mdsstop; mdsstart on the secondary Multi-Domain Server.

To delete a secondary Domain Management Server configuration, right-click the applicable

cell and select Delete.

R81.10 Multi-Domain Security Management Administration Guide | 111

Creating a High Availability Environment using a Security Management Server

Creating a High Availability Environment using

a Security Management Server
You can use a Security Management Server to create a High Availability environment with a
Domain Management Server. The Security Management Server can operate as an Active or
Standby management.
For example:
n The Security Management Server is the Standby Management Server and the Domain
Management Server is the Active Management Server.
If the Domain Management Server is unavailable, the user must activate the Security
Management Server so it becomes the Active Management Server.
n The Domain Management Server is the Standby Management Server and the Security
Management Server is the Active Management Server.
If the Security Management Server is unavailable, the Domain Management Server
becomes the Active Management Server.
In both cases, the Domain Management Server must be Active to assign a Global Policy.
To create a High Availability environment with multiple Domain Management Servers, you
must use a different Security Management Server per each Domain Management Server.
You must define GUI clients and administrators locally on the Security Management Server.
The synchronization process cannot export this data from a Domain Management Server to a
Security Management Server.
To create a High Availability environment using a Security Management Server

1. Do a Clean Install of a Security Management Server, and define the Security

Management Server as a Secondary Security Management Server.
2. Connect to the command line on the Security Management Server.
3. Run: cpconfig
4. Configure these items:
a. Secure Internal Communication - Define an Activation Key to establish SIC trust
between the Security Management Server and the Domain Management
Server.
b. Define administrators.
c. Define GUI clients.

R81.10 Multi-Domain Security Management Administration Guide | 112

Creating a High Availability Environment using a Security Management Server

5. In SmartConsole of the Domain Management Server, create a network object of the

type Check Point Host, which represents the Secondary Security Management
Server. Go to the Object Explorer, and click New > More > Network Object >
Gateways & Servers > Check Point Host. The Check Point Host window opens.
In the General Properties page:
a. Enter the object name and IPv4 address.
b. In the Management tab at the bottom of the page, select Network Policy
Management. The Secondary Server is then automatically selected.
In the Secure Internal Communication field, click Communication to establish
SIC trust between the Security Management Server.
c. In the Management tab at the bottom of the page, select Network Policy
Management. The Secondary Server is then automatically selected.
d. Click OK.
6. Publish the session. Initialization and synchronization between the Domain
Management Server and the Security Management Server starts. Wait for the task list
to show that a full synchronization completed.

To see the High Availability status of both servers, go to the main Menu and click High
Availability Status. In this window you can see which server is active and which is standby
and the synchronization status.

R81.10 Multi-Domain Security Management Administration Guide | 113

Synchronization

Synchronization
In a multi-domain environment, the Multi-Domain Servers work in active-active mode. All Multi-
Domain Servers are active and synchronize each other.
The Domains managed by the Multi-Domain Server work in active-standby mode, where the
Active Domain Server synchronizes all the standby Domain Servers.
The system automatically synchronizes periodically and when an administrator publishes
changes to the configuration.

How Synchronization Works

During synchronization, the system performs these steps without user intervention:

On periodic synchronization:
1. The Active exports the delta data between the Active server and the Standby server to
compressed files.
2. The compressed files are transferred to the Standby server.
3. The Standby Server replays the delta data from the uncompressed files.
On manual synchronization:
1. The Active Server exports the public data to compressed files.
2. The compressed files are transferred to the Standby Server.

3. The Standby server overrides the existing data with the uncompressed files.
The data that is transferred during synchronization includes:
n Postgres database
n Solr
n ICA database
n Configuration files
n Domain licenses and contracts. Multi-Domain server licenses and contracts are not
transferred.

Initial Synchronization
Initial synchronization occurs automatically when you create a secondary Multi-Domain
Server, Multi-Domain Log Server, or Domain Management Server. The system generates a
task to copy all databases and system information from the connected server to the new
server.

R81.10 Multi-Domain Security Management Administration Guide | 114

Synchronization

Multi-Domain Server and Multi-Domain Log Server synchronization tasks show in the Task
Information area, in the Multi-Domain Server SmartConsole. Domain synchronization tasks
show in the Domain SmartConsole.

Periodic Synchronization
Multi-Domain Servers synchronize with all other peers and Multi-Domain Log Servers.
Periodic synchronization occurs automatically, and when an administrator publishes a
session. Private (non-published) sessions do not synchronize.
Periodic synchronizations are incremental. Only database changes synchronize with peers.
Active Domain Management Servers synchronize to the standby Domain Management
Servers.

Manual Synchronization
Manual synchronization is a full synchronization that overwrites all data on the peers. It
disconnects all connected clients and overrides active sessions and running tasks.
When changes made in a session are published on the Active server (made public), the
changes are synchronized to the Standby server. Unpublished, private sessions are not
synchronized.

Best Practice - Use this option with caution, and only in cases of synchronization
error. We recommend that you publish changes before initiating full sync.

For Domain Management Servers, you can only run a manual synchronization from the active
Domain Management Server to the standby peers.

Manually Synchronizing a Multi-Domain Server

You can manually synchronize the connected Multi-Domain Server with a peer Multi-Domain
Server.

To manually synchronize Multi-Domain Servers:

1. Click the Synchronization Status area at the bottom of the SmartConsole window.
2. In the High Availability Status window, select a peer Multi-Domain Server to
synchronize.
3. Click Sync Peer.
Synchronization starts immediately and the status shows in the window. The synchronization
operation can take many minutes to complete.

Warning - Use manual synchronization with caution. This can overwrite all data on
the peer Multi-Domain Server if they do not synchronize correctly.

R81.10 Multi-Domain Security Management Administration Guide | 115

Synchronization

Manually Synchronizing Domain Management Servers

You can manually synchronization a Standby Domain Management Server with the Active
Domain Management Server on a different Multi-Domain Server.

To manually synchronize Domain Management Servers for a Domain:

1. Open SmartConsole for the active Domain Management Server.
2. Click Menu > High Availability.
3. In the High Availability Status window, click Actions > Sync Peer..
Synchronization starts immediately and the status shows in the window. The synchronization
operation can take many minutes to complete.

Multi-Domain Server ICA Database Synchronization

When you create a new secondary Multi-Domain Server, the Internal Certificate Authority
(ICA) on the Primary Multi-Domain Server generates a certificate when you establish SIC trust.
The ICA can generate a certificate for a new administrator, if required by the authentication
method. In a High Availability deployment with more than one Multi-Domain Server, the
system synchronizes the ICA databases as necessary.

R81.10 Multi-Domain Security Management Administration Guide | 116

Failure Recovery

Failure Recovery
In many cases, you can recover a failed Primary Multi-Domain Server in a Management High
Availability deployment.

Action Plan:
1. Promote an existing Secondary Multi-Domain Server to become the Multi-Domain
Server Primary.
2. Promote each Secondary Domain Management Server to become the Primary Domain
Management Server.
3. Install and configure a new Secondary Multi-Domain Server.

Important - Use Domain Management Server promotion only to recover a failed Multi-
Domain Server. Do not use this procedure to change the Primary and Secondary
roles on working servers.

Procedure:

Notes:
n The procedure below assumes that the Primary Multi-Domain Server failed, and
the Secondary Multi-Domain Server keeps working.
n There are environments, where a Domain Management Server is primary on a
Secondary Multi-Domain Server.
If the primary Domain Management Server was on the failed Multi-Domain
Server, then promote the secondary Domain Management Server.

R81.10 Multi-Domain Security Management Administration Guide | 117

Failure Recovery

1. Promote the Global Domain Management Server on the Secondary Multi-Domain Server

Step Instruction

1 Make sure that all functional, Secondary Multi-Domain Servers and Multi-
Domain Log Servers are up and running.

2 Connect with SmartConsole one of the Secondary Multi-Domain Servers

you need to promote.

3 If the Global Domain Management Server is not Active, change it to

Active:
a. In the Domains view, right-click the Global Domain, and then click
Connect to Domain.
A SmartConsole instance opens for the Global Domain.
b. Go to Menu > Management High Availability.
c. In the High Availability Status window, click Actions > Set Active
for this Global Domain.

4 Close all SmartConsole windows.

2. Promote the Secondary Multi-Domain Server to Primary

This procedure is necessary because there are no automatic steps to promote a

Secondary Multi-Domain Server when the Primary Multi-Domain Server fails.

Step Instruction

1 Connect to the command line on the Secondary Multi-Domain Server you

need to promote.

2 Log in to the Expert mode.

3 Run these commands in the order they appear below:

cpprod_util FwSetPrimary 1
cpprod_util CPPROD_SetValue PROVIDER-1 Primary 4 1
1
cpprod_util CPPROD_SetValue SIC ICAState 4 3 1
ckp_regedit -d //SOFTWARE//CheckPoint//SIC OTP
ckp_regedit -d //SOFTWARE//CheckPoint//SIC ICAip
These commands update the required parameters in the Check Point
Registry on the Secondary Multi-Domain Server.

R81.10 Multi-Domain Security Management Administration Guide | 118

Failure Recovery

3. Delete the object of the failed Primary Multi-Domain Server

Step Instruction

1 Connect with the Database Tool (GuiDBEdit Tool) to the Secondary

Multi-Domain Server you need to promote.
Important - You must start this tool with the "/mds" flag.

2 In the top left panel, click Tables > Other > mdss.

3 In the top right panel, locate the object of the failed Primary Multi-Domain
Server > right-click this object > click Delete.
Important - The Database Tool (GuiDBEdit Tool) deletes this object
without asking to confirm.

4 In the top right panel, select the object of the Secondary Multi-Domain
Server you promoted.

5 In the bottom panel, double-click the primary attribute.

6 Select the value true > click OK.

7 Save the changes:

Click the File menu > click Save All.

8 Close the Database Tool (GuiDBEdit Tool).

9 Connect with SmartConsole one of the Secondary Multi-Domain Servers

you promoted.

10 From the left navigation panel, click Multi Domain.

11 In the middle panel, click Domains.

12 In the right panel, from the top toolbar, right-click the object of the failed
Primary Multi-Domain Server > click Delete.

4. Promote all the Secondary Domains to Primary

Follow these instructions for each Domain on the Secondary Multi-Domain Server.

R81.10 Multi-Domain Security Management Administration Guide | 119

Failure Recovery

Important:
n To use this procedure, there must be at least one Active Domain

Management Server on a different Multi-Domain Server.

n To make Domain Management Server Active when there is no

corresponding peer and the High Availability Status window is not

available, run these commands:
mdsenv <IP Address or Name of Domain Management
Server>
mgmt_cli make-server-active force true --domain
<Name of Domain Management Server> --user <User
Name> --password <Password>
These commands set the Domain Management Server to the Active
state. Do this for all Domain Management Servers that do not have a
High Availability peer.

Step Instruction

1 In SmartConsole Domains view, in the left column, select a Secondary

Domain to promote to Primary.

2 If the selected Domain Management Server is Standby, change it to

Active:
a. Right-click the selected Domain Management Server, and then
click Connect to Domain.
A SmartConsole instance opens for the Domain.
b. Go to Menu > Management High Availability.
c. In the High Availability Status window, click Actions > Set Active.
d. Close SmartConsole

3 Run these commands on the Multi-Domain Server you promoted to

Primary:
mdsenv <IP Address or Name of Domain Management
Server>
promote_util

4 Connect with SmartConsole to the Domain Management Server you

promoted:
Right-click the selected Domain Management Server, and then click
Connect to Domain Server.

5 From the left navigation panel, click Gateways & Servers.

R81.10 Multi-Domain Security Management Administration Guide | 120

Failure Recovery

Step Instruction

6 Right-click the object of the Domain Management Server that failed >
click Where Used.

7 Delete all instances of the failed Domain Management Server, including

the failed Domain Management Server itself.

8 Delete the object of the failed Domain Management Server.

9 Publish the SmartConsole session.

10 Manually synchronize the Domain Management Servers.

11 Close the SmartConsole connected to this Domain Management Server.

12 Assign Global Policies and install Policies on all managed Security

Gateways.

13 If the promoted Domain Management Server is using a High Availability

Domain Management Server license, replace it with a standard Domain
Management Server license.

5. Restart Check Point Services on the Multi-Domain Server you promoted

Run these commands:

mdsstop
mdsstart

6. Install and configure a new Secondary Multi-Domain Server

See the R81.10 Installation and Upgrade Guide.

R81.10 Multi-Domain Security Management Administration Guide | 121

Deleting a Secondary Multi-Domain Server or Multi-Domain Log Server

Deleting a Secondary Multi-Domain Server or

Multi-Domain Log Server
To delete a secondary Multi-Domain Server:
1. Move each Active Domain Management Server on the secondary Multi-Domain Server
to another Domain Management Server.
2. Connect to the command line on the Multi-Domain Server to be deleted and run:
mdsstop

3. In SmartConsole, right-click the secondary Multi-Domain Server, and then select Delete
Multi-Domain Server.
4. Confirm the action and click OK.
5. Publish the SmartConsole session.

Note - This procedure deletes all standby and non-primary Domain Management
Servers on the Secondary Multi-Domain Server. You cannot delete the Primary or
Active Domain Management Server.

R81.10 Multi-Domain Security Management Administration Guide | 122

Re-Establishing SIC Trust for a Secondary Multi-Domain Server

Re-Establishing SIC Trust for a Secondary

Multi-Domain Server
Important - You can only re-establish SIC trust on a Secondary Multi-Domain Server
or Multi-Domain Log Servers. There is no option to establish SIC trust on the Primary
Multi-Domain Server.

It is occasionally necessary to re-establish trust between a Primary and secondary Multi-

Domain Server or Multi-Domain Log Server. This can occur for many reasons, including:
n Changes to the IP address of the Primary Multi-Domain Server, Secondary Multi-Domain
Server or Multi-Domain Log Server
n Failure and recovery of the Primary Multi-Domain Server
n Promotion of a Secondary Multi-Domain Server to Primary Multi-Domain Server
n Internal Certificate Authority (ICA) failure on the Primary Multi-Domain Server

To re-establish SIC trust:

1. Open a command line interface to the Secondary Multi-Domain Server or Multi-Domain
Log Server.
2. Log in and run: mdsconfig
3. Enter the number for Secure Internal Communication, and then press Enter.

4. Enter y to confirm.
5. Enter and confirm the activation key.

6. Enter the number for Exit.

7. Wait for Check Point processes to stop and automatically restart.
8. In the SmartConsole Multi-Domain view, double-click a Secondary Multi-Domain Server
or Multi-Domain Log Server object.
9. In the Multi-Domain Server window, click Connect.
10. In the Initialize SIC window, enter activation key that you entered in step 5 above.
If successful, the Certificate State field shows Trust established.

R81.10 Multi-Domain Security Management Administration Guide | 123

Logging and Monitoring

This chapter includes information that is directly related to Multi-Domain Security
Management, with some general background information and basic procedures. See the
R81.10 Logging and Monitoring Administration Guide for the full set of conceptual information
and procedures.
With R80, logging, event management, reporting, and monitoring, are more tightly integrated
than ever before. Security data and trends are easy to understand at a glance, with Widgets
and chart templates that optimize visual display. Logs are now tightly integrated with the Policy
rules so that you can access all logs associated with a specific rule by simply clicking on that
rule. Free-text search also lets you enter specific search terms to retrieve results from millions
of logs in seconds.

One-click exploration makes it easy to move from high-level overview to specific event details
such as type of attack, timeline, application type and source. After you investigate an event, it
is easy to act on it. Depending on the severity of the event, you can choose to ignore it, act on it
later, or block it immediately. You can also easily toggle over to the rules associated with the
event to refine your Policy. Send reports to your manager or auditors that show only the
content that is relevant to each stakeholder.
In R80.x, SmartReporter and SmartEvent functionality is integrated into SmartConsole.
Using rich and customizable views and reports, R80 introduces a new experience for log and
event monitoring.
The new views are available from two locations:
n SmartConsole > Logs & Monitor
n SmartView Web Application. Browse to: https://<Server IP Address>/smartview/

Where Server IP Address is IP address of the Multi-Domain Server or Multi-Domain Log

Server.

Note - Include the final backward slash: /

Working with Log Servers

A Domain Log Server is a dedicated host for Domain log files. A Multi-Domain Log Server is a
dedicated container for Domain Log Servers. Domain Log Servers also handle these log
management activities:
n Automatically start a new log file when an existing log file is larger than the specified
maximum size
n Log file backup and restoration

R81.10 Multi-Domain Security Management Administration Guide | 124

Logging and Monitoring

n Export and import log files

n Index logs for faster log queries.
It is a best practice to use Multi-Domain Log Servers and Domain Log Servers to handle logs
for a Multi-Domain Security Management environment because of the large volume of logs.
To see the logs for a Domain and its Security Gateways, click Logs & Monitor in
SmartConsole for that Domain. To see logs for all Domains in one view, click Logs & Monitor
in the Multi-Domain Server SmartConsole. You can filter the logs for specified Security
Gateways, Domain Management Servers, or Domain Log Servers.

R81.10 Multi-Domain Security Management Administration Guide | 125

Configuring Logging

Configuring Logging
Creating a Multi-Domain Log Server with Domain Log
Servers
This section shows you how to create a new Multi-Domain Log Server and its related Domain
Log Servers.

Important - Before you start this procedure, make sure that you define the physical
servers as the correct server type (Secondary Multi-Domain Server or Multi-Domain
Log Server) during installation. An incorrect definition can cause deployment failure.

To create a new Multi-Domain Log Server:

1. If you did not do so, install a new Multi-Domain Log Server.
Follow the procedures in the R81.10 Installation and Upgrade Guide.
Make sure to define this server as a Multi-Domain Log Server in the First Time
Configuration Wizard.
2. Connect with SmartConsole to the primary Multi-Domain Server - the MDS context.
3. From the left navigation panel, click Multi-Domain > Domains.
4. From the top toolbar, click New > Multi-Domain Log Server.
5. Enter a unique name for this Multi-Domain Log Server.

6. Enter the IPv4 address or click Resolve IP to get the IP address from the DHCP Server.
7. Click Connect to establish SIC trust.

Enter the same Activation Key you entered during the First Time Configuration Wizard of
the Multi-Domain Log Server.
8. In the Platform section:
n In the OS field, select Gaia
n In the Version field, select the correct version
n In the Hardware field, select the applicable option
9. Click OK.

Note - To add a license for a Multi-Domain Log Server, go to the main Menu >
Manage licenses and packages.

R81.10 Multi-Domain Security Management Administration Guide | 126

Configuring Logging

To create Domain Log Servers:

1. Connect with SmartConsole to the primary Multi-Domain Server - the MDS context.
2. From the left navigation panel, click Multi-Domain > Domains.
3. In the Multi-Domain Log Server column, right-click the Domain Log Server cell for each
Domain and click New Domain Server.
4. Accept the default name or enter a different, unique name.
5. Enter the IPv4 address or click Resolve IP to automatically assign the IPv4 address.
6. Click OK.
Wait for the cell to show the new Domain Log Server.

7. Configure the Security Gateway in each Domain to the send its logs to the new Domain
Log Server on the Multi-Domain Log Server (see "Configuring Security Gateways to
Send Logs to a Log Servers" below).
The Domain Log Servers synchronize automatically.
The new Multi-Domain Log Server automatically synchronizes with all existing Multi-Domain
Servers. The synchronization operation can take many minutes to complete, during which a
notification indicator shows in the task information area.

Note - To add a license for a Domain Log Server, go to the main Menu > Manage
licenses and packages.

Configuring Security Gateways to Send Logs to a Log

Servers
Logs are not automatically forwarded to a Log Server. You must manually configure each
relevant Security Gateway to send its logs to the new Domain Log Server.

To configure Domain Security Gateways to send logs to a Log Server:

1. Connect to the applicable Domain Management Server with SmartConsole, and then
double-click the applicable Security Gateway.
2. In the Logs section, select the new Log Server from the list.
You can delete or ignore other Log Servers in the list as necessary.
3. Click OK.
4. Configure other log settings as applicable.
5. Install Policy on the applicable Security Gateways.
6. Install the database on the Log Servers.

R81.10 Multi-Domain Security Management Administration Guide | 127

Configuring Logging

Deleting a Domain Log Server

To delete a Domain Log Server in SmartConsole:

Configuring Log Settings

Disk cleanup deletes the oldest log files when the available disk space is less than a specified
value. Disk cleanup settings are controlled at the Multi-Domain Server level and apply to all
Domains and Domain Management Servers. Disk cleanup settings configured at the Domain
Management Server level are ignored.
These other log management activities, when configured on a Multi-Domain Server, apply only
to that Multi-Domain Server:
n Run script before cleanup
n Alerts
n Stop logging
n Create new log file
Configure these activities individually for each Domain Management Server and Log Server.

To configure log settings for a Multi-Domain Server:

1. In SmartConsole, go to Multi-Domain > Domains.

2. Double-click the applicable Multi-Domain Server.
3. Click Log Settings.
4. In the General view, configure these settings:
n Cleanup when free disk space is below - Start the disk cleanup procedure when
available disk space is less than the specified quantity. Select to enable (default) or
clear to disable. Enter the minimum disk space and unit of measure (Default = 5
GB).
This parameter applies to the Multi-Domain Server and its Domain Management
Servers.

R81.10 Multi-Domain Security Management Administration Guide | 128

Configuring Logging

n Run the following script before cleanup - Enter a predefined script to run before
the cleanup starts.
n Send Alert when free disk space is below - Send an alert when available disk
space is less that the specified quantity. Select to enable (default). Clear to disable.
Enter the minimum disk space and unit of measure (Default = 3 GB).
5. In the Advanced view, configure these settings:
n Accept Syslog messages - Include syslog messages in the log files.
n Stop Logging - Stop all logging activity when the available disk space is less than
the specified quantity.
Enter the minimum disk space and unit of measure (Default = 100 MB).
n Create a new log file - Close and save the active log file when the active log file is
larger than the specified size. The log file has an extension that is a sequential
number. You can move these saved log files to external storage or export them to
an external database.
Enter the maximum log file size. (Default = 1 GB).

R81.10 Multi-Domain Security Management Administration Guide | 129

Log Server Deployment Scenarios

Security Gateways generate logs. The Security Policy on each Security Gateway controls
which rules generate log entries. In a Multi-Domain Security Management environment, the
Security Gateways send logs to a Domain Management Server or to Domain Log Servers.
Domain Management Servers and Multi-Domain Servers also generate audit logs. The system
typically saves audit logs on a Multi-Domain Server, which automatically synchronizes to other
Multi-Domain Servers in a High Availability deployment.
You can use one of these strategies to deploy Domain Log Servers in a Multi-Domain Security
Management environment:
1. Each Domain has one Domain Log Server on a Multi-Domain Server (default).

2. Each Domain keeps its Domain Log Servers on one or more Multi-Domain Log Servers.
If this Domain has more than one Domain Log Server, you must install each one on a
different Multi-Domain Log Server.

Best Practice - Use this strategy in large, geographically distributed environments.

3. Each Domain Security Gateway works as the Log Server for its own logs. This is known
as local logging.
For additional information, see "Deploying a Domain Dedicated Log Server" on page 131.

R81.10 Multi-Domain Security Management Administration Guide | 130

Deploying a Domain Dedicated Log Server

Introduction
In a Multi-Domain Security Management environment, the Security Gateways send logs to the
Domain Management Server and dedicated Domain Log Servers.
The Multi-Domain Server unifies logs, and they can be stored on the Multi-Domain Server or
on a dedicated Multi-Domain Log Server.
Starting in R81, Multi-Domain Server supports a dedicated Log Server (installed on a separate
computer) for a Domain.
You can configure a Domain Dedicated Log Server to receive logs only from a specified
Domain, and no other Domains can access these logs.
This allows you to locate the dedicated Log Server in a separate network from the Multi-
Domain Security Management environment to comply with special regulatory requirements.
Logs reported to the Domain Dedicated Log Server can be viewed from any SmartConsole
that has permissions for this Domain.
The Domain Dedicated Log Server communicates directly only with the associated Domain
Server. No other Domain can access its log data.

Note - Connecting with SmartConsole to the Domain Dedicated Log Server to see
Security Policies is not supported.

Procedure for an R81.10 Multi-Domain Environment

1. Install an R81.10 Multi-Domain Server.

See the R81.10 Installation and Upgrade Guide > Chapter "Installing a Multi-Domain
Server".
2. Install a regular dedicated R81.10 Log Server.
See the R81.10 Installation and Upgrade Guide > Chapter "Installing a Dedicated Log
Server or SmartEvent Server".
3. Connect with SmartConsole to the specific Domain.
See the R81.10 Multi-Domain Security Management Administration Guide.
4. Add a regular Log Server object for the dedicated R81.10 Log Server you installed in
Step 2.
Requirement post upgrade to R81.10:
For any environment, which uses SmartEvent Server or a Domain Dedicated Log Server, this
is a required step to complete post upgrade to R81.10 from any source version:

R81.10 Multi-Domain Security Management Administration Guide | 131

Deploying a Domain Dedicated Log Server

After you upgrade the SmartEvent Server or Domain Dedicated Log Server, run this command
in the Expert mode on each Multi-Domain Security Management Server:

$MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd

Procedure for an R77.x Multi-Domain Environment

Upgrade with CPUSE

1. Upgrade all servers from R77.x to R80.20 (or R80.30 or R80.40).

This applies to all Multi-Domain Servers, Multi-Domain Log Servers, Domain
Dedicated Log Servers, and SmartEvent Servers.
a. Follow the instructions in the R80.40 Installation and Upgrade Guide.

Important - Stop after the CPUSE Verifier shows the upgrade / installation is
allowed.
n For Multi-Domain Servers:
See the chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log
Servers" > select the applicable section to upgrade "from R80.10 and
lower" > select the applicable section to upgrade "with CPUSE".
n For Log Servers:
See the chapter "Upgrade of Security Management Servers and Log
Servers" > section "Upgrading a Dedicated Log Server from R80.10 and
lower" > select the applicable section to upgrade "with CPUSE".
n For SmartEvent Servers:
See the chapter "Upgrade of Security Management Servers and Log
Servers" > section "Upgrading a Dedicated SmartEvent Server from
R80.10 and lower" > select the applicable section to upgrade "with
CPUSE".
b. Fix all the errors, except the one specified for Log Servers on a Domain
Management Server:

Log Servers on the Domain Management Server level are

not yet supported in R80.x

R81.10 Multi-Domain Security Management Administration Guide | 132

Deploying a Domain Dedicated Log Server

c. On each Multi-Domain Security Management Server, modify the Pre-Upgrade

Verifier to treat the upgrade errors as warnings:
i. Connect to the command line on the Multi-Domain Server.
ii. Log in to the Expert mode.
iii. Enter these commands as they appear below (after each command, press
the Enter key):

cp -v $CPDIR/tmp/.CPprofile.sh{,_BKP}
cat >> $CPDIR/tmp/.CPprofile.sh << EOF
> export PUV_ERRORS_AS_WARNINGS=1
> EOF

d. Restart the CPUSE daemon:

DAClient stop ; DAClient start

e. Follow the instructions in the R80.40 Installation and Upgrade Guide to upgrade
all the servers "with CPUSE".
2. Upgrade all Multi-Domain Servers to R81.10.
See the R81.10 Installation and Upgrade Guide > chapter "Upgrade of Multi-Domain
Servers and Multi-Domain Log Servers" > select the applicable section to upgrade
"from R80.20 and higher" > select the applicable section to upgrade "with CPUSE".

3. On each Multi-Domain Security Management Server, run this script in the Expert
mode:

$MDS_FWDIR/scripts/configureCrlDp.sh

4. Reboot each Multi-Domain Security Management Server:

reboot

5. Upgrade all Log Servers and SmartEvent Servers to R81.10.

See the R81.10 Installation and Upgrade Guide > chapter "Upgrade of Security
Management Servers and Log Servers" > section "Upgrading a Security Management
Servers or Log Server from R80.20 and higher" > section "Upgrading a Security
Management Server or Log Server from R80.20 and higher with CPUSE".

Note - To install an R81.10 Log Server or an R81.10 SmartEvent Server, see

the chapter "Installing a Dedicated Log Server or SmartEvent Server".

R81.10 Multi-Domain Security Management Administration Guide | 133

Deploying a Domain Dedicated Log Server

6. On each Multi-Domain Security Management Server, run this script in the Expert
mode:

$MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all -sd

7. Reboot all the Domain Dedicated Log Servers and the SmartEvent Servers:

reboot

Advanced Upgrade

1. Upgrade all servers from R77.x to R80.20 (or R80.30 or R80.40).

This applies to all Multi-Domain Servers, Multi-Domain Log Servers, Domain
Dedicated Log Servers, and SmartEvent Servers.
a. Run the Pre-Upgrade Verifier, as detailed in the R80.40 Installation and
Upgrade Guide.
n For Multi-Domain Servers:
See the chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log
Servers" > select the applicable section to upgrade "from R80.10 and
lower" > select the applicable section to upgrade "with Advanced
Upgrade".
n For Log Servers:
See the chapter "Upgrade of Security Management Servers and Log
Servers" > section "Upgrading a Dedicated Log Server from R80.10 and
lower" > select the applicable section to upgrade "with Advanced
Upgrade".
n For SmartEvent Servers:
See the chapter "Upgrade of Security Management Servers and Log
Servers" > section "Upgrading a Dedicated SmartEvent Server from
R80.10 and lower" > select the applicable section to upgrade "with
Advanced Upgrade".
b. Fix all the errors, except the one specified for Log Servers on a Domain
Management Server:

Log Servers on Domain Management Server level are not

yet supported in R80.x

c. In your active shell window, run this command in the Expert mode:

export PUV_ERRORS_AS_WARNINGS=1

R81.10 Multi-Domain Security Management Administration Guide | 134

Deploying a Domain Dedicated Log Server

d. Follow the instructions in the R80.40 Installation and Upgrade Guide to upgrade
all the servers "with Advanced Upgrade".
2. Upgrade all Multi-Domain Servers to R81.10.
See the R81.10 Installation and Upgrade Guide > chapter "Upgrade of Multi-Domain
Servers and Multi-Domain Log Servers" > select the applicable section to upgrade
"from R80.10 and lower" > select the applicable section to upgrade "with Advanced
Upgrade".
3. On each Multi-Domain Security Management Server, run this script in the Expert
mode:

$MDS_FWDIR/scripts/configureCrlDp.sh

4. Reboot each Multi-Domain Security Management Server:

reboot

5. Upgrade all Log Servers and SmartEvent Servers to R81.10.

Note - To install an R81.10 Log Server or an R81.10 SmartEvent Server, see

the chapter "Installing a Dedicated Log Server or SmartEvent Server".

6. On each Multi-Domain Security Management Server, run this script in the Expert
mode:

$MDS_FWDIR/scripts/cpm.sh -tm -op reset -d all –sd

7. Reboot all the Domain Dedicated Log Servers and SmartEvent Servers:

reboot

R81.10 Multi-Domain Security Management Administration Guide | 135

Using the Log View

This is an example of the Log view.

Item Description

1 Queries - Predefined and favorite search queries.

2 Time Period - Search with predefined custom time periods.

3 Query search bar - Define custom queries in this field. You can use the GUI tools
or manually enter query criteria. Shows the query definition for the most recent
query.

4 Log statistics pane (Tab hidden) - Top results of the most recent log query.

5 Log Servers - All Multi-Domain Log Servers, Domain Log Servers, and other Log
Server objects in the Multi-Domain Security Management deployment. Select one
or more Log Servers from this list to include in a query.

6 Results pane - All log entries for the most recent query.

R81.10 Multi-Domain Security Management Administration Guide | 136

Monitoring Multi-Domain Security Management

R80.x includes many powerful, integrated features that let monitor your Multi-Domain Security
Management environment directly in SmartConsole. Additionally, you can use the SmartView
Monitor client application to work with advanced monitor features, such as:
n Custom queries to filter monitor data
n Custom monitor views
n Monitor Cooperative enforcement
n Monitor users and user activity

Monitoring Multi-Domain Server Status

To see status and general information for Multi-Domain Servers or Multi-Domain Log Servers,
select Multi-Domain in the SmartConsole Multi-Domain Security Management window. This
information shows in the System Information area:
n Multi-Domain Server/Multi-Domain Log Servers IP address
n Server type
n SIC trust status
n Last change date and the administrator who worked on it
You can use SmartView Monitor to see other, detailed status information, such as:
n Errors
n CPU, Disk, and Memory utilization
n Active events
n Alert destination

Monitoring Domain Management Server Status

Use the SmartConsole Logs & Monitor view to see Domain and Domain Management Server
status. You can also show the combined statistics, in real time, for all Security Gateways in the
Domain:
n Device Status - Shows Security Gateway device and Software Blade status information
n License Status - Shows license status for Software Blades and features
n System Counters - Shows operational and performance statistics
You can apply filters and show different types of graphical displays. You can also save the
results to your local computer in these formats:

R81.10 Multi-Domain Security Management Administration Guide | 137

Monitoring Multi-Domain Security Management

n HTML
n JPG
n CSV file (compatible with Microsoft Excel)
n Plain text file

To see Security Gateway status and monitoring information

1. Open the Domain SmartConsole.
2. Select a Security Gateway.
3. Click Monitor on the Actions toolbar.

The Monitor Information window opens.

4. Use the toolbar to filter data and change the graph type.

Monitoring Security Gateway Status

You can use the SmartConsole Logs & Monitor view to see Security Gateway status and
show operational statistics in real time:
n Device Status - Shows Security Gateway device and Software Blade status information
n License Status - Shows license status for Software Blades and features
n System Counters - Shows operational and performance statistics
n Traffic information - Shows traffic, throughput, and other related statistics
You can apply filters and show different types of graphical presentation. You can also save the
results to your local computer in these formats:
n HTML
n JPG
n CSV file (compatible with Microsoft Excel)
n Plain text file

To see Security Gateway status and monitoring information

1. Open the Domain SmartConsole.
2. Select a Security Gateway.
3. Click Monitor on the Actions toolbar.
The Monitor Information window opens.
4. Use the toolbar to filter data and change the graph type.

R81.10 Multi-Domain Security Management Administration Guide | 138

Creating and Changing an Administrator Account

Creating and Changing an

Administrator Account
To successfully manage security for a large network, we recommend that you first set up your
administrative team, and delegate tasks.
We recommend that you create administrator accounts in SmartConsole, with the procedure
below or with the First Time Configuration Wizard.
If you create it through the SmartConsole, you can choose one of these authentication
methods:
n Check Point Password

Check Point password is a static password that is configured in SmartConsole. For

administrators, the password is stored in the local database on the Management
Server. For users, it is stored on the local database on the Security Gateway. No
additional software is required.

n OS Password

OS Password is stored on the operating system of the computer on which the Security
Gateway (for users) or Security Management Server (for administrators) is installed.
You can also use passwords that are stored in a Windows domain. No additional
software is required.

n RADIUS

Remote Authentication Dial-In User Service (RADIUS) is an external authentication

method that provides security and scalability by separating the authentication function
from the access server.
Using RADIUS, the Security Gateway forwards authentication requests by remote
users to the RADIUS server. For administrators, the Security Management Server
forwards the authentication requests. The RADIUS server, which stores user account
information, does the authentication.
The RADIUS protocol uses UDP to communicate with the Security Gateway or the
Security Management Server.
RADIUS servers and RADIUS server group objects are defined in SmartConsole.

n SecurID

R81.10 Multi-Domain Security Management Administration Guide | 139

Creating and Changing an Administrator Account

SecurID requires users to both possess a token authenticator and to supply a PIN or
password. Token authenticators generate one-time passwords that are synchronized
to an RSA Authentication Manager and may come in the form of hardware or software.
Hardware tokens are key-ring or credit card-sized devices, while software tokens
reside on the PC or device from which the user wants to authenticate. All tokens
generate a random, one-time use access code that changes approximately every
minute. When a user attempts to authenticate to a protected resource, the one-time
use code must be validated by the Authentication Manager.
Using SecurID, the Security Gateway forwards authentication requests by remote
users to the Authentication Manager. For administrators, it is the Security
Management Server that forwards the requests. The Authentication Manager
manages the database of RSA users and their assigned hard or soft tokens. The
Security Gateway or the Security Management Server act as an Authentication
Manager agent and direct all access requests to the RSA Authentication Manager for
authentication. For additional information on agent configuration, refer to RSA
Authentication Manager documentation.
There are no specific parameters required for the SecurID authentication method.

n TACACS

Terminal Access Controller Access Control System (TACACS) provides access

control for routers, network access servers and other networked devices through one
or more centralized servers.
TACACS is an external authentication method that provides verification services.
Using TACACS, the Security Gateway forwards authentication requests by remote
users to the TACACS server. For administrators, it is the Security Management Server
that forwards the requests. The TACACS server, which stores user account
information, authenticates users. The system supports physical card key devices or
token cards and Kerberos secret key authentication. TACACS encrypts the user
name, password, authentication services and accounting information of all
authentication requests to ensure secure communication.

If you create an administrator through mdsconfig, the Check Point configuration tool, Check
Point password is automatically configured

To create an administrator account using SmartConsole:

1. Click Manage & Settings > Permissions & Administrators.
The Administrators pane shows by default.
2. Click New Administrator.
The New Administrators window opens.
3. Enter a unique name for the administrator account.

R81.10 Multi-Domain Security Management Administration Guide | 140

Creating and Changing an Administrator Account

Note - This parameter is case-sensitive.

4. Set the Authentication Method, or create a certificate, or the two of them.

Note - If you do not do this, the administrator will not be able to log in to
SmartConsole.

To define an Authentication Method:

In the Authentication Method section, select a method and follow the instructions in
Configuring Authentication Methods for Administrators.

To create a Certificate - If you want to use a certificate to log in:

In the Certificate Information section, click Create, and follow the instructions in
"Creating a Certificate for Logging in to SmartConsole" on page 93.
5. Select a Permissions profile for this administrator, or create a new one.
6. Set the account Expiration date:
n For a permanent administrator - select Never
n For a temporary administrator - select an Expire At date from the calendar
The default expiration date shows, as defined in the Default Expiration Settings. After the
expiration date, the account is no longer authorized to access network resources and
applications.

7. Optional: Configure Additional Info - Contact Details, Email and Phone Number of the
administrator.
8. Click OK.

To change an existing administrator account:

1. Click Manage & Settings > Permissions & Administrators.
2. Double-click an administrator account.
The Administrators properties window opens.

R81.10 Multi-Domain Security Management Administration Guide | 141

Managing Security through API

This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the
API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions
with third party systems, such as virtualization servers, ticketing systems, and change
management systems.

To learn more about the management APIs, to see code samples, and to take advantage of
user forums, see:
n The API Documentation:
l Online - Check Point Management API Reference
l Local - https://<Server IP Address>/api_docs
By default, access to the local API Documentation is disabled. Follow the
instructions in sk174606.

Note - On a Standalone server (a server which runs both a Security

Management Server and a Security Gateway), the API Documentation
web portal (https://<Server IP Address>/api_docs) stops
working when you open SmartView Web Application
(https://<Server IP Address>/smartview).
n The Developers Network section of Check Point CheckMates Community.

API Tools
You can use these tools to work with the API Server on the Management Server:
n Standalone management tool, included with Gaia operating system:
mgmt_cli
n Standalone management tool, included with SmartConsole:
mgmt_cli.exe

You can copy this tool from the SmartConsole installation folder to other computers that
run Windows operating system.

R81.10 Multi-Domain Security Management Administration Guide | 142

Managing Security through API

n Web Services APIs that allow communication and data exchange between the clients
and the Management Server over the HTTP protocol.
These APIs also let other Check Point processes communicate with the Management
Server over the HTTPS protocol.
https://<IP Address of Management Server>/web_api/<command>

Configuring the API Server

To configure the API Server:
1. Connect with SmartConsole to the Security Management Server or applicable Domain
Management Server.

2. From the left navigation panel, click Manage & Settings.

3. In the upper left section, click Blades.
4. In the Management API section, click Advanced Settings.
The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings.
Configuring Startup Settings

Select Automatic start to automatically start the API server when you start or reboot
the Management Server.

Notes:
n If the Management Server has more than 4GB of RAM installed, the

Automatic start option is activated by default during Management

Server installation.
n If the Management Server has less than 4GB of RAM, the Automatic

Start option is deactivated.

R81.10 Multi-Domain Security Management Administration Guide | 143

Managing Security through API

Configuring Access Settings

Select one of these options to configure which clients can connect to the API Server:
n Management server only - Only the Management Server itself can connect to
the API Server. This option only lets you use the mgmt_cli utility on the
Management Server to send API requests. You cannot use SmartConsole or
Web services to send API requests.
n All IP addresses that can be used for GUI clients - You can send API requests
from all IP addresses that are defined as Trusted Clients in SmartConsole. This
includes requests from SmartConsole, Web services, and the mgmt_cli utility
on the Management Server.
n All IP addresses - You can send API requests from all IP addresses. This
includes requests from SmartConsole, Web services, and the mgmt_cli utility
on the Management Server.

6. Publish the SmartConsole session.

7. Restart the API Server on the Management Server with this command:

api restart
Note - On a Multi-Domain Server, you must run this command in the context of
the applicable Domain Management Server.

R81.10 Multi-Domain Security Management Administration Guide | 144

Configuring Implied Rules or Kernel Tables for Security Gateways

Configuring Implied Rules or

Kernel Tables for Security
Gateways
Introduction
An administrator configures Security Policy and other inspection settings in SmartConsole.
During a policy installation, the Management Server creates the applicable files and transfers
them to the target Security Gateways.

The Management Server creates these files based on:

n Security Policy in SmartConsole
n Global properties in SmartConsole
n Security Gateway properties
n Multiple configuration files on the Management Server that control the inspection of
various network protocols
It is possible to modify these configuration files on the Management Server to fine-tune the
inspection in your network (in Check Point INSPECT language).

There are two main categories of these configuration files:

n Files for Security Gateways that have the same software version as the Management
Server.
n Files for Security Gateways that have the a lower software version than the Management
Server. This category is called "Backward Compatibility".

Configuration files
File Name Controls Location

user.def User-defined implied rules. See "Location of

'user.def' Files on the
Management Server"
on page 148

R81.10 Multi-Domain Security Management Administration Guide | 145

Configuring Implied Rules or Kernel Tables for Security Gateways

File Name Controls Location

implied_ Default implied rules. See "Location of

rules.def 'implied_rules.def'
Files on the
Management Server"
on page 163

table.def Definitions of various kernel tables. See "Location of

'table.def' Files on the
Management Server"
on page 149

crypt.def VPN encryption macros. See "Location of

'crypt.def' Files on the
Management Server"
on page 151

vpn_table.def Definitions for various kernel tables that See "Location of

hold VPN data. 'vpn_table.def' Files
For example, VPN timeouts, number of on the Management
VPN tunnels, whether a specific kernel Server" on page 153
table should be synchronized between
cluster members, and others.

communities.def VPN encryption macros for X11 server See "Location of

(X Window System) traffic. 'communities.def'
Files on the
Management Server"
on page 155

base.def Definitions of packet inspection for See "Location of

various network protocols. 'base.def' Files on the
Management Server"
on page 157

dhcp.def Definitions of packet inspection for See "Location of

DHCP traffic - DHCP Request, DHCP 'dhcp.def' Files on the
Reply, and DHCP Relay. Management Server"
on page 159

gtp.def Definitions of packet inspection for GTP See "Location of

(GPRS Tunnelling Protocol) traffic. 'gtp.def' Files on the
Management Server"
on page 161

R81.10 Multi-Domain Security Management Administration Guide | 146

Configuring Implied Rules or Kernel Tables for Security Gateways

Configuration Procedure
1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode.
3. Go to the context of the applicable Domain Management Server:

mdsenv <IP Address or name of Domain Management Server>

4. Back up the current file:

cp -v /<Full Path to File>/<File Name>{,_BKP}

Example:

cp -v $FWDIR/conf/user.def.FW1{,_BKP}

5. Edit the current file:

vi /<Full Path to File>/<File Name>

Example:

vi $FWDIR/conf/user.def.FW1

6. Make the applicable changes as described in the applicable SK article, or as instructed

by Check Point Support.
7. Save the changes in the file and exit the editor.

8. Connect with SmartConsole to the applicable Domain Management Server.

9. In SmartConsole, install the Access Control Policy on the applicable Security Gateway or
Cluster object.

R81.10 Multi-Domain Security Management Administration Guide | 147

Location of 'user.def' Files on the Management Server

Location of 'user.def' Files on the Management

Server
The 'user.def' files contain the user-defined implied rules.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target Security Gateway Location of the File

R81.10 $FWDIR/conf/user.def.FW1

R81.10.x on Quantum Spark Appliances $FWDIR/conf/user.def.SFWR81CMP

1500 / 1600 / 1800

R81 $FWDIR/conf/user.def.FW1

R80.40 $FWDIR/conf/user.def.R8040CMP

R80.30SP on Maestro $FWDIR/conf/user.def.R8040CMP

R80.30 $FWDIR/conf/user.def.R8040CMP

R80.20SP on Maestro, or Scalable Chassis $FWDIR/conf/user.def.R8040CMP

R80.20 $FWDIR/conf/user.def.R8040CMP

R80.20.x on Quantum Spark Appliances $FWDIR/conf/user.def.SFWR80CMP

1500 / 1600 / 1800

R80.10 $FWDIR/conf/user.def.R8040CMP

R77.30 $FWDIR/conf/user.def.R77CMP

R77.20.x on SMB Appliances 1100 / 1200R / $FWDIR/conf/user.def.SFWR77CMP

1400

Important - If the required file does not exist, create a copy of the
$FWDIR/conf/user.def.FW1 file, rename it, and edit it.

R81.10 Multi-Domain Security Management Administration Guide | 148

Location of 'table.def' Files on the Management Server

Location of 'table.def' Files on the Management

Server
The 'table.def' files contain definitions of various kernel tables for Security Gateways.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target Security

Location of the File
Gateway

R81.10 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-
R81.10/fw1/lib/table.def

R81.10.x on Quantum Spark /opt/CPSFWR81CMP-R81.10/lib/table.def

Appliances 1500 / 1600 / 1800 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-
R81.10/fw1/lib/table.def

R81 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-
R81.10/fw1/lib/table.def

R80.40 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/table.def

R80.30SP on Maestro $MDSDIR/customers/<Name_of_

Domain>/CPR8040CMP-R81.10/lib/table.def

R80.30 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/table.def

R80.20SP on Maestro, or Scalable $MDSDIR/customers/<Name_of_

Chassis Domain>/CPR8040CMP-R81.10/lib/table.def

R80.20 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/table.def

R80.20.x on Quantum Spark $MDSDIR/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPSFWR80CMP-
R81.10/lib/table.def

R81.10 Multi-Domain Security Management Administration Guide | 149

Location of 'table.def' Files on the Management Server

Version of the Target Security

Location of the File
Gateway

R80.10 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/table.def

R77.30 $MDSDIR/customers/<Name_of_
Domain>/CPR77CMP-R81.10/lib/table.def

R77.20.x on SMB Appliances $MDSDIR/customers/<Name_of_

1100 / 1200R / 1400 Domain>/CPSFWR77CMP-
R81.10/lib/table.def

R81.10 Multi-Domain Security Management Administration Guide | 150

Location of 'crypt.def' Files on the Management Server

Location of 'crypt.def' Files on the Management

Server
The 'crypt.def' files contain VPN encryption macros.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target Security

Location of the File
Gateway

R81.10 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/crypt.def

R81.10.x on Quantum Spark /opt/CPmds-R81.10/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPsuite-R81.10/fw1/lib/crypt.def

R81 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/crypt.def

R80.40 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/crypt.def

R80.30SP on Maestro $MDSDIR/customers/<Name_of_

Domain>/CPR8040CMP-R81.10/lib/crypt.def

R80.30 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/crypt.def

R80.20SP on Maestro, or $MDSDIR/customers/<Name_of_

Scalable Chassis Domain>/CPR8040CMP-R81.10/lib/crypt.def

R80.20 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/crypt.def

R80.20.x on Quantum Spark $MDSDIR/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPSFWR80CMP-R81.10/lib/crypt.def

R80.10 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/crypt.def

R81.10 Multi-Domain Security Management Administration Guide | 151

Location of 'crypt.def' Files on the Management Server

Version of the Target Security

Location of the File
Gateway

R77.30 $MDSDIR/customers/<Name_of_
Domain>/CPR77CMP-R81.10/lib/crypt.def

R77.20.x on SMB Appliances $MDSDIR/customers/<Name_of_

1100 / 1200R / 1400 Domain>/CPSFWR77CMP-R81.10/lib/crypt.def

R81.10 Multi-Domain Security Management Administration Guide | 152

Location of 'vpn_table.def' Files on the Management Server

Location of 'vpn_table.def' Files on the

Management Server
The 'vpn_table.def' files contain definitions for various kernel tables that hold VPN data.
For example, VPN timeouts, number of VPN tunnels, whether a specific kernel table should be
synchronized between cluster members, and others.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target Security

Location of the File
Gateway

R81.10 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/vpn_
table.def

R81.10.x on Quantum Spark /opt/CPmds-R81.10/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPsuite-R81.10/fw1/lib/crypt.def

R81 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/vpn_
table.def

R80.40 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/vpn_
table.def

R80.30SP on Maestro $MDSDIR/customers/<Name_of_

Domain>/CPR8040CMP-R81.10/lib/vpn_
table.def

R80.30 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/vpn_
table.def

R80.20SP on Maestro, or $MDSDIR/customers/<Name_of_

Scalable Chassis Domain>/CPR8040CMP-R81.10/lib/vpn_
table.def

R81.10 Multi-Domain Security Management Administration Guide | 153

Location of 'vpn_table.def' Files on the Management Server

Version of the Target Security

Location of the File
Gateway

R80.20 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/vpn_
table.def

R80.20.x on Quantum Spark $MDSDIR/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPSFWR80CMP-R81.10/lib/vpn_
table.def

R80.10 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/vpn_
table.def

R77.30 $MDSDIR/customers/<Name_of_
Domain>/CPR77CMP-R81.10/lib/vpn_table.def

R77.20.x on SMB Appliances $MDSDIR/customers/<Name_of_

1100 / 1200R / 1400 Domain>/CPSFWR77CMP-R81.10/lib/vpn_
table.def

R81.10 Multi-Domain Security Management Administration Guide | 154

Location of 'communities.def' Files on the Management Server

Location of 'communities.def' Files on the

Management Server
The 'communities.def' files contain VPN encryption macros for X11 server (X Window
System) traffic.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target

Location of the File
Security Gateway

R81.10 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-
R81.10/fw1/lib/communities.def

R81.10.x on Quantum Spark /opt/CPmds-R81.10/customers/<Name_of_

Appliances 1500 / 1600 / Domain>/CPsuite-
1800 R81.10/fw1/lib/communities.def

R81 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-
R81.10/fw1/lib/communities.def

R80.40 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-
R81.10/lib/communities.def

R80.30SP on Maestro $MDSDIR/customers/<Name_of_

Domain>/CPR8040CMP-
R81.10/lib/communities.def

R80.30 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-
R81.10/lib/communities.def

R80.20SP on Maestro, or $MDSDIR/customers/<Name_of_

Scalable Chassis Domain>/CPR8040CMP-
R81.10/lib/communities.def

R81.10 Multi-Domain Security Management Administration Guide | 155

Location of 'communities.def' Files on the Management Server

Version of the Target

Location of the File
Security Gateway

R80.20 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-
R81.10/lib/communities.def

R80.20.x on Quantum Spark $MDSDIR/customers/<Name_of_

Appliances 1500 / 1600 / Domain>/CPSFWR80CMP-
1800 R81.10/lib/communities.def

R80.10 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-
R81.10/lib/communities.def

R77.30 $MDSDIR/customers/<Name_of_
Domain>/CPR77CMP-
R81.10/lib/communities.def

R77.20.x on SMB Appliances $MDSDIR/customers/<Name_of_

1100 / 1200R / 1400 Domain>/CPSFWR77CMP-
R81.10/lib/communities.def

R81.10 Multi-Domain Security Management Administration Guide | 156

Location of 'base.def' Files on the Management Server

Location of 'base.def' Files on the Management

Server
The 'base.def' files contain definitions of packet inspection for various network protocols.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target Security

Location of the File
Gateway

R81.10 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/base.def

R81.10.x on Quantum Spark /opt/CPmds-R81.10/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPsuite-R81.10/fw1/lib/base.def

R81 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/base.def

R80.40 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/base.def

R80.30SP on Maestro $MDSDIR/customers/<Name_of_

Domain>/CPR8040CMP-R81.10/lib/base.def

R80.30 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/base.def

R80.20SP on Maestro, or $MDSDIR/customers/<Name_of_

Scalable Chassis Domain>/CPR8040CMP-R81.10/lib/base.def

R80.20 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/base.def

R80.20.x on Quantum Spark $MDSDIR/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPSFWR80CMP-R81.10/lib/base.def

R80.10 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/base.def

R81.10 Multi-Domain Security Management Administration Guide | 157

Location of 'base.def' Files on the Management Server

Version of the Target Security

Location of the File
Gateway

R77.30 $MDSDIR/customers/<Name_of_
Domain>/CPR77CMP-R81.10/lib/base.def

R77.20.x on SMB Appliances $MDSDIR/customers/<Name_of_

1100 / 1200R / 1400 Domain>/CPSFWR77CMP-R81.10/lib/base.def

R81.10 Multi-Domain Security Management Administration Guide | 158

Location of 'dhcp.def' Files on the Management Server

Location of 'dhcp.def' Files on the Management

Server
The 'dhcp.def' files contain definitions of packet inspection for DHCP traffic - DHCP
Request, DHCP Reply, and DHCP Relay.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target Security

Location of the File
Gateway

R81.10 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/dhcp.def

R81.10.x on Quantum Spark /opt/CPmds-R81.10/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPsuite-R81.10/fw1/lib/dhcp.def

R81 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/dhcp.def

R80.40 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/dhcp.def

R80.30SP on Maestro $MDSDIR/customers/<Name_of_

Domain>/CPR8040CMP-R81.10/lib/dhcp.def

R80.30 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/dhcp.def

R80.20SP on Maestro, or $MDSDIR/customers/<Name_of_

Scalable Chassis Domain>/CPR8040CMP-R81.10/lib/dhcp.def

R80.20 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/dhcp.def

R80.20.x on Quantum Spark $MDSDIR/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPSFWR80CMP-R81.10/lib/dhcp.def

R80.10 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/dhcp.def

R81.10 Multi-Domain Security Management Administration Guide | 159

Location of 'dhcp.def' Files on the Management Server

Version of the Target Security

Location of the File
Gateway

R77.30 $MDSDIR/customers/<Name_of_
Domain>/CPR77CMP-R81.10/lib/dhcp.def

R77.20.x on SMB Appliances $MDSDIR/customers/<Name_of_

1100 / 1200R / 1400 Domain>/CPSFWR77CMP-R81.10/lib/dhcp.def

R81.10 Multi-Domain Security Management Administration Guide | 160

Location of 'gtp.def' Files on the Management Server

Location of 'gtp.def' Files on the Management

Server
The 'gtp.def' files contain definitions of packet inspection for GTP (GPRS Tunneling
Protocol) traffic.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target Security

Location of the File
Gateway

R81.10 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/gtp.def

R81.10.x on Quantum /opt/CPmds-R81.10/customers/<Name_of_

SparkAppliances1500 / 1600 / Domain>/CPSFWR81CMP-R81.10/fw1/lib/gtp.def
1800

R81 $MDSDIR/customers/<Name_of_
Domain>/CPsuite-R81.10/fw1/lib/gtp.def

R80.40 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/gtp.def

R80.30SP on Maestro $MDSDIR/customers/<Name_of_

Domain>/CPR8040CMP-R81.10/lib/gtp.def

R80.30 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/gtp.def

R80.20SP on Maestro, or $MDSDIR/customers/<Name_of_

Scalable Chassis Domain>/CPR8040CMP-R81.10/lib/gtp.def

R80.20 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/gtp.def

R80.20.x on Quantum Spark $MDSDIR/customers/<Name_of_

Appliances 1500 / 1600 / 1800 Domain>/CPSFWR80CMP-R81.10/lib/gtp.def

R80.10 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/gtp.def

R81.10 Multi-Domain Security Management Administration Guide | 161

Location of 'gtp.def' Files on the Management Server

Version of the Target Security

Location of the File
Gateway

R77.30 $MDSDIR/customers/<Name_of_
Domain>/CPR77CMP-R81.10/lib/gtp.def

R77.20.x on SMB Appliances $MDSDIR/customers/<Name_of_

1100 / 1200R / 1400 Domain>/CPSFWR77CMP-R81.10/lib/gtp.def

R81.10 Multi-Domain Security Management Administration Guide | 162

Location of 'implied_rules.def' Files on the Management Server

Location of 'implied_rules.def' Files on the

Management Server
The 'implied_rules.def' files contain the default implied rules.

Important - You must edit the file in the context of the applicable Domain
Management Server. To go to the required context, use the command "mdsenv <IP
Address or Name of Domain Management Server>".

Location of files on an R81.10 Domain Management Server:

Version of the Target

Location of the File
Security Gateway

R81.10 $MDSDIR/customers/<Name_of_Domain>/CPsuite-
R81.10/fw1/lib/implied_rules.def

R81.10.x on Quantum Spark /opt/CPmds-R81.10/customers/<Name_of_

Appliances 1500 / 1600 / Domain>/CPsuite-R81.10/fw1/lib/implied_
1800 rules.def

R81 $MDSDIR/customers/<Name_of_Domain>/CPsuite-
R81.10/fw1/lib/implied_rules.def

R80.40 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/implied_
rules.def

R80.30SP on Maestro $MDSDIR/customers/<Name_of_

Domain>/CPR8040CMP-R81.10/lib/implied_
rules.def

R80.30 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/implied_
rules.def

R80.20SP on Maestro, or $MDSDIR/customers/<Name_of_

Scalable Chassis Domain>/CPR8040CMP-R81.10/lib/implied_
rules.def

R80.20 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/implied_
rules.def

R81.10 Multi-Domain Security Management Administration Guide | 163

Location of 'implied_rules.def' Files on the Management Server

Version of the Target

Location of the File
Security Gateway

R80.20.x on Quantum Spark $MDSDIR/customers/<Name_of_

Appliances 1500 / 1600 / Domain>/CPSFWR80CMP-R81.10/lib/implied_
1800 rules.def

R80.10 $MDSDIR/customers/<Name_of_
Domain>/CPR8040CMP-R81.10/lib/implied_
rules.def

R77.30 $MDSDIR/customers/<Name_of_
Domain>/CPR77CMP-R81.10/lib/implied_
rules.def

R77.20.x on SMB Appliances $MDSDIR/customers/<Name_of_

1100 / 1200R / 1400 Domain>/CPSFWR77CMP-R81.10/lib/implied_
rules.def

R81.10 Multi-Domain Security Management Administration Guide | 164

Command Line Reference

See the R81.10 CLI Reference Guide.
Below is a limited list of applicable commands.

Syntax Legend
Whenever possible, this guide lists commands, parameters and options in the alphabetical
order.
This guide uses this convention in the Command Line Interface (CLI) syntax:

R81.10 Multi-Domain Security Management Administration Guide | 165

Command Line Reference

Character Description

TAB Shows the available nested subcommands:

main command
→ nested subcommand 1
→ → nested subsubcommand 1-1
→ → nested subsubcommand 1-2
→ nested subcommand 2
Example:
cpwd_admin
config
-a <options>
-d <options>
-p
-r
del <options>
Meaning, you can run only one of these commands:
n This command:
cpwd_admin config -a <options>
n Or this command:
cpwd_admin config -d <options>
n Or this command:
cpwd_admin config -p
n Or this command:
cpwd_admin config -r
n Or this command:
cpwd_admin del <options>

Curly brackets or Enclose a list of available commands or parameters, separated by

braces the vertical bar |.
{} User can enter only one of the available commands or parameters.

Angle brackets Enclose a variable.

<> User must explicitly specify a supported value.

Square brackets or Enclose an optional command or parameter, which user can also
brackets enter.
[]

R81.10 Multi-Domain Security Management Administration Guide | 166

cma_migrate

cma_migrate
Description
On the applicable target Domain Management Server, imports the management database that
was exported from an R7x Domain Management Server.

Note - This command updates the database schema before it imports. First, the
command runs pre-upgrade verification. If no errors are found, migration continues. If
there are errors, you must fix them on the source R7x Domain Management Server
according to instructions in the error messages. Then do this procedure again.

For the complete procedure, see the R81.10 Installation and Upgrade Guide.

Syntax

cma_migrate /<Full Path>/<Name of R7x Domain Exported File>.tgz

/<Full Path>/<$FWDIR Directory of the New Domain Management
Server>/

Example

[[email protected]_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz

/opt/CPmds-R81.10/customers/MyDomain3/CPsuite-R81.10/fw1/

R81.10 Multi-Domain Security Management Administration Guide | 167

contract_util

contract_util
Description
Works with the Check Point Service Contracts.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util [-d]
check <options>
cpmacro <options>
download <options>
mgmt
print <options>
summary <options>
update <options>
verify

Parameters

Parameter Description

check Checks whether the Security Gateway is eligible for an upgrade.

cpmacro Overwrites the current cp.macro file with the specified cp.macro file.
<options>

download Downloads all associated Check Point Service Contracts from the User
<options> Center, or from a local file.

mgmt Delivers the Service Contract information from the Management Server to
the managed Security Gateways.

print Shows all the installed licenses and whether the Service Contract covers
<options> these license, which entitles them for upgrade or not.

summary Shows post-installation summary.

update Updates Check Point Service Contracts from your User Center account.
<options>

R81.10 Multi-Domain Security Management Administration Guide | 168

contract_util

Parameter Description

verify Checks whether the Security Gateway is eligible for an upgrade.

This command also interprets the return values and shows a meaningful
message.

R81.10 Multi-Domain Security Management Administration Guide | 169

contract_util check

Description
Checks whether the Security Gateway is eligible for an upgrade.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util check
{-h | -help}
hfa
maj_upgrade
min_upgrade
upgrade

Parameters

Parameter Description

{-h | - Shows the applicable built-in usage.

help}

hfa Checks whether the Security Gateway is eligible for an upgrade to a higher
Hotfix Accumulator.

maj_ Checks whether the Security Gateway is eligible for an upgrade to a higher
upgrade Major version.

min_ Checks whether the Security Gateway is eligible for an upgrade to a higher
upgrade Minor version.

upgrade Checks whether the Security Gateway is eligible for an upgrade.

R81.10 Multi-Domain Security Management Administration Guide | 170

contract_util cpmacro

Description
Overwrites the current cp.macro file with the specified cp.macro file, if the specified is
newer than the current file.
For more information about the cp.macro file, see sk96217: What is a cp.macro file?

Syntax

contract_util cpmacro /<path_to>/cp.macro

This command shows one of these messages:

Message Description

CntrctUtils_ The contract_util cpmacro command failed:

Write_cp_macro
returned -1
n Failed to create a temporary file.
n Failed to write to a temporary file.
n Failed to replace the current file.

CntrctUtils_ The contract_util cpmacro command was able to

Write_cp_macro overwrite the current file with the specified file, because the
returned 0 specified file is newer.

CntrctUtils_ The contract_util cpmacro command did not overwrite the

Write_cp_macro current file, because it is newer than the specified file.
returned 1

R81.10 Multi-Domain Security Management Administration Guide | 171

contract_util download

Description
Downloads all associated Check Point Service Contracts from User Center, or from a local file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util download
{-h | -help}
local
{-h | -help}
[{hfa | maj_upgrade | min_upgrade | upgrade}] <Service
Contract File>
uc
{-h | -help}
[-i] [{hfa | maj_upgrade | min_upgrade | upgrade}]
<Username> <Password> [<Proxy Server> [<Proxy Username>:<Proxy
Password>]]

R81.10 Multi-Domain Security Management Administration Guide | 172

contract_util download

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-i Interactive mode - prompts the user for the User Center

credentials and proxy server settings.

local Specifies to download the Service Contract from the local

file.
This is equivalent to the "cplic contract put"
command (see "cplic contract" on page 254).

uc Specifies to download the Service Contract from the User

Center.

hfa Downloads the information about a Hotfix Accumulator.

maj_upgrade Downloads the information about a Major version.

min_upgrade Downloads the information about a Minor version.

upgrade Downloads the information about an upgrade.

<Username> Your User Center account e-mail address.

<Password> Your User Center account password.

<Proxy Server> [<Proxy Specifies that the connection to the User Center goes
Username>:<Proxy through the proxy server.
Password>]
n <Proxy Server> - IP address of resolvable
hostname of the proxy server
n <Proxy Username> - Username for the proxy
server.
n <Proxy Password> - Password for the proxy
server.
Note - If you do not specify the proxy server explicitly, the
command uses the proxy server configured in the
management database.

<Service Contract Path to and the name of the Service Contract file.
File> First, you must download the Service Contract file from
your User Center account.

R81.10 Multi-Domain Security Management Administration Guide | 173

contract_util mgmt

Description
Delivers the Service Contract information from the Management Server to the managed
Security Gateways.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util mgmt

R81.10 Multi-Domain Security Management Administration Guide | 174

contract_util print

Description
Shows all the installed licenses and whether the Service Contract covers these license, which
entitles them for upgrade or not.
This command can show which licenses are not recognized by the Service Contract file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util [-d] print

{-h | -help}
hfa
maj_upgrade
min_upgrade
upgrade

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Shows a formatted table header and more information.

hfa Shows the information about Hotfix Accumulator.

maj_upgrade Shows the information about Major version.

min_upgrade Shows the information about Minor version.

upgrade Shows the information about an upgrade.

R81.10 Multi-Domain Security Management Administration Guide | 175

contract_util summary

Description
Shows post-installation summary and whether this Check Point computer is eligible for
upgrades.

Syntax

contract_util summary
hfa
maj_upgrade
min_upgrade
upgrade

Parameters

Parameter Description

hfa Shows the information about Hotfix Accumulator.

maj_upgrade Shows the information about Major version.

min_upgrade Shows the information about Minor version.

upgrade Shows the information about an upgrade.

R81.10 Multi-Domain Security Management Administration Guide | 176

contract_util update

Description
Updates the Check Point Service Contracts from your User Center account.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util update
[-proxy <Proxy Server>:<Proxy Port>]
[-ca_path <Path to ca-bundle.crt File>]

Parameters

Parameter Description

update Updates Check Point Service Contracts (attached to pre-

installed licenses) from your User Center account.

-proxy <Proxy Specifies that the connection to the User Center goes through
Server>:<Proxy the proxy server:
Port>
n <Proxy Server> - IP address of resolvable hostname
of the proxy server.
n <Proxy Port> - The applicable port on the proxy
server.
Note - If you do not specify the proxy explicitly, the
command uses the proxy configured in the management
database.

-ca_path <Path to Specifies the path to the Certificate Authority Bundle file (ca-
ca-bundle.crt File> bundle.crt).
Note - If you do not specify the path explicitly, the
command uses the default path.

R81.10 Multi-Domain Security Management Administration Guide | 177

contract_util verify

Description
Checks whether the Security Gateway is eligible for an upgrade.
This command is the same as the command, but it also interprets the return values and shows
a meaningful message.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util verify

R81.10 Multi-Domain Security Management Administration Guide | 178

cp_conf

cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
-h
admin <options>
auto <options>
ca <options>
client <options>
finger <options>
lic <options>
snmp <options>

Parameters

Parameter Description

-h Shows the entire built-in usage.

admin Configures Check Point system administrators for the Security

<options> Management Server.
See "cp_conf admin" on page 181.

auto Shows and configures the automatic start of Check Point products during
<options> boot.
See "cp_conf auto" on page 184.

ca n Configures the Certificate Authority's (CA) Fully Qualified Domain

<options> Name (FQDN).
n Initializes the Internal Certificate Authority (ICA).
See "cp_conf ca" on page 185.

client Configures the GUI clients that can use SmartConsole to connect to the
<options> Security Management Server.
See "cp_conf client" on page 187.

R81.10 Multi-Domain Security Management Administration Guide | 179

cp_conf

Parameter Description

finger Shows the ICA's Fingerprint.

<options> See "cp_conf finger" on page 191.

lic Manages Check Point licenses.

<options> See "cp_conf lic" on page 192.

snmp Do not use these outdated commands.

<options> To configure SNMP, see the R81.10 Gaia Administration Guide - Chapter
System Management - Section SNMP.

R81.10 Multi-Domain Security Management Administration Guide | 180

cp_conf admin

Description
Configures Check Point system administrators for the Security Management Server.

Notes:
n Multi-Domain Server does not support this command.
n Only one administrator can be defined in the menu.
To define additional administrators, use SmartConsole.
n This command corresponds to the option Administrator in the
menu.

Syntax

cp_conf admin
-h
add [<UserName> <Password> {a | w | r}]
add -gaia [{a | w | r}]
del <UserName1> <UserName2> ...
get

R81.10 Multi-Domain Security Management Administration Guide | 181

cp_conf admin

Parameters

Parameter Description

-h Shows the applicable built-in usage.

add [<UserName> Adds a Check Point system administrator:

<Password> {a | w | r}]
n <UserName> - Specifies the administrator's
username
n <Password> - Specifies the administrator's
password
n a - Assigns all permissions - read settings, write
settings, and manage administrators
n w - Assigns permissions to read and write settings
only (cannot manage administrators)
n r - Assigns permissions to only read settings

add -gaia [{a | w | r}] Adds the Gaia administrator user admin:
n a - Assigns all permissions - read settings, write
settings, and manage administrators
n w - Assigns permissions to read and write settings
only (cannot manage administrators)
n r - Assigns permissions to only read settings

del <UserName1> Deletes the specified system administrators.

<UserName2> ...

get Shows the list of the configured system administrators.

get -gaia Shows the management permissions assigned to the

Gaia administrator user admin.

R81.10 Multi-Domain Security Management Administration Guide | 182

cp_conf admin

Example 1 - Adding a Check Point system administrator

[Expert@MGMT:0]# cp_conf admin add

Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Administrator admin was modified successfully and has

Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators

are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

Example 2 - Adding the Gaia administrator user

[Expert@MGMT:0]# cp_conf admin add -gaia

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators

are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a

Administrator admin already exists.

Administrator admin was modified successfully and has

Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w

Administrator admin already exists.

Administrator admin was modified successfully and has

Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r

Administrator admin already exists.

Administrator admin was modified successfully and has

Read Only Permission for all products
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 183

cp_conf auto

Description
Shows and controls which of Check Point products start automatically during boot.

Note - On a Multi-Domain Server, use the option Automatic Start of Multi-Domain

Server in the "mdsconfig" on page 487menu.

Parameters

Parameter Description

-h Shows the applicable built-in usage.

{enable | disable} Controls whether the installed Check Point

<Product1> <Product2> ... products start automatically during boot.
This command is for Check Point use only.

get all Shows which of these Check Point products start

automatically during boot:
n Check Point Security Gateway
n QoS (former FloodGate-1)
n SmartEvent Suite

R81.10 Multi-Domain Security Management Administration Guide | 184

cp_conf ca

Description
This command changes the settings of the Internal Certificate Authority (ICA).

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_conf ca
-h
fqdn <FQDN Name>
init

Parameters

Parameter Description

-h Shows the applicable built-in usage.

fqdn <FQDN Configures the Fully Qualified Domain Name (FQDN) for the Internal
Name> Certificate Authority (ICA).
The "<FQDN Name>" is the text string in this format:
hostname.domainname
Notes:
n The existing certificates for configured objects are not
revoked.
n The existing ICA certificate is not changed.
n The Management Server uses the specified "<FQDN Name>"
to configure the Certificate Revocation List Distribution Point
(CRL DP) property in all certificates that the ICA generates.
Refer to this command: "cpca_client get_crldp" on page 223

init Initializes the Internal Certificate Authority (ICA).

R81.10 Multi-Domain Security Management Administration Guide | 185

cp_conf ca

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn MyMGMT.checkpoint.com

Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
MyMGMT.checkpoint.com was successfully set to the Internal CA
[Expert@MyMGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 186

cp_conf client

Description
Configures the GUI clients that are allowed to connect with SmartConsoles to the Security
Management Server.

Notes:
n Multi-Domain Server does not support this command.
n This command corresponds to the option GUI Clients in the
menu.

Syntax

cp_conf client
add <GUI Client>
createlist <GUI Client 1> <GUI Client 2> ...
del <GUI Client 1> <GUI Client 2> ...
get

R81.10 Multi-Domain Security Management Administration Guide | 187

cp_conf client

Parameters

Parameter Description

-h Shows the built-in usage.

<GUI Client> <GUI Client> can be one of these:

n One IPv4 address (for example,
192.168.10.20), or
one IPv6 address (for example,
3731:54:65fe:2::a7)
n One hostname (for example, MyComputer)
n "Any" - To denote all IPv4 and IPv6
addresses without restriction
n A range of IPv4 addresses (for example,
192.168.10.0/255.255.255.0), or
a range of IPv6 addresses (for example,
2001::1/128)
n IPv4 address wildcard (for example,
192.168.10.*)

add <GUI Client> Adds a GUI client.

createlist <GUI Client 1> Deletes the current allowed GUI clients and creates
<GUI Client 2> ... a new list of allowed GUI clients.

del <GUI Client 1> <GUI Deletes the specified the GUI clients.
Client 2> ...

get Shows the allowed GUI clients.

Examples
Example 1 - Configure one IPv4 address
[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.15

172.20.168.15 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

172.20.168.15
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.15

172.20.168.15 was deleted successfully
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 188

cp_conf client

Example 2 - Configure one hostname

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost

MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost

MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

Example 3 - Configure "Any"

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"

Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"

Any was deleted successfully
[Expert@MGMT:0]#

Example 4 - Configure a range of IPv4 addresses

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0

172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.0/255.255.255.0

172.20.168.0/255.255.255.0 was deleted successfully
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 189

cp_conf client

Example 5 - Configure IPv4 address wildcard

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*

172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*

172.20.168.* was deleted successfully
[Expert@MGMT:0]#

Example 6 - Delete the current list and create a new list of allowed GUI clients
[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0

172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist 192.168.40.0/255.255.255.0 172.30.40.55

New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

192.168.40.0/255.255.255.0
172.30.40.55
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"

New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

Any
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 190

cp_conf finger

Description
Shows the Internal Certificate Authority's Fingerprint.
This fingerprint is a text string derived from the ICA certificate on the Security Management
Server, Multi-Domain Server, or Domain Management Server.
This fingerprint verifies the identity of the Security Management Server, Multi-Domain Server,
or Domain Management Server when you connect to it with SmartConsole.

Note - On a Multi-Domain Server:

n To see the fingerprint of the Multi-Domain Server, this command corresponds to
the option Certificate's Fingerprint in the "mdsconfig" on page 487 menu.
n You can run this command in these contexts:
l To see the fingerprint of the Multi-Domain Server, run it in the context of

the Multi-Domain Server:

mdsenv
l To see the fingerprint of a Domain Management Server, run it in the
context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management
Server>

Syntax

cp_conf finger
-h
get

Parameters

Parameter Description

-h Shows the applicable built-in usage.

get Shows the ICA's Fingerprint.

Example

[Expert@MGMT:0]# cp_conf finger get

EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 191

cp_conf lic

Description
Shows, adds and deletes Check Point licenses.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax on a Management Server in Gaia Clish or the Expert mode

cp_conf lic
-h
add -f <Full Path to License File>
add -m <Host> <Date> <Signature Key> <SKU/Features>
del <Signature Key>
get [-x]

R81.10 Multi-Domain Security Management Administration Guide | 192

cp_conf lic

Parameters

Parameter Description

-h Shows the applicable built-in usage.

add -f <Full Path to Adds a license from the specified Check Point
License File> license file.
You get this license file in the Check Point User
Center.
This is the same command as the "cplic db_add" on
page 256.

add -m <Host> <Date> Adds the license manually.

<Signature Key> You get these license details in the Check Point
<SKU/Features> User Center.
This is the same command as the "cplic db_add" on
page 256.

del <Signature Key> Delete the license based on its signature.

This is the same command as the "cplic del" on
page 261.

get [-x] Shows the local installed licenses.

If you specify the "-x" parameter, output also
shows the signature key for every installed license.
This is the same command as the "cplic print" on
page 265.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic

License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get

Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 193

cp_conf lic

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get

Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@MyHostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 194

cp_log_export

cp_log_export
Description
Exports Check Point logs over syslog.
For more information, see sk122323 and R81.10 Logging and Monitoring Administration
Guide.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_log_export
cp_log_export <command-name> help

Parameters

Parameter Description

No Parameters Shows the built-in general help.

<command-name> help Shows the built help for the specified internal command.

R81.10 Multi-Domain Security Management Administration Guide | 195

cp_log_export

Internal Commands

Name Description

add Configures a new Check Point Log Exporter.

cp_log_export add name <Name> target-server <Target-
Server> target-port <Target-Server-Port> protocol
{udp | tcp} [Optional Arguments]

delete Removes an existing Log Exporter.

cp_log_export delete name <Name>

reconf Applies the Log Exporter configuration to all existing exporters.

cp_log_export reconf [name <Name>]

reexport Resets the current log position and exports all logs again based on the
configuration.
cp_log_export reexport name <Name> --apply-now
cp_log_export reexport name <Name> start-position
<Position of Last Exported Log> --apply-now
cp_log_export reexport name <Name> start-position
<Position of Gap Start> end-position <Position of
Gap End> --apply-now

restart Restarts a Log Exporter process.

cp_log_export restart name <Name>

set Updates an existing Log Exporter configuration.

cp_log_export set name <Name> [<Optional Arguments>]

show Shows the current Log Exporter configuration.

cp_log_export show [<Optional Arguments>]

start Starts an existing Log Exporter process.

cp_log_export start name <Name>

status Shows a Log Exporter overview status.

cp_log_export status [<Optional Arguments>]

R81.10 Multi-Domain Security Management Administration Guide | 196

cp_log_export

Name Description

stop Stops an existing Log Exporter process.

cp_log_export stop name <Name>

R81.10 Multi-Domain Security Management Administration Guide | 197

cp_log_export

Internal Command Arguments

Req
uired
for
"rest
Req art",
Requ Requ
Requ Requ uired "sho
ired ired
ired ired for w",
for for
for for "rec "stat
Name Description "dele "reex
"add" "set" onf" us",
te" port"
com com com "star
com com
mand mand man t",
mand mand
d "sto
p"
com
man
d

--apply-now Applies immediately Optio Optio Man N/A N/A Man

any change that was nal nal dator dator
done with the "add", y y
"set", "delete", or
"reexport"
command.

ca-cert Specifies the full Optio Optio N/A N/A N/A N/A
<Path> path to the CA nal nal
certificate file
*.pem.
Important -
Applicable only
when the value
of the
"encrypted"
argument is
"true".

R81.10 Multi-Domain Security Management Administration Guide | 198

cp_log_export

client-cert Specifies the full Optio Optio N/A N/A N/A N/A
<Path> path to the client nal nal
certificate *.p12.
Important -
Applicable only
when the value
of the
"encrypted"
argument is
"true".

client- Specifies the Optio Optio N/A N/A N/A N/A

secret challenge phrase nal nal
<Phrase> used to create the
client certificate
*.p12.
Important -
Applicable only
when the value
of the
"encrypted"
argument is
"true".

R81.10 Multi-Domain Security Management Administration Guide | 199

cp_log_export

domain- On a Multi-Domain Man Man Man N/A Opti Man

server {mds Server, specifies the dator dator dator onal dator
| all} applicable Domain y y y y
Management Server
context.
On a Multi-Domain
Log Server,
specifies the
applicable Domain
Log Server context.
Important:
n "mds" (in
small
letters) -
Exports
all logs
from only
the main
MDS
level.
n "all" (in
small
letters) -
Exports
all logs
from all
Domains.

R81.10 Multi-Domain Security Management Administration Guide | 200

cp_log_export

enabled Default: true Optio Optio N/A N/A N/A N/A

{true | nal nal
false}

encrypted Specifies whether to Optio Optio N/A N/A N/A N/A

{true | use TSL (SSL) nal nal
false} encryption to send
the logs.
Default: false

end-position Specifies the end N/A N/A N/A N/A N/A Optio
<Position> position, up to which nal
to export the logs.

export- Specifies whether to Optio Optio N/A N/A N/A N/A

attachment- add a field to the nal nal
ids {true | exported logs that
false} represents the ID of
log's attachment (if
exists).
Default: false

R81.10 Multi-Domain Security Management Administration Guide | 201

cp_log_export

export- Specifies whether to Optio Optio N/A N/A N/A N/A

attachment- add a field to the nal nal
link {true | exported logs that
false} represents a link to
SmartView that
shows the log card
and automatically
opens the
attachment.
Default: false

export-link Specifies whether to Optio Optio N/A N/A N/A N/A

{true | add a field to the nal nal
false} exported logs that
represents a link to
SmartView that
shows the log card.
Default: false

R81.10 Multi-Domain Security Management Administration Guide | 202

cp_log_export

export-link- Specifies whether to Optio Optio N/A N/A N/A N/A

ip {true | make the links to nal nal
false} SmartView use a
custom IP address
(for example, for a
Log Server behind
NAT).
Important -
Applicable only
when the value
of the
"export-
link"
argument is
"true", or the
value of the
"export-
attachment-
link"
argument is
"true".
Default: false

export-log- Specifies whether to Optio Optio N/A N/A N/A N/A

position export the log's nal nal
{true | position.
false} Default: false

R81.10 Multi-Domain Security Management Administration Guide | 203

cp_log_export

filter- Specifies whether to Optio Optio N/A N/A N/A N/A

action-in export all logs that nal nal
{"Action1"," contain a specific
Action2",... value in the "Action"
| false} field.
Each value must be
surrounded by
double quotes ("").
Multiple values are
supported and must
be separated by a
comma without
spaces.
To see all valid
values:
1. In
SmartConsole
, go to the
Logs &
Monitor view
and open the
Logs tab.
2. In the top
query field,
enter action:
and a letter.
Examples of values:

R81.10 Multi-Domain Security Management Administration Guide | 204

cp_log_export

n Accept
n Block
n Bypass
n Detect
n Drop
n HTTPS
Bypass
n HTTPS
Inspect
n Prevent
n Reject

Important -
This parameter
replaces any
other filter
configuration
that was
declared earlier
on this field
directly in the
filtering XML
file. Other field
filters are not
overwritten.

R81.10 Multi-Domain Security Management Administration Guide | 205

cp_log_export

filter- Specifies whether to Optio Optio N/A N/A N/A N/A

blade-in export all logs that nal nal
{"Blade1","B contain a specific
lade2",... | value in the "Blade"
false} field (the object
name of the
Software Blade that
generated these
logs).
Each value must be
surrounded by
double quotes ("").
Multiple values are
supported and must
be separated by a
comma without
spaces.
To see all valid
values:
1. In
SmartConsole
, go to the
Logs &
Monitor view
and open the
Logs tab.

R81.10 Multi-Domain Security Management Administration Guide | 206

cp_log_export

2. In the top
query field,
enter blade:
and a letter.
Examples of values:
n Anti-Bot
n Firewall
n HTTPS
Inspection
n Identity
Awareness
n IPS
Valid Software
Blade families:
n Access
n TP
n Endpoint
n Mobile

R81.10 Multi-Domain Security Management Administration Guide | 207

cp_log_export

Important -
This parameter
replaces any
other filter
configuration
that was
declared earlier
on this field
directly in the
filtering XML
file. Other field
filters are not
overwritten.

R81.10 Multi-Domain Security Management Administration Guide | 208

cp_log_export

filter- Specifies whether to Optio Optio N/A N/A N/A N/A

origin-in export all logs that nal nal
{"Origin1"," contain a specific
Origin2",... value in the "Origin"
| false} field (the object
name of the Security
Gateway / Cluster
Member that
generated these
logs).
Each origin value
must be surrounded
by double quotes
("").
Multiple values are
supported and must
be separated by a
comma without
spaces.

R81.10 Multi-Domain Security Management Administration Guide | 209

cp_log_export

Important -
This parameter
replaces any
other filter
configuration
that was
declared earlier
on this field
directly in the
filtering XML
file. Other field
filters are not
overwritten.

format Specifies the format, Optio Optio N/A N/A N/A N/A
{generic | in which the logs are nal nal
cef | json | exported.
leef | Default: syslog
logrhythm |
rsa | splunk
| syslog}

R81.10 Multi-Domain Security Management Administration Guide | 210

cp_log_export

name Specifies the unique Man Man Man Opti Opti Man
"<Name>" name of the Log dator dator dator onal. onal. dator
Exporter y y y By By y
configuration. defa defa
ult, ult,
appli appli
es to es to
all. all.

R81.10 Multi-Domain Security Management Administration Guide | 211

cp_log_export

Notes:
n Allowed
characters
are: Latin
letters, digits
("0-9"),
minus ("-"),
underscore
("_"), and
period (".").
n Must start
with a letter.
n The minimum
length is two
characters.
n The "add"
command
creates a new
target
directory with
the specified
unique name
in the
$EXPORTERD
IR/target
s/ directory.

R81.10 Multi-Domain Security Management Administration Guide | 212

cp_log_export

protocol Specifies the Layer Man Optio N/A N/A N/A N/A
{tcp | udp} 4 Transport protocol dator nal
to use (TCP or y
UDP).
There is no default
value.

R81.10 Multi-Domain Security Management Administration Guide | 213

cp_log_export

read-mode Specifies the mode, Optio Optio N/A N/A N/A N/A
{raw | semi- in which to read the nal nal
unified} log files.
n raw -
Specifies to
export log
records
without any
unification.
n semi-
unified -
Specifies to
export log
records with
step-by-step
unification.
That is, for
each log
record, export
a record that
unifies this
record with all
previously-
encountered
records with
the same ID.

R81.10 Multi-Domain Security Management Administration Guide | 214

cp_log_export

Default: semi-
unified
Default: raw

reconnect- Specifies the Optio Optio N/A N/A N/A N/A

interval interval (in minutes) nal nal
{<Number> | after which the Log
default} Exporter must
connect again to the
target server after
the connection is
lost.‎
To disable, enter the
value "default".
There is no default
value.

start- Specifies the start N/A N/A N/A N/A N/A Optio
position position, from which nal
<Position> to export the logs.

target-port Specifies the Man Optio N/A N/A N/A N/A

<Target- listening port on the dator nal
Server-Port> target server, to y
which you export the
logs.

R81.10 Multi-Domain Security Management Administration Guide | 215

cp_log_export

target- Specifies the IP Man Optio N/A N/A N/A N/A

server address or FQDN of dator nal
<Target- the target server, to y
Server> which you export the
logs.

time-in- Specifies whether to Optio Optio N/A N/A N/A N/A

milli {true export logs with the nal nal
| false} time resolution in
milliseconds.
Requires Security
Gateways R81 and
higher.
Default: false

R81.10 Multi-Domain Security Management Administration Guide | 216

cpca_client

cpca_client
Description
Execute operations on the Internal Certificate Authority (ICA).

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d]
create_cert <options>
double_sign <options>
get_crldp <options>
get_pubkey <options>
init_certs <options>
lscert <options>
revoke_cert <options>
revoke_non_exist_cert <options>
search <options>
set_ca_services <options>
set_cert_validity <options>
set_mgmt_tool <options>
set_sign_hash <options>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect
the output to a file, or use the script command to save
the entire CLI session.

create_cert Issues a SIC certificate for the Security Management Server

<options> or Domain Management Server.
See "cpca_client create_cert" on page 219.

R81.10 Multi-Domain Security Management Administration Guide | 217

cpca_client

Parameter Description

double_sign Creates a second signature for a certificate.

<options> See "cpca_client double_sign" on page 221.

get_crldp <options> Shows how to access a CRL file from a CRL Distribution
Point.
See "cpca_client get_crldp" on page 223.

get_pubkey <options> Saves the encoding of the public key of the ICA's certificate
to a file.
See "cpca_client get_pubkey" on page 225.

init_certs <options> Imports a list of DNs for users and creates a file with
registration keys for each user.
See "cpca_client init_certs" on page 226.

lscert <options> Shows all certificates issued by the ICA.

See "cpca_client lscert" on page 227.

revoke_cert Revokes a certificate issued by the ICA.

<options> See "cpca_client revoke_cert" on page 230.

revoke_non_exist_ Revokes a non-existent certificate issued by the ICA.

cert <options> See "cpca_client revoke_non_exist_cert" on page 233.

search <options> Searches for certificates in the ICA.

See "cpca_client search" on page 234.

set_ca_services Controls the Certificate Authority Services Portal.

<options> See "cpca_client set_ca_services" on page 237.

set_cert_validity Configures the default certificate validity period for new

<options> certificates.
See "cpca_client set_cert_validity" on page 239.

set_mgmt_tool Controls the ICA Management Tool.

<options> See "cpca_client set_mgmt_tool" on page 240.

set_sign_hash Sets the hash algorithm that the CA uses to sign the file hash.
<options> See "cpca_client set_sign_hash" on page 245.

R81.10 Multi-Domain Security Management Administration Guide | 218

cpca_client create_cert

Description
Issues a SIC certificate for the Security Management Server or Domain Management Server.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common

Name>" -f <Full Path to PKCS12 file> [-w <Password>] [-k {SIC |
USER | IKE | ADMIN_PKG}] [-c "<Comment for Certificate>"]

R81.10 Multi-Domain Security Management Administration Guide | 219

cpca_client create_cert

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-p <CA port Specifies the TCP port on the Security Management Server or
number> Domain Management Server, which is used to connect to the
Certificate Authority.
The default TCP port number is 18209.

-n "CN=<Common Sets the CN to the specified <Common Name>.

Name>"

-f <Full Path Specifies the PKCS12 file, which stores the certificate and keys.
to PKCS12 file>

-w <Password> Optional. Specifies the certificate password.

-k {SIC | USER Optional. Specifies the certificate kind.

| IKE | ADMIN_
PKG}

-c "<Comment Optional. Specifies the certificate comment (must enclose in double

for quotes).
Certificate>"

Example

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

R81.10 Multi-Domain Security Management Administration Guide | 220

cpca_client double_sign

Description
Creates a second signature for a certificate.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate

File in PEM format> [-o <Full Path to Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-p <CA port Optional. Specifies the TCP port on the Security Management
number> Server or Domain Management Server, which is used to connect to
the Certificate Authority.
The default TCP port number is 18209.

-i Imports the specified certificate (only in PEM format).

-o <Full Path Optional. Saves the certificate into the specified file.
to Output
File>

R81.10 Multi-Domain Security Management Administration Guide | 221

cpca_client double_sign

Example

[Expert@MGMT:0]# cpca_client double_sign -i certificate.pem

Requesting Double Signature for the following Certificate:

refCount: 1
Subject: [email protected],CN=http://www.example.com/,OU=ValiCert Class 2 Policy
Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:

======================
(
: (
:dn ("[email protected],CN=http://www.example.com/,OU=exampleOU Class 2
Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 222

cpca_client get_crldp

Description
Shows the Fully Qualified Domain Name (FQDN) configured for the Internal Certificate
Authority (ICA) with the ""cp_conf ca" on page 185" command.
The Management Server uses this FQDN:
1. To configure the Certificate Revocation List Distribution Point (CRL DP) property in all
certificates that the ICA generates.
2. To create the URL for accessing the CRL.
Example: http://MyMGMT.checkpoint.com:18264/ICA_CRL1.crl

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_crldp [-p <ICA port number>]

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-p <ICA Optional.
port Specifies the TCP port on the Security Management Server or Domain
number> Management Server, which is used to connect to the Certificate Authority.
The default TCP port number is 18264.

R81.10 Multi-Domain Security Management Administration Guide | 223

cpca_client get_crldp

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cpca_client get_crldp

MyMGMT.checkpoint.com
[Expert@MyMGMT:0]

R81.10 Multi-Domain Security Management Administration Guide | 224

cpca_client get_pubkey

Description
Saves the encoding of the public key of the ICA's certificate to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to

Output File>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

-p <CA port Specifies the TCP port on the Security Management Server or Domain
number> Management Server, which is used to connect to the Certificate
Authority.
The default TCP port number is 18209.

Example

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/key.txt[Expert@MGMT:0]#

[Expert@MGMT:0]# cat /tmp/key.txt
3082010a... ... ...f98b8910
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 225

cpca_client init_certs

Description
Imports a list of Distinguished Names (DN) for users and creates a file with registration keys for
each user.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to

Input File> -o <Full Path to Output File>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

-p <CA port Optional. Specifies the TCP port on the Security Management Server or
number> Domain Management Server, which is used to connect to the Certificate
Authority.
The default TCP port number is 18209.

-i <Full Imports the specified file.

Path to Make sure to use the full path.
Input File> Make sure that there is an empty line between each DN in the specified
file.
Example:
...CN=test1,OU=users...
<Empty Line>
...CN=test2,OU=users...

-o <Full Saves the registration keys to the specified file.

Path to This command saves the error messages in the <Name of Output
Output File> File>.failures file in the same directory.

R81.10 Multi-Domain Security Management Administration Guide | 226

cpca_client lscert

Description
Shows all certificates issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid

| Revoked | Expired | Renewed}] [-kind {SIC | IKE | User | LDAP}]
[-ser <Certificate Serial Number>] [-dp <Certificate Distribution
Point>]

R81.10 Multi-Domain Security Management Administration Guide | 227

cpca_client lscert

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then
redirect the output to a file, or use the script
command to save the entire CLI session.

-dn <SubString> Optional. Filters the search results to those with a DN

that matches the specified <SubString>.
This command does not support multiple values.

-stat {Pending | Valid | Optional. Filters the search results to those with
Revoked | Expired | certificate status that matches the specified status.
Renewed} This command does not support multiple values.

-kind {SIC | IKE | User | Optional. Filters the search results to those with
LDAP} certificate kind that matches the specified kind.
This command does not support multiple values.

-ser <Certificate Serial Optional. Filters the search results to those with
Number> certificate serial number that matches the specified
serial number.
This command does not support multiple values.

-dp <Certificate Optional. Filters the search results to the specified

Distribution Point> Certificate Distribution Point (CDP).
This command does not support multiple values.

R81.10 Multi-Domain Security Management Administration Guide | 228

cpca_client lscert

Example

[Expert@MGMT:0]# cpca_client lscert -stat Revoked

Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client lscert -kind IKE

Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 229

cpca_client revoke_cert

Description
Revokes a certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common

Name>" -s <Certificate Serial Number>

R81.10 Multi-Domain Security Management Administration Guide | 230

cpca_client revoke_cert

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

-n Specifies the certificate CN.

"CN=<Common To get the CN, run the "cpca_client lscert" on page 227 command and
Name>" examine the text that you see between the "Subject =" and the
",O=...".
Example
From this output:
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02
2023

you get this syntax:

-n "CN=VS1 VPN Certificate

Note - You can use the parameter '-n' only, or together with the
parameter "-s".

-s Specifies the certificate serial number.

<Certificate To see the serial number, run the "cpca_client lscert" on page 227
Serial command.
Number> Note - You can use the parameter "-s" only, or together with the
parameter "-n".

Example 1 - Revoking a certificate specified by its CN

[Expert@MGMT:0]# cpca_client lscert

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 231

cpca_client revoke_cert

Example 2 - Revoking a certificate specified by its serial number.

[Expert@MGMT:0]# cpca_client lscert

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 232

cpca_client revoke_non_exist_cert

Description
Revokes a non-existent certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input

File>

Parameters

Paramet
Description
er

-d Runs the cpca_client command under debug.

-i Specifies the file that contains the list of the certificate to revoke.
<Full You must create this file in the same format as the "cpca_client lscert" on
Path page 227 command prints its output.
to
Input Example
File> Subject = CN=cp_mgmt,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 30287 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri
Apr 7 19:40:12 2023
<Empty Line>
Subject = CN=cp_mgmt,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 60870 DP = 0
Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri
Apr 7 19:40:13 2023

Note - This command saves the error messages in the <Name of Input
File>.failures file.

R81.10 Multi-Domain Security Management Administration Guide | 233

cpca_client search

Description
Searches for certificates in the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] search <String> [-where {dn | comment | serial |

device_type | device_id | device_name}] [-kind {SIC | IKE | User |
LDAP}] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-
max <Maximal Number of Results>] [-showfp {y | n}]

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the
command itself.
Best Practice - If you use this
parameter, then redirect the output
to a file, or use the script
command to save the entire CLI
session.

<String> Specifies the text to search in the

certificates.
You can enter only one text string that
does not contain spaces.

R81.10 Multi-Domain Security Management Administration Guide | 234

cpca_client search

Parameter Description

-where {dn | comment | serial | Optional. Specifies the certificate's field,

device_type | device_id | device_ in which to search for the string:
name}
n dn - Certificate DN
n comment - Certificate comment
n serial - Certificate serial
number
n device_type - Device type
n device_id - Device ID
n device_name - Device Name
The default is to search in all fields.

-kind {SIC | IKE | User | LDAP} Optional. Specifies the certificate kind
to search.
You can enter multiple values in this
format:
-kind <Kind1> <Kind2> <Kind3>
The default is to search for all kinds.

-stat {Pending | Valid | Revoked | Optional. Specifies the certificate status

Expired | Renewed} to search.
You can enter multiple values in this
format:
-stat <Status1> <Status2>
<Status3>
The default is to search for all statuses.

-max <Maximal Number of Results> Optional. Specifies the maximal number

of results to show.
n Range: 1 and greater
n Default: 200

-showfp {y | n} Optional. Specifies whether to show the

certificate's fingerprint and thumbprint:
n y - Shows the fingerprint and
thumbprint (this is the default)
n n - Does not show the fingerprint
and thumbprint

R81.10 Multi-Domain Security Management Administration Guide | 235

cpca_client search

Example 1

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending
Valid Renewed

Example 2

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dnOperation succeeded. rc=0.

1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

Example 3

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn -showfp nOperation succeeded. rc=0.

1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 236

cpca_client set_ca_services

Description
This command enables and disables the Certificate Authority Services Portal on the
Management Server on the TCP port 18268.
From this portal, you can download the applicable Internal Certificate Authority certificates.
For trust purposes, you can install this certificate on the applicable Security Gateways,
externally managed Site to Site VPN peer gateways, Remote Access VPN clients, clients that
use Clientless VPN, and so on.

Note - In R81.10, the TCP port 18264 on the Management Server is available only for
the retrieval of the CRL (Certificate Revocation List).

Syntax

cpca_client set_ca_services {on | off}

Parameters

Parameter Description

on Enables the Certificate Authority Services Portal

off Disables the Certificate Authority Services Portal

Procedure for a Security Management Server

Enabling the Certificate Authority Services Portal

1. Connect to the command line on the Security Management Server.

2. Log in to the Expert mode.
3. Enable the Certificate Authority Services Portal:

cpca_client set_ca_services on

4. With a web browser, connect to:

http://<IP Address of Security Management Server>:18268

5. Download the required certificate.

6. Install this certificate on the applicable computers.

R81.10 Multi-Domain Security Management Administration Guide | 237

cpca_client set_ca_services

Disabling the Certificate Authority Services Portal

1. Connect to the command line on the Security Management Server.

2. Log in to the Expert mode.
3. Disable the Certificate Authority Services Portal:

cpca_client set_ca_services off

Procedure for a Domain Management Server

Enabling the Certificate Authority Services Portal

1. Connect to the command line on the Multi-Domain Server.

2. Log in to the Expert mode.

3. Go to the context of the Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

4. Enable the Certificate Authority Services Portal:

cpca_client set_ca_services on

5. With a web browser, connect to:

http://<IP Address of Domain Management Server>:18268

6. Download the required certificate.

7. Install this certificate on the applicable computers.

Disabling the Certificate Authority Services Portal

1. Connect to the command line on the Multi-Domain Server.

2. Log in to the Expert mode.
3. Go to the context of the Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

4. Disable the Certificate Authority Services Portal:

cpca_client set_ca_services off

R81.10 Multi-Domain Security Management Administration Guide | 238

cpca_client set_cert_validity

Description
This command configures the default certificate validity period for new certificates.

Notes:
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n The new certificate validity period applies only to certificate you create after this
change.

Syntax

cpca_client set_cert_validity -k {SIC | IKE | USER} [-y <Number of

Years>] [-d <Number of Days>] [-h <Number of Hours>] [-s <Number
of Seconds>]

Parameters

Parameter Description

-k {SIC | IKE | USER} Specifies the certificate type.

-y <Number of Years> Specifies the validity period in years.

-d <Number of Days> Specifies the validity period in days.

-h <Number of Hours> Specifies the validity period in hours.

-s <Number of Seconds> Specifies the validity period in seconds.

Example

[Expert@MGMT:0]# cpca_client set_cert_validity -k IKE -y 3

cert validity period was changed successfully.
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 239

cpca_client set_mgmt_tool

Description
Controls the ICA Management Tool.
This tool is disabled by default.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

See sk102837: Best Practices - ICA Management Tool configuration

Syntax

cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean |

print} [-p <CA port number>] [{-a <Administrator DN> | -u <User
DN> | -c <Custom User DN>}]

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

on Starts the ICA Management Tool.

off Stops the ICA Management Tool.

add Adds the specified administrator, user, or custom user that is

permitted to use the ICA Management Tool.

remove Removes the specified administrator, user, or custom user that is

permitted to use the ICA Management Tool.

clean Removes all administrators, users, or custom users that are

permitted to use the ICA Management Tool.

print Shows the configured administrators, users, or custom users that

are permitted to use the ICA Management Tool.

R81.10 Multi-Domain Security Management Administration Guide | 240

cpca_client set_mgmt_tool

Parameter Description

-a Optional. Specifies the DN of the administrator that is permitted to

<Administrator use the ICA Management Tool.
DN> Must specify the full DN as appears in SmartConsole
Procedure

1. Open Object Explorer > Users

2. Open the Administrator object or a User object properties
3. Click the Certificates pane
4. Select the certificate and click the pencil icon
5. Click View certificate details
6. In the Certificate Info window, click the Details tab
7. Click the Subject field
8. Concatenate all fields

Example:
-a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"

-u <User DN> Optional. Specifies the DN of the user that is permitted to use the
ICA Management Tool.
Must specify the full DN as appears in SmartConsole:
Procedure

1. Open Object Explorer > Users

Example:
-u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

R81.10 Multi-Domain Security Management Administration Guide | 241

cpca_client set_mgmt_tool

Parameter Description

-c <Custom Optional. Specifies the DN for the custom user that is permitted to
User DN> use the ICA Management Tool.
Must specify the full DN as appears in SmartConsole.
Procedure

1. Open Object Explorer > Users

Example:
-c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

Note - If you run the "cpca_client set_mgmt_tool" command without the

parameter "-a" or "-u", the list of the permitted administrators and users is not
changed. The previously defined permitted administrators and users can start and
stop the ICA Management Tool.

R81.10 Multi-Domain Security Management Administration Guide | 242

cpca_client set_mgmt_tool

To connect to the ICA Management Tool

1. In SmartConsole, configure the required administrator and user objects.
You must create a certificate for these administrators and users.
You use this certificate to configure the permitted users in the ICA Management Tool and
in the client web browsers.
2. In the command line on the Management Server, add the required administrators and
users that are permitted to use the ICA Management Tool.

cpca_client set_mgmt_tool add ...

3. In the command line on the Management Server, start the ICA Management Tool.

cpca_client set_mgmt_tool on

4. Check the status of the ICA Management Tool:

cpca_client set_mgmt_tool print

5. Import the administrator's / user's certificate into the Windows Certificate Store:.
a. Right-click the *.p12 file you saved when you created the required administrator /
user, and click Install PFX.
The Certificate Import Wizard opens.

b. In the Store Location section, select the applicable option:

n Current User (this is the default)
n Local Machine

c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator / user certificate.
e. Clear Enable strong private key protection.
f. Select Mark this key as exportable.
g. Click Next.
h. Select Place all certificates in the following store > click Browse > select
Personal > click OK.
i. Click Next.
j. Click Finish.

R81.10 Multi-Domain Security Management Administration Guide | 243

cpca_client set_mgmt_tool

6. In a web browser, connect to the ICA Management Tool:

https://<IP Address of the Management Server>:18265

Important - The fact that the TCP port 18265 is open is not a vulnerability. The
ICA Management Tool Portal is secured and protected by SSL. In addition, only
authorized administrators and users are allowed to access it using a certificate.

7. A dialog box with this message appears:

Client Authentication
Identification
The Web site you want to view requests identification.
Select the certificate to use when connecting.

8. Select the appropriate certificate for authenticating to the ICA Management Tool.
9. Click OK.
10. In the Security Alert dialog box, click Yes.

R81.10 Multi-Domain Security Management Administration Guide | 244

cpca_client set_sign_hash

Description
Sets the hash algorithm that the CA uses to sign the file hash. Also, see sk103840.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}

Important - After this change, you must restart the Check Point services with these
commands:
n On Security Management Server, run:
1. cpstop
2. cpstart
n On a Multi-Domain Server, run:
1. mdsstop_customer <Name or IP Address of Domain
Management Server>
2. mdsstart_customer <Name or IP Address of Domain
Management Server>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter,
then redirect the output to a file, or use the
script command to save the entire CLI
session.

{sha1 | sha256 | sha384 | The hash algorithms that the CA uses to sign the
sha512} file hash.
The default algorithm is SHA-256.

R81.10 Multi-Domain Security Management Administration Guide | 245

cpca_client set_sign_hash

Example

[Expert@MGMT:0]# cpca_client set_sign_hash sha256

You have selected the signature hash function SHA-256

WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.

Are you sure? (y/n)

y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this has no security
implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart

R81.10 Multi-Domain Security Management Administration Guide | 246

cpca_create

cpca_create
Description
Creates new Check Point Internal Certificate Authority database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_create [-d] -dn <CA DN>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect
the output to a file, or use the script command to
save the entire CLI session.

-dn <CA DN> Specifies the Certificate Authority Distinguished Name (DN).

R81.10 Multi-Domain Security Management Administration Guide | 247

cpinfo

cpinfo
Description
A utility that collects diagnostics data on your Check Point computer at the time of execution.
It is mandatory to collect these data when you contact Check Point Support about an issue on
your Check Point server.
For more information, see sk92739.

R81.10 Multi-Domain Security Management Administration Guide | 248

cplic

cplic
Description
The cplic command manages Check Point licenses.
You can run this command in Gaia Clish or in the Expert mode.
License Management is divided into three types of commands:

Licensing
Applies To Description
Commands

Local licensing Management You execute these commands locally on the

commands Servers, Check Point computers.
Security Gateways
and Cluster
Members

Remote Management You execute these commands on the Security

licensing Servers only Management Server or Domain Management
commands Server.
These changes affect the managed Security
Gateways and Cluster Members.

License Management You execute these commands on the Security

Repository Servers only Management Server or Domain Management
commands Server.
These changes affect the licenses stored in the
local license repository.

For more about managing licenses, see the R81.10 Security Management Administration
Guide.

Syntax for Local Licensing on a Management Server itself

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>

R81.10 Multi-Domain Security Management Administration Guide | 249

cplic

Syntax for Remote Licensing on managed Security Gateways and Cluster Members

cplic [-d]
{-h | -help}
del <options>
get <options>
put <options>
upgrade <options>

Syntax for License Database Operations on a Management Server

cplic [-d]
{-h | -help}
db_add <options>
db_print <options>
db_rm <options>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

{-h | -help} Shows the applicable built-in usage.

check Confirms that the license includes the feature on the local Security
<options> Gateway or Management Server.
See "cplic check" on page 252.

contract Manages (deletes and installs) the Check Point Service Contract on
<options> the local Check Point computer.
See "cplic contract" on page 254.

db_add Applies only to a Management Server.

<options> Adds licenses to the license repository on the Management Server.
See "cplic db_add" on page 256.

R81.10 Multi-Domain Security Management Administration Guide | 250

cplic

Parameter Description

db_print Applies only to a Management Server.

<options> Shows the details of Check Point licenses stored in the license
repository on the Management Server.
See "cplic db_print" on page 258.

db_rm Applies only to a Management Server.

<options> Removes a license from the license repository on the Management
Server.
See "cplic db_rm" on page 260.

del <options> Deletes a Check Point license on a host, including unwanted

evaluation, expired, and other licenses.
See "cplic del" on page 261.

del <Object Detaches a Central license from a remote managed Security Gateway
Name> or Cluster Member.
<options> See "cplic del <object name>" on page 262.

get <options> Applies only to a Management Server.

Retrieves all licenses from managed Security Gateways and Cluster
Members into the license repository on the Management Server.
See "cplic get" on page 263.

print Prints details of the installed Check Point licenses on the local Check
<options> Point computer.
See "cplic print" on page 265.

put <options> Installs and attaches licenses on a Check Point computer.

See "cplic put" on page 267.

put <Object Attaches one or more Central or Local licenses to a remote managed
Name> Security Gateways and Cluster Members.
<options> See "cplic put <object name>" on page 270.

upgrade Applies only to a Management Server.

<options> Upgrades licenses in the license repository with licenses in the
specified license file.
See "cplic upgrade" on page 273.

R81.10 Multi-Domain Security Management Administration Guide | 251

cplic check

Description
Confirms that the license includes the feature on the local Security Gateway or Management
Server. See sk66245.

Syntax

cplic check {-h | -help}

cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t
<Date>] [{-r | -routers}] [{-S | -SRusers}] <Feature>

You can run this command:

n On a Management Server / Security Gateway / Cluster Member in Gaia Clish or the
Expert mode
n On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

Parameter Description

{-h | - Shows the applicable built-in usage.

help}

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-p Product, for which license information is requested.

<Product> Some examples of products:
n fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member
/ Security Group (all Software Blades), or Management Server (all
Software Blades)
n mgmt - Multi-Domain Server infrastructure
n services - Entitlement for various services
n cvpn - Mobile Access
n etm - QoS (FloodGate-1)
n eps - Endpoint Software Blades on Management Server

-v Product version, for which license information is requested.

R81.10 Multi-Domain Security Management Administration Guide | 252

cplic check

Parameter Description

{-c | - Outputs the number of licenses connected to this feature.

count}

-t <Date> Checks license status on future date.

Use the format ddmmyyyy.
A feature can be valid on a given date on one license, but invalid on
another.

{-r | - Checks how many routers are allowed.

routers} The <Feature> option is not needed.

{-S | - Checks how many SecuRemote users are allowed.

SRusers}

<Feature> Feature, for which license information is requested.

Example from a Management Server

[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1 fw1:6.0:rt
fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit fw1:6.0:prov
fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes
fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades
fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability

[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

R81.10 Multi-Domain Security Management Administration Guide | 253

cplic contract

Description
Deletes the Check Point Service Contract on the local Check Point computer.
Installs the Check Point Service Contract on the local Check Point computer.

Note
n For more information about Service Contract files, see sk33089: What is a
Service Contract File?
n If you install a Service Contract on a managed Security Gateway / Cluster
Member / Scalable Platform Security Group, you must update the license
repository on the applicable Management Server - either with the "cplic get" on
page 263 command, or in SmartUpdate.

Syntax

cplic contract -h
cplic [-d] contract
del
-h
<Service Contract ID>
put
-h
[{-o | -overwrite}] <Service Contract File>

You can run this command:

n On a Management Server / Security Gateway / Cluster Member in Gaia Clish or the
Expert mode
n On a Scalable Platform Security Group in Gaia gClish or the Expert mode

R81.10 Multi-Domain Security Management Administration Guide | 254

cplic contract

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

del Deletes the Service Contract from the

$CPDIR/conf/cp.contract file on the local Check Point
computer.

put Merges the Service Contract to the $CPDIR/conf/cp.contract

file on the local Check Point computer.

<Service ID of the Service Contract.

Contract ID>

{-o | - Specifies to overwrite the current Service Contract.

overwrite}

<Service Path to and the name of the Service Contract file.

Contract File> First, you must download the Service Contract file from your Check
Point User Center account.

R81.10 Multi-Domain Security Management Administration Guide | 255

cplic db_add

Description
Adds licenses to the license repository on the Management Server.
When you add Local licenses to the license repository, Management Server automatically
attaches them to the managed Security Gateway / Cluster Member with the matching IP
address.
When you add Central licenses, you must manually attach them.

Note - You get the license details in the Check Point User Center.

Syntax

cplic db_add {-h | -help}

cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Features>]

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

-l <License Name of the file that contains the license.

File>

<Host> Hostname or IP address of the Security Management Server / Domain

Management Server.

<Expiration The license expiration date.

Date>

<Signature> The license signature string.

For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
Case sensitive. Hyphens are optional.

R81.10 Multi-Domain Security Management Administration Guide | 256

cplic db_add

Parameter Description

< The SKU of the license summarizes the features included in the
SKU/Features> license.
For example, CPSUITE-EVAL-3DES-vNG

Example
If the file 192.0.2.11.lic contains one or more licenses, the command "cplic db_add -
l 192.0.2.11.lic" produces output similar to:

[Expert@MGMT]# cplic db_add -l 192.0.2.11.lic

Adding license to database ...
Operation Done
[Expert@MGMT]#

R81.10 Multi-Domain Security Management Administration Guide | 257

cplic db_print

Description
Shows the details of Check Point licenses stored in the license repository on the Management
Server.

Syntax

cplic db_print {-h | -help}

cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x]
[{-t | -type}] [{-a | -attached}]

Parameters

Parameter Description

{-h | - Shows the applicable built-in usage.

help}

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

<Object Prints only the licenses attached to <Object Name>.

Name> <Object Name> is the name of the Security Gateway / Cluster Member
object as defined in SmartConsole.

-all Prints all the licenses in the license repository.

{-n | - Prints licenses with no header.

noheader}

-x Prints licenses with their signatures.

{-t | - Prints licenses with their type: Central or Local.

type}

{-a | - Shows to which object the license is attached.

attached} Useful, if the parameter "-all" is specified.

R81.10 Multi-Domain Security Management Administration Guide | 258

cplic db_print

Example

[Expert@MGMT:0]# cplic db_print -all

Retrieving license information from database ...

The following licenses appear in the database:

===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a

Retrieving license information from database ...

The following licenses appear in the database:

===============================================
Host Expiration Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 259

cplic db_rm

Description
Removes a license from the license repository on the Management Server.
After you remove the license from the repository, it can no longer use it.

Warning - You can run this command ONLY after you detach the license with the
"cplic del" on page 261 command.

Syntax

cplic db_rm {-h | -help}

cplic [-d] db_rm <Signature>

Parameters

Parameter Description

{-h | - Shows the applicable built-in usage.

help}

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

<Signature> The signature string within the license.

To see the license signature string, run the "cplic print" on page 265
command.

Example
[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

R81.10 Multi-Domain Security Management Administration Guide | 260

cplic del

Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other
licenses.
This command can delete a license on both local computer, and on remote managed
computers.

Syntax

cplic del {-h | -help}

cplic [-d] del [-F <Output File>] <Signature> <Object Name>

You can run this command:

n On a Management Server / Security Gateway / Cluster Member in Gaia Clish or the
Expert mode
n On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

-F <Output Saves the command output to the specified file.

File>

<Signature> The signature string within the license.

To see the license signature string, run the "cplic print" on page 265
command.

<Object The name of the Security Gateway / Cluster Member object as

Name> configured in SmartConsole.

R81.10 Multi-Domain Security Management Administration Guide | 261

cplic del <object name>

Description
Detaches a Central license from a remote managed Security Gateway or Cluster Member.
When you run this command, it automatically updates the license repository.
The Central license remains in the license repository as an unattached license.

Syntax

cplic del {-h | -help}

cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP
Address>] <Signature>

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the
entire CLI session.

<Object Name> The name of the Security Gateway / Cluster Member object as
defined in SmartConsole.

-F <Output File> Saves the command output to the specified file.

-ip <Dynamic IP Deletes the license on the DAIP Security Gateway with the
Address> specified IP address.
Note - If this parameter is used, then object name must be a
DAIP Security Gateway.

<Signature> The signature string within the license.

To see the license signature string, run the "cplic print" on
page 265 command.

R81.10 Multi-Domain Security Management Administration Guide | 262

cplic get

Description
Retrieves all licenses from managed Security Gateways and Cluster Members into the license
repository on the Management Server.
This command helps synchronize the license repository with the managed Security Gateways
and Cluster Members.
When you run this command, it updates the license repository with all local changes.

Syntax

cplic get {-h | -help}

cplic [-d] get
-all
<IP Address>
<Host Name>

Parameters

Parameter Description

{-h | - Shows the applicable built-in usage.

help}

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-all Retrieves licenses from all Security Gateways and Cluster Members in the
managed network.

<IP The IP address of the Security Gateway / Cluster Member, from which
Address> licenses are to be retrieved.

<Host The name of the Security Gateway / Cluster Member object as defined in
Name> SmartConsole, from which licenses are to be retrieved.

R81.10 Multi-Domain Security Management Administration Guide | 263

cplic get

Example
If the Security Gateway with the object name MyGW contains four Local licenses, and the
license repository contains two other Local licenses, the command "cplic get MyGW"
produces output similar to this:

[Expert@MGMT:0]# cplic get MyGW

Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 264

cplic print

Description
Prints details of the installed Check Point licenses on the local Check Point computer.

Note - On a Security Gateway / Cluster Member / Scalable Platform Security Group,

this command prints all installed licenses (both Local and Central).

Syntax

cplic print {-h | -help}

cplic [-d] print[{-n | -noheader}] [-x] [{-t | -type}] [-F <Output
File>] [{-p | -preatures}] [-D]

You can run this command:

n On a Management Server / Security Gateway / Cluster Member in Gaia Clish or the
Expert mode
n On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then
redirect the output to a file, or use the script
command to save the entire CLI session.

{-n | -noheader} Prints licenses with no header.

-x Prints licenses with their signature.

{-t | -type] Prints licenses showing their type: Central or Local.

-F <Output File> Saves the command output to the specified file.

{-p | -preatures} Prints licenses resolved to primitive features.

-D On a Multi-Domain Server, prints only Domain licenses.

R81.10 Multi-Domain Security Management Administration Guide | 265

cplic print

Example 1

[Expert@HostName:0]# cplic print

Host Expiration Features
192.168.3.28 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 2

[Expert@HostName:0]# cplic print -x

Host Expiration Signature Features
192.168.3.28 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 266

cplic put

Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}

cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -
select}] [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-
only}] -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Features>]

You can run this command:

n On a Management Server / Security Gateway / Cluster Member in Gaia Clish or the
Expert mode
n On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

{-o | - On a Security Gateway / Cluster Member / Scalable Platform Security

overwrite} Group, this command erases only the local licenses, but not central
licenses that are installed remotely.

{-c | -check- Verifies the license. Checks if the IP of the license matches the Check
only} Point computer and if the signature is valid.

{-s | - Selects only the local license whose IP address matches the IP
select} address of the Check Point computer.

R81.10 Multi-Domain Security Management Administration Guide | 267

cplic put

Parameter Description

-F <Output Saves the command output to the specified file.

File>

{-P | -Pre- Use this option after you have upgraded and before you reboot the
boot} Check Point computer.
Use of this option will prevent certain error messages.

{-K | - Pushes the current valid licenses to the kernel.

kernel-only} For use by Check Point Support only.

-l <License Name of the file that contains the license.

File>

<Host> Hostname or IP address of the Security Gateway / Cluster Member /

Scalable Platform Security Group for a local license.
Hostname or IP address of the Security Management Server / Domain
Management Server for a central license.

<Expiration The license expiration date.

Date>

<Signature> The signature string within the license.

Case sensitive. The hyphens are optional.

< The SKU of the license summarizes the features included in the
SKU/Features> license.
For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

Parameter Description

host The IP address of the external interface (in quad-dot notation).

The last part cannot be 0 or 255.

expiration The license expiration date. It can be never.

date

signature The license signature string.

Case sensitive. The hyphens are optional.

SKU/features A string listing the SKU and the Certificate Key of the license.
The SKU of the license summarizes the features included in the
license.
For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

R81.10 Multi-Domain Security Management Administration Guide | 268

cplic put

Example

[Expert@HostName:0]# cplic put -l License.lic

Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 269

cplic put <object name>

Description
Attaches one or more Central or Local licenses to a remote managed Security Gateways and
Cluster Members.
When you run this command, it automatically updates the license repository.

Note
n You get the license details in the Check Point User
Center.
n You can attach more than one license.

Syntax

cplic put {-h | -help}

cplic [-d] put <Object Name> [-ip<Dynamic IP Address> ] [-F
<Output File>] -l <License File> [<Host>] [<Expiration Date>]
[<Signature>] [<SKU/Feature>]

R81.10 Multi-Domain Security Management Administration Guide | 270

cplic put <object name>

Parameters

Parameter Description

{-h | -help} Shows the applicable built-in usage.

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

<Object Name> The name of the Security Gateway / Cluster Member object, as
defined in SmartConsole.

-ip <Dynamic Installs the license on the Security Gateway with the specified IP
IP Address> address.
This parameter is used to install a license on a Security Gateway with
dynamically assigned IP address (DAIP).
Note - If you use this parameter, then the object name must be
that of a DAIP Security Gateway.

-F <Output Saves the command output to the specified file.

File>

-l <License Installs the licenses from the <License file>.

File>

<Host> Hostname or IP address of the Security Management Server /

Domain Management Server.

<Expiration The license expiration date.

Date>

<Signature> The license signature string.

Case sensitive. The hyphens are optional.

<SKU/Features> The SKU of the license summarizes the features included in the
license.
For example: CPSUITE-EVAL-3DES-vNG

R81.10 Multi-Domain Security Management Administration Guide | 271

cplic put <object name>

Copy and paste the parameters from the license received from the User Center:

Parameter Description

host The IP address of the external interface (in quad-dot notation).

The last part cannot be 0 or 255.

expiration The license expiration date. It can be never.

date

signature The license signature string.

Case sensitive. The hyphens are optional.

SKU/features A string listing the SKU and the Certificate Key of the license.
The SKU of the license summarizes the features included in the
license.
For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

R81.10 Multi-Domain Security Management Administration Guide | 272

cplic upgrade

Description
Upgrades licenses in the license repository with licenses in the specified license file.

Note - You get this license file in the Check Point User Center.

Syntax

cplic upgrade {-h | -help}

cplic [-d] upgrade -l <Input File>

Parameters

Parameter Description

{-h | - Shows the applicable built-in usage.

help}

-l <Input Upgrades the licenses in the license repository and Check Point Security
File> Gateways / Cluster Members to match the licenses in the specified file.

Example
This example explains the procedure to upgrade the licenses in the license repository.
There are two Software Blade licenses in the input file:
n One license does not match any license on a remote managed Security Gateway.
n The other license matches an NGX-version license on a managed Security Gateway that
has to be upgraded.
Workflow in this example:
1. Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the
Security Gateways with the previous product versions.
2. Import all licenses into the license repository.
You can also do this after you upgrade the products on the remote Security Gateways.
3. Run this command:

R81.10 Multi-Domain Security Management Administration Guide | 273

cplic upgrade

cplic get -all

Example:

[Expert@MyMGMT]# cplic get -all

Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

4. To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:

[Expert@MyMGMT]# cplic db_print -all -a

Retrieving license information from database ...

The following licenses appear in the database:

==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2

5. In the Check Point User Center, view the licenses for the products that were upgraded
from version NGX to a Software Blades license.
You can also create new upgraded licenses.
6. Download a file containing the upgraded licenses.
Only download licenses for the products that were upgraded from version NGX to
Software Blades.
7. If you did not import the version NGX licenses into the repository, import the version NGX
licenses now.

Use this command:

cplic get -all

8. Run the license upgrade command:

cplic upgrade -l <Input File>

n The licenses in the downloaded license file and in the license repository are
compared.
n If the certificate keys and features match, the old licenses in the repository and in
the remote Security Gateways are updated with the new licenses.
n A report of the results of the license upgrade is printed.

R81.10 Multi-Domain Security Management Administration Guide | 274

cplic upgrade

For more about managing licenses, see the R81.10 Security Management Administration
Guide.

R81.10 Multi-Domain Security Management Administration Guide | 275

cppkg

cppkg
Description
Manages the SmartUpdate software packages repository on the Security Management
Server.

Important - Installing software packages with the SmartUpdate is not supported for
Security Gateways running on Gaia OS.

Syntax

cppkg
add <options>
{del | delete} <options>
get
getroot
print
setroot <options>
Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run mdsenv).

R81.10 Multi-Domain Security Management Administration Guide | 276

cppkg

Parameters

Parameter Description

add <options> Adds a SmartUpdate software package to the repository.

See "cppkg add" on page 278.

{del | delete} Deletes a SmartUpdate software package from the repository.

<options> See "ppkg delete" on page 279.

get Updates the list of the SmartUpdate software packages in the

repository.
See "cppkg get" on page 281.

getroot Shows the path to the root directory of the repository (the value of
the environment variable $SUROOT).
See "cppkg getroot" on page 282.

print Prints the list of SmartUpdate software packages in the repository.

See "cppkg print" on page 283.

setroot Configures the path to the root directory of the repository.

<options> See "cppkg setroot" on page 284.

R81.10 Multi-Domain Security Management Administration Guide | 277

cppkg add

Description
Adds a SmartUpdate software package to the SmartUpdate software packages repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).
n This command does not overwrite existing packages. To overwrite an existing
package, you must first delete the existing package.
n You get the SmartUpdate software packages from the Check Point Support
Center.

Syntax

cppkg add <Full Path to Package | DVD Drive [Product]>

Parameters

Parameter Description

<Full Path to Specifies the full local path on the computer to the SmartUpdate
Package> software package.

DVD Drive [Product] Specifies the DVD root path.

Example: /mnt/CPR80

Example - Adding R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print

Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz

Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print

Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 278

ppkg delete

Description
Deletes SmartUpdate software packages from the SmartUpdate software packages
repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).

Syntax

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor

Version>"]
cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>"
"<Minor Version>"]

Parameters

Parameter Description

del | When you do not specify optional parameters, the command runs in the
delete interactive mode. The command shows the menu with applicable options.

"<Vendor>" Specifies the package vendor. Enclose in double quotes.

"< Specifies the product name. Enclose in double quotes.

Product>"

"<Major Specifies the package Major Version. Enclose in double quotes.

Version>"

"<OS>" Specifies the package OS. Enclose in double quotes.

"<Minor Specifies the package Minor Version. Enclose in double quotes.

Version>"

Notes:
n To see the values for the optional parameters, run the "cppkg print" on page 283
command.
n You must specify all optional parameters, or no parameters.

R81.10 Multi-Domain Security Management Administration Guide | 279

ppkg delete

Example 1 - Interactive mode

[Expert@MGMT:0]# cppkg delete

Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository

[Expert@MGMT:0]#

Example 2 - Manually deleting the specified package

Expert@MGMT:0]# cppkg print

Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 280

cppkg get

Description
Updates the list of the SmartUpdate software packages in the SmartUpdate software
packages repository based on the real content of the repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).

Syntax

cppkg get

Example

[Expert@MGMT:0]# cppkg get

Update successfully completed
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 281

cppkg getroot

Description
Shows the path to the root directory of the SmartUpdate software packages repository (the
value of the environment variable $SUROOT)

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).

Syntax

cppkg getroot

Example

[Expert@MGMT:0]# cppkg getroot

[cppkg 7119 4128339728]@MGMT[29 May 19:16:06] Current repository root is set to :
/var/log/cpupgrade/suroot
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 282

cppkg print

Description
Prints the list of SmartUpdate software packages in the SmartUpdate software packages
repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).

Syntax

cppkg print

Example - R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print

Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 283

cppkg setroot

Description
Configures the path to the root directory of the SmartUpdate software packages repository.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
MDS (run the mdsenv command).
n The default path is: /var/log/cpupgrade/suroot
n When changing repository root directory:
l This command copies the software packages from the old repository to

the new repository. A package in the new location is overwritten by a

package from the old location, if the packages have the same name.
l This command updates the value of the environment variable $SUROOT in

the Check Point Profile shell scripts ($CPDIR/tmp/.CPprofile.sh and

$CPDIR/tmp/.CPprofile.csh).

Syntax

cppkg setroot <Full Path to Repository Root Directory>

Example

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory

Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :

1. Old repository content will be copied into the new repository

2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/log/my_directory

Notice : To complete the setting of your directory, reboot the machine!

[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 284

cpprod_util

cpprod_util
Description
This utility works with Check Point Registry ($CPDIR/registry/HKLM_registry.data)
without manually opening it:
n Shows which Check Point products and features are enabled on this Check Point
computer.
n Enables and disables Check Point products and features on this Check Point computer.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4}
"<Value>" {0|1}
cpprod_util -dump

R81.10 Multi-Domain Security Management Administration Guide | 285

cpprod_util

Parameters

Parameter Description

CPPROD_ Gets the configuration status of the specified product or feature:

GetValue
n 0 - Disabled
n 1 - Enabled

CPPROD_ Sets the configuration for the specified product or feature.

SetValue Important - Do not run these commands unless explicitly instructed
by Check Point Support or R&D to do so.

"< Specifies the product or feature.

Product>"

"< Specifies the configuration parameter for the specified product or feature.
Parameter
>"

"<Value>" Specifies the value of the configuration parameter for the specified
product or feature:
n One of these integers: 0, 1, 4
n A string

dump Creates a dump file of the Check Point Registry

($CPDIR/registry/HKLM_registry.data) in the current working
directory.
The name of the output file is RegDump.

R81.10 Multi-Domain Security Management Administration Guide | 286

cpprod_util

Notes
n On a Multi-Domain Server, you must run this command in the context of the relevant
Domain Management Server.
n If you run the "cpprod_util" command without parameters, it prints:
l The list of all available products and features (for example,
"FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
l The type of the expected argument when you configure a product or feature ("no-
parameter", "string-parameter", or "integer-parameter")
l The type of the returned output ("status-output", or "no-output")
n To redirect the output of the "cpprod_util" command, it is necessary to redirect the
stderr to stdout:

cpprod_util <options> > <output file> 2>&1

Example:

cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples
Example - Showing a list of all installed Check Point Products Packages on a Management
Server
[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 287

cpprod_util

Example - Checking if this Check Point computer is configured as a Management Server

[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability

[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability

[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability

[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server
[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled

[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is
enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the Endpoint Policy Management blade is
enabled
[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 288

cpprod_util

Example - Checking if this Management Server is configured as Endpoint Policy Server

[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 289

cpmiquerybin

cpmiquerybin
Description
The cpmiquerybin utility connects to a specified database, runs a user-defined query and
shows the query results.
The results can be a collection of Security Gateway sets or a tab-delimited list of specified
fields from each retrieved object.
The default database of the query tool is based on the shell environment settings.
To connect to a Domain Management Server database, run "mdsenv" on page 491 and define
the necessary environment variables.

Use the Domain Management Server name or IP address as the first parameter.

Notes:
n You can see complete documentation of the cpmiquerybin utility, with the full
query syntax, examples, and a list of common attributes in sk65181.
n The MISSING_ATTR string shows when you use an attribute name that does
not exist in the objects in query result.

Syntax

cpmiquerybin <query_result_type> <database> <table> <query> [-a

<attributes_list>]

R81.10 Multi-Domain Security Management Administration Guide | 290

cpmiquerybin

Parameters

Parameter Description

<query_ Query result in one of these formats:

result_type>
n attr - Returns values from one or more specified fields for each
object. Use the "-a" parameter followed by a comma separated
list of fields.
n object - Shows Security Gateway sets containing data of each
retrieved object.

<database> Name of the database file in quotes. For example, "mdsdb".

Use empty double quotes "" to run the query on the default database.

<table> Name of the database table that contains the data.

<query> One or more query strings in a comma separated list.

Use empty double quotes ("") to return all objects in the database
table.
You can use the asterisk character (*) as a wildcard replacement for
one or more matching characters in your query string.

-a If you use the "query_result_type" parameter, you must specify

<attributes_ one or more attributes in a comma-delimited list (without spaces) of
list> object fields.
You can return all object names with the special string: __name__

Return Values
n 0 - Query returns data successfully
n 1 - Query does not return data or there is a query syntax error

Example - Viewing the names of the currently defined network objects

[Expert@HostName:0]# cpmiquerybin attr "" network_objects "" -a name

DMZZone
WirelessZone
ExternalZone
InternalZone
AuxiliaryNet
LocalMachine_All_Interfaces
CPDShield
InternalNet
LocalMachine
DMZNet
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 291

cprid

cprid
Description
Manages the Check Point Remote Installation Daemon (cprid).
This daemon is used for remote upgrade and installation of Check Point products on the
managed Security Gateways.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run these commands in the context of the
MDS (run mdsenv).

Commands

Syntax Description

cpridstart Starts the Check Point Remote Installation Daemon (cprid).

cpridstop Stops the Check Point Remote Installation Daemon (cprid).

run_cprid_ Stops and then starts the Check Point Remote Installation Daemon
restart (cprid).

R81.10 Multi-Domain Security Management Administration Guide | 292

cpstat

cpstat
Description
Shows the status and statistics information for Check Point applications.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>]
[-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application
Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter Description

-d Runs the command in debug mode.

-h <Host> Optional.
When you run this command on a Management Server, this parameter
specifies the managed Security Gateway / ClusterXL object.
<Host> is an IPv4 address, a resolvable hostname, or a DAIP object
name.
The default is localhost.
Note - On a Multi-Domain Server, you must run this command in
the context of the applicable Domain Management Server:mdsenv
<IP Address or Name of Domain Management Server>.

-p <Port> Optional.
Port number of the Application Monitoring (AMON) server.
The default port is 18192.

-s <SICname> Optional.
Secure Internal Communication (SIC) name of the Application
Monitoring (AMON) server.

R81.10 Multi-Domain Security Management Administration Guide | 293

cpstat

Parameter Description

-f <Flavor> Optional.
Specifies the type of the information to collect.
If you do not specify a flavor explicitly, the command uses the first flavor
in the <Application Flag>. To see all flavors, run the cpstat
command without any parameters.

-o <Polling Optional.
Interval> Specifies the polling interval (in seconds) - how frequently the
command collects and shows the information.
Examples:
n 0 - The command shows the results only once and the stops (this
is the default value).
n 5 - The command shows the results every 5 seconds in the loop.
n 30 - The command shows the results every 30 seconds in the
loop.
n N - The command shows the results every N seconds in the loop.
Use this parameter together with the "-c <Count>" parameter and the
"-e <Period>" parameter.
Example:
cpstat os -f perf -o 2

-c <Count> Optional.
Specifies how many times the command runs and shows the results
before it stops.
You must use this parameter together with the "-o <Polling
Interval>" parameter.
Examples:
n 0 - The command shows the results repeatedly every <Polling
Interval> (this is the default value).
n 10 - The command shows the results 10 times every <Polling
Interval> and then stops.
n 20 - The command shows the results 20 times every <Polling
Interval> and then stops.
n N - The command shows the results N times every <Polling
Interval> and then stops.
Example:
cpstat os -f perf -o 2 -c 2

R81.10 Multi-Domain Security Management Administration Guide | 294

cpstat

Parameter Description

-e <Period> Optional.
Specifies the time (in seconds), over which the command calculates the
statistics.
You must use this parameter together with the "-o <Polling
Interval>" parameter.
You can use this parameter together with the "-c <Count>"
parameter.
Example:
cpstat os -f perf -o 2 -c 2 -e 60

<Application Mandatory.
Flag> See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are
supported only by a Security Gateway / ClusterXL, and some flags are supported only
by a Management Server.

Feature or
Flag Flavors
Software Blade

List of enabled blades fw, ips, av, urlf, vpn, cvpn,

Software Blades aspm, dlp, appi, anti_bot,
default, content_awareness,
threat-emulation, default

Operating os default, ifconfig, routing,

System routing6, memory, old_memory, cpu,
disk, perf, multi_cpu, multi_disk,
raidInfo, sensors, power_supply,
hw_info, all, average_cpu,
average_memory, statistics,
updates, licensing, connectivity,
vsx

Firewall fw default, interfaces, policy, perf,

hmem, kmem, inspect, cookies,
chains, fragments, totals,
totals64, ufp, http, ftp, telnet,
rlogin, smtp, pop3, sync, log_
connection, all

R81.10 Multi-Domain Security Management Administration Guide | 295

cpstat

Feature or
Flag Flavors
Software Blade

HTTPS https_ default, hsm_status, all

Inspection inspection

Identity identityServer default, authentication, logins,

Awareness ldap, components, adquery, idc,
muh

Application appi default, subscription_status,

Control update_status, RAD_status, top_
last_hour, top_last_day, top_last_
week, top_last_month

URL Filtering urlf default, subscription_status,

update_status, RAD_status, top_
last_hour, top_last_day, top_last_
week, top_last_month

IPS ips default, statistics, all

Anti-Virus ci default

Threat antimalware default, scanned_hosts, scanned_

Prevention mails, subscription_status,
update_status, ab_prm_contracts,
av_prm_contracts, ab_prm_
contracts, av_prm_contracts

R81.10 Multi-Domain Security Management Administration Guide | 296

cpstat

Feature or
Flag Flavors
Software Blade

Threat Emulation threat- default, general_statuses, update_

emulation status, scanned_files, malware_
detected, scanned_on_cloud,
malware_on_cloud, average_process_
time, emulated_file_size, queue_
size, peak_size, file_type_stat_
file_scanned, file_type_stat_
malware_detected, file_type_stat_
cloud_scanned, file_type_stat_
cloud_malware_scanned, file_type_
stat_filter_by_analysis, file_
type_stat_cache_hit_rate, file_
type_stat_error_count, file_type_
stat_no_resource_count, contract,
downloads_information_current,
downloading_file_information,
queue_table, history_te_incidents,
history_te_comp_hosts

Threat Extraction scrub default, subscription_status,

threat_extraction_statistics

Mobile Access cvpn cvpnd, sysinfo, products, overall

VSX vsx default, stat, traffic, conns,

cpu, all, memory, cpu_usage_per_
core

IPsec VPN vpn default, product, IKE, ipsec,

traffic, compression, accelerator,
nic, statistics, watermarks, all

Data Loss dlp default, dlp, exchange_agents,

Prevention fingerprint

Content ctnt default

Awareness

QoS fg all

High Availability ha default, all

Policy Server for polsrv default, all

Remote Access
VPN clients

R81.10 Multi-Domain Security Management Administration Guide | 297

cpstat

Feature or
Flag Flavors
Software Blade

Desktop Policy dtps default, all

Server for
Remote Access
VPN clients

LTE / GX gx default, contxt_create_info,

contxt_delete_info, contxt_update_
info, contxt_path_mng_info, GXSA_
GPDU_info, contxt_initiate_info,
gtpv2_create_info, gtpv2_delete_
info, gtpv2_update_info, gtpv2_
path_mng_info, gtpv2_cmd_info, all

Management mg default, log_server, indexer

Server

Certificate ca default, crl, cert, user, all

Authority

SmartEvent cpsemd default

SmartEvent cpsead default

Correlation Unit

Log Server ls default

CloudGuard vsec default

Controller

SmartReporter svr default

Provisioning PA default
Agent

Thresholds thresholds default, active_thresholds,

configured with destinations, error
the
"threshold_
config"
command

Historical status persistency product, TableConfig, SourceConfig

values

Examples

R81.10 Multi-Domain Security Management Administration Guide | 298

cpstat

Example - CPU utilization

[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance
[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320

Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320

Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 299

cpstat

Example - List of current connected sessions on a Management Server

[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server

Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 300

cprinstall

cprinstall
Description
Performs installation of Check Point product packages and associated operations on remote
managed Security Gateways.

Important - Installing software packages with this command is not supported for
Security Gateways that run on Gaia OS.
Notes:
n This command requires a license for SmartUpdate.
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n On the remote Security Gateways these are required:
l SIC Trust must be established between the Security Management Server

and the Security Gateway.

l The cpd daemon must run.

l The cprid daemon must run.

Syntax

cprinstall
boot <options>
cprestart <options>
cpstart <options>
cpstop <options>
delete <options>
get <options>
install <options>
revert <options>
show <options>
snapshot <options>
transfer <options>
uninstall <options>
verify <options>

R81.10 Multi-Domain Security Management Administration Guide | 301

cprinstall

Parameters

Parameter Description

boot Reboots the managed Security Gateway.

<options> See "cprinstall boot" on page 304.

cprestart Runs the cprestart command on the managed Security Gateway.

<options> See "cprinstall cprestart" on page 305.

cpstart Runs the cpstart command on the managed Security Gateway.

<options> See "cprinstall cpstart" on page 306.

cpstop Runs the cpstop command on the managed Security Gateway.

<options> See "cprinstall cpstop" on page 307.

delete Deletes a snapshot (backup) file on the managed Security Gateway.

<options> See "cprinstall delete" on page 308.

get n Gets details of the products and the operating system installed on
<options> the managed Security Gateway.
n Updates the management database on the Security Management
Server.
See "cprinstall get" on page 309.

install Installs Check Point products on the managed Security Gateway.

<options> See "cprinstall install" on page 310.

revert Restores the managed Security Gateway that runs on SecurePlatform OS

<options> from a snapshot saved on that Security Gateway.
See "cprinstall revert" on page 313.

show Displays all snapshot (backup) files on the managed Security Gateway
<options> that runs on SecurePlatform OS.
See "cprinstall show" on page 314.

snapshot Creates a snapshot on the managed Security Gateway that runs on

<options> SecurePlatform OS and saves it on that Security Gateway.
See "cprinstall snapshot" on page 315.

transfer Transfers a software package from the repository to the managed Security
<options> Gateway without installing the package.
See "cprinstall transfer" on page 316.

uninstall Uninstalls Check Point products on the managed Security Gateway.

<options> See "cprinstall uninstall" on page 318.

R81.10 Multi-Domain Security Management Administration Guide | 302

cprinstall

Parameter Description

verify Confirms these operations were successful:

<options>
n If a specific product can be installed on the managed Security
Gateway.
n That the operating system and currently installed products the
managed Security Gateway are appropriate for the software
package.
n That there is enough disk space to install the product the managed
Security Gateway.
n That there is a CPRID connection with the managed Security
Gateway.
See "cprinstall verify" on page 320.

R81.10 Multi-Domain Security Management Administration Guide | 303

cprinstall boot

Description
Reboots the managed Security Gateway.

Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall boot <Object Name>

Parameters

Parameter Description

<Object The name of the Security Gateway object as configured in

Name> SmartConsole.

Example
[Expert@MGMT]# cprinstall boot MyGW

R81.10 Multi-Domain Security Management Administration Guide | 304

cprinstall cprestart

Description
Runs the cprestart command on the managed Security Gateway.

Syntax

cprinstall cprestart <Object Name>

Parameters

Parameter Description

<Object The name of the Security Gateway object as configured in

Name> SmartConsole.

Example
[Expert@MGMT:0]# cprinstall cprestart MyGW

R81.10 Multi-Domain Security Management Administration Guide | 305

cprinstall cpstart

Description
Runs the cpstart command on the managed Security Gateway.

Syntax

cprinstall cpstart <Object Name>

Parameters

Parameter Description

<Object The name of the Security Gateway object as configured in

Name> SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstart MyGW

R81.10 Multi-Domain Security Management Administration Guide | 306

cprinstall cpstop

Description
Runs the cpstop command on the managed Security Gateway.

Syntax

cprinstall cpstop {-proc | -nopolicy} <Object Name>

Parameters

Parameter Description

-proc Kills the Check Point daemons and Security Servers, while it maintains the
active Security Policy running in the Check Point kernel.
Rules with generic Allow, Drop or Reject action based on services, continue
to work.

-nopolicy Kills the Check Point daemons and Security Servers and unloads the
Security Policy from the Check Point kernel.

<Object The name of the Security Gateway object as configured in SmartConsole.

Name>

Example
[Expert@MGMT]# cprinstall cpstop -proc MyGW

R81.10 Multi-Domain Security Management Administration Guide | 307

cprinstall delete

Description
Deletes a snapshot (backup) file on the managed Security Gateway that runs on
SecurePlatform OS.

Syntax

cprinstall delete <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in

SmartConsole.

<Snapshot Specifies the name of the snapshot (backup) on SecurePlatform OS.

File>

Example
[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017

R81.10 Multi-Domain Security Management Administration Guide | 308

cprinstall get

Description
n Gets details of the products and the operating system installed on the managed Security
Gateway.
n Updates the management database on the Security Management Server.

Syntax

cprinstall get <Object Name>

Parameters

Parameter Description

<Object The name of the Security Gateway object as configured in

Name> SmartConsole.

Example:

[Expert@MGMT]# cprinstall get MyGW

Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system Major Version Minor Version
------------------------------------------------------------------------
SecurePlatform R75.20 R75.20

Vendor Product Major Version Minor Version

------------------------------------------------------------------------
Check Point VPN-1 Power/UTM R75.20 R75.20
Check Point SecurePlatform R75.20 R75.20
Check Point SmartPortal R75.20 R75.20
[Expert@MGMT]#

R81.10 Multi-Domain Security Management Administration Guide | 309

cprinstall install

Description
Installs Check Point products on the managed Security Gateway.

Important - Installing software packages with this command is not supported for
Security Gateways that run Gaia OS.
Notes:
n Before transferring the software package, this command runs the "cprinstall
verify" on page 320 command.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n To see the values for the package attributes, run the "cppkg print" on page 283
command.

Syntax

cprinstall install [-boot] [-backup] [-skip_transfer] <Object

Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

R81.10 Multi-Domain Security Management Administration Guide | 310

cprinstall install

Parameters

Parameter Description

-boot Reboots the managed Security Gateway after installing the package.
Note - Only reboot after ALL products have the same version. Reboot is
canceled in certain scenarios.

-backup Creates a snapshot on the managed Security Gateway before installing

the package.
Note - Only on Security Gateways that runs on SecurePlatform OS.

-skip_ Skip the transfer of the package.

transfer

<Object The name of the Security Gateway object as configured in

Name> SmartConsole.

"<Vendor>" Specifies the package vendor. Enclose in double quotes.

Example:
n checkpoint
n Check Point

"<Product>" Specifies the product name. Enclose in double quotes.

Examples:
n SVNfoundation
n firewall
n floodgate
n CP1100
n VPN-1 Power/UTM
n SmartPortal

"<Major Specifies the package Major Version. Enclose in double quotes.

Version>"

"<Minor Specifies the package Minor Version. Enclose in double quotes.

Version>"

R81.10 Multi-Domain Security Management Administration Guide | 311

cprinstall install

Example

[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"

Installing firewall R75.20 on MyGW...

Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#

R81.10 Multi-Domain Security Management Administration Guide | 312

cprinstall revert

Description
Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot
saved on that Security Gateway.

Syntax

cprinstall revert <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object The name of the Security Gateway object as configured in SmartConsole.

Name>

<Snapshot Name of the SecurePlatform snapshot file.

File> To see the names of the saved snapshot files, run the "cprinstall show" on
page 314 command.

R81.10 Multi-Domain Security Management Administration Guide | 313

cprinstall show

Description
Displays all snapshot (backup) files on the managed Security Gateway that runs on
SecurePlatform OS.

Syntax

cprinstall show <Object Name>

Parameters

Parameter Description

<Object The name of the Security Gateway object as configured in

Name> SmartConsole.

Example

[Expert@MGMT]# cprinstall show GW1

SU_backup.tzg
[Expert@MGMT]#

R81.10 Multi-Domain Security Management Administration Guide | 314

cprinstall snapshot

Description
Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and
saves it on that Security Gateway.

Syntax

cprinstall snapshot <Object Name> <Snapshot File>

Parameters

Parameter Description

<Object The name of the Security Gateway object as configured in SmartConsole.

Name>

<Snapshot Name of the SecurePlatform snapshot file.

File> To see the names of the saved snapshot files, run the "cprinstall show" on
page 314 command.

R81.10 Multi-Domain Security Management Administration Guide | 315

cprinstall transfer

Description
Transfers a software package from the repository to the managed Security Gateway without
installing the package.

Syntax

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major

Version>" "<Minor Version>"

R81.10 Multi-Domain Security Management Administration Guide | 316

cprinstall transfer

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in

SmartConsole.

"<Vendor>" Specifies the package vendor. Enclose in double quotes.

Example:
n checkpoint
n Check Point

"<Product>" Specifies the product name. Enclose in double quotes.

Examples:
n SVNfoundation
n firewall
n floodgate
n CP1100

"<Major Specifies the package major version. Enclose in double quotes.

Version>"

"<Minor Specifies the package minor version. Enclose in double quotes.

Version>"

R81.10 Multi-Domain Security Management Administration Guide | 317

cprinstall uninstall

Description
Uninstalls Check Point products on the managed Security Gateway.

Important - Uninstalling software packages with this command is not supported for
Security Gateways running on Gaia OS.
Notes:
n You must run this command from the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n Before uninstalling product packages, this command runs the "cprinstall verify"
on page 320 command.
n After uninstalling a product package, you must run the "cprinstall get" on
page 309 command.
n To see the values for the package attributes, run the "cppkg print" on page 283
command.

Syntax

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>"

"<Major Version>" "<Minor Version>"

R81.10 Multi-Domain Security Management Administration Guide | 318

cprinstall uninstall

Parameters

Parameter Description

-boot Reboots the managed Security Gateway after uninstalling the

package.
Note - Reboot is canceled in certain scenarios.

<Object Name> The name of the Security Gateway object as configured in

SmartConsole.

"<Vendor>" Specifies the package vendor. Enclose in double quotes.

Example:
n checkpoint
n Check Point

"<Product>" Specifies the product name. Enclose in double quotes.

Examples:
n SVNfoundation
n firewall
n floodgate
n CP1100

"<Major Specifies the package major version. Enclose in double quotes.

Version>"

"<Minor Specifies the package minor version. Enclose in double quotes.

Version>"

Example
[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get

R81.10 Multi-Domain Security Management Administration Guide | 319

cprinstall verify

Description
Confirms these operations were successful:
n If a specific product can be installed on the managed Security Gateway.
n That the operating system and currently installed products the managed Security
Gateway are appropriate for the software package.
n That there is enough disk space to install the product the managed Security Gateway.
n That there is a CPRID connection with the managed Security Gateway.

Syntax

cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major

Version>" ["<Minor Version>"]

R81.10 Multi-Domain Security Management Administration Guide | 320

cprinstall verify

Parameters

Parameter Description

<Object Name> The name of the Security Gateway object as configured in

SmartConsole.

"<Vendor>" Specifies the package vendor. Enclose in double quotes.

Example:
n checkpoint
n Check Point

"<Product>" Specifies the product name. Enclose in double quotes.

Examples:
n SVNfoundation
n firewall
n floodgate
n CP1100
n VPN-1 Power/UTM
n SmartPortal

"<Major Specifies the package major version. Enclose in double quotes.

Version>"

"<Minor Specifies the package minor version. Enclose in double quotes.

Version>" This parameter is optional.

Example 1 - Verification succeeds

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Example 2 - Verification fails

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R75 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.

R81.10 Multi-Domain Security Management Administration Guide | 321

cpview

cpview
Overview of CPView

Description
CPView is a text based built-in utility on a Check Point computer.
CPView Utility shows statistical data that contain both general system information (CPU,
Memory, Disk space) and information for different Software Blades (only on a Security
Gateway / ClusterXL / Scalable Platform Security Group).
The CPView continuously updates the data in easy to access views.

On a Security Gateway / ClusterXL / Scalable Platform Security Group, you can use this
statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Section Description

Header This view shows the time the statistics in the third view are collected.
It updates when you refresh the statistics.

Navigation This menu bar is interactive. Move between menus with the arrow keys and
mouse.
A menu can have sub-menus and they show under the menu bar.

View This view shows the statistics collected in that view.

These statistics update at the refresh rate.

R81.10 Multi-Domain Security Management Administration Guide | 322

cpview

Using CPView
Use these keys to navigate the CPView:

Key Description

Arrow Moves between menus and views. Scrolls in a view.

keys

Home Returns to the Overview view.

Enter Changes to the View Mode.

On a menu with sub-menus, the Enter key moves you to the lowest level sub-
menu.

Esc Returns to the Menu Mode.

Q Quits CPView.

Use these keys to change CPView interface options:

Key Description

R Opens a window where you can change the refresh rate.

The default refresh rate is 2 seconds.

W Changes between wide and normal display modes.

In wide mode, CPView fits the screen horizontally.

S Manually sets the number of rows or columns.

M Switches on/off the mouse.

P Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key Description

C Saves the current page to a file. The file name format is:
cpview_<ID of the cpview process>.cap<Number of the
capture>

H Shows a tooltip with CPView options.

Space Immediately refreshes the statistics.

bar

R81.10 Multi-Domain Security Management Administration Guide | 323

cpwd_admin

cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes
such as Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products
and Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/cpwd.elg log
file.

The cpwd_admin utility shows the status of the monitored processes, and configures the
Check Point WatchDog.

There are two types of Check Point WatchDog monitoring

Monitoring Description

Passive WatchDog restarts the process only when the process terminates
abnormally.
In the output of the cpwd_admin list command, the MON column shows
N for passively monitored processes.

Active WatchDog checks the process status every predefined interval.

WatchDog makes sure the process is alive, as well as properly functioning
(not stuck on deadlocks, frozen, and so on).
In the output of the cpwd_admin list command, the MON column shows
Y for actively monitored processes.
The list of actively monitored processes is predefined by Check Point.
Users cannot change or configure it.

R81.10 Multi-Domain Security Management Administration Guide | 324

cpwd_admin

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

Parameters

Parameter Description

config Configures the Check Point WatchDog.

<options> See "cpwd_admin config" on page 327.

del Temporarily deletes a monitored process from the WatchDog database of

<options> monitored processes.
See "cpwd_admin del" on page 330.

detach Temporarily detaches a monitored process from the WatchDog monitoring.

<options> See "cpwd_admin detach" on page 331.

exist Checks whether the WatchDog process cpwd is alive.

See "cpwd_admin exist" on page 332.

flist Saves the status of all monitored processes to a $CPDIR/tmp/cpwd_

<options> list_<Epoch Timestamp>.lst file.
See "cpwd_admin flist" on page 333.

getpid Shows the PID of a monitored process.

<options> See "cpwd_admin getpid" on page 335.

R81.10 Multi-Domain Security Management Administration Guide | 325

cpwd_admin

Parameter Description

kill Terminates the WatchDog process cpwd.

<options> See "cpwd_admin kill" on page 336.
Important - Do not run this command unless explicitly instructed by
Check Point Support or R&D to do so.

list Prints the status of all monitored processes on the screen.

See "cpwd_admin list" on page 337.

monitor_ Prints the status of actively monitored processes on the screen.

list See "cpwd_admin monitor_list" on page 340.

start Starts a process as monitored by the WatchDog.

<options> See "cpwd_admin start" on page 341.

start_ Starts the active WatchDog monitoring - WatchDog monitors the

monitor predefined processes actively.
See "cpwd_admin start_monitor" on page 343.

stop Stops a monitored process.

<options> See "cpwd_admin stop" on page 344.

stop_ Stops the active WatchDog monitoring - WatchDog monitors all processes
monitor only passively.
See "cpwd_admin stop_monitor" on page 346.

R81.10 Multi-Domain Security Management Administration Guide | 326

cpwd_admin config

Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the "cpstop" and "cpstart" commands (which restart
all Check Point processes).

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin config
-h
-a <options>
-d <options
-p
-r

Parameters

Parameter Description

-h Shows built-in usage.

-a <Configuration_Parameter_1>=<Value_ Adds the WatchDog configuration

1> <Configuration_Parameter_2>=<Value_ parameters.
2> ... <Configuration_Parameter_ Note - Spaces are not allowed
N>=<Value_N> between the name of the
configuration parameter, the
equal sign, and the value.

-d <Configuration_Parameter_1> Deletes the WatchDog

<Configuration_Parameter_2> ... configuration parameters that user
<Configuration_Parameter_N> added with the "cpwd_admin
config -a" command.

-p Shows the WatchDog configuration

parameters that user added with the
"cpwd_admin config -a"
command.

-r Restores the default WatchDog

configuration.

These are the available configuration parameters and the accepted values:

R81.10 Multi-Domain Security Management Administration Guide | 327

cpwd_admin config

Configuration Accepted
Description
Parameter Values

no_limit n Range: -1, If rerun_mode=1, specifies the maximal number of

0, >0 times the WatchDog tries to restart a process.
n Default: 5 n -1 - Always tries to restart
n 0 - Never tries to restart
n >0 - Tries this number of times

num_of_procs n Range: 30 Configures the maximal number of processes

- 2000 managed by the WatchDog.
n Default:
2000

rerun_mode n 0 Configures whether the WatchDog restarts

n 1 (default) processes after they fail:
n 0 - Does not restart a failed process. Monitor
and log only.
n 1 - Restarts a failed process (this is the
default).

reset_ n Range: > 0 Configures the time (in seconds) the WatchDog
startups n Default: waits after the process starts and before the
3600 WatchDog resets the process's startup_counter
to 0.
To see the process's startup counter, in the output of
the cpwd_admin list command, refer to the
#START column.

sleep_mode n 0 Configures how the WatchDog restarts the process:

n 1 (default) n 0 - Ignores timeout and restarts the process
immediately
n 1 - Waits for the duration of sleep_timeout

sleep_ n Range: 0 - If rerun_mode=1, specifies how much time (in

timeout 3600 seconds) passes from a process failure until
n Default: 60 WatchDog tries to restart it.

stop_timeout n Range: > 0 Configures the time (in seconds) the WatchDog
n Default: 60 waits for a process stop command to complete.

R81.10 Multi-Domain Security Management Administration Guide | 328

cpwd_admin config

Configuration Accepted
Description
Parameter Values

zero_timeout n Range: > 0 After failing no_limit times to restart a process,

n Default: the WatchDog waits zero_timeout seconds
7200 before it tries again.
The value of the zero_timeout must be greater
than the value of the timeout.

The WatchDog saves the user defined configuration parameters in the

$CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:

("CheckPoint Repository Set"

: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...

Example

[Expert@HostName:0]# cpwd_admin config -p

cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r

cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 329

cpwd_admin del

Description
Temporarily deletes a monitored process from the WatchDog database of monitored
processes.

Notes:
n WatchDog stops monitoring the detached process, but the process stays alive.
n The "cpwd_admin list" on page 337 command does not show the deleted
process anymore.
n This change applies until all Check Point services restart during boot, or with the
"mdsstart_customer" on page 499 command.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin del -name <Application Name>

Parameters

Parameter Description

<Application Name of the monitored Check Point process as you see in the output of
Name> the "cpwd_admin list" on page 337 command in the leftmost column
APP.
Examples:
n FWM
n FWD
n CPD
n CPM

Example

[Expert@HostName:0]# cpwd_admin del -name FWD

cpwd_admin:
successful Del operation
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 330

cpwd_admin detach

Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
n WatchDog stops monitoring the detached process, but the process stays alive.
n The "cpwd_admin list" on page 337 command does not show the detached
process anymore.
n This change applies until all Check Point services restart during boot, or with the
"mdsstart_customer" on page 499 command.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin detach -name <Application Name>

Parameters

Parameter Description

<Application Name of the monitored Check Point process as you see in the output of
Name> the "cpwd_admin list" on page 337 command in the leftmost column
APP.
Examples:
n FWM
n FWD
n CPD
n CPM

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD

cpwd_admin:
successful Detach operation
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 331

cpwd_admin exist

Description
Checks whether the WatchDog process cpwd is alive.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist

cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 332

cpwd_admin flist

Description
Saves the status of all WatchDog monitored processes to a file.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin flist [-full]

Parameters

Parameter Description

-full Shows the verbose output.

Output

Column Description

APP Shows the WatchDog name of the monitored process.

PID Shows the PID of the monitored process.

STAT Shows the status of the monitored process:

n E - executing
n T - terminated

#START Shows how many times the WatchDog started the monitored process.

START_TIME Shows the time when the WatchDog started the monitored process for the
last time.

SLP/LIMIT In verbose output, shows the values of the sleep_timeout and no_
limit configuration parameters (see "cpwd_admin config" on page 327).

MON Shows how the WatchDog monitors this process (see the explanation for
the "cpwd_admin" on page 324):
n Y - Active monitoring
n N - Passive monitoring

COMMAND Shows the command the WatchDog run to start this process.

R81.10 Multi-Domain Security Management Administration Guide | 333

cpwd_admin flist

Example

[Expert@HostName:0]# cpwd_admin flist

/opt/CPshrd-R81.10/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 334

cpwd_admin getpid

Description
Shows the PID of a WatchDog monitored process.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin getpid -name <Application Name>

Parameters

Parameter Description

<Application Name of the monitored Check Point process as you see in the output of
Name> the "cpwd_admin list" on page 337 command in the leftmost column
APP.
Examples:
n FWM
n FWD
n CPD
n CPM

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD

5640
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 335

cpwd_admin kill

Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"mdsstop_customer" on page 506 and "mdsstart_customer" on page 499 commands.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin kill

R81.10 Multi-Domain Security Management Administration Guide | 336

cpwd_admin list

Description
Prints the status of all WatchDog monitored processes on the screen.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin list [-full]

Parameters

Parameter Description

-full Shows the verbose output.

Output

Column Description

APP Shows the WatchDog name of the monitored process.

PID Shows the PID of the monitored process.

STAT Shows the status of the monitored process:

n E - executing
n T - terminated

#START Shows how many times the WatchDog started the monitored process.

START_TIME Shows the time when the WatchDog started the monitored process for the
last time.

SLP/LIMIT In verbose output, shows the values of the sleep_timeout and no_
limit configuration parameters (see "cpwd_admin config" on page 327).

MON Shows how the WatchDog monitors this process (see the explanation for
the "cpwd_admin" on page 324):
n Y - Active monitoring
n N - Passive monitoring

COMMAND Shows the command the WatchDog run to start this process.

R81.10 Multi-Domain Security Management Administration Guide | 337

cpwd_admin list

Examples
Example - Default output on a Management Server
[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2019 N java_solr /opt/CPrt-
R81.10/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R81.10/log_indexer/log_
indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-
R81.10/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2019 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 338

cpwd_admin list

Example - Verbose output on a Management Server

[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R81.10/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R81.10/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R81.10/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R81.10/bin/java_solr
COMMAND = java_solr /opt/CPrt-R81.10/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R81.10/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R81.10/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R81.10/log_indexer/log_indexer
COMMAND = /opt/CPrt-R81.10/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R81.10/smartlog_server
COMMAND = /opt/CPSmartLog-R81.10/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R81.10/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R81.10/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 339

cpwd_admin monitor_list

Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 324.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list

cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2019
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 340

cpwd_admin start

Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin start -name <Application Name> -path "<Full Path to

Executable>" -command "<Command Syntax>" [-env {inherit | <Env_
Var>=<Value>] [-slp_timeout <Timeout>] [-retry_limit {<Limit> |
u}]

Parameters

Parameter Description

-name Name, under which the cpwd_admin list command shows the
<Application monitored process in the leftmost column APP.
Name> Examples:
n FWM
n FWD
n CPD
n CPM

-path "<Full The full path (with or without Check Point environment variables)
Path to to the executable including the executable name.
Executable>" Must enclose in double quotes.
Examples:
n For FWM: "$FWDIR/bin/fwm"
n For FWD: "/opt/CPsuite-R81.10/fw1/bin/fw"
n For CPD: "$CPDIR/bin/cpd"
n For CPM: "/opt/CPsuite-
R81.10/fw1/scripts/cpm.sh"
n For SICTUNNEL: "/opt/CPshrd-R81.10/bin/cptnl"

R81.10 Multi-Domain Security Management Administration Guide | 341

cpwd_admin start

Parameter Description

-command The command and its arguments to run.

"<Command Must enclose in double quotes.
Syntax>" Examples:
n For FWM: "fwm"
n For FWM on Multi-Domain Server: "fwm mds"
n For FWD: "fwd"
n For CPD: "cpd"
n For CPM: "/opt/CPsuite-
R81.10/fw1/scripts/cpm.sh -s"
n For SICTUNNEL: "/opt/CPshrd-R81.10/bin/cptnl -
c "/opt/CPuepm-R81.10/engine/conf/cptnl_
srv.conf""

-env {inherit | Configures whether to inherit the environment variables from the
<Env_ shell.
Var>=<Value>}
n inherit - Inherits all the environment variables (WatchDog
supports up to 80 environment variables)
n <Env_Var>=<Value> - Assigns the specified value to the
specified environment variable

-slp_timeout Configures the specified value of the "sleep_timeout"

<Timeout> configuration parameter.
See "cpwd_admin config" on page 327.

-retry_limit Configures the value of the "retry_limit" configuration

{<Limit> | u} parameter.
See "cpwd_admin config" on page 327.
n <Limit> - Tries to restart the process the specified number
of times
n u - Tries to restart the process unlimited number of times

Example
For the list of process and the applicable syntax, see sk97638.

R81.10 Multi-Domain Security Management Administration Guide | 342

cpwd_admin start_monitor

Description
Starts the active WatchDog monitoring. WatchDog monitors the predefined processes
actively.
See the explanation for the "cpwd_admin" on page 324 command.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor

cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 343

cpwd_admin stop

Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin stop -name <Application Name> [-path "<Full Path to

Executable>" -command "<Command Syntax>" [-env {inherit | <Env_
Var>=<Value>]

Parameters

Parameter Description

-name <Application Name under which the cpwd_admin list command shows
Name> the monitored process in the leftmost column APP.
Examples:
n FWM
n FWD
n CPD
n CPM

-path "<Full Path The full path (with or without Check Point environment
to Executable>" variables) to the executable including the executable name.
Must enclose in double quotes.
Examples:
n For FWM: "$FWDIR/bin/fwm"
n For FWD: "/opt/CPsuite-R81.10/fw1/bin/fw"
n For CPD: "$CPDIR/bin/cpd_admin"

-command "<Command The command and its arguments to run.

Syntax>" Must enclose in double quotes.
Examples:
n For FWM: "fw kill fwm"
n For FWD: "fw kill fwd"
n For CPD: "cpd_admin stop"

R81.10 Multi-Domain Security Management Administration Guide | 344

cpwd_admin stop

Parameter Description

-env {inherit | Configures whether to inherit the environment variables from

<Env_Var>=<Value>} the shell.
n inherit - Inherits all the environment variables
(WatchDog supports up to 80 environment variables)
n <Env_Var>=<Value> - Assigns the specified value to
the specified environment variable

Example
For the list of process and the applicable syntax, see sk97638.

R81.10 Multi-Domain Security Management Administration Guide | 345

cpwd_admin stop_monitor

Description
Stops the active WatchDog monitoring. WatchDog monitors all processes only passively.
See the explanation for the "cpwd_admin" on page 324 command.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor

cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 346

dbedit

dbedit
Description
Edits the management database - the $FWDIR/conf/objects_5_0.C file - on the Security
Management Server or Domain Management Server. See skI3301.

Important - Do NOT run this command, unless explicitly instructed by Check Point
Support or R&D to do so. Otherwise, you can corrupt settings in the management
database.

Syntax

dbedit -help
dbedit [-globallock] [{-local | -s <Management_Server>}] [{-u
<Username> | -c <Certificate>}] [-p <Password>] [-f <File_Name>
[ignore_script_failure] [-continue_updating]] [-r "<Open_Reason_
Text>"] [-d <Database_Name>] [-listen] [-readonly] [-session]
Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Parameters

Parameter Description

-help Prints the general help.

-globallock When you work with the dbedit utility, it partially locks the management
database. If a user configures objects in SmartConsole at the same
time, it causes problems in the management database.
This option does not let SmartConsole, or a dbedit user to make
changes in the management database.
When you specify this option, the dbedit commands run on a copy of
the management database. After you make the changes with the
dbedit commands and run the savedb command, the dbedit utility
saves and commits your changes to the actual management database.

-local Connects to the localhost (127.0.0.1) without using

username/password.
If you do not specify this parameter, the dbedit utility asks how to
connect.

R81.10 Multi-Domain Security Management Administration Guide | 347

dbedit

Parameter Description

-s Specifies the Security Management Server - by IP address or

<Management_ HostName.
Server> If you do not specify this parameter, the dbedit utility asks how to
connect.

-u Specifies the username, with which the dbedit utility connects to the
<Username> Security Management Server.
Mandatory parameter when you specify the "-s <Management_
Server>" parameter.

-c Specifies the user's certificate file, with which the dbedit utility connects
< to the Security Management Server.
Certificate> Mandatory parameter when you specify the "-s <Management_
Server>" parameter.

-p Specifies the user's password, with which the dbedit utility connects to
<Password> the Security Management Server.
Mandatory parameter when you specify the "-s <Management_
Server>" and "-u <Username>" parameters.

-f <File_ Specifies the file that contains the applicable dbedit internal commands
Name> (see the section "dbedit Internal Commands" below):
n create <object_type> <object_name>
n modify <table_name> <object_name> <field_name>
<value>
n update <table_name> <object_name>
n delete <table_name> <object_name>
n print <table_name> <object_name>
n quit

Note - Each command is limited to 4096 characters.

ignore_ Continues to execute the dbedit internal commands in the file and
script_ ignores errors.
failure You can use it when you specify the "-f <File_Name>" parameter.

-continue_ Continues to update the modified objects, even if the operation fails for
updating some of the objects (ignores the errors and runs the update_all
command at the end of the script).
You can use it when you specify the "-f <File_Name>" parameter.

-r "<Open_ Specifies the reason for opening the database in read-write mode
Reason_ (default mode).
Text>"

R81.10 Multi-Domain Security Management Administration Guide | 348

dbedit

Parameter Description

-d Specifies the name of the database, to which the dbedit utility should
<Database_ connect (for example, mdsdb).
Name>

-listen The dbedit utility "listens" for changes (use this mode for advanced
troubleshooting with the assistance of Check Point Support).
The dbedit utility prints its internal messages when a change occurs in
the management database.

-readonly Specifies to open the management database in read-only mode.

-session Session Connectivity.

dbedit Internal Commands

Note - To see the available tables, class names (object types), attributes and values,
connect to Management Server with Database Tool (GuiDBEdit Tool) (see sk13009).

Command Description, Syntax, Examples

-h Description:
Prints the general help.
Syntax:
dbedit> -h

-q Description:
Quits from dbedit.
quit Syntax:
dbedit> -q
dbedit> quit [-update_all | -noupdate]
Examples:
n Exit the utility and commit the remaining modified objects
(interactive mode):
dbedit> quit
n Exit the utility and update all the remaining modified objects:
dbedit> quit -update_all
n Exit the utility and discard all modifications:
dbedit> quit -no_update

R81.10 Multi-Domain Security Management Administration Guide | 349

dbedit

Command Description, Syntax, Examples

update Description:
Saves the specified object in the specified table (for example,
"network_objects", "services", "users").
Syntax:
dbedit> update <table_name> <object_name>
Example:
Save the object My_Service in the table services:
dbedit> update services My_Service

update_all Description:
Saves all the modified objects.
Syntax:
dbedit> update_all

_print_set Description:
Prints the specified object from the specified table (for example,
"network_objects", "services", "users") as it appears in the
$FWDIR/conf/objects_5_0.C file (sets of attributes).
Syntax:
dbedit> _print_set <table_name> <object_name>
Example:
Print the object My_Obj from the table network_objects:
dbedit> print network_objects My_Obj

print Description:
Prints the list of attributes of the specified object from the specified
table (for example, "network_objects", "properties",
"services", "users").
Syntax:
dbedit> print <table_name> <object_name>
Examples:
n Print the object My_Obj from the table network_objects (in
"Network Objects"):
dbedit> print network_objects my_obj
n Print the object firewall_properties from the table properties (in
"Global Properties"):
dbedit> print properties firewall_properties

R81.10 Multi-Domain Security Management Administration Guide | 350

dbedit

Command Description, Syntax, Examples

printxml Description:
Prints in XML format the list of attributes of the specified object from the
specified table (for example, "network_objects", "properties",
"services", "users").
You can export the settings from a Management Server to an XML file
that you can use later with external automation systems.
Syntax:
dbedit> printxml <table_name> [<object_name>]
Examples:
n Print the object My_Obj from the table network_objects:
dbedit> printxml network_objects my_obj
n Print the object firewall_properties from the table properties (in
"Global Properties"):
dbedit> printxml properties firewall_
properties

printbyuid Description:
Prints the attributes of the object specified by its UID (appears in the
$FWDIR/conf/objects_5_0.C file at the beginning of the object as
"chkpf_uid ({...})").
Syntax:
dbedit> printbyuid {object_id}
Example:
Print the attributes of the object with the specified UID:
dbedit> printbyuid {D3833F1D-0A58-AA42-865F-
39BFE3C126F1}

R81.10 Multi-Domain Security Management Administration Guide | 351

dbedit

Command Description, Syntax, Examples

query Description:
Prints all the objects in the specified table.
Optionally, you can query for objects with specific attribute and value -
query is separated by a comma after "query <table_name>"
(spaces are not allowed between the <attribute> and '<value>').
Syntax:
dbedit> query <table_name> [ ,
<attribute>='<value>' ]
Examples:
n Print all objects in the table users:
dbedit> query users
n Print all objects in the table network_objects that are defined as
Management Servers:
dbedit> query network_objects,
management='true'
n Print all objects in the table services with the name ssh:
command_sdbedit> query services, name='ssh'
n Print all objects in the table services with the port 22:
dbedit> query services, port='22'
n Print all objects with the IP address 10.10.10.10:
dbedit> query network_objects,
ipaddr='10.10.10.10'

whereused Description:
Checks where the specified object used in the database.
Prints the number of places, where this object is used and relevant
information about each such place.
Syntax:
dbedit> whereused <table_name> <object_name>
Example:
Check where the object My_Obj is used:
dbedit> whereused network_objects My_Obj

R81.10 Multi-Domain Security Management Administration Guide | 352

dbedit

Command Description, Syntax, Examples

create Description:
Creates an object of specified type (with its default values) in the
database.
Restrictions apply to the object's name:
n Object names can have a maximum of 100 characters.
n Objects names can contain only ASCII letters, numbers, and
dashes.
n Reserved words will be blocked by the Management Server (refer
to sk40179).
Syntax:
dbedit> create <object_type> <object_name>
Example:
Create the service object My_Service of the type tcp_service (with its
default values):
dbedit> create tcp_service my_service

delete Description:
Deletes an object from the specified table.
Syntax:
dbedit> delete <table_name> <object_name>
Example:
Delete the service object My_Service from the table services:
dbedit> delete services my_service

R81.10 Multi-Domain Security Management Administration Guide | 353

dbedit

Command Description, Syntax, Examples

modify Description:
Modifies the value of specified attribute in the specified object in the
specified table (for example, "network_objects", "services",
"users") in the management database.
Syntax:
dbedit> modify <table_name> <object_name> <field_
name> <value>
Examples:
n Modify the color to red in the object My_Service in the table
services:
dbedit> modify services My_Service color red
n Add a comment to the object MyObj:
dbedit> modify network_objects MyObj comments
"Created by fwadmin with dbedit"
n Set the value of the global property ike_use_largest_possible_
subnets in the table properties to false:
dbedit> modify properties firewall_properties
ike_use_largest_possible_subnets false
n Create a new interface on the Security Gateway My_FW and
modify its attributes - set the IP address / Mask and enable Anti-
Spoofing on interface with "Element Index"=3 (check the
attributes of the object My_FW in Database Tool (GuiDBEdit
Tool) (see sk13009)):

R81.10 Multi-Domain Security Management Administration Guide | 354

dbedit

Command Description, Syntax, Examples

dbedit> addelement network_objects My_FW

interfaces interface
dbedit> modify network_objects My_FW
interfaces:3:officialname NAME_OF_INTERFACE
dbedit> modify network_objects My_FW
interfaces:3:ipaddr IP_ADDRESS
dbedit> modify network_objects My_FW
interfaces:3:netmask NETWORK_MASK
dbedit> modify network_objects My_FW
interfaces:3:security:netaccess:access
specific
dbedit> modify network_objects My_FW
interfaces:3:security:netaccess:allowed
network_objects:group_name
dbedit> modify network_objects My_FW
interfaces:3:security:netaccess:perform_anti_
spoofing true
dbedit> modify network_objects MyObj FieldA
LINKSYS
n In the Owned Object MyObj change the value of FieldB to
NewVal:
dbedit> modify network_objects MyObj
FieldA:FieldB NewVal
n In the Linked Object MyObj change the value of FieldA from B to
C:
dbedit> modify network_objects MyObj FieldA
B:C

R81.10 Multi-Domain Security Management Administration Guide | 355

dbedit

Command Description, Syntax, Examples

lock Description:
Locks the specified object (by administrator) in the specified table (for
example, "network_objects", "services", "users") from being
modified by other users.
For example, if you connect from a remote computer to this
Management Server with admin1 and lock an object, you are be able to
connect with admin2, but are not able to modify the locked object, until
admin1 releases the lock.
Syntax:
dbedit> lock <table_name> <object_name>
Example:
Lock the object My_Service_Obj in the table services in the database:
dbedit> lock services My_Service_Obj

addelement Description:
Adds a specified multiple field / container (with specified value) to a
specified object in specified table.
Syntax:
dbedit> addelement <table_name> <object_name>
<field_name> <value>
Examples:
n Add the element BranchObjectClass with the value Organization
to a multiple field Read in the object My_Obj in the table ldap:
dbedit> addelement ldap My_Obj
Read:BranchObjectClass Organization
n Add the service MyService to the group of services
MyServicesGroup in the table services:
dbedit> addelement services MyServicesGroup
'' services:MyService
n Add the network MyNetwork to the group of networks
MyNetworksGroup in the table network_objects:
dbedit> addelement network_objects
MyNetworksGroup '' network_objects:MyNetwork

R81.10 Multi-Domain Security Management Administration Guide | 356

dbedit

Command Description, Syntax, Examples

rmelement Description:
Removes a specified multiple field / container (with specified value)
from a specified object in specified table.
Syntax:
dbedit> rmelement <table_name> <object_name>
<field_name> <value>
Examples:
n Remove the service MyService from the group of services
MyServicesGroup from the table services:
dbedit> rmelement services MyServicesGroup ''
services:MyService
n Remove the network MyNetwork from the group of networks
MyNetworksGroup from the table network_objects:
dbedit> rmelement network_objects
MyNetworksGroup '' network_objects:MyNetwork
n Remove the element BranchObjectClass with the value
Organization from the multiple field Read in the object My_Obj in
the table ldap:
dbedit> rmelement ldap my_obj
Read:BranchObjectClass Organization

rename Description:
Renames the specified object in specified table.
Syntax:
dbedit> rename <table_name> <object_name> <new_
object_name>
Example:
Rename the network object london to chicago in the table network_
objects:
dbedit> rename network_objects london chicago

R81.10 Multi-Domain Security Management Administration Guide | 357

dbedit

Command Description, Syntax, Examples

rmbyindex Description:
Removes an element from a container by element's index.
Syntax:
dbedit> rmbyindex <table_name> <object_name>
<field_name> <index_number>
Example:
Remove the element backup_log_servers from the container log_
servers by element index 1 in the table network_objects:
dbedit> rmbyindex network_objects g log_
servers:backup_log_servers 1

add_owned_ Description:
remove_name Adds an owned object (and removes its name) to a specified owned
object field (or container).
Syntax:
dbedit> add_owned_remove_name <table_name>
<object_name> <field_name> <value>
Example:
Add the owned object My_Gateway (and remove its name) to the
owned object field (or container) my_external_products:
dbedit> add_owned_remove_name network_objects My_
Gateway additional_products owned:my_external_
products

is_delete_ Description:
allowed Checks if the specified object can be deleted from the specified table
(object cannot be deleted if it is used by other objects).
Syntax:
dbedit> is_delete_allowed <table_name> <object_
name>
Example:
dbedit> is_delete_allowed network_objects MyObj
Check if the object MyObj can be deleted from the table network_
objects:

R81.10 Multi-Domain Security Management Administration Guide | 358

dbedit

Command Description, Syntax, Examples

set_pass Description:
Sets specified password for specified user.
Notes:
n The password must contain at least 4 characters and no more
than 50 characters.
n This command cannot change the administrator's password.
Syntax:
dbedit> set_pass <Username> <Password>
Example:
Set the password 1234 for the user abcd:
dbedit> set_pass abcd 1234

savedb Description:
Saves the database. You can run this command only when the
database is locked globally (when you start the dbedit utility with the
"dbedit -globallock" command).
Syntax:
dbedit> savedb

savesession Description:
Saves the session. You can run this command only when you start the
dbedit utility in session mode (with the "dbedit -session"
command).
Syntax:
dbedit> savesession

R81.10 Multi-Domain Security Management Administration Guide | 359

fw
Description
n Performs various operations on Security or Audit log files.
n Kills the specified Check Point processes.
n Manages the Suspicious Activity Monitoring (SAM) rules.
n Manages the Suspicious Activity Policy editor.

Syntax

fw [-d]
fetchlogs <options>
hastat <options>
kill <options>
log <options>
logswitch <options>
lslogs <options>
mergefiles <options>
repairlog <options>
sam <options>
sam_policy <options>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

fetchlogs Fetches the specified Check Point log files - Security

<options> ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*), from the
specified Check Point computer.
See "fw fetchlogs" on page 362.

hastat Shows information about Check Point computers in High Availability

<options> configuration and their states.
See "fw hastat" on page 364.

R81.10 Multi-Domain Security Management Administration Guide | 360

Parameter Description

kill Kills the specified Check Point process.

<options> See "fw kill" on page 365.

log Shows the content of Check Point log files - Security

<options> ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
See "fw log" on page 366.

logswitch Switches the current active Check Point log file - Security
<options> ($FWDIR/log/fw.log) or Audit ($FWDIR/log/fw.adtlog).
See "fw logswitch" on page 376.

lslogs Shows a list of Check Point log files - Security ($FWDIR/log/.log)

<options> or Audit ($FWDIR/log/*.adtlog*), located on the local computer or a
remote computer.
See "fw lslogs" on page 380.

mergefiles Merges several Check Point log files - Security ($FWDIR/log/*.log)

<options> or Audit ($FWDIR/log/*.adtlog), into a single log file.
See "fw mergefiles" on page 383.

repairlog Rebuilds pointer files for Check Point log files - Security
<options> ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
See "fw repairlog" on page 386.

sam Manages the Suspicious Activity Monitoring (SAM) rules.

<options> See "fw sam" on page 387.

sam_policy Manages the Suspicious Activity Policy editor that works with these type
<options> of rules:
or n Suspicious Activity Monitoring (SAM) rules.
samp
<options>
n Rate Limiting rules.
See "fw sam_policy" on page 395.

R81.10 Multi-Domain Security Management Administration Guide | 361

fw fetchlogs

Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files
($FWDIR/log/*.adtlog*) from the specified Check Point computer.

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File
2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-f <Name Specifies the name of the log file to fetch. Need to specify name only.
of Log Notes:
File N>
n If you do not specify the log file name explicitly, the command
transfers all Security log files ($FWDIR/log/*.log*) and all Audit
log files ($FWDIR/log/*.adtlog*).
n The specified log file name can include wildcards * and ? (for
example, 2017-0?-*.log).
If you enter a wildcard, you must enclose it in double quotes or single
quotes.
n You can specify multiple log files in one command.
You must use the -f parameter for each log file name pattern.
n This command also transfers the applicable log pointer files.

<Target> Specifies the remote Check Point computer, with which this local Check
Point computer has established SIC trust.
n If you run this command on a Security Management Server or Domain
Management Server, then <Target> is the applicable object's name
or main IP address of the Check Point Computer as configured in
SmartConsole.
n If you run this command on a Security Gateway or Cluster Member,
then <Target> is the main IP address of the applicable object as
configured in SmartConsole.

R81.10 Multi-Domain Security Management Administration Guide | 362

fw fetchlogs

Notes:
n This command moves the specified log files from the $FWDIR/log/ directory on the
specified Check Point computer. Meaning, it deletes the specified log files on the
specified Check Point computer after it copies them successfully.
n This command moves the specified log files to the $FWDIR/log/ directory on the local
Check Point computer, on which you run this command.
n This command cannot fetch the active log files $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog.
To fetch these active log files:
1. Perform log switch on the applicable Check Point computer:

fw logswitch [-audit] [-h <IP Address or Hostname>]

2. Fetch the rotated log file from the applicable Check Point computer:

fw fetchlogs -f <Log File Name> <IP Address or Hostname>

n This command renames the log files it fetched from the specified Check Point computer.
The new log file name is the concatenation of the Check Point computer's name (as
configured in SmartConsole), two underscore (_) characters, and the original log file
name (for example: MyGW__2019-06-01_000000.log).

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW

Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW

File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R81.10/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R81.10/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R81.10/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R81.10/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW

Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 363

fw hastat

Description
Shows information about Check Point computers in High Availability configuration and their
states.

Note - This command is outdated. On Management Servers, run the "cpstat" on

page 293 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter Description

<Target1> Specifies the Check Point computers to query.

<Target2> ... If you run this command on the Management Server, you can enter the
<TargetN> applicable IP address, or the resolvable HostName of the managed
Security Gateway or Cluster Member.
If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat 192.168.3.52

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 364

fw kill

Description
Kills the specified Check Point processes.

Important - Make sure the killed process is restarted, or restart it manually. See sk97638.

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-t <Signal Specifies which signal to send to the Check Point process.

Number> For the list of available signals and their numbers, run the kill -l
command.
For information about the signals, see the manual pages for the
kill and signal.
If you do not specify the signal explicitly, the command sends Signal
15 (SIGTERM).
Note - Processes can ignore some signals.

<Name of Specifies the name of the Check Point process to kill.

Process> To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

R81.10 Multi-Domain Security Management Administration Guide | 365

fw log

Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit
($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c
<Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert
Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q]
[-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u
<Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End
Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter Description

{-h | -help} Shows the built-in usage.

Note - The built-in usage does not show some of the parameters
described in this table.

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

-a Shows only Account log entries.

R81.10 Multi-Domain Security Management Administration Guide | 366

fw log

Parameter Description

-b "<Start Shows only entries that were logged between the specified start and
Timestamp>" end times.
"<End
Timestamp>"
n The <Start Timestamp> and <End Timestamp> may be a
date, a time, or both.
n If date is omitted, then the command assumes the current date.
n Enclose the "<Start Timestamp>" and "<End
Timestamp> in single or double quotes (-b 'XX' 'YY", or -b
"XX" "YY).
n You cannot use the "-b" parameter together with the "-s" or "-
e" parameters.
n See the date and time format below.

-c <Action> Shows only events with the specified action. One of these:
n accept
n drop
n reject
n encrypt
n decrypt
n vpnroute
n keyinst
n authorize
n deauthorize
n authcrypt
n ctl

Notes:
n The fw log command always shows the Control (ctl) actions.
n For login action, use the authcrypt.

-e "<End Shows only entries that were logged before the specified time.
Timestamp>" Notes:
n The <End Timestamp> may be a date, a time, or both.
n Enclose the <End Timestamp> in single or double quotes (-e
'...', or -e "...").
n You cannot use the "-e" parameter together with the "-b"
parameter.
n See the date and time format below.

R81.10 Multi-Domain Security Management Administration Guide | 367

fw log

Parameter Description

-f This parameter:
1. Shows the saved entries that match the specified conditions.
2. After the command reaches the end of the currently opened log
file, it continues to monitor the log file indefinitely and shows the
new entries that match the specified conditions.
Note - Applies only to the active log file $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog

-g Does not show delimiters.

The default behavior is:
n Show a colon (:) after a field name
n Show a semi-colon (;) after a field value

-H Shows the High Level Log key.

-h <Origin> Shows only logs that were generated by the Security Gateway with
the specified IP address or object name (as configured in
SmartConsole).

-i Shows log UID.

-k {<Alert Shows entries that match a specific alert type:

Name> | all}
n <Alert Name> - Show only entries that match a specific alert
type:
l alert

l mail

l snmp_trap

l spoof

l user_alert

l user_auth

n all - Show entries that match all alert types (this is the default).

-l Shows both the date and the time for each log entry.
The default is to show the date only once above the relevant entries,
and then specify the time for each log entry.

R81.10 Multi-Domain Security Management Administration Guide | 368

fw log

Parameter Description

-m Specifies the log unification mode:

n initial - Complete unification of log entries. The command
shows one unified log entry for each ID. This is the default.
If you also specify the -f parameter, then the output does not
show any updates, but shows only entries that relate to the start
of new connections. To shows updates, use the semi
parameter.
n semi - Step-by-step unification of log entries. For each log
entry, the output shows an entry that unifies this entry with all
previously encountered entries with the same ID.
n raw - No log unification. The output shows all log entries.

-n Does not perform DNS resolution of the IP addresses in the log file
(this is the default behavior).
This significantly speeds up the log processing.

-o Shows detailed log chains - shows all the log segments in the log
entry.

-p Does not perform resolution of the port numbers in the log file (this is
the default behavior).
This significantly speeds up the log processing.

-q Shows the names of log header fields.

-S Shows the Sequence Number.

-s "<Start Shows only entries that were logged after the specified time.
Timestamp>" Notes:
n The <Start Timestamp> may be a date, a time, or both.
n If the date is omitted, then the command assumed the current
date.
n Enclose the <Start Timestamp> in single or double quotes
(-s '...', or -s "...").
n You cannot use the "-s" parameter together with the "-b"
parameter.
n See the date and time format below.

R81.10 Multi-Domain Security Management Administration Guide | 369

fw log

Parameter Description

-t This parameter:
1. Does not show the saved entries that match the specified
conditions.
2. After the command reaches the end of the currently opened log
file, it continues to monitor the log file indefinitely and shows the
new entries that match the specified conditions.
Note - Applies only to the active log file $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog

-u Specifies the path and name of the log unification scheme file.
<Unification The default log unification scheme file is:
Scheme File> $FWDIR/conf/log_unification_scheme.C

-w Shows the flags of each log entry (different bits used to specify the
"nature" of the log - for example, control, audit, accounting,
complementary, and so on).

-x <Start Shows only entries from the specified log entry number and below,
Entry Number> counting from the beginning of the log file.

-y <End Entry Shows only entries until the specified log entry number, counting from
Number> the beginning of the log file.

-z In case of an error (for example, wrong field value), continues to show

log entries.
The default behavior is to stop.

-# Show confidential logs in clear text.

<Log File> Specifies the log file to read.

If you do not specify the log file explicitly, the command opens the
$FWDIR/log/fw.log log file.
You can specify a switched log file.

R81.10 Multi-Domain Security Management Administration Guide | 370

fw log

Date and Time format

Part of timestamp Format Example

Date only MMM DD, YYYY June 11, 2018

Time only HH:MM:SS 14:20:00

Note - In this case, the command assumes
the current date.

Date and Time MMM DD, YYYY June 11, 2018

HH:MM:SS 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that show depends on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum

Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

Field Header Description Example

HeaderDateHour Date and Time 12Jun2018 12:56:42

ContentVersion Version 5

HighLevelLogKey High Level Log <max_null>, or empty

Key

Uuid Log UUID (0x5b1f99cb,0x0,0x3403a8c0,0xc00000

00)

SequenceNum Log Sequence 1

Number

R81.10 Multi-Domain Security Management Administration Guide | 371

fw log

Field Header Description Example

Flags Internal flags 428292

that specify the
"nature" of the
log - for
example,
control, audit,
accounting,
complementary,
and so on

Action Action n accept

performed on n dropreject
this connection n encrypt
n decrypt
n vpnroute
n keyinst
n authorize
n deauthorize
n authcrypt
n ctl

Origin Object name of MyGW

the Security
Gateway that
generated this
log

IfDir Traffic direction n <

through n >
interface:
n <-
Outbound
(sent by a
Security
Gateway)
n >-
Inbound
(received
by a
Security
Gateway)

R81.10 Multi-Domain Security Management Administration Guide | 372

fw log

Field Header Description Example

InterfaceName Name of the n eth0

Security n daemon
Gateway n N/A
interface, on
which this traffic
was logged
If a Security
Gateway
performed some
internal action
(for example,
log switch), then
the log entry
shows daemon

LogId Log ID 0

Alert Alert Type n alert

n mail
n snmp_trap
n spoof
n user_alert
n user_auth

OriginSicName SIC name of the CN=MyGW,O=MyDomain_

Security Server.checkpoint.com.s6t98x
Gateway that
generated this
log

inzone Inbound Local

Security Zone

outzone Outbound External

Security Zone

service_id Name of the ftp

service used to
inspect this
connection

R81.10 Multi-Domain Security Management Administration Guide | 373

fw log

Field Header Description Example

src Object name or MyHost

IP address of
the connection's
source
computer

dst Object name or MyFTPServer

IP address of
the connection's
destination
computer

proto Name of the tcp

connection's
protocol

sport_svc Source port of 64933

the connection

ProductName Name of the n VPN-1 & FireWall-1

Check Point n Application Control
product that n FloodGate-1
generated this
log

ProductFamily Name of the Network

Check Point
product family
that generated
this log

Examples
Example 1 - Show all log entries with both the date and the time for each log entry
fw log -l

R81.10 Multi-Domain Security Management Administration Guide | 374

fw log

Example 2 - Show all log entries that start after the specified timestamp
[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host
Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps

[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host
Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach
"https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2;
status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security
Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"

[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action:
drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_
Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_
table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_
uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_
START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933;
ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#

R81.10 Multi-Domain Security Management Administration Guide | 375

fw logswitch

Description
Switches the current active log file:
1. Closes the current active log file
2. Renames the current active log file
3. Creates a new active log file with the default name

Notes:
n By default, this command switches the active Security log file -
$FWDIR/log/fw.log
n You can specify to switch the active Audit log file - $FWDIR/log/fw.adtlog

Syntax

fw [-d] logswitch
[-audit] [<Name of Switched Log>]
-h <Target> [[+ | -]<Name of Switched Log>]

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-audit Specifies to switch the active Audit log file ($FWDIR/log/fw.adtlog).

You can use this parameter only on a Management Server.

-h Specifies the remote computer, on which to switch the log.

<Target> Notes:
n The local and the remote computers must have established SIC trust.
n The remote computer can be a Security Gateway, a Log Server, or a
Security Management Server in High Availability deployment.
n You can specify the remote managed computer by its main IP
address or Object Name as configured in SmartConsole.

R81.10 Multi-Domain Security Management Administration Guide | 376

fw logswitch

Parameter Description

<Name of Specifies the name of the switched log file.

Switched Notes:
Log>
n If you do not specify this parameter, then a default name is:
<YYYY-MM-DD_HHMMSS>.log
<YYYY-MM-DD_HHMMSS>.adtlog
For example, 2018-03-26_174455.log
n If you specify the name of the switched log file, then the name of the
switch log file is:
<Specified_Log_Name>.log
<Specified_Log_Name>.adtlog
n The log switch operation fails if the specified name for the switched
log matches the name of an existing log file.
n The maximal length of the specified name of the switched log file is
230 characters.

+ Specifies to copy the active log from the remote computer to the local
computer.
Notes:
n If you specify the name of the switched log file, you must write it
immediately after this + (plus) parameter.
n The command copies the active log from the remote computer and
saves it in the $FWDIR/log/ directory on the local computer.
n The default name of the saved log file is:
<Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
For example, MyGW__2018-03-26_174455.log
n If you specify the name of the switched log file, then the name of the
saved log file is:
<Gateway_Object_Name>__<Specified_Log_Name>.log
n When this command copies the log file from the remote computer, it
compresses the file.

R81.10 Multi-Domain Security Management Administration Guide | 377

fw logswitch

Parameter Description

- Specifies to transfer the active log from the remote computer to the local
computer.
Notes:
n The command saves the copied active log file in the $FWDIR/log/
directory on the local computer and then deletes the switched log file
on the remote computer.
n If you specify the name of the switched log file, you must write it
immediately after this - (minus) parameter.
n The default name of the saved log file is:
<Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
For example, MyGW__2018-03-26_174455.log
n If you specify the name of the switched log file, then the name of the
saved log file is:
<Gateway_Object_Name>__<Specified_Log_Name>.log
n When this command transfers the log file from the remote computer, it
compresses the file.
n As an alternative, you can use the "fw fetchlogs" on page 362
command.

Compression
When this command transfers the log files from the remote computer, it compresses the file
with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation
of LZ77 method. The compression ratio varies with the content of the log file and is difficult to
predict. Binary data are not compressed. Text data, such as user names and URLs, are
compressed.
Example - Switching the active Security log on a Security Management Server or Security
Gateway
[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server

[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 378

fw logswitch

Example - Switching the active Security log on a managed Security Gateway and copying the
switched log
[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R81.10/fw1/log/fw.log
/opt/CPsuite-R81.10/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R81.10/fw1/log/fw.log
/opt/CPsuite-R81.10/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

R81.10 Multi-Domain Security Management Administration Guide | 379

fw lslogs

Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files
($FWDIR/log/*.adtlog) residing on the local computer or a remote computer.

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]
... [-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime |
etime}] [<Target>]

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-f <Name Specifies the name of the log file to show. Need to specify name only.
of Log Notes:
File>
n If the log file name is not specified explicitly, the command shows all
Security log files ($FWDIR/log/*.log).
n File names may include * and ? as wildcards (for example, 2019-
0?-*). If you enter a wildcard, you must enclose it in double quotes or
single quotes.
n You can specify multiple log files in one command. You must use the
"-f" parameter for each log file name pattern:
-f <Name of Log File 1> -f <Name of Log File 2>
... -f <Name of Log File N>

-e Shows an extended file list. It includes the following information for each log
file:
n Size - The total size of the log file and its related pointer files
n Creation Time - The time the log file was created
n Closing Time - The time the log file was closed
n Log File Name - The file name

-r Reverses the sort order (descending order).

R81.10 Multi-Domain Security Management Administration Guide | 380

fw lslogs

Parameter Description

-s {name | Specifies the sort order of the log files using one of the following sort
size | options:
stime |
etime}
n name - The file name
n size - The file size
n stime - The time the log file was created (this is the default option)
n etime - The time the log file was closed

<Target> Specifies the remote Check Point computer, with which this local Check
Point computer has established SIC trust.
n If you run this command on a Security Management Server or
Domain Management Server, then <Target> is the applicable
object's name or main IP address of the Check Point Computer as
configured in SmartConsole.
n If you run this command on a Security Gateway or Cluster Member,
then <Target> is the main IP address of the applicable object as
configured in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB fw.log
[Expert@HostName:0]#

Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"

Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14" -f '2019-06-15'

Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 381

fw lslogs

Example 4 - Showing only log files specified by the patterns and their extended
information

[Expert@HostName:0]# fw lslogs -f "2019-06-14" -f '2019-06-15'

Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse
order

[Expert@HostName:0]# fw lslogs -f "2019-06-14" -f '2019-06-15' -e -s name -r

Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security
Gateway with main IP address 192.168.3.53

[Expert@MGMT:0]# fw lslogs -f "2019-06-14" -f '2019-06-15' 192.168.3.53

Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 382

fw mergefiles

Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
n Do not merge the active Security file $FWDIR/log/fw.log with other Security
switched log files.
Switch the active Security file $FWDIR/log/fw.log (with the "fw logswitch" on
page 376 command) and only then merge it with other Security switched log
files.
n Do not merge the active Audit file $FWDIR/log/fw.adtlog with other Audit
switched log files.
Switch the active Audit file $FWDIR/log/fw.adtlog (with the "fw logswitch"
on page 376 command) and only then merge it with other Audit switched log
files.
n This command unifies logs entries with the same Unique-ID (UID). If you rotate
the current active log file before all the segments of a specific log arrive, this
command merges the records with the same Unique ID from two different files,
into one fully detailed record.
n If the size of the final merged log file exceeds 2GB, this command creates a list
of merged files, where the size of each merged file size is not more than 2GB.
The user receives this warning:
Warning: The size of the files you have chosen to merge
is greater than 2GB. The merge will produce two or more
files.
The names of merged files are:
l <Name of Merged Log File>.log
l <Name of Merged Log File>_1.log
l <Name of Merged Log File>_2.log
l ... ...

l <Name of Merged Log File>_N.log

Syntax

fw [-d] mergefiles {-h | -help}

fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of
Log File 1> <Name of Log File 2> ... <Name of Log File N> <Name of
Merged Log File>

R81.10 Multi-Domain Security Management Administration Guide | 383

fw mergefiles

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then
redirect the output to a file, or use the script
command to save the entire CLI session.

{-h | -help} Shows the built-in usage.

-r Removes duplicate entries.

-s Sorts the merged file by the Time field in log records.

-t <Time Conversion Specifies a full path and name of a file that instructs this
File> command how to adjust the times during the merge.
This is required if you merge log files from Log Servers
configured with different time zones.
The file format is:
<IP Address of Log Server #1> <Signed
Date Time #1 in Seconds>
<IP Address of Log Server #2> <Signed
Date Time #2 in Seconds>
... ...
Notes
n You must specify the absolute path and the file
name.
n The name of the time conversion file cannot
exceed 230 characters.

<Name of Log File 1> Specifies the log files to merge.

... <Name of Log File Notes:
N>
n You must specify the absolute path and the
name of the input log files.
n The name of the input log file cannot exceed
230 characters.

R81.10 Multi-Domain Security Management Administration Guide | 384

fw mergefiles

Parameter Description

<Name of Merged Log Specifies the output merged log file.

File> Notes:
n The name of the merged log file cannot
exceed 230 characters.
n If a file with the specified name already exists,
the command stops and asks you to remove
the existing file, or to specify another name.
n The size of the merged log file cannot exceed
2 GB. In such scenario, the command creates
several merged log files, each not exceeding
the size limit.

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log
$FWDIR/2019-09-10_000000.log /var/log/2019-Sep-Merged.log
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/2019-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2019-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2019-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2019-Sep-Merged.logptr
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 385

fw repairlog

Description
Check Point Security log file ($FWDIR/log/*.log) and Audit log files
($FWDIR/log/*.adtlog) are databases, with special pointer files.
If these log pointer files become corrupted (which causes the inability to read the log file), this
command can rebuild them.

Log File Type Log File Location Log Pointer Files

Security log $FWDIR/log/.log .logptr

*.logaccount_ptr
*.loginitial_ptr
*.logLuuidDB

Audit log $FWDIR/log/.adtlog .adtlogptr

*.adtlogaccount_ptr
*.adtloginitial_ptr
*.adtlogLuuidDB

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then
redirect the output to a file, or use the script
command to save the entire CLI session.

-u Specifies to rebuild the unification chains in the log file.

<Name of Log File> The name of the log file to repair.

Example - Repairing the Audit log file

fw repairlog -u 2019-06-17_000000.adtlog

R81.10 Multi-Domain Security Management Administration Guide | 386

fw sam

Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block
connections to and from IP addresses without the need to change or reinstall the Security
Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
n In SmartConsole from Monitoring Results
n In CLI with the fw sam command

Notes:
n VSX Gateways and VSX Cluster Members do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.
n See the "fw sam_policy" on page 395 and "sam_alert" on page 523 commands.
n SAM rules consume some CPU resources on Security Gateway.
Best Practice - The SAM Policy rules consume some CPU resources on
Security Gateway. Set an expiration for rules that gives you time to
investigate, but does not affect performance. Keep only the required SAM
Policy rules. If you confirm that an activity is risky, edit the Security Policy,
educate users, or otherwise handle the risk.
n Logs for enforced SAM rules (configured with the fw sam command) are stored
in the $FWDIR/log/sam.dat file.
By design, the file is purged when the number of stored entries reaches
100,000.
This data log file contains the records in one of these formats:
<type>,<actions>,<expire>,<ipaddr>

<type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
n SAM Requests are stored on the Security Gateway in the kernel table sam_
requests.
n IP Addresses that are blocked by SAM rules, are stored on the Security
Gateway in the kernel table sam_blocked_ips.

Note - To configure SAM Server settings for a Security Gateway or Cluster:

1. Connect with SmartConsole to the applicable Security Management Server or
Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.

R81.10 Multi-Domain Security Management Administration Guide | 387

fw sam

Syntax
n To add or cancel a SAM rule according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM
Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log
Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

n To delete all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM
Server>] [-f <Security Gateway>] -D

n To monitor all SAM rules:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM
Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

n To monitor SAM rules according to criteria:

fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM
Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q}
<Criteria>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-v Enables verbose mode.

In this mode, the command writes one message to stderr for each Security
Gateway, on which the command is enforced. These messages show
whether the command was successful or not.

-s <SAM Specifies the IP address (in the X.X.X.X format) or resolvable HostName of
Server> the Security Gateway that enforces the command.
The default is localhost.

R81.10 Multi-Domain Security Management Administration Guide | 388

fw sam

Parameter Description

-S <SIC Specifies the SIC name for the SAM server to be contacted. It is expected
Name of that the SAM server has this SIC name, otherwise the connection fails.
SAM Notes:
Server>
n If you do not explicitly specify the SIC name, the connection
continues without SIC names comparison.
n For more information about enabling SIC, refer to the OPSEC
API Specification.
n On VSX Gateway, run the fw vsx showncs -vs <VSID> command
to show the SIC name for the applicable Virtual System.

-f Specifies the Security Gateway, on which to enforce the action.

<Security <Security Gateway> can be one of these:
Gateway>
n All - Default. Specifies to enforce the action on all managed Security
Gateways, where SAM Server runs.
You can use this syntax only on Security Management Server or
Domain Management Server.
n localhost - Specifies to enforce the action on this local Check Point
computer (on which the fw sam command is executed).
You can use this syntax only on Security Gateway or StandAlone.
n Gateways - Specifies to enforce the action on all objects defined as
Security Gateways, on which SAM Server runs.
You can use this syntax only on Security Management Server or
Domain Management Server.
n Name of Security Gateway object - Specifies to enforce the action on
this specific Security Gateway object.
You can use this syntax only on Security Management Server or
Domain Management Server.
n Name of Group object - Specifies to enforce the action on all specific
Security Gateways in this Group object.

Notes:
n You can use this syntax only on Security Management Server or
Domain Management Server.
n VSX Gateways and VSX Cluster Members do not support
Suspicious Activity Monitoring (SAM) Rules. See sk79700.

-D Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
Notes:
n To "uninhibit" the inhibited connections, run the fw sam
command with the "-C" or "-D" parameters.
n It is also possible to use this command for active SAM requests.

R81.10 Multi-Domain Security Management Administration Guide | 389

fw sam

Parameter Description

-C Cancels the fw sam command to inhibit connections with the specified

parameters.
Notes:
n These connections are no longer inhibited (no longer rejected or
dropped).
n The command parameters must match the parameters in the
original fw sam command, except for the -t <Timeout>
parameter.

-t Specifies the time period (in seconds), during which the action is enforced.
<Timeout> The default is forever, or until you cancel the fw sam command.

-l <Log Specifies the type of the log for enforced action:

Type>
n nolog - Does not generate Log / Alert at all
n short_noalert - Generates a Log
n short_alert - Generates an Alert
n long_noalert - Generates a Log
n long_alert - Generates an Alert (this is the default)

-e Specifies rule information based on the keys and the provided values.
<key=val>+ Multiple keys are separated by the plus sign (+).
Available keys are (each is limited to 100 characters):
n name - Security rule name
n comment - Security rule comment
n originator - Security rule originator's username

-r Specifies not to resolve IP addresses.

-n Specifies to generate a "Notify" long-format log entry.

Notes:
n This parameter generates an alert when connections that match
the specified services or IP addresses pass through the Security
Gateway.
n This action does not inhibit / close connections.

-i Inhibits (drops or rejects) new connections with the specified parameters.

Notes:
n Each inhibited connection is logged according to the log type.
n Matching connections are rejected.

R81.10 Multi-Domain Security Management Administration Guide | 390

fw sam

Parameter Description

-I Inhibits (drops or rejects) new connections with the specified parameters,

and closes all existing connections with the specified parameters.
Notes:
n Matching connections are rejected.
n Each inhibited connection is logged according to the log type.

-j Inhibits (drops or rejects) new connections with the specified parameters.

Notes:
n Matching connections are dropped.
n Each inhibited connection is logged according to the log type.

-J Inhibits new connections with the specified parameters, and closes all
existing connections with the specified parameters.
Notes:
n Matching connections are dropped.
n Each inhibited connection is logged according to the log type.

-b Bypasses new connections with the specified parameters.

-q Quarantines new connections with the specified parameters.

-M Monitors the active SAM requests with the specified actions and criteria.

all Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria> Criteria are used to match connections.

The criteria and are composed of various combinations of the following
parameters:
n Source IP Address
n Source Netmask
n Destination IP Address
n Destination Netmask
n Port (see IANA Service Name and Port Number Registry)
n Protocol Number (see IANA Protocol Numbers)

R81.10 Multi-Domain Security Management Administration Guide | 391

fw sam

Parameter Description

Possible combinations are (see the explanations below this table):

n src <IP>
n dst <IP>
n any <IP>
n subsrc <IP> <Netmask>
n subdst <IP> <Netmask>
n subany <IP> <Netmask>
n srv <Src IP> <Dest IP> <Port> <Protocol>
n subsrv <Src IP> <Src Netmask> <Dest IP> <Dest
Netmask> <Port> <Protocol>
n subsrvs <Src IP> <Src Netmask> <Dest IP> <Port>
<Protocol>
n subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port>
<Protocol>
n dstsrv <Dest IP> <Port> <Protocol>
n subdstsrv <Dest IP> <Dest Netmask> <Port>
<Protocol>
n srcpr <IP> <Protocol>
n dstpr <IP> <Protocol>
n subsrcpr <IP> <Netmask> <Protocol>
n subdstpr <IP> <Netmask> <Protocol>
n generic <key=val>

Explanation for the <Criteria> syntax

Parameter Description

src <IP> Matches the Source IP address of the connection.

dst <IP> Matches the Destination IP address of the

connection.

any <IP> Matches either the Source IP address or the

Destination IP address of the connection.

subsrc <IP> <Netmask> Matches the Source IP address of the connections

according to the netmask.

subdst <IP> <Netmask> Matches the Destination IP address of the

connections according to the netmask.

R81.10 Multi-Domain Security Management Administration Guide | 392

fw sam

Parameter Description

subany <IP> <Netmask> Matches either the Source IP address or

Destination IP address of connections according to
the netmask.

srv <Src IP> <Dest IP> Matches the specific Source IP address,
<Port> <Protocol> Destination IP address, Service (port number) and
Protocol.

subsrv <Src IP> <Netmask> Matches the specific Source IP address,

<Dest IP> <Netmask> <Port> Destination IP address, Service (port number) and
<Protocol> Protocol.
Source and Destination IP addresses are assigned
according to the netmask.

subsrvs <Src IP> <Src Matches the specific Source IP address, source
Netmask> <Dest IP> <Port> netmask, destination netmask, Service (port
<Protocol> number) and Protocol.

subsrvd <Src IP> <Dest IP> Matches specific Source IP address, Destination
<Dest Netmask> <Port> IP, destination netmask, Service (port number) and
<Protocol> Protocol.

dstsrv <Dest IP> <Service> Matches specific Destination IP address, Service

<Protocol> (port number) and Protocol.

subdstsrv <Dest IP> Matches specific Destination IP address, Service

<Netmask> <Port> <Protocol> (port number) and Protocol.
Destination IP address is assigned according to
the netmask.

srcpr <IP> <Protocol> Matches the Source IP address and protocol.

dstpr <IP> <Protocol> Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> Matches the Source IP address and protocol of

<Protocol> connections.
Source IP address is assigned according to the
netmask.

subdstpr <IP> <Netmask> Matches the Destination IP address and protocol of

<Protocol> connections.
Destination IP address is assigned according to
the netmask.

R81.10 Multi-Domain Security Management Administration Guide | 393

fw sam

Parameter Description

generic <key=val>+ Matches the GTP connections based on the

specified keys and provided values.
Multiple keys are separated by the plus sign (+).
Available keys are:
n service=gtp
n imsi
n msisdn
n apn
n tunl_dst
n tunl_dport
n tunl_proto

R81.10 Multi-Domain Security Management Administration Guide | 394

fw sam_policy

Description
Manages the Suspicious Activity Policy editor that works with these types of rules:
n Suspicious Activity Monitoring (SAM) rules.
See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
n Rate Limiting rules.
See sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
n "fw sam" on page 387
n "sam_alert" on page 523

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.

n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands, survives reboot.
n VSX mode does not support Suspicious Activity Policy configured in SmartView
Monitor. See sk79700.
n In VSX mode, you must go to the context of an applicable Virtual System.
l In Gaia Clish, run: set virtual-system <VSID>

l In the Expert mode, run: vsenv <VSID>

n In a Cluster, you must configure all the Cluster Members in the same way.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

R81.10 Multi-Domain Security Management Administration Guide | 395

fw sam_policy

Syntax for IPv4

fw [-d] sam_policy
add <options>
batch
del <options>
get <options>
fw [-d] samp
add <options>
batch
del <options>
get <options>

Syntax for IPv6

fw6 [-d] sam_policy

add <options>
batch
del <options>
get <options>
fw6 [-d] samp
add <options>
batch
del <options>
get <options>

R81.10 Multi-Domain Security Management Administration Guide | 396

fw sam_policy

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then
redirect the output to a file, or use the script
command to save the entire CLI session.

add <options> Adds one Rate Limiting rule one at a time.

See "fw sam_policy add" on page 398.

batch Adds or deletes many Rate Limiting rules at a time.

See "fw sam_policy batch" on page 411.

del <options> Deletes one configured Rate Limiting rule one at a time.
See "fw sam_policy del" on page 413.

get <options> Shows all the configured Rate Limiting rules.

See "fw sam_policy get" on page 416.

R81.10 Multi-Domain Security Management Administration Guide | 397

fw sam_policy add

Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
n Add one Suspicious Activity Monitoring (SAM) rule at a time.
n Add one Rate Limiting rule at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.

n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

l In the Expert mode, run: vsenv <VSID>

n In a Cluster, you must configure all the Cluster Members in the same way.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>]

[-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule
Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>]
[-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule
Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

R81.10 Multi-Domain Security Management Administration Guide | 398

fw sam_policy add

Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>]

[-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule
Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>]
[-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule
Originator">] [-z "<Zone>"] quota <Quota Filter Arguments

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

-u Optional.
Specifies that the rule category is User-defined.
Default rule category is Auto.

-a {d | n | Mandatory.
b} Specifies the rule action if the traffic matches the rule conditions:
n d - Drop the connection.
n n - Notify (generate a log) about the connection and let it through.
n b - Bypass the connection - let it through without checking it against
the policy rules.
Note - Rules with action set to Bypass cannot have a log or limit
specification. Bypassed packets and connections do not count
towards overall number of packets and connection for limit
enforcement of type ratio.

-l {r | a} Optional.
Specifies which type of log to generate for this rule for all traffic that
matches:
n -r - Generate a regular log
n -a - Generate an alert log

R81.10 Multi-Domain Security Management Administration Guide | 399

fw sam_policy add

Parameter Description

-t Optional.
<Timeout> Specifies the time period (in seconds), during which the rule will be
enforced.
Default timeout is indefinite.

-f <Target> Optional.
Specifies the target Security Gateways, on which to enforce the Rate
Limiting rule.
<Target> can be one of these:
n all - This is the default option. Specifies that the rule should be
enforced on all managed Security Gateways.
n Name of the Security Gateway or Cluster object - Specifies that the
rule should be enforced only on this Security Gateway or Cluster
object (the object name must be as defined in the SmartConsole).
n Name of the Group object - Specifies that the rule should be
enforced on all Security Gateways that are members of this Group
object (the object name must be as defined in the SmartConsole).

-n "<Rule Optional.
Name>" Specifies the name (label) for this rule.
Notes:
n You must enclose this string in double quotes.
n The length of this string is limited to 128 characters.
n Before each space or a backslash character in this string, you must
write a backslash (\) character. Example:
"This\ is\ a\ rule\ name\ with\ a\ backslash\
\\"

-c "<Rule Optional.
Comment>" Specifies the comment for this rule.
Notes:
n You must enclose this string in double quotes.
n The length of this string is limited to 128 characters.
n Before each space or a backslash character in this string, you must
write a backslash (\) character. Example:
"This\ is\ a\ comment\ with\ a\ backslash\ \\"

R81.10 Multi-Domain Security Management Administration Guide | 400

fw sam_policy add

Parameter Description

-o "<Rule Optional.
Originator Specifies the name of the originator for this rule.
>" Notes:
n You must enclose this string in double quotes.
n The length of this string is limited to 128 characters.
n Before each space or a backslash character in this string, you must
write a backslash (\) character. Example:
"Created\ by\ John\ Doe"

-z "<Zone>" Optional.
Specifies the name of the Security Zone for this rule.
Notes:
n You must enclose this string in double quotes.
n The length of this string is limited to 128 characters.

ip <IP Mandatory (use this ip parameter, or the quota parameter).

Filter Configures the Suspicious Activity Monitoring (SAM) rule.
Arguments> Specifies the IP Filter Arguments for the SAM rule (you must use at least
one of these options):
[-C] [-s <Source IP>] [-m <Source Mask>] [-d
<Destination IP>] [-M <Destination Mask>] [-p
<Port>] [-r <Protocol>]
See the explanations below.

R81.10 Multi-Domain Security Management Administration Guide | 401

fw sam_policy add

Parameter Description

quota Mandatory (use this quota parameter, or the ip parameter).

<Quota Configures the Rate Limiting rule.
Filter Specifies the Quota Filter Arguments for the Rate Limiting rule (see the
Arguments> explanations below):
n [flush true]
n [source-negated {true | false}] source <Source>
n [destination-negated {true | false}] destination
<Destination>
n [service-negated {true | false}] service
<Protocol and Port numbers>
n [<Limit1 Name> <Limit1 Value>] [<Limit2 Name>
<Limit2 Value>] ...[<LimitN Name> <LimitN
Value>]
n [track <Track>]

Important:
n The Quota rules are not applied immediately to the Security
Gateway. They are only registered in the Suspicious Activity
Monitoring (SAM) policy database. To apply all the rules from
the SAM policy database immediately, add "flush true" in
the fw samp add command syntax.
n Explanation:
For new connections rate (and for any rate limiting in general),
when a rule's limit is violated, the Security Gateway also drops
all packets that match the rule.
The Security Gateway computes new connection rates on a
per-second basis.
At the start of the 1-second timer, the Security Gateway allows
all packets, including packets for existing connections.
If, at some point, during that 1 second period, there are too
many new connections, then the Security Gateway blocks all
remaining packets for the remainder of that 1-second interval.
At the start of the next 1-second interval, the counters are
reset, and the process starts over - the Security Gateway
allows packets to pass again up to the point, where the rule’s
limit is violated.

R81.10 Multi-Domain Security Management Administration Guide | 402

fw sam_policy add

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM)
rules

Argument Description

-C Specifies that open connections should be closed.

-s <Source IP> Specifies the Source IP address.

-m <Source Mask> Specifies the Source subnet mask (in dotted decimal format -
x.y.z.w).

-d <Destination Specifies the Destination IP address.

IP>

-M <Destination Specifies the Destination subnet mask (in dotted decimal format -
Mask> x.y.z.w).

-p <Port> Specifies the port number (see IANA Service Name and Port
Number Registry).

-r <Protocol> Specifies the protocol number (see IANA Protocol Numbers).

R81.10 Multi-Domain Security Management Administration Guide | 403

fw sam_policy add

Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument Description

flush true Specifies to compile and load the quota rule to the
SecureXL immediately.

[source-negated {true | Specifies the source type and its value:

false}] source <Source>
n any
The rule is applied to packets sent from all
sources.
n range:<IP Address>
or
range:<IP Address Start>-<IP
Address End>
The rule is applied to packets sent from:
l Specified IPv4 addresses (x.y.z.w)

l Specified IPv6 addresses

(xxxx:yyyy:...:zzzz)
n cidr:<IP Address>/<Prefix>
The rule is applied to packets sent from:
l IPv4 address with Prefix from 0 to 32

l IPv6 address with Prefix from 0 to 128

n cc:<Country Code>
The rule matches the country code to the
source IP addresses assigned to this
country, based on the Geo IP database.
The two-letter codes are defined in ISO
3166-1 alpha-2.
n asn:<Autonomous System Number>
The rule matches the AS number of the
organization to the source IP addresses that
are assigned to this organization, based on
the Geo IP database.
The valid syntax is ASnnnn, where nnnn is a
number unique to the specific organization.
Notes:
n Default is: source-negated false
n The source-negated true processes all
source types, except the specified type.

R81.10 Multi-Domain Security Management Administration Guide | 404

fw sam_policy add

Argument Description

[destination-negated {true Specifies the destination type and its value:

| false}] destination
n any
<Destination>
The rule is applied to packets sent to all
destinations.
n range:<IP Address>
or
range:<IP Address Start>-<IP
Address End>
The rule is applied to packets sent to:
l Specified IPv4 addresses (x.y.z.w)

l Specified IPv6 addresses

(xxxx:yyyy:...:zzzz)
n cidr:<IP Address>/<Prefix>
The rule is applied to packets sent to:
l IPv4 address with Prefix from 0 to 32

l IPv6 address with Prefix from 0 to 128

n cc:<Country Code>
The rule matches the country code to the
destination IP addresses assigned to this
country, based on the Geo IP database.
The two-letter codes are defined in ISO
3166-1 alpha-2.
n asn:<Autonomous System Number>
The rule matches the AS number of the
organization to the destination IP addresses
that are assigned to this organization, based
on the Geo IP database.
The valid syntax is ASnnnn, where nnnn is a
number unique to the specific organization.
Notes:
n Default is: destination-negated false
n The destination-negated true will
process all destination types except the
specified type

R81.10 Multi-Domain Security Management Administration Guide | 405

fw sam_policy add

Argument Description

[service-negated {true | Specifies the Protocol number (see IANA Protocol

false}] service <Protocol Numbers) and Port number (see IANA Service
and Port numbers> Name and Port Number Registry):
n <Protocol>
IP protocol number in the range 1-255
n <Protocol Start>-<Protocol End>
Range of IP protocol numbers
n <Protocol>/<Port>
IP protocol number in the range 1-255 and
TCP/UDP port number in the range 1-65535
n <Protocol>/<Port Start>-<Port
End>
IP protocol number and range of TCP/UDP
port numbers from 1 to 65535
Notes:
n Default is: service-negated false
n The service-negated true will process
all traffic except the traffic with the specified
protocols and ports

R81.10 Multi-Domain Security Management Administration Guide | 406

fw sam_policy add

Argument Description

[<Limit 1 Name> <Limit 1 Specifies quota limits and their values.

Value>] [<Limit 2 Name> Note - Separate multiple quota limits with spaces.
<Limit 2 Value>] ...
n concurrent-conns <Value>
[<Limit N Name> <Limit N
Value>] Specifies the maximal number of concurrent
active connections that match this rule.
n concurrent-conns-ratio <Value>
Specifies the maximal ratio of the
concurrent-conns value to the total number
of active connections through the Security
Gateway, expressed in parts per 65536
(formula: N / 65536).
n pkt-rate <Value>
Specifies the maximum number of packets
per second that match this rule.
n pkt-rate-ratio <Value>
Specifies the maximal ratio of the pkt-rate
value to the rate of all connections through
the Security Gateway, expressed in parts per
65536 (formula: N / 65536).
n byte-rate <Value>
Specifies the maximal total number of bytes
per second in packets that match this rule.
n byte-rate-ratio <Value>
Specifies the maximal ratio of the byte-rate
value to the bytes per second rate of all
connections through the Security Gateway,
expressed in parts per 65536 (formula: N /
65536).
n new-conn-rate <Value>
Specifies the maximal number of
connections per second that match the rule.
n new-conn-rate-ratio <Value>
Specifies the maximal ratio of the new-conn-
rate value to the rate of all connections per
second through the Security Gateway,
expressed in parts per 65536 (formula: N /
65536).

R81.10 Multi-Domain Security Management Administration Guide | 407

fw sam_policy add

Argument Description

[track <Track>] Specifies the tracking option:

n source
Counts connections, packets, and bytes for
specific source IP address, and not
cumulatively for this rule.
n source-service
Counts connections, packets, and bytes for
specific source IP address, and for specific
IP protocol and destination port, and not
cumulatively for this rule.

Examples
Example 1 - Rate Limiting rule with a range
fw sam_policy add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
n This rule drops packets for all connections (-a d) that exceed the quota set by this
rule, including packets for existing connections.
n This rule logs packets (-l r) that exceed the quota set by this rule.
n This rule will expire in 3600 seconds (-t 3600).
n This rule limits the rate of creation of new connections to 5 connections per second
(new-conn-rate 5) for any traffic (service any) from the source IP addresses in
the range 172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-
172.16.7.13).

Note - The limit of the total number of log entries per second is configured with the
fwaccel dos config set -n <rate> command.
n This rule will be compiled and loaded on the SecureXL, together with other rules in the
Suspicious Activity Monitoring (SAM) policy database immediately, because this rule
includes the "flush true" parameter.

R81.10 Multi-Domain Security Management Administration Guide | 408

fw sam_policy add

Example 2 - Rate Limiting rule with a service specification

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
n This rule logs and lets through all packets (-a n) that exceed the quota set by this
rule.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you
must delete it explicitly.
n This rule applies to all packets except (service-negated true) the packets with
IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-
51,6/443,17/53).
n This rule applies to all packets from source IP addresses that are assigned to the
country with specified country code (cc:QQ).
n This rule does not let any traffic through (byte-rate 0) except the packets with IP
protocol number 1, 50-51, 6 port 443 and 17 port 53.
n This rule will not be compiled and installed on the SecureXL immediately, because it
does not include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN

fw sam_policy -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
n This rule drops (-a d) all packets that match this rule.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you
must delete it explicitly.
n This rule applies to packets from the Autonomous System number 64500
(asn:AS64500).
n This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120
(cidr:[::FFFF:C0A8:1100]/120).
n This rule applies to all traffic (service any).
n This rule does not let any traffic through (pkt-rate 0).
n This rule will not be compiled and installed on the SecureXL immediately, because it
does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with whitelist

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:

R81.10 Multi-Domain Security Management Administration Guide | 409

fw sam_policy add

n This rule bypasses (-a b) all packets that match this rule.
Note - The Access Control Policy and other types of security policy rules still apply.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you
must delete it explicitly.
n This rule applies to packets from the source IP addresses in the range 172.16.8.17 -
172.16.9.121 (range:172.16.8.17-172.16.9.121).
n This rule applies to packets sent to TCP port 80 (service 6/80).
n This rule will not be compiled and installed on the SecureXL immediately, because it
does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking

fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
n This rule drops (-a d) all packets that match this rule.
n This rule does not log any packets (the -l r parameter is not specified).
n This rule does not expire (the timeout parameter is not specified). To cancel it, you
must delete it explicitly.
n This rule applies to all traffic (service any).
n This rule applies to all sources except (source-negated true) the source IP
addresses that are assigned to the country with specified country code (cc:QQ).
n This rule limits the maximal number of concurrent active connections to
655/65536=~1% (concurrent-conns-ratio 655) for any traffic (service any)
except (service-negated true) the connections from the source IP addresses
that are assigned to the country with specified country code (cc:QQ).
n This rule counts connections, packets, and bytes for traffic only from sources that
match this rule, and not cumulatively for this rule.
n This rule will not be compiled and installed on the SecureXL immediately, because it
does not include the "flush true" parameter.

R81.10 Multi-Domain Security Management Administration Guide | 410

fw sam_policy batch

Description
The "fw sam_policy batch" and "fw6 sam_policy batch" commands:
n Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
n Add and delete many Rate Limiting rules at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.

n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

l In the Expert mode, run: vsenv <VSID>

n In a Cluster, you must configure all the Cluster Members in the same way.

Procedure
1. Start the batch mode

n For IPv4, run:

fw sam_policy batch << EOF

n For IPv6, run:

fw6 sam_policy batch << EOF

R81.10 Multi-Domain Security Management Administration Guide | 411

fw sam_policy batch

2. Enter the applicable commands

n Enter one "add" or "del" command on each line, on as many lines as

necessary.
Start each line with only "add" or "del" parameter (not with "fw samp").
n Use the same set of parameters and values as described in these commands:
l "fw sam_policy add" on page 398
l "fw sam_policy del" on page 413
n Terminate each line with a Return (ASCII 10 - Line Feed) character (press
Enter).

3. End the batch mode

Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF

add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources" quota service
any source range:172.16.7.13-172.16.7.13 new-conn-rate 5

del <501f6ef0,00000000,cb38a8c0,0a0afffe>

add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

EOF
[Expert@HostName]#

R81.10 Multi-Domain Security Management Administration Guide | 412

fw sam_policy del

Description
The "fw sam_policy del" and "fw6 sam_policy del" commands:
n Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
n Delete one configured Rate Limiting rule at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.

n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

l In the Expert mode, run: vsenv <VSID>

n In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'

R81.10 Multi-Domain Security Management Administration Guide | 413

fw sam_policy del

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter,
then redirect the output to a file, or use the
script command to save the entire CLI
session.

'<Rule UID>' Specifies the UID of the rule you wish to delete.
Important:
n The quote marks and angle brackets
('<...>') are mandatory.
n See "fw sam_policy get" on
page 416.

Procedure
1. List all the existing rules in the Suspicious Activity Monitoring policy database

List all the existing rules in the Suspicious Activity Monitoring policy database.
n For IPv4, run:

fw sam_policy get

n For IPv6, run:

fw6 sam_policy get

The rules show in this format:

operation=add uid=<Value1,Value2,Value3,Value4> target=...

timeout=... action=... log= ... name= ... comment=...
originator= ... src_ip_addr=... req_tpe=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a>
target=all timeout=300 action=notify log=log name=Test\ Rule
comment=Notify\ about\ traffic\ from\ 1.1.1.1
originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

R81.10 Multi-Domain Security Management Administration Guide | 414

fw sam_policy del

2. Delete a rule from the list by its UID

n For IPv4, run:

fw [-d] sam_policy del '<Rule UID>'

n For IPv6, run:

fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

3. Add the flush-only rule

n For IPv4, run:

fw samp add -t 2 quota flush true

n For IPv6, run:

fw6 samp add -t 2 quota flush true

Explanation:
The "fw samp del" and "fw6 samp del" commands only remove a rule from the
persistent database. The Security Gateway continues to enforce the deleted rule until
the next time you compiled and load a policy. To force the rule deletion immediately,
you must enter a flush-only rule right after the "fw samp del" and "fw6 samp del"
command. This flush-only rule immediately deletes the rule you specified in the
previous step, and times out in 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This
prevents accumulation of rules that are obsolete in the database.

R81.10 Multi-Domain Security Management Administration Guide | 415

fw sam_policy get

Description
The "fw sam_policy get" and "fw6 sam_policy get" commands:
n Show all the configured Suspicious Activity Monitoring (SAM) rules.
n Show all the configured Rate Limiting rules.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.

n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

l In the Expert mode, run: vsenv <VSID>

n In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t

<Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t
<Type> [+{-v '<Value>'}] [-n]]

R81.10 Multi-Domain Security Management Administration Guide | 416

fw sam_policy get

Parameters
Note - All these parameters are optional.

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.

-l Controls how to print the rules:

n In the default format (without "-l"), the output shows each rule on
a separate line.
n In the list format (with "-l"), the output shows each parameter of a
rule on a separate line.
n See "fw sam_policy add" on page 398.

-u '<Rule Prints the rule specified by its Rule UID or its zero-based rule index.
UID>' The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>' Prints the rules with the specified predicate key.

The quote marks are mandatory.

-t <Type> Prints the rules with the specified predicate type.

For Rate Limiting rules, you must always use "-t in".

+{-v Prints the rules with the specified predicate values.

'<Value>'} The quote marks are mandatory.

-n Negates the condition specified by these predicate parameters:

n -k
n -t
n +-v

Examples
Example 1 - Output in the default format
[Expert@HostName:0]# fw samp get

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify

log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe
src_ip_addr=1.1.1.1 req_tpe=ip

R81.10 Multi-Domain Security Management Administration Guide | 417

fw sam_policy get

Example 2 - Output in the list format

[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip

Example 3 - Printing a rule by its Rule UID

[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify
log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe
src_ip_addr=1.1.1.1 req_tpe=ip

R81.10 Multi-Domain Security Management Administration Guide | 418

fw sam_policy get

Example 4 - Printing rules that match the specified filters

R81.10 Multi-Domain Security Management Administration Guide | 419

fw sam_policy get

[Expert@HostName:0]# fw samp get

no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source
range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated
true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service
6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ
concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite
action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655
track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop
log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_
type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite
action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite
action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-
rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite
action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite
action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-
rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite
action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655
track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite
action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-
rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop
log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_
type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite
action=bypass source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite
action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655
track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite
action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-
rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop
log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_
type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite

R81.10 Multi-Domain Security Management Administration Guide | 420

fw sam_policy get

action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655

track=source req_type=quota
[Expert@HostName:0]#

R81.10 Multi-Domain Security Management Administration Guide | 421

fwm

fwm
Description
Performs various management operations and shows various management information.

Notes:
n For debug instructions, see the description of the fwm process in sk97638.
n On a Multi-Domain Server, you must run these commands in the context of the
applicable Domain Management Server.

Syntax

fwm [-d]
dbload <options>
exportcert <options>
fetchfile <options>
fingerprint <options>
getpcap <options>
ikecrypt <options>
load [<options>]
logexport <options>
mds <options>
printcert <options>
sic_reset
snmp_trap <options>
unload [<options>]
ver [<options>]
verify <options>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

R81.10 Multi-Domain Security Management Administration Guide | 422

fwm

Parameter Description

dbload Downloads the user database and network objects information to the
<options> specified targets
See "fwm dbload" on page 425.

exportcert Export a SIC certificate of the specified object to file.

<options> See "fwm exportcert" on page 426.

fetchfile Fetches a specified OPSEC configuration file from the specified source
<options> computer.
See "fwm fetchfile" on page 427.

fingerprint Shows the Check Point fingerprint.

<options> See "fwm fingerprint" on page 429.

getpcap Fetches the IPS packet capture data from the specified Security
<options> Gateway.
See "fwm getpcap" on page 431.

ikecrypt Encrypts a secret with a key.

<options> See "fwm ikecrypt" on page 433.

load This command is obsolete for R80 and higher.

<options> Use the "mgmt_cli" on page 507 command to load a policy to a
managed Security Gateway.
See "fwm load" on page 434.

logexport Exports a Security log file ($FWDIR/log/*.log) or Audit log file

<options> ($FWDIR/log/*.adtlog) to an ASCII file.
See "fwm logexport" on page 435.

mds <options> Shows information and performs various operations on Multi-Domain

Server.
See "fwm mds" on page 440.

printcert Shows a SIC certificate's details.

<options> See "fwm printcert" on page 442.

sic_reset Resets SIC on the Management Server.

See "fwm sic_reset" on page 448.

snmp_trap Sends an SNMP Trap to the specified host.

<options> See "fwm snmp_trap" on page 449.

unload Unloads the policy from the specified managed Security Gateways.
<options> See "fwm unload" on page 452.

R81.10 Multi-Domain Security Management Administration Guide | 423

fwm

Parameter Description

ver <options> Shows the Check Point version of the Management Server.
See "fwm ver" on page 456.

verify This command is obsolete for R80 and higher.

<options> Use the "mgmt_cli" on page 507 command to verify a policy.
See "fwm verify" on page 457.

R81.10 Multi-Domain Security Management Administration Guide | 424

fwm dbload

Description
Copies the user database and network objects information to specified managed servers with
one or more Management Software Blades enabled.

Important - This command is obsolete for R80 and higher.

Use the API command "install-database" to install the database on the
applicable servers.
See the Check Point Management API Reference.

R81.10 Multi-Domain Security Management Administration Guide | 425

fwm exportcert

Description
Export a SIC certificate of the specified managed object to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file
<Output File> [-withroot] [-pem]

Parameters

Parameter Description

-d Runs the command in debug mode.

<Name of Specifies the name of the managed object, whose certificate you wish
Object> to export.

<Name of CA> Specifies the name of Certificate Authority, whose certificate you wish
to export.

<Output File> Specifies the name of the output file.

-withroot Exports the certificate's root in addition to the certificate's content.

-pem Save the exported information in a text file.

Default is to save in a binary file.

R81.10 Multi-Domain Security Management Administration Guide | 426

fwm fetchfile

Description
Fetches a specified OPSEC configuration file from the specified source computer.
This command supports only the fwopsec.conf or fwopsec.v4x files.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.

-r <File> Specifies the relative fw1 directory.

This command supports only these files:
n conf/fwopsec.conf
n conf/fwopsec.v4x

-d <Local Specifies the local directory to save the fetched file.

Path>

<Source> Specifies the managed remote source computer, from which to fetch
the file.
Note - The local and the remote source computers must have
established SIC trust.

R81.10 Multi-Domain Security Management Administration Guide | 427

fwm fetchfile

Example

[Expert@MGMT:0]# fwm fetchfile -r "conf/fwopsec.conf" -d /tmp 192.168.3.52

Fetching conf/fwopsec.conf from 192.168.3.52...
Done
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 428

fwm fingerprint

Description
Shows the Check Point fingerprint.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fingerprint [-d]

<IP address of Target> <SSL Port>
localhost <SSL Port>

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the
entire CLI session.
The debug options are:
n fwm -d
Runs the complete debug of all fwm actions.
For complete debug instructions, see the description of the
fwm process in sk97638.
n fingerprint -d
Runs the debug only for the fingerprint actions.

<IP address of Specifies the IP address of a remote managed computer.

Target>

<SSL Port> Specifies the SSL port number.

The default is 443.

R81.10 Multi-Domain Security Management Administration Guide | 429

fwm fingerprint

Example 1 - Showing the fingerprint on the local Management Server

[Expert@MGMT:0]# fwm fingerprint localhost 443

#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email
Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

Example 2 - Showing the fingerprint from a managed Security Gateway

[Expert@MGMT:0]# fwm fingerprint 192.168.3.52 443

#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email
Address,CN=192.168.3.52,L=Locality Name (eg\, city)
#FINGER 5C:8E:4D:B9:B4:3A:58:F3:79:18:F1:70:99:8B:5F:2B
##
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 430

fwm getpcap

Description
Fetches the IPS packet capture data from the specified Security Gateway.
This command only works with IPS packet captures stored on the Security Gateway in the
$FWDIR/log/captures_repository/ directory.
This command does not work with other Software Blades, such as Anti-Bot and Anti-Virus that
store packet captures in the $FWDIR/log/blob/ directory on the Security Gateway.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p

Parameters

Parameter Description

-d Runs the command in debug mode.

-g Specifies the main IP address or Name of Security Gateway object as

-u ' Specifies the Unique ID of the packet capture file.

{<Capture To see the Unique ID of the packet capture file, open the applicable log
UID>}' file in SmartConsole > Logs & Monitor > Logs.

-p <Local Specifies the local path to save the specified packet capture file.
Path> If you do not specify the local directory explicitly, the command saves the
packet capture file in the current working directory.

R81.10 Multi-Domain Security Management Administration Guide | 431

fwm getpcap

Example

[Expert@MGMT:0]# fwm getpcap -g 192.168.162.1 -u '{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}'

/var/log/
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 432

fwm ikecrypt

Description
Encrypts the password of an Endpoint VPN Client user using IKE. The resulting string must
then be stored in the LDAP database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ikecrypt <Key> <Password>

Parameters

Parameter Description

-d Runs the command in debug mode.

<Key> Specifies the IKE Key as defined in the LDAP Account Unit properties
window on the Encryption tab.

<Password> Specifies the password for the Endpoint VPN Client user.

Example

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword

OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 433

fwm load

Description
Loads a policy on a managed Security Gateway.

Important - This command is obsolete for R80 and higher.

Use the API command "install-policy" to load a policy on a managed Security
Gateway.
See the Check Point Management API Reference.

R81.10 Multi-Domain Security Management Administration Guide | 434

fwm logexport

Description
Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog)
to an ASCII file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm logexport -h
fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>]
[-i <Input File>] [-o <Output File>] [{-f | -e}] [-x <Start Entry
Number>] [-y <End Entry Number>] [-z] [-n] [-p] [-a] [-u
<Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

Parameter Description

-h Shows the built-in usage.

-d Runs the command in debug mode.

-d Specifies the output delimiter between fields of log entries:

<Delimiter>
| -s
n -d <Delimiter> - Uses the specified delimiter.
n -s - Uses the ASCII character #255 (non-breaking space) as the
delimiter.
Note - If you do not specify the delimiter explicitly, the default is a
semicolon (;).

R81.10 Multi-Domain Security Management Administration Guide | 435

fwm logexport

Parameter Description

-t <Table Specifies the output delimiter inside table field.

Delimiter> Table field would look like:
ROWx:COL0,ROWx:COL1,ROWx:COL2, and so on
Note - If you do not specify the table delimiter explicitly, the default is a
comma (,).

-i <Input Specifies the name of the input log file.

File> Notes:
n This command supports only Security log file
($FWDIR/log/*.log) and Audit log file
($FWDIR/log/*.adtlog)
n If you do not specify the input log file explicitly, the command
processes the active Security log file $FWDIR/log/fw.log

-o <Output Specifies the name of the output file.

File> Note - If you do not specify the output log file explicitly, the command
prints its output on the screen.

-f After reaching the end of the currently opened log file, specifies to
continue to monitor the log file indefinitely and export the new entries as
well.
Note - Applies only to the active log file: $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog

-e After reaching the end of the currently opened log file, continue to
monitor the log file indefinitely and export the new entries as well.
Note - Applies only to the active log file: $FWDIR/log/fw.log or
$FWDIR/log/fw.adtlog

-x <Start Starts exporting the log entries from the specified log entry number and
Entry below, counting from the beginning of the log file.
Number>

-y <End Starts exporting the log entries until the specified log entry number,
Entry counting from the beginning of the log file.
Number>

-z In case of an error (for example, wrong field value), specifies to

continue the export of log entries.
The default behavior is to stop.

-n Specifies not to perform DNS resolution of the IP addresses in the log

file (this is the default behavior).
This significantly speeds up the log processing.

R81.10 Multi-Domain Security Management Administration Guide | 436

fwm logexport

Parameter Description

-p Specifies to not to perform resolution of the port numbers in the log file
(this is the default behavior).
This significantly speeds up the log processing.

-a Exports only Account log entries.

-u Specifies the path and name of the log unification scheme file.
<Unification The default log unification scheme file is:
Scheme File> $FWDIR/conf/log_unification_scheme.C

-m {initial Specifies the log unification mode:

| semi |
raw}
n initial - Complete unification of log entries. The command
exports one unified log entry for each ID. This is the default.
If you also specify the "-f" parameter, then the output does not
export any updates, but exports only entries that relate to the start
of new connections. To export updates as well, use the "semi"
parameter.
n semi - Step-by-step unification of log entries. For each log entry,
exports entry that unifies this entry with all previously
encountered entries with the same ID.
n raw - No log unification. Exports all log entries.

R81.10 Multi-Domain Security Management Administration Guide | 437

fwm logexport

The output of the fwm logexport command appears in tabular format.

The first row lists the names of all log fields included in the log entries.
Each of the next rows consists of a single log entry, whose fields are sorted in the same order
as the first row.
If a log entry has no information in a specific field, this field remains empty (as indicated by two
successive semi-colons ";;").
You can control which log fields appear in the output of the command output:

Step Instructions

1 Create the $FWDIR/conf/logexport.ini file:

[Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini

2 Edit the $FWDIR/conf/logexport.ini file:

[Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

3 To include or exclude the log fields from the output, add these lines in the
configuration file:
[Fields_Info]
included_fields = field1,field2,field3,<REST_OF_
FIELDS>,field100
excluded_fields = field10,field11
Where:
n You can specify only the included_fields parameter, only the
excluded_fields parameter, or both.
n The num field must always appear first. You cannot manipulate this field.
n The <REST_OF_FIELDS> is an optional reserved token that refers to a list of
fields.
l If you specify the "-f" parameter, then the <REST_OF_FIELDS> is

based on a list of fields from the $FWDIR/conf/logexport_

default.C file.
l If you do not specify the "-f" parameter, then the <REST_OF_FIELDS>

is based on the input log file.

4 Save the changes in the file and exit the Vi editor.

5 Export the logs:

fwm logexport <options>

R81.10 Multi-Domain Security Management Administration Guide | 438

fwm logexport

Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log

Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_
id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_
name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_
name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-
1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file
has been switched to: MyLog.log;Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_
192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_
192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host
Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-
1;CN=CXL1_192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>
;1;;;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-
1;CN=CXL1_192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could
not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy
configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47

Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_
id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_
name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_
name;description;status;version;comment;update_service;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-
1;CN=CXL1_192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>
;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_
192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host
Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_
192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host
Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-
1;CN=CXL1_192.168.3.52,O=MyDomain_
Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could
not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy
configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 439

fwm mds

Description
n Shows the Check Point version of the Multi-Domain Server.
n Rebuilds status tree for Global VPN Communities.

Note - On a Multi-Domain Server, you can run this command:

n In the context of the MDS:
mdsenv
n In the context of a Domain Management Server:
mdsenv <IP Address or Name of Domain
Management Server>

Syntax

fwm [-d] mds

ver
rebuild_global_communities_status {all | missing}

Parameters

Parameter Description

-d Runs the command in debug mode.

ver Shows the Check Point version of the Multi-Domain Server.

rebuild_global_ Rebuilds status tree for Global VPN Communities:

communities_status
n all - Rebuilds status tree for all Global VPN
Communities.
n missing - Rebuild status tree only for Global VPN
Communities that do not have status trees.

R81.10 Multi-Domain Security Management Administration Guide | 440

fwm mds

Example

[Expert@MDS:0]# fwm mds ver

This is Check Point Multi-Domain Security Management R81.10 -
Build 11
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 441

fwm printcert

Description
Shows a SIC certificate's details.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] printcert

-obj <Name of Object> [-cert <Certificate Nick Name>] [-
verbose]
-ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
-f <Name of Binary Certificate File> [-verbose]

R81.10 Multi-Domain Security Management Administration Guide | 442

fwm printcert

Parameters

Item Description

-d Runs the command in debug mode.

-obj <Name of Object> Specifies the name of the managed object, for which to
show the SIC certificate information.

-cert <Certificate Specifies the certificate nick name.

Nick Name>

-ca <CA Name> Specifies the name of the Certificate Authority.

Note - Check Point CA Name is internal_ca.

-x509 <Name of File> Specifies the name of the X.509 file.

-p Specifies to show the SIC certificate as a text file.

-f <Name of Binary Specifies the binary SIC certificate file to show.

Certificate File>

-verbose Shows the information in verbose mode.

R81.10 Multi-Domain Security Management Administration Guide | 443

fwm printcert

Examples
Example 1 - Showing the SIC certificate of a Management Server
[Expert@MGMT:0]# fwm printcert -ca internal_ca
Subject: O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Apr 8 13:41:00 2018 Local Time
Not Valid After: Fri Jan 1 05:14:07 2038 Local Time
Serial No.: 1
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint:
is CA
MD5 Fingerprint:
7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 444

fwm printcert

Example 2 - Showing the SIC certificate of a Management Server in verbose mode

[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: called
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: closing existing database
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] do_links_getver: strncmp failed. Returning -2
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] db_fetchkey: entering
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] PubKey:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Modulus:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45
f1 00 04 bc
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be
db 75 cc c8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c2 6d ff 3e aa fe f1 2b c3 0a b0 a2 a5 e0 a8 ab
45 cd 87 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ac c6 9f a4 a9 ba 30 79 08 fa 59 4c d2 dc 3d 36
ca 17 d7 c1
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] b2 a2 41 f5 89 0f 00 d4 2d f2 55 d2 30 a5 32 c7
46 7a 6b 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 29 0f 53 9f 35 42 91 e5 7d f7 30 6d bc b3 f2 ae
f3 f0 ed 88
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c4 d7 7d 0c 2d f6 5f c8 ed 9f 9a 57 54 79 d0 0f
0b 2f 9c 0d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 94 2e f0 f4 66 62 f7 ae 2e f8 8e 90 08 ba 63 85
b6 46 2f b7
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a7 01 29 9a 14 58 a8 ef eb 07 17 4e 95 8b 2f 48
5f d3 18 10
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 00 d5 03 d7 fd 45 45 ca 67 5b 34 be b8 00 ae
ea 9a cd 50
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] d6 e7 a2 81 86 78 11 d7 bf 04 9f 8b 43 3f f7 36
5f ed 31 a8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50
01 0f 86 9d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Exponent: 65537 (0x10001)
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52]
X509 Certificate Version 3
refCount: 1
Serial Number: 1
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 445

fwm printcert

Example 3 - Showing the SIC certificate of a managed Cluster object

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.3.244
CRL distribution points:
http://192.168.3.240:18264/ICA_CRL2.crl
CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 446

fwm printcert

Example 4 - Showing the SIC certificate of a managed Cluster object in verbose mode
[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: called
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: closing existing database
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] do_links_getver: strncmp failed. Returning -2

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 1 certificates
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] PubKey:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Modulus:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] df 35 c3 45 ca 42 16 6e 21 9e 31 af c1 fd 20 0a
3d 5b 6f 5d
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] e0 a2 0c 0e fa fa 5e e5 91 9d 4e 73 77 fa db 86
0b 5e 5d 0c
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] ce af 4a a4 7b 30 ed b0 43 7d d8 93 c5 4b 01 f4
3d b5 d8 f4
... ... ...
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 34 b1 db ac 18 4f 11 bd d2 fb 26 7d 23 74 5c d9
00 a1 58 1e
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 60 7c 83 44 fa 1e 1e 86 fa ad 98 f7 df 24 4a 21
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Exponent: 65537 (0x10001)
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45]
X509 Certificate Version 3
refCount: 1
Serial Number: 85021
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Jun 3 19:58:19 2018 Local Time
Not valid after: Sat Jun 3 19:58:19 2023 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Subject Alternate names:
IP: 192.168.3.244
Basic Constraint:
not CA
CRL distribution Points:
URI: http://192.168.3.240:18264/ICA_CRL2.crl
DN: CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager: called.
*****
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 447

fwm sic_reset

Description
Resets SIC on the Management Server.
For detailed procedure, see sk65764: How to reset SIC.

Warning:
n Before you run this command, take a Gaia Snapshot and a full backup of the
Management Server.
This command resets SIC between the Management Server and all its
managed objects.
n This operation breaks trust in all Internal CA certificates and SIC trust
across the managed environment.
Therefore, we do not recommend it at all, except for real disaster recovery.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] sic_reset

Parameters

Parameter Description

-d Runs the command in debug mode.

R81.10 Multi-Domain Security Management Administration Guide | 448

fwm snmp_trap

Description
Sends an SNMPv1 Trap to the specified host.

Notes:
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n On a Multi-Domain Server, the SNMP Trap packet is sent from the IP address of
the Leading Interface.

Syntax

fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s
<Specific Trap Number>] [-p <Source Port>] [-c <SNMP Community>]
<Target> ["<Message>"]

R81.10 Multi-Domain Security Management Administration Guide | 449

fwm snmp_trap

Parameters

Parameter Description

-d Runs the command in debug mode.

-v <SNMP OID> Specifies an optional SNMP OID to bind with the message.

-g <Generic Trap Specifies the generic trap number.

Number> One of these values:
n 0 - For coldStart trap
n 1 - For warmStart trap
n 2 - For linkDown trap
n 3 - For linkUp trap
n 4 - For authenticationFailure trap
n 5 - For egpNeighborLoss trap
n 6 - For enterpriseSpecific trap (this is the default
value)

-s <Specific Trap Specifies the unique trap type.

Number> Valid only of generic trap value is 6 (for
enterpriseSpecific).
Default value is 0.

-p <Source Port> Specifies the source port, from which to send the SNMP Trap
packets.

-c <SNMP Specifies the SNMP community.

Community>

<Target> Specifies the managed target host, to which to send the SNMP
Trap packets.
Enter an IP address of a resolvable hostname.

"<Message>" Specifies the SNMP Trap text message.

R81.10 Multi-Domain Security Management Administration Guide | 450

fwm snmp_trap

Example - Sending an SNMP Trap from a Management Server and capturing the traffic on
the Security Gateway

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public 192.168.3.52 "My Trap Message"

[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host 192.168.3.51

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:49:43.891287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 103)
192.168.3.51.53450 > MyGW_192.168.3.52.snmptrap: [udp sum ok] { SNMPv1 { Trap(58) E:2620.1.1
192.168.3.240 linkDown 1486440 E:2620.1.1.11.0="My Trap Message" } }
Pressed CTRL+C
[Expert@MyGW_192.168.3.52:0]#

R81.10 Multi-Domain Security Management Administration Guide | 451

fwm unload

Description
Unloads the policy from the specified managed Security Gateways or Cluster Members.

Warning:
1. The fwm unload command prevents all traffic from passing through the
Security Gateway (Cluster Member), because it disables the IP Forwarding in
the Linux kernel on the specified Security Gateway (Cluster Member).
2. The fwm unload command removes all policies from the specified Security
Gateway (Cluster Member).
This means that the Security Gateway (Cluster Member) accepts all incoming
connections destined to all active interfaces without any filtering or protection
enabled.

Notes:
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n If it is necessary to remove the current policy, but keep the Security Gateway
(Cluster Member) protected, then run the "comp_init_policy" command on
the Security Gateway (Cluster Member).
n To load the policies on the Security Gateway (Cluster Member), run one of
these commands on the Security Gateway (Cluster Member), or reboot:
l "fw fetch"

l "cpstart"

Syntax

fwm [-d] unload <GW1> <GW2> ... <GWN>

R81.10 Multi-Domain Security Management Administration Guide | 452

fwm unload

Parameters

Parameter Description

-d Runs the command in debug mode.

<GW1> <GW2> Specifies the managed Security Gateways by their main IP address or
... <GWN> Object Name as configured in SmartConsole.

R81.10 Multi-Domain Security Management Administration Guide | 453

fwm unload

Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall

Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge

net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 454

fwm unload

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall

Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge

net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#

R81.10 Multi-Domain Security Management Administration Guide | 455

fwm ver

Description
Shows the Check Point version of the Security Management Server.

Note - On a Multi-Domain Server, you can run this command:

n In the context of the MDS:
mdsenv
n In the context of a Domain Management Server:
mdsenv <IP Address or Name of Domain
Management Server>

Syntax

fwm [-d] ver [-f <Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode.

-f <Output Specifies the name of the output file, in which to save this information.
File>

Example

[Expert@MGMT:0]# fwm ver

This is Check Point Security Management Server R81.10 - Build 11
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 456

fwm verify

fwm verify
Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 507 command to verify a policy on a managed Security Gateway.

Description
Verifies the specified policy package without installing it.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] verify <Policy Name>

Parameters

Parameter Description

-d Runs the command in debug mode.

<Policy Specifies the name of the policy package as configured in SmartConsole.

Name>

Example

[Expert@MGMT:0]# fwm verify Standard

Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 457

inet_alert

inet_alert
Description
Notifies an Internet Service Provider (ISP) when a company's corporate network is under
attack. This command forwards log messages generated by the alert daemon on your Check
Point Security Gateway to an external Management Station. This external Management
Station is usually located at the ISP site. The ISP can then analyze the alert and react
accordingly.
This command uses the Event Logging API (ELA) protocol to send the alerts. The
Management Station receiving the alert must be running the ELA Proxy.

If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must
be performed between the external Management Station running the ELA Proxy at the ISP site
and the Check Point Security Gateway generating the alert.

Procedure

Step Instructions

1 Connect with SmartConsole to the applicable Security Management Server or

Domain Management Server, which manages the applicable Security Gateway
that should forward log messages to an external Management Station.

2 From the top left Menu, click Global properties.

3 Click on the [+] near the Log and Alert and click Alerts.

4 Clear the Send user defined alert no. 1 to SmartView Monitor.

5 Select the next option Run UserDefined script under the above.

6 Enter the applicable inet_alert syntax (see the Syntax section below).

7 Click OK.

8 Install the Access Control Policy on the applicable Security Gateway.

R81.10 Multi-Domain Security Management Administration Guide | 458

inet_alert

Syntax

inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f
<Token> <Value>] [-m <Alert Type>]
Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Parameters

Parameter Description

-s <IP The IPv4 address of the ELA Proxy (usually located at the ISP site).
Address>

-o Prints the alert log received to stdout.

Use this option when inet_alert is part of a pipe syntax (<some
command> | inet_alert ...).

-a <Auth Specifies the type of connection to the ELA Proxy.

Type> One of these values:
n ssl_opsec - The connection is authenticated and encrypted (this is
the default).
n auth_opsec - The connection is authenticated.
n clear - The connection is neither authenticated, nor encrypted.

-p <Port> Specifies the port number on the ELA proxy. Default port is 18187.

-f <Token> A field to be added to the log, represented by a <Token> <Value> pair

<Value> as follows:
n <Token> - The name of the field to be added to the log. Cannot
contain spaces.
n <Value> - The field's value. Cannot contain spaces.
This option can be used multiple times to add multiple <Token>
<Value> pairs to the log.

R81.10 Multi-Domain Security Management Administration Guide | 459

inet_alert

Parameter Description

-m <Alert The alert to be triggered at the ISP site.

Type> This alert overrides the alert specified in the log message generated by the
alert daemon.
The response to the alert is handled according to the actions specified in
the ISP Security Policy:
These alerts execute the OS commands:
n alert - Popup alert command
n mail - Mail alert command
n snmptrap - SNMP trap alert command
n spoofalert - Anti-Spoof alert command

These NetQuota and ServerQuota alerts execute the OS commands

specified in the $FWDIR/conf/objects.C: file:
value=clientquotaalert. Parameter=clientquotaalertcmd

Exist Status

Exit Status Description

0 Execution was successful.

102 Undetermined error.

103 Unable to allocate memory.

104 Unable to obtain log information from stdin

106 Invalid command line arguments.

107 Failed to invoke the OPSEC API.

Example
inet_alert -s 10.0.2.4 -a clear -f product cads -m alert

This command specifies to perform these actions in the event of an attack:

n Establish a clear connection with the ELA Proxy located at IP address 10.0.2.4
n Send a log message to the specified ELA Proxy. Set the product field of this log message
to cads
n Trigger the OS command specified in the SmartConsole > Menu > Global properties >
Log and Alert > Popup Alert Command field.

R81.10 Multi-Domain Security Management Administration Guide | 460

ldapcmd

ldapcmd
Description
This is an LDAP utility that controls these features:

Feature Description

Cache LDAP cache operations, such as emptying the cache, as well as providing
debug information.

Statistics LDAP search statistics, such as:

n All user searches
n Pending lookups (when two or more lookups are identical)
n Total lookup time (the total search time for a specific lookup)
n Cache statistics such as hits and misses
These statistics are saved in the $FWDIR/log/ldap_pid_<Process
PID>.stats file.

Logging View the alert and warning logs.

Syntax

ldapcmd [-d <Debug Level>] -p {<Process Name> | all} <Command>

R81.10 Multi-Domain Security Management Administration Guide | 461

ldapcmd

Parameters

Parameter Description

-d <Debug Runs the command in debug mode with the specified TDERROR
Level> debug level.
Valid values are from 0 (disabled) to 5 (maximal level,
recommended).

-p {<Process Runs on a specified Check Point process, or all supported Check

Name> | all} Point processes.

<Command> One of these commands:

n cacheclear {all | UserCacheObject |
TemplateCacheObject |
TemplateExtGrpCacheObject}
l all - Clears cache for all objects

l UserCacheObject - Clears cache for user objects

l TemplateCacheObject - Clears cache for template

objects
l TemplateExtGrpCacheObject - Clears cache for

external template group objects

n cachetrace {all | UserCacheObject |
TemplateCacheObject |
TemplateExtGrpCacheObject}
l all - Traces cache for all objects

l UserCacheObject - Traces cache for user objects

l TemplateCacheObject - Traces cache for template

objects
l TemplateExtGrpCacheObject - Traces cache for

external template group objects

n log {on | off}
l on - Creates LDAP logs

l off - Does not create LDAP logs

n stat {<Print Interval in Sec> | 0}

l <Print Interval in Sec> - How frequently to

collect the statistics

l 0 - Stops collecting the statistics

R81.10 Multi-Domain Security Management Administration Guide | 462

ldapcompare

ldapcompare
Description
This is an LDAP utility that performs compare queries and prints a message whether the result
returned a match or not.
This utility opens a connection to an LDAP directory server, binds, and performs the
comparison specified on the command line or from a specified file.

Syntax

ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute>

<Value> | <Attribute> <Base64 Value>}

Parameters

Parameter Description

-d <Debug Runs the command in debug mode with the specified TDERROR
Level> debug level.
Valid values are from 0 (disabled) to 5 (maximal level,
recommended).

<Options> See the tables below:

n Compare options
n Common options

<DN> Specifies the Distinguished Name.

<Attribute> Specifies the assertion attribute.

<Value> Specifies the assertion value.

<Base64 Value> Specifies the Base64 encoding of the assertion value.

R81.10 Multi-Domain Security Management Administration Guide | 463

ldapcompare

Compare options

Option Description

-E [!]<Extension> Specifies the compare extensions.

[=<Extension Parameter>] Note - The exclamation sign "!" indicates criticality.
For example: !dontUseCopy = Do not use Copy

-M Enables the Manage DSA IT control.

Use the "-MM" option to make it critical.

-P <LDAP Protocol Version> Specifies the LDAP protocol version. Default version
is 3.

-z Enables the quiet mode.

The command does not print anything. You can use
the command return values.

Common options

Option Description

-D <Bind DN> Specifies the LDAP Server administrator Distinguished

Name.

R81.10 Multi-Domain Security Management Administration Guide | 464

ldapcompare

Option Description

-e [!]<Extension> Specifies the general extensions:

[=<Extension Parameter>] Note - The exclamation sign "!" indicates criticality.
n [!]assert=<Filter>
RFC 4528; an RFC 4515 filter string
n [!]authzid=<Authorization ID>
RFC 4370; either "dn:<DN>", or
"u:<Username>"
n [!]chaining[=<Resolve Behavior>
[/<Continuation Behavior>]]
One of these:
l "chainingPreferred"

l "chainingRequired"

l "referralsPreferred"

l "referralsRequired"

n [!]manageDSAit
RFC 3296
n [!]noop
n ppolicy
n [!]postread[=<Attributes>]
RFC 4527; a comma-separated list of attributes
n [!]preread[=<Attributes>]
RFC 4527; a comma-separated list of attributes
n [!]relax
n abandon
SIGINT sends the abandon signal; if critical,
does not wait for SIGINT. Not really controls.
n cancel
SIGINT sends the cancel signal; if critical, does
not wait for SIGINT. Not really controls.
n ignore
SIGINT ignores the response; if critical, does not
wait for SIGINT. Not really controls.

-h <LDAP Server> Specifies the LDAP Server computer by its IP address

or resolvable hostname.

-H <LDAP URI> Specifies the LDAP Server Uniform Resource Identifier

(s).

-I Specifies to use the SASL Interactive mode.

-n Dry run - shows what would be done, but does not

actually do it.

R81.10 Multi-Domain Security Management Administration Guide | 465

ldapcompare

Option Description

-N Specifies not to use the reverse DNS to canonicalize

SASL host name.

-o <Option>[=<Option Specifies the general options:

Parameter>] nettimeout={<Timeout in Sec> | none |
max}

-O <Properties> Specifies the SASL security properties.

-p <LDAP Server Port> Specifies the LDAP Server port. Default is 389.

-Q Specifies to use the SASL Quiet mode.

-R <Realm> Specifies the SASL realm.

-U <Authentication Specifies the SASL authentication identity.

Identity>

-v Runs in verbose mode (prints the diagnostics to

stdout).

-V Prints version information (use the "-VV" option only).

-w <LDAP Admin Password> Specifies the LDAP Server administrator password (for
simple authentication).

-W Specifies to prompt the user for the LDAP Server

administrator password.

-x Specifies to use simple authentication.

-X <Authorization Specifies the SASL authorization identity (either

Identity> "dn:<DN>", or "u:<Username>" option).

-y <File> Specifies to read the LDAP Server administrator

password from the <File>.

-Y <SASL Mechanism> Specifies the SASL mechanism.

-Z Specifies to start the TLS request.

Use the "-ZZ" option to require successful response.

R81.10 Multi-Domain Security Management Administration Guide | 466

ldapmemberconvert

ldapmemberconvert
Description
This is an LDAP utility that ports from the "Member" attribute values in LDAP group entries to
the "MemberOf" attribute values in LDAP member (User or Template) entries.
This utility converts the LDAP server data to work in either the "MemberOf" mode, or "Both"
mode. The utility searches through all specified group or template entries that hold one or
more "Member" attribute values and modifies each value. The utility searches through all
specified group/template entries and fetches their "Member" attribute values.
Each value is the DN of a member entry. The entry identified by this DN is added to the
"MemberOf" attribute value of the group/template DN at hand. In addition, the utility delete
those "Member" attribute values from the group/template, unless you run the command in the
"Both" mode.
When your run the command, it creates a log file ldapmemberconvert.log in the current
working directory. The command logs all modifications done and errors encountered in that log
file.

Important - Back up the LDAP server database before you run this conversion utility.

Syntax

ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP

Server Port> -D <LDAP Admin DN> -w <LDAP Admin Password> -m
<Member Attribute Name> -o <MemberOf Attribute Name> -c <Member
ObjectClass Value> [-B] [-f <File> | -g <Group DN>] [-L <LDAP
Server Timeout>] [-M <Number of Updates>] [-S <Size>] [-T <LDAP
Client Timeout>] [-Z]

R81.10 Multi-Domain Security Management Administration Guide | 467

ldapmemberconvert

Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified TDERROR
debug level.
Valid values are from 0 (disabled) to 5 (maximal level,
recommended).

-h <LDAP Server> Specifies the LDAP Server computer by its IP address or

resolvable hostname.
If you do not specify the LDAP Server explicitly, the command
connects to localhost.

-p <LDAP Server Specifies the LDAP Server port. Default is 389.

Port>

-D <LDAP Admin Specifies the LDAP Server administrator Distinguished Name.

DN>

-w <LDAP Admin Specifies the LDAP Server administrator password.

Password>

-m <Member Specifies the LDAP attribute name when fetching and (possibly)
Attribute Name> deleting a group Member attribute value.

-o <MemberOf Specifies the LDAP attribute name for adding an LDAP

Attribute Name> "MemberOf" attribute value.

-c <Member Specifies the LDAP "ObjectClass" attribute value that defines,

ObjectClass which type of member to modify.
Value> You can specify multiple attribute values with this syntax:
-c <Member Object Class 1> -c <Member Object
Class 2> ... -c <Member Object Class N>

-B Specifies to run in "Both" mode.

-f <File> Specifies the file that contains a list of Group DNs separated by a
new line:
<Group DN 1>
<Group DN 2>
...
<Group DN N>
Length of each line is limited to 256 characters.

R81.10 Multi-Domain Security Management Administration Guide | 468

ldapmemberconvert

Parameter Description

-g <Group DN> Specifies the Group or Template Distinguished Name, on which

to perform the conversion.
You can specify multiple Group DNs with this syntax:
-g <Group DN 1> -g <Group DN 2> ... -g
<Group DN N>

-L <LDAP Server Specifies the Server side time limit for LDAP operations, in
Timeout> seconds.
Default is "never".

-M <Number of Specifies the maximal number of simultaneous member LDAP

Updates> updates.
Default is 20.

-S <Size> Specifies the Server side size limit for LDAP operations, in
number of entries.
Default is "none".

-T <LDAP Client Specifies the Client side timeout for LDAP operations, in
Timeout> milliseconds.
Default is "never".

-Z Specifies to use SSL connection.

Notes
There are two "GroupMembership" modes. You must keep these modes consistent:
n template-to-groups
n user-to-groups

For example, if you apply conversion on LDAP users to include the "MemberOf" attributes for
their groups, then this conversion has to be applied on LDAP defined templates for their
groups.

R81.10 Multi-Domain Security Management Administration Guide | 469

ldapmemberconvert

Troubleshooting
Symptom:
A command fails with an error message stating the connection stopped unexpectedly when
you run it with the parameter -M <Number of Updates>.
Root Cause:
The LDAP server could not handle that many LDAP requests simultaneously and closed the
connection.
Solution:
Run the command again with a lower value for the "-M" parameter. The default value should
be adequate, but can also cause a connection failure in extreme situations. Continue to reduce
the value until the command runs normally. Each time you run the command with the same set
of groups, the command continues from where it left off.

R81.10 Multi-Domain Security Management Administration Guide | 470

ldapmemberconvert

Examples
Example 1

A group is defined with the DN "cn=cpGroup,ou=groups,ou=cp,c=us" and these

attributes:

...
cn=cpGroup
uniquemember="cn=member1,ou=people,ou=cp,c=us"
uniquemember="cn=member2,ou=people,ou=cp,c=us"
...

For the two member entries:

...
cn=member1
objectclass=fw1Person
...

and:

...
cn=member2
objectclass=fw1Person
...

Run:
[Expert@MGMT:0]# ldapconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer -d cn=admin -w secret -m uniquemember -o memberof -c
fw1Person

The result for the group DN is:

...
cn=cpGroup
...

The result for the two member entries is:

...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

and:

...
cn=member2
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

If you run the same command with the "-B" parameter, it produces the same result, but the
group entry is not modified.

R81.10 Multi-Domain Security Management Administration Guide | 471

ldapmemberconvert

Example 2

If there is another member attribute value for the same group entry:
uniquemember="cn=template1,ou=people, ou=cp,c=us"

and the template is:

cn=member1
objectclass=fw1Template

Then after running the same command, the template entry stays intact, because of the
parameter "-c fw1Person", but the object class of "template1" is "fw1Template".

R81.10 Multi-Domain Security Management Administration Guide | 472

ldapmodify

ldapmodify
Description
This is an LDAP utility that imports users to an LDAP server. The input file must be in the LDIF
format.

Syntax

ldapmodify [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Server
Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-a] [-b]
[-c] [-F] [-k] [-n] [-r] [-v] [-T <LDAP Client Timeout>] [-Z] [ -f
<Input File> .ldif | < <Entry>]

Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified TDERROR
debug level.
Valid values are from 0 (disabled) to 5 (maximal level,
recommended).

-h <LDAP Server> Specifies the LDAP Server computer by its IP address or

resolvable hostname.
If you do not specify the LDAP Server explicitly, the command
connects to localhost.

-p <LDAP Server Specifies the LDAP Server port. Default is 389.

Port>

-D <LDAP Admin Specifies the LDAP Server administrator Distinguished Name.

DN>

-w <LDAP Admin Specifies the LDAP Server administrator password.

Password>

R81.10 Multi-Domain Security Management Administration Guide | 473

ldapmodify

Parameter Description

-a Specifies that this is the LDAP "add" operation.

-b Specifies to read values from files (for binary attributes).

-c Specifies to ignore errors during continuous operation.

-F Specifies to force changes on all records.

-k Specifies the Kerberos bind.

-K Specifies the Kerberos bind, part 1 only.

-n Specifies to print the LDAP "add" operations, but do not actually

perform them.

-r Specifies to replace values, instead of adding values.

-v Specifies to run in verbose mode.

-T <LDAP Client Specifies the Client side timeout for LDAP operations, in
Timeout> milliseconds.
Default is "never".

-Z Specifies to use SSL connection.

-f <Input Specifies to read from the <Input File>.ldif file.

File>.ldif The input file must be in the LDIF format.

< <Entry> Specifies to read the entry from the stdin.

The "<" character is mandatory part of the syntax.
It specifies the input comes from the standard input (from the data
you enter on the screen).

R81.10 Multi-Domain Security Management Administration Guide | 474

ldapsearch

ldapsearch
Description
This is an LDAP utility that queries an LDAP directory and returns the results.

Syntax

ldapsearch [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Port>]
[-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-A] [-B] [-b
<Base DN>] [-F <Separator>] [-l <LDAP Server Timeout>] [-s
<Scope>] [-S <Sort Attribute>] [-t] [-T <LDAP Client Timeout>] [-
u] [-z <Number of Search Entries>] [-Z] <Filter> [<Attributes>]

Parameters

Parameter Description

-d <Debug Level> Runs the command in debug mode with the specified
TDERROR debug level.
Valid values are from 0 (disabled) to 5 (maximal level,
recommended).

-h <LDAP Server> Specifies the LDAP Server computer by its IP address or

resolvable hostname.
If you do not specify the LDAP Server explicitly, the command
connects to localhost.

-p <LDAP Port> Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin Specifies the LDAP Server administrator Distinguished Name.

DN>

-w <LDAP Admin Specifies the LDAP Server administrator password.

Password>

-A Specifies to retrieve attribute names only, without values.

R81.10 Multi-Domain Security Management Administration Guide | 475

ldapsearch

Parameter Description

-B Specifies not to suppress the printing of non-ASCII values.

-b <Base DN> Specifies the Base Distinguished Name (DN) for search.

-F <Separator> Specifies the print separator character between attribute names

and their values.
The default separator is the equal sign (=).

-l <LDAP Server Specifies the Server side time limit for LDAP operations, in
Timeout> seconds.
Default is "never".

-s <Scope> Specifies the search scope. One of these:

n base
n one
n sub

-S <Sort Specifies to sort the results by the values of this attribute.

Attribute>

-t Specifies to write values to files in the /tmp/ directory.

Writes each <attribute>-<value> pair to a separate file named:
/tmp/ldapsearch-<Attribute>-<Value>
For example, for the fw1color attribute with the value a00188,
the command writes to the file named:
/tmp/ldapsearch-fw1color-a00188

-T <LDAP Client Specifies the Client side timeout for LDAP operations, in
Timeout> milliseconds.
Default is never.

-u Specifies to show user-friendly entry names in the output.

For example:
shows cn=Babs Jensen, users, omi
instead of cn=Babs Jensen, cn=users,cn=omi

-z <Number of Specifies the maximal number of entries to search on the LDAP

Search Entries> Server.

-Z Specifies to use SSL connection.

<Filter> LDAP search filter compliant with RFC-1558.

For example:
objectclass=fw1host

R81.10 Multi-Domain Security Management Administration Guide | 476

ldapsearch

Parameter Description

<Attributes> Specifies the list of attributes to retrieve.

If you do not specify attributes explicitly, then the command
retrieves all attributes.

Example
[Expert@MGMT:0]# ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

With this syntax, the command:

1. Connects to the LDAP Server to port 18185.

2. Connects to the LDAP Server with Base DN "cn=omi".

3. Queries the LDAP directory for "fw1host" objects.
4. For each object found, prints the value of its "objectclass" attribute.

R81.10 Multi-Domain Security Management Administration Guide | 477

mcd

mcd
Description
This command changes current working directory to the specified directory in the $FWDIR
directory in the context of a Domain Management Server.

Syntax

mdsenv <IP Address or Name of Domain Management Server>

mcd <Name of Directory in $FWDIR>

R81.10 Multi-Domain Security Management Administration Guide | 478

mcd

Example

[Expert@MDS:0]# mdsstat
+-----------------------------------------------------------------------------------------------
------+
| Processes status checking
|
+------+--------------------+-----------------+-------------+-------------+-------------+-------
------+
| Type | Name | IP address | FWM | FWD | CPD | CPCA
|
+------+--------------------+-----------------+-------------+-------------+-------------+-------
------+
| MDS | - | 192.168.3.51 | up 15312 | up 15310 | up 10227 | up
15475 |
+------+--------------------+-----------------+-------------+-------------+-------------+-------
------+
| CMA | MyDomain_Server | 192.168.3.240 | up 17225 | up 17208 | up 17101 | up
18402 |
+------+--------------------+-----------------+-------------+-------------+-------------+-------
------+
| Total Domain Management Servers checked: 1 1 up 0 down
|
| Tip: Run mdsstat -h for legend
|
+-----------------------------------------------------------------------------------------------
------+
[Expert@MDS:0]#
[Expert@MDS:0]#
[Expert@MDS:0]# mdsenv MyDomain_Server
[Expert@MDS:0]#
[Expert@MDS:0]# mcd
changing to /opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1/
[Expert@MDS:0]#
[Expert@MDS:0]# pwd
/opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1
[Expert@MDS:0]#
[Expert@MDS:0]# ls -1
av
bin
conf
cpm-server
database
doc
hash
lib
libsw
log
scripts
state
tmp
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 479

mcd

[Expert@MDS:0]# mcd av
changing to /opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1/av
[Expert@MDS:0]#
[Expert@MDS:0]# mcd bin
changing to /opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1/bin
[Expert@MDS:0]#
[Expert@MDS:0]# mcd conf
changing to /opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1/conf
[Expert@MDS:0]#
[Expert@MDS:0]# mcd log
changing to /opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1/log
[Expert@MDS:0]#
[Expert@MDS:0]# mcd scripts
changing to /opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1/scripts
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 480

mds_backup

mds_backup
Description
The mds_backup command backs up binaries and data from a Multi-Domain Server to a user
specified working directory.
You then copy the backup files from the working directory to external storage.
This command requires Multi-Domain Superuser privileges.
The mds_backup command runs the gtar and dump commands to back up all databases.
The collected information is stored in one *.tar file. The file name is a combination of the
backup date and time and is saved in the current working directory. For example:
13Sep2015-141437.mdsbk.tar

Backing up and restoring in Management High Availability environment:

n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R81.10 Gaia Administration
Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

R81.10 Multi-Domain Security Management Administration Guide | 481

mds_backup

Notes:
n Do not create or delete Domains or Domain Management Servers until the
backup operation completes.
n It is important not to run the mds_backup command from directories that are
not backed up.
For example, when you back up a Multi-Domain Server, do not run the mds_
backup command from the /opt/CPmds-<Current_Release>/ directory,
because it is a circular reference (backup of directory, in which it is necessary to
write files).
Run the mds_backup command from a location outside the product directory
tree to be backed up. This becomes the working directory.
n The mds_backup command does not collect the active Security log file
(*.log) and Audit log file (*.adtlog).
This is necessary to prevent inconsistencies during the read-write operations.
Best Practice - Perform a log switch before you start the backup
procedure.
n You can back up the Multi-Domain Server configuration without the log files.
This backup is typically significantly smaller than a full backup with logs.
To back up without log files, add this line to the file $MDSDIR/conf/mds_
exclude.dat configuration file:
log/*
n After the backup completes, copy the backup *.tar file, together with the mds_
restore, and gtar binary files, to your external backup location.

Syntax

mds_backup -h
mds_backup [-b] [-d <Target Directory>] [-ds] [-l] [-s] [-v] [-x]

R81.10 Multi-Domain Security Management Administration Guide | 482

mds_backup

Parameters

Parameter Description

-h Shows help text.

-b Batch mode - executes without asking anything.

-d <Target Specifies the output directory.

Directory> If not specified explicitly, the backup file is saved to the current
directory.
You cannot save the backup file to the root directory.

-ds Disconnects all current sessions and discards their unpublished

changes before the backup starts.

-l Excludes logs from the backup.

-s Stops Multi-Domain processes before the backup starts.

-v "Dry run" - Shows all files to be backed up, but does not perform the
backup operation.

-x Excludes binary files from the backup.

The binary files are listed in the $MDSDIR/conf/mds_binaries_
exclude.dat file.

R81.10 Multi-Domain Security Management Administration Guide | 483

mds_restore

mds_restore
Description
Use the mds_restore command to restore a Multi-Domain Server / Multi-Domain Log Server
that was backed up with the "mds_backup" on page 481 command.

Important - You must restore on the server that runs same software version, from
which you collected this backup.
Example: If you collected a backup on a server with version "XX" and Jumbo Hotfix
Accumulator Take "YY", then you must restore on a server with version "XX" and
Jumbo Hotfix Accumulator Take "YY".
Best Practice - If the Multi-Domain Security Management environment has multiple
Multi-Domain Servers, restore all Multi-Domain Servers at the same time.
Backing up and restoring in Management High Availability environment:
n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R81.10 Gaia Administration
Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

To restore a Multi-Domain Server:

1. Connect to the command line on the Multi-Domain Server.

2. Log in to the Expert mode.
3. Go to the directory where the backup file is located.
4. Run:

./mds_restore <backup_file>

5. If you restore on a Multi-Domain Server with a new IP address, configure the new
IP address.

R81.10 Multi-Domain Security Management Administration Guide | 484

mdscmd

mdscmd
Description
In versions lower than R80, this utility executed various commands on the Multi-Domain
Server.
Starting from R80, this command is obsolete.
You must use other commands. If there is no alternative command, then perform the
applicable action in SmartConsole.

Alternative command in R80 and

MDSCMD command in pre-R80 versions
above

mdscmd addadministrator <options> None

mdscmd adddomain <options> mgmt_cli add-domain

See "mgmt_cli" on page 507.

mdscmd addlogserver <options> mgmt_cli add-domain

See "mgmt_cli" on page 507.

mdscmd addmanagement <options> mgmt_cli add-domain

See "mgmt_cli" on page 507.

mdscmd assign-globalpolicy <options> mgmt_cli set global-

assignment
See "mgmt_cli" on page 507.

mdscmd assignadmin <options> mgmt_cli set-administrator

See "mgmt_cli" on page 507.

mdscmd assignguiclient <options> None

mdscmd deleteadministrator <options> None

mdscmd deletedomain <options> mgmt_cli delete-domain

See "mgmt_cli" on page 507.

mdscmd deletelogserver <options> None

R81.10 Multi-Domain Security Management Administration Guide | 485

mdscmd

Alternative command in R80 and

MDSCMD command in pre-R80 versions
above

mdscmd deletemanagement <options> mgmt_cli delete-domain

See "mgmt_cli" on page 507.

mdscmd disableglobaluse <options> None

mdscmd enableglobaluse <options> None

mdscmd install-globalpolicy mgmt_cli assign-global-

<options> assignment
See "mgmt_cli" on page 507.

mdscmd migratemanagement <options> None

mdscmd mirrormanagement <options> None

mdscmd reassign-globalpolicy mgmt_cli set global-

<options> assignment
mgmt_cli assign-global-
assignment
See "mgmt_cli" on page 507.

mdscmd remove-globalpolicy <options> mgmt_cli delete global-

assignment
See "mgmt_cli" on page 507.

mdscmd removeadmin <options> mgmt_cli set-administrator

See "mgmt_cli" on page 507.

mdscmd removeguiclient <options> None

mdscmd runcrossdomainquery <options> None

mdscmd startmanagement <options> mdsstart_customer

See "mdsstart_customer" on page 499.

mdscmd stopmanagement <options> mdsstop_customer

See "mdsstop_customer" on page 506.

R81.10 Multi-Domain Security Management Administration Guide | 486

mdsconfig

mdsconfig
Description
This command starts the Multi-Domain Server Configuration Program. This tool configures
specific settings for the installed Check Point products.

For the complete procedure, see the R81.10 Installation and Upgrade Guide.

Syntax

mdsconfig

R81.10 Multi-Domain Security Management Administration Guide | 487

mdsconfig

Menu Options

R81.10 Multi-Domain Security Management Administration Guide | 488

mdsconfig

Menu Option Description

Leading VIP Interfaces The Leading VIP Interfaces are real interfaces connected
to an external network.
These interfaces are used when you configure virtual IP
addresses for Domain Management Servers.

Licenses Manages Check Point licenses and contracts on this

server.

Random Pool Configures the RSA keys, to be used by Gaia Operating

System.

Groups Usually, the Multi-Domain Server is given group permission

for access and execution.
You may now name such a group or instruct the installation
procedure to give no group permissions to the server.
In the latter case, only the Super-User is able to access and
execute commands on the server.

Certificate's Fingerprint Shows the ICA's Fingerprint.

This fingerprint is a text string derived from the server's ICA
certificate.
This fingerprint verifies the identity of the server when you
connect to it with SmartConsole.

Administrators Configures Check Point system administrators for this

server.

GUI Clients Configures the GUI clients that can use SmartConsole to
connect to this server.

Automatic Start of Multi- Shows and controls if Multi-Domain Server starts

Domain Server automatically during boot.

P1Shell Obsolete. Do not use this option anymore.

Important - This option and the p1shell command
are not supported (Known Limitation PMTR-45085).

Start Multi-Domain Server Configures a password to control the start of the Multi-
Password Domain Server.

IPv6 Support for Multi- Enables or disables the IPv6 Support on the Multi-Domain
Domain Server Server.
Important - Multi-Domain Server does not support
IPv6 at all (Known Limitation PMTR-14989).

R81.10 Multi-Domain Security Management Administration Guide | 489

mdsconfig

Menu Option Description

IPv6 Support for Existing Enables or disables the IPv6 Support on the Domain
Domain Management Management Servers.
Servers Important - Multi-Domain Server does not support
IPv6 at all (Known Limitation PMTR-14989).

Exit Exits from the Multi-Domain Server Configuration Program.

Example - Menu on a Multi-Domain Server

[Expert@MyMDS:0]# mdsconfig

Welcome to Multi-Domain Server Configuration Program

=================================================================
This program will let you re-configure your Multi-Domain Server configuration.

Configuration Options:
----------------------
(1) Leading VIP Interfaces
(2) Licenses
(3) Random Pool
(4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain Server
(9) P1Shell
(10) Start Multi-Domain Server Password
(11) IPv6 Support for Multi-Domain Server
(12) IPv6 Support for Existing Domain Management Servers

(13) Exit

Enter your choice (1-13):

R81.10 Multi-Domain Security Management Administration Guide | 490

mdsenv

mdsenv
Description
Use the mdsenv command to set shell environment variables to run commands on a specified
Domain Management Server.
When run without an argument, the command sets the shell for Multi-Domain Server level
commands ("mdsstat" on page 500, "mdsstop" on page 502, and so on).

Syntax

mdsenv [<Name or IP address of Domain Management Server>]

Parameters

Parameter Description

<Name or IP address of Domain Specifies the Domain Management Server by

Management Server> its name or IPv4 address.

R81.10 Multi-Domain Security Management Administration Guide | 491

mdsenv

Example

[Expert@MyMDS:0]# mdsstat
+-----------------------------------------------------------------
------------------------------------+
| Processes status checking
|
+------+--------------------+-----------------+-------------+-----
--------+-------------+-------------+
| Type | Name | IP address | FWM | FWD
| CPD | CPCA |
+------+--------------------+-----------------+-------------+-----
--------+-------------+-------------+
| MDS | - | 192.168.3.51 | up 10086 | up
11422 | up 5427 | up 11440 |
+------+--------------------+-----------------+-------------+-----
--------+-------------+-------------+
| CMA | MyDomain_Server | 192.168.3.240 | up 10891 | up
8199 | up 7670 | up 9536 |
+------+--------------------+-----------------+-------------+-----
--------+-------------+-------------+
| Total Domain Management Servers checked: 1 1 up 0 down
|
| Tip: Run mdsstat -h for legend
|
+-----------------------------------------------------------------
------------------------------------+
[Expert@MyMDS:0]#
[Expert@MyMDS:0]# mdsenv MyDomain_Server
[Expert@MyMDS:0]#
[Expert@MyMDS:0]# echo $FWDIR
/opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1
[Expert@MyMDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 492

mdsquerydb

mdsquerydb
Description
The mdsquerydb is an advanced database query tool that administrators can use to run shell
scripts to get information from the Multi-Domain Security Management databases.
Use this command to get information from the Multi-Domain Server, Domain Management
Server, and Global databases.

Note - The system comes with pre-defined queries, defined in the

$MDSDIR/confqueries.conf configuration file. Do not change or delete these
queries.

Syntax

mdsquerydb <key_name> [-f <output_file_name>]

Parameters

Parameter Description

<key_name> Query key, which must be defined in the pre-defined queries

configuration file.

-f <output_ Send the query results to the specified file name. If this parameter is not
file_name> specified, the data is sent to the standard output.

Pre-Defined Query Keys

Keys for Multi-Domain environment:

----------------------------------
GlobalNetworkObjects Get name and type of all global network objects
NetworkObjects Get all Domains' internal Check Point installed network objects
Domains Get names of all Domains Irit B comment from QA Draft
Administrators Get names of all Administrators
MDSs Get names and IPs of all MDSs
DomainManagementServers Get names of all Domain Servers
GuiClients Get names and IPs of all gui clients
CMAs Backwards Compatibility (DomainManagementServers)
Customers Backwards Compatibility (Domains)
Keys for Domain environment:
----------------------------
NetworkObjects Get name and type of all network objects
Gateways Get names and IPs of all gateways

Example 1 - Retrieve list of all defined keys

[Expert@MDS:0]# mdsquerydb

R81.10 Multi-Domain Security Management Administration Guide | 493

mdsquerydb

Example 2 - Send a list of Domains in the Multi-Domain Server database to the standard
output

[Expert@MDS:0]# mdsenv
[Expert@MDS:0]# mdsquerydb Domains

Example 3 - Send a list of network objects in the global database to the /tmp/gateways.txt
file

[Expert@MDS:0]# mdsenv
[Expert@MDS:0]# mdsquerydb NetworkObjects -f /tmp/gateways.txt

Example 4 - Get a list of gateway objects in the Domain Management Server "DServer1"

[Expert@MDS:0]# mdsenv My_Domain_Server

[Expert@MDS:0]# mdsquerydb Gateways -f /tmp/gateways.txt

R81.10 Multi-Domain Security Management Administration Guide | 494

mdsstart

mdsstart
Description
Starts the Multi-Domain Server and all Domain Management Servers.
To start a specific Domain Management Server, see the "mdsstart_customer" on page 499
command.

Syntax

mdsstart [-m | -s]

Parameters

Parameter Description

-m Optional: Starts only the Multi-Domain Server and not the Domain
Management Servers.

-s Optional: Starts all the Domain Management Servers sequentially.

The command waits for each Domain Management Server to come up,
before it starts the next one.

Controlling the number of Domain Management Servers to start sequentially

By default, the system attempts to start up to 10 Domain Management Servers at the same
time.

You can decrease the amount of time it takes to start the Multi-Domain Server when there are
many Domain Management Servers.
To do this, set the value of the environment variable NUM_EXEC_SIMUL to the number of
Domain Management Servers that start at the same time.

R81.10 Multi-Domain Security Management Administration Guide | 495

mdsstart

Setting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure configures the specified value for the environment variable NUM_EXEC_
SIMUL in the current shell (does not survive reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Set the value of the environment variable NUM_EXEC_SIMUL:

[Expert@MDS:0]# export NUM_EXEC_SIMUL=<Number of Domain
Management Servers>
Example:
[Expert@MDS:0]# export NUM_EXEC_SIMUL=5

4 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must show the configured value.

Unsetting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure removes the configured value for the environment variable NUM_EXEC_
SIMUL in the current shell (does not survive reboot):

Parameter Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Unset the value of the environment variable NUM_EXEC_SIMUL:

[Expert@MDS:0]# unset NUM_EXEC_SIMUL

4 Make sure the environment variable NUM_EXEC_SIMUL is not set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must be empty.

R81.10 Multi-Domain Security Management Administration Guide | 496

mdsstart

Setting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure configures the specified value for the environment variable NUM_EXEC_
SIMUL for all shells (survives reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP}

4 Edit the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Add this line at the bottom of the file:

export NUM_EXEC_SIMUL=<Number of Domain Management
Servers>

Important - After this line, you must press Enter to add a new line.

Example:
export NUM_EXEC_SIMUL=5

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must show the configured value.

R81.10 Multi-Domain Security Management Administration Guide | 497

mdsstart

Unsetting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure removes the configured value for the environment variable NUM_EXEC_
SIMUL for all shells (survives reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP_with_
NUM_EXEC_SIMUL}

4 Edit the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Remove this line from the file:

export NUM_EXEC_SIMUL=<Number of Domain Management
Servers>

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is not
set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must be empty.

R81.10 Multi-Domain Security Management Administration Guide | 498

mdsstart_customer

mdsstart_customer
Description
Starts the specified Domain Management Server, if it was stopped with the "mdsstop_
customer" on page 506 command.
To start the entire Multi-Domain Server, see the "mdsstart" on page 495 command.

Syntax

mdsstart_customer <IP address or Name of Domain Management Server>

Note - If the name of the Domain Management Server includes spaces, you must
surround it with quotes ("Name of Domain Management Server").

R81.10 Multi-Domain Security Management Administration Guide | 499

mdsstat

mdsstat
Description
This command shows the status of specific processes on the Multi-Domain Server and
Domain Management Servers.

Syntax

mdsstat [-h] [-m] [<Name or IP Address of Domain Management

Server>]

Parameters

Parameter Description

-h Displays help message.

-m Test status for Multi-Domain Server only.

<Name or IP address of Domain Specifies the Domain Management Server by

Management Server> its name or IPv4 address.

Possible Statuses of Processes

Status Description

up The process is up.

down The process is down.

pnd The process is pending initialization.

init The process is initializing.

N/A The process's PID is not yet available.

N/R The process is not relevant for this Multi-Domain Server.

R81.10 Multi-Domain Security Management Administration Guide | 500

mdsstat

Example

[Expert@MDS:0]# mdsstat
+--------------------------------------------------------------------------------------+
| Processes status checking |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | - | 192.168.3.101 | up 17284 | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |DOM211_Server | 192.168.3.211 | up 32227 | up 32212 | up 25725 | up 32482 |
| CMA |DOM212_Server | 192.168.3.212 | up 4248 | up 4184 | up 4094 | up 4441 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 2 2 up 0 down |
| Tip: Run mdsstat -h for legend |
+--------------------------------------------------------------------------------------+
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 501

mdsstop

mdsstop
Description
Stops the Multi-Domain Server and all Domain Management Servers.
To stop a specific Domain Management Server, see the "mdsstop_customer" on page 506
command.

Syntax

mdsstop [-m | -s]

Parameters

Parameter Description

-m Optional: Stops only the Multi-Domain Server and not the Domain
Management Servers.

-s Optional: Stops all the Domain Management Servers sequentially.

The command waits for each Domain Management Server to stop, before it
stops the next one.

Controlling the number of Domain Management Servers to stop sequentially

By default, the system attempts to stop up to 10 Domain Management Servers at the same
time.

You can decrease the amount of time it takes to stop the Multi-Domain Server when there are
many Domain Management Servers.
To do this, set the value of the environment variable NUM_EXEC_SIMUL to the number of
Domain Management Servers that stop at the same time.

R81.10 Multi-Domain Security Management Administration Guide | 502

mdsstop

Setting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure configures the specified value for the environment variable NUM_EXEC_
SIMUL in the current shell (does not survive reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Set the value of the environment variable NUM_EXEC_SIMUL:

[Expert@MDS:0]# export NUM_EXEC_SIMUL=<Number of Domain
Management Servers>
Example:
[Expert@MDS:0]# export NUM_EXEC_SIMUL=5

4 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must show the configured value.

Unsetting the environment variable 'NUM_EXEC_SIMUL' temporarily

This procedure removes the configured value for the environment variable NUM_EXEC_
SIMUL in the current shell (does not survive reboot):

Parameter Description

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Unset the value of the environment variable NUM_EXEC_SIMUL:

[Expert@MDS:0]# unset NUM_EXEC_SIMUL

4 Make sure the environment variable NUM_EXEC_SIMUL is not set:

[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must be empty.

R81.10 Multi-Domain Security Management Administration Guide | 503

mdsstop

Setting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure configures the specified value for the environment variable NUM_EXEC_
SIMUL for all shells (survives reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP}

4 Edit the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Add this line at the bottom of the file:

export NUM_EXEC_SIMUL=<Number of Domain Management
Servers>

Important - After this line, you must press Enter to add a new line.

Example:
export NUM_EXEC_SIMUL=5

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must show the configured value.

R81.10 Multi-Domain Security Management Administration Guide | 504

mdsstop

Unsetting the environment variable 'NUM_EXEC_SIMUL' permanently

This procedure removes the configured value for the environment variable NUM_EXEC_
SIMUL for all shells (survives reboot):

Step Instructions

1 Connect to the command line on the Multi-Domain Server.

2 Log in to the Expert mode.

3 Back up the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# cp -v /etc/rc.d/rc.local{,_BKP_with_
NUM_EXEC_SIMUL}

4 Edit the current /etc/rc.d/rc.local file:

[Expert@MDS:0]# vi /etc/rc.d/rc.local

5 Remove this line from the file:

export NUM_EXEC_SIMUL=<Number of Domain Management
Servers>

6 Save the changes in the file and exit the Vi editor.

7 Reboot.

8 Make sure the new value of the environment variable NUM_EXEC_SIMUL is not
set:
[Expert@MDS:0]# echo $NUM_EXEC_SIMUL
Output must be empty.

R81.10 Multi-Domain Security Management Administration Guide | 505

mdsstop_customer

mdsstop_customer
Description
Stops the specified Domain Management Server.
To stop the entire Multi-Domain Server, see the "mdsstop" on page 502 command.

Syntax

mdsstop_customer <IP address or Name of Domain Management Server>

Notes:
n If the name of the Domain Management Server includes spaces, you must
surround it with quotes ("Name of Domain Management Server").
n To start the specified Domain Management Server, run the "mdsstart_
customer" on page 499 command.

R81.10 Multi-Domain Security Management Administration Guide | 506

mgmt_cli

mgmt_cli
Description
The mgmt_cli tool works directly with the management database on your Management
Server.

Syntax on Management Server or Security Gateway running on Gaia OS

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 32-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional
Switches>

Syntax on SmartConsole computer running on Windows OS 64-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles
(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional
Switches>

Notes
n For a complete list of the mgmt_cli options, enter the mgmt_cli (mgmt_cli.exe)
command and press Enter.
n For more information, see the Check Point Management API Reference.

R81.10 Multi-Domain Security Management Administration Guide | 507

migrate

migrate
Important - This command is used to migrate the management database from R80.10
and lower versions.
For more information, see the R81.10 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:

Notes:
n You must run this command from the Expert mode.
n If it is necessary to back up the current management database, and you do not
plan to import it on a Management Server that runs a higher software version,
then you can use the built-in command in the $FWDIR/bin/upgrade_tools/
directory.
n If you plan to import the management database on a Management Server that
runs a higher software version, then you must use the migrate utility from the
migration tools package created specifically for that higher software version.
See the Installation and Upgrade Guide for that higher software version.
n If this command completes successfully, it creates this log file:
/var/log/opt/CPshrd-R81.10/migrate-<YYYY.MM.DD_
HH.MM.SS>.log
For example: /var/log/opt/CPshrd-R81.10/migrate-2019.06.14_11.03.46.log
n If this command fails, it creates this log file:
$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /opt/CPshrd-R81.10/log/migrate-2019.06.14_11.21.39.log

R81.10 Multi-Domain Security Management Administration Guide | 508

migrate

Syntax
n To see the built-in help:

[Expert@MGMT:0]# ./migrate -h

n To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate export [-l | -x] [-n]
[--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full
Path>/<Name of Exported File> &

n To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate import [-l | -x] [-n]
[--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full
Path>/<Name of Exported File>.tgz &

Parameters

Parameter Description

-h Shows the built-in help.

yes | nohup This syntax:

./migrate ...
& 1. Sends the "yes" input to the interactive "migrate" command
through the pipeline.
2. The "nohup" forces the "migrate" command to ignore the
hangup signals from the shell.
3. The "&" forces the command to run in the background.
As a result, when the CLI session closes, the command continues to
run in the background.
See:
n sk133312
n https://linux.die.net/man/1/bash
n https://linux.die.net/man/1/nohup

export Exports the management database and applicable Check Point

configuration.

import Imports the management database and applicable Check Point

configuration that were exported from another Management Server.

R81.10 Multi-Domain Security Management Administration Guide | 509

migrate

Parameter Description

-l Exports and imports the Check Point logs without log indexes in the
$FWDIR/log/ directory.
Important:
n The command can export only closed logs (to which the
information is not currently written).
n If you use this parameter, it can take the command a long
time to complete (depends on the number of logs).

-x Exports and imports the Check Point logs with their log indexes in the
$FWDIR/log/ directory.
Important:
n This parameter only supports Management Servers and
Log Servers R80.10 and higher.
n The command can export only closed logs (to which the
information is not currently written).
n If you use this parameter, it can take the command a long
time to complete (depends on the number of logs and
indexes).

-n Runs silently (non-interactive mode) and uses the default options for
each setting.
Important:
n If you export a management database in this mode and the
specified name of the exported file matches the name of an
existing file, the command overwrites the existing file
without prompting.
n If you import a management database in this mode, the
"migrate import" command runs the "cpstop"
command automatically.

--exclude- n During the export operation, does not back up the PostgreSQL
uepm- database from the Endpoint Security Management Server.
postgres-db n During the import operation, does not restore the PostgreSQL
database on the Endpoint Security Management Server.

--include- n During the export operation, backs up the MSI files from the
uepm-msi- Endpoint Security Management Server.
files n During the import operation, restores the MSI files on the
Endpoint Security Management Server.

/<Full Path>/ Absolute path to the exported database file.

This path must exist.

R81.10 Multi-Domain Security Management Administration Guide | 510

migrate

Parameter Description

<Name of n During the export operation, specifies the name of the output
Exported file.
File> The command automatically adds the *.tgz extension.
n During the import operation, specifies the name of the exported
file.
You must manually enter the *.tgz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# ./migrate export /var/log/Migrate_Export

You are required to close all clients to Security Management Server

or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...

Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R81.10/migrate-2019.06.14_11.03.46.log
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R81.10/log/migrate-2019.06.14_
11.21.39.log' for further details
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 511

migrate_server

migrate_server
Important - This command is used to migrate the management database from
R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.
For more information, see:
n sk135172 - Upgrade Tools
n The R81.10 Installation and Upgrade Guide

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:

Notes:
n You must run this command from the Expert mode.
n If it is necessary to back up the current management database, and you do not
plan to import it on a Management Server that runs a higher software version,
then you can use the built-in command in the $FWDIR/scripts/ directory.
n If you plan to import the management database on a Management Server that
runs a higher software version, then you must use the migrate_server utility
from the migration tools package created specifically for that higher software
version. See the Installation and Upgrade Guide for that higher software
version.
n If this command completes successfully, it creates this log file:
/var/log/opt/CPshrd-R81.10/migrate-<YYYY.MM.DD_
HH.MM.SS>.log
For example: /var/log/opt/CPshrd-R81.10/migrate-2021.06.14_11.03.46.log
n If this command fails, it creates this log file:
$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log
For example: /opt/CPshrd-R81.10/log/migrate-2021 - 2024.06.14_11.21.39.log

R81.10 Multi-Domain Security Management Administration Guide | 512

migrate_server

Syntax
n To see the built-in help:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server -h

n To run the Pre-Upgrade Verifier:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server verify -v R81.10 [-skip_
upgrade_tools_check]

n To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export -v R81.10 [-skip_
upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--
exclude-uepm-postgres-db] [--ignore_warnings] /<Full
Path>/<Name of Exported File>

n To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server import -v R81.10 [-skip_
upgrade_tools_check] [-l | -x] [/var/log/mdss.json] [--
include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full
Path>/<Name of Exported File>.tgz

n To import the Domain Management Server database and configuration on a Security

Management Server:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server migrate_import_domain -v
R81.10 [-skip_upgrade_tools_check] [-l | -x]
[/var/log/mdss.json] [--include-uepm-msi-files] [--exclude-
uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

Parameters

Parameter Description

-h Shows the built-in help.

R81.10 Multi-Domain Security Management Administration Guide | 513

migrate_server

Parameter Description

export Exports the management database and applicable Check Point

configuration.

import Imports the management database and applicable Check Point

configuration that were exported from another Management Server.
Important:
n This command automatically restarts Check Point services (runs
the "cpstop" and "cpstart" commands).
n This note applies to a Multi-Domain Security Management
environment, if at least one of the servers changes its IPv4 address
comparing to the source server, from which you exported its
database.
You must do these steps before you start the upgrade and import:
1. You must create a special JSON configuration file with the
new IPv4 address(es).
Syntax:
[{"name":"<Name of Server 1 Object in
SmartConsole>","newIpAddress4":"<New IPv4
Address of Server 1>"},
{"name":"<Name of Server 2 Object in
SmartConsole>","newIpAddress4":"<New IPv4
Address of Server 2>"}]
Example:
[{"name":"MyPrimaryMultiDomainServer","new
IpAddress4":"172.30.40.51"},
{"name":"MySecondaryMultiDomainServer","ne
wIpAddress4":"172.30.40.52"}]
2. You must call this file: mdss.json
3. You must put this file on all servers in this directory: /var/log/

migrate_ On a Security Management Server, imports the management database

import_ and applicable Check Point configuration that were exported from a
domain Domain Management Server.
Important - This command automatically restarts Check Point
services (runs the "cpstop" and "cpstart" commands).

verify Verifies the management database and applicable Check Point

configuration that were exported from another Management Server.

-v R81.10 Specifies the version, to which you plan to migrate / upgrade.

R81.10 Multi-Domain Security Management Administration Guide | 514

migrate_server

Parameter Description

-skip_ Does not try to connect to Check Point Cloud to check for a more recent
upgrade_ version of the Upgrade Tools.
tools_check Best Practice - Use this parameter on the Management Server that
is not connected to the Internet.

-x Exports and imports the Check Point logs with their log indexes in the
$FWDIR/log/ directory.
Important:
n Before you use this parameter, it is necessary to make sure all
log indexes are closed and saved.
Run this command in the Expert mode and wait for the output
to show "Solr stopped":
$RTDIR/scripts/stopSolr.sh
n This parameter only supports Management Servers and Log
Servers R80.10 and higher.
n The command can export only closed logs (to which the
information is not currently written).
n If you use this parameter, it can take the command a long time
to complete (depends on the number of logs and indexes).

R81.10 Multi-Domain Security Management Administration Guide | 515

migrate_server

Parameter Description

/var/log/md Important:
ss.json
n In the Upgrade Tools for R81.10 build higher than 996000356,
the syntax is (this filename is mandatory):
Previously:
-change_ /var/log/mdss.json
ips_file You must create the file /var/log/mdss.json and not use the
/<Full parameter "-change_ips_file".
Path n In the Upgrade Tools for R81.10 build 996000356 and lower,
>/<
the syntax was:
Name>.json
-change_ips_file /<Full Path>/<Name of JSON
File>.json

Specifies the absolute path to the special JSON configuration file with
new IPv4 addresses.
This file is mandatory during an upgrade of a Multi-Domain Security
Management environment.
Even if only one of the servers migrates to a new IP address, all the other
servers must get this configuration file for the import process.
Syntax:
[{"name":"<Name of Server 1 Object in
SmartConsole>","newIpAddress4":"<New IPv4 Address
of Server 1>"},
{"name":"<Name of Server 2 Object in
SmartConsole>","newIpAddress4":"<New IPv4 Address
of Server 2>"}]
Example:
[{"name":"MyPrimaryMultiDomainServer","newIpAddress
4":"172.30.40.51"},
{"name":"MySecondaryMultiDomainServer","newIpAddres
s4":"172.30.40.52"}]

R81.10 Multi-Domain Security Management Administration Guide | 516

migrate_server

Parameter Description

--ignore_ If during an upgrade procedure, the Pre-Upgrade Verifier shows

warnings warnings, you can use this parameter to ignore warnings and continue
or the upgrade.
-ivw Important - To prevent issues during and after upgrade, we strongly
recommend to resolve all issues and not use this parameter.

--exclude- n During the export operation, does not back up the licenses from the
licenses Management Server.
n During the import operation, does not restore the license on the
Management Server.

--no_ Disables the progress bar in the command line.

progress_
bar
or
-npb

-n Disables the interactive mode.

/<Full Specifies the absolute path to the exported database file. This path must
Path>/<Name exist.
of Exported
File>
n During the export operation, specifies the name of the output file.
The command automatically adds the *.tgz extension.
n During the import operation, specifies the name of the exported file.
You must manually enter the *.tgz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export /var/log/Migrate_Export

You are required to close all clients to Security Management Server

or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...

Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R81.10/migrate-2021 - 2024.06.14_11.03.46.log
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 517

migrate_server

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate_server export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R81.10/log/migrate-2021 - 2024.06.14_
11.21.39.log' for further details
[Expert@MGMT:0]#

R81.10 Multi-Domain Security Management Administration Guide | 518

migrate_global_policies

migrate_global_policies
Description
This utility transfers (and upgrades, if necessary) the global configuration database from one
Multi-Domain Server to another Multi-Domain Server.

Notes:
n You can only use this command when the target Multi-Domain Server does not
have global configurations defined.
n This utility replaces all existing global configurations. Each existing global
configuration is saved with a *.pre_migrate extension.
n If you migrate only the global configurations (without the Domain Management
Servers) to a new Multi-Domain Server, disable all Security Gateways that are
enabled for global use.

Important - You cannot export an R80.X global configuration database and then use
this utility on an R80.X Multi-Domain Server.

Syntax

migrate_global_policies <Path>

Parameters

Parameter Description

<Path> The fully qualified path to the directory where the global policies files,
originally exported from the source Multi-Domain Server
($MDSDIR/conf/), are located.

Example
[email protected]_MDS:0]# migrate_global_policies /var/log/exported_global_db.22Jul2019-124547.tgz

R81.10 Multi-Domain Security Management Administration Guide | 519

queryDB_util

queryDB_util
Description
Searches in the management database for objects or policy rules.

Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 507 command to search in the management database for objects or policy rules
according to search parameters.

R81.10 Multi-Domain Security Management Administration Guide | 520

rs_db_tool

rs_db_tool
Description
Manages Dynamically Assigned IP address (DAIP) gateways in a DAIP database.

Syntax
n To add an entry to the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation add -name <Object

Name> -ip <IPv4 Address> -ip6 <Pv6 Address> -TTL <Time-To-
Live>

n To fetch a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation fetch -name

n To delete a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation delete -name

n To list all entries in the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation list

n To synchronize the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation sync

Note - You must run this command from the Expert mode.

R81.10 Multi-Domain Security Management Administration Guide | 521

rs_db_tool

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-name <Object Specifies the name of the DAIP object.

Name>

-ip <IPv4 Specifies the IPv4 address of the DAIP object

Address>

-ip6 <IPv6 Specifies the IPv6 address of the DAIP object.

Address>

-TTL <Time-To- Specifies the relative time interval (in seconds), during which the
Live> entry is valid.

R81.10 Multi-Domain Security Management Administration Guide | 522

sam_alert

sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the
information received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User
Defined Alerts mechanism.

Important:
n You must run this command on the Management Server.
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Notes:
n VSX Gateways and VSX Cluster Members do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.
n See the "fw sam" on page 387 and "fw sam_policy" on page 395 commands.

SAM v1 syntax

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security
Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter Description

-v Enables the verbose mode for the "fw sam" command.

-o Specifies to print the input of this tool to the standard output (to use with
pipes in a CLI syntax).

-s <SAM Specifies the SAM Server to be contacted. Default is "localhost".

Server>

-t <Time> Specifies the time (in seconds), during which to enforce the action. The
default is forever.

R81.10 Multi-Domain Security Management Administration Guide | 523

sam_alert

Parameter Description

-f Specifies the Security Gateway / Cluster object, on which to run the

<Security operation.
Gateway> Important - If you do not specify the target Security Gateway /
Cluster object explicitly, this command applies to all managed
Security Gateways and Clusters.

-C Cancels the specified operation.

-n Specifies to notify every time a connection, which matches the specified

criteria, passes through the Security Gateway / ClusterXL / Security
Group.

-i Inhibits (drops or rejects) connections that match the specified criteria.

-I Inhibits (drops or rejects) connections that match the specified criteria

and closes all existing connections that match the specified criteria.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.

R81.10 Multi-Domain Security Management Administration Guide | 524

sam_alert

SAM v2 syntax

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f
<Security Gateway>] [-n <Name>] [-c "<Comment">] [-o
<Originator>] [-l {r | a}] -a {d | r| n | b | q | i} [-C] {-ip
|-eth} {-src|-dst|-any|-srv}

Parameters for SAM v2

Parameter Description

-v2 Specifies to use SAM v2.

-v Enables the verbose mode for the "fw sam" command.

-O Specifies to print the input of this tool to the standard output (to
use with pipes in a CLI syntax).

-S <SAM Server> Specifies the SAM server to be contacted. Default is

"localhost".

-t <Time> Specifies the time (in seconds), during which to enforce the
action. The default is forever.

-f <Security Specifies the Security Gateway / Cluster object, on which to run

Gateway> the operation.
Important - If you do not specify the target Security
Gateway / Cluster object explicitly, this command applies
to all managed Security Gateways and Clusters.

-n <Name> Specifies the name for the SAM rule.

Default is empty.

-c "<Comment>" Specifies the comment for the SAM rule.

Default is empty.
You must enclose the text in the double quotes or single
quotes.

-o <Originator> Specifies the originator for the SAM rule.

Default is "sam_alert".

R81.10 Multi-Domain Security Management Administration Guide | 525

sam_alert

Parameter Description

-l {r | a} Specifies the log type for connections that match the specified
criteria:
n r - Regular
n a - Alert
Default is None.

-a {d | r| n | b Specifies the action to apply on connections that match the

| q | i} specified criteria:
n d - Drop
n r - Reject
n n - Notify
n b - Bypass
n q - Quarantine
n i - Inspect

-C Specifies to close all existing connections that match the

criteria.

-ip Specifies to use IP addresses as criteria parameters.

-eth Specifies to use MAC addresses as criteria parameters.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of

connections.

-srv Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.

R81.10 Multi-Domain Security Management Administration Guide | 526

stattest

stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug
purposes - to make sure the applicable SNMP OIDs provide the requested information.

Syntax to query a Regular OID

n On a Management Server / Security Gateway / Cluster Member:
stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ...
<Regular_OID_N>

Notes:
n These Regular OIDs are specified in the SNMP MIB files.
n For Check Point MIB files, see sk90470.

Syntax to query a Statistical OID

n On a Management Server / Security Gateway / Cluster Member:
stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t
<Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>

Notes:
n These Statistical OIDs take some time to "initialize".
n For example, to calculate an average, it is necessary to collect enough samples.
n Check Point statistical OIDs are registered in the $CPDIR/conf/statistical_
oid.conf file.

R81.10 Multi-Domain Security Management Administration Guide | 527

stattest

Parameters

Parameter Description

-d Runs the command in debug mode.

Use only if you troubleshoot the command
itself.
Best Practice - If you use this
parameter, then redirect the output to a
file, or use the script command to
save the entire CLI session.

-h <Host> Specifies the remote Check Point host to

query by its IP address or resolvable
hostname.

-p <Port> Specifies the port number, on which the

AMON server listens. Default port is 18192.

-x <Proxy Server> Specifies the Proxy Server by its IP address

or resolvable hostname.
Note - Use only when you query a
remote host.

-l <Polling Interval> Specifies the time in seconds between

queries.
Note - Use only when you query a
Statistical OID.

-r <Polling Duration> Specifies the time in seconds, during which

to run consecutive queries.
Note - Use only when you query a
Statistical OID.

-t <Timeout> Specifies the session timeout in

milliseconds.

<Regular_OID_1> <Regular_OID_2> Specifies the Regular OIDs to query.

... <Regular_OID_N> Notes:
n OID must not start with period.
n Separate the OIDs with spaces.
n You can specify up to 100 OIDs.

R81.10 Multi-Domain Security Management Administration Guide | 528

stattest

Parameter Description

<Statistical_OID_1> Specifies the Statistical OIDs to query.

<Statistical_OID_2> ... Notes:
<Statistical_OID_N>
n OID must not start with period.
n Separate the OIDs with spaces.
n You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).

[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.4.2

Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Information is collected with intervals of 5 seconds during 5 seconds

[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3

R81.10 Multi-Domain Security Management Administration Guide | 529

threshold_config

threshold_config
Description
You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts.
You can use these thresholds to monitor many system components automatically without
requesting information from each object or device.
You configure these SNMP Monitoring Thresholds only on the Security Management Server,
Multi-Domain Server, or Domain Management Server.
During policy installation, the managed a Security Gateway and Clusters receive and apply
these thresholds as part of their policy.

For more information, see sk90860: How to configure SNMP on Gaia OS.

Procedure

Step Instructions

1 Connect to the command line on the Management Server.

2 Log in to the Expert mode.

3 On a Multi-Domain Server, switch to the context of the applicable Domain

Management Server:
[Expert@HostName:0]# mdsenv <Name or IP address of Domain
Management Server>

4 Go to the Threshold Engine Configuration menu:

[Expert@HostName:0]# threshold_config

R81.10 Multi-Domain Security Management Administration Guide | 530

threshold_config

Step Instructions

5 Select the applicable options and configure the applicable settings

(see the Threshold Engine Configuration Options table below).
Threshold Engine Configuration Options:
---------------------------------------

(1) Show policy name

(2) Set policy name
(3) Save policy
(4) Save policy to file
(5) Load policy from file
(6) Configure global alert settings
(7) Configure alert destinations
(8) View thresholds overview
(9) Configure thresholds

(e) Exit (m) Main Menu

Enter your choice (1-9) :

6 Exit from the Threshold Engine Configuration menu.

7 Stop the CPD daemon:

[Expert@HostName:0]# cpwd_admin stop -name CPD -path
"$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
See "cpwd_admin stop" on page 344.

8 Start the CPD daemon:

[Expert@HostName:0]# cpwd_admin start -name CPD -path
"$CPDIR/bin/cpd" -command "cpd"
See "cpwd_admin start" on page 341.

9 Wait for 10-20 seconds.

10 Verify that CPD daemon started successfully:

[Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"
See "cpwd_admin list" on page 337.

11 In SmartConsole, install the Access Control Policy on Security Gateways and

Clusters.

R81.10 Multi-Domain Security Management Administration Guide | 531

threshold_config

Threshold Engine Configuration Options

Menu item Description

(1) Show policy Shows the name of the current configured threshold policy.
name

(2) Set policy Configures the name for the threshold policy.
name If you do not specify it explicitly, then the default name is "Default
Profile".

(3) Save policy Saves the changes in the current threshold policy.

(4) Save policy Exports the configured threshold policy to a file.

to file If you do not specify the path explicitly, the file is saved in the current
working directory.

(5) Load policy Imports a threshold policy from a file.

from file If you do not specify the path explicitly, the file is imported from the
current working directory.

(6) Configure Configures global settings:

global alert
settings
n How frequently alerts are sent (configured delay must be
greater than 30 seconds)
n How many alerts are sent

(7) Configure Configures the SNMP Network Management System (NMS), to

alert which the managed Security Gateways and Cluster Members send
destinations their SNMP alerts.
Configure Alert Destinations Options:
-------------------------------------
(1) View alert destinations
(2) Add SNMP NMS
(3) Remove SNMP NMS
(4) Edit SNMP NMS

(8) View Shows a list of all available thresholds and their current settings.
thresholds These include:
overview
n Name
n Category (see the next option "(9)")
n State (disabled or enabled)
n Threshold (threshold point, if applicable)
n Description

R81.10 Multi-Domain Security Management Administration Guide | 532

threshold_config

Menu item Description

(9) Configure Shows the list of threshold categories to configure.

thresholds Thresholds Categories
----------------------
(1) Hardware
(2) High Availability
(3) Local Logging Mode Status
(4) Log Server Connectivity
(5) Networking
(6) Resources
See the Thresholds Categories table below.

Thresholds Categories

Category Sub-Categories

(1) Hardware Hardware Thresholds:

--------------------
(1) RAID volume state
(2) RAID disk state
(3) RAID disk flags
(4) Temperature sensor reading
(5) Fan speed sensor reading
(6) Voltage sensor reading

(2) High Availability High Availability Thresholds:

-----------------------------
(1) Cluster member state changed
(2) Cluster block state
(3) Cluster state
(4) Cluster problem status
(5) Cluster interface status

(3) Local Logging Local Logging Mode Status Thresholds:

Mode Status -------------------------------------
(1) Local Logging Mode

(4) Log Server Log Server Connectivity Thresholds:

Connectivity -----------------------------------
(1) Connection with log server
(2) Connection with all log servers

R81.10 Multi-Domain Security Management Administration Guide | 533

threshold_config

Category Sub-Categories

(5) Networking Networking Thresholds:

----------------------
(1) Interface Admin Status
(2) Interface removed
(3) Interface Operational Link Status
(4) New connections rate
(5) Concurrent connections rate
(6) Bytes Throughput
(7) Accepted Packet Rate
(8) Drop caused by excessive traffic

(6) Resources Resources Thresholds:

---------------------
(1) Swap Memory Utilization
(2) Real Memory Utilization
(3) Partition free space
(4) Core Utilization
(5) Core interrupts rate

R81.10 Multi-Domain Security Management Administration Guide | 534

threshold_config

Notes:
n If you run the threshold_config command locally on a Security Gateway or
Cluster Members to configure the SNMP Monitoring Thresholds, then each
policy installation erases these local SNMP threshold settings and reverts them
to the global SNMP threshold settings configured on the Management Server
that manages this Security Gateway or Cluster.
n On a Security Gateway and Cluster Members, you can save the local Threshold
Engine Configuration settings to a file and load it locally later.
n The Threshold Engine Configuration is stored in the
$FWDIR/conf/thresholds.conf file.
n In a Multi-Domain Security Management environment:
l You can configure the SNMP thresholds in the context of Multi-Domain

Server (MDS) and in the context of each individual Domain Management

Server.
l Thresholds that you configure in the context of the Multi-Domain Server

are for the Multi-Domain Server only.

l Thresholds that you configure in the context of a Domain Management

Server are for that Domain Management Server and its managed Security
Gateway and Clusters.
l If an SNMP threshold applies both to the Multi-Domain Server and a

Domain Management Server, then configure the SNMP threshold both in

the context of the Multi-Domain Server and in the context of the Domain
Management Server.
However, in this scenario you can only get alerts from the Multi-Domain
Server, if the monitored object exceeds the threshold.
Example:
If you configure the CPU threshold, then when the monitored value
exceeds the configured threshold, it applies to both the Multi-Domain
Server and the Domain Management Server. However, only the Multi-
Domain Server generates SNMP alerts.

R81.10 Multi-Domain Security Management Administration Guide | 535

$MDSVERUTIL

$MDSVERUTIL
Description
This utility returns information about the Multi-Domain Server and Domain Management
Servers.
This utility is intended for internal use by Check Point scripts on the Multi-Domain Server.
You can use this utility to get some information about the Multi-Domain Server and Domain
Management Servers (for example, the names of all Domain Management Servers).

R81.10 Multi-Domain Security Management Administration Guide | 536

$MDSVERUTIL

Syntax

$MDSVERUTIL help

R81.10 Multi-Domain Security Management Administration Guide | 537

$MDSVERUTIL

$MDSVERUTIL
AllCMAs <options>
AllVersions
CMAAddonDir <options>
CMACompDir <options>
CMAFgDir <options>
CMAFw40Dir <options>
CMAFw41Dir <options>
CMAFwConfDir <options>
CMAFwDir <options>
CMAIp <options>
CMAIp6 <options>
CMALogExporterDir <options>
CMALogIndexerDir <options>
CMANameByFwDir <options>
CMANameByIp <options>
CMARegistryDir <options>
CMAReporterDir <options>
CMASmartLogDir <options>
CMASvnConfDir <options>
CMASvnDir <options>
ConfDirVersion <options>
CpdbUpParam <options>
CPprofileDir <options>
CPVer <options>
CustomersBaseDir <options>
DiskSpaceFactor <options>
InstallationLogDir <options>
IsIPv6Enabled
IsLegalVersion <options>
IsOsSupportsIPv6
LatestVersion
MDSAddonDir <options>
MDSCompDir <options>
MDSDir <options>
MDSFgDir <options>
MDSFwbcDir <options>
MDSFwDir <options>
MDSIp <options>
MDSIp6 <options>
MDSLogExporterDir <options>
MDSLogIndexerDir <options>
MDSPkgName <options>
MDSRegistryDir <options>
MDSReporterDir <options>

R81.10 Multi-Domain Security Management Administration Guide | 538

$MDSVERUTIL

MDSSmartLogDir <options>
MDSSvnDir <options>
MDSVarCompDir <options>
MDSVarDir <options>
MDSVarFwbcDir <options>
MDSVarFwDir <options>
MDSVarSvnDir <options>
MSP <options>
OfficialName <options>
OptionPack <options>
ProductName <options>
RegistryCurrentVer <options>
ShortOfficialName <options>
SmartCenterPuvUpgradeParam <options>
SP <options>
SVNPkgName <options>
SvrDirectory <options>
SvrParam <options>

Parameters

Parameter Description

help Shows the list of available commands.

AllCMAs <options> Returns the list of names of the configured Domain

Management Servers.
See "$MDSVERUTIL AllCMAs" on page 547.

AllVersions Returns the internal representation of versions,

this Multi-Domain Server recognizes.
See "$MDSVERUTIL AllVersions" on page 548.

CMAAddonDir <options> Returns the path to the Management Addon

directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMAAddonDir" on
page 551.

CMACompDir <options> Returns the full path for the specified Backward
Compatibility Package in the context of the
specified Domain Management Server.
See "$MDSVERUTIL CMACompDir" on page 552.

R81.10 Multi-Domain Security Management Administration Guide | 539

$MDSVERUTIL

Parameter Description

CMAFgDir <options> Returns the full path for the $FGDIR directory in
the context of the specified Domain Management
Server.
See "$MDSVERUTIL CMAFgDir" on page 553.

CMAFw40Dir <options> Returns the full path for the $FWDIR directory for
FireWall-1 4.0 in the context of the specified
Domain Management Server.
See "$MDSVERUTIL CMAFw40Dir" on page 554.

CMAFw41Dir <options> Returns the full path for the $FWDIR directory for
Edge devices (that are based on FireWall-1 4.1) in
the context of the specified Domain Management
Server.
Note - R81.10 does not support UTM-1 Edge
and Safe@Office devices. The information
about this command is provided only to
describe the existing syntax option until it is
removed completely.
See "$MDSVERUTIL CMAFw41Dir" on page 555.

CMAFwConfDir <options> Returns the full path for the $FWDIR/conf/

directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMAFwConfDir" on
page 556.

CMAFwDir <options> Returns the full path for the $FWDIR directory in
the context of the specified Domain Management
Server.
See "$MDSVERUTIL CMAFwDir" on page 557.

CMAIp <options> Returns the IPv4 address of the Domain

Management Server specified by its name.
See "$MDSVERUTIL CMAIp" on page 558.

CMAIp6 <options> Returns the IPv6 address of the Domain

Management Server specified by its name.
See "$MDSVERUTIL CMAIp6" on page 559.

CMALogExporterDir <options> Returns the full path for the $EXPORTERDIR

directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMALogExporterDir" on
page 560.

R81.10 Multi-Domain Security Management Administration Guide | 540

$MDSVERUTIL

Parameter Description

CMALogIndexerDir <options> Returns the full path for the $INDEXERDIR

directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMALogIndexerDir" on
page 561.

CMANameByFwDir <options> Returns the name of the Domain Management

Server based on the context of the current $FWDIR
directory.
See "$MDSVERUTIL CMANameByFwDir" on
page 562.

CMANameByIp <options> Returns the name of the Domain Management

Server based on the specified IPv4 address.
See "$MDSVERUTIL CMANameByIp" on
page 563.

CMARegistryDir <options> Returns the full path for the $CPDIR/registry/

directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMARegistryDir" on
page 564.

CMAReporterDir <options> Returns the full path for the $RTDIR directory in
the context of the specified Domain Management
Server.
See "$MDSVERUTIL CMAReporterDir" on
page 565.

CMASmartLogDir <options> Returns the full path for the $SMARTLOGDIR

directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMASmartLogDir" on
page 566.

CMASvnConfDir <options> Returns the full path for the $CPDIR/conf/

directory in the context of the specified Domain
Management Server.
See "$MDSVERUTIL CMASvnConfDir" on
page 567.

CMASvnDir <options> Returns the full path for the $CPDIR directory in
the context of the specified Domain Management
Server.
See "$MDSVERUTIL CMASvnDir" on page 568.

R81.10 Multi-Domain Security Management Administration Guide | 541

$MDSVERUTIL

Parameter Description

ConfDirVersion <options> Returns the internal Version ID based on the

context of the current $FWDIR/conf/ directory.
See "$MDSVERUTIL ConfDirVersion" on
page 569.

CpdbUpParam <options> Returns internal version numbers from the internal

database.
See "$MDSVERUTIL CpdbUpParam" on
page 570.

CPprofileDir <options> Returns the path to the directory that contains the
.CPprofile.sh and the .CPprofile.csh
shell scripts.
See "$MDSVERUTIL CPprofileDir" on page 571.

CPVer <options> Returns internal Check Point version number.

See "$MDSVERUTIL CPVer" on page 572.

CustomersBaseDir <options> Returns the full path for the

$MDSDIR/customers/ directory.
See "$MDSVERUTIL CustomersBaseDir" on
page 573.

DiskSpaceFactor <options> Returns the disk-space factor (the mds_setup

command uses this value during an upgrade).
See "$MDSVERUTIL DiskSpaceFactor" on
page 574.

InstallationLogDir Returns the full path for directory with all

<options> installation logs (/opt/CPInstLog/).
See "$MDSVERUTIL InstallationLogDir" on
page 575.

IsIPv6Enabled Returns true, if IPv6 is enabled in Gaia OS.

Returns false, if IPv6 is disabled in Gaia OS.
See "$MDSVERUTIL IsIPv6Enabled" on
page 576.

IsLegalVersion <options> Returns 0, if the specified internal Version ID is

legal.
Returns 1, if the specified internal Version ID is
illegal.
See "$MDSVERUTIL IsLegalVersion" on
page 577.

R81.10 Multi-Domain Security Management Administration Guide | 542

$MDSVERUTIL

Parameter Description

IsOsSupportsIPv6 Returns true, if the OS supports IPv6.

Returns false, if the OS does not support IPv6.
See "$MDSVERUTIL IsOsSupportsIPv6" on
page 578.

LatestVersion Returns the internal Version ID of the latest

installed version.
See "$MDSVERUTIL LatestVersion" on page 579.

MDSAddonDir <options> Returns the path to the Management Addon

directory in the MDS context.
See "$MDSVERUTIL MDSAddonDir" on
page 580.

MDSCompDir <options> Returns the full path for the specified Backward
Compatibility Package in the MDS context.
See "$MDSVERUTIL MDSCompDir" on page 581.

MDSDir <options> Returns the full path in the /opt/ directory to the
$MDSDIR directory.
See "$MDSVERUTIL MDSDir" on page 582.

MDSFgDir <options> Returns the full path for the $FGDIR directory in
the MDS context.
See "$MDSVERUTIL MDSFgDir" on page 583.

MDSFwbcDir <options> Returns the full path in the /opt/ directory (in the
MDS context) for the Backward Compatibility
directory for Edge devices.
See "$MDSVERUTIL MDSFwbcDir" on page 584.

MDSFwDir <options> Returns the full path in the /opt/ directory for the
$FWDIR directory in the MDS context.
See "$MDSVERUTIL MDSFwDir" on page 585.

MDSIp <options> Returns the IPv4 address of Multi-Domain Server.

See "$MDSVERUTIL MDSIp" on page 586.

MDSIp6 <options> Returns the IPv6 address of Multi-Domain Server.

See "$MDSVERUTIL MDSIp6" on page 587.

MDSLogExporterDir <options> Returns the full path for the $EXPORTERDIR

directory in the MDS context.
See "$MDSVERUTIL MDSLogExporterDir" on
page 588.

R81.10 Multi-Domain Security Management Administration Guide | 543

$MDSVERUTIL

Parameter Description

MDSLogIndexerDir <options> Returns the full path for the $INDEXERDIR

directory in the MDS context.
See "$MDSVERUTIL MDSLogIndexerDir" on
page 589.

MDSPkgName <options> Returns the name of the MDS software package.

See "$MDSVERUTIL MDSPkgName" on
page 590.

MDSRegistryDir <options> Returns the full path for the $CPDIR/registry/

directory in the MDS context.
See "$MDSVERUTIL MDSRegistryDir" on
page 591.

MDSReporterDir <options> Returns the full path for the $RTDIR directory in
the MDS context.
See "$MDSVERUTIL MDSReporterDir" on
page 592.

MDSSmartLogDir <options> Returns the full path for the $SMARTLOGDIR

directory in the MDS context.
See "$MDSVERUTIL MDSSmartLogDir" on
page 593.

MDSSvnDir <options> Returns the full path in the /opt/ directory for the
$CPDIR directory in the MDS context.
See "$MDSVERUTIL MDSSvnDir" on page 594.

MDSVarCompDir <options> Returns the full path in the /var/opt/ directory

for the specified Backward Compatibility Package
in the MDS context.
See "$MDSVERUTIL MDSVarCompDir" on
page 595.

MDSVarDir <options> Returns the full path in the /var/opt/ directory to

the $MDSDIR directory.
See "$MDSVERUTIL MDSVarCompDir" on
page 595.

MDSVarFwbcDir <options> Returns the full path in the /var/opt/ directory

(in the MDS context) for the Backward
Compatibility directory for Edge devices.
See "$MDSVERUTIL MDSVarFwbcDir" on
page 597.

R81.10 Multi-Domain Security Management Administration Guide | 544

$MDSVERUTIL

Parameter Description

MDSVarFwDir <options> Returns the full path in the /var/opt/ directory

for the $FWDIR directory in the MDS context.
See "$MDSVERUTIL MDSVarFwDir" on
page 598.

MDSVarSvnDir <options> Returns the full path in the /var/opt/ directory

for the $CPDIR directory in the MDS context.
See "$MDSVERUTIL MDSVarSvnDir" on
page 599.

MSP <options> Returns the Minor Service Pack version.

See "$MDSVERUTIL MSP" on page 600.

OfficialName <options> Returns the official version name.

See "$MDSVERUTIL OfficialName" on page 601.

OptionPack <options> Returns the internal Option Pack version.

See "$MDSVERUTIL OptionPack" on page 602.

ProductName <options> Returns the official name of the Multi-Domain

Server product.
See "$MDSVERUTIL ProductName" on page 603.

RegistryCurrentVer Returns the current internal version of Check Point

<options> Registry.
See "$MDSVERUTIL RegistryCurrentVer" on
page 604.

ShortOfficialName <options> Returns the short (without spaces) official version

name.
See "$MDSVERUTIL ShortOfficialName" on
page 605.

SmartCenterPuvUpgradeParam Returns the version to the Pre-Upgrade Verifier

<options> (PUV) in order for it to upgrade to that version.
See "$MDSVERUTIL
SmartCenterPuvUpgradeParam" on page 606.

SP <options> Returns the Service Pack version.

See "$MDSVERUTIL SP" on page 607.

SVNPkgName <options> Returns the name of the Secure Virtual Network

(SVN) package.
See "$MDSVERUTIL SVNPkgName" on
page 608.

R81.10 Multi-Domain Security Management Administration Guide | 545

$MDSVERUTIL

Parameter Description

SvrDirectory <options> Returns the full path for the SmartReporter

directory.
See "$MDSVERUTIL SvrDirectory" on page 609.

SvrParam <options> Returns the SmartReporter version.

See "$MDSVERUTIL SvrParam" on page 610.

R81.10 Multi-Domain Security Management Administration Guide | 546

$MDSVERUTIL AllCMAs

Description
Returns the list of names of the configured Domain Management Servers.

Syntax

$MDSVERUTIL AllCMAs [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL AllCMAs

MyDomain_Server_1
MyDomain_Server_2
MyDomain_Server_3
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL AllCMAs -v VID_92

MyDomain_Server_1
MyDomain_Server_2
MyDomain_Server_3
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 547

$MDSVERUTIL AllVersions

Description
Returns the internal representation of versions, this Multi-Domain Server recognizes.
You can you these internal version strings in other commands.
In addition, see these commands:
n "$MDSVERUTIL IsLegalVersion" on page 577
n "$MDSVERUTIL OfficialName" on page 601

Syntax

$MDSVERUTIL AllVersions

R81.10 Multi-Domain Security Management Administration Guide | 548

$MDSVERUTIL AllVersions

Mapping

Internal Version ID Official version

VID_94 R80.40

VID_93 R80.30

VID_92 R80.20

VID_91 R80

VID_90 R77.X

VID_89 R76

VID_88 R75.40VS

VID_87 R75.40

VID_86 R75.30

VID_85 R75.20

VID_84 R75

VID_83 R71.X

VID_80 R70.X

VID_65 NGX R65

VID_62 NGX R62

VID_NGX_61 NGX R61

VID_60 NGX R60

VID_541_A NG AI R55W

VID_541 NG AI R55

VID_54_VSX_R2 VSX NG AI R2

VID_54_VSX VSX NG AI 2.2N and VSX NG AI 2.3N

VID_54 NG AI R54

VID_53_VSX VSX NG AI

R81.10 Multi-Domain Security Management Administration Guide | 549

$MDSVERUTIL AllVersions

Internal Version ID Official version

VID_53 NG FP3

VID_52 NG FP2

VID_51 NG FP1

VID_41 4.1

Example

[Expert@MDS:0]# $MDSVERUTIL AllVersions

VID_94
VID_93
VID_92
VID_91
VID_90
VID_89
VID_88
VID_87
VID_86
VID_85
VID_84
VID_83
VID_80
VID_65
VID_62
VID_NGX_61
VID_61
VID_60
VID_541_A
VID_541
VID_54_VSX_R2
VID_54_VSX
VID_54
VID_53_VSX
VID_53
VID_52
VID_51
VID_41
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 550

$MDSVERUTIL CMAAddonDir

Description
Returns the path to the Management Addon directory in the context of the specified Domain
Management Server. Applies only to NG AI R55W version.
In addition, see the "$MDSVERUTIL MDSAddonDir" on page 580 command.

Syntax

$MDSVERUTIL CMAAddonDir -n <Name or IP address of Domain

Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAAddonDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPmgmt-R55W
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 551

$MDSVERUTIL CMACompDir

Description
Returns the full path for the specified Backward Compatibility Package in the context of the
specified Domain Management Server.
In addition, see these commands:
n "$MDSVERUTIL MDSCompDir" on page 581
n "$MDSVERUTIL MDSVarCompDir" on page 595

Syntax

$MDSVERUTIL CMACompDir -n <Name or IP address of Domain Management

Server> -c <Name of Backward Compatibility Package>

Parameters

Parameter Description

-n <Name or IP Specifies the Domain Management Server by its name or IPv4

address of Domain address.
Management Server>

-c <Name of Specifies the name of Backward Compatibility Package.

Backward The Backward Compatibility Package contains the applicable
Compatibility files to install policy on Security Gateways that run a lower
Package> version than the Multi-Domain Server.
To see the list of all Backward Compatibility Packages, run in
Expert mode:
ls -1 $MDSDIR/customers/<Name of Domain
Management Server>/ | grep CMP

Example

[Expert@MDS:0]# $MDSVERUTIL CMACompDir -n MyDomain_Server -c CPR77CMP-R81.10

/opt/CPmds-R81.10/customers/MyDomain_Server/CPR77CMP-R81.10
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 552

$MDSVERUTIL CMAFgDir

Description
Returns the full path for the $FGDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSFgDir" on page 583 command.

Syntax

$MDSVERUTIL CMAFgDir -n <Name or IP address of Domain Management

Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFgDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fg1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFgDir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fg1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 553

$MDSVERUTIL CMAFw40Dir

Description
Returns the full path for the $FWDIR directory for FireWall-1 4.0 in the context of the specified
Domain Management Server.

Syntax

$MDSVERUTIL CMAFw40Dir -n <Name or IP address of Domain Management

Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFw40Dir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/fw40
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFw40Dir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/fw40
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 554

$MDSVERUTIL CMAFw41Dir

$MDSVERUTIL CMAFw41Dir
Note - R81.10 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax
option until it is removed completely.

Description
Returns the full path for the $FWDIR directory for UTM-1 Edge devices (that are based on
FireWall-1 4.1) in the context of the specified Domain Management Server.

Syntax

$MDSVERUTIL CMAFw41Dir -n <Name or IP address of Domain Management

Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFw41Dir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPEdgecmp-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFw41Dir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/CPEdgecmp-R77
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 555

$MDSVERUTIL CMAFwConfDir

Description
Returns the full path for the $FWDIR/conf/ directory in the context of the specified Domain
Management Server.

Syntax

$MDSVERUTIL CMAFwConfDir -n <Name or IP address of Domain

Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFwConfDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1/conf
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFwConfDir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fw1/conf
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 556

$MDSVERUTIL CMAFwDir

Description
Returns the full path for the $FWDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSFwDir" on page 585 command.

Syntax

$MDSVERUTIL CMAFwDir -n <Name or IP address of Domain Management

Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CMAFwDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPsuite-R81.10/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CMAFwDir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fw1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 557

$MDSVERUTIL CMAIp

Description
Returns the IPv4 address of the Domain Management Server specified by its name.
In addition, see the "$MDSVERUTIL MDSIp" on page 586 command.

Syntax

$MDSVERUTIL CMAIp -n <Name or IP address of Domain Management

Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAIp -n MyDomain_Server

192.168.3.240
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 558

$MDSVERUTIL CMAIp6

Description
Returns the IPv6 address of the Domain Management Server specified by its name.
In addition, see the "$MDSVERUTIL MDSIp6" on page 587 command.

Note - Multi-Domain Server does not support IPv6 at all (Known Limitation PMTR-
14989).

Syntax

$MDSVERUTIL CMAIp6 -n <Name or IP address of Domain Management

Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv6 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

R81.10 Multi-Domain Security Management Administration Guide | 559

$MDSVERUTIL CMALogExporterDir

Description
Returns the full path for the $EXPORTERDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSLogExporterDir" on page 588 command.

Syntax

$MDSVERUTIL CMALogExporterDir -n <Name or IP address of Domain

Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMALogExporterDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPrt-R81.10/log_exporter
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 560

$MDSVERUTIL CMALogIndexerDir

Description
Returns the full path for the $INDEXERDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSLogIndexerDir" on page 589 command.

Syntax

$MDSVERUTIL CMALogIndexerDir -n <Name or IP address of Domain

Management Server> [-v <Version_ID>]

Parameters

Parameter Description

-n <Name or IP address of Domain Specifies the Domain Management Server

Management Server> by its name or IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMALogIndexerDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPrt-R81.10/log_indexer
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 561

$MDSVERUTIL CMANameByFwDir

Description
Returns the name of the Domain Management Server based on the context of the current
$FWDIR directory.

Syntax

$MDSVERUTIL CMANameByFwDir -d $FWDIR [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMANameByFwDir -d $FWDIR

MyDomain_Server
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 562

$MDSVERUTIL CMANameByIp

Description
Returns the name of the Domain Management Server based on the specified IPv4 address.

Syntax

$MDSVERUTIL CMANameByIp -i <IP address of Domain Management

Server> [-v <Version_ID>]

Parameters

Parameter Description

-i <IP address of Domain Specifies the Domain Management Server by

Management Server> its IPv4 address.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMANameByIp -i 192.168.3.240

MyDomain_Server
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 563

$MDSVERUTIL CMARegistryDir

Description
Returns the full path for the $CPDIR/registry/ directory in the context of the specified
Domain Management Server.
In addition, see the "$MDSVERUTIL MDSRegistryDir" on page 591 command.

Syntax

$MDSVERUTIL CMARegistryDir -n <Name of Domain Management Server>

[-v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Specifies the Domain Management Server by its

Server> name.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMARegistryDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPshrd-R81.10/registry
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 564

$MDSVERUTIL CMAReporterDir

Description
Returns the full path for the $RTDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSReporterDir" on page 592 command.

Syntax

$MDSVERUTIL CMAReporterDir -n <Name of Domain Management Server>

[-v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Specifies the Domain Management Server by its

Server> name.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMAReporterDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPrt-R81.10
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 565

$MDSVERUTIL CMASmartLogDir

Description
Returns the full path for the $SMARTLOGDIR directory in the context of the specified Domain
Management Server.
In addition, see the "$MDSVERUTIL MDSSmartLogDir" on page 593 command.

Syntax

$MDSVERUTIL CMASmartLogDir -n <Name of Domain Management Server>

[-v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Specifies the Domain Management Server by its

Server> name.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASmartLogDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPSmartLog-R81.10
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 566

$MDSVERUTIL CMASvnConfDir

Description
Returns the full path for the $CPDIR/conf/ directory in the context of the specified Domain
Management Server.

Syntax

$MDSVERUTIL CMASvnConfDir -n <Name of Domain Management Server> [-

v <Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Specifies the Domain Management Server by its

Server> name.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASvnConfDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPshrd-R81.10/conf
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 567

$MDSVERUTIL CMASvnDir

Description
Returns the full path for the $CPDIR directory in the context of the specified Domain
Management Server.
In addition, see these commands:
n "$MDSVERUTIL MDSSvnDir" on page 594
n "$MDSVERUTIL MDSVarSvnDir" on page 599

Syntax

$MDSVERUTIL CMASvnDir -n <Name of Domain Management Server> [-v

<Version_ID>]

Parameters

Parameter Description

-n <Name of Domain Management Specifies the Domain Management Server by its

Server> name.

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on
page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL CMASvnDir -n MyDomain_Server

/opt/CPmds-R81.10/customers/MyDomain_Server/CPshrd-R81.10
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 568

$MDSVERUTIL ConfDirVersion

Description
Returns the internal Version ID based on the context of the current $FWDIR/conf/ directory.
For information about the internal Version ID, see the "$MDSVERUTIL AllVersions" on
page 548 command.

Syntax

$MDSVERUTIL ConfDirVersion -d $FWDIR/conf

Example

[Expert@MDS:0]# $MDSVERUTIL ConfDirVersion -d $FWDIR/conf

VID_92
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 569

$MDSVERUTIL CpdbUpParam

Description
Returns internal version numbers from the internal database.
In addition, see these commands:
n "$MDSVERUTIL MSP" on page 600
n "$MDSVERUTIL SP" on page 607

Syntax

$MDSVERUTIL CpdbUpParam [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam

6.0.5.1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam -v VID_90

6.0.4.0
[Expert@MDS:0]#

Example 3

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam -v VID_65

6.0.1.0
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 570

$MDSVERUTIL CPprofileDir

Description
Returns the path to the directory that contains the .CPprofile.sh and the
.CPprofile.csh shell scripts.

Syntax

$MDSVERUTIL CPprofileDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CPprofileDir

/opt/CPshrd-R81.10/tmp
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CPprofileDir -v VID_90

/opt/CPshrd-R77/tmp
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 571

$MDSVERUTIL CPVer

Description
Returns internal Check Point version number.

Syntax

$MDSVERUTIL CPVer [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CPVer

9.0
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CPVer -v VID_80

8.0
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 572

$MDSVERUTIL CustomersBaseDir

Description
Returns the full path for the $MDSDIR/customers/ directory.

Syntax

$MDSVERUTIL CustomersBaseDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL CustomersBaseDir

/opt/CPmds-R81.10/customers
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL CustomersBaseDir -v VID_90

/opt/CPmds-R77/customers
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 573

$MDSVERUTIL DiskSpaceFactor

Description
Returns the disk-space factor. The mds_setup command uses this value during an upgrade.

Syntax

$MDSVERUTIL DiskSpaceFactor [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL DiskSpaceFactor

1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 574

$MDSVERUTIL InstallationLogDir

Description
Returns the full path for directory with all installation logs (/opt/CPInstLog/).

Syntax

$MDSVERUTIL InstallationLogDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL InstallationLogDir

/opt/CPInstLog
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 575

$MDSVERUTIL IsIPv6Enabled

R81.10 Multi-Domain Security Management Administration Guide | 576

$MDSVERUTIL IsLegalVersion

Description
Returns 0, if the specified internal Version ID is legal.
Returns 1, if the specified internal Version ID is illegal.

Syntax

$MDSVERUTIL IsLegalVersion -v <Version_ID>

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL IsLegalVersion -v VID_92

0
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL IsLegalVersion -v VID_123456

1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 577

$MDSVERUTIL IsOsSupportsIPv6

Description
Returns true, if the OS supports IPv6.
Returns false, if the OS does not support IPv6.

Note - Multi-Domain Server does not support IPv6 at all (Known Limitation PMTR-
14989).

Syntax

$MDSVERUTIL IsOsSupportsIPv6

R81.10 Multi-Domain Security Management Administration Guide | 578

$MDSVERUTIL LatestVersion

Description
Returns the internal Version ID of the latest installed version.

Syntax

$MDSVERUTIL LatestVersion

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL LatestVersion

VID_92
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 579

$MDSVERUTIL MDSAddonDir

Description
Returns the path to the Management Addon directory in the MDS context.
In addition, see the "$MDSVERUTIL CMAAddonDir" on page 551 command.

Syntax

$MDSVERUTIL MDSAddonDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL MDSAddonDir

/opt/CPmgmt-R55W
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 580

$MDSVERUTIL MDSCompDir

Description
Returns the full path for the specified Backward Compatibility Package in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMACompDir" on page 552
n "$MDSVERUTIL MDSVarCompDir" on page 595

Syntax

$MDSVERUTIL MDSCompDir -c <Name of Backward Compatibility Package>

Parameters

Parameter Description

-c <Name of Specifies the name of Backward Compatibility Package.

Example

[Expert@MDS:0]# $MDSVERUTIL MDSCompDir -c CPR77CMP-R81.10

/opt/CPR77CMP-R81.10
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 581

$MDSVERUTIL MDSDir

Description
Returns the full path in the /opt/ directory to the $MDSDIR directory.
In addition, see the "$MDSVERUTIL MDSVarDir" on page 596 command.

Syntax

$MDSVERUTIL MDSDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSDir

/opt/CPmds-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSDir -v VID_90

/opt/CPmds-R77
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 582

$MDSVERUTIL MDSFgDir

Description
Returns the full path for the $FGDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMAFgDir" on page 553 command.

Syntax

$MDSVERUTIL MDSFgDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFgDir

/opt/CPsuite-R81.10/fg1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFgDir -v VID_90

/opt/CPsuite-R77/fg1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 583

$MDSVERUTIL MDSFwbcDir

$MDSVERUTIL MDSFwbcDir
Note - R81.10 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax
option until it is removed completely.

Description
Returns the full path in the /opt/ directory (in the MDS context) for the Backward
Compatibility directory for UTM-1 Edge devices.
This Backward Compatibility directory contains the applicable files to install policy on UTM-1
Edge devices.
In addition, see the "$MDSVERUTIL MDSVarFwbcDir" on page 597 command.

Syntax

$MDSVERUTIL MDSFwbcDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFwbcDir

/opt/CPEdgecmp-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFwbcDir -v VID_90

/opt/CPEdgecmp-R77
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 584

$MDSVERUTIL MDSFwDir

Description
Returns the full path in the /opt/ directory for the $FWDIR directory in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL MDSVarFwDir" on page 598
n "$MDSVERUTIL CMAFwDir" on page 557

Syntax

$MDSVERUTIL MDSFwDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSFwDir

/opt/CPsuite-R81.10/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSFwDir -v VID_90

/opt/CPsuite-R77/fw1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 585

$MDSVERUTIL MDSIp

Description
Returns the IPv4 address of Multi-Domain Server.
In addition, see the "$MDSVERUTIL CMAIp" on page 558 command.

Syntax

$MDSVERUTIL MDSIp [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL MDSIp

192.168.3.51
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 586

$MDSVERUTIL MDSIp6

Description
Returns the IPv6 address of Multi-Domain Server.
In addition, see the "$MDSVERUTIL CMAIp6" on page 559 command.

Note - Multi-Domain Server does not support IPv6 at all (Known Limitation PMTR-
14989).

Syntax

$MDSVERUTIL MDSIp6 [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

R81.10 Multi-Domain Security Management Administration Guide | 587

$MDSVERUTIL MDSLogExporterDir

Description
Returns the full path for the $EXPORTERDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMALogExporterDir" on page 560 command.

Syntax

$MDSVERUTIL MDSLogExporterDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSLogExporterDir

/opt/CPrt-R81.10/log_exporter
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSLogExporterDir -v VID_91

/opt/CPrt-R80/
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 588

$MDSVERUTIL MDSLogIndexerDir

Description
Returns the full path for the $INDEXERDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMALogIndexerDir" on page 561 command.

Syntax

$MDSVERUTIL MDSLogIndexerDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSLogIndexerDir

/opt/CPrt-R81.10/log_indexer
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSLogIndexerDir -v VID_91

/opt/CPrt-R80/
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 589

$MDSVERUTIL MDSPkgName

Description
Returns the name of the MDS software package.
In addition, see the "$MDSVERUTIL SVNPkgName" on page 608 command.

Syntax

$MDSVERUTIL MDSPkgName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSPkgName

CPmds-R81.10-00
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSPkgName -v VID_90

CPmds-R77-00
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 590

$MDSVERUTIL MDSRegistryDir

Description
Returns the full path for the $CPDIR/registry/ directory in the MDS context.
In addition, see the "$MDSVERUTIL CMARegistryDir" on page 564 command.

Syntax

$MDSVERUTIL MDSRegistryDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSRegistryDir

/opt/CPshrd-R81.10/registry
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSRegistryDir -v VID_90

/opt/CPshrd-R77/registry
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 591

$MDSVERUTIL MDSReporterDir

Description
Returns the full path for the $RTDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMAReporterDir" on page 565 command.

Syntax

$MDSVERUTIL MDSReporterDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSReporterDir

/opt/CPrt-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSReporterDir -v VID_91

/opt/CPrt-R80
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 592

$MDSVERUTIL MDSSmartLogDir

Description
Returns the full path for the $SMARTLOGDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL CMASmartLogDir" on page 566 command.

Syntax

$MDSVERUTIL MDSSmartLogDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSSmartLogDir

/opt/CPSmartLog-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSSmartLogDir -v VID_91

/opt/CPSmartLog-R80
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 593

$MDSVERUTIL MDSSvnDir

Description
Returns the full path in the /opt/ directory for the $CPDIR directory in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMASvnDir" on page 568
n "$MDSVERUTIL MDSVarSvnDir" on page 599

Syntax

$MDSVERUTIL MDSSvnDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSSvnDir

/opt/CPshrd-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSSvnDir -v VID_91

/opt/CPshrd-R80
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 594

$MDSVERUTIL MDSVarCompDir

Description
Returns the full path in the /var/opt/ directory for the specified Backward Compatibility
Package in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMACompDir" on page 552
n "$MDSVERUTIL MDSCompDir" on page 581

Syntax

$MDSVERUTIL MDSVarCompDir -c <Name of Backward Compatibility

Package>

Parameters

Parameter Description

-c <Name of Specifies the name of Backward Compatibility Package.

Example

[Expert@MDS:0]# $MDSVERUTIL MDSVarCompDir -c CPR77CMP-R81.10

/var/opt/CPR77CMP-R81.10
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 595

$MDSVERUTIL MDSVarDir

Description
Returns the full path in the /var/opt/ directory to the $MDSDIR directory.
In addition, see the "$MDSVERUTIL MDSDir" on page 582 command.

Syntax

$MDSVERUTIL MDSVarDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarDir

/var/opt/CPmds-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarDir -v VID_90

/var/opt/CPmds-R77
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 596

$MDSVERUTIL MDSVarFwbcDir

$MDSVERUTIL MDSVarFwbcDir
Note - R81.10 does not support UTM-1 Edge and Safe@Office devices. The
information about this command is provided only to describe the existing syntax
option until it is removed completely.

Description
Returns the full path in the /var/opt/ directory (in the MDS context) for the Backward
Compatibility directory for UTM-1 Edge devices.
This Backward Compatibility directory contains the applicable files to install policy on UTM-1
Edge devices.
In addition, see the "$MDSVERUTIL MDSFwbcDir" on page 584 command.

Syntax

$MDSVERUTIL MDSVarFwbcDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwbcDir

/var/opt/CPEdgecmp-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwbcDir -v VID_90

/var/opt/CPEdgecmp-R77
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 597

$MDSVERUTIL MDSVarFwDir

Description
Returns the full path in the /var/opt/ directory for the $FWDIR directory in the MDS context.
In addition, see the "$MDSVERUTIL MDSFwDir" on page 585 command.

Syntax

$MDSVERUTIL MDSVarFwDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwDir

/var/opt/CPsuite-R81.10/fw1
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwDir -v VID_90

/var/opt/CPsuite-R77/fw1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 598

$MDSVERUTIL MDSVarSvnDir

Description
Returns the full path in the /var/opt/ directory for the $CPDIR directory in the MDS context.
In addition, see these commands:
n "$MDSVERUTIL CMASvnDir" on page 568
n "$MDSVERUTIL MDSSvnDir" on page 594

Syntax

$MDSVERUTIL MDSVarSvnDir [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MDSVarSvnDir

/var/opt/CPshrd-R81.10
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MDSVarSvnDir -v VID_90

/var/opt/CPshrd-R77
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 599

$MDSVERUTIL MSP

Description
Returns the Minor Service Pack version.
In addition, see these commands:
n "$MDSVERUTIL SP" on page 607
n "$MDSVERUTIL CpdbUpParam" on page 570

Syntax

$MDSVERUTIL MSP [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL MSP

9
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL MSP -v VID_91

8
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 600

$MDSVERUTIL OfficialName

Description
Returns the official version name.
In addition, see the "$MDSVERUTIL ShortOfficialName" on page 605 command.

Syntax

$MDSVERUTIL OfficialName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL OfficialName

R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL OfficialName -v VID_91

R80
[Expert@MDS:0]#

Example 3

[Expert@MDS:0]# $MDSVERUTIL OfficialName -v VID_65

NGX R65
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 601

$MDSVERUTIL OptionPack

Description
Returns the internal Option Pack version.

Syntax

$MDSVERUTIL OptionPack [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL OptionPack

3
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL OptionPack -v VID_90

1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 602

$MDSVERUTIL ProductName

Description
Returns the official name of the Multi-Domain Server product.

Syntax

$MDSVERUTIL ProductName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL ProductName

Multi-Domain Security Management
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL ProductName -v VID_65

Provider-1
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 603

$MDSVERUTIL RegistryCurrentVer

Description
Returns the current internal version of Check Point Registry.

Syntax

$MDSVERUTIL RegistryCurrentVer [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example

[Expert@MDS:0]# $MDSVERUTIL RegistryCurrentVer

6.0
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 604

$MDSVERUTIL ShortOfficialName

Description
Returns the short (without spaces) official version name.
In addition, see the "$MDSVERUTIL OfficialName" on page 601 command.

Syntax

$MDSVERUTIL ShortOfficialName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL ShortOfficialName

R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# ShortOfficialName -v VID_65

NGX_65
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 605

$MDSVERUTIL SmartCenterPuvUpgradeParam

Description
Returns the version to the Pre-Upgrade Verifier (PUV) in order for it to upgrade to that version.

Syntax

$MDSVERUTIL SmartCenterPuvUpgradeParam [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam

R80.20
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam -v VID_90

R77
[Expert@MDS:0]#

Example 3
[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam -v VID_65
NGX_R65
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 606

$MDSVERUTIL SP

Description
Returns the Service Pack version.
In addition, see these commands:
n "$MDSVERUTIL MSP" on page 600
n "$MDSVERUTIL CpdbUpParam" on page 570

Syntax

$MDSVERUTIL SP [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SP
4
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SP -v VID_91

4
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 607

$MDSVERUTIL SVNPkgName

Description
Returns the name of the Secure Virtual Network (SVN) package. Applies to versions NGX R60
and above.
In addition, see the "$MDSVERUTIL MDSPkgName" on page 590 command.

Syntax

$MDSVERUTIL SVNPkgName [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

Example 1

[Expert@MDS:0]# $MDSVERUTIL SVNPkgName

CPsuite-R81.10-00
[Expert@MDS:0]#

Example 2

[Expert@MDS:0]# $MDSVERUTIL SVNPkgName -v VID_90

CPsuite-R77-00
[Expert@MDS:0]#

R81.10 Multi-Domain Security Management Administration Guide | 608

$MDSVERUTIL SvrDirectory

Description
Returns the full path for the SmartReporter directory.

Syntax

$MDSVERUTIL SvrDirectory [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

R81.10 Multi-Domain Security Management Administration Guide | 609

$MDSVERUTIL SvrParam

Description
Returns the SmartReporter version.

Syntax

$MDSVERUTIL SvrParam [-v <Version_ID>]

Parameters

Parameter Description

-v <Version_ID> Specifies the internal Version ID.

See the "$MDSVERUTIL AllVersions" on page 548 command.

R81.10 Multi-Domain Security Management Administration Guide | 610

Creating a Domain Management Server with the 'mgmt_cli' Command

Creating a Domain Management Server with the

'mgmt_cli' Command
Prerequisites
n Name or Identifier of the Domain. For example: MyDomain
n Name or Identifier of the new Domain Management Server. For example: MyDMS
n IPv4 address for the new Domain Management Server.
n IPv4 Address for the Multi-Domain Server.
n The Multi-Domain Server username and password for a Multi-Domain Superuser, who
has permission to create the new Domain Management Server.

To create a new Domain Management Server

1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode with the Superuser credentials.
3. Create the Domain Management Server.
Run this command:

mgmt_cli add domain name <domain_name> servers.ip address

"<ipv4>" servers.name "<server_name>" servers.multi-domain-
server "<mdm_name>"

For more information, see "mgmt_cli" on page 507.

Example:

mgmt_cli add domain name "domain1" servers.ip-address

"192.0.2.1" servers.name "domain1_ManagementServer_1"
servers.multi-domain-server "primary_mdm"

4. Connect with SmartConsole to the new Domain Management Server to configure the
applicable settings.

R81.10 Multi-Domain Security Management Administration Guide | 611

Glossary

Glossary
A

Active Domain Server

The only Domain Management Server in a Management High Availability deployment
that can manage a specified Domain.

Anti-Bot
Check Point Software Blade on a Security Gateway that blocks botnet behavior and
communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.

Anti-Spam
Check Point Software Blade on a Security Gateway that provides comprehensive
protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS,
ASPAM.

Anti-Virus
Check Point Software Blade on a Security Gateway that uses real-time virus signatures
and anomaly-based protections from ThreatCloud to detect and block malware at the
Security Gateway before users are affected. Acronym: AV.

Application Control
Check Point Software Blade on a Security Gateway that allows granular control over
specific web-enabled applications by using deep packet inspection. Acronym: APPI.

Audit Log
Log that contains administrator actions on a Management Server (login and logout,
creation or modification of an object, installation of a policy, and so on).

Bridge Mode
Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.

R81.10 Multi-Domain Security Management Administration Guide | 612

Glossary

Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.

Cluster Member
Security Gateway that is part of a cluster.

Compliance
Check Point Software Blade on a Management Server to view and apply the Security
Best Practices to the managed Security Gateways. This Software Blade includes a
library of Check Point-defined Security Best Practices to use as a baseline for good
Security Gateway and Policy configuration.

Content Awareness
Check Point Software Blade on a Security Gateway that provides data visibility and
enforcement. Acronym: CTNT.

CoreXL
Performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.

CoreXL Firewall Instance

On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple
times. Each replicated copy, or firewall instance, runs on one processing CPU core.
These firewall instances handle traffic at the same time, and each firewall instance is a
complete and independent firewall inspection kernel. Synonym: CoreXL FW Instance.

R81.10 Multi-Domain Security Management Administration Guide | 613

Glossary

CoreXL SND
Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming
traffic from the network interfaces; Securely accelerating authorized packets (if
SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel
instances (SND maintains global dispatching table, which maps connections that were
assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall
instances is statically based on Source IP addresses, Destination IP addresses, and the
IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick
to a particular FWK daemon is done at the first packet of connection on a very high level,
before anything else. Depending on the SecureXL settings, and in most of the cases, the
SecureXL can be offloading decryption calculations. However, in some other cases,
such as with Route-Based VPN, it is done by FWK daemon.

CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can
automatically update Check Point products for the Gaia OS, and the Gaia OS itself.

DAIP Gateway
Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway, on which the
IP address of the external interface is assigned dynamically by the ISP.

Data Loss Prevention

Check Point Software Blade on a Security Gateway that detects and prevents the
unauthorized transmission of confidential information outside the organization. Acronym:
DLP.

Data Type
Classification of data in a Check Point Security Policy for the Content Awareness
Software Blade.

Distributed Deployment
Configuration in which the Check Point Security Gateway and the Security Management
Server products are installed on different computers.

Domain Dedicated Log Server

Dedicated Log Server (not a Domain Log Server) configured in a specified Domain (in
versions R81 and higher). It stores and processes logs from Security Gateways that are
managed by the corresponding Domain Management Server. Acronym: DDLS.

R81.10 Multi-Domain Security Management Administration Guide | 614

Glossary

Domain Dedicated SmartEvent Server

Dedicated SmartEvent Server configured in a specified Domain (in versions R81 and
higher). It hosts the events database for logs from Security Gateways that are managed
by the corresponding Domain Management Server.

Domain Management Server

Virtual Security Management Server that manages Security Gateways for one Domain,
as part of a Multi-Domain Security Management environment. Acronym: DMS.

Dynamic Object
Special object type, whose IP address is not known in advance. The Security Gateway
resolves the IP address of this object in real time.

Endpoint Policy Management

Check Point Software Blade on a Management Server to manage an on-premises
Harmony Endpoint Security environment.

Expert Mode
The name of the elevated command line shell that gives full system root permissions in
the Check Point Gaia operating system.

Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.

Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restricted shell (role-based administration controls the number of commands
available in the shell).

Gaia Portal
Web interface for the Check Point Gaia operating system.

R81.10 Multi-Domain Security Management Administration Guide | 615

Glossary

Global Domain
Domain on a Multi-Domain Security Management Server, on which the Multi-Domain
Server administrator creates and manages objects, security policies and settings that
apply to the entire Multi-Domain Security Management environment.

Global Objects
On a Multi-Domain Security Management Server, all objects defined in the Global
Domain. You can use this objects in a Global Policy or Local Policies on Domains.

Global Policy
On a Multi-Domain Security Management Server, a policy defined in the Global Domain.
You can assigns this Global Policy to Domains.

Hotfix
Software package installed on top of the current software version to fix a wrong or
undesired behavior, and to add a new behavior.

HTTPS Inspection
Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets
Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection.
Acronyms: HTTPSI, HTTPSi.

ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.

Identity Awareness
Check Point Software Blade on a Security Gateway that enforces network access and
audits data based on network location, the identity of the user, and the identity of the
computer. Acronym: IDA.

Identity Logging
Check Point Software Blade on a Management Server to view Identity Logs from the
managed Security Gateways with enabled Identity Awareness Software Blade.

R81.10 Multi-Domain Security Management Administration Guide | 616

Glossary

Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.

IPS
Check Point Software Blade on a Security Gateway that inspects and analyzes packets
and data for numerous types of risks (Intrusion Prevention System).

IPsec VPN
Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and
Remote Access VPN access.

Jumbo Hotfix Accumulator

Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.

Kerberos
An authentication server for Microsoft Windows Active Directory Federation Services
(ADFS).

Log Server
Dedicated Check Point server that runs Check Point software to store and process logs.

Logging & Status

Check Point Software Blade on a Management Server to view Security Logs from the
managed Security Gateways.

Management Interface
(1) Interface on a Gaia Security Gateway or Cluster member, through which
Management Server connects to the Security Gateway or Cluster member. (2) Interface
on Gaia computer, through which users connect to Gaia Portal or CLI.

R81.10 Multi-Domain Security Management Administration Guide | 617

Glossary

Management Server
Check Point Single-Domain Security Management Server or a Multi-Domain Security
Management Server.

Manual NAT Rules

Manual configuration of NAT rules by the administrator of the Check Point Management
Server.

Mobile Access
Check Point Software Blade on a Security Gateway that provides a Remote Access VPN
access for managed and unmanaged clients. Acronym: MAB.

Multi-Domain Log Server

Dedicated Check Point server that runs Check Point software to store and process logs
in a Multi-Domain Security Management environment. The Multi-Domain Log Server
consists of Domain Log Servers that store and process logs from Security Gateways that
are managed by the corresponding Domain Management Servers. Acronym: MDLS.

Multi-Domain Server
Dedicated Check Point server that runs Check Point software to host virtual Security
Management Servers called Domain Management Servers. Synonym: Multi-Domain
Security Management Server. Acronym: MDS.

Network Object
Logical object that represents different parts of corporate topology - computers, IP
addresses, traffic protocols, and so on. Administrators use these objects in Security
Policies.

Network Policy Management

Check Point Software Blade on a Management Server to manage an on-premises
environment with an Access Control and Threat Prevention policies.

Open Server
Physical computer manufactured and distributed by a company, other than Check Point.

R81.10 Multi-Domain Security Management Administration Guide | 618

Glossary

Primary Multi-Domain Server

The Multi-Domain Security Management Server in Management High Availability that
you install as Primary.

Provisioning
Check Point Software Blade on a Management Server that manages large-scale
deployments of Check Point Security Gateways using configuration profiles. Synonyms:
SmartProvisioning, SmartLSM, Large-Scale Management, LSM.

QoS
Check Point Software Blade on a Security Gateway that provides policy-based traffic
bandwidth management to prioritize business-critical traffic and guarantee bandwidth
and control latency.

Rule
Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause
specified actions to be taken for a communication session.

Rule Base
All rules configured in a given Security Policy. Synonym: Rulebase.

Secondary Multi-Domain Server

The Multi-Domain Security Management Server in Management High Availability that
you install as Secondary.

SecureXL
Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that
passes through a Security Gateway.

R81.10 Multi-Domain Security Management Administration Guide | 619

Glossary

Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and
enforce Security Policies for connected network resources.

Security Management Server

Dedicated Check Point server that runs Check Point software to manage the objects and
policies in a Check Point environment within a single management Domain. Synonym:
Single-Domain Security Management Server.

Security Policy
Collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.

SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over SSL,
for secure communication. This authentication is based on the certificates issued by the
ICA on a Check Point Management Server.

SmartConsole
Check Point GUI application used to manage a Check Point environment - configure
Security Policies, configure devices, monitor products and events, install updates, and
so on.

SmartDashboard
Legacy Check Point GUI client used to create and manage the security settings in
versions R77.30 and lower. In versions R80.X and higher is still used to configure
specific legacy settings.

SmartProvisioning
Check Point Software Blade on a Management Server (the actual name is
"Provisioning") that manages large-scale deployments of Check Point Security
Gateways using configuration profiles. Synonyms: Large-Scale Management,
SmartLSM, LSM.

SmartUpdate
Legacy Check Point GUI client used to manage licenses and contracts in a Check Point
environment.

R81.10 Multi-Domain Security Management Administration Guide | 620

Glossary

Software Blade
Specific security solution (module): (1) On a Security Gateway, each Software Blade
inspects specific characteristics of the traffic (2) On a Management Server, each
Software Blade enables different management capabilities.

Standalone
Configuration in which the Security Gateway and the Security Management Server
products are installed and configured on the same server.

Standby Domain Server

All Domain Management Servers for a Domain that are not designated as the Active
Domain Management Server.

Threat Emulation
Check Point Software Blade on a Security Gateway that monitors the behavior of files in
a sandbox to determine whether or not they are malicious. Acronym: TE.

Threat Extraction
Check Point Software Blade on a Security Gateway that removes malicious content from
files. Acronym: TEX.

Updatable Object
Network object that represents an external service, such as Microsoft 365, AWS, Geo
locations, and more.

URL Filtering
Check Point Software Blade on a Security Gateway that allows granular control over
which web sites can be accessed by a given group of users, computers or networks.
Acronym: URLF.

User Directory
Check Point Software Blade on a Management Server that integrates LDAP and other
external user management servers with Check Point products and security solutions.

R81.10 Multi-Domain Security Management Administration Guide | 621

Glossary

VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a computer
or cluster with virtual abstractions of Check Point Security Gateways and other network
devices. These Virtual Devices provide the same functionality as their physical
counterparts.

VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that provide
the functionality of physical network devices. It holds at least one Virtual System, which
is called VS0.

Zero Phishing
Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides
real-time phishing prevention based on URLs. Acronym: ZPH.

R81.10 Multi-Domain Security Management Administration Guide | 622

156-215.81.20 CheckPoint CCSA Exam Practice Questions
No ratings yet
156-215.81.20 CheckPoint CCSA Exam Practice Questions
21 pages
PSI - ITGC Appendix PWC Audit Guideline
50% (2)
PSI - ITGC Appendix PWC Audit Guideline
25 pages
MWG Product 11.0, X PG-PRODUCT-1021-En
No ratings yet
MWG Product 11.0, X PG-PRODUCT-1021-En
941 pages
BRKSPG 2904 PDF
No ratings yet
BRKSPG 2904 PDF
168 pages
DLP 15.1 Install Guide PDF
No ratings yet
DLP 15.1 Install Guide PDF
160 pages
Sketchup Essentials Guide
57% (7)
Sketchup Essentials Guide
11 pages
Binder6 PDF
100% (7)
Binder6 PDF
709 pages
2016 TMI Training
0% (1)
2016 TMI Training
23 pages
Check Point Security Management: Administration Guide
No ratings yet
Check Point Security Management: Administration Guide
172 pages
CP R81.10 Gaia AdminGuide
No ratings yet
CP R81.10 Gaia AdminGuide
520 pages
Bluecoat Manual
100% (1)
Bluecoat Manual
990 pages
Fortiadc-V5 2 0-Handbook PDF
No ratings yet
Fortiadc-V5 2 0-Handbook PDF
669 pages
Mcafee Web Gateway 7.7.2 Product Guide (Unmanaged) 1-6-2020 PDF
No ratings yet
Mcafee Web Gateway 7.7.2 Product Guide (Unmanaged) 1-6-2020 PDF
387 pages
FortiProxy 7.0 Administration Guide
No ratings yet
FortiProxy 7.0 Administration Guide
507 pages
BIG-IP TMOS Implementations
No ratings yet
BIG-IP TMOS Implementations
276 pages
Day1-01-CCSBA-Introduction and Overview-V7.3-169
No ratings yet
Day1-01-CCSBA-Introduction and Overview-V7.3-169
56 pages
CP R81.10 QoS AdminGuide
No ratings yet
CP R81.10 QoS AdminGuide
111 pages
Ping and Trace Route
No ratings yet
Ping and Trace Route
28 pages
Cisco Firepower and Radware Technical Overview
100% (1)
Cisco Firepower and Radware Technical Overview
14 pages
Number: 300-730 Passing Score: 825 Time Limit: 140 Min File Version: v1.10
No ratings yet
Number: 300-730 Passing Score: 825 Time Limit: 140 Min File Version: v1.10
53 pages
Palo Alto Networks PANOS 6 0 CEF Configuration Guide 2014
No ratings yet
Palo Alto Networks PANOS 6 0 CEF Configuration Guide 2014
18 pages
Exam 156-315.80: Check Point Certified Security Expert - R80
No ratings yet
Exam 156-315.80: Check Point Certified Security Expert - R80
112 pages
BlueCoat Roger Gotthardsson
No ratings yet
BlueCoat Roger Gotthardsson
81 pages
156 215 81 20 Exam Questions
No ratings yet
156 215 81 20 Exam Questions
25 pages
B Ise Upgrade Guide 3 1 PDF
No ratings yet
B Ise Upgrade Guide 3 1 PDF
58 pages
ESA AsyncOS Upgrade and Troubleshoot Procedure - Cisco
No ratings yet
ESA AsyncOS Upgrade and Troubleshoot Procedure - Cisco
5 pages
Lenteur SSL Palo Alto
No ratings yet
Lenteur SSL Palo Alto
17 pages
Firepower FMC PDF
No ratings yet
Firepower FMC PDF
8 pages
f5 Vmware Nsx t Deployment Guide
No ratings yet
f5 Vmware Nsx t Deployment Guide
115 pages
This Study Resource Was: 156-585 Free Questions Good Demo For Check Point 156-585 Exam
No ratings yet
This Study Resource Was: 156-585 Free Questions Good Demo For Check Point 156-585 Exam
7 pages
Prisma Sd Wan Admin
No ratings yet
Prisma Sd Wan Admin
572 pages
Re-Establishing SIC SecureInternalCommunications For CheckPoint
No ratings yet
Re-Establishing SIC SecureInternalCommunications For CheckPoint
3 pages
ASC Troubleshooting Cheatsheet - Rev2.2 - FINAL
No ratings yet
ASC Troubleshooting Cheatsheet - Rev2.2 - FINAL
14 pages
SS110 ADM MAN 08 Deployment Monitoring 04292015
No ratings yet
SS110 ADM MAN 08 Deployment Monitoring 04292015
35 pages
Answer: A
No ratings yet
Answer: A
34 pages
Cisco Sd-Wan Vmanage Cluster Creation and Troubleshooting
No ratings yet
Cisco Sd-Wan Vmanage Cluster Creation and Troubleshooting
27 pages
F5 Device Troubleshooting CLI Commands
No ratings yet
F5 Device Troubleshooting CLI Commands
4 pages
Checkpoint Certification Exam Questions 156-80 Enero 2020
No ratings yet
Checkpoint Certification Exam Questions 156-80 Enero 2020
200 pages
fortiadc
No ratings yet
fortiadc
317 pages
156 915.80 Premium
100% (1)
156 915.80 Premium
108 pages
Tech Note - QoS - in - PAN-OS
No ratings yet
Tech Note - QoS - in - PAN-OS
21 pages
Document Guide For Barracuda NG Firewall & Control Center
No ratings yet
Document Guide For Barracuda NG Firewall & Control Center
184 pages
Irule CONFIGUR
No ratings yet
Irule CONFIGUR
10 pages
Vyatta VPNRef R6.1 v02
No ratings yet
Vyatta VPNRef R6.1 v02
321 pages
Cisco Identity Services Engine (ISE) OG PDF
No ratings yet
Cisco Identity Services Engine (ISE) OG PDF
23 pages
Troubleshoot SD-WAN Control Connections - Cisco
No ratings yet
Troubleshoot SD-WAN Control Connections - Cisco
14 pages
CheckPoint End Security
No ratings yet
CheckPoint End Security
2 pages
Palo Alto CLI Cheatsheet PDF
No ratings yet
Palo Alto CLI Cheatsheet PDF
2 pages
Dumpsfree: Dumpsfree Provide High-Quality Dumps Vce & Dumps Demo
No ratings yet
Dumpsfree: Dumpsfree Provide High-Quality Dumps Vce & Dumps Demo
4 pages
CP R80.40 CloudGuard Controller AdminGuide
No ratings yet
CP R80.40 CloudGuard Controller AdminGuide
47 pages
Reference Solution For Checkpoint - Certkiller.156-215.80.v2020-06-04.by - Venla.131q.vce
No ratings yet
Reference Solution For Checkpoint - Certkiller.156-215.80.v2020-06-04.by - Venla.131q.vce
4 pages
156-215.80 Exam
No ratings yet
156-215.80 Exam
227 pages
CP R80.20 PerformanceTuning AdminGuide
No ratings yet
CP R80.20 PerformanceTuning AdminGuide
330 pages
Ccsa - 156-215.80 V18.75
No ratings yet
Ccsa - 156-215.80 V18.75
142 pages
Questions 156-315.80
No ratings yet
Questions 156-315.80
25 pages
CISCO Asa Troubleshoot Anyconnect VPN Troubleshooting
100% (1)
CISCO Asa Troubleshoot Anyconnect VPN Troubleshooting
23 pages
201 - FortiGate Multi-Threat Security Systems L PDF
No ratings yet
201 - FortiGate Multi-Threat Security Systems L PDF
12 pages
VPC Nag PDF
No ratings yet
VPC Nag PDF
234 pages
Juniper SRX IKEv2 EAP MD5 Config
No ratings yet
Juniper SRX IKEv2 EAP MD5 Config
57 pages
Mastering Active Directory
From Everand
Mastering Active Directory
VICTOR P HENDERSON
No ratings yet
Configuring IPCop Firewalls: Closing Borders with Open Source
From Everand
Configuring IPCop Firewalls: Closing Borders with Open Source
Barrie Dempster
No ratings yet
Basic Setup of FortiGate Firewall
From Everand
Basic Setup of FortiGate Firewall
Dr. Hidaia Mahmood Alassoulii
No ratings yet
Oracle VM Manager 2.1.2
From Everand
Oracle VM Manager 2.1.2
Tarry Singh
No ratings yet
Mastering Netscaler VPX: Learn how to deploy and configure all the available Citrix NetScaler features with the best practices and techniques you need to know
From Everand
Mastering Netscaler VPX: Learn how to deploy and configure all the available Citrix NetScaler features with the best practices and techniques you need to know
Marius Sandbu
No ratings yet
LGTitan Dryer
No ratings yet
LGTitan Dryer
1 page
WG20C Z Spec
No ratings yet
WG20C Z Spec
3 pages
Electric Electronics Brochure
No ratings yet
Electric Electronics Brochure
8 pages
Annexure - 7 - Data Sheet - Nokia - DC - Fabric - 7220 IXR-D-SW - Data - Sheet - EN71028
No ratings yet
Annexure - 7 - Data Sheet - Nokia - DC - Fabric - 7220 IXR-D-SW - Data - Sheet - EN71028
9 pages
C-418eb Via
No ratings yet
C-418eb Via
2 pages
SD-DOP-A1ED-ST-7111 - A Piece Mark Drawing For Primary Pipes of Pallet L2 at EL 116.500 of Module A1ED REVA - Reply
No ratings yet
SD-DOP-A1ED-ST-7111 - A Piece Mark Drawing For Primary Pipes of Pallet L2 at EL 116.500 of Module A1ED REVA - Reply
48 pages
Unit-3 - Function Generator Using IC 8038
No ratings yet
Unit-3 - Function Generator Using IC 8038
10 pages
PPT-TLE 6-ICT and Entrepreneurship April 16, 2024
No ratings yet
PPT-TLE 6-ICT and Entrepreneurship April 16, 2024
32 pages
Web Technology Assignment
100% (1)
Web Technology Assignment
50 pages
Final Draft Ict Diploma November 2024 Exam Timetable
No ratings yet
Final Draft Ict Diploma November 2024 Exam Timetable
5 pages
A Brief Comparison of Security Patterns For Peer To Peer Systems
No ratings yet
A Brief Comparison of Security Patterns For Peer To Peer Systems
7 pages
DOST Scholarship
No ratings yet
DOST Scholarship
6 pages
Datasheet PDF
No ratings yet
Datasheet PDF
17 pages
Reverse Engineering Process Flow Chart
100% (1)
Reverse Engineering Process Flow Chart
3 pages
The Lean Transformation Roadmap
No ratings yet
The Lean Transformation Roadmap
22 pages
Difference Between Optical Fiber and Coaxial Cabl
No ratings yet
Difference Between Optical Fiber and Coaxial Cabl
1 page
BIMC
No ratings yet
BIMC
52 pages
A Low Cost Indoor Mapping Robot Based On Tinyslam Algorithm
No ratings yet
A Low Cost Indoor Mapping Robot Based On Tinyslam Algorithm
4 pages
FOOD COURT MANAGEMENT SYSTEM (1)
No ratings yet
FOOD COURT MANAGEMENT SYSTEM (1)
5 pages
Digital Locker Authorized Partner API Specification v2.0
No ratings yet
Digital Locker Authorized Partner API Specification v2.0
40 pages
ALDAR Projects Health and Safety Alert Electrical Safety
No ratings yet
ALDAR Projects Health and Safety Alert Electrical Safety
1 page
Article 9 Visual Examination: Laminate Laminate
No ratings yet
Article 9 Visual Examination: Laminate Laminate
3 pages
Xlogic Users Manual
No ratings yet
Xlogic Users Manual
318 pages
Ransomware PPT Sts
No ratings yet
Ransomware PPT Sts
25 pages
Frequency Discriminator: Analog Communication
No ratings yet
Frequency Discriminator: Analog Communication
11 pages
IT-Pruefung: Prüfungshilfen Für IT Zertifizierungen
No ratings yet
IT-Pruefung: Prüfungshilfen Für IT Zertifizierungen
6 pages