The ULTIMATE Check Point Commands Cheat Sheet

This page is a list of the most useful and common configuration, monitoring and troubleshooting commands used on Check Point products. The sources include Check Point product documentation, admin guides, Secure Knowledge articles, Advanced Technical Reference Guides (ATRG), TAC cases and other experts in the field who are kind enough to share their knowledge and expertise.

You can search, filter, and sort through the table to find the command or topic you are looking for.

This page will be updated frequently. I recommend bookmarking it.

Last updated: 24 July 2016

Each entry below gives the command (with its category in square brackets where the original table listed one), followed by its description.

/var/log/messages*
Displays the OS log.
Helpful in overall monitoring of the system.
Check for relevant messages about interfaces and links, and for any abnormal messages.

arp -an | wc -l
Displays the system's ARP cache table.
Helpful in monitoring the ARP table (mostly, the number of entries).
Refer to sk43772 (/var/log/messages file shows repeatedly - 'kernel: neighbour table overflow').

Man page - http://linux.die.net/man/8/arp

cat /proc/cpuinfo
Displays a collection of CPU and system architecture dependent items about the CPU.
Helpful in collecting information about CPU cores (architecture, vendor, number).
Multi-CPU (SMP) machines will show information for each CPU.

Man page - http://linux.die.net/man/5/proc

cat /proc/interrupts
Displays the number of interrupts per IRQ.
Helpful in monitoring interrupts on CPU cores from different devices (mostly, NICs).
Verify that the interfaces do not share the same IRQ number, which is problematic with affinity.

Man page - http://linux.die.net/man/5/proc

cat /proc/meminfo
Displays the amount of free and used memory (both physical and swap) on the system, as well as the shared memory and buffers used by the kernel.
Helpful in monitoring memory utilization.
Refer to sk42717 (How to read the output of 'cat /proc/meminfo' on Linux-based system).

Man page - http://linux.die.net/man/5/proc

cat /proc/slabinfo
Displays information about kernel caches.
Helpful in monitoring memory utilization on low level.

Man page - http://linux.die.net/man/5/proc
Man page - http://linux.die.net/man/5/slabinfo

cpconfig
Change SIC, licenses and more.

cphaconf failover_bond
Initiates a bond interface failover in High Availability mode.

cphaconf failover_bond <bond_name>

cphaconf show_bond
Displays the status of an interface bond or, with the -a argument, a summary table of all bonds.
When a bond is specified, information for each slave interface is also displayed.

cphaconf show_bond {<bond_name>|-a}
- <bond_name>: the bond whose slave interfaces are listed (required unless -a is used).
- The Status column can contain these values:
--- Down (Load Sharing mode only) - the physical link is down.
--- Active - currently handling traffic.
--- Standby (High Availability mode only) - the interface is ready, and can support internal bond failover.
--- Not Available (High Availability mode only) - either the physical link is broken or the cluster member is in status Down. The bond cannot fail over in this state.
- The Link column reports whether the physical link exists.

cphaprob  [ClusterXL]
You use the cphaprob command to verify cluster functionality and to debug cluster related problems. This section provides a brief overview of the cphaprob command and its command options.

A critical device is a process running on a cluster member that enables the member to notify other cluster members that it can no longer function as a member. The device reports to the ClusterXL mechanism regarding its current state or it may fail to report, in which case ClusterXL decides that a failure has occurred and another cluster member takes over. When a critical device (also known as a Problem Notification, or pnote) fails, the cluster member is considered to have failed.

There are a number of built-in critical devices, and the administrator can define additional critical devices. The default critical devices are:
- Cluster interfaces on the cluster members.
- Synchronization - full synchronization completed successfully.
- Filter - the Security Policy, and whether it is loaded.
- fwd - the VPN-1 daemon.

You can include these commands in scripts for automatic execution.
To produce a usage printout for cphaprob that shows all the available commands, type cphaprob at the command line and press Enter.

[-vs vsid] stat
View the status of all cluster members, or of a specific Virtual System. -vs is relevant only for VSLS.

[-a] [-vs vsid] if
View the state of the cluster member interfaces and the virtual cluster interfaces. -vs is relevant only for VSLS.

[-i[a]] [-e] list
View the list of critical devices on a cluster member, and of all the other machines in the cluster.

-d <device> -t <timeout> -s <ok|init|problem> [-p] register
Register <device> as a critical device, and add it to the list of devices that must be running for the cluster member to be considered active. <timeout> is the number of seconds ClusterXL waits for a report before treating the device as failed; -p keeps the registration across reboots.

-f <file> register
Register all the user-defined critical devices listed in <file>.

-d <device> [-p] unregister
Unregister a user-defined critical device. This device is no longer considered critical.

-a unregister
Unregister all user-defined devices.

-d <device> -s <ok|init|problem> report
Report the status of a user-defined critical device to ClusterXL.

[-reset] [-vs vsid] ldstat
View sync serialization statistics. -reset clears the counters. -vs is relevant only for VSLS.

[-reset] [-vs vsid] syncstat
View sync transport layer statistics. -reset clears the counters. -vs is relevant only for VSLS.

tablestat
Displays interfaces and IP addresses for each cluster member
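
Putting the register and report options above to work: the following script is an added example (it is not part of the original cheat sheet or of Check Point's documentation). It registers a user-defined critical device and then reports its state from cron, so that a dead local daemon takes the member out of the cluster. The device name app_watchdog, the pidfile /var/run/app.pid and the 30-second timeout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: a watchdog that registers a
# user-defined critical device (pnote) with ClusterXL and keeps reporting its state,
# so a failure of a local daemon triggers a cluster failover.
# Assumptions (not from the page): device name "app_watchdog", pidfile
# /var/run/app.pid and a 30-second report timeout.

DEVICE=app_watchdog
PIDFILE=/var/run/app.pid
TIMEOUT=30    # seconds ClusterXL waits for a report before treating the device as failed

# State to report: "ok" when the pidfile names a live process, otherwise "problem".
pnote_status() {
    pidfile=$1
    if [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo ok
    else
        echo problem
    fi
}

# Compose the cphaprob command for a register or report action (syntax as listed above).
# -p keeps the registration across reboots.
pnote_cmd() {
    action=$1
    status=$2
    case $action in
        register) echo "cphaprob -d $DEVICE -t $TIMEOUT -s $status -p register" ;;
        report)   echo "cphaprob -d $DEVICE -s $status report" ;;
        *)        echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Execute the command on a cluster member; elsewhere (for example while testing
# this script off-box) only print what would run.
run_pnote() {
    cmd=$(pnote_cmd "$1" "$2") || return 1
    if command -v cphaprob >/dev/null 2>&1; then
        $cmd
    else
        echo "[dry-run] $cmd"
    fi
}

# Usage:   pnote_watchdog.sh register     (once, after the daemon is installed)
#          pnote_watchdog.sh report       (every minute from cron)
case ${1:-} in
    register|report) run_pnote "$1" "$(pnote_status "$PIDFILE")" ;;
esac
```

Run it once with register on each member, then every minute with report; on a host without cphaprob it only prints the command it would run, which is how it can be exercised off-box.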

cphaprob -a if
Displays the status of all interface bonds and VLANs for all the Virtual Systems. For a High Availability bond, specifies whether it can fail over.

cphaprob ldstat  [ClusterXL]
Display sync serialization statistics.

cphaprob stat  [ClusterXL]
List the state of the high availability cluster members. Should show active and standby devices.

cphaprob syncstat  [ClusterXL]
Display sync transport layer statistics.

cphastop  [ClusterXL]
Stop a cluster member from passing traffic. Stops synchronization (emergency only).

cplic print
License information.

cpstart
Start all Check Point services.

cpstat -f cpu os
Displays internal statistics for the OS about the CPU, as collected by Check Point. Helpful in monitoring CPU utilization.

cpstat -f memory os
Displays internal statistics for the OS about memory, as collected by Check Point. Helpful in monitoring memory utilization.

cpstat -f multi_cpu os
Displays internal statistics for the OS about all CPUs, as collected by Check Point. Helpful in monitoring CPU utilization.

cpstat fw
Show policy name, policy install time and interface table.

cpstat ha
High Availability state.

cpstat os -f all
Check Point interface table, routing table, version, memory status, CPU load, disk space.

cpstat os -f cpu
Check Point CPU status.

cpstat os -f routing
Check Point routing table.

cpstop
Stop all Check Point services.

cpwd_admin monitor_list
List processes actively monitored. On a firewall this should contain cpd and vpnd.

dmesg
Displays boot-up messages and messages from various FireWall mechanisms.
Helpful in detecting problems in kernel and in execution of functions.
Man page - http://linux.die.net/man/8/dmesg

ethtool -g IF_NAME
Displays information about RX/TX ring parameters.
Helpful in collecting the data about the interface's receiving and transmitting buffers.
Check the current size of the buffers versus the maximum allowed.
Refer to sk42181 (How to increase sizes of buffer on SecurePlatform/Gaia for Intel NIC and Broadcom NIC).
Man page - http://linux.die.net/man/8/ethtool

ethtool -i IF_NAME
Displays information about the associated driver.
Helpful in detecting problems with the current NIC driver.
Use a driver with NAPI support.
Use the latest version of the driver.
Man page - http://linux.die.net/man/8/ethtool

ethtool -S IF_NAME
Displays NIC-specific and driver-specific statistics.
Helpful in monitoring traffic through this NIC.
Check every line that contains "error", "drop", "buffer", "fail".
Man page - http://linux.die.net/man/8/ethtool

ethtool IF_NAME
Displays Ethernet card settings.
Helpful in collecting the data about the interface's speed, duplex, link.
Check every line of the output.
Man page - http://linux.die.net/man/8/ethtool

fgate stat
Displays the status of FloodGate-1 and a summary of the traffic that passed through QoS.
Helpful in detecting problems with FloodGate-1 and with traffic that went through QoS.

fw ctl affinity -l  [CoreXL]
Show the configured affinities of the Virtual System.

fw ctl affinity -l -r -v -a  [CoreXL]
Displays the affinity of CoreXL instances and CPU cores.
Helpful in detecting problems with CoreXL and FW affinity that lead to poor CPU utilization.
Use static affinity if there is no SecureXL ('fw ctl affinity -s' command; $FWDIR/conf/fwaffinity.conf file).

fw ctl affinity -l -x [-vsid <vsids>] [-flags [e|h|k|n|t]]  [CoreXL]
Monitor the affinity of processes on the VSX Gateway. You can use the -vsid parameter to show the affinity for a process to the specified Virtual Systems.

<vsids>
Shows the affinity for processes for these Virtual System IDs.
Use a dash to set a range of Virtual Systems.

e
Do not show processes that are affinity exceptions. Affinity exceptions are configured in the $FWDIR/conf/vsaffinity_exception.conf file.

h
Show CPU affinity mask in hexadecimal format.

k
Do not show kernel threads.

n
Show the process name instead of /proc/<pid>/cmdline.

t
Show information about the process threads.

fw ctl affinity -s -d -fwkall <number>  [CoreXL]
Use the -fwkall parameter to set the affinity of all the firewall instances to all the Virtual Systems.

<number>
Number of cores that are used for CPU affinity. You cannot use this parameter to assign specific cores to the firewall instances.

fw ctl affinity -s -d -pname <process> [-vsid <vsids>] -cpu <cpus>  [CoreXL]
Set the affinity of processes to one or more CPUs. You can use the -vsid parameter to set the affinity for a process to Virtual Systems in any context. If you do not use the -vsid parameter, the affinity of the current context is set.

<process>
Name of process that you are setting affinity.

<vsids>
Virtual System IDs that you are setting affinity for this process. Use a dash to set a range of Virtual Systems.

<cpus>
Number range of CPU processing cores that you are setting affinity. Use a dash to set a range of cores.

fw ctl affinity -s -d [-vsid <vsids>] -cpu <cpus>  [CoreXL]
Set the affinity of the Virtual Systems to one or more CPUs. You can use the -vsid parameter to set affinity to the specified Virtual Systems. If you do not use the -vsid parameter, the affinity of the current Virtual System is set.

<vsids>
Virtual System IDs that you are setting affinity. Use a dash to set a range of Virtual Systems.

<cpus>
Number range of CPU processing cores that you are setting affinity. Use a dash to set a range of cores.

fw ctl affinity -s -d {-inst <instances> -cpu <cpus> | -fwkall <number>}  [CoreXL]
Set the affinity of firewall instances to one or more CPUs for each Virtual System separately.
Run the fw ctl affinity command to set these CPU affinities:
- Firewall instance
- Process
- Virtual System

You must be in Expert mode to run the fw ctl affinity command.

<instances>
Number range of firewall instances that you are setting affinity for. Use a dash to set a range of instances.

<cpus>
Number range of CPU processing cores that you are setting affinity for. Use a dash to set a range of cores.

<number>
Number of cores that are used for CPU affinity. You cannot use this parameter to assign specific cores to the firewall instances.

fw ctl iflist
Show interface names.

fw ctl multik stat  [CoreXL]
Displays the status of CoreXL instances and a summary of the traffic that passes through each instance (current and peak number of concurrent connections). Helpful in detecting problems with CoreXL and with the traffic that went through each instance.

fw ctl pstat  [CoreXL]
Displays FireWall internal statistics about memory and traffic.
Helpful in monitoring memory utilization, traffic counters, ClusterXL Sync counters.
No single field that indicates a problem - need to interpret all counters together.
Collect the output before and after the suspected problem.

Use different flags to get more data (fw ctl pstat -flag)
- 'h' for HMEM
- 's' for SMEM
- 'k' for KMEM
- 'l' for Handles (kbufs)

Counters are reset when Check Point Services are stopped.
Under memory, "allocations" counter always grows, may wrap around.

HMEM
- failures under HMEM - not a real memory problem; it only means HMEM is full and should have been configured larger.
- "failed allocations" under HMEM (only) do not indicate any problem.

SMEM
- failures under SMEM - the Check Point memory limit was reached, OS memory was exhausted, or a large non-sleep allocation failed; these indicate some shortage.
- "failed allocations" under SMEM may not mean that a user's allocation failed; an HMEM extension may have failed instead.
- "failed free" under SMEM means an overrun or freeing an invalid pointer - this indicates a bug.

KMEM
- failures under KMEM - the application asked for memory and could not get it; usually this is a real memory problem.
- "failed allocations" under KMEM means that the application did not get memory.

Under "Connections" look at "W total, X TCP, Y UDP, Z ICMP" to understand the traffic blend.
Under "Fragments" look at "duplicates" (an attack, or simple duplicates) and "failures" (failed due to lack of resources).
On ClusterXL members also refer to the "Sync" section (see the ClusterXL Administration Guide for explanations).
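
The HMEM/SMEM/KMEM rules above, applied by a script. This is an added example and not code from the page or from Check Point; the sample is constructed to resemble the memory sections of fw ctl pstat on an R7x gateway, and only the "(hmem)/(smem)/(kmem)" section headers and the "Allocations:" lines are relied on, so the parser survives changes in the other lines.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): pull the "failed alloc" and
# "failed free" counters of the hmem, smem and kmem pools out of "fw ctl pstat"
# and apply the interpretation rules listed above. SAMPLE_PSTAT is a constructed
# sample; only the "(hmem)/(smem)/(kmem)" headers and "Allocations:" lines matter.

SAMPLE_PSTAT='Hash kernel memory (hmem) statistics:
  Total memory allocated: 792723456 bytes in 193536 (4096 bytes) blocks using 1 pool
  Allocations: 14467 alloc, 12 failed alloc, 13989 free, 0 failed free

System kernel memory (smem) statistics:
  Total memory  bytes  used: 1011617036   peak: 1015226356
  Allocations: 2100 alloc, 0 failed alloc, 1906 free, 0 failed free

Kernel memory (kmem) statistics:
  Total memory  bytes  used: 227432284   peak: 263207044
  Allocations: 41589 alloc, 0 failed alloc, 40965 free, 0 failed free'

# One line per pool: "pool failed_alloc failed_free".
pstat_failures() {   # stdin = fw ctl pstat output
    awk '
        match($0, /\((hmem|smem|kmem)\)/) { pool = substr($0, RSTART + 1, RLENGTH - 2); next }
        pool != "" && /Allocations:/ {
            fa = 0; fr = 0
            n = split($0, part, ",")
            for (i = 1; i <= n; i++) {
                if (part[i] ~ /failed alloc/) { split(part[i], w, " "); fa = w[1] }
                if (part[i] ~ /failed free/)  { split(part[i], w, " "); fr = w[1] }
            }
            print pool, fa, fr
            pool = ""
        }'
}

# The page's rules: hmem failures are benign (pool too small), smem failed alloc is a
# shortage, smem failed free is a bug, kmem failed alloc is a real memory problem.
pstat_verdict() {   # $1 = pool, $2 = failed alloc, $3 = failed free
    case $1 in
        hmem) [ "$2" -gt 0 ] && echo "INFO hmem: $2 failed alloc (hmem is full, not a real shortage; size hmem larger)" ;;
        smem) [ "$2" -gt 0 ] && echo "WARN smem: $2 failed alloc (memory limit reached, OS memory exhausted, or hmem extension failed)"
              [ "$3" -gt 0 ] && echo "CRIT smem: $3 failed free (overrun or freeing an invalid pointer - indicates a bug)" ;;
        kmem) [ "$2" -gt 0 ] && echo "CRIT kmem: $2 failed alloc (the application did not get memory - real shortage)" ;;
    esac
    return 0
}

# Evaluate a whole pstat output; returns 1 when any WARN/CRIT finding exists.
pstat_check() {   # $1 = fw ctl pstat output
    findings=$(printf '%s\n' "$1" | pstat_failures | while read -r pool fa fr; do
        pstat_verdict "$pool" "$fa" "$fr"
    done)
    if [ -n "$findings" ]; then echo "$findings"; else echo "OK no failed allocations or frees in hmem/smem/kmem"; fi
    case $findings in *WARN*|*CRIT*) return 1 ;; esac
    return 0
}

# Self-demo on the constructed sample. On a gateway, collect before and after the
# problem and compare the two runs:   pstat_check "$(fw ctl pstat)"
pstat_check "$SAMPLE_PSTAT"
```

The sample deliberately carries 12 failed hmem allocations: per the rules above that is reported as INFO and the exit status stays 0; the same count under kmem would be CRIT and exit 1.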

fw exportlog -o <output_file>  [Firewall]
Export the current log file to ASCII.

fw fetch  [Firewall]
Get the policy from the Security Management Server (firewall manager).

fw fetch [-n] [-f <filename>] [-c] [-i] master1 [master2] ...
Fetches the Inspection Code from the specified host and installs it to the kernel.

-n
Fetch the Security Policy from the Security Management Server to the local state directory, and install the Policy only if the fetched Policy is different from the Policy already installed.

-f <filename>
Fetch the Security Policy from the Security Management Servers listed in <filename>. If <filename> is not specified, the list in conf/masters is used.

-c
Cluster mode: get the policy from one of the cluster members, from the Check Point High Availability (CPHA) kernel list.

-i
Ignore SIC information (for example, the SIC name) in the database and use the information in conf/masters. This option is used when a Security Policy is fetched for the first time by a DAIP gateway from a Security Management Server with a changed SIC name.

master1 [master2] ...
The name of the Security Management Server from which to fetch the Policy. You may specify a list of one or more Security Management Servers, such as master1 master2, which are searched in the order listed.
If no target is specified, or the target is inaccessible, the policy is fetched from localhost.

fw getifs
Shows a driver interface list for a specific Virtual System. By default, the VSX Gateway interface list is displayed.
Run vsenv to change context and show an interface list for a different Virtual System.

fw log  [Firewall]
Show the content of the connections log.

fw log -b <start_time> <end_time>  [Firewall]
Search the current log for activity between a start and end time.

fw log -c drop  [Firewall]
Search for dropped packets in the active log; accept or reject can be used in place of drop.

fw log -f  [Firewall]
Tail the current log.

fw logswitch  [Firewall]
Rotate logs.

fw lslogs  [Firewall]
List firewall logs.

fw monitor [-v vsid]
Captures network packets at multiple points within the VSX environment. You can run only one instance of this command at a time on a VSX Gateway.
This section only presents the syntax relevant for VSX Gateways or clusters.

[-v vsid]
Specify a gateway or Virtual System by its ID. The specific Virtual System on which packets should be captured. The default gives the VSX Gateway.

fw stat  [Firewall]
Firewall status; should contain the name of the policy and the relevant interfaces.

fw stat -l  [Firewall]
Show which policy is associated with which interface, with packet drop, accept and reject counters.

fw tab  [Firewall]
Displays firewall tables.

fw tab -t connections -s  [Firewall]
Displays a summary of the Connections Table.
Helpful in monitoring the amount of concurrent connections.
Collect the output several times to see how fast the #VALS counter changes.
Calculate the ratio of the #SLINKS counter to the #VALS counter (greater than 4-5 means problem).
Compare the #PEAK counter to the limit of Connections Table (fw tab -t connections | head -n 3 | grep limit).
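
The two connection-table checks above (the #SLINKS/#VALS ratio, and #PEAK against the configured limit) as a script. This is an added example, not part of the original cheat sheet; the two sample outputs are constructed to resemble fw tab -t connections -s and the first three lines of fw tab -t connections (column spacing in real output varies, so the parsers pick fields by position from the end and by the "limit N" attribute), and the 80% peak-to-limit warning level is an assumption the page does not give.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): evaluate the connections
# table the way the entry above recommends. The samples below are constructed
# to look like "fw tab -t connections -s" and "fw tab -t connections | head -n 3".

SAMPLE_SUMMARY='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  2345  5120    9380'
# Same table, but with far more symbolic links per connection (#SLINKS/#VALS = 6).
SAMPLE_BAD_SUMMARY='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  2345  5120   14070'
SAMPLE_HEAD3='localhost:
-------- connections --------
dynamic, id 8158, num ents 2345, load factor 0.3, attributes: keep, sync, aggressive aging, kbufs inside, expires 25, refresh, limit 25000, hashsize 32768, unlimited'

# "#VALS #PEAK #SLINKS": the last three columns of the row whose NAME is "connections".
conn_counters() {
    awk '$2 == "connections" { print $(NF-2), $(NF-1), $NF }'
}

# Configured table limit from the attributes line ("... limit 25000, ...").
conn_limit() {
    sed -n 's/.*limit \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# #SLINKS divided by #VALS, one decimal place.
slinks_ratio() {   # $1 = #VALS, $2 = #SLINKS
    awk -v v="$1" -v s="$2" 'BEGIN { if (v == 0) print "0.0"; else printf "%.1f\n", s / v }'
}

# Apply both checks; prints findings and returns 1 if either one fires.
check_connections() {   # $1 = summary output, $2 = head -n 3 output
    counters=$(printf '%s\n' "$1" | conn_counters)
    limit=$(printf '%s\n' "$2" | conn_limit)
    vals=${counters%% *}
    rest=${counters#* }
    peak=${rest%% *}
    slinks=${rest##* }
    ratio=$(slinks_ratio "$vals" "$slinks")
    rc=0
    # The page's rule of thumb: a ratio above 4-5 means a problem; 5 is used here.
    if awk -v r="$ratio" 'BEGIN { exit !(r > 5) }'; then
        echo "WARN #SLINKS/#VALS = $ratio (> 5)"
        rc=1
    fi
    # 80% of the configured limit is an assumed warning level, not from the page.
    if [ "${limit:-0}" -gt 0 ] && [ $((peak * 100 / limit)) -ge 80 ]; then
        echo "WARN #PEAK $peak is at least 80% of the table limit $limit"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK vals=$vals peak=$peak slinks=$slinks ratio=$ratio limit=$limit"
    return $rc
}

# Self-demo on the constructed samples. On a gateway, feed live output instead:
#   check_connections "$(fw tab -t connections -s)" "$(fw tab -t connections | head -n 3)"
check_connections "$SAMPLE_SUMMARY" "$SAMPLE_HEAD3"
```

Run it several times a minute apart, as the entry above suggests, and compare the #VALS values between runs to see how fast the table is growing.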

fw tab -t xlate -x  [Firewall]
Clear all translated entries.

fw tab -t connections | head -n 3 | grep limit  [Firewall]
Get the configured limit of the connections table.

fw unloadlocal  [Firewall]
Clear the local firewall policy.

fw ver  [Firewall]
Firewall version.

fw vsx stat -v  [VSX]
Displays detailed VSX status information.

fwaccel conns  [SecureXL]
Displays connections in SecureXL.
Helpful in detecting problems with non-accelerated traffic.

Flags:
F = Forward to Firewall - the connection is not accelerated.
U = Unidirectional - the connection can pass data on either C2S or S2C - data packets from the opposite direction will be F2F'ed.
N = NAT is being performed on the connection by the device.
A = Accounting is performed on the connection (the connection is viewed by either rulebase accounting or SmartView Monitor).
C = Encryption is done on the connection by the device.
W = the connection is in wire mode.
P = Partial (versions R70 and higher).
S = Streaming - PXL (versions R70 and higher).

fwaccel stat  [SecureXL]
Displays the status of SecureXL.
Helpful in detecting problems with SecureXL and with poorly or non-accelerated traffic.
Check the status of Accelerator.
Check the status of Accept Templates (refer to sk32578 (SecureXL Mechanism)).
Check the status of Drop Templates (refer to sk66402 (SecureXL Drop Templates are not supported in versions lower than R76)).

fwaccel stats  [SecureXL]
fwaccel stats -s
fwaccel stats -d
Displays statistics for SecureXL.
Helpful in detecting problems with non-accelerated traffic.
Calculate the ratio of "F2F" counter to "Accelerated" counter (the lower the better).
Check the statistics on the device (use 'fwaccel stats -s').
Check for "dropped" traffic (use 'fwaccel stats -d' in versions R70 and higher).
Check "TCP violations" counter.
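
The checks from the fwaccel stat and fwaccel stats entries above, scripted. This is an added example and not code from the page or from Check Point. Both inputs are constructed samples shaped like fwaccel stat and fwaccel stats -s on an R7x gateway; labels and spacing differ between versions, so the parsers key on label text rather than column position. The 10% F2F threshold is an assumption (the page only says that lower is better).

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): script the SecureXL checks
# from the entries above. SAMPLE_STAT and SAMPLE_STATS_S are constructed to
# resemble "fwaccel stat" and "fwaccel stats -s"; real output varies by version.

SAMPLE_STAT='Accelerator Status : on
Accept Templates   : enabled
Drop Templates     : disabled
NAT Templates      : disabled by user'

SAMPLE_STATS_S='Accelerated conns/Total conns : 2450/3100 (79%)
Accelerated pkts/Total pkts   : 1543200/1650000 (93%)
F2Fed pkts/Total pkts   : 106800/1650000 (6%)
PXL pkts/Total pkts   : 0/1650000 (0%)
QXL pkts/Total pkts   : 0/1650000 (0%)'

# Value of a "Key : value" line in fwaccel stat output (case-insensitive key).
stat_value() {   # $1 = key, stdin = fwaccel stat output
    awk -F' *: *' -v k="$1" 'tolower($1) ~ tolower(k) { sub(/ +$/, "", $2); print $2; exit }'
}

# Numerator and denominator of a "<label>/Total ... : a/b (p%)" line.
stats_pair() {   # $1 = label (e.g. "F2Fed pkts"), stdin = fwaccel stats -s output
    awk -v k="$1" 'index($0, k) > 0 {
        split($0, a, ":"); split(a[2], n, "/")
        gsub(/ /, "", n[1]); sub(/ .*/, "", n[2])
        print n[1], n[2]; exit }'
}

# F2F packets as a percentage of accelerated packets (lower is better).
# With no accelerated packets at all, report 100 so the check below fires.
f2f_ratio() {   # $1 = F2F pkts, $2 = accelerated pkts
    awk -v f="$1" -v a="$2" 'BEGIN { if (a == 0) print "100.0"; else printf "%.1f\n", 100 * f / a }'
}

# Run the checks; prints findings and returns 1 if any of them fires.
check_securexl() {   # $1 = fwaccel stat output, $2 = fwaccel stats -s output
    rc=0
    status=$(printf '%s\n' "$1" | stat_value "Accelerator Status")
    accept=$(printf '%s\n' "$1" | stat_value "Accept Templates")
    drop=$(printf '%s\n' "$1" | stat_value "Drop Templates")
    set -- $(printf '%s\n' "$2" | stats_pair "F2Fed pkts") $(printf '%s\n' "$2" | stats_pair "Accelerated pkts")
    ratio=$(f2f_ratio "${1:-0}" "${3:-0}")   # $1 = F2F pkts, $3 = accelerated pkts
    [ "$status" = on ] || { echo "WARN Accelerator Status is '$status'"; rc=1; }
    [ "$accept" = enabled ] || { echo "WARN Accept Templates: $accept (new connections are not templated)"; rc=1; }
    # 10% is an assumed threshold for "too much F2F traffic"; the page only says lower is better.
    if awk -v r="$ratio" 'BEGIN { exit !(r > 10) }'; then
        echo "WARN F2F/accelerated packets = ${ratio}% (look for 'F' connections in fwaccel conns)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK accelerator=$status accept_templates=$accept drop_templates=$drop f2f/accel=${ratio}%"
    return $rc
}

# Self-demo on the constructed samples. On a gateway:
#   check_securexl "$(fwaccel stat)" "$(fwaccel stats -s)"
check_securexl "$SAMPLE_STAT" "$SAMPLE_STATS_S"
```

Drop Templates are only reported, not judged, because on versions below R76 they are unsupported (sk66402) and "disabled" is the expected value there.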

fwaccel templates  [SecureXL]
Displays Connection Templates in SecureXL.
Helpful in detecting problems with Connection Templates.

Flags:
F = Forward to Firewall - the connection is not accelerated
U = Unidirectional - the connection can pass data on either C2S or S2C - data packets from the opposite direction will be F2F'ed
N = NAT is being performed on the connection by the device
A = Accounting is performed on the connection (the connection is viewed by either rulebase accounting or SmartView Monitor)
C = Encryption is done on the connection by the device
W = the connection is in wire mode
P = Partial (versions R70 and higher)
S = Streaming - PXL (versions R70 and higher)
D = Drop Template
L = Log drop action

fwm logexport -i <log_file> -o <output_file>
Export an old log file on the firewall manager.

ifconfig IF_NAME
Displays the status of the currently active interfaces.
Helpful in monitoring the amount of traffic and the drops on NICs.
Look at "errors", "dropped", "overruns", "frame", "carrier".
Man page - http://linux.die.net/man/8/ifconfig

netstat -an
Displays both listening and non-listening sockets.
Helpful in monitoring queue of incoming traffic to specific application and outgoing traffic from specific application.
Under "Active Internet connections" look at "Recv-Q" and at "Send-Q".
- where 'Recv-Q' is the data (in bytes), which has not yet been pulled from the socket buffer by the application (value should be as close to 0 as possible).
- where 'Send-Q' is the data (in bytes), which the sending application has given to the transport, but has yet to be ACKnowledged by the receiving TCP (value should be as close to 0 as possible - a large number may indicate a network bottleneck).
Man page - http://linux.die.net/man/8/netstat

netstat -ni
Displays a table of all network interfaces.
Helpful in monitoring the amount of traffic and the drops on NICs.
Look at "RX-ERR" , "RX-DRP" , "RX-OVR" and "TX-ERR" , "TX-DRP" , "TX-OVR".
- the 'RX-OK' and 'TX-OK' columns show how many packets have been received (RX) or transmitted (TX) error-free.
- the 'RX-ERR' and 'TX-ERR' columns show how many packets have been received (RX) or transmitted (TX) damaged.
- the 'RX-DRP' and 'TX-DRP' columns show how many received packets (RX) and transmitted packets (TX) have been dropped.
- the 'RX-OVR' and 'TX-OVR' columns show how many received packets (RX) and transmitted packets (TX) have been lost because of an overrun
RX-OVR = the number of times the receiver hardware was unable to hand received data to a hardware buffer - the internal FIFO buffer of the chip is full but it still tries to handle incoming traffic; most likely, the input rate of traffic exceeded the ability of the receiver to handle the data.
- the 'Flg' column shows the flags that have been set for this interface - these characters are one-character versions of the long flag names that are displayed in the output of 'ifconfig' command:
A = this interface will receive all Multicast addresses
B = a Broadcast address has been set
D = debugging is turned on
L = this interface is a loopback device
M = all packets are received (promiscuous mode)
m = master
N = trailers are avoided
O = ARP is turned off for this interface
P = this is a Point-to-Point connection
R = interface is running
s = slave
U = interface is up

Man page - http://linux.die.net/man/8/netstat
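
The column checks above, as a script that also does what the entry only implies: since these counters only grow since boot, it compares two snapshots taken during the problem and reports the growth. This is an added example, not code from the page. Both snapshots are constructed in the classic net-tools layout (Iface MTU Met RX-OK ... Flg); newer net-tools omit the Met column, which is why the columns are located by header name rather than by position.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): pick the error, drop and
# overrun columns out of "netstat -ni" and show how much they grew between two
# snapshots. SNAP1/SNAP2 are constructed samples in the classic net-tools layout.

SNAP1='Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0 12345678      0   1203    417  9876543      0      0      0 BMRU
eth1       1500   0  5432100      0      0      0  4321000      0      0      0 BMRU
lo        16436   0   100000      0      0      0   100000      0      0      0 LRU'
# Constructed "60 seconds later" snapshot: eth0 keeps dropping and overrunning.
SNAP2='Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0 12401230      0   1890    702  9901122      0      0      0 BMRU
eth1       1500   0  5460017      0      0      0  4344190      0      0      0 BMRU
lo        16436   0   100210      0      0      0   100210      0      0      0 LRU'

# Non-zero error/drop/overrun counters: prints "iface column value".
# Columns are mapped from the header line, so the presence or absence of "Met"
# does not matter.
iface_errors() {   # stdin = netstat -ni output
    awk '
        $1 == "Iface" { for (i = 1; i <= NF; i++) col[i] = $i; next }
        NF && $1 != "Kernel" {
            for (i = 1; i <= NF; i++)
                if (col[i] ~ /-(ERR|DRP|OVR)$/ && $i > 0) print $1, col[i], $i
        }'
}

# Counters that increased between two snapshots: prints "iface column increase".
iface_delta() {   # $1 = earlier snapshot, $2 = later snapshot
    { printf '%s\n' "$1"; echo "=== SPLIT ==="; printf '%s\n' "$2"; } | awk '
        /^=== SPLIT ===$/ { second = 1; next }
        $1 == "Iface" { for (i = 1; i <= NF; i++) col[i] = $i; next }
        NF && $1 != "Kernel" {
            for (i = 1; i <= NF; i++)
                if (col[i] ~ /-(ERR|DRP|OVR)$/) {
                    if (!second) base[$1, col[i]] = $i
                    else if ($i - base[$1, col[i]] > 0) print $1, col[i], $i - base[$1, col[i]]
                }
        }'
}

# Self-demo on the constructed snapshots. On a gateway, take two real ones:
#   a=$(netstat -ni); sleep 60; b=$(netstat -ni); iface_delta "$a" "$b"
echo "-- non-zero counters in snapshot 1:"; printf '%s\n' "$SNAP1" | iface_errors
echo "-- growth between snapshots:";        iface_delta "$SNAP1" "$SNAP2"
```

A growing RX-OVR on one interface points at the NIC ring buffer (see ethtool -g and sk42181 above), a growing RX-DRP with RX-OVR flat points at the host side.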

netstat -s
Displays summary statistics for each protocol.
Helpful in monitoring traffic.
Under "Ip" look at "incoming packets discarded".
Under "Icmp" look at "ICMP messages failed".
Under "Tcp" look at "bad segments received".
Under "Udp" look at "packet receive errors".
Man page - http://linux.die.net/man/8/netstat

ps auxwf
Displays information about the current processes (daemons).
Helpful in detecting problems in User Space (Memory , CPU).
Look at the amount of "CPU", "MEM", "VSZ", "RSS", "TIME" consumed by the daemons.
Collect this output over period of time to see the trend of memory consumption.
Man page - http://linux.die.net/man/1/ps

set virtual-system <vsid>  [VSX]
Change context to a different virtual device (Gaia clish).

sim affinity -l  [SecureXL]
Displays the affinity of physical interfaces and CPU cores.
Helpful in detecting problems with SIM Affinity that lead to poor CPU utilization.
Use static affinity ('sim affinity -s' command ; $PPKDIR/boot/modules/sim_aff.conf file will be created)
- for Clear traffic
--- with SecureXL - use dual affinity
--- without SecureXL - use single affinity
- for VPN traffic
--- with SecureXL - use dual affinity
--- without SecureXL - use single affinity

top
Displays a dynamic real-time view of a running system on Linux.
Helpful in monitoring different aspects of CPU utilization.
Look at the amount of "Idle".
Look at the load in "User Space".
Look at the load in "System (kernel) Space".
Look at the amount of "SoftIRQ".
Look at the amount of "IOwait".
Collect this output continuously during the problem.
Output differs between Linux kernel 2.4 and 2.6 (on 2.6, press 1 to show per-CPU lines and Shift+W to save that configuration).

Man page - http://linux.die.net/man/1/top

vmstat X [Y]
Displays information about processes, memory, paging, block IO and CPU activity.
Helpful in monitoring different aspects of CPU utilization and memory utilization.
Look at the "procs" section - counter "r" (number of processes waiting for CPU).
Look at the "memory" section - all counters.
Look at the "swap" section - reading "si" and writing "so" in swap file.
Look at the "io" section - reading "bi" and writing "bo" on hard disk.
Look at the "system" section at "cs" (number of Context Switches).
Look at the "cpu" section - all counters.
Collect this output continuously during the problem.

Man page - http://linux.die.net/man/8/vmstat

vsenv [context id]  [VSX]
Change context to a different virtual device (expert mode).

vsx fetch  [VSX]
Fetches the most current configuration files from the Main Domain Management Server, and applies them to the VSX Gateway.

vsx fetch [-v] [-q] [-s] local
vsx fetch [-v | -q| -s] [-f conf_file]
vsx fetch [-v | -q] -C "command"
vsx fetch [-v | -q| -c| -n| -s] [management]

-c
Cluster mode

-n
Do not run local.vsall if VSX configuration, as fetched from management server, is up-to-date.

-s
Concurrent fetches for multi-processor environment.

-q
Quiet mode - Only summary lines appear.

-v
Verbose mode - Detailed information appears.

-f conf_file
Fetches NCS commands configuration file instead of the default local.vsall.

local
Reads the local.vsall configuration file from $FWDIR/state/local/vsx and executes the NCS commands.

management
Fetches local.vsall from management, replaces and runs it.

-C command
Execute NCS command

vsx fetchvs  [VSX]
Retrieves a specific Virtual System configuration file based on information stored locally on the gateway.

vsx fetchvs [-v | -q] [<vs_name> | <vs_id>]

-q
Quiet output. Only summary information appears.

-v
Verbose output. Detailed information appears.

<vs_name> | <vs_id>
Enter the Virtual System name or ID.

vsx sic reset  [VSX]
Resets SIC for the Virtual System.
Run vsenv first to change context to the Virtual System whose SIC you want to reset.
Note - On the management server, use the cpca_client revoke_cert command to cancel the old certificate. In SmartDashboard, open the Virtual System object for editing. Click OK. This action creates a new certificate, and transfers the certificate to the gateway.

vsx stat  [VSX]
Displays VSX status information.

vsx stat [-v] [-l] [<vsid>]

-v
Displays detailed (verbose) information.

-l
Displays a detailed list of all virtual devices.

<vsid>
Displays statistics for the specified Virtual System.

vsx_util  [VSX]
Performs various VSX maintenance tasks. You run this command from expert mode on the management server (Security Management Server or a Main Domain Management Server in a Multi-Domain Security Management environment).

vsx_util [parameters]

-s <management_IP>
Perform the action using the specified management IP

-u <administrator>
Perform the action using the specified administrator

-c <cluster or VSX Gateway>
Perform the action on the specified cluster or VSX Gateway

-m <member>
Perform the action on the specified member

-h
Display help text

-h
Display help text

Note - You must close SmartDashboard before executing the vsx_util command if any Virtual Systems are defined on the Security Management Server or Multi-Domain Security Management Domain Management Server. Failure to do so may result in a database locked error.

The vsx_util command typically requires you to enter the following information before executing the command:
- Management server name or IP address
- User name and password
- The command may ask for the name of one or more VSX objects upon which the command operates
- Most vsx_util sub-commands are interactive and require additional user input. Brief descriptions of additional input requirements appear in the Input section for the various sub-commands. The instructions on the screen typically provide helpful information regarding required information.

vsx_util add_member  [VSX]
Adds a new member to an existing VSX cluster.
- VSX cluster object name
- New member name
- IP for [interface]: IP address assigned to specified interface (IP address is required for management and sync network interfaces)

Run the command and follow the instructions on the screen. When the command finishes executing, you must also run the vsx_util add_member_reconf command.

vsx_util add_member_reconf  [VSX]
Restores the VSX configuration after adding a cluster member.
- VSX member object name: VSX cluster member name
- Activation Key: SIC activation key assigned to the Security Management Server or main Domain Management Server
- Retype Activation Key: Retype to confirm the SIC activation key

Execute the command and follow the instructions on the screen. Reboot the member after the command script finishes.

vsx_util change_interfaces  [VSX]
Automatically replaces designated existing interfaces with new interfaces on all virtual devices to which the existing interfaces connect.
This command is useful when converting a deployment to use Link Aggregation, especially where VLANs connect to many virtual devices.
- This command is interactive. Follow the instructions on the screen.
- This command supports the resume feature.
You can use this command to migrate a VSX deployment from an Open Server to a Check Point appliance by using the Management Only mode.
Important - You must close SmartDashboard for all Multi-Domain Security Management Domain Management Servers using the affected interfaces prior to running this command.

vsx_util change_mgmt_ip  [VSX]
Changes the gateway or cluster member management IP address within the same subnet. See sk92425.

vsx_util change_mgmt_subnet  [VSX]
Changes the gateway or member management IP address to a different subnet. See sk92425.
- Back up the management database before using this command.
- Only automatically generated routes are changed by the command script. You must remove and/or change all manually created routes using the previous management subnet.
To perform this action, execute the command and follow the instructions on the screen. Reboot the VSX Gateway or cluster members after the command script finishes.

vsx_util change_private_net  [VSX]
Changes the cluster internal communication network IP address.
We recommend that you back up the management database before using this command.
The private network IP address must be unique and not used anywhere behind the VSX Gateway, cluster or Virtual Systems.
For an IPv4 cluster, the default cluster private network uses 255.255.252.0 for the netmask. You can change this value.
For an IPv6 cluster, the new cluster private network must use /80 for the netmask.
Run the command and follow the instructions on the screen.

vsx_util convert_cluster  [VSX]
Converts the cluster type from High Availability to VSLS or from VSLS to High Availability.
Back up the management database before using this command.
To perform this action, execute the command and follow the instructions on the screen.
When switching to High Availability, all Virtual Systems are active on the same member by default. Peer Virtual Systems are standby on other members.
When converting to VSLS, all members must be in the Per Virtual System state.

vsx_util reconfigure  [VSX]
For more about how to use the vsx_util reconfigure command, go to sk97552.
This command is also useful for restoring a gateway or cluster member after a system failure.
Execute the command and follow the instructions on the screen.
A new gateway or cluster member must have the same hardware specifications and configuration as the member it replaces and as the other cluster members. Most importantly, it must have the same number of interfaces (or more) and the same management IP address.
The new or replacement machine must be a new installation. You cannot use a machine with a previous VSX configuration.

vsx_util remove_member  [VSX]
Removes a member from an existing cluster.
Back up the management database before using this command.
Make certain that you remove the member's license before executing this command.
Execute the command and follow the instructions on the screen.

vsx_util show_interfaces  [VSX]
Displays selected interface information in a VSX deployment. Provides information regarding interface types, connections to virtual devices, and IP addresses. The output appears on the screen and is also saved to the interfacesconfig.csv file.
1) All Interfaces
Show all interfaces (physical and Warp)

2) All Physical Interfaces
Show Physical interfaces only

3) All Warp Interfaces
Show Warp interfaces only

4) A Specific Interface
Enter the interface name when prompted.

Note - You cannot specify a VLAN tag as a parameter for the Specific Interface option. You can, however, specify an interface used as a VLAN (without the tag suffix) to view all tags associated with that interface.

vsx_util upgrade  [VSX]
Upgrades Gateways and/or cluster members to newer versions.
This command updates all VSX objects in the management database to the designated newer version.
Backs up the management server.
Execute the command and follow the instructions on the screen.
After the command script finishes, execute the vsx_util reconfigure command.

vsx_util view_vs_conf  [VSX]
Displays virtual device configuration and status, including troubleshooting information. This command also compares the management server database with the actual VSX Gateway and cluster member configurations.

vsx_util vsls  [VSX]
Displays the Virtual System Load Sharing menu, which allows you to perform a variety of configuration tasks for Load Sharing deployments. You perform configuration tasks interactively by following the instructions on the screen.

You use the vsx_util vsls command to perform various Virtual System Load Sharing configuration tasks, including:
- Displaying the current VSLS configuration
- Distributing Virtual Systems equally amongst cluster members
- Setting all Virtual Systems as active on one member
- Manually defining the priority and weight for individual Virtual Systems
- Importing VSLS configurations from comma separated value (CSV) text files
- Exporting VSLS configurations to comma separated value (CSV) text files

To work with the vsx_util vsls command:
- Run vsx_util vsls from the Expert mode on the management server.
- Select the desired choice from the VSLS menu.

Prithvi Mandava

Prithvi is an experienced cyber security professional with global experience across 3 continents. He has proven skills and experience on Cisco, Check Point, Fortinet, Juniper and other vendors' products and technologies. He also has a passion for nature and landscape photography and can be seen lugging his camera gear in and around some pretty locations.

A few of the industry credentials he currently holds include CISSP, CISM, CISA, CCNP R&S, CCNA Security, CCNA.