CheckPoint Firewall – Crash Course

I will go little bit through the main concepts of firewalls which is quite necessary to understand how checkpoint works and what is its main privilege in comparison with other firewalls. There are in total 3 categories of firewall which the following first two are more or less the traditional approach:

  • Packet filters
  • Application-layer Gateways (Proxy-based firewalls)
  • Stateful Inspection


Packet Filter firewall

It inspect traffics based on layer 3 (source/destination IP address & IP protocol types/numbers) and layer 4 parameters such as TCP/UDP ports which identify the upper-layer application protocol data contained within the packet (e.g., HTTP, DNS, or FTP).

Here each packet processed independently of any other packet without establishing any logical relationship between packets that belong to the same connection. So any packets whether allowed or rejected.

Application-Layer Firewall (proxy based firewall)

The idea here is that do not let the client and server communicate directly with each other but all happens through a firewall in between which basically equipped with a daemon that emulate both server and client for different direction. The following figure shows how it works:


Good example would be a Web Proxy server which is basically an Application-Layer Gateway for http, https and ftp traffic. It is usually the case that web proxy server locates behind another firewall (normally packet-filter) which is connected to the Internet and is equipped with rules/policies that allows Internet connection only from the web proxy server. The main reason for such a design is to use the speed/performance of the packet-filter or even stateful firewall, besides having the security advantages of the application-layer firewall. Following figure show such as design which is usually the case in big organization. Keep it in mind that web proxy authenticates client requests in order to make sure that only authorized users, systems or applications allowed to access the internet. All content passed through the web proxy is checked for malicious content (e.g., viruses) as well as content appropriateness (e.g., is the content business-related), and then permitted or rejected Appropriately.



It is usually not the case to use Application-layer firewall in a production environment, but use Web proxy as a special kind of that which only inspect http, https and ftp protocols and mix it with another firewall as mentioned above. The main reasons are due to performance issues that applications-layer firewalls have.

Stateful Inspection firewall

Here we have a stateful inspection engine which maintains a connection table as an extra component in comparison to the packet-filter firewall. So here the decision does not made only based on Layer 3/4 parameters, but also based on the current state/phase of the connection. As an example, it knows if the connection is in setup phase or data transfer phase and based on that decides to allow or reject the return traffic of a connection by checking if the connection is active or by ensuring that only legitimate traffic consistent with the expected state of the connection is permitted.

We can say that we have actually the speed & flexibility of a packet filter firewall as well as high security of the application-layer firewall. Maybe two of the main advantages of stateful inspection firewall are following:

  • Secure against IP fragmentation while it is capable of the fragment reassembly and inspecting them.
  • Securing the underlying OS of the firewall since the stateful inspection engine process the packets before they reach TCP/IP stack of the OS.




It has a capability of seperation of duties- administration, management & enforcement- in order to enhance the scalabity and performance of the product. As an example, we can have a separate device which only handle Security Policy configuration and auditing information and let firewall to focus on its main job which is Security Enforcement. As can be seen in the following figure, Checkpoint provides a three.tier mode that consists of following components:

  • Smart Clients
  • SmartCenter Server
  • Enforcement Modules (means firewall itself)


SMART Clients

It’s a set of GUI applications that being installed on a separate machine (usually windows) and have different functionalities as I will go through it here:

  • SmartDashboard allow security administrators to configure and manage the global security policy. It’s a main application for users.
  • SmartView Tracker (Log viewer) Allows you to view security audit and event logs.
  • SmartView Status(system status) Allows you to monitor status of enforcement modules

SmartCenter server

This component can be on the checkpoint firewall itself or prefebly in a big organization that have multiple checkpoint firewall on a sperate machine. In a very simple term, it contains Security policies which being defined using SmartDashboard. It contains following databases:

  • Object database: can be network devices, systems and services (http,…).
  • User database
  • Security rules: each rule comprises objects or users that are defined in their corresponding database.
  • Log database

To summarize, SmartCenter server does following:

  • Uploading security rules specific to that firewall (enforcement module)
  • Downloading logging information from firewall(s)
  • Monitors the status of each firewall(s) which can be seen using SmartView status

Beside doing almost all things from GUI through Smart Dashboard, we can also use Command line for this purpose. The new cli utility is called “fwm” which replaces “fw” for all commands that was related to the smartCenter server.

fwm : Perform various management operations on the firewall from cli.

  • load: It will read the security policy(rule base or filter files (located in $FWDIR/conf)) on the target’s firewall which is usually “local firewall” (the one we run fwm from). Keep it in mind that it does not have anything to do with Security Management server and security policies which is located there. But here we can have the security policy in a file (*.pf or *.w) and install it directly on the target.

         “fwm load targets”

  • unload: it will uninstall the current security policy from the firewall  (enforcement       module). It is usually the case that we want to unload default filter or an initial policy from the kernel.  “fwm unload targets”
  • verify:  it verifies the specified policy package without installing it.

There are some other commands such as dbload, dbexport, dbimport, snmp_trap, printcert … that can be used also from fwm.

Enforcement Module

I just don’t get why they don’t call it simply a firewall which protects the internal (protected) networks from the Internet (untrusted). Each enforcement module in the network has a rule set downloaded from the SmartCenter server that is specific to the enforcement module. Due to its importance, I will elaborate more the enforcement module later.

We have to keep it in mind that all communication between different components are secured through SSL encryption. They call this feature SIC (secure internal communication).

Enforcement Module (firewall) Operation

As mentioned earlier, checkpoint is based on stateful inspection technology. It consists of 3 components:

Inspect Module:  it provides following features:

  • Access control
  • Stateful inspection
  • NAT
  • Log & alerts generation
  • encryption

The good point about this component is the fact that it is integrated with the OS kernel, in a way that it receives all packets from Layer 2 – do access control and packet inspection – and then if is allowed pass packets to the TCP/IP stack of OS. This approach protect the OS of the firewall.

The majority of the traffics are whether TCP or UDP. TCP is connection-oriented and Inspect module use TCP flags, sequence number and Source/Destination IP and ports for any decision and control. I would say the tcp flags is quite useful here since we can tell if packet is a control packet (such as one that might be used to establish or tear down a connection) or a packet that contains real data. Since in UDP we do not have such a flags, Checkpoint usually use Idle time – default of 40 seconds- for this purpose.

Other transport-layer protocol connections, such as IPSec connections, are tracked based on only source and destination IP address, as they do not possess the concept of ports, unlike TCP and UDP.

Security servers: Provide user authentication and content security for HTTP, FTP, and SMTP traffic.

Synchronization module Allows the stateful connection table to be shared with other enforcement modules for high availability deployments.

The following figure shows how firewall specially Inspect module works


Fw : The fw commands are used for working with various aspects of the firewall. All fw commands are executed on the Check Point Security Gateway (directly on the firewall). It has many usefull commands such killing some processes and analyzing security/audit logs.

a. Ctl: controls the firewall kernel module.

  •  fw ctl {install | uninstall}
  • fw ctl debug [-m <module>] [+|-] {options | all | 0}
  • fw ctl debug -buf <buffer size>
  • fw ctl kdebug
  • fw ctl pstat [-h] [-k] [-s] [-n] [-l]
  • fw ctl iflist
  • fw ctl arp [-n]
  • fw ctl block {on | off}
  • fw ctl chain
  • fw ctl conn

b. Ctl debug: create debug message to the buffer

  • fw ctl debug -buf [buffer size] fw ctl debug [-m <module>] [+ | -] {options|all|0}
  • fw ctl debug 0
  • fw ctl debug [-d <comma separated list of strings>]
  • fw ctl debug [-d <comma separated list of strings>]
  • fw ctl debug [-s <string>]
  • fw ctl debug -h
  • fw ctl debug –x

c. stat:  to view the policy installed on the gateway, and which interfaces are being protected. The cpstat command is an enhanced version of fw stat

  • fw stat -l
  • fw stat -s

d. monitor: it can capture the network packets for inspection as an essential part of troubleshooting network. It provides much better functionality and low security risk of tools such as “tcpdump” & “snoop” which usually being used for this purpose. fw monitor does not use the promiscuous mode to capture packets.

e. tab: it shows data from the kernel tables, and lets you change the content of dynamic kernel tables. You cannot change the content of static kernel tables.
Kernel tables (also known as State tables) store data that the Firewall and other modules in the Security Gateway use to inspect packets. These kernel tables are the “memory” of the virtual computer in the kernel and are a critical component of Stateful Inspection. The kernel tables are dynamic hash tables in the kernel memories.

f. fetch: it instructs the firewall to download and install the current security policy from Smart Center server. This command is an alternative to the fwm load command, where instead of the Smart-Center server pushing the policy, the enforcement module instead pulls the policy.
“fw fetch management-server”

cpstartn & cpstop: starts all the Check Point applications installed on a machine, excluding the cprid daemon, which is started separately during machine boot up.

fwstart & fwstop: it starts all firewall components installed on a machine. Firewall  components including the enforcement module (fwd), the SmartCenter server (fwm), the SNMP daemon (snmpd), and authentication daemons (such as httpd, which is used to provide an HTTP application-layer gateway daemon for authenticating HTTP access).

Notice that the fwstart and fwstop only start/stop the FireWall service, unlike cpstart and cpstop, which start/stop all Check Point components.


Security Policy

Security policies are rules which their main function is to allow or disallow the types of traffics and connections as per security policy.

dbedit : Creates and configures objects and rules in the database for the Security Policy from cli. It can be used if for some reason we don’t want use Smart Dashboard for this reason.

We run the command only from “expert” mode. After running “dbedit” it will ask for the Security Management Server Address. In our case which we have installed the Security management server also on the first checkpoint firewall, we can just write LocalHost.

We recommend that you use the -globallock option when you use dbedit to make changes to the Security Management Server database. dbedit partially locks the database, if a user configures objects with SmartDashboard, there can be problems in the database. The -globallock option does not let SmartDashboard or a dbedit user make changes to the database.

When the -globallock option is enabled, dbedit commands run on a copy of the database. After you change the database and run the savedb command, it is saved and committed on the actual database. You can use the savedb command multiple times in a dbedit script.

At the end of a script, it is a best practice to run these commands:

  • # update_all
  • # savedb

Example 1:

  • create network net-internal
  • modify network_objects net-internal ipaddr
  • modify network_objects net-internal netmask
  • modify network_objects net-internal comments “Created by fwadmin with dbedit

Example 2: This sample script creates these services:

  1. tcp_8081 – TCP protocol port 8081
  2. udp_8082 – UDP protocol port 8082
  • create tcp_service tcp_8081
  • modify services tcp_8081 port 8081
  • create udp_service udp_8082
  • modify services udp_8082 port 8082

At the end we need to run “fwm load” for the written script (policy here called standard as an exp) to push it to the Security Gateway (firewall):

  • # fwm load Standard samplegw

This command validates the policy and makes sure that rules agree with each other.

ClusterXL Gateway

A ClusterXL cluster is basically representing Fail over (high availability) & Load sharing (increase performance) concept by grouping identical CheckPoint firewalls in such a way that if one fails, another immediately takes its place.

In simple terms, such A High availability cluster ensures gateway and VPN connection redundancy by providing transparent failover to a backup gateway in the event of failure.

The Cluster Control Protocol (CCP) is the glue that links together the machines in the Check Point Gateway Cluster. CCP traffic is distinct from ordinary network traffic and can be viewed using any network sniffer.

CCP runs on UDP port 8116, and has the following roles:

  • It allows cluster members to report their own states and learn about the states of other members by sending keep-alive packets (this only applies to ClusterXL clusters).
  • State Synchronization.



CoreXL is a performance-enhancing technology for firewall on multi-core processing platforms. CoreXL enhances the firewall performance by enabling the processing cores to concurrently perform multiple tasks. The increase in performance is achieved without requiring any changes to network topology and managent.

In a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or instance, runs on one processing core. These instances handle traffic concurrently, and each instance is a complete and independent inspection kernel. When CoreXL is enabled, all the kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy.


Summary of most useful commands:

a. Redirecting to the special directory: should be run from “expert” mode.

explanation: The Expert mode provides the user with full UNIX root permissions and a full UNIX shell. Expert mode displays this prompt: [Expert@hostname]#

  • $FWDIR —installation directory, in my case is /opt/CPsuite-R77/fw1

b. View and Manage Logfiles

  • fw lslogs —View a list of available fw logfiles and their size.
  • fwm logexport —Export/display current fw.log to stdout.
  • fw log -c <action> —Show only records with action <action>, e.g. accept, drop, reject etc. Starts from the top of the log, use -t to start a tail at the end.
  • fw log -f -t —Tail the actual log file from the end of the log. Without the -t switch it starts from the beginning.
  • fw log -b <starttime> <endtime> —View today’s log entries between <starttime> and <endtime>. Example:    fw log -b 10:00:00 11:15:00.

c. Display and Manage Licenses

  • cp_conf lic get —View licenses.
  • cplic print —Display more detailed license information.
  • fw lichosts —List protected hosts with limited hosts licenses.
  • cplic get <ip host|-all> —Retrieve all licenses from a certain gateway or all gateways in order to synchronize license repository on the SmartCenter server with the gateway(s).
  • cplic put <-l file> —Install local license from file to an local machine.
  • cplic put <obj> <-l file> —Attach one or more central or local licenses from file remotely to obj.
  • cprlic —Remote license management tool.

d. ClusterXL

  • cp_conf ha enable|disable —Enable or disable HA.
  • cphastop —Disable ClusterXL on the cluster member. Issued on a cluster member running in HA Legacy Mode cphastop might stop the entire cluster.
  • cphastart —Activate ClusterXL on this cluster member.
  • fw hastat —View HA state of local machine.
  • cphaprob state —View HA state of all cluster members.
  • cphaprob -a if —View interface status.
  • cphaprob -ia list —View list and state of critical cluster devices.
  • cphaprob syncstat —View sync transport layer statistics. Reset with -reset.

e. Traffic monitoring

  • fw monitor -e ‘accept src=x.x.x.x or dst=v.v.v.v;’ -o filename.cap
  • fw monitor -e “accept;” -o /var/log/fw_mon.cap
  • fw monitor -e “((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;” -o /var/log/fw_mon.cap
  • # packets with IP as SRC or DST
    fw monitor -e ‘accept host(;’
  • # all packets from to
    fw monitor -e ‘accept src= and dst=;’
  • # UDP port 53 (DNS) packets, pre-in position is before ‘ippot_strip’
    fw monitor -pi ipopt_strip -e ‘accept udpport(53);’
  • # UPD traffic from or to unprivileged ports, only show post-out
    fw monitor -m O -e ‘accept udp and (sport>1023 or dport>1023);’
  • # Windows traceroute (ICMP, TTL<30) from and to
    fw monitor -e ‘accept host( and tracert;’
  • # Capture web traffic for VSX virtual system ID 23
    fw monitor -v 23 -e ‘accept tcpport(80);’

We can also use tcpdump command direct from linux “expert mode”:

  • tcpdump -i <int name> host <ip> -w filename
  • tcpdump -i <int name> tcp port <port number>
  • tcpdump -i <int name> udp port <port number>
  • tcpdump -i <int name> proto osp

f. Site to site VPN troubleshooting

  • Turn on debugs
    vpn debug trunc
    vpn debug on TDERROR_ALL_ALL=5
  • Run the following command to reset the tunnel
    (not needed if you are testing a Remote Access VPN):
    vpn tu
    Then select the option that reads,
    Delete all IPsec+IKE SAs for a given peer (GW)
    enter your remote GW ip address
    exit the utility
  • Try to build the tunnel back up again, in both directions,
    attempt to connect from YOUR NETWORK to a device in
    the remote encryption domain and then attempt to connect
    from THE REMOTE NETWORK to a device in the local
    encryption domain.
  • Turn off debugs
    vpn debug ikeoff
    vpn debug off
    debug file location:
    SecurePlatform – $FWDIR/log/ike.elg*
    Windows – %FWDIR%\log\ike.elg*












%d bloggers like this: