[Classification: Protected]
22 January 2020

CLI R80.40 Reference Guide

Check Point Copyright Notice

    © 2020 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    Refer to the Copyright page for a list of our trademarks.
    https://www.checkpoint.com/copyright/

    Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
    https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/

CLI R80.40 Reference Guide

    CLI R80.40 Reference Guide      |      3

Important Information

    Latest Software

    We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

    Certifications

    For third party independent certification of Check Point products, see the Check Point Certifications page.
    https://www.checkpoint.com/products-solutions/certified-check-point-solutions/

    Check Point R80.40

    For more about this release, see the R80.40 home page.
    http://supportcontent.checkpoint.com/solutions?id=sk160736

    Latest Version of this Document

    Open the latest version of this document in a Web browser.
    https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_CLI_ReferenceGuide/Default.htm

    Download the latest version of this document in PDF format.
    http://downloads.checkpoint.com/dc/download.htm?ID=96075

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation.

    Please help us by sending your comments.

    Revision History

    Date             Description
    22 January 2020  First release of this document

Table of Contents

    Glossary 30

    Introduction 66

    Syntax Legend 67

    Gaia Commands 70

    Security Management Server Commands 71

    Managing Security through API 72

    API 72

    API Tools 72

    Configuring the API Server 72

    contract_util 74

    contract_util check 76

    contract_util cpmacro 77

    contract_util download 78

    contract_util mgmt 80

    contract_util print 81

    contract_util summary 82

    contract_util update 83

    contract_util verify 84

    cp_conf 85

    cp_conf admin 88

    cp_conf auto 91

    cp_conf ca 93

    cp_conf client 95

    cp_conf finger 99

    cp_conf lic 101

    cp_log_export 103

    cpca_client 108

    cpca_client create_cert 110

    cpca_client double_sign 112

    cpca_client get_crldp 114


    cpca_client get_pubkey 115

    cpca_client init_certs 116

    cpca_client lscert 117

    cpca_client revoke_cert 120

    cpca_client revoke_non_exist_cert 123

    cpca_client search 124

    cpca_client set_mgmt_tool 127

    cpca_client set_sign_hash 130

    cpca_create 132

    cpconfig 133

    cpinfo 136

    cplic 137

    cplic check 140

    cplic contract 142

    cplic db_add 144

    cplic db_print 146

    cplic db_rm 148

    cplic del 149

    cplic del 150

    cplic get 151

    cplic print 153

    cplic put 155

    cplic put 157

    cplic upgrade 160

    cppkg 162

    cppkg add 164

    cppkg delete 165

    cppkg get 167

    cppkg getroot 168

    cppkg print 169

    cppkg setroot 170

    cpprod_util 171

    cprid 175


    cprinstall 176

    cprinstall boot 179

    cprinstall cprestart 180

    cprinstall cpstart 181

    cprinstall cpstop 182

    cprinstall delete 183

    cprinstall get 184

    cprinstall install 185

    cprinstall revert 188

    cprinstall show 189

    cprinstall snapshot 190

    cprinstall transfer 191

    cprinstall uninstall 192

    cprinstall verify 194

    cpstart 196

    cpstat 197

    cpstop 205

    cpview 206

    Overview of CPView 206

    CPView User Interface 206

    Using CPView 207

    cpwd_admin 208

    cpwd_admin config 211

    cpwd_admin del 214

    cpwd_admin detach 215

    cpwd_admin exist 216

    cpwd_admin flist 217

    cpwd_admin getpid 219

    cpwd_admin kill 220

    cpwd_admin list 221

    cpwd_admin monitor_list 225

    cpwd_admin start 226

    cpwd_admin start_monitor 228


    cpwd_admin stop 229

    cpwd_admin stop_monitor 231

    dbedit 232

    fw 245

    fw fetchlogs 247

    fw hastat 249

    fw kill 250

    fw log 251

    fw logswitch 260

    fw lslogs 264

    fw mergefiles 267

    fw repairlog 270

    fw sam 271

    fw sam_policy 279

    fw sam_policy add 282

    fw sam_policy batch 295

    fw sam_policy del 297

    fw sam_policy get 300

    fwm 304

    fwm dbload 307

    fwm exportcert 309

    fwm fetchfile 310

    fwm fingerprint 311

    fwm getpcap 313

    fwm ikecrypt 315

    fwm load 316

    fwm logexport 317

    fwm mds 322

    fwm printcert 324

    fwm sic_reset 329

    fwm snmp_trap 330

    fwm unload 333

    fwm ver 337


    fwm verify 338

    inet_alert 339

    ldapcmd 342

    ldapcompare 344

    ldapmemberconvert 348

    ldapmodify 353

    ldapsearch 355

    mgmt_cli 358

    migrate 359

    migrate_server 363

    queryDB_util 367

    rs_db_tool 368

    sam_alert 370

    stattest 374

    threshold_config 377

    Multi-Domain Security Management Commands 383

    Managing Security through API 384

    API 384

    API Tools 384

    Configuring the API Server 384

    cma_migrate 386

    contract_util 387

    contract_util check 389

    contract_util cpmacro 390

    contract_util download 391

    contract_util mgmt 393

    contract_util print 394

    contract_util summary 395

    contract_util update 396

    contract_util verify 397

    cp_conf 398

    cp_conf admin 401

    cp_conf auto 404


    cp_conf ca 406

    cp_conf client 408

    cp_conf finger 412

    cp_conf lic 414

    cp_log_export 416

    cpca_client 421

    cpca_client create_cert 423

    cpca_client double_sign 425

    cpca_client get_crldp 427

    cpca_client get_pubkey 428

    cpca_client init_certs 429

    cpca_client lscert 430

    cpca_client revoke_cert 433

    cpca_client revoke_non_exist_cert 436

    cpca_client search 437

    cpca_client set_mgmt_tool 440

    cpca_client set_sign_hash 443

    cpca_create 445

    cpinfo 446

    cplic 447

    cplic check 450

    cplic contract 452

    cplic db_add 454

    cplic db_print 456

    cplic db_rm 458

    cplic del 459

    cplic del 460

    cplic get 461

    cplic print 463

    cplic put 465

    cplic put 467

    cplic upgrade 470

    cpmiquerybin 472


    cppkg 474

    cppkg add 476

    cppkg delete 477

    cppkg get 479

    cppkg getroot 480

    cppkg print 481

    cppkg setroot 482

    cpprod_util 483

    cprid 487

    cprinstall 488

    cprinstall boot 491

    cprinstall cprestart 492

    cprinstall cpstart 493

    cprinstall cpstop 494

    cprinstall delete 495

    cprinstall get 496

    cprinstall install 497

    cprinstall revert 500

    cprinstall show 501

    cprinstall snapshot 502

    cprinstall transfer 503

    cprinstall uninstall 504

    cprinstall verify 506

    cpstat 508

    cpview 516

    Overview of CPView 516

    CPView User Interface 516

    Using CPView 517

    cpwd_admin 518

    cpwd_admin config 521

    cpwd_admin del 524

    cpwd_admin detach 525

    cpwd_admin exist 526


    cpwd_admin flist 527

    cpwd_admin getpid 529

    cpwd_admin kill 530

    cpwd_admin list 531

    cpwd_admin monitor_list 535

    cpwd_admin start 536

    cpwd_admin start_monitor 538

    cpwd_admin stop 539

    cpwd_admin stop_monitor 541

    dbedit 542

    fw 555

    fw fetchlogs 557

    fw hastat 559

    fw kill 560

    fw log 561

    fw logswitch 570

    fw lslogs 574

    fw mergefiles 577

    fw repairlog 580

    fw sam 581

    fw sam_policy 589

    fw sam_policy add 592

    fw sam_policy batch 605

    fw sam_policy del 607

    fw sam_policy get 610

    fwm 614

    fwm dbload 617

    fwm exportcert 619

    fwm fetchfile 620

    fwm fingerprint 621

    fwm getpcap 623

    fwm ikecrypt 625

    fwm load 626


    fwm logexport 627

    fwm mds 632

    fwm printcert 634

    fwm sic_reset 639

    fwm snmp_trap 640

    fwm unload 643

    fwm ver 647

    fwm verify 648

    inet_alert 649

    ldapcmd 652

    ldapcompare 654

    ldapmemberconvert 658

    ldapmodify 663

    ldapsearch 665

    mcd 668

    mds_backup 670

    mds_restore 673

    mdscmd 674

    mdsconfig 676

    mdsenv 680

    mdsquerydb 682

    mdsstart 684

    mdsstart_customer 688

    mdsstat 689

    mdsstop 691

    mdsstop_customer 695

    mgmt_cli 696

    migrate 697

    migrate_server 701

    migrate_global_policies 705

    queryDB_util 706

    rs_db_tool 707

    sam_alert 709


    stattest 713

    threshold_config 716

    $MDSVERUTIL 722

    $MDSVERUTIL AllCMAs 732

    $MDSVERUTIL AllVersions 733

    $MDSVERUTIL CMAAddonDir 736

    $MDSVERUTIL CMACompDir 737

    $MDSVERUTIL CMAFgDir 738

    $MDSVERUTIL CMAFw40Dir 739

    $MDSVERUTIL CMAFw41Dir 740

    $MDSVERUTIL CMAFwConfDir 741

    $MDSVERUTIL CMAFwDir 742

    $MDSVERUTIL CMAIp 743

    $MDSVERUTIL CMAIp6 744

    $MDSVERUTIL CMALogExporterDir 745

    $MDSVERUTIL CMALogIndexerDir 746

    $MDSVERUTIL CMANameByFwDir 747

    $MDSVERUTIL CMANameByIp 748

    $MDSVERUTIL CMARegistryDir 749

    $MDSVERUTIL CMAReporterDir 750

    $MDSVERUTIL CMASmartLogDir 751

    $MDSVERUTIL CMASvnConfDir 752

    $MDSVERUTIL CMASvnDir 753

    $MDSVERUTIL ConfDirVersion 754

    $MDSVERUTIL CpdbUpParam 755

    $MDSVERUTIL CPprofileDir 756

    $MDSVERUTIL CPVer 757

    $MDSVERUTIL CustomersBaseDir 758

    $MDSVERUTIL DiskSpaceFactor 759

    $MDSVERUTIL InstallationLogDir 760

    $MDSVERUTIL IsIPv6Enabled 761

    $MDSVERUTIL IsLegalVersion 762

    $MDSVERUTIL IsOsSupportsIPv6 763


    $MDSVERUTIL LatestVersion 764

    $MDSVERUTIL MDSAddonDir 765

    $MDSVERUTIL MDSCompDir 766

    $MDSVERUTIL MDSDir 767

    $MDSVERUTIL MDSFgDir 768

    $MDSVERUTIL MDSFwbcDir 769

    $MDSVERUTIL MDSFwDir 770

    $MDSVERUTIL MDSIp 771

    $MDSVERUTIL MDSIp6 772

    $MDSVERUTIL MDSLogExporterDir 773

    $MDSVERUTIL MDSLogIndexerDir 774

    $MDSVERUTIL MDSPkgName 775

    $MDSVERUTIL MDSRegistryDir 776

    $MDSVERUTIL MDSReporterDir 777

    $MDSVERUTIL MDSSmartLogDir 778

    $MDSVERUTIL MDSSvnDir 779

    $MDSVERUTIL MDSVarCompDir 780

    $MDSVERUTIL MDSVarDir 781

    $MDSVERUTIL MDSVarFwbcDir 782

    $MDSVERUTIL MDSVarFwDir 783

    $MDSVERUTIL MDSVarSvnDir 784

    $MDSVERUTIL MSP 785

    $MDSVERUTIL OfficialName 786

    $MDSVERUTIL OptionPack 787

    $MDSVERUTIL ProductName 788

    $MDSVERUTIL RegistryCurrentVer 789

    $MDSVERUTIL ShortOfficialName 790

    $MDSVERUTIL SmartCenterPuvUpgradeParam 791

    $MDSVERUTIL SP 792

    $MDSVERUTIL SVNPkgName 793

    $MDSVERUTIL SvrDirectory 794

    $MDSVERUTIL SvrParam 795

    Creating a Domain Management Server with the 'mgmt_cli' Command 796


    SmartProvisioning Commands 797

    Managing Security through API 798

    API 798

    API Tools 798

    Configuring the API Server 798

    Check Point LSMcli Overview 800

    SmartLSM Security Gateway Management Actions 802

    LSMcli AddROBO VPN1 803

    LSMcli ModifyROBO VPN1 805

    LSMcli ModifyROBOManualVPNDomain 807

    LSMcli ModifyROBOTopology VPN1 808

    LSMcli ModifyROBOInterface VPN1 809

    LSMcli AddROBOInterface VPN1 810

    LSMcli DeleteROBOInterface VPN1 811

    LSMcli ExportIke 812

    LSMcli ResetIke 813

    LSMcli Remove 814

    LSMcli ResetSic 815

    LSMcli Show 816

    LSMcli ShowROBOTopology 818

    LSMcli UpdateCO 819

    SmartUpdate Actions 820

    LSMcli Install 821

    LSMcli Uninstall 823

    LSMcli Distribute 824

    LSMcli VerifyInstall 825

    LSMcli VerifyUpgrade 826

    LSMcli Upgrade 827

    LSMcli GetInfo 828

    LSMcli ShowInfo 829

    LSMcli ShowRepository 830

    LSMcli Stop 831

    LSMcli Start 832


    LSMcli Restart 833

    LSMcli Reboot 834

    LSMcli Push Actions 835

    LSMcli PushPolicy 836

    LSMcli PushDOs 837

    LSMcli GetStatus 838

    LSMcli Gateway Conversion Actions 839

    LSMcli Convert ROBO VPN1 840

    LSMcli Convert Gateway VPN1 842

    Managing SmartLSM Clusters with LSMcli 844

    LSMcli AddROBO VPN1Cluster 845

    LSMcli ModifyROBO VPN1Cluster 847

    LSMcli ModifyROBOTopology VPN1Cluster 848

    LSMcli ModifyROBONetaccess VPN1Cluster 849

    LSMcli AddClusterSubnetOverride VPN1Cluster 851

    LSMcli ModifyClusterSubnetOverride VPN1Cluster 853

    LSMcli DeleteClusterSubnetOverride VPN1Cluster 855

    LSMcli AddPrivateSubnetOverride VPN1ClusterMember 857

    LSMcli ModifyPrivateSubnetOverride VPN1ClusterMember 859

    LSMcli DeletePrivateSubnetOverride VPN1ClusterMember 861

    LSMcli RemoveCluster 863

    Using LSMcli Commands for Small Office Appliances 864

    LSMcli AddROBO 865

    LSMcli AddROBO Cluster 867

    Other LSMcli Commands for Small Office Appliances 869

    Security Gateway Commands 870

    comp_init_policy 871

    control_bootsec 874

    cp_conf 878

    cp_conf auto 881

    cp_conf corexl 883

    cp_conf fullha 885

    cp_conf ha 886


    cp_conf intfs 887

    cp_conf lic 888

    cp_conf sic 890

    cpconfig 892

    cpinfo 895

    cplic 896

    cplic check 898

    cplic contract 900

    cplic del 902

    cplic print 903

    cplic put 905

    cpprod_util 907

    cpstart 911

    cpstat 912

    cpstop 920

    cpview 921

    Overview of CPView 921

    CPView User Interface 921

    Using CPView 922

    dynamic_objects 923

    cpwd_admin 927

    cpwd_admin config 930

    cpwd_admin del 936

    cpwd_admin detach 937

    cpwd_admin exist 938

    cpwd_admin flist 939

    cpwd_admin getpid 941

    cpwd_admin kill 942

    cpwd_admin list 943

    cpwd_admin monitor_list 947

    cpwd_admin start 948

    cpwd_admin start_monitor 950

    cpwd_admin stop 951


    cpwd_admin stop_monitor 953

    fw 954

    fw -i 958

    fw amw 959

    fw ctl 962

    fw ctl arp 965

    fw ctl bench 966

    fw ctl block 968

    fw ctl chain 969

    fw ctl conn 971

    fw ctl conntab 973

    fw ctl cpasstat 977

    'fw ctl debug' and 'fw ctl kdebug' 978

    fw ctl dlpkstat 979

    fw ctl get 980

    fw ctl iflist 982

    fw ctl install 983

    fw ctl leak 984

    fw ctl pstat 988

    fw ctl set 991

    fw ctl tcpstrstat 993

    fw ctl uninstall 995

    fw defaultgen 996

    fw fetch 998

    fw fetchlogs 1000

    fw getifs 1002

    fw hastat 1003

    fw isp_link 1004

    fw kill 1005

    fw lichosts 1006

    fw log 1007

    fw logswitch 1016

    fw lslogs 1020


    fw mergefiles 1023

    fw monitor 1026

    fw repairlog 1056

    fw sam 1057

    fw sam_policy 1065

    fw sam_policy add 1068

    fw sam_policy batch 1081

    fw sam_policy del 1083

    fw sam_policy get 1086

    fw showuptables 1090

    fw stat 1091

    fw tab 1093

    fw unloadlocal 1100

    fw up_execute 1104

    fw ver 1107

    fwboot 1109

    fwboot bootconf 1111

    fwboot corexl 1116

    fwboot cpuid 1123

    fwboot default 1125

    fwboot fwboot_ipv6 1126

    fwboot fwdefault 1127

    fwboot ha_conf 1128

    fwboot ht 1129

    fwboot multik_reg 1132

    fwboot post_drv 1134

    sam_alert 1135

    stattest 1139

    usrchk 1142

    ClusterXL Commands 1147

    ClusterXL Configuration Commands 1148

    Configuring the Cluster Member ID Mode in Local Logs 1152

    Registering a Critical Device 1153


    Unregistering a Critical Device 1155

    Reporting the State of a Critical Device 1156

    Registering Critical Devices Listed in a File 1157

    Unregistering All Critical Devices 1159

    Configuring the Cluster Control Protocol (CCP) Settings 1160

    Initiating Manual Cluster Failover 1161

    Configuring the Minimal Number of Required Slave Interfaces for Bond Load Sharing 1165

    Configuring Link Monitoring on the Cluster Interfaces 1166

    Configuring the Multi-Version Cluster Mechanism 1169

    ClusterXL Monitoring Commands 1170

    Viewing Cluster State 1175

    Viewing Critical Devices 1180

    Viewing Cluster Interfaces 1187

    Viewing Bond Interfaces 1192

    Viewing Cluster Failover Statistics 1197

    Viewing Software Versions on Cluster Members 1199

    Viewing Delta Synchronization 1200

    Viewing IGMP Status 1207

    Viewing Cluster Delta Sync Statistics for Connections Table 1208

    Viewing Cluster IP Addresses 1209

    Viewing the Cluster Member ID Mode in Local Logs 1210

    Viewing Interfaces Monitored by RouteD 1211

    Viewing Roles of RouteD Daemon on Cluster Members 1212

    Viewing Cluster Correction Statistics 1213

    Viewing the Cluster Control Protocol (CCP) Settings 1215

    Viewing Latency and Drop Rate of Interfaces 1216

    Viewing the State of the Multi-Version Cluster Mechanism 1217

    Viewing Full Connectivity Upgrade Statistics 1218

    cpconfig 1219

    cphastart 1222

    cphastop 1223

    cp_conf fullha 1224

    cp_conf ha 1225


    fw hastat 1226

    fwboot ha_conf 1227

    The clusterXL_admin Script 1228

    The clusterXL_monitor_ips Script 1232

    The clusterXL_monitor_process Script 1236

    SecureXL Commands 1240

    'fwaccel' and 'fwaccel6' 1241

    fwaccel cfg 1244

    fwaccel conns 1247

    fwaccel dbg 1251

    fwaccel dos 1257

    fwaccel dos blacklist 1259

    fwaccel dos config 1261

    fwaccel dos pbox 1267

    fwaccel dos rate 1272

    fwaccel dos stats 1274

    fwaccel dos whitelist 1276

    fwaccel feature 1281

    fwaccel off 1284

    fwaccel on 1288

    fwaccel ranges 1292

    fwaccel stat 1298

    fwaccel stats 1304

    Description of the Statistics Counters in the "fwaccel stats" Output 1306

    Example Outputs on the "fwaccel stats" Commands 1312

    fwaccel synatk 1327

    fwaccel synatk -a 1330

    fwaccel synatk -c 1331

    fwaccel synatk -d 1332

    fwaccel synatk -e 1333

    fwaccel synatk -g 1334

    fwaccel synatk -m 1335

    fwaccel synatk -t 1336


    fwaccel synatk config 1337

    fwaccel synatk monitor 1340

    fwaccel synatk state 1345

    fwaccel synatk whitelist 1347

    fwaccel tab 1352

    fwaccel templates 1356

    fwaccel ver 1360

    'sim' and 'sim6' 1361

    sim affinity 1363

    sim affinityload 1366

    sim enable_aesni 1367

    sim if 1368

    sim nonaccel 1372

    sim ver 1374

    fw sam_policy 1375

    fw sam_policy add 1378

    fw sam_policy batch 1391

    fw sam_policy del 1393

    fw sam_policy get 1396

    The /proc/ppk/ and /proc/ppk6/ entries 1400

    /proc/ppk/affinity 1402

    /proc/ppk/conf 1403

    /proc/ppk/conns 1404

    /proc/ppk/cpls 1405

    /proc/ppk/cqstats 1406

    /proc/ppk/drop_statistics 1407

    /proc/ppk/ifs 1408

    /proc/ppk/mcast_statistics 1412

    /proc/ppk/nac 1413

    /proc/ppk/notify_statistics 1414

    /proc/ppk/profile_cpu_stat 1415

    /proc/ppk/rlc 1416

    /proc/ppk/statistics 1417


    /proc/ppk/stats 1419

    /proc/ppk/viol_statistics 1420

    SecureXL Debug 1421

    fwaccel dbg 1422

    SecureXL Debug Procedure 1428

    SecureXL Debug Modules and Debug Flags 1432

    CoreXL Commands 1440

    cp_conf corexl 1441

    dynamic_split 1443

    fw ctl multik 1445

    fw ctl multik add_bypass_port 1448

    fw ctl multik del_bypass_port 1450

    fw ctl multik dynamic_dispatching 1452

    fw ctl multik gconn 1453

    fw ctl multik get_instance 1458

    fw ctl multik print_heavy_conn 1460

    fw ctl multik prioq 1462

    fw ctl multik show_bypass_ports 1463

    fw ctl multik stat 1464

    fw ctl multik start 1466

    fw ctl multik stop 1467

    fw ctl multik utilize 1468

    fw ctl affinity 1469

    Running the 'fw ctl affinity -l' command in Gateway Mode 1470

    Running the 'fw ctl affinity -l' command in VSX Mode 1474

    Running the 'fw ctl affinity -s' command in Gateway Mode 1477

    Running the 'fw ctl affinity -s' command in VSX Mode 1481

    fw -i 1485

    fwboot bootconf 1486

    fwboot corexl 1491

    fwboot cpuid 1498

    fwboot ht 1500

    fwboot multik_reg 1503


    fwboot post_drv 1505

    Multi-Queue Commands 1506

    mq_mng 1507

    Identity Awareness Commands 1510

    adlog 1511

    adlog control 1513

    adlog dc 1515

    adlog debug 1516

    adlog query 1517

    adlog statistics 1518

    pdp 1519

    pdp ad 1521

    General Syntax 1521

    The 'pdp ad associate' command 1521

    The 'pdp ad disassociate' command 1522

    pdp auth 1523

    pdp broker 1527

    pdp conciliation 1531

    pdp connections 1533

    pdp control 1534

    pdp debug 1535

    pdp idc 1538

    pdp idp 1540

    pdp ifmap 1541

    pdp monitor 1543

    pdp muh 1545

    pdp nested_groups 1546

    pdp network 1547

    pdp radius 1548

    pdp status 1552

    pdp tasks_manager 1553

    pdp timers 1554

    pdp topology_map 1555


    pdp tracker 1556

    pdp update 1557

    pdp vpn 1558

    pep 1559

    pep control 1560

    pep debug 1561

    pep show 1563

    pep tracker 1566

    test_ad_connectivity 1567

    VPN Commands 1571

    vpn 1572

    vpn check_ttm 1576

    vpn compreset 1577

    vpn compstat 1578

    vpn crl_zap 1579

    vpn crlview 1580

    vpn debug 1582

    vpn dll 1586

    vpn drv 1587

    vpn dump_psk 1588

    vpn ipafile_check 1589

    vpn ipafile_users_capacity 1590

    vpn macutil 1591

    vpn mep_refresh 1592

    vpn neo_proto 1593

    vpn nssm_toplogy 1594

    vpn overlap_encdom 1595

    vpn rim_cleanup 1596

    vpn rll 1597

    vpn set_slim_server 1598

    vpn set_snx_encdom_groups 1599

    vpn set_trac 1600

    vpn shell 1601


    vpn show_tcpt 1608

    vpn sw_topology 1609

    vpn tu 1610

    vpn tu del 1612

    vpn tu list 1615

    vpn tu mstats 1617

    vpn tu tlist 1618

    vpn ver 1620

    mcc 1621

    mcc add 1623

    mcc add2main 1624

    mcc del 1625

    mcc lca 1626

    mcc main2add 1627

    mcc show 1628

    Mobile Access Commands 1630

    admin_wizard 1631

    cvpnd_admin 1635

    cvpnd_settings 1638

    cvpn_ver 1640

    cvpnrestart 1641

    cvpnstart 1642

    cvpnstop 1643

    deleteUserSettings 1644

    fwpush 1645

    ics_updates_script 1649

    listusers 1650

    rehash_ca_bundle 1651

    UserSettingsUtil 1652

    Data Loss Prevention Commands 1654

    dlpcmd 1655

    VSX Commands 1658

    cpconfig 1659


    vsenv 1662

    vsx 1663

    vsx fetch 1665

    vsx fetch_all_cluster_policies 1667

    vsx fetchvs 1668

    vsx get 1669

    vsx initmsg 1670

    vsx mstat 1671

    vsx resctrl 1675

    vsx showncs 1678

    vsx sicreset 1679

    vsx stat 1680

    vsx unloadall 1682

    vsx vspurge 1683

    vsx_util 1684

    vsx_util add_member 1687

    vsx_util change_interfaces 1689

    vsx_util change_mgmt_ip 1692

    vsx_util change_mgmt_subnet 1693

    vsx_util change_private_net 1694

    vsx_util convert_cluster 1695

    vsx_util reconfigure 1696

    vsx_util remove_member 1701

    vsx_util show_interfaces 1702

    vsx_util upgrade 1704

    vsx_util view_vs_conf 1705

    vsx_util vsls 1708

    vsx_provisioning_tool 1709

    Transactions 1712

    vsx_provisioning_tool Commands 1713

    Explicit Transaction Commands 1714

    Adding a VSX Gateway 1715

    Adding a VSX Cluster 1717


    Adding a Virtual Device 1720

    Deleting a Virtual Device 1723

    Modifying Settings of a Virtual Device 1724

    Adding an Interface to a Virtual Device 1727

    Removing an Interface from a Virtual Device 1731

    Modifying Settings of an Interface 1733

    Adding a Route 1736

    Removing a Route 1738

    Showing Virtual Device Data 1740

    Script Examples 1741

    Example 1 1741

    Example 2 1742

    Example 3 1742

    QoS Commands 1743

    etmstart 1744

    etmstop 1745

    fgate 1746

    IPS Commands 1754

    ips 1755

    ips bypass 1757

    ips debug 1759

    ips off 1760

    ips on 1761

    ips pmstats 1762

    ips refreshcap 1763

    ips stat 1764

    ips stats 1765

    Running Check Point Commands in Shell Scripts 1768

    Working with Kernel Parameters on Security Gateway 1769

    Introduction to Kernel Parameters 1769

    Firewall Kernel Parameters 1770

    Working with Integer Kernel Parameters 1771

    Working with String Kernel Parameters 1776


    SecureXL Kernel Parameters 1779

  • Glossary

    CLI R80.40 ReferenceGuide      |      30

    Glossary3

    3rd party ClusterCluster of Check Point Security Gateways that work together in a redundantconfiguration. These Check Point Security Gateways are installed on X-Series XOS, orIPSO OS. VRRP Cluster on Gaia OS is also considered a 3rd party cluster. The 3rdparty cluster handles the traffic, and Check Point Security Gateways perform only StateSynchronization.

    A

    Accelerated PathPacket flow on the Host appliance, when the packet is completely handled by theSecureXL device. It is processed and forwarded to the network.

    Access RoleAccess Role objects let you configure network access according to: Networks, Usersand user groups, Computers and computer groups, Remote Access Clients. After youactivate the Identity Awareness Software Blade, you can create Access Role objectsand use them in the Source and Destination columns of Access Control Policy rules.

    ActiveState of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to thestate of the Security Gateway component (2) In 3rd party / OPSEC cluster, this appliesto the state of the cluster State Synchronization mechanism.

    Active-ActiveA cluster mode, where cluster members are located in different geographical areas(different sites, different availability zones). Administrator configures Dynamic Routingon each cluster member, so it becomes a router in the applicable area or autonomoussystem on the site. The IP addresses of the interfaces on each cluster member are ondifferent networks (including the Sync interfaces). Each cluster member inspects alltraffic routed to it and synchronizes the recorded connections to its peer clustermembers. The traffic is not balanced between the cluster members.

  • Glossary

    CLI R80.40 ReferenceGuide      |      31

    Active DirectoryMicrosoft® directory information service. Stores data about user, computer, and serviceidentities for authentication and access. Acronym: AD.

    Active Domain ServerThe only Domain Management Server in a High Availability deployment that canmanage a specified Domain.

    Active UpClusterXL in High Availability mode that was configured as Maintain current activeCluster Member in the cluster object in SmartConsole: (1) If the current Active memberfails for some reason, or is rebooted (for example, Member_A), then failover occursbetween Cluster Members - another Standby member will be promoted to be Active (forexample, Member_B). (2) When former Active member (Member_A) recovers from afailure, or boots, the former Standby member (Member_B) will remain to be in Activestate (and Member_A will assume the Standby state).

    Active(!)In ClusterXL, state of the Active Cluster Member that suffers from a failure. A problemwas detected, but the Cluster Member still forwards packets, because it is the onlymember in the cluster, or because there are no other Active members in the cluster. Inany other situation, the state of the member is Down. Possible states: ACTIVE(!),ACTIVE(!F) - Cluster Member is in the freeze state, ACTIVE(!P) - This is the PivotCluster Member in Load Sharing Unicast mode, ACTIVE(!FP) - This is the Pivot ClusterMember in Load Sharing Unicast mode and it is in the freeze state.

    Active/ActiveSee "Load Sharing".

    Active/StandbySee "High Availability".

    AD QueryCheck Point clientless identity acquisition tool. It is based on Active Directoryintegration and it is completely transparent to the user. The technology is based onquerying the Active Directory Security Event Logs and extracting the user and computermapping to the network address from them. It is based on Windows ManagementInstrumentation (WMI), a standard Microsoft protocol. The Check Point SecurityGateway communicates directly with the Active Directory domain controllers and doesnot require a separate server. No installation is necessary on the clients, or on theActive Directory server.

  • Glossary

    CLI R80.40 ReferenceGuide      |      32

    Administrator
    A user with permissions to manage Check Point security products and the network environment.

    Affinity
    The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.

    Anti-Bot
    Check Point Software Blade that inspects network traffic for malicious bot software.

    Anti-Virus
    Check Point Software Blade that protects networks against self-propagating programs or processes that can cause damage.

    API
    In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. In general terms, it is a set of clearly defined methods of communication between various software components.

    Appliance
    A physical computer manufactured and distributed by Check Point.

    ARP Forwarding
    Forwarding of ARP Request and ARP Reply packets between Cluster Members by encapsulating them in Cluster Control Protocol (CCP) packets. Introduced in R80.10 version. For details, see sk111956.

    Ask
    UserCheck rule action that blocks traffic and files and shows a UserCheck message. The user can agree to allow the activity.

    Audit Log
    A record of an action that is done by an Administrator.


    B

    Backup
    (1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be promoted to Master state (if Master member fails). (2) In VSX Cluster configured in Virtual System Load Sharing mode with three or more Cluster Members - State of a Virtual System on a third (and so on) VSX Cluster Member. (3) A Cluster Member or Virtual System in this state does not process any traffic passing through cluster.

    Blocking Mode
    Cluster operation mode, in which Cluster Member does not forward any traffic (for example, caused by a failure).

    Bond
    A virtual interface that contains (enslaves) two or more physical interfaces for redundancy and load sharing. The physical interfaces share one IP address and one MAC address. See "Link Aggregation".

    Bonding
    See "Link Aggregation".

    Bot
    Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions.

    Bridge Mode
    A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology.

    Browser-Based Authentication
    Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to which users connect with their web browser to log in and authenticate.

    Burstiness
    Data that is transferred or transmitted in short, uneven spurts. LAN traffic is typically bursty. Opposite of streaming data.


    C

    CA
    Certificate Authority. Issues certificates to gateways, users, or computers, to identify itself to connecting entities with Distinguished Name, public key, and sometimes IP address. After certificate validation, entities can send encrypted data using the public keys in the certificates.

    Captive Portal
    A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.

    CCP
    See "Cluster Control Protocol".

    Certificate
    An electronic document that uses a digital signature to bind a cryptographic public key to a specific identity. The identity can be an individual, organization, or software entity. The certificate is used to authenticate one identity to another.

    Cisco ISE
    Cisco Identity Services Engine is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches. The purpose is to simplify identity management across diverse devices and applications.

    Cluster
    Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.

    Cluster Control Protocol
    Proprietary Check Point protocol that runs between Cluster Members on UDP port 8116, and has the following roles: (1) State Synchronization (Delta Sync), (2) Health checks (state of Cluster Members and of cluster interfaces): Health-status Reports, Cluster-member Probing, State-change Commands, Querying for cluster membership. Note: CCP is located between the Check Point Firewall kernel and the network interface (therefore, only TCPdump should be used for capturing this traffic). Acronym: CCP.


    Cluster Correction Layer
    Proprietary Check Point mechanism that deals with asymmetric connections in Check Point cluster. The CCL provides connections stickiness by "correcting" the packets to the correct Cluster Member: In most cases, the CCL makes the correction from the CoreXL SND; in some cases (like Dynamic Routing, or VPN), the CCL makes the correction from the Firewall or SecureXL. Acronym: CCL.

    Cluster Interface
    An interface on a Cluster Member, whose Network Type was set as Cluster in SmartConsole in cluster object. This interface is monitored by cluster, and failure on this interface will cause cluster failover.

    Cluster Member
    A Security Gateway that is part of a cluster.

    Cluster Mode
    Configuration of Cluster Members to work in these redundant modes: (1) One Cluster Member processes all the traffic - High Availability or VRRP mode (2) All traffic is processed in parallel by all Cluster Members - Load Sharing.

    Cluster Topology
    Set of interfaces on all members of a cluster and their settings (Network Objective, IP address/Net Mask, Topology, Anti-Spoofing, and so on).

    ClusterXL
    Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic.

    Cooperative Enforcement
    Integration of Endpoint Security server compliance to verify internal network connections.

    CoreXL
    A performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores.


    CoreXL Dynamic Dispatcher
    Improved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXL Firewall instances. Traffic distribution between CoreXL Firewall instances is dynamically based on the utilization of CPU cores, on which the CoreXL Firewall instances are running. The dynamic decision is made for first packets of connections, by assigning each of the CoreXL Firewall instances a rank, and selecting the CoreXL Firewall instance with the lowest rank. The rank for each CoreXL Firewall instance is calculated according to its CPU utilization. The higher the CPU utilization, the higher the CoreXL Firewall instance's rank is, hence this CoreXL Firewall instance is less likely to be selected by the CoreXL SND. See sk105261.

    CoreXL Firewall Instance
    Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one processing CPU core. These firewall instances handle traffic at the same time, and each firewall instance is a complete and independent firewall inspection kernel.

    CoreXL SND
    Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming traffic from the network interfaces; Securely accelerating authorized packets (if SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel instances (SND maintains global dispatching table, which maps connections that were assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall instances is statically based on Source IP addresses, Destination IP addresses, and the IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick to a particular FWK daemon is done at the first packet of connection on a very high level, before anything else. Depending on the SecureXL settings, and in most of the cases, the SecureXL can be offloading decryption calculations. However, in some other cases, such as with Route-Based VPN, it is done by FWK daemon.

    Correlation Unit
    A SmartEvent software component that analyzes logs and detects events.

    CPHA
    General term in Check Point Cluster that stands for Check Point High Availability (historic fact: the first release of ClusterXL supported only High Availability) that is used only for internal references (for example, inside kernel debug) to designate ClusterXL infrastructure.


    CPUSE
    Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449.

    Critical Device
    Also known as a Problem Notification, or pnote. A special software device on each Cluster Member, through which the critical aspects for cluster operation are monitored. When the critical monitored component on a Cluster Member fails to report its state on time, or when its state is reported as problematic, the state of that member is immediately changed to Down. The complete list of the configured critical devices (pnotes) is printed by the 'cphaprob -ia list' command or 'show cluster members pnotes all' command.

    Custom Report
    A user defined report for a Check Point product, typically based on a predefined report.

    D

    DAIP Gateway
    A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the IP address of the external interface is assigned dynamically by the ISP.

    Data Loss Prevention
    Check Point Software Blade that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP.

    Data Type
    A classification of data. The Firewall classifies incoming and outgoing traffic according to Data Types, and enforces the Policy accordingly.

    Database
    The Check Point database includes all objects, including network objects, users, services, servers, and protection profiles.

    Dead
    State reported by a Cluster Member when it goes out of the cluster (due to 'cphastop' command (which is a part of 'cpstop'), or reboot).


    Decision Function
    A special cluster algorithm applied by each Cluster Member on the incoming traffic in order to decide, which Cluster Member should process the received packet. Each Cluster Member maintains a table of hash values generated based on the connection tuple (source and destination IP addresses/Ports, and Protocol number).

    Dedicated Management Interface
    A separate physical interface on VSX Gateway or VSX Cluster Members, through which Check Point Security Management Server or Multi-Domain Server connects directly to VSX Gateway or VSX Cluster Members. DMI is restricted to management traffic, such as provisioning, logging and monitoring. Acronym: DMI.

    Delta Sync
    Synchronization of kernel tables between all working Cluster Members - exchange of CCP packets that carry pieces of information about different connections and operations that should be performed on these connections in relevant kernel tables. This Delta Sync process is performed directly by Check Point kernel. While performing Full Sync, the Delta Sync updates are not processed but are saved in kernel memory. After Full Sync is complete, the Delta Sync packets stored during the Full Sync phase are applied by order of arrival.

    Delta Sync Retransmission
    It is possible that Delta Sync packets will be lost or corrupted during the Delta Sync operations. In such cases, it is required to make sure the Delta Sync packet is re-sent. The Cluster Member requests the sending Cluster Member to retransmit the lost/corrupted Delta Sync packet. Each Delta Sync packet has a sequence number. The sending member has a queue of sent Delta Sync packets. Each Cluster Member has a queue of packets sent from each of the peer Cluster Members. If, for any reason, a Delta Sync packet was not received by a Cluster Member, it can ask for a retransmission of this packet from the sending member. The Delta Sync retransmission mechanism is somewhat similar to a TCP Window and TCP retransmission mechanism. When a member requests retransmission of a Delta Sync packet, which no longer exists on the sending member, the member prints a console message that the sync is not complete.
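A model of the retransmission mechanism this entry describes (sequence numbers, a bounded queue of sent packets on the sender, a receiver that asks for the gaps it notices and reports when a packet has already aged out), added here as an illustration; it is not Check Point's code, and the queue depth, the class names and the 'conn-N' updates are constructed assumptions.

```python
from collections import deque
from typing import Optional

SENT_QUEUE_DEPTH = 4  # assumed depth of the sender's queue of already-sent packets


class SyncSender:
    """Cluster Member that sends Delta Sync packets, each with a sequence number."""

    def __init__(self, depth: int = SENT_QUEUE_DEPTH) -> None:
        self.next_seq = 0
        # Queue of sent packets; when it is full the oldest packet is discarded and
        # can no longer be retransmitted.
        self.sent: deque = deque(maxlen=depth)

    def send(self, update: str) -> tuple:
        pkt = (self.next_seq, update)
        self.sent.append(pkt)
        self.next_seq += 1
        return pkt

    def retransmit(self, seq: int) -> Optional[tuple]:
        """Return the packet with this sequence number, or None if it aged out."""
        for pkt in self.sent:
            if pkt[0] == seq:
                return pkt
        return None


class SyncReceiver:
    """Peer Cluster Member that applies Delta Sync packets in sequence order."""

    def __init__(self) -> None:
        self.expected_seq = 0
        self.applied: list = []   # updates applied to the kernel tables, in order
        self.pending: dict = {}   # received out of order, held until the gap closes
        self.lost: set = set()    # sequence numbers that could not be recovered
        self.messages: list = []  # console messages

    def receive(self, pkt: tuple, sender: SyncSender) -> None:
        seq, update = pkt
        if seq < self.expected_seq or seq in self.pending:
            return  # duplicate of something already applied or held
        self.pending[seq] = update
        # A jump in sequence numbers reveals the packets lost on the wire: ask the
        # sender for each of them, much like a TCP receiver asking for a lost segment.
        for missing in range(self.expected_seq, seq):
            if missing in self.pending or missing in self.lost:
                continue
            resent = sender.retransmit(missing)
            if resent is None:
                self.lost.add(missing)
                self.messages.append(
                    f"sync is not complete: packet {missing} no longer exists on the sending member")
            else:
                self.pending[missing] = resent[1]
        self._apply_in_order()

    def _apply_in_order(self) -> None:
        while True:
            if self.expected_seq in self.pending:
                self.applied.append(self.pending.pop(self.expected_seq))
            elif self.expected_seq in self.lost:
                self.lost.discard(self.expected_seq)  # skip it: the table stays incomplete
            else:
                break
            self.expected_seq += 1


def run_scenario(drop: set, depth: int = SENT_QUEUE_DEPTH, total: int = 8) -> tuple:
    """Send `total` constructed updates, lose the listed sequence numbers on the wire,
    and return (updates applied by the receiver, console messages)."""
    sender, receiver = SyncSender(depth), SyncReceiver()
    for i in range(total):
        pkt = sender.send(f"conn-{i}")
        if pkt[0] in drop:
            continue  # lost in transit; the receiver notices at the next packet
        receiver.receive(pkt, sender)
    return receiver.applied, receiver.messages


if __name__ == "__main__":
    print(run_scenario({2}))              # one loss, recovered from the sender's queue
    print(run_scenario({1, 2, 3, 4, 5}))  # a burst of losses; the oldest ones aged out
```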

    Detect
    UserCheck rule action that allows traffic and files to enter the internal network and logs them.

    Distributed Deployment
    The Check Point Security Gateway and Security Management Server products are deployed on different computers.


    Domain
    A network or a collection of networks related to an entity, such as a company, business unit or geographical location.

    Domain Log Server
    A Log Server for a specified Domain. It stores and processes logs from Security Gateways that are managed by the corresponding Domain Management Server. Acronym: DLS.

    Domain Management Server
    A virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS.

    Down
    State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster.

    Dying
    State of a Cluster Member as assumed by peer members, if it did not report its state for 0.7 second.

    E

    Event
    A record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy.

    Event Correlation
    A procedure that extracts, aggregates, correlates and analyzes events from the logs.

    Event Policy
    A set of rules that define the behavior of SmartEvent.

    Expert Mode
    The name of the full command line shell that gives full system root permissions in the Check Point Gaia operating system.


    External Network
    Computers and networks that are outside of the protected network.

    External Users
    Users defined on external servers. External users are not defined in the Security Management Server database or on an LDAP server. External user profiles tell the system how to identify and authenticate externally defined users.

    F

    F2F
    Denotes non-VPN connections that SecureXL forwarded to firewall. See "Firewall Path".

    Failback in Cluster
    Also, Fallback. Recovery of a Cluster Member that suffered from a failure. The state of a recovered Cluster Member is changed from Down to either Active, or Standby (depending on Cluster Mode).

    Failed Member
    A Cluster Member that cannot send or accept traffic because of a hardware or software problem.

    Failover
    Also, Fail-over. Transferring of control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms).

    Failure
    A hardware or software problem that causes a Security Gateway to be unable to serve as a Cluster Member (for example, one of the cluster interfaces has failed, or one of the monitored daemons has crashed). A Cluster Member that suffered from a failure is declared as failed, and its state is changed to Down (a physical interface is considered Down only if all configured VLANs on that physical interface are Down).

    Firewall
    The software and hardware that protects a computer network by analyzing the incoming and outgoing network traffic (packets).


    Firewall Path
    Also Slow Path. Packet flow on the Host Security Appliance, when the SecureXL device is unable to process the packet (see sk32578). The packet is passed to the CoreXL layer and then to one of the CoreXL Firewall instances for full processing. This path also processes all packets when SecureXL is disabled.

    Flapping
    Repeated changes in the state of either cluster interfaces (cluster interface flapping), or Cluster Members (Cluster Member flapping). Such repeated changes in the state are seen in the 'Logs & Monitor' > 'Logs' (if in SmartConsole > cluster object, the cluster administrator set the 'Track changes in the status of cluster members' to 'Log').

    Flush and ACK
    Also, FnA, F&A. The Cluster Member forces out the Delta Sync packet about the incoming packet, waits for acknowledgments from all other Active members, and only then allows the incoming packet to pass through. In some scenarios, it is required that some information, written into the kernel tables, will be Sync-ed promptly, or else a race condition can occur. The race condition may occur if a packet that caused a certain change in kernel tables left Member_A toward its destination and then the return packet tries to go through Member_B. In general, this kind of situation is called asymmetric routing. What may happen in this scenario is that the return packet arrives at Member_B before the changes induced by this packet were Sync-ed to this Member_B. Example of such a case is when a SYN packet goes through Member_A, causing multiple changes in the kernel tables and then leaves to a server. The SYN-ACK packet from a server arrives at Member_B, but the connection itself was not Sync-ed yet. In this condition, the Member_B will drop the packet as an Out-of-State packet (First packet isn't SYN). In order to prevent such conditions, it is possible to use the "Flush and ACK" (F&A) mechanism. This mechanism can send the Delta Sync packets with all the changes accumulated so far in the Sync buffer to the other Cluster Members, hold the original packet that induced these changes and wait for acknowledgment from all other (Active) Cluster Members that they received the information in the Delta Sync packet. When all acknowledgments arrived, the mechanism will release the held original packet. This ensures that by the time the return packet arrived from a server at the cluster, all the Cluster Members are aware of the connection. F&A is being operated at the end of the Inbound chain and at the end of the Outbound chain (it is more common at the Outbound).
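The SYN / SYN-ACK race described above and its prevention by F&A, as an added Python simulation that is not part of the original guide; the packet, member and cluster classes, the addresses, and the explicit Sync delivery step are constructed assumptions standing in for the kernel tables and the CCP Sync network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN" or "SYN-ACK" (constructed; only the two flags this scenario needs)

    def conn_key(self) -> frozenset:
        # Direction-independent key, so the SYN-ACK matches the entry created by the SYN.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


class Member:
    """Cluster Member with a connections table and a buffer of not-yet-sent Sync updates."""

    def __init__(self, name: str, cluster: "Cluster") -> None:
        self.name = name
        self.cluster = cluster
        self.connections: set = set()  # stands in for the kernel connections table
        self.sync_buffer: list = []    # changes not yet carried in a Delta Sync packet
        self.log: list = []

    def inbound(self, pkt: Packet, flush_and_ack: bool) -> str:
        key = pkt.conn_key()
        if pkt.flags == "SYN":
            self.connections.add(key)     # change in the kernel table
            self.sync_buffer.append(key)  # will be Sync-ed to the peers
            if flush_and_ack:
                # F&A: flush the Sync buffer now, hold this packet until every other
                # Active member has acknowledged the Delta Sync packet, then release it.
                self.cluster.flush(self)
                self.cluster.wait_for_acks(self)
            self.log.append(f"{self.name}: SYN accepted and forwarded")
            return "accept"
        if key in self.connections:
            self.log.append(f"{self.name}: SYN-ACK matched a known connection, accepted")
            return "accept"
        self.log.append(f"{self.name}: SYN-ACK dropped as Out-of-State (First packet isn't SYN)")
        return "drop"


class Cluster:
    """Members plus an in-memory Sync network whose delivery is an explicit step."""

    def __init__(self, names: list) -> None:
        self.members = {n: Member(n, self) for n in names}
        self.in_flight: list = []  # Delta Sync packets sent but not yet delivered

    def flush(self, sender: Member) -> None:
        if sender.sync_buffer:
            self.in_flight.append((sender, list(sender.sync_buffer)))
            sender.sync_buffer.clear()

    def deliver_sync(self) -> list:
        """Deliver every in-flight Delta Sync packet; return the acknowledging peers."""
        acks = []
        for sender, updates in self.in_flight:
            for peer in self.members.values():
                if peer is not sender:
                    peer.connections.update(updates)
                    acks.append(peer.name)
        self.in_flight.clear()
        return acks

    def wait_for_acks(self, sender: Member) -> None:
        """Block (here: deliver synchronously) until all other members acknowledged."""
        acked = set(self.deliver_sync())
        others = {n for n in self.members if n != sender.name}
        assert others <= acked, "a peer did not acknowledge the Delta Sync packet"


def run_scenario(flush_and_ack: bool) -> tuple:
    """Asymmetric routing: the SYN leaves through Member_A, the SYN-ACK returns via Member_B.
    Returns (verdict of Member_B on the SYN-ACK, combined log). Addresses are constructed."""
    cluster = Cluster(["Member_A", "Member_B"])
    member_a, member_b = cluster.members["Member_A"], cluster.members["Member_B"]
    syn = Packet("10.1.1.10", "203.0.113.5", 40000, 443, "SYN")
    syn_ack = Packet("203.0.113.5", "10.1.1.10", 443, 40000, "SYN-ACK")
    member_a.inbound(syn, flush_and_ack)
    # The reply arrives before the periodic Delta Sync would have run.
    verdict = member_b.inbound(syn_ack, flush_and_ack)
    # The periodic Delta Sync finally runs (too late to help without F&A).
    cluster.flush(member_a)
    cluster.deliver_sync()
    return verdict, member_a.log + member_b.log


if __name__ == "__main__":
    for mode in (False, True):
        verdict, log = run_scenario(mode)
        print(f"Flush and ACK {'on ' if mode else 'off'}: {verdict} -> {log[-1]}")
```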

    Forwarding
    Process of transferring of an incoming traffic from one Cluster Member to another Cluster Member for processing. There are two types of forwarding the incoming traffic between Cluster Members - Packet forwarding and Chain forwarding. Also see "Forwarding Layer in Cluster" and "ARP Forwarding in Cluster".


    Forwarding Layer
    The Forwarding Layer is a ClusterXL mechanism that allows a Cluster Member to pass packets to peer Cluster Members, after they have been locally inspected by the firewall. This feature allows connections to be opened from a Cluster Member to an external host. Packets originated by Cluster Members are hidden behind the Cluster Virtual IP address. Thus, a reply from an external host is sent to the cluster, and not directly to the source Cluster Member. This can pose problems in the following situations: (1) The cluster is working in High Availability mode, and the connection is opened from the Standby Cluster Member. All packets from the external host are handled by the Active Cluster Member, instead. (2) The cluster is working in a Load Sharing mode, and the decision function has selected another Cluster Member to handle this connection. This can happen since packets directed at a Cluster IP address are distributed between Cluster Members as with any other connection. If a Cluster Member decides, upon the completion of the firewall inspection process, that a packet is intended for another Cluster Member, it can use the Forwarding Layer to hand the packet over to that Cluster Member. In High Availability mode, packets are forwarded over a Synchronization network directly to peer Cluster Members. It is important to use secured networks only, as encrypted packets are decrypted during the inspection process, and are forwarded as clear-text (unencrypted) data. In Load Sharing mode, packets are forwarded over a regular traffic network. Packets that are sent on the Forwarding Layer use a special source MAC address to inform the receiving Cluster Member that they have already been inspected by another Cluster Member. Thus, the receiving Cluster Member can safely hand over these packets to the local Operating System, without further inspection.

    Full High Availability
    Also, Full HA Cluster Mode. A special Cluster Mode (supported only on Check Point appliances running Gaia OS or SecurePlatform OS), where each Cluster Member also runs as a Security Management Server. This provides redundancy both between Security Gateways (only High Availability is supported) and between Security Management Servers (only High Availability is supported - see sk39345).


    Full Sync
    Process of full synchronization of applicable kernel tables by a Cluster Member from the working Cluster Member(s) when it tries to join the existing cluster. This process is meant to fetch a "snapshot" of the applicable kernel tables of already Active Cluster Member(s). Full Sync is performed during the initialization of Check Point software (during boot process, the first time the Cluster Member runs policy installation, during 'cpstart', during 'cphastart'). Until the Full Sync process completes successfully, this Cluster Member remains in the Down state, because until it is fully synchronized with other Cluster Members, it cannot function as a Cluster Member. Meanwhile, the Delta Sync packets continue to arrive, and the Cluster Member that tries to join the existing cluster, stores them in the kernel memory until the Full Sync completes. The whole Full Sync process is performed by fwd daemons on TCP port 256 over the Sync network (if it fails over the Sync network, it tries the other cluster interfaces). The information is sent by fwd daemons in chunks, while making sure they confirm getting the information before sending the next chunk. Also see "Delta Sync".

    G

    Gaia
    Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems.

    Gaia Clish
    The name of the default command line shell in Check Point Gaia operating system. This is a restrictive shell (role-based administration controls the number of commands available in the shell).

    Gaia Portal
    Web interface for Check Point Gaia operating system.

    Global Domain
    A Domain on a Multi-Domain Server, on which the Multi-Domain Server administrator creates and manages objects, security policies and settings that apply to the entire Multi-Domain Security Management environment.

    Global Objects
    For Multi-Domain Management, all network and other objects defined in the Global Domain.

    Global Policy
    All Policies defined in the Global Domain that can be assigned to Domains, or to specified groups of Domains.


    H

    HA not started
    Output of the 'cphaprob ' command or 'show cluster ' command on the Cluster Member. This output means that Check Point clustering software is not started on this Security Gateway (for example, this machine is not a part of a cluster, or 'cphastop' command was run, or some failure occurred that prevented the ClusterXL product from starting correctly).

    High Availability
    A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address (see sk50840). Acronym: HA.

    Hotfix
    A piece of software installed on top of the current software in order to fix some wrong or undesired behavior.

    HTU
    Stands for "HA Time Unit". All internal time in ClusterXL is measured in HTUs (the times in cluster debug also appear in HTUs). Formula in the Check Point software: 1 HTU = 10 x fwha_timer_base_res = 10 x 10 milliseconds = 100 ms.

    Hybrid
    Starting in R80.20, on Security Gateways with 40 or more CPU cores, Software Blades run in the user space (as 'fwk' processes). The Hybrid Mode refers to the state when you upgrade Cluster Members from R80.10 (or below) to R80.20 (or above). The Hybrid Mode is the state, in which the upgraded Cluster Members already run their Software Blades in the user space (as fwk processes), while other Cluster Members still run their Software Blades in the kernel space (represented by the fw_worker processes). In the Hybrid Mode, Cluster Members are able to synchronize the required information.

    I

    ICA
    Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication.


    ICAP Client
    The ICAP Client functionality in your Security Gateway or Cluster enables it to interact with ICAP Server responses (see RFC 3507), modify their content, and block the matched HTTP connections.

    ICAP Server
    The ICAP Server functionality in your Security Gateway or Cluster enables it to interact with ICAP Client requests, send the files for inspection, and return the verdict.

    Identity Agent
    Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are three types of Identity Agents - Full, Light and Custom. You can download the Full, Light and Custom Identity Agent package from the Captive Portal - 'https:///connect'. You can transfer the Full and Light Identity Agent package from the Identity Awareness Agents - 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk134312'.

    Identity Agent Configuration Utility
    Check Point utility that creates custom Identity Agent installation packages. This utility is installed as a part of the Identity Agent: go to the Windows Start menu > All Programs > Check Point > Identity Agent > right-click the 'Identity Agent' shortcut > select 'Properties' > click 'Open File Location' ('Find Target' in some Windows versions) > double-click 'IAConfigTool.exe'.

    Identity Agent Distributed Configuration Tool
    Check Point Identity Agent control tool for Windows-based client computers that are members of an Active Directory domain. The Distributed Configuration tool lets you configure connectivity and trust rules for Identity Agents - to which Identity Awareness Security Gateways the Identity Agent should connect, depending on its IPv4 / IPv6 address, or Active Directory Site. This tool is installed as a part of the Identity Agent: go to the Windows Start menu > All Programs > Check Point > Identity Agent > open the Distributed Configuration. Note - You must have administrative access to this Active Directory domain to allow automatic creation of new LDAP keys and writing.

    Identity Awareness
    Check Point Software Blade that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer.


    Identity Broker
    Identity Sharing mechanism between Identity Servers (PDP): (1) Communication channel between PDPs based on Web-API (2) Identity Sharing capabilities between PDPs - ability to add, remove, and update the identity session.

    Identity Collector
    Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from the Identity Awareness Agents - 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk134312'.

    Identity Collector Identity Sources
    Identity Sources for Check Point Identity Collector - Microsoft Active Directory Domain Controllers, Cisco Identity Services Engine (ISE) Servers, or NetIQ eDirectory Servers.

    Identity Collector Query Pool
    A list of Identity Sources for Check Point Identity Collector.

    Identity Server
    Check Point Security Gateway with enabled Identity Awareness Software Blade.

    IKE
    Internet Key Exchange. An Encryption key management protocol for IPSec that creates a shared key to encrypt and decrypt IP packets and establishes a VPN tunnel and Security Association.

    Indicator
    Pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.

    Init
    State of a Cluster Member in the phase after the boot and until the Full Sync completes. A Cluster Member in this state does not process any traffic passing through cluster.

    Inline Layer
    Set of rules used in another rule in Security Policy.


    Intelligent Queuing Engine
    A bandwidth allocation algorithm that guarantees high priority traffic takes precedence over low priority traffic.

    Internal Network
    Computers and resources protected by the Firewall and accessed by authenticated users.

    IP Tracking
    Collecting and saving of Source IP addresses and Source MAC addresses from incoming IP packets during the probing. IP tracking is useful for Cluster Members to determine whether the network connectivity of the Cluster Member is acceptable.

    IP Tracking Policy
    Internal setting that controls, which IP addresses should be tracked during IP tracking: (1) Only IP addresses from the subnet of cluster VIP, or from subnet of physical cluster interface (this is the default) (2) All IP addresses, also outside the cluster subnet.

    IPS
    Intrusion Prevention System. Check Point Software Blade that inspects and analyzes packets and data for numerous types of risks.

    IPv4
    Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each set can be from 0 - 255. For example, 192.168.2.1.

    IPv6
    Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets of hexadecimal numbers, each set can be from 0 - ffff. For example, FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.

    IRQ Affinity
    A state of binding an IRQ to one or more CPU cores.


    J

    Jitter
    Variation in the delay of received packets. On the sending side, packets are spaced evenly apart and sent in a continuous stream. On the receiving side, the delay between each packet can vary according to network congestion, improper queuing or configuration errors.

    Jumbo Hotfix Accumulator
    Collection of hotfixes combined into a single package. Acronyms: JHA, JHF.

    K

    Kerberos
    A computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.

    L

    Link Aggregation
    Technology that joins multiple physical interfaces together into one virtual interface, known as a bond interface. Also known as Interface Bonding.

    LLQ
    Low Latency Queuing is a feature developed by Cisco to bring strict priority queuing (PQ) to class-based weighted fair queuing (CBWFQ). LLQ allows delay-sensitive data (such as voice) to be given preferential treatment over other traffic by letting the data be dequeued and sent first.

    Load Sharing
    Also, Load Balancing mode. A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. See "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Acronym: LS.


    Load Sharing Multicast
    Load Sharing Cluster Mode, where all Cluster Members process all traffic in parallel. Each Cluster Member is assigned the equal load of [ 100% / number_of_members ]. The Cluster Virtual IP address (that represents the cluster on that network) is associated with Multicast MAC Address 01:00:5E:X:Y:Z (which is generated based on last 3 bytes of cluster Virtual IP address on that network). A ClusterXL decision algorithm (Decision Function) on all Cluster Members decides, which Cluster Member should process the given packet.

    Load Sharing Unicast
    Load Sharing Cluster Mode, where one Cluster Member (called Pivot) accepts all traffic. Then, the Pivot member decides to process this traffic, or to forward it to other non-Pivot Cluster Members. The traffic load is assigned to Cluster Members based on the hard-coded formula per the value of Pivot_overhead attribute (see sk34668). The Cluster Virtual IP address (that represents the cluster on that network) is associated with: (1) Physical MAC Address of Pivot member (2) Virtual MAC Address (see sk50840).

    Log
    A record of an action that is done by a Software Blade.

    Log Server
    A dedicated Check Point computer that runs Check Point software to store and process logs in Security Management Server or Multi-Domain Security Management environment.

    M

    Mail Transfer Agent
    A gateway feature that intercepts SMTP traffic and forwards it to the applicable inspection component.

    Main Domain Management Server
    A Domain Management Server on a Multi-Domain Server, on which you defined the object of your VSX Gateway or VSX Cluster. In this case, objects of your Virtual Systems are defined on different Domain Management Servers (Target Domain Management Servers).

    Malware Database
    The Check Point database of commonly used signatures, URLs, and their related reputations, installed on a Security Gateway and used by the ThreatSpect engine.


    Management High Availability
    Deployment and configuration mode of two Check Point Management Servers, in which they automatically synchronize the management databases with each other. In this mode, one Management Server is Active, and the other is Standby. Acronyms: Management HA, MGMT HA.

    Management Interface
    Interface on Gaia computer, through which users connect to Portal or CLI. Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member.

    Management Server
    A Check Point Security Management Server or a Multi-Domain Server.

    Master
    State of a Cluster Member that processes all traffic in cluster configured in VRRP mode.

    Medium Path (PXL)
    Packet flow on the Host Security Appliance, when the packet is handled by the SecureXL device. The CoreXL layer passes the packet to one of the CoreXL Firewall instances to process it. Even when CoreXL is disabled, the SecureXL uses the CoreXL infrastructure to send the packet to the single CoreXL Firewall instance that still functions. When the Medium Path is available, the SecureXL fully accelerates the TCP handshake. Rule Base match is achieved for the first packet through an existing connection acceleration template. The SecureXL also fully accelerates the TCP [SYN-ACK] and TCP [ACK] packets. However, once data starts to flow, to stream it for Content Inspection, an FWK instance now handles the packets. The SecureXL sends all packets that contain data to FWK for data extraction in order to build the data stream. Only the SecureXL handles the TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets, because they do not contain data that needs to be streamed. This path is available only when CoreXL is enabled. Exceptions are: IPS (some protections); VPN (in some configurations); Application Control; Content Awareness; Anti-Virus; Anti-Bot; HTTPS Inspection; Proxy mode; Mobile Access; VoIP; Web Portals.

    Mirror and Decrypt
    The Mirror and Decrypt feature on your Security Gateway or Cluster performs these actions: (1) Mirror only of all traffic - Clones all traffic (including HTTPS without decryption) that passes through, and sends it out of the designated physical interface. (2) Mirror and Decrypt of HTTPS traffic - Clones all HTTPS traffic that passes through, decrypts it, and sends it in clear-text out of the designated physical interface.


    Multi-Domain Log Server
    A computer that runs Check Point software to store and process logs in Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS.

    Multi-Domain Security Management
    A centralized management solution for large-scale, distributed environments with many different Domain networks.

    Multi-Domain Server
    A computer that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Acronym: MDS.

    Multi-Queue
    An acceleration feature on Security Gateway that lets you assign more than one packet queue and CPU core to an interface.

    Multi-Version Cluster
    The Multi-Version Cluster (MVC) mechanism lets you synchronize connections between cluster members that run different versions. This lets you upgrade to a newer version without a loss in connectivity and lets you test the new version on some of the cluster members before you decide to upgrade the rest of the cluster members.

    MVC
    See "Multi-Version Cluster".

    N

    NAC
    Network Access Control. This is an approach to computer security that attempts to unify endpoint security technology (such as Anti-Virus, Intrusion Prevention, and Vulnerability Assessment), user or system authentication and network security enforcement. Check Point's Network Access Control solution is called Identity Awareness Software Blade.

    Network Object
    Logical representation of every part of corporate topology (physical machine, software component, IP Address range, service, and so on).


    Network Objective
    Defines how the cluster will configure and monitor an interface - Cluster, Sync, Cluster+Sync, Monitored Private, Non-Monitored Private. Configured in SmartConsole > cluster object > 'Topology' pane > 'Network Objective'.

    Non-Blocking Mode
    Cluster operation mode, in which Cluster Member keeps forwarding all traffic.

    Non-Dedicated Management Interface
    A shared physical interface on VSX Gateway or VSX Cluster Members, which carries user "production" traffic and through which Check Point Security Management Server or Multi-Domain Server connects to VSX Gateway or VSX Cluster Members. Non-DMI configuration requires the use of a Virtual Router or Virtual Switch. Acronym: Non-DMI.

    Non-Monitored Interface
    An interface on a Cluster Member, whose Network Type was set as Private in SmartConsole, in cluster object.

    Non-Pivot
    A Cluster Member in the Unicast Load Sharing cluster that receives all packets from the Pivot Cluster Member.

    Non-Sticky Connection
    A connection is called non-sticky, if the reply packet returns via a different Cluster Member, than the original packet (for example, if network administrator has configured asymmetric routing). In Load Sharing mode, all Cluster Members are Active, and in Static NAT and encrypted connections, the Source and Destination IP addresses change. Therefore, Static NAT and encrypted connections through a Load Sharing cluster may be non-sticky.

    O

    Observable
    An event or a stateful property that can be observed in an operational cyber domain.

    Open Server
    A physical computer manufactured and distributed by a company, other than Check Point.


    P

    Packet Selection
    Distinguishing between different kinds of packets coming from the network, and selecting, which member should handle a specific packet (Decision Function mechanism): CCP packet from another member of this cluster; CCP packet from another cluster or from a Cluster Member with another version (usually older version of CCP); Packet is destined directly to this member; Packet is destined to another member of this cluster; Packet is intended to pass through this Cluster Member; ARP packets.

    PDP
    Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways.

    PEP
    Check Point Identity Awareness Security Gateway that acts as Policy Enforcement Point: receives identities via identity sharing; redirects users to Captive Portal.

    Permission Profile
    A predefined group of SmartConsole access permissions assigned to Domains and administrators. With this feature you can configure complex permissions for many administrators with one definition.

    Pingable Host
    Some host (that is, some IP address) that Cluster Members can ping during probing mechanism. Pinging hosts in an interface's subnet is one of the health checks that ClusterXL mechanism performs. This pingable host will allow the Cluster Members to determine with more precision what has failed (which interface on which member). On Sync network, usually, there are no hosts. In such case, if switch supports this, an IP address should be assigned on the switch (for example, in the relevant VLAN). The IP address of such pingable host should be assigned per this formula: IP_of_pingable_host = IP_of_physical_interface_on_member + ~10. Assigning the IP address to pingable host that is higher than the IP addresses of physical interfaces on the Cluster Members will give some time to Cluster Members to perform the default health checks. Example: IP address of physical interface on a given subnet on Member_A is 10.20.30.41; IP address of physical interface on a given subnet on Member_B is 10.20.30.42; IP address of pingable host should be at least 10.20.30.5


    Pivot
    A Cluster Member in the Unicast Load Sharing cluster that receives all packets. Cluster Virtual IP addresses are associated with Physical MAC Addresses of this Cluster Member. This Pivot Cluster Member distributes the traffic between other Non-Pivot Cluster Members.

    Pnote
    See "Critical Device".

    Policy Layer
    A layer (set of rules) in a Security Policy.

    Policy Package
    A collection of different types of Security Policies, such as Access Control, Threat Prevention, QoS, and Desktop Security. After installation, Security Gateways enforce all Policies in the Policy Package.

    Preconfigured Mode
    Cluster Mode, where cluster membership is enabled on all Cluster Members to be. However, no policy has yet been installed on any of the Cluster Members - none of them is actually configured to be primary, secondary, and so on. The cluster cannot function, if one Cluster Member fails. In this scenario, the "preconfigured mode" takes place. The preconfigured mode also comes into effect when no policy is yet installed, right after the Cluster Members came up after boot, or when running the 'cphaconf init' command.

    Predefined Report
    A default report included in a Check Point product that you can run right out of the box.

    Prevent
    UserCheck rule action that blocks traffic and files and can show a UserCheck message.

    Primary Multi-Domain Server
    The Multi-Domain Server in Management High Availability that you install as Primary.


    Primary Up
    ClusterXL in High Availability mode that was configured as Switch to higher priority Cluster Member in the cluster object in SmartConsole: (1) Each Cluster Member is given a priority (SmartConsole > cluster object > 'Cluster Members' pane). Cluster Member with the highest priority appears at the top of the table, and Cluster Member with the lowest priority appears at the bottom of the table. (2) The Cluster Member with the highest priority will assume the Active state. (3) If the current Active Cluster Member with the highest priority (for example, Member_A), fails for some reason, or is rebooted, then failover occurs between Cluster Members. The Cluster Member with the next highest priority will be promoted to be Active (for example, Member_B). (4) When the Cluster Member with the highest priority (Member_A) recovers from a failure, or boots, then additional failover occurs between Cluster Members. The Cluster Member with the highest priority (Member_A) will be promoted to Active state (and Member_B will return to Standby state).
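    As an added illustration (not Check Point code), the following Python model walks through steps (2) to (4) of the Primary Up entry: the member names, priorities and the fail/recover sequence are constructed assumptions, and the model only derives Active / Standby / Down from priority and health.

```python
# Added example, not Check Point code: a model of the ClusterXL High
# Availability "Primary Up" behaviour described in the glossary entry.
# Member names, priorities and the event sequence are constructed.


class PrimaryUpCluster:
    """Derives Active / Standby / Down states from member priorities and health.

    priorities maps member name -> priority, where the lowest number is the
    highest priority (the row at the top of the 'Cluster Members' table).
    """

    def __init__(self, priorities):
        self.priorities = dict(priorities)
        self.healthy = {name: True for name in self.priorities}
        self.events = []   # (event label, active member, failover happened?)

    def active(self):
        """Primary Up: the healthy member with the highest priority is Active."""
        candidates = [n for n, ok in self.healthy.items() if ok]
        if not candidates:
            return None
        return min(candidates, key=lambda n: self.priorities[n])

    def states(self):
        act = self.active()
        return {n: "Active" if n == act else ("Standby" if self.healthy[n] else "Down")
                for n in self.priorities}

    def _transition(self, name, healthy, label):
        if name not in self.healthy:
            raise KeyError(f"unknown cluster member {name}")
        before = self.active()
        self.healthy[name] = healthy
        after = self.active()
        # Any change of the Active member is a failover, including the
        # pre-emptive one when the highest-priority member comes back (step 4).
        self.events.append((label, after, before != after))
        return after

    def fail(self, name):
        return self._transition(name, False, f"{name} fails")

    def recover(self, name):
        return self._transition(name, True, f"{name} recovers")


def primary_up_demo():
    """Walks through steps (2) to (4) of the entry with two members."""
    cluster = PrimaryUpCluster({"Member_A": 1, "Member_B": 2})
    trace = [("initial", cluster.active(), False)]   # step (2): Member_A is Active
    cluster.fail("Member_A")         # step (3): Member_B is promoted to Active
    down_states = cluster.states()   # Member_A is Down, Member_B is Active
    cluster.recover("Member_A")      # step (4): Member_A pre-empts, Member_B -> Standby
    trace.extend(cluster.events)
    return trace, down_states, cluster.states()


if __name__ == "__main__":
    for label, active_member, failover in primary_up_demo()[0]:
        print(f"{label:20} active={active_member:9} failover={failover}")
```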

    Private Interface
    An interface on a Cluster Member, whose Network Type was set as 'Private' in SmartConsole in cluster object. This interface is not monitored by cluster, and failure on this interface will not cause any changes in Cluster Member's state.

    Probing
    If a Cluster Member fails to receive status for another member (does not receive CCP packets from that member) on a given segment, Cluster Member will probe that segment in an attempt to elicit a response. The purpose of such probes is to detect the nature of possible interface failures, and to determine which module has the problem. The outcome of this probe will determine what action is taken next (change the state of an interface, or of a Cluster Member).

    Problem Notification
    See "Critical Device".


    PSL
    Passive Streaming Library. Packets may arrive at Security Gateway out of order, or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases, a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with the Passive Streaming Library (PSL) technology. (1) The PSL is an infrastructure layer, which provides stream reassembly for TCP connections. (2) The Security Gateway makes sure that TCP data seen by the destination system is the same as seen by code above PSL. (3) The PSL handles packet reordering, congestion, and is responsible for various security aspects of the TCP layer, such as handling payload overlaps, some DoS attacks, and others. (4) The PSL is capable of receiving packets from the Firewall chain and from the SecureXL. (5) The PSL serves as a middleman between the various security applications and the network packets. It provides the applications with a coherent stream of data to work with, free of various network problems or attacks. (6) The PSL infrastructure is wrapped with well-defined APIs called the Unified Streaming APIs, which are used by the applications to register and access streamed data. For more details, see sk95193.
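    An added example, not Check Point's PSL implementation: a minimal Python TCP stream reassembler that performs the two jobs the entry describes, reordering segments by sequence number and refusing a retransmitted byte range whose content disagrees with data already accepted (the payload-overlap case in point (3)). The sequence numbers and payloads are constructed sample data.

```python
# Added example, not Check Point's PSL: a minimal TCP stream reassembler that
# (a) reorders segments by sequence number and (b) refuses a retransmitted
# byte range whose content differs from what was already accepted, so that a
# retransmission cannot silently rewrite bytes the inspection code has seen.
# All sequence numbers and payloads below are constructed sample data.


class OverlapMismatch(Exception):
    """A retransmitted byte range disagrees with data already in the stream."""


class StreamReassembler:
    """Reassembles one direction of a TCP connection into an ordered byte stream."""

    def __init__(self, isn):
        self.isn = isn               # sequence number of the first payload byte
        self.stream = bytearray()    # contiguous bytes accepted so far
        self.pending = {}            # seq -> payload, segments held behind a gap

    @property
    def next_seq(self):
        return self.isn + len(self.stream)

    def _accept(self, seq, payload):
        """Append payload at seq after checking any overlap with accepted bytes."""
        if seq < self.isn:
            raise ValueError("segment precedes the initial sequence number")
        overlap = self.next_seq - seq
        if overlap > 0:
            n = min(overlap, len(payload))          # bytes we have already seen
            start = seq - self.isn
            old = bytes(self.stream[start:start + n])
            if old != payload[:n]:
                raise OverlapMismatch(
                    f"seq {seq}: stream has {old!r}, retransmit has {payload[:n]!r}")
            payload = payload[n:]                   # keep only the new tail
        self.stream.extend(payload)
        return payload

    def feed(self, seq, payload):
        """Process one segment; return the bytes newly delivered in order."""
        if seq > self.next_seq:
            # Ahead of a gap: hold it. A repeat of the same seq must agree with
            # the held copy on their common prefix; the longer copy is kept.
            held = self.pending.get(seq)
            if held is not None and held[:len(payload)] != payload[:len(held)]:
                raise OverlapMismatch(f"seq {seq}: conflicting held segments")
            if held is None or len(payload) > len(held):
                self.pending[seq] = payload
            return b""
        delivered = bytearray(self._accept(seq, payload))
        # Drain held segments that are now contiguous with (or overlap) the stream.
        while self.pending:
            lowest = min(self.pending)
            if lowest > self.next_seq:
                break                               # still a gap before it
            delivered.extend(self._accept(lowest, self.pending.pop(lowest)))
        return bytes(delivered)


def psl_demo():
    """Constructed sample: a segment arrives early, the gap is filled, an exact
    retransmission is absorbed, and an altered retransmission is flagged."""
    r = StreamReassembler(isn=1000)
    out = [r.feed(1010, b".html HTTP/1.0"),   # early: held, nothing delivered
           r.feed(1000, b"GET /index"),       # fills the gap, drains the held part
           r.feed(1000, b"GET /index")]       # exact retransmit: nothing new
    try:
        r.feed(1010, b".php  HTTP/1.0")       # same range, different bytes
        flagged = False
    except OverlapMismatch:
        flagged = True
    return out, bytes(r.stream), flagged
```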

    PSLXL
    Technology name for combination of SecureXL and PSL (Passive Streaming Library) in R80.20 and higher versions. In R80.10 and lower versions, this technology was called PXL (PacketXL).

    Publisher PDP
    Check Point Identity Awareness Security Gateway that gets identities from an identity source/remote PDP and shares identities to a remote PDP. The Publisher PDP: (1) Initiates an HTTPS connection to the Subscriber PDP for each Identity to be shared (2) Verifies the CN and OU present in the subject field of the certificate presented (3) Verifies that the CA's certificate matches the certificate that was approved in advance by the administrator (4) Checks if the certificate presented is revoked (5) Shares identities including the information about user(s), machine(s) and Access Roles in the form of HTTP POST requests.

    PXL
    See "PSLXL".

    Q

    QoS
    Check Point Software Blade that guarantees quality of service for traffic.


    QoS Action Properties
    Properties that define bandwidth allocation, limits, and guarantees for a security rule.

    R

    RADIUS
    Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport.

    RDED
    Retransmit Detect Early Drop. The bottleneck that results from the connection of a LAN to the WAN causes TCP to retransmit packets. RDED prevents inefficiencies by detecting retransmits in TCP streams and preventing the transmission of redundant packets when multiple copies of a packet are concurrently queued on the same flow.

    Ready
    State of a Cluster Member after initialization and before promotion to the next required state - Active / Standby / VRRP Master / VRRP Backup (depending on Cluster Mode). A Cluster Member in this state does not process any traffic passing through cluster. A member can be stuck in this state due to several reasons - see sk42096.

    Remote Access VPN
    An encryption tunnel between a Security Gateway and Remote Access clients. Provides secure, seamless access to corporate networks remotely, over IPsec VPN.

    Remote Access VPN Community
    A group of computers, appliances, and devices that access, with authentication and encryption, the internal protected network from physically remote sites.

    Report
    A summary of network activity and Security Policy enforcement that is generated by Check Point products such as SmartEvent.

    Rule
    A set of traffic parameters and other conditions in a Rule Base that cause specified actions to be taken for a communication session.


    Rule Base
    Also Rulebase. All rules configured in a given Security Policy.

    RX Queue
    Receive packet queue. See "Multi-Queue".

    S

    Secondary Multi-Domain Server
    The Multi-Domain Server in Management High Availability that you install as Secondary.

    SecureXL
    Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security Gateways for significant performance improvements.

    Security Gateway
    A computer that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

    Security Management Server
    A computer that runs Check Point software to manage the objects and policies in Check Point environment.

    Security Policy
    A collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.

    Selection
    The packet selection mechanism is one of the central and most important components in the ClusterXL product and State Synchronization infrastructure for 3rd party clustering solutions. Its main purpose is to decide (to select) correctly what has to be done to the incoming and outgoing traffic on the Cluster Member. (1) In ClusterXL, the packet is selected by Cluster Member(s) depending on the cluster mode: In HA modes - by Active member; In LS Unicast mode - by Pivot member; In LS Multicast mode - by all members. Then the Cluster Member applies the Decision Function (and the Cluster Correction Layer). (2) In 3rd party / OPSEC cluster, the 3rd party software selects the packet, and Check Point software just inspects it (and performs State Synchronization).


    Service Account
    In Microsoft® Active Directory, a user account created explicitly to provide a security context for services running on Microsoft® Windows® Server.

    SIC
    Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.

    Single Sign-On
    A property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system. This is typically accomplished using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on (directory) servers. Acronym: SSO.

    Site to Site VPN
    An encryption tunnel between two Security Gateways.

    Slow Path
    See "Firewall Path".

    SmartConsole
    A Check Point GUI application used to manage Security Policies, monitor products and events, install updates, provision new devices and appliances, and manage a multi-domain environment and each domain.

    SmartDashboard
    A legacy Check Point GUI client used to create and manage the security settings in R77.30 and lower versions.

    SmartEvent Server
    Server with enabled SmartEvent Software Blade that hosts the events database.

    Software Blade
    A software blade is a security solution based on specific business needs. Each blade is independent, modular and centrally managed. To extend security, additional blades can be quickly added.


    SSO
    See "Single Sign-On".

    Standalone
    A Check Point computer, on which both the Security Gateway and Security Management Server products are installed and configured.

    Standby
    State of a Cluster Member that is ready to be promoted to Active state (if the current Active Cluster Member fails). Applies only to ClusterXL High Availability Mode.

    Standby Domain Server
    All Domain Management Servers for a Domain that are not designated as the Active Domain Management Server.

    State Synchronization
    Technology that synchronizes the relevant information about the current connections (stored in various kernel tables on Check Point Security Gateways) among all Cluster Members over Synchronization Network. Due to State Synchronization, the current connections are not cut off during cluster failover.

    Sticky Connection
    A connection is called sticky, if all packets are handled by a single Cluster Member (in High Availability mode, all packets reach the Active Cluster Member, so all connections are sticky).

    STIX
    Structured Threat Information eXpression™. A language that describes cyber threat information in a standardized and structured way.

    Subscriber PDP
    Check Point Identity Awareness Security Gateway that gets identities from a remote PDP. The Subscriber PDP: (1) Presents the configured SSL certificate to the Publisher PDP (2) Receives the information from the Publisher PDP after verifying the pre-shared secret in the POST requests.

    Subscribers
    User Space processes that are made aware of the current state of the ClusterXL state machine and other clustering configuration parameters. List of such subscribers can be obtained by running the 'cphaconf debug_data' command (see sk31499).


    Sync Interface
    Also, Secured Interface, Trusted Interface. An interface on a Cluster Member, whose Network Type was set as Sync or Cluster+Sync in SmartConsole