Checkpoint Database Files

Important checkpoint database files:

  1. $FWDIR/conf/objects_5_0_c: It contains

Network objects
Host objects
Firewall gateway objects
Service objects

2. $FWDIR/conf/fwauth.NDB: It contains

User administrator accounts
3. $FWDIR/conf/rulebases_5_0_fws: It contains

Security rules
NAT rules

Checkpoint Services

Checkpoint  important services are mentioned below.

  1. FWM
  2. FWD
  3. CPD
  4. CPCA

1.FWM  Tasks:

  • Serving the GUI clients
  • Database Tasks (Rules, objects, users etc..)
  • Collecting status from different firewalls
  • Policy compilation

2. FWD  tasks:

  •     Receiving the logs on port 257

3. CPD (Checkpoint Daemon) Tasks:

  • SIC
  • Loading policy
  • Status collections (AMON)

4. CPCA (Checkpoint certification Authority)

  • SIC certificate pulling
  • Certificate enrollment
  • CRL fetch
  • Admin WebUI




To obtain the Cluster members information, type the following command:

      tmsh show sys cluster
[root@vhost:/S1-green-P:Active:Standalone] config # tmsh show sys cluster

Sys::Cluster: default
Availability            available
State                   enabled
Reason                  Cluster Enabled
Primary Slot ID         1
Primary Selection Time  07/23/17 22:01:49

| Sys::Cluster Members
| ID  Address      Availability  State    Licensed  HA      Clusterd  Reason
| 1  available     enabled  true      active  running   Run
| 2  available     enabled  true      active  running   Run
| 3  available     enabled  true      active  running   Run
| 4  available     enabled  true      active  running   Run


To obtain the configured vCMP guest information, type the following command:
tmsh show vcmp guest

[root@vhost:/S1-green-P:Active:Standalone] config # tmsh show vcmp guest

Name      Slot ID Status  Requested   Request  Retries  Uptime  Comment
State  Complete
test1          3  running   deployed      true        0  07/23/17 22:18:16
test2          4  running   deployed      true        0  07/23/17 22:19:41
test3        1  running   deployed      true        0  07/24/17 19:24:16
test4        2  running   deployed      true        0  07/24/17 19:29:25
vguest1        3  running   deployed      true        0  07/24/17 19:28:49
vguest2        4  running   deployed      true        0  07/24/17 19:28:49  


To access the vGuest console you  may run the following command. 

        vconsole <guest name> <slot#> 
[root@vhost:/S1-green-P:Active:Standalone] config # vconsole guest 1
Connected to
Escape character is ‘^]’.

BIG-IP 12.0.0 Build 0.0.606
Kernel 2.6.32-431.56.1.el6.f5.x86_64 on an x86_64 login:
[root@guest1:/S1-green-P:Active:Standalone] config #

SSH into a specific slot:
ssh <slot number>

[root@guest1:/S1-green-P:Active:Standalone] config # ssh slot2

Forcing a Primary blade to Secondary

  1. Locate the primary slot# by running
    tmsh show sys cluster
  2. Disable the primary slot with the following command:
    tmsh modify sys cluster default members { 2 { disabled } }
    From the above command, the primary slot# is “2”

Shutting Down and Restarting a single VIPRION Blade

Restarting, powering off, and powering off VIPRION Blades can be done via the following commands:

  1. Reboot a single blade:
    bladectl -b <blade#> -r
    Example: bladectl -b 2 -r
  2. Power Down a single blade
    bladectl -b <blade#> -p 0
    Example bladectl -b 2 -p 0
  3. Power On a single blade
    bladectl -b <blade#> -p 1
    Example: bladectl -b 2 -p 1

Checkpoint Model List-2

P-30-00                       Power-1 11000
P-20-00                       Power-1 9070 Appliance
P-10-00                       Power-1 5075 Appliance
P-10-00                       Power-1 5070 Appliance
S-10-00                        Smart-1 5
S-20-00                        Smart-1 25
S-21-00                        Smart-1 25B
S-30-00                        Smart-1 50
S-40-00                        Smart-1 150
ST-5-00                        Smart-1 205
ST-10-00                      Smart-1 210
ST-25-00                      Smart-1 225
ST-50-00                      Smart-1 3050
ST-150-00                    Smart-1 3150
U-40-00                        Smart-1 3070
ST-105-00                    Smart-1 405
ST-110-00                     Smart-1 410
ST-425-00                     Smart-1 525
ST-4050-00                   Smart-1 5050
ST-4150-00                   Smart-1 5150
T-181-00                       TE250
P-231-00                       TE1000
P-371-00                       TE2000
TT-10-00                       TE100X
TT-20-00                       TE250X
TT-30-00                       TE1000X
TT-40-00                       TE2000X
U-31-00                         IPS-1 2076
P-11-00                          IPS-1 5076
P-21-00                          IPS-1 9076
P-22-00                          DLP-1 9571
U-42-00                          DLP-1 2571
L-50                                       Security Gateway 80
L-50                                       Check Point 600
S2 (SMB)                             Check Point 700
L-50                                      Check Point 1100
L-61i                                     Check Point 1200R
S1 (Enterprise)                Check Point 1430 / 1450
S2 (Enterprise)                 Check Point 1470 / 1490
L-71                                     Check Point 1430/1450
L-71W                                Check Point 1430/1450 WiFi
L-72                                    Check Point 1470/1490
L-72W                               Check Point 1470/1490 WiFi
L-72P                                 Check Point 1470/1490 PoE

Checkpoint DMI List -Part-1

Appliance UTM-1
U-40-00                        UTM-1 3070 Appliance
U-30-00                        UTM-1 2070 Appliance
U-20-00                        UTM-1 1070 Appliance
U-15-00                        UTM-1 570 Appliance
U-15-01                        UTM-1 570 Appliance
U-10-00                        UTM-1 270 Appliance
U-5-00                          UTM-1 130 Appliance
T-180-00                       UTM-1 4800
T-160-00                       UTM-1 4600
T-140-00                       UTM-1 4400
T-120-00                       UTM-1 4200 2012 Appliance
T-110-00                       UTM-1 2200 2012 Appliance
C6P_UTM                      UTM-1 2050 Appliance
C6_UTM                        UTM-1 1050 Appliance
C2_UTM                        UTM-1 450 Appliance


Appliance 2012
G-50                             Appliance 21400
G-70                             Appliance 21600
G-72                             Appliance 21700
G-75                             Appliance 21800
P-380-00                      Appliance 13800
P-370-00                      Appliance 13500
P-231-00                      Appliance 12600
P-230-00                      Appliance 12600
P-220-00                      Appliance 12400
P-210-00                      Appliance 12200


PB-05-00                     Appliance 3100
PB-10-00                     Appliance 3200
PB-15-00                     Appliance 5100
PB-20-00                     Appliance 5200
PL-10-00                     Appliance 5400
PL-20-00                     Appliance 5600
PL-30-00                     Appliance 5800
PL-40-00                     Appliance 5900
PH-20-00                    Appliance 15400
PH-30-00                    Appliance 15600
PD-10-00                    Appliance 23500
PD-20-00                    Appliance 23800



Export F5 SSL certificate and Key files to PFX format:

Step 1 :

Copy the designated website ssl certificate and key files to the tmp folder

SSL cert location:


Key location:


Step 2 :

Impact of procedure: There will be no impact to the system with the below procedure.

  1. Log in to the BIG-IP command line.
  2. Copy the certificate file to the /var/tmp directory

   cp /config/filestore/files_d/Common_d/certificate_d/<Certificate-Filename> /var/tmp/<Destination-Filename>

3. Copy the key file to the /var/tmp directory

cp /config/filestore/files_d/Common_d/certificate_key_d/<Key-Filename> /var/tmp/<Destination-Filename>

4. verify the files using the below command

ls -las /var/tmp/<Destination-Filename>

Step 3 :

To export the certificate/key pair to PFX format, perform the following procedure:

Export the certificate/key pair to PFX format to /var/tmp/certificate.pfx using the following command syntax:

openssl pkcs12 -export -out /var/tmp/<PFX -CertificateName> -inkey /var/tmp/<Key-Filename> -in /var/tmp/<Certificate-Filename>

For example, to export the certificate test.crt and key test.key copied in the previous procedure, type the following command:

openssl pkcs12 -export -out /var/tmp/certificate.pfx -inkey /var/tmp/test.key -in /var/tmp/test.crt

The exported PFX file is named /var/tmp/certificate.pfx.



Checkpoint MDS Issue Tips:

A. Issue is MDS is down:

  1. Issue is unable to access MDS.
  2. Login to the MDS through CLI or console
  3. Verify the MDS status using mdsstat command


4. If everything is down including CMA’s, perform the below steps.



   B. Issue is One of the CMA is down:

  1. Issue is unable to access CMA.
  2. Login to the MDS through CLI or console
  3. Verify the MDS status using mdsstat command


4. If one of the CMA is down, note it down the CMA IP and run the below command

          mdsstart_customer <IP_address>




F5 -n3-crypto2 Hardware error Resolution Step:

Web-ui Error:

F5 Viprion device slot is in failsafe fault mode


CLI Error logs:

tmm[12091]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck


  1. Login to the affected F5 device
  2. Take a UCS backup
  3. Reboot the viprion guest device with the below command.

         clsh reboot

4. If issue is not resolved after a reboot, please open a case with F5 vendor.

Google Cloud- Disk Changes

  1. Create disk using Gcloud command


gcloud compute disks create &lt;DISK_NAME&gt; --type=&lt;DISK_TYPE&gt; --size=&lt;SIZE&gt; --zone=&lt;ZONE&gt;


gcloud compute disks create disk-2 –size=100 –zone=us-east1-b

2. Resize disk using Gcloud command


  gcloud compute disks resize &lt;disk_name&gt; --size=&lt;size&gt; --zone=&lt;zone&gt;


gcloud compute disks resize disk-2 –size=150 –zone=us-east1-b

3. Attach Disk using Gcloud command:


gcloud compute instances attach-disk &lt;instance&gt; --disk=&lt;disk_name&gt; --zone=&lt;zone&gt;


gcloud compute instances attach-disk windows-instance –disk=disk-2 –zone=us-east1-b