Support Center > Search Results > SecureKnowledge Details
HealthCheck Point (HCP) Release Updates Technical Level

Click Here to Show the Entire Article
  • Introduction
  • Availability
  • List of Resolved Issues
  • Manual Installation
  • Uninstall
  • SmartConsole Extension Installation
  • Tests
  • What's The Story (WTS)
  • Topology
  • Usage
  • Revision History



HealthCheck Point (HCP) is a self-updatable suite of tools for:

  • Tests: Assesses the health of your system
  • WTS (What's The Story): Provides a timeline of critical and informative events occurred on the system
  • Topology: Visualize the Firewall topology

HealthCheck Point supports all Gaia versions starting from R80.10.



Product Update # Release Date Download package
  • Quantum Security Gateways
  • Quantum Maestro
  • Quantum Scalable Chassis
  • VSX
  • Management Servers
  • Multi-Domain Servers
Update 11 - Take 58 18 Sep 2022 (TAR)


List of Resolved Issues and New Features per Update for HCP

ID Description
Update 11 - Take 58 (18 Sep 2022)
HCP-6 NEW: Added a test that checks if tables reached their limits. 
HCP-510 NEW: Added the "--domain" option to collect reports for a single domain.
HCP-531 NEW: Added the Feature compatibility - VSX test.
HCP-530 NEW: Added the "snmp configuration" option for the Feature compatibility - VSX test. 
HCP-517 Updated the Feature Compatibility test.
HCP-499 SmartConsole may not provide the HCP report for a cluster member object.
HCP-504 The URL Filtering test may fail with an exception.
HCP-500 The VSX Hardware Utilization test may fail with an exception.
HCP-502 Improved the SSD Health test.
HCP-511 The ICA test may fail false positive on a Multi-Domain Log Module (MLM).
HCP-518 The Distribution test may incorrectly pass if the "dxl stat" command failed.
HCP-522 The Templates Efficiency test may fail with an exception.
HCP-543 The MTU test may fail with an exception in an MDPS environment.
Update 10 - Take 57 (20 Jun 2022)
HCP-66 NEW: Added a test that checks whether the hardware is utilized efficiently. 
HCP-264 NEW: Added a test to verify the SSD SMART health.
HCP-72 UPDATE: Added a section in the report which displays installed software versions.
HCP-460 UPDATE: The Local Logging Monitor Test will now check for failures in the past.
  • Major improvement in test loading time on VSX systems.
  • Changed the "hcp -l" output table. It will now display all tests except the tests disabled in configuration.
HCP-431 The "Failed creating HTML report" error is displayed after running HCP.
HCP-433 The output table of the Scalable Platforms Features Compatibility Test is broken.
HCP-440 Running the "hcp -v" command in the VS context does not show the HCP Take number.
HCP-441 Running the "hcp --show-last-full" command in the non-VS0 Virtual System context may fail with an error message.
HCP-442 The Software Provision Test incorrectly reports about missing AUTOUPDATER packages on some members. 
HCP-443 The MSG VLAN Consistency Test may fail with an exception.
HCP-450 The MTU test may fail with an exception related to some bridge interfaces.
HCP-457 The HCP Section icon in the report is not updated correctly.
HCP-464 Virtual System interfaces may be missing in the topology tab of a generated report.
HCP-466 Some tests may be shown in the status "Skipped", when running the "hcp --show-last" command with the "only-failed" flag.
HCP-471 HCP SmartConsole Extension cannot fetch the VSX Cluster report. 
HCP-458 HCP SmartConsole Extension cannot fetch the Log Server report.
Update 9 - Take 55 (30 May 2022)
HCP-415 UPDATE: Protections Impact test now collects real time PM statistics, and matches protections with the same LSS as the critical protections.
HCP-295 The Connection Distribution test may collect distribution statistics from a wrong source because of a CPView issue.
HCP-375 Arrows in the Topology tab may be missing.
HCP-404 WTS may not show any cluster state event. 
HCP-423 MDPS is listed as an unsupported version.
HCP-426  The Static Affinity Test may fail with an exception.
HCP-427 The Memory Usage Test may show an abnormally large command.
HCP-428 Loading an HTML page with the Maestro Orchestrator report may fail. 
HCP-453 The Dynamic Objects Database Test may be executed on the Maestro Hyperscale Orchestrator (MHO) and the Management Servers although it should not.
Update 8 - Take 52 (07 Mar 2022)
HCP-332 NEW: The "hcp -r all" report will now automatically include topology, WTS, and charts, no additional flags are needed.
HCP-374 NEW: Added new flags to modify HCP default behavior. Some tests or products can be disabled/enabled:
Note: The "performance-impact" configuration will persist after running the command.     
HCP-164 NEW: Added a new test to check if any debug flags are enabled.
HCP-237 NEW: Added an optional flag "-only-failed" for "show-last-full" and "-show-last" to represent only tests with a status not equal to "Passed".
SWSCFG-132 NEW: Added an HCP test to validate if interface errors are present. If any errors are detected, possible solutions will be provided based on the error type.
HCP-225 UPDATE: The "hcp -l" command output is now displayed as a table.
HCP-378 UPDATE: The "hcp -l" and "hcp -r" commands will now load the test faster. 
HCP-87 There may be a wrong timestamp in the report.
HCP-167 Added verifications of fwkern.conf file according to sk149412.
HCP-218 The user cannot open the HCP report of the Management Server from SmartConsole because of the wrong UID in the report file.
HCP-328 The FW Configuration File Sanity test may fail on valid parameters.
HCP-240 The "hcp --show-last-full" command takes several minutes to represent very large reports.
HCP-333 The WTS report is not generated correctly, a “Failed to generate WTS report" message is displayed.
HCP-343 When running HCP with the -f flag, a JSON encode/decode error is shown.
HCP-345 The "hcp  --ext-update-reports <gw_name>" command may fail with an exception.
HCP-368 The IDA Sharing Mechanism test may fail with an exception.
HCP-370 The "hcp --ext-update-reports all" command collects reports only from the first 50 Gateways. 
HCP-373 The SecureXL Status test may fail with an exception.
HCP-377 Autoupdatercli fails to install HCP on R80.20 Scalable Platforms.
HCP-380 The Core Dumps test may fail with an exception.
Update 7 - Take 49 (17 Jan 2022)
HCP-260 NEW: Added a test to validate Software Provision across Scalable Platforms cluster members.
HCP-291 NEW: Added HCP version and Take number to the HCP report.
HCP-324 NEW: Threat Prevention Heavy Connections test now shows 10 most loaded connections and connections load per instance.
NEW: Added 2 new tables to the Memory Usage test:
  • user space consumption per virtual system
  • total consumption per process (aggregated by name)
HCP-219 NEW: Added a test to check if the ICA certificate expires in less than a year/already expired. Refer to sk158096.
HCP-318 UPDATE: The Processes Memory test was removed. It is now part of the Memory Usage test.
HCP-292 Transceiver EEPROM data may cause an exception in HCP test.
HCP-297 In some scenarios, in a Scalable Platforms VSX environment, HCP may show an exception on test with Global Result option enabled.
HCP-299 Cluster members may appear twice in the test result.
HCP-303 Some zombie processes may not be detected by HCP test.
HCP-307 The SIC test output appears twice in the test result.
HCP-308 The CPView test may fail with an exception.
HCP-314 The Topology graph may fail to generate on systems with numbers or a dot (.) in the name.
HCP-317 The Transceiver test may fail with an exception.
HCP-342 The IDA Tables Mismatch test may fail with an exception.
Update 6 - Take 48 (9 November 2021)
HCP-210 NEW: Added to the Dmesg Errors test to handle the "stalls on CPU" messages.
HCP-209 NEW: Added the Bond Health test which validates that there are no slaves with different aggregator id under the same bond.
HCP-211 NEW: Added ports link integrity test for Maestro Orchestrator.
HCP-160 UPDATE: An error message will be displayed when trying to view report for the Security Management Server if the last report does not exist on the Security Gateway.
HCP-61 On VSX systems, the Topology graph of HCP report either does not display or shows incorrect information.
HCP-230 In some scenarios, the IDA Tables Limit test takes more than 5 seconds to run.
HCP-206 In some scenarios, the SecureXL Status test shows status [EXCEPTION].
HCP-224 In some scenarios, the SIC test may be skipped the Security Gateway connected to a Multi-Domain Management Server.
HCP-223 The "hcp --ext-update-reports all" command is not working properly on Multi-Domain Management environment.
HCP-208 The "FW Configuration File Sanity" report raises exception on some appliances like 16600t.
HCP-214 HCP "Core Dumps" may crash if there are broken headers in core dump archive.
HCP-207 The Feature Compatibility test may fail when "smo image auto-clone" is enabled.
HCP-205 In some scenarios, SmartConsole fails to open reports from the Management machine.
Update 5 - Take 46 (20 October 2021)
HCP-151 NEW: Added perf reports summary table to the CPU spikes performance test (listing top functions and processes during latest spikes).
HCP-158 NEW: Added HCP test to verify the IPv4 forwarding flag on FireWall interfaces.
HCP-106 NEW: Added HCP test to verify MTU values on FireWall interfaces.
HCP-30 NEW: Added basic filters and date navigation to What's The Story.
HCP-153 NEW:
  • Added hostname and date to the report file name
  • Added purge ability to delete old reports (archive are saved up to 10, and last reports the last one only).
HCP-198 NEW: Added new Threat Prevention Heavy Connections test.
HCP-192 NEW: Added new Threat Prevention tests to automate and improve the investigation of Threat Prevention performance issues.
HCP-202 NEW: Added the Threat Prevention protections impact test.
HCP-163 NEW: Added 3 new tests to the HCP tool:
  1. "IDA tables instances mismatch" - To check the number of mismatches between Identity Awareness kernel tables instances.
  2. "IDA tables limit" - For each Identity Awareness kernel table, to make sure the peak value is approaching the limit.
  3. "IDA tables mismatch" - To check the number of mismatches between Identity Awareness kernel tables.
HCP-193 In some scenarios, the connectivity to User Center may fail.
HCP-50 Improved the loading time of What's The Story events.
HCP-107 Local Logging test may fail even when remote logging setup is configured correctly.
HCP-166 The hcp.elg log file may show exceptions on some tests even if they did not run on the environment.
HCP-149 Typo in the Transceivers test.
HCP-38 When running HCP with custom VS "-c" flag, the VS number is displayed incorrectly in SmartConsole report.
HCP-162 HCP does not display a message when What's The Story does not contain events.
HCP-150 In some scenarios, the File Descriptors test fails with exception.
HCP-168 In some scenarios, after running HCP fails with error related to cpdiag stats.
HCP-188 Disabled WTS (What's The Story) and Topology when the specific test runs, unless specifically indicated that it should run WTS / Topology.
Update 3 - Take 44 (13 June 2021)
HCP-24 NEW: Added timestamp to HTML report.
HCP-16 NEW: Added the Transceiver Verifier test that checks that transceivers attached to appliances interfaces are supported.
HCP-82 NEW: Added a new CSV file to allow CPDiag to collect statistics for:
  • Number of times the HCP ran in this environment
  • Passed tests
  • Failed tests
  • Tests score
HCP-67 NEW: Added a new test to examine the SIC status between Security Management and Security Gateway. 
HCP-108 NEW: Added event of SNMP send failure to chassis modules to WTS (What's The Story).
HCP-93 NEW: Added a new test that checks Gaia database performance.
HCP-70 NEW: Added Support for HCP Extension on MDS
HCP-76 UPDATE: Search functionality in the HTML report is now under WIP and disabled.
HCP-29 UPDATE: Added the Threshold column to CPView.
HCP-26 UPDATE: WTS (What's The Story) will be displayed the HTML report by default.
HCP-100 UPDATE: Errors previously printed on the screen while tests are running will be printed to the hcp.elg file.
HCP-117 UPDATE: HCP test will alert about custom applications with signatures that may cause performance impact.
HCP-48 UPDATE: Help message is now displayed if the incorrect command syntax entered.
HCP-119 UPDATE: The Local Logging test is now disabled.
HCP-128 UPDATE: Added ability to run the fwkern.conf sanity test on each VS.
HCP-68 SecureXL status is missing in HCP test.
HCP-78 When running HCP with the wrong "-c" parameter, unnecessary blank HTML report is created.
HCP-64 The gexec command has a different default timeout value than hcpexec
HCP-96 Added more information to compatibility check of Forward Error Correction (FEC) feature.
HCP-97 The local logging test fails when a backup server is configured.
HCP-98 The Distribution test does not run from the Chassis Monitor.
HCP-53 Added core dumps information to WTS (What's The Story).
HCP-43 Cannot move between VSs in ARP CACHE limit test.
HCP-47 Charts tab time shows incorrect time.
HCP-71 The SIM Configuration File Sanity test may fail to find the kernel parameter although it exists.
HCP-89 Long words in the HCP test reports may cause overflow to adjacent table columns.
HCP-79 Added cosmetics fix to MSG Vlans consistency test: replace between the result table titles and add new line at the end of each missing VLAN
HCP-77 The Kernel Crash test shows "PASSED" although there are existing cores dump files.
HCP-129 In some scenarios, the Static Affinity Test fails with exception.
HCP-131 Scalable Platform Clients with ZETCLIENT process is shown as terminated and the Check Point Processes test status displays "ERROR". 
Update 2 - Take 29 (18 March 2021)
HCP-18 NEW: Added the Memory Usage (RAM) test, which analyzes the different memory sections and their current usage.
HCP-12 NEW: Added a compatibility test of configured features in Scalable Platform environments (based on sk148074).
HCP-15 NEW: Added --v / -version argument to display the Take number / RPM build of HCP.
HCP-11 NEW: Added ability to see a back trace of core dump files.
HCP-20 NEW: Added a new test that verifies that the distribution configurations between local members and SSMs are consistent.
HCP-13 NEW: Added a new test that confirms that logs are being written to a Log Server and not locally.
HCP-21 NEW: Added the Bond test and Corexl Status on VSX performance tests.
HCP-1 Running HCP on remote members using the "-m" flag is not available in Maestro environments.
HCP-23 Tests that are supposed to run only in Scalable Platform run in all environments.
HCP-17 The FW kern sanity test may fail when using parameter from type "uint".
Update 1 - Take 24 (18 February 2021)
ODU-81 Initial Release


Manual Installation (Offline)

HCP is installed automatically on all relevant Check Point devices, if the user allows the Automatic updates download per sk94508.
For users who do not allow automatic updates, HCP can be installed as described below.

Prerequisites: Install the latest Take of the AutoUpdater.
If you have issues with installing Autoupdater, contact Check Point Support for assistance.


  • Instructions for Security Gateways, VSX, Maestro Hyperscale Orchestrator and Management Servers

    Show / Hide this Section

    1. Download the latest HCP TAR from the Availability table.

    2. Run this command in the Expert mode:
      # autoupdatercli install <Full Path to the TAR Package>

    Note: The installation does not require a restart of Check Point services ("cpstop; cpstart") or a reboot. After it is installed, no further action is required. The future updates are be applied immediately.

  • Instructions for Maestro Gateways and Scalable Chassis R80.20SP and higher

    Show / Hide this Section

    1. Download the latest HCP TAR from the Availability table.

    2.  Copy the TAR to all other members by using the command
      # asg_cp2blades -b all <Full Path to the TAR Package>

    3. Run this command in the Expert mode:
      # g_all autoupdatercli install <Full Path to the TAR Package>

    4. Delete the TAR file from your system as it is no longer needed after installation.

Install Validation log

Make sure the package was correctly install.
View the log file located in the /opt/CPInstLog/AutoUpdateLogs/hcp/ directory and make sure the following lines appear:

 <HH:MM:SS>% :  Script /var/log/AutoUpdater/metadata/HealthCheck_Point/hcp/hcp_AutoUpdate/24/product_scripts/ output:
  [INFO] - verification endded successfully
 <HH:MM:SS>% :  Installation succeeded for component hcp
 <HH:MM:SS>% :  ----------------------------------------------------------------------



Run this command in the Expert mode: # autoupdatercli revert-completely hcp

Uninstall Validation log

Make sure the package was correctly uninstalled.
View the log file located in the /opt/CPInstLog/AutoUpdateLogs/hcp/ directory and make sure the following lines appear:

[SUCCESS] - Finish running
<HH:MM:SS>% :  Revert succeeded for component hcp
<HH:MM:SS>% :  ----------------------------------------------------------------------

SmartConsole Extension Installation


  1. Make sure the HCP package is installed on your Security Management Server
  2. Run the "hcp -r all" command at least once on each Security Gateway you want to see the report from.

Activating Extension on Security Management

Show / Hide this Section

Connect to your Security Management Server via SSH and run:
  1. # service hcp_ext start

  2. # hcp --ext-update-reports all
    • You must run this command on every restart of the Security Management Server to collect a report from the newly created  Security Gateway.

Adding Extension in SmartConsole

Show / Hide this Section
  1. Go to Manage & Settings -> Preference -> SmartConsole Extensions -> click "+":

  2. Enter the following as URL:  


  3. In the next prompt, click "Continue" and then "OK":
  4. You should see HCP extension added:

  5. Move to "Gateways & Servers", Choose your GW and click on "Health Check" button:


  6. HCP new window should pop up:

  7. To fetch the latest report from the Security Gateway or run it live on it, use one of the following options: "Fetch Latest" Report or "Fetch Live Report":



  • Self-diagnostics utility program that executes a set of tests.
  • Tests scan the system and can detect:
    • Feature/system configuration bad practices
    • Foresee future issues that may affect the system
    • Historical issues that may re-occur
  • Provide a comprehensive structured system assessment report:
    • Include each of the tests and a final verdict (Success/Error/Warning)
    • Tests that failed show their findings and suggest a next-step action



What's The Story (WTS)

  • WTS tells the story of the system by arranging critical/informative events into a timeline
  • WTS combines events of several processes and services into a single timeline which gives a bird-eye vision
  • WTS become helpful when troubleshooting issues that affected the system but no longer exists (RCA)
  • WTS events can be extended



  • Visualize the firewall topology in the network

  • Very helpful with complex VSX environments



Default manual run: # hcp -r all --include-wts yes


# hcp {-r | --run} {all | "test 1" "test2" ...} [{-f | --format} <json | table>] [{-o |--output-file} </Path/To/Output-File>]

# hcp {-l | --list-tests} [{-f | --format} <json | table>]

# hcp {-r | --run} [{-m | --members} {all| 2_1-2_3}] 
 (for Scalable Platforms only)


Parameter Parameter Status Parameter Description
-h | --help Optional  Shows the built-in help and exits
-r {all | "test 1" "test2" ...}
--run {all | "test 1" "test2" ...}
Mandatory  Runs all or only the specified HealthCheck Point (HCP) tests
-l |--list-tests Mandatory  Lists all tests
-s |--silent Optional  Runs in a silent mode (no stdout)
--show-last Optional  Shows a full report for the last test
--include-topology {yes|no} Optional  Includes the topology in the JSON output
--include-wts {yes|no} Optional  Includes the "What's The Story" information in the JSON output
--include-charts {yes|no} Optional  Includes the history charts in the JSON output
-o </Path/To/Output-File>
--output-file </Path/To/Output-File>
Optional  Specifies the path and name of the output file
-f {json|table}
--format {json|table}
Optional  Output display format - JSON, or table (default)
--cli-list-tests Optional  Shows all available tests
-m {all| 2_1-2_3}
--members {all| 2_1-2_3}
Optional  Available on Scalable Platforms / Maestro. Runs the tool on all members.

To view report in CLI:
# hcp --show-last | more

To view report in Web browser:

  1. Copy the /var/log/hcp/last/hcp_last_report.tar.gz file to your personal computer
  2. Extract the TAR content
  3. Open the index.html file in your web browser


Revision History

Show / Hide revision history

Date Description
18 Sep 2022 Released Update 11 - Take 58
20 Jun 2022 Released Update 10 - Take 57
30 May 2022 Released Update 9 - Take 55
01 Mar 2022 Released Update 8 - Take 52
19 Jan 2022 Added HCP-187 to Update 7 - Take 49
17 Jan 2022 Released Update 7 - Take 49
09 Nov 2021 Released Update 6 - Take 48
20 Oct 2021 Released Update 5 - Take 46
16 Jun 2021 Added the "SmartConsole Extension Installation" section
13 Jun 2021 Released Update 3 - Take 44
18 Mar 2021 Released Update 2 - Take 29
18 Feb 2021 First release of this document - Update 1 - Take 24

Give us Feedback
Please rate this document