Important notes:

• The CPinfo version in this solution is valid for all Check Point versions and Operating Systems except Solaris and IPSO 3.x/4.x
• For Solaris and IPSO 3.x/4.x, refer to sk30567.

Table of Contents:

• Introduction
• Usage Instructions
• CLI Syntax
• Data Collected
• Installing CPinfo
• System Requirements
• First Time Installation Instructions
• Known Limitations

Introduction

CPInfo is an auto updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the "cp_uploader" utility for uploading files to Check Point servers)

The CPinfo output file allows analyzing customer setups from a remote location. Check Point's support engineers can open the CPinfo file in a demo mode, while viewing actual customer Security Policies and objects. This allows the in-depth analysis of all of customer configuration options and environment settings.

Usage Instructions

CPinfo can be run from CLI (on all versions) or via SmartUpdate (from R75.47 and above).

• CLI
  
  
  
  • Gaia - run "cpinfo [flags]" in Clish or in Expert mode
  • SecurePlatform - run "cpinfo [flags]" in Expert mode
  • IPSO - run "cpinfo [flags]" on CLI
  • Windows - run "cpinfo [flags]" in Windows Command Prompt
  • On all versions, run "cpinfo -h" to see additional help
  
  
  
• SmartUpdate
  
  
  1. Right-click on the Security Gateway / Security Management object, from which you want to collect the CPinfo.
  2. Select "Upload diagnostics (CPinfo) to Check Point".
  3. Enter your User Center credentials, SR number, and click OK.

Using an HTTP proxy:

CPinfo uses HTTPS in order to update itself and upload files. This step is relevant for customers for which internet access traffic is required to pass through an HTTP proxy server and that their Check Point Security Gateway / Security Management is not configured with such proxy (as described in Administration Guide). CPinfo will read the proxy configuration that was configured on the Security Gateway (either via SmartDashboard, or CLI).

The proxy can be configured in one of the following ways:

1. In the SmartDashboard - in the Security Gateway object (requires policy installation).
   
   
2. On the Security Gateway machine:
   
   
   • On Gaia OS - in Clish:
     
     
     1. Configure the proxy:
        HostName> set proxy ipv4-address http://PROXY_HOST port PROXY_PORT
        
        
     2. Save the configuration:
        HostName> save config
     
     
     
   • On Gaia / SecurePlatform / IPSO OS - in Expert mode:
     
     
     1. In the $CPDIR/tmp/.CPprofile.sh script
        
        Add this line:
        http_proxy=http://USERNAME:PASSWORD@PROXY_HOST:PROXY_PORT ; export http_proxy
        
        (where "username" and "password" are the proxy credentials - only if needed)
        
        Under this line:
        INFODIR=/opt/CPinfo-10 ; export INFODIR
        
        
     2. Restart all Check Point services:
        [Expert@HostName]# cpstop ; cpstart
     
     
     
   • On Windows OS:
     
     
     1. Start - Run... - "%WINDIR%\system32\rundll32.exe" sysdm.cpl,EditEnvironmentVariables - OK
        
        
     2. Under 'System Variables' - click on 'New...'
        
        
        • name: http_proxy
        • value: http://USERNAME:PASSWORD@PROXY_HOST:PROXY_PORT
        • and click 'OK'
        (where "username" and "password" are the proxy credentials - only if needed)
        
        
     3. Click on 'OK'.
        
        
     4. Reboot the machine.

CLI Syntax

# cpinfo [-v] [-l] [-a] [-z] [-k] [-n] [-i] [-f <FILE1> <FILE2> ... ] [-s <SR_Number>] [-u <username>] [-y all | <product>] [-o <filename>] [-c <Domain> | -x <VSID>] [-e <e-mail1>,<e-mail2>,<e-mail3>,...] [-d] [-h]

where

• -v - Show CPinfo version information
• -l - Include Log files
• -n - Don't create CPinfo file (used in combination with "-f" flag)
• -z - Output is gzipped
• -k - Include FireWall Kernel Tables dump
• -i - Non-interactive mode
• -f <FILE> - Upload additional files (separated with space) to Check Point server
• -s <SR_Number> - Specifies the ticket number
• -u <username> - Connects to User Center with username and password
• -y - Show Installed hotfixes
• -o - Specifies CPinfo output file name
• -c <Domain> - Generate CPinfo for a certain Domain (Multi-Domain Management only)
• -x <VSID> - Generate CPinfo for a certain VSID (VSX mode only)
• -e <e-mail> - Specifies e-mail addresses (separated by comma) to notify about upload status
• -d - Don't check for updates
• -a - Force update check (the check is weekly by default)
• -h - Display this help and exit

Example:

The below command will create a gateway.cpinfo output file in /var/log directory. This file will include logs and will be gzipped

cpinfo -l -z -o /var/log/gateway.cpinfo 
 

Data Collected

CPinfo collects the entire Security Gateway installation directory, including $FWDIR/log/* and other log files. Some of the other viewable information includes:

• System message logs
• Module version information
• Installed hotfixes information
• OS and network stats
• Interfaces and devices information
• Various FW1 tables
• Configuration and database files
• Core dump files

Installing CPinfo

Installing CPinfo involves downloading the proper platform's version of CPInfo, extracting the CPinfo file, and running the command to start the CPinfo script.

You can install this CPInfo on Gaia / SecurePlatform / Linux / IPSO / Windows OS.

System Requirements

• Operating Systems: SecurePlatform, Gaia, Linux, IPSO 6.x, Windows.
  
  
• Supported versions: All.
  
  
• For Solaris and IPSO 3.x/4.x, refer to sk30567.
  
  
• In order to upload CPinfo files to Check Point, the following ports should be open:
  
  
  • For Authentication (HTTPS - port 443): services.checkpoint.com
    
    
  • File uploading (HTTPS - port 443, or SFTP - port 22): ftp-proxy.checkpoint.com, mercury.ts.checkpoint.com, fairfax.ott.checkpoint.com
  
  
  
• Configured DNS on the machine, on which you run CPinfo.
  
  
• To collect CPinfo on a Windows machine, Microsoft Visual C++ 2012 Redistributable Package (2012 or above) should be installed (if it is not already installed).

First Time Installation Instructions

Downloading and updating CPinfo should be done once for version before R75.47, after the tool was updated, it will update itself.

• Gaia / SecurePlatform / Linux

  Download the latest CPinfo utility from here.

  Note: If the download of CPinfo utility is impossible, then either install it from the /sysimg/CPwrapper/linux/CPinfo/CPinfo-10-00.i386.rpm, or extract the /linux/CPinfo/CPinfo-10-00.i386.rpm package from the CD.

  Run the following commands from the directory where you put the downloaded file:

  1. Place the file in a temp directory on the target system.
     
     
  2. Go into that directory.
     
     
  3. Unpack the CPInfo package:
     [Expert@HostName]# tar -xvzf cpinfo_<package_name>.tgz
     
     
  4. Install the CPInfo utility:
     [Expert@HostName]# rpm -Uvh --force CPinfo-10-00.i386.rpm
     
     
  5. Log out from all shells on the target system.
     
     
  6. Log in to the shell before.
     
     
  7. Verify that the CPInfo utility was installed:
     [Expert@HostName]# rpm -qa | grep CPinfo
     
     Note: If the CPinfo-10-00 package does not appear in the output, try to rebuild the rpm database:
     [Expert@HostName]# rpm -v --rebuilddb
     
     
  8. Check the build number of CPinfo utility:
     [Expert@HostName]# cpvinfo /opt/CPinfo-10/bin/cpinfo | grep Build
     
     The 'Build Number' should be 9120000xxx. Note that usually the build number is mentioned in the archive file name.
  
  
  

• IPSO

  Download the latest CPinfo utility from here.

  Installation in Voyager:

  1. Log into "Voyager" and download the package to the IPSO machine by clicking 'Configuration'.
  2. Select 'System Configuration' > 'Packages' > 'Install Package'.
  3. If FTP is accessible, transfer the cpinfo.tgz file to the Site Listing pane.
  4. Select the file and click 'Apply'.
  5. Make sure that the package is listed in the 'Unpack Package' pane.
  6. Select the package, and then click the "Click here to install/upgrade /opt/packages<package_name>.tgz" link.
  7. If FTP is not accessible, copy the package to /opt/packages/ on the IPSO machine.
  8. Make sure that the package is listed in the 'Unpack Package' pane.
  9. Select the package, and then click the "Click here to install/upgrade /opt/packages<package_name>.tgz" link.
  10. In the 'Package Installation and Upgrade' window, select the 'Install' checkbox and click 'Apply'.
  11. In the 'Manage Packages' window, verify that cpinfo is enabled.

  Installation in Clish:

  1. On the IPSO machine, run clish command to switch into CLISH shell.
  2. Download the cpinfo.tgz file to the IPSO machine home directory via FTP.
  3. Run in clish:
     HostName> add package media ftp addr <IP_Address> user <UserName> password <Password> name cpinfo_<cpinfo_build>.tgz
     Note: If FTP is not accessible, download the cpinfo.tgz file to the IPSO machine /opt/packages/ directory and modify the 'add package media' command accordingly.
  4. Log out from clish to usual shell.
  
  
  

• Windows

  Download the latest CPinfo utility from here.

  Install the downloaded package, following instructions in the Installation shield (if it is not possible to uninstall the current version of CPinfo, refer to sk65030). Reboot the machine.

Additional clarifications 

Up until recently Check Point support has been providing SFTP credentials for upload and download of file. 
Here are the main benefits of using the CPinfo utility over SFTP:

• Authentication is using the customer UserCenter credentials
• Files are encrypted before leaving customer’s network
• Files are verified for MD5 and size
• Notification system on upload process
• Hold/resume features
• Built on top of https and SFTP protocols
  
  

Known Limitations