Support Center > Search Results > SecureKnowledge Details
The CPinfo utility
Solution

Table of Contents:

  • Introduction
  • Usage Instructions
  • CLI Syntax
  • Data Collected
  • System Requirements
  • First Time Installation Instructions
  • Additional clarifications
  • Known Limitations

 

Introduction

CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the cp_uploader utility for uploading files to Check Point servers)

The CPinfo output file allows analyzing customer setups from a remote location. Check Point's support engineers can open the CPinfo file in a demo mode, while viewing actual customer Security Policies and objects. This allows the in-depth analysis of all of customer configuration options and environment settings.

When contacting Check Point's support, collect cpinfo files from the Security Management and Security Gateways involved in your case.

 

Usage Instructions

CPinfo can be run from command line (on all versions) or via SmartUpdate (from R75.47 and above).

CLI SmartUpdate
  • On Gaia OS: run cpinfo [flags] in Clish or in Expert mode
  • On SecurePlatform OS: run cpinfo [flags] in Expert mode
  • On Linux OS: run cpinfo [flags] on CLI
  • On IPSO OS: run cpinfo [flags] on CLI
  • On Windows OS: run cpinfo [flags] in Windows Command Prompt
  • On all versions, run cpinfo -h to see additional help
  1. Right-click the Security Gateway / Security Management object, from which you want to collect the CPinfo.
  2. Select "Upload diagnostics (CPinfo) to Check Point".
  3. Enter your User Center credentials, SR number, and click OK.

 

Using an HTTP proxy

CPinfo uses HTTPS to update itself and upload files. This step is relevant for customers for which Internet access traffic is required to pass through an HTTP proxy server and that their Check Point Security Gateway / Security Management is not configured with such proxy (as described in Administration Guide). CPinfo will read the proxy configuration that was configured on the Security Gateway (either via SmartDashboard, or CLI).

The proxy can be configured either in SmartDashboard, or on the Security Gateway machine.

Show / Hide proxy configuration instructions for all platforms
  1. In the SmartDashboard - in the Security Gateway object (requires policy installation).

  2. On the Security Gateway machine:

    • On Gaia OS - in Clish:

      1. Configure the proxy:
        HostName> set proxy ipv4-address http://PROXY_HOST port PROXY_PORT

      2. Save the configuration:
        HostName> save config


    • On Gaia / SecurePlatform / IPSO OS - in Expert mode:

      1. In the $CPDIR/tmp/.CPprofile.sh script

        Add this line:
        http_proxy=http://USERNAME:PASSWORD@PROXY_HOST:PROXY_PORT ; export http_proxy

        (where "username" and "password" are the proxy credentials - only if needed)

        Under this line:
        INFODIR=/opt/CPinfo-10 ; export INFODIR

      2. Restart all Check Point services:
        [Expert@HostName]# cpstop ; cpstart


    • On Windows OS:

      1. Start - Run... - "%WINDIR%\system32\rundll32.exe" sysdm.cpl,EditEnvironmentVariables - OK

      2. Under 'System Variables' - click on 'New...'

        • name: http_proxy
        • value: http://USERNAME:PASSWORD@PROXY_HOST:PROXY_PORT
        • and click 'OK'
        (where "username" and "password" are the proxy credentials - only if needed)

      3. Click on 'OK'.

      4. Reboot the machine.


Allowing upload data to Check Point / download data from Check Point

  • To be able to download the latest CPinfo, enable the "Automatically download Contracts and other important data" option in the Security Management section of Global Properties

  • To be able to upload the CPinfo output to Check Point, enable the "Improve product experience by sending data to Check Point" option in the Security Management section of Global Properties.

For more information, refer to sk111080 - How to configure Check Point software to upload data to Check Point / download data from Check Point.

Offline Mode

If Internet connectivity is not available, CPinfo will output the following message:

[Expert@23800-2:0]# cpinfo
This is Check Point CPinfo Build 914000xxx for GAIA
Checking for updates...
Updating...
Verifying CK...
Could not verify CK: Connection failed
CPinfo update failed, using existing package

Disable the "Automatically download Contracts and other important data" and "Improve product experience by sending data to Check Point" options in the Security Management section of Global Properties to prevent the CPinfo utility attempts to connect to Check Point.

For more information, refer to sk111080 - How to configure Check Point software to upload data to Check Point / download data from Check Point.

 

CLI Syntax

  • On Gaia / SecurePlatform / IPSO / Linux OS:

    Usage:   cpinfo [-v] | [-l] [-a] [-z] [-k] [-n] [-i] [-x]
    	 [-f <FILE1> <FILE2> ... ] [-s <SR number>] [-u <username>]
    	 [-c <CMA1> <CMA2> ... ]
    	 [-y all | <product>] [-o <filename>] [-e <email>] [-R <email>]
    		-v	Show CPinfo version information
    		-y	Show Installed hotfixes
    		-k	Include FW table dump
    		-l	Include Log records
    		-c	Generate CPinfo for a certain Domain (Multi-Domain Management only)
    		-o	CPinfo output file name
    		-z	Output is compressed
    		-i	Non-interactive mode
    		-d	Don't check for updates
    		-a	Force update check (the check is weekly by default)
    		-n	Don't collect and create CPinfo file (used in combination with -f)
    		-f	Upload additional files to Check Point server
    		-u	Connect to User Center with username (you will later be asked to enter a password)
    		-e	Emails to notify about upload status (<single email> or "<email #1>;<email #2>;....;<email #n>")
    		-s	SR Number
    		-T	Timeout per command (in seconds). 0 means no timeout. Default timeout is 5 minutes
    		-h	Display this help and exit
    		-R	R80 upgrade simulation service mode for Management or Multi-Domain Management only (can only be used in combination with -i),
    		  	requires emails to notify about upload status (<single email> or "<email #1>;<email #2>;....;<email #n>"),
    		-x	Don't create migrate export or MDS export, for Management or Multi-Domain Management, R80 version or above only 
        
  • On Windows OS:

    Usage: CPinfo [-v] [-l] [-n] [-z] [-d] [-g] [-i]
    	[-f <FILE1> <FILE2> ... ] [-s <SR number>] [-u <username>]
    	[-o <output_file>] [-y all|<product>] [-e <email>] [-R <email>]
    	[-r|-t [tablename]] [-b|-j <conf_file>]
    		-v: Show CPinfo version information
    		-y: Show Installed hotfixes
    		-k: Include FW table dump
    		-l: Include Log records
    		-j: Create a CPinfo configuration file
    		-b: CPinfo will perform according to the configuration file
    		-o: CPinfo output file name
    		-z: Output is compressed
    		-i: Non-interactive mode 
    		-d: Don't check for updates
    		-n: Don't create CPinfo file (used in combination with -f)
    		-g: Do not resolve network addresses
    		-u: Connect to User Center with username (you will later be asked to enter a password)
    		-f: Upload additional files to Check Point server
    		-a: Force update check (the check is weekly by default) 
    		-e: Emails to notify about upload status (<single email> or "<email #1>;<email #2>;....;<email #n>")
    		-R: R80 upgrade simulation service mode for Management only (can only be used in combination with -i),
    		    requires emails to notify about upload status (<single email> or "<email #1>;<email #2>;....;<email #n>")
    		-s: SR number
    		-r: Include the registry in the output
    		-t: Output consists of tables only (SecureRemote only)
    		-h: Display this help and exit
          

Example:

The below command creates a gateway.info.gz output file in /var/log/ directory. This file will include logs and will be gzipped:

cpinfo -z -l -o /var/log/gateway

Notes:

  • Upgrade Verification and Environment Simulation service: To allow users with older versions (R75.40 and above) to check if their system can be easily upgraded to R80, a new flag was added to CPinfo: -R.

    When running cpinfo -R besides the regular data collection, CPinfo will perform export collection on pre-R80 machines (using a custom version of export tools) and will upload the output to a destination folder in Check Point FTP server. Both files will have a unique name consistent of a 10-digit number to match the CPinfo and the export files together, a counter (102 or 202) to state how many files were uploaded, the name of the machine and the time stamp. Once the files are uploaded they will be handled by R80 upgrade simulation service team.
    For additional information regarding the -R flag, refer to sk110267.
  • The "-c" flag functionality now allows performing CPinfo (and MDS export collection on R80 or above) per certain Domain (CMA) without having to switch to it (from the Multi-Domain MDS environment).

 

Data Collected

CPinfo collects the entire Security Gateway installation directory, including $FWDIR/log/* and other log files. Some of the other viewable information includes:

  • System message logs
  • Module version information
  • Installed hotfixes information
  • OS and network statistics
  • Interfaces and devices information
  • Various FW1 tables
  • Configuration and database files
  • Core dump files

 

System Requirements

Supported Operating Systems
  • Gaia
  • SecurePlatform
  • Linux
  • IPSO 6.x
  • Windows
For Solaris and IPSO 3.x/4.x, refer to sk30567.
Supported versions All
DNS DNS server must be configured on the machine, on which you run CPinfo
Uploading CPinfo files to Check Point To upload CPinfo files to Check Point, the following ports should be open:
  • For Authentication (HTTPS - port 443):
    • services.checkpoint.com
  • File uploading (HTTPS - port 443, or SFTP - port 22):
    • ftp-proxy.checkpoint.com
    • mercury.ts.checkpoint.com
    • fairfax.ott.checkpoint.com

 

First Time Installation Instructions

Downloading and updating CPinfo should be done once for version before R75.47, after the tool was updated, it will update itself.

  • For Gaia / SecurePlatform / Linux

    Download the latest CPinfo utility from the table below:

    Platform Product Version Download CPinfo
    CPinfo for Gaia / SecurePlatform / Linux OS Pre-R80
    CPinfo for Gaia / SecurePlatform / Linux OS R80

    Note: If the download of CPinfo utility is impossible, either install it from the /sysimg/CPwrapper/linux/CPinfo/CPinfo-10-00.i386.rpm, or extract the /linux/CPinfo/CPinfo-10-00.i386.rpm package from the CD.

    Show / Hide the installation instructions for Gaia / SecurePlatform / Linux

    Run the following commands from the directory where you put the downloaded file:

    1. Place the file in a temp directory on the target system.

    2. Go into that directory.

    3. Unpack the CPInfo package:
      [Expert@HostName]# tar -xvzf cpinfo_<package_name>.tgz

    4. Install the CPInfo utility:
      [Expert@HostName]# rpm -Uvh --force CPinfo-10-00.i386.rpm

    5. Log out from all shells on the target system.

    6. Log in to the shell before.

    7. Verify that the CPInfo utility was installed:
      [Expert@HostName]# rpm -qa | grep CPinfo

      Note: If the CPinfo-10-00 package does not appear in the output, try to rebuild the rpm database:
      [Expert@HostName]# rpm -v --rebuilddb

    8. Check the build number of CPinfo utility:
      [Expert@HostName]# cpinfo 

      The output should be

      This is Check Point CPinfo Build 914000xxx for GAIA

      Verifying CK...

      OR run

      [Expert@HostName]# cpinfo -v

      The output should be: "This is Check Point CPinfo Build 914000xxx for GAIA"


  • For IPSO

    Download the latest CPinfo utility for IPSO from the table below:

    Platform Product Version Download CPinfo
    CPinfo for IPSO OS Pre-R80

    • Show / Hide the installation instructions for IPSO
      • Installation in Voyager:

        1. Log into "Voyager".
        2. Copy the CPinfo package to the machine:
          1. Download the CPinfo package (the tgz file) to your local computer.
          2. Select 'Configuration' > 'System Configuration' > 'Packages' > 'Install Package'.
          3. In the 'Install Package from Remote' section choose 'Upload'.
          4. Click 'Choose file' and select the package from the local file system.
          5. Click 'Apply' at the bottom of the page and wait until upload process finishes (it can take a few minutes).
        3. Select the CPinfo version you wish to install and click 'Apply'.
        4. Click the "Click here to install/upgrade /opt/packages<package_name>.tgz" link.
        5. In the 'Package Installation and Upgrade' window, select the 'Install' checkbox and click 'Apply'.
        6. In the 'Manage Packages' window, verify that CPinfo is enabled.
      • Installation in Clish:

        1. Download the cpinfo_<cpinfo_build>.tgz file to the IPSO machine home directory.
        2. Place a copy of cpinfo_<cpinfo_build>.tgz file under /opt/packages/.
        3. Run the following commands:
          cd /opt/packages
          clish -c "set config-lock on override"
          clish -c "add package media local name cpinfo_<cpinfo_build>.tgz "
        4. Logout for the changes to take effect.
        5. Check the build number of CPinfo utility:
          # cpinfo 

          The output should be

          This is Check Point CPinfo Build 914000xxx for IPSO

          Verifying CK...

          OR run

          # cpinfo -v

          The output should be: "This is Check Point CPinfo Build 914000xxx for IPSO"
    • Show / Hide the uninstall instructions for IPSO
      1. Run the following commands:
        clish -c "set package name /opt/CPinfo-10 off"
        clish -c "delete package name /opt/CPinfo-10"
      2. Logout.


  • For Windows

    Download the latest CPinfo utility for Windows from the table below:

    Platform Product Version Download CPinfo
    CPinfo for Windows OS Pre-R80

    Show / Hide the install instructions for Windows

    Install the downloaded package, following instructions in the Installation shield, then reboot the machine.

    Check the build number of CPinfo utility:
    > cpinfo 

    The output should be

    This is Check Point CPinfo Build 914000xxx for Windows

    Verifying CK...

    OR run

    > cpinfo -v

    The output should be: "This is Check Point CPinfo Build 914000xxx for Windows"

    If it is not possible to uninstall the current version of CPinfo, refer to sk65030.

     

 

Additional clarifications

Here are the main benefits of using the CPinfo utility over SFTP:

  • Authentication is using the customer UserCenter credentials
  • Files are encrypted before leaving customer¬ís network
  • Files are verified for MD5 and size
  • Notification system on upload process
  • Hold/resume features
  • Built on top of HTTPS and SFTP protocols

 

Known Limitations

# Symptoms
1

When CPInfo is executed with flag -a and then self-updates to build 914000158, the upgrade should complete successfully, but the following error message will be received afterwards: "Force update check mode (-a flag) cannot be used in combination with don't check for updates mode (-d flag) or with non-interactive mode (-i flag)."

 

This issue is created upon the relaunch of the newly updated version, when CPInfo uses the original flags and -d flag is added (since there is no need to attempt an update again).

The combination of -a and -d flags is not allowed (since they contradict each other) and thus this error message is printed.

This issue will be resolved when CPInfo build 914000158 will be self-updated to future CPInfo builds.

In the meantime, simply re-execute CPInfo with the desired flags.

2

CPinfo self-update for builds 914000112-914000128 fails with the following error:

Downloaded package verification failed
Error: Wrong update package format!
CPinfo update failed, using existing package

Refer to sk110788

3 Auto update on Windows OS in Command Prompt will require manual trigger of Install Shield.
4 Files that contain '/' or '\' in their name, which is not according to the OS, on which the CPinfo tool is running ('/' on Windows and '\' on all the rest of OS), cannot be uploaded to Check Point servers.>

Examples:
  • On Linux-based OS:
    • Uploading \directory\demofile.txt will be blocked
    • Uploading /directory/demofile.txt will be processed successfully
  • On Windows OS:
    • Uploading C:/demofile.txt will be blocked
    • Uploading C:\demofile.txt will be processed successfully
5 The following operating system are not supported:
  • IPSO 3.X
  • IPSO 4.X
  • Solaris OS

Refer to sk30567

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment