Table of Contents:
Introduction
CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the cp_uploader utility for uploading files to Check Point servers)
The CPinfo output file allows analyzing customer setups from a remote location. Check Point's support engineers can open the CPinfo file in a demo mode, while viewing actual customer Security Policies and objects. This allows the in-depth analysis of all of customer configuration options and environment settings.
When contacting Check Point's support, collect cpinfo files from the Security Management and Security Gateways involved in your case.
Usage Instructions
CPinfo can be run from command line (on all versions) or via SmartUpdate (from R75.47 and above).
Using an HTTP proxy
CPinfo uses HTTPS to update itself and upload files. This step is relevant for customers for which Internet access traffic is required to pass through an HTTP proxy server and that their Check Point Security Gateway / Security Management is not configured with such proxy (as described in Administration Guide). CPinfo will read the proxy configuration that was configured on the Security Gateway (either via SmartDashboard, or CLI).
The proxy can be configured either in SmartDashboard, or on the Security Gateway machine.
Show / Hide proxy configuration instructions for all platforms
- In the SmartDashboard - in the Security Gateway object (requires policy installation).
- On the Security Gateway machine:
- On Gaia OS - in Clish:
- Configure the proxy:
HostName> set proxy ipv4-address http://PROXY_HOST port PROXY_PORT
- Save the configuration:
HostName> save config
- On Gaia / SecurePlatform / IPSO OS - in Expert mode:
- In the
$CPDIR/tmp/.CPprofile.sh script
Add this line:
http_proxy=http://USERNAME:PASSWORD@PROXY_HOST:PROXY_PORT ; export http_proxy
(where "username" and "password" are the proxy credentials - only if needed)
Under this line:
INFODIR=/opt/CPinfo-10 ; export INFODIR
- Restart all Check Point services:
[Expert@HostName]# cpstop ; cpstart
- On Windows OS:
- Start - Run... -
"%WINDIR%\system32\rundll32.exe" sysdm.cpl,EditEnvironmentVariables - OK
- Under '
System Variables' - click on 'New...'
- name:
http_proxy
- value:
http://USERNAME:PASSWORD@PROXY_HOST:PROXY_PORT
- and click '
OK'
(where "username" and "password" are the proxy credentials - only if needed)
- Click on '
OK'.
- Reboot the machine.
Allowing upload data to Check Point / download data from Check Point
- To be able to download the latest CPinfo, enable the "Automatically download Contracts and other important data" option in the Security Management section of Global Properties
- To be able to upload the CPinfo output to Check Point, enable the "Improve product experience by sending data to Check Point" option in the Security Management section of Global Properties.
For more information, refer to sk111080 - How to configure Check Point software to upload data to Check Point / download data from Check Point.
Offline Mode
If Internet connectivity is not available, CPinfo will output the following message:
[Expert@23800-2:0]# cpinfo
This is Check Point CPinfo Build 914000xxx for GAIA
Checking for updates...
Updating...
Verifying CK...
Could not verify CK: Connection failed
CPinfo update failed, using existing package
Disable the "Automatically download Contracts and other important data" and "Improve product experience by sending data to Check Point" options in the Security Management section of Global Properties to prevent the CPinfo utility attempts to connect to Check Point.
For more information, refer to sk111080 - How to configure Check Point software to upload data to Check Point / download data from Check Point.
CLI Syntax
-
On Gaia / SecurePlatform / IPSO / Linux OS:
Usage: cpinfo [-v] | [-l] [-a] [-z] [-k] [-n] [-i] [-x]
[-f <FILE1> <FILE2> ... ] [-s <SR number>] [-u <username>]
[-c <CMA1> <CMA2> ... ]
[-y all | <product>] [-o <filename>] [-e <email>] [-R <email>]
-v Show CPinfo version information
-y Show Installed hotfixes
-k Include FW table dump
-l Include Log records
-c Generate CPinfo for a certain Domain (Multi-Domain Management only)
-o CPinfo output file name
-z Output is compressed
-i Non-interactive mode
-d Don't check for updates
-a Force update check (the check is weekly by default)
-n Don't collect and create CPinfo file (used in combination with -f)
-f Upload additional files to Check Point server
-u Connect to User Center with username (you will later be asked to enter a password)
-e Emails to notify about upload status (<single email> or "<email #1>;<email #2>;....;<email #n>")
-s SR Number
-T Timeout per command (in seconds). 0 means no timeout. Default timeout is 5 minutes
-h Display this help and exit
-R R80 upgrade simulation service mode for Management or Multi-Domain Management only (can only be used in combination with -i),
requires emails to notify about upload status (<single email> or "<email #1>;<email #2>;....;<email #n>"),
-x Don't create migrate export or MDS export, for Management or Multi-Domain Management, R80 version or above only
-
On Windows OS:
Usage: CPinfo [-v] [-l] [-n] [-z] [-d] [-g] [-i]
[-f <FILE1> <FILE2> ... ] [-s <SR number>] [-u <username>]
[-o <output_file>] [-y all|<product>] [-e <email>] [-R <email>]
[-r|-t [tablename]] [-b|-j <conf_file>]
-v: Show CPinfo version information
-y: Show Installed hotfixes
-k: Include FW table dump
-l: Include Log records
-j: Create a CPinfo configuration file
-b: CPinfo will perform according to the configuration file
-o: CPinfo output file name
-z: Output is compressed
-i: Non-interactive mode
-d: Don't check for updates
-n: Don't create CPinfo file (used in combination with -f)
-g: Do not resolve network addresses
-u: Connect to User Center with username (you will later be asked to enter a password)
-f: Upload additional files to Check Point server
-a: Force update check (the check is weekly by default)
-e: Emails to notify about upload status (<single email> or "<email #1>;<email #2>;....;<email #n>")
-R: R80 upgrade simulation service mode for Management only (can only be used in combination with -i),
requires emails to notify about upload status (<single email> or "<email #1>;<email #2>;....;<email #n>")
-s: SR number
-r: Include the registry in the output
-t: Output consists of tables only (SecureRemote only)
-h: Display this help and exit
Example:
The below command creates a gateway.info.gz output file in /var/log/ directory. This file will include logs and will be gzipped:
cpinfo -z -l -o /var/log/gateway
Notes:
- Upgrade Verification and Environment Simulation service: To allow users with older versions (R75.40 and above) to check if their system can be easily upgraded to R80, a new flag was added to CPinfo: -R.
When running cpinfo -R besides the regular data collection, CPinfo will perform export collection on pre-R80 machines (using a custom version of export tools) and will upload the output to a destination folder in Check Point FTP server. Both files will have a unique name consistent of a 10-digit number to match the CPinfo and the export files together, a counter (102 or 202) to state how many files were uploaded, the name of the machine and the time stamp. Once the files are uploaded they will be handled by R80 upgrade simulation service team.
For additional information regarding the -R flag, refer to sk110267.
- The "-c" flag functionality now allows performing CPinfo (and MDS export collection on R80 or above) per certain Domain (CMA) without having to switch to it (from the Multi-Domain MDS environment).
Data Collected
CPinfo collects the entire Security Gateway installation directory, including $FWDIR/log/* and other log files. Some of the other viewable information includes:
- System message logs
- Module version information
- Installed hotfixes information
- OS and network statistics
- Interfaces and devices information
- Various FW1 tables
- Configuration and database files
- Core dump files
System Requirements
| Supported Operating Systems |
- Gaia
- SecurePlatform
- Linux
- IPSO 6.x
- Windows
For Solaris and IPSO 3.x/4.x, refer to sk30567. |
| Supported versions |
All |
| DNS |
DNS server must be configured on the machine, on which you run CPinfo |
| Uploading CPinfo files to Check Point |
To upload CPinfo files to Check Point, the following ports should be open:
- For Authentication (HTTPS - port 443):
- File uploading (HTTPS - port 443, or SFTP - port 22):
ftp-proxy.checkpoint.commercury.ts.checkpoint.comfairfax.ott.checkpoint.com
|
First Time Installation Instructions
Downloading and updating CPinfo should be done once for version before R75.47, after the tool was updated, it will update itself.
-
For Gaia / SecurePlatform / Linux
Download the latest CPinfo utility from the table below:
Note: If the download of CPinfo utility is impossible, either install it from the /sysimg/CPwrapper/linux/CPinfo/CPinfo-10-00.i386.rpm, or extract the /linux/CPinfo/CPinfo-10-00.i386.rpm package from the CD.
-
For IPSO
Download the latest CPinfo utility for IPSO from the table below:
-
Show / Hide the installation instructions for IPSO
-
Installation in Voyager:
- Log into "Voyager".
- Copy the CPinfo package to the machine:
- Download the CPinfo package (the tgz file) to your local computer.
- Select 'Configuration' > 'System Configuration' > 'Packages' > 'Install Package'.
- In the 'Install Package from Remote' section choose 'Upload'.
- Click 'Choose file' and select the package from the local file system.
- Click 'Apply' at the bottom of the page and wait until upload process finishes (it can take a few minutes).
- Select the CPinfo version you wish to install and click 'Apply'.
- Click the "Click here to install/upgrade /opt/packages<package_name>.tgz" link.
- In the 'Package Installation and Upgrade' window, select the 'Install' checkbox and click 'Apply'.
- In the 'Manage Packages' window, verify that CPinfo is enabled.
-
Installation in Clish:
- Download the cpinfo_<cpinfo_build>.tgz file to the IPSO machine home directory.
- Place a copy of cpinfo_<cpinfo_build>.tgz file under /opt/packages/.
- Run the following commands:
cd /opt/packages
clish -c "set config-lock on override"
clish -c "add package media local name cpinfo_<cpinfo_build>.tgz "
- Logout for the changes to take effect.
- Check the build number of CPinfo utility:
# cpinfo
The output should be
This is Check Point CPinfo Build 914000xxx for IPSO
Verifying CK...
OR run
# cpinfo -v
The output should be: "This is Check Point CPinfo Build 914000xxx for IPSO"
-
-
For Windows
Download the latest CPinfo utility for Windows from the table below:
Show / Hide the install instructions for Windows
Install the downloaded package, following instructions in the Installation shield, then reboot the machine.
Check the build number of CPinfo utility:
> cpinfo
The output should be
This is Check Point CPinfo Build 914000xxx for Windows
Verifying CK...
OR run
> cpinfo -v The output should be: "
This is Check Point CPinfo Build 914000xxx for Windows"
If it is not possible to uninstall the current version of CPinfo, refer to
sk65030.
Additional clarifications
Here are the main benefits of using the CPinfo utility over SFTP:
- Authentication is using the customer UserCenter credentials
- Files are encrypted before leaving customers network
- Files are verified for MD5 and size
- Notification system on upload process
- Hold/resume features
- Built on top of HTTPS and SFTP protocols
Known Limitations
