Monday, October 24, 2011

Checkpoint Firewall Logs from CLI

Syntax
fw log displays the content of log files. The full syntax of the fw log command is as follows:

fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile]

Optional Switches
The optional switches for fw log are as follows:

-f [-t]
By default, fw log exits after it reaches the end of the file. With -f it does not exit, but keeps monitoring the log file indefinitely and displays records as they are written. The -t parameter makes the display begin at the end of the file: the output is initially empty, and only records added later are displayed. -t is only meaningful together with -f. Both flags are relevant only for the active log file.

-n
Do not perform DNS resolution of the IP addresses in the log file. By default, fw log resolves addresses to names; suppressing this significantly speeds up processing (and avoids sending a DNS query for every address in the log).

-l
Display both the date and the time for each log record. (The default is to show the date only once above the relevant records, and then specify the time per log record.)

-o
Show detailed log chains (all log segments a log record consists of).

-c action
Display only events whose action is action, i.e., accept, drop, reject, authorize, deauthorize, encrypt, and decrypt. Control actions are always displayed.

-h host
Display only the log whose origin is the specified IP address or name.

-s starttime
Display only events that were logged after the specified time. (See format below.) starttime may be a date, time, or both. If the date is omitted, today’s date is assumed.

-e endtime
Display only events that were logged before the specified time. (See format below) endtime may be a date, a time, or both.

-b starttime endtime
Display only events that were logged between the specified start and end times (format below), each of which may be a date, time, or both. If date is omitted, today’s date is assumed. The start and end times are expected after the flag.

-u unification_scheme_file
Unification-scheme filename. (The unification scheme specifies the precise manner in which logs are processed for the selected unification mode.)

-m unification_mode
This flag specifies the unification mode.
* initial - the default mode, specifying complete unification of log records; i.e., output one unified record for each ID. When used together with -f, updates are not displayed; only entries relating to the start of new connections are shown. To display updates, use the semi parameter.
* semi - step-by-step unification; for each log record, output a record that unifies this record with all previously-encountered records with the same ID.
* raw - outputs all records, with no unification.

-a
Output account-log records only.

-k alert_name
Display only events that match a specific alert type. The default is all, for any alert type.

-g
Do not use a delimited style. The default is:
* : after field name
* ; after field value

logfile
Use logfile instead of the default log file. The default log file is $FWDIR/log/fw.log.

DATE & TIME FORMAT:
The full date-and-time format is: MMM DD, YYYY HH:MM:SS (for example: May 26, 1999 14:20:00)

It is possible to specify the date only, in the format MMM DD, YYYY, or the time only, in the format HH:MM:SS. When only the time is specified, the current date is assumed.

Examples:

fw log
fw log | more
fw log -c reject
fw log -s "May 26, 1999"
fw log -f -s 16:00:00
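Once the output is on the terminal, the next thing a practitioner usually wants is to turn it into something countable. The following Python is an added example, not from the original post or from Check Point: it builds a fw log command line with the date format documented above, and parses the "field: value;" style of record described under -g (with the time, action, origin and interface prefix that precedes the delimited fields) into dictionaries so that drops can be tallied per source. The sample lines are constructed for this example in the shape of default fw log output; the exact prefix layout and the field names (rule, src, dst, proto, service, s_port) are assumptions, and the parser expects the default time-only records, so do not combine it with -l.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records in the shape of default fw log output:
# <time> <action> <origin> <direction><interface> name: value; name: value; ...
# The prefix layout and field names are assumptions for this example.
SAMPLE = """\
14:20:00 drop   192.0.2.1 >eth0 rule: 5; src: 198.51.100.7; dst: 10.1.1.10; proto: tcp; service: 22; s_port: 40001;
14:20:01 accept 192.0.2.1 <eth1 rule: 2; src: 10.1.1.20; dst: 203.0.113.5; proto: tcp; service: 443; s_port: 50231;
14:20:03 drop   192.0.2.1 >eth0 rule: 5; src: 198.51.100.7; dst: 10.1.1.10; proto: tcp; service: 23; s_port: 40002;
14:20:04 reject 192.0.2.1 >eth0 rule: 7; src: 198.51.100.9; dst: 10.1.1.25; proto: udp; service: 53; s_port: 1337;
"""

# Fixed prefix: time, action, origin, then '>' or '<' (direction) glued to the interface.
HEADER = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<action>\S+)\s+(?P<origin>\S+)\s+'
    r'(?P<dir>[<>])(?P<iface>\S+)\s*(?P<rest>.*)$'
)
# Delimited fields: ':' after the field name, ';' after the field value (the -g default).
FIELD = re.compile(r'(?P<name>[^:;]+?):\s*(?P<value>[^;]*);')

FW_TIME_FMT = '%b %d, %Y %H:%M:%S'   # MMM DD, YYYY HH:MM:SS, as documented for -s/-e/-b


def fw_log_cmd(start, end, action=None):
    """Return an argv list for fw log over [start, end] (datetimes), optionally
    restricted to one action. -n skips DNS resolution so the run is fast and
    quiet. Pass the list to subprocess.run so each timestamp stays one argument."""
    cmd = ['fw', 'log', '-n']
    if action:
        cmd += ['-c', action]
    cmd += ['-b', start.strftime(FW_TIME_FMT), end.strftime(FW_TIME_FMT)]
    return cmd


def parse_record(line):
    """Parse one fw log record into a dict, or return None for lines that do
    not look like records (the date header printed above a group, blanks)."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ('time', 'action', 'origin', 'dir', 'iface')}
    for f in FIELD.finditer(m.group('rest')):
        rec[f.group('name').strip()] = f.group('value').strip()
    return rec


def parse_log(text):
    """Parse all records in a block of fw log output, skipping non-record lines."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def drops_by_source(records, start='00:00:00', end='23:59:59'):
    """Count drop/reject records per source address inside a time window.
    Zero-padded HH:MM:SS strings compare correctly as plain strings."""
    counts = Counter()
    for r in records:
        if r['action'] in ('drop', 'reject') and start <= r['time'] <= end:
            counts[r.get('src', '?')] += 1
    return counts


if __name__ == '__main__':
    print(' '.join(fw_log_cmd(datetime(1999, 5, 26, 14, 0, 0),
                              datetime(1999, 5, 26, 15, 0, 0), 'drop')))
    for src, n in drops_by_source(parse_log(SAMPLE)).most_common():
        print(f'{src:16} {n} dropped/rejected')
```

Feed real output in with something like `fw log -n -c drop | python3 fwlog.py` once the script reads stdin instead of SAMPLE; the -n flag matters there, because without it every address in a large log triggers a reverse lookup.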
