Using the Check Point Suspicious Activity Monitoring Client Tool


The following procedure assumes you are using the CKP_SAM_Client.exe tool provided by Check Point to import suspicious object data to a Check Point firewall server.


Before using the Check Point SAM Client tool, you must:

  1. Log on to the Control Manager server.
  2. Open a command prompt.
  3. Use the following command to locate the directory which contains the CKP_SAM_Client.exe file: cd <Control Manager installation directory>/SOTools
  4. Execute CKP_SAM_Client.exe using the following command:

    CKP_SAM_Client.exe -t <timeout> -g <fw-ip> -c <conf_path> -A notify any <IP_address>


    • -t <timeout>: Indicates the amount of time (in seconds) that the Check Point server waits before expiring a suspicious object

    • -c <conf_path>: Indicates the relative path of the sam.conf file

    • -g <fw-ip>: Indicates the IPv4 address of the Check Point firewall server

    • -A notify any <IP_address>: Requests the Check Point firewall server to notify a valid IPv4 address

    • Running CKP_SAM_Client.exe without any arguments displays usage details for the tool.

    • For more information about the Check Point sam_client_action arguments, refer to the Check Point firewall server documentation.

    The CKP_SAM_Client.exe tool indicates a successfully completed request.

  5. To view the imported suspicious object data on the Check Point firewall server:
    1. Log on to the Check Point SmartView Monitor console.
    2. Go to Tools > Suspicious Activity Rules.

      The Enforced Suspicious Activity Rules screen appears and displays the imported suspicious object data.