topic Re: Security Zones in Firewall and Security Management

Security Zones

h2k — Thu, 19 Jan 2023 18:33:36 GMT

Hi Checkmates,

Is there a way to view the security zones and their associated interfaces using CLI. I can see it in the smart console from the gateway properties. However it is time consuming for my work. I'm in a process of consolidating the Security zone information, associated interfaces and the routing information . I have close to 100 network interfaces configured in multiple security gateways in the VSX cluster and going into every single gateway property to get this information is time consuming and prone to human errors. I say its prone to human error because I have to copy that information in to an excel sheet.

Please let me know if there is way to fetch this information via CLI or any effective methods for both VSX and Checkpoint appliances.

🙏

Thanks,

Hari

Re: Security Zones

the_rock — Thu, 19 Jan 2023 14:38:08 GMT

Hi Hari,

Not sure if below might be helpful, but I will also check in lab and see what I get.

Andy

https://sc1.checkpoint.com/documents/latest/APIs/?#cli/show-security-zone~v1.9%20

Re: Security Zones

the_rock — Thu, 19 Jan 2023 14:42:06 GMT

Does below help?

By the way, password is smart console password, not ssh.

[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli show security-zones
Username: admin
Password:
objects:
- uid: "8c4041ea-ff14-4e4b-a9d9-4183d18c790a"
name: "DMZZone"
type: "security-zone"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
icon: "NetworkObjects/zone"
color: "black"
- uid: "237a4cbc-7fb6-4d50-872a-4904468271c4"
name: "ExternalZone"
type: "security-zone"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
icon: "NetworkObjects/zone"
color: "black"
- uid: "e8131db2-8388-42a5-924a-82de32db20f7"
name: "InternalZone"
type: "security-zone"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
icon: "NetworkObjects/zone"
color: "black"
- uid: "57de3848-3675-48ed-b045-41378f4babb3"
name: "WirelessZone"
type: "security-zone"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
icon: "NetworkObjects/zone"
color: "black"
from: 1
to: 4
total: 4

[Expert@QUANTUM-MANAGEMENT:0]#

Re: Security Zones

h2k — Thu, 19 Jan 2023 14:50:18 GMT

Thanks for the reply. I have tried this already. We don't get the associated interface name from this output.

Re: Security Zones

the_rock — Thu, 19 Jan 2023 15:07:55 GMT

Would you mind send the output? Blur out any sensitive info please.

Re: Security Zones

h2k — Thu, 19 Jan 2023 15:24:09 GMT

Hi Andy,

When run the 'show security-zones' command in Smart console CLI, I get exactly the same output format as you get, except for different values. I would like to see the association between the security zone and the interface. I'm not sure, but I guess the management API commands cannot help us here. I'm pretty sure that there would be a checkpoint database with this information and would like to get it from there.

Re: Security Zones

the_rock — Thu, 19 Jan 2023 15:26:17 GMT

K, I see what you mean. Let me look into it and see if I can get it. So you need correct interfaces to show as associated with the zones displayed...got it. Will update you how far I get.

Andy

Re: Security Zones

Bob_Zimmerman — Thu, 19 Jan 2023 16:09:33 GMT

The management API should be able to help for the non-VSX boxes. Log in to a CMA, 'show security-zones' to get the zone objects, then 'show simple-gateways' and 'show simple-clusters'. Each firewall object in the result should have an array of interfaces, which should each have a security-zone boolean and optionally a security-zone-settings object (if security-zone is true). Inside the security-zone-settings, there's auto-calculated and specific-zone.

I'm not sure about VSs, as I haven't explored that area of the API yet.

Re: Security Zones

PhoneBoy — Thu, 19 Jan 2023 18:58:09 GMT

There are no official APIs for anything VS related (management or gateway).
I know we plan to address this in the future.

Having said that, you might be able to do some scripting work to extract the various details.
This will involve use of the generic-object API and running db_tool from the gateway to get the UUID of the relevant objects as I'm not aware of a way to get them otherwise.
Since I don't have VSX set up anywhere, I hope someone can give this a try and let me know if it works or not.
Even without that, I'm sure it'll be useful for regular Security Gateway 🙂

First, use something like the following to list all the objects involved in the policy from the gateway.
Note the paths will need to be modified for your version and to the specific "state" directory for the given VS.

db_tool -p /opt/CPsuite-R81.20/fw1/state/local/FW1 get_rules |grep UUID | awk '{split($0,a,":"); print a[2]}' | uniq | awk ' { cmd="db_tool -p /opt/CPsuite-R81.20/fw1/state/local/FW1 get_object -u "$1;system(cmd)}'

What you're looking for is the UUID of the VS object, which will only show if the VS is directly used in the policy.
Once you have all the UUIDs of all the VS objects, you can get the interface names and zone information with something like this from the management server (note this is for a specific UUID):

mgmt_cli -r true --format json show generic-object uid 8414a95f-8f3d-5442-9944-9877f964d08e | jq -r '.interfaces[] | [.officialname, .securityZone ] | @csv'

This returns the information nicely in CSV format, with one small exception (the Zone is listed as a UUID)

"eth0","237a4cbc-7fb6-4d50-872a-4904468271c4"
"eth1","e8131db2-8388-42a5-924a-82de32db20f7"

Fortunately, it's easy to get the UUIDs for the Security Zones like so:

mgmt_cli -r true --format json show security-zones | jq -r '.objects[] | [.name, .uid] | @csv'

Which translates (in my case) to:

"DMZZone","8c4041ea-ff14-4e4b-a9d9-4183d18c790a"
"ExternalZone","237a4cbc-7fb6-4d50-872a-4904468271c4"
"InternalZone","e8131db2-8388-42a5-924a-82de32db20f7"
"WirelessZone","57de3848-3675-48ed-b045-41378f4babb3"

Which means we can conclude that:

eth0 is a member of External Zone
eth1 is a member of Internal Zone

Again, whether any of this will work with VSX objects is a separate question.

Re: Security Zones

Bob_Zimmerman — Thu, 19 Jan 2023 19:10:00 GMT

You can get the VS' UUIDs easily enough using 'show gateways-and-servers'. There are a few relevant object types:

CpmiVsxClusterMember - VSX cluster member
CpmiVsxClusterNetobj - VSX cluster
CpmiVsClusterNetobj - VS cluster (a VS on a VSX cluster is technically a cluster of VSs, but the members are automatically managed)

I don't know the types for a non-clustered VSX gateway or a non-clustered VS. I've never actually seen a non-clustered VSX deployment outside a lab.

Re: Security Zones

PhoneBoy — Thu, 19 Jan 2023 19:18:33 GMT

If that API returns information about VSX objects (including VSes), then this particular command from the management might be easier to work with:

mgmt_cli -r true --format json show gateways-and-servers | jq -r '.objects[] | [.name, .type, .uid] | @csv'

Again, results are returned in CSV format.
You'll have to filter the results to VS objects as this will return all gateway/server objects.

Re: Security Zones

h2k — Fri, 20 Jan 2023 07:17:39 GMT

Thanks 🙂

Re: Security Zones

h2k — Fri, 20 Jan 2023 07:22:44 GMT

Thanks !The mangement API commands have a different effect on the VSs. For example, 'show simple-gateways' and 'show simple-clusters' didn't give me any output when I ran them in the VSX cluster. I could be wrong, but just saying that there could be a difference in way we need to execute the commands for VSs.

Re: Security Zones

h2k — Fri, 20 Jan 2023 07:25:52 GMT

Thanks a lot! I believe this should work. I will try this today and will let you know. 🙂

Re: Security Zones

Bob_Zimmerman — Fri, 20 Jan 2023 15:38:18 GMT

I knew 'show simple-gateways' and 'show simple-clusters' don't return anything VSX, but they include the zone information for interfaces on objects which they do return. Meanwhile, 'show gateways-and-servers' includes VSX objects, and some interface information like IP address, but doesn't include the zone information in the interfaces. The API results when dealing with firewalls are super inconsistent between calls.

'show generic-object' provides the most complete information, but it also only works on one object at a time. It's also not officially stable, so result format might change between versions. Great for one-off stuff like getting this today. Not so great if you want to dump this every week for the foreseeable future.

Re: Security Zones

Bob_Zimmerman — Fri, 20 Jan 2023 16:20:01 GMT

I would start with this:

Tweak the 'grep -v' lines (e.g, by adding more) if the list contains objects which aren't firewalls or VSs. Once the list is down to what you want, pipe it into 'jq ".uuid"' and you'll get UUIDs one per line. That's suitable to pipe into something like this:

mgmt_cli -f json -r true show gateways-and-servers limit 500 details-level full \ | jq -c '.objects[]|{type:.type,name:.name,uuid:.uid}' \ | grep -v cluster-member \ | grep -v CpmiVsxClusterNetobj \ | grep -v CpmiVsxClusterMember \ | grep -v "checkpoint-host" \ | jq '.uuid' \ | xargs -L 1 -I % sh -c ' mgmt_cli -f json -r true show generic-object uid % \ | jq -c "{name:.name,interface:.interfaces[]|{interfaceName:.officialname,zone:.securityZone}}"'

I find security zones a fantastic way to shoot myself in the foot, so I don't use them at all. As such, I can't be sure if that last field on the last line will return the zone information you want.

Re: Security Zones

PhoneBoy — Fri, 20 Jan 2023 20:07:34 GMT

Right, generic-object isn't formally supported, or even documented in the Management API guide.
Where possible, use a documented API endpoint, you can get proper support if it doesn't work, etc.

Having said that, I've never actually seen an instance where generic-object returns different results in different versions.
Certainly this is the case for object types that still don't have API support.