topic Re: Smart1 - Firewalls - Checkpoint extract info - Package - Routes in Firewall and Security Management

Smart1 - Firewalls - Checkpoint extract info - Package - Routes

CheckGatzMet — Sat, 18 Feb 2023 00:48:02 GMT

Hello CheckMates! good afternoon

I hope you are very well.

I have a doubt, of a FW or some Firewalls Checkpoints that you have to obtain the Package of policies, which have a SMART1 console Appliance and two FW in cluster.

Environment: SMART-1=====FW01--FW02

When entering in expert mode, in the SMART1:

1.- Is the Linux command cp valid ? is it copy or some other command ? to copy and move a file from one directory to another ? ?

2.- To get the Package, do you get it from the SMART1 CLI or from the firewalls ?

3.- For the routes netstat -nr > routes.txt, is this taken from the Firewalls or from the SMART1 ? this command executes from expert mode or Gaia Shell?

4.- If I connect for example with WinSCP to the Smart-1 or one of the Firewalls, can I remove, copy, move files without problems ?

5.- When I run these scripts, the package file that it generates, in which path is it placed ? in the same directory where I run it ?

6.- To update the version of I have to put the new version web_api_show_package-jar-with-dependencies.jar in the path: MDS_FWDIR/api/samples/lib/ then execute: only $MDS_FWDIR/scripts/web_api_show_package.sh or I need execute java -jar web_api_show_package-jar-with-dependencies.jar -v and then java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>

Scripts:The Check Point Management Server also has a wrapper script so the tool can be run as $MDS_FWDIR/scripts/web_api_show_package.sh which in turn executes java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar

-Export Package ( Exporting Configuration )

https://github.com/CheckPointSW/ShowPolicyPackage

https://github.com/CheckPointSW/ShowPolicyPackage#examples

https://community.checkpoint.com/t5/API-CLI-Discussion/Enabling-web-api/td-p/32641

Thanks for your time, support, collaboration, and good vibes.

Best regards

Re: Smart1 - Firewalls - Checkpoint extract info - Package - Routes

PhoneBoy — Sat, 18 Feb 2023 02:52:02 GMT

In Expert Mode, cp works the same as it does on a regular Linux system.
"To get the package" what precisely do you mean by this? In any case, you can only get the full details of the policy from the Smart-1. There is a command to retrieve the policy from the CLI of the gateways: db_tool -p $FWDIR/state/local/FW1 get_rules
netstat can only be executed from expert mode as it is not a valid clish command. It works similar to a standard Linux system, i.e. only gets routes from the local system.
You can use WinSCP. However, the user in question cannot have /etc/cli.sh as the default shell as that will not work.
Believe it puts the output in current working directory.
If you're using a different version of the Show Package Tool than is included in your installation, then I would execute it separately (i.e. not replace the existing installed version).

Re: Smart1 - Firewalls - Checkpoint extract info - Package - Routes

Hugo_vd_Kooij — Mon, 20 Feb 2023 08:50:17 GMT

There is a caveat. The command `db_tool -p $FWDIR/state/local/FW1 get_rules` only show the policy the gateway is supposed to have. If a policy installation failure occurs on the gateway it may not actually run that policy. But a nifty command to know about during policy install trouble shoooting.

And removing files at will is ... frowned upon. If you don't know what the purpose of a file is then just ripping it out is sort of like using the rm command in the wrong directory. It makes for some digital fireworks and a big mess. (Not something I would put on your resume.)

Re: Smart1 - Firewalls - Checkpoint extract info - Package - Routes

CheckGatzMet — Mon, 20 Feb 2023 23:15:11 GMT

Hello @PhoneBoy

Thanks for your comments.

I understand that users with admin-role have no problem to connect via scp to SMART1.
If I want to generate a particular user for this purpose I would have to execute:
R80>=
Example:
add user scpuser01 uid 2700 homedir /home/scpuser
set user scpuser realname Scpuser
add rba role scpRole domain-type System readwrite-features expert
add rba user scpuser roles scpRole
set user scpuser gid 100 shell /usr/bin/scponly
set user scpuser password
save config‍‍‍‍‍‍‍‍‍‍‍‍‍‍

According to this, the netstat command is valid for Gaia Clish Commands:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_AdminGuide/202015

If you are asking me to pull/execute from checkpoint:, well from SMART-1 this:
java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME>
So they tell me that it generates a tar.gz file that I have to get and deliver.

Thank you for your time and comments.

I remain attentive

Regards

Re: Smart1 - Firewalls - Checkpoint extract info - Package - Routes

PhoneBoy — Tue, 21 Feb 2023 16:55:09 GMT

The Show Package Tool generates a tar.gz file because the output of this tool contains multiple things:

HTML files with the policy in a human readable form (open index.html in your web browser)
Multiple JSON files that contain the policy and objects extracted
A log file

More details at: https://support.checkpoint.com/results/sk/sk120342
A .tar.gz file can be extracted using standard Linux commands (tar -xvfz) or using 7zip on Windows.