topic Re: Firewall policy configuration in Firewall and Security Management

Firewall policy configuration

TechGromit — Sun, 07 May 2023 14:09:49 GMT

Hello,

Is there a way to get a copy of the firewall policy when its offline using the CLI?

I upgraded a firewall, replaced a 4000 model with a 6200 model on smart console and the new firewall isn't working the same as the old firewall. Obviously I missed something on how it was configured on smart console.

I know when you console/putty into a switch you can do a show configuration, but this doesn't give you the policy the firewall currently has, that was installed from smart console. So is it possible to get a copy of the current policy a firewall has?

If not, if the firewall was reconnected to smart console, with a different host name and management address, after the secure communication was established, would you be able to see the interface policy the firewall had? Or would smart console try to over write the existing firewall settings?

Re: Firewall policy configuration

just13pro — Sun, 07 May 2023 15:09:49 GMT

As per my knowledge, the policy is stored in Management DB.

I assume you have upgraded your Management Server as well, hence migrate_export/import from the Management Server will have the policy configuration

Re: Firewall policy configuration

the_rock — Sun, 07 May 2023 23:43:11 GMT

Copy should be in $FWDIR/state dir...I cant recall exactly where, but if you go to that dir on mgmt, you should see dir with fw name there and once you open that, its easy to find.

Andy

Re: Firewall policy configuration

the_rock — Mon, 08 May 2023 00:49:03 GMT

I checked in my R81.20 lab and below seems to work fine. Obviously, your layer name would be different : - ). You can alternatively examine files in below dir (just search for fw name dir after $FWDIR/state)

Andy[Expert@QUANTUM-MANAGEMENT:0]# pwd
/opt/CPsuite-R81.20/fw1/state/quantum-fw/FW1
[Expert@QUANTUM-MANAGEMENT:0]#

https://sc1.checkpoint.com/documents/latest/APIs/?#cli/show-access-rulebase~v1.9%20

[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli show access-rulebase offset 0 limit 20 name "firewall_layer" details-level "standard" use-object-dictionary true --format json

HTH

Andy

Re: Firewall policy configuration

garrod — Mon, 08 May 2023 03:27:55 GMT

Question first,

1. Which Appliance Model that you planned to show the policy?

2. What is the OS version?

3. What is deployment type (Central / Distri)?

4. What is your main goal? (Show Policy in CLI? / want to show policy only not matter the format?

Re: Firewall policy configuration

TechGromit — Mon, 08 May 2023 12:54:23 GMT

1. Which Appliance Model that you planned to show the policy?

Checkpoint 4200

2. What is the OS version?

Kernel: 3.10.0-957.21.3cpx86_64

R80.40 take 294

3. What is deployment type (Central / Distri)?

Originally it was deployed/managed via smartconsole R80.40. The firewall was replaced with a Checkpoint 6200 model, it used the same host name, ip address as the original. The show configuration information was copied to build the replacement firewall. The Security policies are the same, however the Gateway & Server information changes for a new firewall, for example eth2 is was to external on the 4200, this infomation is not transferred over to the 6200 model. This had to be set manually.

4. What is your main goal? (Show Policy in CLI? / want to show policy only not matter the format?

The goal is to verify no other changes were set on the 4200 model under the Gateway & Server settings on smartconsole that were not captured to deploy on the new firewall. Since the 4200 model has been disconnected and it offline. From experience I know that even if the firewall is removed from smartconsole, it continues to process the same marching orders that were deployed from smart console, so the policy's set should be accessible by powering it up and consoling into it to see the policies. I'm not interest in the security policies, those should be exactly the same, but I'm interest in any interface changes that were deployed via smart console to the 4200 model. Long as the format is readable, that's what I'm interested in.

Re: Firewall policy configuration

PhoneBoy — Mon, 08 May 2023 14:11:52 GMT

https://community.checkpoint.com/t5/Security-Gateways/Show-Ruleset-and-Objects-on-the-Gateway-Emergency-Recovery/m-p/155533#M30470 is your best bet

Re: Firewall policy configuration

the_rock — Mon, 08 May 2023 14:20:40 GMT

Wow, thanks for that @PhoneBoy , just tried it on the gateway, worked flawlessly!!

Re: Firewall policy configuration

CheckPointerXL — Fri, 26 May 2023 12:33:04 GMT

do you know the exact location in the filesystem?

Re: Firewall policy configuration

PhoneBoy — Tue, 30 May 2023 16:11:13 GMT

Is there an external management server or not?
In any case, the configuration is in a database which cannot be copied over to another system directly.
Supported methods for migrating a policy between gateways is either using migrate_server or via the API.
You may wish to work with your local Check Point SE on this also.

Re: Firewall policy configuration

CheckPointerXL — Wed, 31 May 2023 06:53:20 GMT

yes, that's a SMS with corrupted OS

so can i export $CPDIR/database to another SMS or not? my goal is to perform a migrate_server

thanks

Re: Firewall policy configuration

_Val_ — Wed, 31 May 2023 07:27:14 GMT

@CheckPointerXL No, copy/paste will not work, as @PhoneBoy already said, you cannot copy files/DBs from one server to another. If you have a failed SMS; the best is to ask TAC for assistance.