topic Re: Undocumented command to install policy on SMB unit in Spark Firewall (SMB)

Undocumented command to install policy on SMB unit

G_W_Albrecht — Wed, 20 Mar 2019 08:08:45 GMT

This is a follow-up after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def (e.g. for VPN Fine-Tuning) that are made on the SMS and installed on GW by policy install. Now, SMB units also have that files - crypt.def can be found there in /pfrm2.0/config2/fw1/lib/ and in /pfrm2.0/opt/fw1/lib/crypt.def.

As locally managed SMB units have no policy install, he speaks about reboot that would activate the new settings, but also, a much easier way is available (he says "not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274) by issuing:

[Expert]# fw_configload

Now i just ask myself if this has been tested not only with crypt.def, but also with the further config files (see my comment here). I assume that /pfrm2.0/config2/fw1/lib/crypt.def has to be changed, but is that true ?

And the sk100278 gives two commands:

[Expert]# fw_configload

[Expert]# sfwd_restart

The second one should be different to a reboot, but what does happen here? Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process:

Logging
Policy installation
VPN negotiation
Identity Awareness enforcement
UserCheck enforcement
etc.

Start and stop are documented as:

[Expert]# $FWDIR/bin/cpwd_admin stop -name SFWD
[Expert]# $FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"

Following sk113090, we can also use:

[Expert]# sfwd_stop
[Expert]# sfwd_start

So the restart command will use the two commands above as we know from other parts of the CP CLI 😉

Re: Undocumented command to install policy on SMB unit

PhoneBoy — Wed, 07 Mar 2018 01:26:29 GMT

I believe sfwd is the userspace part of the firewall.

That command would restart it

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Wed, 07 Mar 2018 08:12:25 GMT

Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process - i have moved this information to the main article!

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Thu, 15 Mar 2018 14:52:53 GMT

I have added this question as a feedback in sk108600 and will update with the reply...

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Mon, 19 Mar 2018 07:55:02 GMT

SecureKnowledge solution sk108600 was updated. R&D responded: "The customer/partner is correct, crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect." sk was modified accordingly.

So the next steps are clear - verify the changes made by SMS policy install and ask the identical question for user.def, vpn_route.conf, vpn_table.def, implied_rules.def a.o. Then i can write a new SMB document about this procedure .

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Mon, 19 Mar 2018 08:44:35 GMT

After looking thru the document SMB units SMS files for VPN fine-tuning i have found only a few of these files are important for locally managed SMBs, e.g. vpn_table.def or vpn_route.conf make not much sense.

In sk108600, i have extended my question to user.def and also gave it as feedback to sk30919. Another file also usable on a locally managed SMB unit is table.def, so i asked my question in feedback to sk98339, sk62082 and sk31832.

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Mon, 19 Mar 2018 10:32:01 GMT

I have a reply for sk31832: How to prevent ClusterXL / VRRP / IPSO IP Clustering from hiding its own traffic behind Virtual IP address. My feedback was:

------------------

table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload ?

------------------

The table.def file which should be changed is:

/opt/fw1/lib/table.def

(below are in directories which are softlinks - the only relevant file is /opt/fw1/lib/table.def)

You can make changes to it, which will not survive firmware upgrade (but will survive reboot), and then run:

fw_configload

fw reconf_sfwd

-----------------

So we have learned that changes must be made to /opt/fw1/lib/table.def as this is the same file as /pfrm2.0/config1/fw1/lib/table.def or /pfrm2.0/config2/fw1/lib/table.def (this is easily tested), and that these changes will not survive firmware upgrade (but will survive reboot). Further we get a new command similar to the one from sk100278: fw reconf_sfwd - this has not been documented in any public sk or guide yet.

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Tue, 20 Mar 2018 14:21:30 GMT

Concerning feedback to sk30919:

R&D responded: "In locally-managed appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported."

Also note that sk30919 does not list SMB as relevant Product.

That is very interesting - would be nice to know if it is not supported, but does work .

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Tue, 20 Mar 2018 14:50:04 GMT

Feedback to SecureKnowledge sk98339, titled "Location of 'table.def' files on Security Management Server" and sk62082 "How to allow TCP/UDP packets with IP options through Check Point Security Gateway".

Your feedback was:

------------------

A table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload ?

------------------

We understand that this SecureKnowledge solution did not help you to resolve your issue. For further assistance, you can open a service request by logging into Check Point User Center

Yes, i know .

Re: Undocumented command to install policy on SMB unit

PhoneBoy — Tue, 20 Mar 2018 15:03:43 GMT

user.def might not be compiled by the local policy compilation process.

I'm sure you're going to test it and confirm one way or the other that it "works but isn't supported."

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Tue, 20 Mar 2018 15:33:51 GMT

Yes, that was my idea, too ! I bet that the SMBs local policy compilation process is much less complicated, compared to CP SW on GAiA - so, when changing a .def file on SMS we will use the "big" policy install process of the SMS for compilation. Also, some .defs like vpn_table.def or vpn_route.conf will not make much sense for StandAlone SMB GWs.

Testing that changing user.def does work - maybe i try Configuring Office Mode IP Assignment Based on Source IP Address from sk30919. But i do not see interesting uses for user.def on SMB - as sk108600 VPN Site-to-Site with 3rd party works with crypt.def.

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Wed, 30 May 2018 09:33:49 GMT

I did not find the time and target for such tests up to now...

Re: Undocumented command to install policy on SMB unit

obsidian11 — Mon, 08 May 2023 09:47:42 GMT

Thanks for explanation but I still don't get it.

What does fw_configload cmd do on those locally managed appliances?

Does it restore to initial policy or?

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Mon, 08 May 2023 10:03:27 GMT

It will load the current policy with all changes - see sk164793: How to disable SecureXL for specific ports on SMB appliances and sk108600: VPN Site-to-Site with 3rd party for example. It is also called during boot process, see sk159772: Check Point R80.20.X for 1500, 1600, and 1800 Appliances Known Limitations and Resolved Issues !

Re: Undocumented command to install policy on SMB unit

PhoneBoy — Mon, 08 May 2023 17:58:48 GMT

There are certain changes to the access policy or configuration that can only be made by editing .def files on the management.
For these changes to take effect, the access policy must be recompiled and installed.
Centrally managed SMB gateways, the .def files are edited on the management and these changes are pushed as part of an Access Policy installation.

For locally managed SMB gateways, you make the relevant changes on the appliance itself.
As there is no explicit "install policy" action on locally managed SMB appliances, you have to trigger the policy recompilation with fw_configload or a reboot.

Re: Undocumented command to install policy on SMB unit

G_W_Albrecht — Wed, 24 Apr 2024 08:38:02 GMT

# configload_Status

# runAllFeatures