Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Inbar_Moskovich
Employee Alumnus
Employee Alumnus
Jump to solution

Show Package - Tool to visualize a R80 policy package over HTML pages

Overview

Check Point ShowPolicyPackage tool visualizes the contents of a R80 security policy package (layers, rulebases, objects) over HTML pages.

Description

The tool allows the security policy as well as objects in the R80 objects database to be exported into a readable format. This exported information represents a snapshot of the database.

The tool generates a compressed file (.tar.gz) containing the following files:

• HTML files - The objects and rules presented as html files. The "index.html" acts as a starting point and
lists all the available items to display.

• JSON files - The objects and rules exported as multiple JSON files.

• Log file (e.g. show_package-yyyy-mm-dd_HH-MM-ss.elg) - A log file containing debug information.

In version 2.0.6, we've added 3 new flags, which indicates whether to calculate and show the Threat/Access/NAT policy as part of the package (note all three default to true):

  •          --show-access-policy (true|false)
  •          --show-threat-policy (true|false)
  •          --show-nat-policy (true|false)

Instructions

This tool is hosted on GitHub repository for public use, containing a stand-alone executable Java JAR file (plug & play) and accompanied source code:

https://github.com/CheckPointSW/ShowPolicyPackage

Please follow the usage instructions and examples on this site. It contains valuable information.

P.S. This tool is also delivered along with R80 management server releases. However, the GitHub repository contains the most updated code!

Source Code Availability

The source code is now public on GitHub repository as mentioned above.

Questions?

We welcome your feedback! Please create a new thread.

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions

64 Replies
Nader_Assi__Old
Contributor

Robert,

I don't have a link in the "Action" Column as shown below (see parent rules # 3 and 4). Please note that I've hidden the original IP addresses and objects.

The Management server is running Gaia R80.10 with no Jumbo HF installed.

Could you please advise?

Thanks,

Nader

0 Kudos
Robert_Decker
Advisor

Maybe it is due to sections wrapping the inline layers.

I'll check and get back to you.

Robert.

0 Kudos
Robert_Decker
Advisor

Hi,

Checked with sections, looks fine - 

Are you running the tool that is installed by default on your management server or are you using the one from GitHub repo?

Robert.

0 Kudos
Nader_Assi__Old
Contributor

I'm running the default tool installed on the management server. Which instructions should I follow to install the latest version of this tool?

0 Kudos
Robert_Decker
Advisor

There is a link on the top of this post to the source of this tool, hosted on GitHub repo. But it is intended for developers, not for security engineers.

I'll generate executable files from the source code and upload to that repo, probably during next week and inform you here.

BTW, when you launch the index.html file you recieve a starting page. Under "Objects" category there should be a link to "access-layer". Can you click on the link and see the info?

Which R80.X version and hotfix take are installed on your server?

Robert.

0 Kudos
Nader_Assi__Old
Contributor

Yes I can click on the "Access-layer" link under Objects. It shows me a page with different info.

No Hotfix has been installed on our management server and the detailed version is listed below:

******* > show version all
Product version Check Point Gaia R80.10
OS build 421
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit

****** > cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[KAV]
HOTFIX_R80_10

[IDA]
HOTFIX_R80_10

[CPFC]
HOTFIX_R80_10

[FW1]
HOTFIX_R80_10

FW1 build number:
This is Check Point Security Management Server R80.10 - Build 187
This is Check Point's software version R80.10 - Build 423

[SecurePlatform]
No hotfixes..

[CPinfo]
No hotfixes..

[SmartLog]
HOTFIX_R80_10

[MGMTAPI]
No hotfixes..

[DIAG]
HOTFIX_R80_10

[SmartPortal]
No hotfixes..

[Reporting Module]
HOTFIX_R80_10

[CPuepm]
HOTFIX_R80_10

[VSEC]
HOTFIX_R80_10

[R7520CMP]
HOTFIX_R80_10

[R7540CMP]
HOTFIX_R80_10

[R7540VSCMP]
HOTFIX_R80_10

[R76CMP]
HOTFIX_R80_10

[SFWR77CMP]
HOTFIX_R80_10

[R77CMP]
HOTFIX_R80_10

[R75CMP]
HOTFIX_R80_10

[NGXCMP]
HOTFIX_R80_10

[EdgeCmp]
HOTFIX_R80_10

[SFWCMP]
HOTFIX_R80_10

[FLICMP]
HOTFIX_R80_10

[SFWR75CMP]
HOTFIX_R80_10

[rtm]
No hotfixes..

0 Kudos
Robert_Decker
Advisor

Ok.

In the same folder where index.html file resides, there should be html files per inline layer ([inline_layer_name]-Management-server.html).

Do you see that files?

In addition, there is a "xxx.elg" file. Please attach this file here for examination.

Thanks.

0 Kudos
Nader_Assi__Old
Contributor

There no HTML files per Inline layer (see screenshot below).

I can't find the option to attach a text file ?!

0 Kudos
PhoneBoy
Admin
Admin
0 Kudos
Robert_Decker
Advisor

All stuff is fixed and uploaded to the Github repository, including a new stand-alone plug&play executable.

Please read again the instructions on the top of this page.

Robert.

Anderson_Madru1
Employee Alumnus
Employee Alumnus

I need your help. My customer used WebVisualization Tool in the R77.30. Now the MDS was migrated to R80.10. They were importing the files to Web Server. But now with JSON files are with any erros. It is possible export in the R80.10 the same format in the R77.30?

0 Kudos
Robert_Decker
Advisor

Hi,

Currently the output is in JSON format and it is not in the same structure (due to layers) as in R77.30.

Therefore, just converting the JSON to CSV as is will not help.

Please note that it is an open source tool and it was not intended to replace the WebVisualization Tool.

Anyone can change the source code for his/her needs.

Robert.

MiGro
Participant

Hi,

Unfortunately we are not able to get the "Hits"-column with the "-c"-flag. I tried versions 1.25, 1.30 and 2.00 from the github-repository with different versions in /opt/CPsuite-R80/fw1/api/samples/lib via ...

-> java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -c

Export is always generated without errors, but the "Hits"-column is missing. Using the updated templates from https://github.com/CheckPointSW/ShowPolicyPackage/tree/master/src/main/resources/com/checkpoint/mgmt... in /opt/CPsuite-R80/fw1/api/samples/conf does not help. (I guess the templates are meanwhile included in the "jar".)

show_package-xxx.elg:

[7/3/18 9:00 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.showAccessRulebase()INFO]: Starting handling access layer: 'FWlab Security'

[7/3/18 9:00 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Run command: 'show-access-rulebase' with payload: {"hits-settings":{"from-date":"1970-1-2"},"uid":"xxxxxxxxxxxxx","show-hits":true,"show-membership":true,"use-object-dictionary":true,"details-level":"full"}

[7/3/18 9:01 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 59 rules in : 'FWlab Security'

[7/3/18 9:01 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 0 inline layer(s)
[7/3/18 9:01 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Creating html file for layer: 'FWlab Security'

[7/3/18 9:01 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.showRulebase()INFO]: Done handling rulebase 'FWlab Security'

The Hit-counter via SmartConsole is working fine.

Json-file is including the hits-parameters:

...

           "hits":{
               "level":"low",
               "percentage":"0%",
               "first-date":{
                  "iso-8601":"2018-06-07T06:48+0200",
                  "posix":1528346887000
               },
               "value":240,
               "last-date":{
                  "iso-8601":"2018-06-07T06:50+0200",
                  "posix":1528347031000
               }

...

But the HTML-file is generated without the Hits-Column. How can  I use the "-c" flag?

Michael

0 Kudos
Robert_Decker
Advisor

Hi Michael,

The version 1.2.5 should be enough to get the hit counts.

I'd like to examine the output of the tool (tar.gz archive file), maybe there is a bug there that incorrectly analyzes your data for hit counts.

Dameon Welch Abernathy‌, please provide Michael with the instructions to send me his file.

Thanks,

Robert.

0 Kudos
MiGro
Participant

Hello,

Maybe here is a problem in the rulebase.tpl.html

   122         var firstAccessRule = data.find(function (e) {
   123             return e.type === "access-rule"
   124         });

"var data" includes the hit informations - like:

..true,"hits":{"level":"low","percentage":"1%","first-date":{"iso-8601":"2018-03-26T18:33+0200","posix":1522082001000},"value":2161669,"last-date":{"iso-8601":"2018-07-04T07:59+0200","posix":1530683943000}}..


Method "find" is not supported. (Tested with IE11 and Chrome 66.0.3359)  Sorry, I'm not familiar with "script" - could this be the problem ?

Thanks,
Michael

UPDATE: Chrome works fine - and is the solution for me! Thank youSmiley Happy

Robert_Decker
Advisor

Hi,

You may be correct with your findings.

In Chrome v 67.0.3396.99 - 

In IE 11 - 

Nothing...

I'll check the code again for compatibility with other browsers/versions and fix as needed.

Great input, thank you!

Robert.

Robert_Decker
Advisor

Release version 2.0.1 now supports IE 11 as well.

Robert.

Xavier_FIQUET
Participant

hello,

each time i'm trying to run the script, i got 

[Expert@:0]# more show_package-2018-08-01_18-14-10.elg
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received: server:(-m)=10.72.22.9 domain:(-d)=MDS userRequestPackage:(
-k)=xxxx
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Local Ips: [10.72.22.27, 10.72.22.31, 10.72.22.29, 10.72.22.25, 10.72.22.9, 127.0.0.1]
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: ERROR: failed connecting to the server: 127.0.0.1
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: /var/tmp/6e3740f7-bc48-420c-bd31-d768450cf24a
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2018-08-01_18-14-10.tar.gz

any idea ?

regards

Xavier

0 Kudos
Robert_Decker
Advisor

The tool fails to connect to the API server.

Please run command "api status" and paste the output here for analysis.

Robert.

Xavier_FIQUET
Participant

Hello  Robert,

thanks for your reply,

i have check the " api status" command and found that we changed the tcp port of the web api server.

after adding the -n flag to the command, it works like a charm. thank you !

regards

xavier

Magnus_Holmberg
Explorer

Are these newer release included in new JFA to the mgmt or in the new M releases?

0 Kudos
Robert_Decker
Advisor

No, not yet, but it will be eventually included both in JHF and R80.20.

Anyway, GitHub repo always has the newest releases as it is instantly updateable, without bureaucracy.

Just copy the newest JAR file into your management server.

Robert.

0 Kudos
MiGro
Participant

Hello,

since version 2.0 the use of own templates was unfortunately disabled.

We would like to export more fields (custom-fields.field-1/ custom-fields.field-2 / custom-fields.field-3). So far we had created this via customized templates and the -t flag.

Example $FWDIR/api/sample/conf/rulebase.html.template :

$FWDIR/api/sample/conf/rulebase.html.template

Is it possible to reactive the template-flag or to define new flag for additive fields?

It is possible to compile your own web_api_show_package-jar-with-dependencies.jar including customized templates.

Here are some helpful steps/hints for non-professionals:

1.) You can use a fresh installed virtual machine with CheckPoint R80.10 and internet connection. I prefer a non-productive system...

2.) Download and extract the tar.gz-sources from Releases · CheckPointSW/ShowPolicyPackage · GitHub  

3.) IMPORTANT : Download and extract a Java Develop Kit - Linux x86 and tar.gz seems to be ok.

4.) IMPORTANT : Change the environment var JAVA_HOME to the [extracted JDK-dir] with export JAVA_HOME=[your-extracted-jdk-dir]

5.) Customize your template in the extracted ShowPolicyPackage-dir under src/main/resources/com/checkpoint/mgmt_api/templates. Example for html-export with custom-fields1-3

Header:

Body:

6.) Compile your customized api_show_package-jar-with-dependencies.jar with "./mvnw clean install -X" in the [extracted ShowPolicyPackage-*-dir] 

7.) Copy the new [extracted ShowPolicyPackage-*"]/target/web_api_show_package-jar-with-dependencies.jar to the management-server in $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies

8.) Test it with java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar

Regards,

Michael

0 Kudos
PaulNacamuli
Explorer

I miss the simplicity of being able to search for objects in a single file.  Is there any method yet to create a single file extract of the policy similar to what the Web Visualization Tool did... ie, maybe something that converts the multiple files generated by the ShowPackage tool into a single html file?   

0 Kudos
hozman
Explorer

Can you make this run on a standalone web server without installing the MDS?

0 Kudos
PhoneBoy
Admin
Admin
You need to run the tool on the Management server but the files themselves can be viewed on any web server.
0 Kudos
PhoneBoy
Admin
Admin
If you want to search objects in a flat file, there are other tools (or you can write API/CLI) that will provide this.
0 Kudos
S_E_
Advisor

Hi,

I tried following on a MDSM R80.30 and it did work.

java -jar web_api_show_package-jar-with-dependencies.jar -c --show-membership true --dereference-group-members true --query-limit 500 -d DOMAIN1

 

However, trying to export Global Policy ( -d Global) the script simply stops with following message:

Script stopped running due to severe error!

 

Any tip?

Thanks

Best Regards

0 Kudos
PhoneBoy
Admin
Admin
If I'm understanding sk120342 correctly, if you omit -d Global, it should work as the default is MDS level if you don't specify.
MelD
Explorer

Hi,

We are currently using R80.20. We plan to do an export of firewall rules and have a few questions. Your answer is appreciated!

1. Will running this .jar package cause any outage or reboot of GAIA console and associated Gateways (CheckPoint Firewalls)?

2. Does the .jar package run create any locks on CheckPoint Firewalls and impacting the traffic flowing through the firewalls? 

3. Does this tool write anything or make any changes to the policies and settings on GAIA console and Firewalls other than the output files?

Thanks!

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events