Show Package - Tool to visualize a R80 policy package over HTML pages
Overview
Check Point ShowPolicyPackage tool visualizes the contents of a R80 security policy package (layers, rulebases, objects) over HTML pages.
Description
The tool allows the security policy as well as objects in the R80 objects database to be exported into a readable format. This exported information represents a snapshot of the database.
The tool generates a compressed file (.tar.gz) containing the following files:
• HTML files - The objects and rules presented as html files. The "index.html" acts as a starting point and lists all the available items to display.
• JSON files - The objects and rules exported as multiple JSON files.
• Log file (e.g. show_package-yyyy-mm-dd_HH-MM-ss.elg) - A log file containing debug information.
In version 2.0.6, we've added 3 new flags, which indicate whether to calculate and show the Threat/Access/NAT policy as part of the package (note all three default to true):
- --show-access-policy (true|false)
- --show-threat-policy (true|false)
- --show-nat-policy (true|false)
Instructions
This tool is hosted in a GitHub repository for public use, containing a stand-alone executable Java JAR file (plug & play) and accompanying source code:
https://github.com/CheckPointSW/ShowPolicyPackage
Please follow the usage instructions and examples on this site. It contains valuable information.
P.S. This tool is also delivered along with R80 management server releases. However, the GitHub repository contains the most updated code!
Source Code Availability
The source code is now public in the GitHub repository, as mentioned above.
Questions?
We welcome your feedback! Please create a new thread.
NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions
Robert,
I don't have a link in the "Action" Column as shown below (see parent rules # 3 and 4). Please note that I've hidden the original IP addresses and objects.
The Management server is running Gaia R80.10 with no Jumbo HF installed.
Could you please advise?
Thanks,
Nader
Maybe it is due to sections wrapping the inline layers.
I'll check and get back to you.
Robert.
Hi,
Checked with sections, looks fine -
Are you running the tool that is installed by default on your management server or are you using the one from GitHub repo?
Robert.
I'm running the default tool installed on the management server. Which instructions should I follow to install the latest version of this tool?
There is a link on the top of this post to the source of this tool, hosted on GitHub repo. But it is intended for developers, not for security engineers.
I'll generate executable files from the source code and upload to that repo, probably during next week and inform you here.
BTW, when you launch the index.html file you receive a starting page. Under the "Objects" category there should be a link to "access-layer". Can you click on the link and see the info?
Which R80.X version and hotfix take are installed on your server?
Robert.
Yes I can click on the "Access-layer" link under Objects. It shows me a page with different info.
No Hotfix has been installed on our management server and the detailed version is listed below:
******* > show version all
Product version Check Point Gaia R80.10
OS build 421
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit
****** > cpinfo -y all
This is Check Point CPinfo Build 914000176 for GAIA
[KAV]
HOTFIX_R80_10
[IDA]
HOTFIX_R80_10
[CPFC]
HOTFIX_R80_10
[FW1]
HOTFIX_R80_10
FW1 build number:
This is Check Point Security Management Server R80.10 - Build 187
This is Check Point's software version R80.10 - Build 423
[SecurePlatform]
No hotfixes..
[CPinfo]
No hotfixes..
[SmartLog]
HOTFIX_R80_10
[MGMTAPI]
No hotfixes..
[DIAG]
HOTFIX_R80_10
[SmartPortal]
No hotfixes..
[Reporting Module]
HOTFIX_R80_10
[CPuepm]
HOTFIX_R80_10
[VSEC]
HOTFIX_R80_10
[R7520CMP]
HOTFIX_R80_10
[R7540CMP]
HOTFIX_R80_10
[R7540VSCMP]
HOTFIX_R80_10
[R76CMP]
HOTFIX_R80_10
[SFWR77CMP]
HOTFIX_R80_10
[R77CMP]
HOTFIX_R80_10
[R75CMP]
HOTFIX_R80_10
[NGXCMP]
HOTFIX_R80_10
[EdgeCmp]
HOTFIX_R80_10
[SFWCMP]
HOTFIX_R80_10
[FLICMP]
HOTFIX_R80_10
[SFWR75CMP]
HOTFIX_R80_10
[rtm]
No hotfixes..
Ok.
In the same folder where index.html file resides, there should be html files per inline layer ([inline_layer_name]-Management-server.html).
Do you see those files?
In addition, there is a "xxx.elg" file. Please attach this file here for examination.
Thanks.
There are no HTML files per inline layer (see screenshot below).
I can't find the option to attach a text file ?!
https://community.checkpoint.com/people/nassiea6aa1f1-d2d0-490f-bc77-04e8257bcd01 I will connect Robert with you out-of-band.
All stuff is fixed and uploaded to the Github repository, including a new stand-alone plug&play executable.
Please read again the instructions on the top of this page.
Robert.
I need your help. My customer used the WebVisualization Tool in R77.30. Now the MDS was migrated to R80.10. They were importing the files to a web server. But now with JSON files are with any errors. Is it possible to export in R80.10 the same format as in R77.30?
Hi,
Currently the output is in JSON format and it is not in the same structure (due to layers) as in R77.30.
Therefore, just converting the JSON to CSV as is will not help.
Please note that it is an open source tool and it was not intended to replace the WebVisualization Tool.
Anyone can change the source code for his/her needs.
Robert.
Hi,
Unfortunately we are not able to get the "Hits"-column with the "-c"-flag. I tried versions 1.25, 1.30 and 2.00 from the github-repository with different versions in /opt/CPsuite-R80/fw1/api/samples/lib via ...
-> java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -c
Export is always generated without errors, but the "Hits"-column is missing. Using the updated templates from https://github.com/CheckPointSW/ShowPolicyPackage/tree/master/src/main/resources/com/checkpoint/mgmt... in /opt/CPsuite-R80/fw1/api/samples/conf does not help. (I guess the templates are meanwhile included in the "jar".)
show_package-xxx.elg:
[7/3/18 9:00 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.showAccessRulebase()INFO]: Starting handling access layer: 'FWlab Security'
[7/3/18 9:00 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Run command: 'show-access-rulebase' with payload: {"hits-settings":{"from-date":"1970-1-2"},"uid":"xxxxxxxxxxxxx","show-hits":true,"show-membership":true,"use-object-dictionary":true,"details-level":"full"}
[7/3/18 9:01 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 59 rules in : 'FWlab Security'
[7/3/18 9:01 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 0 inline layer(s)
[7/3/18 9:01 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Creating html file for layer: 'FWlab Security'
[7/3/18 9:01 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.showRulebase()INFO]: Done handling rulebase 'FWlab Security'
The Hit-counter via SmartConsole is working fine.
Json-file is including the hits-parameters:
...
"hits":{
"level":"low",
"percentage":"0%",
"first-date":{
"iso-8601":"2018-06-07T06:48+0200",
"posix":1528346887000
},
"value":240,
"last-date":{
"iso-8601":"2018-06-07T06:50+0200",
"posix":1528347031000
}
...
But the HTML-file is generated without the Hits-Column. How can I use the "-c" flag?
Michael
Hi Michael,
The version 1.2.5 should be enough to get the hit counts.
I'd like to examine the output of the tool (tar.gz archive file), maybe there is a bug there that incorrectly analyzes your data for hit counts.
Dameon Welch Abernathy, please provide Michael with the instructions to send me his file.
Thanks,
Robert.
Hello,
Maybe here is a problem in the rulebase.tpl.html
122 var firstAccessRule = data.find(function (e) {
123 return e.type === "access-rule"
124 });
"var data" includes the hit information - like:
..true,"hits":{"level":"low","percentage":"1%","first-date":{"iso-8601":"2018-03-26T18:33+0200","posix":1522082001000},"value":2161669,"last-date":{"iso-8601":"2018-07-04T07:59+0200","posix":1530683943000}}..
Method "find" is not supported. (Tested with IE11 and Chrome 66.0.3359) Sorry, I'm not familiar with "script" - could this be the problem ?
Thanks,
Michael
UPDATE: Chrome works fine - and is the solution for me! Thank you
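Added example, not part of the original post or the tool's template: the lookup quoted above written without `Array.prototype.find`, which IE 11 does not implement, extended to decide whether a Hits column has data to show. The helper names, the nested `access-section` shape and the sample data are assumptions constructed for illustration.

```javascript
// ES5-only: no Array.prototype.find, so this also runs in IE 11.
// First element for which predicate returns true, or undefined.
function findFirst(list, predicate) {
  for (var i = 0; i < list.length; i++) {
    if (predicate(list[i], i, list)) return list[i];
  }
  return undefined;
}

// Flatten the rulebase. Assumption: sections appear as
// { type: "access-section", rulebase: [...] } wrapping their rules.
function collectAccessRules(entries) {
  var rules = [];
  for (var i = 0; i < entries.length; i++) {
    var e = entries[i];
    if (e.type === "access-rule") {
      rules.push(e);
    } else if (Array.isArray(e.rulebase)) {
      rules = rules.concat(collectAccessRules(e.rulebase));
    }
  }
  return rules;
}

// True when at least one rule carries a numeric hit count, i.e. the
// export contains hit data and a Hits column has something to show.
function hasHitData(entries) {
  return findFirst(collectAccessRules(entries), function (r) {
    return !!r.hits && typeof r.hits.value === "number";
  }) !== undefined;
}

// Text for one Hits cell; empty when the rule has no hit data.
function hitsCell(rule) {
  if (!rule.hits) return "";
  return rule.hits.value + " (" + rule.hits.percentage + ", " + rule.hits.level + ")";
}

// Constructed sample; the "hits" fields mirror the JSON quoted in this thread.
var sampleData = [
  { type: "access-section", name: "Constructed section", rulebase: [
    { type: "access-rule", "rule-number": 1,
      hits: { level: "low", percentage: "0%", value: 240 } }
  ] },
  { type: "access-rule", "rule-number": 2 }
];
```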
Hi,
You may be correct with your findings.
In Chrome v 67.0.3396.99 -
In IE 11 -
Nothing...
I'll check the code again for compatibility with other browsers/versions and fix as needed.
Great input, thank you!
Robert.
Release version 2.0.1 now supports IE 11 as well.
Robert.
Hello,
Each time I'm trying to run the script, I got
[Expert@:0]# more show_package-2018-08-01_18-14-10.elg
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received: server:(-m)=10.72.22.9 domain:(-d)=MDS userRequestPackage:(
-k)=xxxx
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Local Ips: [10.72.22.27, 10.72.22.31, 10.72.22.29, 10.72.22.25, 10.72.22.9, 127.0.0.1]
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: ERROR: failed connecting to the server: 127.0.0.1
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: /var/tmp/6e3740f7-bc48-420c-bd31-d768450cf24a
[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2018-08-01_18-14-10.tar.gz
any idea ?
regards
Xavier
The tool fails to connect to the API server.
Please run command "api status" and paste the output here for analysis.
Robert.
Hello Robert,
Thanks for your reply.
I have checked the "api status" command and found that we changed the TCP port of the web API server.
After adding the -n flag to the command, it works like a charm. Thank you!
regards
xavier
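Added example, not part of the original posts or the tool's code: a small parser for the `.elg` entries quoted in this thread that re-joins wrapped lines, lists the flags the tool logged, and pulls out SEVERE entries. The function names, the hint text and the shortened sample log are constructed; that a passed `-n` value would appear in the parameters line is an assumption.

```javascript
// Entry layout as quoted in this thread: [date time class.method()LEVEL]: message
var ENTRY = /^\[(\d{1,2}\/\d{1,2}\/\d{2} \d{1,2}:\d{2} [AP]M) (\S+)\(\)([A-Z]+)\]: (.*)$/;

// A line that does not start a new entry is a wrapped continuation: re-join it.
function parseElg(text) {
  var entries = [];
  text.split(/\r?\n/).forEach(function (line) {
    var m = ENTRY.exec(line);
    if (m) {
      entries.push({ time: m[1], source: m[2], level: m[3], message: m[4] });
    } else if (entries.length && line.trim() !== "") {
      entries[entries.length - 1].message += line;
    }
  });
  return entries;
}

// Collect "name:(-flag)=value" pairs from the "parameters that were received" entry.
function receivedFlags(entries) {
  var flags = {};
  entries.forEach(function (e) {
    if (e.message.indexOf("The parameters that were received:") !== 0) return;
    var re = /\w+:\((-\w+)\)=(\S+)/g, m;
    while ((m = re.exec(e.message)) !== null) flags[m[1]] = m[2];
  });
  return flags;
}

// SEVERE entries plus a hint for the connection failure discussed here.
function triage(text) {
  var entries = parseElg(text);
  var flags = receivedFlags(entries);
  var severe = entries.filter(function (e) { return e.level === "SEVERE"; });
  // Assumption: a -n value, when passed, is logged like the other flags.
  var connFail = severe.some(function (e) {
    return /failed connecting to the server/.test(e.message);
  });
  var hints = connFail && !("-n" in flags)
    ? ["no -n flag logged: check the API port reported by 'api status'"] : [];
  return { flags: flags, severe: severe, hints: hints };
}

// Constructed sample, shortened from the log lines quoted in this thread.
var SAMPLE_ELG = [
  "[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received: server:(-m)=10.72.22.9 domain:(-d)=MDS userRequestPackage:(",
  "-k)=xxxx",
  "[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: ERROR: failed connecting to the server: 127.0.0.1",
  "[8/1/18 6:14 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!"
].join("\n");
```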
Are these newer releases included in new JFA to the mgmt or in the new M releases?
No, not yet, but it will be eventually included both in JHF and R80.20.
Anyway, GitHub repo always has the newest releases as it is instantly updateable, without bureaucracy.
Just copy the newest JAR file into your management server.
Robert.
Hello,
since version 2.0 the use of own templates was unfortunately disabled.
We would like to export more fields (custom-fields.field-1/ custom-fields.field-2 / custom-fields.field-3). So far we had created this via customized templates and the -t flag.
Example $FWDIR/api/sample/conf/rulebase.html.template :
Is it possible to reactivate the template flag or to define a new flag for additive fields?
It is possible to compile your own web_api_show_package-jar-with-dependencies.jar including customized templates.
Here are some helpful steps/hints for non-professionals:
1.) You can use a fresh installed virtual machine with CheckPoint R80.10 and internet connection. I prefer a non-productive system...
2.) Download and extract the tar.gz-sources from Releases · CheckPointSW/ShowPolicyPackage · GitHub
3.) IMPORTANT : Download and extract a Java Development Kit - Linux x86 and tar.gz seems to be ok.
4.) IMPORTANT : Change the environment var JAVA_HOME to the [extracted JDK-dir] with export JAVA_HOME=[your-extracted-jdk-dir]
5.) Customize your template in the extracted ShowPolicyPackage-dir under src/main/resources/com/checkpoint/mgmt_api/templates. Example for html-export with custom-fields1-3:
Header:
Body:
6.) Compile your customized api_show_package-jar-with-dependencies.jar with "./mvnw clean install -X" in the [extracted ShowPolicyPackage-*-dir]
7.) Copy the new [extracted ShowPolicyPackage-*"]/target/web_api_show_package-jar-with-dependencies.jar to the management-server in $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies
8.) Test it with java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar
Regards,
Michael
I miss the simplicity of being able to search for objects in a single file. Is there any method yet to create a single file extract of the policy similar to what the Web Visualization Tool did... ie, maybe something that converts the multiple files generated by the ShowPackage tool into a single html file?
Can you make this run on a standalone web server without installing the MDS?
Hi,
I tried the following on an MDSM R80.30 and it did work.
java -jar web_api_show_package-jar-with-dependencies.jar -c --show-membership true --dereference-group-members true --query-limit 500 -d DOMAIN1
However, trying to export Global Policy ( -d Global) the script simply stops with following message:
Script stopped running due to severe error!
Any tip?
Thanks
Best Regards
Hi,
We are currently using R80.20. We plan to do an export of firewall rules and have a few questions. Your answer is appreciated!
1. Will running this .jar package cause any outage or reboot of GAIA console and associated Gateways (CheckPoint Firewalls)?
2. Does the .jar package run create any locks on CheckPoint Firewalls and impact the traffic flowing through the firewalls?
3. Does this tool write anything or make any changes to the policies and settings on GAIA console and Firewalls other than the output files?
Thanks!