Chris_Hoff

Check Point Directories

Does a document or knowledge base article exist that gives a list of the different "Check Point" directories and their use? I am thinking of the /opt directory specifically. I am pretty sure all of the directories that contain "CMP" within the name are for backwards compatibility with that specific version. Some of the others are fairly straightforward, then there are others that are not as obvious (e.g. why a CPshared and a CPshrd-R77, and what are they primarily used for?)

0 Kudos
2 Replies

Re: Check Point Directories

There is a good section in ATRG: Multi-Domain Security Management, which describes the purpose of some main directories on a management server (multi-domain in this case).

For example:

/opt/

CPshared - SVN Infrastructure - (mainly softlinks)

CPshrd-<Version> - SVN Infrastructure

/var/opt/CPmds-<Version>

CPshrd-<Version>/conf - licenses, CA certificate

CPshrd-<Version>/registry - top-level Registry (settings)

CPshrd-<Version>/log - CPShared-level process debug logs

SVN foundation (Secure Virtual Network, I believe) is a component of the management system for communications between modules. Maybe someone can explain this part better.

There are some explanations in the MDS Administration Guide itself, in the section Architecture and Processes.

Re: Check Point Directories

This is another part of a future complete list of directories and their use, and mainly concerns the lib folder of the CMP directories. There are several SKs for special configuration files on the SMS. For an SMS version managing a GW version, a special folder contains the identically named .def files. Here is an overview of the corresponding SKs:

sk108600 "VPN Site-to-Site with 3rd party" shows fine-tuning VPN for special purposes using the user.def or the crypt.def file on the SMS according to GW version. sk44852 "How to configure a Site-to-Site VPN with a universal tunnel" and sk30919 "Creating customized rules for Check Point Security Gateway - 'user.def' file" only make use of user.def. The user.def itself is somewhat special, as it resides in the $FWDIR/conf/ folder and is named according to the GW version it will configure. An example for SMB devices managed by an R80.10 SMS:

1100 with R75.20.x $FWDIR/conf/user.def.SFWR75CMP
1100 / 1200R / 1400 with R77.20.x $FWDIR/conf/user.def.SFWR77CMP

The locations of the user.def files are listed in sk98239 "Location of 'user.def' files on Security Management Server"; for the location of the crypt.def file we have sk98241 "Location of 'crypt.def' files on SMS". Another example for SMB devices managed by an R80.10 SMS:

1100 with R75.20.x /opt/CPSG80R75CMP-R80/lib/crypt.def
1100 / 1200R / 1400 with R77.20.x /opt/CPSFWR77CMP-R80/lib/crypt.def

Also very important is the vpn_route.conf from sk69726 VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up SmartLSM profile in Star Community and choosing option "To center and to other satellites through center".

And you can find the other relevant documents by searching for the filenames ftp.def, vpn_table.def, implied_rules.def, base.def, table.def and communities.def in the Support Center. To find all of them on the unit itself, issue the following in expert mode:

[Expert]# find /opt -name "xxxx.def"
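
An added example, not part of the original posts and not Check Point tooling: because these per-version files customize rules and VPN behaviour, the same find can feed a hash baseline so that later edits to any copy show up. The function names, the baseline location and the use of sha256sum are assumptions; the file names are the ones mentioned in the thread.

```shell
#!/bin/bash
# Added example. File names are the ones mentioned in the thread; the baseline
# format and the function names are assumptions made for this sketch.
DEF_NAMES="user.def crypt.def ftp.def vpn_table.def implied_rules.def base.def table.def communities.def vpn_route.conf"

# SHA-256 of one file (falls back to cksum where sha256sum is missing).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        cksum "$1" | awk '{print $1}'
    fi
}

# def_inventory ROOT...: print "<digest> <path>" for every matching file.
# "name.*" also catches suffixed copies such as user.def.SFWR77CMP.
def_inventory() {
    local root name path
    for root in "$@"; do
        [ -d "$root" ] || continue
        for name in $DEF_NAMES; do
            find "$root" -type f \( -name "$name" -o -name "$name.*" \) 2>/dev/null
        done
    done | sort -u | while IFS= read -r path; do
        printf '%s %s\n' "$(file_digest "$path")" "$path"
    done
}

# def_changes BASELINE ROOT...: compare a saved inventory with the current
# state and print "CHANGED|ADDED|REMOVED <path>" for each difference.
def_changes() {
    local baseline=$1; shift
    def_inventory "$@" | awk -v base="$baseline" '
        BEGIN { while ((getline line < base) > 0) {
                    d = substr(line, 1, index(line, " ") - 1)
                    old[substr(line, index(line, " ") + 1)] = d } }
        { p = substr($0, index($0, " ") + 1); seen[p] = 1
          if (!(p in old)) print "ADDED " p
          else if (old[p] != $1) print "CHANGED " p }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }'
}

# Typical use in expert mode (roots taken from the thread):
#   def_inventory /opt "$FWDIR/conf" > /var/tmp/def.baseline
#   def_changes /var/tmp/def.baseline /opt "$FWDIR/conf"
```

Keep the baseline file outside the scanned roots and off the box if possible, so a change to the .def files cannot be hidden by editing the baseline alongside them.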