This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JozkoMrkvicka
Authority
Authority
‎2018-06-23 10:39 AM

Objects and Rulebases on R80.10

Hello guys,

Simple question:
Where are all Objects and Rulebases stored on R80.10 ? On R77 it was supposed to be in /opt/CPsuite-R77/fw1/conf/ and the files were "objects_5_0.C" and "rulebases_5_0.fws".

AFAIK in R80 it should be in some table inside database. Is there any way how to access objects and rulebases directly from CLI ? Which table I need to access ?

Thank you very much.

Kind regards,
Jozko Mrkvicka
9 Replies
PhoneBoy
Admin
Admin
‎2018-06-23 03:37 PM

We use a proper database in R80.x for this information.

We have fully supported CLI/API commands to access the information.

I recommend perusing the Developers (Code Hub)‌ which has links to the relevant documentation and sample code/scripts.

JozkoMrkvicka
Authority
Authority
‎2018-06-24 01:25 AM
In response to PhoneBoy

Yes, I am familiar with those commands, but I am finding way how to get output like we have in R77.

We are using system which was programed originally for R77.X files (objects_5_0.C for example)

I was able to find "fwset" which is what I need to use in SQL query. It will convert output from R80 to R77 syntax.

The only remaining point for me is to find proper table in database where I can execute postgres SQL command:

select fwset from <table> where something like 'something';

Kind regards,
Jozko Mrkvicka
Tomer_Sole
Mentor
Mentor
‎2018-06-24 01:40 AM
In response to JozkoMrkvicka

R80 is a platform change. There is a change in conception - we no longer store data in files, but rather in databases, which mean - no easy file structure.  The replacement command-line would be mgmt_cli show access-rulebase name LayerName. There are tools for exporting - see Python tool for exporting/importing a policy package or parts of it  and Show Package - Tool to visualize a R80 policy package over HTML pages

Yes, this is more complicated than opening files. But with the R80 platform we changed the architecture to support automatic dynamic revisions, multiple admins working at the same time, inline validations that block users from publishing misconfigurations, full text search, and more. Those came with the cost of standardized REST API.

Let us know your feedback of any of the options.

PhoneBoy
Admin
Admin
‎2018-06-24 11:12 AM
In response to JozkoMrkvicka

While I'm sure it's possible to access the database directly, the proper and supported way to access the data contained therein is through the API.

Seems to me you might want to update those tools to use the R80.x API versus manually looking at files that may not exist in future versions.

If there is some specific functionality that's not present in the APIs/CLIs, we would appreciate the feedback so it can be improved.

Robin_Berthier
Participant
‎2019-08-01 03:50 PM
In response to PhoneBoy

It looks like even with R80.x, the files rulebases_5_0.fws and objects_5_0.C are still periodically saved on disk. Is there a specific event triggering the files being updated or is there a command to trigger the update?

S_E_
Advisor
‎2020-09-24 06:33 AM
In response to Robin_Berthier

Hi, 

Could you find out the trigger? it looks like that 'publish' does not write these files.

Why are these files still present or created? Even in R80.40 (fresh install) they could be found.

Regards

JozkoMrkvicka
Authority
Authority
‎2018-06-24 11:57 AM

Thank you for your effort Tomer Sole and Dameon Welch Abernathy.

Yep, the best way will be to re-build all our internal tools to work with API calls and parse outputs from them...

Anyway, I already found what I was looking for  

This query will show all access rules from all rulebases in classic R7X format:

select fwset from dleobjectderef_data where objclass like 'com.checkpoint.management.access.objects.access_rulebase.AccessCtrlRule';

Maybe there is also way how to show only rules in selected policy package (for sure, there is...).

These queries will show all network objects, services and time objects in classic R7X format:

select fwset from dleobjectderef_data where cpmitable like 'network_objects';
select fwset from dleobjectderef_data where cpmitable like 'services';
select fwset from dleobjectderef_data where cpmitable like 'times';

 

Kind regards,
Jozko Mrkvicka
Tomer_Sole
Mentor
Mentor
‎2018-06-24 09:25 PM
In response to JozkoMrkvicka

It is true that you can get the fwset representation for some of the objects, not all, by querying the postgres database directly. Few comments:

1. Check Point does not commit on maintaining this scheme, unlike mgmt_cli which keeps backward compatibility and has syntax versions.

2. Getting data directly from Postgres is unaudited. Your audit logs will not reflect the fact that you logged in to read some data. 

3. The order ratio is stored in various other places. The algorithm for ordering rules is actually quite complex. 

4. Concepts such as private/published/multi-admins are not taken into account this way.

Guergolet
Participant
‎2018-11-06 10:42 AM
In response to Tomer_Sole

Don't forget about possible performance issues while you execute queries made by unauthorized Check Point Software. Some queries could use a lot of resources of your machine (disk, CPU and memory) affecting CMA performance.


Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events