Where are all Objects and Rulebases stored on R80.10? On R77 it was supposed to be in /opt/CPsuite-R77/fw1/conf/ and the files were "objects_5_0.C" and "rulebases_5_0.fws".
AFAIK in R80 it should be in some table inside the database. Is there any way to access objects and rulebases directly from the CLI? Which table do I need to access?
Thank you very much.
We use a proper database in R80.x for this information.
We have fully supported CLI/API commands to access the information.
I recommend perusing the Developers (Code Hub) which has links to the relevant documentation and sample code/scripts.
Yes, I am familiar with those commands, but I am looking for a way to get output like we have in R77.
We are using a system which was originally programmed for R77.X files (objects_5_0.C, for example).
I was able to find "fwset", which is what I need to use in the SQL query. It will convert output from R80 to R77 syntax.
The only remaining point for me is to find the proper table in the database where I can execute this postgres SQL command:
select fwset from <table> where something like 'something';
R80 is a platform change. There is a change in conception - we no longer store data in files, but rather in databases, which means - no easy file structure. The replacement command-line would be mgmt_cli show access-rulebase name LayerName. There are tools for exporting - see Python tool for exporting/importing a policy package or parts of it and Show Package - Tool to visualize a R80 policy package over HTML pages.
Yes, this is more complicated than opening files. But with the R80 platform we changed the architecture to support automatic dynamic revisions, multiple admins working at the same time, inline validations that block users from publishing misconfigurations, full text search, and more. Those came with the cost of standardized REST API.
Let us know your feedback of any of the options.
While I'm sure it's possible to access the database directly, the proper and supported way to access the data contained therein is through the API.
Seems to me you might want to update those tools to use the R80.x API versus manually looking at files that may not exist in future versions.
If there is some specific functionality that's not present in the APIs/CLIs, we would appreciate the feedback so it can be improved.
Yep, the best way will be to re-build all our internal tools to work with API calls and parse outputs from them...
Anyway, I already found what I was looking for.
This query will show all access rules from all rulebases in classic R7X format:
select fwset from dleobjectderef_data where objclass like 'com.checkpoint.management.access.objects.access_rulebase.AccessCtrlRule';
Maybe there is also a way to show only rules in a selected policy package (for sure, there is...).
These queries will show all network objects, services and time objects in classic R7X format:
select fwset from dleobjectderef_data where cpmitable like 'network_objects';
select fwset from dleobjectderef_data where cpmitable like 'services';
select fwset from dleobjectderef_data where cpmitable like 'times';
It is true that you can get the fwset representation for some of the objects, not all, by querying the postgres database directly. A few comments:
1. Check Point does not commit to maintaining this scheme, unlike mgmt_cli which keeps backward compatibility and has syntax versions.
2. Getting data directly from Postgres is unaudited. Your audit logs will not reflect the fact that you logged in to read some data.
3. The order ratio is stored in various other places. The algorithm for ordering rules is actually quite complex.
4. Concepts such as private/published/multi-admins are not taken into account this way.
Don't forget about possible performance issues while you execute queries made by unauthorized Check Point Software. Some queries could use a lot of resources of your machine (disk, CPU and memory) affecting CMA performance.
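As an added example (not from any poster in this thread and not Check Point code), here is a sketch of consuming the supported API output instead of fwset rows: it flattens the nested sections of a show access-rulebase JSON response and resolves object UIDs to names. The sample response is constructed and trimmed, and the field names are assumed from the R80.x Management API response shape, so check them against the API reference for your version.

```python
import json

# Constructed sample, trimmed to the fields used below. Shape assumed from
# `mgmt_cli show access-rulebase name <Layer> --format json` output.
SAMPLE = json.loads("""
{"name": "Network",
 "objects-dictionary": [
   {"uid": "u-any", "name": "Any"},
   {"uid": "u-web", "name": "web-srv"},
   {"uid": "u-https", "name": "https"},
   {"uid": "u-accept", "name": "Accept"},
   {"uid": "u-drop", "name": "Drop"}],
 "rulebase": [
   {"type": "access-section", "name": "DMZ", "rulebase": [
     {"type": "access-rule", "rule-number": 1, "name": "web in",
      "source": ["u-any"], "destination": ["u-web"],
      "service": ["u-https"], "action": "u-accept"}]},
   {"type": "access-rule", "rule-number": 2, "name": "cleanup",
    "source": ["u-any"], "destination": ["u-any"],
    "service": ["u-missing"], "action": "u-drop"}]}
""")


def flatten_rules(response):
    """Return rules in rule-number order with object UIDs resolved to names."""
    names = {o["uid"]: o["name"] for o in response.get("objects-dictionary", [])}

    def resolve(value):
        if isinstance(value, list):
            return [resolve(v) for v in value]
        if isinstance(value, dict):        # object returned inline, not as a UID
            return value.get("name", value.get("uid"))
        return names.get(value, value)     # unknown UID stays visible, not dropped

    rows = []

    def walk(items, section):
        for item in items:
            if item.get("type") == "access-section":
                walk(item.get("rulebase", []), item.get("name"))
            elif item.get("type") == "access-rule":
                row = {k: resolve(item.get(k, []))
                       for k in ("source", "destination", "service")}
                row.update(number=item["rule-number"], section=section,
                           name=item.get("name", ""),
                           action=resolve(item.get("action")))
                rows.append(row)

    walk(response.get("rulebase", []), None)
    return sorted(rows, key=lambda r: r["number"])
```

Because the data comes through the API session rather than a direct postgres connection, the read is subject to the audit logging and rule ordering concerns raised in the comments above.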