
Undocumented command to install policy on SMB unit

This is a follow-up after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def (e.g. for VPN Fine-Tuning) that are made on the SMS and installed on the GW by policy install. Now, SMB units also have those files - crypt.def can be found there in /pfrm2.0/config2/fw1/lib/ and in /pfrm2.0/opt/fw1/lib/crypt.def.

As locally managed SMB units have no policy install, he speaks about a reboot that would activate the new settings, but a much easier way is also available (he says "not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274) by issuing:

[Expert]# fw_configload

Now I just ask myself if this has been tested not only with crypt.def, but also with the further config files (see my comment here). I assume that /pfrm2.0/config2/fw1/lib/crypt.def has to be changed, but is that true?

And sk100278 gives two commands:

[Expert]# fw_configload
[Expert]# sfwd_restart

The second one should be different from a reboot, but what happens here? Following sk97638, sfwd is not only the "small" FWD, but the SMB main GW process:

  • Logging
  • Policy installation
  • VPN negotiation
  • Identity Awareness enforcement
  • UserCheck enforcement
  • etc.

Start and stop are documented as:

[Expert]# $FWDIR/bin/cpwd_admin stop -name SFWD
[Expert]# $FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"

Following sk113090, we can also use:

[Expert]# sfwd_stop
[Expert]# sfwd_start

So the restart command will use the two commands above as we know from other parts of the CP CLI 😉

11 Replies

Re: Undocumented command to install policy on SMB unit

I believe sfwd is the userspace part of the firewall.

That command would restart it :)

Re: Undocumented command to install policy on SMB unit

Following sk97638, sfwd is not only the "small" FWD, but the SMB main GW process - I have moved this information to the main article!

Re: Undocumented command to install policy on SMB unit

I have added this question as a feedback in sk108600 and will update with the reply...


Re: Undocumented command to install policy on SMB unit

SecureKnowledge solution sk108600 was updated. R&D responded: "The customer/partner is correct, crypt.def can be modified, and afterwards 'vpn_configload' is good enough for the change to take effect." The sk was modified accordingly.

So the next steps are clear - verify the changes made by SMS policy install and ask the identical question for user.def, vpn_route.conf, vpn_table.def, implied_rules.def a.o. Then I can write a new SMB document about this procedure.

Re: Undocumented command to install policy on SMB unit

After looking through the document SMB units SMS files for VPN fine-tuning, I have found that only a few of these files are important for locally managed SMBs; e.g. vpn_table.def or vpn_route.conf do not make much sense there.

In sk108600, I have extended my question to user.def and also gave it as feedback to sk30919. Another file also usable on a locally managed SMB unit is table.def, so I asked my question in feedback to sk98339, sk62082 and sk31832.

Re: Undocumented command to install policy on SMB unit

I have a reply for sk31832: How to prevent ClusterXL / VRRP / IPSO IP Clustering from hiding its own traffic behind Vir.... My feedback was:

------------------

table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload?

------------------

The table.def file which should be changed is:

/opt/fw1/lib/table.def

(the paths below are in directories which are softlinks - the only relevant file is /opt/fw1/lib/table.def)

You can make changes to it, which will not survive a firmware upgrade (but will survive a reboot), and then run:

fw_configload

fw reconf_sfwd

-----------------

So we have learned that changes must be made to /opt/fw1/lib/table.def as this is the same file as /pfrm2.0/config1/fw1/lib/table.def or /pfrm2.0/config2/fw1/lib/table.def (this is easily tested), and that these changes will not survive a firmware upgrade (but will survive a reboot). Further, we get a new command similar to the one from sk100278: fw reconf_sfwd - this has not been documented in any public sk or guide yet.
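The two points of this reply, that the /pfrm2.0 copies are the same file as /opt/fw1/lib/table.def ("this is easily tested") and that the edit is activated with fw_configload and fw reconf_sfwd, as an added shell example that is not code from the thread or from Check Point. The paths and reload commands are the ones quoted in the thread; the helper names, the optional ROOT parameter (so the check can be exercised against a scratch tree) and the backup suffix are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point. Before editing a
# .def file on a locally managed SMB appliance it checks that the /pfrm2.0/...
# copies really are the same file as /opt/fw1/lib/<name>, keeps a timestamped
# backup, and wraps the reload commands quoted in the thread.
# Helper names, the ROOT parameter and the backup suffix are assumptions here.

# same_file A B: succeed only if both paths exist and resolve to one inode.
same_file() {
    [ -e "$1" ] && [ -e "$2" ] || return 1
    ida=$(stat -L -c '%d:%i' "$1") || return 1
    idb=$(stat -L -c '%d:%i' "$2") || return 1
    [ "$ida" = "$idb" ]
}

# check_aliases NAME [ROOT]: warn for every config copy of NAME that is not
# the canonical /opt/fw1/lib/NAME. ROOT defaults to "" (the real filesystem).
check_aliases() {
    name="$1"; root="${2:-}"
    canon="$root/opt/fw1/lib/$name"
    rc=0
    for alias in "$root/pfrm2.0/config1/fw1/lib/$name" \
                 "$root/pfrm2.0/config2/fw1/lib/$name"; do
        if same_file "$canon" "$alias"; then
            echo "ok: $alias is the same file as $canon"
        else
            echo "WARN: $alias is not $canon; edit only the canonical file" >&2
            rc=1
        fi
    done
    return "$rc"
}

# backup_def FILE: copy FILE beside itself with a timestamp suffix and print
# the backup path, so a bad edit can be reverted without a firmware reinstall.
backup_def() {
    bak="$1.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# reload_def NAME: activate an already-edited .def without a reboot, using the
# commands the thread quotes (vpn_configload for crypt.def per sk108600,
# fw_configload followed by fw reconf_sfwd for table.def per the sk31832 reply).
reload_def() {
    case "$1" in
        crypt.def) vpn_configload ;;
        *)         fw_configload && fw reconf_sfwd ;;
    esac
}
```

On the appliance the flow is `check_aliases table.def && backup_def /opt/fw1/lib/table.def`, edit the canonical file, then `reload_def table.def`.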

Re: Undocumented command to install policy on SMB unit

Concerning feedback to sk30919:

R&D responded: "In locally-managed appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported."

Also note that sk30919 does not list SMB as relevant Product.

That is very interesting - would be nice to know if it is not supported, but does work :)

Re: Undocumented command to install policy on SMB unit

Feedback to SecureKnowledge sk98339, titled "Location of 'table.def' files on Security Management Server", and sk62082 "How to allow TCP/UDP packets with IP options through Check Point Security Gateway".

Your feedback was:

------------------

A table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload?

------------------

We understand that this SecureKnowledge solution did not help you to resolve your issue. For further assistance, you can open a service request by logging into Check Point User Center.

Yes, I know.

Re: Undocumented command to install policy on SMB unit

user.def might not be compiled by the local policy compilation process.

I'm sure you're going to test it and confirm one way or the other that it "works but isn't supported."

Re: Undocumented command to install policy on SMB unit

Yes, that was my idea, too! I bet that the SMB's local policy compilation process is much less complicated compared to CP SW on GAiA - so, when changing a .def file on the SMS we will use the "big" policy install process of the SMS for compilation. Also, some .defs like vpn_table.def or vpn_route.conf will not make much sense for standalone SMB GWs.

Testing that changing user.def does work - maybe I try Configuring Office Mode IP Assignment Based on Source IP Address from sk30919. But I do not see interesting uses for user.def on SMB - as sk108600 VPN Site-to-Site with 3rd party works with crypt.def.

Re: Undocumented command to install policy on SMB unit

I did not find the time and target for such tests up to now...
