G_W_Albrecht
Legend

Undocumented command to install policy on SMB unit

This is a follow-up after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def (e.g. for VPN fine-tuning) that are made on the SMS and installed on the GW by policy install. Now, SMB units also have those files - crypt.def can be found there in /pfrm2.0/config2/fw1/lib/ and in /pfrm2.0/opt/fw1/lib/crypt.def.

As locally managed SMB units have no policy install, he speaks about a reboot that would activate the new settings, but a much easier way is also available (he says it is "not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274) by issuing:

[Expert]# fw_configload

Now I just ask myself if this has been tested not only with crypt.def, but also with the further config files (see my comment here). I assume that /pfrm2.0/config2/fw1/lib/crypt.def has to be changed, but is that true?

 

And the sk100278 gives two commands:

[Expert]# fw_configload
[Expert]# sfwd_restart

The second one should be different from a reboot, but what happens here? Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process:

  • Logging
  • Policy installation
  • VPN negotiation
  • Identity Awareness enforcement
  • UserCheck enforcement
  • etc.

Start and stop are documented as:

[Expert]# $FWDIR/bin/cpwd_admin stop -name SFWD
[Expert]# $FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"

Following sk113090, we can also use:

[Expert]# sfwd_stop
[Expert]# sfwd_start

So the restart command will use the two commands above as we know from other parts of the CP CLI 😉

CCSE CCTE CCSM SMB Specialist
14 Replies
PhoneBoy
Admin

I believe sfwd is the userspace part of the firewall.

That command would restart it :-)

G_W_Albrecht
Legend

Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process - I have moved this information to the main article!

G_W_Albrecht
Legend

I have added this question as a feedback in sk108600 and will update with the reply...

G_W_Albrecht
Legend

SecureKnowledge solution sk108600 was updated. R&D responded: "The customer/partner is correct, crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect." sk was modified accordingly.

So the next steps are clear - verify the changes made by SMS policy install and ask the identical question for user.def, vpn_route.conf, vpn_table.def, implied_rules.def a.o. Then I can write a new SMB document about this procedure.

G_W_Albrecht
Legend

After looking through the document SMB units SMS files for VPN fine-tuning I have found that only a few of these files are important for locally managed SMBs, e.g. vpn_table.def or vpn_route.conf do not make much sense.


In sk108600, I have extended my question to user.def and also gave it as feedback to sk30919. Another file also usable on a locally managed SMB unit is table.def, so I asked my question in feedback to sk98339, sk62082 and sk31832.

G_W_Albrecht
Legend

I have a reply for sk31832: How to prevent ClusterXL / VRRP / IPSO IP Clustering from hiding its own traffic behind Vir....  My feedback was:

------------------

table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload?

------------------

The table.def file which should be changed is:

/opt/fw1/lib/table.def

(below are in directories which are softlinks - the only relevant file is /opt/fw1/lib/table.def)

 

You can make changes to it, which will not survive firmware upgrade (but will survive reboot), and then run:

fw_configload

fw reconf_sfwd

-----------------

So we have learned that changes must be made to /opt/fw1/lib/table.def as this is the same file as /pfrm2.0/config1/fw1/lib/table.def or /pfrm2.0/config2/fw1/lib/table.def (this is easily tested), and that these changes will not survive a firmware upgrade (but will survive a reboot). Further, we get a new command similar to the one from sk100278: fw reconf_sfwd - this has not been documented in any public sk or guide yet.

G_W_Albrecht
Legend
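The procedure the thread converges on (edit the real file under /opt/fw1/lib, keep a copy because a firmware upgrade wipes the change, then fw_configload followed by fw reconf_sfwd) is easy to get wrong by hand: editing one of the /pfrm2.0 paths without checking that it really is the same file, or replacing the file with mv so that whatever links to it no longer points at the edited copy. The following POSIX shell script is an added example and is not code from this thread or from Check Point. It checks that the /pfrm2.0 paths named above resolve to the same inode as /opt/fw1/lib/<file> (the "easily tested" claim), takes a timestamped backup, applies an edit given as a sed expression and refuses to touch the original unless an expected marker appears in the result, and only then runs the reload commands quoted from sk100278 and the R&D reply. BACKUP_DIR, SMB_DEF_APPLY, DEF_NAME, SED_EXPR and MARKER are my own placeholders; that the appliance shell supports `test -ef` and that fw_configload and fw are on PATH in Expert mode are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): wrap the manual
# .def edit procedure for a locally managed SMB appliance.
#   1. confirm the /pfrm2.0/... copies are the same file as $LIB_DIR/$DEF_NAME
#   2. keep a timestamped backup (edit survives reboot, not firmware upgrade)
#   3. apply an edit (sed expression) and verify the expected marker
#   4. reload with fw_configload and fw reconf_sfwd
# Assumptions: ash/dash/bash-compatible sh with `test -ef`; reload commands
# on PATH in Expert mode. BACKUP_DIR is a placeholder, not a Check Point path.

DEF_NAME="${DEF_NAME:-table.def}"
LIB_DIR="${LIB_DIR:-/opt/fw1/lib}"
BACKUP_DIR="${BACKUP_DIR:-/tmp/def-backups}"   # placeholder: pick a persistent location

# same_file A B -> 0 when both paths exist and resolve to one inode
same_file() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# check_aliases DEF ALIAS... -> 0 only if every ALIAS is the same file as $LIB_DIR/DEF
check_aliases() {
    def="$LIB_DIR/$1"; shift
    rc=0
    for alias in "$@"; do
        if same_file "$def" "$alias"; then
            echo "same file: $alias -> $def"
        else
            echo "DIFFERENT or missing: $alias"
            rc=1
        fi
    done
    return $rc
}

# backup_def FILE -> copies FILE into BACKUP_DIR with a timestamp, prints the copy path
backup_def() {
    mkdir -p "$BACKUP_DIR" || return 1
    copy="$BACKUP_DIR/$(basename "$1").$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$copy" && echo "$copy"
}

# apply_edit FILE SED_EXPR MARKER -> rewrite FILE only if the edited text contains MARKER
apply_edit() {
    tmp="$1.new.$$"
    sed "$2" "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! grep -q -- "$3" "$tmp"; then
        echo "edit did not produce expected marker '$3'; leaving $1 untouched" >&2
        rm -f "$tmp"; return 1
    fi
    # cat, not mv: keep the inode so the /pfrm2.0 aliases still see the edit
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# reload_policy -> recompile and reload as quoted in sk100278 and the R&D reply
reload_policy() {
    for cmd in fw_configload fw; do
        command -v "$cmd" >/dev/null 2>&1 || { echo "$cmd not on PATH (not an SMB appliance?)" >&2; return 1; }
    done
    fw_configload && fw reconf_sfwd
}

# End-to-end run only when explicitly requested, so the functions can be sourced safely.
if [ "${SMB_DEF_APPLY:-0}" = 1 ]; then
    check_aliases "$DEF_NAME" "/pfrm2.0/config1/fw1/lib/$DEF_NAME" \
        "/pfrm2.0/config2/fw1/lib/$DEF_NAME" "/pfrm2.0/opt/fw1/lib/$DEF_NAME" || exit 1
    backup_def "$LIB_DIR/$DEF_NAME" || exit 1
    apply_edit "$LIB_DIR/$DEF_NAME" "${SED_EXPR:?set SED_EXPR}" "${MARKER:?set MARKER}" || exit 1
    reload_policy
fi
```

Usage on the appliance would be along the lines of `SMB_DEF_APPLY=1 DEF_NAME=table.def SED_EXPR='<your sed expression>' MARKER='<text the edit must produce>' sh smb_def_edit.sh`; without SMB_DEF_APPLY=1 the script only defines the functions, so it can be sourced and check_aliases run on its own to verify the symlink claim before any edit. The marker check is there because a sed expression that matches nothing exits 0, and the backup is the only record of the change after a firmware upgrade.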

Concerning feedback to sk30919:

R&D responded: "In locally-managed appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported."

Also note that sk30919 does not list SMB as relevant Product.

That is very interesting - would be nice to know if it is not supported, but does work :-).

G_W_Albrecht
Legend

Feedback to SecureKnowledge sk98339, titled "Location of 'table.def' files on Security Management Server" and sk62082 "How to allow TCP/UDP packets with IP options through Check Point Security Gateway".

 

Your feedback was:

------------------

A table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload?

------------------

We understand that this SecureKnowledge solution did not help you to resolve your issue. For further assistance, you can open a service request by logging into Check Point User Center

Yes, I know.

PhoneBoy
Admin

user.def might not be compiled by the local policy compilation process.

I'm sure you're going to test it and confirm one way or the other that it "works but isn't supported."  

G_W_Albrecht
Legend

Yes, that was my idea, too! I bet that the SMB's local policy compilation process is much less complicated, compared to CP SW on GAiA - so, when changing a .def file on the SMS we will use the "big" policy install process of the SMS for compilation. Also, some .defs like vpn_table.def or vpn_route.conf will not make much sense for standalone SMB GWs.

Testing that changing user.def does work - maybe I try Configuring Office Mode IP Assignment Based on Source IP Address from sk30919. But I do not see interesting uses for user.def on SMB - as sk108600 VPN Site-to-Site with 3rd party works with crypt.def.

G_W_Albrecht
Legend

I did not find the time and target for such tests up to now...

obsidian11
Contributor

Thanks for explanation but I still don't get it.

What does fw_configload cmd do on those locally managed appliances?

Does it restore to initial policy or?

 

G_W_Albrecht
Legend

It will load the current policy with all changes - see sk164793: How to disable SecureXL for specific ports on SMB appliances and sk108600: VPN Site-to-Site with 3rd party for example. It is also called during the boot process, see sk159772: Check Point R80.20.X for 1500, 1600, and 1800 Appliances Known Limitations and Resolved Is... !

PhoneBoy
Admin

There are certain changes to the access policy or configuration that can only be made by editing .def files on the management.
For these changes to take effect, the access policy must be recompiled and installed.
For centrally managed SMB gateways, the .def files are edited on the management and these changes are pushed as part of an Access Policy installation.

For locally managed SMB gateways, you make the relevant changes on the appliance itself.
As there is no explicit "install policy" action on locally managed SMB appliances, you have to trigger the policy recompilation with fw_configload or a reboot.
