Management General Management Topics Logging and Reporting Multi-Domain Management Policy Management
- Local User Groups
AI & Machine Learning
This is a follow-up after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def (e.g. for VPN Fine-Tuning) that are made on the SMS and installed on GW by policy install. Now, SMB units also have that files - crypt.def can be found there in /pfrm2.0/config2/fw1/lib/ and in /pfrm2.0/opt/fw1/lib/crypt.def.
As locally managed SMB units have no policy install, he speaks about reboot that would activate the new settings, but also, a much easier way is available (he says "not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274) by issuing:
Now i just ask myself if this has been tested not only with crypt.def, but also with the further config files (see my comment here). I assume that /pfrm2.0/config2/fw1/lib/crypt.def has to be changed, but is that true ?
And the sk100278 gives two commands:
The second one should be different to a reboot, but what does happen here? Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process:
Start and stop are documented as:
[Expert]# $FWDIR/bin/cpwd_admin stop -name SFWD
[Expert]# $FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"
Following sk113090, we can also use:
So the restart command will use the two commands above as we know from other parts of the CP CLI 😉
Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process - i have moved this information to the main article!
SecureKnowledge solution sk108600 was updated. R&D responded: "The customer/partner is correct, crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect." sk was modified accordingly.
So the next steps are clear - verify the changes made by SMS policy install and ask the identical question for user.def, vpn_route.conf, vpn_table.def, implied_rules.def a.o. Then i can write a new SMB document about this procedure .
After looking thru the document SMB units SMS files for VPN fine-tuning i have found only a few of these files are important for locally managed SMBs, e.g. vpn_table.def or vpn_route.conf make not much sense.
In sk108600, i have extended my question to user.def and also gave it as feedback to sk30919. Another file also usable on a locally managed SMB unit is table.def, so i asked my question in feedback to sk98339, sk62082 and sk31832.
I have a reply for sk31832: How to prevent ClusterXL / VRRP / IPSO IP Clustering from hiding its own traffic behind Vir.... My feedback was:
table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload ?
The table.def file which should be changed is:
(below are in directories which are softlinks - the only relevant file is /opt/fw1/lib/table.def)
You can make changes to it, which will not survive firmware upgrade (but will survive reboot), and then run:
So we have learned that changes must be made to /opt/fw1/lib/table.def as this is the same file as /pfrm2.0/config1/fw1/lib/table.def or /pfrm2.0/config2/fw1/lib/table.def (this is easily tested), and that these changes will not survive firmware upgrade (but will survive reboot). Further we get a new command similar to the one from sk100278: fw reconf_sfwd - this has not been documented in any public sk or guide yet.
Concerning feedback to sk30919:
R&D responded: "In locally-managed appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported."
Also note that sk30919 does not list SMB as relevant Product.
That is very interesting - would be nice to know if it is not supported, but does work .
Feedback to SecureKnowledge sk98339, titled "Location of 'table.def' files on Security Management Server" and sk62082 "How to allow TCP/UDP packets with IP options through Check Point Security Gateway".
Your feedback was:
A table.def can be found on locally managed SMBs in /pfrm2.0/config2/fw1/lib/table.def and in /pfrm2.0/opt/fw1/lib/table.def. Is it possible to make changes to the table.def and activate them using reboot or fw_configload ?
We understand that this SecureKnowledge solution did not help you to resolve your issue. For further assistance, you can open a service request by logging into Check Point User Center
Yes, i know .
user.def might not be compiled by the local policy compilation process.
I'm sure you're going to test it and confirm one way or the other that it "works but isn't supported."
Yes, that was my idea, too ! I bet that the SMBs local policy compilation process is much less complicated, compared to CP SW on GAiA - so, when changing a .def file on SMS we will use the "big" policy install process of the SMS for compilation. Also, some .defs like vpn_table.def or vpn_route.conf will not make much sense for StandAlone SMB GWs.
Testing that changing user.def does work - maybe i try Configuring Office Mode IP Assignment Based on Source IP Address from sk30919. But i do not see interesting uses for user.def on SMB - as sk108600 VPN Site-to-Site with 3rd party works with crypt.def.