Firewall policy configuration
Hello,
Is there a way to get a copy of the firewall policy when it's offline, using the CLI?
I upgraded a firewall, replacing a 4000 model with a 6200 model in SmartConsole, and the new firewall isn't working the same as the old firewall. Obviously I missed something in how it was configured in SmartConsole.
I know that when you console/PuTTY into a switch you can do a show configuration, but this doesn't give you the policy the firewall currently has, the one that was installed from SmartConsole. So is it possible to get a copy of the current policy a firewall has?
If not: if the firewall was reconnected to SmartConsole with a different host name and management address, after secure communication was established, would you be able to see the interface policy the firewall had? Or would SmartConsole try to overwrite the existing firewall settings?

Accepted Solutions
As per my knowledge, the policy is stored in the Management DB.
I assume you have upgraded your Management Server as well, hence migrate_export/import from the Management Server will have the policy configuration.

Do you know the exact location in the filesystem?

Is there an external management server or not?
In any case, the configuration is in a database which cannot be copied over to another system directly.
The supported methods for migrating a policy between gateways are either using migrate_server or via the API.
You may wish to work with your local Check Point SE on this also.

Yes, that's an SMS with a corrupted OS.
So can I export $CPDIR/database to another SMS or not? My goal is to perform a migrate_server.
Thanks

@CheckPointerXL No, copy/paste will not work; as @PhoneBoy already said, you cannot copy files/DBs from one server to another. If you have a failed SMS, the best is to ask TAC for assistance.

A copy should be in the $FWDIR/state dir. I can't recall exactly where, but if you go to that dir on the mgmt, you should see a dir with the fw name there, and once you open that, it's easy to find.
Andy

I checked in my R81.20 lab and the below seems to work fine. Obviously, your layer name would be different :-). You can alternatively examine the files in the dir below (just search for the fw name dir under $FWDIR/state).
Andy
[Expert@QUANTUM-MANAGEMENT:0]# pwd
/opt/CPsuite-R81.20/fw1/state/quantum-fw/FW1
[Expert@QUANTUM-MANAGEMENT:0]#
https://sc1.checkpoint.com/documents/latest/APIs/?#cli/show-access-rulebase~v1.9%20
[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli show access-rulebase offset 0 limit 20 name "firewall_layer" details-level "standard" use-object-dictionary true --format json
HTH
Andy

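As an added example, not posted by anyone in this thread, the JSON that the mgmt_cli show access-rulebase ... use-object-dictionary true --format json command above returns can be post-processed to resolve object UIDs to names and to diff two exports (old gateway versus replacement), which is the comparison the original poster is after. The response shape is assumed to match the documented one (a rulebase list with nested access-section entries plus an objects-dictionary of uid/name pairs); the sample response, its UIDs and object names are constructed.

```python
import json

# Constructed sample modelled on the show-access-rulebase response with
# use-object-dictionary true: rules carry object UIDs, and objects-dictionary
# maps each UID to a name. Every UID and name here is made up.
SAMPLE_RESPONSE = json.dumps({
    "name": "firewall_layer",
    "rulebase": [
        {"type": "access-section", "name": "Management", "rulebase": [
            {"type": "access-rule", "rule-number": 1, "name": "Admin to GW",
             "enabled": True, "source": ["u-admin"], "destination": ["u-gw"],
             "service": ["u-ssh"], "action": "u-accept"}]},
        {"type": "access-rule", "rule-number": 2, "name": "Cleanup",
         "enabled": True, "source": ["u-any"], "destination": ["u-any"],
         "service": ["u-any"], "action": "u-drop"},
    ],
    "objects-dictionary": [{"uid": u, "name": n} for u, n in [
        ("u-admin", "Admin_Net"), ("u-gw", "quantum-fw"), ("u-ssh", "ssh"),
        ("u-any", "Any"), ("u-accept", "Accept"), ("u-drop", "Drop")]],
})


def resolve_rules(response_json):
    """Flatten the layer (sections included) into dicts with UIDs resolved to names."""
    data = json.loads(response_json)
    names = {o["uid"]: o["name"] for o in data.get("objects-dictionary", [])}
    # An unresolved UID is flagged rather than silently dropped.
    name_of = lambda uid: names.get(uid, f"<unknown {uid}>")
    rows = []

    def walk(entries):
        for e in entries:
            if e.get("type") == "access-section":
                walk(e.get("rulebase", []))  # sections nest their own rules
            elif e.get("type") == "access-rule":
                rows.append({"no": e["rule-number"], "name": e.get("name", ""),
                             "enabled": e["enabled"],
                             "src": [name_of(u) for u in e["source"]],
                             "dst": [name_of(u) for u in e["destination"]],
                             "svc": [name_of(u) for u in e["service"]],
                             "action": name_of(e["action"])})
    walk(data.get("rulebase", []))
    return rows


def diff_rulebases(old_json, new_json):
    """Rule numbers whose resolved content differs between two exports."""
    old = {r["no"]: r for r in resolve_rules(old_json)}
    new = {r["no"]: r for r in resolve_rules(new_json)}
    return sorted(n for n in set(old) | set(new) if old.get(n) != new.get(n))
```

Run the same mgmt_cli command against each management export, save both JSON outputs, and feed them to diff_rulebases to get the rule numbers that changed.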
Questions first:
1. Which appliance model do you plan to show the policy for?
2. What is the OS version?
3. What is the deployment type (Central / Distributed)?
4. What is your main goal? (Show the policy in the CLI? / Show the policy only, no matter the format?)

1. Which appliance model do you plan to show the policy for?
Check Point 4200
2. What is the OS version?
Kernel: 3.10.0-957.21.3cpx86_64
R80.40 take 294
3. What is the deployment type (Central / Distributed)?
Originally it was deployed/managed via SmartConsole R80.40. The firewall was replaced with a Check Point 6200 model; it used the same host name and IP address as the original. The show configuration output was copied to build the replacement firewall. The security policies are the same; however, the Gateway & Server information changes for a new firewall. For example, eth2 was set to external on the 4200; this information is not transferred over to the 6200 model. This had to be set manually.
4. What is your main goal? (Show the policy in the CLI? / Show the policy only, no matter the format?)
The goal is to verify that no other changes were set on the 4200 model under the Gateway & Server settings in SmartConsole that were not captured when deploying the new firewall, since the 4200 model has been disconnected and is offline. From experience I know that even if the firewall is removed from SmartConsole, it continues to process the same marching orders that were deployed from SmartConsole, so the policies set should be accessible by powering it up and consoling into it to see the policies. I'm not interested in the security policies, those should be exactly the same, but I am interested in any interface changes that were deployed via SmartConsole to the 4200 model. As long as the format is readable, that's what I'm interested in.

Wow, thanks for that @PhoneBoy, just tried it on the gateway, worked flawlessly!!
