Hello CheckMates,
I had a customer who is using a manually defined encryption domain for some of the remote third party VPN peer gateways. Normally this is done via user.def file and entries for "subnet_for_range_and_peer"...
But in this environment the customer is using a "user_early.def" file in the same directories, and the syntax in the file is the same as in user.def.
Does anyone know this? I have never used "user_early.def" for this kind of configuration.
regards
Wolfgang
Hi @Wolfgang,
One question that keeps coming up is: which config files are used on the management server to compile policies with user-specific INSPECT code?
Here are the most important config files, in which we can customize Check Point INSPECT code individually:
|-> user.def -> User-defined implied rules that can be added in Check Point INSPECT language (sk98239)
|-> fwui_head.def
|-> table.def -> Definitions of various kernel tables for Check Point security gateway (sk98339)
|-> auth.def
|-> base.def
|-> crypt.def -> VPN encryption macros (sk98241)
|-> services.def
|-> proxy.def
|-> crypt.def
If you search all files in $FWDIR/lib for "include user_early.def", you can find the dependent file.
Read more here:
R80.x - Policy Installation Flowchart
Hi @Wolfgang,
I checked it out on an R80.30 gateway.
|-> fwui_head.def
|-> table.def
|-> user_early.def -> Here you can find the user_early.def
|-> base.def
|-> crypt.def
|-> services.def
|-> proxy.def
|-> crypt.def
"user_early.def" is an include file in "fwui_head.def"
You can also use the following command to search for dependencies:
# grep -rnwi '/opt/CPsuite-R80.30/fw1/lib/' -e 'user_early.def'
One more comment:
The normal user.def is executed after the "fwui_head.def". So you have the possibility to execute INSPECT code before user.def if you add the code to user_early.def.
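The include order discussed in the posts above can be walked recursively rather than grepped one file at a time. This is an added example, not part of the original thread and not Check Point code; it assumes includes are written as `#include "name.def"`, and `root.def` and the sample file contents are constructed for illustration.

```shell
#!/bin/bash
# Print the include tree of INSPECT .def files depth-first, in the order the
# includes appear, so the position of user_early.def relative to user.def shows.
# Assumption: includes are written preprocessor-style:  #include "table.def"

# Usage: include_tree LIBDIR FILE [INDENT] [ANCESTORS]
include_tree() {
    local libdir="$1" file="$2" indent="${3:-}" seen="${4:-}" child
    case " $seen " in
        *" $file "*)
            printf '%s|-> %s (cycle, skipped)\n' "$indent" "$file"
            return 0 ;;
    esac
    if [ ! -f "$libdir/$file" ]; then
        printf '%s|-> %s (missing)\n' "$indent" "$file"
        return 0
    fi
    printf '%s|-> %s\n' "$indent" "$file"
    # Pull the quoted name out of each #include line, keeping file order.
    sed -n 's/^[[:space:]]*#[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$libdir/$file" |
    while IFS= read -r child; do
        include_tree "$libdir" "$child" "$indent    " "$seen $file"
    done
}

# Constructed sample files (not real Check Point contents). root.def is a
# hypothetical top-level file; the rest mirrors the order listed in the post.
make_sample_lib() {
    local d
    d=$(mktemp -d) || return 1
    printf '#include "fwui_head.def"\n#include "user.def"\n' > "$d/root.def"
    printf '#include "%s"\n' table.def user_early.def base.def > "$d/fwui_head.def"
    : > "$d/table.def"; : > "$d/user_early.def"
    : > "$d/base.def";  : > "$d/user.def"
    printf '%s\n' "$d"
}

lib=$(make_sample_lib) && include_tree "$lib" root.def && rm -rf "$lib"
```

On a management server the same function can be pointed at the real directory, for example `include_tree "$FWDIR/lib" fwui_head.def`, to review which customized files are pulled into the policy compile and in what order.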
Good Morning HeikoAnkenbrand,
thanks a lot for your help.
I got the same findings this morning and I think now it's understandable why the user_early.def is working.
In the meantime I opened a TAC case and got an answer. They told me that this kind of configuration for "subnet_for_range_and_peer" should be done only via user.def in R80.30.
Wolfgang