Wolfgang
Authority

Manually defined encryption domain via user_early.def

Hello CheckMates,

I had a customer who is using a manually defined encryption domain for some of the remote third-party VPN peer gateways. Normally this is done via the user.def file and entries for "subnet_for_range_and_peer"...

But in this environment the customer is using the "user_early.def" file in the same directory, and the syntax in the file is the same as in user.def.

Does anyone know this? I have never used "user_early.def" for this kind of configuration.

Regards,

Wolfgang

HeikoAnkenbrand
Champion

Hi @Wolfgang,

One question that keeps coming up is: which config files are used on the management server to compile policies with user-specific INSPECT code?

Here are the most important config files with which we can customize Check Point INSPECT code individually:
      |-> user.def                  -> User-defined implied rules that can be added in Check Point INSPECT language (sk98239)
      |-> fwui_head.def
            |-> table.def           -> Definitions of various kernel tables for Check Point security gateway (sk98339)
            |-> auth.def
            |-> base.def
                  |-> crypt.def     -> VPN encryption macros (sk98241)
                  |-> services.def
                  |-> proxy.def
                  |-> crypt.def

If you search all files in $FWDIR/lib for "include user_early.def", you can find the dependent file.

More reading here:

R80.x - Policy Installation Flowchart 


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion

Hi @Wolfgang,

I checked it out on an R80.30 gateway.

      |-> fwui_head.def
            |-> table.def
            |-> user_early.def      -> Here you can find the user_early.def
            |-> base.def
                  |-> crypt.def
                  |-> services.def
                  |-> proxy.def
                  |-> crypt.def

"user_early.def" is an include file in "fwui_head.def"


You can also use the following command to search for dependencies:

# grep -rnwi '/opt/CPsuite-R80.30/fw1/lib/' -e 'user_early.def'

One more comment:
The normal user.def is executed after "fwui_head.def", so you have the possibility to execute INSPECT code before user.def if you add that code to user_early.def.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
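The include order discussed above (fwui_head.def pulling in user_early.def before user.def is reached), as an added shell example that is not from this thread or from Check Point: it walks "#include" lines in a constructed, temporary copy of the tree shown here and reports the resulting order. It assumes the C-preprocessor-style '#include "name.def"' syntax and a made-up top-level file "top.def" that includes fwui_head.def first and user.def afterwards.

```shell
#!/bin/sh
# Added example (not Check Point code): walk "#include" lines in a tree of
# INSPECT .def files and print the order in which they are pulled in, so the
# user_early.def-before-user.def ordering described in the thread can be checked.
set -eu

# Print the include chain of file $1 under directory $2, depth-first, in the
# order a C-preprocessor-style expansion meets the files.
# $3 = indentation, $4 = files already on the current path (cycle guard).
include_chain() {
    case " ${4:-} " in
        *" $1 "*) printf '%s%s (already on include path, skipped)\n' "${3:-}" "$1"; return 0 ;;
    esac
    printf '%s%s\n' "${3:-}" "$1"
    [ -f "$2/$1" ] || return 0        # missing files are listed but not expanded
    # assumption: includes are written as  #include "name.def"
    sed -n 's/^[[:space:]]*#include[[:space:]]*"\([^"]*\)".*/\1/p' "$2/$1" |
    while IFS= read -r inc; do
        include_chain "$inc" "$2" "  ${3:-}" "${4:-} $1"
    done
}
# Flat list (one name per line, no indentation) for file $1 under $2.
include_order() {
    include_chain "$1" "$2" | sed 's/^ *//; s/ .*//'
}

# Succeed when $1 is reached before $2 while expanding $3 under directory $4.
included_before() {
    order=$(include_order "$3" "$4")
    a=$(printf '%s\n' "$order" | grep -n -x -- "$1" | head -n 1 | cut -d: -f1)
    b=$(printf '%s\n' "$order" | grep -n -x -- "$2" | head -n 1 | cut -d: -f1)
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# Constructed sample tree mirroring the thread; the top-level file "top.def"
# is made up and stands for whatever pulls in fwui_head.def before user.def.
make_sample_lib() {
    lib=$(mktemp -d)
    printf '#include "fwui_head.def"\n#include "user.def"\n' > "$lib/top.def"
    printf '#include "table.def"\n#include "user_early.def"\n#include "base.def"\n' > "$lib/fwui_head.def"
    printf '#include "crypt.def"\n#include "services.def"\n#include "proxy.def"\n' > "$lib/base.def"
    for f in table user_early crypt services proxy user; do : > "$lib/$f.def"; done
    printf '%s\n' "$lib"
}

lib=$(make_sample_lib)
include_chain top.def "$lib"     # prints the indented tree, user_early.def above user.def
included_before user_early.def user.def top.def "$lib" && echo "user_early.def is processed before user.def"
rm -rf "$lib"
```

Pointing include_chain at a real fwui_head.def in $FWDIR/lib instead of the constructed tree shows the same ordering for an actual installation.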
Wolfgang
Authority

Good Morning HeikoAnkenbrand,

Thanks a lot for your help.

I got the same findings this morning and I think now it's understandable why the user_early.def is working.

In the meantime I opened a TAC case and got an answer. They told me that this kind of configuration for "subnet_for_range_and_peer" should be done only via user.def in R80.30.

Wolfgang
