- Products
- Learn
- Local User Groups
- Partners
-
More
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
🏆 Code Hub Contribution of the Year 2019!
📌 Available as SmartConsole Extension.
👍 Endorsed by Check Point Support!
One-liner (Bash) to show a summary about each gateway interfaces' calculated topology and address spoofing setting.
In expert mode run:
echo; tput bold; if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo ' Not a firewall gateway!'; tput sgr0; echo; elif [[ `grep $(grep $(hostname) /etc/hosts | cut -f1 -d' ') $FWDIR/state/local/FW1/local.set | wc -l` == "0" ]] && [[ $INSTANCE_VSID == '0' ]]; then echo ' Main IP of '$(hostname)' doesn`t match it`s management interface IP!'; tput sgr0; echo; else echo -n ' Interface Topology '; tput sgr0; echo -n '> '; tput bold; tput setaf 1; if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]; then echo $vsname' (ID: '$INSTANCE_VSID')'; else hostname; fi; tput sgr0; echo -n ' '; printf '%.s-' {1..80}; echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)*$/,\$ p" | tail -n +3 | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' | sed '/objtype/q' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'; echo; fi
The One-liner is IPv4 and IPv6 compatible, works on clustered and single gateway environments also within VSX, shows all interface types configured in your firewall object within SmartDashboad, colors specific words of the output for easier identification of important settings, adds additional information regarding Address Spoofing setting and mode as well as the topology type of each interface and is of course completely integrated within our ccc script.
Thanks to Tim Hall's preliminary work in this thread.
Thanks to Norbert Bohusch for IPv6 support and testing.
Thanks to Kaspars Zibarts, Bob Zimmerman, Jan Kleinhans for VSX support and testing.
Thanks to Anthony Joubaire for support and testing multiple installation targets.
-- More one-liners --
One-liner to show VPN topology on gateways
One-liner for Remote Access VPN Statistics
One-liner to show Geo Policy on gateways
FW Monitor SuperTool
I see. I added the quotes your mentioned plus a check to verify that $vsname is not empty.
[[ ! -z '$vsname' ]]
These are both actually the same test:
[[ -n '$vsname' ]] && [[ ! -z '$vsname' ]]
Thanks for testing. I remove the obsolete check and I'm glad that it works now for you.
As for the output of both cluster members on your other cluster node, the One-liner already tries to avoid that by deleting all ifindex entries from local.set except the one of the current system. To further optimize the check please send me the relevant local.set privately, so I can have a look.
More weirdness. Turns out $vsname needs to be in quotes in the test. Apostrophes aren't enough:
if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]
Not sure if the second test should also be quotes.
I should be able to send the relevant chunks of the local.set soon.
Thanks, code was improved.
I can confirm the current version definitely works on my all-the-edge-cases R77.30 firewall. It also works for the current VS on my VSX R77.30 and VSX R80.10 firewalls.
Thanks for this cool one-liner, Danny!
I found one gateway where the script is not running:
It is a non-vsx gateway running R80.10 JHF 203.
All the output I get is:
Interface Topology > firewall
--------------------------------------------------------------------------------
I hope I will find some time for investigation...
Cheers
Sven
@Hadi , you can always find the latest revision of my one-liner in my initial post of this thread.
Ran into a bizarre issue. It seems in some environments, the main IP in the firewall object and the IP listed in the hosts file can be different. The IP in the hosts file aligns with the IP on the interface fed to
set management interface <interfaceName>
Meanwhile, the main IP can be any address. Technically, it doesn't even have to be an address the firewall has on an interface (though it's a really bad idea to use a main IP it doesn't own).
The script gets the anti spoofing configuration from the file local.set, which lists it under the main IP of the firewall object. Thus, the script as it is will fail in such environments. This is probably expected behavior. If you have this situation on your firewalls, you can work around it by replacing
$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)
with what you have set as the firewall's main IP. It will then work only on that firewall.
This is a workaround for administrative misconfiguration.
I have trouble with the same part of the oneliner, but your solution is not working for me. I will try to investigate...
Thanks @Bob_Zimmerman ,
I just added an error message for these situations to the one-liner.
Congratulations to @Danny on winning the award for this. I saw this mentioned in the Checkpoints email and tried it out. On the couple of VSX boxes I've used this on, I get "Main IP of myboxname-ch01-01 doesn`t match it`s management interface IP!". I spent a couple of minutes looking at the script to see what it's trying to check for but it wasn't obvious (to me). Could some kind soul let me know what the likely issue is so that I can investigate? Thanks.
HI @David_Kozinn ,
the main IP of your VS gateways is shown in SmartConsole under Gateways and Servers.
This should be the same IP that is configured within /etc/hosts for the specific VS. In your case this doesn't seem to match.
Danny, I ran the one-liner for anti-spoofing and the only output that came back was
Interface Topology > Xxx-FW01
Any thoughts on why this may be? This was on a small client, maybe 100 users, 200 servers and 10 interfaces. I do have a much bigger client that is a mess and this script would come in handy.
Thanks,
Paul
My guess is you are using R80.40.
Should have put that in my post. Sorry. Not 80.40. 80.10 JHF272.
Amazingly good stuff. Thank you Danny! As we discussed on our PM I did not have the host name setup correctly in the "hosts and dns" tree branch of the Gaia OS. I used to do that religiously, but as the years went by it didn't seem to matter. I guess with everything getting back to scripting it matters again. Thank you for your help.
Paul
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY